Fortinet FCP_FGT_AD-7.4 Exam Practice Test Instant Access

Question 1

When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.

Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)

AAllow & Warning

BTrust & Allow

CAllow

DBlock & Warning

EBlock

Answer : B, C, E

When a certificate fails for any of the reasons above, you can configure any of the following actions: * Keep untrusted & Allow: FortiGate allows the website and lets the browser decide the action to take. FortiGate takes the certificate as untrusted. * Block: FortiGate blocks the content of the site. * Trust & Allow: FortiGate allows the website and takes the certificate as trusted.

Question 2

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

ADownstream devices can connect to the upstream device from any of their VDOMs

BEach VDOM in the environment can be part of a different Security Fabric

CVDOMs without ports with connected devices are not displayed in the topology

DSecurity rating reports can be run individually for each configured VDOM

Answer : C

'When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric, each VDOM with its assigned ports is displayed when one or more devices are detected. Only the ports with discovered and connected devices appear in the Security Fabric view and, because of this, you must enable Device Detection on ports you want to have displayed in the Security Fabric. VDOMs without ports with connected devices are not displayed. All VDOMs configured must be part of a single Security Fabric.'

Question 3

Which statement is a characteristic of automation stitches?

AThey can be run only on devices in the Security Fabric.

BThey can be created only on downstream devices in the fabric.

CThey can have one or more triggers.

DThey can run multiple actions at the same time.

Answer : D

'To create an automation stitch, A TRIGGER EVENT (singular) and a response action or ACTIONS (plural) are selected.' See the documentation: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/351998

Question 4

A FortiGate firewall policy is configured with active authentication however, the user cannot authenticate when accessing a website.

Which protocol must FortiGate allow even though the user cannot authenticate?

AICMP

BDNS

CDHCP

DLDAP

Answer : B

Question 5

Refer to the exhibit which contains a RADIUS server configuration.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.

What is the impact of using the Include in every user group option in a RADIUS configuration?

AThis option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group

BThis option places all users into even/ RADIUS user group, including groups that are used for the LDAP server on FortiGate

CThis option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case is FortiAuthenticator

DThis option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group

Answer : A

By selecting the 'Include in every user group' option in the RADIUS configuration, FortiGate automatically includes this RADIUS server as an authentication source for all user groups. This means any user group configured on the FortiGate will authenticate using this RADIUS server, allowing users to authenticate against the server for any group they belong to.

Question 6

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

AOn HQ-FortiGate, disable Diffie-Helman group 2.

BOn Remote-FortiGate, set port2 as Interface.

COn both FortiGate devices, set Dead Peer Detection to On Demand.

DOn HQ-FortiGate, set IKE mode to Main (ID protection).

Answer : B, D

Based on the phase 1 configuration and the diagram shown in the exhibit, the administrator can make the following two configuration changes to bring phase 1 up:

B . On Remote-FortiGate, set port2 as Interface: The diagram indicates that port2 is currently not selected under 'Interface' for Remote-FortiGate. Aligning this setting with HQ-FortiGate, which has port1 set as Interface, might resolve inconsistencies.

D . On HQ-FortiGate, set IKE mode to Main (ID protection): The current setting on HQ-FortiGate is Aggressive for IKE mode, while Remote-FortiGate is set to Main mode. Matching these settings may help in establishing phase 1 of the IPsec tunnel.

Question 7

An administrator manages a FortiGate model that supports NTurbo.

How does NTurbo enhance performance for flow-based inspection?

ANTurbo offloads traffic to the content processor.

BNTurbo creates two inspection sessions on the FortiGate device.

CNTurbo buffers the whole file and then sends it to the antivirus engine.

DNTurbo creates a special data path to redirect traffic between the IPS engine its ingress and egress interfaces.

Answer : D

NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput. Hardware Acceleration https://docs.fortinet.com/document/fortigate/7.0.1/hardware-acceleration/896174/nturbo-offloads-flow-based-processing

Fortinet FCP - FortiGate 7.4 Administrator FCP_FGT_AD-7.4 Exam Practice Test