Study Online FCP_FGT_AD-7.4 Exam Dumps to Pass

Category:

Comments:

0 Comments

Post Date:

August 25, 2024

FCP_FGT_AD-7.4 dumps questions can help you identify areas where you need to focus your studies. As you answer questions, you will be able to see which topics you are comfortable with and which ones you need to spend more time studying. Fortinet FCP_FGT_AD-7.4 dumps questions provide realistic practice for the certification exam. FCP_FGT_AD-7.4 dumps are designed to simulate the actual exam environment, and they will give you a chance to practice answering questions under time pressure. Study free Fortinet FCP_FGT_AD-7.4 online dumps below.

Page 1 of 6

1. The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.

What order must FortiGate use when the web filter profile has features enabled, such as safe search?

DNS-based web filter and proxy-based web filter

Static URL filter, FortiGuard category filter, and advanced filters

Static domain filter, SSL inspection filter, and external connectors filters

FortiGuard category filter and rating filter

2. Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

A. Log downloads from the GUI are limited to the current filter view

B. Log backups from the CLI cannot be restored to another FortiGate.

C. Log backups from the CLI can be configured to upload to FTP as a scheduled time

D. Log downloads from the GUI are stored as LZ4 compressed files.

3. FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.

Which two other security profiles can you apply to the security policy? (Choose two.)

A. Antivirus scanning

B. File filter

C. DNS filter

D. Intrusion prevention

4. Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

B. ADVPN is only supported with IKEv2.

C. Tunnels are negotiated dynamically between spokes.

D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2

proposals are defined in advance.

5. An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN.

How can this be achieved?

Assigning public IP addresses to SSL-VPN users

Configuring web bookmarks

Disabling split tunneling

Using web-only mode

6. An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers.

Which two items must they configure on their FortiGate to accomplish this? (Choose two.)

A web application firewall profile to check protocol constraints

A DoS policy, and log all UDP and TCP scan attempts

An IPS sensor to monitor all signatures applicable to the server

An application control profile, and set all application signatures to monitor

7. Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

diagnose sys top

execute ping

execute traceroute

diagnose sniffer packet any

get system arp

8. What are two functions of ZTNA? (Choose two.)

A. ZTNA manages access through the client only.

B. ZTNA manages access for remote users only.

C. ZTNA provides a security posture check.

D. ZTNA provides role-based access.

9. Examine this PAC file configuration.

Which of the following statements are true? (Choose two.)

Browsers can be configured to retrieve this PAC file from the FortiGate.

Any web request to the 172.25. 120.0/24 subnet is allowed to bypass the proxy.

All requests not made to Fortinet.com or the 172.25. 120.0/24 subnet, have to go through altproxy.corp.com: 8060.

Any web request fortinet.com is allowed to bypass the proxy.

10. Which scanning technique on FortiGate can be enabled only on the CLI?

A. Machine learning (AI) scan

B. Trojan scan

C. Antivirus scan

D. Ransomware scan

Page 2 of 6

11. Refer to the exhibit.

Which statement about the configuration settings is true?

When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.

When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.

When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.

The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.

12. Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

A. Local traffic logs

B. Forward traffic logs

C. System event logs

D. Security logs

13. Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

FortiSandbox

FortiCloud

FortiSIEM

FortiCache

FortiAnalyzer

14. Which two statements are correct about NGFW Policy-based mode? (Choose two.)

NGFW policy-based mode does not require the use of central source NAT policy

NGFW policy-based mode can only be applied globally and not on individual VDOMs

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

NGFW policy-based mode policies support only flow inspection

15. If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?

IP address

Once Internet Service is selected, no other object can be added

User or User Group

FQDN address

16. Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed.

What will happen to endpoint active ZTNA sessions?

They will be re-evaluated to match the endpoint policy.

They will be re-evaluated to match the firewall policy.

They will be re-evaluated to match the ZTNA policy.

They will be re-evaluated to match the security policy.

17. An administrator has configured a strict RPF check on FortiGate.

How does strict RPF check work?

Strict RPF allows packets back to sources with all active routes.

Strict RPF checks the best route back to the source using the incoming interface.

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

Strict RPF check is run on the first sent and reply packet of any new session.

18. Refer to the exhibit to view the application control profile.

Users who use Apple FaceTime video conferences are unable to set up meetings.

In this scenario, which statement is true?

A. Apple FaceTime belongs to the custom monitored filter.

B. The category of Apple FaceTime is being monitored.

C. Apple FaceTime belongs to the custom blocked filter.

D. The category of Apple FaceTime is being blocked.

19. Which two configuration settings are global settings? (Choose two.)

User & Device settings

Firewall policies

HA settings

FortiGuard settings

20. Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.

B. The sensor will block all attacks aimed at Windows servers.

C. The sensor will reset all connections that match these signatures.

D. The sensor will gather a packet log for all matched traffic.

Page 3 of 6

21. Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)

A. Port block allocation

B. Fixed port range

C. One-to-one

D. Overload

22. Which three methods can you use to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)

Instant message app

FortiToken

Voicemail message

SMS text message

23. Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

Which two statements are true? (Choose two.)

FortiGate SN FGVM010000065036 HA uptime has been reset.

FortiGate devices are not in sync because one device is down.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

FortiGate SN FGVM010000064692 has the higher HA priority.

24. Which two statements are true about collector agent standard access mode? (Choose two.)

A. Standard mode uses Windows convention-NetBios: DomainUsername.

B. Standard mode security profiles apply to organizational units (OU).

C. Standard mode security profiles apply to user groups.

D. Standard access mode supports nested groups.

25. Refer to the exhibits.

The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

10.200.1.1

10.0.1.254

10.200.1.10

10.200.1.100

26. Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

Policy with ID 4.

Policy with ID 5.

Policies with ID 2 and 3.

Policy with ID 1.

27. An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet the above requirement?

Disabled

On Demand

Enabled

On Idle

28. You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.

No new log is recorded until you manually clear logs from the local disk.

Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.

No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

29. An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

A. 192.168.2.0/24

B. 192.168.0.0/8

C. 192.168.1.0/24

D. 192.168.3.0/24

30. Which two statements about the application control profile mode are true? (Choose two.)

A. It uses flow-based scanning techniques, regardless of the inspection mode used.

B. It cannot be used in conjunction with IPS scanning.

C. It can be selected in either flow-based or proxy-based firewall policy.

D. It can scan only unsecure protocols.

Page 4 of 6

31. What does the command diagnose debug fsso-polling refresh-user do?

It refreshes all users learned through agentless polling.

It displays status information and some statistics related to the polls done by FortiGate on each D

It refreshes user group information from any servers connected to FortiGate using a collector agent.

It enables agentless polling mode real-time debug.

32. Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

The client FortiGate requires a manually added route to remote subnets.

The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VP

33. What devices form the core of the security fabric?

Two FortiGate devices and one FortiManager device

One FortiGate device and one FortiManager device

Two FortiGate devices and one FortiAnalyzer device

One FortiGate device and one FortiAnalyzer device

34. Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A. Services defined in the firewall policy

B. Highest to lowest priority defined in the firewall policy

C. Destination defined as Internet Services in the firewall policy

D. Lowest to highest policy ID number

E. Source defined as Internet Services in the firewall policy

35. A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.

The administrator confirms that the traffic matches the configured firewall policy.

What are two reasons for the failed virus detection by FortiGate? (Choose two.)

A. The website is exempted from SSL inspection.

B. The EICAR test file exceeds the protocol options oversize limit.

C. The selected SSL inspection profile has certificate inspection enabled.

D. The browser does not trust the FortiGate self-signed CA certificate.

36. Refer to the exhibit.

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver.

Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Disable match-vip in the Deny policy.

Set the Destination address as Deny_IP in the Allow-access policy.

Enable match-vip in the Deny policy.

Set the Destination address as Web_server in the Deny policy.

37. An administrator wants to block https://www.example.com/videos and allow all other URLs on the website.

What are two configuration changes that the administrator can make to satisfy the requirement? (Choose two.)

Configure web override for the URL and select a blocked FortiGuard subcategory

Enable full SSL inspection

Configure a video filter profile to block the URL

Configure a static URL filter entry for the URL and select Block as the action

38. What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

FortiGate automatically negotiates different local and remote addresses with the remote peer.

FortiGate automatically negotiates a new security association after the existing security association expires.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

39. What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

A. Traffic to botnetservers

B. Traffic to inappropriate web sites

C. Server information disclosure attacks

D. Credit card data leaks

E. SQL injection attacks

40. Refer to the exhibit, which contains a session list output.

Based on the information shown in the exhibit, which statement is true?

Port block allocation IP pool is used in the firewall policy

Destination NAT is disabled in the firewall policy

Overload NAT IP pool is used in the firewall policy

One-to-one NAT IP pool is used in the firewall policy

Page 5 of 6

41. View the exhibit.

A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.

Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF)

checks on this traffic? (Choose two.)

Strict RPF check will deny the traffic.

Loose RPF check will allow the traffic.

Strict RPF check will allow the traffic.

Loose RPF check will deny the traffic.

42. An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the Internet. The web server is connected to port1. The Internet is connected to port2. Both interfaces belong to the VDOM named Corporation.

What interface must be used as the source for the firewall policy that will allow this traffic?

ssl.root

ssl.Corporation

port2

port1

43. Examine the exhibit, which shows a firewall policy configured with multiple security profiles.

Which two security profiles are handled by the IPS engine? (Choose two.)

Web Filter

IPS

AntiVirus

Application Control

44. Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

On HQ-FortiGate, enable Diffie-Hellman Group 2.

On HQ-FortiGate, enable Auto-negotiate.

On Remote-FortiGate, set Seconds to 43200.

On HQ-FortiGate, set Encryption to AES256.

45. Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.

The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP modem.

With this configuration, which statement is true?

A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

B. A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.

C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root

VDOM is used only as a management VDOM.

46. An administrator has configured the following settings:

config system settings

set ses-denied-traffic enable

end

config system global

set block-session-timer 30

end

What are the two results of this configuration? (Choose two.)

Device detection on all interfaces is enforced for 30 seconds.

Denied users are blocked for 30 seconds.

The number of logs generated by denied traffic is reduced.

A session for denied traffic is created.

47. Which statement correctly describes the use of reliable logging on FortiGate?

Reliable logging is enabled by default in all configuration scenarios.

Reliable logging is required to encrypt the transmission of logs.

Reliable logging can be configured only using the CL

Reliable logging prevents the loss of logs when the local disk is full.

48. An administrator is configuring an Ipsec between site A and site B. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.

How must the administrator configure the local quick mode selector for site B?

A. 192.16.3.0/24

B. 192.16.2.0/24

C. 192.16.1.0/24

D. 192.16.0.0/8

49. When configuring a firewall virtual wire pair policy, which following statement is true?

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

Only a single virtual wire pair can be included in each policy.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

Exactly two virtual wire pairs need to be included in each policy.

50. Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)

FortiManager IP address

FortiAnalyzer IP address

Pre-authorize downstream FortiGate devices

Fabric name

Page 6 of 6

51. In which two ways can RPF checking be disabled? (Choose two.)

Enable anti-replay in firewall policy.

Enable asymmetric routing.

Disable strict-src-check under system settings.

Disable the RPF check at the FortiGate interface level for the source check.

52. Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

To detect intermediary NAT devices in the tunnel path.

To dynamically change phase 1 negotiation mode aggressive mode.

To encapsulation ESP packets in UDP packets using port 4500.

To force a new DH exchange with each phase 2 rekey

53. Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)

A. Warning

B. Exempt

C. Allow

D. Learn

54. Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

SMT

IMA

ip_src_session

Location: server Protocol: SMTP

55. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Enable Dead Peer Detection.

56. Which statement about firewall policy NAT is true?

DNAT is not supported.

DNAT can automatically apply to multiple firewall policies, based on DNAT rules.

You must configure SNAT for each firewall policy.

SNAT can automatically apply to multiple firewall policies, based on SNAT rules.

57. Which certificate value can FortiGate use to determine the relationship between the issuer and the

certificate?

Subject Key Identifier value

SMMIE Capabilities value

Subject value

Subject Alternative Name value

58. To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

FortiManager

Root FortiGate

FortiAnalyzer

Downstream FortiGate

59. Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

A. Web filter in flow-based inspection

B. Antivirus in flow-based inspection

C. DNS filter

D. Web application firewall

E. Application control

60. An organization's employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

Change the session-ttl.

Change the login-timeout.

Change the idle-timeout.

Change the udp-idle-timer.

TAGS:

FCP_FGT_AD-7.4, FCP_FGT_AD-7.4 exam dumps

Notify of

Label

Name*

Email*

Website

Label

Name*

Email*

Website

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Get FCP_FGT_AD-7.4 Dumps Full Version

Q&As: 200
Versions: PDF and Software Download Now

About Dumpsinfo

Dumpsinfo is a good platform providing the latest exam information and dumps questions for all IT certification exams. You can study all the latest exam dumps questions online.

[email protected]

Mon - Sat 9:00am - 6:00pm

Study Online FCP_FGT_AD-7.4 Exam Dumps to Pass

Related

Posts

FCP_ZCS_AD-7.4 Dumps Help You Study Objectives

Improve Your Knowledge with FCSS_NST_SE-7.4 Exam Dumps

Online FCP_FAZ_AD-7.4 Dumps Help You Understand Questions Well

FCP_FAZ_AN-7.4 Dumps Questions Increase Your Chance of Success

About Us

EMAIL

Services

Opening Hours