FCP FGT AD-7.4-Demo

Uploaded by nojava6601

Fortinet

FCP_FGT_AD-7.4 Exam
Fortinet Network Security Expert

Questions & Answers


(Demo Version - Limited Content)

Thank you for Downloading FCP_FGT_AD-7.4 exam PDF Demo

Get Full File:

https://www.dumpshero.com/fcp-fgt-ad-7-4-dumps-pdf/
Questions & Answers PDF Page 2

Question: 1

Refer to the exhibit.

Which route will be selected when trying to reach 10.20.30.254?

A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
Answer: A
Explanation:

The correct route selected when trying to reach 10.20.30.254 is 10.20.30.0/24 [10/0] via 172.20.167.254,
port3, [1/0].

• Prefix Length: The routing process prioritizes routes with the most specific (longest) prefix. In this
case, 10.20.30.0/24 has a shorter prefix than 10.20.30.0/26 (option C), but it still matches the target
address 10.20.30.254. The /24 subnet includes all addresses from 10.20.30.0 to 10.20.30.255, so
10.20.30.254 falls within this range.

• Administrative Distance and Metric: In the exhibit, all routes have the same administrative
distance (AD) and metric, meaning they are considered equal in terms of preference. Hence, the
prefix length becomes the primary factor for route selection.

Why the other options are less appropriate:

B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
• This route is for a different subnet, 10.30.20.0/24, which does not include the target address
10.20.30.254. Therefore, it is not a valid match.

C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
• Although this has a more specific prefix (/26), which means it should cover a smaller range of
addresses, the /26 subnet only includes addresses from 10.20.30.0 to 10.20.30.63. The target
address 10.20.30.254 does not fall within this range, so this route will not be selected.

D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
• This is a default route (0.0.0.0/0) used for any address that doesn’t match a more specific route.
Since 10.20.30.254 matches the 10.20.30.0/24 route (option A), the default route will not be
selected.

www.dumpshero.com

Question: 2

Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)

A. Port block allocation
B. Fixed port range
C. One-to-one
D. Overload
Answer: A, B
Explanation:

In carrier-grade NAT (CGNAT) deployments, specific IP pool types are used to manage large-scale NAT
translations efficiently. The correct IP pool types for CGNAT are:

• A. Port block allocation: This type of IP pool allocates a block of ports from a single public IP to
multiple clients. It allows efficient use of a limited number of public IPs by distributing port ranges
among users, which is crucial for carrier-grade NAT environments where a large number of users
need access to the internet.

• B. Fixed port range: In this type, each client is assigned a fixed range of ports, ensuring that the
same public IP and port range are used consistently. This helps in reducing the complexity and
overhead of managing dynamic port assignments, which is particularly useful in large-scale CGNAT
setups.

Why the other options are less appropriate:

• C. One-to-one: One-to-one NAT is used for mapping a single private IP address to a single public
IP address. This is not efficient for carrier-grade NAT because CGNAT is designed to allow multiple
clients to share a smaller number of public IPs.

• D. Overload: Overload, also known as PAT (Port Address Translation), maps multiple private IPs to
a single public IP by differentiating connections based on port numbers. While commonly used in
regular NAT setups, CGNAT benefits more from port block allocation and fixed port range due to th
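An added Python model (not FortiOS code) of the two pool types chosen above, over a constructed pool of two public addresses: port block allocation hands out 1024-port blocks on demand and logs each grant, while fixed port range derives the block from the private address so that no log is needed to attribute a (public IP, port) pair to a subscriber.

```python
"""CGNAT IP pool types from Question 2, as an added example (not FortiGate
code): dynamic port block allocation and fixed port range, over a
constructed pool of two public addresses."""
import ipaddress

BLOCK_SIZE = 1024          # ports per subscriber block
FIRST_PORT = 1024          # ports below this are left unused
LAST_PORT = 65535


def blocks_per_ip(block_size=BLOCK_SIZE):
    """How many subscribers one public address can carry."""
    return (LAST_PORT - FIRST_PORT + 1) // block_size


class PortBlockPool:
    """Port block allocation: blocks are handed out on demand from a free
    list and each grant is logged once, which is what makes later
    attribution of a (public ip, port) pair to a subscriber possible."""

    def __init__(self, public_ips, block_size=BLOCK_SIZE):
        self.block_size = block_size
        self.free = [(ip, lo, lo + block_size - 1)
                     for ip in public_ips
                     for lo in range(FIRST_PORT, LAST_PORT + 2 - block_size, block_size)]
        self.assigned = {}      # private ip -> (public ip, low port, high port)
        self.log = []

    def allocate(self, client_ip):
        if client_ip in self.assigned:
            return self.assigned[client_ip]
        if not self.free:
            return None                      # pool exhausted: new subscriber is refused
        block = self.free.pop(0)
        self.assigned[client_ip] = block
        self.log.append("alloc client=%s pub=%s ports=%d-%d" % (client_ip, *block))
        return block

    def release(self, client_ip):
        block = self.assigned.pop(client_ip, None)
        if block is None:
            return False
        self.free.append(block)
        self.log.append("release client=%s pub=%s ports=%d-%d" % (client_ip, *block))
        return True

    def translate(self, client_ip, src_port):
        """Rewrite a flow's source to (public ip, port inside the block).
        Real NAT keeps per-flow state; folding the port into the block is
        enough to show which ports a subscriber can ever appear on."""
        block = self.allocate(client_ip)
        if block is None:
            return None
        pub, lo, hi = block
        return pub, lo + src_port % (hi - lo + 1)

    def subscriber_for(self, pub_ip, port):
        """Reverse lookup an operator does from a log entry or abuse report."""
        for client, (pub, lo, hi) in self.assigned.items():
            if pub == pub_ip and lo <= port <= hi:
                return client
        return None


def fixed_port_range(client_ip, client_subnet, public_ips, block_size=BLOCK_SIZE):
    """Fixed port range: the block is a pure function of the private address,
    so no allocation state or log is needed to attribute traffic. Returns
    None when the subnet holds more hosts than the pool has blocks."""
    net = ipaddress.ip_network(client_subnet)
    offset = int(ipaddress.ip_address(client_ip)) - int(net.network_address)
    ip_index, block_index = divmod(offset, blocks_per_ip(block_size))
    if ip_index >= len(public_ips):
        return None
    lo = FIRST_PORT + block_index * block_size
    return public_ips[ip_index], lo, lo + block_size - 1


if __name__ == "__main__":
    pool = PortBlockPool(["203.0.113.1", "203.0.113.2"])   # constructed public pool
    print("subscribers per public IP:", blocks_per_ip())
    print("10.0.0.1 ->", pool.translate("10.0.0.1", 40000))
    print("fixed block for 10.0.0.63:",
          fixed_port_range("10.0.0.63", "10.0.0.0/24", ["203.0.113.1", "203.0.113.2"]))
```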

Question: 3

What is eXtended Authentication (XAuth)?

A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials
(username and password).
C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
D. It is an IPsec extension that authenticates remote VPN peers using digital certificates.
Answer: B
Explanation:

eXtended Authentication (XAuth) is an extension to the IPsec protocol that provides additional
authentication for remote VPN users. It requires users to authenticate with a username and password after
the initial IPsec VPN connection is established. This adds an extra layer of security beyond the initial IPsec
authentication, which typically involves pre-shared keys or digital certificates.

Why the other options are less appropriate:

A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID:
XAuth does not use local IDs for authentication. Instead, it uses user credentials (username and
password) for additional authentication after the initial VPN connection.

C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key:
Pre-shared keys are part of the initial IPsec authentication process, not XAuth. XAuth is used for further
authentication once the IPsec tunnel is established.

D. It is an IPsec extension that authenticates remote VPN peers using digital certificates:
Digital certificates are used for IPsec authentication but not specifically by XAuth. XAuth focuses on user
credentials authentication after the IPsec connection is established.

Question: 4

What must you configure to enable proxy-based TCP session failover?

A. You must configure ha-configuration-sync under configure system ha.
B. You do not need to configure anything because all TCP sessions are automatically failed over.
C. You must configure session-pickup-enable under configure system ha.
D. You must configure session-pickup-connectionless enable under configure system ha.
Answer: C
Explanation:

To enable proxy-based TCP session failover in a high-availability (HA) setup on FortiGate devices, you
need to configure session pickup. The session-pickup-enable setting ensures that TCP sessions are
picked up and continued on the secondary FortiGate device in the HA cluster if the primary device fails.
This allows for seamless session continuity and failover without interrupting the user's active connections.

Why the other options are less appropriate:

A. You must configure ha-configuration-sync under configure system ha:
ha-configuration-sync is used to synchronize configuration changes across HA devices but does not
handle session failover for TCP sessions.

B. You do not need to configure anything because all TCP sessions are automatically failed over:
This is incorrect because session failover for TCP sessions requires explicit configuration. Without it,
sessions may not be properly maintained during failover.

D. You must configure session-pickup-connectionless enable under configure system ha:
The session-pickup-connectionless setting is not related to TCP session failover; it deals with
connectionless protocols, which is not applicable in this context.

Question: 5

An administrator needs to inspect all web traffic (including Internet web traffic) coming from users
connecting to the SSL-VPN. How can this be achieved?

A. Assigning public IP addresses to SSL-VPN users
B. Configuring web bookmarks
C. Disabling split tunneling
D. Using web-only mode
Answer: C
Explanation:

Disabling split tunneling ensures that all traffic from SSL-VPN users is routed through the FortiGate device.
This means that both internal and external web traffic (including Internet traffic) will be subject to inspection
by the FortiGate's security policies and features.

Why the other options are less appropriate:

A. Assigning public IP addresses to SSL-VPN users:
Assigning public IP addresses to SSL-VPN users does not inherently provide inspection of all web traffic. It
may expose users directly to the Internet, bypassing the FortiGate’s inspection capabilities unless the
FortiGate is configured to handle traffic appropriately.

B. Configuring web bookmarks:
Web bookmarks are used to provide users with quick access to specific web resources. They do not affect
the routing or inspection of web traffic.

D. Using web-only mode:
Web-only mode allows users to access web-based applications only and does not provide comprehensive
traffic inspection. It does not address the need to inspect all web traffic, including Internet traffic.

Question: 6

Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the
exhibit.

Which policy will be highlighted, based on the input criteria?

A. Policy with ID 4.
B. Policy with ID 5.
C. Policies with ID 2 and 3.
D. Policy with ID 1.
Answer: B
Explanation:

The Policy Lookup feature in FortiGate helps identify which firewall policies match specific criteria. To
determine which policy will be highlighted, we need to analyze the input criteria and compare it to the
firewall policies.

Given the input criteria:

1. Source Address: 10.1.1.0/24
2. Destination Address: 192.168.1.0/24
3. Service: HTTP

We need to match these criteria with the policies in the exhibits.

Examining each policy:

• Policy with ID 1:
o Source Address: 10.1.1.0/24
o Destination Address: 192.168.1.0/24
o Service: HTTPS (Does not match, as the service is HTTP in the criteria)

• Policy with ID 2:
o Source Address: 10.1.1.0/24
o Destination Address: 192.168.1.0/24
o Service: HTTP (Matches all criteria)

• Policy with ID 3:
o Source Address: 10.1.1.0/24
o Destination Address: 192.168.1.0/24
o Service: HTTP (Matches all criteria)


• Policy with ID 4:
o Source Address: 10.1.1.0/24
o Destination Address: 10.2.2.0/24 (Destination address does not match)
o Service: HTTP

• Policy with ID 5:
o Source Address: 10.1.1.0/24
o Destination Address: 192.168.1.0/24
o Service: HTTP (Matches all criteria)

The policies that meet the criteria are those with IDs 2, 3, and 5. However, only policy ID 5 exactly fits the
criteria of having the service HTTP and destination 192.168.1.0/24.

Therefore, the correct answer is: B. Policy with ID 5

Question: 7

Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default
configuration of high memory usage thresholds.

Based on the system performance output, which two results are correct? (Choose two.)

A. FortiGate will start sending all files to FortiSandbox for inspection.
B. FortiGate has entered conserve mode.
C. Administrators cannot change the configuration.
D. Administrators can access FortiGate only through the console port.
Answer: B, C
Explanation:

In FortiGate, when the system performance output indicates high memory usage or other resource
constraints, certain actions are taken based on the configured thresholds and system status. Here’s
how to interpret the results:

B. FortiGate has entered conserve mode:
When FortiGate's system performance output shows that memory usage is critically high, FortiGate can
enter "conserve mode." In this mode, the system reduces resource usage to maintain stability. It might
disable non-essential services or reduce the system's load to prevent crashes or system instability.
Conserve mode is a protective measure to ensure continued operation even under high resource
usage.

C. Administrators cannot change the configuration:
In conserve mode, FortiGate restricts configuration changes to prevent further resource consumption or
potential system issues. This restriction ensures that critical resources are preserved and the system
remains stable. Therefore, administrators cannot make configuration changes until the system is out of
conserve mode or the resource issue is resolved.

Why the other options are less appropriate:

A. FortiGate will start sending all files to FortiSandbox for inspection:
Sending all files to FortiSandbox is a security action related to threat detection and is not directly related
to memory usage thresholds. High memory usage or entering conserve mode does not automatically
trigger FortiSandbox file inspection. FortiSandbox is typically configured independently of memory
usage thresholds.

D. Administrators can access FortiGate only through the console port:
While conserve mode restricts configuration changes, it does not necessarily limit access to the device
to only the console port. Administrators can still manage FortiGate through other means, such as SSH
or web-based management, depending on the configuration and access settings. Console access is
typically used for recovery or emergency situations but is not a direct result of conserve mode.

Reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580

Question: 8

Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose
three.)

A. Services defined in the firewall policy
B. Highest to lowest priority defined in the firewall policy
C. Destination defined as Internet Services in the firewall policy
D. Lowest to highest policy ID number
E. Source defined as Internet Services in the firewall policy
Answer: A, C, E
Explanation:

• A. Services defined in the firewall policy: FortiGate uses the service specified in the firewall
policy to match traffic. Services define the types of traffic (like HTTP, FTP) that the policy will apply
to.


• C. Destination defined as Internet Services in the firewall policy: Policies can be matched
based on the destination being categorized as Internet Services, allowing specific handling of such
traffic.

• E. Source defined as Internet Services in the firewall policy: Similarly, traffic from sources
categorized as Internet Services can be matched and processed according to the policy
configuration.

Why the other options are less relevant:

• B. Highest to lowest priority defined in the firewall policy: Policies are processed from top to
bottom, not by priority. The highest priority policy is processed first, but this is about the order of
policy processing rather than criteria for matching traffic.

• D. Lowest to highest policy ID number: Policies are processed from the top of the list (the lowest
policy ID) to the bottom (the highest policy ID), which is about the processing order rather than
matching criteria.

Question: 9

Which two statements correctly describe the differences between IPsec main mode and IPsec
aggressive mode? (Choose two.)

A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does
not.
B. Main mode cannot be used for dialup VPNs, while aggressive mode can.
C. Aggressive mode supports XAuth, while main mode does not.
D. Six packets are usually exchanged during main mode, while only three packets are exchanged
during aggressive mode.
Answer: A, D
Explanation:

The differences between IPsec main mode and IPsec aggressive mode are mainly in the number
of packets exchanged and the level of security provided during the negotiation process. Here's the
breakdown:

• A. The first packet of aggressive mode contains the peer ID, while the first packet of
main mode does not:
In aggressive mode, the peer's identity is sent in the first packet, making the process faster
but less secure because the peer's identity is not encrypted. In main mode, the peer's identity
is protected and only exchanged after the encryption is established, offering more security.

• D. Six packets are usually exchanged during main mode, while only three packets are
exchanged during aggressive mode:
Main mode involves a more detailed negotiation process, requiring the exchange of six
packets. Aggressive mode, on the other hand, reduces this to three packets, speeding up
the connection but sacrificing some security in the process.

Why the other options are less appropriate:


• B. Main mode cannot be used for dialup VPNs, while aggressive mode can:
This is incorrect. Main mode can be used for dialup VPNs as long as the peer's IP is known
or configured in advance.

• C. Aggressive mode supports XAuth, while main mode does not:
Both main mode and aggressive mode can support XAuth (eXtended Authentication) if
needed.

Question: 10

View the exhibit.

A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.

Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF)
checks on this traffic? (Choose two.)

A. Strict RPF check will deny the traffic.
B. Loose RPF check will allow the traffic.
C. Strict RPF check will allow the traffic.
D. Loose RPF check will deny the traffic.
Answer: B, C
Explanation:

When FortiGate performs reverse path forwarding (RPF) checks, it can operate in two modes: Strict
RPF and Loose RPF. Here’s how these two checks work:

• Strict RPF Check:
In strict RPF, FortiGate checks whether the best route back to the source IP of the packet (in this
case, 192.168.32.15) goes through the same interface on which the packet was received. If the best
return path uses a different interface, the packet is denied. Based on the scenario:
o C. Strict RPF check will allow the traffic:
If the return path for 192.168.32.15 matches the interface where the traffic was received, the
strict RPF check will allow the traffic.

• Loose RPF Check:
In loose RPF, FortiGate only checks if there is any route back to the source IP of the packet,
regardless of the interface. This is a more permissive check, and if a route exists, the packet will be
allowed.
o B. Loose RPF check will allow the traffic:
Since loose RPF requires only that a valid route to the source exists, the traffic is allowed.

Why the other options are less appropriate:

• A. Strict RPF check will deny the traffic:
This would only happen if the return route didn’t match the incoming interface, which is not indicated
here.

• D. Loose RPF check will deny the traffic:
Loose RPF is more permissive, so it will not deny the traffic as long as a valid route to the source IP
exists.
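Route selection for Question 1 and the RPF checks for this question rest on the same route lookup, so the following added example (not FortiGate code) implements both in Python: longest-prefix match with administrative distance as the tie-break over the four routes from Question 1, and strict versus loose RPF over a constructed routing table, since this question's exhibit is not reproduced here. Loose RPF is modelled as the explanation above describes it, accepting any route back to the source whatever its interface.

```python
"""Route selection and reverse path forwarding checks, as an added example
(not FortiGate's code). Q1_ROUTES are the four candidates from Question 1;
RPF_ROUTES is a constructed table standing in for Question 10's exhibit."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network, e.g. "10.20.30.0/24"
    gateway: str         # next hop
    interface: str       # egress interface
    distance: int = 10   # administrative distance (the [10/0] pair on the page)
    metric: int = 0

    def covers(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.prefix, strict=False)

    @property
    def prefixlen(self):
        return ipaddress.ip_network(self.prefix, strict=False).prefixlen


Q1_ROUTES = [
    Route("10.20.30.0/24", "172.20.167.254", "port3"),   # option A
    Route("10.30.20.0/24", "172.20.121.2", "port1"),     # option B
    Route("10.20.30.0/26", "172.20.168.254", "port2"),   # option C
    Route("0.0.0.0/0", "172.20.121.2", "port1"),         # option D
]

# Constructed: the user's LAN on port2, the web server subnet on port3 and two
# default routes with different administrative distances (lower is preferred).
RPF_ROUTES = [
    Route("192.168.32.0/24", "0.0.0.0", "port2"),
    Route("172.16.32.0/24", "0.0.0.0", "port3"),
    Route("0.0.0.0/0", "203.0.113.1", "port1", distance=10),
    Route("0.0.0.0/0", "198.51.100.1", "port4", distance=20),
]


def select_route(routes, dst):
    """Longest matching prefix wins; ties are broken by lower administrative
    distance, then lower metric. Returns None when nothing covers dst."""
    candidates = [r for r in routes if r.covers(dst)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefixlen, r.distance, r.metric))


def rpf_check(routes, src, in_iface, strict):
    """Strict RPF: the best route back to src must leave via in_iface.
    Loose RPF (as the explanation above describes it): any route covering src,
    a default route included, is enough. With no route back at all the packet
    is dropped in both modes."""
    best = select_route(routes, src)
    if best is None:
        return False
    return best.interface == in_iface if strict else True


if __name__ == "__main__":
    print("10.20.30.254 ->", select_route(Q1_ROUTES, "10.20.30.254"))
    for iface in ("port2", "port1"):
        for strict in (True, False):
            verdict = rpf_check(RPF_ROUTES, "192.168.32.15", iface, strict)
            print(f"src 192.168.32.15 in on {iface} strict={strict}:",
                  "allow" if verdict else "deny")
```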

Question: 11

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when
SSL certificate inspection is enabled? (Choose three.)

A. The subject field in the server certificate
B. The serial number in the server certificate
C. The server name indication (SNI) extension in the client hello message
D. The subject alternative name (SAN) field in the server certificate
E. The host field in the HTTP header
Answer: A, C, D
Explanation:

When SSL certificate inspection is enabled on FortiGate, it uses the following pieces of information to
identify the hostname of the SSL server:

• A. The subject field in the server certificate:
This field contains the hostname or domain name of the SSL server, which helps FortiGate identify
the server.

• C. The server name indication (SNI) extension in the client hello message:
The SNI is a field in the TLS handshake that specifies the hostname the client is attempting to
connect to. FortiGate uses this information to determine the server's identity.

• D. The subject alternative name (SAN) field in the server certificate:
The SAN field is an extension in the SSL certificate that can list multiple domain names and
hostnames, allowing FortiGate to identify the server if it uses multiple names.

Why the other options are less appropriate:

• B. The serial number in the server certificate:
The serial number is unique to the certificate but does not provide information about the hostname of
the server.

• E. The host field in the HTTP header:
This field is part of the HTTP request, not part of the SSL/TLS handshake or certificate, and it is
typically used in content inspection rather than SSL inspection.

Reference:
FortiOS 7.4.1 Administration Guide - SSL/SSH Inspection, page 1802.
FortiOS 7.4.1 Administration Guide - Configuring SSL/SSH Inspection Profile, page 1799.

Question: 12

Consider the topology:

Application on a Windows machine <--{SSL VPN}--> FGT --> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux
server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The
administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server.
This issue does not happen when the application establishes a Telnet connection to the Linux server
directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running
through FortiGate? (Choose two.)

A. Set the maximum session TTL value for the TELNET service object.
B. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen
after 90 minutes.
C. Create a new service object for TELNET and set the maximum session TTL.
D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic,
and set the new TELNET service object in the policy.
Answer: C, D
Explanation:
The issue with the idle session timing out after 90 minutes can be resolved by adjusting the session Time-
To-Live (TTL) for the TELNET service used over the SSL VPN connection. Here's how the administrator
can address the problem:

• C. Create a new service object for TELNET and set the maximum session TTL:
By creating a new service object specifically for TELNET and setting a custom maximum session
TTL, the administrator can ensure that the TELNET session does not time out prematurely. This
way, the session will last longer or indefinitely, depending on the configured TTL.

• D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL
VPN traffic, and set the new TELNET service object in the policy:
Creating a dedicated firewall policy for SSL VPN traffic and placing it above the existing one allows
the administrator to apply the new TELNET service object with a longer session TTL. This will
ensure the new policy with the adjusted settings takes precedence for TELNET traffic.

Why the other options are less appropriate:

• A. Set the maximum session TTL value for the TELNET service object:
This would work if you were adjusting an existing TELNET service object. However, creating a new
service object for TELNET and applying it in the firewall policy (as described in options C and D) is
more granular and won't affect other services using the same TELNET object.

• B. Set the session TTL on the SSLVPN policy to maximum:
While this would extend the session timeout for the entire SSL VPN traffic, it could affect other
services running through the SSL VPN, which may not be desirable. This option would lack the
necessary specificity for only the TELNET traffic.

Question: 13

Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are
configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the
internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to ISP
modem.
With this configuration, which statement is true?

A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
B. A default static route is not required on the To_Internet VDOM to allow LAN users to access the
internet.
C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root
VDOM is used only as a management VDOM.
Answer: A
Explanation:

In this scenario, multiple Virtual Domains (VDOMs) are used, and each VDOM operates either in NAT
mode or transparent mode:

• Root VDOM (management) and To_Internet VDOM are in NAT mode.

• DMZ VDOM and Local VDOM are in transparent mode.

To allow traffic between different VDOMs (e.g., Local and Root), inter-VDOM links must be configured.
Since Local VDOM is in transparent mode, it functions at Layer 2, meaning it requires an inter-VDOM
link to pass traffic through the Root VDOM, which operates in NAT mode at Layer 3.

Why the other options are less appropriate:

• B. A default static route is not required on the To_Internet VDOM:
A default route is required on the To_Internet VDOM to send traffic from LAN users to the internet.

• C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs:
Both Local and DMZ are in transparent mode and operate at Layer 2, so direct communication
would require inter-VDOM links if passing through another VDOM.

• D. Inter-VDOM links are not required between the Root and To_Internet VDOMs:
Even if the Root VDOM is only used for management, it still requires inter-VDOM links to
communicate with other VDOMs (like To_Internet) in the Security Fabric.

Question: 14

Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question
below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

A. SMTP.Login.Brute.Force
B. IMAP.Login.brute.Force
C. ip_src_session
D. Location: server Protocol: SMTP
Answer: B
Explanation:

When FortiGate evaluates potential attacks, the IPS sensor follows a specific processing order based on
the configuration of filters, signatures, and anomaly thresholds. In this case:

• The IPS sensor is configured with IMAP.Login.brute.Force, which comes first in the order of
evaluation.

• FortiGate prioritizes based on signature definitions in the sensor, and since
IMAP.Login.brute.Force appears higher in the configuration, it will be evaluated before the other
signatures and anomalies.

Why the other options are less appropriate:

• A. SMTP.Login.Brute.Force: This would be evaluated after IMAP.Login.brute.Force, based on the
sensor configuration hierarchy.

• C. ip_src_session: This is part of the DoS policy and does not come into play until after IPS
signatures are evaluated.

• D. Location: server Protocol: SMTP: This appears to be part of the broader IPS sensor rule, but it is
not the first item in the evaluation chain.

Question: 15

Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The
administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

A. Run a sniffer on the web server.
B. Capture the traffic using an external sniffer connected to port1.
C. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”
D. Execute a debug flow.
Answer: D
Explanation:

The next step for troubleshooting the problem would be to execute a debug flow on the FortiGate. The
debug flow command provides detailed insights into how FortiGate handles the traffic, including
whether the traffic is being dropped, allowed, or forwarded to the correct interface. It helps in identifying
issues like firewall policy misconfigurations, routing issues, or NAT problems.

• A. Run a sniffer on the web server: While this might help diagnose server-side issues, the
initial focus should be on the FortiGate, as the problem might lie in the firewall configuration or
traffic handling.

• B. Capture the traffic using an external sniffer connected to port1: This may provide packet-
level information, but it's more useful to first analyze FortiGate's internal decision-making process
with a debug flow.

• C. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”: Running
a sniffer on the specific host might give more packet details, but the debug flow provides more
comprehensive information on how the firewall processes the packets.

Thus, using the debug flow will offer a more direct understanding of how the traffic is being processed or
blocked within FortiGate.

Question: 16

Refer to the exhibit.

A user located behind the FortiGate device is trying to go to http://www.addictinggames.com
(Addicting.Games). The exhibit shows the application details and application control profile.
Based on this configuration, which statement is true?

A. Addicting.Games will be blocked, based on the Filter Overrides configuration.
B. Addicting.Games will be allowed only if the Filter Overrides action is set to Learn.
C. Addicting.Games will be allowed, based on the Categories configuration.
D. Addicting.Games will be allowed, based on the Application Overrides configuration.
Answer: D
Explanation:

In the exhibit, it shows that the Application Overrides section is configured to allow the application
Addicting.Games. The Application Control Profile gives priority to the application overrides, meaning that
even if a category or filter would block it, the application control override would allow the specific application
to proceed.

• A. Addicting.Games will be blocked, based on the Filter Overrides configuration:
This is incorrect because the Application Overrides take precedence over other filters.

• B. Addicting.Games will be allowed only if the Filter Overrides action is set to Learn:
This is not applicable as the action is based on Application Overrides, not filter overrides.

• C. Addicting.Games will be allowed, based on the Categories configuration:
This is not correct because the application is being allowed due to the Application Overrides, not
the category settings.

Thus, the correct explanation is that Addicting.Games will be allowed due to the Application Overrides
configuration.

Question: 17

Which of the following methods can be used to configure FortiGate to perform source NAT (SNAT) for
outgoing traffic?

A. Configure a static route pointing to the external interface.
B. Enable the "Use Outgoing Interface Address" option in a firewall policy.
C. Create a virtual server with an external IP address.
D. Deploy an IPsec VPN tunnel with NAT enabled.
Answer: B
Explanation:

To configure source NAT (SNAT) for outgoing traffic on FortiGate, one of the most common methods
is to enable the "Use Outgoing Interface Address" option in a firewall policy. This option ensures
that the source IP address of packets leaving the FortiGate device is replaced by the IP address of the
outgoing interface. This is typically done when traffic is exiting a private network to access the internet,
requiring source NAT to translate the private IP addresses to a public IP.

Why the other options are less appropriate:

• A. Configure a static route pointing to the external interface: A static route is used to direct
traffic, but it does not configure SNAT. It determines where packets are sent but does not modify
the source IP.

• C. Create a virtual server with an external IP address: Virtual servers are used to provide
destination NAT (DNAT) for incoming traffic, not SNAT for outgoing traffic.

• D. Deploy an IPsec VPN tunnel with NAT enabled: While IPsec VPN tunnels can be configured
with NAT traversal, this is not the typical method for configuring SNAT for general outgoing
internet traffic.

Question: 18

Refer to the exhibit.


Which two statements are true about the routing entries in this database table? (Choose two.)

A. All of the entries in the routing database table are installed in the FortiGate routing table.
B. The port2 interface is marked as inactive.
C. Both default routes have different administrative distances.
D. The default route on port2 is marked as the standby route.
Answer: C, D
Explanation:

• C. Both default routes have different administrative distances: The routing table contains two
default routes (0.0.0.0/0), each using different administrative distances (AD). This AD value helps
prioritize which route to use when multiple routes to the same destination exist. The route with the
lower administrative distance will be preferred.

• D. The default route on port2 is marked as the standby route: The route on port2 is likely marked
as a standby route, meaning it will be used only if the primary route (with the lower AD) becomes
unavailable. This is common in high availability configurations, where one route is active and
another is on standby for redundancy.

Why the other options are less appropriate:

• A. All of the entries in the routing database table are installed in the FortiGate routing table: Not
all routes may be actively installed in the routing table. Only the most preferred routes (based on
metrics like AD) are installed.

• B. The port2 interface is marked as inactive: The question does not provide information suggesting
that port2 is inactive. Instead, it is marked as a standby route for redundancy.


Reference:
FortiOS 7.4.1 Administration Guide: Default route configuration
FortiOS 7.4.1 Administration Guide: Routing table explanation

Question: 19

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

A. All traffic from a source IP to a destination IP is sent to the same interface.
B. Traffic is sent to the link with the lowest latency.
C. Traffic is distributed based on the number of sessions through each interface.
D. All traffic from a source IP is sent to the same interface.
Answer: A
Explanation:

When SD-WAN traffic does not match any defined rules, FortiGate uses a session-based algorithm for
traffic distribution. This means that all traffic from a source IP to a destination IP is sent through the
same interface during the lifetime of that session. This prevents the issue of packets arriving out of order,
which could happen if different sessions were routed through different interfaces. This approach ensures
consistent traffic handling and avoids potential disruptions for stateful applications.

Why the other options are less appropriate:

• B. Traffic is sent to the link with the lowest latency: This is not correct by default, as FortiGate's
default behavior focuses on session consistency rather than always selecting the lowest latency link.

• C. Traffic is distributed based on the number of sessions through each interface: While
FortiGate can load balance based on sessions, the default behavior for unmatched traffic follows a
session-based algorithm, not an equal session distribution across interfaces.

• D. All traffic from a source IP is sent to the same interface: The traffic is distributed from a source
IP to a destination IP, meaning the decision is based on the specific session, not just the source IP
alone.

Reference:
FortiOS 7.4.1 Administration Guide: SD-WAN Load Balancing Algorithms

Question: 20

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.


Based on the exhibit, which statement is true?

A. The underlay zone contains port1 and
B. The d-wan zone contains no member.
C. The d-wan zone cannot be deleted.
D. The virtual-wan-link zone contains no member.
Answer: C
Explanation:

In FortiGate's SD-WAN configuration, the d-wan zone is a system default SD-WAN zone that is
automatically created and cannot be deleted. This zone is used to manage dynamic WAN links for SD-WAN
traffic balancing and routing. It ensures that multiple WAN interfaces can be grouped and managed
effectively for WAN link optimization.

Why the other options are less appropriate:

• A. The underlay zone contains port1 and: There is no mention in the exhibit about an "underlay
zone" containing port1.


• B. The d-wan zone contains no member: This statement is irrelevant since the focus is on the
zone's deletion, not its members.

• D. The virtual-wan-link zone contains no member: This is unrelated to the core fact that the d-wan
zone cannot be deleted.

Reference:
FortiOS 7.4.1 Administration Guide: SD-WAN Zone Configuration

Question: 21

Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)

A. Manual with load balancing
B. Lowest Cost (SLA) with load balancing
C. Best Quality with load balancing
D. Lowest Quality (SLA) with load balancing
E. Lowest Cost (SLA) without load balancing
Answer: A, B, C
Explanation:

FortiGate's SD-WAN rule strategies for member selection include the following:

Manual with load balancing: This strategy allows an administrator to manually configure which SD-WAN
member interfaces to use for specific traffic.

Lowest Cost (SLA) with load balancing: This strategy prioritizes the link with the lowest cost that meets
the SLA requirements.

Best Quality with load balancing: This strategy selects the link with the best performance metrics, such as
latency, jitter, or packet loss.

Options D and E are incorrect because "Lowest Quality" is not a valid strategy, and "Lowest Cost without
load balancing" contradicts the requirement for load balancing in the strategy name.

Reference:
FortiOS 7.4.1 Administration Guide: SD-WAN Rule Strategies

Question: 22

Refer to the exhibit to view the firewall policy.


Why would the firewall policy not block a well-known virus, for example eicar?

A. The action on the firewall policy is not set to deny.
B. The firewall policy is not configured in proxy-based inspection mode.
C. Web filter is not enabled on the firewall policy to complement the antivirus profile.
D. The firewall policy does not apply deep content inspection.
Answer: B
Explanation:

In FortiGate, for an antivirus profile to block well-known viruses like EICAR, the policy must be configured
in proxy-based inspection mode. Proxy-based mode allows for deep content inspection, including more
thorough virus scanning of the entire file content before forwarding. Flow-based inspection, on the other
hand, may allow some traffic to pass before the file is fully scanned.

• Proxy-based inspection mode is required for deeper analysis of content, such as scanning for
malware like EICAR.

• Flow-based inspection might allow some portions of the file before the virus is detected, depending
on the configuration.

Thus, the firewall policy in the exhibit is not blocking the virus because it is set to flow-based inspection
mode, which may not fully inspect content as thoroughly as proxy-based inspection.

Other options, such as setting the action to deny or enabling web filter, are not directly relevant for antivirus
scanning.

Reference:
FortiOS 7.4.1 Administration Guide: Inspection Modes

Question: 23

Refer to the exhibit.


FortiGate has two separate firewall policies for Sales and Engineering to access the same web server
with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?

A. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.
B. Create an Interface Group that includes port1 and port2 to create a single firewall policy.
C. Select port1 and port2 subnets in a single firewall policy.
D. Replace port1 and port2 with the any interface in a single firewall policy.
Answer: B
Explanation:

To consolidate the two firewall policies for Sales and Engineering into one, the most effective method is to
create an Interface Group that includes both port1 (used by Sales) and port2 (used by Engineering). This
allows you to create a single firewall policy that applies to traffic from both ports while maintaining the same
security profiles.

Why this works:

• Interface Groups allow you to combine multiple interfaces into a single logical group, which can then
be used in firewall policies, simplifying management.

• Once both interfaces (port1 and port2) are grouped, the policy can apply to all traffic passing through
either interface without needing to duplicate rules.

Other options explained:

• A. Enable Multiple Interface Policies: FortiGate does not have a specific "Multiple Interface Policies"
option, and it would not solve the issue directly.

• C. Select port1 and port2 subnets in a single firewall policy: This is less efficient and doesn't
simplify the policy if you want to manage both interfaces together.

• D. Replace port1 and port2 with the any interface: Using the "any" interface could compromise
security as it applies to all interfaces, not just port1 and port2.

Thus, creating an Interface Group to include both interfaces is the best solution for consolidating the
policies.

Reference:
FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration

Question: 24

A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection
and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL
inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate
warning errors.
What is the reason for the certificate warning errors?

A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is
required when the SSL inspection profile is defined with a private CA certificate.
B. The certificate used by FortiGate for SSL inspection does not contain the required certificate
extensions.
C. The browser does not recognize the certificate in use as signed by a trusted CA.
D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.
Answer: C
Explanation:

When a FortiGate is configured to perform full SSL inspection using a private CA certificate, the browser
needs to trust the certificate used by FortiGate to inspect the HTTPS traffic. If the FortiGate’s private CA
certificate has not been added to the browser’s trusted certificate store, the browser will show
certificate warning errors. This is because the browser does not recognize the certificate authority (CA)
that signed the certificate as a trusted entity.

• The browser needs to trust the private CA certificate for SSL inspection to proceed smoothly without
warnings.

• If the certificate used by FortiGate during inspection is not trusted by the browser, users will
encounter certificate warnings.

Other options explained:

• A. The SSL cipher compliance option is not enabled on the SSL inspection profile: This is
unrelated to the certificate trust issue. SSL cipher compliance relates to the encryption protocols, not
to certificate warnings.

• B. The certificate used by FortiGate for SSL inspection does not contain the required certificate
extensions: Certificate extensions are not the cause of browser trust warnings.

• D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser
level: This is incorrect. It is possible to avoid certificate warnings by ensuring the private CA
certificate is trusted by the browser.


Reference:
FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration

Question: 25

Refer to the exhibits.


FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit. What would be
the expected outcome in the HA cluster?

A. FGT-1 will remain the primary because FGT-2 has lower priority.
B. FGT-2 will take over as the primary because it has the override enable setting and higher priority
than FGT-1.
C. FGT-1 will synchronize the override disable setting with FGT-2.
D. The HA cluster will become out of sync because the override setting must match on all HA
members.
Answer: B

Explanation:

In Fortinet HA (High Availability) clusters, if the "override" feature is enabled, the device with the highest
priority will take over as the primary, even if the other device was previously the primary.

• Override: When enabled, it ensures that the HA member with the highest priority becomes the primary
unit, regardless of uptime or other factors.

• Priority: The device with the higher priority value will become the primary when override is enabled.

In the given configuration:

• FGT-2 has both the "override enable" setting and a higher priority, so it will take over as the primary in
the HA cluster.

Thank You for trying FCP_FGT_AD-7.4 PDF Demo

https://www.dumpshero.com/fcp-fgt-ad-7-4-dumps-pdf/

Start Your FCP_FGT_AD-7.4 Preparation