Free Fortinet FCSS_EFW_AD-7.4 Practice Exam with Questions & Answers | Set: 2

Since Core1 and Core2 are not designated as management VDOMs, they rely on the root VDOM for connectivity to external resources such as FortiGuard updates. If the root VDOM lacks a VDOM link to these VDOMs or cannot reach FortiGuard services, security features like web filtering will stop working.

ADVPN (Auto-Discovery VPN) 2.0is the optimal solution for enablingdirect spoke-to-spoke communicationwithout passing through the hub, while also allowingautomatic link selectionbased on quality metrics.

●Dynamic Direct Tunnels:

● ADVPN 2.0 allowsspokes to establish direct IPsec tunnels dynamicallybased on traffic patterns, reducing latency and improving performance.

● Unlike static VPNs, spokes do not need to pre-configure tunnels for each other.

●Automatic Link Optimization:

● ADVPN 2.0monitors the qualityof multiple internet connections on each spoke.

● It automatically switches to the best available connection when the primary linkdegrades or fails.

● This is achieved by dynamically adjusting BGP-based routing or leveraging SD-WAN integration.

FortiGate_A and FortiGate_B are in thesame autonomous system (AS), andFortiGate_Adoesnot currently have route 172.16.1.248/30in its routing table. However, FortiGate_B has this routeas a connected route.

To dynamically advertiseonly172.16.1.248/30 fromFortiGate_B to FortiGate_A, the administrator must configure aBGP route map outonFortiGate_Bthat specifically permitsonlythis prefix.

A BGP route map out on FortiGate_Bcontrols which routes FortiGate_B advertises to FortiGate_A. If no filtering is applied, FortiGate_B might advertiseall BGP-learned and connected routes, which is not what the administrator wants. The route map should include aprefix-listthat explicitlyallows only172.16.1.248/30 and denies everything else.

TheFortinet FGSP (FortiGate Session Life Support Protocol) clusterallows session synchronization betweentwo FortiGate devicesto provide seamless failover. However,ICMP (ping) is a connectionless protocol, and by default, FortiGate does not synchronize connectionless sessions unless explicitly enabled.

In the exhibit:

● The commandget system session list | grep icmponFortiGate_Breturnsno output, meaning that ICMP sessions arenot being synchronizedfrom FortiGate_A.

● Ifsession-pickup-connectionlessis disabled,FortiGate_B will not receive ICMP sessions, causingpacket lossduring failover.

FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless itdecryptsit first. Ifonly certificate inspectionis enabled, FortiGate can see the certificate details (such as the domain and issuer) butcannot inspect the actual web content.

To fully analyze the traffic and detect potential malware threats:

●Full SSL inspection (Deep Packet Inspection)must be enabled in theSSL/SSH Inspection Profile.

● This allows FortiGate todecrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.

● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.

In anADVPN (Auto-Discovery VPN) network, adynamic VPN tunnelis establishedon-demandbetween spokes to optimize traffic flow and reduce latency.

Process:

1.Traffic Initiation:

A client behindSpoke-1sends traffic to a device behindSpoke-2.

The traffic initially flows through thehub, following the pre-established overlay tunnel.

2.Hub Detection:

Thehubdetects that Spoke-1 is communicating with Spoke-2 and determines that adirect shortcut tunnelbetween the spokes can optimize the connection.

3.Shortcut Offer:

Thehub sends a "Shortcut Offer"message to Spoke-1, informing it that a directdynamic tunnelto Spoke-2 is possible.

4.Tunnel Establishment:

Spoke-1 and Spoke-2 then negotiate and establish a directIPsec tunnelfor communication.

To minimizeCPU and RAM usagewhile still enforcingsecurity features like web filtering and application control,SSL certificate inspection modeis the best choice.

●SSL certificate inspectionallows FortiGate to inspectonly the SSL/TLS handshake, including theServer Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.

● This enables features likeweb filtering and application controlbecause FortiGate can determine thedestination website or applicationbased onSNI and certificate information.

● Itsignificantly reduces system loadcompared tofull SSL inspection, which requires full decryption and re-encryption of traffic.