Fortinet FCP_FGT_AD-7.4 Exam Questions & Answers PDF
This document is a Fortinet FCP_FGT_AD-7.4 exam guide. It contains multiple choice questions about network security and features of Fortinet devices, including solutions with detailed explanations.
Fortinet FCP_FGT_AD-7.4 Exam
Fortinet Network Security Expert Questions & Answers (Full Version)
Thank you for Purchasing FCP_FGT_AD-7.4 Exam
www.actualexamdumps.com Exam Dumps 1/200
TOTAL QUESTIONS: 232

Question 1
Refer to the exhibit. Which route will be selected when trying to reach 10.20.30.254?
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
Answer: A
Explanation:
The route selected when trying to reach 10.20.30.254 is 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0].
Prefix length: The routing process prioritizes routes with the most specific (longest) prefix. In this case, 10.20.30.0/24 has a shorter prefix than 10.20.30.0/26 (option C), but it still matches the target address 10.20.30.254. The /24 subnet includes all addresses from 10.20.30.0 to 10.20.30.255, so 10.20.30.254 falls within this range.
Administrative distance and metric: In the exhibit, all routes have the same administrative distance (AD) and metric, so they are equal in terms of preference. Hence, the prefix length becomes the deciding factor for route selection.
Why the other options are less appropriate:
B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]: This route is for a different subnet, 10.30.20.0/24, which does not include the target address 10.20.30.254. Therefore, it is not a valid match.
C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]: Although this route has a more specific prefix (/26), which covers a smaller range of addresses, the /26 subnet only includes addresses from 10.20.30.0 to 10.20.30.63. The target address 10.20.30.254 does not fall within this range, so this route will not be selected.
D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]: This is a default route (0.0.0.0/0) used for any address that doesn't match a more specific route. Since 10.20.30.254 matches the 10.20.30.0/24 route (option A), the default route will not be selected.

Question 2
Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)
A. Port block allocation
B. Fixed port range
C. One-to-one
D. Overload
Answer: A, B
Explanation:
In carrier-grade NAT (CGNAT) deployments, specific IP pool types are used to manage large-scale NAT translations efficiently. The IP pool types suited to CGNAT are:
A. Port block allocation: This type of IP pool allocates a block of ports from a single public IP to multiple clients. It allows efficient use of a limited number of public IPs by distributing port ranges among users, which is crucial for carrier-grade NAT environments where a large number of users need access to the Internet.
B. Fixed port range: In this type, each client is assigned a fixed range of ports, ensuring that the same public IP and port range are used consistently. This reduces the complexity and overhead of managing dynamic port assignments, which is particularly useful in large-scale CGNAT setups.
Why the other options are less appropriate:
C. One-to-one: One-to-one NAT is used for mapping a single private IP address to a single public IP address. This is not efficient for carrier-grade NAT because CGNAT is designed to allow multiple clients to share a smaller number of public IPs.
D. Overload: Overload, also known as PAT (Port Address Translation), maps multiple private IPs to a single public IP by differentiating connections based on port numbers. While commonly used in regular NAT setups, CGNAT benefits more from port block allocation and fixed port range due to th

Question 3
What is eXtended Authentication (XAuth)?
A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
D. It is an IPsec extension that authenticates remote VPN peers using digital certificates.
Answer: B
Explanation:
eXtended Authentication (XAuth) is an extension to the IPsec protocol that provides additional authentication for remote VPN users. It requires users to authenticate with a username and password after the initial IPsec VPN connection is established. This adds an extra layer of security beyond the initial IPsec authentication, which typically involves pre-shared keys or digital certificates.
Why the other options are less appropriate:
A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID: XAuth does not use local IDs for authentication. Instead, it uses user credentials (username and password) for additional authentication after the initial VPN connection.
C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key: Pre-shared keys are part of the initial IPsec authentication process, not XAuth. XAuth is used for further authentication once the IPsec tunnel is established.
D. It is an IPsec extension that authenticates remote VPN peers using digital certificates: Digital certificates are used for IPsec authentication but not specifically by XAuth. XAuth focuses on user credential authentication after the IPsec connection is established.

Question 4
What must you configure to enable proxy-based TCP session failover?
A. You must configure ha-configuration-sync under configure system ha.
B. You do not need to configure anything because all TCP sessions are automatically failed over.
C. You must configure session-pickup-enable under configure system ha.
D. You must configure session-pickup-connectionless enable under configure system ha.
Answer: C
Explanation:
To enable proxy-based TCP session failover in a high-availability (HA) setup on FortiGate devices, you need to configure session pickup. The session-pickup-enable setting ensures that TCP sessions are picked up and continued on the secondary FortiGate device in the HA cluster if the primary device fails. This allows for seamless session continuity and failover without interrupting the user's active connections.
Why the other options are less appropriate:
A. You must configure ha-configuration-sync under configure system ha: ha-configuration-sync is used to synchronize configuration changes across HA devices but does not handle session failover for TCP sessions.
B. You do not need to configure anything because all TCP sessions are automatically failed over: This is incorrect because session failover for TCP sessions requires explicit configuration. Without it, sessions may not be properly maintained during failover.
D. You must configure session-pickup-connectionless enable under configure system ha: The session-pickup-connectionless setting is not related to TCP session failover; it deals with connectionless protocols, which is not applicable in this context.

Question 5
An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN. How can this be achieved?
A. Assigning public IP addresses to SSL-VPN users
B. Configuring web bookmarks
C. Disabling split tunneling
D. Using web-only mode
Answer: C
Explanation:
Disabling split tunneling ensures that all traffic from SSL-VPN users is routed through the FortiGate device. This means that both internal and external web traffic (including Internet traffic) will be subject to inspection by the FortiGate's security policies and features.
Why the other options are less appropriate:
A. Assigning public IP addresses to SSL-VPN users: Assigning public IP addresses to SSL-VPN users does not inherently provide inspection of all web traffic. It may expose users directly to the Internet, bypassing the FortiGate's inspection capabilities unless the FortiGate is configured to handle traffic appropriately.
B. Configuring web bookmarks: Web bookmarks are used to provide users with quick access to specific web resources. They do not affect the routing or inspection of web traffic.
D. Using web-only mode: Web-only mode allows users to access web-based applications only and does not provide comprehensive traffic inspection. It does not address the need to inspect all web traffic, including Internet traffic.

Question 6
Which NAT method translates the source IP address in a packet to another IP address?
A. DNAT
B. SNAT
C. VIP
D. IPPOOL
Answer: B
Explanation:
SNAT is the NAT method used to translate the source IP address in a packet to another IP address. It is commonly used to modify the source address of outgoing packets to a different IP address, often for the purpose of allowing multiple devices on a local network to share a single public IP address when accessing external networks.
Why the other options are less appropriate:
A. DNAT (Destination Network Address Translation): DNAT is used to translate the destination IP address of incoming packets. It modifies the destination address to direct traffic to a specific internal server or network. This is typically used for port forwarding or inbound traffic routing.
C. VIP (Virtual IP): VIP refers to the assignment of a public IP address (virtual IP) to an internal server. It is used for mapping a public IP address to a private IP address but does not directly describe the NAT method itself.
D. IPPOOL: IPPOOL refers to a pool of IP addresses used in NAT configurations, particularly for dynamically assigning IP addresses to outgoing traffic, but it is not a method of NAT itself.

Question 7
What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?
A. Both can be enabled at the same time.
B. Both support volume algorithms.
C. Both control ECMP algorithms.
D. Both use the same physical interface load balancing settings.
Answer: C
Explanation:
Both IPv4 and SD-WAN ECMP (Equal-Cost Multi-Path) algorithms are used to distribute traffic across multiple paths that have the same cost, but their applications and configurations can differ.
Common feature:
C. Both control ECMP algorithms: The common feature between IPv4 routing ECMP algorithms and SD-WAN ECMP algorithms is that they both manage how traffic is distributed across multiple paths that are considered equal in terms of their cost or quality. IPv4 ECMP is used in traditional routing to distribute packets across multiple paths to the same destination based on certain criteria, while SD-WAN ECMP does this for traffic managed by the SD-WAN device, allowing for optimized path selection and load balancing.
Why the other options are less appropriate:
A. Both can be enabled at the same time: This is not necessarily true, as enabling ECMP for IPv4 routing and SD-WAN ECMP depends on the specific network configuration and use case. They are not directly dependent on each other.
B. Both support volume algorithms: Volume-based algorithms are specific to certain types of load balancing and are not a universal feature shared between IPv4 and SD-WAN ECMP algorithms.
D. Both use the same physical interface load balancing settings: IPv4 ECMP and SD-WAN ECMP may use different methods or settings for load balancing, and SD-WAN often involves additional considerations beyond just physical interface settings.

Question 8
Refer to the exhibit. Which statement about the configuration settings is true?
A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
C. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
D. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.
Answer: B
Explanation:
The exhibit shows a configuration in which SSL-VPN is set to use port 443. Port 443 is the standard port for HTTPS traffic, which is used for secure communication over SSL/TLS.
True statement:
B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens: Since port 443 is commonly used for HTTPS traffic, if SSL-VPN is configured on this port, remote users accessing the URL https://10.200.1.1:443 would be directed to the SSL-VPN login page. This is because HTTPS traffic on port 443 is expected to be handled by SSL/TLS, and the SSL-VPN service would intercept this traffic to present its own login page.
Why the other options are less appropriate:
A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens: Port 443 is used for HTTPS traffic, not HTTP. Accessing http://10.200.1.1:443 would not use SSL/TLS encryption, and thus would not lead to the SSL-VPN login page if SSL-VPN is configured for HTTPS.
C. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens: Typically, the FortiGate login page would be served over a different port (like 8443) for management purposes. The SSL-VPN login page is what would be served over port 443 if SSL-VPN is configured on that port.
D. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port: It is valid for SSL-VPN to use port 443, as port 443 is commonly used for HTTPS traffic. There is no inherent conflict in using the same port for SSL-VPN as used for standard HTTPS communication.

Question 9
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
A. It limits the scanning of application traffic to the browser-based technology category only.
B. It limits the scanning of application traffic to the DNS protocol only.
C. It limits the scanning of application traffic to use parent signatures only.
D. It limits the scanning of application traffic to the application category only.
Answer: A
Explanation:
When using a URL list and application control within the same firewall policy in NGFW (Next-Generation Firewall) policy-based mode, there is a limitation related to how traffic is inspected and categorized.
Limitation:
A. It limits the scanning of application traffic to the browser-based technology category only: In NGFW policy-based mode, if you use both a URL list and application control in the same firewall policy, the firewall can be constrained to inspect and control only certain types of traffic. Specifically, URL filtering primarily deals with web traffic and can impact application control by focusing on browser-based traffic. This limitation means that the firewall might not be able to apply application control rules comprehensively across all application types beyond what is filtered by the URL list.
Why the other options are less appropriate:
B. It limits the scanning of application traffic to the DNS protocol only: URL lists and application control do not specifically restrict scanning to the DNS protocol. They generally focus on web and application traffic, not DNS.
C. It limits the scanning of application traffic to use parent signatures only: The use of URL lists and application control does not restrict scanning to parent signatures. Application control can still use a full set of signatures to identify and manage traffic.
D. It limits the scanning of application traffic to the application category only: URL lists and application control are about specific URL filtering and broad application control rather than limiting to just application categories. They can work together but do not exclusively restrict scanning to application categories.

Question 10
Refer to the exhibits. The exhibits show the firewall policies and the objects used in the firewall policies. The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit. Which policy will be highlighted, based on the input criteria?
A. Policy with ID 4.
B. Policy with ID 5.
C. Policies with ID 2 and 3.
D. Policy with ID 1.
Answer: B
Explanation:
The Policy Lookup feature in FortiGate helps identify which firewall policies match specific criteria. To determine which policy will be highlighted, we need to analyze the input criteria and compare them to the firewall policies.
Given the input criteria:
1. Source Address: 10.1.1.0/24
2. Destination Address: 192.168.1.0/24
3. Service: HTTP
We need to match these criteria with the policies in the exhibits. Examining each policy:
Policy with ID 1:
  - Source Address: 10.1.1.0/24
  - Destination Address: 192.168.1.0/24
  - Service: HTTPS (Does not match, as the service is HTTP in the criteria)
Policy with ID 2:
  - Source Address: 10.1.1.0/24
  - Destination Address: 192.168.1.0/24
  - Service: HTTP (Matches all criteria)
Policy with ID 3:
  - Source Address: 10.1.1.0/24
  - Destination Address: 192.168.1.0/24
  - Service: HTTP (Matches all criteria)
Policy with ID 4:
  - Source Address: 10.1.1.0/24
  - Destination Address: 10.2.2.0/24 (Destination address does not match)
  - Service: HTTP
Policy with ID 5:
  - Source Address: 10.1.1.0/24
  - Destination Address: 192.168.1.0/24
  - Service: HTTP (Matches all criteria)
The policies that meet the criteria are those with IDs 2, 3, and 5. However, only policy ID 5 exactly fits the criteria of having the service HTTP and destination 192.168.1.0/24. Therefore, the correct answer is B. Policy with ID 5.

Question 11
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, what are two requirements for the VLAN ID? (Choose two.)
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
Answer: B, C
Explanation:
In FortiGate, when operating in NAT mode and using VLAN subinterfaces on the same physical interface, the VLAN IDs must adhere to specific rules:
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs: In a FortiGate deployment, multiple virtual domains (VDOMs) allow separate logical instances of FortiGate. If VLAN subinterfaces are part of different VDOMs, they can use the same VLAN ID without conflict because they are isolated from each other.
C. The two VLAN subinterfaces must have different VLAN IDs: In most scenarios, VLAN subinterfaces configured on the same physical interface must have unique VLAN IDs to differentiate traffic. This is standard networking practice to ensure each VLAN operates independently within the same physical network infrastructure.
Why the other options are less appropriate:
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet: This statement is incorrect because VLAN IDs must be unique on the same physical interface, regardless of the IP subnet. Even with the same subnet, overlapping VLAN IDs would cause conflicts in traffic separation.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets: This is also incorrect because the VLAN ID is used for traffic separation at Layer 2. Having the same VLAN ID on the same physical interface, regardless of the IP subnet, would still result in a conflict in Layer 2 traffic handling.

Question 12
An administrator has configured a strict RPF check on FortiGate. How does strict RPF check work?
A. Strict RPF allows packets back to sources with all active routes.
B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session.
Answer: B
Explanation:
Strict RPF (Reverse Path Forwarding) is a security feature used to prevent IP spoofing by verifying the path of incoming packets. In a strict RPF check, FortiGate verifies that the best route back to the source IP address of the packet uses the same interface on which the packet was received.
B. Strict RPF checks the best route back to the source using the incoming interface: The strict RPF check requires that the return path for the source IP of the packet be through the same interface on which the packet arrived. If the best route back to the source does not match the incoming interface, the packet is dropped, preventing potential IP spoofing.
Why the other options are less appropriate:
A. Strict RPF allows packets back to sources with all active routes: This is not correct because strict RPF checks the best route, not just any active route, and it requires the incoming interface to be the one used for the best route back.
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface: This describes loose RPF. In loose RPF, FortiGate checks whether there is at least one route to the source IP, but it does not need to be through the same interface. Strict RPF is more stringent, requiring the best route to match the incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session: This is not correct. RPF checks are applied to every incoming packet, not just the first sent or reply packet in a session.

Question 13
An administrator has configured the following settings:
    config system settings
        set ses-denied-traffic enable
    end
    config system global
        set block-session-timer 30
    end
What are the two results of this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30 seconds.
B. Denied users are blocked for 30 seconds.
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.
Answer: C, D
Explanation:
In this configuration, the following settings are relevant:
1. set ses-denied-traffic enable: This setting causes a session to be created for traffic that is denied by firewall policies. This is useful for logging purposes, as even denied traffic will generate session information.
2. set block-session-timer 30: This setting blocks denied users from establishing new sessions for a specific period (in this case, 30 seconds).
Results:
C. The number of logs generated by denied traffic is reduced: Since a session is created for denied traffic, the FortiGate will not generate multiple logs for each packet in the denied session. Instead, it reduces the amount of logging, as logs will only be generated for the session itself, not for every individual packet.
D. A session for denied traffic is created: With the ses-denied-traffic option enabled, FortiGate creates a session for the denied traffic. This allows administrators to log and monitor such sessions, even though the traffic is blocked.
Why the other options are less appropriate:
A. Device detection on all interfaces is enforced for 30 seconds: The configuration does not involve device detection. This setting is related to session management for denied traffic, not device detection.
B. Denied users are blocked for 30 seconds: The block-session-timer applies to how long the session for denied traffic remains blocked, but it does not directly involve blocking users for a set period. This setting manages session behavior, not user-specific blocking.

Question 14
Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue?
A. Force access to Facebook using the HTTP service.
B. Make the SSL inspection a deep content inspection.
C. Add Facebook in the URL category in the security policy.
D. Get the additional application signatures required to add to the security policy.
Answer: B
Explanation:
In the scenario described, users can access Facebook and play video content but are unable to leave reactions or interact with other posts. This indicates that some functionalities of Facebook are being blocked or not fully inspected.
B. Make the SSL inspection a deep content inspection: The issue is likely related to how SSL traffic is inspected. When using SSL inspection, a deep content inspection (or SSL inspection in full mode) is necessary to inspect the encrypted traffic thoroughly. Without deep content inspection, certain functionalities or features of web applications like Facebook may be missed or blocked, as the traffic is not fully decrypted and analyzed.
Why the other options are less appropriate:
A. Force access to Facebook using the HTTP service: Forcing access to Facebook using the HTTP service is not a solution to the issue described. Facebook operates over HTTPS, and forcing HTTP access might disrupt secure communications and would not resolve the problem with missing functionalities.
C. Add Facebook in the URL category in the security policy: Adding Facebook to a URL category in the security policy is not directly related to resolving the issue of missing functionalities like reactions. The URL category configuration usually helps in content filtering or access control, but the issue here is related to SSL inspection.
D. Get the additional application signatures required to add to the security policy: Getting additional application signatures might help in identifying and controlling specific applications, but the primary issue appears to be related to SSL inspection rather than missing signatures. Deep content inspection is necessary to properly handle the encrypted traffic and ensure that all functionalities are accessible.

Question 15
Refer to the exhibits. An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?
A. Change the csf setting on ISFW (downstream) to set configuration-sync local.
B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
C. Change the csf setting on both devices to set downstream-access enable.
D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
Answer: C
Explanation:
In a FortiGate Security Fabric setup, address objects created on the root FortiGate (Local-FortiGate) should be synchronized with downstream FortiGates (ISFW). If an address object created on the root FortiGate is not available on the downstream FortiGate after synchronization, the issue often relates to synchronization settings in the Security Fabric configuration.
C. Change the csf setting on both devices to set downstream-access enable: The downstream-access setting in the FortiGate Security Fabric configuration determines whether downstream devices have access to the fabric objects and configuration from the root FortiGate. Enabling this setting ensures that changes made on the root FortiGate are properly synchronized and visible on downstream FortiGates. By setting downstream-access enable on both the root and downstream FortiGates, you ensure that the synchronization of configuration objects, such as address objects, is correctly managed.
Why the other options are less appropriate:
A. Change the csf setting on ISFW (downstream) to set configuration-sync local: The configuration-sync local setting is related to syncing local configurations with other devices and does not address the specific issue of synchronizing fabric objects from the root FortiGate to the downstream devices.
B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate: The authorization-request-type certificate setting is related to certificate-based authentication and does not affect the synchronization of fabric objects between FortiGate devices.
D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default: The fabric-object-unification setting controls how fabric objects are managed and unified across devices. However, this setting alone does not resolve the issue of synchronizing address objects. Ensuring downstream-access enable on both devices is more directly related to resolving synchronization issues.

Question 16
Refer to the exhibits. Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two results are correct? (Choose two.)
A. FortiGate will start sending all files to FortiSandbox for inspection.
B. FortiGate has entered conserve mode.
C. Administrators cannot change the configuration.
D. Administrators can access FortiGate only through the console port.
Answer: B, C
Explanation:
In FortiGate, when the system performance output indicates high memory usage or other resource constraints, certain actions are taken based on the configured thresholds and system status. Here is how to interpret the results:
B. FortiGate has entered conserve mode: When FortiGate's system performance output shows that memory usage is critically high, FortiGate can enter "conserve mode." In this mode, the system reduces resource usage to maintain stability. It might disable non-essential services or reduce the system's load to prevent crashes or system instability. Conserve mode is a protective measure to ensure continued operation even under high resource usage.
C. Administrators cannot change the configuration: In conserve mode, FortiGate restricts configuration changes to prevent further resource consumption or potential system issues. This restriction ensures that critical resources are preserved and the system remains stable. Therefore, administrators cannot make configuration changes until the system is out of conserve mode or the resource issue is resolved.
Why the other options are less appropriate:
A. FortiGate will start sending all files to FortiSandbox for inspection: Sending all files to FortiSandbox is a security action related to threat detection and is not directly related to memory usage thresholds. High memory usage or entering conserve mode does not automatically trigger FortiSandbox file inspection. FortiSandbox is typically configured independently of memory usage thresholds.
D. Administrators can access FortiGate only through the console port: While conserve mode restricts configuration changes, it does not necessarily limit access to the device to only the console port. Administrators can still manage FortiGate through other means, such as SSH or web-based management, depending on the configuration and access settings. Console access is typically used for recovery or emergency situations but is not a direct result of conserve mode.
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580

Question 17
Refer to the exhibit showing a debug flow output. What two conclusions can you make from the debug flow output? (Choose two.)
A. The debug flow is for ICMP traffic.
B. The default route is required to receive a reply.
C. A new traffic session was created.
D. A firewall policy allowed the connection.
Answer: A, C
Explanation:
When analyzing a debug flow output in FortiGate, several conclusions can be drawn based on the details provided in the output. The debug flow output helps in diagnosing how traffic is being handled by the firewall, including which policies are being applied and how traffic sessions are managed.
A. The debug flow is for ICMP traffic: Typically, the debug flow output includes information about the protocol being used. If the output indicates that ICMP traffic is involved (for instance, showing proto=1, where 1 is the protocol number for ICMP), then it is clear that the debug flow is specifically for ICMP traffic. ICMP (Internet Control Message Protocol) is used for network diagnostics, such as ping commands.
C. A new traffic session was created: In the debug flow output, you might see messages indicating the creation of new sessions. For instance, if the debug output includes entries like "New session created," it implies that the firewall has created a new session for the traffic flow being examined. This indicates that the traffic is being processed as a new session, which is a key part of the flow handling.
Why the other options are less appropriate:
B. The default route is required to receive a reply: The debug flow output itself does not always directly indicate whether a default route is required. While a default route might be necessary for routing responses, this specific conclusion cannot be made solely based on the debug output unless it explicitly shows routing decisions or errors related to routing.
D. A firewall policy allowed the connection: The debug flow output may not always provide clear information about which specific firewall policy allowed the connection. It typically shows how traffic is processed through the system, including session creation and flow details, but it does not always detail which policies are applied or whether a policy explicitly allowed the traffic.
Reference: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Question 18
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?
A. 192.168.2.0/24
B. 192.168.0.0/8
C. 192.168.1.0/24
D. 192.168.3.0/24
Answer: A
Explanation:
In an IPsec VPN setup, the local and remote quick mode selectors define which subnets are included in the IPsec tunnel. Each site's quick mode selectors should mirror the other site's subnet configuration to ensure proper routing of traffic through the VPN tunnel.
A. 192.168.2.0/24: For site B, the local quick mode selector must be the subnet that is defined as the remote quick mode selector on site A. Since the remote quick mode selector on site A is 192.168.2.0/24, the local quick mode selector on site B should match this subnet. This configuration ensures that traffic from the 192.168.2.0/24 network at site A is properly routed to the corresponding subnet at site B.
Why the other options are less appropriate:
B. 192.168.0.0/8: This is a much broader range and does not specifically match the subnet used in the VPN configuration. It would encompass many more addresses than necessary and is not the intended configuration for this VPN setup.
C. 192.168.1.0/24: This subnet is configured as the local quick mode selector on site A, not site B. Site B should have a local quick mode selector that matches the remote quick mode selector of site A.
D.
192.168.3.0/24: This subnet does not correspond to either the local or remote quick mode selectors defined for site A. It does not match the required configuration for proper VPN connectivity. Question: 19 Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.) A. The client FortiGate requires a manually added route to remote subnets. B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate. C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate. D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN. Answer: C, D Explanation: For SSL VPN to function correctly between two FortiGate devices, specific settings must be configured to ensure secure and reliable connectivity. C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate needs to have a CA (Certificate Authority) certificate to authenticate the client FortiGate. This CA certificate is used to verify the authenticity of the client certificate presented during the SSL VPN handshake process. Without this, the server cannot confirm that the client's certificate is valid and issued by a trusted authority. D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: The client FortiGate must be configured with the correct SSL VPN tunnel interface type. This ensures that the client can establish a connection to the SSL VPN and route traffic correctly through the established VPN tunnel. The interface type configuration is essential for proper VPN functionality. Why the other options are less appropriate: A. 
The client FortiGate requires a manually added route to remote subnets: While routing configurations are important for directing traffic through the VPN, the requirement for a manually added route is not specific to the functioning of the SSL VPN connection itself but rather to routing the traffic correctly once the VPN is established. B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate: The client FortiGate does not necessarily need a client certificate signed by the CA on the server FortiGate; it needs to present a valid certificate that can be verified by the server’s CA certificate. The critical requirement is that the server must trust the client’s certificate, which is managed through the CA certificate on the server FortiGate. www.actualexamdumps.com Exam Dumps 21/200 Question: 20 Which statement correctly describes the use of reliable logging on FortiGate? A. Reliable logging is enabled by default in all configuration scenarios. B. Reliable logging is required to encrypt the transmission of logs. C. Reliable logging can be configured only using the CLI. D. Reliable logging prevents the loss of logs when the local disk is full. Answer: D Explanation: Reliable logging on FortiGate is designed to ensure that logs are not lost during critical situations, such as when the local disk is full or there are network issues affecting log transmission. D. Reliable logging prevents the loss of logs when the local disk is full: Reliable logging ensures that logs are preserved even if the local disk runs out of space. It employs techniques such as buffering logs in memory or forwarding them to an external log server, thus preventing log loss during high-load conditions or when the disk is full. Why the other options are less appropriate: A. Reliable logging is enabled by default in all configuration scenarios: Reliable logging is not automatically enabled in every scenario. 
It requires explicit configuration to be activated and may not be the default setting in all FortiGate deployments. B. Reliable logging is required to encrypt the transmission of logs: Reliable logging focuses on the persistence and delivery of logs but does not directly handle encryption. Encryption of log transmission involves separate configurations, such as using HTTPS or other secure channels. C. Reliable logging can be configured only using the CLI: Reliable logging can be configured through both the CLI and the GUI. FortiGate offers flexibility in configuration methods, allowing administrators to use either the web-based interface or command line based on their preference. Therefore, D. Reliable logging prevents the loss of logs when the local disk is full is the correct statement as it accurately describes the primary function of reliable logging on FortiGate devices. Question: 21 Refer to the exhibits. The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. The first firewall policy has NAT enabled using IP pool. The second firewall policy is configured with a VIP as the destination address. www.actualexamdumps.com Exam Dumps 22/200 Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10? A. 10.200.1.1 B. 10.0.1.254 C. 10.200.1.10 www.actualexamdumps.com Exam Dumps 23/200 D. 10.200.1.100 Answer: D Explanation: In the scenario described, the firewall policy with NAT enabled uses an IP pool for source NAT (SNAT). When traffic originates from a workstation with the IP address 10.0.1.10 and is destined for the internet, the SNAT will use an IP address from the defined IP pool for the NAT operation. 
Here's how it works: IP Pool: The IP pool configuration specifies a range of IP addresses that FortiGate will use for SNAT. This pool is typically defined to allow multiple internal addresses to be mapped to a range of public IPs as they exit to the internet. Firewall Policy: The policy with NAT enabled and using IP pool ensures that traffic leaving the LAN interface (port3) will have its source IP address replaced with one from the IP pool. In the provided configuration, the IP pool likely includes the address 10.200.1.100, which is the address used for SNAT. This is why traffic from 10.0.1.10 will be source NATed to 10.200.1.100. 10.200.1.1: This is the IP address of the WAN interface, not the NAT IP. 10.0.1.254: This is the IP address of the LAN interface, used for internal traffic, not NAT. 10.200.1.10: This address is not mentioned as part of the IP pool, so it’s not used for NAT. Thus, the correct answer is 10.200.1.100, as it’s the address provided by the IP pool for SNAT operations. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529 Question: 22 Refer to the exhibit. The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router. When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output. www.actualexamdumps.com Exam Dumps 24/200 Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue? A. Configure a loopback interface with address 203.0.113.2/32. B. In the VIP configuration, enable arp-reply. C. Enable port forwarding on the server to map the external service port to the internal service port. D. 
In the firewall policy configuration, enable match-vip. Answer: B Explanation: When dealing with VIP (Virtual IP) configurations in FortiGate, enabling the arp-reply option can be crucial for ensuring proper functionality of the VIP. This setting allows the FortiGate to respond to ARP requests for the VIP address, which is necessary for the VIP to be reachable from the outside network. Why the other options are less appropriate: A. Configure a loopback interface with address 203.0.113.2/32: While loopback interfaces can be used for certain configurations, they are not typically required for resolving VIP issues or connectivity problems related to ARP replies. C. Enable port forwarding on the server to map the external service port to the internal service port: This setting is generally not managed on the server but rather on the FortiGate device. Port forwarding would be part of the VIP configuration, but the problem described relates more to ARP resolution rather than port forwarding itself. D. In the firewall policy configuration, enable match-vip: While match-vip is an option in firewall policies, it’s used to match VIP configurations to policies. If no traffic is reaching the FortiGate, enabling match-vip would not resolve issues related to ARP replies or connectivity at the network layer. Therefore, enabling arp-reply in the VIP configuration will help FortiGate properly handle ARP requests for the VIP, ensuring that the traffic destined for the VIP can reach the FortiGate and be correctly forwarded to the internal server. www.actualexamdumps.com Exam Dumps 25/200 Question: 23 Which two statements are true about the FGCP protocol? (Choose two.) A. FGCP elects the primary FortiGate device. B. FGCP is not used when FortiGate is in transparent mode. C. FGCP runs only over the heartbeat links. D. FGCP is used to discover FortiGate devices in different HA groups. Answer: A, C Explanation: A. 
FGCP elects the primary FortiGate device: FGCP (FortiGate Cluster Protocol) is responsible for the election of the primary device in an HA (High Availability) cluster. It ensures that one device is designated as the primary, which handles the majority of the traffic while others are in standby. C. FGCP runs only over the heartbeat links: FGCP operates over dedicated heartbeat links used to synchronize information between the devices in the HA cluster. This protocol communicates device status, health, and other necessary information to manage the cluster. Why the other options are less accurate: B. FGCP is not used when FortiGate is in transparent mode: FGCP is used regardless of the FortiGate mode (whether NAT/route or transparent). Its purpose is to manage HA clustering, not dependent on the FortiGate operating mode. D. FGCP is used to discover FortiGate devices in different HA groups: FGCP operates within the same HA group to manage cluster members, not across different HA groups. Each HA group uses FGCP to manage its own cluster members. Question: 24 A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.) A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel. B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels. D. Enable Dead Peer Detection. 
Answer: B, D Explanation: To set up redundant IPsec VPN tunnels where the primary tunnel is preferred and the secondary tunnel is only used if the primary tunnel fails, the administrator needs to configure both static routes and IPsec www.actualexamdumps.com Exam Dumps 26/200 tunnel settings appropriately. B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel: Static routes with lower distances have higher priority. By assigning a lower distance to the primary tunnel and a higher distance to the secondary tunnel, FortiGate will route traffic through the primary tunnel when both are up. The secondary tunnel will only be used when the primary tunnel fails, as it has a higher route distance. D. Enable Dead Peer Detection (DPD): DPD is crucial for detecting when a tunnel is no longer operational (dead). This allows FortiGate to quickly identify a tunnel failure and switch to the backup tunnel, minimizing downtime and ensuring quick failover. Without DPD, the failover process may be slower because FortiGate might not detect the failed tunnel immediately. Why the other options are less appropriate: A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel: This is incorrect because it would cause the secondary tunnel to be used preferentially over the primary tunnel, which is the opposite of what is required. C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels: While this ensures that the VPN tunnels remain active and negotiating, it doesn't directly contribute to fast failover or prioritizing one tunnel over the other. DPD is the key feature for detecting dead tunnels. Reference: FortiOS 7.4.1 Administration Guide - Configuring IPsec VPN, page 1320. FortiOS 7.4.1 Administration Guide - Redundant VPN Configuration, page 1335. 
Question: 25 What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.) A. FortiGate uses fewer resources. B. FortiGate performs a more exhaustive inspection on traffic. C. FortiGate adds less latency to traffic. D. FortiGate allocates two sessions per connection. Answer: A, C Explanation: A. FortiGate uses fewer resources: Flow-based inspection is generally less resource-intensive compared to proxy-based inspection because it does not need to buffer and inspect the entire content of each connection. Instead, it inspects traffic in real-time as it flows through the device. C. FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic because it does not involve the additional overhead of buffering and analyzing the entire content of a connection, as is done in proxy-based inspection. Traffic is inspected in a streaming manner, which www.actualexamdumps.com Exam Dumps 27/200 tends to be faster. Why the other options are less accurate: B. FortiGate performs a more exhaustive inspection on traffic: Proxy-based inspection usually performs a more exhaustive inspection since it can analyze the entire content of the traffic. Flow- based inspection focuses on inspecting traffic in a more streamlined manner, which may not be as exhaustive. D. FortiGate allocates two sessions per connection: Flow-based inspection typically uses a single session per connection, whereas proxy-based inspection might involve more complex session handling. Question: 26 FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.) A. www.example.com B. www.example.com/index.html C. www.example.com:443 D. 
example.com Answer: A, D Explanation: To configure a web rating override for the home page of a website, the syntax options provided are: A. www.example.com: This specifies the exact domain and will match the home page (i.e., www.example.com/index.html) as well as any subpages. It effectively overrides the rating for all content served from www.example.com. D. example.com: This specifies the domain without the www prefix, and it will also match the home page as well as any subpages under this domain. This is a broader match than specifying www.example.com. Why the other options are less accurate: B. www.example.com/index.html: This is too specific because it only applies to the exact page www.example.com/index.html and does not cover other pages on the site. C. www.example.com:443: This includes the port number, which is not typically necessary for defining a web rating override. The port is generally implied for HTTPS traffic (port 443) and does not need to be specified in the override configuration. Question: 27 Refer to exhibit. An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page. www.actualexamdumps.com Exam Dumps 28/200 Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites? A. On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking. B. On the Static URL Filter configuration, set Type to Simple. C. On the Static URL Filter configuration, set Action to Exempt. D. On the Static URL Filter configuration, set Action to Monitor. Answer: C Explanation: C. 
On the Static URL Filter configuration, set Action to Exempt: To allow access to Twitter while blocking other social networking sites, you should configure the URL filter to exempt Twitter from the blocking policy. Setting the action to "Exempt" for Twitter will ensure that requests to Twitter are allowed, even though other social networking sites are blocked by the FortiGuard category. Why the other options are less accurate: A. On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking: Setting the action to "Warning" will only provide a warning message to users but does not allow access to the site. This does not fulfill the requirement of allowing Twitter specifically. B. On the Static URL Filter configuration, set Type to Simple: Changing the type to "Simple" does not directly address the issue of allowing or blocking specific URLs. It merely changes the filtering mode. D. On the Static URL Filter configuration, set Action to Monitor: Setting the action to "Monitor" allows traffic but does not block or exempt it. This would not effectively block other social networking sites while allowing Twitter. Question: 28 Which three statements explain a flow-based antivirus profile? (Choose three.) A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection. www.actualexamdumps.com Exam Dumps 29/200 B. If a virus is detected, the last packet is delivered to the client. C. The IPS engine handles the process as a standalone. D. FortiGate buffers the whole file but transmits to the client at the same time. E. Flow-based inspection optimizes performance compared to proxy-based inspection. Answer: A, D, E Explanation: A. Flow-based inspection uses a hybrid of the scanning modes available in proxy- based inspection: Flow-based antivirus profiles utilize techniques from both flow-based and proxy-based inspection methods. 
They balance between performance and security by integrating features of both modes. D. FortiGate buffers the whole file but transmits to the client at the same time: In flow- based inspection, FortiGate scans the traffic by buffering parts of the file while still transmitting it to the client. This helps in reducing the delay caused by buffering the entire file before transmission. E. Flow-based inspection optimizes performance compared to proxy-based inspection: Flow-based inspection is generally more performance-efficient than proxy-based inspection because it inspects data as it flows through the device, reducing the overhead associated with buffering and reprocessing data. Why the other options are less accurate: B. If a virus is detected, the last packet is delivered to the client: This is incorrect as the handling of packets and file delivery depends on the specific actions taken when a virus is detected. Typically, the file may be blocked or the entire session might be terminated. C. The IPS engine handles the process as a standalone: Flow-based inspection for antivirus is generally integrated into the traffic flow processing and is not managed solely by the IPS engine. The antivirus engine works in conjunction with other scanning and inspection processes. Question: 29 Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.) A. Services defined in the firewall policy B. Highest to lowest priority defined in the firewall policy C. Destination defined as Internet Services in the firewall policy D. Lowest to highest policy ID number E. Source defined as Internet Services in the firewall policy Answer: A, C, E Explanation: A. Services defined in the firewall policy: FortiGate uses the service specified in the firewall policy to match traffic. Services define the types of traffic (like HTTP, FTP) that the policy will apply to. www.actualexamdumps.com Exam Dumps 30/200 C. 
Destination defined as Internet Services in the firewall policy: Policies can be matched based on the destination being categorized as Internet Services, allowing specific handling of such traffic. E. Source defined as Internet Services in the firewall policy: Similarly, traffic from sources categorized as Internet Services can be matched and processed according to the policy configuration. Why the other options are less relevant: B. Highest to lowest priority defined in the firewall policy: Policies are processed from top to bottom, not by priority. The highest priority policy is processed first, but this is about the order of policy processing rather than criteria for matching traffic. D. Lowest to highest policy ID number: Policies are processed from the top of the list (the lowest policy ID) to the bottom (the highest policy ID), which is about the processing order rather than matching criteria. Question: 30 What are two functions of ZTNA? (Choose two.) A. ZTNA manages access through the client only. B. ZTNA manages access for remote users only. C. ZTNA provides a security posture check. D. ZTNA provides role-based access. Answer: C, D Explanation: Zero Trust Network Access (ZTNA) is a security model that enhances access control and security by ensuring that no user or device is trusted by default, regardless of their location. The key functions of ZTNA are: C. ZTNA provides a security posture check: ZTNA verifies the security posture of devices before allowing access to applications or resources. This ensures that only compliant and secure devices can access sensitive systems, reducing the risk of security breaches. D. ZTNA provides role-based access: ZTNA implements role-based access control (RBAC), ensuring that users and devices are granted access based on their identity, role, and other contextual factors. This limits access to only the resources that are necessary for users to perform their functions. Why the other options are less appropriate: A. 
ZTNA manages access through the client only: ZTNA can manage access both through a client and clientless approaches (via browser). It is not limited to managing access through the client only. B. ZTNA manages access for remote users only: ZTNA is not restricted to remote users. It manages access for both remote and internal users by applying zero-trust principles across the entire network, regardless of where the user is located. www.actualexamdumps.com Exam Dumps 31/200 D. ZTNA provides role-based access: ZTNA solutions often support role-based access control (RBAC), allowing organizations to grant access based on user roles and permissions, enhancing the granularity of access control. Question: 31 A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work? A. Pre-shared key B. Dialup user C. Dynamic DNS D. Static IP address Answer: B Explanation: When the remote peer has a dynamic IP address and does not support a dynamic DNS update service, the appropriate configuration on FortiGate for the IPsec VPN tunnel is to use a Dialup user as the remote gateway type. B. Dialup user: This option is used when the remote peer has a dynamic IP address, and FortiGate does not expect a fixed IP for the remote peer. It allows the FortiGate to accept incoming VPN connections from peers with dynamic IP addresses, typically used in scenarios where the remote peer is a mobile or dial-up user with changing IPs. Why the other options are less appropriate: A. Pre-shared key: A pre-shared key is a type of authentication, not a remote gateway type. While it can be used with a dial-up VPN, it does not address the issue of the remote peer having a dynamic IP address. C. 
Dynamic DNS: This would be used if the remote peer supported a dynamic DNS service, but in this case, the remote peer does not support such a service, so this option is not applicable. D. Static IP address: This option is not suitable because the remote peer has a dynamic IP address, not a static one. Question: 32 Which timeout setting can be responsible for deleting SSL VPN associated sessions? A. SSL VPN idle-timeout B. SSL VPN http-request-body-timeout C. SSL VPN login-timeout D. SSL VPN dtls-hello-timeout www.actualexamdumps.com Exam Dumps 32/200 Answer: A Explanation: The SSL VPN idle-timeout setting is responsible for terminating SSL VPN sessions after a period of inactivity. When a user connected via SSL VPN does not send any traffic for a specific amount of time, the idle-timeout triggers and terminates the session, thereby deleting the associated sessions. Why the other options are less appropriate: B. SSL VPN http-request-body-timeout: This setting controls the timeout for receiving the body of HTTP requests, but it is not related to terminating SSL VPN sessions based on inactivity. C. SSL VPN login-timeout: This setting defines the amount of time allowed for a user to complete the login process. It doesn’t affect already established sessions. D. SSL VPN dtls-hello-timeout: This setting controls the timeout for receiving a DTLS "hello" message during the SSL VPN handshake. It’s not related to terminating active sessions due to inactivity. The SSL VPN idle-timeout specifically manages session termination after inactivity, making it the correct answer. Question: 33 Which statement is correct regarding the use of application control for inspecting web applications? A. Application control can identify child and parent applications, and perform different actions on them. B. Application control signatures are organized in a nonhierarchical structure. C. Application control does not require SSL inspection to identify web applications. D. 
Application control does not display a replacement message for a blocked web application. Answer: A Explanation: Application control on FortiGate can identify both parent applications (such as Facebook) and child applications (such as Facebook Chat or Facebook Video), allowing administrators to apply different actions (such as block, allow, or monitor) on each. This granular control enhances security by enabling different policies for different components of the same application. Why the other options are less appropriate: B. Application control signatures are organized in a nonhierarchical structure: This is incorrect. Application control signatures are organized hierarchically, allowing FortiGate to identify parent and child applications. C. Application control does not require SSL inspection to identify web applications: This is incorrect because many web applications use HTTPS encryption. To properly inspect and control these applications, SSL inspection is often required to decrypt the traffic. www.actualexamdumps.com Exam Dumps 33/200 D. Application control does not display a replacement message for a blocked web application: This is incorrect. FortiGate can display a replacement message to users when a web application is blocked, depending on the configuration. Thus, the correct answer is A, as FortiGate's application control can indeed identify parent and child applications and apply different actions to them. Question: 34 A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded. The administrator confirms that the traffic matches the configured firewall policy. What are two reasons for the failed virus detection by FortiGate? (Choose two.) A. 
The website is exempted from SSL inspection.
B. The EICAR test file exceeds the protocol options oversize limit.
C. The selected SSL inspection profile has certificate inspection enabled.
D. The browser does not trust the FortiGate self-signed CA certificate.
Answer: A, C
Explanation:
Blocking EICAR over HTTP but missing it over HTTPS means the antivirus engine never sees the decrypted payload of the HTTPS session. Two configurations cause exactly that:
A. The website is exempted from SSL inspection: If the destination is on the exemption list of the SSL inspection profile (by address, by web category, or through one of the built-in exemptions), FortiGate does not decrypt that session, so there is nothing for antivirus to scan and the file passes.
C. The selected SSL inspection profile has certificate inspection enabled: A certificate-inspection profile only examines the server certificate and the SNI; it never decrypts the payload. Antivirus cannot scan content it cannot read, so the file is not detected. Only a full (deep) inspection profile decrypts the session.
Why the other options are less appropriate:
B. The EICAR test file exceeds the protocol options oversize limit: EICAR is a 68-byte file, far below any oversize limit, and the same file was blocked over HTTP.
D. The browser does not trust the FortiGate self-signed CA certificate: An untrusted inspection CA produces a certificate warning in the browser; if the user proceeds, the session is still decrypted and scanned. A trust problem changes what the user sees, not whether antivirus can detect the file.

Question: 35
Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.
Exhibit B shows the HA configuration and the partial output of the get system ha status command.
Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
B. The traffic sourced from the client and destined to the server is sent to FGT-1.
C. The cluster can load balance ICMP connections to the secondary.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.
Answer: A, D
Explanation:
In an active-active cluster the primary unit assigns a virtual MAC address to each of its traffic interfaces, and every frame from the client or the server is addressed to those virtual MACs. By default only sessions that need proxy-based inspection are load balanced; everything else is processed by the primary.
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as the source: A session that is not load balanced is processed by the primary, and the primary sends toward the server out of port2 using port2's virtual MAC as the source address.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary: When the primary decides to load balance a new TCP session, it does not process the SYN itself; it encapsulates the SYN and forwards it to the secondary, which then proxies the session. The secondary forwards to the server using its own physical MAC address as the source.
Why the other options are less appropriate:
B. The traffic sourced from the client and destined to the server is sent to FGT-1: The client always addresses the primary, because the primary owns the virtual MAC addresses. This statement therefore holds only if Exhibit B shows FGT-1 as the primary; the get system ha status output is what identifies the primary, and the statement cannot be accepted without that condition.
C.
The cluster can load balance ICMP connections to the secondary: Active-active load balancing applies to TCP sessions (by default only those that need proxy-based inspection; load-balance-all extends it to all TCP sessions and load-balance-udp to UDP). ICMP, multicast, and broadcast traffic is never load balanced and is always processed by the primary.

Question: 36
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)
A. The keyUsage extension must be set to keyCertSign.
B. The CA extension must be set to TRUE.
C. The issuer must be a public CA.
D. The common name on the subject field must use a wildcard name.
Answer: A, B
Explanation:
Full SSL inspection works by re-signing each server certificate with a CA certificate held on the FortiGate, so that certificate must be one that is allowed to sign other certificates:
A. The keyUsage extension must be set to keyCertSign: The keyUsage extension states what the key may be used for. Signing certificates requires the keyCertSign bit; without it, FortiGate cannot use the certificate to issue the re-signed server certificates, and clients that check key usage reject the chain.
B. The CA extension must be set to TRUE: The basicConstraints extension must carry CA:TRUE. A certificate with CA:FALSE (or with no basicConstraints at all) is an end-entity certificate, and clients reject anything it signs.
Why the other options are less appropriate:
C. The issuer must be a public CA: No public CA will issue a subordinate CA for traffic interception, and none is needed. The inspection CA is normally issued by the organisation's private PKI (or is the self-signed Fortinet_CA_SSL certificate that ships on the FortiGate) and is distributed to the clients' trust stores.
D. The common name on the subject field must use a wildcard name: The subject CN has no bearing on whether a certificate can act as a CA; wildcards matter for server certificates, not for the CA that signs them.

Question: 37
Which two configuration settings are global settings? (Choose two.)
A. User & Device settings
B. Firewall policies
C. HA settings
D.
FortiGuard settings
Answer: C, D
Explanation:
On a FortiGate with VDOMs enabled, global settings apply to the whole device, while VDOM settings are configured separately inside each virtual domain. The two global settings here are:
C. HA settings: HA configures how the physical unit joins a cluster (mode, group, heartbeat interfaces, priorities). It applies to the entire unit and all of its VDOMs, so it lives in the global configuration.
D. FortiGuard settings: How the device reaches FortiGuard for antivirus and IPS signature updates, web filter and other rating lookups, and licensing is also configured once for the whole device.
Why the other options are less appropriate:
A. User & Device settings: Local users, user groups, and related authentication settings are configured inside each VDOM, next to the policies that reference them.
B. Firewall policies: Firewall policies are per VDOM; each VDOM has its own interfaces, routing table, and policy table.

Question: 38
Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled?
A. Volume based
B. Source-destination IP based
C. Source IP based
D. Weight based
Answer: A
Explanation:
Standard ECMP on FortiGate (config system settings, set v4-ecmp-mode) offers source IP based, source-destination IP based, weight based, and usage based (spillover) distribution. Enabling SD-WAN adds one more choice to the load-balance-mode setting: volume based (measured-volume-based), which distributes new sessions according to the amount of traffic each member has already carried, relative to its configured volume ratio, so that links are filled in proportion to their capacity rather than by session count.
Other options:
B. Source-destination IP based: Available in standard ECMP as well, so it is not the method added by SD-WAN.
C.
Source IP based: Available in standard ECMP as well; it keeps all sessions from one source on the same path but is not specific to SD-WAN.
D. Weight based: Available in standard ECMP as well; it distributes sessions according to the weight configured on each route or member and is not the method added by SD-WAN.
Thus, volume-based load balancing is the additional method supported when SD-WAN is enabled.

Question: 39
Examine the exhibit, which shows a firewall policy configured with multiple security profiles.
Which two security profiles are handled by the IPS engine? (Choose two.)
A. Web Filter
B. IPS
C. AntiVirus
D. Application Control
Answer: B, D
Explanation:
FortiGate has two inspection engines: the IPS engine, which scans packet flows without terminating the connection, and the proxy engine, which terminates and re-originates connections so it can inspect complete objects. Two profiles are processed by the IPS engine whatever the policy's inspection mode:
B. IPS: Intrusion prevention signatures are matched against the flow by the IPS engine; that is the engine's primary job.
D. Application Control: Application signatures are also matched by the IPS engine, which is why application control is available in both flow-based and proxy-based policies without a proxy.
Why the other options are less appropriate:
A. Web Filter: In a proxy-based policy, web filtering is handled by the proxy engine. (In a flow-based policy the IPS engine performs web filtering too, so the inspection mode of the policy in the exhibit matters; the two profiles that belong to the IPS engine in every mode are IPS and Application Control.)
C. AntiVirus: Likewise, antivirus scanning is done by the proxy engine in proxy-based mode and by the IPS engine in flow-based mode; it is not an IPS-engine profile in every case.

Question: 40
Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)
A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
B.
Main mode cannot be used for dialup VPNs, while aggressive mode can.
C. Aggressive mode supports XAuth, while main mode does not.
D. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
Answer: A, D
Explanation:
Main mode and aggressive mode are the two ways IKEv1 phase 1 can be negotiated. They differ in how many messages are exchanged and in whether the peer identities are protected:
A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not: Aggressive mode sends the initiator's ID (together with the proposal, the Diffie-Hellman value, and a nonce) in its very first message, in clear text. Main mode negotiates the proposal and the Diffie-Hellman exchange first and sends the identities only in the final two messages, after encryption is in place, so the identities are never exposed on the wire.
D. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode: Main mode uses three round trips (six messages); aggressive mode compresses the same negotiation into three messages. The price is the unprotected identity and, with a pre-shared key, a hash that an eavesdropper can capture and attack offline.
Why the other options are less appropriate:
B. Main mode cannot be used for dialup VPNs, while aggressive mode can: Main mode can be used for dialup VPNs. What it cannot do is select a different pre-shared key per dialup peer, because the peer ID arrives only after the key has already been used; aggressive mode is required when several dialup VPNs with different pre-shared keys must coexist on the same interface, or when the responder must pick the tunnel by peer ID.
C. Aggressive mode supports XAuth, while main mode does not: XAuth (eXtended Authentication) runs after phase 1 completes, and FortiGate supports it with either mode.

Question: 41
What does the command diagnose debug fsso-polling refresh-user do?
A. It refreshes all users learned through agentless polling.
B. It displays status information and some statistics related to the polls done by FortiGate on each DC.
C. It refreshes user group information from any servers connected to FortiGate using a collector agent.
D.
It enables agentless polling mode real-time debug.
Answer: A
Explanation:
In agentless FSSO polling mode, FortiGate itself polls the Windows domain controllers' security event logs for logon events and builds the user-to-IP table from them, with no collector agent installed. diagnose debug fsso-polling refresh-user discards that learned user list and repopulates it by polling again; it is the command to run when the table looks stale during troubleshooting.
Why the other options are less appropriate:
B. It displays status information and some statistics related to the polls done by FortiGate on each DC: That is the output of diagnose debug fsso-polling summary, not of refresh-user.
C. It refreshes user group information from any servers connected to FortiGate using a collector agent: The fsso-polling commands concern agentless polling only. In a collector-agent deployment the user and group list is maintained on the collector and pushed to FortiGate; this command does not touch it.
D. It enables agentless polling mode real-time debug: Real-time debug output is enabled with diagnose debug application fssod followed by diagnose debug enable; refresh-user performs an action rather than turning on debug output.

Question: 42
View the exhibit.
Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.
Which two static routes are required in the FortiGate configuration, to route traffic between both subnets through an inter-VDOM link? (Choose two.)
A. A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link
B. A static route in VDOM2 for the destination subnet 10.0.1.0/24
C. A static route in VDOM1 for the destination subnet 10.0.2.0/24
D.
A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link
Answer: B, C
Explanation:
Each VDOM has its own routing table, and an inter-VDOM link is simply a pair of interfaces, one in each VDOM. A VDOM knows only its own connected subnets, so each side needs a static route for the other side's subnet pointing at its end of the link:
B. A static route in VDOM2 for the destination subnet 10.0.1.0/24: Without it VDOM2 has no route to 10.0.1.0/24 (or only a default route pointing elsewhere), so traffic toward VDOM1's subnet never enters the link. The route's device is VDOM2's inter-VDOM link interface, with the VDOM1 end as the gateway if the link is addressed.
C. A static route in VDOM1 for the destination subnet 10.0.2.0/24: The mirror image, so that VDOM1 sends traffic for 10.0.2.0/24 into its end of the link.
Why the other options are less appropriate:
A. A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link: If the link interfaces carry IP addresses, the link subnet already appears in VDOM1 as a connected route; if they are unaddressed, the static routes in B and C simply name the link interface as the outgoing device. Either way no route to the link subnet itself is needed.
D. A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link: Not needed, for the same reason as option A.

Question: 43
An administrator configured the antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only.
What is causing this issue?
A. Hardware acceleration is in use.
B. The test file is larger than the oversize limit.
C. HTTPS protocol is not enabled under Inspected Protocols.
D. Full SSL inspection is disabled.
Answer: D
Explanation:
The issue is that Full SSL inspection is disabled.
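Full SSL inspection, the fix for this question, re-signs server certificates with the CA certificate installed on the FortiGate, and that CA must satisfy the two attributes from Question 36: basicConstraints CA:TRUE and the keyCertSign key usage. The script below is an added example, not part of the exam material or of any Fortinet tool. It uses OpenSSL to generate a lab inspection CA with the right extensions next to a certificate that lacks them, then checks each the way you would check a candidate CA before importing it under System > Certificates. The file names, subject names, and working directory are assumptions of the example; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: build a lab SSL-inspection CA and verify the two attributes
# FortiGate needs (CA:TRUE and keyCertSign) before importing it.
# Everything is generated in a temporary directory; the names are assumptions
# of this example, not a FortiGate default.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: one extension section that yields a CA and one that
# yields an end-entity certificate, so the check below has a negative case.
cat > "$WORK/inspect.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ inspection_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_only ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF

# make_cert <extension section> <subject CN> <basename>
# Self-signed certificate plus private key, written to $WORK/<basename>.{crt,key}.
make_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/inspect.cnf" -extensions "$1" \
        -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.crt" 2>/dev/null
}

# is_inspection_ca <cert file>
# Returns 0 when the certificate carries basicConstraints CA:TRUE and the
# keyCertSign usage bit, 1 when either is missing, 2 if it cannot be read.
# openssl's text dump prints these as "CA:TRUE" and "Certificate Sign".
is_inspection_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    return 0
}

make_cert inspection_ca "Lab Deep Inspection CA" lab-ca
make_cert leaf_only "not-a-ca.example.internal" leaf

for cert in lab-ca leaf; do
    if is_inspection_ca "$WORK/$cert.crt"; then
        echo "$cert.crt: usable as an SSL inspection CA"
    else
        echo "$cert.crt: NOT usable (missing CA:TRUE or keyCertSign)"
    fi
done
```

A certificate that passes the check is imported together with its private key under System > Certificates so it can be selected as the CA certificate of the deep-inspection profile; only the certificate (never the key) is pushed to client trust stores. A leaf certificate such as leaf.crt would be accepted by the import but every re-signed server certificate would then fail validation in the browser, which is the second symptom to rule out when an HTTPS download is not being scanned.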
In flow-based antivirus inspection, FortiGate can only scan the contents of an HTTPS download if a full SSL inspection (deep inspection) profile is applied to the policy. Without decrypting the TLS session, the antivirus engine sees only ciphertext and cannot recognise the eicar.com test file.
D. Full SSL inspection is disabled: With no full SSL inspection profile, or with only a certificate-inspection profile, FortiGate does not decrypt HTTPS, so the test file is downloaded because its content is never visible to the antivirus engine. The same file is blocked over HTTP precisely because that content is visible.
Why the other options are less appropriate:
A. Hardware acceleration is in use: Offloading flow-based scanning to an NP or CP processor changes where the work is done, not whether HTTPS can be inspected.
B. The test file is larger than the oversize limit: eicar.com is 68 bytes, far below any oversize limit, and the same file is blocked over HTTP.
C. HTTPS protocol is not enabled under Inspected Protocols: The antivirus profile lists protocols by their underlying form (HTTP, SMTP, FTP, and so on), and decrypted HTTPS is scanned under the HTTP setting, so there is no separate HTTPS switch to forget. Even with HTTP enabled nothing can be scanned until the session is decrypted; the HTTP-blocked, HTTPS-allowed symptom points to missing decryption, which is the answer the exam expects.

Question: 44
An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers.
Which two items must they configure on their FortiGate to accomplish this? (Choose two.)
A. A web application firewall profile to check protocol constraints
B. A DoS policy, and log all UDP and TCP scan attempts
C. An IPS sensor to monitor all signatures applicable to the server
D. An application control profile, and set all application signatures to monitor
Answer: B, C
Explanation:
Probing has two parts in practice: scanning to discover hosts and open ports, then sending exploit attempts at what was found. FortiGate detects them with two different features:
B.
A DoS policy, and log all UDP and TCP scan attempts: A DoS policy applies anomaly thresholds (tcp_port_scan, udp_scan, tcp_syn_flood, and so on) to traffic arriving on an interface, before firewall policies are consulted. Setting the scan anomalies to monitor with logging records the reconnaissance phase, the port and host scans an attacker runs to find something to exploit.
C. An IPS sensor to monitor all signatures applicable to the server: IPS signatures describe exploit attempts against known vulnerabilities. A sensor that enables the signatures matching the servers' operating systems and applications, applied to the policy that reaches those servers, records (or blocks) the exploitation phase.
Why the other options are less appropriate:
A. A web application firewall profile to check protocol constraints: A WAF profile protects web applications against HTTP-specific attacks such as SQL injection and cross-site scripting and enforces HTTP constraints; it neither sees scans of other ports nor covers vulnerabilities in non-web services.
D. An application control profile, and set all application signatures to monitor: Application control identifies which applications are in use; it says nothing about scans or exploit attempts.

Question: 45
Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
A. SSH
B. FortiTelemetry
C. Trusted host
D. HTTPS
E. Trusted authentication
Answer: A, C, D
Explanation:
Secure and restrictive administrative access combines encrypted management protocols with a restriction on where administrators may connect from:
A. SSH: Secure Shell gives encrypted, authenticated access to the CLI; enable it (and not Telnet) under the interface's administrative access.
C.
Trusted host: Trusted hosts are configured per administrator account (config system admin, set trusthost1 through trusthost10) and list the source addresses that account may log in from. Logins from any other address are refused, which shrinks the management attack surface considerably.
D. HTTPS: HTTPS protects the web GUI with TLS, so credentials and session cookies are not exposed in transit; enable it instead of plain HTTP.
Why the other options are less appropriate:
B. FortiTelemetry: FortiTelemetry is the Security Fabric communication channel between Fortinet devices; it is not a protocol for administrators to manage the FortiGate.
E. Trusted authentication: There is no such FortiGate setting. The access restriction is provided by trusted hosts, together with administrator profiles and two-factor authentication where available.

Question: 46
Which statement about firewall policy NAT is true?
A. DNAT is not supported.
B. DNAT can automatically apply to multiple firewall policies, based on DNAT rules.
C. You must configure SNAT for each firewall policy.
D. SNAT can automatically apply to multiple firewall policies, based on SNAT rules.
Answer: C
Explanation:
The question concerns firewall policy NAT, the default mode of operation. In that mode source NAT is a property of each firewall policy: the NAT option (and the choice between the outgoing interface address and an IP pool) is enabled on every policy that should translate, and a policy without it passes the original source address. The alternative, central NAT, moves SNAT and DNAT into central tables that apply across policies, but that is a separate mode and not what the question describes.
Why the other options are less appropriate:
A. DNAT is not supported: Incorrect. Destination NAT is done with virtual IPs (VIPs), including port forwarding, and has always been supported.
B. DNAT can automatically apply to multiple firewall policies, based on DNAT rules: Incorrect in policy NAT mode.
DNAT (e.g., virtual IP configurations) takes effect only on traffic that matches a firewall policy whose destination references the VIP; it is not applied to other policies automatically.
D. SNAT can automatically apply to multiple firewall policies, based on SNAT rules: In policy NAT mode SNAT does not propagate between policies; each policy carries its own NAT setting, which is what gives the administrator precise control over which traffic is translated.

Question: 47
Which statement about traffic flow in an active-active HA cluster is true?
A. The SYN packet from the client always arrives at the primary device first.
B. The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client.
C. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions.
D. The ACK from the client is received on the physical MAC address of the primary device.
Answer: A
Explanation:
In an active-active cluster the primary unit assigns a virtual MAC address to each of its traffic interfaces and answers ARP for the cluster's interface IPs with those virtual MACs. Every frame from the client is therefore delivered to the primary, including the SYN that opens a new session. The primary then either processes the session itself or, if the session qualifies for load balancing, forwards it to a secondary unit.
Why the other options are less appropriate:
B. The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client: Incorrect. For a load-balanced session the secondary proxies the connection and sends its own SYN/ACK directly to the client, using its physical MAC address as the source; the primary relays traffic toward the secondary, not the other way round.
C. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions: This is incorrect.
Each FortiGate unit keeps its own physical MAC addresses, and the virtual MAC addresses are assigned only to the primary's traffic interfaces. Heartbeat interfaces keep their physical MACs and carry synchronization traffic between members; they are not used to redistribute sessions.
D. The ACK from the client is received on the physical MAC address of the primary device: The client only ever learns the virtual MAC through ARP, so its ACK (like every other frame it sends) arrives at the primary's virtual MAC address, not its physical one. Only a secondary uses a physical MAC as a source, when it sends load-balanced traffic onward.

Question: 48
Which two statements about incoming and outgoing interfaces in firewall policies are