FCP_FGT_AD-7.4 Fortinet FCP - FortiGate 7.4 Administrator Free Practice Exam Questions (2025 Updated)

The serial console method allows management access to the FortiGate CLI without relying on network connectivity. This method involves directly connecting a computer to the FortiGate device using a serial cable (such as a DB-9 to RJ-45 cable or USB to RJ-45 cable) and using terminal emulation software to interact with the FortiGate CLI. This method is essential for situations where network-based access methods (such as SSH or Telnet) are not available or feasible.

References:

FortiOS 7.4.1 Administration Guide: Console connection

The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information:

WinSecLog:Monitors Windows Security Event Logs for login events.

WMI:Uses Windows Management Instrumentation to poll user login sessions.

NetAPI:Utilizes the Netlogon API to query domain controllers for user session data.

These methods allow the FortiGate to gather user logon information and enforce user-based policies effectively.

References:

FortiOS 7.4.1 Administration Guide: FSSO Configuration

To consolidate the two separate firewall policies for Sales and Engineering departments accessing the same web server, you can create an Interface Group that includes bothport1(Sales) andport2(Engineering). Once the Interface Group is created, you can use this group as a single incoming interface in a single firewall policy. This approach reduces the number of policies, making management more efficient.

References:

FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration

The source address remains 10.200.3.1 because FortiGate does not modify the source address by default unless NAT is applied (which is disabled in the policy).

The destination address is translated to 10.0.1.10 by the VIP (Virtual IP) object, as this is the internal server address mapped to the external IP 10.200.1.10.

The destination port is translated from 8080 to 80 as per the port forwarding rule configured in the VIP object.

The "d-wan" zone in FortiGate SD-WAN configuration is the default SD-WAN zone created when SD-WAN is enabled. This zone contains all the interfaces assigned to SD-WAN and is essential for the functionality of the SD-WAN feature. The "d-wan" zone cannot be deleted because it is required for SD-WAN operations. Option A is incorrect because the underlay zone does notcontain port1. Options B and D are incorrect because they incorrectly describe the configuration of zones.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Zone Configuration

Firewall authentication generally requires the DNS service to be enabled in the firewall policy to correctly resolve hostnames during the authentication process. If DNS is not allowed in the firewall policy, the FortiGate cannot resolve external domains, and as a result, the user may not be presented with the login prompt when attempting to access an external website.

References:

FortiOS 7.4.1 Administration Guide: Firewall Authentication Configuration

When multiple web filtering features are enabled in FortiGate, the HTTP inspection process follows a specific sequence: Static URL Filter: This filter checks URLs against a predefined list of allowed or blocked URLs. FortiGuard Category Filter: This checks the category of the website using the FortiGuard database. Advanced Filters: These include features like -> "Safe Search" <-, YouTube EDU filtering, and other advanced filtering options. This order ensures efficient and layered filtering of web traffic based on various criteria.

To configure redundant IPsec VPN tunnels on FortiGate with failover capability, the following two key configuration changes are required:

A. Enable Dead Peer Detection (DPD):Dead Peer Detection is crucial for detecting if the remote peer is unreachable. By enabling DPD, FortiGate can quickly detect a dead tunnel, ensuring a faster failover to the secondary tunnel when the primary tunnel goes down.

C. Configure a lower distance on the static route for the primary tunnel and a higher distance on the static route for the secondary tunnel:The static route with the lower distance (higher priority) will be used when both tunnels are operational. If the primary tunnel fails, the higher distance (lower priority) route for the secondary tunnel will take over, ensuring traffic is routed correctly.

The other options are not suitable:

B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels:This option is not directly related to the requirements of failover between two IPsec VPN tunnels.

D. Configure a higher distance on the static route for the primary tunnel and a lower distance on the static route for the secondary tunnel:This would prioritize the secondary tunnel over the primary tunnel, which is opposite to the desired configuration.

References

FortiOS 7.4.1 Administration Guide -Configuring IPsec VPN, page 1320.

FortiOS 7.4.1 Administration Guide -Redundant VPN Configuration, page 1335.

NGFW (Next Generation Firewall) profile-based mode in FortiGate allows policies to use both flow-based and proxy-based inspection modes, providing flexibility depending on security and performance requirements. Additionally, profile-based mode supports applying applications and web filtering profiles directly in a firewall policy, allowing granular control over the traffic.

References:

FortiOS 7.4.1 Administration Guide: NGFW Mode Configuration

FortiGate's application control can differentiate between parent and child applications and allows administrators to configure distinct actions for each. For example, it can identify Facebook (parent application) and specific functions within it (child applications) like Facebook video or chat, enabling more granular control over application traffic.

To retrieve AD user group information in agentless polling mode, the administrator must add an LDAP server to the FortiGate device​.

FortiGate supports both pre-shared key and certificate signature methods for IKEv1 authentication. These methods provide flexibility depending on the security requirements of the network. Additionally, FortiGate supports Extended Authentication (XAuth), which requests a username and password from the remote peer, enhancing security by adding an extra layer of authentication. The XAuth method does not necessarily make the authentication faster; it is an additional security measure.

References:

FortiOS 7.4.1 Administration Guide: IPsec VPN Configuration

To deny access to the web server for Remote-User2 while allowing Remote-User1 to access the same web server, two configuration changes can be made:

Enable match-vip in the Deny policy:By enabling thematch-vipoption in the Deny policy, the FortiGate will check for virtual IP (VIP) objects during policy matching. This setting allows the firewall policy to correctly identify and block traffic directed to a specific mapped IP address, such as the web server, when using a VIP configuration.

Set the Destination address as Webserver in the Deny policy:Setting the Destination address to "Webserver" in the Deny policy ensures that the policy specifically targets traffic attempting to reach the web server. This configuration helps to precisely control which traffic should be blocked, focusing the Deny policy on the intended destination.

References:

FortiOS 7.4.1 Administration Guide: Deny matching with a policy with a virtual IP applied​

FortiOS 7.4.1 Administration Guide: Configuring Policies with VIPs

www.example.com

This syntax targets the main domain, which is a common way to configure a web rating override for the home page of a website.

example.com

This syntax also correctly targets the main domain without specifying a subdomain (like "www"), which is valid for configuring a web rating override for the entire site, including the home page.

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

Flow-based inspection allows real-time scanning of files as they are being transmitted, with minimal impact on performance.

In proxy-based inspection mode antivirus scanning buffers the whole file for scanning, before sending it to the client.

Proxy-based inspection mode holds the file completely, scans it for threats, and only sends the file to the client if no threats are detected.