Pass the Fortinet Network Security Expert FCP_FGT_AD-7.4 Questions and answers with ValidTests

The SSL VPN is configured to listen on port11443on the FortiGate device, as shown in the SSL VPN settings in the exhibit. However, the user is attempting to connect to the server using port1443, as displayed in the VPN connection status. The mismatch between the ports is causing the connection failure. To resolve this, the user should change the client configuration to use port11443to match the FortiGate SSL VPN configuration.

To disable RPF (Reverse Path Forwarding) checking on a FortiGate interface, you need to disable the src-check option in the interface settings. This action disables the RPF check, allowing traffic to bypass the verification that it is arriving on the correct interface based on the routing table.

To resolve the issue of PC3 not being able to access the internet, the administrator needs to adjust the IP pool configuration or the firewall policy. The following two options will fix the connectivity issue:

B. In the IP pool configuration, set the ending IP to 192.2.0.12:The current IP pool range is 192.2.0.10-192.2.0.11, which only provides two IP addresses for network address translation (NAT). To allow PC3 to access the internet, the IP pool should be expanded to include an additional IP address by changing the end of the range to 192.2.0.12.

D. In the IP pool configuration, set type to overload:Instead of using a one-to-one NAT, changing the type to overload will allow multiple internal addresses (such as PC1, PC2, and PC3) to share a single external IP address. This will solve the issue without needing additional public IP addresses.

The other options are not suitable:

A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field:This option is unnecessary since the firewall policy already allows all addresses from the source (LAN port3).

C. Configure another firewall policy that matches only the address of PC3 as the source, and then place the policy on top of the list:This option is redundant and would not resolve the underlying issue with the IP pool configuration.

References

FortiOS 7.4.1 Administration Guide -Configuring Firewall Policies, page 512.

FortiOS 7.4.1 Administration Guide -Configuring NAT with IP Pools, page 518.

When a certificate fails for any of the reasons above, you can configure any of the following actions: • Keep untrusted & Allow: FortiGate allows the website and lets the browser decide the action to take. FortiGate takes the certificate as untrusted. • Block: FortiGate blocks the content of the site. • Trust & Allow: FortiGate allows the website and takes the certificate as trusted.

NAT Configuration: The first firewall policy has NAT enabled using the configured IP pool.

IP Pool Configuration: The IP pool is configured with an external IP range of 10.200.1.100.

Source NAT: When traffic is being NATed, the source IP address is replaced with an IP from the configured pool. In this scenario, the specific IP defined in the pool is 10.200.1.100.

Thus, any internet-bound traffic from the workstation (10.0.1.10) will have its source IP address NATed to 10.200.1.100.

To consolidate the two separate firewall policies for Sales and Engineering departments accessing the same web server, you can create an Interface Group that includes bothport1(Sales) andport2(Engineering). Once the Interface Group is created, you can use this group as a single incoming interface in a single firewall policy. This approach reduces the number of policies, making management more efficient.

References:

FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration

The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information:

WinSecLog:Monitors Windows Security Event Logs for login events.

WMI:Uses Windows Management Instrumentation to poll user login sessions.

NetAPI:Utilizes the Netlogon API to query domain controllers for user session data.

These methods allow the FortiGate to gather user logon information and enforce user-based policies effectively.

References:

FortiOS 7.4.1 Administration Guide: FSSO Configuration

When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi-Path (ECMP) is configured using theload-balance-modeparameter under SD-WAN settings. However, if SD-WAN is disabled, the ECMP load balancing algorithm can be configured underconfig system settings. This flexibility allows FortiGate to control traffic routing behavior based on the network configuration and requirements.

References:

FortiOS 7.4.1 Administration Guide: ECMP Configuration

SD-WAN rules are matched only if the best route to the destination points to SD-WAN

SD-WAN member is selected only if it has a route to the destination

https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-sd-branch-architecture-for-mssps/768108/sd-wan-routing-logic

SDWAN rules are 'policy routes', but regular policy routes have precedence over SD-WAN rules.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-the-SD-WAN-rule-matching-process/ta-p/284325