FCSS - Enterprise Firewall 7.6 Administrator Online Practice
Last updated: October 3, 2025
These online practice questions let you gauge how well you know the Fortinet FCSS_EFW_AD-7.6 exam material before deciding whether to register for the exam.
To pass the exam and cut preparation time by about 35%, use the FCSS_EFW_AD-7.6 dump (latest real exam questions), which currently contains 57 questions and answers.
Answer:
Explanation:
When VXLAN and IPsec are combined, each encapsulation adds headers to every packet, so a 1500-byte packet from a host no longer fits in the default 1500-byte MTU of the underlay. The result is fragmentation, dropped packets (when DF is set or a hop cannot fragment) and degraded performance.
The fix is to adjust the MTU. Raising it (jumbo frames) only works if every device on the path supports the larger size; otherwise some hop will still fragment or drop the packets and the problem persists. Lowering the MTU on the FortiGate interfaces, and clamping TCP MSS on the policy, avoids that dependency.
Why adjusting MTU helps:
● VXLAN adds 50 bytes of overhead (outer Ethernet 14, outer IP 20, UDP 8, VXLAN header 8).
● IPsec adds its own encapsulation on top: a new outer IP header, the ESP header, IV, padding, trailer and integrity check value, typically 60 to 80 bytes for AES-CBC with HMAC-SHA-256; running the tunnel over GRE adds 4 bytes more.
● If packets exceed the path MTU, they are fragmented or dropped, causing intermittent connectivity issues (typically small packets such as pings work while bulk transfers stall).
● Lowering the MTU on the interfaces ensures packets stay within the supported size limit across all network devices.
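As an added example (not from the original page), the following FortiOS CLI configuration applies the fix described above on a FortiGate that carries VXLAN over an existing IPsec tunnel. The interface names ("vxlan-ipsec", "port2"), the VNI, the peer tunnel address and the 1350-byte value are assumptions: subtracting the 50-byte VXLAN header and up to about 80 bytes of ESP tunnel-mode overhead from 1500 leaves roughly 1370, so 1350 gives a little headroom, and the TCP MSS is set 40 bytes lower than the MTU (20-byte IP header plus 20-byte TCP header).

```fortios
# Assumed names: "vxlan-ipsec" is an existing phase1-interface, "port2" is the LAN side.
config system vxlan
    edit "vx1000"
        set interface "vxlan-ipsec"      # VXLAN rides on the IPsec tunnel interface
        set vni 1000
        set remote-ip "10.255.0.2"       # tunnel address of the far FortiGate (assumed)
    next
end

# Lower the MTU on the LAN-facing interface so hosts never build a 1500-byte
# packet that will not fit once VXLAN (50 B) and ESP (~60-80 B) are added.
config system interface
    edit "port2"
        set mtu-override enable
        set mtu 1350
    next
end

# Clamp TCP MSS on the policy as a second safeguard for hosts that ignore the
# interface MTU (MSS = MTU - 20 IP - 20 TCP = 1310).
config firewall policy
    edit 10
        set name "lan-to-vxlan"
        set srcintf "port2"
        set dstintf "vx1000"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set tcp-mss-sender 1310
        set tcp-mss-receiver 1310
    next
end
```

The MSS clamp only helps TCP; UDP applications that send large datagrams still depend on the lowered interface MTU, so test with a large ping using the do-not-fragment flag across the overlay after applying the change.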
Answer:
Explanation:
This IPsec Phase 1 configuration defines a dynamic (dial-up) VPN gateway that accepts connections from multiple peers. The settings chosen here suggest a configuration optimized for networks with intermittent traffic patterns while ensuring resources are used efficiently.
Key configurations and their impact:
● set type dynamic → Allows multiple peers to establish connections without their IP addresses being defined in advance.
● set ike-version 2 → Uses IKEv2, which needs fewer messages to establish a tunnel, supports EAP authentication, and handles rekeying more efficiently than IKEv1.
● set dpd on-idle → Dead Peer Detection probes are sent only while the tunnel is idle (no traffic in either direction for the retry interval). When traffic is flowing no probes are needed, so a dead peer is still detected during quiet periods without adding overhead to busy periods.
● set add-route enable → FortiGate automatically adds a route to the peer's protected networks (taken from the peer's Phase 2 selectors or mode-config) when the tunnel comes up, and removes it when the tunnel goes down.
● set proposal aes128-sha256 aes256-sha256 → Uses AES-CBC with HMAC-SHA-256 integrity, offering both key lengths for peer compatibility while excluding weak algorithms.
● set keylife 28800 → Sets the IKE SA lifetime to 28800 seconds (8 hours), reducing the frequency of rekeying, which is beneficial for stable connections.
Because DPD is set to on-idle, the tunnel is probed only during idle periods rather than continuously, and a tunnel whose peer has stopped responding (together with the route installed for it) is torn down rather than left stale. This makes the configuration a good fit for networks with regular but non-continuous traffic, balancing security and resource efficiency.
Answer:
Explanation:
From the exhibit, ISFW is part of a Security Fabric environment with NGFW-1 as the Fabric Root. In this architecture, FortiGate devices share security intelligence, including logs and detected threats.
ISFW is in a Security Fabric environment:
● Security Fabric allows devices like ISFW to receive threat intelligence from NGFW-1, even if UTM is not enabled locally.
● If NGFW-1 detects malware from IP 10.1.10.1 to 89.238.73.97, this information can be propagated to ISFW and FortiAnalyzer.
The firewall policy in NGFW-1 has UTM enabled:
● Even though ISFW does not have UTM enabled, NGFW-1 (which sits between ISFW and the external network) does have UTM enabled and is scanning traffic.
● Since NGFW-1 detects malware in the session, it logs the event, which is then sent to FortiAnalyzer.
Answer:
Explanation:
In a transparent mode Virtual Domain (VDOM), FortiGate operates as a Layer 2 bridge rather than performing Layer 3 routing. The set forward-domain <domain_ID> command on an interface controls how traffic is forwarded between interfaces within the same transparent VDOM.
A forward-domain acts as a broadcast domain: only interfaces with the same forward-domain ID exchange traffic (unicast, broadcast and ARP). By default every interface is in forward-domain 0, so all interfaces of the VDOM form one bridge, which can create Layer 2 loops when several segments are connected through it. Assigning distinct IDs separates VLANs or network segments within the transparent VDOM while still letting FortiGate apply firewall policies between the interfaces of each domain.
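The following FortiOS CLI configuration is an added example, not taken from the original page, showing forward-domain in practice. The VDOM name "tp-vdom", the interfaces port3 to port6, the management address and the domain IDs 10 and 20 are assumptions: port3/port4 carry one segment and port5/port6 another, and the two must never bridge to each other.

```fortios
# Create the VDOM and put it in transparent mode (multi-VDOM mode assumed).
config vdom
    edit "tp-vdom"
        config system settings
            set opmode transparent
            set manageip 192.0.2.10/24      # management address for the bridge
        end
    next
end

# Assign interfaces to the VDOM and group them into forward-domains.
# Only interfaces sharing an ID exchange frames; 10 and 20 are isolated.
config global
    config system interface
        edit "port3"
            set vdom "tp-vdom"
            set forward-domain 10       # segment A, ingress
        next
        edit "port4"
            set vdom "tp-vdom"
            set forward-domain 10       # segment A, egress
        next
        edit "port5"
            set vdom "tp-vdom"
            set forward-domain 20       # segment B, ingress
        next
        edit "port6"
            set vdom "tp-vdom"
            set forward-domain 20       # segment B, egress
        next
    end
end

# Bridging alone does not forward anything; a policy is still required
# between the interfaces of a domain.
config vdom
    edit "tp-vdom"
        config firewall policy
            edit 1
                set name "segA-in-to-out"
                set srcintf "port3"
                set dstintf "port4"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

A policy from port3 to port5 would never match, because frames from forward-domain 10 are not bridged into forward-domain 20 regardless of policy; the bridge table for the VDOM can be inspected with diagnose netlink brctl name host tp-vdom.b.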
Answer:
Explanation:
ADVPN (Auto-Discovery VPN) 2.0 is the optimal solution for enabling direct spoke-to-spoke communication without passing through the hub, while also allowing automatic link selection based on quality metrics.
● Dynamic Direct Tunnels:
● ADVPN 2.0 allows spokes to establish direct IPsec tunnels (shortcuts) on demand: when the hub forwards traffic between two spokes it sends a shortcut offer, and the spokes negotiate a direct tunnel, reducing latency and hub load.
● Unlike static VPNs, spokes do not need to pre-configure tunnels for each other.
● Automatic Link Optimization:
● ADVPN 2.0 monitors the quality of the overlays built over each spoke's multiple internet connections.
● It automatically moves traffic to the best available shortcut when the current link degrades or fails.
● This is achieved through SD-WAN integration: SD-WAN health checks measure each overlay, the SD-WAN rule steers traffic to the shortcut that meets the SLA, and BGP carries the spoke prefixes across the overlays.
Answer:
Explanation:
IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.
It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
IKEv2 supports stronger cryptographic algorithms, including Elliptic Curve Diffie-Hellman (ECDH) groups such as ECP256 (DH group 19) and ECP384 (DH group 20), providing improved security compared to IKEv1.
It supports the extensible authentication protocol (EAP).
IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such as RADIUS, certificates, and smart cards. This is particularly useful for remote access VPNs where user authentication must be flexible and secure.
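The following FortiOS CLI configuration is an added example (not from the original page) that ties together the dial-up Phase 1 settings explained earlier (type dynamic, IKEv2, dpd on-idle, add-route, the aes128-sha256/aes256-sha256 proposals and keylife 28800) with the IKEv2 features listed here: ECP Diffie-Hellman groups and EAP authentication against RADIUS. The tunnel name, "port1" as the WAN interface, the RADIUS server object "radius-srv", the user group, the client address pool and the use of the default Fortinet_Factory certificate are assumptions.

```fortios
# Assumed: RADIUS server object "radius-srv" already exists.
config user group
    edit "vpn-users"
        set member "radius-srv"
    next
end

config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set type dynamic                  # accept any peer; no fixed remote gateway
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable             # one tunnel interface per connected peer
        set mode-cfg enable               # push client addressing
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 19 20                   # ECP256 and ECP384 only; no MODP-1024
        set authmethod signature          # gateway authenticates with a certificate
        set certificate "Fortinet_Factory"  # replace with a CA-issued server certificate
        set eap enable                    # IKEv2 EAP: clients authenticate via RADIUS
        set eap-identity send-request
        set authusrgrp "vpn-users"
        set dpd on-idle                   # probe only while no traffic is seen
        set dpd-retryinterval 10
        set dpd-retrycount 3
        set add-route enable              # route to each peer installed on connect
        set keylife 28800                 # 8-hour IKE SA lifetime
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set ipv4-netmask 255.255.255.0
    next
end

config vpn ipsec phase2-interface
    edit "dialup-ikev2-p2"
        set phase1name "dialup-ikev2"
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 19 20
        set pfs enable                    # fresh ECDH exchange for every CHILD_SA rekey
        set keylifeseconds 3600
    next
end
```

After a client connects, diagnose vpn ike gateway list shows the negotiated IKE version, DH group and EAP identity per peer, which is the quickest way to confirm that no peer fell back to a weaker group than the two configured.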
Answer:
Explanation:
In the given ADVPN (Auto-Discovery VPN) topology, BGP is being used to dynamically establish routes between spokes. The neighbor-range configuration is crucial for simplifying BGP peer setup by automatically assigning neighbors based on their IP range.
set neighbor-group advpn
● The neighbor-group parameter is used to apply pre-defined settings (such as AS number) to dynamically discovered BGP neighbors.
● The advpn neighbor-group is already defined in the configuration, and assigning it to the neighbor-range ensures consistent BGP settings for all spoke neighbors.
set prefix 172.16.1.0 255.255.255.0
● This command enables dynamic BGP peer discovery by defining the range of addresses from which neighbors are accepted: any peer whose source address falls within 172.16.1.0/24.
● Since each spoke has a unique /32 tunnel address within this subnet, any spoke in the 172.16.1.0/24 range can automatically establish a BGP session with the hub without the hub having to list every spoke explicitly.
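As an added example that is not part of the original page, here is the complete hub-side router bgp configuration in which the two commands above sit. The AS number 65001, the hub tunnel address 172.16.1.254, the tunnel interface name "advpn-hub" and the hub LAN prefix are assumptions; the neighbor-group and neighbor-range values are the ones discussed above.

```fortios
config router bgp
    set as 65001                          # single iBGP AS across hub and spokes (assumed)
    set router-id 172.16.1.254
    set ibgp-multipath enable             # allow equal-cost paths over several overlays
    config neighbor-group
        edit "advpn"
            set remote-as 65001
            set update-source "advpn-hub"  # source BGP sessions from the hub tunnel address
            set route-reflector-client enable   # hub reflects spoke prefixes to other spokes
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.1.0 255.255.255.0  # any spoke tunnel address in this /24
            set neighbor-group "advpn"           # inherits the settings above
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.255.0    # hub LAN advertised to spokes (assumed)
        next
    end
end
```

Because the hub is a route reflector, a spoke learns another spoke's prefix with the originating spoke's tunnel address as next hop; that is what lets traffic move onto the direct shortcut once ADVPN negotiates it. get router info bgp summary on the hub lists every dynamically accepted spoke and its state.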
Answer:
Explanation:
The diagram shows a multi-area OSPF network where:
● FortiGate A is in OSPF Area 0 (Backbone area).
● FortiGate B is in OSPF Area 0.0.0.1 and is connected to a RIP network.
To ensure that OSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B must redistribute RIP routes into OSPF. FortiGate B then becomes an ASBR and originates Type 5 external LSAs, which are flooded through Area 0.0.0.1 into the backbone as long as Area 0.0.0.1 is a regular (non-stub) area.
Steps to achieve this:
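The following FortiGate B configuration is an added example, not from the original page, implementing the redistribution described above. The interface addressing (port1 10.0.1.2/24 facing Area 0.0.0.1, port2 facing the RIP network 192.168.50.0/24), the RIP version and the metric values are assumptions.

```fortios
# RIP side: learn the external routes (assumed network 192.168.50.0/24 on port2).
config router rip
    set version 2
    config network
        edit 1
            set prefix 192.168.50.0 255.255.255.0
        next
    end
end

# OSPF side: FortiGate B sits in area 0.0.0.1 and redistributes RIP, becoming an ASBR.
config router ospf
    set router-id 10.0.1.2
    config area
        edit 0.0.0.1
            set type regular          # a stub area would refuse the Type 5 LSAs
        next
    end
    config network
        edit 1
            set prefix 10.0.1.0 255.255.255.0
            set area 0.0.0.1
        next
    end
    config redistribute "rip"
        set status enable
        set metric 20
        set metric-type 2             # E2: cost stays 20 regardless of path length
    end
end
```

On FortiGate A, get router info routing-table ospf should then list the RIP prefix as an O E2 route; if it does not appear, check that the area type on both ends is regular and that FortiGate A's routing table actually has a RIP entry to redistribute (only routes installed in the routing table are redistributed).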
Answer:
Explanation:
VXLAN (Virtual Extensible LAN) is an overlay network technology that extends Layer 2 networks over Layer 3 infrastructure. When VXLAN is used extensively on FortiGate, hardware acceleration is crucial for maintaining performance.
● NP7 (Network Processor 7) is Fortinet's current-generation network processor, designed to accelerate high-performance networking features, including:
● VXLAN encapsulation/decapsulation
● IPsec VPN offloading
● Firewall policy enforcement (session offload)
● Assisting flow-based IPS inspection (NTurbo)
NP7 significantly reduces latency and improves throughput when handling VXLAN traffic, making it the best choice for large-scale VXLAN deployments. A session is only offloaded if every feature applied to it is supported by the NP; proxy-based inspection, for example, keeps the session on the CPU.
Answer:
Explanation:
Applying an aggressive IPS profile without prior testing can disrupt legitimate applications by incorrectly identifying normal traffic as malicious.
To prevent disruptions while still monitoring for threats:
● Enable IPS in monitor mode first (signature action set to pass, with logging enabled):
● This allows FortiGate to log and analyze potential threats without actively blocking traffic.
● Administrators can review logs and fine-tune IPS signatures to minimize false positives before switching to blocking mode.
● Verify and adjust signature patterns:
● Some signatures might trigger unnecessary blocks for legitimate application traffic.
● By analyzing logs, administrators can disable or modify specific rules causing false positives.
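The following FortiOS CLI configuration is an added example (not from the original page) of the two-stage rollout described above: an IPS sensor whose signatures only log, applied to the policy protecting an application, followed by the change that switches it to blocking once the logs have been reviewed. The sensor name, interface names, the VIP object "webapp-vip" and the severity filter are assumptions.

```fortios
# Stage 1: sensor that matches medium-and-above signatures but only logs them.
config ips sensor
    edit "webapp-monitor"
        set comment "Stage 1: log only; tune before switching to block"
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set log enable
                set action pass            # monitor mode: record the match, do not block
            next
        end
    next
end

# Apply the sensor to the policy in front of the application (objects assumed).
config firewall policy
    edit 20
        set name "internet-to-webapp"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "webapp-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ips-sensor "webapp-monitor"
        set logtraffic all
    next
end

# Stage 2: after reviewing the IPS logs and disabling the signatures that fired
# on legitimate traffic (add an entry selecting them by rule ID with
# "set status disable"), enforce the remaining ones.
config ips sensor
    edit "webapp-monitor"
        config entries
            edit 1
                set action block
            next
        end
    next
end
```

Keep the monitoring window long enough to cover the application's periodic jobs (backups, batch uploads), which are a common source of signatures that never fire during ordinary interactive use.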
Answer:
Explanation:
When FortiGate processes the first packets of a session, it follows a sequence of steps to determine how the traffic should be handled before establishing a session.
The initial step involves:
● Access Control List (ACL) checks: hardware ACLs on the network processor allow or drop the packet before any session is created, based on predefined rules.
● Host Protection Engine (HPE) rate limiting: the NP7's HPE limits the rate of specific packet types (for example TCP SYN, ICMP and fragments) to shield the CPU from floods.
● IP integrity header checking: verifies that the IP header is well formed (valid version, length and checksum) and discards malformed packets.
Once these checks pass, the kernel evaluates the packet against routing and firewall policy and creates the session. If every feature applied to the session is supported by the network processor, the session is then installed in hardware and later packets are handled there; otherwise it continues to be processed in software.
Answer:
Explanation:
In an ADVPN (Auto-Discovery VPN) network, a dynamic VPN tunnel (shortcut) is established on demand between two spokes, after the hub sees traffic between them, to optimize traffic flow and reduce latency.
Process:
Answer:
Explanation:
FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless it decrypts it first. If only certificate inspection is enabled, FortiGate can see the certificate details (such as the domain and issuer) but cannot inspect the actual web content.
To fully analyze the traffic and detect potential malware threats:
● Full SSL inspection (deep inspection) must be enabled in the SSL/SSH Inspection Profile applied to the firewall policy, together with an antivirus profile.
● FortiGate then terminates the TLS session, decrypts and inspects the content, and re-encrypts it with a certificate issued by its own CA before forwarding it to the user; clients must trust that CA certificate, or every site will show certificate warnings.
● Without full SSL inspection, threats embedded in encrypted traffic go undetected. Applications that use certificate pinning reject the re-signed certificate and must be exempted from deep inspection.
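As an added example that is not part of the original page, the following FortiOS CLI configuration moves a policy from certificate inspection to full SSL inspection with antivirus scanning. The profile name, interface names, the use of the built-in Fortinet_CA_SSL and Fortinet_CA_Untrusted certificates and the default AV profile are assumptions.

```fortios
# Deep-inspection profile: HTTPS is decrypted and re-signed with the FortiGate CA.
config firewall ssl-ssh-profile
    edit "deep-inspect-custom"
        set comment "Full SSL inspection so AV can see the payload"
        config https
            set ports 443
            set status deep-inspection      # was certificate-inspection
        end
        set server-cert-mode re-sign        # re-issue the server cert from the CA below
        set caname "Fortinet_CA_SSL"        # this CA must be trusted by every client
        set untrusted-caname "Fortinet_CA_Untrusted"   # used when the origin cert is invalid
    next
end

# Policy: deep inspection plus an antivirus profile; neither works without the other.
config firewall policy
    edit 30
        set name "users-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspect-custom"
        set av-profile "default"
        set logtraffic all
        set nat enable
    next
end
```

Distribute the Fortinet_CA_SSL certificate (or, better, a CA issued by the organization's own PKI and imported for this purpose) to clients before enabling the profile, and add pinned services to the profile's exemption list; keeping the untrusted CA separate ensures that a site with a bad certificate still produces a browser warning instead of being silently trusted.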
Answer:
Explanation:
From the Root FortiGate - System Administrator Configuration exhibit:
● The AdminSSO account has the super_admin_readonly role.
From the Downstream FortiGate - Security Fabric Settings exhibit:
● The Security Fabric role is set to Join Existing Fabric, meaning it will authenticate with the root FortiGate.
● SAML Single Sign-On (SSO) is enabled, and the default admin profile is set to super_admin_readonly.
When the AdminSSO user logs into the downstream FortiGate using SSO, the authentication request is redirected to the root FortiGate (the SAML identity provider), where AdminSSO has super_admin_readonly permissions. The downstream FortiGate (the service provider) maps the authenticated SSO user to its configured default admin profile, which is also super_admin_readonly, so the user is granted read-only super-admin access on the downstream device.
Answer:
Explanation:
The Internet Service Database (ISDB) in FortiGate filters traffic at Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI model by identifying services through their predefined IP addresses, protocols and ports, rather than by inspecting the payload.
FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:
● FortiGate retrieves and updates a predefined list of IPs and ports for different internet services from FortiGuard.
● This allows FortiGate to block specific services at Layer 3 and Layer 4 without requiring deep packet inspection.
The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:
● ISDB works by matching traffic to known IP addresses and ports of categorized services.
● When an application or service is blocked, FortiGate prevents communication by denying traffic based on its destination IP and port number.
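The following FortiOS CLI configuration is an added example, not from the original page, of using an ISDB entry as the destination of a firewall policy. The policy IDs, interface names and the choice of the "Facebook-Web" internet service are assumptions; when internet-service is enabled the policy has no dstaddr or service fields, because the ISDB entry supplies both the addresses and the ports.

```fortios
config firewall policy
    # Deny policy: destination is an ISDB entry, so IPs and ports come from FortiGuard.
    edit 40
        set name "block-facebook-web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Facebook-Web"
        set action deny
        set schedule "always"
        set logtraffic all                # log the denies to confirm the match
    next
    # General outbound policy; must sit below the deny to be evaluated after it.
    edit 41
        set name "users-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    move 40 before 41
end
```

Because ISDB matching is purely Layer 3/4, a service hosted on shared cloud infrastructure can only be blocked as precisely as FortiGuard's address list allows; diagnose internet-service match root <ip> 255.255.255.255 shows which ISDB entries a given destination address currently belongs to, which is the check to run before assuming a block is complete.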