Fortinet FCP_FGT_AD-7.6 Exam Practice Test Instant Access

Question 1

When configuring firewall policies which of the following is true regarding the policy ID?

AIt is mandatory to provide a policy ID while creating a firewall policy regardless of GUI or CLI.

BA firewall policy ID identifies the order of policy execution in firewall policies.

CYou can create a policy in CLI with policy ID 0.

DA policy ID cannot be edited once a policy is created.

Answer : D

Once a firewall policy is created, its policy ID is fixed and cannot be changed; this ID uniquely identifies the policy within the FortiGate configuration.

Question 2

A FortiGate firewall policy is configured with active authentication, however, the user cannot authenticate when accessing a website.

Which protocol must FortiGate allow even though the user cannot authenticate?

ALDAP

BTACASC+

CKerberos

DDNS

Answer : D

DNS traffic must be allowed so the user can resolve domain names and reach the authentication server or web resources, even if authentication initially fails.

Question 3

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.

The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.

Which additional configuration can the administrator add to a deny firewall policy, beyond the default behavior, to block Remote-User2 from accessing the Webserver?

ADisable match-vip in the Allow_access policy

BConfigure a One-to-One IP Pool object in a new policy.

CSet the Destination address as Webserver in the Deny policy.

DSet the Destination address as Deny_IP in the Allow_access policy.

Answer : C

To block Remote-User2's access to the Webserver, the deny policy must explicitly specify the Webserver as the destination address; otherwise, it denies traffic to all destinations, which is not the desired behavior.

Question 4

When configuring a FortiGate in a multi-WAN setup, why would an administrator enable session preservation on an interface?

ATo allow the FortiGate to dynamically change interfaces for all active sessions when a WAN link fails

BTo make sure all sessions without source NAT enabled always use the primary WAN link

CTo improve security by forcing users to authenticate again when the WAN link changes

DTo ensure that existing SSL VPN connections remain on the same interface even if route changes occur

Answer : D

Session preservation keeps active sessions, such as SSL VPNs, tied to the original interface to prevent disruption when WAN routes change.

Question 5

Refer to the exhibits.

The exhibits show the system performance output and default configuration of high memory usage thresholds on a FortiGate device.

Based on the system performance output, what are the two possible outcomes? (Choose two.)

AFortiGate has entered conserve mode.

BAdministrators can access FortiGate only through the console port.

CAdministrators can change the configuration.

DFortiGate drops new sessions.

Answer : C, D

Since memory usage is at 90%, exceeding the red threshold (88%), FortiGate enters a state where configuration changes are still allowed.

In this state, FortiGate drops new sessions to preserve resources and maintain stability.

Question 6

A remote user reports slow SSL VPN performance and frequent disconnections. The user is located in an area with poor internet connectivity.

What setting should the administrator adjust to improve the user's experience?

AEnable split tunneling to reduce VPN traffic.

BChange the SSL VPN port to a non-standard port.

CIncrease the session timeout for inactive sessions.

DConfigure the DTLS timeout to accommodate high-latency connections.

Answer : D

Adjusting the DTLS timeout helps maintain SSL VPN stability and performance in environments with poor or high-latency internet connectivity by allowing more time for packet retransmissions before dropping the connection.

Question 7

You have configured the FortiGate device for FSSO. A user is successful in log-in to windows, but their access to the internet is denied.

What should the administrator check first?

AWhether the user is assigned to the correct AD group.

BThe FortiGate firewall policy settings for SSL decryption.

CThe FortiGate FSSO active users list for user's IP address.

DThe windows event viewer for failed login attempts.

Answer : C

Checking the active users list verifies if FortiGate correctly associates the user with their IP address, ensuring proper policy enforcement for internet access.

Fortinet FCP_FGT_AD-7.6 FCP - FortiGate 7.6 Administrator Exam Practice Test