Practice Free FCP_FGT_AD-7.6 Exam Online Questions
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)
- A . The keyUsage extension must be set to keyCertSign.
- B . The CA extension must be set to TRUE.
- C . The issuer must be a public CA.
- D . The common name on the subject field must use a wildcard name.
A,B
Explanation:
Full SSL inspection – Certificate requirements:
Although it appears as though the user's browser is connected to the web server, the browser is actually connected to FortiGate, which is acting as a proxy web server. For FortiGate to act in this role, its CA certificate must have the basicConstraints extension set to cA=TRUE and the keyUsage extension set to keyCertSign.
The cA=TRUE value identifies the certificate as a CA certificate. The keyUsage=keyCertSign value indicates that the private key corresponding to the certificate is permitted to sign other certificates. See RFC 5280 section 4.2.1.9 (Basic Constraints) and section 4.2.1.3 (Key Usage).
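The two extensions named above can be verified before a certificate is imported for SSL inspection. The following is an added example (not Fortinet code and not from the exam material) using the pyca/cryptography library: it generates two constructed certificates in memory, one with cA=TRUE plus keyCertSign and one ordinary server certificate, and reports which requirement each one fails. The `check_inspection_ca` and `_self_signed` helpers are assumptions of this example; `load_pem` shows how a certificate exported from FortiGate could be fed to the same check.

```python
"""Check whether an X.509 certificate carries the two extensions FortiGate
requires of an SSL-inspection CA: basicConstraints cA=TRUE and keyUsage
keyCertSign (RFC 5280 sections 4.2.1.9 and 4.2.1.3).

Added example, not Fortinet code. Requires the pyca/cryptography package.
Both certificates below are generated in memory (constructed test data).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def check_inspection_ca(cert: x509.Certificate) -> list[str]:
    """Return a list of problems; an empty list means the certificate is usable."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
        if not bc.value.ca:
            problems.append("basicConstraints present but cA is FALSE")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage)
        if not ku.value.key_cert_sign:
            problems.append("keyUsage present but keyCertSign not set")
    except x509.ExtensionNotFound:
        problems.append("keyUsage extension missing")
    return problems


def _self_signed(common_name: str, ca: bool) -> x509.Certificate:
    """Build a self-signed certificate; `ca` drives both required extensions."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        # cA=TRUE only for the CA certificate
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        # keyCertSign only for the CA certificate; a server cert gets keyEncipherment
        .add_extension(
            x509.KeyUsage(
                digital_signature=True,
                content_commitment=False,
                key_encipherment=not ca,
                data_encipherment=False,
                key_agreement=False,
                key_cert_sign=ca,
                crl_sign=ca,
                encipher_only=False,
                decipher_only=False,
            ),
            critical=True,
        )
    )
    return builder.sign(key, hashes.SHA256())


# Constructed sample certificates (hypothetical names).
INSPECTION_CA = _self_signed("Example Inspection CA", ca=True)
SERVER_CERT = _self_signed("www.example.test", ca=False)


def to_pem(cert: x509.Certificate) -> bytes:
    """Serialize a certificate as PEM, the format FortiGate imports and exports."""
    return cert.public_bytes(serialization.Encoding.PEM)


def load_pem(pem: bytes) -> x509.Certificate:
    """Parse a PEM certificate exported from FortiGate or any other source."""
    return x509.load_pem_x509_certificate(pem)


if __name__ == "__main__":
    for label, cert in (("CA", INSPECTION_CA), ("server", SERVER_CERT)):
        problems = check_inspection_ca(cert)
        print(label, "OK" if not problems else "; ".join(problems))
```

Run against a real export, call `check_inspection_ca(load_pem(open("ca.pem", "rb").read()))`; an empty list means both requirements are met, and each string in a non-empty list names the missing or mis-set extension.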
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?
- A . It uses UDP 8888.
- B . It uses DNS over HTTPS.
- C . It uses DNS over TLS.
- D . It uses UDP 53.
C
Explanation:
By default, DNS queries to FortiGuard servers use UDP port 53.
If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?
- A . The Services field removes the requirement of creating multiple VIPs for different services.
- B . The Services field is used when several VIPs need to be bundled into VIP groups.
- C . The Services field does not allow source NAT and destination NAT to be combined in the same policy.
- D . The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.
A
Explanation:
The Services option has been added to VIP objects. When services and port forward are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port. This configuration was made possible to allow for complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT, and not requiring numerous VIPs to be bundled into VIP groups. VIPs with different services are considered non-overlapping.
When the Services field is configured in a Virtual IP (VIP), it allows you to specify multiple services or ports for the same VIP. This eliminates the need to create separate VIPs for different services, as you can define multiple services within a single VIP using the Services field. This is particularly useful for simplifying configuration and management.
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?
- A . The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile
- B . The browser does not trust the certificate used by FortiGate for SSL inspection
- C . The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
- D . The matching firewall policy is set to proxy inspection mode
B
Explanation:
When full SSL inspection is enabled, FortiGate intercepts HTTPS traffic, decrypts it for inspection, and re-encrypts it using its own SSL certificate before forwarding it to the browser. If the browser does not trust the SSL certificate being used by FortiGate for re-encryption, it will display certificate warning errors. To resolve this, the certificate used by FortiGate for SSL inspection must be installed and trusted in the browser’s certificate store.
Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
- A . Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
- B . Change the csf setting on both devices to set downstream-access enable.
- C . Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
- D . Change the csf setting on ISFW (downstream) to set configuration-sync local.
A
Explanation:
The current setting for the root FortiGate (Local-FortiGate) is fabric-object-unification local, which means that new address objects are not shared across the security fabric. Changing this setting to fabric-object-unification default will allow address objects to be synchronized and shared with downstream devices like the ISFW.
Examine this PAC file configuration.
Which of the following statements are true? (Choose two.)
- A . Browsers can be configured to retrieve this PAC file from the FortiGate.
- B . Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
- C . All requests not made to Fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
- D . Any web request to fortinet.com is allowed to bypass the proxy.
A, D
Explanation:
The DIRECT directive bypasses the proxy and is standard in PAC files. Browsers can download the PAC file from any server, including the FortiGate.
Refer to the exhibit to view the application control profile.
Users who use Apple FaceTime video conferences are unable to set up meetings.
In this scenario, which statement is true?
- A . Apple FaceTime belongs to the custom monitored filter.
- B . The category of Apple FaceTime is being monitored.
- C . Apple FaceTime belongs to the custom blocked filter.
- D . The category of Apple FaceTime is being blocked.
C
Explanation:
Apple FaceTime belongs to the custom blocked filter.
FaceTime is categorized (filtered) under the Excessive-Bandwidth behavior, and a custom filter overriding that category is set to block it.
This also matches the symptom: users cannot use FaceTime.
Apple FaceTime falls under the VoIP category, the Excessive-Bandwidth behavior, and the vendor Apple.
View the exhibit.
Which two behaviors result from this full (deep) SSL configuration? (Choose two.)
- A . The browser bypasses all certificate warnings and allows the connection.
- B . A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.
- C . A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
- D . A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
C,D
Explanation:
C. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
D. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
In a full (deep) SSL configuration, FortiGate re-signs the server certificate it receives. When the server certificate is trusted, the replacement is a temporary certificate issued by FortiGate's trusted CA; when the server certificate is untrusted, the replacement is a temporary certificate issued by FortiGate's untrusted CA.
Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)
- A . Shut down/reboot a downstream FortiGate device.
- B . Disable FortiAnalyzer logging for a downstream FortiGate device.
- C . Log in to a downstream FortiSwitch device.
- D . Ban or unban compromised hosts.
A,D
Explanation:
Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)
- A . Only the "any" interface can be chosen as an incoming interface.
- B . An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
- C . Multiple interfaces can be selected as incoming and outgoing interfaces.
- D . A zone can be chosen as the outgoing interface.
C,D
Explanation:
C. Multiple interfaces can be selected as incoming and outgoing interfaces.
This statement is correct. You can specify multiple interfaces as both incoming and outgoing interfaces in a firewall policy.
D. A zone can be chosen as the outgoing interface.
This statement is correct as well. In FortiGate firewalls, you can choose a zone as the outgoing interface in a firewall policy, providing a convenient way to apply policies to multiple physical or logical interfaces grouped under the same zone.
So, the correct choices are C and D.