Practice Free FCP_FGT_AD-7.6 Exam Online Questions
FortiGate is integrated with FortiAnalyzer and FortiManager.
When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?
- A . Log ID
- B . Policy ID
- C . Sequence ID
- D . Universally Unique Identifier
D
Explanation:
When a firewall policy is created in FortiGate integrated with FortiAnalyzer and FortiManager, a Universally Unique Identifier (UUID) is added to the policy to support logging and management.
Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
- A . SSH
- B . FortiTelemetry
- C . Trusted host
- D . HTTPS
- E . Trusted authentication
A,C,D
Explanation:
To provide secure and restrictive administrative access to FortiGate, the following three settings and protocols can be used:
Which method allows management access to the FortiGate CLI without network connectivity?
- A . SSH console
- B . CLI console widget
- C . Serial console
- D . Telnet console
C
Explanation:
The serial console method allows management access to the FortiGate CLI without relying on network connectivity. This method involves directly connecting a computer to the FortiGate device using a serial cable (such as a DB-9 to RJ-45 cable or USB to RJ-45 cable) and using terminal emulation software to interact with the FortiGate CLI. This method is essential for situations where network-based access methods (such as SSH or Telnet) are not available or feasible.
Reference: FortiOS 7.4.1 Administration Guide: Console connection
Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)
- A . Web filter in flow-based inspection
- B . Antivirus in flow-based inspection
- C . DNS filter
- D . Web application firewall
- E . Application control
A,B,E
Explanation:
If the Issuer and Subject values are the same in a digital certificate, to which type of entity was the certificate issued?
- A . A subordinate CA
- B . A root CA
- C . A user
- D . A CRL
B
Explanation:
If the Issuer and Subject values are the same in a digital certificate, it typically indicates that the certificate is a self-signed certificate.
Therefore, the correct answer is:
B. A root CA (Certificate Authority)
A self-signed certificate is one where the entity that issued the certificate is also the entity identified by the certificate. In the context of a Certificate Authority (CA), this is often referred to as a root CA certificate. Root CA certificates are at the top of the certificate hierarchy and are used to sign other certificates, creating a chain of trust in a Public Key Infrastructure (PKI).
Which two statements are true about collector agent standard access mode? (Choose two.)
- A . Standard mode uses Windows convention-NetBios: Domain\Username.
- B . Standard mode security profiles apply to organizational units (OU).
- C . Standard mode security profiles apply to user groups.
- D . Standard access mode supports nested groups.
A,C
Explanation:
Refer to the exhibit, which shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
- A . The sensor will gather a packet log for all matched traffic.
- B . The sensor will reset all connections that match these signatures.
- C . The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
- D . The sensor will block all attacks aimed at Windows servers.
C, A
Explanation:
The IPS sensor configuration shows that:
The Microsoft.Windows.iSCSI.Target.DoS signature is set to "Monitor" with packet logging enabled, meaning that while traffic matching this signature will be allowed, it will also be logged for further analysis.
The generic Windows filter is set to "Block," meaning that all other attacks matching this filter will be blocked. However, the sensor will not reset connections or log packets unless specified.
Therefore, the sensor will allow attackers matching the specific DoS signature while blocking other attacks against Windows.
Reference: FortiOS 7.4.1 Administration Guide: IPS Configuration
Refer to the exhibit.
Review the Intrusion Prevention System (IPS) profile signature settings.
Which statement is correct about adding the FTP.Login.Failed signature to the IPS sensor profile?
- A . Traffic matching the signature will be silently dropped and logged.
- B . The signature setting uses a custom rating threshold.
- C . The signature setting includes a group of other signatures.
- D . Traffic matching the signature will be allowed and logged.
A
Explanation:
"Pass" is only the signature's default action.
The Pass action on the specific signature would be chosen only if the Action (at the top) were set to Default. Instead, it is set to Block, so the action will be to block and drop.
Select Allow to allow traffic to continue to its destination. Select Monitor to allow traffic to continue to its destination and log the activity. Select Block to silently drop traffic matching any of the signatures included in the entry. Select Reset to generate a TCP RST packet whenever the signature is triggered. Select Default to use the default action of the signatures.
If you enable Packet logging, FortiGate saves a copy of the packet that matches the signature.
Which two configuration settings are global settings? (Choose two.)
- A . User & Device settings
- B . Firewall policies
- C . HA settings
- D . FortiGuard settings
C,D
Explanation:
The two configuration settings that are global settings are:
C. HA settings – High Availability settings are typically configured globally to manage failover and redundancy.
D. FortiGuard settings – FortiGuard settings for security services and updates are also configured globally to ensure consistent protection across the network.
HA configuration overview. The purpose of an HA configuration is to reduce downtime when a zone or instance becomes unavailable. This might happen during a zonal outage, or when an instance runs out of memory. With HA, your data continues to be available to client applications.
FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system’s built-in FDS as an FDN override server.
Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled?
- A . Volume based
- B . Source-destination IP based
- C . Source IP based
- D . Weight based
A
Explanation:
The volume-based load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled.
What is a load balancing method?
A load balancing method is an algorithm used to distribute incoming requests or traffic among the servers in a server pool.
Note that the volume-based load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled.