This page was exported from Best Free Exam Guide [ http://free.exams4sures.com ]
Export date: Wed Mar 19 8:44:32 2025 / +0000 GMT
___________________________________________________
Title: Ultimate Guide to Prepare Free Fortinet FCP_FGT_AD-7.4 Exam Questions & Answer [Q46-Q64]
---------------------------------------------------

Fortinet FCP_FGT_AD-7.4 Exam Syllabus Topics:

Topic 1 - VPN: In this section, the focus is on how to configure SSL VPNs for secure network access and implement meshed or redundant IPsec VPNs.
Topic 2 - Content Inspection: This section covers how to inspect encrypted traffic, configure inspection modes, apply web filtering, manage applications, set antivirus modes, and implement IPS for security.
Topic 3 - Routing: This section covers how to set up packet routing with static routes and configure SD-WAN for efficient traffic load balancing.
Topic 4 - Firewall Policies and Authentication: This topic covers how to set firewall policies, configure SNAT/DNAT, implement authentication methods, and deploy FSSO.
Topic 5 - Deployment and System Configuration: This section covers how to set up initial configurations, implement Fortinet Security Fabric, and configure an FGCP HA cluster; diagnose resources and connectivity.

QUESTION 46
Refer to the exhibit.
The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
B. The sensor will block all attacks aimed at Windows servers.
C. The sensor will reset all connections that match these signatures.
D. The sensor will gather a packet log for all matched traffic.

The correct answers are:
A. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
B. The sensor will block all attacks aimed at Windows servers.

For option A, the sensor is configured to “Deny Attacker Inline” for the NTP.Spoofed.KoD.DoS signature, which means it will block traffic matching this signature.
For option B, the sensor is configured to “Deny Attacker Inline” for the Windows Servers category, which means it will block all attacks aimed at Windows servers.

QUESTION 47
Refer to the exhibits, which show the system performance output and the default configuration of high memory usage thresholds in a FortiGate.
Based on the system performance output, what can be the two possible outcomes? (Choose two.)

A. FortiGate will start sending all files to FortiSandbox for inspection.
B. FortiGate has entered conserve mode.
C. Administrators cannot change the configuration.
D. Administrators can access FortiGate only through the console port.

Based on the system performance output provided, the memory usage on the FortiGate device is at 90%, which is above the green threshold (82%) but below the red threshold (88%). Given this high memory usage, the FortiGate device will enter “conserve mode” to prevent further resource exhaustion. In conserve mode:
* B. FortiGate has entered conserve mode: When the memory usage reaches or exceeds certain thresholds (in this case, the green and red thresholds), the FortiGate enters conserve mode to protect itself from running out of memory entirely. This mode limits some functionalities to reduce memory usage and avoid a potential system crash.
* D. Administrators can access FortiGate only through the console port: During conserve mode, administrative access might be restricted, and administrators may only be able to connect to the device via the console port. This restriction is in place to ensure that the FortiGate can be managed directly, even under low resource conditions.

The other options are not correct:
* A. FortiGate will start sending all files to FortiSandbox for inspection: This is unrelated to memory usage and conserve mode.
* C. Administrators cannot change the configuration: While access may be limited, configuration changes can still be made via the console port.

References
* FortiOS 7.4.1 Administration Guide – Monitoring System Resources and Performance, page 325.
* FortiOS 7.4.1 Administration Guide – Conserve Mode, page 330.

QUESTION 48
Refer to the exhibit.
A user located behind the FortiGate device is trying to go to http://www.addictinggames.com (Addicting.Games). The exhibit shows the application details and application control profile.
Based on this configuration, which statement is true?

A. Addicting.Games will be blocked, based on the Filter Overrides configuration.
B. Addicting.Games will be allowed only if the Filter Overrides action is set to Learn.
C. Addicting.Games will be allowed, based on the Categories configuration.
D. Addicting.Games will be allowed, based on the Application Overrides configuration.

Addicting.Games will be allowed, based on the Application Overrides configuration.
Based on the scan order: Application and Filter Overrides >> Category. Application and Filter Overrides follows the same rules as firewall policy. Application override will be considered first.

QUESTION 49
Refer to the exhibits, which show the firewall policy and an antivirus profile configuration.
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?

A. The intrusion prevention security profile must be enabled when using flow-based inspection mode.
B. The option to send files to FortiSandbox for inspection is enabled.
C. The firewall policy performs a full content inspection on the file.
D. Flow-based inspection is used, which resets the last packet to the user.

In flow-based inspection mode, FortiGate sends a reset (RST) packet to the client instead of providing a replacement message, which causes the block message not to be displayed.

QUESTION 50
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A. The host field in the HTTP header.
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
D. The subject field in the server certificate.
E. The serial number in the server certificate.

When SSL certificate inspection is enabled on a FortiGate device, the system uses the following three pieces of information to identify the hostname of the SSL server:
* Server Name Indication (SNI) extension in the client hello message (B): The SNI is an extension in the client hello message of the SSL/TLS protocol. It indicates the hostname the client is attempting to connect to. This allows FortiGate to identify the server’s hostname during the SSL handshake.
* Subject Alternative Name (SAN) field in the server certificate (C): The SAN field in the server certificate lists additional hostnames or IP addresses that the certificate is valid for. FortiGate inspects this field to confirm the identity of the server.
* Subject field in the server certificate (D): The Subject field contains the primary hostname or domain name for which the certificate was issued. FortiGate uses this information to match and validate the server’s identity during SSL certificate inspection.

The other options are not used in SSL certificate inspection for hostname identification:
* Host field in the HTTP header (A): This is part of the HTTP request, not the SSL handshake, and is not used for SSL certificate inspection.
* Serial number in the server certificate (E): The serial number is used for certificate management and revocation, not for hostname identification.

Reference
* FortiOS 7.4.1 Administration Guide – SSL/SSH Inspection, page 1802.
* FortiOS 7.4.1 Administration Guide – Configuring SSL/SSH Inspection Profile, page 1799.

QUESTION 51
Refer to the exhibits.
Exhibit A.
Exhibit B.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

A. Change the csf setting on Local-FortiGate (root) to set configuration-sync local.
B. Change the csf setting on ISFW (downstream) to set configuration-sync local.
C. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
D. Change the csf setting on ISFW (downstream) to set fabric-object-unification default.

Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
The CLI command set fabric-object-unification is only available on the root FortiGate. When set to local, global objects will not be synchronized to downstream devices in the Security Fabric. The default value is default.
Option A will not synchronise global fabric objects downstream.

QUESTION 52
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

A. Shut down/reboot a downstream FortiGate device.
B. Disable FortiAnalyzer logging for a downstream FortiGate device.
C. Log in to a downstream FortiSwitch device.
D. Ban or unban compromised hosts.

A. Shut down/reboot a downstream FortiGate device.
This is correct. The root FortiGate has the ability to control the power state of downstream FortiGate devices.
D. Ban or unban compromised hosts.
This is also correct. The root FortiGate can take actions to ban or unban compromised hosts, helping to manage and control security incidents.
Therefore, the correct answers are A and D.

QUESTION 53
Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

A. Enable match-vip in the Deny policy.
B. Set the Destination address as Webserver in the Deny policy.
C. Disable match-vip in the Deny policy.
D. Set the Destination address as Deny_IP in the Allow_access policy.

QUESTION 54
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

A. The issuer must be a public CA
B. The CA extension must be set to TRUE
C. The Authority Key Identifier must be of type SSL
D. The keyUsage extension must be set to keyCertSign

The CA extension must be set to TRUE
This indicates that the certificate can be used to issue other certificates, a requirement for it to function as a CA.
The keyUsage extension must be set to keyCertSign
This specifies that the certificate can be used to sign other certificates, which is essential for a CA certificate.

QUESTION 55
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A. The host field in the HTTP header.
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
D. The subject field in the server certificate.
E. The serial number in the server certificate.

When SSL certificate inspection is enabled on a FortiGate device, the system uses the following three pieces of information to identify the hostname of the SSL server:
* Server Name Indication (SNI) extension in the client hello message (B): The SNI is an extension in the client hello message of the SSL/TLS protocol. It indicates the hostname the client is attempting to connect to. This allows FortiGate to identify the server’s hostname during the SSL handshake.
* Subject Alternative Name (SAN) field in the server certificate (C): The SAN field in the server certificate lists additional hostnames or IP addresses that the certificate is valid for. FortiGate inspects this field to confirm the identity of the server.
* Subject field in the server certificate (D): The Subject field contains the primary hostname or domain name for which the certificate was issued. FortiGate uses this information to match and validate the server’s identity during SSL certificate inspection.

The other options are not used in SSL certificate inspection for hostname identification:
* Host field in the HTTP header (A): This is part of the HTTP request, not the SSL handshake, and is not used for SSL certificate inspection.
* Serial number in the server certificate (E): The serial number is used for certificate management and revocation, not for hostname identification.

References
* FortiOS 7.4.1 Administration Guide – SSL/SSH Inspection, page 1802.
* FortiOS 7.4.1 Administration Guide – Configuring SSL/SSH Inspection Profile, page 1799.

QUESTION 56
Which of the following statements correctly describes FortiGate's route lookup behavior when searching for a suitable gateway? (Choose two)

A. Lookup is done on the first packet from the session originator
B. Lookup is done on the last packet sent from the responder
C. Lookup is done on every packet, regardless of direction
D. Lookup is done on the first reply packet from the responder

FortiGate performs route lookup based on the trust packet. The trust packet is the first packet of the session that is sent by the session originator. This is the packet that initiates the communication. The route lookup is also done on the trust reply packet, which is the first reply packet received from the responder.
In summary, FortiGate looks at the initial packet from the session originator and the first reply packet from the responder when performing route lookup to determine the suitable gateway.

QUESTION 57
Refer to the exhibit to view the authentication rule configuration.
In this scenario, which statement is true?

A. Session-based authentication is enabled
B. Policy-based authentication is enabled
C. IP-based authentication is enabled
D. Route-based authentication is enabled

The correct statement is:
A. Session-based authentication is enabled
The configuration specifies the use of web authentication cookies (set web-auth-cookie enable), which is a form of session-based authentication. NTLM authentication = session-based

QUESTION 58
Refer to the FortiGuard connection debug output.
Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

A. There is at least one server that lost packets consecutively.
B. One server was contacted to retrieve the contract information.
C. A local FortiManager is one of the servers FortiGate communicates with.
D. FortiGate is using default FortiGuard communication settings.

B is correct: one server has the flag DI, which means it was contacted to retrieve contract information.
A: No server has packets dropped.
C: No local (IP) FortiManager can be seen.
D: ……Anycast is enabled by default (as it says on the study guide), so it's not using default settings. Still, it uses HTTPS (TCP) and port 443 under TCP, so we can consider this a default setting.
“by default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with FortiGuard or FortiManager”
We did check our FortiGate and it's configured the same.
Anycast is enabled by default, but A and C are definitely incorrect.

QUESTION 59
An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?

A. Strict RPF checks the best route back to the source using the incoming interface.
B. Strict RPF allows packets back to sources with all active routes.
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session.

Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.

QUESTION 60
Which method allows management access to the FortiGate CLI without network connectivity?

A. SSH console
B. CLI console widget
C. Serial console
D. Telnet console

The serial console method allows management access to the FortiGate CLI without relying on network connectivity. This method involves directly connecting a computer to the FortiGate device using a serial cable (such as a DB-9 to RJ-45 cable or USB to RJ-45 cable) and using terminal emulation software to interact with the FortiGate CLI. This method is essential for situations where network-based access methods (such as SSH or Telnet) are not available or feasible.

References:
* FortiOS 7.4.1 Administration Guide: Console connection

QUESTION 61
Refer to the exhibit.
Which two statements are true about the routing entries in this database table? (Choose two.)

A. All of the entries in the routing database table are installed in the FortiGate routing table.
B. The port2 interface is marked as inactive.
C. Both default routes have different administrative distances.
D. The default route on port2 is marked as the standby route.

The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:
* The default route through port2 has an administrative distance of 20.
* The default route through port1 has an administrative distance of 10.

Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2.
Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.

References:
* FortiOS 7.4.1 Administration Guide: Default route configuration
* FortiOS 7.4.1 Administration Guide: Routing table explanation

QUESTION 62
Refer to the exhibits.
The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

A. Apple FaceTime will be allowed, based on the Video/Audio category configuration.
B. Apple FaceTime will be allowed, based on the Apple filter configuration.
C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

Based on the application sensor configuration and the filter details:
* D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration: The “Excessive-Bandwidth” filter is set to block, which includes “FaceTime” under its application signature. As a result, FaceTime will be blocked regardless of the “Apple” filter configuration because the “Excessive-Bandwidth” filter takes precedence due to its block action setting.

The other options are not correct:
* A. Apple FaceTime will be allowed, based on the Video/Audio category configuration: The Video/Audio category is not relevant because FaceTime is specifically included in the Excessive-Bandwidth filter, which blocks it.
* B. Apple FaceTime will be allowed, based on the Apple filter configuration: Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this.
* C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow: The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail.

References
* FortiOS 7.4.1 Administration Guide – Application Control and Filtering, page 978.
* FortiOS 7.4.1 Administration Guide – Application Sensor Configuration, page 982.

QUESTION 63
Refer to the exhibit.
Based on the ZTNA tag, the security posture of the remote endpoint has changed.
What will happen to endpoint active ZTNA sessions?

A. They will be re-evaluated to match the endpoint policy.
B. They will be re-evaluated to match the firewall policy.
C. They will be re-evaluated to match the ZTNA policy.
D. They will be re-evaluated to match the security policy.

C: They will be re-evaluated to match the ZTNA policy.
Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no longer compliant with the ZTNA policy.

QUESTION 64
Which two configuration settings are global settings? (Choose two.)

A. User & Device settings
B. Firewall policies
C. HA settings
D. FortiGuard settings

The two configuration settings that are global settings are:
C. HA settings – High Availability settings are typically configured globally to manage failover and redundancy.
D. FortiGuard settings – FortiGuard settings for security services and updates are also configured globally to ensure consistent protection across the network.

HA configuration overview. The purpose of an HA configuration is to reduce downtime when a zone or instance becomes unavailable. This might happen during a zonal outage, or when an instance runs out of memory. With HA, your data continues to be available to client applications.
FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system’s built-in FDS as an FDN override server.

---------------------------------------------------
Post date: 2025-03-18 15:44:17
Post date GMT: 2025-03-18 15:44:17
Post modified date: 2025-03-18 15:44:17
Post modified date GMT: 2025-03-18 15:44:17