Practice Free FCP_FGT_AD-7.6 Exam Online Questions
By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.
Which CLI command causes FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?
- A . set webfilter-force-off disable
- B . set webfilter-cache disable
- C . set protocol tcp
- D . set fortiguard-anycast disable
D
Explanation:
The CLI command that causes FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering is:
D. set fortiguard-anycast disable
Disabling FortiGuard Anycast will cause FortiGate to use a direct connection (unreliable protocol) instead of the anycast-based connection for communication with FortiGuard servers. This may be necessary in certain scenarios where anycast is causing issues, and a direct connection is preferred.
By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with FortiGuard or FortiManager. Other ports and protocols are available by disabling the FortiGuard anycast setting on the CLI.
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
- A . Log downloads from the GUI are limited to the current filter view
- B . Log backups from the CLI cannot be restored to another FortiGate.
- C . Log backups from the CLI can be configured to upload to FTP at a scheduled time.
- D . Log downloads from the GUI are stored as LZ4 compressed files.
A,B
Explanation:
Consider the topology:
Application on a Windows machine <--{SSL VPN}--> FGT --> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)
- A . Set the maximum session TTL value for the TELNET service object.
- B . Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
- C . Create a new service object for TELNET and set the maximum session TTL.
- D . Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.
C,D
Explanation:
The key here is performing the task without affecting any of the other services.
C. Create a new service object for TELNET and set the maximum session TTL: By creating a new service object specifically for TELNET and setting the maximum session TTL, you can control the idle session timeout for Telnet connections established through the SSL VPN.
D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy: Creating a new firewall policy and placing it above the existing SSLVPN policy allows you to apply the new TELNET service object with the modified session TTL, ensuring that the idle session timeout does not occur after 90 minutes.
- Not A: Changing the maximum session TTL on the existing TELNET service object affects every other policy that references that service.
- Not B: Changing the session TTL on the SSLVPN policy affects every other service referenced in that policy.
Refer to the exhibit.
The exhibit shows a FortiGate configuration.
How does FortiGate handle web proxy traffic coming from the IP address 10.2.1.200, that requires authorization?
- A . It always authorizes the traffic without requiring authentication.
- B . It drops the traffic
- C . It authenticates the traffic using the authentication scheme SCHEME2.
- D . It authenticates the traffic using the authentication scheme SCHEME1.
D
Explanation:
It authenticates the traffic using the authentication scheme SCHEME1.
What happens to traffic that requires authorization but does not match any authentication rule? The active and passive SSO schemes used in that case are defined under config authentication setting.
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)
- A . Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
- B . An SA never expires.
- C . A phase 1 SA is bidirectional, while a phase 2 SA is directional.
- D . Phase 2 SA expiration can be time-based, volume-based, or both.
- E . Both the phase 1 SA and phase 2 SA are bidirectional.
A,C,D
Explanation:
The correct statements about security associations (SA) in IPsec are:
Refer to the exhibit.
The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.
With this configuration, which statement is true?
- A . Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.
- B . A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.
- C . Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
- D . Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.
A
Explanation:
An administrator has configured the following settings:
What are the two results of this configuration? (Choose two.)
- A . Device detection on all interfaces is enforced for 30 minutes
- B . Denied users are blocked for 30 minutes
- C . A session for denied traffic is created
- D . The number of logs generated by denied traffic is reduced
C, D
Explanation:
C. A session for denied traffic is created.
D. The number of logs generated by denied traffic is reduced.
During the session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable session table entries for dropped traffic. This creates a denied session in the session table, and all subsequent packets of that session are also denied. FortiGate therefore does not have to perform a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.
This option is available in the CLI as ses-denied-traffic. You can also set how long a denied session is kept in the session table with block-session-timer in the CLI. By default, it is set to 30 seconds.
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
- A . Pre-shared key and certificate signature as authentication methods
- B . Extended authentication (XAuth) to request the remote peer to provide a username and password
- C . Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
- D . No certificate is required on the remote peer when you set the certificate signature as the authentication method
A, B
Explanation:
FortiGate supports both pre-shared key and certificate signature methods for IKEv1 authentication.
These methods provide flexibility depending on the security requirements of the network.
Additionally, FortiGate supports Extended Authentication (XAuth), which requests a username and password from the remote peer, enhancing security by adding an extra layer of authentication. The XAuth method does not necessarily make the authentication faster; it is an additional security measure.
Reference: FortiOS 7.4.1 Administration Guide: IPsec VPN Configuration
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)
- A . The client FortiGate requires a manually added route to remote subnets.
- B . The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
- C . The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
- D . The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
C,D
Explanation:
A FortiGate can be configured as an SSL VPN client by using the SSL-VPN Tunnel interface type. The server FortiGate must have the proper CA certificate installed to verify the certificate chain up to the root CA that signed the client certificate.
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate:
When setting up SSL VPN between two FortiGate devices, the server FortiGate needs a CA (Certificate Authority) certificate to verify the client FortiGate’s certificate. This ensures that the client connecting to the VPN is authenticated and trusted.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN:
For the SSL VPN to function, the client FortiGate needs to have the SSL VPN tunnel interface type configured. This interface type is specifically designed for SSL VPN connections, allowing the client FortiGate to establish the VPN tunnel with the server FortiGate.
These two settings together ensure that the SSL VPN connection between the two FortiGate devices is properly authenticated and established, allowing secure communication between them.
Which inspection mode does FortiGate use for application profiles if it is configured as a profile-based next-generation firewall (NGFW)?
- A . Full content inspection
- B . Proxy-based inspection
- C . Certificate inspection
- D . Flow-based inspection
D
Explanation:
When FortiGate is configured in NGFW profile-based mode, it primarily uses flow-based inspection for application profiles. Flow-based inspection provides faster processing and lower latency by inspecting traffic in real-time without buffering, making it suitable for scenarios where performance is a priority.
Reference: FortiOS 7.4.1 Administration Guide: Inspection Modes