Practice Free FCP_FGT_AD-7.6 Exam Online Questions
A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal.
Which SSL timer can you use to mitigate a denial of service (DoS) attack?
- A . SSL VPN http-request-header-timeout
- B . SSL VPN dtls-hello-timeout
- C . SSL VPN login-timeout
- D . SSL VPN idle-timeout
A
Explanation:
The SSL VPN http-request-header-timeout defines how long FortiGate waits to receive the full HTTP request header from a client. Reducing this timer helps mitigate slow HTTP DoS attacks (such as Slowloris) on the SSL VPN portal by preventing malicious clients from holding connections open for too long without completing requests.
Refer to the exhibit.

The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?
- A . Move NOC_Access to the top of the list to ensure all profile settings take effect.
- B . Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
- C . Ensure that all NOC_Access users are assigned the super admin role to guarantee access.
- D . Increase the admintimeout value under config system accprofile NOC_Access.
D
Explanation:
The admintimeout setting in the admin access profile controls the inactivity timeout for GUI sessions.
Increasing this value will extend the session duration before automatic disconnection.
Refer to the exhibit.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?
- A . Create an Aggregate interface that includes port1 and port2 to create a single firewall policy.
- B . Select port1 and port2 subnets in a single firewall policy.
- C . Replace port1 and port2 with the any interface in a single firewall policy.
- D . Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.
D
Explanation:
Enabling Multiple Interface Policies allows you to select multiple interfaces (like port1 and port2) in a single firewall policy, consolidating access rules for both Sales and Engineering to the web server.
Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)
- A . If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
- B . If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP.
- C . If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
- D . If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.
CD
Explanation:
When SD-WAN is disabled, FortiGate supports volume-based ECMP mode via the v4-ecmp-mode parameter.
When SD-WAN is enabled, the load balancing algorithm is controlled by the load-balance-mode parameter within the SD-WAN configuration.
Which three statements about SD-WAN performance SLAs are true? (Choose three.)
- A . They rely on session loss and jitter.
- B . They can be measured actively or passively.
- C . They are applied in an SD-WAN rule lowest cost strategy.
- D . They monitor the state of the FortiGate device.
- E . All the SLA targets can be configured.
BCE
Explanation:
SD-WAN SLAs monitor metrics like packet loss and jitter to evaluate link performance.
SLA measurements can be performed using active probing or passive monitoring.
Administrators can configure all SLA target parameters to define performance criteria.
An administrator needs to analyze and resolve port conflicts between SSL VPN and HTTPS administrative access on the same interface.
In which two ways can this be done? (Choose two.)
- A . Disable SSL VPN if HTTPS administrative access is using port 443 on any interface.
- B . Keep port 443 for both SSL VPN and HTTPS administrative access on the same interface without any problems.
- C . Run SSL VPN on one interface using port 443 and enable HTTPS administrative access on a different interface, also using port 443.
- D . Change the port number for either the SSL VPN service or the HTTPS administrative service if both are on the same interface.
CD
Explanation:
You can keep port 443 for SSL VPN on one interface and also use port 443 for HTTPS admin access on a different interface. Since the services are bound to different interfaces, no conflict occurs.
If both SSL VPN and HTTPS admin access are required on the same interface, you must change the port number for one of the services to avoid a port conflict.
An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)
- A . Denied users are blocked for 30 minutes.
- B . A session for denied traffic is created.
- C . Session helpers are disabled for denied traffic.
- D . The number of logs generated by denied traffic is reduced.
BD
Explanation:
set ses-denied-traffic enable → ensures FortiGate creates a session entry even for denied traffic.
set block-session-timer 30 → sets the duration (30 seconds) that denied sessions remain in the session table. This prevents repeated logging for every packet in the same denied flow, thereby reducing the number of logs generated.
FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.
Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)
- A . Both interfaces must have the interface role assigned.
- B . Both interfaces must have directly connected routes on the routing table.
- C . Both interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.
- D . Both interfaces must have IP addresses assigned.
BD
Explanation:
Interfaces must have directly connected routes in the routing table to forward traffic correctly.
Interfaces must have IP addresses assigned to communicate within their respective networks.
Refer to the exhibit showing a debug flow output.

Which two conclusions can you make from the debug flow output? (Choose two.)
- A . The default gateway is configured on port2.
- B . The RPF check fails.
- C . The debug flow is for UDP traffic.
- D . The matching firewall policy denies the traffic.
AD
Explanation:
The default gateway is configured on port2 → The debug output shows find a route: flag=00000000 gw-0.0.0.0 via port2, which indicates that the default route (0.0.0.0/0) points out port2.
The matching firewall policy denies the traffic → The log line Denied by forward policy check (policy 2) confirms that policy 2 matched and explicitly dropped the traffic.
Which two statements about the Security Fabric rating are true? (Choose two.)
- A . A license is required to obtain an executive summary in the Security Rating section.
- B . The root FortiGate provides executive summaries of all the FortiGate devices in the Security Fabric.
- C . The Security Posture category provides PCI compliance results.
- D . Security Rating Insights are available only in the Security Rating page.
AB
Explanation:
A license is required to obtain an executive summary in the Security Rating section → Without the license, only limited Security Fabric rating details are shown.
The root FortiGate aggregates and provides executive summaries for all FortiGate devices in the Security Fabric, giving a consolidated security posture overview.
