The safer , easier way to help you pass any IT exams. 1 / 22 Fortinet FCP_FGT_AD-7.6 Exam FCP - FortiGate 7.6 Administrator https://www.passquestion.com/fcp_fgt_ad-7-6.html 35% OFF on All, Including FCP_FGT_AD-7.6 Questions and Answers P ass Fortinet FCP_FGT_AD-7.6 Exam with PassQuestion FCP_FGT_AD-7.6 questions and answers in the first attempt. https://www.passquestion.com/ The safer , easier way to help you pass any IT exams. 2 / 22 1 Refer to the exhibit. Which route will be selected when trying to reach 10.20.30.254? A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0] B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0] C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0] D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0] Answer: A Explanation: The correct route to reach 10.20.30.254 would be: A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0] This route is more specific (10.20.30.0/24) compared to the other routes (10.20.30.0/26 and 10.30.20.0/24) and would therefore be selected as the best match. 2.Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.) A. Port block allocation B. Fixed port range C. One-to-one D. Overload Answer: A,B Explanation: The two IP pool types that are useful for carrier-grade NAT (CGNAT) deployments are: A. Port block allocation B. Fixed port range A. Port block allocation: In this method, a range of ports is allocated to each internal IP address. This allows multiple internal devices to share the same public IP address but use different port ranges, enabling more efficient use of IP addresses. B. Fixed port range: This method allocates a fixed range of ports to each internal IP address. It is similar to port block allocation but restricts the port range to a fixed set of ports for each internal IP address, which can be useful for certain applications or scenarios. Both port block allocation and fixed port range allocation are commonly used in CGNAT deployments to manage the mapping of internal private IP addresses to public IP addresses and ports, allowing for efficient use of limited IPv4 addresses. The safer , easier way to help you pass any IT exams. 3 / 22 3.What is eXtended Authentication (XAuth)? A. It is an IPsec extension that forces remote VPN users to authenticate using their local ID. B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password). C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared key. D. It is an IPsec extension that authenticates remote VPN peers using digital certificates. Answer: B Explanation: The correct answer is: B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password). eXtended Authentication (XAuth) is an IPsec extension that adds additional authentication for remote VPN users after the initial IPsec phase 1 and phase 2 negotiations. XAuth requires users to provide their credentials (username and password) in addition to the standard IPsec authentication, enhancing the security of the VPN connection. 4.What must you configure to enable proxy-based TCP session failover? A. You must configure ha-configuration-sync under configure system ha. B. You do not need to configure anything because all TCP sessions are automatically failed over. C. You must configure session-pickup-enable under configure system ha. D. You must configure session-pickup-connectionless enable under configure system ha. Answer: C Explanation: The correct answer is: C. You must configure session-pickup-enable under configure system ha. To enable proxy-based TCP session failover on a Fortinet FortiGate firewall, you must configure the session-pickup-enable setting under the high availability (HA) configuration. This setting allows the firewall to pick up and maintain TCP sessions after a failover event, ensuring continuity of service for established connections. 5.An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN. How can this be achieved? A. Assigning public IP addresses to SSL-VPN users B. Configuring web bookmarks C. Disabling split tunneling D. Using web-only mode Answer: C Explanation: The correct answer is: C. Disabling split tunneling Split tunneling allows VPN users to access both local and remote networks simultaneously. However, if you want to inspect all web traffic, including Internet traffic, coming from users connecting to the SSL-VPN, you should disable split tunneling. Disabling split tunneling forces all user traffic through the VPN tunnel, allowing you to inspect and control the traffic more effectively. The safer , easier way to help you pass any IT exams. 4 / 22 6.Which NAT method translates the source IP address in a packet to another IP address? A. DNAT B. SNAT C. VIP D. IPPOOL Answer: B Explanation: The correct answer is: B. SNAT SNAT (Source Network Address Translation), also known as MASQUERADE in iptables, translates the source IP address in a packet to another IP address. It is commonly used in scenarios where internal private IP addresses need to be translated to a single public IP address when accessing the Internet, for example. DNAT (Destination Network Address Translation) translates the destination IP address in a packet to another IP address. VIP (Virtual IP) is used to designate a single IP address that represents multiple servers for load balancing or high availability purposes. IPPOOL typically refers to a range of IP addresses that can be dynamically assigned to clients, such as in DHCP. 7.What is the common feature shared between IPv4 and SD-WAN ECMP algorithms? A. Both can be enabled at the same time. B. Both support volume algorithms. C. Both control ECMP algorithms. D. Both use the same physical interface load balancing settings. Answer: C Explanation: The correct answer is: C. Both control ECMP algorithms. In the context of SD-WAN (Software-Defined Wide Area Network), ECMP (Equal-Cost Multi-Path) algorithms are used to determine the path packets should take through the network. Both IPv4 and SD-WAN ECMP algorithms control how traffic is load-balanced across multiple paths to a destination. While IPv4 ECMP operates at the network layer (Layer 3) of the OSI model, SD-WAN ECMP operates at a higher level, typically involving application-aware routing and more advanced traffic steering capabilities. 8.Refer to the exhibit. The safer , easier way to help you pass any IT exams. 5 / 22 Which statement about the configuration settings is true? A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens. B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens. C. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens. D. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port. Answer: B Explanation: B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens. In this scenario, the remote user is accessing the FortiGate device using HTTPS (port 443), which is typically used for SSL-VPN access. Therefore, when accessing the device at that address and port, the SSL-VPN login page should open for the user to authenticate and establish a VPN connection. 9.What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode? A. It limits the scanning of application traffic to the browser-based technology category only. B. It limits the scanning of application traffic to the DNS protocol only. C. It limits the scanning of application traffic to use parent signatures only. D. It limits the scanning of application traffic to the application category only. Answer: A Explanation: A. It limits the scanning of application traffic to the browser-based technology category only. The safer , easier way to help you pass any IT exams. 6 / 22 You can configure the URL Category within the same security policy; however, adding a URL filter causes application control to scan applications in only the browser-based technology category, for example, Facebook Messenger on the Facebook website. 10.Refer to the exhibits. The safer , easier way to help you pass any IT exams. 7 / 22 The exhibits show the firewall policies and the objects used in the firewall policies. The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit. Which policy will be highlighted, based on the input criteria? A. Policy with ID 4. B. Policy with ID 5. C. Policies with ID 2 and 3. D. Policy with ID 1. Answer: B Explanation: Policy with ID 5. It's coming from port 3 - hits Facebook-Web (Application) from the screenshot it show that it allows http and https traffic (80, 443). There are 3 rules related to port3 and two rules source LOCAL_CLIENT this would leave us with Rule 1 & 5 Rule one Service is = ULL_UDP Rule five = Internet Services Destination port we are looking for is 443 (usually this is TCP) So it had to be PID5 We are looking for a policy that will allow or deny traffic from the source interface Port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to facebook.com TCP port 443 (HTTPS). There are only two policies that will match this traffic, policy ID 2 and 5. In FortiGate, firewall policies are evaluated from top to bottom. This means that the first policy that matches the traffic is applied, and subsequent policies are not evaluated. Based on the Policy Lookup criteria, Policy ID 5 will be highlighted. 11.FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added The safer , easier way to help you pass any IT exams. 8 / 22 to the same physical interface. In this scenario, what are two requirements for the VLAN ID? (Choose two.) A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet. B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs. C. The two VLAN subinterfaces must have different VLAN IDs. D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets. Answer: B,C Explanation: B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs. C. The two VLAN subinterfaces must have different VLAN IDs. https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VL AN/ta-p/192843?externalID=FD43883 Each interface (physical or VLAN) can belong to only one VDOM. Meaning that sub-interfaces (VLANs) from the same physical interface can have the same VLAN ID as long as they are not assign to the same VDOM. VLAN https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-int erface/ta-p/197640 * VLANs can be created on any physical or aggregate (802.3ad) interfaces - The same VLAN number cannot be configured twice on the same physical interface - The same VLAN number can be used on different physical interfaces - The usable VLAN ID range is from 1 to 4094 * VDOM interface assignment - Two VDOMs cannot share the same interface or VLAN - A VLAN sub-interface can belong to a different VDOM than the physical interface it is attached to. 12.An administrator has configured a strict RPF check on FortiGate. How does strict RPF check work? A. Strict RPF allows packets back to sources with all active routes. B. Strict RPF checks the best route back to the source using the incoming interface. C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface. D. Strict RPF check is run on the first sent and reply packet of any new session. Answer: B Explanation: B. Strict RPF checks the best route back to the source using the incoming interface. Strict: In this mode, Fortigate also verifies that the matching route is the best route in the routing table. That is, if the route in table contains a matching route for the source address and the incoming interface, but there is a better route for the source address through another interface the RPF check fails. The Strict Reverse Path Forwarding (RPF) check is a security feature that helps prevent source IP address spoofing. When enabled, the FortiGate unit checks the source IP address of each incoming packet and compares it to the routing table to ensure that the packet arrives on the expected interface. The safer , easier way to help you pass any IT exams. 9 / 22 Here's an explanation of the statement: B. Strict RPF checks the best route back to the source using the incoming interface. When the FortiGate unit receives a packet, it checks the source IP address and verifies that the packet arrives on the expected interface based on the routing table. The "best route back to the source" refers to the route in the routing table that would be used to send packets back to the source IP address. If the incoming interface matches the expected interface based on the routing table, the check passes. If not, the packet may be considered as potentially spoofed, and it might be dropped or subjected to further security measures. This strict RPF check helps in preventing IP address spoofing, which is a common technique used in various network attacks. Loose RPF checks for any route and Strict RPF check for best route 13.An administrator has configured the following settings: config system settings set ses-denied-traffic enable end config system global set block-session-timer 30 end What are the two results of this configuration? (Choose two.) A. Device detection on all interfaces is enforced for 30 seconds. B. Denied users are blocked for 30 seconds. C. The number of logs generated by denied traffic is reduced. D. A session for denied traffic is created. Answer: C,D Explanation: The timer config any way is by seconds. ses-denied-traffic Enable/disable including denied session in the session table. block-session-timer Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30). C. The number of logs generated by denied traffic is reduced. D. A session for denied traffic is created. During the session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation. This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-sessiontimer in the CLI. By default, it is set to 30 seconds. Reference and download study guide: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-int o-the/ta-p/195478 14.Refer to the exhibits. The safer , easier way to help you pass any IT exams. 10 / 22 The safer , easier way to help you pass any IT exams. 11 / 22 The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts. Which part of the policy configuration must you change to resolve the issue? A. Force access to Facebook using the HTTP service. B. Make the SSL inspection a deep content inspection. C. Add Facebook in the URL category in the security policy. D. Get the additional application signatures required to add to the security policy. Answer: B Explanation: Needs SSL full inspection. They can play video (tick) content hosted on Facebook, but they are unable to leave reactions on videos The safer , easier way to help you pass any IT exams. 12 / 22 or other types of posts. This indicate that the rule are partially working as they can watch video but can't react, i.e. liking the content. So, must be an issue with the SSL inspection rather then adding an app rule. The lock logo behind Facebook_like.Button indicates that SSL Deep Inspection is Required. All other Application Signatures Facebook and Facebook_Video.Play does not require SSL inspection. Hence that the users can play video content. If you look up the Application Signature for Facebook_like.Button it will say "Requires SSL Deep Inspection". FortiGate needs to perform full SSL inspection. Without full SSL inspection, FortiGate cannot inspect encrypted traffic. 15.Refer to the exhibits. An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object? A. Change the csf setting on ISFW (downstream) to set configuration-sync local. The safer , easier way to help you pass any IT exams. 13 / 22 B. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate. C. Change the csf setting on both devices to set downstream-access enable. D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default. Answer: C Explanation: C is correct because D is already set to default (Global CMDB objects will be synchronized in Security Fabric.) The root device has downstream access disabled, so it needs to be enabled to sync the object. downstream-access - Enable/disable downstream device access to this device's configuration and data. disable - Disable downstream device access to this device's configuration and data. The CLI command "set fabric-object-unification" is only available on the root FortiGate. 16.Refer to the exhibits. Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two results are correct? (Choose two.) A. FortiGate will start sending all files to FortiSandbox for inspection. B. FortiGate has entered conserve mode. C. Administrators cannot change the configuration. D. Administrators can access FortiGate only through the console port. Answer: B,C Explanation: What actions does FortiGate take to preserve memory while in conserve mode? • FortiGate does not accept configuration changes, because they might increase memory usage. • FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox. • You can configure the fail-open setting under config ips global to control how the IPS engine behaves The safer , easier way to help you pass any IT exams. 14 / 22 when the IPS socket buffer is full. Based on the system performance output, it appears that FortiGate has entered conserve mode and administrators cannot change the configuration. FortiGate has entered conserve mode: When FortiGate enters conserve mode, it reduces its operational capacity in order to conserve resources and improve performance. This may be necessary if the system is experiencing high levels of traffic or if there are issues with resource utilization. Administrators cannot change the configuration: When the system is in conserve mode, administrators may not be able to change the configuration. This is because the system is prioritizing resource conservation over other activities, and making changes to the configuration may require additional resources that are not available. It is important to note that FortiGate will not start sending all files to FortiSandbox for inspection, and administrators may still be able to access FortiGate through other means besides the console port. "If memory usage goes above the percentage of total RAM defined as the red threshold, FortiGate enters conserve mode." "FortiGate does not accept configuration changes, because they might increase memory usage." Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580 17.Refer to the exhibit showing a debug flow output. What two conclusions can you make from the debug flow output? (Choose two.) A. The debug flow is for ICMP traffic. B. The default route is required to receive a reply. C. A new traffic session was created. D. A firewall policy allowed the connection. Answer: A,C Explanation: ICMP proto = 1 New session As protocol=1 thats why its ICMP. Reference: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml 18.An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B? A. 192.168.2.0/24 B. 192.168.0.0/8 C. 192.168.1.0/24 The safer , easier way to help you pass any IT exams. 15 / 22 D. 192.168.3.0/24 Answer: A Explanation: A. 192.168.2.0/24 For the IPsec VPN between site A and site B, the local quick mode selector for site B should match the remote quick mode selector for site A, which is 192.168.2.0/24. Quick mode selectors need to be mirrored on both side, so the remote network on site A is the local network on site B. For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach the 192.168.2.0/24 subnet at site B. To complete the configuration, the administrator must configure the local quick mode selector for site B. To do this, the administrator must use the same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at site B to reach the 192.168.1.0/24 subnet at site A. Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24. 19.Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.) A. The client FortiGate requires a manually added route to remote subnets. B. The client FortiGate requires a client certificate signed by the CA on the server FortiGate. C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate. D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN. Answer: C,D Explanation: The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate. C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate: When setting up SSL VPN between two FortiGate devices, the server FortiGate needs a CA (Certificate Authority) certificate to verify the client FortiGate's certificate. This ensures that the client connecting to the VPN is authenticated and trusted. D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: For the SSL VPN to function, the client FortiGate needs to have the SSL VPN tunnel interface type configured. This interface type is specifically designed for SSL VPN connections, allowing the client FortiGate to establish the VPN tunnel with the server FortiGate. These two settings together ensure that the SSL VPN connection between the two FortiGate devices is properly authenticated and established, allowing secure communication between them. 20.Which statement correctly describes the use of reliable logging on FortiGate? A. Reliable logging is enabled by default in all configuration scenarios. B. Reliable logging is required to encrypt the transmission of logs. C. Reliable logging can be configured only using the CLI. The safer , easier way to help you pass any IT exams. 16 / 22 D. Reliable logging prevents the loss of logs when the local disk is full. Answer: B Explanation: Reliable logging prevents the loss of logs when the local disk is full. On a FortiGate device, reliable logging is a feature that helps to prevent the loss of log messages when the local disk is full. When reliable logging is enabled, the FortiGate will store log messages in a buffer until they can be written to the local disk. This helps to ensure that log messages are not lost due to a full disk, allowing administrators to maintain an accurate record of activity on the network. Reliable logging is not enabled by default in all configuration scenarios, and it does not encrypt the transmission of logs or require the use of the CLI to be configured. However, it is a useful feature to enable in order to maintain a comprehensive record of activity on the network and help with troubleshooting and security analysis. Reliable logging on FortiGate is used to prevent the loss of logs when the connection between FortiOS and FortiAnalyzer is disrupted. When reliable mode is enabled, logs are cached in a FortiOS memory queue. FortiOS sends logs to FortiAnalyzer, and FortiAnalyzer uses seq_no to track received logs. The other statements are incorrect: Reliable logging is not enabled by default in all configuration scenarios. It must be enabled explicitly. Reliable logging is not required to encrypt the transmission of logs. Encryption can be configured separately. Reliable logging can be configured using the CLI or the FortiGate web interface. The question is asking what describes the correct use meaning what is the main function of reliable logging wouldn't that be preventing loss of logs since disk is full by sending to Analyzer making D the correct answer. The question is asking what describes the correct use meaning what is the main function of reliable logging wouldn't that be preventing loss of logs since disk is full by sending to Analyzer making D the correct answer. You can encrypt the logs if you are sending your logs to cloud, but the main purpose of reliable logging is to make sure that all the logs you send are been received by the server. You can encrypt the traffic, but it does not require, the most specific option is D. 21.Refer to the exhibits. The safer , easier way to help you pass any IT exams. 17 / 22 The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. The first firewall policy has NAT enabled using IP pool. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with The safer , easier way to help you pass any IT exams. 18 / 22 the IP address 10.0.1.10? A. 10.200.1.1 B. 10.0.1.254 C. 10.200.1.10 D. 10.200.1.100 Answer: D Explanation: From LAN to WAN, the Source NAT will use the IPPOOL with address configured 10.200.1.100 Destination NAT, from WAN to LAN, will use the VIP The question says SNAT, so the only correct answer here (looking at the IP Pool) is D. (Step 2): FortiGate uses as NAT IP the external IP address defined in the VIP when performing SNAT on all egress traffic sourced from the mapped address in the VIP, provided the matching firewall policy has NAT enabled. Note that you can override the behavior described in step 2 by using an IP pool. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529 22.Refer to the exhibit. The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router. When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output. Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue? A. Configure a loopback interface with address 203.0.113.2/32. B. In the VIP configuration, enable arp-reply. C. Enable port forwarding on the server to map the external service port to the internal service port. D. In the firewall policy configuration, enable match-vip. Answer: B The safer , easier way to help you pass any IT exams. 19 / 22 Explanation: In the routing table of the ISP we can see that the route is C (connected) which means that if there is no ARP entry, traffic will be dropped by the ISP, and this is why there is no packets in the forti sniffer. The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing properly set. You can also enable ARP reply on the VPN (enabled by default, here disabled) to facilitate routing on the upstream network. Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you. For this reason, it ’ s a best practice to keep ARP reply enabled. 23.Which two statements are true about the FGCP protocol? (Choose two.) A. FGCP elects the primary FortiGate device. B. FGCP is not used when FortiGate is in transparent mode. C. FGCP runs only over the heartbeat links. D. FGCP is used to discover FortiGate devices in different HA groups. Answer: A,C Explanation: A. FGCP elects the primary FortiGate device. C. FGCP runs only over the heartbeat links. The FGCP (FortiGate Clustering Protocol) is a protocol that is used to manage high availability (HA) clusters of FortiGate devices. It performs several functions, including the following: FGCP elects the primary FortiGate device: In an HA cluster, FGCP is used to determine which FortiGate device will be the primary device, responsible for handling traffic and making decisions about what to allow or block. FGCP uses a variety of factors, such as the device's priority, to determine which device should be the primary. FGCP runs only over the heartbeat links: FGCP communicates between FortiGate devices in the HA cluster using the heartbeat links. These are dedicated links that are used to exchange status and control information between the devices. FGCP does not run over other types of links, such as data links. FortiGate HA uses the Fortinet-proprietary FortiGate Clustering Protocol (FGCP) to discover members, elect the primary FortiGate, synchronize data among members, and monitor the health of members. To discover and monitor members, the members broadcast heartbeat packets over all configured heartbeat interfaces. 24.A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.) A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel. The safer , easier way to help you pass any IT exams. 20 / 22 B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels. D. Enable Dead Peer Detection. Answer: B,D Explanation: To set up redundant IPsec VPN tunnels on FortiGate and meet the specified requirements, the administrator should make the following key configuration changes: B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. By configuring a lower administrative distance for the static route of the primary tunnel, the FortiGate will prefer this route when both tunnels are up. If the primary tunnel goes down, the higher administrative distance on the static route for the secondary tunnel will cause the FortiGate to use the secondary tunnel. D. Enable Dead Peer Detection. Dead Peer Detection (DPD) should be enabled to detect the status of the VPN tunnels. If the FortiGate detects that the primary tunnel is no longer responsive (dead), it can trigger the failover to the secondary tunnel, ensuring a faster tunnel failover. So, the correct choices are B and D. 25.What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.) A. FortiGate uses fewer resources. B. FortiGate performs a more exhaustive inspection on traffic. C. FortiGate adds less latency to traffic. D. FortiGate allocates two sessions per connection. Answer: A,C Explanation: A. FortiGate uses fewer resources. C. FortiGate adds less latency to traffic. Flow-based inspection is a type of traffic inspection that is used by some firewall devices, including FortiGate, to analyze network traffic. It is designed to be more efficient and less resource-intensive than proxy-based inspection, and it offers several benefits over this approach. Two benefits of flow-based inspection compared to proxy-based inspection are: FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based inspection, which can help to improve the performance of the firewall device and reduce the impact on overall system performance. FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based inspection, which can be important for real-time applications or other types of traffic that require low latency. A. Fewer resources since it does not need to keep much in memory. C. Samples traffic while it goes by, and only does makes allow or deny decision with the last package. So client does not have to wait on FortiGate to scan the bulk of the packtets. 26.FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.