FCSS_EFW_AD-7.4 Fortinet FCSS - Enterprise Firewall 7.4 Administrator Free Practice Exam Questions (2025 Updated)

When FortiGate is operating inproxy modewithfull SSL inspection enabled, it inspects encrypted HTTPS traffic by default onport 443. However, some websites may usenon-standard HTTPS ports(such as 8443), which FortiGate does not inspect unless explicitly configured.

To ensure that FortiGate inspects HTTPS traffic onport 8443, administrators mustmanually add port 8443in theProtocol Port Mappingsection of theSSL/SSH Inspection Profile. This allows FortiGate to treat HTTPS traffic on port 8443 the same as traffic on port 443, enabling proper inspection and enforcement ofFortiGuard category-based web filtering.

In this scenario, thecorporate networkand thenew remote office networkneed to communicate over theInternet, which requires asecure and dynamic routing method. Since both networks are usingOSPF (Open Shortest Path First)as the routing protocol, the best approach is to establish anOSPF over IPsec VPNto ensure secure and dynamic route propagation.

OSPF is already running on the corporate network, and extending it over an IPsec tunnel allows dynamic route exchange between the corporate FortiGate and the remote office FortiGate.IPsec provides encryptionfor traffic over the Internet, ensuring secure communication.OSPF over IPsec eliminates the need for manual static routes, allowing automatic route updates if networks change.

The new remote office's192.168.1.0/24 subnetwill be advertised dynamically to the corporate network without additional configuration.

When FortiGate processes the first packets of a session, it follows a sequence of steps to determine how the traffic should be handled before establishing a session. The initial step involves:

● Access Control List (ACL) checks: Determines if the traffic should be allowed or blocked based on predefined security rules.

● Hardware Packet Engine (HPE) inspections: Ensures that packet headers are valid and comply with protocol standards.

● IP Integrity Header Checking: Verifies if the IP headers are intact and not malformed or spoofed.

Once these security inspections are completed and the session is validated, FortiGate then installs the session in hardware (if offloading is enabled) or processes it in software.

ADVPN (Auto-Discovery VPN) 2.0is the optimal solution for enablingdirect spoke-to-spoke communicationwithout passing through the hub, while also allowingautomatic link selectionbased on quality metrics.

●Dynamic Direct Tunnels:

● ADVPN 2.0 allowsspokes to establish direct IPsec tunnels dynamicallybased on traffic patterns, reducing latency and improving performance.

● Unlike static VPNs, spokes do not need to pre-configure tunnels for each other.

●Automatic Link Optimization:

● ADVPN 2.0monitors the qualityof multiple internet connections on each spoke.

● It automatically switches to the best available connection when the primary linkdegrades or fails.

● This is achieved by dynamically adjusting BGP-based routing or leveraging SD-WAN integration.

Whenadding an additional FortiGateto an enterprise network that is already reaching itsresource limits, the goal is to distribute traffic efficiently and ensurehigh availability.

FGSP (FortiGate Session Life Support Protocol) with external load balancers

FGSP allowssession-aware load balancingbetween multiple FortiGate units without requiring them to be in an HA (High Availability) cluster.

Withexternal load balancers, incoming traffic isevenly distributedacross multiple FortiGate devices.

This approach is useful forscaling outtraffic handling capacity while ensuring that sessions remainsynchronizedbetween firewalls.

FGSP is effectivewhen stateful failover is requiredbut without the constraints of traditional HA.

FGCP (FortiGate Clustering Protocol) in active-active mode and with switches

FGCPactive-active modeenables multiple FortiGate devices toshare traffic loads, increasing throughput and efficiency.

Active-active mode is suitable forbalancing UTM processingacross multiple FortiGates, making it ideal whenresource limits are a concern.

Usingswitchesensures redundancy and avoids single points of failure in the network.

This mode is commonly used inenterprise networkswhere bothscalability and redundancyare required.

The issue occurs because FortiGate enforces the "do not fragment" (DF) bit in the packet, and the packet size exceeds the MTU of the network path. When the Windows PC1 (with an MTU of 1500 bytes) attempts to send a 1400-byte packet, the FortiGate interface (with an MTU of 1000 bytes) needs to fragment it. However, since the DF bit is set, FortiGate drops the packet instead of fragmenting it.

To resolve this, the user should adjust the ping packet size to fit within the path MTU. In this case, reducing the packet size to972 bytes(1000 bytes MTU minus 28 bytes for the IP and ICMP headers) should allow successful transmission.

From theRoot FortiGate - System Administrator Configurationexhibit:

● TheAdminSSOaccount has thesuper_admin_readonlyrole.

From theDownstream FortiGate - Security Fabric Settingsexhibit:

● TheSecurity Fabric roleis set toJoin Existing Fabric, meaning it will authenticate with the root FortiGate.

●SAML Single Sign-On (SSO) is enabled, and thedefault admin profileis set tosuper_admin_readonly.

When theAdminSSOuser logs into the downstream FortiGate usingSSO, the authentication request is sent to the root FortiGate, where AdminSSO hassuper_admin_readonlypermissions. Since the downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be grantedsuper_admin_readonlyaccess.

When designing anADVPN (Auto-Discovery VPN) networkfor alarge enterprisewith spokes that havevarying numbers of internet links, the main challenge is tominimize the number of peer connections and routesat the hub while maintainingscalability and efficiency.

Using a dynamic routing protocol (such as BGP or OSPF) with loopback interfaces helps in several ways:

●Reduces the number of peer connectionsat the hub byusing a single loopback address per spokeinstead of individual physical interfaces.

●Enables simplified route advertisementby dynamically learning and propagating routes instead of manually configuring static routes.

●Supports multiple internet links per spokeefficiently, as dynamic routing can automatically adjust to the best available path.

●Allows seamless failoverif a spoke’s internet link fails, ensuring continuous connectivity.

Theset tcp-mss-senderandset tcp-mss-receivercommands in afirewall policyallow an administrator to adjust theMaximum Segment Size (MSS)of TCP packets.

This setting controls thelargest payload sizethat a device can handle in a singleTCP segment, ensuring that packets do not exceed the allowed MTU (Maximum Transmission Unit) along the network path.

●set tcp-mss-senderadjusts the MSS value foroutgoing TCP traffic.

●set tcp-mss-receiveradjusts the MSS value forincoming TCP traffic.

This helps prevent issues withfragmentationandMTU mismatches, improving network performance and avoiding retransmissions.

Use metadata variables to dynamically assign values according to each FortiGate device:Metadata variables in FortiManager allow device-specific configurations to be dynamically assigned without manually configuring each FortiGate. This is especially useful when deploying multiple devices with similar base configurations.

Use provisioning templates and install configuration settings at the device layer:Provisioning templates in FortiManager provide a structured way to configure FortiGate devices. These templates can define interfaces, policies, and settings, ensuring that each device is correctly configured upon deployment.

Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices:Zero-Touch Provisioning (ZTP) and Local Touch Provisioning (LTP) help automate the deployment of FortiGate devices. By adding devices as model devices in FortiManager, configurations can be pushed automatically when devices connect for the first time, reducing manual effort.

The diagram shows amulti-area OSPF networkwhere:

●FortiGate Ais inOSPF Area 0 (Backbone area).

●FortiGate Bis inOSPF Area 0.0.0.1and is connected to anRIP network.

To ensure thatOSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B mustredistribute RIP routes into OSPF.

Steps to achieve this:

1.Enable route redistribution on FortiGate Bto inject RIP-learned routes into OSPF.

2. This allows OSPFArea 0.0.0.1to forward RIP routes toOSPF Area 0 (0.0.0.0), making the external network visible.

Thebest way to automate a firewall policyusing a daily updated list ofIP addressesis by using anexternal connector from Threat Feeds. This allows FortiGate to dynamically retrievereal-time threat intelligencefrom external sources and apply it directly to security policies.

By configuringThreat Feeds, the administrator can:

●Automatically updatefirewall policies with the latest malicious IPs daily.

●Block trafficfrom those IPs in real-time without manual intervention.

●Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).

False positives inIntrusion Prevention System (IPS)analysis can disrupt legitimate traffic and negatively impact user experience. To reduce false positives while maintaining security, administrators can:

●Use IPS profile extensions to fine-tune the settings based on the organization's environment.

●Select the correct operating system, protocol, and application typesto ensure that IPS signatures match the network's actual traffic patterns, reducing false positives.

●Customize signature selectionbased on the network’s specific services, filtering out unnecessary or irrelevant signatures.

neighbor-group:

● This command is used to group multipleBGP neighborswith the same configuration, reducing redundant configuration.

● Instead of defining individual BGP settings for each spoke, the administrator can create aneighbor-groupand apply the same policies, reducing manual work.

neighbor-range:

● This command allows the configuration ofa range of neighbor IPs dynamically, reducing the need to manually define each spoke neighbor.

● It automatically addsBGP neighborsthat match a given prefix, simplifying deployment.

VXLAN (Virtual Extensible LAN)is an overlay network technology that extends Layer 2 networks over Layer 3 infrastructure. When VXLAN is used extensively on FortiGate, hardware acceleration is crucial for maintaining performance.

●NP7 (Network Processor 7)is Fortinet’s latest network processor designed to accelerate high-performance networking features, including:

●VXLAN encapsulation/decapsulation

●IPsec VPN offloading

●Firewall policy enforcement

●Advanced threat protection at wire speed

NP7 significantlyreduces latency and improves throughputwhen handling VXLAN traffic, making it the best choice for large-scale VXLAN deployments.

InBGP (Border Gateway Protocol), aneighbor (peer) configurationis required to establish a connection between two BGP routers. SinceFortiGate A is connecting to the ISP (Autonomous System 10) from AS 30, the administrator must define theISP's BGP router as a neighbor.

Theconfig neighborcommand is used to:

●Define the ISP's IP address as a BGP peer

●Specify the remote AS (AS 10 in this case)

●Allow BGP route exchanges between FortiGate A and the ISP