Pass Fortinet FCP_FGT_AD-7.6 Exam | Latest FCP_FGT_AD-7.6 Dumps & Practice Exams -
Cert007
Exam: FCP_FGT_AD-7.6
Title: FCP - FortiGate 7.6 Administrator
https://www.cert007.com/exam/fcp_fgt_ad-7-6/
1.Refer to the exhibit.
Which route will be selected when trying to reach 10.20.30.254?
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
Answer: A
Explanation:
The correct route to reach 10.20.30.254 is:
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
FortiGate selects the matching route with the longest prefix. 10.20.30.0/26 is the more specific prefix, but it only covers 10.20.30.0 to 10.20.30.63, so 10.20.30.254 does not match it at all; 10.30.20.0/24 is a different subnet and does not match either. That leaves 10.20.30.0/24 and the default route 0.0.0.0/0, and the /24 wins because it is the longer prefix. The administrative distance and metric [10/0] and the priority [1/0] only break ties between routes to the same prefix; they never override the longest-prefix match.
2.Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)
A. Port block allocation
B. Fixed port range
C. One-to-one
D. Overload
Answer: A,B
Explanation:
The two IP pool types intended for carrier-grade NAT (CGNAT) deployments are:
A. Port block allocation
B. Fixed port range
Port block allocation (set type port-block-allocation under config firewall ippool) gives each internal address a block of source ports on a public address when it first needs one, and allocates further blocks as earlier ones fill up. Only one log entry is produced per allocated block rather than per session, so the provider can still attribute a public IP and port back to a subscriber without logging every connection.
Fixed port range (set type fixed-port-range) maps a configured internal address range onto an external address range and divides the port space deterministically, so each internal address always receives the same external address and the same port range. The mapping can be derived from the configuration alone, which is useful where per-subscriber attribution is required with minimal logging.
Overload and one-to-one pools do not provide this block-based or deterministic subscriber-to-port mapping, which is why they are not the CGNAT choices. Both CGNAT pool types exist to manage the mapping of many private addresses onto a small number of public IPv4 addresses and ports while keeping that mapping traceable.
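To show the difference between the two CGNAT pool types, here is an added example (not code from the page, from Fortinet, or from FortiOS) that models a fixed-port-range pool and a port-block-allocation pool in Python. The address ranges, block size, blocks-per-user limit and the usable port range 1024 to 65535 are assumptions chosen for the illustration, and the even-split algorithm is a simplified model of how a deterministic pool divides the port space, not FortiOS's exact implementation.

```python
import ipaddress
import math

FIRST_PORT, LAST_PORT = 1024, 65535  # assumed usable external port space


def ip_range(start, end):
    """Expand 'a.b.c.d' .. 'a.b.c.e' into a list of addresses."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [s + i for i in range(int(e) - int(s) + 1)]


def fixed_port_range(ext_start, ext_end, int_start, int_end):
    """Deterministic model of the fixed-port-range pool: internal IPs are split
    evenly across the external IPs, and each external IP's port space is split
    evenly across the internal IPs assigned to it. The mapping can be computed
    offline from the configuration, so attribution needs no per-session log."""
    ext, internal = ip_range(ext_start, ext_end), ip_range(int_start, int_end)
    per_ext = math.ceil(len(internal) / len(ext))
    ports_each = (LAST_PORT - FIRST_PORT + 1) // per_ext
    table = {}
    for idx, iip in enumerate(internal):
        eip = ext[idx // per_ext]
        slot = idx % per_ext
        start = FIRST_PORT + slot * ports_each
        table[str(iip)] = (str(eip), start, start + ports_each - 1)
    return table


class PortBlockAllocator:
    """Dynamic model of port block allocation: blocks are handed out on demand,
    one log line per block instead of one per session, and a subscriber may
    hold at most blocks_per_user blocks (new sessions fail once that is hit)."""

    def __init__(self, ext_start, ext_end, block_size=64, blocks_per_user=2):
        self.block_size, self.blocks_per_user = block_size, blocks_per_user
        self.free = [(str(ip), p) for ip in ip_range(ext_start, ext_end)
                     for p in range(FIRST_PORT, LAST_PORT - block_size + 2, block_size)]
        self.held = {}   # internal ip -> list of (external ip, first port of block)
        self.log = []    # one entry per allocated block: (internal, external, first, last)

    def allocate(self, internal_ip):
        blocks = self.held.setdefault(internal_ip, [])
        if len(blocks) >= self.blocks_per_user or not self.free:
            return None          # per-user quota or whole pool exhausted
        blk = self.free.pop(0)
        blocks.append(blk)
        self.log.append((internal_ip, blk[0], blk[1], blk[1] + self.block_size - 1))
        return blk

    def translate(self, internal_ip, session_index):
        """External (ip, port) for the Nth concurrent session of a host,
        allocating further blocks as earlier ones fill up."""
        blocks = self.held.get(internal_ip, [])
        needed = session_index // self.block_size + 1
        while len(blocks) < needed:
            if self.allocate(internal_ip) is None:
                return None
            blocks = self.held[internal_ip]
        eip, first = blocks[session_index // self.block_size]
        return eip, first + session_index % self.block_size


if __name__ == "__main__":
    for iip, mapping in fixed_port_range("203.0.113.10", "203.0.113.11",
                                         "10.0.0.1", "10.0.0.4").items():
        print("fixed:", iip, "->", mapping)
    pba = PortBlockAllocator("203.0.113.10", "203.0.113.10")
    for n in (0, 63, 70, 128):
        print("pba: 10.0.0.1 session", n, "->", pba.translate("10.0.0.1", n))
    print("pba log entries:", pba.log)
```

With a fixed port range the table is the log: given only the configuration, 203.0.113.10 port 40000 can be attributed to one internal host. With port block allocation the allocator's log list is what an operator must retain, but it grows per block, not per session, and the blocks_per_user limit is the knob that bounds how much of the shared address one subscriber can consume.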
3.What is eXtended Authentication (XAuth)?
A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username
and password).
C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
D. It is an IPsec extension that authenticates remote VPN peers using digital certificates.
Answer: B
Explanation:
The correct answer is:
B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username
and password).
eXtended Authentication (XAuth) is an IKEv1 extension that adds a second, per-user authentication step between phase 1 and phase 2. After the gateway has been authenticated in phase 1 with a pre-shared key or a certificate, the remote user must also supply a username and password (checked against a local or remote user group) before phase 2 brings up the tunnel. A leaked group pre-shared key on its own is therefore not enough to connect. Options C and D describe the phase 1 peer authentication methods, not XAuth. The IKEv2 counterpart of XAuth is EAP.
4.What must you configure to enable proxy-based TCP session failover?
A. You must configure ha-configuration-sync under configure system ha.
B. You do not need to configure anything because all TCP sessions are automatically failed over.
C. You must configure session-pickup-enable under configure system ha.
D. You must configure session-pickup-connectionless enable under configure system ha.
Answer: C
Explanation:
The correct answer is:
C. You must configure session-pickup-enable under configure system ha.
Session pickup is disabled by default. The actual CLI syntax is set session-pickup enable under config system ha. Once enabled, the primary FortiGate synchronizes its TCP session table to the other cluster members, so established TCP connections survive a failover instead of having to be rebuilt by the clients. Connectionless sessions (UDP, ICMP) are synchronized only if session-pickup-connectionless is also enabled (option D), and option A concerns configuration synchronization, not session state.
5.An administrator needs to inspect all web traffic (including Internet web traffic) coming from users
connecting to the SSL-VPN.
How can this be achieved?
A. Assigning public IP addresses to SSL-VPN users
B. Configuring web bookmarks
C. Disabling split tunneling
D. Using web-only mode
Answer: C
Explanation:
The correct answer is: C. Disabling split tunneling
With split tunneling enabled, only traffic for the networks listed as the portal's routing addresses goes through the tunnel; the user's Internet traffic leaves directly through their local connection and never reaches FortiGate. Disabling split tunneling pushes a default route through the tunnel, so all traffic from the connected users, including Internet web traffic, arrives on the ssl.root interface and can be matched by firewall policies with web filtering and SSL inspection. A policy from ssl.root to the WAN interface (with NAT enabled) is then needed so the inspected Internet traffic can leave. Web-only mode and bookmarks (B, D) only cover what the user reaches through the portal, and assigning public IP addresses to users (A) does not change where their traffic flows.
6.Which NAT method translates the source IP address in a packet to another IP address?
A. DNAT
B. SNAT
C. VIP
D. IPPOOL
Answer: B
Explanation:
The correct answer is: B. SNAT
SNAT (source network address translation) rewrites the source IP address of a packet, typically so that internal private addresses leave toward the Internet as the egress interface address or an address from an IP pool. DNAT (destination network address translation) rewrites the destination address instead. On FortiGate, VIP and IPPOOL are not translation methods but the objects that implement them: a virtual IP (VIP) is the object that performs DNAT for inbound traffic (optionally with port forwarding or server load balancing), and an IP pool is the object that supplies the translated source address for SNAT when a firewall policy has NAT enabled.
7.What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?
A. Both can be enabled at the same time.
B. Both support volume algorithms.
C. Both control ECMP algorithms.
D. Both use the same physical interface load balancing settings.
Answer: C
Explanation:
The correct answer is: C. Both control ECMP algorithms.
When several routes to the same destination have the same distance, metric and priority, FortiGate installs all of them as equal-cost multi-path (ECMP) routes and uses a load-balancing algorithm to choose one per session. Without SD-WAN, that algorithm is selected with set v4-ecmp-mode under config system settings; when SD-WAN is enabled, the equivalent setting is load-balance-mode under config system sdwan, which takes over for the SD-WAN members. Both settings therefore control the ECMP algorithm, but they are not used at the same time (option A), and only the SD-WAN setting offers a volume-based algorithm (option B).
8.Refer to the exhibit.
Which statement about the configuration settings is true?
A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
C. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
D. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same
port.
Answer: B
Explanation:
B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
The SSL-VPN portal is served over HTTPS on the port configured in the SSL-VPN settings. With the listening port set to 443 on that interface, a browser request to https://10.200.1.1:443 lands on the SSL-VPN login page, not on the administrative GUI (option C). A plain http:// request to port 443 (option A) does not start a TLS handshake and does not open the portal. Option D is wrong: the settings shown are valid; the SSL-VPN listener simply answers on that port of the interface it is bound to, so the administrative GUI should be reached on a different port or interface.
9.What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?
A. It limits the scanning of application traffic to the browser-based technology category only.
B. It limits the scanning of application traffic to the DNS protocol only.
C. It limits the scanning of application traffic to use parent signatures only.
D. It limits the scanning of application traffic to the application category only.
Answer: A
Explanation:
A. It limits the scanning of application traffic to the browser-based technology category only.
You can configure the URL Category within the same security policy; however, adding a URL filter causes
application control to scan applications in only the browser-based technology category, for example,
Facebook Messenger on the Facebook website.
10.Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the
exhibit.
Which policy will be highlighted, based on the input criteria?
A. Policy with ID 4.
B. Policy with ID 5.
C. Policies with ID 2 and 3.
D. Policy with ID 1.
Answer: B
Explanation:
Policy with ID 5.
Policy Lookup runs the same top-down, first-match evaluation that FortiGate applies to live traffic, using the criteria entered: source interface port3, source address 10.1.1.10 (the LOCAL_CLIENT object), destination facebook.com, TCP port 443 (HTTPS). Three policies use port3 as the source interface, and two of those use LOCAL_CLIENT as the source: policies 1 and 5. Policy 1's service is ALL_UDP, so it cannot match a TCP/443 request. That leaves policy 5, whose Internet Service destination covers Facebook-Web, which the screenshot shows allowing HTTP and HTTPS (ports 80 and 443). Because firewall policies are evaluated from top to bottom and the first match is applied, policy 5 is the first policy that matches every criterion, so it is the one highlighted.
11.FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same
subnet.
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in
different subnets.
Answer: B,C
Explanation:
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VLAN/ta-p/192843?externalID=FD43883
Each interface (physical or VLAN) can belong to only one VDOM. Two VLAN subinterfaces on the same physical interface can therefore share a VLAN ID only when they are assigned to different VDOMs; within a single VDOM their IDs must differ. The IP subnets of the subinterfaces (options A and D) have no bearing on this rule.
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interface/ta-p/197640
VLAN rules:
- VLANs can be created on any physical or aggregate (802.3ad) interface
- The same VLAN number cannot be configured twice on the same physical interface
- The same VLAN number can be used on different physical interfaces
- The usable VLAN ID range is 1 to 4094
VDOM interface assignment:
- Two VDOMs cannot share the same interface or VLAN
- A VLAN subinterface can belong to a different VDOM than the physical interface it is attached to
12.An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?
A. Strict RPF allows packets back to sources with all active routes.
B. Strict RPF checks the best route back to the source using the incoming interface.
C. Strict RPF checks only for the existence of at least one active route back to the source using the
incoming interface.
D. Strict RPF check is run on the first sent and reply packet of any new session.
Answer: B
Explanation:
B. Strict RPF checks the best route back to the source using the incoming interface.
Reverse path forwarding (RPF) is an anti-spoofing check applied to the first packet of a new session: FortiGate looks up the packet's source address in the routing table and verifies that the packet arrived on an interface the routing table would use to reach that source. If it did not, the packet is treated as potentially spoofed and dropped.
Loose RPF (the default) passes the packet if at least one active route back to the source points out of the incoming interface. Strict RPF additionally requires that matching route to be the best route: if there is a route back to the source through the incoming interface, but a better (longer-prefix) route for that source through another interface, the check fails. Because a default route matches every source, loose RPF on the interface that carries the default route passes almost anything; strict mode is what actually catches packets arriving on the wrong interface.
Option C describes loose mode, and option D is wrong because RPF is evaluated only on the first packet of a session; reply packets belong to an existing session and are not re-checked.
In short: loose RPF checks for any route, strict RPF checks for the best route.
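To make both questions 1 and 12 concrete, here is an added example (not code from the page, from Fortinet, or from FortiOS) that models longest-prefix route selection and the loose and strict RPF checks on the same routing table. ROUTES reproduces the prefixes, next hops and interfaces from question 1's exhibit; the source addresses and ingress interfaces used below are assumptions for the illustration, and the model ignores distance and priority because the routing table already contains only the installed route for each prefix.

```python
import ipaddress

# Constructed routing table using the prefixes/interfaces from question 1's exhibit
# (example data, not an exported FortiGate routing table): (prefix, next hop, interface)
ROUTES = [
    ("10.20.30.0/24", "172.20.167.254", "port3"),
    ("10.30.20.0/24", "172.20.121.2", "port1"),
    ("10.20.30.0/26", "172.20.168.254", "port2"),
    ("0.0.0.0/0", "172.20.121.2", "port1"),
]


def matching_routes(address, routes=ROUTES):
    """All routes whose prefix contains the address, as (network, next_hop, iface)."""
    addr = ipaddress.ip_address(address)
    return [(ipaddress.ip_network(p), nh, i) for p, nh, i in routes
            if addr in ipaddress.ip_network(p)]


def lookup(destination, routes=ROUTES):
    """Forward lookup: the matching route with the longest prefix wins."""
    candidates = matching_routes(destination, routes)
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def rpf_check(source, in_iface, mode="strict", routes=ROUTES):
    """Reverse path forwarding check on the SOURCE of the first packet of a session.
    loose : pass if at least one route back to the source leaves via in_iface
    strict: pass only if the best (longest-prefix) route back to the source leaves via in_iface
    """
    candidates = matching_routes(source, routes)
    if not candidates:
        return False                      # no route back at all: always dropped
    if mode == "loose":
        return any(iface == in_iface for _, _, iface in candidates)
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[2] == in_iface


if __name__ == "__main__":
    net, nh, iface = lookup("10.20.30.254")
    print(f"10.20.30.254 -> {net} via {nh} on {iface}")   # the /26 does not cover .254
    # A packet claiming to come from 10.20.30.10 (inside the /26 behind port2):
    for ingress in ("port3", "port1", "port2"):
        print("src 10.20.30.10 in on", ingress,
              "loose:", rpf_check("10.20.30.10", ingress, "loose"),
              "strict:", rpf_check("10.20.30.10", ingress, "strict"))
```

The port1 case is the one worth noticing: because port1 carries the default route, loose RPF accepts a packet sourced from 10.20.30.10 arriving there, even though the best route to that host is the /26 out of port2. Only strict mode rejects it.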
13.An administrator has configured the following settings:
config system settings
set ses-denied-traffic enable
end
config system global
set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)
A. Device detection on all interfaces is enforced for 30 seconds.
B. Denied users are blocked for 30 seconds.
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.
Answer: C,D
Explanation:
C. The number of logs generated by denied traffic is reduced.
D. A session for denied traffic is created.
ses-denied-traffic enables or disables including denied sessions in the session table. block-session-timer sets how long, in seconds, a blocked session stays in the table (1 to 300 seconds, default 30); the timer is always expressed in seconds.
Normally every packet of denied traffic goes through a new policy lookup and produces its own log message. With ses-denied-traffic enabled, the first denied packet creates a denied session entry in the session table, and every further packet of that session is dropped by the session lookup without another policy lookup and without a new log message, for as long as the entry remains in the table (30 seconds here). This reduces CPU usage and log volume. (Security profile violations are still logged immediately when detected; this setting only affects traffic denied by policy.) Nothing in this configuration relates to device detection (option A), and no user is blocked (option B): only the matching session is cached as denied, and a new session after the timer expires is evaluated and logged again.
Reference and study guide: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478
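Here is an added example (not code from the page, from Fortinet, or from FortiOS) that models the two results of this configuration in Python: a denied session entry is created on the first denied packet, and later packets of the same flow are dropped without a policy lookup or a log until the block-session-timer expires. The flow key, packet timestamps and the assumption that every flow hits a deny policy are constructed for the illustration.

```python
from collections import namedtuple

BLOCK_SESSION_TIMER = 30   # seconds, as set in the question (also the default)

# A 5-tuple session key (example model, not the real FortiGate session table format)
Flow = namedtuple("Flow", "src dst proto sport dport")


class DeniedSessionTable:
    """Model of ses-denied-traffic / block-session-timer. Every flow fed in is
    assumed to match a deny policy; the model counts how many policy lookups
    and log messages that costs with the feature off and on."""

    def __init__(self, ses_denied_traffic, timer=BLOCK_SESSION_TIMER):
        self.enabled = ses_denied_traffic
        self.timer = timer
        self.table = {}          # Flow -> expiry time (seconds)
        self.policy_lookups = 0
        self.logs = 0

    def packet(self, flow, now):
        """Process one packet arriving at time `now`; returns how it was handled."""
        if self.enabled:
            expiry = self.table.get(flow)
            if expiry is not None and now < expiry:
                return "dropped-by-session"      # no policy lookup, no new log
            # an expired entry is discarded and the traffic is evaluated like new traffic
        self.policy_lookups += 1
        self.logs += 1                           # the deny is logged once per evaluation
        if self.enabled:
            self.table[flow] = now + self.timer  # create the denied session entry
        return "dropped-by-policy"


def compare(packet_times, flow):
    """Run the same packet train through both modes; returns (logs_off, logs_on)."""
    off = DeniedSessionTable(ses_denied_traffic=False)
    on = DeniedSessionTable(ses_denied_traffic=True)
    for t in packet_times:
        off.packet(flow, t)
        on.packet(flow, t)
    return off.logs, on.logs


if __name__ == "__main__":
    # constructed flow: a host probing telnet every second, then again after the timer
    probe = Flow("10.0.1.10", "203.0.113.5", 6, 51000, 23)
    print("logs without/with denied sessions, 5 packets in 5 s:", compare([0, 1, 2, 3, 4], probe))
    print("logs without/with denied sessions, spread over 31 s:", compare([0, 10, 29, 30, 31], probe))
```

The second run shows the timer boundary: the packet at t=30 arrives after the 30-second entry created at t=0 has expired, so it is evaluated and logged again, and the packet at t=31 is absorbed by the new entry.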
14.Refer to the exhibits.
The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for
Facebook.
Users are given access to the Facebook web application. They can play video content hosted on
Facebook, but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?
A. Force access to Facebook using the HTTP service.
B. Make the SSL inspection a deep content inspection.
C. Add Facebook in the URL category in the security policy.
D. Get the additional application signatures required to add to the security policy.
Answer: B
Explanation:
Deep (full) SSL inspection is required.
Users can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts. The policy is therefore partially working: the Facebook and Facebook_Video.Play signatures are matched, but the Facebook_like.Button signature is not, so the issue lies with SSL inspection rather than with adding another application rule.
In the application signature list, the lock icon next to Facebook_like.Button indicates that the signature requires SSL deep inspection; if you look up that signature it says "Requires SSL Deep Inspection". The Facebook and Facebook_Video.Play signatures do not, because they can be identified from the unencrypted part of the TLS handshake (such as the server name) without decrypting the payload, which is why video playback works. To recognise the reaction action inside the encrypted HTTPS requests, FortiGate has to decrypt the traffic, so the SSL inspection profile in the policy must be changed to deep content inspection. Without full SSL inspection, FortiGate cannot inspect the content of encrypted traffic, and the users' browsers must trust the FortiGate CA for deep inspection to work without certificate warnings.
15.Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security
fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
A. Change the csf setting on ISFW (downstream) to set configuration-sync local.
B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
C. Change the csf setting on both devices to set downstream-access enable.
D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
Answer: C
Explanation:
C is correct. Option D is already the default: fabric-object-unification default means global CMDB objects (such as address objects) are synchronized in the Security Fabric, and that command is only available on the root FortiGate. What prevents the synchronization here is that downstream access is disabled on the root, so it must be enabled with set downstream-access enable under config system csf on both devices.
downstream-access: enable or disable downstream device access to this device's configuration and data. With it disabled, the downstream FortiGate cannot receive the root's objects.
16.Refer to the exhibits.
Exhibit A shows system performance output.
Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.
Based on the system performance output, which two results are correct? (Choose two.)
A. FortiGate will start sending all files to FortiSandbox for inspection.
B. FortiGate has entered conserve mode.
C. Administrators cannot change the configuration.
D. Administrators can access FortiGate only through the console port.
Answer: B,C
Explanation:
If memory usage goes above the percentage of total RAM defined as the red threshold, FortiGate enters conserve mode. With the default thresholds, red is 88% and extreme is 95%, and FortiGate leaves conserve mode again only when usage drops below the green threshold of 82%. Based on the system performance output, FortiGate has entered conserve mode.
Actions FortiGate takes to preserve memory while in conserve mode:
- FortiGate does not accept configuration changes, because they might increase memory usage.
- FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox.
- The fail-open setting under config ips global controls how the IPS engine behaves when the IPS socket buffer is full.
So B and C are correct: FortiGate is in conserve mode, and administrators cannot change the configuration while it stays there. Option A is the opposite of what happens (forwarding of files to FortiSandbox stops), and option D is wrong: administrative access over the network is still available; it is configuration changes that are refused, not access.
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580
17.Refer to the exhibit showing a debug flow output.
What two conclusions can you make from the debug flow output? (Choose two.)
A. The debug flow is for ICMP traffic.
B. The default route is required to receive a reply.
C. A new traffic session was created.
D. A firewall policy allowed the connection.
Answer: A,C
Explanation:
The debug flow output shows proto=1 and a line indicating that a new session was allocated. IP protocol number 1 is ICMP, so the trace is for ICMP traffic (A), and the new-session line confirms that a new traffic session was created (C). The output does not establish that a firewall policy accepted the connection or that the default route was needed for the reply, so B and D are not supported.
Reference: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
18.An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting
in both sites has been configured as Static IP Address. For site A, the local quick mode selector is
192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?
A. 192.168.2.0/24
B. 192.168.0.0/8
C. 192.168.1.0/24
D. 192.168.3.0/24
Answer: A
Explanation:
A. 192.168.2.0/24
Quick mode (phase 2) selectors must mirror each other: the remote selector on one side is the local selector on the other. Site A protects its local subnet 192.168.1.0/24 and expects 192.168.2.0/24 on the remote side, so site B must use 192.168.2.0/24 as its local quick mode selector and 192.168.1.0/24 as its remote quick mode selector. This way the tunnel allows traffic between 192.168.1.0/24 at site A and 192.168.2.0/24 at site B in both directions. If the selectors do not mirror, phase 2 negotiation fails and no traffic flows.
19.Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose
two.)
A. The client FortiGate requires a manually added route to remote subnets.
B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
Answer: C,D
Explanation:
A FortiGate can act as an SSL VPN client by using an interface of type SSL-VPN Tunnel, and the server FortiGate must hold a CA certificate that lets it verify the certificate chain of the client FortiGate's certificate up to the root CA that signed it.
C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate: the client authenticates with a certificate, and the server can only trust it if the issuing CA's certificate is installed. The certificate does not have to be signed by a CA hosted on the server FortiGate itself (option B); any CA the server trusts will do.
D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: this interface type is what makes the FortiGate establish the tunnel as a client to the server FortiGate.
Manually added routes to the remote subnets (option A) are not a requirement for the tunnel to be established. Together, C and D are what authenticates and brings up the SSL VPN between the two FortiGate devices.
20.Which statement correctly describes the use of reliable logging on FortiGate?
A. Reliable logging is enabled by default in all configuration scenarios.
B. Reliable logging is required to encrypt the transmission of logs.
C. Reliable logging can be configured only using the CLI.
D. Reliable logging prevents the loss of logs when the local disk is full.
Answer: B
Explanation:
B. Reliable logging is required to encrypt the transmission of logs.
Reliable logging changes the transport used to send logs to a remote server from UDP to TCP. When reliable mode is enabled, logs are cached in a FortiOS memory queue and sent over TCP, and the receiver acknowledges them: FortiAnalyzer uses seq_no to track received logs, so logs are not silently lost when the connection between FortiOS and FortiAnalyzer is disrupted. Encryption of the log transport is built on top of this reliable connection: for a syslog destination, enc-algorithm can only be set after set mode reliable under config log syslogd setting, because TLS needs the TCP session that reliable mode provides. Reliable logging is therefore the prerequisite for encrypting log transmission, which is what makes B the correct statement. Encryption itself remains optional; what the question tests is the dependency, not that encryption is always on.
The other options are incorrect:
Reliable logging is not enabled by default in all configuration scenarios; it must be enabled explicitly for each remote destination (option A).
Reliable logging is not a CLI-only feature; it can be configured from the CLI or the FortiGate web interface (option C).
Reliable logging protects logs in transit to a remote server; it does nothing about a full local disk (option D). What happens when the local disk is full is governed by the disk logging settings (set diskfull overwrite or nolog under config log disk setting), and logs already sent to FortiAnalyzer are not affected by local disk space in any case.
21.Refer to the exhibits.
The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration
information.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?
A. 10.200.1.1
B. 10.0.1.254
C. 10.200.1.10
D. 10.200.1.100
Answer: D
Explanation:
From LAN (port3) to WAN (port1), the first firewall policy has NAT enabled with an IP pool, so the source NAT address is the address configured in the IP pool, 10.200.1.100. The VIP in the second policy performs destination NAT for traffic from WAN to LAN and does not apply to the outbound session.
The question asks about SNAT, so looking at the IP pool the only correct answer is D.
The general precedence for the SNAT address on an egress policy with NAT enabled is: by default the egress interface address is used (step 1); if the source is the mapped address of a VIP, FortiGate uses the VIP's external address as the NAT IP for all egress traffic from that host (step 2); and an IP pool on the policy overrides the behaviour of step 2, which is what happens here.
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529
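Here is an added example (not code from the page, from Fortinet, or from FortiOS) that encodes the SNAT precedence described above in Python and runs it over objects modelled on this question. The interface address, IP pool address and VIP external address come from the question; the VIP's mapped address (assumed to be the workstation 10.0.1.10), the Internet destination 198.51.100.7 and the exact policy fields are assumptions made for the illustration, and an overload pool is simplified to its first address.

```python
import ipaddress

# Constructed objects modelled on question 21 (example data, not a FortiGate export)
WAN_INTERFACE_IP = "10.200.1.1"
VIPS = [{"name": "WEB-VIP", "extip": "10.200.1.10", "mappedip": "10.0.1.10"}]  # mappedip assumed
IPPOOLS = {"SNAT-POOL": {"type": "overload", "startip": "10.200.1.100"}}
POLICIES = [
    {"id": 1, "srcintf": "port3", "dstintf": "port1", "srcaddr": "10.0.1.0/24",
     "dstaddr": "0.0.0.0/0", "nat": True, "ippool": "SNAT-POOL"},
    {"id": 2, "srcintf": "port1", "dstintf": "port3", "srcaddr": "0.0.0.0/0",
     "dstaddr": "WEB-VIP", "nat": False, "ippool": None},
]


def match_policy(srcintf, dstintf, src, dst, policies=POLICIES):
    """First match, top down, the way FortiGate evaluates firewall policies.
    A destination that names a VIP matches the VIP's external address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in policies:
        if pol["srcintf"] != srcintf or pol["dstintf"] != dstintf:
            continue
        if s not in ipaddress.ip_network(pol["srcaddr"]):
            continue
        vip = next((v for v in VIPS if v["name"] == pol["dstaddr"]), None)
        if vip is not None:
            if str(d) != vip["extip"]:
                continue
        elif d not in ipaddress.ip_network(pol["dstaddr"]):
            continue
        return pol
    return None


def snat_address(policy, src, egress_ip=WAN_INTERFACE_IP):
    """Source NAT address for a session matched by `policy`:
    1. NAT disabled on the policy   -> source left unchanged (None)
    2. IP pool on the policy        -> pool address (overrides everything below)
    3. source is a VIP's mapped IP  -> that VIP's external IP
    4. otherwise                    -> egress interface IP
    """
    if not policy["nat"]:
        return None
    if policy["ippool"]:
        return IPPOOLS[policy["ippool"]]["startip"]   # overload pool simplified to one address
    for vip in VIPS:
        if vip["mappedip"] == src:
            return vip["extip"]
    return egress_ip


def outbound_snat(src, dst="198.51.100.7", policies=POLICIES):
    """SNAT address for LAN (port3) to WAN (port1) traffic, or None if no policy matches."""
    pol = match_policy("port3", "port1", src, dst, policies)
    return None if pol is None else snat_address(pol, src)


if __name__ == "__main__":
    print("with IP pool on policy 1:", outbound_snat("10.0.1.10"))
    no_pool = [dict(POLICIES[0], ippool=None)]
    print("same policy without pool, VIP-mapped host:", outbound_snat("10.0.1.10", policies=no_pool))
    print("same policy without pool, other host:", outbound_snat("10.0.1.20", policies=no_pool))
```

Removing the IP pool from policy 1 is the interesting case: the workstation then leaves as the VIP's external address 10.200.1.10 (step 2 in the KB article) while any other LAN host leaves as the interface address, which is a common surprise when a host behind a VIP is suddenly seen on the Internet with a different address.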
22.Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP
configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the
connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming
web traffic to the server and does not see any output.
Based on the information shown in the exhibit, what configuration change must the administrator make to
fix the connectivity issue?
A. Configure a loopback interface with address 203.0.113.2/32.
B. In the VIP configuration, enable arp-reply.
C. Enable port forwarding on the server to map the external service port to the internal service port.
D. In the firewall policy configuration, enable match-vip.
Answer: B
Explanation:
The ISP router's routing table shows the route toward the web server's public address as connected (C). To deliver a packet to 203.0.113.2, the router must therefore resolve that address with ARP on the directly attached segment. The VIP's external address differs from the FortiGate interface address, and arp-reply is disabled on the VIP, so FortiGate never answers the ARP request; the ISP router drops the traffic before it reaches FortiGate, which is why the sniffer on FortiGate shows no packets.
Using a VIP external address that differs from the interface address is not a problem as long as the upstream network can reach it, either through a static route pointing at the FortiGate interface address or by FortiGate answering ARP for the VIP. Enabling ARP reply on the VIP (it is enabled by default and has been disabled here) makes FortiGate respond to ARP for 203.0.113.2 and fixes the issue without any change on the ISP router.
Enabling ARP reply is usually not required in most networks, because the routing tables on the adjacent devices contain the correct next hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, or, as here, the upstream device treats the VIP address as on-link, and having ARP reply enabled solves the issue. For this reason, it is a best practice to keep ARP reply enabled.
23.Which two statements are true about the FGCP protocol? (Choose two.)
A. FGCP elects the primary FortiGate device.
B. FGCP is not used when FortiGate is in transparent mode.
C. FGCP runs only over the heartbeat links.
D. FGCP is used to discover FortiGate devices in different HA groups.
Answer: A,C
Explanation:
A. FGCP elects the primary FortiGate device.
C. FGCP runs only over the heartbeat links.
The FGCP (FortiGate Clustering Protocol) is a protocol that is used to manage high availability (HA)
clusters of FortiGate devices.
It performs several functions, including the following:
FGCP elects the primary FortiGate device: In an HA cluster, FGCP is used to determine which FortiGate
device will be the primary device, responsible for handling traffic and making decisions about what to
allow or block. FGCP uses a variety of factors, such as the device's priority, to determine which device
should be the primary.
FGCP runs only over the heartbeat links: FGCP communicates between FortiGate devices in the HA
cluster using the heartbeat links. These are dedicated links that are used to exchange status and control
information between the devices. FGCP does not run over other types of links, such as data links.
FortiGate HA uses the Fortinet-proprietary FortiGate Clustering Protocol (FGCP) to discover members,
elect the primary FortiGate, synchronize data among members, and monitor the health of members.
To discover and monitor members, the members broadcast heartbeat packets over all configured
heartbeat interfaces.
24.A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec
VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must
be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead
tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements?
(Choose two.)
A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static
route for the secondary tunnel.
B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the
static route for the secondary tunnel.
C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
D. Enable Dead Peer Detection.
Answer: B,D
Explanation:
To set up redundant IPsec VPN tunnels on FortiGate and meet the specified requirements, the
administrator should make the following key configuration changes:
B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static
route for the secondary tunnel.
By configuring a lower administrative distance for the static route of the primary tunnel, the FortiGate will
prefer this route when both tunnels are up. If the primary tunnel goes down, the higher administrative
distance on the static route for the secondary tunnel will cause the FortiGate to use the secondary tunnel.
D. Enable Dead Peer Detection.
Dead Peer Detection (DPD) should be enabled to detect the status of the VPN tunnels. If the FortiGate
detects that the primary tunnel is no longer responsive (dead), it can trigger the failover to the secondary
tunnel, ensuring a faster tunnel failover.
So, the correct choices are B and D.
25.What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)
A. FortiGate uses fewer resources.
B. FortiGate performs a more exhaustive inspection on traffic.
C. FortiGate adds less latency to traffic.
D. FortiGate allocates two sessions per connection.
Answer: A,C
Explanation:
A. FortiGate uses fewer resources.
C. FortiGate adds less latency to traffic.
Flow-based inspection is a type of traffic inspection that is used by some firewall devices, including
FortiGate, to analyze network traffic. It is designed to be more efficient and less resource-intensive than
proxy-based inspection, and it offers several benefits over this approach.
Two benefits of flow-based inspection compared to proxy-based inspection are:
FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based
inspection, which can help to improve the performance of the firewall device and reduce the impact on
overall system performance.
FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based
inspection, which can be important for real-time applications or other types of traffic that require low
latency.
A. Fewer resources, since flow-based inspection does not need to buffer much of the session in memory.
C. Flow-based inspection samples traffic as it passes and makes the allow or deny decision on the last packet of the flow, so the client does not have to wait for FortiGate to scan the bulk of the packets before any of them are forwarded.