Fortinet FCSS_EFW_AD-7.6 Online Practice Questions and Exam Preparation

Fortinet FCSS_EFW_AD-7.6 Online Questions & Answers

• Question 1:

  Refer to the exhibit, which shows theADVPNIPsec interface representing the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub # to Spoke 3 and Spoke 4.

  

  An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What must the administrator configure in the phase 1 VPN IPsec configuration of theADVPNtunnels?

  A. set auto-discovery-sender enable and set network-id x
  B. set auto-discovery-forwarder enable and set remote-as x
  C. set auto-discovery-crossover enable and set enforce-multihop enable
  D. set auto-discovery-receiver enable and set npu-offload enable
  C. set auto-discovery-crossover enable and set enforce-multihop enable

  ---

  explanation:

  Explanation

  When configuringADVPN (Auto-Discovery VPN)to connectoverlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

  #set auto-discovery-crossover enable

  # Thisallows cross-hub tunnel discoveryin an ADVPN deployment where multiple hubs are used.

  # SinceHub A and Hub Bbelong to different overlays, enablingcrossover discoveryensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

  #set enforce-multihop enable

  # This setting ensures thatBGP peers using loopback interfacescan establish connectivityeven if they are not directly connected.

  #Multihop BGP sessionsare required when usingloopback addresses as BGP peer sourcesbecause the connection might need to traverse multiple routers before reaching the BGP neighbor.

  # This is especially useful inADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.

• Question 2:

  Refer to the exhibit, which shows the HA status of an active-passive cluster.

  

  An administrator wants FortiGate_B to handle the Core2 VDOM traffic. Which modification must the administrator apply to achieve this?

  A. The administrator must disable override on FortiGate_A.
  B. The administrator must change the priority from 100 to 160 for FortiGate_B.
  C. The administrator must change the load balancing method on FortiGate_B.
  D. The administrator must change the priority from 128 to 200 for FortiGate_B.
  D. The administrator must change the priority from 128 to 200 for FortiGate_B.

  ---

  explanation:

  Explanation

  The exhibit shows an active-passive HA (high availability) cluster with two virtual clusters, where FortiGate_A is the primary device for both Core1 and Core2. If the goal is to haveFortiGate_B take over Core2 traffic , its priority must be higher than FortiGate_A for Virtual Cluster 2 .

  Currently, FortiGate_A has a priority of 150 for Core2, while FortiGate_B has 128 . Increasing FortiGate_B's priority to 200 ensures it becomes the primary for Virtual Cluster 2 , taking over the Core2 VDOM traffic while keeping Core1 traffic on FortiGate_A.

  Disabling override would prevent forced failovers but wouldn't change the role distribution. Adjusting the load-balancing method is irrelevant in an active-passive setup , as it only applies to active-active configurations.

• Question 3:

  Refer to the exhibit, which shows the VDOM section of a FortiGate device.

  

  An administrator discovers that webfilter stopped working in Core1 and Core2 after a maintenance window. Which two reasons could explain why webfilter stopped working? (Choose two.)

  A. The root VDOM does not have access to FortiManager in a closed network.
  B. The root VDOM does not have a VDOM link to connect with the Corel and Core2 VDOMs.
  C. The Core1 and Core2 VDOMs must also be enabled as Management VDOMs to receive FortiGuard updates
  D. The root VDOM does not have access to any valid public FDN.
  B. The root VDOM does not have a VDOM link to connect with the Corel and Core2 VDOMs.
  D. The root VDOM does not have access to any valid public FDN.

  ---

  explanation:

  Explanation

  Since Core1 and Core2 are not designated as management VDOMs, they rely on the root VDOM for connectivity to external resources such as FortiGuard updates. If the root VDOM lacks a VDOM link to these VDOMs or cannot reach FortiGuard services, security features like web filtering will stop working.

• Question 4:

  Refer to the exhibits. The exhibits show a network topology, a firewall policy, and an SSL/SSH inspection profile configuration.

  

  

  Why is FortiGate unable to detect HTTPS attacks on firewall policy ID 3 targeting the Linux server?

  A. The administrator must set the policy to inspection mode to analyze the HTTPS packets as expected.
  B. The administrator must enable HTTPS in the protocol port mapping of the deep- inspection SSL/SSH inspection profile.
  C. The administrator must enable SSL inspection of the SSL server and upload the certificate of the Linux server website to the SSL/SSH inspection profile.
  D. The administrator must enable cipher suites in the SSL/SSH inspection profile to decrypt the message.
  C. The administrator must enable SSL inspection of the SSL server and upload the certificate of the Linux server website to the SSL/SSH inspection profile.

  ---

  explanation:

  Explanation

  The FortiGate SSL/SSH inspection profile is configured for Full SSL Inspection , which is necessary to analyze encrypted HTTPS traffic. However, the firewallpolicy is protecting an SSL server (the Linux server hosting the website) , and

  currently, the SSL/SSH profile only applies to client-side SSL inspection .

  To detect HTTPS-based attacks targeting the Linux server:

  # FortiGate must act as an SSL intermediary to inspect encrypted traffic destined for the web server.

  # The administrator must upload the SSL certificate of the Linux web server to FortiGate so that the server- side SSL inspection can decrypt incoming HTTPS traffic before analyzing it.

• Question 5:

  Refer to the exhibit, which contains a partial VPN configuration.

  

  What can you conclude from this VPN IPsec phase 1 configuration?

  A. This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.
  B. Peer IDs are unencrypted and exposed, creating a security risk.
  C. FortiGate will not add a route to its routing or forwarding information base when the dynamic tunnel is negotiated.
  D. A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.
  A. This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.

  ---

  explanation:

  Explanation

  This IPsec Phase 1 configuration defines a dynamic VPN tunnel that can accept connections from multiple peers. The settings chosen here suggest a configuration optimized fornetworks with intermittent traffic patterns while ensuring

  resources are used efficiently.

  Key configurations and their impact:

  # set type dynamic # This allows multiple peers to establish connections dynamically without needing predefined IP addresses.

  # set ike-version 2 # Uses IKEv2 , which is more efficient and supports features like EAP authentication and reduced rekeying overhead. # set dpd on-idle # Dead Peer Detection (DPD) is triggered only when the tunnel is idle , reducing

  unnecessary keep-alive packets and improving resource utilization. # set add-route enable # FortiGate automatically adds the route to the routing table when the tunnel is established, ensuring connectivity when needed.

  # set proposal aes128-sha256 aes256-sha256 # Uses strong encryption and hashing algorithms, ensuring a secure connection.

  # set keylife 28800 # Sets a longer key lifetime (8 hours), reducing the frequency of rekeying, which is beneficial for stable connections.

  Because DPD is set to on-idle , the tunnel will not constantly send keep-alive messages but will still ensure connectivity when traffic is detected. This makes the configuration ideal fornetworks with regular but non- continuous traffic , balancing

  security and resource efficiency.

• Question 6:

  Refer to the exhibit, which shows a command output.

  

  FortiGate_A and FortiGate_B are members of an FGSP cluster in an enterprise network.

  While testing the cluster using the ping command, the administrator monitors packet loss and found that the session output on FortiGate_B is as shown in the exhibit.

  What could be the cause of this output on FortiGate_B?

  A. The session synchronization is encrypted.
  B. session-pickup-connectionless is set to disable on FortiGate_B.
  C. FortiGate_B is configured in passive mode.
  D. FortiGate_A and FortiGate_B have the same standalone-group-id value.
  B. session-pickup-connectionless is set to disable on FortiGate_B.

  ---

  explanation:

  Explanation

  The Fortinet FGSP (FortiGate Session Life Support Protocol) cluster allows session synchronization between two FortiGate devices to provide seamless failover. However, ICMP (ping) is a connectionless protocol , and by default, FortiGate

  does not synchronize connectionless sessions unless explicitly enabled.

  In the exhibit:

  # The command get system session list | grep icmp on FortiGate_B returns no output , meaning that ICMP sessions are not being synchronized from FortiGate_A.

  # If session-pickup-connectionless is disabled, FortiGate_B will not receive ICMP sessions , causing packet loss during failover.

• Question 7:

  Refer to the exhibit, which shows a partial enterprise network.

  

  An administrator would like the area 0.0.0.0 to detect the external network. What must the administrator configure?

  A. Enable RIP redistribution on FortiGate
  C. Configure a virtual link between FortiGate A and
  D. Set the area 0.0.0.l type to stub on FortiGate A and
  A. Enable RIP redistribution on FortiGate

  ---

  explanation:

  Explanation

  The diagram shows a multi-area OSPF network where:

  # FortiGate A is in OSPF Area 0 (Backbone area).

  # FortiGate B is in OSPF Area 0.0.0.1 and is connected to an RIP network .

  To ensure that OSPF Area 0 (0.0.0.0) learns routes from the external RIP network , FortiGate B must redistribute RIP routes into OSPF .

  Steps to achieve this:

  1.Enable route redistribution on FortiGate B to inject RIP-learned routes into OSPF.

  2.This allows OSPF Area 0.0.0.1 to forward RIP routes to OSPF Area 0 (0.0.0.0) , making the external network visible.

• Question 8:

  Refer to the exhibit.

  A pre-run CLI template that is used in zero-touch provisioning (ZTP) and low-touch provisioning (LTP) with FortiManager is shown.

  

  The template is not assigned even though the configuration has already been installed on FortiGate. What is true about this scenario?

  A. The administrator did not assign the template correctly when adding the model device because pre-CLI templates remain permanently assigned to the firewall
  B. Pre-run CLI templates are automatically unassigned after their initial installation
  C. Pre-run CLI templates for ZTP and LTP must be unassigned manually after the first installation to avoid conflicting error objects when importing a policy package
  D. The administrator must use post-run CLI templates that are designed for ZTP and LTP
  B. Pre-run CLI templates are automatically unassigned after their initial installation

  ---

  explanation:

  Explanation

  In FortiManager pre-run CLI templates , are used in Zero-Touch Provisioning (ZTP) and Low-Touch Provisioning (LTP) to configure a FortiGate device before it is fully managed by FortiManager.

  These templates apply configurations when a device is initially provisioned. Once the pre-run CLI template is executed , FortiManager automatically unassigns it from the device because it is not meant to persist like other policy configurations. This prevents conflicts and ensures that the FortiGate configuration isnot repeatedly applied after the initial setup.

• Question 9:

  An administrator must enable direct communication between multiple spokes in a company's network. Each spoke has more than one internet connection. The requirement is for the spokes to connect directly without passing through the hub, and for the links to automatically switch to the best available connection. How can this automatic detection and optimal link utilization between spokes be achieved?

  A. Set up OSPF routing over static VPN tunnels between spokes.
  B. Utilize ADVPN 2.0 to facilitate dynamic direct tunnels and automatic link optimization.
  C. Establish static VPN tunnels between spokes with predefined backup routes.
  D. Implement SD-WAN policies at the hub to manage spoke link quality.
  B. Utilize ADVPN 2.0 to facilitate dynamic direct tunnels and automatic link optimization.

  ---

  explanation:

  Explanation

  ADVPN (Auto-Discovery VPN) 2.0is the optimal solution for enablingdirect spoke-to-spoke communication without passing through the hub, while also allowing automatic link selection based on quality metrics.

  #Dynamic Direct Tunnels:

  # ADVPN 2.0 allows spokes to establish direct IPsec tunnels dynamically based on traffic patterns, reducing latency and improving performance.

  # Unlike static VPNs, spokes do not need to pre-configure tunnels for each other.

  #Automatic Link Optimization:

  # ADVPN 2.0 monitors the quality of multiple internet connections on each spoke.

  # It automatically switches to the best available connection when the primary link degrades or fails.

  # This is achieved by dynamically adjusting BGP-based routing or leveraging SD-WAN integration.

• Question 10:

  An administrator wants to scale the IBGP sessions and optimize the routing table in an IBGP network. Which parameter should the administrator configure?

  A. network-import-check
  B. ibgp-enforce-multihop
  C. neighbor-group
  D. route-reflector-client
  D. route-reflector-client

  ---

  explanation:

  Explanation

  In anIBGP (Internal BGP) network, all routers must befully meshed, meaning every router must establish a BGP session with every other router in the sameautonomous system (AS). Thisdoes not scale wellin large networks due to the

  exponential increase in BGP sessions.

  Tooptimize and scale IBGP,Route Reflectors (RRs)are used. ARoute Reflector (RR)reduces the number ofIBGP peer connectionsby allowing acentralized router (RR)to redistribute IBGP routes to other IBGP peers (calledclients). This

  eliminates the need for afull mesh, significantlyreducing BGP session overhead.

  By configuring theroute-reflector-clientsetting on IBGP peers, an administrator can:

  #Scale IBGP sessionsby reducing the number of direct BGP peer connections.

  #Optimize the routing tableby ensuring routes are efficiently propagated within the IBGP network. #Eliminate the need for full mesh topology, making IBGP more manageable.