New Year Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

FCP_FGT_AD-7.4 Questions and Answers

Question # 6

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.

Which two statements are true about the requirements of connected physical interfaces on FortiGate? (Choose two.)

A.

Both interfaces must have the interface role assigned

B.

Both interfaces must have directly connected routes on the routing table

C.

Both interfaces must have DHCP enabled

D.

Both interfaces must have IP addresses assigned

Full Access
Question # 7

Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

A.

Change the csf setting on Local-FortiGate (root) to sec fabric-object-unification default.

B.

Change the csf setting on both devices to sec downscream-access enable.

C.

Change the csf setting on ISFW (downstream) to sec auchorizacion-requesc-cype certificace.

D.

Change the csf setting on ISFW (downstream) to sec configuration-sync local.

Full Access
Question # 8

Refer to the exhibit.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.

Which action must the administrator perform to consolidate the two policies into one?

A.

Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy

B.

Create an Interface Group that includes port1 and port2 to create a single firewall policy

C.

Select port1 and port2 subnets in a single firewall policy.

D.

Replace port1 and port2 with the any interface in a single firewall policy.

Full Access
Question # 9

Refer to the exhibit which contains a RADIUS server configuration.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

What is the impact of using the Include in every user group option in a RADIUS configuration?

A.

This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group

B.

This option places all users into even/ RADIUS user group, including groups that are used for the LDAP server on FortiGate

C.

This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case is FortiAuthenticator

D.

This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group

Full Access
Question # 10

Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.)

A.

Checksums of devices are compared against each other to ensure configurations are the same.

B.

Incremental configuration synchronization can occur only from changes made on the primary FortiGate device.

C.

Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster

D.

Checksums of devices will be different from each other because some configuration items are not synced to other HA members.

Full Access
Question # 11

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.

The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.

Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

A.

Enable match-vip in the Deny policy.

B.

Set the Destination address as Webserver in the Deny policy.

C.

Disable match-vip in the Deny policy.

D.

Set the Destination address as Deny_IP in the Allow_access policy.

Full Access
Question # 12

Refer to the exhibit, which shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A.

The sensor will gather a packet log for all matched traffic.

B.

The sensor will reset all connections that match these signatures.

C.

The sensor will allow attackers matching the Microsoft.Windows.iSCSl.Target.DoS signature.

D.

The sensor will block all attacks aimed at Windows servers.

Full Access
Question # 13

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)

A.

If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.

B.

If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.

C.

If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP

D.

If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.

Full Access
Question # 14

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A.

Internet Service Database (ISDB) engine

B.

Intrusion prevention system engine

C.

Antivirus engine

D.

Application control engine

Full Access
Question # 15

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

A.

Configure a loopback interface with address 203.0.113.2/32.

B.

In the VIP configuration, enable arp-reply.

C.

In the firewall policy configuration, enable match-vip.

D.

Enable port forwarding on the server to map the external service port to the internal service port.

Full Access
Question # 16

An administrator configured a FortiGate to act as a collector for agentless polling mode.

What must the administrator add to the FortiGate device to retrieve AD user group information?

A.

LDAP server

B.

RADIUS server

C.

DHCP server

D.

Windows server

Full Access
Question # 17

An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A.

SSL VPN idle-timeout

B.

SSL VPN login-timeout

C.

SSL VPN dtls-hello-timeout

D.

SSL VPN session-ttl

Full Access
Question # 18

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

A.

All traffic from a source IP to a destination IP is sent to the same interface.

B.

Traffic is sent to the link with the lowest latency.

C.

Traffic is distributed based on the number of sessions through each interface.

D.

All traffic from a source IP is sent to the same interface

Full Access
Question # 19

Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command shown in the exhibit.

If option 5 is used with the IPS diagnostic command and the outcome is a decrease in the CPU usage, what is the correct conclusion?

A.

The IPS engine is blocking all traffic.

B.

The IPS engine is inspecting a high volume of traffic.

C.

The IPS engine is unable to prevent an intrusion attack.

D.

The IPS engine will continue to run in a normal state.

Full Access
Question # 20

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A.

The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

B.

The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

C.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

D.

The client FortiGate requires a manually added route to remote subnets.

Full Access
Question # 21

A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal.

Which SSL timer can you use to mitigate a denial of service (DoS) attack?

A.

SSL VPN dcls-hello-timeout

B.

SSL VPN http-request-header-timeout

C.

SSL VPN login-timeout

D.

SSL VPN idle-timeout

Full Access
Question # 22

Refer to the exhibit showing a FortiGuard connection debug output.

Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)

A.

One server was contacted to retrieve the contract information.

B.

There is at least one server that lost packets consecutively.

C.

A local FortiManaqer is one of the servers FortiGate communicates with.

D.

FortiGate is using default FortiGuard communication settings.

Full Access
Question # 23

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A.

The NetSessionEnum function is used to track user logouts.

B.

NetAPI polling can increase bandwidth usage in large networks.

C.

The collector agent must search Windows application event logs.

D.

The collector agent uses a Windows API to query DCs for user logins.

Full Access
Question # 24

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

A.

The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile

B.

The browser does not trust the certificate used by FortiGate for SSL inspection

C.

The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

D.

The matching firewall policy is set to proxy inspection mode

Full Access
Question # 25

Refer to the exhibits, which show a diagram of a FortiGate device connected to the network. VIP object configuration, and the firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 8080 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?

A.

10.0.1.254, 10.200.1.10, and 8080, respectively

B.

10.0.1.254, 10.0.1.10, and 80, respectively

C.

10.200.3.1, 10.0.1.10, and 80, respectively

D.

10.200.3.1, 10.0.1.10, and 8080, respectively

Full Access