Download Valid Fortinet FCP_FGT_AD-7.6 Exam Dumps For Best Preparation 1 / 11
Exam: FCP_FGT_AD-7.6
Title: FCP - FortiGate 7.6 Administrator
https://www.passcert.com/FCP_FGT_AD-7.6.html

1. Refer to the exhibit.
Which route will be selected when trying to reach 10.20.30.254?
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
Answer: A
Explanation:
The correct route to reach 10.20.30.254 is A, 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]. This route is the most specific match for 10.20.30.254 compared to the other routes (10.20.30.0/26 and 10.30.20.0/24) and is therefore selected as the best match.

2. Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)
A. Port block allocation
B. Fixed port range
C. One-to-one
D. Overload
Answer: A, B
Explanation:
The two IP pool types that are useful for carrier-grade NAT (CGNAT) deployments are A, port block allocation, and B, fixed port range.
A. Port block allocation: a block of ports is allocated to each internal IP address. This allows multiple internal devices to share the same public IP address while using different port ranges, making more efficient use of public IP addresses.
B. Fixed port range: a fixed range of ports is allocated to each internal IP address. It is similar to port block allocation but restricts each internal IP address to a fixed set of ports, which can be useful for certain applications or scenarios.
Both port block allocation and fixed port range are commonly used in CGNAT deployments to manage the mapping of internal private IP addresses to public IP addresses and ports, making efficient use of limited IPv4 addresses.
3. What is eXtended Authentication (XAuth)?
A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
D. It is an IPsec extension that authenticates remote VPN peers using digital certificates.
Answer: B
Explanation:
The correct answer is B: it is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
eXtended Authentication (XAuth) is an IPsec extension that adds an additional authentication step for remote VPN users after the initial IPsec phase 1 and phase 2 negotiations. XAuth requires users to provide their credentials (username and password) in addition to the standard IPsec authentication, strengthening the authentication of the VPN connection.

4. What must you configure to enable proxy-based TCP session failover?
A. You must configure ha-configuration-sync under configure system ha.
B. You do not need to configure anything because all TCP sessions are automatically failed over.
C. You must configure session-pickup-enable under configure system ha.
D. You must configure session-pickup-connectionless enable under configure system ha.
Answer: C
Explanation:
The correct answer is C: you must configure session-pickup-enable under configure system ha.
To enable proxy-based TCP session failover on a Fortinet FortiGate firewall, you must configure the session-pickup-enable setting under the high availability (HA) configuration. This setting allows the firewall to pick up and maintain TCP sessions after a failover event, ensuring continuity of service for established connections.

5. An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN.
How can this be achieved?
A. Assigning public IP addresses to SSL-VPN users
B. Configuring web bookmarks
C. Disabling split tunneling
D. Using web-only mode
Answer: C
Explanation:
The correct answer is C: disabling split tunneling.
Split tunneling allows VPN users to access both local and remote networks simultaneously. To inspect all web traffic, including Internet traffic, coming from users connecting to the SSL-VPN, you must disable split tunneling. Disabling split tunneling forces all user traffic through the VPN tunnel, allowing you to inspect and control it.

6. Which NAT method translates the source IP address in a packet to another IP address?
A. DNAT
B. SNAT
C. VIP
D. IPPOOL
Answer: B
Explanation:
The correct answer is B: SNAT.
SNAT (Source Network Address Translation), also known as MASQUERADE in iptables, translates the source IP address in a packet to another IP address. It is commonly used where internal private IP addresses need to be translated to a single public IP address, for example when accessing the Internet.
DNAT (Destination Network Address Translation) translates the destination IP address in a packet to another IP address. VIP (Virtual IP) designates a single IP address that represents multiple servers for load balancing or high availability purposes. IPPOOL typically refers to a range of IP addresses that can be dynamically assigned to clients, as in DHCP.

7. What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?
A. Both can be enabled at the same time.
B. Both support volume algorithms.
C. Both control ECMP algorithms.
D. Both use the same physical interface load balancing settings.
Answer: C
Explanation:
The correct answer is C: both control ECMP algorithms.
In the context of SD-WAN (Software-Defined Wide Area Network), ECMP (Equal-Cost Multi-Path) algorithms determine which of several equal-cost paths a packet takes through the network. Both IPv4 and SD-WAN ECMP algorithms control how traffic is load balanced across multiple paths to a destination. IPv4 ECMP operates at the network layer (Layer 3) of the OSI model, whereas SD-WAN ECMP operates at a higher level, typically involving application-aware routing and more advanced traffic steering capabilities.

8. Refer to the exhibit.
Which statement about the configuration settings is true?
A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
C. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
D. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.
Answer: B
Explanation:
B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
In this scenario, the remote user is accessing the FortiGate device using HTTPS (port 443), which is typically used for SSL-VPN access. Therefore, when accessing the device at that address and port, the SSL-VPN login page opens for the user to authenticate and establish a VPN connection.

9. What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
A. It limits the scanning of application traffic to the browser-based technology category only.
B. It limits the scanning of application traffic to the DNS protocol only.
C. It limits the scanning of application traffic to use parent signatures only.
D. It limits the scanning of application traffic to the application category only.
Answer: A
Explanation:
A. It limits the scanning of application traffic to the browser-based technology category only.
You can configure the URL category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website.

10. Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies. The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.
Which policy will be highlighted, based on the input criteria?
A. Policy with ID 4.
B. Policy with ID 5.
C. Policies with ID 2 and 3.
D. Policy with ID 1.
Answer: B
Explanation:
Policy with ID 5. The traffic comes in on port3 and hits Facebook-Web (Application); the screenshot shows that it allows HTTP and HTTPS traffic (80, 443). There are three rules related to port3 and two rules with source LOCAL_CLIENT, which leaves rules 1 and 5. The service in rule 1 is ALL_UDP; the service in rule 5 is Internet Services. The destination port we are looking for is 443 (usually TCP), so it has to be policy ID 5.
We are looking for a policy that will allow or deny traffic from the source interface port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to facebook.com on TCP port 443 (HTTPS). Only two policies match this traffic, policy ID 2 and policy ID 5. In FortiGate, firewall policies are evaluated from top to bottom: the first policy that matches the traffic is applied, and subsequent policies are not evaluated. Based on the Policy Lookup criteria, policy ID 5 will be highlighted.
11. FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
Answer: B, C
Explanation:
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883
Each interface (physical or VLAN) can belong to only one VDOM. This means that subinterfaces (VLANs) on the same physical interface can have the same VLAN ID as long as they are not assigned to the same VDOM.
VLAN
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interface/ta-p/197640
* VLANs can be created on any physical or aggregate (802.3ad) interface
  - The same VLAN number cannot be configured twice on the same physical interface
  - The same VLAN number can be used on different physical interfaces
  - The usable VLAN ID range is from 1 to 4094
* VDOM interface assignment
  - Two VDOMs cannot share the same interface or VLAN
  - A VLAN subinterface can belong to a different VDOM than the physical interface it is attached to

12. An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?
A. Strict RPF allows packets back to sources with all active routes.
B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session.
Answer: B
Explanation:
B. Strict RPF checks the best route back to the source using the incoming interface.
Strict: in this mode, FortiGate also verifies that the matching route is the best route in the routing table. That is, if the routing table contains a route to the source address through the incoming interface, but there is a better route to the source address through another interface, the RPF check fails.
The strict Reverse Path Forwarding (RPF) check is a security feature that helps prevent source IP address spoofing. When enabled, the FortiGate unit checks the source IP address of each incoming packet and compares it to the routing table to ensure that the packet arrived on the expected interface.
Here is an explanation of statement B: when the FortiGate unit receives a packet, it checks the source IP address and verifies that the packet arrived on the expected interface based on the routing table. The "best route back to the source" is the route in the routing table that would be used to send packets back to the source IP address. If the incoming interface matches the expected interface based on the routing table, the check passes. If not, the packet is considered potentially spoofed and may be dropped or subjected to further security measures. The strict RPF check helps prevent IP address spoofing, a common technique used in various network attacks.
Loose RPF checks for any route back to the source; strict RPF checks for the best route.

13. An administrator has configured the following settings:
    config system settings
        set ses-denied-traffic enable
    end
    config system global
        set block-session-timer 30
    end
What are the two results of this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30 seconds.
B. Denied users are blocked for 30 seconds.
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.
Answer: C, D
Explanation:
The timer is configured in seconds:
ses-denied-traffic: enable/disable including denied sessions in the session table.
block-session-timer: duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.
During a session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable a session table entry for dropped traffic. This creates the denied session in the session table and, because the session is denied, all packets of that session are also denied. FortiGate therefore does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation. This option is in the CLI and is called ses-denied-traffic. You can also set how long a blocked session is kept in the session table with block-session-timer in the CLI. By default, it is set to 30 seconds.
Reference and download study guide:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478

14. Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.
Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?
A. Force access to Facebook using the HTTP service.
B. Make the SSL inspection a deep content inspection.
C. Add Facebook in the URL category in the security policy.
D. Get the additional application signatures required to add to the security policy.
Answer: B
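Added worked example (not part of the exam material): a minimal longest-prefix-match route lookup over the four routes from question 1, reused to model the loose and strict RPF checks described in question 12. The routing table, the test addresses and the interface names are constructed for the example; the lookup first checks that a prefix actually contains the address before comparing prefix lengths, so it also shows which route wins when two candidates both cover an address.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    iface: str

# Constructed routing table: the four candidate routes listed in question 1.
ROUTES = [
    Route(ipaddress.ip_network("10.20.30.0/24"), "172.20.167.254", "port3"),
    Route(ipaddress.ip_network("10.30.20.0/24"), "172.20.121.2", "port1"),
    Route(ipaddress.ip_network("10.20.30.0/26"), "172.20.168.254", "port2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "172.20.121.2", "port1"),
]

def matching_routes(table, addr):
    """Routes whose prefix actually contains addr; a prefix that does not
    cover the address is never a candidate, however long it is."""
    ip = ipaddress.ip_address(addr)
    return [r for r in table if ip in r.network]

def best_route(table, addr):
    """Longest-prefix match: the most specific containing prefix wins, so
    the default route is chosen only when nothing else matches."""
    candidates = matching_routes(table, addr)
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)

def rpf_check(table, src, in_iface, strict):
    """Reverse path forwarding check on a packet's source address.
    loose : pass if any route back to src points out of in_iface.
    strict: pass only if the best route back to src points out of in_iface."""
    if strict:
        best = best_route(table, src)
        return best is not None and best.iface == in_iface
    return any(r.iface == in_iface for r in matching_routes(table, src))

if __name__ == "__main__":
    r = best_route(ROUTES, "10.20.30.254")
    print(f"10.20.30.254 -> {r.network} via {r.gateway}, {r.iface}")
    # 10.20.30.10 arriving on port3: loose passes via the /24, strict fails
    # because the /26 on port2 is the better route back to that source.
    for strict in (False, True):
        print("strict" if strict else "loose",
              rpf_check(ROUTES, "10.20.30.10", "port3", strict))
```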