Fortinet FCP_FGT_AD-7.6 Test Engine Practice Test Questions, Exam Dumps
100% Free FCP_FGT_AD-7.6 Daily Practice Exam With 129 Questions
Fortinet FCP_FGT_AD-7.6 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
NEW QUESTION # 50
What are two features of FortiGate FSSO agentless polling mode? (Choose two.)
- A. FortiGate does not support workstation check.
- B. FortiGate uses the AD server as the collector agent.
- C. FortiGate directs the collector agent to use a remote LDAP server.
- D. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
Answer: A,D
NEW QUESTION # 51
A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal.
Which SSL timer can you use to mitigate a denial of service (DoS) attack?
- A. SSL VPN dtls-hello-timeout
- B. SSL VPN http-request-header-timeout
- C. SSL VPN login-timeout
- D. SSL VPN idle-timeout
Answer: B
Explanation:
config vpn ssl settings
set http-request-header-timeout <1-60>
end
Timers can also help to mitigate DoS attacks with SSL VPN caused by partial HTTP requests.
NEW QUESTION # 52
Which two statements about the Security Fabric rating are true? (Choose two.)
- A. The Security Posture category provides PCI compliance results.
- B. A license is required to obtain an executive summary in the Security Rating section.
- C. Security Rating Insights are available only in the Security Rating page.
- D. The root FortiGate provides executive summaries of all the FortiGate devices in the Security Fabric.
Answer: B,D
Explanation:
A license is required to obtain an executive summary in the Security Rating section → Without the license, only limited Security Fabric rating details are shown.
The root FortiGate aggregates and provides executive summaries for all FortiGate devices in the Security Fabric, giving a consolidated security posture overview.
NEW QUESTION # 53
Refer to the exhibits.
Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit.
What would be the expected outcome in the HA cluster?
- A. HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.
- B. HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.
- C. The HA cluster will become out of sync because the override setting must match on all HA members.
- D. HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.
Answer: D
Explanation:
With override enabled on HQ-NGFW-2 and its higher priority (110 vs. 90), HQ-NGFW-2 will become the primary device, preempting HQ-NGFW-1 despite the current primary status.
NEW QUESTION # 54
Which two statements describe characteristics of automation stitches? (Choose two.)
- A. Actions involve only devices included in the Security Fabric.
- B. Triggers can involve external connectors.
- C. An automation stitch can have multiple triggers.
- D. Multiple actions can run in parallel.
Answer: B,D
Explanation:
Automation stitches can execute multiple actions concurrently (in parallel).
Triggers for automation stitches can come from external connectors beyond just Fortinet devices.
NEW QUESTION # 55
Refer to the exhibits. Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit.
What would be the expected outcome in the HA cluster?
- A. HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.
- B. HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.
- C. The HA cluster will become out of sync because the override setting must match on all HA members.
- D. HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.
Answer: D
Explanation:
With override enabled on HQ-NGFW-2 and its higher priority (110 vs. 90), HQ-NGFW-2 will become the primary device, preempting HQ-NGFW-1 despite the current primary status.
NEW QUESTION # 56
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
- A. Enable Dead Peer Detection.
- B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
- C. Use the VPN wizard to create an IPsec template for a redundant IPsec VPN tunnel.
- D. In the phase1-interface, enable npu-offload to detect a dead tunnel.
Answer: A,B
Explanation:
Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel → This ensures that the primary tunnel is always preferred, and the secondary is only used when the primary route is unavailable.
Enable Dead Peer Detection → DPD allows FortiGate to quickly detect when the primary tunnel is down, enabling faster failover to the backup tunnel.
NEW QUESTION # 57
What are two features of collector agent advanced mode? (Choose two.)
- A. In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
- B. Advanced mode supports nested or inherited groups.
- C. Advanced mode uses the Windows convention - NetBios: Domain\Username.
- D. In advanced mode, security profiles can be applied only to user groups, not individual users.
Answer: A,B
Explanation:
Advanced mode supports nested or inherited groups, allowing FortiGate to recognize users that belong to subgroups within AD.
In advanced mode, FortiGate can be configured as an LDAP client and apply group filters, giving more granular control over user authentication and authorization.
NEW QUESTION # 58
Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
- A. Configure a separate firewall policy with action Deny and an FQDN address object for*.download.com as destination address.
- B. Set the Freeware and Software Downloads category Action to Warning.
- C. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
- D. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
Answer: C,D
NEW QUESTION # 59
A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View.
The policies appear in a different order in each view.
Why is the policy order different in these two views?
- A. By Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.
- B. Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.
- C. Policies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator's manual ordering.
- D. The firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.
Answer: B
Explanation:
Interface Pair View organizes policies grouped by source and destination interfaces, whereas By Sequence View displays policies in the exact order they are processed by the firewall.
NEW QUESTION # 60
Refer to the exhibit. Based on this partial configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)
- A. FortiGate skips quarantine actions.
- B. FortiGate drops new sessions requiring inspection.
- C. Administrators must restart FortiGate to allow new session.
- D. Administrators cannot change the configuration.
Answer: A,D
Explanation:
System configuration cannot be changed because of the IPS Global configuration "fail-open enabled" FortiGate skips quarantine actions - again because of the IPS Global configuration "fail-open enabled"
NEW QUESTION # 61
Refer to the exhibit showing a debug flow output.
Which two conclusions can you make from the debug flow output? (Choose two.)
- A. The default gateway is configured on port2.
- B. The matching firewall policy denies the traffic.
- C. The debug flow is for UDP traffic.
- D. The RPF check fails.
Answer: A,B
NEW QUESTION # 62
Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.


An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which additional configuration can the administrator add to a deny firewall policy, beyond the default behavior, to block Remote-User2 from accessing the Webserver?
- A. Set the Destination address as Deny_IP in the Allow_access policy.
- B. Configure a One-to-One IP Pool object in a new policy.
- C. Set the Destination address as Webserver in the Deny policy.
- D. Disable match-vip in the Allow_access policy
Answer: C
Explanation:
To block Remote-User2's access to the Webserver, the deny policy must explicitly specify the Webserver as the destination address; otherwise, it denies traffic to all destinations, which is not the desired behavior.
NEW QUESTION # 63
Refer to the exhibit. Why is the Antivirus scan switch grayed out when you are creating a new antivirus profile for FTP?
- A. The Feature Set for the profile is Flow-based but it must be Proxy-based.
- B. FortiGate, with less than 2 GB RAM, does not support the Antivirus scan feature.
- C. Antivirus scan is disabled under System -> Feature visibility.
- D. None of the inspected protocols are active in this profile.
Answer: D
Explanation:
The Antivirus scan switch is grayed out because none of the inspected protocols (HTTP, SMTP, POP3, IMAP, FTP, CIFS) have been enabled in the new antivirus profile. Until at least one protocol is turned on, FortiGate does not allow activation of the antivirus scan.
NEW QUESTION # 64
An administrator notices that some users are unable to establish SSL VPN connections, while others can connect without any issues.
What should the administrator check first?
- A. Ensure that forced tunneling is enabled to reroute all traffic through the SSL VPN
- B. Ensure that user traffic is hitting the firewall policy.
- C. Ensure that the HTTPS service is enabled on SSL VPN tunnel interface
- D. Ensure that the affected users are using the correct port number.
Answer: D
NEW QUESTION # 65
An administrator manages a FortiGate model that supports NTurbo.
How does NTurbo enhance performance for flow-based inspection?
- A. NTurbo creates a special data path to redirect traffic between the IPS engine its ingress and egress interfaces.
- B. NTurbo buffers the whole file and then sends it to the antivirus engine.
- C. NTurbo creates two inspection sessions on the FortiGate device.
- D. NTurbo offloads traffic to the content processor.
Answer: A
Explanation:
NTurbo enhances flow-based inspection performance by creating a fast data path between the IPS engine and the ingress/egress interfaces. This allows traffic to be inspected efficiently without needing to pass through the slower, traditional packet path, thus reducing CPU load and improving throughput during flow-based security inspections.
NEW QUESTION # 66
A remote user reports slow SSL VPN performance and frequent disconnections. The user is located in an area with poor internet connectivity.
What setting should the administrator adjust to improve the user's experience?
- A. Enable split tunneling to reduce VPN traffic.
- B. Configure the DTLS timeout to accommodate high-latency connections.
- C. Change the SSL VPN port to a non-standard port.
- D. Increase the session timeout for inactive sessions.
Answer: B
Explanation:
Adjusting the DTLS timeout helps maintain SSL VPN stability and performance in environments with poor or high-latency internet connectivity by allowing more time for packet retransmissions before dropping the connection.
NEW QUESTION # 67
Refer to the exhibit.
Based on this partial configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)
- A. FortiGate skips quarantine actions.
- B. FortiGate drops new sessions requiring inspection.
- C. Administrators cannot change the configuration.
- D. Administrators must restart FortiGate to allow new session.
Answer: A,B
Explanation:
In fail-open mode, FortiGate skips quarantine actions to maintain traffic flow despite IPS or antivirus failures.
FortiGate drops new sessions that require inspection when in conserve mode and fail-open is enabled, to protect the network from potentially harmful traffic.
NEW QUESTION # 68
Refer to the exhibits.
An administrator has observed the performance status outputs on an HA cluster for 55 seconds.
Which FortiGate is the primary?
- A. HQ-NGFW-1 with the parameter override setting
- B. HQ-NGFW-2 with the parameter priority setting
- C. HQ-NGFW-2 with the parameter memory-failover-threshold setting
- D. HQ-NGFW-1 with the parameter memory-failover-flip-timeout setting
Answer: A
Explanation:
The HA configuration shows that override is disabled (set override disable), but despite this, HQ-NGFW-1 has the higher priority (200) and is acting as the primary, as indicated by its higher resource usage and uptime.
Override allows the device with higher priority to take over as primary, so HQ-NGFW-1 is the primary device.
NEW QUESTION # 69
Refer to the exhibit. The administrator configured SD-WAN rules and set the FortiGate traffic log page to display SD-WAN-specific columns: SD-WAN Quality and SD- WAN Rule Name.
FortiGate allows the traffic according to policy ID 1 placed at the top. This is the policy that allows SD-WAN traffic. Despite these settings, the traffic logs do not show the name of the SD-WAN rule used to steer those traffic flows.
What could be the reason?
- A. There is no application control profile applied to the firewall policy.
- B. SD-WAN rule names do not appear immediately. The administrator must refresh the page.
- C. Destinations in the SD-WAN rules are configured for each application, but feature visibility is not enabled.
- D. FortiGate load balanced the traffic according to the implicit SD-WAN rule.
Answer: D
Explanation:
The SD-WAN traffic log does not display an SD-WAN rule name because the traffic is being forwarded by the implicit SD-WAN rule. If no explicit SD-WAN rule matches the traffic, FortiGate falls back to the default implicit rule, which balances traffic based on the configured strategy (such as volume or sessions). Since no explicit rule applied, the rule name field remains blank in the logs.
NEW QUESTION # 70
Refer to the exhibits.
Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-
1 and HQ-NGFW-2 as shown in the exhibit.
What would be the expected outcome in the HA cluster?
- A. HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.
- B. HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.
- C. The HA cluster will become out of sync because the override setting must match on all HA members.
- D. HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.
Answer: D
Explanation:
With override enabled on HQ-NGFW-2 and its higher priority (110 vs. 90), HQ-NGFW-2 will become the primary device, preempting HQ-NGFW-1 despite the current primary status.
NEW QUESTION # 71
You have configured the FortiGate device for FSSO. A user is successful in log-in to windows, but their access to the internet is denied.
What should the administrator check first?
- A. The FortiGate FSSO active users list for user's IP address.
- B. The FortiGate firewall policy settings for SSL decryption.
- C. Whether the user is assigned to the correct AD group.
- D. The windows event viewer for failed login attempts.
Answer: A
Explanation:
Checking the active users list verifies if FortiGate correctly associates the user with their IP address, ensuring proper policy enforcement for internet access.
NEW QUESTION # 72
You want to ensure that an SSL VPN user's authenticated session does not remain active after they disconnect from the VPN.
Which configuration will ensure this?
- A. Manually clear active firewall authentication sessions after a user disconnects.
- B. Enable settings to force the firewall authentication session to end when the SSL VPN session ends
- C. Increase the SSL VPN idle timeout to reduce the chance of early disconnections.
- D. Configure the firewall authentication session timeout to be lower than the SSL VPN session timeout.
Answer: B
Explanation:
Firewall policy authentication session is associated with SSL VPN tunnel session.
Firewall policy authentication session is forced to end when SSL VPN tunnel session ends.
Prevents reuse of authenticated SSL VPN firewall sessions (not yet expired) by a different user, after the initial user terminates the SSL VPN tunnel session.
NEW QUESTION # 73
Refer to the exhibit. FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?
- A. Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.
- B. Replace port1 and port2 with the any interface in a single firewall policy.
- C. Create an Aggregate interface that includes port1 and port2 to create a single firewall policy.
- D. Select port1 and port2 subnets in a single firewall policy.
Answer: A
Explanation:
Enabling Multiple Interface Policies allows you to select multiple interfaces (like port1 and port2) in a single firewall policy, consolidating access rules for both Sales and Engineering to the web server.
NEW QUESTION # 74
Refer to the exhibits. An administrator configured both members of an HA cluster at the same time. After one week of monitoring, the administrator wants to verify the HA failover performance.
How can the administrator force a failover?

- A. The administrator must set the monitored port to down on HQ-NGFW-1.
- B. The administrator must increase the HA priority on HQ-NGFW-2.
- C. The administrator must reset the HA uptime on HQ-NGFW-1.
- D. The administrator must set the parameter override to enable on HQ-NGFW-2.
Answer: A
Explanation:
Both FortiGates are in an active-passive (a-p) HA cluster with override disabled. This means failover is triggered only if the primary (HQ-NGFW-1) becomes unavailable or monitored interfaces fail. To test failover performance, the administrator can set the monitored interface (port1) down on HQ-NGFW-1, which will force a failover to HQ-NGFW-2.
NEW QUESTION # 75
......
Use Valid New FCP_FGT_AD-7.6 Test Notes & FCP_FGT_AD-7.6 Valid Exam Guide: https://www.easy4engine.com/FCP_FGT_AD-7.6-test-engine.html
FCP_FGT_AD-7.6 exam torrent Fortinet study guide: https://drive.google.com/open?id=1NHgYjtYBYjsY9kkss2-jOMhX7r1yXuVY

