New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Fortinet FCP_FGT_AD-7.4 FCP - FortiGate 7.4 Administrator Exam Practice Test

Demo: 25 questions
Total 86 questions

FCP - FortiGate 7.4 Administrator Questions and Answers

Question 1

Which statement is a characteristic of automation stitches?

Options:

A.

They can be run only on devices in the Security Fabric.

B.

They can be created only on downstream devices in the fabric.

C.

They can have one or more triggers.

D.

They can run multiple actions at the same time.

Question 2

Which three statements explain a flow-based antivirus profile? (Choose three.)

Options:

A.

Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection

B.

Flow-based inspection optimizes performance compared to proxy-based inspection

C.

FortiGate buffers the whole file but transmits to the client at the same time.

D.

If a virus is detected, the last packet is delivered to the client.

E.

The IPS engine handles the process as a standalone.

Question 3

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

Options:

A.

The host field in the HTTP header.

B.

The server name indication (SNI) extension in the client hello message.

C.

The subject alternative name (SAN) field in the server certificate.

D.

The subject field in the server certificate.

E.

The serial number in the server certificate.

Question 4

Refer to the exhibit to view the firewall policy.

Why would the firewall policy not block a well-known virus, for example eicar?

Options:

A.

The action on the firewall policy is not set to deny.

B.

The firewall policy is not configured in proxy-based inspection mode.

C.

Web filter is not enabled on the firewall policy to complement the antivirus profile.

D.

The firewall policy does not apply deep content inspection.

Question 5

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

Options:

A.

The issuer must be a public CA

B.

The CA extension must be set to TRUE

C.

The Authority Key Identifier must be of type SSL

D.

The keyUsage extension must be set to

Question 6

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.

Which order must FortiGate use when the web filter profile has features such as safe search enabled?

Options:

A.

FortiGuard category filter and rating filter

B.

Static domain filter, SSL inspection filter, and external connectors filters

C.

DNS-based web filter and proxy-based web filter

D.

Static URL filter, FortiGuard category filter, and advanced filters

Question 7

Refer to the exhibit.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

What are two solutions for satisfying the requirement? (Choose two.)

Options:

A.

Configure a separate firewall policy with action Deny and an FQDN address object for *. download, com as destination address.

B.

Set the Freeware and Software Downloads category Action to Warning

C.

Configure a web override rating for download, com and select Malicious Websites as the subcategory.

D.

Configure a static URL filter entry for download, com with Type and Action set to Wildcard and Block, respectively.

Question 8

Which two statements are correct when FortiGate enters conserve mode? (Choose two.)

Options:

A.

FortiGate halts complete system operation and requires a reboot to regain available resources

B.

FortiGate refuses to accept configuration changes

C.

FortiGate continues to run critical security actions, such as quarantine.

D.

FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled

Question 9

A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal.

Which SSL timer can you use to mitigate a denial of service (DoS) attack?

Options:

A.

SSL VPN dcls-hello-timeout

B.

SSL VPN http-request-header-timeout

C.

SSL VPN login-timeout

D.

SSL VPN idle-timeout

Question 10

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

Options:

A.

Configure a loopback interface with address 203.0.113.2/32.

B.

In the VIP configuration, enable arp-reply.

C.

In the firewall policy configuration, enable match-vip.

D.

Enable port forwarding on the server to map the external service port to the internal service port.

Question 11

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

Options:

A.

All traffic from a source IP to a destination IP is sent to the same interface.

B.

Traffic is sent to the link with the lowest latency.

C.

Traffic is distributed based on the number of sessions through each interface.

D.

All traffic from a source IP is sent to the same interface

Question 12

An administrator configured a FortiGate to act as a collector for agentless polling mode.

What must the administrator add to the FortiGate device to retrieve AD user group information?

Options:

A.

LDAP server

B.

RADIUS server

C.

DHCP server

D.

Windows server

Question 13

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

Options:

A.

On HQ-FortiGate, disable Diffie-Helman group 2.

B.

On Remote-FortiGate, set port2 as Interface.

C.

On both FortiGate devices, set Dead Peer Detection to On Demand.

D.

On HQ-FortiGate, set IKE mode to Main (ID protection).

Question 14

Refer to the exhibit, which shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

Options:

A.

The sensor will gather a packet log for all matched traffic.

B.

The sensor will reset all connections that match these signatures.

C.

The sensor will allow attackers matching the Microsoft.Windows.iSCSl.Target.DoS signature.

D.

The sensor will block all attacks aimed at Windows servers.

Question 15

Refer to the exhibit.

Based on the routing database shown in the exhibit which two conclusions can you make about the routes? (Choose two.)

Options:

A.

There will be eight routes active in the routing table

B.

The port1 and port2 default routes are active in the routing table

C.

The port3 default route has the highest distance

D.

The port3 default route has the lowest metric

Question 16

Which method allows management access to the FortiGate CLI without network connectivity?

Options:

A.

SSH console

B.

CLI console widget

C.

Serial console

D.

Telnet console

Question 17

Which three CLI commands, can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

Options:

A.

execute ping

B.

execute traceroute

C.

diagnose sys top

D.

get system arp

E.

diagnose sniffer packet any

Question 18

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

Options:

A.

The debug flow is for ICMP traffic.

B.

A firewall policy allowed the connection.

C.

A new traffic session was created.

D.

The default route is required to receive a reply.

Question 19

Refer to the exhibits.

The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

Options:

A.

Apple FaceTime will be allowed, based on the Video/Audio category configuration.

B.

Apple FaceTime will be allowed, based on the Apple filter configuration.

C.

Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

D.

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

Question 20

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

Options:

A.

The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile

B.

The browser does not trust the certificate used by FortiGate for SSL inspection

C.

The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

D.

The matching firewall policy is set to proxy inspection mode

Question 21

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy.

When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the

and does not block the file allowing it to be downloaded.

The administrator confirms that the traffic matches the configured firewall policy.

What are two reasons for the failed virus detection by FortiGate? (Choose two.)

Options:

A.

The selected SSL inspection profile has certificate inspection enabled

B.

The browser does not trust the FortiGate self-siqned CA certificate

C.

The EICAR test file exceeds the protocol options oversize limit

D.

The website is exempted from SSL inspection

Question 22

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

Options:

A.

Enable Dead Peer Detection

B.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

C.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

D.

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Question 23

When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.

Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)

Options:

A.

Allow & Warning

B.

Trust & Allow

C.

Allow

D.

Block & Warning

E.

Block

Question 24

Which two statements describe how the RPF check is used? (Choose two.)

Options:

A.

The RPF check is run on the first sent packet of any new session.

B.

The RPF check is run on the first reply packet of any new session.

C.

The RPF check is run on the first sent and reply packet of any new session.

D.

The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

Question 25

Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it.

What should the user do to successfully connect to the SSL VPN?

Options:

A.

Change the SSL VPN portal to the tunnel.

B.

Change the idle timeout.

C.

Change the server IP address.

D.

Change the SSL VPN port on the client.

Demo: 25 questions
Total 86 questions