FCP - FGT - AD-7.6 FCP - FortiGate 7.6 Administrator Exam Free Dumps
Uploaded by donghuachan1281

Itfreedumps provides the latest online questions for all IT certifications,

such as IBM, Microsoft, CompTIA, Huawei, and so on.

Hot exams are available below.

AZ-204 Developing Solutions for Microsoft Azure

820-605 Cisco Customer Success Manager

MS-203 Microsoft 365 Messaging

HPE2-T37 Using HPE OneView

300-415 Implementing Cisco SD-WAN Solutions (ENSDWI)

DP-203 Data Engineering on Microsoft Azure

500-220 Engineering Cisco Meraki Solutions v1.0

NACE-CIP1-001 Coating Inspector Level 1

NACE-CIP2-001 Coating Inspector Level 2

200-301 Implementing and Administering Cisco Solutions

Share some FCP_FGT_AD-7.6 exam online questions below.


1.To complete the final step of a Security Fabric configuration, an administrator must authorize all the
devices on which device?
A. FortiManager
B. Root FortiGate
C. FortiAnalyzer
D. Downstream FortiGate
Answer: C
Explanation:
The correct answer is C. FortiAnalyzer.
In a Security Fabric configuration, after the devices are added to the Security Fabric, the final step is
to authorize these devices. This authorization process is typically done through FortiAnalyzer, which
manages and controls the Security Fabric. FortiAnalyzer allows administrators to centrally manage
and monitor the Security Fabric, including authorizing devices to participate in the Security Fabric.
All devices must be authorized on the root FortiGate, and then after this step all must be authorized on
the FortiAnalyzer.

2.Which timeout setting can be responsible for deleting SSL VPN associated sessions?
A. SSL VPN idle-timeout
B. SSL VPN http-request-body-timeout
C. SSL VPN login-timeout
D. SSL VPN dtls-hello-timeout
Answer: A
Explanation:
SSL VPN idle-timeout
The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it
is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN
client or disconnects from the network), the session timer begins to count down. If the timer reaches
the idle-timeout value before the user reconnects or sends any new traffic, the session will be
terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.
Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can
change this timeout using the Idle Logout setting on the GUI.

3.Which three settings and protocols can be used to provide secure and restrictive administrative
access to FortiGate? (Choose three.)
A. SSH
B. FortiTelemetry
C. Trusted host
D. HTTPS
E. Trusted authentication
Answer: A,C,D
Explanation:
To provide secure and restrictive administrative access to FortiGate, the following three settings and
protocols can be used:
A. SSH (Secure Shell)
SSH is a secure protocol that allows secure remote access to the FortiGate command-line interface
(CLI).
C. Trusted host
Configuring trusted hosts allows you to restrict administrative access to specified IP addresses,
providing an additional layer of security.
D. HTTPS (Hypertext Transfer Protocol Secure)
HTTPS is a secure protocol that enables secure access to the FortiGate web-based graphical user
interface (GUI).
So, the correct choices are A, C, and D.

4.Which two protocol options are available on the CLI but not on the GUI when configuring an SD-
WAN Performance SLA? (Choose two.)
A. udp-echo
B. DNS
C. TWAMP
D. ping
Answer: A,C
Explanation:
The correct answers are:
A. udp-echo
The udp-echo protocol option is available on the CLI for configuring an SD-WAN Performance SLA.
C. TWAMP
The TWAMP (Two-Way Active Measurement Protocol) is another protocol option available on the CLI
for SD-WAN Performance SLA.
So, the correct choices are A and C.
The GUI offers only HTTP, DNS, and Ping.

5.When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it
detects an invalid certificate.
Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate?
(Choose three.)
A. Allow & Warning
B. Trust & Allow
C. Allow
D. Block & Warning
E. Block
Answer: A, D, E
Explanation:
When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there are three
valid actions it can take:
Allow & Warning: This action allows the session but generates a warning.
Block & Warning: This action blocks the session and generates a warning.
Block: This action blocks the session without generating a warning.
Actions such as "Trust & Allow" or just "Allow" without additional configurations are not applicable in
the context of handling invalid certificates.
Reference: FortiOS 7.4.1 Administration Guide: Configuring SSL/SSH inspection profile

6.Which two statements about the application control profile mode are true? (Choose two.)
A. It uses flow-based scanning techniques, regardless of the inspection mode used.
B. It cannot be used in conjunction with IPS scanning.
C. It can be selected in either flow-based or proxy-based firewall policy.
D. It can scan only unsecure protocols.
Answer: A,C
Explanation:
The two statements about the application control profile mode that are true are:
A. It uses flow-based scanning techniques, regardless of the inspection mode used.
The application control profile can be applied in both flow-based and proxy-based inspection modes,
and it utilizes flow-based scanning techniques for application identification.
C. It can be selected in either flow-based or proxy-based firewall policy.
You can choose the application control profile in either flow-based or proxy-based firewall policies,
providing flexibility in the application of application control.
The other options are not accurate:
B is incorrect because the application control profile can be used in conjunction with IPS (Intrusion
Prevention System) scanning.
D is incorrect because the application control profile can scan both secure and unsecure protocols.
So, the correct choices are A and C.

7.Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)
A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B. The client FortiGate requires a manually added route to remote subnets.
C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Answer: C,D
Explanation:
C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Incorrect:
A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B. The client FortiGate requires a manually added route to remote subnets. (The route is added dynamically.)
The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type.
When an SSL VPN client connection is established, the client dynamically adds a route to the subnets
that are returned by the SSL VPN server.
This configuration requires proper CA certificate installation as the SSL VPN client FortiGate/user
uses PSK and a PKI client certificate to authenticate. The FortiGate devices must have the proper CA
certificate installed to verify the certificate chain to the root CA that signed the certificate.

8.Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a
Security Fabric topology? (Choose two.)
A. FortiManager IP address
B. FortiAnalyzer IP address
C. Pre-authorize downstream FortiGate devices
D. Fabric name
Answer: B,D
Explanation:
The correct choices for settings to configure when FortiGate is being deployed as a root FortiGate in
a Security Fabric topology are:
B. FortiAnalyzer IP address - This setting is required to send logs and reports to the FortiAnalyzer for
analysis and storage.
D. Fabric name - This setting is essential to identify the Security Fabric and differentiate it from other
fabrics in the network.

9.An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the
Internet. The web server is connected to port1. The Internet is connected to port2. Both interfaces
belong to the VDOM named Corporation.
What interface must be used as the source for the firewall policy that will allow this traffic?
A. ssl.root
B. ssl.Corporation
C. port2
D. port1
Answer: B
Explanation:
ssl.Corporation
If you are working within a specific VDOM named "Corporation," and the SSL VPN is associated with
that VDOM, then the correct choice is:
B. ssl.Corporation
Using the "ssl.Corporation" interface as the source for the firewall policy makes sense in the context
of a VDOM-specific SSL VPN.

10.Which additional load balancing method is supported in equal cost multipath (ECMP) load
balancing when SD-WAN is enabled?
A. Volume based
B. Source-destination IP based
C. Source IP based
D. Weight based
Answer: A
Explanation:
Volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-
WAN is enabled.
What is a load balancing method?
A load balancing method is an algorithm used to distribute incoming requests or traffic among the
servers in a server pool.
Note that the volume-based load balancing method is supported in equal cost multipath (ECMP) load
balancing when SD-WAN is enabled.

11.An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)


A. Device detection on all interfaces is enforced for 30 minutes
B. Denied users are blocked for 30 minutes
C. A session for denied traffic is created
D. The number of logs generated by denied traffic is reduced
Answer: C, D
Explanation:
C. A session for denied traffic is created.
D. The number of logs generated by denied traffic is reduced.
During the session, if a security profile detects a violation, FortiGate records the attack log
immediately. To reduce the number of log messages generated and improve performance, you can
enable a session table entry of dropped traffic. This creates the denied session in the session table
and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate
does not have to do a policy lookup for each new packet matching the denied session, which reduces
CPU usage and log generation.
This option is in the CLI and is called ses-denied-traffic. You can also set the duration for blocked
sessions, which determines how long a session is kept in the session table, by setting
block-session-timer in the CLI. By default, it is set to 30 seconds.

12.Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither
the physical layer nor the link layer? (Choose three.)
A. diagnose sys top
B. execute ping
C. execute traceroute
D. diagnose sniffer packet any
E. get system arp
Answer: B,C,D
Explanation:
"diagnose sys top" is not for troubleshooting Layer 3 issues; it is for troubleshooting CPU and memory
issues (diagnose sys top lists the processes using the most CPU).
get system arp shows interface, IP, and MAC (physical layer).
"If you suspect that there is an IP address conflict ... you may need to look at the ARP table" - get
system arp (answer E), plus two other answers, B and C: execute ping and execute traceroute.
B. execute ping: The ping command is a fundamental tool for checking the connectivity between two
devices. It sends ICMP Echo Request packets to the destination and waits for ICMP Echo Reply
packets. This can help you verify if there is connectivity at the IP layer.
C. execute traceroute: The traceroute command allows you to trace the route that packets take from
the source to the destination. It shows the IP addresses of routers in the path and can help identify
where a packet might be dropping or encountering issues.
D. diagnose sniffer packet any: The diagnose sniffer packet any command is used to capture and
analyze packets on the FortiGate device. This can be helpful in inspecting the actual packets flowing
through the device, allowing you to identify any anomalies or potential issues at the packet level.
These commands are valuable for troubleshooting Layer 3 issues and gaining insights into the
network behavior at the IP layer.

13.Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other
spokes.
B. ADVPN is only supported with IKEv2.
C. Tunnels are negotiated dynamically between spokes.
D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2
proposals are defined in advance.
Answer: A,C
Explanation:
A. "It requires the use of dynamic routing protocols so that spokes can learn the routes to other
spokes." This statement is accurate. Auto Discovery VPN (ADVPN) often works in conjunction with
dynamic routing protocols to allow spokes to dynamically learn routes to other spokes. This dynamic
routing capability enhances the scalability and flexibility of the VPN.
C. "Tunnels are negotiated dynamically between spokes."
This statement is also accurate. In ADVPN, the tunnels between spokes are negotiated dynamically,
meaning the VPN connections are established on-demand without requiring manual configuration for
each potential spoke.
Therefore, both statements A and C are correct, and they provide a comprehensive view of Auto
Discovery VPN (ADVPN) functionalities.

14.Examine the exhibit, which shows a firewall policy configured with multiple security profiles.

Which two security profiles are handled by the IPS engine? (Choose two.)
A. Web Filter
B. IPS
C. AntiVirus
D. Application Control
Answer: B,D
Explanation:
When the FortiGate is set for proxy inspection mode, the IPS engine will handle the Application
Control and IPS security profiles.
The security profiles that will be handled by the IPS engine when the FortiGate is set for proxy
inspection mode are Application Control and IPS. In this mode, the FortiGate acts as an intermediary
between the client and the server, intercepting and inspecting traffic to enforce security policies. The
IPS engine is responsible for analyzing network traffic and identifying any malicious or suspicious
activity based on predefined rules and signatures.

15.Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed.
What will happen to endpoint active ZTNA sessions?
A. They will be re-evaluated to match the endpoint policy.
B. They will be re-evaluated to match the firewall policy.
C. They will be re-evaluated to match the ZTNA policy.
D. They will be re-evaluated to match the security policy.
Answer: C
Explanation:
C. They will be re-evaluated to match the ZTNA policy.
Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the
endpoint is no longer compliant with the ZTNA policy.

16.Which statement about traffic flow in an active-active HA cluster is true?


A. The SYN packet from the client always arrives at the primary device first.
B. The secondary device responds to the primary device with a SYN/ACK, and then the primary
device forwards the SYN/ACK to the client.
C. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat
interfaces to redistribute to the sessions.
D. The ACK from the client is received on the physical MAC address of the primary device.
Answer: A
Explanation:
The correct statement about traffic flow in an active-active High Availability (HA) cluster is:
A. The SYN packet from the client always arrives at the primary device first.
In an active-active HA cluster, the primary device typically handles the initial SYN packet from the
client.
The primary device then determines how to distribute the traffic among the cluster members.
The other statements are not accurate:
B is incorrect because the secondary device does not respond to the primary device with a SYN/ACK.
The response is usually handled by the primary device.
C is incorrect because in an active-active HA cluster, each FortiGate device has its own unique virtual
MAC addresses for the HA heartbeat interfaces.
D is incorrect because the ACK from the client is generally processed by the same device that
received the initial SYN packet, which is typically the primary device.
So, the correct choice is A.

17.What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose
two.)
A. FortiGate uses fewer resources.
B. FortiGate performs a more exhaustive inspection on traffic.
C. FortiGate adds less latency to traffic.
D. FortiGate allocates two sessions per connection.
Answer: A,C
Explanation:
A. FortiGate uses fewer resources.
C. FortiGate adds less latency to traffic.
Flow-based inspection is a type of traffic inspection that is used by some firewall devices, including
FortiGate, to analyze network traffic. It is designed to be more efficient and less resource-intensive
than proxy-based inspection, and it offers several benefits over this approach.
Two benefits of flow-based inspection compared to proxy-based inspection are:
FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based
inspection, which can help to improve the performance of the firewall device and reduce the impact
on overall system performance.
FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-
based inspection, which can be important for real-time applications or other types of traffic that
require low latency.
A. Fewer resources, since it does not need to keep much in memory.
C. It samples traffic as it passes and only makes the allow or deny decision on the last packet, so
the client does not have to wait for FortiGate to scan the bulk of the packets.

18.Refer to the exhibit.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server
with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?
A. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy
B. Create an Interface Group that includes port1 and port2 to create a single firewall policy
C. Select port1 and port2 subnets in a single firewall policy.
D. Replace port1 and port2 with the any interface in a single firewall policy.
Answer: B
Explanation:
To consolidate the two separate firewall policies for Sales and Engineering departments accessing
the same web server, you can create an Interface Group that includes both port1 (Sales) and port2
(Engineering). Once the Interface Group is created, you can use this group as a single incoming
interface in a single firewall policy. This approach reduces the number of policies, making
management more efficient.
Reference: FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration

19.Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)
A. There is at least one server that lost packets consecutively.
B. One server was contacted to retrieve the contract information.
C. A local FortiManager is one of the servers FortiGate communicates with.
D. FortiGate is using default FortiGuard communication settings.
Answer: B,D
Explanation:
B is correct: one server has the flag DI, which means it was contacted to retrieve contract information.
A: no server has dropped packets.
C: no local (IP) FortiManager can be seen.
D: Anycast is enabled by default (as the study guide says), so it is not using default settings. Still, it
uses HTTPS (TCP) on port 443, so we can consider this a default setting.
"By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with
FortiGuard or FortiManager."
We did check our FortiGate and it is configured the same.
Anycast is enabled by default, but A and C are definitely incorrect.

20.What are three key routing principles in SD-WAN? (Choose three.)


A. By default, SD-WAN members are skipped if they do not have a valid route to the destination
B. By default, SD-WAN rules are skipped if only one route to the destination is available
C. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN
member
D. SD-WAN rules have precedence over any other type of routes
E. Regular policy routes have precedence over SD-WAN rules
Answer: A, C, D
Explanation:
By default, SD-WAN members are skipped if they do not have a valid route to the destination.
SD-WAN ensures that only members with valid routes to the destination are considered during routing
decisions.
By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
If the best route is not an SD-WAN member, SD-WAN rules are bypassed and standard routing takes
over.
SD-WAN rules have precedence over any other type of routes.
SD-WAN rules are evaluated first, meaning they take precedence over other routing mechanisms,
such as static routes or policy-based routes.

21.An organization requires remote users to send external application data running on their PCs and
access FTP resources through an SSL/TLS connection.
Which FortiGate configuration can achieve this goal?
A. SSL VPN quick connection
B. SSL VPN tunnel
C. SSL VPN bookmark
D. Zero trust network access
Answer: B
Explanation:
An SSL VPN tunnel allows remote users to securely connect to the organization's network and
transmit all traffic, including external application data and FTP resources, through an encrypted
SSL/TLS connection. This ensures secure access to the network while supporting various protocols
such as FTP and other application-specific traffic from the user's PC.

22.Which statement regarding the firewall policy authentication timeout is true?


A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets
coming from the user's source IP.
B. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address
after this timer has expired.
C. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets
coming from the user's source MAC.
D. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address
after this timer has expired.
Answer: A
Explanation:
A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets
coming from the user's source IP.
The firewall policy authentication timeout is an idle timeout, meaning that it measures the duration of
inactivity for a user. If the FortiGate does not see any packets coming from the user's source IP within
the specified timeout period, it considers the user to be idle and may remove the temporary policy
associated with that user.
If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes
by default), the user authentication entry will be removed.
If the user tries to access resources now, FortiGate will prompt the user to authenticate again.
The firewall policy authentication timeout is indeed often an idle timeout, and the FortiGate considers a
user to be "idle" if it does not detect any packets coming from the user's source IP within the specified
time period.
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

23.Which two statements about incoming and outgoing interfaces in firewall policies are true?
(Choose two.)
A. Only the "any" interface can be chosen as an incoming interface.
B. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
C. Multiple interfaces can be selected as incoming and outgoing interfaces.
D. A zone can be chosen as the outgoing interface.
Answer: C,D
Explanation:
C. Multiple interfaces can be selected as incoming and outgoing interfaces.
This statement is correct. You can specify multiple interfaces as both incoming and outgoing
interfaces in a firewall policy.
D. A zone can be chosen as the outgoing interface.
This statement is correct as well. In FortiGate firewalls, you can choose a zone as the outgoing
interface in a firewall policy, providing a convenient way to apply policies to multiple physical or logical
interfaces grouped under the same zone.
So, the correct choices are C and D.

24.Refer to the exhibits.


An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security
fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
A. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
B. Change the csf setting on both devices to set downstream-access enable.
C. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
D. Change the csf setting on ISFW (downstream) to set configuration-sync local.
Answer: A
Explanation:
The current setting for the root FortiGate (Local-FortiGate) is fabric-object-unification local, which
means that new address objects are not shared across the security fabric. Changing this setting to
fabric-object-unification default will allow address objects to be synchronized and shared with
downstream devices like the ISFW.

25.An administrator has configured two-factor authentication to strengthen SSL VPN access.
Which additional best practice can an administrator implement?
A. Configure Source IP Pools
B. Configure different SSL VPN realms
C. Configure host check
D. Configure split tunneling in tunnel mode
Answer: C
Explanation:
C is correct. Security check option.
For context, Host Check uses the FortiClient to check that certain conditions on the remote PC are
met, such as having AV installed, that there is a specific file located on the PC, that a certain process
is running on the PC, or that specific registry entries exist on the PC. Host Check basically ensures
that the PC with the VPN Client installed is setup according to your organizations standards.
When implementing two-factor authentication for SSL VPN access, configuring a host check is an
additional best practice. A host check involves checking the security posture and compliance of the
connecting device before granting access. This can include checking for the presence of antivirus
software, ensuring that the device is up-to-date with patches, and verifying other security-related
configurations.
This additional layer of security helps ensure that the devices connecting to the SSL VPN meet
certain security requirements, reducing the risk of compromised devices gaining access to the
network. It adds an extra level of assurance that the connecting devices are not only authenticating
through two factors (such as username/password and a token) but also adhering to security policies.

26.Which statement about the policy ID number of a firewall policy is true?


A. It is required to modify a firewall policy using the CLI.
B. It represents the number of objects used in the firewall policy.
C. It changes when firewall policies are reordered.
D. It defines the order in which rules are processed.
Answer: A
Explanation:
A. It is required to modify a firewall policy using the CLI.
The policy ID number is often used to identify and modify a firewall policy using the CLI. It helps
specify which policy you are referring to when making modifications. It is required to modify a firewall
policy using the CLI.

27.Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true?
(Choose two.)
A. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-
mode.
B. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
C. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be
part of ECMP.
D. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
Answer: A,D
Explanation:
When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi-Path
(ECMP) is configured using the load-balance-mode parameter under SD-WAN settings. However, if
SD-WAN is disabled, the ECMP load balancing algorithm can be configured under config system
settings. This flexibility allows FortiGate to control traffic routing behavior based on the network
configuration and requirements.
Reference: FortiOS 7.4.1 Administration Guide: ECMP Configuration

28.A team manager has decided that, while some members of the team need access to a particular
website, the majority of the team does not.
Which configuration option is the most effective way to support this request?
A. Implement web filter quotas for the specified website
B. Implement a DNS filter for the specified website.
C. Implement a web filter category override for the specified website
D. Implement web filter authentication for the specified website.
Answer: D
Explanation:
Implement web filter authentication for the specified website.
Only some members can authenticate by providing their credentials.
- DNS filter & Web Filter Category Override = Nobody can reach the site
- Web Filter Quotas = Everybody can reach the site
A could be a solution if you set custom categories and assign a web filter to the group with access,
but B is the most effective and simple solution.
Since both C and D are working options, answer C needs one more Web filter profile, the one that
will allow access to the category in which the website's domain name resides. In both cases a custom
category is needed, plus a rating override that assigns the website to that category. The question
is "Which configuration option is the most effective way to support this request?", and in that case the
answer is D.

29.An administrator must disable RPF check to investigate an issue.


Which method is best suited to disable RPF without affecting features like antivirus and intrusion
prevention system?
A. Enable asymmetric routing, so the RPF check will be bypassed.
B. Disable the RPF check at the FortiGate interface level for the source check.
C. Disable the RPF check at the FortiGate interface level for the reply check.
D. Enable asymmetric routing at the interface level.
Answer: B
Explanation:
"B" is the answer; be careful, the questions are very tricky. The RPF section in the NSE guide says there
are two ways to disable RPF:
1. Enable asymmetric routing, which disables RPF checking system wide (not at the interface level;
this is done through the CLI command config system settings).
2. Disable RPF checking at the interface level (the only way to do it at the interface level, via the CLI
command).
A is incorrect. If you enable asymmetric routing, RPF is not bypassed; it is disabled.
B is correct. You have to disable the RPF check at the interface level, for the source.
C is incorrect; the check is for the source. D is incorrect: asymmetric routing is not enabled at the
interface level.
RPF checking can be disabled in two ways. If you enable asymmetric routing, it will disable RPF
checking system wide. However, this greatly reduces the security of your network. Features such as
antivirus and IPS become ineffective.
So, if you need to disable RPF checking, you can do so at the interface level using the command:
config system interface
edit
set src-check [enable | disable]
end

30.Which statement about the IP authentication header (AH) used by IPsec is true?
A. AH does not provide any data integrity or encryption.
B. AH does not support perfect forward secrecy.
C. AH provides data integrity but no encryption.
D. AH provides strong data integrity but weak encryption.
Answer: C
Explanation:
The answer is C. AH provides data integrity but no encryption.
AH authenticates the payload together with the immutable fields of the IP header (mutable fields such as TTL and the header checksum are treated as zero when the integrity check value is computed), which is also why AH does not survive NAT. It provides no confidentiality: the payload is sent in the clear. Perfect forward secrecy (option B) is a property of the IKE key exchange, not of AH or ESP.
"IPsec is a suite of protocols that is used for authenticating and encrypting traffic between two peers.
The three most used protocols in the suite are the following:
- Internet Key Exchange (IKE), which does the handshake, tunnel maintenance, and disconnection.
- Encapsulating Security Payload (ESP), which ensures data integrity and encryption.
- Authentication Header (AH), which offers only data integrity - not encryption."
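
To make the distinction concrete, the following added example (not Fortinet code and not from the study guide) models a transport-mode Authentication Header over a minimal IPv4 packet with HMAC-SHA-256-128, as RFC 4302 and RFC 4868 describe. The key, addresses and TCP payload are constructed; in real IPsec the key comes from IKE. It shows that a decremented TTL still verifies (mutable fields are excluded from the ICV), that a flipped payload byte is detected, and that the payload remains readable in the packet.

```python
import hashlib
import hmac
import struct

# Added example, not FortiGate or Fortinet code: a model of the RFC 4302
# Authentication Header in transport mode with HMAC-SHA-256-128 (RFC 4868).
AH_PROTO = 51
AH_FIXED_LEN = 12   # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 16        # HMAC-SHA-256 truncated to 128 bits
IPV4_HDR_LEN = 20


def build_ipv4_header(src, dst, ttl, total_len):
    """Minimal IPv4 header without options; the checksum is left at zero."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, AH_PROTO, 0, src_b, dst_b)


def zero_mutable_fields(ip_header):
    """Fields routers may rewrite in transit (DSCP/ECN, flags, fragment offset,
    TTL, checksum) are treated as zero for the ICV, per RFC 4302 section 3.3.3.1."""
    h = bytearray(ip_header)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def compute_icv(key, ip_header, ah_header_no_icv, payload):
    """ICV over the immutable IP header, the AH header with a zeroed ICV field, and the payload."""
    data = zero_mutable_fields(ip_header) + ah_header_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, src, dst, ttl, payload, spi, seq, next_header=6):
    """Sender side: wrap payload (here a TCP segment, next header 6) in AH."""
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2  # AH length in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    total_len = IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_header = build_ipv4_header(src, dst, ttl, total_len)
    icv = compute_icv(key, ip_header, ah_no_icv, payload)
    return ip_header + ah_no_icv + icv + payload


def ah_verify(key, packet):
    """Receiver side: returns (icv_ok, payload). The payload is returned either way
    because AH never hides it; a real stack would drop the packet on failure."""
    ip_header = packet[:IPV4_HDR_LEN]
    ah_no_icv = packet[IPV4_HDR_LEN:IPV4_HDR_LEN + AH_FIXED_LEN]
    icv_start = IPV4_HDR_LEN + AH_FIXED_LEN
    icv = packet[icv_start:icv_start + ICV_LEN]
    payload = packet[icv_start + ICV_LEN:]
    expected = compute_icv(key, ip_header, ah_no_icv, payload)
    return hmac.compare_digest(icv, expected), payload


def demo():
    key = b"constructed-demo-key"       # assumption: a real SA key is derived by IKE
    segment = b"GET / HTTP/1.1\r\n"     # constructed TCP payload
    pkt = ah_protect(key, "10.0.1.10", "203.0.113.2", ttl=64, payload=segment, spi=0x1000, seq=1)
    ok, seen = ah_verify(key, pkt)
    # A router decrements TTL in transit; AH still verifies because TTL is mutable.
    forwarded = bytearray(pkt)
    forwarded[8] -= 1
    ok_ttl, _ = ah_verify(key, bytes(forwarded))
    # An on-path attacker flips one payload byte; the ICV catches it.
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01
    ok_tampered, _ = ah_verify(key, bytes(tampered))
    return {
        "verifies": ok,
        "payload_readable": seen,
        "payload_in_clear": segment in pkt,
        "ttl_decremented_verifies": ok_ttl,
        "tampered_verifies": ok_tampered,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the TTL case is the operational one behind the NAT caveat: AH tolerates the header changes routers make, but a NAT device rewrites the source address, which is immutable and therefore covered by the ICV, so the receiver rejects the packet.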

31.Refer to the exhibit.

Which statement about this firewall policy list is true?


A. The Implicit group can include more than one deny firewall policy.
B. The firewall policies are listed by ID sequence view.
C. The firewall policies are listed by ingress and egress interfaces pairing view.
D. LAN to WAN. WAN to LAN. and Implicit are sequence grouping view lists.
Answer: C
Explanation:
The firewall policy list in the exhibit is arranged in the "Interface Pair View," where policies are
grouped by their incoming (ingress) and outgoing (egress) interface pairs. Each section (LAN to
WAN, WAN to LAN, etc.) groups policies based on these interface pairings. This view helps
administrators quickly identify which policies apply to specific traffic flows between network interfaces.
Options A and D are incorrect because the Implicit group contains only the single implicit deny policy, and FortiGate has no "sequence grouping view". Option B is incorrect because the list is grouped by interface pair rather than sorted by policy ID, which is what the "By Sequence" view would show.
Reference: FortiOS 7.4.1 Administration Guide: Firewall Policy Views

32.Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and
VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet,
the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture
incoming web traffic to the server and does not see any output.
Based on the information shown in the exhibit, what configuration change must the administrator
make to fix the connectivity issue?
A. Configure a loopback interface with address 203.0.113.2/32.
B. In the VIP configuration, enable arp-reply.
C. Enable port forwarding on the server to map the external service port to the internal service port.
D. In the firewall policy configuration, enable match-vip.
Answer: B
Explanation:
The ISP routing table shows 203.0.113.0/24 as a connected (C) route, so the ISP router does not forward to a next hop: it sends an ARP request for 203.0.113.2 directly on that segment. The VIP's external address differs from the address configured on the FortiGate external interface, and the exhibit shows arp-reply disabled on the VIP (it is enabled by default), so nothing answers that ARP request. The ISP drops the packets before they reach FortiGate, which is why the sniffer shows no incoming traffic at all. Enabling arp-reply on the VIP (config firewall vip, edit <name>, set arp-reply enable) makes FortiGate answer ARP for 203.0.113.2 and restores connectivity.
A loopback interface (A) still leaves nothing answering ARP on the ISP segment; port forwarding (C) and match-vip (D) act on packets that have already arrived, and here none do. Where the upstream router has a proper route to the VIP address via the FortiGate interface, ARP reply is not strictly needed, but an adjacent router with a connected route relies on it, so the best practice is to leave arp-reply enabled.

33.Which two statements correctly describe auto discovery VPN (ADVPN)? (Choose two.)
A. IPSec tunnels are negotiated dynamically between spokes.
B. ADVPN is supported only with IKEv2.
C. It recommends the use of dynamic routing protocols, so that spokes can learn the routes to other
spokes.
D. Every spoke requires a static tunnel to be configured to other spokes, so that phase 1 and phase 2
proposals are defined in advance.
Answer: A,C
Explanation:
ADVPN starts from a hub-and-spoke IPsec topology in which each spoke has a static tunnel only to the hub. When the hub sees traffic between two spokes it sends a shortcut offer, and the two spokes negotiate a direct tunnel on demand (A). Because these shortcut tunnels appear dynamically, spokes must also learn each other's networks dynamically, so Fortinet recommends running a routing protocol such as BGP or OSPF over the overlay (C).
Option B is incorrect because ADVPN works with IKEv1 as well as IKEv2. Option D describes a full mesh of statically configured tunnels, which is exactly the configuration burden ADVPN removes.

34.A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal.
Which SSL timer can you use to mitigate a denial of service (DoS) attack?
A. SSL VPN dtls-hello-timeout
B. SSL VPN http-request-header-timeout
C. SSL VPN login-timeout
D. SSL VPN idle-timeout
Answer: B
Explanation:
The http-request-header-timeout setting (config vpn ssl settings, set http-request-header-timeout <seconds>, with a companion http-request-body-timeout) bounds how long FortiGate waits for a client to finish sending the HTTP request headers once the TLS connection is established. A slow-header (slowloris style) client holds a connection open by sending header bytes a few at a time and never completing the request; with this timer each such connection is torn down at the deadline, so the attacker cannot fill the portal's connection table. The other timers act at different stages: dtls-hello-timeout covers the DTLS handshake, login-timeout the authentication exchange, and idle-timeout an already established session. None of them limits an incomplete request.
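
The following added example (not FortiGate code) models why a fixed header deadline is the right tool against this attack and a sliding idle timer is not. It feeds both timers constructed client traffic: a normal client that sends its whole header at once, and a slow-header client that drips one bogus header line every 15 seconds and never sends the blank line that ends the header block. The timeout values are assumptions chosen for the demonstration.

```python
# Added example, not FortiGate code: a fixed header deadline versus a sliding
# idle timer, fed with constructed client traffic. Times are seconds after the
# connection was accepted; each event is (time, bytes_received).
HEADER_END = b"\r\n\r\n"

# Constructed: a well-behaved client sends the whole request header at once.
NORMAL_CLIENT = [
    (0.05, b"GET / HTTP/1.1\r\nHost: vpn.example.test\r\nUser-Agent: demo\r\n\r\n"),
]

# Constructed: a slow-header client sends one padding header line every 15 s
# and never terminates the header block.
SLOW_CLIENT = [(15.0 * i, b"X-Pad-%d: a\r\n" % i) for i in range(40)]


def header_timeout_verdict(events, timeout):
    """Deadline fixed at accept time: the complete header block must arrive
    within `timeout` seconds. Returns (verdict, seconds_the_socket_was_held)."""
    buf = b""
    for t, data in events:
        if t > timeout:
            return ("dropped", timeout)
        buf += data
        if HEADER_END in buf:
            return ("complete", t)
    return ("dropped", timeout)


def idle_timeout_verdict(events, timeout):
    """Sliding deadline: every received byte restarts the timer, so a client
    that sends something more often than every `timeout` seconds is never idle."""
    buf = b""
    last_seen = 0.0
    for t, data in events:
        if t - last_seen > timeout:
            return ("dropped", last_seen + timeout)
        last_seen = t
        buf += data
        if HEADER_END in buf:
            return ("complete", t)
    # Traffic stopped without a complete header; the idle timer fires later.
    return ("dropped", last_seen + timeout)


def compare(header_timeout=20, idle_timeout=30):
    """How long each client occupies a connection slot under each timer."""
    return {
        "normal_header_timer": header_timeout_verdict(NORMAL_CLIENT, header_timeout),
        "slow_header_timer": header_timeout_verdict(SLOW_CLIENT, header_timeout),
        "slow_idle_timer": idle_timeout_verdict(SLOW_CLIENT, idle_timeout),
    }


if __name__ == "__main__":
    for name, (verdict, held) in compare().items():
        print(f"{name}: {verdict} after {held:.2f}s")
```

With the header deadline the slow client is cut off after 20 seconds; under the idle timer alone it holds the slot for the entire constructed run plus the idle period, because each trickle of bytes resets the clock. Multiply that by the number of parallel connections an attacker opens and the difference is the whole attack surface the question asks about.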

35.Refer to the exhibit.


The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication
scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with
a form-based authentication scheme for the FortiGate local user database. Users will be prompted for
authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source
IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose three.)
A. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.
B. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.
C. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.
D. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be
allowed.
E. If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.
Answer: B,C,D
Explanation:
Proxy policies are matched top down on proxy address (here browser user-agent categories), source subnet and user:
- The first policy matches the Firefox proxy address from the local subnet for User-B and denies, so A is false.
- The second policy matches the Chrome and Internet Explorer proxy addresses from the local subnet for all users and accepts, so B and D are true. Chrome and Internet Explorer share the Windows system proxy settings, so both reach the explicit proxy the same way.
- Firefox with User-A does not match the deny policy and falls through to the third policy, which accepts, so C is true. The deny policy is specific to User-B, so User-C's Firefox request is also handled by the third policy and E is false.

36.Which two statements are correct when FortiGate enters conserve mode? (Choose two.)
A. FortiGate halts complete system operation and requires a reboot to regain available resources
B. FortiGate refuses to accept configuration changes
C. FortiGate continues to run critical security actions, such as quarantine.
D. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in
IPS is enabled
Answer: B, D
Explanation:
FortiGate enters conserve mode when memory use crosses the red threshold, and it sheds work rather than stopping. It does not halt or require a reboot (A is wrong); it leaves conserve mode on its own once memory use drops below the green threshold. While in conserve mode it refuses configuration changes, because applying them would consume more memory (B), and it does not run quarantine actions, so C is wrong. Flow-based IPS inspection is skipped when fail-open is enabled (config ips global, set fail-open enable), so packets are transmitted without IPS inspection (D); proxy-based inspection likewise skips or blocks new sessions depending on its own fail-open setting. Use get system performance status or diagnose sys top to find what is consuming memory before changing the thresholds.

37.Refer to the exhibit.

Which contains a network diagram and routing table output. The Student is unable to access
Webserver.
What is the cause of the problem and what is the solution for the problem?
A. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a
static route to 10.0.4.0/24 through wan1.
B. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a
static route to 10.0.4.0/24 through wan1.
C. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a
static route to 203.0.114.24/32 through port3.
D. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a
static route to 203.0.114.24/32 through port3.
Answer: C
Explanation:
FortiGate runs the RPF (anti-spoofing) check on the first packet of a session in each direction: the packet's source address must be reachable through the interface it arrived on. In the exhibit the Student's request leaves correctly, but the reply from the web server 203.0.114.24 arrives on port3 while the routing table holds no route to 203.0.114.24 pointing out port3, so the first reply packet fails the check and is dropped, and the Student never receives a response. Adding a static route for 203.0.114.24/32 out port3 makes port3 a valid return path and resolves the problem (C).
A and D are wrong because the Student's outbound packet arrived on the interface that routes back to the Student's subnet, so it passed the check. B adds a route for the Student's network through wan1, which does nothing for the reply path.
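
The following added example (not FortiGate or Fortinet code) models the RPF check behind question 29 and this question: a longest-prefix-match routing table, the loose (feasible path) mode FortiGate uses by default and the strict mode, and the effect of disabling src-check on the ingress interface. The routing table, interface names and addresses are constructed for illustration and are not the exhibit's topology; the scenario reproduces the mechanism of the fix, a host route for the replying server via the interface the reply arrives on.

```python
import ipaddress

# Added example, not FortiGate or Fortinet code: a model of the reverse path
# forwarding (RPF, "src-check") test applied to the first packet of a session.
# Routes, interface names and addresses below are constructed for illustration.


class RouteTable:
    def __init__(self):
        self.routes = []  # list of (ip_network, egress interface)

    def add(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def routes_to(self, ip):
        """Every route whose prefix covers ip."""
        addr = ipaddress.ip_address(ip)
        return [(net, iface) for net, iface in self.routes if addr in net]

    def best_route(self, ip):
        """Longest-prefix match, the route the forwarding path would use."""
        matches = self.routes_to(ip)
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def rpf_passes(table, src_ip, ingress, strict=False):
    """Loose (feasible path, the FortiGate default): some route to src_ip leaves
    via the ingress interface. Strict: the best route must leave via it."""
    if strict:
        best = table.best_route(src_ip)
        return best is not None and best[1] == ingress
    return any(iface == ingress for _, iface in table.routes_to(src_ip))


def admit_first_packet(table, src_ip, ingress, src_check=True, strict=False):
    """What the ingress interface does with a session's first packet: with
    src-check disabled on that interface the RPF test is skipped entirely."""
    if not src_check:
        return True
    return rpf_passes(table, src_ip, ingress, strict)


def scenario():
    t = RouteTable()
    t.add("0.0.0.0/0", "wan1")      # default route toward the ISP
    t.add("10.0.1.0/24", "port1")   # constructed client network
    src, ingress = "203.0.114.24", "port3"  # server reply arriving on port3

    # Only the default route covers the source, and it points at wan1.
    loose_before = admit_first_packet(t, src, ingress)
    strict_before = admit_first_packet(t, src, ingress, strict=True)
    src_check_off = admit_first_packet(t, src, ingress, src_check=False)

    # The fix from the question: a host route for the server via port3.
    t.add("203.0.114.24/32", "port3")
    loose_after = admit_first_packet(t, src, ingress)
    strict_after = admit_first_packet(t, src, ingress, strict=True)

    # Loose and strict differ only when a less specific route exists via the
    # ingress interface while the best route points somewhere else.
    t2 = RouteTable()
    t2.add("203.0.114.0/24", "port3")
    t2.add("203.0.114.24/32", "wan1")
    loose_mixed = rpf_passes(t2, src, ingress)
    strict_mixed = rpf_passes(t2, src, ingress, strict=True)

    return {
        "loose_before": loose_before, "strict_before": strict_before,
        "src_check_off": src_check_off,
        "loose_after": loose_after, "strict_after": strict_after,
        "loose_mixed": loose_mixed, "strict_mixed": strict_mixed,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The src_check_off case is the one question 29 asks about: disabling the check admits the packet without any route lookup, which is why it is a troubleshooting step to revert, not a fix. The mixed table shows the difference between the default feasible-path mode and strict-src-check under config system settings: a covering /24 via port3 satisfies loose RPF even though the best route for the /32 points at wan1.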

38.Which two statements correctly describe the differences between IPsec main mode and IPsec
aggressive mode? (Choose two.)
A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does
not.
B. Main mode cannot be used for dialup VPNs, while aggressive mode can.
C. Aggressive mode supports XAuth, while main mode does not.
D. Six packets are usually exchanged during main mode, while only three packets are exchanged
during aggressive mode.
Answer: A,D
Explanation:
A. In aggressive mode the initiator's first packet already carries its ID payload (together with its Diffie-Hellman public value and nonce), so the peer identity travels in the clear. In main mode the identities are exchanged only in packets 5 and 6, after the Diffie-Hellman exchange, so they are encrypted; this is why main mode is preferred whenever the peers have static addresses.
D. Main mode completes IKE phase 1 in six packets (three exchanges), while aggressive mode completes it in three packets.
B is incorrect because main mode can be used for dialup VPNs; aggressive mode is only needed when FortiGate must read the peer ID from the first packet, for example to select among several dialup tunnels that use pre-shared keys.
C is incorrect because Extended Authentication (XAuth) is available with both main mode and aggressive mode.

39.An administrator must enable a DHCP server on one of the directly connected networks on
FortiGate. However, the administrator is unable to complete the process on the GUI to enable the
service on the interface.
In this scenario, what prevents the administrator from enabling DHCP service?
A. The role of the interface prevents setting a DHCP server.
B. The DHCP server setting is available only on the CLI.
C. Another interface is configured as the only DHCP server on FortiGate.
D. The FortiGate model does not support the DHCP server.
Answer: A
Explanation:
FortiGate interfaces can be configured in different roles, such as WAN or LAN. If an interface is set as
a "WAN" role, you cannot configure it to act as a DHCP server through the GUI. The interface role
must be set to "LAN" or "Undefined" to allow DHCP server configuration.
Reference: FortiOS 7.4.1 Administration Guide: DHCP Server Configuration

40.Which three statements are true regarding session-based authentication? (Choose three.)
A. HTTP sessions are treated as a single user.
B. IP sessions from the same source IP address are treated as a single user.
C. It can differentiate among multiple clients behind the same source IP address.
D. It requires more resources.
E. It is not recommended if multiple users are behind the source NAT.
Answer: A,C,D
Explanation:
These three statements are indeed true regarding session-based authentication:
A. HTTP sessions are treated as a single user: Session-based authentication can treat multiple HTTP
sessions as a single user, providing a consolidated view of user activity.
C. It can differentiate among multiple clients behind the same source IP address: Session-based
authentication is capable of distinguishing between multiple clients behind the same source IP
address.
D. It requires more resources: Session-based authentication may require more resources compared
to simpler authentication methods due to the additional processing involved in tracking and managing
user sessions.
For A: Each session-based authenticated user is counted as a single user using their authentication
membership (RADIUS, LDAP, FSSO, local database etc.) to match users in other sessions. So one
authenticated user in multiple sessions is still one user.
