PassLeader just published the newest Fortinet FCP_FGT_AD-7.6 exam dumps. PassLeader offers two types of FCP_FGT_AD-7.6 dumps, VCE and PDF; both contain the newest FCP_FGT_AD-7.6 exam questions and will help you pass the Fortinet FCP_FGT_AD-7.6 exam. Get the newest FCP_FGT_AD-7.6 dumps in VCE and PDF from PassLeader: https://www.passleader.com/fcp-fgt-ad-7-6.html (99 Q&As Dumps)
What's more, part of the PassLeader FCP_FGT_AD-7.6 dumps is now free: https://drive.google.com/drive/folders/1l2Xp4fmvZPw4KvHCmy14sKNV0J5qfpAW
NEW QUESTION 71
Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
A.    The host field in the HTTP header.
B.    The server name indication (SNI) extension in the client hello message.
C.    The subject alternative name (SAN) field in the server certificate.
D.    The subject field in the server certificate.
E.    The serial number in the server certificate.
Answer: BCD
Explanation:
When SSL certificate inspection is enabled on a FortiGate device, the system uses the following three pieces of information to identify the hostname of the SSL server:
– Server Name Indication (SNI) extension in the client hello message (option B): the SNI is an extension in the client hello message of the SSL/TLS protocol. It indicates the hostname the client is attempting to connect to. This allows FortiGate to identify the server’s hostname during the SSL handshake.
– Subject Alternative Name (SAN) field in the server certificate (option C): the SAN field in the server certificate lists additional hostnames or IP addresses that the certificate is valid for. FortiGate inspects this field to confirm the identity of the server.
– Subject field in the server certificate (option D): the Subject field contains the primary hostname or domain name for which the certificate was issued. FortiGate uses this information to match and validate the server’s identity during SSL certificate inspection.
NEW QUESTION 72
Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)
A.    Lowest Cost (SLA) without load balancing.
B.    Manual with load balancing.
C.    Lowest Quality (SLA) with load balancing.
D.    Lowest Cost (SLA) with load balancing.
E.    Best Quality with load balancing.
Answer: ADE
Explanation:
– Lowest Cost (SLA) without load balancing: this is a valid strategy, selecting the path with the lowest cost that meets SLA requirements.
– Lowest Cost (SLA) with load balancing: also valid; it distributes sessions across the lowest-cost links that satisfy the SLA.
– Best Quality with load balancing: valid; it chooses the best-performing link based on SLA metrics such as latency, jitter, and packet loss, while also distributing sessions.
NEW QUESTION 73
What are two characteristics of HA cluster heartbeat IP addresses in a FortiGate device? (Choose two.)
A.    Heartbeat interfaces have virtual IP addresses that are manually assigned.
B.    Heartbeat IP addresses are used to distinguish between cluster members.
C.    The heartbeat interface of the primary device in the cluster is always assigned IP address 169.254.0.1.
D.    A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster.
Answer: BD
Explanation:
– Heartbeat IP addresses are used to distinguish between cluster members: each FortiGate in the HA cluster uses unique heartbeat IPs so members can identify one another.
– A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster: heartbeat IPs are dynamically reassigned when the cluster membership changes to maintain proper communication.
NEW QUESTION 74
You are encountering connectivity problems caused by intermediate devices blocking IPsec traffic. In which two ways can you effectively resolve the problem? (Choose two.)
A.    You should use the protocol IKEv2.
B.    You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
C.    You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
D.    You can turn on fragmentation to fix large certificate negotiation problems.
Answer: BD
NEW QUESTION 75
When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate. Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)
A.    Allow
B.    Trust & Allow
C.    Allow & Warning
D.    Block
E.    Block & Warning
Answer: ACD
Explanation:
When FortiGate performs SSL/SSH full inspection, it can be configured to take one of several actions upon detecting an invalid certificate:
– Allow: lets the traffic through without restriction.
– Allow & Warning: permits the traffic but warns the user about the certificate issue.
– Block: denies the traffic outright to prevent insecure connections.
NEW QUESTION 76
You want to ensure that an SSL VPN user’s authenticated session does not remain active after they disconnect from the VPN. Which configuration will ensure this?
A.    Configure the firewall authentication session timeout to be lower than the SSL VPN session timeout.
B.    Manually clear active firewall authentication sessions after a user disconnects.
C.    Increase the SSL VPN idle timeout to reduce the chance of early disconnections.
D.    Enable settings to force the firewall authentication session to end when the SSL VPN session ends.
Answer: D
Explanation:
To ensure that an authenticated SSL VPN user session does not persist after disconnecting, you must enable the setting that forces the firewall authentication session to end when the SSL VPN session ends. This ensures that once the VPN disconnects, the associated firewall authentication state is immediately cleared, preventing unintended access.
NEW QUESTION 77
An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled. However, the static route is not showing in the routing table. Which two statements about this scenario are correct? (Choose two.)
A.    The administrator must enable a dynamic routing protocol on the dialup interface.
B.    The administrator must use a policy route instead of a static route for add-route to work properly.
C.    The administrator must ensure phase 2 is successfully established.
D.    The administrator must define the remote network correctly in the phase 2 selectors.
Answer: CD
Explanation:
– The administrator must ensure phase 2 is successfully established: the static route for the dialup VPN is only added after Phase 2 negotiation completes successfully.
– The administrator must define the remote network correctly in the phase 2 selectors: the add-route feature installs a route based on the Phase 2 selectors; if they are incorrect, no route will appear in the routing table.
NEW QUESTION 78
An administrator configured a FortiGate device to act as a collector for agentless polling mode. What must the administrator add to the FortiGate device to retrieve AD user group information?
A.    TACACS server.
B.    LDAP server.
C.    RADIUS server.
D.    Keycloak server.
Answer: B
Explanation:
In agentless polling mode, FortiGate directly queries Active Directory to obtain user and group information. To do this, the administrator must configure an LDAP server on the FortiGate, which allows it to retrieve user group membership details from AD.
NEW QUESTION 79
What are two features of FortiGate FSSO agentless polling mode? (Choose two.)
A.    FortiGate directs the collector agent to use a remote LDAP server.
B.    FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
C.    FortiGate does not support workstation check.
D.    FortiGate uses the AD server as the collector agent.
Answer: BD
Explanation:
– FortiGate uses the SMB protocol to read the event viewer logs from the DCs: in agentless polling mode, FortiGate connects directly to the AD domain controllers using SMB to collect logon events.
– FortiGate uses the AD server as the collector agent: there is no external FSSO collector; instead, the FortiGate itself polls the AD servers, effectively treating them as the source of logon information.
NEW QUESTION 80
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?
A.    The browser does not trust the certificate used by FortiGate for SSL inspection.
B.    The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile.
C.    The matching firewall policy is set to proxy inspection mode.
D.    The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
Answer: A
Explanation:
When full SSL inspection is enabled, FortiGate decrypts and re-signs HTTPS traffic using its own SSL inspection certificate. If the FortiGate CA certificate is not imported and trusted by the client’s browser or OS, the browser sees it as untrusted and displays certificate warning errors. HTTP traffic is unaffected since it does not use certificates.
NEW QUESTION 81
An administrator wants to form an HA cluster using the FGCP protocol. Which two requirements must the administrator ensure both members fulfill? (Choose two.)
A.    They must have the same HA group ID.
B.    They must have the heartbeat interfaces in the same subnet.
C.    They must have the same number of configured VDOMs.
D.    They must have the same hard drive configuration.
Answer: AC
Explanation:
– They must have the same HA group ID: both FortiGate units must use the same HA group ID to join the same FGCP cluster.
– They must have the same number of configured VDOMs: VDOM configurations must match across cluster members to ensure configuration and state synchronization.
NEW QUESTION 82
FortiGate is integrated with FortiAnalyzer and FortiManager. When creating a firewall policy, which attribute must an administrator include to enhance functionality and enable log recording on FortiAnalyzer and FortiManager?
A.    Policy ID
B.    Log ID
C.    Universally Unique Identifier
D.    Sequence ID
Answer: C
Explanation:
FortiGate uses a Universally Unique Identifier (UUID) for each firewall policy. This UUID is synchronized with FortiAnalyzer and FortiManager, allowing them to reliably identify the policy even if the policy ID or sequence changes. This ensures consistent log recording and enhanced functionality across integrated devices.
NEW QUESTION 83
An administrator manages a FortiGate model that supports NTurbo. How does NTurbo acceleration enhance antivirus performance?
A.    For proxy-based inspection, NTurbo offloads traffic to the content processor.
B.    For flow-based inspection, NTurbo establishes a dedicated data path to redirect traffic between the IPS engine and FortiGate ingress and egress interfaces.
C.    For proxy-based inspection, NTurbo buffers the whole file and then sends it to the antivirus engine.
D.    For flow-based inspection, NTurbo creates two inspection sessions on the FortiGate device.
Answer: B
Explanation:
With flow-based inspection, NTurbo improves antivirus performance by establishing a dedicated fast data path that redirects traffic between the IPS engine and the FortiGate ingress/egress interfaces. This reduces CPU overhead, allowing antivirus scanning to happen at higher throughput without requiring full proxy-based buffering.
NEW QUESTION 84
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?
A.    It uses DNS over TLS.
B.    It uses DNS over HTTPS.
C.    It uses UDP 8888.
D.    It uses UDP 53.
Answer: D
Explanation:
When FortiGuard servers are configured as DNS servers on FortiGate with default settings, the DNS queries are sent using the standard DNS protocol over UDP port 53.
NEW QUESTION 85
What are two features of collector agent advanced mode? (Choose two.)
A.    Advanced mode supports nested or inherited groups.
B.    In advanced mode, security profiles can be applied only to user groups, not individual users.
C.    In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
D.    Advanced mode uses the Windows convention – NetBIOS: Domain\Username.
Answer: AC
Explanation:
Advanced mode supports nested or inherited groups, allowing FortiGate to recognize users that belong to subgroups within AD. In advanced mode, FortiGate can be configured as an LDAP client and apply group filters, giving more granular control over user authentication and authorization.
NEW QUESTION 86
An administrator needs to analyze and resolve port conflicts between SSL VPN and HTTPS administrative access on the same interface. In which two ways can this be done? (Choose two.)
A.    Disable SSL VPN if HTTPS administrative access is using port 443 on any interface.
B.    Keep port 443 for both SSL VPN and HTTPS administrative access on the same interface without any problems.
C.    Run SSL VPN on one interface using port 443 and enable HTTPS administrative access on a different interface, also using port 443.
D.    Change the port number for either the SSL VPN service or the HTTPS administrative service if both are on the same interface.
Answer: CD
Explanation:
You can keep port 443 for SSL VPN on one interface and also use port 443 for HTTPS admin access on a different interface. Since the services are bound to different interfaces, no conflict occurs. If both SSL VPN and HTTPS admin access are required on the same interface, you must change the port number for one of the services to avoid a port conflict.
NEW QUESTION 87
Which two statements about the Security Fabric rating are true? (Choose two.)
A.    A license is required to obtain an executive summary in the Security Rating section.
B.    The root FortiGate provides executive summaries of all the FortiGate devices in the Security Fabric.
C.    The Security Posture category provides PCI compliance results.
D.    Security Rating Insights are available only in the Security Rating page.
Answer: AB
Explanation:
– A license is required to obtain an executive summary in the Security Rating section: without the license, only limited Security Fabric rating details are shown.
– The root FortiGate aggregates and provides executive summaries for all FortiGate devices in the Security Fabric, giving a consolidated security posture overview.
NEW QUESTION 88
A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal. Which SSL timer can you use to mitigate a denial of service (DoS) attack?
A.    SSL VPN http-request-header-timeout
B.    SSL VPN dtls-hello-timeout
C.    SSL VPN login-timeout
D.    SSL VPN idle-timeout
Answer: A
Explanation:
The SSL VPN http-request-header-timeout defines how long FortiGate waits to receive the full HTTP request header from a client. Reducing this timer helps mitigate slow HTTP DoS attacks (such as Slowloris) on the SSL VPN portal by preventing malicious clients from holding connections open for too long without completing requests.
NEW QUESTION 89
You are encountering connectivity problems caused by intermediate devices blocking IPsec traffic. In which two ways can you effectively resolve the problem? (Choose two.)
A.    You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
B.    You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
C.    You can turn on fragmentation to fix large certificate negotiation problems.
D.    You should use the protocol IKEv2.
Answer: AD
Explanation:
– Using SSL VPN tunnel mode avoids issues with blocked ESP (IP protocol 50) and UDP ports (500/4500), since SSL VPN uses HTTPS (TCP 443), which is usually allowed.
– Switching to IKEv2 helps with NAT traversal and firewall compatibility because it supports UDP encapsulation on port 4500 and is more robust than IKEv1.
NEW QUESTION 90
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
A.    In the phase1-interface, enable npu-offload to detect a dead tunnel.
B.    Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
C.    Enable Dead Peer Detection.
D.    Use the VPN wizard to create an IPsec template for a redundant IPsec VPN tunnel.
Answer: BC
Explanation:
– Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel: this ensures that the primary tunnel is always preferred, and the secondary is only used when the primary route is unavailable.
– Enable Dead Peer Detection: DPD allows FortiGate to quickly detect when the primary tunnel is down, enabling faster failover to the backup tunnel.