Practice Free FCSS_EFW_AD-7.6 Exam Online Questions
Refer to the exhibit, which shows an ADVPN network.
The client behind Spoke-1 generates traffic to the device located behind Spoke-2.
What is the first message that the hub sends to Spoke-1 to bring up the dynamic tunnel?
- A . Shortcut query
- B . Shortcut offer
- C . Shortcut reply
- D . Shortcut forward
B
Explanation:
In an ADVPN (Auto-Discovery VPN) network, a dynamic VPN tunnel is established on-demand between spokes to optimize traffic flow and reduce latency.
Process:
Refer to the exhibit, which contains the partial output of an OSPF command.
An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit.
Which statement on this FortiGate device is correct?
- A . The FortiGate device can inject external routing information.
- B . The FortiGate device is in the area 0.0.0.5.
- C . The FortiGate device does not support OSPF ECMP.
- D . The FortiGate device is a backup designated router.
A
Explanation:
From the OSPF status output, the key information is:
● "This router is an ASBR" → This means the FortiGate is acting as an Autonomous System Boundary Router (ASBR).
● An ASBR is responsible for injecting external routing information into OSPF from another routing protocol (such as BGP, static routes, or connected networks).
An administrator is checking an enterprise network and sees a suspicious packet with the MAC address e0:23:ff:fc:00:86.
What two conclusions can the administrator draw? (Choose two.)
- A . The suspicious packet is related to a cluster that has VDOMs enabled.
- B . The network includes FortiGate devices configured with the FGSP protocol.
- C . The suspicious packet is related to a cluster with a group-id value lower than 255.
- D . The suspicious packet corresponds to port 7 on a FortiGate device.
A, C
Explanation:
The MAC address e0:23:ff:fc:00:86 follows the format used in FortiGate High Availability (HA) clusters. When FortiGate devices are in an HA configuration, they use virtual MAC addresses for failover and redundancy purposes.
The suspicious packet is related to a cluster that has VDOMs enabled:
FortiGate devices with Virtual Domains (VDOMs) enabled use specific MAC address ranges to differentiate HA-related traffic. This MAC address is likely part of that mechanism.
The suspicious packet is related to a cluster with a group-id value lower than 255:
FortiGate HA clusters assign virtual MAC addresses based on the group ID. The last octet (00:86) corresponds to a group ID that is below 255, confirming this option.
Refer to the exhibit, which shows the ADVPN IPsec interface representing the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub B to Spoke 3 and Spoke 4.
An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.
What must the administrator configure in the phase 1 VPN IPsec configuration of the ADVPN tunnels?
- A . set auto-discovery-sender enable and set network-id x
- B . set auto-discovery-forwarder enable and set remote-as x
- C . set auto-discovery-crossover enable and set enforce-multihop enable
- D . set auto-discovery-receiver enable and set npu-offload enable
C
Explanation:
When configuring ADVPN (Auto-Discovery VPN) to connect overlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.
● set auto-discovery-crossover enable
  ○ This allows cross-hub tunnel discovery in an ADVPN deployment where multiple hubs are used.
  ○ Since Hub A and Hub B belong to different overlays, enabling crossover discovery ensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.
● set enforce-multihop enable
  ○ This setting ensures that BGP peers using loopback interfaces can establish connectivity even if they are not directly connected.
  ○ Multihop BGP sessions are required when using loopback addresses as BGP peer sources because the connection might need to traverse multiple routers before reaching the BGP neighbor.
  ○ This is especially useful in ADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.
A company that acquired multiple branches across different countries needs to install new FortiGate devices on each of those branches. However, the IT staff lacks sufficient knowledge to implement the initial configuration on the FortiGate devices.
Which three approaches can the company take to successfully deploy advanced initial configurations on remote branches? (Choose three.)
- A . Use metadata variables to dynamically assign values according to each FortiGate device.
- B . Use provisioning templates and install configuration settings at the device layer.
- C . Use the Global ADOM to deploy global object configurations to each FortiGate device.
- D . Apply Jinja in the FortiManager scripts for large-scale and advanced deployments.
- E . Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices.
A, B, E
Explanation:
Use metadata variables to dynamically assign values according to each FortiGate device:
Metadata variables in FortiManager allow device-specific configurations to be dynamically assigned without manually configuring each FortiGate. This is especially useful when deploying multiple devices with similar base configurations.
Use provisioning templates and install configuration settings at the device layer:
Provisioning templates in FortiManager provide a structured way to configure FortiGate devices. These templates can define interfaces, policies, and settings, ensuring that each device is correctly configured upon deployment.
Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices:
Zero-Touch Provisioning (ZTP) and Local Touch Provisioning (LTP) help automate the deployment of FortiGate devices. By adding devices as model devices in FortiManager, configurations can be pushed automatically when devices connect for the first time, reducing manual effort.
An administrator wants to scale the IBGP sessions and optimize the routing table in an IBGP network.
Which parameter should the administrator configure?
- A . network-import-check
- B . ibgp-enforce-multihop
- C . neighbor-group
- D . route-reflector-client
D
Explanation:
In an IBGP (Internal BGP) network, all routers must be fully meshed, meaning every router must establish a BGP session with every other router in the same autonomous system (AS). This does not scale well in large networks due to the exponential increase in BGP sessions.
To optimize and scale IBGP, Route Reflectors (RRs) are used. A Route Reflector (RR) reduces the number of IBGP peer connections by allowing a centralized router (RR) to redistribute IBGP routes to other IBGP peers (called clients). This eliminates the need for a full mesh, significantly reducing BGP session overhead.
By configuring the route-reflector-client setting on IBGP peers, an administrator can:
● Scale IBGP sessions by reducing the number of direct BGP peer connections.
● Optimize the routing table by ensuring routes are efficiently propagated within the IBGP network.
● Eliminate the need for full mesh topology, making IBGP more manageable.
An administrator is extensively using VXLAN on FortiGate.
Which specialized acceleration hardware does FortiGate need to improve its performance?
- A . NP7
- B . SP5
- C . CP9
- D . NTurbo
A
Explanation:
VXLAN (Virtual Extensible LAN) is an overlay network technology that extends Layer 2 networks over Layer 3 infrastructure. When VXLAN is used extensively on FortiGate, hardware acceleration is crucial for maintaining performance.
● NP7 (Network Processor 7) is Fortinet’s latest network processor designed to accelerate high-performance networking features, including:
  ○ VXLAN encapsulation/decapsulation
  ○ IPsec VPN offloading
  ○ Firewall policy enforcement
  ○ Advanced threat protection at wire speed
NP7 significantly reduces latency and improves throughput when handling VXLAN traffic, making it the best choice for large-scale VXLAN deployments.
A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when the administrator checks the FortiGate logs, they do not see that the website was detected as insecure despite having an SSL certificate and correct profiles applied on the policy.
How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?
- A . The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard web filter.
- B . The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the TLS three-way handshake is correctly analyzed by FortiGate.
- C . The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that cannot be analyzed in common DNS requests on HTTPS websites.
- D . The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected.
D
Explanation:
FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless it decrypts it first. If only certificate inspection is enabled, FortiGate can see the certificate details (such as the domain and issuer) but cannot inspect the actual web content.
To fully analyze the traffic and detect potential malware threats:
● Full SSL inspection (Deep Packet Inspection) must be enabled in the SSL/SSH Inspection Profile.
● This allows FortiGate to decrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.
● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.
Which two statements about IKEv2 are true if an administrator decides to implement IKEv2 in the VPN topology? (Choose two.)
- A . It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
- B . It supports interoperability with devices using IKEv1.
- C . It exchanges a minimum of two messages to establish a secure tunnel.
- D . It supports the extensible authentication protocol (EAP).
A, D
Explanation:
IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.
It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
IKEv2 supports stronger cryptographic algorithms, including Elliptic Curve Diffie-Hellman (ECDH) groups such as ECP256 and ECP384, providing improved security compared to IKEv1.
It supports the extensible authentication protocol (EAP).
IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such as RADIUS, certificates, and smart cards. This is particularly useful for remote access VPNs where user authentication must be flexible and secure.
Refer to the exhibit, which contains a partial command output.
The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit.
What configuration must the administrator consider next?
- A . Configure a static route to 100.65.4.1.
- B . Configure the local AS to 65300.
- C . Contact the remote peer administrator to enable BGP.
- D . Enable ebgp-enforce-multihop.
D
Explanation:
From the BGP neighbor status output, the key issue is that BGP is stuck in the "Idle" state, meaning the FortiGate is unable to establish a BGP session with its peer 100.65.4.1 (Remote AS 65300).
The output also shows:
● "Not directly connected EBGP" → This means the BGP peer is not on the same subnet, requiring multihop BGP.
● "Update source is Loopback" → Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.
To resolve this issue, the administrator must enable ebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.