Fortinet FCP_FGT_AD-7.4 Practice Questions

Total 89 Questions


Last Updated On : 26-Nov-2025



An administrator must enable a DHCP server on one of the directly connected networks on FortiGate. However, the administrator is unable to complete the process on the GUI to enable the service on the interface. In this scenario, what prevents the administrator from enabling DHCP service?



A. The role of the interface prevents setting a DHCP server.


B. The DHCP server setting is available only on the CLI.


C. Another interface is configured as the only DHCP server on FortiGate.


D. The FortiGate model does not support the DHCP server.





A. The role of the interface prevents setting a DHCP server.

Explanation:

FortiGate interfaces can be assigned different roles, such as WAN or LAN. If an interface is set to the "WAN" role, you cannot configure it as a DHCP server through the GUI. The interface role must be set to "LAN" or "Undefined" to allow DHCP server configuration.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. Which order must FortiGate use when the web filter profile has features such as safe search enabled?



A. FortiGuard category filter and rating filter


B. Static domain filter, SSL inspection filter, and external connectors filters


C. DNS-based web filter and proxy-based web filter


D. Static URL filter, FortiGuard category filter, and advanced filters





D. Static URL filter, FortiGuard category filter, and advanced filters

Explanation:

FortiGate applies web filters in the following order: Static URL filter, FortiGuard category filter, Web content filter, Web script filter, and Antivirus scanning.

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)



A. Enable Dead Peer Detection


B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.


C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.


D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.





A. Enable Dead Peer Detection

C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Explanation:

To configure redundant IPsec VPN tunnels on FortiGate with failover capability, the following two key configuration changes are required:

A. Enable Dead Peer Detection (DPD): Dead Peer Detection is crucial for detecting if the remote peer is unreachable. By enabling DPD, FortiGate can quickly detect a dead tunnel, ensuring a faster failover to the secondary tunnel when the primary tunnel goes down.

C. Configure a lower distance on the static route for the primary tunnel and a higher distance on the static route for the secondary tunnel: The static route with the lower distance (higher priority) will be used when both tunnels are operational. If the primary tunnel fails, the higher distance (lower priority) route for the secondary tunnel will take over, ensuring traffic is routed correctly.

The other options are not suitable:

B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels: This option is not directly related to the requirements of failover between two IPsec VPN tunnels.

D. Configure a higher distance on the static route for the primary tunnel and a lower distance on the static route for the secondary tunnel: This would prioritize the secondary tunnel over the primary tunnel, which is opposite to the desired configuration.

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)



A. Pre-shared key and certificate signature as authentication methods


B. Extended authentication (XAuth) to request the remote peer to provide a username and password


C. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged


D. No certificate is required on the remote peer when you set the certificate signature as the authentication method





A. Pre-shared key and certificate signature as authentication methods

B. Extended authentication (XAuth) to request the remote peer to provide a username and password

Explanation:

FortiGate supports both pre-shared key and certificate signature methods for IKEv1 authentication. These methods provide flexibility depending on the security requirements of the network. Additionally, FortiGate supports Extended Authentication (XAuth), which requests a username and password from the remote peer, enhancing security by adding an extra layer of authentication. The XAuth method does not necessarily make the authentication faster; it is an additional security measure.

An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is outbound traffic but no response from the peer.

Which DPD mode on FortiGate meets this requirement?



A. On Demand


B. On Idle


C. Disabled


D. Enabled





A. On Demand

Which two statements are correct when FortiGate enters conserve mode? (Choose two.)



A. FortiGate halts complete system operation and requires a reboot to regain available resources


B. FortiGate refuses to accept configuration changes


C. FortiGate continues to run critical security actions, such as quarantine.


D. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled





C. FortiGate continues to run critical security actions, such as quarantine.

D. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?



A. Internet Service Database (ISDB) engine


B. Intrusion prevention system engine


C. Antivirus engine


D. Application control engine





D. Application control engine
