Practice Free FCP_FGT_AD-7.6 Exam Online Questions
Which two statements are correct about SLA targets? (Choose two.)
- A . You can configure only two SLA targets per one Performance SLA.
- B . SLA targets are optional.
- C . SLA targets are required for SD-WAN rules with a Best Quality strategy.
- D . SLA targets are used only when referenced by an SD-WAN rule.
B,D
Explanation:
B. SLA targets are optional.
D. SLA targets are used only when referenced by an SD-WAN rule.
Incorrect:
An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.
How must the administrator configure the local quick mode selector for site B?
- A . 192.16.3.0/24
- B . 192.16.2.0/24
- C . 192.16.1.0/24
- D . 192.16.0.0/8
B
Explanation:
The local quick mode selector for site B should be configured to match the remote quick mode selector of site
In which two ways can RPF checking be disabled? (Choose two.)
- A . Enable anti-replay in firewall policy.
- B . Enable asymmetric routing.
- C . Disable strict-src-check under system settings.
- D . Disable the RPF check at the FortiGate interface level for the source check.
B,D
Explanation:
B. Enabling asymmetric routing means that the network allows different paths for incoming and outgoing traffic, and this can lead to situations where RPF checks may fail.
D. Disabling the RPF check at the FortiGate interface level means that the FortiGate device won’t perform RPF checks for the specified interface, allowing traffic with source addresses that do not conform to RPF checks.
Option A is incorrect because enabling anti-replay in a firewall policy is not a method for disabling RPF checking. Anti-replay is a feature that helps prevent the insertion of malicious or duplicate packets into the network.
Option C is incorrect because disabling strict-src-check under system settings is not a valid option for disabling RPF checking. Strict source checking is typically related to RPF checks, but disabling it might not disable RPF checks entirely.
Reference:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD51279
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-Reverse-Path-Forwarding-RPF-per/ta-p/193338
Which two statements are true about the Security Fabric rating? (Choose two.)
- A . The Security Fabric rating is a free service that comes bundled with all FortiGate devices.
- B . Many of the security issues can be fixed immediately by clicking Apply where available.
- C . The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
- D . It provides executive summaries of the four largest areas of security focus.
B,C
Explanation:
B. Many of the security issues can be fixed immediately by clicking Apply where available: This statement is true. The Security Fabric rating often identifies security issues that can be resolved immediately by clicking "Apply" where available, making it a valuable tool for quickly addressing security concerns.
C. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric: This statement is also true. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric to provide an overall security rating and analysis of the Security Fabric.
On checks that support Easy Apply, you can run the remediation on all the associated VDOMs.
To view the complete network, you must access the topology views on the root FortiGate in the Security Fabric.
Incorrect:
What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?
- A . Both can be enabled at the same time.
- B . Both support volume algorithms.
- C . Both control ECMP algorithms.
- D . Both use the same physical interface load balancing settings.
C
Explanation:
The correct answer is: C. Both control ECMP algorithms.
In the context of SD-WAN (Software-Defined Wide Area Network), ECMP (Equal-Cost Multi-Path) algorithms are used to determine the path packets should take through the network. Both IPv4 and SD-WAN ECMP algorithms control how traffic is load-balanced across multiple paths to a destination. While IPv4 ECMP operates at the network layer (Layer 3) of the OSI model, SD-WAN ECMP operates at a higher level, typically involving application-aware routing and more advanced traffic steering capabilities.
Which security fabric feature causes an event trigger to monitor the network when a threat is detected?
- A . Security rating
- B . Optimization
- C . Automation stitches
- D . Fabric connectors
C
Explanation:
Automation stitches
In the context of the Fortinet Security Fabric, automation stitches are responsible for orchestrating responses to security events. When a threat is detected, automation stitches can trigger events to monitor the network, coordinate responses, and ensure a synchronized defense across the entire security fabric. Therefore, option C is the correct answer.
Each automation stitch pairs an event trigger with one or more actions. It allows you to monitor your network and take appropriate action when the Security Fabric detects a threat.
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
- A . Change the csf setting on ISFW (downstream) to set configuration-sync local.
- B . Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
- C . Change the csf setting on both devices to set downstream-access enable.
- D . Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
C
Explanation:
C is correct because D is already set to default (Global CMDB objects will be synchronized in Security Fabric.)
The root device has downstream access disabled, so it needs to be enabled to sync the object.
downstream-access – Enable/disable downstream device access to this device’s configuration and data.
disable – Disable downstream device access to this device’s configuration and data.
The CLI command "set fabric-object-unification" is only available on the root FortiGate.
Refer to the exhibit.
Examine the intrusion prevention system (IPS) diagnostic command shown in the exhibit.
If option 5 is used with the IPS diagnostic command and the outcome is a decrease in the CPU usage, what is the correct conclusion?
- A . The IPS engine is blocking all traffic.
- B . The IPS engine is inspecting a high volume of traffic.
- C . The IPS engine is unable to prevent an intrusion attack.
- D . The IPS engine will continue to run in a normal state.
A
Explanation:
Option 5 in the IPS diagnostic command toggles the bypass status. If this option is used and results in a decrease in CPU usage, it means the IPS engine is no longer processing traffic, effectively blocking or bypassing the traffic. In this case, IPS is not inspecting the traffic anymore, leading to a decrease in CPU usage, which indicates that the traffic might be blocked instead of inspected.
An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?
- A . VLAN interface
- B . Software Switch interface
- C . Aggregate interface
- D . Redundant interface
C
Explanation:
Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only noticeable effect being a reduced bandwidth.
To increase network bandwidth and provide redundancy, an administrator can use an Aggregate Interface (also known as Link Aggregation or Port Channel). This interface type allows multiple physical interfaces to be combined into a single logical interface, providing increased bandwidth and fault tolerance. This logical interface appears as a single interface to the rest of the network, and it distributes traffic across the member interfaces.
Which three statements are true regarding session-based authentication? (Choose three.)
- A . HTTP sessions are treated as a single user.
- B . IP sessions from the same source IP address are treated as a single user.
- C . It can differentiate among multiple clients behind the same source IP address.
- D . It requires more resources.
- E . It is not recommended if multiple users are behind the source NAT.
A,C,D
Explanation:
These three statements are indeed true regarding session-based authentication: