This page was exported from IT Certification Exam Braindumps [ http://blog.braindumpsit.com ]
Export date: Sat Apr 5 1:22:02 2025 / +0000 GMT

Title: FCP_FGT_AD-7.4 Practice Exam and Study Guides - Verified By BraindumpsIT Updated 90 Questions [Q30-Q52]

QUESTION 30
Refer to the exhibit. Which route will be selected when trying to reach 10.20.30.254?
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
Answer: A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
Explanation: This route is more specific (10.20.30.0/24) compared to the other routes (10.20.30.0/26 and 10.30.20.0/24) and would therefore be selected as the best match.

QUESTION 31
Which inspection mode does FortiGate use for application profiles if it is configured as a profile-based next-generation firewall (NGFW)?
A. Full content inspection
B. Proxy-based inspection
C. Certificate inspection
D. Flow-based inspection

QUESTION 32
Which timeout setting can be responsible for deleting SSL VPN associated sessions?
A. SSL VPN idle-timeout
B. SSL VPN http-request-body-timeout
C. SSL VPN login-timeout
D. SSL VPN dtls-hello-timeout
Answer: A. SSL VPN idle-timeout
Explanation: The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session is terminated and the associated resources (such as VPN tunnels and virtual interfaces) are deleted. Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting on the GUI.

QUESTION 33
What are three key routing principles in SD-WAN? (Choose three.)
A. By default, SD-WAN members are skipped if they do not have a valid route to the destination
B. By default, SD-WAN rules are skipped if only one route to the destination is available
C. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member
D. SD-WAN rules have precedence over any other type of routes
E. Regular policy routes have precedence over SD-WAN rules
Answer: A, C, D
Explanation:
A. By default, SD-WAN members are skipped if they do not have a valid route to the destination. SD-WAN ensures that only members with valid routes to the destination are considered during routing decisions.
C. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member. If the best route is not an SD-WAN member, SD-WAN rules are bypassed and standard routing takes over.
D. SD-WAN rules have precedence over any other type of routes. SD-WAN rules are evaluated first, meaning they take precedence over other routing mechanisms, such as static routes or policy-based routes.

QUESTION 34
Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)
A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B. The client FortiGate requires a manually added route to remote subnets.
C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Answer: C, D
Incorrect:
A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B. The client FortiGate requires a manually added route to remote subnets. (The route is added dynamically.)
Explanation: The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. When an SSL VPN client connection is established, the client dynamically adds a route to the subnets that are returned by the SSL VPN server. This configuration requires proper CA certificate installation, as the SSL VPN client FortiGate/user uses a PSK and a PKI client certificate to authenticate. The FortiGate devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.

QUESTION 35
Which two statements are correct about NGFW Policy-based mode? (Choose two.)
A. NGFW policy-based mode does not require the use of central source NAT policy
B. NGFW policy-based mode can only be applied globally and not on individual VDOMs
C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
D. NGFW policy-based mode policies support only flow inspection
Answer: C, D
Explanation:
C. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy. In NGFW policy-based mode, you can define applications and web filtering categories directly within the firewall policy. This allows you to apply specific controls and restrictions based on the types of applications and content, offering a more granular approach to managing network traffic.
D. NGFW policy-based mode policies support only flow inspection. In NGFW (Next-Generation Firewall) policy-based mode, the emphasis is on flow inspection. Flow inspection involves evaluating the traffic based on predefined rules and policies without deep packet inspection of the content. This mode is optimized for efficiently processing large volumes of traffic by analyzing the flow of data and making decisions based on factors such as source, destination, ports, and protocol.

QUESTION 36
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)
A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
B. An SA never expires.
C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
D. Phase 2 SA expiration can be time-based, volume-based, or both.
E. Both the phase 1 SA and phase 2 SA are bidirectional.
Answer: A, C, D
Explanation:
A. Phase 2 SAs (Security Associations) are established for the purpose of encrypting and decrypting the actual data that is exchanged through the IPsec tunnel. Phase 1 SAs, on the other hand, are primarily responsible for setting up the initial secure connection.
C. A phase 1 SA is bidirectional, meaning it covers both directions of communication between two peers. However, a phase 2 SA is directional, and separate SAs are established for inbound and outbound traffic.
D. Phase 2 SAs can expire based on time, volume (data transferred), or a combination of both. This allows for better control and security management in IPsec implementations.

QUESTION 37
Refer to the exhibit. Why did FortiGate drop the packet?
A. It matched an explicitly configured firewall policy with the action DENY
B. It failed the RPF check.
C. The next-hop IP address is unreachable.
D. It matched the default implicit firewall policy

QUESTION 38
An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is outbound traffic but no response from the peer. Which DPD mode on FortiGate meets this requirement?
A. On Demand
B. On Idle
C. Disabled
D. Enabled
Answer: A. On Demand
Explanation: The On Demand mode for Dead Peer Detection (DPD) on FortiGate sends DPD probes only when there is outbound traffic and no response from the peer. This mode is used to detect whether the peer is still available without continuously sending DPD probes, reducing unnecessary traffic.

QUESTION 39
Which inspection mode does FortiGate use for application profiles if it is configured as a profile-based next-generation firewall (NGFW)?
A. Full content inspection
B. Proxy-based inspection
C. Certificate inspection
D. Flow-based inspection
Answer: D. Flow-based inspection
Explanation: When FortiGate is configured in NGFW profile-based mode, it primarily uses flow-based inspection for application profiles. Flow-based inspection provides faster processing and lower latency by inspecting traffic in real time without buffering, making it suitable for scenarios where performance is a priority.
References: FortiOS 7.4.1 Administration Guide: Inspection Modes

QUESTION 40
Which two statements are correct about SLA targets? (Choose two.)
A. You can configure only two SLA targets per one Performance SLA.
B. SLA targets are optional.
C. SLA targets are required for SD-WAN rules with a Best Quality strategy.
D. SLA targets are used only when referenced by an SD-WAN rule.
Answer: B, D
Incorrect:
A. You can configure only two SLA targets per one Performance SLA. (More is possible.)
C. SLA targets are required for SD-WAN rules with a Best Quality strategy. (Not required.)
Explanation: If the health check is used in an SD-WAN rule that uses Manual or Best Quality strategies, enabling SLA Target is optional. If the health check is used in an SD-WAN rule that uses Lowest Cost (SLA) or Maximum Bandwidth (SLA) strategies, then SLA Target is enabled. Enable SLA Targets and configure the constraints. To add multiple SLA targets, use the CLI.

QUESTION 41
Refer to the web filter raw logs. Based on the raw logs shown in the exhibit, which statement is correct?
A. Access to the social networking web filter category was explicitly blocked to all users.
B. The action on firewall policy ID 1 is set to warning.
C. Social networking web filter category is configured with the action set to authenticate.
D. The name of the firewall policy is all_users_web.
Answer: C
Explanation: We have two logs, the first with action deny and the second with passthrough.
A is incorrect: the second log shows action="passthrough".
B is incorrect: a firewall policy action can be allow or deny.
D is incorrect: the CLI does not show the policy name, only the ID.
Remember that action="passthrough" means that authentication has occurred. At the first attempt from the same source IP the connection is blocked, but a warning message is displayed. At the second attempt with the same source IP the connection passes through, so considering the first block and the second pass, the user must authenticate to be granted access.

QUESTION 42
Which three actions are valid for static URL filtering? (Choose three.)
A. Block
B. Warning
C. Shape
D. Exempt
E. Allow
Answer: A, D, E
Explanation: The correct actions for static URL filtering in FortiGate are:
A. Block: This action blocks access to the specified URL or category.
D. Exempt: This action exempts the specified URL or category from filtering.
E. Allow: This action allows access to the specified URL or category.

QUESTION 43
Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?
A. Local traffic logs
B. Forward traffic logs
C. System event logs
D. Security logs
Answer: A. Local traffic logs
Explanation:
A. Local traffic logs: These logs record information about traffic that is processed by the FortiGate unit itself, including traffic directed to and from the FortiGate management IP addresses.
The other options are not specifically focused on the management IP addresses:
B. Forward traffic logs: These logs generally pertain to traffic that is forwarded through the FortiGate unit.
C. System event logs: These logs capture system-level events, but they may not specifically address traffic to and from management IP addresses.
D. Security logs: While security logs can provide information about security-related events, they may not be specific to the management IP addresses.

QUESTION 44
Which inspection mode does FortiGate use for application profiles if it is configured as a profile-based next-generation firewall (NGFW)?
A. Full content inspection
B. Proxy-based inspection
C. Certificate inspection
D. Flow-based inspection
Answer: D. Flow-based inspection
Explanation: When FortiGate is configured in NGFW profile-based mode, it primarily uses flow-based inspection for application profiles. Flow-based inspection provides faster processing and lower latency by inspecting traffic in real time without buffering, making it suitable for scenarios where performance is a priority.
Reference: FortiOS 7.4.1 Administration Guide: Inspection Modes

QUESTION 45
Examine this FortiGate configuration. Examine the output of the following debug command. Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?
A. It is allowed, but with no inspection
B. It is allowed and inspected as long as the inspection is flow based
C. It is dropped.
D. It is allowed and inspected, as long as the only inspection required is antivirus.
Answer: C
Explanation: C, because memory usage exceeded the extreme memory threshold. "However, if the memory usage exceeds the extreme threshold, new sessions are ALWAYS DROPPED, regardless of the FortiGate configuration." If the memory usage keeps increasing, it might exceed the extreme threshold. While the memory usage is above this highest threshold, all new sessions are dropped.
Note: "Extreme threshold is when the memory usage goes above 95%, and all NEW sessions are dropped."

QUESTION 46
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)
A. The issuer must be a public CA
B. The CA extension must be set to TRUE
C. The Authority Key Identifier must be of type SSL
D. The keyUsage extension must be set to
Answer: B, D
Explanation:
The CA extension must be set to TRUE. This indicates that the certificate can be used to issue other certificates, a requirement for it to function as a CA.
The keyUsage extension must be set to keyCertSign. This specifies that the certificate can be used to sign other certificates, which is essential for a CA certificate.

QUESTION 47
Refer to the exhibit. Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit. What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?
A. Traffic matching the signature will be allowed and logged.
B. The signature setting uses a custom rating threshold.
C. The signature setting includes a group of other signatures.
D. Traffic matching the signature will be silently dropped and logged.
Answer: A
Explanation: The exhibit shows that the "FTP.Login.Failed" IPS signature is set with the action "Pass" and packet logging enabled. This means that any traffic matching this signature will be allowed through the FortiGate, and the traffic details will be logged for monitoring and analysis purposes.
References: FortiOS 7.4.1 Administration Guide: IPS Signature Actions

QUESTION 48
Refer to the exhibit. The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile. An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. What are two solutions for satisfying the requirement? (Choose two.)
A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
B. Set the Freeware and Software Downloads category Action to Warning
C. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.

QUESTION 49
Refer to the exhibit, which shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
A. The sensor will gather a packet log for all matched traffic.
B. The sensor will reset all connections that match these signatures.
C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
D. The sensor will block all attacks aimed at Windows servers.
Explanation: The IPS sensor configuration shows that:
- The Microsoft.Windows.iSCSI.Target.DoS signature is set to "Monitor" with packet logging enabled, meaning that while traffic matching this signature will be allowed, it will also be logged for further analysis.
- The generic Windows filter is set to "Block," meaning that all other attacks matching this filter will be blocked. However, the sensor will not reset connections or log packets unless specified.
Therefore, the sensor will allow attackers matching the specific DoS signature while blocking other attacks against Windows.
References: FortiOS 7.4.1 Administration Guide: IPS Configuration

QUESTION 50
Which two statements describe how the RPF check is used? (Choose two.)
A. The RPF check is run on the first sent packet of any new session.
B. The RPF check is run on the first reply packet of any new session.
C. The RPF check is run on the first sent and reply packet of any new session.
D. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
Answer: A, D
Explanation: The Reverse Path Forwarding (RPF) check is run on the first sent packet of any new session to ensure that the packet arrives on a legitimate interface. This check protects the network from IP spoofing attacks by verifying that a return route exists from the receiving interface back to the source IP address. If the route is invalid or not found, the packet is discarded. Options B and C are incorrect because RPF checks are performed on the first sent packet, not the reply packet.
References: FortiOS 7.4.1 Administration Guide: Reverse Path Forwarding (RPF) Check

QUESTION 51
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service. Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?
A. Pre-shared key
B. Dialup user
C. Dynamic DNS
D. Static IP address
Answer: B. Dialup user
Explanation: In a scenario where the remote peer IP address is dynamic, and the remote peer does not support a dynamic DNS update service, the appropriate choice for configuring the remote gateway on FortiGate is Dialup user. Configuring the remote gateway as a dialup user allows flexibility for dynamic remote peer IP addresses without relying on dynamic DNS. Dialup user configurations are suitable for scenarios where the remote peer's IP address may change dynamically, and it is not possible to use a static IP address or dynamic DNS. The peer IP is not static. D cannot be correct, as the remote peer has a dynamic address that will not be known to the local side because it may change. The same goes for Dynamic DNS. PSK is not a remote gateway type, so the answer is B.

QUESTION 52
What is the primary FortiGate election process when the HA override setting is disabled?
A. Connected monitored ports > System uptime > Priority > FortiGate Serial number
B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
D. Connected monitored ports > Priority > System uptime > FortiGate Serial number
Answer: B
Explanation: If Override is DISABLED: ports > HA uptime > Priority > SN. If Override is ENABLED: ports > Priority > HA uptime > SN.
The FortiGate election process when the HA override setting is disabled follows these criteria in order:
Connected monitored ports: The FortiGate with more connected monitored ports is preferred.
HA uptime: The FortiGate with the longer High Availability (HA) uptime (less recently rebooted in HA) is preferred.
Priority: Priority is used as a tiebreaker. If two FortiGates have the same number of connected monitored ports and the same HA uptime, the one with the higher priority is preferred.
FortiGate Serial number: The FortiGate Serial number is used as a final tiebreaker if all other criteria are the same.
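The route selection in Question 30 and the RPF check in Question 50 both come down to a longest-prefix-match lookup. The following Python script is an added example, not part of the original question set and not FortiGate code: it loads the four routes from the Question 30 exhibit, resolves a destination to the most specific matching prefix, and reuses that lookup as a simplified RPF check (route to the source must exit through the ingress interface; FortiGate's loose/strict RPF modes are not detailed on this page, so that rule is an assumption of the example). It goes slightly beyond Question 30 by also showing a destination that does fall inside the /26, and a table without a default route.

```python
import ipaddress

# Routing table from the Question 30 exhibit: (prefix, next hop, interface).
# Every entry shares the same [10/0] distance/metric and [1/0] priority, so
# prefix length alone decides which route wins.
ROUTES = [
    ("10.20.30.0/24", "172.20.167.254", "port3"),
    ("10.30.20.0/24", "172.20.121.2", "port1"),
    ("10.20.30.0/26", "172.20.168.254", "port2"),
    ("0.0.0.0/0", "172.20.121.2", "port1"),
]

# Constructed variant with no default route, to show the "no route" case.
ROUTES_NO_DEFAULT = [r for r in ROUTES if r[0] != "0.0.0.0/0"]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (prefix, next_hop, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        # A prefix only competes if the address actually falls inside it;
        # 10.20.30.0/26 covers only 10.20.30.0-10.20.30.63, so it never
        # matches 10.20.30.254 even though it is longer than the /24.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def rpf_check(src, ingress_iface, routes=ROUTES):
    """Simplified RPF check for the first packet of a new session (assumption
    of this example): pass only if a route to the source exists and it exits
    through the interface the packet arrived on; otherwise treat as spoofed."""
    route = lookup(src, routes)
    return route is not None and route[2] == ingress_iface


if __name__ == "__main__":
    print(lookup("10.20.30.254"))           # /24 via port3
    print(lookup("10.20.30.10"))            # /26 via port2 (more specific)
    print(lookup("8.8.8.8"))                # default route via port1
    print(lookup("8.8.8.8", ROUTES_NO_DEFAULT))  # None: no route
    print(rpf_check("10.20.30.254", "port3"))    # True
    print(rpf_check("10.20.30.254", "port1"))    # False: wrong ingress
```

Run it as a script to see the lookups; the RPF call returning False is the case the exhibit in Question 37 describes as "failed the RPF check", where a packet claiming a source behind port3 arrives on port1.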
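To make the two election orders in Question 52 concrete, here is an added Python model (example code, not FortiGate's implementation) that ranks a constructed two-unit cluster under both settings. The criteria and their order come from the question; the only assumption beyond the page is that the final serial-number tiebreak favours the lexically higher serial, which is flagged in the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    serial: str
    monitored_ports_up: int  # connected monitored ports
    ha_uptime: int           # seconds in the HA cluster since last join
    priority: int            # HA priority (higher is preferred)


def election_key(m, override):
    """Sort key where a larger tuple means a stronger primary candidate.
    Override disabled: ports > HA uptime > priority > serial.
    Override enabled:  ports > priority > HA uptime > serial.
    Serial as the last tiebreak is assumed here to favour the higher value."""
    if override:
        return (m.monitored_ports_up, m.priority, m.ha_uptime, m.serial)
    return (m.monitored_ports_up, m.ha_uptime, m.priority, m.serial)


def elect_primary(members, override=False):
    """Return the serial of the member that wins the election."""
    return max(members, key=lambda m: election_key(m, override)).serial


# Constructed sample cluster: both units see the same monitored ports up.
# FGT-A has been in the cluster far longer; FGT-B has the higher priority.
CLUSTER = [
    Member("FGT-A", monitored_ports_up=2, ha_uptime=90_000, priority=128),
    Member("FGT-B", monitored_ports_up=2, ha_uptime=3_600, priority=200),
]

# A unit that lost a monitored link never wins, whatever its other values.
CLUSTER_WITH_LINK_FAILURE = CLUSTER + [
    Member("FGT-C", monitored_ports_up=1, ha_uptime=500_000, priority=250),
]

if __name__ == "__main__":
    print(elect_primary(CLUSTER))                 # FGT-A: uptime beats priority
    print(elect_primary(CLUSTER, override=True))  # FGT-B: priority now ranks first
    print(elect_primary(CLUSTER_WITH_LINK_FAILURE, override=True))  # FGT-B
```

With override disabled the long-running FGT-A stays primary despite its lower priority; enabling override is what lets the administrator's priority setting force FGT-B to take over, which is why the two answer options differ only in the position of Priority and HA uptime.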
Post date: 2025-01-12 09:27:34 GMT