[2024年10月29日] FCP_FGT_AD-7.4問題集でFCP in Network Security合格確定させる練習問題集 [Q21-Q41]

Share

[2024年10月29日]Fast2test FCP_FGT_AD-7.4問題集でFCP in Network Security合格確定させる練習問題集

Fortinet FCP_FGT_AD-7.4実際にある問題とブレーン問題集

質問 # 21
Which timeout setting can be responsible for deleting SSL VPN associated sessions?

  • A. SSL VPN idle-timeout
  • B. SSL VPN dtls-hello-timeout
  • C. SSL VPN http-request-body-timeout
  • D. SSL VPN login-timeout

正解:A

解説:
SSL VPN idle-timeout
The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle- timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.
Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting on the GUI.


質問 # 22
When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.
Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate?
(Choose three.)

  • A. Allow & Warning
  • B. Trust & Allow
  • C. Allow
  • D. Block & Warning
  • E. Block

正解:A、B、E


質問 # 23
Refer to the exhibit to view the firewall policy.

Why would the firewall policy not block a well-known virus, for example eicar?

  • A. The firewall policy is not configured in proxy-based inspection mode.
  • B. The action on the firewall policy is not set to deny.
  • C. The firewall policy does not apply deep content inspection.
  • D. Web filter is not enabled on the firewall policy to complement the antivirus profile.

正解:C


質問 # 24
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

  • A. Operating mode
  • B. NGFW mode
  • C. System time
  • D. FortiGuard update servers

正解:A、B

解説:
C: Operating mode is per-VDOM setting. You can combine transparent mode VDOM's with NAT mode VDOMs on the same physical Fortigate.
D: Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM.
A and B are incorrect: The firmware on your Fortigate and some settings, such as system time, apply to the entire device-they are not specific to each VDOM.
NGFW mode is a per-VDOM setting.
Operation mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate.


質問 # 25
Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)

  • A. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
  • B. Main mode cannot be used for dialup VPNs, while aggressive mode can.
  • C. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
  • D. Aggressive mode supports XAuth, while main mode does not.

正解:A、C

解説:
The correct statements describing the differences between IPsec main mode and IPsec aggressive mode are:
A. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
In aggressive mode, the first packet contains identification information (such as the peer ID), whereas in main mode, the first packet does not contain such details, providing a higher level of security.
D. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
Main mode typically involves the exchange of six packets to establish the IPsec tunnel, whereas aggressive mode streamlines the process with a reduced exchange of three packets.
The other statements (B and C) are not accurate:
B is incorrect because main mode can be used for dialup VPNs, and it is commonly used in such scenarios.
C is incorrect because both aggressive mode and main mode support Extended Authentication (XAuth), and XAuth is not exclusive to aggressive mode.


質問 # 26
Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

  • A. The debug flow is for ICMP traffic.
  • B. A firewall policy allowed the connection.
  • C. A new traffic session was created.
  • D. The default route is required to receive a reply.

正解:A、C

解説:
ICMP proto = 1
New session
As protocol=1 thats why its ICMP.
Reference: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml


質問 # 27
An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

  • A. A session for denied traffic is created
  • B. The number of logs generated by denied traffic is reduced
  • C. Device detection on all interfaces is enforced for 30 minutes
  • D. Denied users are blocked for 30 minutes

正解:A、B

解説:
C: A session for denied traffic is created.
D: The number of logs generated by denied traffic is reduced.
During the session, if a security profile detects a violation, FortiGate records the attack log immediately.
To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.
This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for block sessions.
This determines how long a session will be kept in the session table by setting block-sessiontimer in the CLI. By default, it is set to 30 seconds.


質問 # 28
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session?

  • A. To allow for out-of-order packets that could arrive after the FIN/ACK packets.
  • B. To finish any inspection operations.
  • C. To remove the NAT operation.
  • D. To generate logs

正解:A

解説:
To allow for out-of-order packets that could arrive after the FIN/ACK packets.
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.
When a session is closed by both sides, FortiGate keeps it in the session table for a few seconds more, to allow any out-of-order packets that could arrive after the FIN/ACK packet. This is the state value. One of the reasons FortiGate keeps TCP sessions in the session table for several seconds, even after both sides have terminated the session, is indeed to allow for out-of-order packets that could arrive after the FIN/ACK packets. This helps in handling potential network delays and ensuring that all relevant packets are processed before fully closing the session.


質問 # 29
Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

  • A. The client FortiGate requires a manually added route to remote subnets.
  • B. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
  • C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
  • D. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.

正解:C、D

解説:
For SSL VPN to function correctly between two FortiGate devices, the following settings are required:
* B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate must have a Certificate Authority (CA) certificate installed to authenticate and verify the certificate presented by the client FortiGate device.
* C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate: The client FortiGate must have a client certificate that is signed by the same CA that the server FortiGate uses for verification. This ensures a secure SSL VPN connection between the two devices.
The other options are not directly necessary for establishing SSL VPN:
* A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: This is incorrect as SSL VPN does not require a specific tunnel interface type; it typically uses an SSL VPN client profile.
* D. The client FortiGate requires a manually added route to remote subnets: While routing may be necessary, it is not specifically required for the SSL VPN functionality between two FortiGates.
References
* FortiOS 7.4.1 Administration Guide - Configuring SSL VPN, page 1203.
* FortiOS 7.4.1 Administration Guide - SSL VPN Authentication, page 1210.


質問 # 30
Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)

  • A. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
  • B. Multiple interfaces can be selected as incoming and outgoing interfaces.
  • C. Only the "any" interface can be chosen as an incoming interface.
  • D. A zone can be chosen as the outgoing interface.

正解:B、D

解説:
C. Multiple interfaces can be selected as incoming and outgoing interfaces.
This statement is correct. You can specify multiple interfaces as both incoming and outgoing interfaces in a firewall policy.
D. A zone can be chosen as the outgoing interface.
This statement is correct as well. In FortiGate firewalls, you can choose a zone as the outgoing interface in a firewall policy, providing a convenient way to apply policies to multiple physical or logical interfaces grouped under the same zone.
So, the correct choices are C and D.


質問 # 31
Refer to the exhibit.


The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP
10.0.1.10 to the destination http:// www.fortinet.com? (Choose three.)

  • A. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.
  • B. If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.
  • C. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.
  • D. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.
  • E. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

正解:C、D、E

解説:
- Browser CAT2 & Local subnet & User B --> deny
- Browser CAT1 & Local subnet & User all --> accept Above exhibits only users from Chrome and IE are allowed.
Chrome and IE use the same system proxy setting. Proxy rule is accept for all users with these two browsers.
C: hit the 3rd rule.


質問 # 32
Which two configuration settings are global settings? (Choose two.)

  • A. Firewall policies
  • B. FortiGuard settings
  • C. User & Device settings
  • D. HA settings

正解:B、D

解説:
The two configuration settings that are global settings are:
C. HA settings - High Availability settings are typically configured globally to manage failover and redundancy.
D. FortiGuard settings - FortiGuard settings for security services and updates are also configured globally to ensure consistent protection across the network.
HA configuration overview. The purpose of an HA configuration is to reduce downtime when a zone or instance becomes unavailable. This might happen during a zonal outage, or when an instance runs out of memory. With HA, your data continues to be available to client applications.
FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system's built-in FDS as an FDN override server.


質問 # 33
Consider the topology:
Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server.
This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

  • A. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.
  • B. Create a new service object for TELNET and set the maximum session TTL.
  • C. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.
  • D. Set the maximum session TTL value for the TELNET service object.

正解:B、C

解説:
The key here is performing the task without affecting any of the other services.
C. Create a new service object for TELNET and set the maximum session TTL: By creating a new service object specifically for TELNET and setting the maximum session TTL, you can control the idle session timeout for Telnet connections established through the SSL VPN.
D. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy: Creating a new firewall policy and placing it above the existing SSLVPN policy allows you to apply the new TELNET service object with the modified session TTL, ensuring that the idle session timeout does not occur after 90 minutes.
- Not A - Changing the maximum TTL value for TELNET will affect every other policy that references the TELNET service
- Not B - Changing the session TTL on the SSLVPN policy will impact other services referenced in the policy.


質問 # 34
Which two statements are correct about NGFW Policy-based mode? (Choose two.)

  • A. NGFW policy-based mode can only be applied globally and not on individual VDOMs
  • B. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy
  • C. NGFW policy-based mode does not require the use of central source NAT policy
  • D. NGFW policy-based mode policies support only flow inspection

正解:B、D

解説:
C: NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.
In NGFW policy-based mode, you can define applications and web filtering categories directly within the firewall policy. This allows you to apply specific controls and restrictions based on the types of applications and content, offering a more granular approach to managing network traffic.
D: NGFW policy-based mode policies support only flow inspection.
In NGFW (Next-Generation Firewall) policy-based mode, the emphasis is on flow inspection. Flow inspection involves evaluating the traffic based on predefined rules and policies without deep packet inspection of the content. This mode is optimized for efficiently processing large volumes of traffic by analyzing the flow of data and making decisions based on factors such as source, destination, ports, and protocol.


質問 # 35
An administrator manages a FortiGate model that supports NTurbo.
How does NTurbo enhance performance for flow-based inspection?

  • A. NTurbo creates a special data path to redirect traffic between the IPS engine its ingress and egress interfaces.
  • B. NTurbo buffers the whole file and then sends it to the antivirus engine.
  • C. NTurbo offloads traffic to the content processor.
  • D. NTurbo creates two inspection sessions on the FortiGate device.

正解:C


質問 # 36
Refer to the exhibits.



The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)

  • A. Disable match-vip in the Deny policy.
  • B. Set the Destination address as Deny_IP in the Allow_access policy.
  • C. Enable match-vip in the Deny policy.
  • D. Set the Destination address as Webserver in the Deny policy.

正解:C、D


質問 # 37
Refer to the exhibits, which show the firewall policy and an antivirus profile configuration.

Why is the user unable to receive a block replacement message when downloading an infected file for the first time?

  • A. Flow-based inspection is used, which resets the last packet to the user.
  • B. The option to send files to FortiSandbox for inspection is enabled.
  • C. The intrusion prevention security profile must be enabled when using flow-based inspection mode.
  • D. The firewall policy performs a full content inspection on the file.

正解:A

解説:
In flow-based inspection mode, FortiGate sends a reset (RST) packet to the client instead of providing a replacement message, which causes the block message not to be displayed.


質問 # 38
Refer to the exhibit.

Which statement about this firewall policy list is true?

  • A. The Implicit group can include more than one deny firewall policy.
  • B. LAN to WAN. WAN to LAN. and Implicit are sequence grouping view lists.
  • C. The firewall policies are listed by ingress and egress interfaces pairing view.
  • D. The firewall policies are listed by ID sequence view.

正解:C

解説:
The firewall policy list in the exhibit is arranged in the "Interface Pair View," where policies are grouped by their incoming (ingress) and outgoing (egress) interface pairs. Each section (LAN to WAN, WAN to LAN, etc.) groups policies based on these interface pairings. This view helps administrators quickly identify which policies apply to specific traffic flows between network interfaces. Options A and D are incorrect because the Implicit group typically does not include more than one deny policy, and there is no "sequence grouping view" in FortiGate. Option B is incorrect as the list is not displayed strictly by ID sequence.
References:
* FortiOS 7.4.1 Administration Guide: Firewall Policy Views


質問 # 39
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Pre-shared key
  • B. Dialup user
  • C. Static IP address
  • D. Dynamic DNS

正解:B

解説:
In a scenario where the remote peer IP address is dynamic, and the remote peer does not support a dynamic DNS update service, the appropriate choice for configuring the remote gateway on FortiGate is:
B. Dialup user
Configuring the remote gateway as a dialup user allows flexibility for dynamic remote peer IP addresses without relying on dynamic DNS. Dialup user configurations are suitable for scenarios where the remote peer's IP address may change dynamically, and it is not possible to use a static IP address or dynamic DNS.
The peer IP is not static.
D cannot be correct as the remote peer has a dynamic address so this will not be known to the local side as it may change.
The same goes for dynamic.
PSK is not an option, the answer is B.


質問 # 40
Refer to the exhibits.



FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit.
What would be the expected outcome in the HA cluster?

  • A. The HA cluster will become out of sync because the override setting must match on all HA members.
  • B. FGT-1 will synchronize the override disable setting with FGT-2.
  • C. FGT-1 will remain the primary because FGT-2 has lower priority.
  • D. FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.

正解:D


質問 # 41
......

最新FCP_FGT_AD-7.4合格保証 試験問題集でには正確で最新な 問題:https://jp.fast2test.com/FCP_FGT_AD-7.4-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어