[Nov-2025] Latest FCP_FGT_AD-7.4 Exam Dumps for Pass Guaranteed
Reliable FCP in Network Security FCP_FGT_AD-7.4 Dumps PDF Nov 20, 2025 Recently Updated Questions
NEW QUESTION # 28
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)
- A. On HQ-FortiGate, set IKE mode to Main (ID protection).
- B. On Remote-FortiGate, set port2 as Interface.
- C. On both FortiGate devices, set Dead Peer Detection to On Demand.
- D. On HQ-FortiGate, disable Diffie-Helman group 2.
Answer: A,C
Explanation:
To bring Phase 1 up, the following changes can be made:
* A. On HQ-FortiGate, disable Diffie-Helman group 2: This is incorrect because Diffie-Hellman group 2 is already selected on both devices. Disabling it would not help.
* B. On Remote-FortiGate, set port2 as Interface: This is incorrect as both sides should be consistent in their interface settings for the IPsec tunnel, and the interface is correctly set to port1 on both FortiGates in the IPsec configuration.
* C. On both FortiGate devices, set Dead Peer Detection to On Demand: This is a valid option.
Setting Dead Peer Detection (DPD) to "On Demand" helps maintain the IPsec connection by checking if the peer is still available, which can help in some cases where the connection fails due to timeouts.
* D. On HQ-FortiGate, set IKE mode to Main (ID protection): This is also a valid option because the Remote-FortiGate is already set to Main mode (ID protection). Ensuring that both ends use the same mode is crucial for successful phase 1 negotiation.
Thus, the correct answers are:C. On both FortiGate devices, set Dead Peer Detection to On Demand.D.
On HQ-FortiGate, set IKE mode to Main (ID protection).
NEW QUESTION # 29
Refer to the exhibits.

The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
- A. Apple FaceTime will be allowed, based on the Video/Audio category configuration.
- B. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
- C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
- D. Apple FaceTime will be allowed, based on the Apple filter configuration.
Answer: B
Explanation:
Based on the application sensor configuration and the filter details:
* D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration: The
"Excessive-Bandwidth" filter is set to block, which includes "FaceTime" under its application signature.
As a result, FaceTime will be blocked regardless of the "Apple" filter configuration because the
"Excessive-Bandwidth" filter takes precedence due to its block action setting.
The other options are not correct:
* A. Apple FaceTime will be allowed, based on the Video/Audio category configuration: The Video
/Audio category is not relevant because FaceTime is specifically included in the Excessive-Bandwidth filter, which blocks it.
* B. Apple FaceTime will be allowed, based on the Apple filter configuration: Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this.
* C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow: The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail.
References
* FortiOS 7.4.1 Administration Guide - Application Control and Filtering, page 978.
* FortiOS 7.4.1 Administration Guide - Application Sensor Configuration, page 982.
NEW QUESTION # 30
Refer to the exhibit.
Which two statements are true about the routing entries in this database table? (Choose two.)
- A. Both default routes have different administrative distances.
- B. The port2 interface is marked as inactive.
- C. The default route on porc2 is marked as the standby route.
- D. All of the entries in the routing database table are installed in the FortiGate routing table.
Answer: A,C
Explanation:
The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:
* The default route through port2 has an administrative distance of 20.
* The default route through port1 has an administrative distance of 10.
Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2.
Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.
References:
* FortiOS 7.4.1 Administration Guide: Default route configuration
* FortiOS 7.4.1 Administration Guide: Routing table explanation
NEW QUESTION # 31
Which two statements describe how the RPF check is used? (Choose two.)
- A. The RPF check is a mechanism that protects FortiGateand the network from IP spoofingattacks.
- B. The RPF check is run on the first sent and reply packet of any new session.
- C. The RPF check is run on the first sent packet of any new session.
- D. The RPF check is run on the first reply packet of any new session.
Answer: A,C
NEW QUESTION # 32
Which three statements explain a flow-based antivirus profile? (Choose three.)
- A. FortiGate buffers the whole file but transmits to the client at the same time.
- B. Flow-based inspection optimizes performance compared to proxy-based inspection
- C. If a virus is detected, the last packet is delivered to the client.
- D. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection
- E. The IPS engine handles the process as a standalone.
Answer: A,B,D
NEW QUESTION # 33
An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?
- A. Strict RPF allows packets back to sources with all active routes.
- B. Strict RPF check is run on the first sent and reply packet of any new session.
- C. Strict RPF checks the best route back to the source using the incoming interface.
- D. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
Answer: C
Explanation:
Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.
NEW QUESTION # 34
Refer to the exhibit, which contains a radius server configuration.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What will be the impact of using Include in every user group option in a RADIUS configuration?
- A. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
- B. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
- C. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
- D. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
Answer: D
Explanation:
The Include in every User Group option adds the RADIUS server and all users that can authenticate against it, to every user group created on FortiGate. So, you should enable this option only in very specific scenarios (for example, when only administrators can authenticate against the RADIUS server and policies are ordered from least restrictive to most restrictive).
NEW QUESTION # 35
Refer to the exhibit to view the application control profile.


Based on the configuration, what will happen to Apple FaceTime?
- A. Apple FaceTime will be allowed, based on the Categories configuration.
- B. Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn.
- C. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
- D. Apple FaceTime will be allowed, based on the Apple filter configuration.
Answer: C
Explanation:
Apple facetime will be blocked according to the "Excessive Bandwidth" filter.
Facetime belongs to VoIP category which is monitored here and therefore should be allowed, however, because of the behavior of the facetime "Excessive-Bandwidth", the custom filter Excessive-Bandwidth will block Facetime and the lookup won't continue to the second filter.
The excessive bandwidth filter contains facetime and is referenced by the application sensor with the action to block. There is no reference to a bandwidth threshold at which point the filter is applied so the number of calls is irrelevant.
NEW QUESTION # 36
Refer to the exhibits, which show a diagram of a FortiGate device connected to the network. VIP object configuration, and the firewall policy configuration.


The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24.
If the host 10.200.3.1 sends a TCP SYN packet on port 8080 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?
- A. 10.200.3.1, 10.0.1.10, and 8080, respectively
- B. 10.0.1.254, 10.200.1.10, and 8080, respectively
- C. 10.0.1.254, 10.0.1.10, and 80, respectively
- D. 10.200.3.1, 10.0.1.10, and 80, respectively
Answer: D
Explanation:
The source address remains 10.200.3.1 because FortiGate does not modify the source address by default unless NAT is applied (which is disabled in the policy).
The destination address is translated to 10.0.1.10 by the VIP (Virtual IP) object, as this is the internal server address mapped to the external IP 10.200.1.10.
The destination port is translated from 8080 to 80 as per the port forwarding rule configured in the VIP object.
NEW QUESTION # 37
Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.)
- A. Lowest Cost (SLA) without load balancing
- B. Manual with load balancing
- C. Best Quality with load balancing
- D. Lowest Quality (SLA) with load balancing
- E. Lowest Cost (SLA) with load balancing
Answer: B,C,D
NEW QUESTION # 38
Which two statements describe how the RPF check is used? (Choose two.)
- A. The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
- B. The RPF check is run on the first sent and reply packet of any new session.
- C. The RPF check is run on the first sent packet of any new session.
- D. The RPF check is run on the first reply packet of any new session.
Answer: A,C
Explanation:
The Reverse Path Forwarding (RPF) check is run on the first sent packet of any new session to ensure that the packet arrives on a legitimate interface. This check protects the network from IP spoofing attacks by verifying that a return route exists from the receiving interface back to the source IP address. If the route is invalid or not found, the packet is discarded. Options B and C are incorrect because RPF checks are performed on the first sent packet, not the reply packet.
References:
* FortiOS 7.4.1 Administration Guide: Reverse Path Forwarding (RPF) Check
NEW QUESTION # 39
An administrator must enable a DHCP server on one of the directly connected networks on FortiGate. However, the administrator is unable to complete the process on the GUI to enable the service on the interface.
In this scenario, what prevents the administrator from enabling DHCP service?
- A. The role of the interface prevents setting a DHCP server.
- B. The FortiGate model does not support the DHCP server.
- C. The DHCP server setting is available only on the CLI.
- D. Another interface is configured as the only DHCP server on FortiGate.
Answer: A
Explanation:
FortiGate interfaces can be configured in different roles, such as WAN or LAN. If an interface is set as a "WAN" role, you cannot configure it to act as a DHCP server through the GUI. The interface role must be set to "LAN" or "Undefined" to allow DHCP server configuration.
Reference:
FortiOS 7.4.1 Administration Guide: DHCP Server Configuration
NEW QUESTION # 40
Refer to the exhibit.
The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?
- A. Increase the admintimeout value under config system accprofile super_admin.
- B. Increase the admintimeout value under config system global
- C. Enable the parameter Never Timeout in the admin profiles
- D. Increase the offline value of the Override idle Timeout parameter in the NOC_Access admin profile
Answer: B
Explanation:
To adjust the inactivity timeout for GUI sessions, the administrator should increase the admintimeout value in the global settings. This parameter controls how long an administrator's session can remain idle before it times out and disconnects. This is configured globally and affects all administrators, including those with the "NOC_Access" profile.
NEW QUESTION # 41
Refer to the exhibits.


An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?
- A. Change the csf setting on both devices to sec downscream-access enable.
- B. Change the csf setting on ISFW (downstream) to sec auchorizacion-requesc-cype certificace.
- C. Change the csf setting on ISFW (downstream) to sec configuration-sync local.
- D. Change the csf setting on Local-FortiGate (root) to sec fabric-object-unification default.
Answer: D
Explanation:
The current setting for the root FortiGate (Local-FortiGate) is fabric-object-unification local, which means that new address objects are not shared across the security fabric. Changing this setting to fabric-object-unification default will allow address objects to be synchronized and shared with downstream devices like the ISFW.
NEW QUESTION # 42
Refer to the exhibit to view the firewall policy.
Why would the firewall policy not block a well-known virus, for example eicar?
- A. The action on the firewall policy is not set to deny.
- B. The firewall policy is not configured in proxy-based inspection mode.
- C. Web filter is not enabled on the firewall policy to complement the antivirus profile.
- D. The firewall policy does not apply deep content inspection.
Answer: B
Explanation:
The firewall policy shown in the exhibit is configured in flow-based inspection mode. In flow-based inspection, certain security features, such as deep content inspection, might not be as effective as in proxy- based mode. Proxy-based inspection is necessary for thorough content inspection, which includes identifying and blocking well-known viruses like EICAR.
References:
* FortiOS 7.4.1 Administration Guide: Inspection Modes
NEW QUESTION # 43
The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.
Which order must FortiGate use when the web filter profile has features such as safe search enabled?
- A. FortiGuard category filter and rating filter
- B. Static domain filter, SSL inspection filter, and external connectors filters
- C. Static URL filter, FortiGuard category filter, and advanced filters
- D. DNS-based web filter and proxy-based web filter
Answer: C
Explanation:
FortiGate applies web filters in the following order: Static URL filter, FortiGuard category filter, Web content filter, Web script filter, and Antivirus scanning.
NEW QUESTION # 44
......
Fortinet FCP_FGT_AD-7.4 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
Latest 2025 Realistic Verified FCP_FGT_AD-7.4 Dumps: https://passguide.validtorrent.com/FCP_FGT_AD-7.4-valid-exam-torrent.html