Practice Free FCP_FGT_AD-7.4 Exam Online Questions
When configuring a firewall virtual wire pair policy, which following statement is true?
- A . Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.
- B . Only a single virtual wire pair can be included in each policy.
- C . Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
- D . Exactly two virtual wire pairs need to be included in each policy.
C
Explanation:
Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
Firewall virtual wire pair policies can include more than a single virtual wire pair. This capability can streamline the policy management process by eliminating the need to create multiple, similar policies for each virtual wire pair. When creating or modifying a policy, you can select the traffic direction for each VWP included in the policy.
Note: We tested creating a policy. We can use any number of virtual wire pairs. We can select 3 options in traffic direction: in/out/both.
Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two.)
- A . Firewall policy
- B . Policy rule
- C . Security policy
- D . SSL inspection and authentication policy
C,D
Explanation:
In NGFW policy-based mode, you must configure two policies to allow traffic: an SSL Inspection & Authentication policy and a Security policy.
Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow traffic from a specific user or user group, both Security and SSL Inspection & Authentication policies must be configured.
If you are using Policy Based Mode, SSL Inspection & Authentication (consolidated) and Security Policy are required to allow traffic.
Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?
- A . Local traffic logs
- B . Forward traffic logs
- C . System event logs
- D . Security logs
A
Explanation:
The type of logs on FortiGate that record information about traffic directly to and from the FortiGate management IP addresses is:
Which scanning technique on FortiGate can be enabled only on the CLI?
- A . Machine learning (AI) scan
- B . Trojan scan
- C . Antivirus scan
- D . Ransomware scan
A
Explanation:
The scanning technique on FortiGate that can be enabled only on the CLI (Command Line Interface) is:
Which two statements are true about the FGCP protocol? (Choose two.)
- A . Is used to discover FortiGate devices in different HA groups
- B . Not used when FortiGate is in Transparent mode
- C . Runs only over the heartbeat links
- D . Elects the primary FortiGate device
C,D
Explanation:
C. Runs only over the heartbeat links: FGCP utilizes heartbeat links for exchanging heartbeat packets to monitor the health of the cluster. While heartbeat links play a crucial role, other interfaces can also be used for synchronization and communication within the cluster.
D. Elects the primary FortiGate device: FGCP is responsible for the election of the primary FortiGate device in a high availability (HA) cluster. The primary FortiGate manages the traffic while the secondary FortiGate stays in standby mode.
Which two statements are true about the RPF check? (Choose two.)
- A . The RPF check is run on the first sent packet of any new session.
- B . The RPF check is run on the first reply packet of any new session.
- C . The RPF check is run on the first sent and reply packet of any new session.
- D . RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.
A,D
Explanation:
RPF protects against IP spoofing attacks. The source IP address is checked against the routing table for a return path. RPF is carried out only on the first packet in the session, not on reply packets.
An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the Internet. The web server is connected to port1. The Internet is connected to port2. Both interfaces belong to the VDOM named Corporation.
What interface must be used as the source for the firewall policy that will allow this traffic?
- A . ssl.root
- B . ssl.Corporation
- C . port2
- D . port1
B
Explanation:
ssl.Corporation
If you are working within a specific VDOM named "Corporation," and the SSL VPN is associated with that VDOM, then the correct choice is:
B. ssl.Corporation
Using the "ssl.Corporation" interface as the source for the firewall policy makes sense in the context of a VDOM-specific SSL VPN.
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
- A . On HQ-FortiGate, enable Diffie-Hellman Group 2.
- B . On HQ-FortiGate, enable Auto-negotiate.
- C . On Remote-FortiGate, set Seconds to 43200.
- D . On HQ-FortiGate, set Encryption to AES256.
D
Explanation:
D. On HQ-FortiGate, set Encryption to AES256.
A phase 2 proposal defines the algorithms supported by the peer for encrypting and decrypting the data over the tunnel. You can configure multiple proposals to offer more options to the remote peer when negotiating the IPsec SAs.
As in phase 1, you need to select a combination of encryption and authentication algorithms. D is correct: the encryption and authentication algorithms must match on both peers in order for the IPsec tunnel to be established successfully, so the encryption algorithm must be the same on both sides.
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?
- A . 192.168.2.0/24
- B . 192.168.0.0/8
- C . 192.168.1.0/24
- D . 192.168.3.0/24
A
Explanation:
Refer to the exhibits.
Exhibit A.
Exhibit B.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
- A . Change the csf setting on Local-FortiGate (root) to set configuration-sync local.
- B . Change the csf setting on ISFW (downstream) to set configuration-sync local.
- C . Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
- D . Change the csf setting on ISFW (downstream) to set fabric-object-unification default.
C
Explanation:
Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
The CLI command set fabric-object-unification is only available on the root FortiGate. When set to local, global objects will not be synchronized to downstream devices in the Security Fabric. The default value is default.
Option A will not synchronise global fabric objects downstream.