Fortinet FCP_FGT_AD-7.6試験問題集で[2025年最新] 有効な試験練習問題集解答 [Q17-Q34]

Share

Fortinet FCP_FGT_AD-7.6試験問題集で[2025年最新] 有効な試験練習問題集解答

FCP_FGT_AD-7.6問題集で掴み取れ![最新2025]Fortinet試験合格させます

質問 # 17
A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode.
Which step is NOT part of the expected process?

  • A. FortiGate determines user identity based on the IP address in the FSSO list.
  • B. The DC agent sends login event data directly to FortiGate.
  • C. The collector agent forwards login event data to FortiGate.
  • D. The user logs into the windows domain.

正解:C

解説:
In DC Agent Mode, the DC agent sends login event data directly to FortiGate without involving a collector agent.


質問 # 18
When configuring firewall policies which of the following is true regarding the policy ID?

  • A. You can create a policy in CLI with policy ID 0.
  • B. It is mandatory to provide a policy ID while creating a firewall policy regardless of GUI or CLI.
  • C. A policy ID cannot be edited once a policy is created.
  • D. A firewall policy ID identifies the order of policy execution in firewall policies.

正解:C

解説:
Once a firewall policy is created, its policy ID is fixed and cannot be changed; this ID uniquely identifies the policy within the FortiGate configuration.


質問 # 19
Refer to the exhibit.

An administrator has configured an Application Overrides for the ABC.Com application signature and set the Action to Allow. This application control profile is then applied to a firewall policy that is scanning all outbound traffic. Logging is enabled in the firewall policy. To test the configuration, the administrator accessed the ABC.Com web site several times.
Why are there no logs generated under security logs for ABC.Com?

  • A. The ABC.Com is configured under application profile, which must be configured as a web filter profile.
  • B. The ABC.Com Action is set to Allow.
  • C. The ABC.Com is hitting the category Excessive-Bandwidth.
  • D. The ABC.Com Type is set as Application instead of Filter.

正解:B

解説:
When the action is set to Allow in an application override, traffic matching this override is allowed without generating security logs because it bypasses deeper inspection and blocking.


質問 # 20
Which three statements explain a flow-based antivirus profile? (Choose three.)

  • A. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
  • B. Flow-based inspection optimizes performance compared to proxy-based inspection.
  • C. If a virus is detected, the last packet is delivered to the client.
  • D. The IPS engine handles the process as a standalone.
  • E. FortiGate buffers the whole file but transmits to the client at the same time.

正解:A、B、E

解説:
Flow-based antivirus buffers the entire file while simultaneously transmitting data to the client to minimize latency.
Flow-based inspection combines multiple scanning techniques from proxy-based modes for efficient detection.
Flow-based inspection provides better performance by processing traffic on the fly without full proxy overhead.


質問 # 21
A remote user reports slow SSL VPN performance and frequent disconnections. The user is located in an area with poor internet connectivity.
What setting should the administrator adjust to improve the user's experience?

  • A. Change the SSL VPN port to a non-standard port.
  • B. Configure the DTLS timeout to accommodate high-latency connections.
  • C. Enable split tunneling to reduce VPN traffic.
  • D. Increase the session timeout for inactive sessions.

正解:B

解説:
Adjusting the DTLS timeout helps maintain SSL VPN stability and performance in environments with poor or high-latency internet connectivity by allowing more time for packet retransmissions before dropping the connection.


質問 # 22
What is the primary FortiGate election process when the HA override setting is enabled?

  • A. Connected monitored ports > System uptime > Priority > FortiGate serial number
  • B. Connected monitored ports > Priority > System uptime > FortiGate serial number
  • C. Connected monitored ports > Priority > HA uptime > FortiGate serial number
  • D. Connected monitored ports > HA uptime > Priority > FortiGate serial number

正解:C

解説:
When HA override is enabled, FortiGate uses the following election order: number of connected monitored ports, then device priority, followed by HA uptime, and finally FortiGate serial number as a tiebreaker.


質問 # 23
An administrator wants to analyze and manage digital certificates to prevent browser warnings when users connect to the SSL VPN portal.
Which two statements describe how to correctly do this? (Choose two.)

  • A. The administrator can use a publicly trusted certificate from a known certificate authority (CA) to stop browser warnings.
  • B. The administrator must disable HTTPS administrative access entirely to avoid certificate warnings.
  • C. The administrator can import the FortiGate self-signed certificate into each user's browser as a trusted certificate.
  • D. The administrator can rely on the default FortiGate self-signed certificate to prevent all security warnings in the browser.

正解:A、C

解説:
Using a publicly trusted certificate from a known CA prevents browser warnings without additional user action.
Importing the FortiGate self-signed certificate into users' browsers as trusted eliminates warnings caused by untrusted certificates.


質問 # 24
Refer to the exhibit, which shows a partial configuration from the remote authentication server.

Why does the FortiGate administrator need this configuration?

  • A. To authenticate and match the Training OU on the RADIUS server.
  • B. To authenticate only the Training user group.
  • C. To set up a RADIUS server Secret.
  • D. To authenticate Any FortiGate user groups.

正解:B

解説:
The Fortinet-Group-Name attribute is used to restrict authentication to users who belong specifically to the "Training" user group on the RADIUS server.


質問 # 25
You are analyzing connectivity problems caused by intermediate devices blocking traffic in SSL VPN environment.
In which two ways can you effectively resolve the problem? (Choose two.)

  • A. You can turn off IKE fragmentation to fix large certificate negotiation problems.
  • B. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
  • C. You should use IPsec to solve issues with fragment drops and large certificate exchanges.
  • D. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).

正解:A、D

解説:
Disabling IKE fragmentation helps resolve issues caused by intermediate devices blocking large fragmented packets during certificate negotiation.
Using SSL VPN tunnel mode encapsulates traffic over HTTPS, bypassing blocks on ESP and UDP ports commonly used by IPsec.


質問 # 26
Refer to the exhibit.

The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit.
For which two reasons are these web categories exempted? (Choose two.)

  • A. The resources utilization is optimized because these websites are in the trusted domain list on FortiGate.
  • B. The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.
  • C. These websites are in an allowlist of reputable domain names maintained by FortiGuard.
  • D. The FortiGate temporary certificate denies the browser's access to websites that use HTTP Strict Transport Security.

正解:B、D

解説:
FortiGate's temporary SSL certificate may cause access denial to sites using HTTP Strict Transport Security (HSTS), so such sites are exempted from deep SSL inspection.
Legal regulations require exemption of certain categories to protect user privacy and sensitive information, so these web categories are excluded from SSL inspection.


質問 # 27
You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked.
What FortiGate settings should you check to resolve this issue?

  • A. FortiGuard category ratings
  • B. Replacement Messages for UDP-based Applications
  • C. Application and Filter Overrides
  • D. Network Protocol Enforcement

正解:D

解説:
Network Protocol Enforcement settings control how FortiGate inspects and enforces protocols on traffic, including peer-to-peer applications on known ports. If not properly enabled, peer-to-peer traffic may bypass blocking despite the application control profile.


質問 # 28
Which two statements are correct when FortiGate enters conserve mode? (Choose two.)

  • A. FortiGate refuses to accept configuration changes.
  • B. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled.
  • C. FortiGate halts complete system operation and requires a reboot to regain available resources.
  • D. FortiGate continues to run critical security actions, such as quarantine.

正解:A、B

解説:
In conserve mode, FortiGate restricts configuration changes to preserve system stability.
When IPS fail-open is enabled, FortiGate continues forwarding traffic without IPS inspection during resource constraints (conserve mode).


質問 # 29
Refer to the exhibit.

As an administrator you have created an IPS profile, but it is not performing as expected. While testing you got the output as shown in the exhibit.
What could be the possible reason of the diagnose output shown in the exhibit?

  • A. Administrator entered the command diagnose test application ipsmonitor 99.
  • B. Administrator entered the command diagnose test application ipsmonitor 5.
  • C. FortiGate entered into IPS fail open state.
  • D. There is a no firewall policy configured with an IPS security profile.

正解:D

解説:
The output shows the IPS engine count as 0, indicating no active IPS engines are running. This typically means no firewall policy is referencing the IPS security profile, so the IPS profile is not being applied or triggered.


質問 # 30
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Based on the exhibit, which statement is true?

  • A. The Underlay zone is the zone by default.
  • B. port2 and port3 are not assigned to a zone.
  • C. The Underlay zone contains no member.
  • D. The virtual-wan-link and overlay zones can be deleted.

正解:A

解説:
The Underlay zone is the default SD-WAN zone, typically representing the physical interfaces in the SD-WAN configuration before overlay or virtual links are added.


質問 # 31
Refer to the exhibit.

The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?

  • A. Move NOC_Access to the top of the list to ensure all profile settings take effect.
  • B. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
  • C. Increase the admintimeout value under config system accprofile NOC_Access.
  • D. Ensure that all NOC_Access users are assigned the super_admin role to guarantee access

正解:C

解説:
The admintimeout setting in the admin access profile controls the inactivity timeout for GUI sessions. Increasing this value will extend the session duration before automatic disconnection.


質問 # 32
A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View. The policies appear in a different order in each view.
Why is the policy order different in these two views?

  • A. Policies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator's manual ordering.
  • B. The firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.
  • C. Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.
  • D. By Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.

正解:C

解説:
Interface Pair View organizes policies grouped by source and destination interfaces, whereas By Sequence View displays policies in the exact order they are processed by the firewall.


質問 # 33
An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic.
Which DPD mode on FortiGate meets this requirement?

  • A. Enabled
  • B. Disabled
  • C. On Idle
  • D. On Demand

正解:A

解説:
The "On Idle" DPD mode configures FortiGate to send DPD probes only when no inbound traffic is detected, meeting the requirement to send probes only when the tunnel is idle.


質問 # 34
......


Fortinet FCP_FGT_AD-7.6 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • VPN:このセクションでは、ネットワークセキュリティエンジニアのスキルを評価し、仮想プライベートネットワーク(VPN)ソリューションの設定と導入について検証します。受験者は、SSL VPNを実装して社内リソースへの安全なリモートアクセスを許可し、メッシュ型または部分冗長型のトポロジでIPsec VPNを構成して、分散ネットワーク拠点間の暗号化通信を確保する必要があります。
トピック 2
  • ファイアウォールポリシーと認証:このセクションでは、ファイアウォール管理者のスキルを評価し、セキュリティポリシーの実装と管理について学びます。基本および高度なファイアウォールルールの設定、送信元NAT(SNAT)および宛先NAT(DNAT)オプションの適用、そして様々なファイアウォール認証方式の適用が含まれます。また、ネットワーク全体のユーザーアクセスを効率化するためのFortinetシングルサインオン(FSSO)の導入と設定についても学びます。
トピック 3
  • コンテンツ検査:このセクションでは、ネットワークセキュリティエンジニアのスキルを評価し、FortiGateのコンテンツ検査機能の設定と管理について学びます。受験者は、デジタル証明書を使用した暗号化トラフィック検査の理解、FortiGateの検査モードの特定と適用、Webフィルタリングポリシーの設定を行う必要があります。また、ネットワークアプリケーションの使用状況を監視・制御するためのアプリケーション制御の実装、マルウェアを検出・ブロックするためのアンチウイルスプロファイルの設定、そして脅威や脆弱性からネットワークを保護するための侵入防止システム(IPS)の設定能力も評価されます。
トピック 4
  • 導入とシステム構成:このセクションでは、ネットワークセキュリティエンジニアのスキルを評価し、FortiGateデバイスを本番環境に導入するための基本的なタスクを網羅します。受験者は、初期設定、基本的な接続の確立、そしてデバイスをFortinet Security Fabricに統合できることが求められます。また、FortiGate Cluster Protocol(FGCP)の高可用性設定を構成し、リソースと接続の問題をトラブルシューティングして、システムの稼働状態とネットワークの稼働時間を確保できる必要があります。
トピック 5
  • ルーティング:このセクションでは、ファイアウォール管理者のスキルを評価し、FortiGateデバイスのルーティング機能の設定について学びます。ネットワーク内外のトラフィックを誘導するためのスタティックルートの定義と適用、複数のWAN接続間でトラフィック負荷を効率的に分散・均衡化するためのソフトウェア定義WAN(SD-WAN)の設定などが含まれます。

 

FCP_FGT_AD-7.6試験問題集PDF正確率保証と更新された問題:https://www.goshiken.com/Fortinet/FCP_FGT_AD-7.6-mondaishu.html

合格させるFCP_FGT_AD-7.6試験にはリアル試験エンジンPDFには45問題あります:https://drive.google.com/open?id=1vETYf3Ocu0FLHbQTCoyo76ULGe4_4jR8