FCP FGT AD-7.4 Exam Questions PDF

Summary

This document contains exam questions on FortiGate networking and security. The questions cover various topics, including firewall and routing configurations.

Full Transcript

Topic 1 - Exam A

Question #1 Topic 1

Refer to the exhibit. Which two statements are true about the routing entries in this database table? (Choose two.)

A. All of the entries in the routing database table are installed in the FortiGate routing table.
B. The port2 interface is marked as inactive.
C. Both default routes have different administrative distances. (Most Voted)
D. The default route on port2 is marked as the standby route. (Most Voted)

Correct Answer: CD
Community vote distribution: CD (100%)

Question #2 Topic 1

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A. The host field in the HTTP header.
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
D. The subject field in the server certificate.
E. The serial number in the server certificate.

Correct Answer: BCD

Question #3 Topic 1

Refer to the exhibit. Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

A. All traffic from a source IP to a destination IP is sent to the same interface. (Most Voted)
B. Traffic is sent to the link with the lowest latency.
C. Traffic is distributed based on the number of sessions through each interface.
D. All traffic from a source IP is sent to the same interface.

Correct Answer: A
Community vote distribution: A (100%)

Question #4 Topic 1

A network administrator is configuring an IPsec VPN tunnel for a sales employee travelling abroad. Which IPsec Wizard template must the administrator apply?

A. Remote Access (Most Voted)
B. Site to Site
C. Dial up User
D. Hub-and-Spoke

Correct Answer: A
Community vote distribution: A (100%)

Question #5 Topic 1

Refer to the exhibits, which show the system performance output and the default configuration of high memory usage thresholds in a FortiGate. Based on the system performance output, what can be the two possible outcomes? (Choose two.)

A. FortiGate will start sending all files to FortiSandbox for inspection.
B. FortiGate has entered conserve mode. (Most Voted)
C. Administrators cannot change the configuration. (Most Voted)
D. Administrators can access FortiGate only through the console port.

Correct Answer: BC
Community vote distribution: BC (100%)

Question #6 Topic 1

Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device. Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet. Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)

A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
B. In the IP pool configuration, set endip to 192.2.0.12. (Most Voted)
C. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.
D. In the IP pool configuration, set type to overload. (Most Voted)

Correct Answer: BD
Community vote distribution: BD (100%)

Question #7 Topic 1

Which method allows management access to the FortiGate CLI without network connectivity?

A. CLI console widget
B. Serial console (Most Voted)
C. Telnet console
D. SSH console

Correct Answer: B
Community vote distribution: B (100%)

Question #8 Topic 1

Refer to the exhibit. In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit. What should the administrator do next, to troubleshoot the problem?

A. Execute a debug flow. (Most Voted)
B. Capture the traffic using an external sniffer connected to port1.
C. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".
D. Run a sniffer on the web server.

Correct Answer: A
Community vote distribution: A (100%)

Question #9 Topic 1

Refer to the exhibit. The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile. An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. What are two solutions for satisfying the requirement? (Choose two.)

A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
B. Set the Freeware and Software Downloads category Action to Warning.
C. Configure a web override rating for download.com and select Malicious Websites as the subcategory. (Most Voted)
D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively. (Most Voted)

Correct Answer: CD
Community vote distribution: CD (100%)

Question #10 Topic 1

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

A. Enable Dead Peer Detection. (Most Voted)
B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. (Most Voted)
D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Correct Answer: AC
Community vote distribution: AC (100%)

Question #11 Topic 1

Refer to the exhibits. The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details. Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

A. Apple FaceTime will be allowed, based on the Video/Audio category configuration.
B. Apple FaceTime will be allowed, based on the Apple filter configuration.
C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration. (Most Voted)

Correct Answer: D
Community vote distribution: D (91%) 9%

Question #12 Topic 1

An employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A. SSL VPN idle-timeout
B. SSL VPN login-timeout (Most Voted)
C. SSL VPN dtls-hello-timeout
D. SSL VPN session-ttl

Correct Answer: B
Community vote distribution: B (58%) C (42%)

Question #13 Topic 1

When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate. Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)

A. Allow & Warning
B. Trust & Allow (Most Voted)
C. Allow (Most Voted)
D. Block & Warning
E. Block (Most Voted)

Correct Answer: BCE
Community vote distribution: BCE (61%) ABE (39%)

Question #14 Topic 1

Refer to the exhibit, which shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will gather a packet log for all matched traffic. (Most Voted)
B. The sensor will reset all connections that match these signatures.
C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature. (Most Voted)
D. The sensor will block all attacks aimed at Windows servers.

Correct Answer: AC
Community vote distribution: AC (45%) CD (36%) AD (18%)

Question #15 Topic 1

Which statement is a characteristic of automation stitches?

A. They can be run only on devices in the Security Fabric.
B. They can be created only on downstream devices in the fabric.
C. They can have one or more triggers.
D. They can run multiple actions at the same time. (Most Voted)

Correct Answer: D
Community vote distribution: D (73%) C (27%)

Question #16 Topic 1

What is the primary FortiGate election process when the HA override setting is disabled?

A. Connected monitored ports > Priority > System uptime > FortiGate serial number
B. Connected monitored ports > System uptime > Priority > FortiGate serial number
C. Connected monitored ports > Priority > HA uptime > FortiGate serial number
D. Connected monitored ports > HA uptime > Priority > FortiGate serial number (Most Voted)

Correct Answer: D
Community vote distribution: D (100%)

Question #17 Topic 1

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN. (Most Voted)
B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate. (Most Voted)
C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
D. The client FortiGate requires a manually added route to remote subnets.

Correct Answer: AB
Community vote distribution: AB (75%) BC (25%)

Question #18 Topic 1

Refer to the exhibit. Which statement about this firewall policy list is true?

A. The Implicit group can include more than one deny firewall policy.
B. The firewall policies are listed by ID sequence view.
C. The firewall policies are listed by ingress and egress interfaces pairing view.
D. LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists. (Most Voted)

Correct Answer: D
Community vote distribution: D (80%) C (20%)

Question #19 Topic 1

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. Based on the exhibit, which statement is true?

A. The underlay zone contains port1 and port2.
B. The d-wan zone contains no member. (Most Voted)
C. The d-wan zone cannot be deleted.
D. The virtual-wan-link zone contains no member.

Correct Answer: B
Community vote distribution: B (100%)

Question #20 Topic 1

Which two statements describe how the RPF check is used? (Choose two.)

A. The RPF check is run on the first sent packet of any new session. (Most Voted)
B. The RPF check is run on the first reply packet of any new session.
C. The RPF check is run on the first sent and reply packet of any new session.
D. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks. (Most Voted)

Correct Answer: AD
Community vote distribution: AD (83%) BD (17%)

Question #21 Topic 1

Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)

A. Manual with load balancing (Most Voted)
B. Lowest Cost (SLA) with load balancing (Most Voted)
C. Best Quality with load balancing
D. Lowest Quality (SLA) with load balancing
E. Lowest Cost (SLA) without load balancing (Most Voted)

Correct Answer: ABE
Community vote distribution: ABE (65%) ABC (30%) 5%

Question #22 Topic 1

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

A. Pre-shared key and certificate signature as authentication methods (Most Voted)
B. Extended authentication (XAuth) to request the remote peer to provide a username and password (Most Voted)
C. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
D. No certificate is required on the remote peer when you set the certificate signature as the authentication method

Correct Answer: AB
Community vote distribution: AB (100%)

Question #23 Topic 1

Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.)

A. Checksums of devices are compared against each other to ensure configurations are the same. (Most Voted)
B. Incremental configuration synchronization can occur only from changes made on the primary FortiGate device.
C. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster. (Most Voted)
D. Checksums of devices will be different from each other because some configuration items are not synced to other HA members.

Correct Answer: AC
Community vote distribution: AC (100%)

Question #24 Topic 1

What are two features of the NGFW profile-based mode? (Choose two.)

A. NGFW profile-based mode can only be applied globally and not on individual VDOMs.
B. NGFW profile-based mode must require the use of central source NAT policy.
C. NGFW profile-based mode policies support both flow inspection and proxy inspection.
D. NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy.

Correct Answer: CD
Community vote distribution: CD (100%)

Question #25 Topic 1

Refer to the exhibit to view the firewall policy. Why would the firewall policy not block a well-known virus, for example eicar?

A. The action on the firewall policy is not set to deny.
B. The firewall policy is not configured in proxy-based inspection mode.
C. Web filter is not enabled on the firewall policy to complement the antivirus profile.
D. The firewall policy does not apply deep content inspection.

Correct Answer: D
Community vote distribution: D (100%)

Question #26 Topic 1

Which inspection mode does FortiGate use for application profiles if it is configured as a profile-based next-generation firewall (NGFW)?

A. Full content inspection
B. Proxy-based inspection
C. Certificate inspection
D. Flow-based inspection (Most Voted)

Correct Answer: D
Community vote distribution: D (100%)

Question #27 Topic 1

Refer to the exhibit showing a FortiGuard connection debug output. Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)

A. One server was contacted to retrieve the contract information. (Most Voted)
B. There is at least one server that lost packets consecutively.
C. A local FortiManager is one of the servers FortiGate communicates with.
D. FortiGate is using default FortiGuard communication settings. (Most Voted)

Correct Answer: AD
Community vote distribution: AD (100%)

Question #28 Topic 1

Refer to the exhibit. Why did FortiGate drop the packet?

A. It matched an explicitly configured firewall policy with the action DENY.
B. It failed the RPF check.
C. The next-hop IP address is unreachable.
D. It matched the default implicit firewall policy. (Most Voted)

Correct Answer: D
Community vote distribution: D (100%)

Question #29 Topic 1

An administrator must enable a DHCP server on one of the directly connected networks on FortiGate. However, the administrator is unable to complete the process on the GUI to enable the service on the interface. In this scenario, what prevents the administrator from enabling DHCP service?

A. The role of the interface prevents setting a DHCP server. (Most Voted)
B. The DHCP server setting is available only on the CLI.
C. Another interface is configured as the only DHCP server on FortiGate.
D. The FortiGate model does not support the DHCP server.

Correct Answer: A
Community vote distribution: A (100%)

Question #30 Topic 1

Refer to the exhibit. Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit. What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?

A. Traffic matching the signature will be allowed and logged.
B. The signature setting uses a custom rating threshold.
C. The signature setting includes a group of other signatures.
D. Traffic matching the signature will be silently dropped and logged. (Most Voted)

Correct Answer: D
Community vote distribution: D (100%)

Question #31 Topic 1

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. Which order must FortiGate use when the web filter profile has features such as safe search enabled?

A. FortiGuard category filter and rating filter
B. Static domain filter, SSL inspection filter, and external connectors filters
C. DNS-based web filter and proxy-based web filter
D. Static URL filter, FortiGuard category filter, and advanced filters (Most Voted)

Correct Answer: D
Community vote distribution: D (100%)

Question #32 Topic 1

FortiGate is integrated with FortiAnalyzer and FortiManager. When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

A. Log ID
B. Policy ID
C. Sequence ID
D. Universally Unique Identifier (Most Voted)

Correct Answer: D
Community vote distribution: D (100%)

Question #33 Topic 1

An administrator configured a FortiGate to act as a collector for agentless polling mode. What must the administrator add to the FortiGate device to retrieve AD user group information?

A. RADIUS server
B. DHCP server
C. Windows server
D. LDAP server

Correct Answer: D
Community vote distribution: D (100%)

Question #34 Topic 1

An administrator manages a FortiGate model that supports NTurbo. How does NTurbo enhance performance for flow-based inspection?

A. NTurbo offloads traffic to the content processor.
B. NTurbo creates two inspection sessions on the FortiGate device.
C. NTurbo buffers the whole file and then sends it to the antivirus engine.
D. NTurbo creates a special data path to redirect traffic between the IPS engine and its ingress and egress interfaces. (Most Voted)

Correct Answer: D
Community vote distribution: D (85%) A (15%)

Question #35 Topic 1

Refer to the exhibit. FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles. Which action must the administrator perform to consolidate the two policies into one?

A. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy. (Most Voted)
B. Create an Interface Group that includes port1 and port2 to create a single firewall policy.
C. Select port1 and port2 subnets in a single firewall policy.
D. Replace port1 and port2 with the any interface in a single firewall policy.

Correct Answer: A
Community vote distribution: A (100%)

Question #36 Topic 1

Refer to the exhibit, which shows a partial configuration from the remote authentication server. Why does the FortiGate administrator need this configuration?

A. To authenticate only the Training user group. (Most Voted)
B. To set up a RADIUS server Secret.
C. To authenticate and match the Training OU on the RADIUS server.
D. To authenticate Any FortiGate user groups.

Correct Answer: A
Community vote distribution: A (100%)

Question #37 Topic 1

Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

A. 10.200.1.1
B. 10.200.1.149
C. 10.200.1.99 (Most Voted)
D. 10.200.1.49

Correct Answer: C
Community vote distribution: C (100%)

Question #38 Topic 1

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match. Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

A. On HQ-FortiGate, disable Diffie-Hellman group 2.
B. On Remote-FortiGate, set port2 as Interface. (Most Voted)
C. On both FortiGate devices, set Dead Peer Detection to On Demand.
D. On HQ-FortiGate, set IKE mode to Main (ID protection). (Most Voted)

Correct Answer: BD
Community vote distribution: BD (100%)

Question #39 Topic 1

A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors. What is the reason for the certificate warning errors?

A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.
B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
C. The browser does not recognize the certificate in use as signed by a trusted CA. (Most Voted)
D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.

Correct Answer: C
Community vote distribution: C (100%)

Question #40 Topic 1

Refer to the exhibit. FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt. What is the most likely reason for this situation?

A. The Service DNS is required in the firewall policy. (Most Voted)
B. The user is using an incorrect user name.
C. The Remote-users group is not added to the Destination.
D. No matching user account exists for this user.

Correct Answer: A
Community vote distribution: A (100%)

Question #41 Topic 1

Which three methods are used by the collector agent for AD polling? (Choose three.)

A. WinSecLog (Most Voted)
B. WMI (Most Voted)
C. NetAPI (Most Voted)
D. FSSO REST API
E. FortiGate polling

Correct Answer: ABC
Community vote distribution: ABC (100%)

Question #42 Topic 1

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)

A. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode. (Most Voted)
B. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
C. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP.
D. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings. (Most Voted)

Correct Answer: AD
Community vote distribution: AD (100%)

Question #43 Topic 1

What are two features of collector agent advanced mode? (Choose two.)

A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate. (Most Voted)
B. Advanced mode supports nested or inherited groups. (Most Voted)
C. In advanced mode, security profiles can be applied only to user groups, not individual users.
D. Advanced mode uses the Windows convention —NetBios: Domain\Username.

Correct Answer: AB
Community vote distribution: AB (100%)

Question #44 Topic 1

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?

A. It uses UDP 8888.
B. It uses DNS over HTTPS.
C. It uses DNS over TLS. (Most Voted)
D. It uses UDP 53.

Correct Answer: C
Community vote distribution: C (100%)

Question #45 Topic 1

Refer to the exhibits, which show the firewall policy and an antivirus profile configuration. Why is the user unable to receive a block replacement message when downloading an infected file for the first time?

A. The intrusion prevention security profile must be enabled when using flow-based inspection mode.
B. The option to send files to FortiSandbox for inspection is enabled.
C. The firewall policy performs a full content inspection on the file.
D. Flow-based inspection is used, which resets the last packet to the user. (Most Voted)

Correct Answer: D
Community vote distribution: D (100%)

Question #46 Topic 1

Refer to the exhibits. FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit. What would be the expected outcome in the HA cluster?

A. FGT-1 will remain the primary because FGT-2 has lower priority.
B. FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.
C. FGT-1 will synchronize the override disable setting with FGT-2.
D. The HA cluster will become out of sync because the override setting must match on all HA members.

Correct Answer: B

Question #47 Topic 1

Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver. Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

A. Enable match-vip in the Deny policy. (Most Voted)
B. Set the Destination address as Webserver in the Deny policy. (Most Voted)
C. Disable match-vip in the Deny policy.
D. Set the Destination address as Deny_IP in the Allow_access policy.

Correct Answer: AB
Community vote distribution: AB (100%)

Question #48 Topic 1

Which two statements explain antivirus scanning modes? (Choose two.)

A. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.
B. In flow-based inspection mode, files bigger than the buffer size are scanned.
C. In proxy-based inspection mode, files bigger than the buffer size are scanned.
D. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

Correct Answer: AD
Community vote distribution: AD (100%)

Question #49 Topic 1

Refer to the exhibits, which show the firewall policy and the security profile for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts. Which part of the configuration must you change to resolve the issue?

A. Make the SSL inspection a deep content inspection
B. Add Facebook to the URL category in the security policy
C. Disable HTTP redirect to HTTPS on the web browser
D. Get the additional application signatures required to add to the security policy

Correct Answer: D
Community vote distribution: A (100%)

Question #50 Topic 1

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A. Internet Service Database (ISDB) engine
B. Intrusion prevention system engine (Most Voted)
C. Antivirus engine
D. Application control engine

Correct Answer: B
Community vote distribution: B (100%)
