Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Home
Fortinet
Fortinet Network Security Expert
FCP_FGT_AD-7.6
FortiGate 7.6 Administrator FCP_FGT_AD-7.6 Questions and Answers

Pass the Fortinet Network Security Expert FCP_FGT_AD-7.6 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam FCP_FGT_AD-7.6 Premium Access

View all detail and faqs for the FCP_FGT_AD-7.6 exam

Go to Exam

364 Students Passed

95% Average Score

93% Same Questions

Viewing page 1 out of 2 pages

Viewing questions 1-10 out of questions

Questions # 1:

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Question # 1

Based on the exhibit, which statement is true?

Options:

The Underlay zone is the zone by default.

The Underlay zone contains no member.

port2 and port3 are not assigned to a zone.

The virtual-wan-link and overlay zones can be deleted.

Answer

Explanation

The Underlay zone is the default SD-WAN zone, typically representing the physical interfaces in the SD-WAN configuration before overlay or virtual links are added.

Questions # 2:

A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View. The policies appear in a different order in each view.

Why is the policy order different in these two views?

Options:

Policies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator’s manual ordering.

By Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.

The firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.

Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.

Answer

Explanation

Interface Pair View organizes policies grouped by source and destination interfaces, whereas By Sequence View displays policies in the exact order they are processed by the firewall.

Questions # 3:

You are analyzing connectivity problems caused by intermediate devices blocking traffic in SSL VPN environment.

In which two ways can you effectively resolve the problem? (Choose two.)

Options:

You can turn off IKE fragmentation to fix large certificate negotiation problems.

You should use IPsec to solve issues with fragment drops and large certificate exchanges.

You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).

You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.

Answer

A, C

Explanation

Disabling IKE fragmentation helps resolve issues caused by intermediate devices blocking large fragmented packets during certificate negotiation.

Using SSL VPN tunnel mode encapsulates traffic over HTTPS, bypassing blocks on ESP and UDP ports commonly used by IPsec.

Questions # 4:

Refer to the exhibit.

Question # 4

As an administrator you have created an IPS profile, but it is not performing as expected. While testing you got the output as shown in the exhibit.

What could be the possible reason of the diagnose output shown in the exhibit?

Options:

There is a no firewall policy configured with an IPS security profile.

FortiGate entered into IPS fail open state.

Administrator entered the command diagnose test application ipsmonitor 5.

Administrator entered the command diagnose test application ipsmonitor 99.

Answer

Explanation

The output shows the IPS engine count as 0, indicating no active IPS engines are running. This typically means no firewall policy is referencing the IPS security profile, so the IPS profile is not being applied or triggered.

Questions # 5:

Refer to the exhibit.

Question # 5

The NOC team connects to the FortiGate GUI with theNOC_Accessadmin profile. They request that their GUI sessions do not disconnect too early during inactivity.

What must the administrator configure to answer this specific request from the NOC team?

Options:

Move NOC_Access to the top of the list to ensure all profile settings take effect.

Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.

Ensure that all NOC_Access users are assigned the super_admin role to guarantee access

Increase the admintimeout value under config system accprofile NOC_Access.

Answer

Explanation

The admintimeout setting in the admin access profile controls the inactivity timeout for GUI sessions. Increasing this value will extend the session duration before automatic disconnection.

Questions # 6:

A FortiGate firewall policy is configured with active authentication, however, the user cannot authenticate when accessing a website.

Which protocol must FortiGate allow even though the user cannot authenticate?

Options:

LDAP

TACASC+

Kerberos

DNS

Answer

Explanation

DNS traffic must be allowed so the user can resolve domain names and reach the authentication server or web resources, even if authentication initially fails.

Questions # 7:

Refer to the exhibits.

Question # 7

Based on the current HA status, an administrator updates theoverrideandpriorityparameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit.

What would be the expected outcome in the HA cluster?

Options:

HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.

HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.

HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.

The HA cluster will become out of sync because the override setting must match on all HA members.

Answer

Explanation

With override enabled on HQ-NGFW-2 and its higher priority (110 vs. 90), HQ-NGFW-2 will become the primary device, preempting HQ-NGFW-1 despite the current primary status.

Questions # 8:

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.

Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)

Options:

Both interfaces must have the interface role assigned.

Both interfaces must have directly connected routes on the routing table.

Both interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.

Both interfaces must have IP addresses assigned.

Answer

B, D

Explanation

Interfaces must have directly connected routes in the routing table to forward traffic correctly.

Interfaces must have IP addresses assigned to communicate within their respective networks.

Questions # 9:

An administrator wanted to configure an IPS sensor to block traffic that triggers a signature set number of times during a specific time period.

How can the administrator achieve the objective?

Options:

Use IPS group signatures, set rate-mode 60.

Use IPS packet logging option with periodical filter option.

Use IPS filter, rate-mode periodical option.

Answer

Explanation

The IPS filter with the rate-mode set to "periodical" allows the administrator to block traffic that triggers a signature a specified number of times within a defined time period, meeting the requirement.

Questions # 10:

Refer to the exhibit.

Question # 10

The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit.

For which two reasons are these web categories exempted? (Choose two.)

Options:

The FortiGate temporary certificate denies the browser’s access to websites that use HTTP Strict Transport Security.

These websites are in an allowlist of reputable domain names maintained by FortiGuard.

The resources utilization is optimized because these websites are in the trusted domain list on FortiGate.

The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.

Answer

A, D

Explanation

FortiGate's temporary SSL certificate may cause access denial to sites using HTTP Strict Transport Security (HSTS), so such sites are exempted from deep SSL inspection.

Legal regulations require exemption of certain categories to protect user privacy and sensitive information, so these web categories are excluded from SSL inspection.

Viewing page 1 out of 2 pages

Viewing questions 1-10 out of questions