Free Practice Questions for Fortinet FCP_FGT_AD-7.4 Exam

The source address remains 10.200.3.1 because FortiGate does not modify the source address by default unless NAT is applied (which is disabled in the policy).

The destination address is translated to 10.0.1.10 by the VIP (Virtual IP) object, as this is the internal server address mapped to the external IP 10.200.1.10.

The destination port is translated from 8080 to 80 as per the port forwarding rule configured in the VIP object.

If fortigate is used as an SSL VPN client, it needs a ssl virtual tunnel interface to connect to the SSL VPN server. This is the client virtual interface that the vpn server will assign the temporary IP address toduring the lifetime of an ssl connection. The SSL VPN server also needs a correct CA certificate to authenticate/trust client's certificate.

When using multiple dial-up IPsec VPNs in aggressive mode, the Peer ID setting in Phase 1 can be used to distinguish between different VPN tunnels. Each dial-up user or department can be assigned a unique Peer ID, allowing the FortiGate to match the incoming VPN request to the correct tunnel based on the Peer ID value.

NAT Configuration: The first firewall policy has NAT enabled using the configured IP pool.

IP Pool Configuration: The IP pool is configured with an external IP range of 10.200.1.100.

Source NAT: When traffic is being NATed, the source IP address is replaced with an IP from the configured pool. In this scenario, the specific IP defined in the pool is 10.200.1.100.

Thus, any internet-bound traffic from the workstation (10.0.1.10) will have its source IP address NATed to 10.200.1.100.

The selected SSL inspection profile has certificate inspection enabled

If the SSL inspection profile is set to certificate inspection instead of full SSL inspection, FortiGate will only inspect the certificate of the HTTPS connection but will not decrypt and inspect the actual traffic content, leading to a failure in virus detection.

The website is exempted from SSL inspection

If the website hosting the EICAR test file is exempt from SSL inspection, FortiGate will not decrypt the traffic, meaning it cannot inspect the file content for viruses, resulting in the file being downloaded without detection.

FortiGate's application control can differentiate between parent and child applications and allows administrators to configure distinct actions for each. For example, it can identify Facebook (parent application) and specific functions within it (child applications) like Facebook video or chat, enabling more granular control over application traffic.

The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.

References:

FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration

To retrieve AD user group information in agentless polling mode, the administrator must add an LDAP server to the FortiGate device​.

The sniffer output shows that packets from the web client are reaching the FortiGate and being forwarded to the web server, but there is no indication that the web server is responding. To troubleshoot this issue, executing a debug flow will help analyze the traffic path and pinpoint where the problem might be occurring, such as a possible issue in firewall policy or route settings that is causing the server not to respond correctly.

References:

FortiOS 7.4.1 Administration Guide: Troubleshooting network connectivity