[Full-Version] 2025 New GetValidTest FCP_FGT_AD-7.4 PDF Recently Updated Questions
FCP_FGT_AD-7.4 Exam with Guarantee Updated 91 Questions
NEW QUESTION # 27
Which timeout setting can be responsible for deleting SSL VPN associated sessions?
- A. SSL VPN login-timeout
- B. SSL VPN idle-timeout
- C. SSL VPN dtls-hello-timeout
- D. SSL VPN http-request-body-timeout
Answer: B
Explanation:
The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle- timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.
Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting on the GUI.
NEW QUESTION # 28
An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken.
Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?
- A. The administrator must use the user self-registration server.
- B. The administrator can register the same FortiToken on more than one FortiGate.
- C. The administrator must use a FortiAuthenticator device.
- D. The administrator can use a third-party radius OTP server.
Answer: C
Explanation:
B. The administrator must use a FortiAuthenticator device.
B is correct due to the FortiToken, a different OTP cannot use FortiToken. So we have to choose the fortiAuthenticator.
To achieve VPN user access for multiple sites using the same soft FortiToken, the administrator can use a FortiAuthenticator device. FortiAuthenticator is designed to provide centralized authentication services for Fortinet devices, including VPN authentication. It allows for the centralized management of user identities, authentication methods, and FortiTokens. By using FortiAuthenticator, the administrator can register the same FortiToken for users across multiple FortiGate devices, providing a seamless and centralized user access experience.
NEW QUESTION # 29
View the exhibit.
Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2.
Also, necessary firewall policies are configured in VDOM1 and VDOM2.
Which two static routes are required in the FortiGate configuration, to route traffic between both subnets through an inter-VDOM link? (Choose two.)
- A. A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter- VDOM link
- B. A static route in VDOM2 for the destination subnet 10.0.1.0/24
- C. A static route in VDOM1 for the destination subnet 10.0.2.0/24
- D. A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link
Answer: B,C
Explanation:
The two static routes required in the FortiGate configuration to route traffic between both subnets through an inter-VDOM link are:
B. A static route in VDOM2 for the destination subnet 10.0.1.0/24
C. A static route in VDOM1 for the destination subnet 10.0.2.0/24
In VDOM1, a static route for the destination subnet 10.0.2.0/24 is needed to route traffic destined for VDOM2's subnet through the inter-VDOM link.
In VDOM2, a static route for the destination subnet 10.0.1.0/24 is needed to route traffic destined for VDOM1's subnet through the inter-VDOM link.
NEW QUESTION # 30
Refer to the exhibit.
Why did FortiGate drop the packet?
- A. It failed the RPF check.
- B. 11 matched an explicitly configured firewall policy with the action DENY
- C. The next-hop IP address is unreachable.
- D. It matched the default implicit firewall policy
Answer: D
NEW QUESTION # 31
To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?
- A. Downstream FortiGate
- B. FortiAnalyzer
- C. Root FortiGate
- D. FortiManager
Answer: B
Explanation:
The correct answer is C. FortiAnalyzer.
Explanation:
In a Security Fabric configuration, after the devices are added to the Security Fabric, the final step is to authorize these devices. This authorization process is typically done through FortiAnalyzer, which manages and controls the Security Fabric. FortiAnalyzer allows administrators to centrally manage and monitor the Security Fabric, including authorizing devices to participate in the Security Fabric.
All devices must be authorized on the root Fortigate, and then after this step all must be authorized on the FortiAnalyzer.
NEW QUESTION # 32
Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)
- A. FortiSandbox
- B. FortiCloud
- C. FortiCache
- D. FortiAnalyzer
- E. FortiSIEM
Answer: B,D,E
Explanation:
The three remote log storage options you can configure on FortiGate are:
A. FortiSIEM
FortiSIEM is a comprehensive security information and event management (SIEM) solution that allows for centralized log storage and analysis.
B. FortiCloud
FortiCloud provides cloud-based services, including log storage, for Fortinet devices, allowing for remote log storage and management.
E. FortiAnalyzer
FortiAnalyzer is a dedicated log and analysis appliance that provides centralized log storage, reporting, and analysis capabilities for Fortinet devices.
So, the correct choices are A, B, and E.
Fortisandbox is not a logging solution.
NEW QUESTION # 33
Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)
- A. The client FortiGate requires a manually added route to remote subnets.
- B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
- C. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
- D. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
Answer: C,D
Explanation:
C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate. Incorrect:
A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B. The client FortiGate requires a manually added route to remote subnets. (dynamically) The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. When an SSL VPN client connection is established, the client dynamically adds a route to the subnets that are returned by the SSL VPN server.
This configuration requires proper CA certificate installation as the SSL VPN client FortiGate/user uses PSK and a PKI client certificate to authenticate. The FortiGate devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
NEW QUESTION # 34
Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.
Which policy will be highlighted, based on the input criteria?
- A. Policy with ID 4.
- B. Policy with ID 5.
- C. Policies with ID 2 and 3.
- D. Policy with ID 1.
Answer: B
Explanation:
Policy with ID 5.
It's coming from port 3 - hits Facebook-Web (Application) from the screenshot it show that it allows http and https traffic (80, 443).
There are 3 rules related to port3
and two rules source LOCAL_CLIENT
this would leave us with Rule 1 & 5
Rule one Service is = ULL_UDP
Rule five = Internet Services
Destination port we are looking for is 443 (usually this is TCP)
So it had to be PID5
We are looking for a policy that will allow or deny traffic from the source interface Port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to facebook.com TCP port 443 (HTTPS). There are only two policies that will match this traffic, policy ID 2 and 5. In FortiGate, firewall policies are evaluated from top to bottom. This means that the first policy that matches the traffic is applied, and subsequent policies are not evaluated. Based on the Policy Lookup criteria, Policy ID 5 will be highlighted.
NEW QUESTION # 35
Refer to the exhibit.
Based on the ZTNA tag, the security posture of the remote endpoint has changed.
What will happen to endpoint active ZTNA sessions?
- A. They will be re-evaluated to match the firewall policy.
- B. They will be re-evaluated to match the ZTNA policy.
- C. They will be re-evaluated to match the security policy.
- D. They will be re-evaluated to match the endpoint policy.
Answer: B
Explanation:
C: They will be re-evaluated to match the ZTNA policy.
Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no longer compliant with the ZTNA policy.
NEW QUESTION # 36
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
- A. The serial number in the server certificate.
- B. The server name indication (SNI) extension in the client hello message.
- C. The subject alternative name (SAN) field in the server certificate.
- D. The subject field in the server certificate.
- E. The host field in the HTTP header.
Answer: B,C,D
NEW QUESTION # 37
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
- A. The collector agent uses a Windows API to query DCs for user logins.
- B. The collector agent must search Windows application event logs.
- C. NetAPI polling can increase bandwidth usage in large networks.
- D. The NetSessionEnum function is used to track user logouts.
Answer: D
NEW QUESTION # 38
An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?
- A. Strict RPF checks the best route back to the source using the incoming interface.
- B. Strict RPF check is run on the first sent and reply packet of any new session.
- C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
- D. Strict RPF allows packets back to sources with all active routes.
Answer: A
NEW QUESTION # 39
Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
- A. Configure a static URL filter entry for download, com with Type and Action set to Wildcard and Block, respectively.
- B. Configure a web override rating for download, com and select Malicious Websites as the subcategory.
- C. Set the Freeware and Software Downloads category Action to Warning
- D. Configure a separate firewall policy with action Deny and an FQDN address object for *. download, com as destination address.
Answer: A,D
Explanation:
To block access specifically to download.com while allowing other sites in the "Freeware and Software Downloads" category, you can create a separate firewall policy with a deny action specifically for the FQDN *.download.com. This approach allows blocking this particular site without affecting the other sites in the same category. Alternatively, configuring a static URL filter entry with the type set to Wildcard and action set to Block will also achieve the desired effect by directly blocking the specific URL without impacting other sites in the category.
Reference:
FortiOS 7.4.1 Administration Guide: URL filter configuration
NEW QUESTION # 40
Which method allows management access to the FortiGate CLI without network connectivity?
- A. Serial console
- B. SSH console
- C. CLI console widget
- D. Telnet console
Answer: A
Explanation:
The serial console method allows management access to the FortiGate CLI without relying on network connectivity. This method involves directly connecting a computer to the FortiGate device using a serial cable (such as a DB-9 to RJ-45 cable or USB to RJ-45 cable) and using terminal emulation software to interact with the FortiGate CLI. This method is essential for situations where network-based access methods (such as SSH or Telnet) are not available or feasible.
Reference:
FortiOS 7.4.1 Administration Guide: Console connection
NEW QUESTION # 41
Refer to the exhibit.
Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit.
What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?
- A. Traffic matching the signature will be allowed and logged.
- B. The signature setting includes a group of other signatures.
- C. The signature setting uses a custom rating threshold.
- D. Traffic matching the signature will be silently dropped and logged.
Answer: A
Explanation:
The exhibit shows that the "FTP.Login.Failed" IPS signature is set with the action "Pass" and packet logging enabled. This means that any traffic matching this signature will be allowed through the FortiGate, and the traffic details will be logged for monitoring and analysis purposes.
References:
* FortiOS 7.4.1 Administration Guide: IPS Signature Actions
NEW QUESTION # 42
Which two statements are correct about SLA targets? (Choose two.)
- A. SLA targets are required for SD-WAN rules with a Best Quality strategy.
- B. SLA targets are optional.
- C. You can configure only two SLA targets per one Performance SLA.
- D. SLA targets are used only when referenced by an SD-WAN rule.
Answer: B,D
Explanation:
B). SLA targets are optional.
D). SLA targets are used only when referenced by an SD-WAN rule.
Incorrect:
A). You can configure only two SLA targets per one Performance SLA. (more is possible)
C). SLA targets are required for SD-WAN rules with a Best Quality strategy. (not required) If the health check is used in an SD-WAN rule that uses Manual or Best Quality strategies, enabling SLA Target is optional. If the health check is used in an SD-WAN rule that uses Lowest Cost (SLA) or Maximum Bandwidth (SLA) strategies, then SLA Target is enabled.
Enable SLA Targetsand configure the constraints. To add multiple SLA targets, use the CLI.
NEW QUESTION # 43
Refer to the exhibit to view the firewall policy.
Why would the firewall policy not block a well-known virus, for example eicar?
- A. The firewall policy does not apply deep content inspection.
- B. The action on the firewall policy is not set to deny.
- C. Web filter is not enabled on the firewall policy to complement the antivirus profile.
- D. The firewall policy is not configured in proxy-based inspection mode.
Answer: D
Explanation:
The firewall policy shown in the exhibit is configured in flow-based inspection mode. In flow-based inspection, certain security features, such as deep content inspection, might not be as effective as in proxy- based mode. Proxy-based inspection is necessary for thorough content inspection, which includes identifying and blocking well-known viruses like EICAR.
References:
* FortiOS 7.4.1 Administration Guide: Inspection Modes
NEW QUESTION # 44
Which of statement is true about SSL VPN web mode?
- A. The tunnel is up while the client is connected
- B. It supports a limited number of protocols
- C. It assigns a virtual IP address to the client
- D. The external network application sends data through the VPN
Answer: B
Explanation:
C: It supports a limited number of protocols
SSL VPN web mode typically supports a limited number of protocols compared to the full SSL VPN tunnel mode. This limitation is due to the nature of web-based applications and the restrictions of running within a web browser.
Web mode requires only a web browser, but supports a limited number of protocols.
A is incorrect - External network applications running on the user's PC cannot send data across the VPN.
C is correct - Web mode requires only a web browser, but supports a limited number of protocols.
NEW QUESTION # 45
Refer to the exhibit.
Which two statements are true about the routing entries in this database table? (Choose two.)
- A. The port2 interface is marked as inactive.
- B. Both default routes have different administrative distances.
- C. All of the entries in the routing database table are installed in the FortiGate routing table.
- D. The default route on porc2 is marked as the standby route.
Answer: B,D
Explanation:
The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:
The default route through port2 has an administrative distance of 20.
The default route through port1 has an administrative distance of 10.
Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2.
Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.
Reference:
FortiOS 7.4.1 Administration Guide: Default route configuration
FortiOS 7.4.1 Administration Guide: Routing table explanation
NEW QUESTION # 46
Which statements about the firmware upgrade process on an active-active HA cluster are true?
(Choose two.)
- A. Traffic load balancing is temporally disabled while upgrading the firmware.
- B. Uninterruptable upgrade is enabled by default.
- C. The firmware image must be manually uploaded to each FortiGate.
- D. Only secondary FortiGate devices are rebooted.
Answer: A,B
Explanation:
The correct statements are:
C. Uninterruptable upgrade is enabled by default: This statement is true. Uninterruptable upgrade (also known as "non-stop upgrade" or NSU) is enabled by default in an active-active HA cluster. This allows the cluster to upgrade the firmware without interrupting traffic.
D. Traffic load balancing is temporarily disabled while upgrading the firmware: This statement is true.
During the firmware upgrade process, traffic load balancing is temporarily disabled to avoid potential issues that may arise from traffic distribution while the firmware is being upgraded.
NEW QUESTION # 47
FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)
- A. DNS filter
- B. Antivirus scanning
- C. Intrusion prevention
- D. File filter
Answer: B,C
Explanation:
Security policy: If the traffic is allowed as per the consolidated policy, FortiGate will then process it based on the security policy to analyze additional criteria, such as URL categories for web filtering and application control. Also, if enabled, the security policy further inspects traffic using security profiles such as IPS and AV.
When FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy, you can also apply Antivirus scanning and Intrusion Prevention security profiles. These additional security profiles enhance the overall security posture of the network.
Extra explanation:
In addition to web filtering and application control, you can apply the following security profiles to the security policy on a FortiGate firewall:
A. Antivirus scanning: This profile scans traffic for viruses, malware, and other malicious content to prevent them from entering the network.
D. Intrusion prevention: This profile protects against network threats by inspecting traffic for known attack patterns and malicious activities, helping to prevent unauthorized access and data breaches. So, the correct answers are A. Antivirus scanning and D. Intrusion prevention
NEW QUESTION # 48
Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?
- A. Each VDOM in the environment can be part of a different Security Fabric
- B. Security rating reports can be run individually for each configured VDOM
- C. Downstream devices can connect to the upstream device from any of their VDOMs
- D. VDOMs without ports with connected devices are not displayed in the topology
Answer: D
Explanation:
"When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric, each VDOM with its assigned ports is displayed when one or more devices are detected. Only the ports with discovered and connected devices appear in the Security Fabric view and, because of this, you must enable Device Detection on ports you want to have displayed in the Security Fabric. VDOMs without ports with connected devices are not displayed. All VDOMs configured must be part of a single Security Fabric."
NEW QUESTION # 49
Refer to the exhibits.


The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)
- A. In the firewall policy configuration, add 10. o. l. 3 as an address object in the source field.
- B. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.
- C. In the IP pool configuration, set cype to overload.
- D. In the IP pool configuration, set endig to 192.2.0.12.
Answer: C,D
Explanation:
To resolve the issue of PC3 not being able to access the internet, the administrator needs to adjust the IP pool configuration or the firewall policy. The following two options will fix the connectivity issue:
* B. In the IP pool configuration, set the ending IP to 192.2.0.12: The current IP pool range is
192.2.0.10-192.2.0.11, which only provides two IP addresses for network address translation (NAT). To allow PC3 to access the internet, the IP pool should be expanded to include an additional IP address by changing the end of the range to 192.2.0.12.
* D. In the IP pool configuration, set type to overload: Instead of using a one-to-one NAT, changing the type to overload will allow multiple internal addresses (such as PC1, PC2, and PC3) to share a single external IP address. This will solve the issue without needing additional public IP addresses.
The other options are not suitable:
* A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field: This option is unnecessary since the firewall policy already allows all addresses from the source (LAN port3).
* C. Configure another firewall policy that matches only the address of PC3 as the source, and then place the policy on top of the list: This option is redundant and would not resolve the underlying issue with the IP pool configuration.
References
* FortiOS 7.4.1 Administration Guide - Configuring Firewall Policies, page 512.
* FortiOS 7.4.1 Administration Guide - Configuring NAT with IP Pools, page 518.
NEW QUESTION # 50
Which statement regarding the firewall policy authentication timeout is true?
- A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
- B. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
- C. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.
- D. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
Answer: D
Explanation:
A. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
The firewall policy authentication timeout is an idle timeout, meaning that it measures the duration of inactivity for a user. If the FortiGate does not see any packets coming from the user's source IP within the specified timeout period, it considers the user to be idle and may remove the temporary policy associated with that user.
*** If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes by default), user authentication entry will be removed.
* If the user tries to access resources now, FortiGate will prompt the user to authenticate again.
The firewall policy authentication timeout is indeed often an idle timeout, and the FortiGate considers a user to be "idle" if it does not detect any packets coming from the user's source IP within the specified time period.
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221
NEW QUESTION # 51
......
Latest FCP_FGT_AD-7.4 Pass Guaranteed Exam Dumps Certification Sample Questions: https://troytec.getvalidtest.com/FCP_FGT_AD-7.4-brain-dumps.html