Pass the Fortinet Fortinet Network Security Expert FCP_FGT_AD-7.4 Questions and answers with CertsForce

Based on the system performance output provided, the memory usage on the FortiGate device is at 90%, which is above the green threshold (82%) but below the red threshold (88%). Given this high memory usage, the FortiGate device will enter "conserve mode" to prevent further resource exhaustion. In conserve mode:

B. FortiGate has entered conserve mode:When the memory usage reaches or exceeds certain thresholds (in this case, the green and red thresholds), the FortiGate enters conserve mode to protect itself from running out of memory entirely. This mode limits some functionalities to reduce memory usage and avoid a potential system crash.

D. Administrators can access FortiGate only through the console port:During conserve mode, administrative access might be restricted, and administrators may only be able to connect to the device via the console port. This restriction is in place to ensure that the FortiGate can be managed directly, even under low resource conditions.

The other options are not correct:

A. FortiGate will start sending all files to FortiSandbox for inspection:This is unrelated to memory usage and conserve mode.

C. Administrators cannot change the configuration:While access may be limited, configuration changes can still be made via the console port.

References

FortiOS 7.4.1 Administration Guide -Monitoring System Resources and Performance, page 325.

FortiOS 7.4.1 Administration Guide -Conserve Mode, page 330.

Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.

The selected SSL inspection profile has certificate inspection enabled

If the SSL inspection profile is set to certificate inspection instead of full SSL inspection, FortiGate will only inspect the certificate of the HTTPS connection but will not decrypt and inspect the actual traffic content, leading to a failure in virus detection.

The website is exempted from SSL inspection

If the website hosting the EICAR test file is exempt from SSL inspection, FortiGate will not decrypt the traffic, meaning it cannot inspect the file content for viruses, resulting in the file being downloaded without detection.

The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.

References:

FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration

The source address remains 10.200.3.1 because FortiGate does not modify the source address by default unless NAT is applied (which is disabled in the policy).

The destination address is translated to 10.0.1.10 by the VIP (Virtual IP) object, as this is the internal server address mapped to the external IP 10.200.1.10.

The destination port is translated from 8080 to 80 as per the port forwarding rule configured in the VIP object.

Firewall authentication generally requires the DNS service to be enabled in the firewall policy to correctly resolve hostnames during the authentication process. If DNS is not allowed in the firewall policy, the FortiGate cannot resolve external domains, and as a result, the user may not be presented with the login prompt when attempting to access an external website.

References:

FortiOS 7.4.1 Administration Guide: Firewall Authentication Configuration

"When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric, each VDOM with its assigned ports is displayed when one or more devices are detected. Only the ports with discovered and connected devices appear in the Security Fabric view and, because of this, you must enable Device Detection on ports you want to have displayed in the Security Fabric. VDOMs without ports with connected devices are not displayed. All VDOMs configured must be part of a single Security Fabric."