Title of test:
FCP_FGT_AD-7.4: Fortinet FCP 3/6

Description:
FCP Fortinet test

Author:
tchai tchai

Creation Date: 02/09/2024

Category: Geography

Number of questions: 50
Content:
Which statement about the policy ID number of a firewall policy is true?
- It changes when firewall policies are reordered.
- It represents the number of objects used in the firewall policy.
- It is required to modify a firewall policy using the CLI.
- It defines the order in which rules are processed.

Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two.)
- FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
- FortiGate uses the AD server as the collector agent.
- FortiGate directs the collector agent to use a remote LDAP server.
- FortiGate does not support workstation check.

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)
- Web filter in flow-based inspection
- Antivirus in flow-based inspection
- Application control
- DNS filter
- Web application firewall

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?
- The administrator must use a FortiAuthenticator device.
- The administrator can register the same FortiToken on more than one FortiGate.
- The administrator must use the user self-registration server.
- The administrator can use a third-party RADIUS OTP server.

A client workstation is connected to FortiGate port2. The FortiGate port1 is connected to an ISP router. port2 and port3 are both configured as a software switch. Which IP address must be configured on the workstation as the default gateway?
- The software switch interface IP address
- The router IP address
- The port2 IP address
- The FortiGate management IP address

Which two statements regarding the SD-WAN feature on FortiGate are true? (Choose two.)
- FortiGate supports only one SD-WAN interface per VDOM.
- An SD-WAN static route does not require a next-hop gateway IP address.
- SD-WAN provides route failover protection, but cannot load-balance traffic.
- Each member interface requires its own firewall policy to allow traffic.

Which statement about video filtering on FortiGate is true?
- It inspects video files hosted on file sharing services.
- Full SSL inspection is not required.
- It is available only on a proxy-based firewall policy.
- Video filtering FortiGuard categories are based on web filter FortiGuard categories.

The Priority attribute applies to which type of routes?
- Default routes
- Dynamic
- Static
- Directly connected routes

In this scenario, FGT1 has the following routing table:
S* 0.0.0.0/0 [10/0] via 10.40.72.2, port1
C 172.16.32.0/24 is directly connected, port2
C 10.40.72.0/30 is directly connected, port1
A user at 192.168.32.15 is trying to access the web server at 172.16.32.254. Which of the following statements best describe how the FortiGate will perform reverse path forwarding checks on this traffic? (Choose two.)
- Loose RPF check will allow the traffic.
- Strict RPF check will allow the traffic.
- Loose RPF check will deny the traffic.
- Strict RPF check will deny the traffic.

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2. Remote-user2 is still able to access Webserver. Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)
- Disable match-vip in the Deny policy.
- Enable match-vip in the Deny policy.
- Set the Destination address as Deny_IP in the Allow-access policy.
- Set the Destination address as Web_server in the Deny policy.

Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?
- FortiGate can inspect sub-application traffic regardless of where it originated.
- The security actions applied on the web applications will also be explicitly applied on the third-party websites.
- FortiGuard maintains only one signature of each web application that is unique.
- The application signature database inspects traffic only from the original web application server.

Which two statements about firewall policy NAT using the outgoing interface IP address with fixed port disabled are true? (Choose two.)
- Port address translation is not used.
- Connections are tracked using source port and source MAC address.
- The source IP is translated to the outgoing interface IP.
- This is known as many-to-one NAT.

Which of the following statements about route-based VPN is correct?
- It usually requires two firewall policies—one for each direction.
- Route-based VPNs do not support dynamic routing protocols.
- One policy controls both traffic directions.
- Route-based VPNs are incompatible with IPsec.

What configuration setting must be enabled to allow VLAN-tagged traffic through a virtual wire pair?
- VLAN tagging on individual interfaces
- Transparent bridging
- Wildcard VLAN
- NAT mode

When is a new TCP session allocated?
- When a SYN packet is allowed
- When a FIN packet is received
- When a SYN/ACK packet is allowed
- When any ICMP packet is allowed

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?
- Change the csf setting on ISFW (downstream) to set fabric-object-unification default.
- Change the csf setting on Local-FortiGate (root) to set configuration-sync local.
- Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
- Change the csf setting on ISFW (downstream) to set configuration-sync local.

Which command would you use to identify the IP addresses of all authenticated users?
- diagnose firewall auth list
- diagnose firewall auth clear
- diagnose system session list
- get firewall user list

What happens if there is no matching central SNAT policy or no central SNAT policy configured?
- Traffic is rerouted through an alternate pathway.
- FortiGate drops traffic.
- The egress interface IP will be used.
- Traffic is passed without any NAT being applied.

What devices form the core of the security fabric?
- Two FortiGate devices and one FortiManager device
- One FortiGate device and one FortiAnalyzer device
- Two FortiGate devices and one FortiAnalyzer device
- One FortiGate device and one FortiManager device

What is the default STP mode for FortiGate?
- FortiGate generates its own BPDUs for STP operations.
- FortiGate has all STP functions disabled.
- FortiGate actively participates in STP as a bridge.
- FortiGate passively forwards BPDUs.

Based on the ZTNA tag, the security posture of the remote endpoint has changed. What will happen to endpoint active ZTNA sessions?
- They will be re-evaluated to match the security policy.
- They will be re-evaluated to match the endpoint policy.
- They will be re-evaluated to match the ZTNA policy.
- They will be re-evaluated to match the firewall policy.

An organization's employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?
- Change the udp idle timer.
- Change the session-ttl.
- Change the idle-timeout.
- Change the login timeout.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct?
- Administrators can access FortiGate only through the console port
- FortiGate will start sending all files to FortiSandbox for inspection
- FortiGate has entered conserve mode
- Administrators cannot change the configuration.

When verifying SD-WAN traffic routing with the CLI packet capture tool, which verbosity level should you use?
- 1
- 9
- 6
- 4

When configuring a firewall virtual wire pair policy, which of the following statements is true?
- Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.
- Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
- Exactly two virtual wire pairs need to be included in each policy.
- Only a single virtual wire pair can be included in each policy.

What is the purpose of the policy lookup feature on FortiGate?
- To block traffic based on input criteria
- To automatically adjust firewall settings based on traffic patterns.
- To update firewall policies based on real-time network analysis.
- To find a matching policy based on input criteria.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)
- The port3 default route has the lowest metric
- The port3 default route has the highest distance
- The port1 and port2 default routes are active in the routing table
- There will be eight routes active in the routing table.

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
- A root CA
- A person
- A CRL
- A subordinate CA

Which FQDN does FortiGate use to obtain IPS updates?
- update.fortiguard.net
- secure.fortinet.net
- ipsupdate.fortinet.com
- service.fortiguard.com

An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. What are two solutions for satisfying the requirement?
- Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
- Set the Freeware and Software Downloads category Action to Warning.
- Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
- Configure a web override rating for download.com and select Malicious Websites as the subcategory.

What statement about the HTTP block page for application control is true?
- It is primarily effective for applications that use HTTP protocol for communication.
- It works for all types of applications.
- It can be used only for web applications.
- It is specifically used for blocking HTTP traffic for certain applications.

What is the purpose of the link health monitor setting update-static-route?
- To monitor and log the health status of the link without affecting routing.
- It removes all static routes associated with the link health monitor's interface.
- To prioritize traffic over the monitored link.
- It creates a new static route for the backup interface.

Which TCP port does FortiGuard use for application control?
- 53
- 443
- 8888
- 80

Which CLI command can be used to determine the MAC address of a FortiGate's default gateway?
- get system arp
- get hardware nic
- diagnose ip arp list
- show system interface

When FortiGate uses RADIUS server for remote authentication, which statement about RADIUS is true?
- FortiGate must query remote RADIUS server using the distinguished name (dn).
- RADIUS group memberships are provided by vendor specific attributes (VSAs) configured on the RADIUS server
- RADIUS authenticates by directly querying the user's machine.
- RADIUS authentication is based on static IP assignments for each user.

What type of logs are application control, web filter, antivirus, and DLP?
- Event
- Security
- System
- Traffic

Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)
- For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password
- FortiGate supports pre-shared key and signature as authentication methods.
- Enabling XAuth results in a faster authentication because fewer packets are exchanged.
- A certificate is not required on the remote peer when you set the signature as the authentication method.

Which of the following CLI commands can you use to view inactive routes?
- get router into routing-table all
- get router info route-table database
- get router info routing-table inactive
- show ip route inactive

With email alerts, you can trigger alert emails based on ____ or log severity level.
- event
- threat weight
- User activity
- Network traffic volume

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit. What should the administrator do next to troubleshoot the problem?
- Run a sniffer on the web server.
- Capture the traffic using an external sniffer connected to port1.
- Execute another sniffer in the FortiGate, this time with the filter "host 10.0.1.10"
- Execute a debug flow.

Which two statements describe how the RPF check is used? (Choose two.)
- The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
- The RPF check is run on the first sent and reply packet of any new session.
- The RPF check is run on the first sent packet of any new session.
- The RPF check is run on the first reply packet of any new session.

On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager? (Choose two.)
- hourly
- real time
- on-demand
- store-and-upload

Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
- ADVPN is only supported with IKEv2.
- Tunnels are negotiated dynamically between spokes.
- It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
- Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Which security action restricts SSL-VPN connections from users located in a specific country or region?
- Restricting hosts by MAC address
- Restricting hosts by IP address
- Restricting hosts by user agent
- Restricting hosts by session duration

What is the distance value for the following route? 10.200.2.0/24 [110/2] via 10.200.2.254, [25/0]
- 110
- 2
- 10
- 24

In an HA cluster operating in active-active mode, which path is taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?
- Client > secondary FortiGate > primary FortiGate > web server
- Client > primary FortiGate > secondary FortiGate > primary FortiGate > web server
- Client > primary FortiGate > secondary FortiGate > web server
- Client > secondary FortiGate > web server

Examine the following log message attributes:
hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled"
Which two statements about the log are correct? (Choose two.)
- The category action was set to warning.
- The user failed authentication.
- The user was prompted to decide whether to proceed or go back.
- The website was allowed on the first attempt.

Which three actions are valid for static URL filtering? (Choose three.)
- Warning
- Allow
- Block
- Shape
- Exempt

Which of the following may cause an NTLM authentication to occur?
- Traffic coming from an IP on the FSSO user list
- Traffic coming from an IP not on the FSSO user list
- Traffic destined to an external IP address
- Traffic originating from a device with no user logged in

What is included in the configuration of an authentication scheme?
- Authentication method
- Source IP address
- Encryption key strength
- Data retention policy