Practice Free FCP_FGT_AD-7.6 Exam Online Questions
Refer to the exhibit.
Based on the ZTNA tag, the security posture of the remote endpoint has changed.
What will happen to endpoint active ZTNA sessions?
- A . They will be re-evaluated to match the endpoint policy.
- B . They will be re-evaluated to match the firewall policy.
- C . They will be re-evaluated to match the ZTNA policy.
- D . They will be re-evaluated to match the security policy.
C
Explanation:
C. They will be re-evaluated to match the ZTNA policy.
Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no longer compliant with the ZTNA policy.
Examine the output from a debug flow:
Why did the FortiGate drop the packet?
- A . The next-hop IP address is unreachable.
- B . It failed the RPF check.
- C . It matched an explicitly configured firewall policy with the action DENY.
- D . It matched the default implicit firewall policy.
D
Explanation:
It matched the default implicit firewall policy.
The implicit deny rule is policy ID 0. In the debug flow output, a packet that matches no explicit firewall policy is reported as "Denied by forward policy check (policy 0)", so the traffic is dropped by the implicit rule rather than by a policy the administrator configured (option C) or by a routing problem (options A and B).
When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.
Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)
- A . Allow & Warning
- B . Trust & Allow
- C . Allow
- D . Block & Warning
- E . Block
A, D, E
Explanation:
When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there are three valid actions it can take:
Allow & Warning: This action allows the session but generates a warning.
Block & Warning: This action blocks the session and generates a warning.
Block: This action blocks the session without generating a warning.
Actions such as "Trust & Allow" or just "Allow" without additional configurations are not applicable in the context of handling invalid certificates.
Reference: FortiOS 7.4.1 Administration Guide: Configuring SSL/SSH inspection profile
A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not.
Which configuration option is the most effective way to support this request?
- A . Implement web filter quotas for the specified website
- B . Implement a DNS filter for the specified website.
- C . Implement a web filter category override for the specified website
- D . Implement web filter authentication for the specified website.
D
Explanation:
Implement web filter authentication for the specified website.
Only the members who need the website are placed in a user group, and access to the website is granted only after they authenticate with their credentials; everyone else keeps being blocked.
– DNS filter or web filter category override: applies to everyone the policy matches, so nobody can reach the site (or everyone can).
– Web filter quotas: everybody can reach the site, only for a limited amount of time.
Both C and D need a custom category plus a rating override that assigns the website to that category. Option C additionally needs a second web filter profile, one that allows the category the website's domain has been placed in, and a separate policy for the group that uses it. Since the question asks for the most effective way to support the request, the answer is D.
Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)
- A . FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
- B . FortiGate allocates port blocks on a first-come, first-served basis.
- C . FortiGate generates a system event log for every port block allocation made per user.
- D . FortiGate allocates 128 port blocks per user.
B,C
Explanation:
B: FortiGate allocates port blocks on a first-come, first-served basis
C: For logging purposes, when FortiGate allocates a port block to a host, it generates a system event log to inform the administrator
Not A: The block size and the number of blocks per host are set on the IP pool for the range of external addresses, not derived from the range of internal IP addresses.
Not D: The IP pool hands out 8 blocks of 128 ports per host, not 128 blocks per host.
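The two behaviours the answer relies on, first-come first-served block allocation and a per-host cap, are easy to see in a small simulation. The following is an added example written for this page, not FortiOS code: the block size of 128 and the 8 blocks per host come from the question, while the external port range 1024-65535 and the event strings are assumptions standing in for the system event log FortiGate writes per allocation.

```python
from dataclasses import dataclass

# Added example: simulation of FortiGate port block allocation (PBA) semantics.
# Block size 128 and 8 blocks per host are from the question; the port range
# 1024-65535 and the event strings are assumptions, not FortiOS's log format.


@dataclass(frozen=True)
class PortBlock:
    external_ip: str
    first_port: int
    last_port: int


class PortBlockAllocator:
    """First-come, first-served allocation of fixed-size port blocks."""

    def __init__(self, external_ips, block_size=128, blocks_per_host=8,
                 port_range=(1024, 65535)):
        self.block_size = block_size
        self.blocks_per_host = blocks_per_host
        self.free = []        # blocks not yet handed out, in allocation order
        self.by_host = {}     # internal host -> list of blocks it holds
        self.events = []      # one entry per allocation or refusal
        lo, hi = port_range
        for ip in external_ips:
            port = lo
            while port + block_size - 1 <= hi:
                self.free.append(PortBlock(ip, port, port + block_size - 1))
                port += block_size
        self.total_blocks = len(self.free)

    def max_hosts(self):
        """How many hosts can each receive their full quota of blocks."""
        return self.total_blocks // self.blocks_per_host

    def allocate(self, host):
        """Hand the next free block to `host`; return None if refused."""
        owned = self.by_host.setdefault(host, [])
        if len(owned) >= self.blocks_per_host:
            self.events.append(f"pba-refused host={host} reason=per-host-limit")
            return None
        if not self.free:
            self.events.append(f"pba-refused host={host} reason=pool-exhausted")
            return None
        block = self.free.pop(0)          # whoever asks first gets the lowest block
        owned.append(block)
        # The page says FortiGate logs a system event per allocation;
        # this string is a stand-in for that log entry.
        self.events.append(
            f"pba-allocated host={host} ip={block.external_ip} "
            f"ports={block.first_port}-{block.last_port}")
        return block

    def release(self, host):
        """Return all of a host's blocks to the pool (e.g. after the PBA timeout)."""
        for block in self.by_host.pop(host, []):
            self.free.append(block)


if __name__ == "__main__":
    pba = PortBlockAllocator(["203.0.113.10"])
    print("blocks per external IP:", pba.total_blocks,
          "hosts served at full quota:", pba.max_hosts())
    for _ in range(9):               # the ninth request exceeds the per-host cap
        pba.allocate("10.0.1.10")
    print("\n".join(pba.events))
```

With a single external address the pool holds 504 blocks, enough for 63 hosts at 8 blocks each; a ninth request from the same host is refused and logged, which is the capacity planning figure to check before sizing a subscriber pool.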
Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
- A . Antivirus engine
- B . Intrusion prevention system engine
- C . Flow engine
- D . Detection engine
B
Explanation:
B. Intrusion prevention system engine.
The Intrusion Prevention System (IPS) engine on FortiGate handles application control traffic, along with other functions such as detecting and preventing network attacks based on predefined signatures and behavioral analysis.
Application control can be configured in proxy-based and flow-based firewall policies. However, because application control uses the IPS engine, which uses flow-based inspection, inspection is always flow-based.
It uses an IPS engine to analyze network traffic and detect application traffic, even if the application is using standard or non-standard protocols and ports.
A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors.
What is the reason for the certificate warning errors?
- A . The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.
- B . The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
- C . The browser does not recognize the certificate in use as signed by a trusted CA.
- D . With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.
C
Explanation:
The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate’s re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser’s trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.
Reference: FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration
What does the command diagnose debug fsso-polling refresh-user do?
- A . It refreshes all users learned through agentless polling.
- B . It displays status information and some statistics related to the polls done by FortiGate on each DC.
- C . It refreshes user group information from any servers connected to FortiGate using a collector agent.
- D . It enables agentless polling mode real-time debug.
A
Explanation:
It refreshes all users learned through agentless polling.
The command diagnose debug fsso-polling refresh-user is used on FortiGate to refresh all users learned through agentless polling. In agentless (FSSO polling) mode, FortiGate itself polls the Windows domain controllers' security event logs for logon events, without a collector agent; this command forces it to rebuild the list of users learned that way, so that identity-based policies work from up-to-date information. Option B describes diagnose debug fsso-polling summary, and option D describes the real-time debug of the polling daemon, neither of which is this command.
Which two statements are true about the RPF check? (Choose two.)
- A . The RPF check is run on the first sent packet of any new session.
- B . The RPF check is run on the first reply packet of any new session.
- C . The RPF check is run on the first sent and reply packet of any new session.
- D . RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.
A,D
Explanation:
RPF protects against IP spoofing attacks: the source IP address of a packet is checked against the routing table for a return path through the interface the packet arrived on. The RPF check is only carried out on the first packet of a session, not on the reply.
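Both this question and the debug flow question earlier on the page come down to reading the verdict line of a trace. The following is an added example written for this page, not FortiOS code: it groups debug flow lines by trace_id, classifies each trace as implicit deny (policy 0), explicit deny, RPF drop or allowed, and models the RPF check against a small routing table. The sample output is constructed (the page's exhibit is not reproduced); the message strings mirror the wording FortiOS uses but should be treated as assumptions, as should the loose/strict RPF semantics implemented in rpf_check.

```python
import ipaddress
import re
from collections import OrderedDict

# Added example: constructed "diagnose debug flow" output, not the page's exhibit.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.1.10:51234->203.0.113.10:443) from port2. flag [S], seq 1234567890, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.0.2.1 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=762 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=17, 10.0.1.20:40000->198.51.100.5:53) from port1."
id=20085 trace_id=2 func=ip_route_input_slow line=2274 msg="reverse path check fail, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.1.11:52000->203.0.113.20:80) from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=3 func=fw_forward_handler line=762 msg="Denied by forward policy check (policy 12)"
id=20085 trace_id=4 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.1.12:53000->203.0.113.30:80) from port2. flag [S], seq 2, ack 0, win 64240"
id=20085 trace_id=4 func=fw_forward_handler line=785 msg="Allowed by Policy-3:"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')


def classify_trace(messages):
    """Return a verdict string for one trace from its ordered msg fields."""
    for msg in messages:
        m = re.search(r"Denied by forward policy check \(policy (\d+)\)", msg)
        if m:
            policy_id = int(m.group(1))
            if policy_id == 0:                       # implicit deny is policy 0
                return "denied: implicit deny (policy 0)"
            return f"denied: explicit policy {policy_id}"
        if "iprope_in_check() check failed on policy 0" in msg:
            return "denied: implicit deny (policy 0)"  # local-in variant of the same verdict
        if "reverse path check fail" in msg:
            return "dropped: RPF check failed"
        m = re.search(r"Allowed by Policy-(\d+)", msg)
        if m:
            return f"allowed: policy {m.group(1)}"
    return "no verdict in trace"


def parse_debug_flow(text):
    """Map trace_id -> verdict for every trace in a debug flow capture."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        trace_id, _func, msg = m.groups()
        traces.setdefault(trace_id, []).append(msg)
    return {tid: classify_trace(msgs) for tid, msgs in traces.items()}


def rpf_check(routes, src_ip, ingress, strict=False):
    """Model of the check run on the first packet of a session (assumed semantics).

    routes: list of (prefix, interface). Loose mode passes if any route covering
    the source points out the ingress interface; strict mode requires the
    longest-prefix (best) route to do so.
    """
    src = ipaddress.ip_address(src_ip)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if src in ipaddress.ip_network(p)]
    if not matches:
        return False
    if strict:
        best = max(matches, key=lambda m: m[0].prefixlen)
        return best[1] == ingress
    return any(i == ingress for _, i in matches)


if __name__ == "__main__":
    for tid, verdict in parse_debug_flow(SAMPLE_DEBUG_FLOW).items():
        print(f"trace {tid}: {verdict}")
    routes = [("0.0.0.0/0", "port1"), ("10.0.1.0/24", "port2")]
    # 10.0.1.20 arriving on the WAN side fails strict RPF, as trace 2 shows.
    print("strict:", rpf_check(routes, "10.0.1.20", "port1", strict=True))
    print("loose: ", rpf_check(routes, "10.0.1.20", "port1"))
```

Trace 1 is the case in the debug flow question (dropped by policy 0, even though a route was found, so it is neither an unreachable next hop nor an RPF failure), trace 3 shows what an explicit DENY policy looks like by comparison, and trace 2 is the RPF drop; with the routing table above, an internal source address arriving on port1 fails only under strict RPF, which is why the mode matters when reading that message.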
How do you format the FortiGate flash disk?
- A . Load the hardware test (HQIP) image.
- B . Select the format boot device option from the BIOS menu.
- C . Load a debug FortiOS image.
- D . Execute the CLI command execute formatlogdisk.
B
Explanation:
Select the format boot device option from the BIOS menu.
Selecting the format boot device option from the BIOS menu allows you to format the FortiGate flash disk. This option is typically used when you need to reformat the flash disk to resolve issues or prepare it for a fresh installation of the operating system. However, it’s important to note that formatting the flash disk will erase all data on it, so it should be done carefully.
Reference:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD46582
https://kb.fortinet.com/kb/viewContent.do?externalId=10338