Fortinet FCSS_EFW_AD-7.6 시험

Question No : 1

How will configuring set tcp-mss-sender and set tcp-mss-receiver in a firewall policy affect the size and handling of TCP packets in the network?

• A.The maximum segment size permitted in the firewall policy determines whether TCP packets are allowed or denied.
• B.Applying commands in a firewall policy determines the largest payload a device can handle in a single TCP segment.
• C.The administrator must consider the payload size of the packet and the size of the IP header to configure a correct value in the firewall policy.
• D.The TCP packet modifies the packet size only if the size of the packet is less than the one the administrator configured in the firewall policy.

답을 확인하기

정답:
Explanation:
The set tcp-mss-sender and set tcp-mss-receiver commands in a firewall policy allow an administrator to adjust the Maximum Segment Size (MSS) of TCP packets.
This setting controls the largest payload size that a device can handle in a single TCP segment, ensuring that packets do not exceed the allowed MTU (Maximum Transmission Unit) along the network path.
● set tcp-mss-sender adjusts the MSS value for outgoing TCP traffic.
● set tcp-mss-receiver adjusts the MSS value for incoming TCP traffic.
This helps prevent issues with fragmentation and MTU mismatches, improving network performance and avoiding retransmissions.

Question No : 2

The IT department discovered during the last network migration that all zero phase selectors in phase 2 IPsec configurations impacted network operations.
What are two valid approaches to prevent this during future migrations? (Choose two.)

• A.Use routing protocols to specify allowed subnets over the tunnel.
• B.Configure an IPsec-aggregate to create redundancy between each firewall peer.
• C.Clearly indicate to the VPN which segments will be encrypted in the phase two selectors.
• D.Configure an IP address on the IPsec interface of each firewall to establish unique peer connections and avoid impacting network operations.

답을 확인하기

정답:
Explanation:
Zero phase selectors in IPsec Phase 2 mean that no specific traffic selectors (subnets) are defined, allowing any traffic to be encrypted through the VPN tunnel. This can cause unintended traffic forwarding issues and disrupt network operations.
To prevent this from happening during future migrations:
● Using routing protocols ensures that only specific subnets are advertised over the tunnel. Dynamic routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing unintended traffic from being encrypted.
● Clearly defining phase 2 selectors avoids the problem of encrypting all traffic by explicitly stating the allowed source and destination subnets. This prevents the tunnel from affecting unrelated network traffic.

Question No : 3

Refer to the exhibit, which shows an OSPF network.



Which configuration must the administrator apply to optimize the OSPF database?

• A.Set a route map in the AS boundary FortiGate.
• B.Set the area 0.0.0.1 to the type STUB in the area border FortiGate.
• C.Set an access list in the AS boundary FortiGate.
• D.Set the area 0.0.0.1 to the type NSSA in the area border FortiGate.

답을 확인하기

정답:
Explanation:
The OSPF database optimization is necessary to reduce unnecessary routing information and improve network performance. In the given topology, Area 0.0.0.1 is a non-backbone area connected to Area 0.0.0.0 (the backbone area) through an Area Border Router (ABR).
To optimize OSPF in this scenario, configuring Area 0.0.0.1 as a Stub Area will:
● Reduce the size of the OSPF database by preventing external routes (from outside OSPF) from being injected into Area 0.0.0.1.
● Allow only intra-area and inter-area routes, meaning routers in Area 0.0.0.1 will rely on a default route for external destinations.
● Improve convergence time and reduce router processing load since fewer LSAs (Link-State Advertisements) are exchanged.

Question No : 4

An administrator configured the FortiGate devices in an enterprise network to join the Fortinet Security Fabric. The administrator has a list of IP addresses that must be blocked by the data center firewall. This list is updated daily.
How can the administrator automate a firewall policy with the daily updated list?

• A.With FortiNAC
• B.With FortiAnalyzer
• C.With a Security Fabric automation
• D.With an external connector from Threat Feeds

답을 확인하기

정답:
Explanation:
The best way to automate a firewall policy using a daily updated list of IP addresses is by using an external connector from Threat Feeds. This allows FortiGate to dynamically retrieve real-time threat intelligence from external sources and apply it directly to security policies.
By configuring Threat Feeds, the administrator can:
● Automatically update firewall policies with the latest malicious IPs daily.
● Block traffic from those IPs in real-time without manual intervention.
● Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).

Question No : 5

An administrator received a FortiAnalyzer alert that a 1 ТВ disk filled up in a day. Upon investigation, they found thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. They later discovered that DNS exfiltration was occurring through both UDP and TLS.
How can the administrator prevent this data theft technique?

• A.Create an inline-CASB to protect against DNS exfiltration.
• B.Configure a File Filter profile to prevent DNS exfiltration.
• C.Enable DNS Filter to protect against DNS exfiltration.
• D.Use an IPS profile and DNS exfiltration-related signatures.

답을 확인하기

정답:
Explanation:
The excessive DNS log requests with random subdomains suggest a DNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can use both UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.
Using an IPS profile with DNS exfiltration-specific signatures allows FortiGate to:
● Detect and block abnormal DNS query patterns often used in exfiltration.
● Inspect encrypted DNS (DoH, DoT) traffic if SSL inspection is enabled.
● Identify known exfiltration domains and techniques based on FortiGuard threat intelligence.

Question No : 6

Refer to the exhibit, which shows a network diagram.



An administrator would like to modify the MED value advertised from FortiGate_1 to a BGP neighbor in the autonomous system 30.
What must the administrator configure on FortiGate_1 to implement this?

• A.route-map-out
• B.network-import-check
• C.prefix-list-out
• D.distribute-list-out

답을 확인하기

정답:
Explanation:
The Multi-Exit Discriminator (MED) is a BGP attribute used to influence the preferred path for incoming traffic from an external autonomous system (AS). The diagram shows that FortiGate_1 advertises MED 200, while FortiGate_2 advertises MED 300, meaning the ISP will prefer the route through FortiGate_1 because a lower MED is preferred in BGP.
To modify the MED value on FortiGate_1 for routes advertised to AS 30, the administrator must configure a route-map-out. A route map can match specific routes and set the MED value before sending them to the BGP neighbor.

Question No : 7

During the maintenance window, an administrator must sniff all the traffic going through a specific firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few packets.
Why is the output of sniffer trace limited?

• A.The traffic corresponding to the firewall policy is encrypted.
• B.auto-asic-off load is set to enable in the firewall policy,
• C.inspection-mode is set to proxy in the firewall policy.
• D.The option npudbg is not added in the diagnose sniff packet command.

답을 확인하기

정답:
Explanation:
FortiGate devices with NP6 (Network Processor 6) acceleration offload traffic directly to hardware, bypassing the CPU for improved performance. When auto-asic-offload is enabled in a firewall policy, most of the traffic does not reach the CPU, which means it won't be captured by the standard sniffer trace command.
Since NP6-accelerated traffic is handled entirely in hardware, only a small portion of initial packets (such as session setup packets or exceptions) might be seen in the sniffer output.
To capture all packets, the administrator must disable hardware offloading using:
config firewall policy
edit <policy_ID>
set auto-asic-offload disable
end
Disabling ASIC offload forces traffic to be processed by the CPU, allowing the sniffer tool to capture all packets.

Question No : 8

Refer to the exhibit, which shows the HA status of an active-passive cluster.



An administrator wants FortiGate_B to handle the Core2 VDOM traffic.
Which modification must the administrator apply to achieve this?
A. The administrator must disable override on FortiGate_A.
B. The administrator must change the priority from 100 to 160 for FortiGate_B.
C. The administrator must change the load balancing method on FortiGate_B.
D. The administrator must change the priority from 128 to 200 for FortiGate_B.

답을 확인하기

정답: D
Explanation:
The exhibit shows an active-passive HA (high availability) cluster with two virtual clusters, where FortiGate_A is the primary device for both Core1 and Core2. If the goal is to have FortiGate_B take over Core2 traffic, its priority must be higher than FortiGate_A for Virtual Cluster 2.
Currently, FortiGate_A has a priority of 150 for Core2, while FortiGate_B has 128. Increasing FortiGate_B’s priority to 200 ensures it becomes the primary for Virtual Cluster 2, taking over the Core2 VDOM traffic while keeping Core1 traffic on FortiGate_A.
Disabling override would prevent forced failovers but wouldn’t change the role distribution. Adjusting the load-balancing method is irrelevant in an active-passive setup, as it only applies to active-active configurations.

Question No : 9

Refer to the exhibit, which shows a LAN interface connected from FortiGate to two FortiSwitch devices.



What two conclusions can you draw from the corresponding LAN interface? (Choose two.)

• A.You must enable STP or RSTP on FortiGate and FortiSwitch to avoid layer 2 loopbacks.
• B.The LAN interface must use a 802.3ad type interface.
• C.This connection is using a FortiLInk to manage VLANs on FortiGate.
• D.FortiGate is using an SD-WAN-type interface to connect to a FortiSwitch device with MCLA

답을 확인하기

정답:
Explanation:
The diagram shows a FortiGate connected to two FortiSwitches, which suggests the use of FortiLink, Fortinet's protocol for managing switches directly from a FortiGate. Since multiple connections are being used, the LAN interface must be set to 802.3ad (LAG) mode to aggregate the links for redundancy and load balancing.
This setup allows FortiGate to handle VLAN assignments dynamically, as seen with VLAN 10 (192.168.15.1/24). FortiLink ensures seamless integration between FortiGate and FortiSwitches, making STP unnecessary because Fortinet's MCLAG prevents loops at Layer 2. SD-WAN, on the other hand, is used for WAN interfaces and does not apply to switch connectivity in this scenario.

Question No : 10

Refer to the exhibit, which shows the packet capture output of a three-way handshake between FortiGate and FortiManager Cloud.



What two conclusions can you draw from the exhibit? (Choose two.)

• A.FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment.
• B.FortiGate is connecting to the same IP server and will receive an independent certificate for its connection between FortiGate and FortiManager Cloud.
• C.If the TLS handshake contains 17 cipher suites it means the TLS version must be 1.0 on this three-way handshake.
• D.The wildcard for the domain *.fortinet-ca2.support.fortinet.com must be supported by FortiManager Cloud.

답을 확인하기

정답:

Question No : 11

Refer to the exhibit, which contains a partial command output.



The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit.
What configuration must the administrator consider next?

• A.Configure a static route to 100.65.4.1.
• B.Configure the local AS to 65300.
• C.Contact the remote peer administrator to enable BGP
• D.Enable ebgp-enforce-multihop.

답을 확인하기

정답:
Explanation:
From the BGP neighbor status output, the key issue is that BGP is stuck in the "Idle" state, meaning the FortiGate is unable to establish a BGP session with its peer 100.65.4.1 (Remote AS 65300).
The output also shows:
● "Not directly connected EBGP" → This means the BGP peer is not on the same subnet, requiring multihop BGP.
● "Update source is Loopback" → Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.
To resolve this issue, the administrator must enable ebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.

Question No : 12

Refer to the exhibit, which contains the partial output of an OSPF command.



An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit.
What two conclusions can the administrator draw? (Choose two.)

• A.The FortiGate device is a backup designated router
• B.The FortiGate device is connected to multiple areas
• C.The FortiGate device injects external routing information
• D.The FortiGate device has OSPF ECMP enabled

답을 확인하기

정답:
Explanation:
The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device.
The FortiGate device is connected to multiple areas
● The output states: "This router is an ABR"
● ABR (Area Border Router) means the device is connected to multiple OSPF areas and maintains routing information between them.
● This confirms that the FortiGate is not just in one area, but at least one backbone area (Area 0) and another OSPF area.
The FortiGate device injects external routing information
● The output states: "Supports opaque LSA"
● Opaque LSAs (Type 9, 10, and 11) are used in OSPF extensions, including those that support external route injection.
● Typically, ABRs or ASBRs (Autonomous System Boundary Routers) inject external routes, allowing routes from other routing protocols (such as BGP or static routes) to be advertised into OSPF.

Question No : 13

Refer to the exhibit, which shows a revision history window in the FortiManager device layer.



The IT team is trying to identify the administrator responsible for the most recent update in the
FortiGate device database.
Which conclusion can you draw about this scenario?

• A.This retrieved process was automatically triggered by a Remote FortiGate Directly (via CLI) script.
• B.The user script_manager is an API user from the Fortinet Developer Network (FDN) retrieving a configuration.
• C.To identify the user who created the event, check it on the Configuration and Installation widget on FortiGate within the FortiManager device layer.
• D.Find the user in the FortiManager system logs and use the type=script command to find the administrator user in the user field.

답을 확인하기

정답:
Explanation:
The Configuration Revision History window in FortiManager shows that the most recent configuration change (ID 10) was created by script_manager with the action Retrieved.
Since script_manager is a system-level script execution user, the IT team needs to find who actually triggered this script.
This can be done by:
● Checking the FortiManager system logs for script execution events.
● Using the type=script filter to locate the administrator associated with the script execution.

Question No : 14

Refer to the exhibit.



A pre-run CLI template that is used in zero-touch provisioning (ZTP) and low-touch provisioning (LTP) with FortiManager is shown.
The template is not assigned even though the configuration has already been installed on FortiGate.
What is true about this scenario?

• A.The administrator did not assign the template correctly when adding the model device because pre-CLI templates remain permanently assigned to the firewall
• B.Pre-run CLI templates are automatically unassigned after their initial installation
• C.Pre-run CLI templates for ZTP and LTP must be unassigned manually after the first installation to avoid conflicting error objects when importing a policy package
• D.The administrator must use post-run CLI templates that are designed for ZTP and LTP

답을 확인하기

정답:
Explanation:
In FortiManager, pre-run CLI templates are used in Zero-Touch Provisioning (ZTP) and Low-Touch Provisioning (LTP) to configure a FortiGate device before it is fully managed by FortiManager.
These templates apply configurations when a device is initially provisioned. Once the pre-run CLI template is executed, FortiManager automatically unassigns it from the device because it is not meant to persist like other policy configurations. This prevents conflicts and ensures that the FortiGate configuration is not repeatedly applied after the initial setup.

Question No : 15

Refer to the exhibit, which shows an ADVPN network



An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.
What two options must the administrator configure in BGP? (Choose two.)

• A.set ebgp-enforce-multrhop enable
• B.set next-hop-self enable
• C.set ibgp-enforce-multihop advpn
• D.set attribute-unchanged next-hop

답을 확인하기

정답:
Explanation:
In this ADVPN (Auto-Discovery VPN) network, there are two hubs (Hub A and Hub B) connected via EBGP, while IBGP is used within each overlay. To ensure proper BGP routing between the overlays, the administrator must configure specific BGP options..
set ebgp-enforce-multihop enable
By default, EBGP requires directly connected neighbors. Since Hub A and Hub B are not directly connected but reach each other over an IPsec tunnel, multihop must be enabled for EBGP sessions to work.
set next-hop-self enable
In IBGP, the next-hop attribute does not change by default. When an IBGP route is advertised from a spoke to another hub or spoke, the next-hop needs to be updated to ensure proper reachability. Enabling next-hop-self forces the BGP speaker to advertise itself as the next-hop, ensuring that all spokes properly reach routes across the overlays.