Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, together with the firewall policy configuration, the VIP configuration, and the IP pool configuration on the FortiGate device.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using the IP pool. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?
Answer : D
NAT Configuration: The first firewall policy has NAT enabled using the configured IP pool.
IP Pool Configuration: The IP pool is configured with an external IP range consisting of the single address 10.200.1.100.
Source NAT: When traffic is being NATed, the source IP address is replaced with an IP from the configured pool. In this scenario, the specific IP defined in the pool is 10.200.1.100.
Thus, any internet-bound traffic from the workstation (10.0.1.10) will have its source IP address NATed to 10.200.1.100.
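As an added example, not part of the original question or its exhibits, the following FortiOS CLI fragment shows the IP pool and the outbound policy that the explanation describes. The pool name, the policy name, and the use of "all" for the address and service objects are assumptions; the interface names and IP addresses are those given in the question.

```fortios
# Added example (not from the exhibit): a single-address overload IP pool.
# Many internal hosts share the one external address 10.200.1.100.
config firewall ippool
    edit "SNAT-POOL"
        set type overload
        set startip 10.200.1.100
        set endip 10.200.1.100
    next
end

# Outbound policy from LAN (port3) to WAN (port1) with NAT using the pool.
# Because "ippool" is enabled and a pool is named, 10.0.1.10 is translated to
# 10.200.1.100 instead of to the port1 interface address 10.200.1.1.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT-POOL"
    next
end
```

To confirm which address is actually used, capture the translated traffic on the WAN side with `diagnose sniffer packet port1 'host 10.200.1.100' 4` while the workstation browses: if `ippool` were disabled on the policy, the same capture would instead show the interface address 10.200.1.1 as the source.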
An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.
Which FortiGate configuration can achieve this goal?
Answer : B
An SSL VPN tunnel allows remote users to securely connect to the organization's network and transmit all traffic, including external application data and FTP resources, through an encrypted SSL/TLS connection. This ensures secure access to the network while supporting various protocols such as FTP and other application-specific traffic from the user's PC.
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.
Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?
Answer : B
In this scenario, the FortiGate device is using a Virtual IP (VIP) to map the public IP address (203.0.113.2) to the internal IP address of the web server (172.16.1.10). The fact that the administrator does not see any sniffer output for incoming traffic suggests that the FortiGate is not responding to ARP requests for the public IP address (203.0.113.2).
Enabling arp-reply in the VIP configuration allows the FortiGate to respond to ARP requests for the public IP, thereby allowing traffic to reach the FortiGate, which will then forward it to the web server based on the VIP mapping.
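The following FortiOS CLI fragment is an added example, not the configuration from the exhibit, showing a static VIP with `arp-reply` enabled and the inbound policy that references it as the destination. The VIP name, the policy name, the internal interface "port2", and the service list are assumptions; the public and mapped addresses are those stated in the question.

```fortios
# Added example (not from the exhibit): static one-to-one VIP.
# With arp-reply enabled, FortiGate answers ARP requests for 203.0.113.2 on
# port1, so the ISP router can resolve the public address and forward traffic.
config firewall vip
    edit "WEB-SERVER-VIP"
        set extip 203.0.113.2
        set extintf "port1"
        set mappedip "172.16.1.10"
        set arp-reply enable
    next
end

# Inbound policy: the VIP object is the destination address, which is what
# triggers the destination NAT from 203.0.113.2 to 172.16.1.10.
config firewall policy
    edit 2
        set name "Internet-to-Web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "WEB-SERVER-VIP"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
```

`arp-reply` is enabled by default on a VIP, so a scenario like this one implies it was explicitly disabled at some point. After enabling it, `diagnose sniffer packet port1 'host 203.0.113.2' 4` should start showing the incoming SYN packets that were absent before; if the capture is still empty, the problem lies upstream (for example, the ISP router's route for 203.0.113.2) rather than in the VIP.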
An administrator has configured the following settings:
What are the two results of this configuration? (Choose two.)
Answer : B, C
A session for denied traffic is created.
The command set ses-denied-traffic enable ensures that FortiGate creates a session entry for traffic that is denied by a firewall policy, so denied traffic is tracked and logged as a session rather than being evaluated packet by packet.
The number of logs generated by denied traffic is reduced.
The set block-session-timer 30 command sets how long a denied-traffic session stays in the session table, which prevents excessive logging of the same denied flow within a short period and so reduces the number of logs generated by repeated denied connection attempts. During this period (30 seconds in this case) matching packets hit the existing blocked session instead of generating new log entries, avoiding overwhelming the log system with repetitive entries.
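As an added example (not the configuration shown in the question), these are the two commands in the context where FortiOS accepts them. Both live under `config system settings`, which is VDOM-scoped, so on a multi-VDOM unit they are entered inside the VDOM whose policies deny the traffic.

```fortios
# Added example: create sessions for denied traffic and hold them for 30 s.
# Enter "config vdom" / "edit <vdom-name>" first on a multi-VDOM FortiGate.
config system settings
    set ses-denied-traffic enable
    set block-session-timer 30
end
```

With this in place, a repeatedly retried connection that a policy denies shows up once in `diagnose sys session list` as a blocked session for the timer's duration, and the traffic log receives one entry for that session rather than one per packet.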
The FortiGuard category of a URL can be overridden so that it is rated in a different category. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)
Answer : B, D
www.example.com
This syntax targets the main domain, which is a common way to configure a web rating override for the home page of a website.
example.com
This syntax also correctly targets the main domain without specifying a subdomain (like 'www'), which is valid for configuring a web rating override for the entire site, including the home page.
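The following is an added example, not part of the original question, showing both accepted syntaxes as local rating entries in the FortiOS CLI. The category ID 52 is a placeholder chosen for illustration; in practice the ID is taken from the FortiGuard category list of the firmware in use.

```fortios
# Added example: local rating overrides for the example.com home page.
# Each entry re-rates the URL into the FortiGuard category given by "rating".
config webfilter ftgd-local-rating
    edit "www.example.com"
        set status enable
        set rating 52
    next
    edit "example.com"
        set status enable
        set rating 52
    next
end
```

Both entries match the site's home page, the difference being whether the "www" host label is included; neither entry carries a URL path or a scheme, which is what makes the syntax valid for this purpose. The override only takes effect for traffic inspected by a web filter profile that performs FortiGuard category filtering.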
Refer to the exhibit.
The administrator configured SD-WAN rules and set the FortiGate traffic log page to display SD-WAN-specific columns: SD-WAN Quality and SD-WAN Rule Name.
FortiGate allows the traffic according to policy ID 1. This is the policy that allows SD-WAN traffic.
Despite these settings, the traffic logs do not show the name of the SD-WAN rule used to steer those traffic flows.
What can be the reason?
Answer : A
If the SD-WAN traffic logs do not show the specific SD-WAN rule name, it likely means that FortiGate is using the default or implicit SD-WAN rule to balance traffic. The implicit rule comes into effect when no explicit SD-WAN rule is matched, and as a result, the SD-WAN rule name is not displayed in the logs. The default behavior is to load balance the traffic across available interfaces based on SD-WAN strategy.
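As an added example that is not part of the original question or exhibit, the fragment below defines an explicit SD-WAN rule so that matching flows are steered by a named rule instead of the implicit one; flows that do not match it continue to use the implicit rule and appear in the logs without a rule name. The member interfaces, the address object "LAN-net", and the rule name are assumptions.

```fortios
# Added example: two SD-WAN members and one explicit, named rule.
config system sdwan
    set status enable
    # Algorithm used by the implicit rule for traffic no explicit rule matches
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
    config service
        edit 1
            set name "Branch-Internet"
            set mode manual
            set src "LAN-net"
            set dst "all"
            set priority-members 1 2
        next
    end
end
```

On FortiOS 7.x, `diagnose sys sdwan service` lists each explicit rule with the members it currently prefers; flows that hit a rule shown there carry its name in the SD-WAN Rule Name column, whereas flows falling through to the implicit rule leave that column blank.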
Which two statements are true about the FGCP protocol? (Choose two.)
Answer : B, D
FGCP elects the primary FortiGate device
FGCP is responsible for electing the primary (active) device in a FortiGate HA (High Availability) cluster, ensuring proper role assignment between the primary and secondary devices.
FGCP runs only over the heartbeat links
FGCP runs over the dedicated heartbeat links between FortiGate devices in the HA cluster, ensuring synchronization and communication between the devices for failover and redundancy purposes.
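The following FortiOS CLI fragment is an added example, not from the question, of the HA settings that bring FGCP into play on each cluster member. The group name, group ID, heartbeat interfaces "port4" and "port5", monitored interfaces, and the priority value are assumptions; the cluster password is a placeholder.

```fortios
# Added example: active-passive HA member configuration (entered on each unit).
# FGCP runs only over the interfaces named in "hbdev"; the numbers are
# heartbeat priorities, so port5 is preferred over port4 for heartbeats.
config system ha
    set group-id 10
    set group-name "FGT-CLUSTER"
    set mode a-p
    set password <cluster-password-placeholder>
    set hbdev "port4" 50 "port5" 100
    set session-pickup enable
    set monitor "port1" "port3"
    # "priority" and "override" influence which unit FGCP elects as primary
    set priority 200
    set override enable
end
```

Once both units share the same group ID, group name, and password and see each other over a heartbeat link, `get system ha status` shows the election result and which unit is primary, and `diagnose sys ha checksum cluster` confirms that configuration synchronization over the heartbeat links has completed.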