FCP_FGT_AD-7.4 Practice Test

Explanation

When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there are three valid actions it can take:
Allow & Warning: This action allows the session but generates a warning.
Block & Warning: This action blocks the session and generates a warning.
Block: This action blocks the session without generating a warning.

Actions such as "Trust & Allow" or just "Allow" without additional configurations are not applicable in the context of handling invalid certificates.

Explanation:

FortiGate's SD-WAN rule strategies for member selection include the following:

Manual with load balancing: This strategy allows an administrator to manually configure which SDWAN member interfaces to use for specific traffic.
Lowest Cost (SLA) with load balancing: This strategy prioritizes the link with the lowest cost that meets the SLA requirements.
Best Quality with load balancing: This strategy selects the link with the best performance metrics, such as latency, jitter, or packet loss.
Options D and E are incorrect because "Lowest Quality" is not a valid strategy, and "Lowest Cost without load balancing" contradicts the requirement for load balancing in the strategy name.

Explanation:

For SSL VPN to function correctly between two FortiGate devices, the following settings are required:

B. The server FortiGate requires a CA certificate to verify the client FortiGate certificate: The server FortiGate must have a Certificate Authority (CA) certificate installed to authenticate and verify the certificate presented by the client FortiGate device.

C. The client FortiGate requires a client certificate signed by the CA on the server FortiGate: The client FortiGate must have a client certificate that is signed by the same CA that the server FortiGate uses for verification. This ensures a secure SSL VPN connection between the two devices.

The other options are not directly necessary for establishing SSL VPN:

A. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN: This is incorrect as SSL VPN does not require a specific tunnel interface type; it typically uses an SSL VPN client profile.

D. The client FortiGate requires a manually added route to remote subnets: While routing may be necessary, it is not specifically required for the SSL VPN functionality between two FortiGates.

Explanation:

For a high-latency internet connection, the SSL VPN setting that should be adjusted is:
C. SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.

The other options are not suitable:

A. SSL VPN idle-timeout: This setting controls the idle time allowed before a session is terminated, which is not relevant to the initial connection establishment.

B. SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.

D. SSL VPN session-ttl: This setting controls the total time-to-live for an SSL VPN session but does not directly address issues caused by high latency.

Explanation:

The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information:

WinSecLog: Monitors Windows Security Event Logs for login events.
WMI: Uses Windows Management Instrumentation to poll user login sessions.
NetAPI: Utilizes the Netlogon API to query domain controllers for user session data.

These methods allow the FortiGate to gather user logon information and enforce user-based policies effectively.