Free Practice Questions for Fortinet FCSS_EFW_AD-7.4 Exam

TheConfiguration Revision Historywindow inFortiManagershows that the most recent configuration change (ID 10) was created byscript_managerwith the actionRetrieved.

Sincescript_manageris a system-level script execution user, the IT team needs to findwho actually triggered this script. This can be done by:

● Checking theFortiManager system logsforscript execution events.

● Using thetype=scriptfilter to locate the administrator associated with the script execution.

IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.

It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.

IKEv2 supports stronger cryptographic algorithms, includingElliptic Curve Diffie-Hellman (ECDH)groups such asECP256 and ECP384, providing improved security compared to IKEv1.

It supports the extensible authentication protocol (EAP).

IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such asRADIUS, certificates, and smart cards. This is particularly useful forremote access VPNswhere user authentication must be flexible and secure.

FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless itdecryptsit first. Ifonly certificate inspectionis enabled, FortiGate can see the certificate details (such as the domain and issuer) butcannot inspect the actual web content.

To fully analyze the traffic and detect potential malware threats:

●Full SSL inspection (Deep Packet Inspection)must be enabled in theSSL/SSH Inspection Profile.

● This allows FortiGate todecrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.

● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.

When multiple remote sites connect to thesame hubusingoverlapping subnets, FortiGate needs to determine which route should be used for traffic forwarding. Theroute-overlapsetting in IPsec Phase 2 allows FortiGate to handle this scenario by deciding whether to keep theexisting route(use-old) or replace it with anew route(use-new).

In anECMP (Equal-Cost Multi-Path) routing setup,both routes should be retained and balanced, but FortiGate does not supportECMP directly over overlapping routesin IPsec Phase 2. Instead, an administrator must decide which connection takes precedence usingroute-overlapsettings.

Theset tcp-mss-senderandset tcp-mss-receivercommands in afirewall policyallow an administrator to adjust theMaximum Segment Size (MSS)of TCP packets.

This setting controls thelargest payload sizethat a device can handle in a singleTCP segment, ensuring that packets do not exceed the allowed MTU (Maximum Transmission Unit) along the network path.

●set tcp-mss-senderadjusts the MSS value foroutgoing TCP traffic.

●set tcp-mss-receiveradjusts the MSS value forincoming TCP traffic.

This helps prevent issues withfragmentationandMTU mismatches, improving network performance and avoiding retransmissions.

neighbor-group:

● This command is used to group multipleBGP neighborswith the same configuration, reducing redundant configuration.

● Instead of defining individual BGP settings for each spoke, the administrator can create aneighbor-groupand apply the same policies, reducing manual work.

neighbor-range:

● This command allows the configuration ofa range of neighbor IPs dynamically, reducing the need to manually define each spoke neighbor.

● It automatically addsBGP neighborsthat match a given prefix, simplifying deployment.

The diagram shows amulti-area OSPF networkwhere:

●FortiGate Ais inOSPF Area 0 (Backbone area).

●FortiGate Bis inOSPF Area 0.0.0.1and is connected to anRIP network.

To ensure thatOSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B mustredistribute RIP routes into OSPF.

Steps to achieve this:

1.Enable route redistribution on FortiGate Bto inject RIP-learned routes into OSPF.

2. This allows OSPFArea 0.0.0.1to forward RIP routes toOSPF Area 0 (0.0.0.0), making the external network visible.