[2025年12月10日] FCP_FGT_AD-7.6テストエンジンお試しセット、FCP_FGT_AD-7.6問題集PDF [Q76-Q92]

Share

[2025年12月10日] FCP_FGT_AD-7.6テストエンジンお試しセット、FCP_FGT_AD-7.6問題集PDF

最新のFortinet FCP_FGT_AD-7.6のPDFと問題集で(2025)無料試験問題解答


Fortinet FCP_FGT_AD-7.6 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Routing: This section of the exam measures the skills of firewall administrators and covers the configuration of routing features on FortiGate devices. It includes defining and applying static routes for directing traffic within and outside the network, as well as setting up Software-Defined WAN (SD-WAN) to distribute and balance traffic loads across multiple WAN connections efficiently.
トピック 2
  • Firewall policies and authentication: This section of the exam measures the skills of firewall administrators and covers the implementation and management of security policies. It involves configuring basic and advanced firewall rules, applying Source NAT (SNAT) and Destination NAT (DNAT) options, and enforcing various firewall authentication methods. The section also includes deploying and configuring Fortinet Single Sign-On (FSSO) to streamline user access across the network.
トピック 3
  • VPN: This section of the exam measures the skills of network security engineers and covers the configuration and deployment of Virtual Private Network (VPN) solutions. Candidates are required to implement SSL VPNs to grant secure remote access to internal resources and configure IPsec VPNs in either meshed or partially redundant topologies to ensure encrypted communication between distributed network locations.
トピック 4
  • Deployment and system configuration: This section of the exam measures the skills of network security engineers and covers essential tasks for setting up a FortiGate device in a production environment. Candidates are expected to perform the initial configuration, establish basic connectivity, and integrate the device within the Fortinet Security Fabric. They must also be able to configure a FortiGate Cluster Protocol (FGCP) high availability setup and troubleshoot resource and connectivity issues to ensure system readiness and network uptime.
トピック 5
  • Content inspection: This section of the exam measures the skills of network security engineers and covers the setup and management of content inspection features on FortiGate. Candidates must demonstrate an understanding of encrypted traffic inspection using digital certificates, identify and apply FortiGate inspection modes, and configure web filtering policies. The ability to implement application control for monitoring and regulating network application usage, configure antivirus profiles to detect and block malware, and set up Intrusion Prevention Systems (IPS) to shield the network from threats and vulnerabilities is also assessed.

 

質問 # 76
Refer to the exhibit. Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

  • A. All traffic from a source IP is sent to the same interface
  • B. All traffic from a source IP to a destination IP is sent to the same interface.
  • C. Traffic is sent to the link with the lowest latency.
  • D. Traffic is distributed based on the number of sessions through each interface.

正解:B

解説:
For traffic that does not match any of the defined SD-WAN rules, the default implicit SD-WAN rule is applied. By default, the FortiGate uses a "source-destination IP-based" algorithm, which means all traffic from a specific source IP to a specific destination IP is sent through the same interface.
This ensures that a consistent path is used for traffic between the same source and destination IP addresses.


質問 # 77
What are two characteristics of HA cluster heartbeat IP addresses in a FortiGate device?
(Choose two.)

  • A. The heartbeat interface of the primary device in the cluster is always assigned IP address
    169.254.0.1.
  • B. Heartbeat interfaces have virtual IP addresses that are manually assigned.
  • C. Heartbeat IP addresses are used to distinguish between cluster members.
  • D. A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster.

正解:C、D

解説:
Heartbeat IP addresses are used to distinguish between cluster members → Each FortiGate in the HA cluster uses unique heartbeat IPs so members can identify one another.
A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster → Heartbeat IPs are dynamically reassigned when the cluster membership changes to maintain proper communication.


質問 # 78
An administrator configured a FortiGate device to act as a collector for agentless polling mode.
What must the administrator add to the FortiGate device to retrieve AD user group information?

  • A. Keycloak server
  • B. LDAP server
  • C. TACACS server
  • D. RADIUS server

正解:B

解説:
In agentless polling mode, FortiGate directly queries Active Directory to obtain user and group information. To do this, the administrator must configure an LDAP server on the FortiGate, which allows it to retrieve user group membership details from AD.


質問 # 79
FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.
Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)

  • A. Both interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.
  • B. Both interfaces must have the interface role assigned.
  • C. Both interfaces must have directly connected routes on the routing table.
  • D. Both interfaces must have IP addresses assigned.

正解:C、D

解説:
Interfaces must have directly connected routes in the routing table to forward traffic correctly.
Interfaces must have IP addresses assigned to communicate within their respective networks.


質問 # 80
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re- entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

  • A. On HQ-FortiGate, set IKE mode to Main (ID protection).
  • B. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • C. On Remote-FortiGate, set port2 as Interface.
  • D. On HQ-FortiGate, disable Diffie-Helman group 2.

正解:A、C

解説:
On the HQ-FortiGate the IKE phase 1 mode is set to Aggressive, while on the Remote-FortiGate it is set to Main (ID protection). Both sides must use the same IKE mode for phase 1 to come up, so changing HQ-FortiGate to Main mode resolves this mismatch.
On the Remote-FortiGate, the phase 1 Interface is configured as port1, but according to the diagram the WAN-facing interface with IP 10.10.200.10 is port2. The local interface in the IPsec configuration must match the physical WAN interface, so changing it to port2 is required for the tunnel to establish.


質問 # 81
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Based on the exhibit, which statement is true?

  • A. The Underlay zone is the zone by default.
  • B. The Underlay zone contains no member.
  • C. The virtual-wan-link and overlay zones can be deleted.
  • D. port2 and port3 are not assigned to a zone.

正解:A

解説:
The Underlay zone is the default SD-WAN zone, typically representing the physical interfaces in the SD- WAN configuration before overlay or virtual links are added.


質問 # 82
Refer to the exhibit.

An administrator has configured an Application Overrides for the ABC.Com application signature and set the Action to Allow. This application control profile is then applied to a firewall policy that is scanning all outbound traffic. Logging is enabled in the firewall policy. To test the configuration, the administrator accessed the ABC.Com web site several times.
Why are there no logs generated under security logs for ABC.Com?

  • A. The ABC.Com is configured under application profile, which must be configured as a web filter profile.
  • B. The ABC.Com Action is set to Allow.
  • C. The ABC.Com Type is set as Application instead of Filter.
  • D. The ABC.Com is hitting the category Excessive-Bandwidth.

正解:B

解説:
When the action is set to Allow in an application override, traffic matching this override is allowed without generating security logs because it bypasses deeper inspection and blocking.


質問 # 83
Refer to the exhibit. Why is the Antivirus scan switch grayed out when you are creating a new antivirus profile for FTP?

  • A. FortiGate, with less than 2 GB RAM, does not support the Antivirus scan feature.
  • B. The Feature Set for the profile is Flow-based but it must be Proxy-based.
  • C. None of the inspected protocols are active in this profile.
  • D. Antivirus scan is disabled under System -> Feature visibility.

正解:C

解説:
The Antivirus scan switch is grayed out because none of the inspected protocols (HTTP, SMTP, POP3, IMAP, FTP, CIFS) have been enabled in the new antivirus profile. Until at least one protocol is turned on, FortiGate does not allow activation of the antivirus scan.


質問 # 84
An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled.
However, the static route is not showing in the routing table.
Which two statements about this scenario are correct? (Choose two.)

  • A. The administrator must enable a dynamic routing protocol on the dialup interface.
  • B. The administrator must ensure phase 2 is successfully established.
  • C. The administrator must use a policy route instead of a static route for add-route to work properly.
  • D. The administrator must define the remote network correctly in the phase 2 selectors.

正解:B、D

解説:
The administrator must ensure phase 2 is successfully established → The static route for the dialup VPN is only added after Phase 2 negotiation completes successfully.
The administrator must define the remote network correctly in the phase 2 selectors → The add- route feature installs a route based on the Phase 2 selectors; if they are incorrect, no route will appear in the routing table.


質問 # 85
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

  • A. The browser does not trust the certificate used by FortiGate for SSL inspection.
  • B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
  • C. The matching firewall policy is set to proxy inspection mode.
  • D. The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile

正解:A

解説:
When full SSL inspection is enabled, FortiGate decrypts and re-signs HTTPS traffic using its own SSL inspection certificate. If the FortiGate CA certificate is not imported and trusted by the client's browser or OS, the browser sees it as untrusted and displays certificate warning errors. HTTP traffic is unaffected since it does not use certificates.


質問 # 86
Refer to the exhibits. An administrator has observed the performance status outputs on an HA cluster for 55 seconds.

Which FortiGate is the primary?

  • A. HQ-NGFW-2 with the parameter priority setting
  • B. HQ-NGFW-2 with the parameter memory-failover-threshold setting
  • C. HQ-NGFW-1 with the parameter memory-failover-flip-timeout setting
  • D. HQ-NGFW-1 with the parameter override setting

正解:D

解説:
The HA configuration shows that override is disabled (set override disable), but despite this, HQ- NGFW-1 has the higher priority (200) and is acting as the primary, as indicated by its higher resource usage and uptime. Override allows the device with higher priority to take over as primary, so HQ- NGFW-1 is the primary device.


質問 # 87
Refer to the exhibits.




The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration, firewall policy, and the sniffer CLI output on the FortiGate device.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The webserver host (10.0.1.10) must use its VIP external IP address as the source NAT (SNAT) when it pings remote server (10.200.3.1).
Which two statements are valid to achieve this goal? (Choose two.)

  • A. Enable NAT on the Allow_access firewall policy.
  • B. Disable NAT on the Internet_Access firewall policy.
  • C. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool.
  • D. Disable port forwarding on the VIP object.

正解:C、D

解説:
The current VIP is configured with port forwarding, so it only applies to TCP/80 traffic. To use the VIP's external address (10.200.1.200) as the source for any outbound sessions (such as ICMP ping), the VIP must be a full static 1-to-1 NAT, which requires disabling port forwarding.
You then need a dedicated firewall policy for the webserver that is placed before the generic Internet_Access policy and that uses an IP pool with 10.200.1.200. Traffic from 10.0.1.10 will match this policy first and be SNATed to 10.200.1.200, so the remote server 10.200.3.1 sees the VIP external IP as the source.


質問 # 88
Refer to the exhibit.

What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate?

  • A. FortiGate will accept and use the CN in the server certificate for URL filtering if the SNI does not match the CN or SAN fields.
  • B. FortiGate will close the connection if the SNI does not match the CN or SAN fields.
  • C. FortiGate will close the connection if the SNI does not match the CN and SAN fields
  • D. FortiGate will accept the connection with a warning if the SNI does not match the CN or SAN fields.

正解:C

解説:
With the Server certificate SNI check set to Strict, FortiGate enforces that the SNI must match either the Common Name (CN) or Subject Alternative Name (SAN) in the server certificate; otherwise, it closes the connection.


質問 # 89
Refer to the exhibits.



The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

  • A. 10.200.1.149
  • B. 10.200.1.1
  • C. 10.200.1.49
  • D. 10.200.1.99

正解:D

解説:
All_TCP doesn't include ICMP. So you would match rule ID 2, in which uses IP Poop remote 1.


質問 # 90
Refer to the exhibits. An administrator configured the Web Filter Profile to block access to all social networking sites except Facebook. However, when users try to access Facebook.com, they are redirected to a FortiGuard web filtering block page.
Based on the exhibits, which configuration change must the administrator make to allow Facebook while blocking all other social networking sites?

  • A. Set the Action as Exempt for www.facebook.com in the Static URL Filter.
  • B. Change the type as Simple in the Static URL Filter section.
  • C. Set the Social Networking action as warning in the FortiGuard Category Based Filter.
  • D. Change the Feature set of Web Filter Profile as Proxy-based.

正解:A

解説:
The FortiGuard category filter is blocking Social Networking, which includes Facebook. Although a static URL filter entry for www.facebook.com exists, its action is set to Monitor, so it does not override the category block. To allow Facebook while blocking other social networking sites, the action for www.facebook.com in the Static URL Filter must be set to Exempt. This explicitly bypasses category filtering for that URL.


質問 # 91
Refer to the exhibit showing a debug flow output.

Which two conclusions can you make from the debug flow output? (Choose two.)

  • A. The RPF check fails.
  • B. The debug flow is for UDP traffic.
  • C. The default gateway is configured on port2.
  • D. The matching firewall policy denies the traffic.

正解:C、D


質問 # 92
......

あなたを合格させるNetwork Security FCP_FGT_AD-7.6試験問題集で2025年12月10日には129問あります:https://www.jpntest.com/shiken/FCP_FGT_AD-7.6-mondaishu

FCP_FGT_AD-7.6無料試験学習ガイド!(更新された129問あります):https://drive.google.com/open?id=1xAwv-zMrUWHwOSSh6hut42yUT_KoKbJq

弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

オンラインサポート時間:( UTC+9 ) 9:00-24:00
月曜日から土曜日まで

サポート:現在連絡