Free Fortinet FCSS_EFW_AD-7.6 Practice Exam with Questions & Answers | Set: 2

The Fortinet FGSP (FortiGate Session Life Support Protocol) cluster allows session synchronization between two FortiGate devices to provide seamless failover. However, ICMP (ping) is a connectionless protocol, and by default, FortiGate does not synchronize connectionless sessions unless explicitly enabled.

In the exhibit:

● The command get system session list | grep icmp on FortiGate_B returns no output, meaning that ICMP sessions are not being synchronized from FortiGate_A.

● If session-pickup-connectionless is disabled, FortiGate_B will not receive ICMP sessions, causing packet loss during failover.

When FortiGate is operating in proxy mode with full SSL inspection enabled, it inspects encrypted HTTPS traffic by default on port 443. However, some websites may use non-standard HTTPS ports (such as 8443), which FortiGate does not inspect unless explicitly configured.

To ensure that FortiGate inspects HTTPS traffic on port 8443, administrators must manually add port 8443 in the Protocol Port Mapping section of the SSL/SSH Inspection Profile. This allows FortiGate to treat HTTPS traffic on port 8443 the same as traffic on port 443, enabling proper inspection and enforcement of FortiGuard category-based web filtering.

The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device.

The FortiGate device is connected to multiple areas

● The output states: " This router is an ABR "

● ABR (Area Border Router) means the device is connected to multiple OSPF areas and maintains routing information between them.

● This confirms that the FortiGate is not just in one area, but at least one backbone area (Area 0) and another OSPF area.

The FortiGate device injects external routing information

● The output states: " Supports opaque LSA "

● Opaque LSAs (Type 9, 10, and 11) are used in OSPF extensions, including those that support external route injection.

● Typically, ABRs or ASBRs (Autonomous System Boundary Routers) inject external routes, allowing routes from other routing protocols (such as BGP or static routes) to be advertised into OSPF.

Comprehensive and Detailed 150 to 200 words of Explanation From Exact Extract of Enterprise Firewall 7.6 Administrator documents:

According to the FortiManager 7.6 Study Guide regarding Object Management and the Import Device Wizard, FortiManager uses a centralized database where objects are shared across an ADOM. When importing a configuration from a FortiGate, the wizard compares local objects with those already existing in the FortiManager ADOM database.

As shown in the exhibit, conflicts exist for the Web_restrictions and deep-inspection profiles. Since these profiles are shared with other FortiGate devices, a decision must be made:

Selecting " FortiManager " : The local FortiGate settings will be overwritten by the FortiManager ' s database version upon the next installation, potentially losing site-specific configurations.

Selecting " FortiGate " : The FortiManager ADOM database is updated with the new values. This causes all other FortiGate devices using these shared objects to move into a " Modified " status, as their local configurations no longer match the updated central database.

To resolve this conflict properly when different devices require different settings for the same profile type, the best practice is to create uniquely named objects (Option B) on the FortiGate before re-importing. This ensures that the specific requirements for the Core1 VDOM are met without affecting the global objects used by the rest of the enterprise network.

FortiManager uses a feature called per-device mapping (also referred to as dynamic mapping) to manage environments where different FortiGate devices require different values for the same object name. For example, an address object named " LAN " might represent 172.16.0.0/24 on one device and 192.168.0.0/24 on another.

When an administrator views the policy package in the FortiManager GUI, they see the common object name used across the ADOM. However, the reinstall preview generates the actual CLI commands that will be pushed to the specific FortiGate unit. This preview reflects the specific mapped value or name defined for that individual device, which is why the names or values may appear different from the generic policy view.

==============

" Zero phase 2 selectors " (also known as 0.0.0.0/0 selectors) are commonly used in dynamic VPN environments like ADVPN to allow any traffic to be routed into the tunnel. However, because the selector itself does not define the network range, there is a risk of traffic being sent down " invalid paths " if the routing table is not properly maintained.

Assign tunnel IP: For dynamic routing protocols to function over an IPsec tunnel, the tunnel interfaces must have IP addresses assigned.

Routing protocols: To ensure traffic only follows valid paths, dynamic routing protocols (such as BGP or OSPF) must be used to populate the routing table with the specific prefixes that are actually reachable through each tunnel.

==============

Standard certificate inspection (which relies on the SNI) only identifies the destination domain; it does not allow the FortiGate to see the actual content of the encrypted session. As noted in the lab documentation, " certificate inspection on its own does not help HQ-DCFW to see the encrypted traffic " . To identify and block malware hidden within HTTPS traffic, the FortiGate must be configured with full SSL inspection (also known as deep inspection). This process involves the FortiGate acting as a man-in-the-middle to decrypt the packets, scan the payload for threats using the applied security profiles (like Antivirus or IPS), and then re-encrypt the traffic before sending it to the host. Without full decryption, the unit " will not decrypt packets to analyze if there is a possible attack, " allowing malware to bypass security layers.

==============

Encapsulation (such as IPsec, VXLAN, or FGSP synchronization) adds overhead to standard packets, often causing them to exceed the standard MTU of 1500 bytes and leading to fragmentation or dropped packets. The Enterprise Firewall curriculum notes that while " jumbo packets " can be detected as possible attacks by IPS, adjusting MTU and MSS values to account for encapsulation should ideally be performed in a controlled environment . This allows administrators to accurately measure the required overhead and verify that the adjustments do not cause unintended network instability or performance degradation across the entire infrastructure.

==============

Comprehensive and Detailed 150 to 200 words of Explanation From Exact Extract of Enterprise Firewall 7.6 Administrator documents:

According to the FortiOS 7.6 Administration Guide and the FortiGate Infrastructure study materials, inter-VDOM communication can be achieved using either software-based VDOM links or hardware-accelerated NPU VDOM links (vlinks).

While standard VDOM links (Option B) allow traffic to pass between VDOMs, they are processed by the system CPU, which can become a bottleneck in high-throughput environments. To ensure accelerated internet access as specified in the requirements, NPU vlinks (Option C) must be used. NPU vlinks are virtual interfaces created in pairs that allow traffic to be offloaded to the FortiGate’s Network Processor (NP6, NP7, etc.), significantly reducing latency and CPU overhead.

In the provided exhibit, the root VDOM has direct internet access, while VDOM1 and VDOMn do not. By configuring NPU vlinks between the non-root VDOMs and the root VDOM, you create a hardware-accelerated path. Traffic from the internal VDOMs is sent through the vlink to the root VDOM, which then forwards it to the Internet. This " hub-and-spoke " VDOM architecture, powered by NPU acceleration, ensures that all VDOMs share the internet connection without sacrificing performance.

Zero phase selectors in IPsec Phase 2 mean that no specific traffic selectors (subnets) are defined, allowing any traffic to be encrypted through the VPN tunnel. This can cause unintended traffic forwarding issues and disrupt network operations.

To prevent this from happening during future migrations:

● Using routing protocols ensures that only specific subnets are advertised over the tunnel. Dynamic routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing unintended traffic from being encrypted.

● Clearly defining phase 2 selectors avoids the problem of encrypting all traffic by explicitly stating the allowed source and destination subnets. This prevents the tunnel from affecting unrelated network traffic.