
FCP_FGT_AD-7.4 Fortinet Practice Test Questions and Exam Dumps
Which two statements are true about the routing entries in this database table? (Choose two.)
A. All of the entries in the routing database table are installed in the FortiGate routing table.
B. The port2 interface is marked as inactive.
C. Both default routes have different administrative distances.
D. The default route on port2 is marked as the standby route.
Correct answers:
C. Both default routes have different administrative distances.
D. The default route on port2 is marked as the standby route.
In FortiGate devices, the routing database is crucial for determining how network traffic is forwarded. When analyzing routing table entries, it's essential to understand specific components like administrative distance, route priorities, and route status (e.g., active or standby).
Option A: "All of the entries in the routing database table are installed in the FortiGate routing table."
This is incorrect. Not all entries in the routing database are necessarily installed in the routing table. Routes are evaluated based on factors like administrative distance and route preference. If there is a more preferred route (e.g., lower administrative distance), it will be selected for installation in the routing table, while others may be ignored.
Option B: "The port2 interface is marked as inactive."
This is incorrect unless explicitly shown in the exhibit. An inactive interface typically means it is not in use for routing purposes. However, this cannot be confirmed without visual context from the exhibit.
Option C: "Both default routes have different administrative distances."
This is correct. The administrative distance (AD) is used to determine the trustworthiness of a route. If two default routes are present, each will likely have a different AD, with the route having the lower AD being preferred for traffic routing.
Option D: "The default route on port2 is marked as the standby route."
This is also correct. In FortiGate devices, standby routes are configured when multiple routes exist to the same destination (such as a default route). The standby route is used when the primary route is unavailable, ensuring network redundancy.
Thus, the correct answers are C and D.
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
A. The host field in the HTTP header.
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
D. The subject field in the server certificate.
E. The serial number in the server certificate.
Correct answers:
A. The host field in the HTTP header.
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
When SSL certificate inspection is enabled, FortiGate devices decrypt and inspect the traffic to identify the server involved in the communication. FortiGate uses various methods to extract and verify the hostname of the SSL server:
A. The host field in the HTTP header:
This field contains the domain name requested by the client. In an HTTPS request, this is often the first piece of information FortiGate uses to identify the hostname. This is a common method used in web traffic to route the request to the correct server.
B. The server name indication (SNI) extension in the client hello message:
SNI is an extension in the SSL/TLS protocol that allows clients to specify the desired hostname during the initial connection handshake. FortiGate uses the SNI to identify the target server and apply the appropriate inspection policy, especially when multiple SSL certificates are hosted on the same IP address.
C. The subject alternative name (SAN) field in the server certificate:
The SAN field in the server’s SSL certificate contains alternative domain names that the certificate is valid for. FortiGate can use the SAN field to further confirm the hostname of the server by matching the request to the SAN values.
D. The subject field in the server certificate:
The subject field generally contains the primary domain name (like www.example.com) for which the certificate is issued, but it's not as comprehensive as the SAN field in identifying hostnames, especially in cases where multiple domain names are included.
E. The serial number in the server certificate:
The serial number is a unique identifier for the certificate itself and does not contain any information about the hostname.
Thus, the correct pieces of information used by FortiGate are A, B, and C.
Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?
A. All traffic from a source IP to a destination IP is sent to the same interface.
B. Traffic is sent to the link with the lowest latency.
C. Traffic is distributed based on the number of sessions through each interface.
D. All traffic from a source IP is sent to the same interface.
Correct answer:
B. Traffic is sent to the link with the lowest latency.
SD-WAN (Software-Defined Wide Area Network) offers dynamic path selection based on various criteria, such as performance, reliability, and security. When traffic does not match any predefined rules in the SD-WAN configuration, it follows an automatic load balancing algorithm to determine the most appropriate path.
Option B: Traffic is sent to the link with the lowest latency.
This is correct. SD-WAN typically uses dynamic path selection to prioritize traffic over the link with the lowest latency. The goal is to ensure the most responsive and efficient use of network resources. For example, if one link has higher latency than another, SD-WAN will route traffic through the low-latency link to optimize performance.
A. All traffic from a source IP to a destination IP is sent to the same interface.
This is typically true for session-based routing but is not a default algorithm for traffic that does not match SD-WAN rules. Instead, SD-WAN generally distributes traffic based on the best performing link rather than sticking to a fixed route for a particular IP pair.
C. Traffic is distributed based on the number of sessions through each interface.
While session-based load balancing is an option, it is not the primary method for traffic distribution if no rules match. The algorithm tends to prioritize link quality (e.g., latency) over session count.
D. All traffic from a source IP is sent to the same interface.
This is not accurate for SD-WAN’s default load balancing, which aims to optimize performance by selecting the best path for traffic.
Thus, the correct choice is B. SD-WAN typically uses latency as a key factor in routing unclassified traffic.
A network administrator is setting up an IPsec VPN tunnel for a sales employee who is traveling abroad. The administrator needs to ensure that the employee can securely access the corporate network from a remote location.
Which IPsec VPN Wizard template should the administrator apply to configure this VPN tunnel?
A. Remote Access
B. Site to Site
C. Dial-up User
D. Hub-and-Spoke
When setting up an IPsec VPN tunnel for a remote employee, the objective is to provide secure access to the corporate network from outside the company’s internal network. The type of VPN configuration you select depends on the nature of the remote connection required.
Option A: Remote Access
The Remote Access template is the most appropriate choice for a sales employee traveling abroad. This template is designed specifically for employees who need to connect to the corporate network from a remote location, such as a hotel, airport, or home office. The Remote Access configuration typically includes settings for the client device (e.g., laptop, smartphone) to securely authenticate and establish a tunnel to the corporate network. It allows the employee to access the company's internal resources as if they were physically on-site. This option is tailored for individuals who connect from various locations, often using public or private internet connections.
Option B: Site to Site
The Site to Site template is used to establish a secure connection between two fixed locations (e.g., two offices). This option would be suitable if there were two physical sites that needed a constant, secure connection, but it is not designed for individual remote users.
Option C: Dial-up User
The Dial-up User template is a legacy option that was used for remote connections over dial-up modems. This is not relevant in modern configurations, especially for an employee traveling abroad using standard internet connections.
Option D: Hub-and-Spoke
The Hub-and-Spoke template is typically used in scenarios where there is one central location (the hub) and multiple remote sites (spokes). This setup is more appropriate for connecting multiple branch offices to a central headquarters, rather than for individual users.
Thus, the correct template for a traveling employee requiring remote access to the corporate network is A. Remote Access.
The exhibits display a network diagram of a FortiGate device and its associated firewall policy and IP pool configuration. In this setup, two PCs, PC1 and PC2, are successfully accessing the internet. However, when the administrator adds a third PC (PC3) to the network, PC3 cannot establish a connection to the internet.
Based on the given configuration and the exhibits, which two of the following options can the administrator use to resolve the connectivity issue for PC3? (Choose two.)
A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
B. In the IP pool configuration, set endip to 192.2.0.12.
C. Configure another firewall policy that matches only the address of PC3 as the source, and then place the policy at the top of the list.
D. In the IP pool configuration, set the type to overload.
Correct answers:
A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
D. In the IP pool configuration, set the type to overload.
In this scenario, PC3 is unable to connect to the internet despite PC1 and PC2 having successful connections. This suggests a misconfiguration either in the firewall policy or the IP pool, as the FortiGate device is responsible for managing network traffic and providing internet access.
Option A: In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
When new devices, such as PC3, are added to the network, they need to be recognized by the firewall policy to allow traffic to pass through. If PC3's IP address (10.0.1.3) is not included in the existing firewall policy, it may be blocked or not accounted for. By adding PC3's IP address to the source field of the firewall policy, the device can be recognized and allowed access to the internet. This step ensures that the firewall does not inadvertently block PC3.
Option D: In the IP pool configuration, set the type to overload.
The IP pool in FortiGate is used for NAT (Network Address Translation), where internal IP addresses are mapped to a single or range of public IPs when users access external resources. If PC3 cannot access the internet, it's possible that the existing IP pool configuration does not support additional devices. By configuring the IP pool to use overload, the system can reuse a single public IP for multiple devices. This allows PC3 to access the internet using the same public IP as PC1 and PC2, thus resolving the issue.
Option B: In the IP pool configuration, set endip to 192.2.0.12.
This option modifies the range of IPs available for NAT, but it may not directly address the issue of PC3's connectivity unless the IP pool is exhausted.
Option C: Configure another firewall policy that matches only the address of PC3 as the source, and then place the policy at the top of the list.
This option could potentially resolve the issue, but it is a more complex solution and may not be necessary if the existing firewall policy can be modified to include PC3.
Therefore, the most effective solutions are A and D to ensure that PC3 can successfully connect to the internet.
A. CLI console widget
B. Serial console
C. Telnet console
D. SSH console
In situations where a FortiGate device is inaccessible via network connections (such as SSH or Telnet) or if the network is down, administrators may need an alternative method to access the FortiGate CLI. The key option in this scenario is the serial console.
Option B: Serial console
The serial console provides a direct physical connection to the FortiGate device. The connection is made with a serial cable (often a console cable) running from the administrator's computer to the console port of the FortiGate unit. This method is particularly useful when the device is not reachable through its network interfaces, and it is independent of the device's network settings or issues. This ensures that administrators can always access the CLI for troubleshooting, configuration changes, or system recovery. The serial console is the most reliable method when network connectivity is unavailable.
Option A: CLI console widget
The CLI console widget is a browser-based feature found in the FortiGate GUI, but it requires network connectivity to access the web interface of the device. Thus, it does not solve the issue of network unavailability.
Option C: Telnet console
Telnet is a network-based protocol used to access the CLI of devices over a network. However, this method is only viable if the device has network connectivity, and it is not recommended due to its lack of encryption. In the case where the network is down, Telnet cannot be used.
Option D: SSH console
SSH is another network-based protocol for accessing the FortiGate CLI securely. Similar to Telnet, SSH requires network connectivity to function, so it is not applicable in situations where the network is unavailable.
In summary, when there is no network connectivity, the serial console (Option B) is the most effective method for management access to the FortiGate CLI.
Which two configuration changes can the administrator make to resolve the internet connectivity issue for PC3? (Choose two.)
A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
B. In the IP pool configuration, set endip to 192.2.0.12.
C. Configure another firewall policy that matches only the address of PC3 as the source, and place the policy at the top of the list.
D. In the IP pool configuration, set the type to overload.
Correct answers:
B. In the IP pool configuration, set endip to 192.2.0.12.
D. In the IP pool configuration, set the type to overload.
When a new PC (PC3) is added to a network and is unable to access the internet, the issue often relates to how IP addresses are assigned and managed by the firewall and IP pool settings. In this scenario, PCs PC1 and PC2 are successfully accessing the internet, which suggests that the firewall and IP pool configurations are functioning properly for those two devices. However, the addition of PC3 introduces a problem, likely caused by IP pool limitations or misconfigurations.
Option B: In the IP pool configuration, set endip to 192.2.0.12.
The issue could be that the IP pool range does not accommodate the additional device. The IP pool defines a range of IP addresses that are assigned to outgoing traffic (like PCs accessing the internet). By expanding the range by adjusting the endip to a higher value, such as 192.2.0.12, the administrator ensures that PC3 can receive an IP address from the pool, enabling internet access. This change is essential when there are multiple devices behind the FortiGate, and the pool needs to include enough addresses for all connected devices.
Option D: In the IP pool configuration, set the type to overload.
Overload is commonly used in Network Address Translation (NAT) to allow multiple devices within the same network to share a single public IP address. If PC1 and PC2 are already using the available IP addresses in the pool, setting the type to overload enables the devices (including PC3) to share the same address, effectively resolving the issue of limited IP pool addresses and ensuring internet access.
Option A: In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
This step would be unnecessary if the firewall policy already applies to all devices within the network range, including PC3. There’s no need to create a specific rule for PC3 unless it has a unique requirement.
Option C: Configure another firewall policy that matches only the address of PC3 as source, and place the policy on top of the list.
While this might work, it adds unnecessary complexity. The existing firewall policies should already handle traffic from PC3 if configured correctly, so creating a specific rule for PC3 is not the most efficient solution.
By correctly adjusting the IP pool and enabling address overload, the administrator can ensure that all devices, including PC3, have access to the internet.
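Both PC3 questions above turn on the same mechanics: whether the firewall policy's source field covers the new host, and whether the IP pool can hand it a translated address. The following is an added example, not FortiOS code: a small model of an outbound NAT policy with an IP pool that reproduces the failure (a one-to-one pool with exactly as many public addresses as existing hosts) and then applies each of the proposed fixes in turn. The pool range 192.2.0.10 to 192.2.0.11 and the PC1/PC2 addresses 10.0.1.1 and 10.0.1.2 are constructed for the example; only PC3's address 10.0.1.3 comes from the question.

```python
"""Model of an outbound firewall policy with an IP pool (one-to-one vs overload).

Added example, not FortiOS code. A one-to-one pool dedicates one public address
per internal host and runs out; an overload pool shares each public address
across many hosts (distinguished by source port) and does not.
"""
from ipaddress import IPv4Address, ip_network


class IPPool:
    """Public addresses handed out to internal hosts by the NAT policy."""

    def __init__(self, startip, endip, pool_type="overload"):
        if pool_type not in ("overload", "one-to-one"):
            raise ValueError("unsupported pool type")
        self.startip, self.endip, self.pool_type = startip, endip, pool_type
        self.mappings = {}  # internal IP -> public IP currently assigned

    def addresses(self):
        first, last = int(IPv4Address(self.startip)), int(IPv4Address(self.endip))
        return [str(IPv4Address(n)) for n in range(first, last + 1)]

    def translate(self, internal_ip):
        """Return the public IP used for internal_ip, or None if the pool cannot serve it."""
        if internal_ip in self.mappings:
            return self.mappings[internal_ip]
        addrs = self.addresses()
        if self.pool_type == "one-to-one":
            # Each public address is dedicated to exactly one internal host.
            free = [a for a in addrs if a not in self.mappings.values()]
            if not free:
                return None  # pool exhausted: the new host's sessions cannot be translated
            chosen = free[0]
        else:
            # Overload: hosts share public addresses, so the pool never runs out.
            # The address is picked deterministically here for reproducibility.
            chosen = addrs[int(IPv4Address(internal_ip)) % len(addrs)]
        self.mappings[internal_ip] = chosen
        return chosen


def policy_matches_source(source_objects, internal_ip):
    """True if the policy's source field (host or CIDR address objects) covers internal_ip."""
    addr = IPv4Address(internal_ip)
    return any(addr in ip_network(obj, strict=False) for obj in source_objects)


def outbound_nat(source_objects, pool, internal_ip):
    """Outcome for one host: 'policy-denied', 'pool-exhausted', or the public IP used."""
    if not policy_matches_source(source_objects, internal_ip):
        return "policy-denied"
    public = pool.translate(internal_ip)
    return public if public is not None else "pool-exhausted"


def run_scenario(source_objects, pool, hosts=("10.0.1.1", "10.0.1.2", "10.0.1.3")):
    """Apply the policy and pool to PC1, PC2, PC3 in order; returns host -> outcome."""
    return {h: outbound_nat(source_objects, pool, h) for h in hosts}


if __name__ == "__main__":
    subnet = ["10.0.1.0/24"]
    # Constructed starting point: two-address one-to-one pool consumed by PC1 and PC2.
    print(run_scenario(subnet, IPPool("192.2.0.10", "192.2.0.11", "one-to-one")))
    # Fix B: extend endip so a third public address exists.
    print(run_scenario(subnet, IPPool("192.2.0.10", "192.2.0.12", "one-to-one")))
    # Fix D: switch the pool to overload so addresses are shared.
    print(run_scenario(subnet, IPPool("192.2.0.10", "192.2.0.11", "overload")))
    # Fix A only matters when the policy's source field lists hosts individually.
    print(run_scenario(["10.0.1.1/32", "10.0.1.2/32"], IPPool("192.2.0.10", "192.2.0.11")))
```

Running the scenario shows why the two answer keys differ: if the policy source already covers the whole subnet, PC3 is stopped by the pool (fixes B or D), whereas if the source field lists PC1 and PC2 as individual address objects, PC3 never reaches the pool at all until it is added (fix A).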
A. CLI console widget
B. Serial console
C. Telnet console
D. SSH console
In situations where there is no network connectivity to a FortiGate device, it is essential to use an alternative method to gain access to the device for management and troubleshooting. The available options can be evaluated based on their requirements for network access.
Option A: CLI console widget
The CLI console widget is a feature typically used within FortiGate's graphical user interface (GUI). This option requires network connectivity and would not be suitable for situations where there is no network access to the FortiGate device.
Option B: Serial console
The serial console is the correct answer. It provides direct physical access to the FortiGate device, allowing administrators to manage and configure the device even without network connectivity. The serial console interface uses a physical serial cable connected to a serial port on the FortiGate appliance, often a COM port or a USB-to-serial adapter. Through a terminal program (like PuTTY or Tera Term), administrators can interact with the CLI directly without the need for the device to be network-connected. This is particularly useful in initial setup or recovery scenarios when network access is not available.
Option C: Telnet console
Telnet requires network connectivity to establish a remote management session. Therefore, it cannot be used when there is no network connection to the FortiGate device.
Option D: SSH console
SSH (Secure Shell) is another method for remotely accessing the CLI of the FortiGate device, but it also requires network connectivity. Without network access, SSH will not be available for use.
In summary, the serial console provides the only method for managing a FortiGate device without network access, making it an essential tool for recovery or configuration in isolated environments.
A network administrator is setting up redundant IPsec VPN tunnels on a FortiGate device using two IPsec VPN tunnels and static routes. The administrator wants to ensure that all traffic is routed through the primary tunnel when both tunnels are active. If the primary tunnel goes down, the secondary tunnel should take over. Additionally, the administrator requires FortiGate to detect when a tunnel is down to speed up the failover process.
Which two key configuration changes must the administrator make on the FortiGate device to meet these requirements?
Options:
A. Enable Dead Peer Detection.
B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
Correct answers:
A. Enable Dead Peer Detection.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
To ensure that the IPsec VPN tunnels on a FortiGate device are properly set up for redundancy and failover, the administrator must configure specific settings to manage routing and tunnel status detection.
Option A: Enable Dead Peer Detection (DPD)
Dead Peer Detection is a protocol used to monitor the status of VPN peers. Enabling DPD allows the FortiGate device to detect if a tunnel goes down (i.e., if the peer becomes unreachable) and trigger a failover to the secondary tunnel. This ensures that traffic can seamlessly switch to the backup tunnel without significant delay, thus improving the network's reliability and uptime.
Option B: Enable Auto-negotiate and Autokey Keep Alive on Phase 2 of both tunnels
While this option helps maintain the connection and keep the tunnels alive by periodically refreshing the keying material, it is not directly related to the failover mechanism. Auto-negotiation and Autokey Keep Alive assist in the stability of the tunnels but do not manage the tunnel’s failover behavior based on routing priorities.
Option C: Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel
This option configures the static routes in such a way that the primary tunnel is preferred by default. The static route for the primary tunnel should have a lower distance value (indicating higher priority), while the secondary tunnel route should have a higher distance value, ensuring that it is only used when the primary tunnel becomes unavailable. This is a key step in achieving tunnel redundancy and proper failover.
Option D: Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel
This option would incorrectly prioritize the secondary tunnel over the primary one, which is the opposite of what is required. The primary tunnel should have the preferred route distance.
In conclusion, to meet the requirements for redundant IPsec VPN tunnels with proper failover on FortiGate, enabling Dead Peer Detection (DPD) and configuring the static route distances appropriately are the essential steps.
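The route-distance logic in this question is the same mechanism that the first question on this page (the routing database with two default routes, one active and one standby) relies on. The following is an added example, not FortiOS code: a simplified model of route selection from a routing database in which, for each destination prefix, the active candidates with the lowest administrative distance are installed and everything else stays standby. Marking a route inactive stands in for what Dead Peer Detection does when it declares the primary tunnel down. Interface names, gateways, prefixes and the distances 10 and 20 are constructed for the example; priority-based tie-breaking is left out.

```python
"""Route selection from a routing database by administrative distance.

Added example, not FortiOS code. For each prefix, the active routes with the
lowest distance are installed (equal distances install together, i.e. ECMP);
other routes remain standby. A route whose interface or tunnel is down is
inactive and is never installed, so a higher-distance secondary route takes
over only when the lower-distance primary route has dropped out.
"""
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str          # destination, e.g. "0.0.0.0/0"
    gateway: str
    interface: str
    distance: int        # administrative distance; lower is preferred
    active: bool = True  # False when the interface/tunnel is down (e.g. after a DPD failure)


def select_routes(routing_db):
    """Split the routing database into installed and standby routes, per prefix.

    Returns (installed, standby): dicts mapping prefix -> list of Route.
    """
    installed, standby, by_prefix = {}, {}, {}
    for r in routing_db:
        by_prefix.setdefault(r.prefix, []).append(r)
    for prefix, routes in by_prefix.items():
        candidates = [r for r in routes if r.active]
        if not candidates:
            installed[prefix] = []          # nothing usable: prefix is unreachable
            standby[prefix] = list(routes)
            continue
        best = min(r.distance for r in candidates)
        installed[prefix] = [r for r in candidates if r.distance == best]
        standby[prefix] = [r for r in routes if r not in installed[prefix]]
    return installed, standby


def next_hop_interface(routing_db, prefix="0.0.0.0/0"):
    """Interface(s) traffic for prefix would leave on, or [] if unreachable."""
    installed, _ = select_routes(routing_db)
    return [r.interface for r in installed.get(prefix, [])]


def redundant_tunnels(primary_up=True):
    """Constructed two-tunnel setup: primary at distance 10, secondary at distance 20."""
    return [
        Route("10.10.0.0/16", "0.0.0.0", "vpn-primary", 10, active=primary_up),
        Route("10.10.0.0/16", "0.0.0.0", "vpn-secondary", 20),
    ]


if __name__ == "__main__":
    # Two default routes with different distances: port1 installed, port2 standby.
    db = [
        Route("0.0.0.0/0", "203.0.113.1", "port1", 10),
        Route("0.0.0.0/0", "198.51.100.1", "port2", 20),
    ]
    installed, standby = select_routes(db)
    print([r.interface for r in installed["0.0.0.0/0"]], [r.interface for r in standby["0.0.0.0/0"]])
    # Failover: once DPD marks the primary tunnel down, the secondary route is installed.
    print(next_hop_interface(redundant_tunnels(primary_up=True), "10.10.0.0/16"))
    print(next_hop_interface(redundant_tunnels(primary_up=False), "10.10.0.0/16"))
```

The model also shows why option D is wrong: swapping the distances makes the secondary tunnel the installed route while both are up, and the primary only ever carries traffic after the secondary fails.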