Practice Free FCSS_EFW_AD-7.6 Exam Online Questions
An administrator needs to install an IPS profile without triggering false positives that can impact applications and cause problems with the user’s normal traffic flow.
Which action can the administrator take to prevent false positives on IPS analysis?
- A . Use the IPS profile extension to select an operating system, protocol, and application for all the network internal services and users to prevent false positives.
- B . Enable Scan Outgoing Connections to avoid clicking suspicious links or attachments that can deliver botnet malware and create false positives.
- C . Use an IPS profile with action monitor; however, the administrator must be aware that this can compromise network integrity.
- D . Install missing or expired SSL/TLS certificates on the client PC to prevent expected false positives.
A
Explanation:
False positives in Intrusion Prevention System (IPS) analysis can disrupt legitimate traffic and negatively impact user experience.
To reduce false positives while maintaining security, administrators can:
● Use IPS profile extensions to fine-tune the settings based on the organization’s environment.
● Select the correct operating system, protocol, and application types to ensure that IPS signatures match the network’s actual traffic patterns, reducing false positives.
● Customize signature selection based on the network’s specific services, filtering out unnecessary or irrelevant signatures.
Refer to the exhibit.
A pre-run CLI template that is used in zero-touch provisioning (ZTP) and low-touch provisioning (LTP) with FortiManager is shown.
The template is not assigned even though the configuration has already been installed on FortiGate.
What is true about this scenario?
- A . The administrator did not assign the template correctly when adding the model device because pre-CLI templates remain permanently assigned to the firewall.
- B . Pre-run CLI templates are automatically unassigned after their initial installation.
- C . Pre-run CLI templates for ZTP and LTP must be unassigned manually after the first installation to avoid conflicting error objects when importing a policy package.
- D . The administrator must use post-run CLI templates that are designed for ZTP and LTP.
B
Explanation:
In FortiManager, pre-run CLI templates are used in Zero-Touch Provisioning (ZTP) and Low-Touch Provisioning (LTP) to configure a FortiGate device before it is fully managed by FortiManager.
These templates apply configurations when a device is initially provisioned. Once the pre-run CLI template is executed, FortiManager automatically unassigns it from the device because it is not meant to persist like other policy configurations. This prevents conflicts and ensures that the FortiGate configuration is not repeatedly applied after the initial setup.
An administrator must standardize the deployment of FortiGate devices across branches with consistent interface roles and policy packages using FortiManager.
What is the recommended best practice for interface assignment in this scenario?
- A . Enable metadata variables to use dynamic configurations in the standard interfaces of FortiManager.
- B . Use the Install On feature in the policy package to automatically assign different interfaces based on the branch.
- C . Create interfaces using device database scripts to use them on the same policy package of FortiGate devices.
- D . Create normalized interface types per-platform to automatically recognize device layer interfaces based on the FortiGate model and interface name.
A
Explanation:
When standardizing the deployment of FortiGate devices across branches using FortiManager, the best practice is to use metadata variables. This allows for dynamic interface configuration while maintaining a single, consistent policy package for all branches.
● Metadata variables in FortiManager enable interface roles and configurations to be dynamically assigned based on the specific FortiGate device.
● This ensures scalability and consistent security policy enforcement across all branches without manually adjusting interface settings for each device.
● When a new branch FortiGate is deployed, metadata variables automatically map to the correct physical interfaces, reducing manual configuration errors.
Refer to the exhibit, which shows an ADVPN network.
An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.
What two options must the administrator configure in BGP? (Choose two.)
- A . set ebgp-enforce-multihop enable
- B . set next-hop-self enable
- C . set ibgp-enforce-multihop advpn
- D . set attribute-unchanged next-hop
A, B
Explanation:
In this ADVPN (Auto-Discovery VPN) network, there are two hubs (Hub A and Hub B) connected via EBGP, while IBGP is used within each overlay. To ensure proper BGP routing between the overlays, the administrator must configure specific BGP options.
set ebgp-enforce-multihop enable
By default, EBGP requires directly connected neighbors. Since Hub A and Hub B are not directly connected but reach each other over an IPsec tunnel, multihop must be enabled for EBGP sessions to work.
set next-hop-self enable
In IBGP, the next-hop attribute does not change by default. When an IBGP route is advertised from a spoke to another hub or spoke, the next-hop needs to be updated to ensure proper reachability. Enabling next-hop-self forces the BGP speaker to advertise itself as the next-hop, ensuring that all spokes properly reach routes across the overlays.
Refer to the exhibit, which shows the HA status of an active-passive cluster.
An administrator wants FortiGate_B to handle the Core2 VDOM traffic.
Which modification must the administrator apply to achieve this?
- A . The administrator must disable override on FortiGate_A.
- B . The administrator must change the priority from 100 to 160 for FortiGate_B.
- C . The administrator must change the load balancing method on FortiGate_B.
- D . The administrator must change the priority from 128 to 200 for FortiGate_B.
D
Explanation:
The exhibit shows an active-passive HA (high availability) cluster with two virtual clusters, where FortiGate_A is the primary device for both Core1 and Core2. If the goal is to have FortiGate_B take over Core2 traffic, its priority must be higher than FortiGate_A for Virtual Cluster 2.
Currently, FortiGate_A has a priority of 150 for Core2, while FortiGate_B has 128. Increasing FortiGate_B’s priority to 200 ensures it becomes the primary for Virtual Cluster 2, taking over the Core2 VDOM traffic while keeping Core1 traffic on FortiGate_A.
Disabling override would prevent forced failovers but wouldn’t change the role distribution. Adjusting the load-balancing method is irrelevant in an active-passive setup, as it only applies to active-active configurations.
Refer to the exhibit, which shows a LAN interface connected from FortiGate to two FortiSwitch devices.
What two conclusions can you draw from the corresponding LAN interface? (Choose two.)
- A . You must enable STP or RSTP on FortiGate and FortiSwitch to avoid layer 2 loopbacks.
- B . The LAN interface must use an 802.3ad type interface.
- C . This connection is using a FortiLink to manage VLANs on FortiGate.
- D . FortiGate is using an SD-WAN-type interface to connect to a FortiSwitch device with MCLAG.
B, C
Explanation:
The diagram shows a FortiGate connected to two FortiSwitches, which suggests the use of FortiLink, Fortinet’s protocol for managing switches directly from a FortiGate. Since multiple connections are being used, the LAN interface must be set to 802.3ad (LAG) mode to aggregate the links for redundancy and load balancing.
This setup allows FortiGate to handle VLAN assignments dynamically, as seen with VLAN 10 (192.168.15.1/24). FortiLink ensures seamless integration between FortiGate and FortiSwitches, making STP unnecessary because Fortinet’s MCLAG prevents loops at Layer 2. SD-WAN, on the other hand, is used for WAN interfaces and does not apply to switch connectivity in this scenario.
What does the command set forward-domain <domain_ID> in a transparent VDOM interface do?
- A . It configures the interface to prioritize traffic based on the domain ID, enhancing quality of service for specified VLANs.
- B . It isolates traffic within a specific VLAN by assigning a broadcast domain to an interface based on the VLAN ID.
- C . It restricts the interface to managing traffic only from the specified VLAN, effectively segregating network traffic.
- D . It assigns a unique domain ID to the interface, allowing it to operate across multiple VLANs within the same VDOM.
B
Explanation:
In a transparent mode Virtual Domain (VDOM) configuration, FortiGate operates as a Layer 2 bridge rather than performing Layer 3 routing. The set forward-domain <domain_ID> command is used to control how traffic is forwarded between interfaces within the same transparent VDOM.
A forward-domain acts as a broadcast domain, meaning only interfaces with the same forward-domain ID can exchange traffic. This setting is commonly used to separate different VLANs or network segments within the transparent VDOM while still allowing FortiGate to apply security policies.