FCP_FGT_AD-7.4 Exam Dumps - Fortinet Network Security Expert Questions and Answers

NTurbo enhances performance for flow-based inspection by offloading traffic to the content processor​.

When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there are three valid actions it can take:

Allow & Warning: This action allows the session but generates a warning.

Block & Warning: This action blocks the session and generates a warning.

Block: This action blocks the session without generating a warning.

Actions such as "Trust & Allow" or just "Allow" without additional configurations are not applicable in the context of handling invalid certificates.

References:

FortiOS 7.4.1 Administration Guide: Configuring SSL/SSH inspection profile

To block access specifically to download.com while allowing other sites in the "Freeware and Software Downloads" category, you can create a separate firewall policy with a deny action specifically for the FQDN *.download.com. This approach allows blocking this particular site without affecting the other sites in the same category. Alternatively, configuring a static URL filter entry with the type set to Wildcard and action set to Block will also achieve the desired effect by directly blocking the specific URL without impacting other sites in the category.

References:

FortiOS 7.4.1 Administration Guide: URL filter configuration

In the security profile, there are application overrides for specific Facebook-related features, such as "Facebook" and "Facebook_Video.Play." However, the absence of specific signatures for actions like "Facebook_Like.Button" might be preventing reactions. You need to ensure that the necessary application signatures for all desired Facebook features, including reactions (like buttons), are included in the security policy. Therefore, retrieving or adding those signatures would resolve the issue.

www.example.com

This syntax targets the main domain, which is a common way to configure a web rating override for the home page of a website.

example.com

This syntax also correctly targets the main domain without specifying a subdomain (like "www"), which is valid for configuring a web rating override for the entire site, including the home page.

The traffic from the user on Local-Client (10.0.1.10) pinging the IP address of Remote-FortiGate (10.200.3.1) will match the firewall policy with the service "PING traffic". According to the firewall policy:

Policy ID 6 is set for PING traffic and uses the NAT IP pool "SNAT-Remote1", which is defined as 10.200.1.99.

To retrieve AD user group information in agentless polling mode, the administrator must add an LDAP server to the FortiGate device​.

Based on the application sensor configuration and the filter details:

D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration: The "Excessive-Bandwidth" filter is set to block, which includes "FaceTime" under its application signature. As a result, FaceTime will be blocked regardless of the "Apple" filter configuration because the "Excessive-Bandwidth" filter takes precedence due to its block action setting.

The other options are not correct:

A. Apple FaceTime will be allowed, based on the Video/Audio category configuration: The Video/Audio category is not relevant because FaceTime is specifically included in the Excessive-Bandwidth filter, which blocks it.

B. Apple FaceTime will be allowed, based on the Apple filter configuration: Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this.

C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow: The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail.

References

FortiOS 7.4.1 Administration Guide - Application Control and Filtering, page 978.

FortiOS 7.4.1 Administration Guide - Application Sensor Configuration, page 982.

The "d-wan" zone in FortiGate SD-WAN configuration is the default SD-WAN zone created when SD-WAN is enabled. This zone contains all the interfaces assigned to SD-WAN and is essential for the functionality of the SD-WAN feature. The "d-wan" zone cannot be deleted because it is required for SD-WAN operations. Option A is incorrect because the underlay zone does not contain port1. Options B and D are incorrect because they incorrectly describe the configuration of zones.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Zone Configuration

For a high-latency internet connection, the SSL VPN setting that should be adjusted is:

C. SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.

The other options are not suitable:

A. SSL VPN idle-timeout: This setting controls the idle time allowed before a session is terminated, which is not relevant to the initial connection establishment.

B. SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.

D. SSL VPN session-ttl: This setting controls the total time-to-live for an SSL VPN session but does not directly address issues caused by high latency.

References

FortiOS 7.4.1 Administration Guide - SSL VPN Configuration, page 1415.