Updated Dec-2025 Exam Engine for FCP_FGT_AD-7.4 Exam Free Demo & 365 Day Updates
Exam Passing Guarantee FCP_FGT_AD-7.4 Exam with Accurate Quastions!
NEW QUESTION # 25
Which two inspection modes can you use to configure a firewall policy on a profile-based next- generation firewall (NGFW)? (Choose two.)
- A. Proxy-based inspection
- B. Flow-based inspection
- C. Certificate inspection
- D. Full Content inspection
Answer: A,B
Explanation:
The two inspection modes that you can use to configure a firewall policy on a profile-based next- generation firewall (NGFW) are:
A. Proxy-based inspection
Proxy-based inspection involves buffering and inspecting the entire content of the traffic before allowing it through. It offers in-depth content analysis.
C. Flow-based inspection
Flow-based inspection involves inspecting the traffic based on predefined signatures and patterns without buffering the entire content. It optimizes performance compared to proxy-based inspection.
So, the correct choices are A and C.
Profile based - Flow or proxy based.
Policy based - flow only.
NEW QUESTION # 26
Which statement about the IP authentication header (AH) used by IPsec is true?
- A. AH does not support perfect forward secrecy.
- B. AH provides strong data integrity but weak encryption.
- C. AH provides data integrity but no encryption.
- D. AH does not provide any data integrity or encryption.
Answer: C
Explanation:
The answer is C. AH provides data integrity but no encryption.
The correct statement about the IP Authentication Header (AH) used by IPsec is that AH provides data integrity and authentication but does not provide encryption.
"IPsec is a suite of protocols that is used for authenticating and encrypting traffic between two peers.
The three most used protocols in the suite are the following:
- Internet Key Exchange (IKE), which does the handshake, tunnel maintenance, and disconnection.
- Encapsulation Security Payload (ESP), which ensures data integrity and encryption.
- Authentication Header (AH), which offers only data integrity - not encryption."
NEW QUESTION # 27
Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
- A. HTTPS
- B. Trusted host
- C. Trusted authentication
- D. SSH
- E. FortiTelemetry
Answer: A,B,D
Explanation:
To provide secure and restrictive administrative access to FortiGate, the following three settings and protocols can be used:
A. SSH (Secure Shell)
SSH is a secure protocol that allows secure remote access to the FortiGate command-line interface (CLI).
C. Trusted host
Configuring trusted hosts allows you to restrict administrative access to specified IP addresses, providing an additional layer of security.
D. HTTPS (Hypertext Transfer Protocol Secure)
HTTPS is a secure protocol that enables secure access to the FortiGate web-based graphical user interface (GUI).
So, the correct choices are A, C, and D.
NEW QUESTION # 28
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.
What order must FortiGate use when the web filter profile has features enabled, such as safe search?
- A. DNS-based web filter and proxy-based web filter
- B. Static domain filter, SSL inspection filter, and external connectors filters
- C. FortiGuard category filter and rating filter
- D. Static URL filter, FortiGuard category filter, and advanced filters
Answer: D
Explanation:
The correct order for the HTTP inspection process in web filtering, specifically when features like safe search are enabled in the web filter profile, is:
B. Static URL filter, FortiGuard category filter, and advanced filters
This means that the FortiGate device will first check against the Static URL filter, followed by the FortiGuard category filter, and then any additional advanced filters configured in the web filter profile.
This sequence allows for a systematic evaluation of the URL against different criteria, ensuring comprehensive web filtering.
The HTTP Inspection Order (Static URL Filter -> FortiGuard Category Filter -> Advanced Filters)
NEW QUESTION # 29
Refer to the exhibits.


The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IPaddress 10.0.1.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?
- A. 10.200.1.1
- B. 10.200.1.99
- C. 10.200.1.149
- D. 10.200.1.49
Answer: B
NEW QUESTION # 30
Refer to the exhibit showing a FortiGuard connection debug output.
Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)
- A. A local FortiManaqer is one of the servers FortiGate communicates with.
- B. One server was contacted to retrieve the contract information.
- C. FortiGate is usingdefaultFortiGuard communication settings.
- D. There is at least one server that lost packets consecutively.
Answer: B,C
NEW QUESTION # 31
You can configure FortiGate to store logs on syslog servers, FortiCloud, FortiSIEM, FortiAnalyzer, or FortiManager. These logging devices can also be used as a backup solution. Whenever possible, it is preferred to store logs externally.
If storing logs locally does not fit your requirements, you can store logs externally. You can configure FG to store logs on syslog servers, FortiCloud, FortiSIEM, FortiAnalyzer or FortiManager. These logging devices can also be used as a backup solution.
192.Examine this PAC file configuration.
Which of the following statements are true? (Choose two.)
- A. Any web request fortinet.com is allowed to bypass the proxy.
- B. Browsers can be configured to retrieve this PAC file from the FortiGate.
- C. Any web request to the 172.25. 120.0/24 subnet is allowed to bypass the proxy.
- D. All requests not made to Fortinet.com or the 172.25. 120.0/24 subnet, have to go through altproxy.corp.com: 8060.
Answer: A,B
Explanation:
The command direct bypass the proxy and it is a standard for pac files. And browsers can download de pac file from any server/fortigate.
NEW QUESTION # 32
Refer to the exhibit, which shows a partial configuration from the remote authentication server.
Why does the FortiGate administrator need this configuration?
- A. To set up a RADIUS server Secret
- B. To authenticate only the Training user group.
- C. To authenticate Any FortiGate user groups.
- D. To authenticate and match the Training OU on the RADIUS server.
Answer: D
Explanation:
The configuration shown in the exhibit indicates that the FortiGate is using a Fortinet-specific RADIUS attribute (Fortinet-Group-Name) with the value "Training." This setup allows the FortiGate to authenticate users against the RADIUS server and match them to the "Training" Organizational Unit (OU). By doing so, only users within this specific group or OU can be authenticated and allowed access through the FortiGate.
References:
* FortiOS 7.4.1 Administration Guide: RADIUS Server Configuration
NEW QUESTION # 33
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
- A. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
- B. Pre-shared key and certificate signature as authentication methods
- C. No certificate is required on the remote peer when you set the certificate signature as the authentication method
- D. Extended authentication (XAuth)to request the remote peer to provide a username and password
Answer: B,D
Explanation:
FortiGate supports both pre-shared key and certificate signature methods for IKEv1 authentication. These methods provide flexibility depending on the security requirements of the network. Additionally, FortiGate supports Extended Authentication (XAuth), which requests a username and password from the remote peer, enhancing security by adding an extra layer of authentication. The XAuth method does not necessarily make the authentication faster; it is an additional security measure.
References:
* FortiOS 7.4.1 Administration Guide: IPsec VPN Configuration
NEW QUESTION # 34
An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken.
Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?
- A. The administrator must use the user self-registration server.
- B. The administrator must use a FortiAuthenticator device.
- C. The administrator can use a third-party radius OTP server.
- D. The administrator can register the same FortiToken on more than one FortiGate.
Answer: B
Explanation:
B. The administrator must use a FortiAuthenticator device.
B is correct due to the FortiToken, a different OTP cannot use FortiToken. So we have to choose the fortiAuthenticator.
To achieve VPN user access for multiple sites using the same soft FortiToken, the administrator can use a FortiAuthenticator device. FortiAuthenticator is designed to provide centralized authentication services for Fortinet devices, including VPN authentication. It allows for the centralized management of user identities, authentication methods, and FortiTokens. By using FortiAuthenticator, the administrator can register the same FortiToken for users across multiple FortiGate devices, providing a seamless and centralized user access experience.
NEW QUESTION # 35
Refer to the exhibit.
Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit.
What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?
- A. The signature setting includes a group of other signatures.
- B. Traffic matching the signature will be allowed and logged.
- C. Traffic matching the signature will be silently dropped and logged.
- D. The signature setting uses a custom rating threshold.
Answer: C
NEW QUESTION # 36
An administrator must enable a DHCP server on one of the directly connected networks on FortiGate.
However, the administrator is unable to complete the process on the GUI to enable the service on the interface.
In this scenario, what prevents the administrator from enabling DHCP service?
- A. The role of the interface prevents setting a DHCP server.
- B. Another interface is configured as the only DHCP server on FortiGate.
- C. The FortiGate model does not support the DHCP server.
- D. The DHCP server setting is available only on the CLI.
Answer: A
Explanation:
FortiGate interfaces can be configured in different roles, such as WAN or LAN. If an interface is set as a
"WAN" role, you cannot configure it to act as a DHCP server through the GUI. The interface role must be set to "LAN" or "Undefined" to allow DHCP server configuration.
References:
* FortiOS 7.4.1 Administration Guide: DHCP Server Configuration
NEW QUESTION # 37
Which two statements are true about the RPF check? (Choose two.)
- A. The RPF check is run on the first sent and reply packet of any new session.
- B. RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks.
- C. The RPF check is run on the first sent packet of any new session.
- D. The RPF check is run on the first reply packet of any new session.
Answer: B,C
Explanation:
RPF protect against IP spoofin attacks. The source IP address is checked against the routing table for a return path. RPF is only carried out on: The first packet in the session, not on reply.
NEW QUESTION # 38
An administrator has configured the following settings:
What are the two results of this configuration? (Choose two.)
- A. Device detection on all interfaces is enforced for 30 minutes
- B. Denied users are blocked for 30 minutes
- C. The number of logs generated by denied traffic is reduced
- D. A session for denied traffic is created
Answer: C,D
Explanation:
C: A session for denied traffic is created.
D: The number of logs generated by denied traffic is reduced.
During the session, if a security profile detects a violation, FortiGate records the attack log immediately.
To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.
This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for block sessions.
This determines how long a session will be kept in the session table by setting block-sessiontimer in the CLI. By default, it is set to 30 seconds.
NEW QUESTION # 39
Refer to the exhibits, which show the firewall policy and the security profile for Facebook.

Users are given access to the Facebook web application. They can play video content hosted on Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the configuration must you change to resolve the issue?
- A. Disable HTTP redirect to HTTPS on the web browser
- B. Get the additional application signatures required to add to the security policy
- C. Make the SSL inspection a deep content inspection
- D. Add Facebook to the URL category in the security policy
Answer: B
Explanation:
In the security profile, there are application overrides for specific Facebook-related features, such as
"Facebook" and "Facebook_Video.Play." However, the absence of specific signatures for actions like
"Facebook_Like.Button" might be preventing reactions. You need to ensure that the necessary application signatures for all desired Facebook features, including reactions (like buttons), are included in the security policy. Therefore, retrieving or adding those signatures would resolve the issue.
NEW QUESTION # 40
When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate.
Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate?
(Choose three.)
- A. Trust & Allow
- B. Block & Warning
- C. Allow
- D. Allow & Warning
- E. Block
Answer: A,D,E
NEW QUESTION # 41
Which two statements describe how the RPF check is used? (Choose two.)
- A. The RPF check is run on the first sent and reply packet of any new session.
- B. The RPF check is run on the first sent packet of any new session.
- C. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
- D. The RPF check is run on the first reply packet of any new session.
Answer: B,C
Explanation:
The Reverse Path Forwarding (RPF) check is run on the first sent packet of any new session to ensure that the packet arrives on a legitimate interface. This check protects the network from IP spoofing attacks by verifying that a return route exists from the receiving interface back to the source IP address. If the route is invalid or not found, the packet is discarded. Options B and C are incorrect because RPF checks are performed on the first sent packet, not the reply packet.
Reference:
FortiOS 7.4.1 Administration Guide: Reverse Path Forwarding (RPF) Check
NEW QUESTION # 42
Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)
- A. Virtual IP addresses are used to distinguish between cluster members.
- B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
- C. The primary device in the cluster is always assigned IP address 169.254.0.1.
- D. Heartbeat interfaces have virtual IP addresses that are manually assigned.
Answer: A,B
Explanation:
A). A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster: When a FortiGate device joins or leaves the High Availability (HA) cluster, there can be a change in the virtual IP address. The virtual IP address is typically associated with the primary unit in the cluster, and if there's a change in the cluster composition, the virtual IP may be reassigned to the new primary unit.
B). Virtual IP addresses are used to distinguish between cluster members:
Virtual IP addresses are indeed used to distinguish between cluster members. In an HA cluster, there is a virtual IP address that is associated with the primary unit. This virtual IP address serves as the gateway for devices on the network, and it helps ensure seamless failover in the event of a primary unit failure.
The other statements (C and D) are not accurate:
C). Heartbeat interfaces have virtual IP addresses that are manually assigned:
This statement is not correct. Heartbeat interfaces are used for communication between cluster members to monitor each other's status. Virtual IP addresses are typically associated with the cluster and are automatically assigned or reassigned based on the cluster configuration.
D). The primary device in the cluster is always assigned IP address 169.254.0.1:
This statement is not correct. The primary device in the cluster is assigned the virtual IP address associated with the cluster. The IP address 169.254.0.1 is typically reserved for certain link-local purposes and is not a standard IP address for the primary device in an HA cluster.
The correct statements regarding FortiGate HA cluster virtual IP addresses are:
A). A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
B). Virtual IP addresses are used to distinguish between cluster members.
Extra
A). When a FortiGate device joins or leaves the cluster, the virtual IP address associated with the cluster may change. The virtual IP address is assigned to the primary device in the cluster, and if that device fails, the virtual IP address will failover to the secondary device.
B). Virtual IP addresses are used to distinguish between cluster members. Each device in the cluster has a unique physical IP address, but they share a virtual IP address that is used by clients to communicate with the cluster as a whole. The virtual IP address is used to identify the cluster, and clients use it to connect to the cluster rather than connecting to a specific device.
A change in the heartbeat ip addresses might happend when a fortigate device joins or leaves the cluster. In those cases, the cluster renegotiates the heartsbeat ip address assignment, this time taking into account the serial number of any new device, or removing the serial number of any device that left the cluster & cluster uses these virtual ip addressesto: Distinguish the cluster member
NEW QUESTION # 43
Which three statements about security associations (SA) in IPsec are correct? (Choose three.)
- A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
- B. Both the phase 1 SA and phase 2 SA are bidirectional.
- C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
- D. An SA never expires.
- E. Phase 2 SA expiration can be time-based, volume-based, or both.
Answer: A,C,E
Explanation:
The correct statements about security associations (SA) in IPsec are:
A. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.
C. A phase 1 SA is bidirectional, while a phase 2 SA is directional.
D. Phase 2 SA expiration can be time-based, volume-based, or both. Here's an explanation for the correct statements:
A. Phase 2 SAs (Security Associations) are established for the purpose of encrypting and decrypting the actual data that is exchanged through the IPsec tunnel. Phase 1 SAs, on the other hand, are primarily responsible for setting up the initial secure connection.
C. A phase 1 SA is bidirectional, meaning it covers both directions of communication between two peers.
However, a phase 2 SA is directional, and separate SAs are established for inbound and outbound traffic.
D. Phase 2 SAs can have expiration based on time, volume (data transferred), or a combination of both.
This allows for better control and security management in IPsec implementations.
NEW QUESTION # 44
Refer to the exhibits.
The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled using IP pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?
- A. 10.200.1.1
- B. 10.0.1.254
- C. 10.200.1.100
- D. 10.200.1.10
Answer: C
Explanation:
From LAN to WAN, the Source NAT will use the IPPOOL with address configured 10.200.1.100 Destination NAT, from WAN to LAN, will use the VIP The question says SNAT, so the only correct answer here (looking at the IP Pool) is D.
(Step 2): FortiGate uses as NAT IP the external IP address defined in the VIP when performing SNAT on all egress traffic sourced from the mapped address in the VIP, provided the matching firewall policy has NAT enabled.
Note that you can override the behavior described in step 2 by using an IP pool.
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529
NEW QUESTION # 45
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.
Which order must FortiGate use when the web filter profile has features such as safe search enabled?
- A. DNS-based web filter and proxy-based web filter
- B. Static domain filter, SSL inspection filter, and external connectors filters
- C. FortiGuard category filter and rating filter
- D. Static URL filter, FortiGuard category filter, and advanced filters
Answer: D
Explanation:
When multiple web filtering features are enabled in FortiGate, the HTTP inspection process follows a specific sequence: Static URL Filter: This filter checks URLs against a predefined list of allowed or blocked URLs. FortiGuard Category Filter: This checks the category of the website using the FortiGuard database. Advanced Filters: These include features like -> "Safe Search" <-, YouTube EDU filtering, and other advanced filtering options. This order ensures efficient and layered filtering of web traffic based on various criteria.
NEW QUESTION # 46
......
Fortinet FCP_FGT_AD-7.4 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
Exam Questions for FCP_FGT_AD-7.4 Updated Versions With Test Engine: https://www.passcollection.com/FCP_FGT_AD-7.4_real-exams.html
Test Engine to Practice Test for FCP_FGT_AD-7.4 Valid and Updated Dumps: https://drive.google.com/open?id=1yj9HmOL93n4JLXDlD2oqz36PaQyiJ6oL

