Practice Free FCP_FGT_AD-7.6 Exam Online Questions
What is the primary FortiGate election process when the HA override setting is disabled?
- A . Connected monitored ports > System uptime > Priority > FortiGate Serial number
- B . Connected monitored ports > HA uptime > Priority > FortiGate Serial number
- C . Connected monitored ports > Priority > HA uptime > FortiGate Serial number
- D . Connected monitored ports > Priority > System uptime > FortiGate Serial number
B
Explanation:
If override is disabled: connected monitored ports > HA uptime > priority > serial number.
If override is enabled: connected monitored ports > priority > HA uptime > serial number.
With override disabled (the default), the primary is therefore elected in the order given in answer B:
Connected monitored ports: the FortiGate with more monitored ports up is preferred, so a member that loses a monitored link loses the election immediately.
HA uptime: the FortiGate with the longer HA uptime (the one that has been in the cluster longer or was rebooted less recently) is preferred. Uptime is only compared when the difference exceeds the configured margin (ha-uptime-diff-margin, 300 seconds by default); smaller differences are ignored and the election falls through to priority.
Priority: priority is the next tiebreaker. If both members have the same number of connected monitored ports and their uptime difference is within the margin, the one with the higher priority is preferred. Because uptime is checked before priority, a rebooted member with a higher priority does not take the primary role back unless override is enabled.
FortiGate serial number: the higher serial number wins if all other criteria are equal.
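The following FortiOS CLI fragment is an added example, not part of the original page: it shows the HA settings that feed the election on one member of an active-passive cluster, with override disabled and then enabled. The group name, password and interface names are assumptions for illustration.

```fortios
# Added example (not from the original page). Settings that drive the HA election.
# Group name, password and port names are assumptions; apply the same group settings
# on both members, and set priority per member.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "ChangeMeHA"
    set hbdev "port3" 50
    set monitor "port1" "port2"        # link monitoring: fewer monitored ports up = loses first
    set override disable               # election: ports > HA uptime > priority > serial number
    set priority 200                   # only decisive once ports and uptime tie
    set ha-uptime-diff-margin 300      # uptime differences of 5 minutes or less are ignored
end

# With override enabled on both members the order becomes
# ports > priority > HA uptime > serial number, so the higher-priority
# unit reclaims the primary role as soon as it is back and healthy.
config system ha
    set override enable
    set priority 200
end
```

Enabling override trades stability for a deterministic primary: every time the preferred unit recovers, the cluster fails back, so use it only where the extra failover is acceptable. To force a failover on an override-disabled cluster without changing priorities, run `diagnose sys ha reset-uptime` on the current primary; its HA uptime drops to zero and the other member wins on the uptime criterion.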
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
- A . On HQ-FortiGate, enable Diffie-Hellman Group 2.
- B . On HQ-FortiGate, enable Auto-negotiate.
- C . On Remote-FortiGate, set Seconds to 43200.
- D . On HQ-FortiGate, set Encryption to AES256.
D
Explanation:
D. On HQ-FortiGate, set Encryption to AES256.
A phase 2 proposal defines the encryption and authentication algorithms the peer accepts for protecting data over the tunnel. You can configure multiple proposals to give the remote peer more options when the IPsec SAs are negotiated.
As in phase 1, you select a combination of encryption and authentication algorithms, and at least one proposal must match on both peers (same encryption algorithm and same authentication algorithm) for the IPsec SA to be established. In the exhibit the two peers do not share an encryption algorithm, so setting HQ-FortiGate to AES256 aligns it with the Remote-FortiGate proposal and brings phase 2 up. Diffie-Hellman group, auto-negotiate and key lifetime can differ between peers without preventing phase 2 from coming up, which is why A, B and C do not fix the problem.
An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken.
Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?
- A . The administrator can register the same FortiToken on more than one FortiGate.
- B . The administrator must use a FortiAuthenticator device.
- C . The administrator can use a third-party radius OTP server.
- D . The administrator must use the user self-registration server.
B
Explanation:
B. The administrator must use a FortiAuthenticator device.
B is correct because a FortiToken can only be registered on one FortiGate at a time, and a third-party RADIUS OTP server cannot use FortiTokens, so the token must be held by a FortiAuthenticator.
To give VPN users access at multiple sites with the same soft FortiToken, the administrator uses a FortiAuthenticator. FortiAuthenticator provides centralized authentication for Fortinet devices, including VPN authentication, and centrally manages user identities, authentication methods and FortiTokens. The FortiToken is registered once on FortiAuthenticator, and each site's FortiGate delegates authentication to it, so one token serves every gateway.
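As an added example (not configuration from the original page), this FortiOS CLI fragment shows what each site's FortiGate needs so that the token is validated by one FortiAuthenticator instead of being assigned locally. The server address, shared secret and group name are assumptions; the same fragment is repeated on every site's gateway.

```fortios
# Added example (not from the original page). Each FortiGate forwards VPN
# authentication to the same FortiAuthenticator over RADIUS; the FortiToken
# lives on FortiAuthenticator, not on any FortiGate. IP, secret and names are assumed.
config user radius
    edit "FAC-RADIUS"
        set server "10.10.10.5"
        set secret "SharedRadiusSecret"
        set auth-type auto
    next
end

config user group
    edit "VPN-Users"
        set member "FAC-RADIUS"     # remote group: membership is decided by the RADIUS reply
    next
end
# Reference "VPN-Users" in the SSL VPN portal mapping or the IPsec phase 1
# (set peertype dialup, set usrgrp "VPN-Users") on every site's FortiGate.
```

The users and their FortiTokens are created and assigned on FortiAuthenticator; the FortiGate only needs the RADIUS server object and a group that references it, so adding a site is a matter of repeating this fragment rather than moving tokens around.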
When configuring a firewall virtual wire pair policy, which following statement is true?
- A . Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.
- B . Only a single virtual wire pair can be included in each policy.
- C . Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
- D . Exactly two virtual wire pairs need to be included in each policy.
C
Explanation:
Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
We tested creating a policy: any number of virtual wire pairs can be used, and the traffic direction field offers three options: in, out, or both.
Firewall virtual wire pair policies can include more than a single virtual wire pair. This avoids creating several near-identical policies, one per virtual wire pair. When creating or modifying a policy, you select the traffic direction for each virtual wire pair included in the policy, so the direction setting does not limit how many pairs a policy can cover.
Refer to the exhibit.
Which two statements are true about the routing entries in this database table? (Choose two.)
- A . All of the entries in the routing database table are installed in the FortiGate routing table.
- B . The port2 interface is marked as inactive.
- C . Both default routes have different administrative distances.
- D . The default route on port2 is marked as the standby route.
C, D
Explanation:
The routing database in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:
The default route through port2 has an administrative distance of 20.
The default route through port1 has an administrative distance of 10.
Administrative distance determines which route is preferred when several routes exist for the same destination; a lower value wins. Here the route through port1 (distance 10) is the active route. The route through port2 (distance 20) is kept in the routing database as a standby route and is installed in the routing table only if the port1 route is removed, for example when port1 goes down or its gateway becomes unreachable. If both default routes had the same distance, both would be installed and the route priority would decide which is used.
Nothing in the exhibit marks port2 as inactive; an inactive interface's routes would not appear as candidates at all, so B is false. Statement A is also false: the routing database lists every candidate route, including standby routes, whereas only the best route for each destination is installed in the routing table.
Reference: FortiOS 7.4.1 Administration Guide: Default route configuration
FortiOS 7.4.1 Administration Guide: Routing table explanation
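This is an added example, not part of the original page: the static routes that produce an active and a standby default route like the ones described above, together with the commands that show the difference between the routing database and the routing table. Gateway addresses and interface names are assumptions.

```fortios
# Added example (not from the original page). Two default routes with different
# administrative distances; addresses and interface names are assumed.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
        set distance 10              # preferred: lower distance wins
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "port2"
        set distance 20              # standby: only installed if route 1 disappears
    next
end

# Routing database: lists both default routes, active and standby.
get router info routing-table database
# Routing table (FIB): lists only the port1 default route while port1 is up.
get router info routing-table all

# Variant: equal distance makes both routes candidates for installation; the
# route with the lower priority value is then preferred and the other remains
# installed as well (equal-cost style), which is a different failover model.
config router static
    edit 2
        set distance 10
        set priority 5
    next
end
```

When troubleshooting, compare the two outputs: a route that is present in the database but absent from the routing table is a standby route losing on distance, not a configuration error.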
Which NAT method translates the source IP address in a packet to another IP address?
- A . DNAT
- B . SNAT
- C . VIP
- D . IPPOOL
B
Explanation:
The correct answer is: B. SNAT
SNAT (source network address translation) translates the source IP address of a packet to another IP address. It is typically used so that internal hosts with private addresses can reach the Internet from one or a few public addresses; on FortiGate it is enabled per firewall policy, using either the outgoing interface address or an IP pool. DNAT (destination network address translation) translates the destination IP address of a packet, for example to forward inbound connections on a public address to an internal server; on FortiGate it is configured with a VIP. VIP and IP pool are therefore the FortiGate objects that implement DNAT and SNAT respectively, not NAT methods in themselves: a VIP maps an external address to a mapped internal address, and an IP pool supplies the source addresses used for SNAT instead of the interface address.
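The FortiOS CLI fragment below is an added example, not configuration from the original page. It shows SNAT with an IP pool on an outbound policy next to DNAT with a VIP on an inbound policy, so the role of each object is visible. All addresses, names and policy IDs are assumptions.

```fortios
# Added example (not from the original page). Addresses, names and IDs are assumed.

# SNAT: an IP pool supplies the public source address used instead of port1's IP.
config firewall ippool
    edit "SNAT-POOL"
        set type overload            # many internal hosts share one address (PAT)
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# DNAT: a VIP maps a public address to the internal web server.
config firewall vip
    edit "WEB-DNAT"
        set extip 203.0.113.20
        set extintf "port1"
        set mappedip "10.0.1.20"
    next
end

config firewall policy
    # Outbound: source addresses rewritten to the pool address (SNAT).
    edit 10
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT-POOL"
    next
    # Inbound: destination 203.0.113.20 rewritten to 10.0.1.20 (DNAT) by the VIP.
    edit 20
        set name "Inbound-Web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "WEB-DNAT"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Note that `set nat enable` without an IP pool uses the egress interface address; the pool only changes which source address is used. On the inbound policy no `nat` setting is needed for the destination rewrite, because the VIP itself performs DNAT; enabling NAT there would additionally SNAT the client source to port2's address and hide the real client IP from the server logs.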
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
- A . FortiGate automatically negotiates different local and remote addresses with the remote peer.
- B . FortiGate automatically negotiates a new security association after the existing security association expires.
- C . FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
- D . FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
D
Explanation:
When IPsec SAs expire, FortiGate must negotiate new SAs before it can keep sending and receiving traffic over the tunnel. Technically, FortiGate deletes the expired SAs from the phase 2 selector and installs new ones. If renegotiation takes too long, FortiGate may drop interesting traffic because no active SA exists. To prevent this, enable Auto-negotiate: FortiGate then negotiates new SAs before the current SAs expire and starts using the new SAs right away, so renegotiation does not disrupt traffic. Enabling auto-negotiate also enables auto-keepalive, which brings the tunnel up and keeps it up even when there is no traffic, which is what answer D describes. Answer B is a distractor: with auto-negotiate, the new SA is negotiated before the existing SA expires, not after.
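As an added example serving both the phase 2 troubleshooting question earlier on this page and the auto-negotiate question above (it is not configuration from the original page), the fragment below shows a phase 2 proposal mismatch between two FortiGates, the fix on HQ-FortiGate, and auto-negotiate enabled on the same selector. Tunnel names, subnets and the specific algorithms are assumptions, since the exhibit is not reproduced here.

```fortios
# Added example (not from the original page). Names, subnets and algorithms are assumed.

# HQ-FortiGate before the fix: phase 2 offers only AES128.
config vpn ipsec phase2-interface
    edit "HQ-to-Remote-p2"
        set phase1name "HQ-to-Remote"
        set proposal aes128-sha256
        set dhgrp 14
        set keylifeseconds 43200
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Remote-FortiGate: phase 2 offers only AES256, so no proposal matches
# and phase 2 never comes up even though phase 1 is established.
config vpn ipsec phase2-interface
    edit "Remote-to-HQ-p2"
        set phase1name "Remote-to-HQ"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 43200
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end

# Fix on HQ-FortiGate: offer AES256 (several proposals may be listed; the first
# match wins) and enable auto-negotiate so the SA is rekeyed before it expires
# and the tunnel is brought up without waiting for interesting traffic.
config vpn ipsec phase2-interface
    edit "HQ-to-Remote-p2"
        set proposal aes256-sha256 aes128-sha256
        set auto-negotiate enable
    next
end
```

Before changing anything, confirm the mismatch with `diagnose debug application ike -1` while the tunnel retries; a proposal mismatch shows up in the IKE negotiation log rather than in the phase 1 status. Keep DH group and key lifetime in mind as well: differing values there do not stop phase 2 from establishing, so a lifetime change like option C would not fix a proposal mismatch.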
On FortiGate, which type of logs record information about traffic directly to and from the FortiGate management IP addresses?
- A . Forward traffic logs
- B . Local traffic logs
- C . Security logs
- D . System event logs
B
Explanation:
Local traffic logs
Local traffic logs contain information about traffic directly to and from the FortiGate management IP addresses. They also include connections to the GUI and FortiGuard queries.
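The fragment below is an added example, not configuration from the original page. Local traffic logging is off by default on most models, so administrators looking for management-plane connections in the logs often find nothing; these settings turn it on selectively.

```fortios
# Added example (not from the original page). Enable local traffic logging so that
# connections to and from the FortiGate's own addresses (GUI, SSH, FortiGuard,
# DNS, NTP) appear as local traffic logs.
config log setting
    set local-in-allow enable             # accepted inbound management traffic
    set local-in-deny-unicast enable      # dropped unicast to the FortiGate (scans, brute force)
    set local-in-deny-broadcast disable   # broadcast drops are noisy and rarely useful
    set local-out enable                  # FortiGate-initiated traffic (FortiGuard, DNS, NTP)
end
```

Enabling denied unicast local-in logging is the setting with the most detection value, since it records authentication attempts against exposed management ports, but budget for the log volume on a device with a public-facing interface.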
Which statement is a characteristic of automation stitches?
- A . They can be run only on devices in the Security Fabric.
- B . They can be created only on downstream devices in the fabric.
- C . They can have one or more triggers.
- D . They can run multiple actions at the same time.
D
Explanation:
An automation stitch consists of exactly one trigger (the event or condition that starts the stitch) and one or more actions. The actions can be executed sequentially or in parallel, so a stitch can run multiple actions at the same time; that is the characteristic described in D. Statement C is false because a stitch has a single trigger, not several. Stitches are not restricted to Security Fabric members, and in a fabric they are configured on the root FortiGate rather than on downstream devices, so A and B are also false.
Reference: FortiOS 7.4.1 Administration Guide: Automation Stitches
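The following FortiOS CLI fragment is an added example, not configuration from the original page: one trigger, two actions and the stitch that ties them together. Names, the recipient address and the script are assumptions; the `config actions` table shown here runs the actions in order, and the GUI additionally offers parallel execution.

```fortios
# Added example (not from the original page). Names, addresses and the script are assumed.

# Trigger: the single event that starts the stitch.
config system automation-trigger
    edit "HA-Failover"
        set event-type ha-failover
    next
end

# Actions: one or more, defined separately and reusable across stitches.
config system automation-action
    edit "Capture-HA-State"
        set action-type cli-script
        set script "get system ha status"
        set accprofile "super_admin"      # profile the script runs under
    next
    edit "Email-SOC"
        set action-type email
        set email-to "soc@example.com"
        set email-subject "FortiGate HA failover"
    next
end

# Stitch: exactly one trigger, an ordered list of actions.
config system automation-stitch
    edit "HA-Failover-Notify"
        set trigger "HA-Failover"
        config actions
            edit 1
                set action "Capture-HA-State"
                set required enable       # the chain stops here if this action fails
            next
            edit 2
                set action "Email-SOC"
                set delay 5               # seconds to wait after the previous action
            next
        end
    next
end
```

Actions that need privileges (CLI scripts, webhooks to an external system) are the ones to review in a security assessment: a stitch triggered by a low-value event can run a script under an admin profile, so restrict who can edit automation objects and keep the access profile on script actions as narrow as the script allows.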
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)
- A . The keyUsage extension must be set to keyCertSign.
- B . The CA extension must be set to TRUE.
- C . The issuer must be a public CA.
- D . The common name on the subject field must use a wildcard name.
A,B
Explanation:
Full SSL inspection, certificate requirements:
With full SSL inspection the browser appears to be connected to the web server, but it is actually connected to FortiGate, which acts as a proxy: it terminates the client TLS session, presents a server certificate it has signed itself, and opens a separate session to the real server. For FortiGate to sign those server certificates, the certificate it uses must be a CA certificate: the basicConstraints extension must be set to cA=TRUE and the keyUsage extension must include keyCertSign.
cA=TRUE identifies the certificate as a CA certificate, and keyUsage=keyCertSign indicates that the corresponding private key is permitted to sign other certificates (see RFC 5280, sections 4.2.1.3 key usage and 4.2.1.9 basic constraints). The issuer does not need to be a public CA; a private CA is the normal choice, since the CA certificate must be distributed to the inspected clients anyway, and public CAs do not issue subordinate CA certificates for this purpose. The subject common name is irrelevant to the CA role, so a wildcard name is not required. Verify both extensions with an X.509 viewer before importing the certificate; a leaf certificate without them will import but cannot re-sign traffic.