Fortinet FCP_FGT_AD-7.6 시험

Question No : 1

When configuring firewall policies which of the following is true regarding the policy ID?

• A.It is mandatory to provide a policy ID while creating a firewall policy regardless of GUI or CL
• B.A firewall policy ID identifies the order of policy execution in firewall policies.
• C.You can create a policy in CLI with policy ID 0.
• D.A policy ID cannot be edited once a policy is created.

답을 확인하기

정답:
Explanation:
Once a firewall policy is created, its policy ID is fixed and cannot be changed; this ID uniquely identifies the policy within the FortiGate configuration.

Question No : 2

You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked.
What FortiGate settings should you check to resolve this issue?

• A.FortiGuard category ratings
• B.Application and Filter Overrides
• C.Network Protocol Enforcement
• D.Replacement Messages for UDP-based Applications

답을 확인하기

정답:
Explanation:
Network Protocol Enforcement settings control how FortiGate inspects and enforces protocols on traffic, including peer-to-peer applications on known ports. If not properly enabled, peer-to-peer traffic may bypass blocking despite the application control profile.

Question No : 3

Refer to the exhibit.



FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?

• A.Create an Aggregate interface that includes port1 and port2 to create a single firewall policy.
• B.Select port1 and port2 subnets in a single firewall policy.
• C.Replace port1 and port2 with the any interface in a single firewall policy.
• D.Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.

답을 확인하기

정답:
Explanation:
Enabling Multiple Interface Policies allows you to select multiple interfaces (like port1 and port2) in a single firewall policy, consolidating access rules for both Sales and Engineering to the web server.

Question No : 4

You are analyzing connectivity problems caused by intermediate devices blocking traffic in SSL VPN environment.
In which two ways can you effectively resolve the problem? (Choose two.)

• A.You can turn off IKE fragmentation to fix large certificate negotiation problems.
• B.You should use IPsec to solve issues with fragment drops and large certificate exchanges.
• C.You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
• D.You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.

답을 확인하기

정답:
Explanation:
Disabling IKE fragmentation helps resolve issues caused by intermediate devices blocking large fragmented packets during certificate negotiation.
Using SSL VPN tunnel mode encapsulates traffic over HTTPS, bypassing blocks on ESP and UDP ports commonly used by IPsec.

Question No : 5

When configuring a FortiGate in a multi-WAN setup, why would an administrator enable session preservation on an interface?

• A.To allow the FortiGate to dynamically change interfaces for all active sessions when a WAN link fails
• B.To make sure all sessions without source NAT enabled always use the primary WAN link
• C.To improve security by forcing users to authenticate again when the WAN link changes
• D.To ensure that existing SSL VPN connections remain on the same interface even if route changes occur

답을 확인하기

정답:
Explanation:
Session preservation keeps active sessions, such as SSL VPNs, tied to the original interface to prevent disruption when WAN routes change.

Question No : 6

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.
Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)

• A.Both interfaces must have the interface role assigned.
• B.Both interfaces must have directly connected routes on the routing table.
• C.Both interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.
• D.Both interfaces must have IP addresses assigned.

답을 확인하기

정답:
Explanation:
Interfaces must have directly connected routes in the routing table to forward traffic correctly.
Interfaces must have IP addresses assigned to communicate within their respective networks.

Question No : 7

Refer to the exhibit.



An administrator has created a new firewall address to use as the destination for a static route.
Why is the administrator not able to select the new address in the Destination field of the new static route?

• A.In the new static route, the administrator must select Named Address.
• B.In the new firewall address, the FQDN address must first beresolved.
• C.In the new static route, the administrator must first set the interface to port2.
• D.In the new firewall address, Routing configuration must be enabled.

답을 확인하기

정답:
Explanation:
To use an FQDN-based address object as a destination in a static route, the "Routing configuration" option must be enabled in the firewall address settings. Without this, the address cannot be selected for routing.

Question No : 8

An administrator notices that some users are unable to establish SSL VPN connections, while others can connect without any issues.
What should the administrator check first?

• A.Ensure that the affected users are using the correct port number.
• B.Ensure that user traffic is hitting the firewall policy.
• C.Ensure that forced tunneling is enabled to reroute all traffic through the SSL VPN
• D.Ensure that the HTTPS service is enabled on SSL VPN tunnel interface

답을 확인하기

정답:
Explanation:
If user traffic is not matching the appropriate firewall policy that permits SSL VPN, users will be unable to establish connections, making this the first aspect to verify.

Question No : 9

A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View.
The policies appear in a different order in each view.
Why is the policy order different in these two views?

• A.Policies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator's manual ordering.
• B.By Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.
• C.The firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.
• D.Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.

답을 확인하기

정답:
Explanation:
Interface Pair View organizes policies grouped by source and destination interfaces, whereas By Sequence View displays policies in the exact order they are processed by the firewall.

Question No : 10

A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode.
Which step is NOT part of the expected process?

• A.The DC agent sends login event data directly to FortiGate.
• B.The user logs into the windows domain.
• C.The collector agent forwards login event data to FortiGate.
• D.FortiGate determines user identity based on the IP address in the FSSO list.

답을 확인하기

정답:
Explanation:
In DC Agent Mode, the DC agent sends login event data directly to FortiGate without involving a collector agent.

Question No : 11

Refer to the exhibit.



What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate?

• A.FortiGate will accept and use the CN in the server certificate for URL filtering if the SNI does not match the CN or SAN fields.
• B.FortiGate will accept the connection with a warning if the SNI does not match the CN or SAN fields.
• C.FortiGate will close the connection if the SNI does not match the CN or SAN fields.
• D.FortiGate will close the connection if the SNI does not match the CN and SAN fields

답을 확인하기

정답:
Explanation:
With the Server certificate SNI check set to Strict, FortiGate enforces that the SNI must match either the Common Name (CN) or Subject Alternative Name (SAN) in the server certificate; otherwise, it closes the connection.

Question No : 12

You have configured the below commands on a FortiGate.



What would be the impact of this configuration on FortiGate?

• A.FortiGate will enable strict RPF on ail its interfaces and port1 will be enable for asymmetric routing.
• B.FortiGate will enable strict RPF on all its interfaces and port1 will be exempted from RPF checks.
• C.Port1 will be enabled with flexible RP
• D.and all other interfaces will be enabled for strict RPF
• E.The global configuration will take precedence and FortiGate will enable strict RPF on all interfaces.

답을 확인하기

정답:
Explanation:
The global setting enables strict source checking (RPF) on all interfaces by default. The per-interface setting disables the source check on port1, exempting it from strict RPF enforcement.

Question No : 13

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy.
When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.
The administrator confirms that the traffic matches the configured firewall policy.
What are two reasons for the failed virus detection by FortiGate? (Choose two.)

• A.The selected SSL inspection profile has certificate inspection enabled.
• B.The website is exempted from SSL inspection.
• C.The El CAR test file exceeds the protocol options oversize limit.
• D.The browser does not trust the FortiGate self-signed CA certificate.

답을 확인하기

정답:
Explanation:
If the website is exempted from SSL inspection, FortiGate cannot scan HTTPS traffic for viruses.
If the browser does not trust FortiGate's self-signed CA certificate, SSL inspection fails, and traffic is not decrypted or scanned.

Question No : 14

Which two statements are true about an HA cluster? (Choose two.)

• A.An HA cluster cannot have both in-band and out-of-band management interfaces at the same time.
• B.Link failover triggers a failover if the administrator sets the interface down on the primary device.
• C.When sniffing the heartbeat interface, the administrator must see the IP address 169.254.0.2.
• D.HA incremental synchronization includes FIB entries and IPsec SAs.

답을 확인하기

정답:
Explanation:
Setting an interface down on the primary device triggers a failover due to link failover detection.
HA incremental synchronization includes forwarding information base (FIB) entries and IPsec security associations (SAs) to maintain session continuity.

Question No : 15

Which three statements about SD-WAN performance SLAs are true? (Choose three.)

• A.They rely on session loss and jitter.
• B.They can be measured actively or passively.
• C.They are applied in a SD-WAN rule lowest cost strategy.
• D.They monitor the state of the FortiGate device.
• E.All the SLA targets can be configured.

답을 확인하기

정답:
Explanation:
SD-WAN SLAs monitor metrics like packet loss and jitter to evaluate link performance.
SLA measurements can be performed using active probing or passive monitoring.
Administrators can configure all SLA target parameters to define performance criteria.