FORTINET
FCP_FGT_AD-7.6
FCP - FortiGate 7.6 Administrator
1. Refer to the exhibit.
Which route will be selected when trying to reach 10.20.30.254?
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
B. 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
C. 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
D. 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
Answer: A
Explanation:
The correct route to reach 10.20.30.254 would be:
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
This route is more specific (10.20.30.0/24) compared to the other routes
(10.20.30.0/26 and 10.30.20.0/24) and would therefore be selected as the best
match.
2. Which two IP pool types are useful for carrier-grade NAT deployments? (Choose
two.)
A. Port block allocation
B. Fixed port range
C. One-to-one
D. Overload
Answer: A,B
Explanation:
The two IP pool types that are useful for carrier-grade NAT (CGNAT) deployments
are:
A. Port block allocation
B. Fixed port range
A. Port block allocation: In this method, a range of ports is allocated to each internal
IP address. This allows multiple internal devices to share the same public IP address,
but use different port ranges, enabling more efficient use of IP addresses.
B. Fixed port range: This method allocates a fixed range of ports to each internal IP
address. It is similar to port block allocation but restricts the port range to a fixed set
of ports for each internal IP address, which can be useful for certain applications or
scenarios.
Both port block allocation and fixed port range allocation are commonly used in
CGNAT deployments to manage the mapping of internal private IP addresses to
public IP addresses and ports, allowing for efficient use of limited IPv4 addresses.
3. What is eXtended Authentication (XAuth)?
A. It is an IPsec extension that forces remote VPN users to authenticate using their
local ID.
B. It is an IPsec extension that forces remote VPN users to authenticate using their
credentials (username and password).
C. It is an IPsec extension that authenticates remote VPN peers using a pre-shared
key.
D. It is an IPsec extension that authenticates remote VPN peers using digital
certificates.
Answer: B
Explanation:
The correct answer is:
B. It is an IPsec extension that forces remote VPN users to authenticate using their
credentials (username and password).
eXtended Authentication (XAuth) is an IPsec extension that adds additional
authentication for remote VPN users after the initial IPsec phase 1 and phase 2
negotiations. XAuth requires users to provide their credentials (username and
password) in addition to the standard IPsec authentication, enhancing the security of
the VPN connection.
4. What must you configure to enable proxy-based TCP session failover?
A. You must configure ha-configuration-sync under configure system ha.
B. You do not need to configure anything because all TCP sessions are automatically
failed over.
C. You must configure session-pickup-enable under configure system ha.
D. You must configure session-pickup-connectionless enable under configure system
ha.
Answer: C
Explanation:
The correct answer is:
C. You must configure session-pickup-enable under configure system ha.
To enable proxy-based TCP session failover on a Fortinet FortiGate firewall, you must
configure the session-pickup-enable setting under the high availability (HA)
configuration. This setting allows the firewall to pick up and maintain TCP sessions
after a failover event, ensuring continuity of service for established connections.
5. An administrator needs to inspect all web traffic (including Internet web traffic)
coming from users connecting to the SSL-VPN.
How can this be achieved?
A. Assigning public IP addresses to SSL-VPN users
B. Configuring web bookmarks
C. Disabling split tunneling
D. Using web-only mode
Answer: C
Explanation:
The correct answer is: C. Disabling split tunneling
Split tunneling allows VPN users to access both local and remote networks
simultaneously. However, if you want to inspect all web traffic, including Internet
traffic, coming from users connecting to the SSL-VPN, you should disable split
tunneling. Disabling split tunneling forces all user traffic through the VPN tunnel,
allowing you to inspect and control the traffic more effectively.
6. Which NAT method translates the source IP address in a packet to another IP
address?
A. DNAT
B. SNAT
C. VIP
D. IPPOOL
Answer: B
Explanation:
The correct answer is: B. SNAT
SNAT (Source Network Address Translation), also known as MASQUERADE in
iptables, translates the source IP address in a packet to another IP address. It is
commonly used in scenarios where internal private IP addresses need to be
translated to a single public IP address when accessing the Internet, for example.
DNAT (Destination Network Address Translation) translates the destination IP
address in a packet to another IP address. VIP (Virtual IP) is used to designate a
single IP address that represents multiple servers for load balancing or high
availability purposes. IPPOOL typically refers to a range of IP addresses that can be
dynamically assigned to clients, such as in DHCP.
7. What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?