Fortinet FCP - FortiGate 7.4 Administrator FCP_FGT_AD-7.4 Exam Dumps: Updated Questions & Answers (October 2025)

NAT Configuration: The first firewall policy has NAT enabled using the configured IP pool.

IP Pool Configuration: The IP pool is configured with an external IP range of 10.200.1.100.

Source NAT: When traffic is being NATed, the source IP address is replaced with an IP from the configured pool. In this scenario, the specific IP defined in the pool is 10.200.1.100.

Thus, any internet-bound traffic from the workstation (10.0.1.10) will have its source IP address NATed to 10.200.1.100.

By selecting the "Include in every user group" option in the RADIUS configuration, FortiGate automatically includes this RADIUS server as an authentication source for all user groups. This means any user group configured on the FortiGate will authenticate using this RADIUS server, allowing users to authenticate against the server for any group they belong to.

Enable NAT on the Allow_access firewall policy (A):

The Allow_access firewall policy must have NAT enabled to allow the webserver to use its VIP external IP address (10.200.1.10) as the source NAT when initiating traffic, such as pings, to the remote server.

Disable port forwarding on the VIP object (D):

Port forwarding is designed for specific port mapping, typically for services like HTTP or HTTPS. To use the VIP external IP as a source NAT, port forwarding should be disabled. Disabling port forwarding ensures that the full VIP IP address is used without being tied to specific ports.

Why other options are not correct:

B. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool:

This is unnecessary as the VIP object itself is used for SNAT in this case, and an additional firewall policy is not required.

C. Disable NAT on the Internet_Access firewall policy:

Disabling NAT on this policy would prevent the NAT functionality needed for the webserver to use the VIP external IP address as the source IP.

Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP configuration are the valid steps to achieve the goal.

If the SD-WAN traffic logs do not show the specific SD-WAN rule name, it likely means that FortiGate is using the default or implicit SD-WAN rule to balance traffic. The implicit rule comes into effect when no explicit SD-WAN rule is matched, and as a result, the SD-WAN rule name is not displayed in the logs. The default behavior is to load balance the traffic across available interfaces based on SD-WAN strategy.

The serial console method allows management access to the FortiGate CLI without relying on network connectivity. This method involves directly connecting a computer to the FortiGate device using a serial cable (such as a DB-9 to RJ-45 cable or USB to RJ-45 cable) and using terminal emulation software to interact with the FortiGate CLI. This method is essential for situations where network-based access methods (such as SSH or Telnet) are not available or feasible.

References:

FortiOS 7.4.1 Administration Guide: Console connection

When SSL certificate inspection is enabled on a FortiGate device, the system uses the following three pieces of information to identify the hostname of the SSL server:

Server Name Indication (SNI) extension in the client hello message (B):The SNI is an extension in the client hello message of the SSL/TLS protocol. It indicates the hostname the client is attempting to connect to. This allows FortiGate to identify the server's hostname during the SSL handshake.

Subject Alternative Name (SAN) field in the server certificate (C):The SAN field in the server certificate lists additional hostnames or IP addresses that the certificate is valid for. FortiGate inspects this field to confirm the identity of the server.

Subject field in the server certificate (D):The Subject field contains the primary hostname or domain name for which the certificate was issued. FortiGate uses this information to match and validate the server’s identity during SSL certificate inspection.

The other options are not used in SSL certificate inspection for hostname identification:

Host field in the HTTP header (A):This is part of the HTTP request, not the SSL handshake, and is not used for SSL certificate inspection.

Serial number in the server certificate (E):The serial number is used for certificate management and revocation, not for hostname identification.

References

FortiOS 7.4.1 Administration Guide -SSL/SSH Inspection, page 1802.

FortiOS 7.4.1 Administration Guide -Configuring SSL/SSH Inspection Profile, page 1799.

An SD-WAN zone can contain physical and logical interfaces

SD-WAN zones can include both physical and logical interfaces, allowing flexible configuration for different network types.

You can use an SD-WAN zone in static route definitions

SD-WAN zones can be referenced in static routes, enabling dynamic path selection based on SD-WAN rules.

An SD-WAN zone is a logical grouping of members

An SD-WAN zone is a logical grouping of interfaces (members), used to simplify the management and application of SD-WAN rules.

When a certificate fails for any of the reasons above, you can configure any of the following actions: • Keep untrusted & Allow: FortiGate allows the website and lets the browser decide the action to take. FortiGate takes the certificate as untrusted. • Block: FortiGate blocks the content of the site. • Trust & Allow: FortiGate allows the website and takes the certificate as trusted.