FCP_FGT_AD-7.6
Test title: FCP_FGT_AD-7.6
Description: FCP FGT 7.6



When configuring the Fortinet Security Fabric with split-task VDOMs enabled on all FortiGate devices, which downstream VDOM is used to join the Security Fabric?

- FG-traffic VDOM
- root VDOM
- Customer VDOM
- Global VDOM

Which FortiGate security feature is designed to protect internal servers against application-layer attacks such as SQL injections?

- Denial of Service
- Web Application Firewall
- Antivirus
- Application Control

Which two statements are true regarding the Fortinet Collector Agent in advanced mode for FSSO integration? (Choose two.)

- Security profiles can only be applied to user groups, not individual users.
- FortiGate can be configured as an LDAP client, and group filters are configured on the FortiGate.
- Advanced mode supports nested or inherited Active Directory groups.
- Advanced mode uses the Windows naming convention NetBIOS: Domain\Username.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

- By default, FortiGate uses WINS servers to resolve names.
- By default, the SSL VPN portal requires the installation of a client's certificate.
- By default, split tunneling is enabled.
- By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Which statements are true regarding backing up logs from the CLI and downloading logs from the GUI on a FortiGate device? (Choose two.)

- Log downloads from the GUI are limited to the current filter view.
- Log backups from the CLI cannot be restored to another FortiGate.
- Log backups from the CLI can be configured to upload to an FTP server at a scheduled time.
- Log downloads from the GUI are stored as LZ4 compressed files.

Which certificate field does FortiGate use to determine the relationship between a certificate and its issuer?

- Subject Key Identifier value
- S/MIME Capabilities value
- Subject value
- Subject Alternative Name value

Which two statements are true about the Fortinet Security Fabric rating feature? (Choose two.)

- The Security Fabric rating is a free service included with all FortiGate devices.
- Many identified security issues can be remediated immediately by clicking Apply where supported.
- The Security Fabric rating must be executed on the root FortiGate in the Security Fabric topology.
- It provides executive summaries across the four largest security focus areas.

Which two statements accurately describe FortiGate's route lookup behavior when determining the appropriate gateway for a session? (Choose two.)

- Route lookup is performed on the first packet from the session originator.
- Route lookup is performed on the last packet sent by the responder.
- Route lookup is performed on every packet, regardless of direction.
- Route lookup is performed on the first reply packet from the responder.

An administrator wants to configure VPN user access across multiple sites using the same soft FortiToken for authentication. Each site has its own FortiGate VPN gateway. What must the administrator do to enable this setup?

- Register the same FortiToken directly on multiple FortiGate devices.
- Deploy a FortiAuthenticator device to centralize FortiToken management.
- Use a third-party RADIUS server supporting OTP authentication.
- Use the user self-registration server feature to distribute tokens.

Which three statements about IPsec Security Associations (SAs) are correct? (Choose three.)

- Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
- An SA never expires.
- A Phase 1 SA is bidirectional, while a Phase 2 SA is directional.
- Phase 2 SA expiration can be time-based, volume-based, or both.
- Both the Phase 1 SA and Phase 2 SA are bidirectional.

Refer to the exhibit. As an administrator, you have created an IPS profile, but it is not performing as expected. While testing, you got the output shown in the exhibit. What could be the reason for the diagnose output shown in the exhibit?

- There is no firewall policy configured with an IPS security profile.
- FortiGate entered into IPS fail open state.
- Administrator entered the command diagnose test application ipsmonitor 5.
- Administrator entered the command diagnose test application ipsmonitor 99.

You have created a web filter profile named restrict_media-profile with a daily category usage quota. When you are adding the profile to the firewall policy, restrict_media-profile is not listed in the available web profile drop-down. What could be the reason?

- The firewall policy is in no-inspection mode instead of deep-inspection.
- The inspection mode in the firewall policy does not match the web filter profile feature set.
- The web filter profile is already referenced in another firewall policy.
- The naming convention used in the web filter profile is restricting it in the firewall policy.

Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true? (Choose two.)

- If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.
- If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP.
- If SD-WAN is disabled, you configure the load balancing algorithm in config system settings.
- If SD-WAN is enabled, you control the load balancing algorithm with the parameter load-balance-mode.

Refer to the exhibit. The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit. For which two reasons are these web categories exempted? (Choose two.)

- The FortiGate temporary certificate denies the browser's access to websites that use HTTP Strict Transport Security.
- These websites are in an allowlist of reputable domain names maintained by FortiGuard.
- The resource utilization is optimized because these websites are in the trusted domain list on FortiGate.
- The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.

Refer to the exhibit. Based on this partial configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)

- Administrators cannot change the configuration.
- FortiGate skips quarantine actions.
- Administrators must restart FortiGate to allow new sessions.
- FortiGate drops new sessions requiring inspection.

An administrator wanted to configure an IPS sensor to block traffic that triggers a signature a set number of times during a specific time period. How can the administrator achieve the objective?

- Use IPS group signatures, set rate-mode 60.
- Use IPS packet logging option with periodical filter option.
- Use IPS filter, rate-mode periodical option.
- Use IPS filter, rate-mode periodical option.

A FortiGate firewall policy is configured with active authentication; however, the user cannot authenticate when accessing a website. Which protocol must FortiGate allow even though the user cannot authenticate?

- LDAP
- TACACS+
- Kerberos
- DNS

Refer to the exhibit. FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles. Which action must the administrator perform to consolidate the two policies into one?

- Create an Aggregate interface that includes port1 and port2 to create a single firewall policy.
- Select port1 and port2 subnets in a single firewall policy.
- Replace port1 and port2 with the any interface in a single firewall policy.
- Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.

Refer to the exhibit. An administrator configured the Web Filter Profile to block access to all social networking sites except Facebook. However, when users try to access Facebook.com, they are redirected to a FortiGuard web filtering block page. Based on the exhibits, which configuration change must the administrator make to allow Facebook while blocking all other social networking sites?

- Change the Feature set of Web Filter Profile as Proxy-based.
- Set the Action as Exempt for www.facebook.com in the Static URL Filter.
- Change the type as Simple in the Static URL Filter section.
- Set the Social Networking action as warning in the FortiGuard Category Based Filter.




