FCSS_EFW_AD-7.6 Fortinet FCSS - Enterprise Firewall 7.6 Administrator Free Practice Exam Questions (2025 Updated)

When designing an ADVPN (Auto-Discovery VPN) network for a large enterprise with spokes that have varying numbers of internet links, the main challenge is to minimize the number of peer connections and routes at the hub while maintaining scalability and efficiency.

Using a dynamic routing protocol (such as BGP or OSPF) with loopback interfaces helps in several ways:

● Reduces the number of peer connections at the hub by using a single loopback address per spoke instead of individual physical interfaces.

● Enables simplified route advertisement by dynamically learning and propagating routes instead of manually configuring static routes.

● Supports multiple internet links per spoke efficiently, as dynamic routing can automatically adjust to the best available path.

● Allows seamless failover if a spoke’s internet link fails, ensuring continuous connectivity.

To minimize CPU and RAM usage while still enforcing security features like web filtering and application control, SSL certificate inspection mode is the best choice.

● SSL certificate inspection allows FortiGate to inspect only the SSL/TLS handshake, including the Server Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.

● This enables features like web filtering and application control because FortiGate can determine the destination website or application based on SNI and certificate information.

● It significantly reduces system load compared to full SSL inspection, which requires full decryption and re-encryption of traffic.

The set tcp-mss-sender and set tcp-mss-receiver commands in a firewall policy allow an administrator to adjust the Maximum Segment Size (MSS) of TCP packets.

This setting controls the largest payload size that a device can handle in a single TCP segment, ensuring that packets do not exceed the allowed MTU (Maximum Transmission Unit) along the network path.

● set tcp-mss-sender adjusts the MSS value for outgoing TCP traffic.

● set tcp-mss-receiver adjusts the MSS value for incoming TCP traffic.

This helps prevent issues with fragmentation and MTU mismatches, improving network performance and avoiding retransmissions.

The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).

● npu_flag=20:

● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.

● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:

● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.

● npu_selid=1:

● This value means the session selector for the NPU offloaded SA is active.

Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

The OSPF database optimization is necessary to reduce unnecessary routing information and improve network performance. In the given topology, Area 0.0.0.1 is a non-backbone area connected to Area 0.0.0.0 (the backbone area) through an Area Border Router (ABR).

To optimize OSPF in this scenario, configuring Area 0.0.0.1 as a Stub Area will:

● Reduce the size of the OSPF database by preventing external routes (from outside OSPF) from being injected into Area 0.0.0.1.

● Allow only intra-area and inter-area routes, meaning routers in Area 0.0.0.1 will rely on a default route for external destinations.

● Improve convergence time and reduce router processing load since fewer LSAs (Link-State Advertisements) are exchanged.

From the exhibit, ISFW is part of a Security Fabric environment with NGFW-1 as the Fabric Root. In this architecture, FortiGate devices share security intelligence, including logs and detected threats.

ISFW is in a Security Fabric environment:

● Security Fabric allows devices like ISFW to receive threat intelligence from NGFW-1, even if UTM is not enabled locally.

● If NGFW-1 detects malware from IP 10.1.10.1 to 89.238.73.97, this information can be propagated to ISFW and FortiAnalyzer.

The firewall policy in NGFW-1 has UTM enabled:

● Even though ISFW does not have UTM enabled, NGFW-1 (which sits between ISFW and the external network) does have UTM enabled and is scanning traffic.

● Since NGFW-1 detects malware in the session, it logs the event, which is then sent to FortiAnalyzer.

In the given ADVPN (Auto-Discovery VPN) topology, BGP is being used to dynamically establish routes between spokes. The neighbor-range configuration is crucial for simplifying BGP peer setup by automatically assigning neighbors based on their IP range.

set neighbor-group advpn

● The neighbor-group parameter is used to apply pre-defined settings (such as AS number) to dynamically discovered BGP neighbors.

● The advpn neighbor-group is already defined in the configuration, and assigning it to the neighbor-range ensures consistent BGP settings for all spoke neighbors.

set prefix 172.16.1.0 255.255.255.0

● This command allows dynamic BGP peer discovery by defining a range of potential neighbor IPs (172.16.1.1 - 172.16.1.255).

● Since each spoke has a unique /32 IP within this subnet, this ensures that any spoke within the 172.16.1.0/24 range can automatically establish a BGP session with the hub.

FortiGate's IPS protocol decoders analyze network transmission patterns and application signatures to identify and block malicious traffic. Application Control is the feature that allows FortiGate to detect, classify, and block applications based on their behavior and signatures, even when they do not rely on traditional URLs.

● Application Control works alongside IPS protocol decoders to inspect packet payloads and enforce security policies based on recognized application behaviors.

● It enables granular control over non-URL-based applications such as P2P traffic, VoIP, messaging apps, and other non-web-based protocols that IPS can identify through protocol decoders.

● IPS and Application Control together can detect evasive or encrypted applications that might bypass traditional firewall rules.

Since Core1 and Core2 are not designated as management VDOMs, they rely on the root VDOM for connectivity to external resources such as FortiGuard updates. If the root VDOM lacks a VDOM link to these VDOMs or cannot reach FortiGuard services, security features like web filtering will stop working.

When configuring a loopback interface as the BGP source for connecting to an ISP, two important settings must be applied:

1. Enable EBGP Multihop (ebgp-enforce-multihop)

BGP normally expects directly connected neighbors, but since the ISP and FortiGate A are using loopback interfaces, packets will not be sent directly between their physical interfaces.

The ebgp-enforce-multihop command allows BGP to form an eBGP peering over multiple hops.

2. Set the Update Source (update-source)

Since FortiGate is using a loopback interface as the source, the update-source command ensures that BGP updates originate from the loopback interface rather than a physical interface.

This is essential because BGP peers must match the source IP with the configured neighbor address.

From the OSPF status output, the key information is:

● "This router is an ASBR" → This means the FortiGate is acting as an Autonomous System Boundary Router (ASBR).

● An ASBR is responsible for injecting external routing information into OSPF from another routing protocol (such as BGP, static routes, or connected networks).

When configuring ADVPN (Auto-Discovery VPN) to connect overlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

● set auto-discovery-crossover enable

● This allows cross-hub tunnel discovery in an ADVPN deployment where multiple hubs are used.

● Since Hub A and Hub B belong to different overlays, enabling crossover discovery ensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

● set enforce-multihop enable

● This setting ensures that BGP peers using loopback interfaces can establish connectivity even if they are not directly connected.

● Multihop BGP sessions are required when using loopback addresses as BGP peer sources because the connection might need to traverse multiple routers before reaching the BGP neighbor.

● This is especially useful in ADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.

The FortiGate SSL/SSH inspection profile is configured for Full SSL Inspection, which is necessary to analyze encrypted HTTPS traffic. However, the firewall policy is protecting an SSL server (the Linux server hosting the website), and currently, the SSL/SSH profile only applies to client-side SSL inspection.

To detect HTTPS-based attacks targeting the Linux server:

● FortiGate must act as an SSL intermediary to inspect encrypted traffic destined for the web server.

● The administrator must upload the SSL certificate of the Linux web server to FortiGate so that the server-side SSL inspection can decrypt incoming HTTPS traffic before analyzing it.

The best way to automate a firewall policy using a daily updated list of IP addresses is by using an external connector from Threat Feeds. This allows FortiGate to dynamically retrieve real-time threat intelligence from external sources and apply it directly to security policies.

By configuring Threat Feeds, the administrator can:

● Automatically update firewall policies with the latest malicious IPs daily.

● Block traffic from those IPs in real-time without manual intervention.

● Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).

When adding an additional FortiGate to an enterprise network that is already reaching its resource limits, the goal is to distribute traffic efficiently and ensure high availability.

FGSP (FortiGate Session Life Support Protocol) with external load balancers

FGSP allows session-aware load balancing between multiple FortiGate units without requiring them to be in an HA (High Availability) cluster.

With external load balancers, incoming traffic is evenly distributed across multiple FortiGate devices.

This approach is useful for scaling out traffic handling capacity while ensuring that sessions remain synchronized between firewalls.

FGSP is effective when stateful failover is required but without the constraints of traditional HA.

FGCP (FortiGate Clustering Protocol) in active-active mode and with switches

FGCP active-active mode enables multiple FortiGate devices to share traffic loads, increasing throughput and efficiency.

Active-active mode is suitable for balancing UTM processing across multiple FortiGates, making it ideal when resource limits are a concern.

Using switches ensures redundancy and avoids single points of failure in the network.

This mode is commonly used in enterprise networks where both scalability and redundancy are required.

False positives in Intrusion Prevention System (IPS) analysis can disrupt legitimate traffic and negatively impact user experience. To reduce false positives while maintaining security, administrators can:

● Use IPS profile extensions to fine-tune the settings based on the organization's environment.

● Select the correct operating system, protocol, and application types to ensure that IPS signatures match the network's actual traffic patterns, reducing false positives.

● Customize signature selection based on the network’s specific services, filtering out unnecessary or irrelevant signatures.