Practice Free FCP_FGT_AD-7.4 Exam Online Questions
Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?
- A . The security actions applied on the web applications will also be explicitly applied on the third-party websites.
- B . The application signature database inspects traffic only from the original web application server.
- C . FortiGuard maintains only one signature of each web application that is unique.
- D . FortiGate can inspect sub-application traffic regardless of where it originated.
D
Explanation:
D. FortiGate can inspect sub-application traffic regardless of where it originated.
FortiGate is capable of inspecting traffic from web applications embedded in third-party websites, regardless of where the traffic originated. This allows FortiGate to provide comprehensive security measures for web applications, including those embedded in third-party websites. FortiOS gives administrators all the tools they need to inspect sub-application traffic.
Reference: https://help.fortinet.com/fortiproxy/11/Content/Admin%20Guides/FPX-AdminGuide/300_System/303d_FortiGuard.htm
Which two statements are correct about a software switch on FortiGate? (Choose two.)
- A . It can be configured only when FortiGate is operating in NAT mode
- B . Can act as a Layer 2 switch as well as a Layer 3 router
- C . All interfaces in the software switch share the same IP address
- D . It can group only physical interfaces
A,C
Explanation:
A is correct: "Only supported in NAT mode"
C is correct: "The interfaces share the same IP address and belong to the same broadcast domain."
Incorrect options:
B is incorrect: "Acts like a traditional Layer 2 switch".
D is incorrect: "Can group multiple physical and wireless interfaces into a single virtual switch interface".
Can group physical and wireless interfaces.
Only works in NAT mode.
Acts like a traditional Layer 3 switch.
Interfaces share the same IP address and broadcast domain.
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?
- A . diagnose wad session list
- B . diagnose wad session list | grep hook-pre&&hook-out
- C . diagnose wad session list | grep hook=pre&&hook=out
- D . diagnose wad session list | grep "hook=pre"&"hook=out"
A
Explanation:
diagnose wad session list
Running the diagnose wad session list command will indeed display the sessions managed by the Web Application Firewall (WAF) module, and you can review the information in the output to analyze traffic from the client to the proxy and from the proxy to the servers.
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)
- A . SSH
- B . HTTPS
- C . FTM
- D . FortiTelemetry
A,B
Explanation:
The two protocols used to enable administrator access to a FortiGate device are:
Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)
- A . FG-traffic
- B . Mgmt
- C . FG-Mgmt
- D . Root
A,D
Explanation:
Root VDOM is created by default when VDOMs are enabled.
configure on FortiGate:
– captive portal authentication required
– Authentication failed message for Sales users
– Authentication success for HR users
– second policy used by HR users
In FortiOS, when setting up a FortiGate in split VDOM mode, the default VDOMs created are FG-traffic and Root.
So, in this case, the correct answers would be A. FG-traffic and D. Root.
View the exhibit.
date=2022-06-14 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1 sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24 srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain class=0 cat=140 catdesc="custom1"
What two things does this raw log indicate? (Choose two.)
- A . FortiGate allowed the traffic to pass.
- B . 192.168.1.24 is the IP address for www.fortinet.com.
- C . The traffic matches the webfilter profile on firewall policy ID 2.
- D . The traffic originated from 66.171.121.44.
A,C
Explanation:
The raw log indicates the following:
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.
How must the administrator configure the local quick mode selector for site B?
- A . 192.16.3.0/24
- B . 192.16.2.0/24
- C . 192.16.1.0/24
- D . 192.16.0.0/8
B
Explanation:
The local quick mode selector for site B should be configured to match the remote quick mode selector of site
What must you configure to enable proxy-based TCP session failover?
- A . You must configure ha-configuration-sync under configure system ha.
- B . You do not need to configure anything because all TCP sessions are automatically failed over.
- C . You must configure session-pickup-enable under configure system ha.
- D . You must configure session-pickup-connectionless enable under configure system ha.
C
Explanation:
The correct answer is:
C. You must configure session-pickup-enable under configure system ha.
To enable proxy-based TCP session failover on a Fortinet FortiGate firewall, you must configure the session-pickup-enable setting under the high availability (HA) configuration. This setting allows the firewall to pick up and maintain TCP sessions after a failover event, ensuring continuity of service for established connections.
Refer to the exhibit, which contains a RADIUS server configuration.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What will be the impact of using Include in every user group option in a RADIUS configuration?
- A . This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
- B . This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
- C . This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
- D . This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
A
Explanation:
The Include in every User Group option adds the RADIUS server, and all users that can authenticate against it, to every user group created on FortiGate. So, you should enable this option only in very specific scenarios (for example, when only administrators can authenticate against the RADIUS server and policies are ordered from least restrictive to most restrictive).
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)
- A . The client FortiGate requires a manually added route to remote subnets.
- B . The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
- C . The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
- D . The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
C,D
Explanation:
The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate:
When setting up SSL VPN between two FortiGate devices, the server FortiGate needs a CA (Certificate Authority) certificate to verify the client FortiGate’s certificate. This ensures that the client connecting to the VPN is authenticated and trusted.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN:
For the SSL VPN to function, the client FortiGate needs to have the SSL VPN tunnel interface type configured. This interface type is specifically designed for SSL VPN connections, allowing the client FortiGate to establish the VPN tunnel with the server FortiGate.
These two settings together ensure that the SSL VPN connection between the two FortiGate devices is properly authenticated and established, allowing secure communication between them.