CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Fortinet
  5. FCP_FGT_AD-7.4

Free FCP_FGT_AD-7.4 Exam Braindumps (page: 4)

Page 3 of 23
PDF with 88 Questions

Refer to the exhibit.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.

An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.

What are two solutions for satisfying the requirement? (Choose two.)

  1. Configure a separate firewall policy with action Deny and an FQDN address object for *. download, com as destination address.
  2. Set the Freeware and Software Downloads category Action to Warning
  3. Configure a web override rating for download, com and select Malicious Websites as the subcategory.
  4. Configure a static URL filter entry for download, com with Type and Action set to Wildcard and Block, respectively.

Answer(s): A,D

Explanation:

To block access specifically to download.com while allowing other sites in the "Freeware and Software Downloads" category, you can create a separate firewall policy with a deny action specifically for the FQDN *.download.com. This approach allows blocking this particular site without affecting the other sites in the same category. Alternatively, configuring a static URL filter entry with the type set to Wildcard and action set to Block will also achieve the desired effect by directly blocking the specific URL without impacting other sites in the category.


Reference:

FortiOS 7.4.1 Administration Guide: URL filter configuration



A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

  1. Enable Dead Peer Detection
  2. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
  3. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  4. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Answer(s): A,C

Explanation:

To configure redundant IPsec VPN tunnels on FortiGate with failover capability, the following two key configuration changes are required:
A . Enable Dead Peer Detection (DPD): Dead Peer Detection is crucial for detecting if the remote peer is unreachable. By enabling DPD, FortiGate can quickly detect a dead tunnel, ensuring a faster failover to the secondary tunnel when the primary tunnel goes down. C . Configure a lower distance on the static route for the primary tunnel and a higher distance on the static route for the secondary tunnel: The static route with the lower distance (higher priority) will be used when both tunnels are operational. If the primary tunnel fails, the higher distance (lower priority) route for the secondary tunnel will take over, ensuring traffic is routed correctly.
The other options are not suitable:
B . Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels: This option is not directly related to the requirements of failover between two IPsec VPN tunnels. D . Configure a higher distance on the static route for the primary tunnel and a lower distance on the static route for the secondary tunnel: This would prioritize the secondary tunnel over the primary tunnel, which is opposite to the desired configuration.


Reference:

FortiOS 7.4.1 Administration Guide - Configuring IPsec VPN, page 1320. FortiOS 7.4.1 Administration Guide - Redundant VPN Configuration, page 1335.



Refer to the exhibits.

The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.

Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

  1. Apple FaceTime will be allowed, based on the Video/Audio category configuration.
  2. Apple FaceTime will be allowed, based on the Apple filter configuration.
  3. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
  4. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

Answer(s): D

Explanation:

Based on the application sensor configuration and the filter details:
D . Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration: The "Excessive-Bandwidth" filter is set to block, which includes "FaceTime" under its application signature. As a result, FaceTime will be blocked regardless of the "Apple" filter configuration because the "Excessive-Bandwidth" filter takes precedence due to its block action setting.
The other options are not correct:
A . Apple FaceTime will be allowed, based on the Video/Audio category configuration: The Video/Audio category is not relevant because FaceTime is specifically included in the Excessive- Bandwidth filter, which blocks it.
B . Apple FaceTime will be allowed, based on the Apple filter configuration: Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this. C . Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow: The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail.


Reference:

FortiOS 7.4.1 Administration Guide - Application Control and Filtering, page 978. FortiOS 7.4.1 Administration Guide - Application Sensor Configuration, page 982.



An employee needs to connect to the office through a high-latency internet connection.
Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

  1. SSL VPN idle-timeout
  2. SSL VPN login-timeout
  3. SSL VPN dtls-hello-timeout
  4. SSL VPN session-ttl

Answer(s): C

Explanation:

For a high-latency internet connection, the SSL VPN setting that should be adjusted is:
C . SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.
The other options are not suitable:
A . SSL VPN idle-timeout: This setting controls the idle time allowed before a session is terminated, which is not relevant to the initial connection establishment. B . SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.
D . SSL VPN session-ttl: This setting controls the total time-to-live for an SSL VPN session but does not directly address issues caused by high latency.


Reference:

FortiOS 7.4.1 Administration Guide - SSL VPN Configuration, page 1415.






Post your Comments and Discuss Fortinet FCP_FGT_AD-7.4 exam with other Community members:

FCP_FGT_AD-7.4 Discussions & Posts