Practice Free FCP_FGT_AD-7.4 Exam Online Questions
Which of the following SD-WAN load balancing methods use interface weight values to distribute traffic? (Choose two.)
- A . Source IP
- B . Spillover
- C . Volume
- D . Session
C,D
Explanation:
Session is the name of a mode. Spillover is not the real name in SD-WAN; that name is used in ECMP. In SD-WAN, Spillover is called Usage.
The correct load balancing methods that use interface weight values to distribute traffic are:
C. Volume
D. Session
Both Volume-based and Session-based load balancing methods in SD-WAN can use interface weight values to distribute traffic proportionally based on the weights assigned to each interface.
The FortiGate uses the weight that you assign to each interface to calculate a percentage of the total sessions that are allowed to connect through each interface.
The FortiGate uses the volume weight that you assign to each interface to calculate a percentage of the total bandwidth that’s allowed to go through each interface.
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
- A . diagnose sys top
- B . execute ping
- C . execute traceroute
- D . diagnose sniffer packet any
- E . get system arp
B,C,D
Explanation:
"dia sys top" is not for troubleshooting Layer 3 issues, but rather for troubleshooting CPU and memory issues.
diagnose sys top – list of processes with most CPU
get system arp – show interface, IP, MAC (physical layer)
"If you suspect that there is an IP address conflict. … you may need to look at the ARP table" – get system arp (ans. E), and two other answers, B and C – execute ping, execute traceroute.
B. execute ping: The ping command is a fundamental tool for checking the connectivity between two devices. It sends ICMP Echo Request packets to the destination and waits for ICMP Echo Reply packets. This can help you verify if there is connectivity at the IP layer.
C. execute traceroute: The traceroute command allows you to trace the route that packets take from the source to the destination. It shows the IP addresses of routers in the path and can help identify where a packet might be dropping or encountering issues.
D. diagnose sniffer packet any: The diagnose sniffer packet any command is used to capture and analyze packets on the FortiGate device. This can be helpful in inspecting the actual packets flowing through the device, allowing you to identify any anomalies or potential issues at the packet level.
These commands are valuable for troubleshooting Layer 3 issues and gaining insights into the network behavior at the IP layer.
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)
- A . FortiSIEM
- B . FortiCloud
- C . FortiCache
- D . FortiSandbox
- E . FortiAnalyzer
A,B,E
Explanation:
The three remote log storage options you can configure on FortiGate are:
Refer to the exhibit.
A user located behind the FortiGate device is trying to go to http://www.addictinggames.com (Addicting.Games). The exhibit shows the application details and application control profile.
Based on this configuration, which statement is true?
- A . Addicting.Games will be blocked, based on the Filter Overrides configuration.
- B . Addicting.Games will be allowed only if the Filter Overrides action is set to Learn.
- C . Addicting.Games will be allowed, based on the Categories configuration.
- D . Addicting.Games will be allowed, based on the Application Overrides configuration.
D
Explanation:
Addicting.Games will be allowed, based on the Application Overrides configuration.
Based on the scan order: Application and Filter overrides >> Category.
Application and Filter overrides follow the same rules as firewall policy. Application override will be considered first.
What does the command diagnose debug fsso-polling refresh-user do?
- A . It refreshes all users learned through agentless polling.
- B . It displays status information and some statistics related to the polls done by FortiGate on each DC.
- C . It refreshes user group information from any servers connected to FortiGate using a collector agent.
- D . It enables agentless polling mode real-time debug.
A
Explanation:
It refreshes all users learned through agentless polling.
The command diagnose debug fsso-polling refresh-user is used in Fortinet’s FortiGate firewall to refresh all users learned through agentless polling. This means it updates the list of users that have been identified through agentless polling methods, which may include methods such as monitoring network traffic to detect user activity. This command helps ensure that the firewall has the most up-to-date information about users on the network for security and access control purposes.
What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?
- A . Both can be enabled at the same time.
- B . Both support volume algorithms.
- C . Both control ECMP algorithms.
- D . Both use the same physical interface load balancing settings.
C
Explanation:
The correct answer is: C. Both control ECMP algorithms.
In the context of SD-WAN (Software-Defined Wide Area Network), ECMP (Equal-Cost Multi-Path) algorithms are used to determine the path packets should take through the network. Both IPv4 and SD-WAN ECMP algorithms control how traffic is load-balanced across multiple paths to a destination. While IPv4 ECMP operates at the network layer (Layer 3) of the OSI model, SD-WAN ECMP operates at a higher level, typically involving application-aware routing and more advanced traffic steering capabilities.
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
- A . Log downloads from the GUI are limited to the current filter view
- B . Log backups from the CLI cannot be restored to another FortiGate.
- C . Log backups from the CLI can be configured to upload to FTP at a scheduled time
- D . Log downloads from the GUI are stored as LZ4 compressed files.
A,B
Explanation:
Which timeout setting can be responsible for deleting SSL VPN associated sessions?
- A . SSL VPN idle-timeout
- B . SSL VPN http-request-body-timeout
- C . SSL VPN login-timeout
- D . SSL VPN dtls-hello-timeout
A
Explanation:
SSL VPN idle-timeout
The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.
Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting on the GUI.
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.
What order must FortiGate use when the web filter profile has features enabled, such as safe search?
- A . DNS-based web filter and proxy-based web filter
- B . Static URL filter, FortiGuard category filter, and advanced filters
- C . Static domain filter, SSL inspection filter, and external connectors filters
- D . FortiGuard category filter and rating filter
B
Explanation:
The correct order for the HTTP inspection process in web filtering, specifically when features like safe search are enabled in the web filter profile, is:
B. Static URL filter, FortiGuard category filter, and advanced filters
This means that the FortiGate device will first check against the Static URL filter, followed by the FortiGuard category filter, and then any additional advanced filters configured in the web filter profile. This sequence allows for a systematic evaluation of the URL against different criteria, ensuring comprehensive web filtering.
The HTTP Inspection Order (Static URL Filter -> FortiGuard Category Filter -> Advanced Filters)
Refer to the exhibit, which contains a session diagnostic output.
Which statement is true about the session diagnostic output?
- A . The session is in TCP ESTABLISHED state.
- B . The session is a bidirectional UDP connection.
- C . The session is a UDP unidirectional state.
- D . The session is a bidirectional TCP connection.
B
Explanation:
The session is a bidirectional UDP connection.
B. Protocol 17 means UDP, and proto_state=1 is bidirectional (proto_state=0 is unidirectional).
proto=17 -> UDP
proto_state=01 -> UDP Reply seen
A is wrong