Fortinet FCP_FGT_AD-7.4 Exam Dumps & Practice Test Questions

Question 1:

Which two statements accurately describe the routing entries shown in this database table? (Select two.)

A. Every entry listed in the routing database is installed in the FortiGate routing table.
B. The port2 interface is indicated as inactive.
C. The two default routes have distinct administrative distances.
D. The default route on port2 is designated as the standby route.

Correct Answers: C and D

Explanation:

In FortiGate devices, the routing database contains all known routes, but not all of them are necessarily installed into the active routing table that controls actual traffic forwarding. Understanding how FortiGate handles routing entries involves knowledge of administrative distance and the concept of active versus standby routes.

Option A is incorrect because the routing database may hold multiple route entries to the same destination, but only the best route (lowest administrative distance or highest priority) is installed in the routing table. Other routes remain as backup or standby and are not actively used unless the primary route fails.

Option B cannot be confirmed from the information given. An interface marked inactive means it isn’t operational for routing, but the question does not state that port2 has this status, so it’s not a safe assumption.

Option C is correct. When two default routes exist, they typically have different administrative distances. The administrative distance is a value that ranks the reliability of routes, with a lower value indicating higher priority. FortiGate uses this metric to decide which default route should be preferred.

Option D is also correct. The default route on port2 being marked as a standby route means it serves as a backup. If the primary default route fails, traffic will be redirected through this standby route to maintain network connectivity.

Therefore, the two correct statements are that the default routes have different administrative distances and that the port2 default route acts as the standby.

Question 2:

When SSL certificate inspection is enabled on FortiGate, which three sources of information does it use to determine the hostname of the SSL server? (Select three.)

A. The host field in the HTTP header
B. The Server Name Indication (SNI) extension within the client hello message
C. The Subject Alternative Name (SAN) field inside the server’s certificate
D. The subject field of the server certificate
E. The serial number of the server certificate

Correct Answers: A, B, and C

Explanation:

FortiGate devices perform SSL inspection by decrypting and analyzing SSL/TLS traffic to enforce security policies. Part of this inspection requires accurately identifying the hostname of the SSL server involved. FortiGate uses multiple pieces of information from different layers of the SSL handshake and HTTP traffic to determine this hostname.

A. Host field in the HTTP header:
Once the SSL session is decrypted, FortiGate examines the HTTP header, which contains a “Host” field specifying the requested domain name. This is a primary indicator of the server hostname the client wants to reach.

B. Server Name Indication (SNI):
The SNI is an extension in the SSL/TLS handshake that allows a client to specify the desired hostname before the encrypted session begins. This is especially important when multiple domains share the same IP address, allowing the server and firewall to apply the correct certificate and policies.

C. Subject Alternative Name (SAN) field:
This field in the SSL certificate lists all domain names for which the certificate is valid. FortiGate uses the SAN field to cross-check and confirm the hostname, as it can contain multiple domain names beyond the primary one.

Why other options don’t apply:
D. Subject field typically contains the main domain, but is less comprehensive than the SAN field, which covers multiple domains and is more accurate for hostname identification.
E. Serial number uniquely identifies the certificate itself but contains no domain or hostname information.

Hence, the host field, SNI, and SAN are the key sources FortiGate uses to identify the SSL server hostname during inspection.

Question 3:

What method does SD-WAN use to route traffic that does not match any of the defined SD-WAN rules?

A. All traffic from a specific source IP to a destination IP is always sent through the same interface.
B. Traffic is routed through the link that has the lowest latency.
C. Traffic is balanced based on the number of active sessions on each interface.
D. All traffic from a given source IP is directed to a single interface.

Correct Answer: B

Explanation:

SD-WAN (Software-Defined Wide Area Network) enhances network efficiency by dynamically selecting the best path for traffic based on real-time network conditions. When traffic does not match any explicit routing rule configured in the SD-WAN policy, the system defaults to an algorithm designed to optimize performance.

Option B is the correct answer because SD-WAN generally routes unclassified or unmatched traffic via the link with the lowest latency. Latency is a critical metric that reflects the delay between sending and receiving packets. Choosing the path with the lowest latency improves responsiveness and user experience, especially for real-time applications such as voice or video calls.

Why the other options are not correct:

  • A: Sending all traffic between a source and destination IP pair through the same interface describes session-based routing, which is common in some contexts but not the default for unmatched traffic in SD-WAN. SD-WAN prioritizes network performance over static routing decisions.

  • C: Load balancing based on the number of active sessions per interface is possible but not the primary mechanism used for traffic without matching SD-WAN rules. Session count balancing does not account for network quality factors like latency or packet loss, which are more critical for path selection.

  • D: Routing all traffic from a source IP to one interface ignores the dynamic nature of SD-WAN, which aims to optimize path selection to maximize efficiency and reliability.

Therefore, for traffic that doesn’t fall under any defined SD-WAN rules, SD-WAN typically directs the traffic to the link with the best network performance, usually measured by the lowest latency.

Question 4:

Which IPsec VPN wizard template should a network administrator choose when configuring a VPN tunnel to allow a traveling sales employee secure remote access to the corporate network?

A. Remote Access
B. Site-to-Site
C. Dial-up User
D. Hub-and-Spoke

Correct Answer: A

Explanation:

When configuring a VPN connection for a mobile employee, such as a sales representative working remotely, the main goal is to provide secure and flexible access to internal corporate resources regardless of the employee’s physical location.

Option A, the Remote Access VPN template, is specifically designed to accommodate this use case. It allows individual users to connect securely from various remote locations — like hotels, airports, or home networks — using devices such as laptops or smartphones. This template supports user authentication and encryption to protect data transmitted over potentially untrusted public internet connections. The Remote Access VPN essentially extends the corporate network securely to the user’s device, enabling seamless access to internal applications and data as if the user were on-site.

The other options are less suitable:

  • B. Site-to-Site VPN is meant for connecting two fixed locations (like office branches) securely over the internet. It’s not intended for individual users but for linking entire networks.

  • C. Dial-up User is an outdated method that refers to remote connections using dial-up modems, which is irrelevant for modern IPsec VPN configurations.

  • D. Hub-and-Spoke architecture is typically used to connect multiple branch offices to a central hub, providing secure inter-site connectivity but not intended for remote individual users.

Hence, the best choice for enabling secure remote access for a traveling employee is the Remote Access template.

Question 5:

The network diagram and configuration exhibits show a FortiGate device with associated firewall policy and IP pool settings. PCs PC1 and PC2 can access the internet without problems, but after adding a third PC (PC3), it fails to connect online. 

Based on the provided configuration details, which two steps should the administrator take to fix PC3’s internet connectivity? (Choose two.)

A. Add 10.0.1.3 as an address object in the firewall policy’s source field.
B. Change the IP pool’s end IP address to 192.2.0.12.
C. Create a new firewall policy specifically for PC3’s IP and place it at the top of the policy list.
D. Set the IP pool type to overload.

Answer: A, D

Explanation:

When PC3 cannot access the internet while PC1 and PC2 can, the problem often lies in how the firewall policies or IP pool are configured for new devices. The FortiGate firewall controls traffic by policies, and the IP pool manages NAT (Network Address Translation) for outbound traffic.

Option A addresses the firewall policy configuration. The firewall policy defines which source IP addresses are permitted. If PC3’s IP address (10.0.1.3) isn’t explicitly included or covered by the existing source objects in the firewall rules, traffic from PC3 will be blocked. Adding PC3’s IP address to the source field ensures it’s recognized and allowed by the firewall.

Option D involves the IP pool configuration, which is critical for NAT operations. The IP pool defines how internal IP addresses map to public IPs. If the pool is too small or is not configured to let multiple internal hosts share an address, new devices like PC3 can’t get a valid NAT address. Setting the IP pool type to overload allows multiple internal IPs to share a single public IP address through Port Address Translation (PAT), enabling PC3 to use the same public IP as PC1 and PC2.

Option B changes the IP range of the IP pool but does not guarantee solving the problem if the pool type isn’t appropriate. Option C creates a separate firewall policy for PC3, which may be unnecessary complexity if the existing policy can be adjusted to cover PC3.

In summary, ensuring PC3 is recognized by the firewall policy (Option A) and enabling IP address sharing via overload (Option D) are the most effective fixes for PC3’s connectivity issue.

Question 6:

An administrator needs to access the FortiGate device’s Command Line Interface (CLI) for management, but no network connectivity is available to the device. 

What method allows CLI access under these conditions?

A. CLI console widget
B. Serial console
C. Telnet console
D. SSH console

Answer: B

Explanation:

Accessing a FortiGate device’s CLI without network connectivity requires a direct, physical connection to the device. Normally, administrators access the FortiGate CLI remotely over the network using secure protocols like SSH or, less securely, Telnet. However, if the network is down or the device is unreachable remotely, these methods won’t work.

Option B, the serial console, provides this direct access. The serial console connection uses a physical serial cable plugged into the FortiGate’s console port and a computer’s serial port or a USB-to-serial adapter. This setup bypasses the network entirely, allowing the administrator to interact with the device’s CLI regardless of its network state. This method is crucial for troubleshooting, initial device setup, or recovery when remote access fails.

Option A, the CLI console widget, is a graphical interface within the FortiGate web GUI. It requires network access to the device’s web interface, so it’s unusable if there’s no connectivity.

Option C (Telnet) and Option D (SSH) are network-based remote access protocols. Both rely on active network communication. Without network connectivity, neither Telnet nor SSH sessions can be established.

Thus, the serial console is the most reliable and often the only way to access the CLI in a network outage or when initial device configuration requires direct connection.

Question 7:

According to the network diagram and configuration exhibits, PCs PC1 and PC2 behind a FortiGate device have internet access, but after adding PC3, it cannot connect online. 

Considering the firewall policy and IP pool configurations, which two adjustments will resolve the issue for PC3? (Choose two.)

A. Add 10.0.1.3 as an address object in the firewall policy’s source field.
B. Extend the IP pool’s end IP to 192.2.0.12.
C. Create a new firewall policy for PC3’s IP and place it at the top of the policy list.
D. Set the IP pool type to overload.

Answer: B, D

Explanation:

When a new PC such as PC3 cannot connect to the internet, but other devices on the same network can, the issue typically lies with the NAT IP pool configuration or firewall policy specifics.

Option B involves extending the IP pool’s range by increasing the end IP to 192.2.0.12. The IP pool manages the range of IP addresses used for translating internal device IPs to public IPs for outbound traffic. If the IP pool range is too narrow or exhausted, additional devices cannot be assigned a valid NAT IP, causing connectivity failure. Extending the pool range allows more devices to be serviced.

Option D sets the IP pool type to overload, which is a form of PAT (Port Address Translation). This allows multiple internal IPs to share a single public IP address simultaneously by differentiating traffic based on port numbers. This configuration is common for home or small business networks where public IPs are limited, and it enables PC3 to use the same public IP as PC1 and PC2, resolving access issues caused by insufficient unique public IPs.

Option A would be necessary only if the firewall policy restricts access to specific IP addresses and does not already include PC3’s address. However, if the policy applies to the entire subnet, this step is redundant.

Option C creates a separate firewall rule specifically for PC3. While functional, it introduces unnecessary complexity and is not the most efficient solution compared to adjusting the IP pool.

In conclusion, increasing the IP pool range and enabling overload (Options B and D) ensure that PC3 can obtain a valid NAT address and access the internet seamlessly.

Question 8:

A network administrator needs to manage a FortiGate device, but there is no available network connection to it. 

Which method enables the administrator to access the FortiGate's Command Line Interface (CLI) without relying on any network connectivity?

A. CLI console widget
B. Serial console
C. Telnet console
D. SSH console

Answer: B

Explanation:

When managing a FortiGate device without any network connectivity, the administrator must use a method that provides direct, physical access to the device's CLI. Among the options listed, the serial console is the only method that allows access independent of the network.

The CLI console widget (Option A) is part of the FortiGate's web-based graphical user interface (GUI). It requires an active network connection because it operates through the web browser connected to the FortiGate device. Without network access, this option is not viable.

Telnet (Option C) and SSH (Option D) are both remote terminal protocols that depend on network connectivity to function. Telnet is an unencrypted method, while SSH provides secure encrypted communication. Both require the FortiGate device to be reachable over the network, which isn’t the case here.

The serial console (Option B) is a physical interface typically accessible via a serial port or USB-to-serial adapter on the FortiGate device. By connecting a terminal program (such as PuTTY or Tera Term) to this port, administrators can interact directly with the device’s CLI. This approach is especially important for initial device setup, troubleshooting, or recovery scenarios when network connectivity is either absent or compromised.

Using the serial console enables the administrator to perform all configuration, management, and diagnostic tasks even when network interfaces are down. It serves as an essential fallback method ensuring continued access to the device regardless of network status.

In summary, because the serial console does not rely on network connectivity, it is the most suitable method for managing the FortiGate device under the described conditions.

Question 9:

A network administrator is configuring two redundant IPsec VPN tunnels on a FortiGate firewall using static routes. The goal is to have all traffic use the primary tunnel when both tunnels are operational, with the secondary tunnel automatically taking over if the primary fails. The administrator also wants FortiGate to quickly detect tunnel failure to enable fast failover. 

Which two configurations must be implemented?

A. Enable Dead Peer Detection
B. Enable Auto-negotiate and Autokey Keep Alive on phase 2
C. Assign a lower distance value to the static route for the primary tunnel and a higher distance to the secondary tunnel
D. Assign a higher distance value to the static route for the primary tunnel and a lower distance to the secondary tunnel

Answer: A, C

Explanation:

When configuring redundant IPsec VPN tunnels, the administrator’s primary objectives are to ensure that traffic flows through the preferred (primary) tunnel whenever it is available and to enable quick failover to the backup tunnel if the primary goes down. Achieving this requires careful configuration of tunnel monitoring and routing preferences.

Dead Peer Detection (DPD) (Option A) is a vital protocol that allows the FortiGate device to detect when the remote VPN peer is no longer responding. By enabling DPD, the FortiGate can promptly identify tunnel failures, triggering failover mechanisms to route traffic through the secondary tunnel with minimal delay. This ensures higher network availability and reliability.

The static route configuration (Option C) determines which tunnel is preferred for sending traffic. In routing, a lower administrative distance indicates higher priority. By setting a lower distance for the primary tunnel’s static route and a higher distance for the secondary tunnel’s route, the FortiGate prioritizes the primary tunnel under normal conditions. If the primary tunnel fails (detected via DPD), the route with the higher distance (secondary tunnel) becomes active.

Option B, enabling Auto-negotiate and Autokey Keep Alive on phase 2, helps maintain the VPN tunnels by refreshing keying material and negotiating parameters automatically. While useful for tunnel stability, it does not directly influence failover or route preference.

Option D incorrectly reverses the priorities by giving the primary tunnel a higher distance (lower priority), which would cause traffic to prefer the backup tunnel even when the primary is available. This contradicts the desired configuration.

In conclusion, enabling Dead Peer Detection ensures timely failure detection, and configuring static routes with appropriate administrative distances guarantees that the primary tunnel is preferred, with automatic failover to the secondary tunnel when needed.

Question 10:

A network administrator is reviewing the FortiGate logs and notices that several attempts to access a blocked website are still being logged as "action=accept" even though the URL is on a configured Web Filter block list. 

What is the most likely reason for this behavior?

A. The Web Filter profile is not applied to the correct security policy.
B. The FortiGuard Web Filter database is outdated.
C. The FortiGate is operating in flow-based inspection mode.
D. The SSL inspection profile is disabled, preventing content inspection.

Correct Answer: A

Explanation:

When a FortiGate firewall logs access attempts to a blocked website as "action=accept," it typically means that the security policy allowed the initial traffic flow—even if subsequent filtering actions (such as Web Filter blocks) occurred. This often causes confusion, as administrators might expect the traffic to be outright dropped.

The most likely explanation in this scenario is that the Web Filter profile has not been applied to the security policy handling that traffic. Web Filtering is a layer of security inspection that must be explicitly tied to a policy. If the Web Filter profile isn't linked, FortiGate will allow traffic based solely on the policy's permit action, and it won’t evaluate the website against the filtering database. Therefore, even if the website is on the block list, FortiGate doesn’t take any blocking action because it isn't instructed to do so.

Let’s look at the other options:

  • B: If the FortiGuard database is outdated, it might fail to recognize the website as malicious, but this wouldn't result in a logged action of "accept" if the site was already known to be blocked. It would more likely result in "allow" due to misclassification—not “accept” without filtering.

  • C: Flow-based mode does affect how packets are inspected, but FortiGate can still perform Web Filtering in this mode. It would not inherently bypass the filter unless misconfigured.

  • D: SSL inspection is important for encrypted traffic, but if the traffic is unencrypted (HTTP), the Web Filter can still block it. Lack of SSL inspection doesn’t explain an “accept” log unless the site is HTTPS.
