Practice Free FCP_FGT_AD-7.4 Exam Online Questions
What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
- A . It limits the scanning of application traffic to the browser-based technology category only.
- B . It limits the scanning of application traffic to the DNS protocol only.
- C . It limits the scanning of application traffic to use parent signatures only.
- D . It limits the scanning of application traffic to the application category only.
A
Explanation:
In NGFW policy-based mode, a URL category (web filter) entry and application control can share a policy, but the URL match only applies to web traffic, so application scanning in that policy is restricted to the browser-based technology category. Other application categories are not inspected by that policy.
Which statement about the policy ID number of a firewall policy is true?
- A . It is required to modify a firewall policy using the CLI.
- B . It represents the number of objects used in the firewall policy.
- C . It changes when firewall policies are reordered.
- D . It defines the order in which rules are processed.
A
Explanation:
The policy ID is the key you address a policy by in the CLI (config firewall policy, then edit <policy-id>). It is assigned when the policy is created and does not change when policies are reordered; processing order is determined by the policy's position in the list, from top to bottom, not by its ID.
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?
- A . By default, FortiGate uses WINS servers to resolve names.
- B . By default, the SSL VPN portal requires the installation of a client’s certificate.
- C . By default, split tunneling is enabled.
- D . By default, the admin GUI and SSL VPN portal use the same HTTPS port.
C
Explanation:
There is a trap here. C and D each have something right, but the trick is in the question.
Under SSL VPN Settings you can see that the port is 443 (the same as the HTTPS admin port).
BUT the question is about an SSL VPN setting FOR A VPN PORTAL, so if you go to SSL VPN Portals and click "Create New" you will see Tunnel Mode and Split Tunneling enabled by default. So the correct answer is C.
Split tunneling allows a remote VPN user to tunnel only specific traffic (the protected corporate subnets) back through the FortiGate, while all other traffic, such as general Internet traffic, is sent directly to its destination. This reduces bandwidth and load on the corporate network and lowers latency for non-corporate traffic.
With split tunneling enabled by default on the SSL VPN portal, the remote user's Internet-bound traffic is not forced through the FortiGate. The practical caveat is that this direct traffic is also not inspected by the FortiGate security profiles, so disable split tunneling (or narrow the routing address) if policy requires all remote-user traffic to be inspected.
Extra explanation:
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-sslvpn/SSLVPN_Examples/Split_Tunnel.htm#:~:text=Split%20Tunnel,SSL%20VPN%20on%20FortiGate%20units.
Which three statements are true regarding session-based authentication? (Choose three.)
- A . HTTP sessions are treated as a single user.
- B . IP sessions from the same source IP address are treated as a single user.
- C . It can differentiate among multiple clients behind the same source IP address.
- D . It requires more resources.
- E . It is not recommended if multiple users are behind the source NAT.
A,C,D
Explanation:
These three statements are true regarding session-based authentication: each HTTP session is tracked and treated as a single user (A), which is why it can differentiate among multiple clients that share the same source IP address, for example behind NAT (C), at the cost of more memory and CPU than IP-based authentication (D). Statements B and E describe IP-based authentication, which treats all traffic from one source IP as a single user and is therefore not recommended when several users sit behind a source NAT.
Which NAT method translates the source IP address in a packet to another IP address?
- A . DNAT
- B . SNAT
- C . VIP
- D . IPPOOL
B
Explanation:
The correct answer is: B. SNAT
SNAT (source network address translation) rewrites the source IP address of a packet, typically so that private internal addresses appear as a public address when traffic leaves toward the Internet. DNAT (destination NAT) rewrites the destination IP address instead. On FortiGate, a VIP (virtual IP) is the object that performs DNAT, optionally with port forwarding or server load balancing, and an IP pool is the object that supplies the translated source addresses used by SNAT; neither is the NAT method itself, so only B answers the question. (In iptables, MASQUERADE is a special case of SNAT that uses the outgoing interface's address.)
View the exhibit.
Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.
Which two static routes are required in the FortiGate configuration, to route traffic between both subnets through an inter-VDOM link? (Choose two.)
- A . A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link
- B . A static route in VDOM2 for the destination subnet 10.0.1.0/24
- C . A static route in VDOM1 for the destination subnet 10.0.2.0/24
- D . A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link
B,C
Explanation:
The two static routes required in the FortiGate configuration to route traffic between both subnets through an inter-VDOM link are:
B. A static route in VDOM2 for the destination subnet 10.0.1.0/24
C. A static route in VDOM1 for the destination subnet 10.0.2.0/24
In VDOM1, a static route for the destination subnet 10.0.2.0/24 is needed to route traffic destined for VDOM2’s subnet through the inter-VDOM link.
In VDOM2, a static route for the destination subnet 10.0.1.0/24 is needed to route traffic destined for VDOM1’s subnet through the inter-VDOM link.
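The following FortiOS CLI configuration is an added example, not part of the original exam material, showing the inter-VDOM link and the two static routes described above. The link name "vlink" and the transit subnet 10.255.0.0/30 are assumptions; the two interfaces that FortiOS creates for a vdom-link are always named <link-name>0 and <link-name>1. The firewall policies in each VDOM are assumed to already exist, as the question states.

```fortios
# Create the inter-VDOM link; FortiOS creates interfaces vlink0 and vlink1.
config system vdom-link
    edit "vlink"
    next
end

# Place one end of the link in each VDOM and address the transit subnet
# (10.255.0.0/30 is an assumed example value).
config system interface
    edit "vlink0"
        set vdom "VDOM1"
        set ip 10.255.0.1 255.255.255.252
        set allowaccess ping
    next
    edit "vlink1"
        set vdom "VDOM2"
        set ip 10.255.0.2 255.255.255.252
        set allowaccess ping
    next
end

# Answer C: VDOM1 needs a route to VDOM2's subnet via its end of the link.
config vdom
    edit VDOM1
        config router static
            edit 0
                set dst 10.0.2.0/24
                set gateway 10.255.0.2
                set device "vlink0"
            next
        end
    next
    # Answer B: VDOM2 needs a route back to VDOM1's subnet via its end.
    edit VDOM2
        config router static
            edit 0
                set dst 10.0.1.0/24
                set gateway 10.255.0.1
                set device "vlink1"
            next
        end
    next
end
```

To verify, enter each VDOM (config vdom, edit VDOM1) and run get router info routing-table all; the 10.0.2.0/24 entry should point out vlink0 in VDOM1 and 10.0.1.0/24 out vlink1 in VDOM2. Routes for the link subnet itself (answers A and D) are connected routes created automatically when the interfaces are addressed, which is why they are not required.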
Which two IP pool types enable you to identify user connections without having to log user traffic? (Choose two.)
- A . Fixed port range
- B . Port block allocation
- C . One-to-one
- D . Overload
A,B
Explanation:
Fixed port range and port block allocation (PBA) give each translated internal address a deterministic block of external ports, so a user behind the pool can be identified from the external IP address and port alone, without keeping per-session NAT logs. One-to-one and overload pools do not provide that mapping: overload reuses any free port, so only the traffic log ties an external port to a user.
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in CPU usage?
- A . The IPS engine was inspecting high volume of traffic.
- B . The IPS engine was unable to prevent an intrusion attack.
- C . The IPS engine was blocking all traffic.
- D . The IPS engine will continue to run in a normal state.
A
Explanation:
If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass mode.
In this mode, the IPS engine is still running, but it is not inspecting traffic.
If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.
If the CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine, which you must report to Fortinet Support.
If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?
- A . The Services field removes the requirement of creating multiple VIPs for different services.
- B . The Services field is used when several VIPs need to be bundled into VIP groups.
- C . The Services field does not allow source NAT and destination NAT to be combined in the same policy.
- D . The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.
A
Explanation:
The Services option has been added to VIP objects. When services and port forward are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port. This configuration was made possible to allow for complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT, and not requiring numerous VIPs to be bundled into VIP groups. VIPs with different services are considered non-overlapping.
When the Services field is configured in a Virtual IP (VIP), it allows you to specify multiple services or ports for the same VIP. This eliminates the need to create separate VIPs for different services, as you can define multiple services within a single VIP using the Services field. This is particularly useful for simplifying configuration and management.
Which three actions are valid for static URL filtering? (Choose three.)
- A . Block
- B . Warning
- C . Shape
- D . Exempt
- E . Allow
A,D,E
Explanation:
The correct actions for static URL filtering in FortiGate are Allow, Block, and Exempt (Monitor is the fourth available action, though it is not offered here). Exempt stops further web-filter and SSL inspection for the matched URL, so it should be used sparingly. Warning is a FortiGuard category action rather than a static URL filter action, and traffic shaping is not a URL filter action at all.