Practice Free FCP_FGT_AD-7.6 Exam Online Questions
You have created a web filter profile named restrict media-profile with a daily category usage quota.
When you are adding the profile to the firewall policy, the restrict media-profile is not listed in the available web filter profile drop-down list.
What could be the reason?
- A . The firewall policy is in no-inspection mode instead of deep-inspection.
- B . The inspection mode in the firewall policy is not matching with web filter profile feature set.
- C . The web filter profile is already referenced in another firewall policy.
- D . The naming convention used in the web filter profile is restricting it in the firewall policy.
B
Explanation:
Web filter profiles with category usage quotas require the firewall policy to be in proxy-based (deep) inspection mode; if the inspection mode does not match this requirement, the profile will not appear in the drop-down list.
Refer to the exhibits.

Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit.
What would be the expected outcome in the HA cluster?
- A . HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.
- B . HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.
- C . HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.
- D . The HA cluster will become out of sync because the override setting must match on all HA members.
B
Explanation:
With override enabled on HQ-NGFW-2 and its higher priority (110 vs. 90), HQ-NGFW-2 will become the primary device, preempting HQ-NGFW-1 despite the current primary status.
Refer to the exhibit, which contains a RADIUS server configuration.

An administrator added a configuration for a new RADIUS server. While configuring, the administrator enabled Include in every user group.
What is the impact of enabling Include in every user group in a RADIUS configuration?
- A . This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
- B . This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
- C . This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
- D . This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
A
Explanation:
Enabling Include in every user group in the RADIUS configuration means the RADIUS server is automatically added to all FortiGate user groups. As a result, any user who can authenticate successfully against that RADIUS server becomes a member of every FortiGate user group, without needing to be manually assigned. This can inadvertently grant excessive access if not carefully controlled.
An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic.
Which DPD mode on FortiGate meets this requirement?
- A . Enabled
- B . On Idle
- C . Disabled
- D . On Demand
D
Explanation:
The "On Idle" DPD mode configures FortiGate to send DPD probes only when no inbound traffic is detected, meeting the requirement to send probes only when the tunnel is idle.
Which three statements explain a flow-based antivirus profile? (Choose three.)
- A . FortiGate buffers the whole file but transmits to the client at the same time.
- B . Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
- C . If a virus is detected, the last packet is delivered to the client.
- D . Flow-based inspection optimizes performance compared to proxy-based inspection.
- E . The IPS engine handles the process as a standalone.
ABD
Explanation:
Flow-based antivirus buffers the entire file while simultaneously transmitting data to the client to minimize latency.
Flow-based inspection combines multiple scanning techniques from proxy-based modes for efficient detection.
Flow-based inspection provides better performance by processing traffic on the fly without full proxy overhead.
You are analyzing connectivity problems caused by intermediate devices blocking traffic in an SSL VPN environment.
In which two ways can you effectively resolve the problem? (Choose two.)
- A . You can turn off IKE fragmentation to fix large certificate negotiation problems.
- B . You should use IPsec to solve issues with fragment drops and large certificate exchanges.
- C . You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
- D . You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
AC
Explanation:
Disabling IKE fragmentation helps resolve issues caused by intermediate devices blocking large fragmented packets during certificate negotiation.
Using SSL VPN tunnel mode encapsulates traffic over HTTPS, bypassing blocks on ESP and UDP ports commonly used by IPsec.
Refer to the exhibit, which shows a partial configuration from the remote authentication server.

Why does the FortiGate administrator need this configuration?
- A . To set up a RADIUS server Secret.
- B . To authenticate Any FortiGate user groups.
- C . To authenticate and match the Training OU on the RADIUS server.
- D . To authenticate only the Training user group.
D
Explanation:
The Fortinet-Group-Name attribute is used to restrict authentication to users who belong specifically to the "Training" user group on the RADIUS server.
A FortiGate firewall policy is configured with active authentication; however, the user cannot authenticate when accessing a website.
Which protocol must FortiGate allow even though the user cannot authenticate?
- A . LDAP
- B . TACACS+
- C . Kerberos
- D . DNS
D
Explanation:
DNS traffic must be allowed so the user can resolve domain names and reach the authentication server or web resources, even if authentication initially fails.
Refer to the exhibits.


The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
- A . Apple FaceTime will be allowed, based on the Video/Audio category configuration.
- B . Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
- C . Apple FaceTime will be allowed, based on the Apple filter configuration.
- D . Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
C
Explanation:
Apple FaceTime normally falls under Video/Audio and could be blocked by the Excessive-Bandwidth filter.
However, in this configuration, an override is applied under the Apple vendor filter with Monitor action.
Overrides take precedence over general filter actions. Therefore, FaceTime will not be blocked; instead, it will be monitored, and since only a few calls are made (not excessive bandwidth usage), it will be allowed based on the Apple filter configuration.
Refer to the exhibits.



The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which additional configuration can the administrator add to a deny firewall policy, beyond the default behavior, to block Remote-User2 from accessing the Webserver?
- A . Disable match-vip in the Allow_access policy
- B . Configure a One-to-One IP Pool object in a new policy.
- C . Set the Destination address as Webserver in the Deny policy.
- D . Set the Destination address as Deny_IP in the Allow_access policy.
C
Explanation:
To block Remote-User2’s access to the Webserver, the deny policy must explicitly specify the Webserver as the destination address; otherwise, it denies traffic to all destinations, which is not the desired behavior.
