Practice Free FCP_FGT_AD-7.6 Exam Online Questions
Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?
- A . FG-traffic VDOM
- B . Root VDOM
- C . Customer VDOM
- D . Global VDOM
B
Explanation:
If split-task VDOM mode is enabled on the upstream FortiGate, downstream FortiGate devices can join the Security Fabric through either its root VDOM or its FG-traffic VDOM. If split-task VDOM mode is enabled on the downstream FortiGate, it can connect to the upstream FortiGate only through an interface in its root VDOM, which is why the root VDOM is the one used to join the fabric.
An administrator wants to block https://www.example.com/videos and allow all other URLs on the website.
What are two configuration changes that the administrator can make to satisfy the requirement? (Choose two.)
- A . Configure web override for the URL and select a blocked FortiGuard subcategory
- B . Enable full SSL inspection
- C . Configure a video filter profile to block the URL
- D . Configure a static URL filter entry for the URL and select Block as the action
B,D
Explanation:
Blocking the single path https://www.example.com/videos while allowing the rest of the site requires two changes:
B. Enable full SSL inspection.
With certificate inspection, FortiGate sees only the server name (the TLS SNI or the certificate CN), so it can tell www.example.com apart from other hosts but cannot see the /videos path inside the encrypted request. Full (deep) SSL inspection decrypts the session, so the complete URL is visible to the web filter.
D. Configure a static URL filter entry for the URL and select Block as the action.
A static URL filter entry for www.example.com/videos with the action Block stops access to that path. Requests for other paths on the same host do not match the entry and fall through to normal FortiGuard category rating, so they remain allowed.
The correct choices are B and D.
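The point behind option B is easiest to see by modelling what the web filter can observe under each inspection mode. The following is an added example, not code from the page or from Fortinet: the filter semantics (a `simple` entry matches the host or host/path it names and anything beneath that path; first matching entry wins) are a simplification, and the request URLs and filter table are constructed for the demonstration.

```python
"""Toy model of FortiGate URL filtering versus SSL inspection depth (added example)."""
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed static URL filter: one entry, as option D describes.
URL_FILTER = [
    {"type": "simple", "url": "www.example.com/videos", "action": "block"},
]

def visible_url(request_url: str, inspection: str) -> str:
    """Return the part of the URL the web filter can see under an SSL inspection mode."""
    p = urlsplit(request_url)
    host = p.netloc.lower()
    if p.scheme == "http" or inspection == "deep":
        # Plaintext HTTP, or HTTPS decrypted by full SSL inspection: host and path.
        return host + (p.path or "/")
    if inspection == "certificate":
        # Certificate inspection only reads the TLS handshake: SNI / certificate CN
        # gives the hostname, but the HTTP request line (the path) stays encrypted.
        return host
    raise ValueError(f"unknown inspection mode: {inspection!r}")

def entry_matches(entry: dict, seen: str) -> bool:
    """Simplified matching for the three FortiGate URL filter entry types."""
    kind, pattern = entry["type"], entry["url"].lower()
    if kind == "simple":
        return seen == pattern or seen.startswith(pattern.rstrip("/") + "/")
    if kind == "wildcard":
        return fnmatchcase(seen, pattern)
    if kind == "regex":
        return re.search(pattern, seen) is not None
    raise ValueError(f"unknown entry type: {kind!r}")

def web_filter_verdict(request_url: str, inspection: str, entries=URL_FILTER) -> str:
    """'block' or 'allow'. 'allow' means no static entry matched and the request
    would fall through to FortiGuard category rating."""
    seen = visible_url(request_url, inspection)
    for entry in entries:
        if entry_matches(entry, seen):
            return entry["action"]
    return "allow"

def demo() -> dict:
    """Verdicts for the page's scenario under both inspection modes."""
    urls = ["https://www.example.com/videos/clip.mp4", "https://www.example.com/about"]
    return {(u, mode): web_filter_verdict(u, mode)
            for u in urls for mode in ("certificate", "deep")}

if __name__ == "__main__":
    for (u, mode), verdict in demo().items():
        print(f"{mode:<12} {verdict:<6} {u}")
```

Under certificate inspection the /videos request is allowed because the filter never sees the path; under deep inspection it is blocked while /about stays allowed. The only way to block /videos without decryption would be a host-only entry for www.example.com, which blocks the whole site and violates the requirement.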
Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)
- A . If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.
- B . If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
- C . If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP
- D . If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
A,D
Explanation:
When SD-WAN is enabled, the ECMP load balancing algorithm is set with the load-balance-mode parameter under config system sdwan. When SD-WAN is disabled, it is set with v4-ecmp-mode under config system settings, which offers source-ip-based, weight-based, usage-based (spillover) and source-dest-ip-based; volume-based balancing is available only through SD-WAN, so B is wrong. ECMP also requires the candidate routes to have the same distance and the same priority, so C is wrong.
Reference: FortiOS 7.4.1 Administration Guide: ECMP Configuration
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement?
- A . Disabled
- B . On Demand
- C . Enabled
- D . On Idle
D
Explanation:
The DPD mode that sends probes only when no traffic is observed in the tunnel is On Idle, so the correct answer is D.
The DPD settings available on FortiGate (set dpd {disable | on-idle | on-demand} under the phase 1 interface) behave as follows:
Disabled: DPD is turned off. No probes are sent.
On Idle: DPD probes are sent only when no traffic has been observed in the tunnel for the configured interval. Probes are generated only while the tunnel is quiet, which keeps them off the wire when the tunnel is busy and is exactly what the requirement asks for.
On Demand: DPD probes are sent when traffic is sent into the tunnel but no reply comes back from the peer. On a completely idle tunnel nothing is being sent, so no probe is triggered, which is why On Demand does not satisfy the requirement.
Enabled: not one of the three settings in the current FortiOS CLI. The original explanation describes it as sending probes periodically regardless of traffic, which in any case does not meet the requirement.
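The difference between On Idle and On Demand is easy to get backwards, so here is an added example (not from the page or from FortiOS) that models when each mode would send a probe. The timestamps, the interval and the decision rules are constructed to follow the CLI descriptions above (on-idle probes a quiet tunnel; on-demand probes when traffic is sent but unanswered), not FortiOS internals.

```python
"""Simplified model of FortiGate DPD trigger conditions (added example)."""
from dataclasses import dataclass

@dataclass
class TunnelState:
    now: float            # current time in seconds
    last_sent: float      # last time we sent ESP traffic into the tunnel
    last_received: float  # last time we received ESP traffic from the peer

def dpd_probe_due(mode: str, s: TunnelState, interval: float) -> bool:
    """Return True if a DPD probe should be sent now under the given mode."""
    quiet_out = s.now - s.last_sent >= interval
    quiet_in = s.now - s.last_received >= interval
    if mode == "disable":
        return False
    if mode == "on-idle":
        # Nothing in either direction for a full interval: the tunnel is idle.
        return quiet_out and quiet_in
    if mode == "on-demand":
        # We have sent traffic more recently than we heard from the peer, and the
        # peer's silence has lasted a full interval: traffic is going out unanswered.
        return s.last_sent > s.last_received and quiet_in
    raise ValueError(f"unknown DPD mode: {mode!r}")

def compare_modes(s: TunnelState, interval: float = 10.0) -> dict:
    """Probe decision for every mode on the same tunnel state."""
    return {m: dpd_probe_due(m, s, interval) for m in ("disable", "on-idle", "on-demand")}

# Constructed scenarios, evaluated with a 10 s interval.
IDLE_TUNNEL      = TunnelState(now=100, last_sent=40, last_received=50)  # nobody talking
UNANSWERED       = TunnelState(now=100, last_sent=99, last_received=50)  # we send, peer silent
ACTIVE_BOTH_WAYS = TunnelState(now=100, last_sent=99, last_received=98)  # healthy tunnel

if __name__ == "__main__":
    for name, state in (("idle", IDLE_TUNNEL), ("unanswered", UNANSWERED), ("active", ACTIVE_BOTH_WAYS)):
        print(f"{name:<10} {compare_modes(state)}")
```

The idle tunnel is the case the administrator cares about: only on-idle probes it, because on-demand needs outbound traffic to exist before it reacts. The unanswered case shows the opposite: on-demand detects a peer that stopped replying while on-idle stays silent because our own traffic keeps the tunnel from counting as idle.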
Refer to the exhibit.
Which route will be selected when trying to reach 10.20.30.254?
- A . 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
- B . 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
- C . 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
- D . 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
A
Explanation:
The correct route to reach 10.20.30.254 would be:
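The exhibit is not reproduced on the page, but the four answer options are written in the format FortiOS uses in the routing table ([distance/metric] ... [priority/weight]), which is enough to work the selection through. The following is an added example, not from the page or from FortiOS: it parses the four candidate lines as constructed from the options, applies longest prefix match with FortiGate's tie-breakers, and also resolves a few other destinations to show when the /26 would win instead.

```python
"""Route selection over the question's candidate routes (added example)."""
import ipaddress
import re
from typing import Optional

# Matches one line of 'get router info routing-table all' style output.
ROUTE_RE = re.compile(
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) \[(?P<distance>\d+)/(?P<metric>\d+)\] "
    r"via (?P<gateway>\S+), (?P<iface>\w+), \[(?P<priority>\d+)/(?P<weight>\d+)\]"
)

# Constructed from answer options A to D.
CANDIDATES = {
    "A": "10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]",
    "B": "10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]",
    "C": "10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]",
    "D": "0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]",
}

def parse_route(label: str, line: str) -> dict:
    """Turn one routing-table line into a dict with a parsed network object."""
    m = ROUTE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparseable route line: {line!r}")
    r = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
    r["network"] = ipaddress.ip_network(r["prefix"])
    r["label"] = label
    return r

ROUTES = [parse_route(k, v) for k, v in CANDIDATES.items()]

def select_route(destination: str, routes=ROUTES) -> Optional[dict]:
    """Longest prefix match wins. Among equal prefixes the lowest administrative
    distance is preferred, then the lowest priority value (lower is better on
    FortiGate), then the lowest metric. Returns None if nothing covers the address."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in r["network"]]
    if not matching:
        return None
    return min(matching, key=lambda r: (-r["network"].prefixlen, r["distance"],
                                        r["priority"], r["metric"]))

def selected_label(destination: str) -> Optional[str]:
    """Answer-option letter of the route chosen for a destination."""
    r = select_route(destination)
    return r["label"] if r else None

if __name__ == "__main__":
    for dst in ("10.20.30.254", "10.20.30.10", "10.30.20.7", "192.0.2.1"):
        r = select_route(dst)
        print(f"{dst:<14} -> {r['label']} {r['prefix']} via {r['gateway']} {r['iface']}")
```

10.20.30.254 falls outside 10.20.30.0/26 (which only covers 10.20.30.0 to 10.20.30.63), so the /24 (option A) is the longest matching prefix. An address such as 10.20.30.10 is covered by both and would go out port2 through the /26 instead.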
Which two statements are true about the FGCP protocol? (Choose two.)
- A . FGCP elects the primary FortiGate device.
- B . FGCP is not used when FortiGate is in transparent mode.
- C . FGCP runs only over the heartbeat links.
- D . FGCP is used to discover FortiGate devices in different HA groups.
A,C
Explanation:
An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers.
Which two items must they configure on their FortiGate to accomplish this? (Choose two.)
- A . A web application firewall profile to check protocol constraints
- B . A DoS policy, and log all UDP and TCP scan attempts
- C . An IPS sensor to monitor all signatures applicable to the server
- D . An application control profile, and set all application signatures to monitor
B,C
Explanation:
B. Configure a DoS policy and log all UDP and TCP scan attempts.
A DoS policy carries the anomaly signatures for port scanning (for example tcp_port_scan and udp_scan). With logging enabled on those anomalies, probing activity against the servers is recorded even when the action is left at monitor rather than block.
C. Configure an IPS sensor to monitor all signatures applicable to the server.
IPS signatures detect exploitation attempts against known vulnerabilities in the services the servers run. Setting the sensor to monitor the applicable signatures logs matching traffic without blocking it, which is what the administrator asked for.
So the correct choices are B and C.
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)
- A . The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
- B . The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
- C . The two VLAN subinterfaces must have different VLAN IDs.
- D . The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
B,C
Explanation:
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883
Each interface (physical or VLAN) can belong to only one VDOM. Within a single VDOM the two subinterfaces must therefore use different VLAN IDs; sharing one VLAN ID on the same physical interface is possible only when the subinterfaces are assigned to different VDOMs, which is what EMAC VLAN interfaces (the first link) are for. The IP subnet of the subinterfaces plays no part in the rule, so A and D are wrong.
VLAN rules:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interface/ta-p/197640
* VLANs can be created on any physical or aggregate (802.3ad) interface
– The same VLAN number cannot be configured twice on the same physical interface (within one VDOM)
– The same VLAN number can be used on different physical interfaces
– The usable VLAN ID range is from 1 to 4094
* VDOM interface assignment
– Two VDOMs cannot share the same interface or VLAN
– A VLAN subinterface can belong to a different VDOM than the physical interface it is attached to
Which of the following SD-WAN load balancing methods use the interface weight value to distribute traffic? (Choose two.)
- A . Source IP
- B . Spillover
- C . Volume
- D . Session
C,D
Explanation:
Sessions and Volume are the two SD-WAN load balancing methods that use the interface weight. Note the naming: the method that ECMP calls spillover appears in SD-WAN as Usage, and it is driven by bandwidth thresholds rather than weights; Source IP hashes the source address across members and ignores weights as well.
C. Volume
D. Session
In Sessions mode (weight-based), FortiGate uses the weight assigned to each interface to calculate the percentage of the total sessions that are allowed to connect through that interface.
In Volume mode (measured-volume-based), FortiGate uses the volume weight assigned to each interface to calculate the percentage of the total bandwidth that is allowed to go through that interface.
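The practical difference between the two weight-driven modes is what the weight is applied to: session counts or bytes. The following is an added example, not from the page or from FortiOS, that simulates both against the same traffic. The interface weights and session sizes are constructed, and the selection rule (send the next session to the member furthest below its weighted share) is a simplification of the real algorithm.

```python
"""Simulation of SD-WAN Sessions versus Volume weighting (added example)."""

# Constructed: port1 should carry three times what port2 carries.
WEIGHTS = {"port1": 3, "port2": 1}

def target_share(weights: dict) -> dict:
    """Share of sessions (Sessions mode) or bytes (Volume mode) each member should get."""
    total = sum(weights.values())
    return {iface: w / total for iface, w in weights.items()}

def pick_member(load: dict, weights: dict) -> str:
    """Member with the lowest load-to-weight ratio; ties go to the first name."""
    return min(weights, key=lambda i: (load[i] / weights[i], i))

def distribute(session_sizes: list, weights: dict, mode: str):
    """Assign sessions in arrival order. 'sessions' balances session counts against
    the weights; 'volume' balances bytes carried. Returns (counts, bytes) per member."""
    counts = {i: 0 for i in weights}
    volume = {i: 0 for i in weights}
    for size in session_sizes:
        if mode == "sessions":
            iface = pick_member(counts, weights)
        elif mode == "volume":
            iface = pick_member(volume, weights)
        else:
            raise ValueError(f"unknown mode: {mode!r}")
        counts[iface] += 1
        volume[iface] += size
    return counts, volume

# Constructed traffic: one large transfer followed by seven small sessions (bytes).
SESSIONS = [100_000] + [1_000] * 7

if __name__ == "__main__":
    print("target share:", target_share(WEIGHTS))
    for mode in ("sessions", "volume"):
        counts, volume = distribute(SESSIONS, WEIGHTS, mode)
        print(f"{mode:>8}: sessions={counts} bytes={volume}")
```

With a 3:1 weight, Sessions mode lands exactly 6 of 8 sessions on port1 but, because the first session was large, port1 ends up carrying almost all the bytes. Volume mode sees that imbalance and steers the following small sessions to port2 until its byte share catches up, so the session split no longer follows the weights.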