Free Practice Questions for Fortinet FCSS_EFW_AD-7.6 Exam

The MAC address e0:23:ff:fc:00:86 follows the format used in FortiGate High Availability (HA) clusters. When FortiGate devices are in an HA configuration, they use virtual MAC addresses for failover and redundancy purposes.

The suspicious packet is related to a cluster that has VDOMs enabled:

FortiGate devices with Virtual Domains (VDOMs) enabled use specific MAC address ranges to differentiate HA-related traffic. This MAC address is likely part of that mechanism.

The suspicious packet is related to a cluster with a group-id value lower than 255:

FortiGate HA clusters assign virtual MAC addresses based on the group ID. The last octet (00:86) corresponds to a group ID that is below 255, confirming this option.

The Internet Service Database (ISDB) in FortiGate is used to enforce content filtering at Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI model by identifying applications based on their predefined IP addresses and ports.

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:

● FortiGate retrieves and updates a predefined list of IPs and ports for different internet services from FortiGuard.

● This allows FortiGate to block specific services at Layer 3 and Layer 4 without requiring deep packet inspection.

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:

● ISDB works by matching traffic to known IP addresses and ports of categorized services.

● When an application or service is blocked, FortiGate prevents communication by denying traffic based on its destination IP and port number.

ADVPN (Auto-Discovery VPN) 2.0 is the optimal solution for enabling direct spoke-to-spoke communication without passing through the hub, while also allowing automatic link selection based on quality metrics.

● Dynamic Direct Tunnels:

● ADVPN 2.0 allows spokes to establish direct IPsec tunnels dynamically based on traffic patterns, reducing latency and improving performance.

● Unlike static VPNs, spokes do not need to pre-configure tunnels for each other.

● Automatic Link Optimization:

● ADVPN 2.0 monitors the quality of multiple internet connections on each spoke.

● It automatically switches to the best available connection when the primary link degrades or fails.

● This is achieved by dynamically adjusting BGP-based routing or leveraging SD-WAN integration.

The diagram shows a multi-area OSPF network where:

● FortiGate A is in OSPF Area 0 (Backbone area).

● FortiGate B is in OSPF Area 0.0.0.1 and is connected to an RIP network.

To ensure that OSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B must redistribute RIP routes into OSPF.

Steps to achieve this:

1. Enable route redistribution on FortiGate B to inject RIP-learned routes into OSPF.

2. This allows OSPF Area 0.0.0.1 to forward RIP routes to OSPF Area 0 (0.0.0.0), making the external network visible.

When FortiGate is operating in proxy mode with full SSL inspection enabled, it inspects encrypted HTTPS traffic by default on port 443. However, some websites may use non-standard HTTPS ports (such as 8443), which FortiGate does not inspect unless explicitly configured.

To ensure that FortiGate inspects HTTPS traffic on port 8443, administrators must manually add port 8443 in the Protocol Port Mapping section of the SSL/SSH Inspection Profile. This allows FortiGate to treat HTTPS traffic on port 8443 the same as traffic on port 443, enabling proper inspection and enforcement of FortiGuard category-based web filtering.

The exhibit shows an active-passive HA (high availability) cluster with two virtual clusters, where FortiGate_A is the primary device for both Core1 and Core2. If the goal is to have FortiGate_B take over Core2 traffic, its priority must be higher than FortiGate_A for Virtual Cluster 2.

Currently, FortiGate_A has a priority of 150 for Core2, while FortiGate_B has 128. Increasing FortiGate_B’s priority to 200 ensures it becomes the primary for Virtual Cluster 2, taking over the Core2 VDOM traffic while keeping Core1 traffic on FortiGate_A.

Disabling override would prevent forced failovers but wouldn’t change the role distribution. Adjusting the load-balancing method is irrelevant in an active-passive setup, as it only applies to active-active configurations.

The OSPF database optimization is necessary to reduce unnecessary routing information and improve network performance. In the given topology, Area 0.0.0.1 is a non-backbone area connected to Area 0.0.0.0 (the backbone area) through an Area Border Router (ABR).

To optimize OSPF in this scenario, configuring Area 0.0.0.1 as a Stub Area will:

● Reduce the size of the OSPF database by preventing external routes (from outside OSPF) from being injected into Area 0.0.0.1.

● Allow only intra-area and inter-area routes, meaning routers in Area 0.0.0.1 will rely on a default route for external destinations.

● Improve convergence time and reduce router processing load since fewer LSAs (Link-State Advertisements) are exchanged.

The excessive DNS log requests with random subdomains suggest a DNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can use both UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.

Using an IPS profile with DNS exfiltration-specific signatures allows FortiGate to:

● Detect and block abnormal DNS query patterns often used in exfiltration.

● Inspect encrypted DNS (DoH, DoT) traffic if SSL inspection is enabled.

● Identify known exfiltration domains and techniques based on FortiGuard threat intelligence.

When adding an additional FortiGate to an enterprise network that is already reaching its resource limits, the goal is to distribute traffic efficiently and ensure high availability.

FGSP (FortiGate Session Life Support Protocol) with external load balancers

FGSP allows session-aware load balancing between multiple FortiGate units without requiring them to be in an HA (High Availability) cluster.

With external load balancers, incoming traffic is evenly distributed across multiple FortiGate devices.

This approach is useful for scaling out traffic handling capacity while ensuring that sessions remain synchronized between firewalls.

FGSP is effective when stateful failover is required but without the constraints of traditional HA.

FGCP (FortiGate Clustering Protocol) in active-active mode and with switches

FGCP active-active mode enables multiple FortiGate devices to share traffic loads, increasing throughput and efficiency.

Active-active mode is suitable for balancing UTM processing across multiple FortiGates, making it ideal when resource limits are a concern.

Using switches ensures redundancy and avoids single points of failure in the network.

This mode is commonly used in enterprise networks where both scalability and redundancy are required.