Verified FCP_FGT_AD-7.6 Q&As - Pass Guarantee FCP_FGT_AD-7.6 Exam Dumps [Q72-Q89]

Check the Free demo of our FCP_FGT_AD-7.6 Exam Dumps with 129 Questions

NEW QUESTION # 72
Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)

  • A. On HQ-NGFW, set Encryption to AES256.
  • B. On HQ-NGFW, enable Diffie-Hellman Group 2.
  • C. On BR1-FGT, set Seconds to 43200.
  • D. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.

Answer: C,D

Explanation:
The key lifetime (Seconds) must match on both sides; BR1-FGT is set to 14400, so setting it to 43200 matches HQ-NGFW.
The remote address on BR1-FGT should match the HQ-NGFW's local subnet (10.0.11.0/24), but it is currently set incorrectly as 172.20.1.0/24. Changing it to 10.0.11.0/255.255.255.0 will align the Phase 2 selectors.


NEW QUESTION # 73
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

  • A. The collector agent must search Windows application event logs.
  • B. The NetSessionEnum function is used to track user logouts.
  • C. NetAPI polling can increase bandwidth usage in large networks.
  • D. The collector agent uses a Windows API to query DCs for user logins.

Answer: B


NEW QUESTION # 74
Refer to the exhibit.

An administrator has configured an Application Overrides for the ABC.Com application signature and set the Action to Allow. This application control profile is then applied to a firewall policy that is scanning all outbound traffic. Logging is enabled in the firewall policy. To test the configuration, the administrator accessed the ABC.Com web site several times.
Why are there no logs generated under security logs for ABC.Com?

  • A. The ABC.Com Action is set to Allow.
  • B. The ABC.Com is hitting the category Excessive-Bandwidth.
  • C. The ABC.Com is configured under application profile, which must be configured as a web filter profile.
  • D. The ABC.Com Type is set as Application instead of Filter.

Answer: A

Explanation:
When the action is set to Allow in an application override, traffic matching this override is allowed without generating security logs because it bypasses deeper inspection and blocking.


NEW QUESTION # 75
Refer to the exhibits.



An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

  • A. Change the csf setting on both devices to set downstream-access enable.
  • B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
  • C. Change the csf setting on ISFW (downstream) to set configuration-sync local.
  • D. Change the csf setting on Local-FortiGate (root) to set fabric object-unification default.

Answer: A

Explanation:
In a Fortinet Security Fabric setup, the root FortiGate (Local-FortiGate) synchronizes configuration objects, such as address objects, downstream to subordinate FortiGates.
For this synchronization to work, the downstream FortiGate (ISFW) must have the downstream-access option enabled in its CSF (Cooperative Security Fabric) settings.
In the exhibit:
The Local-FortiGate has downstream-access disable, meaning it cannot push configuration changes downstream.
The ISFW also has downstream-access disable, preventing it from accepting synced objects.

To fix this, downstream-access must be enabled on both FortiGates to allow configuration synchronization.


NEW QUESTION # 76
You are analyzing connectivity problems caused by intermediate devices blocking traffic in an SSL VPN environment.
In which two ways can you effectively resolve the problem? (Choose two.)

  • A. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
  • B. You should use IPsec to solve issues with fragment drops and large certificate exchanges.
  • C. You can turn off IKE fragmentation to fix large certificate negotiation problems.
  • D. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).

Answer: C,D

Explanation:
Disabling IKE fragmentation helps resolve issues caused by intermediate devices blocking large fragmented packets during certificate negotiation.
Using SSL VPN tunnel mode encapsulates traffic over HTTPS, bypassing blocks on ESP and UDP ports commonly used by IPsec.


NEW QUESTION # 77
Which two statements describe how the RPF check is used? (Choose two.)

  • A. The RPF check is run on the first sent packet of any new session.
  • B. The RPF check is run on the first sent and reply packet of any new session.
  • C. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
  • D. The RPF check is run on the first reply packet of any new session.

Answer: A,C

Explanation:
The RPF (Reverse Path Forwarding) check is used to prevent IP spoofing attacks by verifying that the source IP address of a received packet is reachable through the same interface it arrived on. If not, the packet is dropped, ensuring traffic legitimacy.
The RPF check runs on the first sent packet of any new session to validate that the route to the source IP is consistent with the interface it's received on. This helps FortiGate detect spoofed or asymmetric routing scenarios early in the session establishment.


NEW QUESTION # 78
Refer to the exhibits. A web filter profile configuration and firewall policy configuration are shown.
You are trying to access www.facebook.com, but you are redirected to a FortiGuard web filtering block page.
Based on the exhibits, what is the possible cause of the issue?


  • A. The web filter profile feature set is configured incorrectly.
  • B. The web rating override configuration is incorrect.
  • C. For www.facebook.com, the URL filter action is incorrect.
  • D. The firewall policy inspection mode is incorrect.

Answer: B

Explanation:
The web filter profile shows a URL filter override for www.facebook.com with action Monitor, which should allow access. However, the block page shows FortiGuard categorizing www.facebook.com as Malicious Websites and blocking it. This indicates that the web rating override configuration is incorrect (the override is not applied properly), so FortiGuard's default category action takes precedence and blocks the site.


NEW QUESTION # 79
Refer to the exhibits. Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit.

What would be the expected outcome in the HA cluster?

  • A. The HA cluster will become out of sync because the override setting must match on all HA members.
  • B. HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.
  • C. HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.
  • D. HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.

Answer: B

Explanation:
With override enabled on HQ-NGFW-2 and its higher priority (110 vs. 90), HQ-NGFW-2 will become the primary device, preempting HQ-NGFW-1 despite the current primary status.


NEW QUESTION # 80
An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic.
Which DPD mode on FortiGate meets this requirement?

  • A. On Demand
  • B. Disabled
  • C. Enabled
  • D. On Idle

Answer: A


NEW QUESTION # 81

Refer to the exhibits.
You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.
Which two factors can you observe from these configurations? (Choose two.)

  • A. Facebook access is allowed but you cannot play Facebook videos based on Video/Audio category filter settings.
  • B. YouTube search is allowed based on the Google Application and Filter override settings.
  • C. YouTube access is blocked based on Excessive-Bandwidth Application and Filter override settings.
  • D. Facebook access is blocked based on the category filter settings.

Answer: C,D


NEW QUESTION # 82
Refer to the exhibit. An administrator has configured an Application Overrides for the ABC.Com application signature and set the Action to Allow. This application control profile is then applied to a firewall policy that is scanning all outbound traffic. Logging is enabled in the firewall policy. To test the configuration, the administrator accessed the ABC.Com web site several times.

Why are there no logs generated under security logs for ABC.Com?

  • A. The ABC.Com Action is set to Allow.
  • B. The ABC.Com is hitting the category Excessive-Bandwidth.
  • C. The ABC.Com is configured under application profile, which must be configured as a web filter profile.
  • D. The ABC.Com Type is set as Application instead of Filter.

Answer: A

Explanation:
When the action is set to Allow in an application override, traffic matching this override is allowed without generating security logs because it bypasses deeper inspection and blocking.


NEW QUESTION # 83
Refer to the exhibit.

Which two statements are true about the routing entries in this database table? (Choose two.)

  • A. The port2 interface is marked as inactive.
  • B. The default route on port2 is marked as the standby route.
  • C. All of the entries in the routing database table are installed in the FortiGate routing table.
  • D. Both default routes have different administrative distances.

Answer: B,D

Explanation:
The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:
* The default route through port2 has an administrative distance of 20.
* The default route through port1 has an administrative distance of 10.
Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2.
Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.
References:
FortiOS 7.4.1 Administration Guide: Default route configuration
FortiOS 7.4.1 Administration Guide: Routing table explanation


NEW QUESTION # 84
Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
The WAN (port2) interface has the IP address 100.65.0.101/24.
The LAN (port4) interface has the IP address 10.0.11.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on HQ-PC-1 (10.0.11.50) pings the IP address of BR-FGT (100.65.1.111)?

  • A. 100.65.0.49
  • B. 100.65.0.101
  • C. 100.65.0.99
  • D. 100.65.0.149

Answer: C

Explanation:
The ping traffic policy uses the IP pool named SNAT-Remote1, which has the external IP range 100.65.0.99.
Therefore, traffic matching this policy (ping from HQ-PC-1 to BR1-FGT) will use 100.65.0.99 for source NAT.


NEW QUESTION # 85
You are encountering connectivity problems caused by intermediate devices blocking IPsec traffic.
In which two ways can you effectively resolve the problem? (Choose two.)

  • A. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
  • B. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
  • C. You should use the protocol IKEv2.
  • D. You can turn on fragmentation to fix large certificate negotiation problems.

Answer: A,D


NEW QUESTION # 86
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

  • A. On HQ-FortiGate, disable Diffie-Hellman group 2.
  • B. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • C. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • D. On Remote-FortiGate, set port2 as Interface.

Answer: B,D

Explanation:
On the HQ-FortiGate the IKE phase 1 mode is set to Aggressive, while on the Remote-FortiGate it is set to Main (ID protection). Both sides must use the same IKE mode for phase 1 to come up, so changing HQ-FortiGate to Main mode resolves this mismatch.
On the Remote-FortiGate, the phase 1 Interface is configured as port1, but according to the diagram the WAN-facing interface with IP 10.10.200.10 is port2. The local interface in the IPsec configuration must match the physical WAN interface, so changing it to port2 is required for the tunnel to establish.


NEW QUESTION # 87
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Based on the exhibit, which statement is true?

  • A. The Underlay zone contains no member.
  • B. The Underlay zone is the zone by default.
  • C. port2 and port3 are not assigned to a zone.
  • D. The virtual-wan-link and overlay zones can be deleted.

Answer: A

Explanation:
The Underlay zone is the default SD-WAN zone, typically representing the physical interfaces in the SD-WAN configuration before overlay or virtual links are added.


NEW QUESTION # 88
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Based on the exhibit, which statement is true?

  • A. The Underlay zone contains no member.
  • B. port2 and port3 are not assigned to a zone.
  • C. The Underlay zone is the zone by default.
  • D. The virtual-wan-link and overlay zones can be deleted.

Answer: C

Explanation:
The Underlay zone is the default SD-WAN zone, typically representing the physical interfaces in the SD-WAN configuration before overlay or virtual links are added.


NEW QUESTION # 89
......
