Practice Free FCP_FGT_AD-7.6 Exam Online Questions
An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled. However, the static route is not showing in the routing table.
Which two statements about this scenario are correct? (Choose two.)
- A. The administrator must enable a dynamic routing protocol on the dialup interface.
- B. The administrator must use a policy route instead of a static route for add-route to work properly.
- C. The administrator must ensure phase 2 is successfully established.
- D. The administrator must define the remote network correctly in the phase 2 selectors.
CD
Explanation:
The administrator must ensure phase 2 is successfully established → The static route for the dialup VPN is only added after Phase 2 negotiation completes successfully.
The administrator must define the remote network correctly in the phase 2 selectors → The add-route feature installs a route based on the Phase 2 selectors; if they are incorrect, no route will appear in the routing table.
Refer to the exhibit.

Why is the Antivirus scan switch grayed out when you are creating a new antivirus profile for FTP?
- A. None of the inspected protocols are active in this profile.
- B. FortiGate, with less than 2 GB RAM, does not support the Antivirus scan feature.
- C. Antivirus scan is disabled under System -> Feature visibility.
- D. The Feature Set for the profile is Flow-based but it must be Proxy-based.
A
Explanation:
The Antivirus scan switch is grayed out because none of the inspected protocols (HTTP, SMTP, POP3, IMAP, FTP, CIFS) have been enabled in the new antivirus profile. Until at least one protocol is turned on, FortiGate does not allow activation of the antivirus scan.
An administrator wants to analyze and manage digital certificates to prevent browser warnings when users connect to the SSL VPN portal.
Which two statements describe how to correctly do this? (Choose two.)
- A. The administrator can rely on the default FortiGate self-signed certificate to prevent all security warnings in the browser.
- B. The administrator must disable HTTPS administrative access entirely to avoid certificate warnings.
- C. The administrator can use a publicly trusted certificate from a known certificate authority (CA) to stop browser warnings.
- D. The administrator can import the FortiGate self-signed certificate into each user’s browser as a trusted certificate.
CD
Explanation:
Using a publicly trusted certificate from a known CA prevents browser warnings without additional user action.
Importing the FortiGate self-signed certificate into users’ browsers as trusted eliminates warnings caused by untrusted certificates.
An administrator wants to form an HA cluster using the FGCP protocol.
Which two requirements must the administrator ensure both members fulfill? (Choose two.)
- A. They must have the same HA group ID.
- B. They must have the heartbeat interfaces in the same subnet.
- C. They must have the same number of configured VDOMs.
- D. They must have the same hard drive configuration.
AD
Explanation:
They must have the same HA group ID → Both FortiGate units must use the same HA group ID to join the same FGCP cluster.
They must have the same number of configured VDOMs → VDOM configurations must match across cluster members to ensure configuration and state synchronization.
Refer to the exhibit.

The administrator configured SD-WAN rules and set the FortiGate traffic log page to display SD-WAN-specific columns: SD-WAN Quality and SD-WAN Rule Name.
FortiGate allows the traffic according to policy ID 1 placed at the top. This is the policy that allows SD-WAN traffic. Despite these settings, the traffic logs do not show the name of the SD-WAN rule used to steer those traffic flows.
What could be the reason?
- A. SD-WAN rule names do not appear immediately. The administrator must refresh the page.
- B. There is no application control profile applied to the firewall policy.
- C. FortiGate load balanced the traffic according to the implicit SD-WAN rule.
- D. Destinations in the SD-WAN rules are configured for each application, but feature visibility is not enabled.
C
Explanation:
The SD-WAN traffic log does not display an SD-WAN rule name because the traffic is being forwarded by the implicit SD-WAN rule. If no explicit SD-WAN rule matches the traffic, FortiGate falls back to the default implicit rule, which balances traffic based on the configured strategy (such as volume or sessions). Since no explicit rule applied, the rule name field remains blank in the logs.
An administrator notices that some users are unable to establish SSL VPN connections, while others can connect without any issues.
What should the administrator check first?
- A. Ensure that the affected users are using the correct port number.
- B. Ensure that user traffic is hitting the firewall policy.
- C. Ensure that forced tunneling is enabled to reroute all traffic through the SSL VPN.
- D. Ensure that the HTTPS service is enabled on the SSL VPN tunnel interface.
A
Explanation:
If user traffic is not matching the appropriate firewall policy that permits SSL VPN, users will be unable to establish connections, making this the first aspect to verify.
Refer to the exhibit, which shows a firewall policy to enable active authentication.

When attempting to access an external website using an active authentication method, the user is not presented with a login prompt.
What is the most likely reason for this situation?
- A. The Service DNS is required in the firewall policy.
- B. The Remote-users group must be set up correctly in the FSSO configuration.
- C. No matching user account exists for this user.
- D. The Remote-users group is not added to the Destination.
A
Explanation:
For active authentication (such as captive portal) to trigger, the FortiGate must intercept the user’s initial web request. This requires DNS traffic to pass through the FortiGate so it can redirect the request to the login page. If the firewall policy does not include the DNS service, the user’s browser resolves domains directly, and the authentication portal is never triggered.
