
100% Real FCP - FGT - AD-7.4 Dumps - Pass Fortinet Fast!

The document contains a series of questions and answers related to FortiGate 7.4 administration, covering topics such as IPsec IKEv1 authentication, SSL VPN settings, firewall policies, and Security Fabric configurations. Each question includes multiple-choice options, correct answers, and explanations referencing FortiOS 7.4.1 Administration Guide, providing insights into the functionalities and configurations of FortiGate devices.

Uploaded by dumpscollege

Fortinet

FCP_FGT_AD-7.4
FCP - FortiGate 7.4 Administrator

QUESTION & ANSWERS

https://www.dumpscollege.com/exam/FCP_FGT_AD-7.4
QUESTION: 1

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

Option A : Pre-shared key and certificate signature as authentication methods

Option B : Extended authentication (XAuth) to request the remote peer to provide a username and password

Option C : Extended authentication (XAuth) for faster authentication because fewer packets are exchanged

Option D : No certificate is required on the remote peer when you set the certificate signature as the authentication method

Correct Answer: A,B

Explanation/Reference:

FortiGate supports both pre-shared key and certificate signature methods for IKEv1 authentication. These methods provide flexibility depending on the security requirements of the network. Additionally, FortiGate supports Extended Authentication (XAuth), which requests a username and password from the remote peer, enhancing security by adding an extra layer of authentication. The XAuth method does not necessarily make the authentication faster; it is an additional security measure.

References: FortiOS 7.4.1 Administration Guide: IPsec VPN Configuration


QUESTION: 2

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

Option A : The client FortiGate requires a manually added route to remote subnets.
Option B : The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
Option C : The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Option D : The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

Correct Answer: B,C


Explanation/Reference:

The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type.

The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.

"The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type"

"The FortiGate devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate."


QUESTION: 3

An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

Option A : Device detection on all interfaces is enforced for 30 minutes


Option B : Denied users are blocked for 30 minutes
Option C : A session for denied traffic is created
Option D : The number of logs generated by denied traffic is reduced

Correct Answer: C,D

Explanation/Reference:

"During the session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.

This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-sessiontimer in the CLI. By default, it is set to 30 seconds."

QUESTION: 4

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

Option A : FortiGate SN FGVM010000065036 HA uptime has been reset.


Option B : FortiGate devices are not in sync because one device is down.
Option C : FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
Option D : FortiGate SN FGVM010000064692 has the higher HA priority.

Correct Answer: A,D

Explanation/Reference:

1. Override is disabled by default - OK

2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary." The question here is: HA uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes). Page 314, Infra Study Guide.

The HA age of Fortinet SNxxx64682 is only 198 seconds; HA by age needs more than 300 seconds, as stated in the reference: "If HA age difference is less than 5 minutes (300 seconds), the device priority and FortiGate serial number selects the cluster unit to become the primary unit."

B. FortiGate devices are not in sync because one device is down. (not in exhibit)

C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime. (no greater than 300 sec)

QUESTION: 5

Refer to the exhibit:

Option A : A. The port3 default route has the lowest metric.


Option B : B. The port3 default route has the highest distance.
Option C : C. There will be eight routes active in the routing table.
Option D : D. The port1 and port2 default routes are active in the routing table.

Correct Answer: D

Explanation/Reference:

Correct answer: BD

*> means active routes.

The first square bracket means administrative distance.

The second square bracket means priority (valid only on static routes).

Metric applies only to multiple routes with the same administrative distance.


QUESTION: 6

Refer to the exhibit.


The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied.

Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

Option A : 10.200.1.149

Option B : 10.200.1.1

Option C : 10.200.1.49

Option D : 10.200.1.99

Correct Answer: D

Explanation/Reference:

It's D because of the protocol number.

Ping uses the ICMP protocol - protocol number = 1

=> SNAT policy ID 1 is the policy that is used.

=> The translated address is "SNAT-Remote1", which is 10.200.1.99

QUESTION: 7

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all
FortiGate devices?

Option A : FG-traffic VDOM


Option B : Root VDOM
Option C : Customer VDOM
Option D : Global VDOM

Correct Answer: B

Explanation/Reference:

If you enable split-task VDOM mode on the upstream FGT device, it can allow downstream FGT devices to join the Security Fabric in the root and FG-Traffic VDOMs. If split-task VDOM mode is enabled on the downstream FortiGate, it can only connect to the upstream FortiGate through the downstream FortiGate interface on the root VDOM.


QUESTION: 8
Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing
Remote-User2 from accessing the Webserver. Which two configuration changes can the administrator make
to the policy to deny Webserver access for Remote-User2? (Choose two.)

Option A : Enable match-vip in the Deny policy.

Option B : Set the Destination address as Webserver in the Deny policy.

Option C : Disable match-vip in the Deny policy.

Option D : Set the Destination address as Deny_IP in the Allow_access policy.

Correct Answer: A,B

Explanation/Reference:

To deny access to the web server for Remote-User2 while allowing Remote-User1 to access the same web server, two configuration changes can be made:

Enable match-vip in the Deny policy: By enabling the match-vip option in the Deny policy, the FortiGate will check for virtual IP (VIP) objects during policy matching. This setting allows the firewall policy to correctly identify and block traffic directed to a specific mapped IP address, such as the web server, when using a VIP configuration.

Set the Destination address as Webserver in the Deny policy: Setting the Destination address to "Webserver" in the Deny policy ensures that the policy specifically targets traffic attempting to reach the web server. This configuration helps to precisely control which traffic should be blocked, focusing the Deny policy on the intended destination.

References: FortiOS 7.4.1 Administration Guide: Deny matching with a policy with a virtual IP applied; FortiOS 7.4.1 Administration Guide: Configuring Policies with VIPs


QUESTION: 9

Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)

Option A : Only the "any" interface can be chosen as an incoming interface.


Option B : An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
Option C : Multiple interfaces can be selected as incoming and outgoing interfaces.
Option D : A zone can be chosen as the outgoing interface.

Correct Answer: C,D

Explanation/Reference:
C. Multiple interfaces can be selected as incoming and outgoing interfaces.

This statement is correct. You can specify multiple interfaces as both incoming and outgoing interfaces in a firewall policy.

D. A zone can be chosen as the outgoing interface.

This statement is correct as well. In FortiGate firewalls, you can choose a zone as the outgoing interface in a firewall policy, providing a convenient way to apply policies to multiple physical or logical interfaces grouped under the same zone.

So, the correct choices are C and D.


QUESTION: 10

Refer to the exhibits. Exhibit A.

Option A : A. Change the csf setting on Local-FortiGate (root) to set configuration-sync local.
Option B : B. Change the csf setting on ISFW (downstream) to set configuration-sync local.
Option C : C. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.
Option D : D. Change the csf setting on ISFW (downstream) to set fabric-object-unification default.

Correct Answer: C

Explanation/Reference:

Correct answer: C

C. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

"The CLI command set fabric-object-unification is only available on the root FortiGate. When set to local, global objects will not be synchronized to downstream devices in the Security Fabric. The default value is default"

Option A will not synchronise global fabric objects downstream.


QUESTION: 11

Refer to the exhibit.


Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit. What do you
conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?

Option A : Traffic matching the signature will be silently dropped and logged.

Option B : The signature setting uses a custom rating threshold.

Option C : The signature setting includes a group of other signatures.

Option D : Traffic matching the signature will be allowed and logged.

Correct Answer: A

Explanation/Reference:

"Pass" is only the default action.

The Pass action on the specific signature would only be chosen if the Action (on the top) was set to Default. But instead it's set to Block, so the action will be to block and drop.

"Select Allow to allow traffic to continue to its destination. Select Monitor to allow traffic to continue to its destination and log the activity. Select Block to silently drop traffic matching any of the signatures included in the entry. Select Reset to generate a TCP RST packet whenever the signature is triggered. Select Default to use the default action of the signatures."

"If you enable Packet logging, FortiGate saves a copy of the packet that matches the signature."


QUESTION: 12

View the exhibit.


Which two behaviors result from this full (deep) SSL configuration? (Choose two.)

Option A : The browser bypasses all certificate warnings and allows the connection.
Option B : A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.
Option C : A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
Option D : A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.

Correct Answer: B

QUESTION: 13

Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

Option A : Shut down/reboot a downstream FortiGate device.


Option B : Disable FortiAnalyzer logging for a downstream FortiGate device.
Option C : Log in to a downstream FortiSwitch device.
Option D : Ban or unban compromised hosts.

Correct Answer: A,D

Explanation/Reference:

A. Shut down/reboot a downstream FortiGate device.

This is correct. The root FortiGate has the ability to control the power state of downstream FortiGate devices.

D. Ban or unban compromised hosts.

This is also correct. The root FortiGate can take actions to ban or unban compromised hosts, helping to manage and control security incidents.

Therefore, the correct answers are A and D.


QUESTION: 14

Which two configuration settings are global settings? (Choose two.)

Option A : User & Device settings


Option B : Firewall policies
Option C : HA settings
Option D : FortiGuard settings

Correct Answer: C,D

Explanation/Reference:

HA configuration overview. The purpose of an HA configuration is to reduce downtime when a zone or instance becomes unavailable. This might happen during a zonal outage, or when an instance runs out of memory. With HA, your data continues to be available to client applications.

FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system's built-in FDS as an FDN override server.


QUESTION: 15

Which statement about the IP authentication header (AH) used by IPsec is true?

Option A : AH does not provide any data integrity or encryption.


Option B : AH does not support perfect forward secrecy.
Option C : AH provides data integrity but no encryption.
Option D : AH provides strong data integrity but weak encryption.

Correct Answer: C

Explanation/Reference:
C. AH provides data integrity but no encryption.

Then, I acknowledge the correction. The correct statement about the IP Authentication Header (AH) used by IPsec is that AH provides data integrity and authentication but does not provide encryption.

"IPsec is a suite of protocols that is used for authenticating and encrypting traffic between two peers. The three most used protocols in the suite are the following:

- Internet Key Exchange (IKE), which does the handshake, tunnel maintenance, and disconnection.

- Encapsulation Security Payload (ESP), which ensures data integrity and encryption.

- Authentication Header (AH), which offers only data integrity - not encryption."

QUESTION: 16

Which two statements about the application control profile mode are true? (Choose two.)

Option A : It uses flow-based scanning techniques, regardless of the inspection mode used.
Option B : It cannot be used in conjunction with IPS scanning.
Option C : It can be selected in either flow-based or proxy-based firewall policy.
Option D : It can scan only unsecure protocols.

Correct Answer: A,C

Explanation/Reference:

The two statements about the application control profile mode that are true are:

A. It uses flow-based scanning techniques, regardless of the inspection mode used.

The application control profile can be applied in both flow-based and proxy-based inspection modes, and it utilizes flow-based scanning techniques for application identification.

C. It can be selected in either flow-based or proxy-based firewall policy.

You can choose the application control profile in either flow-based or proxy-based firewall policies, providing flexibility in the application of application control.

The other options are not accurate:

B is incorrect because the application control profile can be used in conjunction with IPS (Intrusion Prevention System) scanning.

D is incorrect because the application control profile can scan both secure and unsecure protocols.

So, the correct choices are A and C.

QUESTION: 17

An administrator has a requirement to keep an application session from timing out on port 80. What two
changes can the administrator make to resolve the issue without affecting any existing services running
through FortiGate? (Choose two.)

Option A : Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
Option B : Create a new service object for HTTP service and set the session TTL to never
Option C : Set the TTL value to never under config system-ttl
Option D : Set the session TTL on the HTTP policy to maximum

Correct Answer: A,B

Explanation/Reference:

The key is: without affecting any existing services.

So define a new service on TCP 80 with no session-ttl expiry. Make a new firewall policy and place it above the other HTTP policy.

Reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Session-timeout-settings/ta-p/191228

QUESTION: 18

An administrator is running the following sniffer command:

diagnose sniffer packet any "host 10.0.2.10" 3

What information will be included in the sniffer output? (Choose three.)

Option A : IP header
Option B : Ethernet header
Option C : Packet payload
Option D : Application header
Option E : Interface name
Correct Answer: A,B,C

Explanation/Reference:

It really depends on the Verbosity Level. This specific question for Verbosity level 3 is ABC.

C is correct:

Verbose levels in detail:

1: print header of packets.

2: print header and data from IP of packets.

3: print header and data from Ethernet of packets.

4: print header of packets with interface name.

5: print header and data from IP of packets with interface name.

6: print header and data from Ethernet of packets with interface name.

Reference:

https://kb.fortinet.com/kb/documentLink.do?externalID=11186

QUESTION: 19

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is
true about the DNS connection to a FortiGuard server?

Option A : It uses UDP 8888.

Option B : It uses DNS over HTTPS.

Option C : It uses DNS over TLS.

Option D : It uses UDP 53.

Correct Answer: C
Explanation/Reference:

By default, DNS queries to FortiGuard servers use UDP port 53.

QUESTION: 20

Refer to the exhibit.

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme,
users, and firewall address.

An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a
form-based authentication scheme for the FortiGate local user database. Users will be prompted for
authentication.

How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http://www.fortinet.com? (Choose three.)

Option A : If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

Option B : If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

Option C : If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

Option D : If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

Option E : If a Mozilla Firefox browser is used with User-C credentials, the HTTP request will be denied.

Correct Answer: B,C,D

Explanation/Reference:

- Browser CAT2 & Local subnet & User B --> deny

- Browser CAT1 & Local subnet & User all --> accept

Per the exhibits above, only users from Chrome and IE are allowed.

Chrome and IE use the same system proxy setting. Proxy rule is accept for all users with these two browsers.

C: hit the 3rd rule.

QUESTION: 21

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

Option A : Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
Option B : Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
Option C : Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Option D : Enable Dead Peer Detection.

Correct Answer: B,D

Explanation/Reference:

To set up redundant IPsec VPN tunnels on FortiGate and meet the specified requirements, the administrator should make the following key configuration changes:

B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

By configuring a lower administrative distance for the static route of the primary tunnel, the FortiGate will prefer this route when both tunnels are up. If the primary tunnel goes down, the higher administrative distance on the static route for the secondary tunnel will cause the FortiGate to use the secondary tunnel.

D. Enable Dead Peer Detection.

Dead Peer Detection (DPD) should be enabled to detect the status of the VPN tunnels. If the FortiGate detects that the primary tunnel is no longer responsive (dead), it can trigger the failover to the secondary tunnel, ensuring a faster tunnel failover.

So, the correct choices are B and D.

QUESTION: 22

An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the Internet.
The web server is connected to port1. The Internet is connected to port2. Both interfaces belong to the
VDOM named Corporation. What interface must be used as the source for the firewall policy that will allow
this traffic?

Option A : ssl.root
Option B : ssl.Corporation
Option C : port2
Option D : port1

Correct Answer: B

Explanation/Reference:

ssl.Corporation

If you are working within a specific VDOM named "Corporation," and the SSL VPN is associated with that VDOM, then the correct choice is:

B. ssl.Corporation

Using the "ssl.Corporation" interface as the source for the firewall policy makes sense in the context of a VDOM-specific SSL VPN.

QUESTION: 23

Which two statements correctly describe auto discovery VPN (ADVPN)? (Choose two.)

Option A : IPSec tunnels are negotiated dynamically between spokes.


Option B : ADVPN is supported only with IKEv2.
Option C : It recommends the use of dynamic routing protocols, so that spokes can learn the routes to other spokes.
Option D : Every spoke requires a static tunnel to be configured to other spokes, so that phase 1 and phase 2 proposals are defined in advance.

Correct Answer: A,C

Explanation/Reference:

The correct statements describing auto discovery VPN (ADVPN) are:

A. IPSec tunnels are negotiated dynamically between spokes.

C. It recommends the use of dynamic routing protocols, so that spokes can learn the routes to other spokes.

Explanation:

A. In ADVPN, tunnels are negotiated dynamically between spokes, meaning that spokes do not need to have predefined static tunnels. The spokes dynamically establish tunnels based on the requirements, which can simplify the configuration and management of VPN connections.

C. ADVPN often relies on dynamic routing protocols (such as OSPF or BGP) to allow spokes to dynamically learn routes to other spokes. This dynamic behavior enhances scalability and ease of configuration.

Option B is incorrect because ADVPN is not limited to IKEv2; it can be used with IKEv1 as well.

Option D is incorrect because ADVPN is designed to establish tunnels dynamically, and it doesn't require every spoke to have static tunnels configured in advance.


QUESTION: 24

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks
respectively. Which two statements are true about the requirements of connected physical interfaces on
FortiGate? (Choose two.)

Option A : Both interfaces must have the interface role assigned


Option B : Both interfaces must have directly connected routes on the routing table
Option C : Both interfaces must have DHCP enabled
Option D : Both interfaces must have IP addresses assigned

Correct Answer: B,D

Explanation/Reference:

Both interfaces must have directly connected routes on the routing table: In NAT mode, each interface must have a corresponding entry in the routing table, typically as a directly connected route, to route traffic between them effectively.

Both interfaces must have IP addresses assigned: In NAT mode, each interface must have an IP address to participate in routing and NAT operations. The IP addresses allow the FortiGate to forward traffic between different network segments.

QUESTION: 25

Which statement about video filtering on FortiGate is true?

Option A : Full SSL Inspection is not required.


Option B : It is available only on a proxy-based firewall policy.
Option C : It inspects video files hosted on file sharing services.
Option D : Video filtering FortiGuard categories are based on web filter FortiGuard categories.

Correct Answer: B

Explanation/Reference:

"To apply the video filter profile, proxy-based firewall policies currently allow you to enable the video filter profile. You must enable full SSL inspection on the firewall policy."

Explanation:

B. It is available only on a proxy-based firewall policy.

Video filtering on FortiGate is typically implemented using a proxy-based inspection mode. In this mode, FortiGate acts as a proxy for web traffic, allowing it to inspect and filter content, including videos. This is because proxy-based inspection allows for more granular control and filtering of web traffic compared to flow-based inspection.

Why Other Options Are Incorrect:

A. Full SSL Inspection is not required.

This is incorrect because full SSL inspection is often required for effective filtering of encrypted video content. Without decrypting SSL/TLS traffic, FortiGate may not be able to fully inspect and filter videos.

C. It inspects video files hosted on file sharing services.

This is incorrect because video filtering is focused on streaming content and does not typically inspect video files on file sharing services.

D. Video filtering FortiGuard categories are based on web filter FortiGuard categories.

This is incorrect because video filtering categories are distinct from web filtering categories. While both use FortiGuard, their categories and filtering methods can differ.

Therefore, B is correct because video filtering on FortiGate is indeed available only through proxy-based firewall policies.

QUESTION: 26

Refer to the exhibit.


A user located behind the FortiGate device is trying to go to http://www.addictinggames.com (Addicting.Games). The exhibit shows the application details and application control profile.

Based on this configuration, which statement is true?

Option A : Addicting.Games will be blocked, based on the Filter Overrides configuration.

Option B : Addicting.Games will be allowed only if the Filter Overrides action is set to Learn.

Option C : Addicting.Games will be allowed, based on the Categories configuration.

Option D : Addicting.Games will be allowed, based on the Application Overrides configuration.

Correct Answer: D
