Free FCP_FGT_AD-7.4 Exam Dumps

Question 11

Refer to the exhibits.
FCP_FGT_AD-7.4 dumps exhibit

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

A. Enable match-vip in the Deny policy.
B. Set the Destination address as Webserver in the Deny policy.
C. Disable match-vip in the Deny policy.
D. Set the Destination address as Deny_IP in the Allow_access policy.

Correct Answer:AB

Question 12

Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.
FCP_FGT_AD-7.4 dumps exhibit
When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

A. SMTP.Login.Brute.Force
B. IMAP.Login.brute.Force
C. ip_src_session
D. Location: server Protocol: SMTP

Correct Answer:B
When FortiGate evaluates potential attacks, the IPS sensor follows a specific processing order based on the configuration of filters, signatures, and anomaly thresholds. In this case:
• The IPS sensor is configured with IMAP.Login.brute.Force, which comes first in the order of evaluation.
• FortiGate prioritizes based on signature definitions in the sensor, and since IMAP.Login.brute.Force appears higher in the configuration, it will be evaluated before the other signatures and anomalies.
Why the other options are less appropriate:
• A. SMTP.Login.Brute.Force: This would be evaluated after IMAP.Login.brute.Force, based on the sensor configuration hierarchy.
• C. ip_src_session: This is part of the DoS policy and does not come into play until after IPS signatures are evaluated.
• D. Location: server Protocol: SMTP: This appears to be part of the broader IPS sensor rule, but it is not the first item in the evaluation chain.

Question 13

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
D. The client FortiGate requires a manually added route to remote subnets.

Correct Answer:BC
For SSL VPN to function correctly between two FortiGate devices, the following settings are required:
FCP_FGT_AD-7.4 dumps exhibit B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate must have a Certificate Authority (CA) certificate installed to authenticate and verify the certificate presented by the client FortiGate device.
C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate: The client FortiGate must have a client certificate that is signed by the same CA that the server FortiGate uses for verification. This ensures a secure SSL VPN connection between the two devices.
The other options are not directly necessary for establishing SSL VPN:
FCP_FGT_AD-7.4 dumps exhibit A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: This is incorrect as SSL VPN does not require a specific tunnel interface type; it typically uses an SSL VPN client profile.
D. The client FortiGate requires a manually added route to remote subnets: While routing may be necessary, it is not specifically required for the SSL VPN functionality between two FortiGates.
References
FCP_FGT_AD-7.4 dumps exhibit FortiOS 7.4.1 Administration Guide - Configuring SSL VPN, page 1203.
FortiOS 7.4.1 Administration Guide - SSL VPN Authentication, page 1210.

Question 14

Refer to the exhibit.
FCP_FGT_AD-7.4 dumps exhibit
Which two statements are true about the routing entries in this database table? (Choose two.)

A. All of the entries in the routing database table are installed in the FortiGate routing table.
B. The port2 interface is marked as inactive.
C. Both default routes have different administrative distances.
D. The default route on porc2 is marked as the standby route.

Correct Answer:CD
The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances: FCP_FGT_AD-7.4 dumps exhibit The default route through port2 has an administrative distance of 20.
The default route through port1 has an administrative distance of 10.
Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2.
Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.
References:
FCP_FGT_AD-7.4 dumps exhibit FortiOS 7.4.1 Administration Guide: Default route configuration
FortiOS 7.4.1 Administration Guide: Routing table

Question 15

Refer to the exhibit, which shows a partial configuration from the remote authentication server.
FCP_FGT_AD-7.4 dumps exhibit
Why does the FortiGate administrator need this configuration?

A. To authenticate only the Training user group.
B. To set up a RADIUS server Secret
C. To authenticate and match the Training OU on the RADIUS server.
D. To authenticate Any FortiGate user groups.

Correct Answer:A