Title: Online Questions - Valid Practice To your FCP_FGT_AD-7.4 Exam (Updated 50 Questions) [Q17-Q37]
Practice To FCP_FGT_AD-7.4 - Remarkable Practice On your FCP - FortiGate 7.4 Administrator Exam

NEW QUESTION 17
Refer to the exhibit to view the application control profile.
Users who use Apple FaceTime video conferences are unable to set up meetings.
In this scenario, which statement is true?
A. Apple FaceTime belongs to the custom monitored filter.
B. The category of Apple FaceTime is being monitored.
C. Apple FaceTime belongs to the custom blocked filter.
D. The category of Apple FaceTime is being blocked.
Answer: C
Explanation: The Apple FaceTime signature carries the category VoIP, the behavior Excessive-Bandwidth and the vendor Apple. In the exhibit, a custom filter override matching Excessive-Bandwidth is set to Block, and the symptom (users cannot use FaceTime) matches that action. Application control evaluates application and filter overrides before the category actions, so the custom filter decides the outcome, not the category:
A and B: entries that FaceTime also matches, but they are evaluated after the custom blocked filter and never take effect.
C: correct; the custom blocked filter matches first.
D: wrong; the VoIP category is monitored, not blocked.

NEW QUESTION 18
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)
A. On HQ-FortiGate, disable Diffie-Hellman group 2.
B. On Remote-FortiGate, set port2 as Interface.
C. On both FortiGate devices, set Dead Peer Detection to On Demand.
D. On HQ-FortiGate, set IKE mode to Main (ID protection).
Answer (as given on this page): C, D
Explanation: IKEv1 phase 1 only completes when both peers agree on the IKE mode (Main or Aggressive), on at least one encryption/authentication proposal and Diffie-Hellman group, on the pre-shared key, and on the interface and peer address the tunnel is bound to. The pre-shared key has already been verified.
D is a valid change: Remote-FortiGate already uses Main (ID protection), and both ends must use the same mode for phase 1 to negotiate.
C does not fix phase 1. Dead Peer Detection only probes a peer after phase 1 is established, so On Demand versus On Idle cannot make a failed negotiation succeed; the key above lists it, but it should be discounted.
A and B are the exhibit-dependent candidates for the second change: A applies if HQ-FortiGate's DH group list does not overlap the remote side's, B applies if Remote-FortiGate binds the tunnel to the wrong interface. Whichever of them removes a mismatch actually shown in the exhibit is the second valid answer. The explanation originally attached here dismissed both on the grounds that group 2 and port1 appeared on both sides, which would leave only one real fix for a choose-two question, so that reading of the exhibit is doubtful.

NEW QUESTION 19
Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.
When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?
A. SMTP.Login.Brute.Force
B. IMAP.Login.brute.Force
C. ip_src_session
D. Location: server Protocol: SMTP
Answer: B
Explanation: Anomalies (zero-day or denial-of-service attacks) are detected by behavioral analysis rather than by content signatures, using rate-based IPS signatures, DoS policies and protocol constraint inspection. The ip_src_session entry belongs to the DoS policy, which is disabled in this exhibit, so it is never evaluated; of the remaining sensor entries, IMAP.Login.brute.Force is the one FortiGate evaluates first.

NEW QUESTION 20
Refer to the exhibits, which show the firewall policy and an antivirus profile configuration.
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
A. The intrusion prevention security profile must be enabled when using flow-based inspection mode.
B. The option to send files to FortiSandbox for inspection is enabled.
C. The firewall policy performs a full content inspection on the file.
D. Flow-based inspection is used, which resets the last packet to the user.
Answer: D
Explanation: In flow-based inspection mode, when the virus is detected after part of the file has already been forwarded, FortiGate sends a TCP reset (RST) to the client instead of a replacement message, so the block page is not displayed (question 26 covers the full behavior).

NEW QUESTION 21
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
A. Enable Dead Peer Detection.
B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
Answer (not given on the page; editor's key): A, C
Explanation: Dead Peer Detection lets FortiGate notice that the primary peer has stopped responding and bring the tunnel down, which withdraws its static route and speeds up failover. Only the static route with the lowest administrative distance for a prefix is installed in the routing table, so the primary tunnel's route needs the lower distance; the secondary route becomes active only once the primary route is removed. Option D inverts the preference, and option B affects how quickly a phase 2 SA is brought up and renegotiated, not which tunnel carries traffic.
NEW QUESTION 22
Refer to the exhibit, which contains a network diagram and routing table output. The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?
A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
Answer: C
Explanation: FortiGate applies the reverse path forwarding (RPF) check to the first packet of a new session: the packet's source address must be reachable through the interface the packet arrived on (in the default loose mode any active route through that interface is enough; with strict-src-check enabled it must be the best route). In the exhibit the routing table contains no route to 203.0.114.24 through port3, so the packet arriving on port3 with that Student-side source address is dropped and the session is never created. Adding a static route to 203.0.114.24/32 through port3 makes the RPF check pass. Routes to 10.0.4.0/24 through wan1 (A, B) change the forwarding path towards the web server, not the reverse path for the Student's address, so they do not help. After adding the route, verify with the routing table and the session list that the Student's traffic now passes.
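The route selection behind question 21 and the RPF check behind question 22, modelled in Python as an added example (not code from this page, from Fortinet or from FortiOS). Because the exhibits are not reproduced here, the routing tables are constructed: the tunnel interface names primary_vpn and secondary_vpn, the remote prefix 192.168.50.0/24 and the 10.0.4.0/24 via port1 entry are assumptions; only 203.0.114.24, 10.0.4.0/24, port3 and wan1 come from the question text.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str         # destination prefix, e.g. "10.0.4.0/24"
    interface: str      # egress interface: a port, or an IPsec tunnel interface
    distance: int = 10  # administrative distance; FortiGate static routes default to 10
    up: bool = True     # False once DPD (or link loss) has brought the interface down


def _net(route):
    return ipaddress.ip_network(route.prefix, strict=False)


def active_routes(routes):
    """Routes installed in the routing table: the interface must be up and, for
    each prefix, only the lowest-distance route(s) are active. A higher-distance
    route to the same prefix stays inactive until the active one is withdrawn,
    which is what the primary/secondary tunnel failover in Q21 relies on."""
    by_prefix = {}
    for route in routes:
        if route.up:
            by_prefix.setdefault(route.prefix, []).append(route)
    active = []
    for same_prefix in by_prefix.values():
        lowest = min(r.distance for r in same_prefix)
        active.extend(r for r in same_prefix if r.distance == lowest)
    return active


def best_route(routes, dst):
    """Longest-prefix match over the active table; None means no route."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in active_routes(routes) if ip in _net(r)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: _net(r).prefixlen)


def egress_for(routes, dst):
    route = best_route(routes, dst)
    return route.interface if route else None


def rpf_check(routes, src, ingress, strict=False):
    """Reverse path forwarding check FortiGate applies to the first packet of a
    session. Loose mode (the FortiOS default): pass if any active route to the
    source address leaves through the ingress interface. Strict mode
    (strict-src-check enabled): only the best route counts."""
    ip = ipaddress.ip_address(src)
    if strict:
        best = best_route(routes, src)
        return best is not None and best.interface == ingress
    return any(ip in _net(r) and r.interface == ingress for r in active_routes(routes))


# Constructed routing table for Q22 (the exhibit is not on the page): the
# Student-side address 203.0.114.24 arrives on port3, but the only route that
# covers it is the default route via wan1, so the RPF check fails.
Q22_BEFORE = [
    Route("0.0.0.0/0", "wan1"),
    Route("10.0.4.0/24", "port1"),
]
# The fix from option C: a host route for the source address through port3.
Q22_AFTER = Q22_BEFORE + [Route("203.0.114.24/32", "port3")]

# Constructed table for Q21: the same remote prefix over two tunnel interfaces,
# the primary preferred by its lower distance.
Q21_BOTH_UP = [
    Route("192.168.50.0/24", "primary_vpn", distance=10),
    Route("192.168.50.0/24", "secondary_vpn", distance=20),
]
# DPD declared the primary peer dead: its tunnel interface goes down, the route
# is withdrawn, and the secondary route becomes active.
Q21_PRIMARY_DOWN = [
    Route(r.prefix, r.interface, r.distance, up=(r.interface != "primary_vpn"))
    for r in Q21_BOTH_UP
]

if __name__ == "__main__":
    print("Q22 RPF before fix:", rpf_check(Q22_BEFORE, "203.0.114.24", "port3"))
    print("Q22 RPF after fix: ", rpf_check(Q22_AFTER, "203.0.114.24", "port3"))
    print("Q21 both tunnels up:", egress_for(Q21_BOTH_UP, "192.168.50.10"))
    print("Q21 primary down:   ", egress_for(Q21_PRIMARY_DOWN, "192.168.50.10"))
```

Swapping the two distances (option D of question 21) makes secondary_vpn the only active route while both tunnels are up, which is the opposite of the requirement; the distance decides which route is installed, DPD decides how quickly the losing route is withdrawn.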
NEW QUESTION 23
An administrator has configured central DNAT and virtual IPs.
Which item can be selected in the firewall policy Destination field?
A. An IP pool
B. A VIP object
C. A VIP group
D. The mapped IP address object of the VIP object
Answer: D
Explanation: When central NAT is enabled, DNAT is defined in the central DNAT table and the firewall policy references the mapped (internal) IP address object of the VIP, not the VIP itself; when central NAT is disabled, the VIP object (or a VIP group) is selected as the policy destination. With central DNAT configured here, the Destination field therefore takes the mapped IP address object, which represents the internal host the traffic is redirected to.

NEW QUESTION 24
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
A. Change the csf setting on ISFW (downstream) to set configuration-sync local.
B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
C. Change the csf setting on both devices to set downstream-access enable.
D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
Answer: C
Explanation: D is already in effect: fabric-object-unification defaults to default, meaning global CMDB objects are synchronized across the Security Fabric, so setting it again changes nothing.
The root device has downstream-access disabled, so it must be enabled for the object to synchronize. The csf option downstream-access enables or disables downstream device access to this device's configuration and data; while it is disabled, the downstream FortiGate cannot obtain the object. The CLI setting fabric-object-unification is only available on the root FortiGate.

NEW QUESTION 25
Refer to the exhibits.
FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit.
What would be the expected outcome in the HA cluster?
A. FGT-1 will remain the primary because FGT-2 has lower priority.
B. FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.
C. FGT-1 will synchronize the override disable setting with FGT-2.
D. The HA cluster will become out of sync because the override setting must match on all HA members.
Answer: B
Explanation: When override is enabled, priority is compared before uptime in the primary election, so FGT-2, which has override enabled and the higher priority, preempts FGT-1 and becomes the primary unit. Override and priority are per-device HA settings that are not synchronized between members, so C and D do not apply.

NEW QUESTION 26
Refer to the exhibits.
The exhibits show a firewall policy (Exhibit A) and an antivirus profile (Exhibit B).
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
A. The volume of traffic being inspected is too high for this model of FortiGate.
B. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.
C. The firewall policy performs the full content inspection on the file.
D. The flow-based inspection is used, which resets the last packet to the user.
Answer: D
Explanation: The key phrase is "unable to receive a block replacement message when downloading an infected file for the first time". With flow-based inspection the IPS engine scans packets as they are forwarded, so two outcomes are possible when a virus is detected:
- If the virus is detected at the start of the connection, before any payload has been forwarded, the IPS engine sends the block replacement message immediately.
- If the virus is detected on a TCP session after some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. The receiver has most of the file content, but the file is truncated and cannot be opened. The IPS engine also caches the URL of the infected file, so that on a second attempt to transmit the file it sends a block replacement message to the client instead of scanning the file again.
The first download in this scenario hits the second case, which is why no replacement message is shown.
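The two outcomes above (questions 20 and 26), modelled as an added example in Python; this is not code from this page or from the FortiOS IPS engine. A toy engine scans chunks as it forwards them, keeps a URL cache of infected files, and returns the verdict the client would see, beside a proxy-mode counterpart that buffers the whole file. The detection marker, the URLs and the file chunks are constructed.

```python
from dataclasses import dataclass

# Constructed detection marker standing in for a real virus signature; any
# content containing it counts as infected in this model.
DEMO_SIGNATURE = b"<<DEMO-VIRUS-MARKER>>"


@dataclass
class Verdict:
    action: str       # "deliver", "reset" or "block_page"
    delivered: bytes  # the bytes the client actually received


class FlowAvEngine:
    """Models the flow-based IPS/AV engine decision described for Q20 and Q26.
    Packets are scanned as they are forwarded; the verdict depends on whether
    anything had already reached the client when the virus was detected."""

    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.infected_urls = set()  # URL cache of files already found infected

    def _infected(self, data):
        return any(sig in data for sig in self.signatures)

    def download(self, url, chunks):
        # Second attempt at a known-infected URL: replacement message at once,
        # without rescanning the file.
        if url in self.infected_urls:
            return Verdict("block_page", b"")
        forwarded = b""
        scanned = b""
        for chunk in chunks:
            scanned += chunk  # scan cumulatively, a signature may span chunks
            if self._infected(scanned):
                self.infected_urls.add(url)
                if not forwarded:
                    # Detected at the start of the connection: nothing has been
                    # sent yet, so the block page can be returned.
                    return Verdict("block_page", b"")
                # Detected mid-stream: earlier packets are already with the
                # client, so the session is reset and the last piece withheld.
                return Verdict("reset", forwarded)
            forwarded += chunk
        return Verdict("deliver", forwarded)


def proxy_download(signatures, chunks):
    """Proxy-based inspection for contrast: the whole file is buffered before
    anything is forwarded, so an infected file always yields the block page."""
    data = b"".join(chunks)
    if any(sig in data for sig in signatures):
        return Verdict("block_page", b"")
    return Verdict("deliver", data)


if __name__ == "__main__":
    engine = FlowAvEngine([DEMO_SIGNATURE])
    # Constructed download whose signature only appears in the final packet.
    infected = [b"PK header ", b"file body ", DEMO_SIGNATURE]
    first = engine.download("http://example.test/invoice.zip", infected)
    second = engine.download("http://example.test/invoice.zip", infected)
    print("first attempt: ", first.action, "client got", len(first.delivered), "bytes")
    print("second attempt:", second.action)
    print("proxy mode:    ", proxy_download([DEMO_SIGNATURE], infected).action)
```

The truncated bytes the client keeps after the reset are why a flow-based block looks like a broken download rather than a block page on the first attempt; switching the policy to proxy-based inspection is the change that makes the replacement message appear every time.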
NEW QUESTION 27
A network administrator is configuring an IPsec VPN tunnel for a sales employee travelling abroad.
Which IPsec Wizard template must the administrator apply?
A. Remote Access
B. Site to Site
C. Dial up User
D. Hub-and-Spoke
Answer: A
Explanation: For an individual employee connecting from an arbitrary location, the Remote Access template is the right choice: it configures a dial-up IPsec tunnel that remote users connect to with FortiClient or a compatible client. Site to Site and Hub-and-Spoke connect whole networks or sites rather than individual users, and "Dial up User" is not an IPsec Wizard template type.
References: FortiOS 7.4.1 Administration Guide: IPsec Wizard Template Types

NEW QUESTION 28
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
A. Intrusion prevention system engine
B. Detection engine
C. Flow engine
D. Antivirus engine
Answer: A
Explanation: The IPS engine is shared by application control, antivirus, web filter and email filter inspection. Application control can be enabled in both proxy-based and flow-based firewall policies, but because it runs on the IPS engine, which performs flow-based inspection, application control inspection is always flow-based. The IPS engine analyzes the traffic to identify the application even when it uses non-standard protocols or ports.

NEW QUESTION 29
Refer to the exhibit.
FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?
A. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.
B. Create an Interface Group that includes port1 and port2 to create a single firewall policy.
C. Select port1 and port2 subnets in a single firewall policy.
D. Replace port1 and port2 with the any interface in a single firewall policy.
Answer: B
Explanation: An interface group containing port1 (Sales) and port2 (Engineering) can be used as the single incoming interface of one firewall policy, so the two policies collapse into one with the same destination and security profiles, which reduces the policy count and simplifies management. Using the any interface (D) would also match traffic arriving on every other interface and widen the policy beyond the two departments.
References: FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration

NEW QUESTION 30
Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.
Answer: A, C
Explanation: A is accurate: ADVPN relies on a dynamic routing protocol running over the hub-and-spoke tunnels so that spokes learn the routes to other spokes' networks, which is what makes the shortcuts scalable. C is also accurate.
In ADVPN, spoke-to-spoke tunnels (shortcuts) are negotiated dynamically and on demand, without a manually configured tunnel for every spoke pair. B is wrong because ADVPN works with both IKEv1 and IKEv2, and D describes a full mesh of static tunnels, which is exactly what ADVPN avoids.

NEW QUESTION 31
Refer to the exhibit.
Review the Intrusion Prevention System (IPS) profile signature settings.
Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?
A. Traffic matching the signature will be silently dropped and logged.
B. The signature setting uses a custom rating threshold.
C. The signature setting includes a group of other signatures.
D. Traffic matching the signature will be allowed and logged.
Answer: A
Explanation: The signature's own default action is Pass, but that default only applies when the sensor entry's Action is set to Default. In the exhibit the entry's Action is Block, so traffic matching FTP.Login.Failed is silently dropped and logged (A). The available entry actions are: Allow, to let traffic continue to its destination; Monitor, to let traffic continue and log the activity; Block, to silently drop traffic matching any signature included in the entry; Reset, to send a TCP RST whenever the signature triggers; and Default, to use each signature's default action. If Packet logging is enabled, FortiGate also saves a copy of the packet that matched the signature.

NEW QUESTION 32
Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?
A. Force access to Facebook using the HTTP service.
B. Make the SSL inspection a deep content inspection.
C. Add Facebook in the URL category in the security policy.
D. Get the additional application signatures required to add to the security policy.
Answer: B
Explanation: The policy is partly working: users can play videos but cannot react to (like) posts, so the problem is the SSL inspection level rather than a missing application signature. In the application signature list, Facebook_Like.Button carries the lock icon that means "Requires SSL Deep Inspection", whereas Facebook and Facebook_Video.Play do not require it, which is why video playback works. Without full (deep) SSL inspection, FortiGate cannot see inside the encrypted session to match the Like-button signature, so the SSL inspection profile must be changed to deep content inspection.

NEW QUESTION 33
Which two statements are true about collector agent advanced mode? (Choose two.)
A. Security profiles can be applied only to user groups, not individual users.
B. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
C. Advanced mode supports nested or inherited groups.
D. Advanced mode uses the Windows convention NetBIOS: Domain\Username.
Answer: B, C
Explanation: The FSSO (Fortinet Single Sign-On) collector agent operates in either standard mode or advanced mode.
B. In advanced mode, FortiGate can be configured as an LDAP client and query Active Directory directly for user and group information, and the group filters can be configured on FortiGate to select which groups take part in FSSO, instead of only on the collector agent.
C.
Advanced mode supports nested or inherited groups: in advanced mode, FortiGate recognizes group structures in Active Directory where a group is itself a member of another group, so such users are matched correctly and policies apply accordingly. Together these make advanced mode the choice for environments with complex group structures and a need for granular per-user and per-group control.
D is incorrect: the NetBIOS Domain\Username convention belongs to standard mode; advanced mode uses LDAP distinguished names.
A is incorrect: in advanced mode, FortiGate can apply security profiles to individual users, user groups and organizational units (OUs).

NEW QUESTION 34
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?
A. By default, FortiGate uses WINS servers to resolve names.
B. By default, the SSL VPN portal requires the installation of a client's certificate.
C. By default, split tunneling is enabled.
D. By default, the admin GUI and SSL VPN portal use the same HTTPS port.
Answer: C
Explanation: There is a trap here: C and D both contain something true, but the question asks specifically about the settings of an SSL VPN portal. Under SSL-VPN Settings the listen port is 443, the same as the HTTPS admin port, but that is a global SSL VPN setting, not a portal setting. If you go to SSL-VPN Portals and click Create New, Tunnel Mode and Split Tunneling are enabled by default, so C is correct.
Split tunneling lets a remote VPN user send only specific, protected traffic through the tunnel to the corporate network, while other traffic (for example general internet traffic) goes directly to its destination.
This reduces bandwidth use and load on the corporate network. With split tunneling enabled by default on the portal, the remote user's internet-bound traffic is not forced through the corporate network, which improves performance and reduces latency for non-corporate traffic; the trade-off is that this traffic bypasses the FortiGate security profiles.
Extra explanation: https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-sslvpn/SSLVPN_Examples/Split_Tunnel.htm#:~:text=Split%20Tunnel,SSL%20VPN%20on%20FortiGate%20units.

NEW QUESTION 35
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
A. The IPS engine was inspecting a high volume of traffic.
B. The IPS engine was unable to prevent an intrusion attack.
C. The IPS engine was blocking all traffic.
D. The IPS engine will continue to run in a normal state.
Answer: A
Explanation: If there are high CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem lies. Option 5 enables IPS bypass mode: the IPS engine keeps running, but it stops inspecting traffic.
If CPU use drops after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model (A). If CPU use stays high with bypass enabled, the problem is usually in the IPS engine itself, which you must report to Fortinet Support. Because traffic is not inspected while bypass is on, turn it off again once the test is done.

NEW QUESTION 36
Refer to the exhibit.
An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.
Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)
A. The Detection Mode setting is not set to Passive.
B. Administrator didn't configure a gateway for the SD-WAN members, or the configured gateway is not valid.
C. The configured participants are not SD-WAN members.
D. The Enable probe packets setting is not enabled.
Answer: B, D
Explanation:
B: Without a valid gateway on the SD-WAN members, FortiGate has no next hop to send the probes through, so the health check traffic cannot reach the servers.
D: If Enable probe packets is not enabled, FortiGate does not send active probes to the configured servers at all.
A: No. Passive detection mode measures the health of real sessions matched by the SD-WAN rules instead of sending probes, so it is not a prerequisite for probing.
C: No. Only SD-WAN members can be selected as participants of a performance SLA, so this cannot be the cause.

NEW QUESTION 37
Which three statements are true regarding session-based authentication? (Choose three.)
A. HTTP sessions are treated as a single user.
B. IP sessions from the same source IP address are treated as a single user.
C. It can differentiate among multiple clients behind the same source IP address.
D. It requires more resources.
E. It is not recommended if multiple users are behind the source NAT.
Answer: A, C, D
Explanation:
A.
HTTP sessions are treated as a single user: each session-based authenticated user is counted as one user regardless of how many sessions they open; the user's authentication membership (RADIUS, LDAP, FSSO, local database) is used to match them in other sessions, so one authenticated user with multiple HTTP sessions is still one user.
C. It can differentiate among multiple clients behind the same source IP address: because authentication is tied to the session rather than to the source IP address, session-based authentication can distinguish between clients sharing one source IP, for example behind source NAT.
D. It requires more resources: tracking and matching every session costs more than IP-based authentication, where a source IP address is authenticated once and every session from it is attributed to that user.
B and E describe IP-based authentication, the mode that cannot separate users behind a shared source IP.

Post date: 2024-09-26 16:41:32