Fortinet FCP_FGT_AD-7.4 Exam Practice Test Instant Access

Question 1

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration, firewall policy. and the sniffer CLI output on the FortiGate device.

The WAN (port1) interface has the IP address 10.200.1.1 /24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The webserver host (10. 0.1. 10) must use its VIP external IP address as the source NAT (SNAT) when It pings remote server (10.200.3.1).

Which two statements are valid to achieve this goal? (Choose two.)

AEnable NAT on the Allow_access firewall policy.

BCreate a new firewall policy before lnternet_Access for the webserver and apply the IP pool.

CDisable NAT on the lnternet_Access firewall policy.

DDisable port forwarding on the VIP object.

Answer : A, D

Enable NAT on the Allow_access firewall policy (A):

The Allow_access firewall policy must have NAT enabled to allow the webserver to use its VIP external IP address (10.200.1.10) as the source NAT when initiating traffic, such as pings, to the remote server.

Disable port forwarding on the VIP object (D):

Port forwarding is designed for specific port mapping, typically for services like HTTP or HTTPS. To use the VIP external IP as a source NAT, port forwarding should be disabled. Disabling port forwarding ensures that the full VIP IP address is used without being tied to specific ports.

Why other options are not correct:

B . Create a new firewall policy before Internet_Access for the webserver and apply the IP pool:

This is unnecessary as the VIP object itself is used for SNAT in this case, and an additional firewall policy is not required.

C . Disable NAT on the Internet_Access firewall policy:

Disabling NAT on this policy would prevent the NAT functionality needed for the webserver to use the VIP external IP address as the source IP.

Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP configuration are the valid steps to achieve the goal.

Question 2

Refer to the exhibit.

The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.

What must the administrator configure to answer this specific request from the NOC team?

AEnable the parameter Never Timeout in the admin profiles

BIncrease the admintimeout value under config system accprofile super_admin.

CIncrease the admintimeout value under config system global

DIncrease the offline value of the Override idle Timeout parameter in the NOC_Access admin profile

Answer : D

'You can override the idle timeout setting per administartor profile using the Override Idle Timeout setting. You can configure an administrator profile to increase inactivity timeout and facilitate use of the GUI for central monitoring. Then Override Idel Timeout setting allows the admintimeout value, under the config system accprofile, to be overridden per access profile.'

Question 3

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

AThe option invalid SSL certificates is set to allow on the SSL/SSH inspection profile

BThe browser does not trust the certificate used by FortiGate for SSL inspection

CThe certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

DThe matching firewall policy is set to proxy inspection mode

Answer : B

When full SSL inspection is enabled, FortiGate intercepts HTTPS traffic, decrypts it for inspection, and re-encrypts it using its own SSL certificate before forwarding it to the browser. If the browser does not trust the SSL certificate being used by FortiGate for re-encryption, it will display certificate warning errors. To resolve this, the certificate used by FortiGate for SSL inspection must be installed and trusted in the browser's certificate store.

Question 4

An administrator has configured a strict RPF check on FortiGate.

How does strict RPF check work?

AStrict RPF checks the best route back to the source using the incoming interface.

BStrict RPF allows packets back to sources with all active routes.

CStrict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

DStrict RPF check is run on the first sent and reply packet of any new session.

Answer : A

Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.

Question 5

Which three statements about SD-WAN zones are true? (Choose three.)

AAn SD-WAN zone can contain physical and logical interfaces

BYou can use an SD-WAN zone in static route definitions

CYou can define up to three SD-WAN zones per FortiGate device

DAn SD-WAN zone must contains at least two members

EAn SD-WAN zone is a logical grouping of members

Answer : A, B, E

An SD-WAN zone can contain physical and logical interfaces

SD-WAN zones can include both physical and logical interfaces, allowing flexible configuration for different network types.

You can use an SD-WAN zone in static route definitions

SD-WAN zones can be referenced in static routes, enabling dynamic path selection based on SD-WAN rules.

An SD-WAN zone is a logical grouping of members

An SD-WAN zone is a logical grouping of interfaces (members), used to simplify the management and application of SD-WAN rules.

Question 6

An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is outbound traffic but no response from the peer.

Which DPD mode on FortiGate meets this requirement?

AOn Demand

BOn Idle

CDisabled

DEnabled

Answer : A

The On Demand mode for Dead Peer Detection (DPD) on FortiGate sends DPD probes only when there is outbound traffic and no response from the peer. This mode is used to detect if the peer is still available without continuously sending DPD probes, reducing unnecessary traffic.

Question 7

Which three CLI commands, can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)

Aexecute ping

Bexecute traceroute

Cdiagnose sys top

Dget system arp

Ediagnose sniffer packet any

Answer : A, B, E

Fortinet FCP_FGT_AD-7.4 FCP - FortiGate 7.4 Administrator Exam Practice Test