Fortinet FCP_FGT_AD-7.4 Dumps Updated to V11.03: Read the FCP_FGT_AD-7.4 Free Dumps (Part 1, Q1-Q40) Online to Start Preparation

1. Refer to the exhibit.

Which route will be selected when trying to reach 10.20.30.254?

A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]

B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]

C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]

D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]

2. Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)

A. Port block allocation

B. Fixed port range

C. One-to-one

D. Overload

3. What is eXtended Authentication (XAuth)?

4. What must you configure to enable proxy-based TCP session failover?

5. An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN.

How can this be achieved?

6. Which NAT method translates the source IP address in a packet to another IP address?

7. What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?

8. Refer to the exhibit.

Which statement about the configuration settings is true?

9. What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A. It limits the scanning of application traffic to the browser-based technology category only.

B. It limits the scanning of application traffic to the DNS protocol only.

C. It limits the scanning of application traffic to use parent signatures only.

D. It limits the scanning of application traffic to the application category only.

10. Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

11. FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

12. An administrator has configured a strict RPF check on FortiGate.

How does strict RPF check work?

13. An administrator has configured the following settings:

config system settings

set ses-denied-traffic enable

end

config system global

set block-session-timer 30

end

What are the two results of this configuration? (Choose two.)

14. Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.

Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

15. Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

16. Refer to the exhibits.

Exhibit A shows system performance output.

Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Based on the system performance output, which two results are correct? (Choose two.)

17. Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

18. An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

A. 192.168.2.0/24

B. 192.168.0.0/8

C. 192.168.1.0/24

D. 192.168.3.0/24

19. Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

20. Which statement correctly describes the use of reliable logging on FortiGate?

21. Refer to the exhibits.

The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

22. Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

23. Which two statements are true about the FGCP protocol? (Choose two.)

A. FGCP elects the primary FortiGate device.

B. FGCP is not used when FortiGate is in transparent mode.

C. FGCP runs only over the heartbeat links.

D. FGCP is used to discover FortiGate devices in different HA groups.

24. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

25. What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

A. FortiGate uses fewer resources.

B. FortiGate performs a more exhaustive inspection on traffic.

C. FortiGate adds less latency to traffic.

D. FortiGate allocates two sessions per connection.

26. FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)

A. www.example.com

B. www.example.com/index.html

C. www.example.com:443

D. example.com

27. Refer to exhibit.

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

28. Which three statements explain a flow-based antivirus profile? (Choose three.)

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B. If a virus is detected, the last packet is delivered to the client.

C. The IPS engine handles the process as a standalone.

D. FortiGate buffers the whole file but transmits to the client at the same time.

E. Flow-based inspection optimizes performance compared to proxy-based inspection.

29. Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A. Services defined in the firewall policy

B. Highest to lowest priority defined in the firewall policy

C. Destination defined as Internet Services in the firewall policy

D. Lowest to highest policy ID number

E. Source defined as Internet Services in the firewall policy

30. What are two functions of ZTNA? (Choose two.)

A. ZTNA manages access through the client only.

B. ZTNA manages access for remote users only.

C. ZTNA provides a security posture check.

D. ZTNA provides role-based access.

31. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

32. Which timeout setting can be responsible for deleting SSL VPN associated sessions?

33. Which statement is correct regarding the use of application control for inspecting web applications?

34. A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.

The administrator confirms that the traffic matches the configured firewall policy.

What are two reasons for the failed virus detection by FortiGate? (Choose two.)

A. The website is exempted from SSL inspection.

B. The EICAR test file exceeds the protocol options oversize limit.

C. The selected SSL inspection profile has certificate inspection enabled.

D. The browser does not trust the FortiGate self-signed CA certificate.

35. Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.

Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B. The traffic sourced from the client and destined to the server is sent to FGT-1.

C. The cluster can load balance ICMP connections to the secondary.

D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them

to the secondary.

36. Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

37. Which two configuration settings are global settings? (Choose two.)

38. Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled?

39. Examine the exhibit, which shows a firewall policy configured with multiple security profiles.

Which two security profiles are handled by the IPS engine? (Choose two.)

40. Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)

A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.

B. Main mode cannot be used for dialup VPNs, while aggressive mode can.

C. Aggressive mode supports XAuth, while main mode does not.

D. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.