Free FCP_FGT_AD-7.4 Sample Questions — FCP - FortiGate 7.4 Administrator

Free FCP_FGT_AD-7.4 sample questions for the FCP - FortiGate 7.4 Administrator exam. No account required: study at your own pace.

Question 1

What is the primary FortiGate election process when the HA override setting is disabled?

  • A. Connected monitored ports > Priority > System uptime > FortiGate serial number
  • B. Connected monitored ports > System uptime > Priority > FortiGate serial number
  • C. Connected monitored ports > Priority > HA uptime > FortiGate serial number
  • D. Connected monitored ports > HA uptime > Priority > FortiGate serial number
Correct Answer:
D. Connected monitored ports > HA uptime > Priority > FortiGate serial number
Question 2

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively. Which two statements are true about the requirements of connected physical interfaces on FortiGate? (Choose two.)

  • A. Both interfaces must have the interface role assigned
  • B. Both interfaces must have directly connected routes on the routing table
  • C. Both interfaces must have DHCP enabled
  • D. Both interfaces must have IP addresses assigned
Correct Answer:
  • B. Both interfaces must have directly connected routes on the routing table
  • D. Both interfaces must have IP addresses assigned
Question 3

Which two pieces of information are synchronized between FortiGate HA members? (Choose two.)

  • A. OSPF adjacencies
  • B. IPsec security associations
  • C. BGP peerings
  • D. DHCP leases
Correct Answer:
  • B. IPsec security associations
  • D. DHCP leases
Question 4

Which three CLI commands can you use to troubleshoot Layer 3 issues, if the issue is in neither the physical layer nor the link layer? (Choose three.)

  • A. execute ping
  • B. execute traceroute
  • C. diagnose sys top
  • D. get system arp
  • E. diagnose sniffer packet any
Correct Answer:
  • A. execute ping
  • B. execute traceroute
  • E. diagnose sniffer packet any
Question 5

An administrator must enable a DHCP server on one of the directly connected networks on FortiGate. However, the administrator is unable to complete the process on the GUI to enable the service on the interface. In this scenario, what prevents the administrator from enabling DHCP service?

  • A. The role of the interface prevents setting a DHCP server
  • B. The DHCP server setting is available only on the CLI
  • C. Another interface is configured as the only DHCP server on FortiGate
  • D. The FortiGate model does not support the DHCP server
Correct Answer:
A. The role of the interface prevents setting a DHCP server
Question 6

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded. The administrator confirms that the traffic matches the configured firewall policy. What are two reasons for the failed virus detection by FortiGate? (Choose two.)

  • A. The selected SSL inspection profile has certificate inspection enabled
  • B. The browser does not trust the FortiGate self-signed CA certificate
  • C. The EICAR test file exceeds the protocol options oversize limit
  • D. The website is exempted from SSL inspection
Correct Answer:
  • A. The selected SSL inspection profile has certificate inspection enabled
  • D. The website is exempted from SSL inspection
Question 7

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

  • A. Downstream devices can connect to the upstream device from any of their VDOMs
  • B. Each VDOM in the environment can be part of a different Security Fabric
  • C. VDOMs without ports with connected devices are not displayed in the topology
  • D. Security rating reports can be run individually for each configured VDOM
Correct Answer:
C. VDOMs without ports with connected devices are not displayed in the topology
Question 8

What are two features of the NGFW profile-based mode? (Choose two.)

  • A. NGFW profile-based mode can only be applied globally and not on individual VDOMs
  • B. NGFW profile-based mode must require the use of central source NAT policy
  • C. NGFW profile-based mode policies support both flow inspection and proxy inspection
  • D. NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy
Correct Answer:
  • C. NGFW profile-based mode policies support both flow inspection and proxy inspection
  • D. NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy
Question 9

Which two statements explain antivirus scanning modes? (Choose two.)

  • A. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client
  • B. In flow-based inspection mode files bigger than the buffer size are scanned
  • C. In proxy-based inspection mode files bigger than the buffer size are scanned
  • D. In proxy-based inspection mode antivirus scanning buffers the whole file for scanning, before sending it to the client
Correct Answer:
  • A. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client
  • D. In proxy-based inspection mode antivirus scanning buffers the whole file for scanning, before sending it to the client
Question 10

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?

  • A. 192.168.3.0/24
  • B. 192.168.0.0/8
  • C. 192.168.2.0/24
  • D. 192.168.1.0/24
Correct Answer:
C. 192.168.2.0/24
Question 11

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

  • A. The issuer must be a public CA
  • B. The CA extension must be set to TRUE
  • C. The Authority Key Identifier must be of type SSL
  • D. The keyUsage extension must be set to keyCertSign
Correct Answer:
  • B. The CA extension must be set to TRUE
  • D. The keyUsage extension must be set to keyCertSign
Question 12

A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors. What is the reason for the certificate warning errors?

  • A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate
  • B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions
  • C. The browser does not recognize the certificate in use as signed by a trusted CA
  • D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level
Correct Answer:
C. The browser does not recognize the certificate in use as signed by a trusted CA
Question 13

An administrator configured a FortiGate to act as a collector for agentless polling mode. What must the administrator add to the FortiGate device to retrieve AD user group information?

  • A. RADIUS server
  • B. DHCP server
  • C. Windows server
  • D. LDAP server
Correct Answer:
D. LDAP server
Question 14

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?

  • A. It uses UDP 8888
  • B. It uses DNS over HTTPS
  • C. It uses DNS over TLS
  • D. It uses UDP 53
Correct Answer:
C. It uses DNS over TLS
Question 15

There are multiple dial-up IPsec VPNs configured in aggressive mode on the HQ FortiGate. The requirement is to connect dial-up users to their respective department VPN tunnels. Which phase 1 setting can you configure to match the user to the tunnel?

  • A. Peer ID
  • B. Local Gateway
  • C. Dead Peer Detection
  • D. IKE Mode Config
Correct Answer:
A. Peer ID