Practice Free FCP_FGT_AD-7.4 Exam Online Questions
Which statement correctly describes the use of reliable logging on FortiGate?
- A . Reliable logging is enabled by default in all configuration scenarios.
- B . Reliable logging is required to encrypt the transmission of logs.
- C . Reliable logging can be configured only using the CLI.
- D . Reliable logging prevents the loss of logs when the local disk is full.
D
Explanation:
Reliable logging prevents the loss of logs when the local disk is full.
On a FortiGate device, reliable logging is a feature that helps to prevent the loss of log messages when the local disk is full. When reliable logging is enabled, the FortiGate will store log messages in a buffer until they can be written to the local disk. This helps to ensure that log messages are not lost due to a full disk, allowing administrators to maintain an accurate record of activity on the network.
Reliable logging is not enabled by default in all configuration scenarios, and it does not encrypt the transmission of logs or require the use of the CLI to be configured. However, it is a useful feature to enable in order to maintain a comprehensive record of activity on the network and help with troubleshooting and security analysis.
Reliable logging on FortiGate is used to prevent the loss of logs when the connection between FortiOS and FortiAnalyzer is disrupted. When reliable mode is enabled, logs are cached in a FortiOS memory queue. FortiOS sends logs to FortiAnalyzer, and FortiAnalyzer uses seq_no to track received logs. The other statements are incorrect:
Reliable logging is not enabled by default in all configuration scenarios. It must be enabled explicitly. Reliable logging is not required to encrypt the transmission of logs. Encryption can be configured separately.
Reliable logging can be configured using the CLI or the FortiGate web interface.
The question is asking what describes the correct use, meaning what is the main function of reliable logging. Wouldn't that be preventing loss of logs when the disk is full by sending them to the Analyzer, making D the correct answer?
You can encrypt the logs if you are sending your logs to the cloud, but the main purpose of reliable logging is to make sure that all the logs you send are being received by the server.
You can encrypt the traffic, but it is not required; the most specific option is D.
An administrator has configured the following settings:
config system settings
set ses-denied-traffic enable
end
config system global
set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)
- A . Device detection on all interfaces is enforced for 30 seconds.
- B . Denied users are blocked for 30 seconds.
- C . The number of logs generated by denied traffic is reduced.
- D . A session for denied traffic is created.
C,D
Explanation:
The timer is configured in seconds in either case.
ses-denied-traffic: Enable/disable including denied sessions in the session table.
block-session-timer: Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.
During the session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable a session table entry for dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation. This option is in the CLI and is called ses-denied-traffic. You can also set the duration for blocked sessions. This determines how long a session is kept in the session table, by setting block-session-timer in the CLI. By default, it is set to 30 seconds.
Reference and download study guide:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478
Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode, are true? (Choose two.)
- A . A file does not need to be buffered completely before it is moved to the antivirus engine for scanning.
- B . The client must wait for the antivirus scan to finish scanning before it receives the file.
- C . FortiGate sends a reset packet to the client if antivirus reports the file as infected.
- D . If a virus is detected, a block replacement message is displayed immediately.
B,D
Explanation:
In a firewall policy set to proxy-based inspection mode:
B. The client must wait for the antivirus scan to finish scanning before it receives the file.
In proxy-based inspection, the client may need to wait for the antivirus scan to complete before receiving the file. The file may need to be fully scanned before being delivered to the client, depending on the specific configuration and circumstances.
D. If a virus is detected, a block replacement message is displayed immediately.
If a virus is detected during the antivirus scan in proxy-based inspection mode, FortiGate can generate a block replacement message immediately, informing the user that the file is infected. So, both statements B and D are valid in the context of proxy-based inspection mode.
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
- A . FortiGuard update servers
- B . System time
- C . Operating mode
- D . NGFW mode
C,D
Explanation:
C: Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate.
D: Inspection-mode selection has moved from the VDOM to the firewall policy, and the default inspection mode is flow, so NGFW mode can be changed from profile-based (default) to policy-based directly in System > Settings within the VDOM.
A and B are incorrect: the firmware on your FortiGate and some settings, such as system time, apply to the entire device; they are not specific to each VDOM.
NGFW mode is a per-VDOM setting.
Operation mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate.
An administrator has configured central DNAT and virtual IPs.
Which item can be selected in the firewall policy Destination field?
- A . An IP pool
- B . A VIP object
- C . A VIP group
- D . The mapped IP address object of the VIP object
D
Explanation:
– when central NAT is enabled => put the mapped IP address of the VIP object.
– when central NAT is disabled => put the VIP object.
In the context of central DNAT and virtual IPs in FortiGate, the correct option for the firewall policy Destination field is:
D. The mapped IP address object of the VIP object
When configuring central DNAT, you typically select the mapped IP address object associated with the VIP object in the firewall policy Destination field. This mapped IP address represents the internal destination to which traffic will be redirected.
So, the correct choice is D.
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?
- A . To remove the NAT operation.
- B . To generate logs
- C . To finish any inspection operations.
- D . To allow for out-of-order packets that could arrive after the FIN/ACK packets.
D
Explanation:
To allow for out-of-order packets that could arrive after the FIN/ACK packets.
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. The FortiGate unit implements a specific timer before removing an entry from the firewall session table.
When a session is closed by both sides, FortiGate keeps it in the session table for a few seconds more, to allow for any out-of-order packets that could arrive after the FIN/ACK packet. This is the state value. One of the reasons FortiGate keeps TCP sessions in the session table for several seconds, even after both sides have terminated the session, is indeed to allow for out-of-order packets that could arrive after the FIN/ACK packets. This helps in handling potential network delays and ensures that all relevant packets are processed before the session is fully closed.
If the Issuer and Subject values are the same in a digital certificate, to which type of entity was the certificate issued?
- A . A subordinate CA
- B . A root CA
- C . A user
- D . A CRL
B
Explanation:
If the Issuer and Subject values are the same in a digital certificate, it typically indicates that the certificate is a self-signed certificate.
Therefore, the correct answer is:
B. A root CA (Certificate Authority)
A self-signed certificate is one where the entity that issued the certificate is also the entity identified by the certificate. In the context of a Certificate Authority (CA), this is often referred to as a root CA certificate. Root CA certificates are at the top of the certificate hierarchy and are used to sign other certificates, creating a chain of trust in a Public Key Infrastructure (PKI).
Which statement about firewall policy NAT is true?
- A . DNAT is not supported.
- B . DNAT can automatically apply to multiple firewall policies, based on DNAT rules.
- C . You must configure SNAT for each firewall policy.
- D . SNAT can automatically apply to multiple firewall policies, based on SNAT rules.
C
Explanation:
C. You must configure SNAT for each firewall policy.
The correct statement about firewall policy NAT (Network Address Translation) is: you must configure SNAT for each firewall policy.
SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) are important components of a firewall’s policy.
Which timeout setting can be responsible for deleting SSL VPN associated sessions?
- A . SSL VPN idle-timeout
- B . SSL VPN http-request-body-timeout
- C . SSL VPN login-timeout
- D . SSL VPN dtls-hello-timeout
A
Explanation:
The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.
Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting on the GUI.
How do you format the FortiGate flash disk?
- A . Load the hardware test (HQIP) image.
- B . Select the format boot device option from the BIOS menu.
- C . Load a debug FortiOS image.
- D . Execute the CLI command execute formatlogdisk.
B
Explanation:
Select the format boot device option from the BIOS menu.
Selecting the format boot device option from the BIOS menu allows you to format the FortiGate flash disk. This option is typically used when you need to reformat the flash disk to resolve issues or prepare it for a fresh installation of the operating system. However, it’s important to note that formatting the flash disk will erase all data on it, so it should be done carefully.
Reference:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD46582
https://kb.fortinet.com/kb/viewContent.do?externalId=10338