[2025年07月25日]FCP_FGT_AD-7.4試験問題集PDF正確率保証と更新された問題
合格させるFCP_FGT_AD-7.4試験にはリアルテストエンジンPDFには91問題あります
Fortinet FCP_FGT_AD-7.4 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
質問 # 12
Which three methods are used by the collector agent for AD polling? (Choose three.)
- A. FortiGate polling
- B. WMI
- C. FSSO REST API
- D. WinSecLog
- E. NetAPI
正解:B、D、E
解説:
The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information:
WinSecLog: Monitors Windows Security Event Logs for login events.
WMI: Uses Windows Management Instrumentation to poll user login sessions.
NetAPI: Utilizes the Netlogon API to query domain controllers for user session data.
These methods allow the FortiGate to gather user logon information and enforce user-based policies effectively.
Reference:
FortiOS 7.4.1 Administration Guide: FSSO Configuration
質問 # 13
Refer to the exhibit, which contains a radius server configuration.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What will be the impact of using Include in every user group option in a RADIUS configuration?
- A. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
- B. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
- C. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
- D. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
正解:C
解説:
The Include in every User Group option adds the RADIUS server and all users that can authenticate against it, to every user group created on FortiGate. So, you should enable this option only in very specific scenarios (for example, when only administrators can authenticate against the RADIUS server and policies are ordered from least restrictive to most restrictive).
質問 # 14
Which scanning technique on FortiGate can be enabled only on the CLI?
- A. Antivirus scan
- B. Ransomware scan
- C. Trojan scan
- D. Machine learning (AI) scan
正解:D
解説:
The scanning technique on FortiGate that can be enabled only on the CLI (Command Line Interface) is:
A. Machine learning (AI) scan
While most scanning techniques on FortiGate can be configured through the GUI (Graphical User Interface) or CLI, the machine learning (AI) scan is a feature that can only be enabled and configured using the CLI.
The AI scan is an optional feature that must be enabled in the CLI. You can configure the action for the AI scan to enable, monitor, or disable using the CLI command in the antivirus settings.
質問 # 15
Refer to the exhibit.
Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)
- A. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
- B. port1 is a native VLAN.
- C. Traffic between port2 and port2-vlan1 is allowed by default.
- D. port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
正解:B、D
解説:
C: port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
D: port1 is a native VLAN.
Incorrect:
A: Traffic between port2 and port2-vlan1 is allowed by default.
B: port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
質問 # 16
Refer to the exhibit.
Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?
- A. All traffic from a source IP is sent to the same interface
- B. Traffic is distributed based on the number of sessions through each interface.
- C. All traffic from a source IP to a destination IP is sent to the same interface.
- D. Traffic is sent to the link with the lowest latency.
正解:C
解説:
For traffic that does not match any of the defined SD-WAN rules, the default implicit SD-WAN rule is applied. By default, the FortiGate uses a "source-destination IP-based" algorithm, which means all traffic from a specific source IP to a specific destination IP is sent through the same interface. This ensures that a consistent path is used for traffic between the same source and destination IP addresses. Options B, C, and D do not apply because the default algorithm does not prioritize by latency, session count, or source IP alone.
References:
* FortiOS 7.4.1 Administration Guide: SD-WAN Load Balancing Algorithms
質問 # 17
A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors.
What is the reason for the certificate warning errors?
- A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.
- B. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.
- C. The browser does not recognize the certificate in use as signed by a trusted CA.
- D. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
正解:C
解説:
The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.
References:
* FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration
質問 # 18
Refer to the exhibits, which show the system performance output and the default configuration of high memory usage thresholds in a FortiGate.

Based on the system performance output, what can be the two possible outcomes? (Choose two.)
- A. Administrators can access FortiGate onlythrough the console port.
- B. Administrators cannot change the configuration.
- C. FortiGate will start sending all files to FortiSandbox for inspection.
- D. FortiGate has entered conserve mode.
正解:A、D
解説:
Based on the system performance output provided, the memory usage on the FortiGate device is at 90%, which is above the green threshold (82%) but below the red threshold (88%). Given this high memory usage, the FortiGate device will enter "conserve mode" to prevent further resource exhaustion. In conserve mode:
* B. FortiGate has entered conserve mode: When the memory usage reaches or exceeds certain thresholds (in this case, the green and red thresholds), the FortiGate enters conserve mode to protect itself from running out of memory entirely. This mode limits some functionalities to reduce memory usage and avoid a potential system crash.
* D. Administrators can access FortiGate only through the console port: During conserve mode, administrative access might be restricted, and administrators may only be able to connect to the device via the console port. This restriction is in place to ensure that the FortiGate can be managed directly, even under low resource conditions.
The other options are not correct:
* A. FortiGate will start sending all files to FortiSandbox for inspection: This is unrelated to memory usage and conserve mode.
* C. Administrators cannot change the configuration: While access may be limited, configuration changes can still be made via the console port.
References
* FortiOS 7.4.1 Administration Guide - Monitoring System Resources and Performance, page 325.
* FortiOS 7.4.1 Administration Guide - Conserve Mode, page 330.
質問 # 19
To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?
- A. FortiAnalyzer
- B. Root FortiGate
- C. Downstream FortiGate
- D. FortiManager
正解:A
解説:
The correct answer is C. FortiAnalyzer.
Explanation:
In a Security Fabric configuration, after the devices are added to the Security Fabric, the final step is to authorize these devices. This authorization process is typically done through FortiAnalyzer, which manages and controls the Security Fabric. FortiAnalyzer allows administrators to centrally manage and monitor the Security Fabric, including authorizing devices to participate in the Security Fabric.
All devices must be authorized on the root Fortigate, and then after this step all must be authorized on the FortiAnalyzer.
質問 # 20
Refer to the exhibit.

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP
10.0.1.10 to the destination http:// www.fortinet.com? (Choose three.)
- A. If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.
- B. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.
- C. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.
- D. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.
- E. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.
正解:B、D、E
解説:
- Browser CAT2 & Local subnet & User B --> deny
- Browser CAT1 & Local subnet & User all --> accept Above exhibits only users from Chrome and IE are allowed.
Chrome and IE use the same system proxy setting. Proxy rule is accept for all users with these two browsers.
C: hit the 3rd rule.
質問 # 21
Refer to the exhibits.

The exhibits show the application sensor configuration and theExcessive-BandwidthandApplefilter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
- A. Apple FaceTime will be allowed, based on the Apple filter configuration.
- B. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
- C. Apple FaceTime will be allowed, based on the Video/Audio category configuration.
- D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
正解:D
質問 # 22
Which two statements are correct about a software switch on FortiGate? (Choose two.)
- A. It can group only physical interfaces
- B. All interfaces in the software switch share the same IP address
- C. Can act as a Layer 2 switch as well as a Layer 3 router
- D. It can be configured only when FortiGate is operating in NAT mode
正解:B、D
解説:
A is correct: "Only supported in NAT mode"
C is correct: "The interfaces share the same IP address and belong to the same broadcast domain.
Incorrect options:
B is incorrect: "Acts Like a traditional Layer 2 switch".
D is incorrect: "Can group multiple physical and wireless interfaces into a single virtual switch Interface" Can group physical and wireless.
Only works on NAT mode.
Acts like traditional layer 3 switch.
Interfaces share same IP and broadcast domain.
質問 # 23
Refer to the exhibit, which shows a partial configuration from the remote authentication server.
Why does the FortiGate administrator need this configuration?
- A. To authenticate Any FortiGate user groups.
- B. To authenticate only the Training user group.
- C. To authenticate and match the Training OU on the RADIUS server.
- D. To set up a RADIUS server Secret
正解:C
解説:
The configuration shown in the exhibit indicates that the FortiGate is using a Fortinet-specific RADIUS attribute (Fortinet-Group-Name) with the value "Training." This setup allows the FortiGate to authenticate users against the RADIUS server and match them to the "Training" Organizational Unit (OU). By doing so, only users within this specific group or OU can be authenticated and allowed access through the FortiGate.
References:
* FortiOS 7.4.1 Administration Guide: RADIUS Server Configuration
質問 # 24
Refer to the exhibits.


The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)
- A. Set the Destination address as Deny_IP in the Allow_access policy.
- B. Disable match-vip in the Deny policy.
- C. Enable match-vip in the Deny policy.
- D. Set the Destination address as Webserver in the Deny policy.
正解:C、D
解説:
To deny access to the web server for Remote-User2 while allowing Remote-User1 to access the same web server, two configuration changes can be made:
Enable match-vip in the Deny policy:
By enabling the match-vip option in the Deny policy, the FortiGate will check for virtual IP (VIP) objects during policy matching. This setting allows the firewall policy to correctly identify and block traffic directed to a specific mapped IP address, such as the web server, when using a VIP configuration.
Set the Destination address as Webserver in the Deny policy:
Setting the Destination address to "Webserver" in the Deny policy ensures that the policy specifically targets traffic attempting to reach the web server. This configuration helps to precisely control which traffic should be blocked, focusing the Deny policy on the intended destination.
Reference:
FortiOS 7.4.1 Administration Guide: Deny matching with a policy with a virtual IP applied FortiOS 7.4.1 Administration Guide: Configuring Policies with VIPs
質問 # 25
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?
- A. It uses UDP 53.
- B. It uses DNS over HTTPS.
- C. It uses UDP 8888.
- D. It uses DNS over TLS.
正解:D
解説:
By default, DNS queries to FortiGuard servers use UDP port 53.
When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic. New FortiGuard DNS servers have been added as primary and secondary servers.
質問 # 26
Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled?
- A. Source-destination IP based
- B. Volume based
- C. Weight based
- D. Source IP based
正解:B
解説:
Volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD- WAN is enabled.
What is load balancing method?
Load balancing means are regarded as a form of an algorithms or method that is used to rightly share an incoming server request or traffic in the midst or among servers that is from the server pool.
Note that Volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled as that is its role.
質問 # 27
Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
- A. System time
- B. FortiGuard update servers
- C. NGFW mode
- D. Operating mode
正解:C、D
解説:
C: Operating mode is per-VDOM setting. You can combine transparent mode VDOM's with NAT mode VDOMs on the same physical Fortigate.
D: Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM.
A and B are incorrect: The firmware on your Fortigate and some settings, such as system time, apply to the entire device-they are not specific to each VDOM.
NGFW mode is a per-VDOM setting.
Operation mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate.
質問 # 28
......
最新をゲットせよ!FCP_FGT_AD-7.4認定練習テスト問題試験問題集:https://jp.fast2test.com/FCP_FGT_AD-7.4-premium-file.html