Free FCP_FGT_AD-7.4 Exam Braindumps (page: 11)

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.

Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

  A. 10.200.1.1
  B. 10.200.1.149
  C. 10.200.1.99
  D. 10.200.1.49

Answer(s): D

Explanation:

The traffic from the user on Local-Client (10.0.1.10) pinging the IP address of Remote-FortiGate (10.200.3.1) will match the firewall policy with the service "PING traffic". According to the firewall policy:
Policy ID 6 is set for PING traffic and uses the NAT IP pool "SNAT-Remote1", which is defined as 10.200.1.99.



Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

  A. On HQ-FortiGate, disable Diffie-Hellman group 2.
  B. On Remote-FortiGate, set port2 as Interface.
  C. On both FortiGate devices, set Dead Peer Detection to On Demand.
  D. On HQ-FortiGate, set IKE mode to Main (ID protection).

Answer(s): C,D

Explanation:

To bring phase 1 up, the following changes can be made:

A. On HQ-FortiGate, disable Diffie-Hellman group 2: This is incorrect because Diffie-Hellman group 2 is already selected on both devices. Disabling it would not help.

B. On Remote-FortiGate, set port2 as Interface: This is incorrect because both sides should be consistent in their interface settings for the IPsec tunnel, and the interface is correctly set to port1 on both FortiGates in the IPsec configuration.

C. On both FortiGate devices, set Dead Peer Detection to On Demand: This is a valid option. Setting Dead Peer Detection (DPD) to "On Demand" helps maintain the IPsec connection by checking whether the peer is still available, which can help in some cases where the connection fails due to timeouts.

D. On HQ-FortiGate, set IKE mode to Main (ID protection): This is also a valid option because Remote-FortiGate is already set to Main mode (ID protection). Ensuring that both ends use the same mode is crucial for successful phase 1 negotiation.

Thus, the correct answers are:

C. On both FortiGate devices, set Dead Peer Detection to On Demand.
D. On HQ-FortiGate, set IKE mode to Main (ID protection).



A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering.
When visiting any HTTPS websites, the browser reports certificate warning errors.

What is the reason for the certificate warning errors?

  A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.
  B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
  C. The browser does not recognize the certificate in use as signed by a trusted CA.
  D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.

Answer(s): C

Explanation:

The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.


Reference:

FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration



Refer to the exhibit.

FortiGate is configured for firewall authentication.
When attempting to access an external website, the user is not presented with a login prompt.

What is the most likely reason for this situation?

  A. The Service DNS is required in the firewall policy.
  B. The user is using an incorrect user name.
  C. The Remote-users group is not added to the Destination.
  D. No matching user account exists for this user.

Answer(s): A

Explanation:

Firewall authentication generally requires the DNS service to be enabled in the firewall policy to correctly resolve hostnames during the authentication process. If DNS is not allowed in the firewall policy, the FortiGate cannot resolve external domains, and as a result, the user may not be presented with the login prompt when attempting to access an external website.


Reference:

FortiOS 7.4.1 Administration Guide: Firewall Authentication Configuration
