
FCP_FGT_AD-7.4 (August 2025)

Description:
Dumps (with corrections)

Creation Date: 2025/08/20

Category: Computers

Number of questions: 93

Content:

Which two pieces of information are synchronized between FortiGate HA members? (Choose two.). DHCP leases. OSPF adjacencies. IPsec security associations. BGP peerings.

How can you disable RPF (Reverse Path Forwarding) checking?. Disable strict-src-check under system settings. Disable src-check on the interface level settings. Unset fail-alert-interfaces on the interface level settings. Disable fail-detect on the interface level settings.

An administrator configured a web filtering profile to block all social networking sites except Twitter. However, users are redirected to a FortiGuard block page when accessing twitter.com. Based on the exhibit, which configuration change will allow Twitter while blocking other social networking sites?. In the FortiGuard Category Based Filter, set Action to Warning for Social Networking. In the Static URL Filter, set Type to Simple. In the Static URL Filter, set Action to Exempt. In the Static URL Filter, set Action to Monitor.

An administrator is configuring an IPsec VPN between Site A and Site B. The Remote Gateway setting on both sites is configured as Static IP Address. Site A Configuration: Local Quick Mode Selector: 192.168.1.0/24, Remote Quick Mode Selector: 192.168.2.0/24. Which subnet must the administrator configure for the Local Quick Mode Selector for Site B?. 192.168.0.0/8. 192.168.2.0/24. 192.168.3.0/24. 192.168.1.0/24.

An administrator added a RADIUS server configuration and selected the "Include in every user group" option. What is the impact of this setting?. This option places the RADIUS server and all its authenticated users into every RADIUS group. This option places all users into every RADIUS user group, including LDAP server groups on FortiGate. This option places the RADIUS server and its authenticated users into every FortiGate user group. This option places all FortiGate users/groups into the RADIUS server (e.g., FortiAuthenticator).

A FortiGate administrator needs to reduce the attack surface on the SSL VPN portal. Which SSL timer can be used to mitigate a denial of service (DoS) attack?. SSLVPN dtls-hello-timeout. SSLVPN login-timeout. SSLVPN idle-timeout. SSLVPN http-request-header-timeout.

What are three key routing principles in SD-WAN? (Choose three.). SD-WAN rules have precedence over any other type of routes. By default, SD-WAN members are skipped if they do not have a valid route to the destination. Regular policy routes have precedence over SD-WAN rules. By default, SD-WAN rules are skipped if only one route to the destination is available. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity. What must the administrator configure to meet this request?. Increase the admintimeout value under config system global. Increase the override Idle Timeout parameter in the NOC_Access admin profile. Increase the admintimeout value under config system accprofile super_admin. Enable the Never Timeout parameter in the admin profiles.

Which statement about this firewall policy list is true?. LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists. The firewall policies are listed by ingress and egress interfaces pairing view. The firewall policies are listed by ID sequence view. The Implicit group can include more than one deny firewall policy.

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?. The collector agent must search Windows application event logs. The NetSessionEnum function is used to track user logouts. The collector agent uses a Windows API to query DCs for user logins. NetAPI polling can increase bandwidth usage in large networks.

Refer to the exhibits, which show the firewall policy and security profile for Facebook. Users can access Facebook and play videos but cannot leave reactions on posts. Which part of the configuration must be changed to resolve this issue?. Disable HTTP redirect to HTTPS on the web browser. Get additional application signatures to add to the security policy. Add Facebook to the URL category in the security policy. Change SSL inspection to deep content inspection.

Refer to the exhibits, which show the firewall policy and antivirus profile configuration. Why is the user unable to receive a block replacement message when downloading an infected file for the first time?. The firewall policy performs full-content inspection on the file. The intrusion prevention security profile must be enabled when using flow-based inspection mode. Flow-based inspection is used, which resets the last packet to the user. The option to send files to FortiSandbox for inspection is enabled.

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. Phase 1 is up, but Phase 2 fails to establish. Based on the Phase 2 configuration shown in the exhibit, which two changes will resolve the issue? (Choose two.). On Remote-FortiGate, set Seconds (key lifetime) to 43200. On HQ-FortiGate, set Encryption to AES256. On Remote-FortiGate, set Remote Address to 10.0.1.0/255.255.255.0. On HQ-FortiGate, enable Diffie-Hellman Group 2.

A FortiGate firewall policy is configured with active authentication, but the user cannot authenticate when accessing a website. Which protocol must FortiGate allow to enable authentication, even if the user cannot initially authenticate?. ICMP. LDAP. DNS. DHCP.

Which two statements explain antivirus scanning modes? (Choose two.). In proxy-based inspection mode, files bigger than the buffer size are scanned. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client. In flow-based inspection mode, files bigger than the buffer size are scanned. In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

Which three CLI commands can you use to troubleshoot Layer 3 issues, if the issue is in neither the physical layer nor the link layer? (Choose three.). get system arp. diagnose sys top. diagnose sniffer packet any. execute traceroute. execute ping.

An administrator has configured a strict RPF check on FortiGate. How does strict RPF check work?. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface. Strict RPF checks the best route back to the source using the incoming interface. Strict RPF allows packets back to sources with all active routes. Strict RPF check is run on the first sent and reply packet of any new session.

What are two features of collector agent advanced mode? (Choose two.). In advanced mode, security profiles can be applied only to user groups, not individual users. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate. Advanced mode uses the Windows convention - NetBios: Domain\Username. Advanced mode supports nested or inherited groups.

Which three statements explain a flow-based antivirus profile? (Choose three.). If a virus is detected, the last packet is delivered to the client. The IPS engine handles the process as a standalone. Flow-based inspection optimizes performance compared to proxy-based inspection. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection. FortiGate buffers the whole file but transmits to the client at the same time.

What are two features of FortiGate FSSO agentless polling mode? (Choose two.). FortiGate does not support workstation check. FortiGate directs the collector agent to use a remote LDAP server. FortiGate uses the SMB protocol to read the event viewer logs from the DCs. FortiGate uses the AD server as the collector agent.

Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.). FortiGate is using default FortiGuard communication settings. One server was contacted to retrieve the contract information. A local FortiManager is one of the servers FortiGate communicates with. There is at least one server that lost packets consecutively.

An administrator has configured the following settings:
    config system settings
        set ses-denied-traffic enable
    end
    config system global
        set block-session-timer 30
    end
What are the two results of this configuration? (Choose two.). A session for denied traffic is created. Device detection on all interfaces is enforced for 30 minutes. The number of logs generated by denied traffic is reduced. Denied users are blocked for 30 minutes.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the Security Fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?. Change the CSF setting on Local-FortiGate (root) to set fabric-object-unification default. Change the CSF setting on ISFW (downstream) to set configuration-sync local. Change the CSF setting on ISFW (downstream) to set authorization-request-type certificate. Change the CSF setting on both devices to set downstream-access enable.

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and allows it to be downloaded. The administrator confirms that the traffic matches the configured firewall policy. What are two reasons for the failed virus detection by FortiGate? (Choose two.). The website is exempted from SSL inspection. The browser does not trust the FortiGate self-signed CA certificate. The selected SSL inspection profile has certificate inspection enabled. The EICAR test file exceeds the protocol options oversize limit.

An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is outbound traffic but no response from the peer. Which DPD mode on FortiGate meets this requirement?. On Demand. Enable. Disabled. On Idle.

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks, respectively. Which two statements are true about the requirements of connected physical interfaces on FortiGate? (Choose two.). Both interfaces must have directly connected routes on the routing table. Both interfaces must have IP addresses assigned. Both interfaces must have the interface role assigned. Both interfaces must have DHCP enabled.

The exhibits show a diagram of a FortiGate device connected to the network and the firewall configuration. An administrator created a Deny policy with default settings to block Webserver access for Remote-User2. The policy should allow Remote-User1 to access the Webserver while preventing Remote-User2 from accessing it. Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.). Enable match-vip in the Deny policy. Set the Destination address as Deny_IP in the Allow_access policy. Set the Destination address as Webserver in the Deny policy. Disable match-vip in the Deny policy.

What two conclusions can you make from the debug flow output? (Choose two.). A new traffic session was created. The default route is required to receive a reply. The debug flow is for ICMP traffic. A firewall policy allowed the connection.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router. When the administrator tries to access the webserver public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a packet capture on FortiGate for incoming web traffic to the server and sees no output. Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?. Configure a loopback interface with address 203.0.113.2. In the VIP configuration, enable ARP reply. In the firewall policy configuration, enable match-vip. Enable port forwarding on the server to map the external service port to the internal service port.

Examine the intrusion prevention system (IPS) diagnostic command shown in the exhibit. If option 5 is used with the IPS diagnostic command and the outcome is a decrease in CPU usage, what is the correct conclusion?. The IPS engine is inspecting a high volume of traffic. The IPS engine is blocking all traffic. The IPS engine will continue to run in a normal state. The IPS engine is unable to prevent an intrusion attack.

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com homepage, the override must be configured with a specific syntax. Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.). www.example.com/index.htm. www.example.com. www.example.com:443. example.com.

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?. The option "invalid SSL certificates" is set to allow on the SSL/SSH inspection profile. The matching firewall policy is set to proxy inspection mode. The browser does not trust the certificate used by FortiGate for SSL inspection. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles. Which action must the administrator perform to consolidate the two policies into one?. Select port1 and port2 subnets in a single firewall policy. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy. Replace port1 and port2 with the any interface in a single firewall policy. Create an Interface Group that includes port1 and port2 to create a single firewall policy.

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?. Antivirus engine. Intrusion prevention system engine. Internet Service Database (ISDB) engine. Application control engine.

Which statement is correct regarding the use of application control for inspecting web applications?. Application control does not display a replacement message for a blocked web application. Application control does not require SSL inspection to identify web applications. Application control signatures are included in the Fortinet Antivirus engine. Application control can identify child and parent applications, and perform different actions on them.

Refer to the exhibits. The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to the SSL VPN?. Change the idle-timeout. Change the server IP address. Change the SSL VPN port on the client. Change the SSL VPN portal to the tunnel.

Based on the routing database shown in the exhibit, which two conclusions can you make about the routes? (Choose two.). The port3 default route has the highest distance. The port1 and port2 default routes are active in the routing table. The port3 default route has the lowest metric. There will be eight routes active in the routing table.

The exhibits show:
- A diagram of a FortiGate device connected to the network
- Firewall policies configuration
- VIP configuration
- IP pool configuration
Network Configuration:
- WAN (port1): IP address 10.200.1.1/24
- LAN (port3): IP address 10.0.1.254/24
Firewall Policies:
- First policy: NAT enabled using an IP pool
- Second policy: Configured with a VIP as the destination address
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with IP address 10.0.1.10?. 10.200.1.10. 10.200.1.100. 10.200.1.1. 10.0.1.254.

Which two statements are correct when FortiGate enters conserve mode? (Choose two.). FortiGate refuses to accept configuration changes. FortiGate halts complete system operation and requires a reboot to regain available resources. FortiGate continues to run critical security actions, such as quarantine. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. If the host 10.200.3.1 sends a TCP SYN packet on port 8080 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be when FortiGate forwards it to the destination?. 10.0.1.254, 10.200.1.10, and 8080, respectively. 10.200.3.1, 10.0.1.10, and 80, respectively. 10.200.3.1, 10.0.4.10, and 8080, respectively. 10.0.1.254, 10.0.1.10, and 80, respectively.

Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit. What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?. Traffic matching the signature will be allowed and logged. The signature setting includes a group of other signatures. Traffic matching the signature will be silently dropped and logged. The signature setting uses a custom rating threshold.

Which two attributes are required for a certificate to be used as a CA certificate in SSL inspection? (Choose two.). The KeyUsage extension must be set to KeyCertSign. The CA extension must be set to TRUE. The Authority Key Identifier must be of type SSL. The issuer must be a public CA.

FGT-1 and FGT-2 are updated with the HA configuration commands shown in the exhibit. What would be the expected outcome in the HA cluster?. FGT-1 will synchronize the override disable setting with FGT-2. The HA cluster will become out of sync because the override setting must match on all HA members. FGT-1 will remain the primary because FGT-2 has a lower priority. FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.

The administrator configured SD-WAN rules and enabled SD-WAN-specific columns (SD-WAN Quality and SD-WAN Rule Name) in the FortiGate traffic log. The traffic is allowed by Policy ID 1 (the policy permitting SD-WAN traffic), but the logs do not show the SD-WAN rule name used to steer the traffic. What could be the reason?. FortiGate load-balanced the traffic according to the implicit SD-WAN rule. SD-WAN rule names do not appear immediately; the administrator needs to refresh the page. Destinations in the SD-WAN rules are configured per application, but the feature visibility is not enabled. There is no application control profile applied to the firewall policy.

There are multiple dialup IPsec VPNs configured in aggressive mode on the HQ FortiGate. The requirement is to connect dial-up users to their respective department VPN tunnels. Which phase setting can you configure to match the user to the tunnel?. Dead Peer Detection. Local Gateway. IKE Mode Config. Peer ID.

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection. Which FortiGate configuration can achieve this goal?. SSL VPN tunnel. SSL VPN bookmark. SSL VPN quick connection. Zero trust network access.

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?. Each VDOM in the environment can be part of a different Security Fabric. VDOMs without ports with connected devices are not displayed in the topology. Downstream devices can connect to the upstream device from any of their VDOMs. Security rating reports can be run individually for each configured VDOM.

Which two statements are true about the FGCP protocol? (Choose two.). FGCP is used to discover FortiGate devices in different HA groups. FGCP elects the primary FortiGate device. FGCP runs only over the heartbeat links. FGCP is not used when FortiGate is in transparent mode.

An administrator cannot enable a DHCP server on a FortiGate interface via GUI. What prevents this?. The DHCP server setting is available only on the CLI. The FortiGate model does not support DHCP server. Another interface is configured as the only DHCP server on FortiGate. The role of the interface prevents setting a DHCP server.

Which three statements about SD-WAN zones are true? (Choose three.). You can use an SD-WAN zone in static route definitions. An SD-WAN zone can contain physical and logical interfaces. You can define up to three SD-WAN zones per FortiGate device. An SD-WAN zone must contain at least two members. An SD-WAN zone is a logical grouping of members.

Which three pieces of information does FortiGate use to identify the SSL server hostname during certificate inspection? (Choose three.). Server Name Indication (SNI) in the client hello. Subject Alternative Name (SAN) in the server certificate. Serial number in the server certificate. Host field in the HTTP header. Subject field in the server certificate.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct when adding the FTP.Login.Failed signature to the IPS sensor profile?. The signature setting includes a group of other signatures. Traffic matching the signature will be allowed and logged. Traffic matching the signature will be silently dropped and logged. The signature setting uses a custom rating threshold.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled (e.g., safe search)?. Static URL filter → FortiGuard category filter → Advanced filters. FortiGuard category filter → Rating filter. DNS-based web filter → Proxy-based web filter. Static domain filter → SSL inspection filter → External connectors filters.

Refer to the exhibit to view the firewall policy. Why would the firewall policy not block a well-known virus (e.g., EICAR)?. The firewall policy does not apply deep content inspection. The firewall policy must be configured in proxy-based inspection mode. The action on the firewall policy must be set to deny. Web filter should be enabled on the firewall policy to complement the antivirus profile.

The exhibit contains:
- A network diagram
- A central SNAT policy
- An IP pool configuration
Network Configuration:
- WAN (port1): IP address 10.200.1.1/24
- LAN (port3): IP address 10.0.1.254/24
A firewall policy allows all traffic from LAN (port3) to WAN (port1) with Central NAT enabled. When a user on Local-Client (10.0.1.10) pings Remote-FortiGate (10.200.3.1), which IP address will be used for source NAT (SNAT)?. 10.200.1.1. 10.200.1.149. 10.200.1.99. 10.200.1.49.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit. What should the administrator do next to troubleshoot the problem?. Execute another sniffer in the FortiGate with the filter host 10.0.1.10. Capture the traffic using an external sniffer connected to port1. Execute a debug flow. Run a sniffer on the web server.

What is the primary FortiGate HA election process when HA override is disabled?. Connected monitored ports > System uptime > Priority > Serial number. Connected monitored ports > Priority > HA uptime > Serial number. Connected monitored ports > HA uptime > Priority > Serial number. Connected monitored ports > Priority > System uptime > Serial number.

Which two statements describe how the RPF check is used? (Choose two.). The RPF check is run on the first sent packet of any new session. The RPF check is run on the first reply packet of any new session. The RPF check is run on the first sent and reply packet of any new session. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Which inspection mode does FortiGate use for application profiles in profile-based NGFW mode?. Full Content inspection. Certificate inspection. Flow-based inspection. Proxy-based inspection.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. Phase 1 fails to establish, even after verifying the pre-shared keys match on both devices. Based on the Phase 1 configuration and diagram shown in the exhibit, which two configuration changes will resolve the issue? (Choose two.). On HQ-FortiGate, disable Diffie-Hellman Group 2. On Remote FortiGate, set port2 as the Interface. On both FortiGate devices, set Dead Peer Detection (DPD) to On Demand. On HQ-FortiGate, set IKE mode to Main (ID Protection).

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
Requirements:
- All traffic must be routed through the primary tunnel when both tunnels are up.
- The secondary tunnel must be used only if the primary tunnel goes down.
- In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.). Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. Enable Dead Peer Detection. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile. An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. What are two solutions for satisfying the requirement? (Choose two.). Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address. Configure a web override rating for download.com and select Malicious Websites as the subcategory. Set the Freeware and Software Downloads category Action to Warning.

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?. It uses UDP 53. It uses DNS over TLS. It uses DNS over HTTPS. It uses UDP 8888.

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.). Extended authentication (XAuth) to request the remote peer to provide a username and password. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged. Pre-shared key and certificate signature as authentication methods. No certificate is required on the remote peer when you set the certificate signature as the authentication method.

Refer to the exhibits, which show the system performance output and the default configuration of high memory usage thresholds in a FortiGate. Based on the system output, what are the two possible outcomes? (Choose two.). Administrators can access FortiGate only through the console port. FortiGate will start sending all files to FortiSandbox for inspection. Administrators cannot change the configuration. FortiGate has entered conserve mode.

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.). The client FortiGate requires a client certificate signed by the CA on the server FortiGate. The client FortiGate requires a manually added route to remote subnets. The server FortiGate requires a CA certificate to verify the client FortiGate certificate. The client FortiGate uses the SSL VPN tunnel interface type to connect to SSL VPN.

When a firewall policy is created, which attribute is added to support logging to FortiAnalyzer/FortiManager?. Policy ID. Sequence ID. Universally Unique Identifier. Log ID.

To set up redundant IPsec VPN tunnels with static routes and fast failover, which two configurations are needed? (Choose two.). Lower distance for primary tunnel static route, higher for secondary. Enable Dead Peer Detection (DPD). Higher distance for primary tunnel static route, lower for secondary. Enable Auto-negotiate/Autokey Keep Alive in Phase 2.

Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration, firewall policy, and the sniffer CLI output on the FortiGate device. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. The webserver host (10.0.1.10) must use its VIP external IP address as the source NAT (SNAT) when it pings remote server (10.200.3.1). Which two statements are valid to achieve this goal? (Choose two.). Create a new firewall policy before Internet_Access for the webserver and apply the IP pool. Enable NAT on the Allow_access firewall policy. Disable NAT on the Internet_Access firewall policy. Disable port forwarding on the VIP object.

Refer to the exhibits, which show:
- Application sensor configuration.
- Excessive-Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls (low volume)?. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow. Apple FaceTime will be allowed, based on the Apple filter configuration. Apple FaceTime will be allowed, based on the Video/Audio category configuration.

Which two statements are true about the routing entries in this database table? (Choose two.). The port2 interface is marked as inactive. Both default routes have different administrative distances. All entries in the routing database table are installed in the FortiGate routing table. The default route on port2 is marked as the standby route.

Refer to the exhibits, which show:
- A network diagram of a FortiGate device.
- Firewall policy and IP pool configuration.
Scenario:
- PC1 and PC2 can access the internet successfully.
- PC3 (newly added) cannot connect to the internet.
Which two configuration changes will resolve PC3's connectivity issue? (Choose two.). In the IP pool configuration, set endip to 192.2.0.12. In the firewall policy, add 10.0.1.3 (PC3's IP) as a source address object. Configure a new firewall policy for PC3's IP and place it at the top of the policy list. In the IP pool configuration, set type to overload.

What are two features of the NGFW profile-based mode? (Choose two.). NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy. NGFW profile-based mode can only be applied globally and not on individual VDOMs. NGFW profile-based mode policies support both flow inspection and proxy inspection. NGFW profile-based mode must require the use of central source NAT policy.

Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.). Incremental configuration synchronization can occur only from changes made on the primary FortiGate device. Checksums of devices will be different from each other because some configuration items are not synced to other HA members. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster. Checksums of devices are compared against each other to ensure configurations are the same.

A network administrator has configured an SSL/SSH inspection profile for full SSL inspection using a private CA certificate. The firewall policy allowing traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors. What is the reason for these certificate warnings?. With full SSL inspection, it is impossible to avoid browser-level certificate warnings. The SSL cipher compliance option is not enabled on the SSL inspection profile (required for private CA certificates). The certificate used by FortiGate lacks required extensions. The browser does not recognize the certificate as signed by a trusted CA.

A network administrator is configuring an IPsec VPN tunnel for a sales employee traveling abroad. Which IPsec Wizard template must the administrator apply?. Remote Access. Dial-up User. Site-to-Site. Hub-and-Spoke.

Refer to the exhibit, which shows a partial configuration from the remote authentication server. Why does the FortiGate administrator need this configuration?. To set up a RADIUS server Secret. To authenticate and match the Training OU on the RADIUS server. To authenticate any FortiGate user groups. To authenticate only the Training user group.

An administrator manages a FortiGate model that supports NTurbo. How does NTurbo enhance performance for flow-based inspection?. NTurbo buffers the whole file and then sends it to the antivirus engine. NTurbo creates two inspection sessions on the FortiGate device. NTurbo offloads traffic to the content processor. NTurbo creates a special data path to redirect traffic between the IPS engine and its ingress and egress interfaces.

When FortiGate performs SSL/SSH full inspection, you can configure its response to invalid certificates. Which three actions can FortiGate take when detecting an invalid certificate? (Choose three.). Block & Warning. Allow & Warning. Block. Allow. Trust & Allow.

An administrator configured a FortiGate to act as a collector for agentless polling mode. What must the administrator add to the FortiGate device to retrieve Active Directory (AD) user group information?. LDAP server. RADIUS server. Windows server. DHCP server.

Which algorithm does SD-WAN use to distribute traffic that does not match any SD-WAN rules?. All traffic from a source IP is sent to the same interface. Traffic is sent to the link with the lowest latency. All traffic from a source IP to a destination IP is sent to the same interface. Traffic is distributed based on the number of sessions through each interface.

Which statement is a characteristic of automation stitches?. They can have one or more triggers. They can be run only on devices in the Security Fabric. They can be created only on downstream devices in the fabric. They can run multiple actions at the same time.

Which method allows management access to the FortiGate CLI without network connectivity?. CLI console widget. Telnet console. SSH console. Serial console.

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. Based on the exhibit, which statement is true?. The d-wan zone contains no member. The virtual-wan-link zone contains no member. The underlay zone contains port1 and port2. The d-wan zone cannot be deleted.

An employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?. SSL VPN login-timeout. SSL VPN session-ttl. SSL VPN idle-timeout. SSL VPN dtls-hello-timeout.

Which three methods are used by the collector agent for Active Directory (AD) polling? (Choose three.). FortiGate polling. NetAPI. WMI. FSSO REST API. WinSecLog.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with identical security profiles. Which action must the administrator perform to consolidate these policies into one?. Select port1 and port2 subnets in a single firewall policy. Replace port1 and port2 with the any interface in a single firewall policy. Create an Interface Group that includes port1 and port2 to create a single firewall policy. Interface in a single firewall policy.

Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.). Lowest Cost (SLA) with load balancing. Manual with load balancing. Best Quality with load balancing. Lowest Quality (SLA) with load balancing. Lowest Cost (SLA) without load balancing.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.). The sensor will gather a packet log for all matched traffic. The sensor will allow attackers matching the Microsoft.Windows/SCSI.Target.DoS signature. The sensor will reset all connections that match these signatures. The sensor will block all attacks aimed at Windows servers.

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.). If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based. If SD-WAN is enabled, you control the load-balancing algorithm with the parameter load-balance-mode. If SD-WAN is disabled, you configure the load-balancing algorithm in config system settings. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP.

FortiGate is configured for firewall authentication, but when a user attempts to access an external website, no login prompt appears. What is the most likely reason?. The user is using an incorrect username. The Remote-users group is not added to the Destination. No matching user account exists for this user. The Service DNS is required in the firewall policy.

Why did FortiGate drop the packet?. The next-hop IP address is unreachable. It failed the RPF (Reverse Path Forwarding) check. It matched the default implicit firewall policy. It matched an explicitly configured firewall policy with the action DENY.

A network diagram of a FortiGate device. IP pool configuration and firewall policy objects. Network Configuration: WAN (port1): IP address 10.200.1.1/24. LAN (port3): IP address 10.0.1.254/24. Scenario: When the user on Local-Client (10.0.1.10) pings Remote-FortiGate (10.200.3.1), which IP address will be used for source NAT (SNAT)?. 10.200.1.1. 10.200.1.149. 10.200.1.99. 10.200.1.49.
