Practice Free FCP_FGT_AD-7.4 Exam Online Questions
Which two statements are correct when FortiGate enters conserve mode? (Choose two.)
- A. FortiGate halts complete system operation and requires a reboot to regain available resources
- B. FortiGate refuses to accept configuration changes
- C. FortiGate continues to run critical security actions, such as quarantine.
- D. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled
C, D
Explanation:
FortiGate continues to run critical security actions, such as quarantine.
Even in conserve mode, FortiGate prioritizes critical security functions to ensure basic protections are still in place, such as quarantining malicious traffic.
FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled.
When the system is in conserve mode and the "fail-open" setting is enabled, FortiGate will allow traffic to pass without IPS inspection to ensure traffic flow continuity despite resource limitations.
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?
- A. 192.168.2.0/24
- B. 192.168.0.0/8
- C. 192.168.1.0/24
- D. 192.168.3.0/24
A
Explanation:
Which are two benefits of using SD-WAN? (Choose two.)
- A. FortiGate performs per-packet distribution across multiple SD-WAN members.
- B. WAN is used effectively.
- C. Application steering is available.
- D. Firewall policies are not required.
B,C
Explanation:
The two benefits of using SD-WAN are:
B. WAN is used effectively.
SD-WAN optimizes the utilization of Wide Area Network (WAN) resources, improving efficiency and performance in the network.
C. Application steering is available.
SD-WAN provides the capability to steer and prioritize traffic based on the specific applications, ensuring better application performance and user experience.
The other options are not accurate:
A is incorrect because FortiGate typically performs per-session, not per-packet, distribution across multiple SD-WAN members.
D is incorrect because firewall policies may still be required, especially for security and traffic control purposes.
So, the correct choices are B and C.
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
- A. FortiGuard update servers
- B. System time
- C. Operating mode
- D. NGFW mode
C,D
Explanation:
C: Operating mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate.
D: Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection mode is flow, so NGFW mode can be changed from profile-based (default) to policy-based directly in System > Settings from the VDOM.
A and B are incorrect: The firmware on your FortiGate and some settings, such as system time, apply to the entire device; they are not specific to each VDOM.
NGFW mode is a per-VDOM setting.
Operation mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate.
An administrator wants to configure Dead Peer Detection (DPD) on an IPsec VPN to detect dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?
- A. Disabled
- B. On Demand
- C. Enabled
- D. On Idle
D
Explanation:
The Dead Peer Detection (DPD) mode on FortiGate that will meet the requirement of sending DPD probes only when no traffic is observed in the tunnel is "On Idle."
Therefore, the correct answer is:
D. On Idle
- Disabled: DPD is turned off. No detection probes are sent.
- On Demand: DPD probes are sent when there is no traffic detected in the tunnel for a specified period.
- Enabled: DPD probes are sent periodically, regardless of whether there is traffic in the tunnel or not.
- On Idle: DPD probes are sent only when there is no traffic observed in the tunnel for a certain period. This mode is often preferred when you want to conserve bandwidth by sending DPD probes only when the tunnel is not actively transmitting data.
In the context of the administrator’s requirement to send DPD probes only when no traffic is observed in the tunnel, the appropriate choice is "On Idle." This ensures that the DPD probes are triggered only during periods of inactivity, helping to detect and address potential issues in a more bandwidth-efficient manner.
Which statement about the policy ID number of a firewall policy is true?
- A. It is required to modify a firewall policy using the CLI.
- B. It represents the number of objects used in the firewall policy.
- C. It changes when firewall policies are reordered.
- D. It defines the order in which rules are processed.
A
Explanation:
Which two pieces of information are synchronized between FortiGate HA members? (Choose two.)
- A. OSPF adjacencies
- B. IPsec security associations
- C. BGP peerings
- D. DHCP leases
B, D
Explanation:
IPsec security associations
IPsec security associations (SAs) are synchronized between HA members to ensure seamless failover and continuity of VPN tunnels.
DHCP leases
DHCP lease information is synchronized between HA members to maintain consistent IP address assignments and prevent disruptions when failover occurs.
Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?
- A. Local traffic logs
- B. Forward traffic logs
- C. System event logs
- D. Security logs
A
Explanation:
The type of logs on FortiGate that record information about traffic directly to and from the FortiGate management IP addresses is:
Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)
- A. Only the "any" interface can be chosen as an incoming interface.
- B. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
- C. Multiple interfaces can be selected as incoming and outgoing interfaces.
- D. A zone can be chosen as the outgoing interface.
C,D
Explanation:
C. Multiple interfaces can be selected as incoming and outgoing interfaces.
This statement is correct. You can specify multiple interfaces as both incoming and outgoing interfaces in a firewall policy.
D. A zone can be chosen as the outgoing interface.
This statement is correct as well. In FortiGate firewalls, you can choose a zone as the outgoing interface in a firewall policy, providing a convenient way to apply policies to multiple physical or logical interfaces grouped under the same zone.
So, the correct choices are C and D.
Which three methods are used by the collector agent for AD polling? (Choose three.)
- A. WMI
- B. Novell API
- C. WinSecLog
- D. NetAPI
- E. FortiGate polling
A,C,D
Explanation:
The correct options for the methods used by the collector agent for AD polling are: