FCP - FGT - Ad 7.4 02 Completo

The document contains free exam questions for the Fortinet FCP_FGT_AD-7.4 certification, including multiple-choice questions related to IPsec tunnels, firewall policies, SSL VPN connections, and routing configurations. Each question is accompanied by options and the correct answers, along with explanations for why certain options are correct or incorrect. The document serves as a preparation resource for individuals studying for the Fortinet certification exam.

Uploaded by

pjairon

Free Fortinet FCP_FGT_AD-7.4 Exam Questions By Marks - Page 1

Free Questions for FCP_FGT_AD-7.4


Shared by Marks on 03-03-2025

Question 1
Question Type: MultipleChoice

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The
administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, which two configuration changes will
bring phase 2 up? (Choose two.)

Options:
A- On Remote-FortiGate, set Seconds to 43200.
B- On HQ-FortiGate, enable Diffie-Hellman Group 2.
C- On HQ-FortiGate, set Encryption to AES256.
D- On Remote-FortiGate, set Remote Address to 10.0.1.0/255.255.255.0.

Answer:
C, D

Question 2
Question Type: MultipleChoice

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration,
firewall policy, and the sniffer CLI output on the FortiGate device.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The webserver host (10.0.1.10) must use its VIP external IP address as the source NAT (SNAT)
when it pings remote server (10.200.3.1).

Which two statements are valid to achieve this goal? (Choose two.)

Options:
A- Enable NAT on the Allow_access firewall policy.
B- Create a new firewall policy before Internet_Access for the webserver and apply the IP pool.
C- Disable NAT on the Internet_Access firewall policy.
D- Disable port forwarding on the VIP object.

Answer:
A, D

Explanation:
Enable NAT on the Allow_access firewall policy (A):

The Allow_access firewall policy must have NAT enabled to allow the webserver to use its VIP
external IP address (10.200.1.10) as the source NAT when initiating traffic, such as pings, to the
remote server.

Disable port forwarding on the VIP object (D):

Port forwarding is designed for specific port mapping, typically for services like HTTP or HTTPS. To
use the VIP external IP as a source NAT, port forwarding should be disabled. Disabling port
forwarding ensures that the full VIP IP address is used without being tied to specific ports.

Why other options are not correct:

B. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool:

This is unnecessary as the VIP object itself is used for SNAT in this case, and an additional firewall
policy is not required.

C. Disable NAT on the Internet_Access firewall policy:

Disabling NAT on this policy would prevent the NAT functionality needed for the webserver to use
the VIP external IP address as the source IP.

Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP
configuration are the valid steps to achieve the goal.

Question 3
Question Type: MultipleChoice

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall
policies configuration, VIP configuration, and IP pool configuration on the FortiGate device.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP
address 10.0.1.254/24.

The first firewall policy has NAT enabled using the IP pool. The second firewall policy is configured
with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation
with the IP address 10.0.1.10?

Options:
A- 10.200.1.1
B- 10.200.1.10
C- 10.0.1.254
D- 10.200.1.100

Answer:
D

Explanation:
NAT Configuration: The first firewall policy has NAT enabled using the configured IP pool.

IP Pool Configuration: The IP pool is configured with an external IP range of 10.200.1.100.

Source NAT: When traffic is being NATed, the source IP address is replaced with an IP from the
configured pool. In this scenario, the specific IP defined in the pool is 10.200.1.100.

Thus, any internet-bound traffic from the workstation (10.0.1.10) will have its source IP address
NATed to 10.200.1.100.

Question 4
Question Type: MultipleChoice

Refer to the exhibits.



The SSL VPN connection fails when a user attempts to connect to it.

What should the user do to successfully connect to the SSL VPN?

Options:
A- Change the SSL VPN portal to the tunnel.
B- Change the idle timeout.
C- Change the server IP address.
D- Change the SSL VPN port on the client.

Answer:
D

Explanation:
The SSL VPN is configured to listen on port 11443 on the FortiGate device, as shown in the SSL
VPN settings in the exhibit. However, the user is attempting to connect to the server using port
1443, as displayed in the VPN connection status. The mismatch between the ports is causing the
connection failure. To resolve this, the user should change the client configuration to use port
11443 to match the FortiGate SSL VPN configuration.

Question 5
Question Type: MultipleChoice

Refer to the exhibits.



An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the
security fabric. After synchronization, this object is not available on the downstream FortiGate
(ISFW).

What must the administrator do to synchronize the address object?

Options:
A- Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
B- Change the csf setting on both devices to set downstream-access enable.
C- Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
D- Change the csf setting on ISFW (downstream) to set configuration-sync local.

Answer:
A

Explanation:
Set object synchronization (fabric-object-unification) to default or local on a downstream device.
When set to local, the device does not synchronize objects from the root, but will still participate
in sending the synchronized object downstream.

https://docs.fortinet.com/document/fortigate/6.4.0/new-features/520820/improvements-to-synchronizing-objects-across-the-security-fabric-6-4-4

Question 6
Question Type: MultipleChoice

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

Options:
A- The NetSessionEnum function is used to track user logouts.
B- NetAPI polling can increase bandwidth usage in large networks.
C- The collector agent must search Windows application event logs.
D- The collector agent uses a Windows API to query DCs for user logins.

Answer:
A

Question 7
Question Type: MultipleChoice

What are two features of FortiGate FSSO agentless polling mode? (Choose two.)

Options:
A- FortiGate directs the collector agent to use a remote LDAP server.
B- FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
C- FortiGate does not support workstation check.
D- FortiGate uses the AD server as the collector agent.

Answer:
B, C

Explanation:
FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

In agentless polling mode, FortiGate directly connects to the Domain Controllers (DCs) using the
SMB protocol to read event logs and detect user login events.

FortiGate does not support workstation check.

In agentless polling mode, FortiGate does not perform workstation checks. It relies on polling the
event logs from the Domain Controllers to identify user logins.

Question 8
Question Type: MultipleChoice

Refer to the exhibit.

Based on the routing database shown in the exhibit, which two conclusions can you make about
the routes? (Choose two.)

Options:
A- There will be eight routes active in the routing table
B- The port1 and port2 default routes are active in the routing table
C- The port3 default route has the highest distance
D- The port3 default route has the lowest metric

Answer:
B, C

Explanation:
The port1 and port2 default routes are active in the routing table

The routes with 0.0.0.0/0 for both port1 and port2 are marked with an asterisk * and > symbol,
which indicates that these routes are active and selected in the routing table.

The port3 default route has the highest distance

The route via port3 has a distance of [20/0], which is higher than the distances for the routes via
port1 [10/0] and port2 [30/0]. This indicates that the port3 default route has the highest distance.

Question 9
Question Type: MultipleChoice

Which two pieces of information are synchronized between FortiGate HA members? (Choose two.)

Options:
A- OSPF adjacencies
B- IPsec security associations
C- BGP peerings
D- DHCP leases

Answer:
B, D

Explanation:
IPsec security associations

IPsec security associations (SAs) are synchronized between HA members to ensure seamless
failover and continuity of VPN tunnels.

DHCP leases

DHCP lease information is synchronized between HA members to maintain consistent IP address
assignments and prevent disruptions when failover occurs.

Question 10
Question Type: MultipleChoice

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and
DMZ networks respectively.

Which two statements are true about the requirements of connected physical interfaces on
FortiGate? (Choose two.)

Options:
A- Both interfaces must have the interface role assigned
B- Both interfaces must have directly connected routes on the routing table
C- Both interfaces must have DHCP enabled
D- Both interfaces must have IP addresses assigned

Answer:
B, D

Explanation:
Both interfaces must have directly connected routes on the routing table

In NAT mode, each interface must have a corresponding entry in the routing table, typically as a
directly connected route, to route traffic between them effectively.

Both interfaces must have IP addresses assigned

In NAT mode, each interface must have an IP address to participate in routing and NAT
operations. The IP addresses allow the FortiGate to forward traffic between different network
segments.

Question 11
Question Type: MultipleChoice

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway
setting in both sites has been configured as Static IP Address.

For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is
192.168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

Options:
A- 192.168.3.0/24
B- 192.168.0.0/8
C- 192.168.2.0/24
D- 192.168.1.0/24

Answer:
C