Use FCP_FGT_AD-7.6 Dumps to Obtain Fortinet Certification

Category:

Comments:

0 Comments

Post Date:

June 5, 2025

If you're serious about obtaining the FCP in Network Security certification, practicing with Fortinet FCP_FGT_AD-7.6 dumps questions is a must. By doing so, you'll become familiar with the exam format, identify knowledge gaps, develop time management skills, boost your confidence, and increase your chances of success. So, start practicing FCP_FGT_AD-7.6 exam dumps today and give yourself the best chance of passing the FCP_FGT_AD-7.6 exam! Test free FCP - FortiGate 7.6 Administrator FCP_FGT_AD-7.6 exam dumps below.

Page 1 of 9

1. Which two statements are true about the RPF check? (Choose two.)

The RPF check is run on the first sent packet of any new session.

The RPF check is run on the first reply packet of any new session.

The RPF check is run on the first sent and reply packet of any new session.

RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.

2. Which two statements about advanced AD access mode for the FSSO collector, agent are true? (Choose two.)

A. FortiGate can act as an LDAP client to configure the group filters.

B. It uses the Windows convention for naming; that is, DomainUsername.

C. It supports monitoring of nested groups.

D. It is only supported if DC agents are deployed.

3. Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

A. Local traffic logs

B. Forward traffic logs

C. System event logs

D. Security logs

4. Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)

A. Port block allocation

B. Fixed port range

C. One-to-one

D. Overload

5. Which security fabric feature causes an event trigger to monitor the network when a threat is detected?

Security rating

Optimization

Automation stiches

Fabric connectors

6. When configuring a firewall virtual wire pair policy, which following statement is true?

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

Only a single virtual wire pair can be included in each policy.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

Exactly two virtual wire pairs need to be included in each policy.

7. An administrator has configured two-factor authentication to strengthen SSL VPN access.

Which additional best practice can an administrator implement?

Configure Source IP Pools

Configure different SSL VPN realms

Configure host check

Configure split tunneling in tunnel mode

8. Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command shown in the exhibit.

If option 5 is used with the IPS diagnostic command and the outcome is a decrease in the CPU usage, what is the correct conclusion?

The IPS engine is blocking all traffic.

The IPS engine is inspecting a high volume of traffic.

The IPS engine is unable to prevent an intrusion attack.

The IPS engine will continue to run in a normal state.

9. If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?

The Services field removes the requirement of creating multiple VIPs for different services.

The Services field is used when several VIPs need to be bundled into VIP groups.

The Services field does not allow source NAT and destination NAT to be combined in the same policy.

The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.

10. Which three methods are used by the collector agent for AD polling? (Choose three.)

A. WMI

B. Novell API

C. WinSecLog

D. NetAPI

E. FortiGate polling

Page 2 of 9

11. An administrator must enable a DHCP server on one of the directly connected networks on FortiGate. However, the administrator is unable to complete the process on the GUI to enable the service on the interface.

In this scenario, what prevents the administrator from enabling DHCP service?

The role of the interface prevents setting a DHCP server.

The DHCP server setting is available only on the CL

Another interface is configured as the only DHCP server on FortiGate.

The FortiGate model does not support the DHCP server.

12. When configuring a FortiGate in a multi-WAN setup, why would an administrator enable session preservation on an interface?

To allow the FortiGate to dynamically change interfaces for all active sessions when a WAN link fails

To make sure all sessions without source NAT enabled always use the primary WAN link

To improve security by forcing users to authenticate again when the WAN link changes

To ensure that existing SSL VPN connections remain on the same interface even if route changes occur

13. Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

SMT

IMA

ip_src_session

Location: server Protocol: SMTP

14. Refer to the exhibit.

What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate?

FortiGate will accept and use the CN in the server certificate for URL filtering if the SNI does not match the CN or SAN fields.

FortiGate will accept the connection with a warning if the SNI does not match the CN or SAN fields.

FortiGate will close the connection if the SNI does not match the CN or SAN fields.

FortiGate will close the connection if the SNI does not match the CN and SAN fields

15. An administrator configured a FortiGate to act as a collector for agentless polling mode.

What must the administrator add to the FortiGate device to retrieve AD user group information?

LDAP server

RADIUS server

DHCP server

Windows server

16. Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode, are true? (Choose two.)

A file does not need to be buffered completely before it is moved to the antivirus engine for scanning.

The client must wait for the antivirus scan to finish scanning before it receives the file.

FortiGate sends a reset packet to the client if antivirus reports the file as infected.

If a virus is detected, a block replacement message is displayed immediately.

17. Which three statements explain a flow-based antivirus profile? (Choose three.)

A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.

B. If a virus is detected, the last packet is delivered to the client.

C. The IPS engine handles the process as a standalone.

D. FortiGate buffers the whole file but transmits to the client at the same time.

E. Flow-based inspection optimizes performance compared to proxy-based inspection.

18. Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)

A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.

B. Main mode cannot be used for dialup VPNs, while aggressive mode can.

C. Aggressive mode supports XAuth, while main mode does not.

D. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.

19. An administrator configured the antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only.

What is causing this issue?

Hardware acceleration is in use.

The test file is larger than the oversize limit.

HTTPS protocol is not enabled under Inspected Protocols.

Full SSL inspection is disabled.

20. An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

A. 192.168.2.0/24

B. 192.168.0.0/8

C. 192.168.1.0/24

D. 192.168.3.0/24

Page 3 of 9

21. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

Pre-shared key

Dialup user

Dynamic DNS

Static IP address

22. Which three statements about SD-WAN performance SLAs are true? (Choose three.)

They rely on session loss and jitter.

They can be measured actively or passively.

They are applied in a SD-WAN rule lowest cost strategy.

They monitor the state of the FortiGate device.

All the SLAtargets can be configured.

23. Refer to the exhibit, which shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

The sensor will gather a packet log for all matched traffic.

The sensor will reset all connections that match these signatures.

The sensor will allow attackers matching the Microsoft.Windows.iSCSl.Target.DoS signature.

The sensor will block all attacks aimed at Windows servers.

24. A FortiGate firewall policy is configured with active authentication however, the user cannot authenticate when accessing a website.

Which protocol must FortiGate allow even though the user cannot authenticate?

ICMP

DNS

DHCP

LDAP

25. Refer to the exhibits.

Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit.

What would be the expected outcome in the HA cluster?

HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.

HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW- 1.

HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.

The HA cluster will become out of sync because the override setting must match on all HA members.

26. Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

A. SSH

B. HTTPS

C. FTM

D. FortiTelemetry

27. FortiGate is integrated with FortiAnalyzer and FortiManager.

When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

Log ID

Policy ID

Sequence ID

Universally Unique Identifier

28. Refer to the exhibit:

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

The port3 default route has the lowest metric.

The port3 default route has the highest distance.

There will be eight routes active in the routing table.

The port1 and port2 default routes are active in the routing table.

29. Which two statements describe characteristics of automation stitches? (Choose two.)

Actions involve only devices included in the Security Fabric.

An automation stitch can have multiple triggers.

Multiple actions can run in parallel.

Triggers can involve external connectors.

30. An administrator wants to block https://www.example.com/videos and allow all other URLs on the website.

What are two configuration changes that the administrator can make to satisfy the requirement? (Choose two.)

Configure web override for the URL and select a blocked FortiGuard subcategory

Enable full SSL inspection

Configure a video filter profile to block the URL

Configure a static URL filter entry for the URL and select Block as the action

Page 4 of 9

31. Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

FortiSandbox

FortiCloud

FortiSIEM

FortiCache

FortiAnalyzer

32. A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode.

Which step is NOT part of the expected process?

The DC agent sends login event data directly to FortiGate.

The user logs into the windows domain.

The collector agent forwards login event data to FortiGate.

FortiGate determines user identity based on the IP address in the FSSO list.

33. When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?

remote user's public IP address

The public IP address of the FortiGate device.

The remote user's virtual IP address.

The internal IP address of the FortiGate device.

34. Refer to the exhibit, which shows a partial configuration from the remote authentication server.

Why does the FortiGate administrator need this configuration?

To authenticate only the Training user group.

To set up a RADIUS server Secret

To authenticate and match the Training OU on the RADIUS server.

To authenticate Any FortiGate user groups.

35. An employee needs to connect to the office through a high-latency internet connection.

Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

A. SSL VPN idle-timeout

B. SSL VPN login-timeout

C. SSL VPN dtls-hello-timeout

D. SSL VPN session-ttl

36. Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)

Manual with load balancing

Lowest Cost (SLA) with load balancing

Best Quality with load balancing

Lowest Quality (SLA) with load balancing

Lowest Cost (SLA) without load balancing

37. There are multiple dial-up IPsec VPNs configured in aggressive mode on the HQ FortiGate. The requirement is to connect dial-up users to their respective department VPN tunnels.

Which phase 1 setting you can configure to match the user to the tunnel?

Peer ID

Local Gateway

Dead Peer Detection

IKE Mode Config

38. An administrator notices that some users are unable to establish SSL VPN connections, while others can connect without any issues.

What should the administrator check first?

Ensure that the affected users are using the correct port number.

Ensure that user traffic is hitting the firewall policy.

Ensure that forced tunneling is enabled to reroute all traffic through the SSL VPN

Ensure that the HTTPS service is enabled on SSL VPN tunnel interface

39. An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the Internet. The web server is connected to port1. The Internet is connected to port2. Both interfaces belong to the VDOM named Corporation.

What interface must be used as the source for the firewall policy that will allow this traffic?

ssl.root

ssl.Corporation

port2

port1

40. Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)

FortiManager IP address

FortiAnalyzer IP address

Pre-authorize downstream FortiGate devices

Fabric name

Page 5 of 9

41. FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)

A. www.example.com

B. www.example.com/index.html

C. www.example.com:443

D. example.com

42. Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

Access to the social networking web filter category was explicitly blocked to all users.

The action on firewall policy ID 1 is set to warning.

Social networking web filter category is configured with the action set to authenticate.

The name of the firewall policy is all_users_web.

43. Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

FortiGuard web filter cache

FortiGate hostname

NTP

DNS

44. Which method allows management access to the FortiGate CLI without network connectivity?

SSH console

CLI console widget

Serial console

Telnet console

45. Refer to the exhibit.

Which statement about the configuration settings is true?

When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.

When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.

When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.

The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.

46. Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

A. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.

B. FortiGate supports pre-shared key and signature as authentication methods.

C. Enabling XAuth results in a faster authentication because fewer packets are exchanged.

D. A certificate is not required on the remote peer when you set the signature as the authentication

method.

47. Refer to the exhibits.

Exhibit A shows system performance output.

Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Based on the system performance output, which two results are correct? (Choose two.)

FortiGate will start sending all files to FortiSandbox for inspection.

FortiGate has entered conserve mode.

Administrators cannot change the configuration.

Administrators can access FortiGate only through the console port.

48. Refer to exhibit.

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.

On the Static URL Filter configuration, set Type to Simple.

On the Static URL Filter configuration, set Action to Exempt.

On the Static URL Filter configuration, set Action to Monitor.

49. An administrator wants to analyze and manage digital certificates to prevent browser warnings when users connect to the SSL VPN portal.

Which two statements describe how to correctly do this? (Choose two.)

The administrator can rely on the default FortiGate self-signed certificate to prevent all security warnings in the browser.

The administrator must disable HTTPS administrative access entirely to avoid certificate warnings.

The administrator can use a publicly trusted certificate from a known certificate authority (CA) to stop browser warnings.

The administrator can import the FortiGate self-signed certificate into each user’s browser as a trusted certificate.

50. Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

Downstream devices can connect to the upstream device from any of their VDOMs

Each VDOM in the environment can be part of a different Security Fabric

VDOMs without ports with connected devices are not displayed in the topology

Security rating reports can be run individually for each configured VDOM

Page 6 of 9

51. Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

A. Fabric Coverage

B. Automated Response

C. Security Posture

D. Optimization

52. Refer to the exhibit.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

What are two solutions for satisfying the requirement? (Choose two.)

Configure a separate firewall policy with action Deny and an FQDN address object for *. download, com as destination address.

Set the Freeware and Software Downloads category Action to Warning

Configure a web override rating for download, com and select Malicious Websites as the subcategory.

Configure a static URL filter entry for download, com with Type and Action set to Wildcard and Block, respectively.

53. Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed.

What will happen to endpoint active ZTNA sessions?

They will be re-evaluated to match the endpoint policy.

They will be re-evaluated to match the firewall policy.

They will be re-evaluated to match the ZTNA policy.

They will be re-evaluated to match the security policy.

54. A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.

What is the reason for the certificate warning errors?

The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile

The browser does not trust the certificate used by FortiGate for SSL inspection

The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

The matching firewall policy is set to proxy inspection mode

55. Which two statements describe how the RPF check is used? (Choose two.)

The RPF check is run on the first sent packet of any new session.

The RPF check is run on the first reply packet of any new session.

The RPF check is run on the first sent and reply packet of any new session.

The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.

56. Which three methods can you use to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)

Instant message app

FortiToken

Voicemail message

SMS text message

57. The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.

What order must FortiGate use when the web filter profile has features enabled, such as safe search?

DNS-based web filter and proxy-based web filter

Static URL filter, FortiGuard category filter, and advanced filters

Static domain filter, SSL inspection filter, and external connectors filters

FortiGuard category filter and rating filter

58. Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

Interface name

Ethernet header

IP header

Application header

Packet payload

59. Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.

The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.

Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

Enable match-vip in the Deny policy.

Set the Destination address as Webserver in the Deny policy.

Disable match-vip in the Deny policy.

Set the Destination address as Deny_IP in the Allow_access policy.

60. Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A. FortiSIEM

B. FortiCloud

C. FortiCache

D. FortiSandbox

E. FortiAnalyzer

Page 7 of 9

61. You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked.

What FortiGate settings should you check to resolve this issue?

FortiGuard category ratings

Application and Filter Overrides

Network Protocol Enforcement

Replacement Messages for UDP-based Applications

62. What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

A. FortiGate uses fewer resources.

B. FortiGate performs a more exhaustive inspection on traffic.

C. FortiGate adds less latency to traffic.

D. FortiGate allocates two sessions per connection.

63. An administrator is configuring an Ipsec between site A and site B. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.

How must the administrator configure the local quick mode selector for site B?

A. 192.16.3.0/24

B. 192.16.2.0/24

C. 192.16.1.0/24

D. 192.16.0.0/8

64. Which two statements are true about an HA cluster? (Choose two.)

An HA cluster cannot have both in-band and out-of-band management interfaces at the same time.

Link failover triggers a failover if the administrator sets the interface down on the primary device.

When sniffing the heartbeat interface, the administrator must see the IP address 169.254.0.2.

HA incremental synchronization includes FIB entries and IPsec SAs.

65. Refer to the exhibit to view the authentication rule configuration.

In this scenario, which statement is true?

A. Session-based authentication is enabled

B. Policy-based authentication is enabled

C. IP-based authentication is enabled

D. Route-based authentication is enabled

66. Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Based on the exhibit, which statement is true?

The underlay zone contains port1 and

The d-wan zone contains no member.

The d-wan zone cannot be deleted.

The virtual-wan-link zone contains no member.

67. To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

FortiManager

Root FortiGate

FortiAnalyzer

Downstream FortiGate

68. What is eXtended Authentication (XAuth)?

It is an IPsec extension that forces remote VPN users to authenticate using their local I

It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).

It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.

It is an IPsec extension that authenticates remote VPN peers using digital certificates.

69. Which statement about firewall policy NAT is true?

DNAT is not supported.

DNAT can automatically apply to multiple firewall policies, based on DNAT rules.

You must configure SNAT for each firewall policy.

SNAT can automatically apply to multiple firewall policies, based on SNAT rules.

70. Refer to the exhibit.

The exhibit shows a FortiGate configuration.

How does FortiGate handle web proxy traffic coming from the IP address 10.2.1.200, that requires authorization?

It always authorizes the traffic without requiring authentication.

It drops the traffic

It authenticates the traffic using the authentication scheme SCHEME2.

It authenticates the traffic using the authentication scheme SCHEME1.

Page 8 of 9

71. When configuring a firewall virtual wire pair policy, which following statement is true?

Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.

Only a single virtual wire pair can be included in each policy.

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

Exactly two virtual wire pairs need to be included in each policy.

72. In which two ways can RPF checking be disabled? (Choose two.)

Enable anti-replay in firewall policy.

Enable asymmetric routing.

Disable strict-src-check under system settings.

Disable the RPF check at the FortiGate interface level for the source check.

73. Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

A. Proxy-based inspection

B. Certificate inspection

C. Flow-based inspection

D. Full Content inspection

74. Refer to the exhibit.

The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit.

For which two reasons are these web categories exempted? (Choose two.)

The FortiGate temporary certificate denies the browser’s access to websites that use HTTP Strict Transport Security.

These websites are in an allowlist of reputable domain names maintained by FortiGuard.

The resources utilization is optimized because these websites are in the trusted domain list on FortiGate.

The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.

75. Refer to the exhibits.

The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

10.200.1.1

10.0.1.254

10.200.1.10

10.200.1.100

76. FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.

Which two statements are true about the requirements of connected physical interfaces on FortiGate? (Choose two.)

Both interfaces must have the interface role assigned

Both interfaces must have directly connected routes on the routing table

Both interfaces must have DHCP enabled

Both interfaces must have IP addresses assigned

77. An administrator wanted to configure an IPS sensor to block traffic that triggers a signature set

number of times during a specific time period.

How can the administrator achieve the objective?

Use IPS group signatures, set rate-mode 60.

Use IPS packet logging option with periodical filter option.

Use IPS filter, rate-mode periodical option.

78. Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

To detect intermediary NAT devices in the tunnel path.

To dynamically change phase 1 negotiation mode aggressive mode.

To encapsulation ESP packets in UDP packets using port 4500.

To force a new DH exchange with each phase 2 rekey

79. Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)

A. SSH

B. FortiTelemetry

C. Trusted host

D. HTTPS

E. Trusted authentication

80. View the exhibit.

Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.

Which two static routes are required in the FortiGate configuration, to route traffic between both subnets through an inter-VDOM link? (Choose two.)

A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link

A static route in VDOM2 for the destination subnet 10.0.1.0/24

A static route in VDOM1 for the destination subnet 10.0.2.0/24

A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link

Page 9 of 9

81. In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy.

Instead of separate policies.

Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

The IP version of the sources and destinations in a firewall policy must be different.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

The IP version of the sources and destinations in a policy must match.

82. Refer to the exhibit.

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.

An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies. The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http:// www.fortinet.com? (Choose three.)

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

83. What are two features of FortiGate FSSO agentless polling mode? (Choose two.)

FortiGate directs the collector agent to use a remote LDAP server.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

FortiGate does not support workstation check.

FortiGate uses the AD server as the collector agent.

84. An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN.

How can this be achieved?

Assigning public IP addresses to SSL-VPN users

Configuring web bookmarks

Disabling split tunneling

Using web-only mode

85. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Enable Dead Peer Detection.

86. Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A. NetAPI polling can increase bandwidth usage in large networks.

B. The NetSessionEnum function is used to track user logouts.

C. The collector agent must search security event logs.

D. The collector agent uses a Windows API to query DCs for user logins.

87. Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

On HQ-FortiGate, disable Diffie-Helman group 2.

On Remote-FortiGate, set port2 as Interface.

On both FortiGate devices, set Dead Peer Detection to On Demand.

On HQ-FortiGate, set IKE mode to Main (ID protection).

TAGS:

FCP_FGT_AD-7.6, FCP_FGT_AD-7.6 exam dumps

Notify of

Label

Name*

Email*

Website

Label

Name*

Email*

Website

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Get FCP_FGT_AD-7.6 Dumps Full Version

Q&As: 292
Versions: PDF and Software Download Now

About Dumpsinfo

Dumpsinfo is a good platform providing the latest exam information and dumps questions for all IT certification exams. You can study all the latest exam dumps questions online.

[email protected]

Mon - Sat 9:00am - 6:00pm

Use FCP_FGT_AD-7.6 Dumps to Obtain Fortinet Certification

Related

Posts

Study Online FCSS_CDS_AR-7.6 Exam Dumps to Pass

Improve Your Knowledge with EMEA Advanced Support Exam Dumps

Use FCSS_SASE_AD-25 Dumps to Obtain Fortinet Certification

Use FCSS_NST_SE-7.6 Dumps to Obtain Fortinet Certification

About Us

EMAIL

Services

Opening Hours