Which two statements about IKEv2 are true if an administrator decides to implement IKEv2 in the VPN topology? (Choose two.)
Answer : A, D
IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.
It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
IKEv2 supports stronger cryptographic algorithms, including Elliptic Curve Diffie-Hellman (ECDH) groups such as ECP256 and ECP384, providing improved security compared to IKEv1.
It supports the Extensible Authentication Protocol (EAP).
IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such as RADIUS, certificates, and smart cards. This is particularly useful for remote access VPNs where user authentication must be flexible and secure.
A company's users on an IPsec VPN between FortiGate A and B have experienced intermittent issues since implementing VXLAN. The administrator suspects that packets exceeding the 1500-byte default MTU are causing the problems.
In which situation would adjusting the interface's maximum MTU value help resolve issues caused by protocols that add extra headers to IP packets?
Answer : C
When using IPsec VPNs and VXLAN, additional headers are added to packets, which can exceed the default 1500-byte MTU. This can lead to fragmentation issues, dropped packets, or degraded performance.
To resolve this, the MTU (Maximum Transmission Unit) should be adjusted only if all devices in the network path support it. Otherwise, some devices may still drop or fragment packets, leading to continued issues.
Why adjusting MTU helps:
VXLAN adds a 50-byte overhead to packets.
IPsec adds its own encapsulation (ESP headers and trailers, plus GRE where it is used), further increasing the packet size.
If packets exceed the MTU, they may be fragmented or dropped, causing intermittent connectivity issues.
Lowering the MTU on interfaces ensures packets stay within the supported size limit across all network devices.
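As an added worked example (not from the original page), the Python below estimates a packet's on-wire size after VXLAN and ESP tunnel-mode encapsulation and searches for the largest original packet that still fits a 1500-byte MTU. The 50-byte VXLAN figure is the one given above; the ESP parameters (AES-CBC with a 16-byte IV, a 16-byte ICV, optional NAT-T UDP header) are assumptions.

```python
"""Constructed example: how much of a 1500-byte MTU survives VXLAN + IPsec ESP.

The VXLAN overhead (50 bytes) is the figure given above; the ESP parameters
(AES-CBC, 16-byte IV, 16-byte ICV, optional NAT-T) are assumptions.
"""

VXLAN_OVERHEAD = 50   # outer Ethernet(14) + IPv4(20) + UDP(8) + VXLAN(8)
NEW_IP_HEADER = 20    # outer IPv4 header added by ESP tunnel mode
ESP_HEADER = 8        # SPI(4) + sequence number(4)
ESP_TRAILER = 2       # pad length(1) + next header(1)
NAT_T_UDP = 8         # UDP/4500 header when NAT traversal is active


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=16, nat_t=False):
    """On-wire size of an ESP tunnel-mode packet protecting inner_len bytes.

    The plaintext (payload + ESP trailer) is padded up to the cipher block
    size before encryption, so the overhead is not one fixed number.
    """
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block        # ceil to a block multiple
    size = NEW_IP_HEADER + ESP_HEADER + iv_len + padded + icv_len
    return size + (NAT_T_UDP if nat_t else 0)


def wire_size(packet_len, vxlan=True, **esp):
    """Size after VXLAN encapsulation (first) and then IPsec protection."""
    encapsulated = packet_len + (VXLAN_OVERHEAD if vxlan else 0)
    return esp_tunnel_size(encapsulated, **esp)


def largest_fitting_packet(outer_mtu=1500, vxlan=True, **esp):
    """Largest original packet whose wire_size still fits in outer_mtu.

    This is the MTU to configure on the inner interface so that packets
    are neither fragmented nor dropped on the physical path.
    """
    best = 0
    for n in range(1, outer_mtu + 1):            # small exhaustive search
        if wire_size(n, vxlan, **esp) <= outer_mtu:
            best = n
    return best


if __name__ == "__main__":
    print("1500-byte packet on the wire:", wire_size(1500))            # 1612
    print("largest packet that fits 1500:", largest_fitting_packet())  # 1388
    print("... with NAT-T:", largest_fitting_packet(nat_t=True))       # 1372
```

The result shows why a full-size 1500-byte packet cannot traverse the tunnel intact: it grows to 1612 bytes on the wire, so the inner MTU must drop to roughly 1388 bytes (1372 with NAT-T) unless every device on the path accepts larger frames.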
Refer to the exhibit, which contains the partial output of an OSPF command.
An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit.
Which statement on this FortiGate device is correct?
Answer : A
From the OSPF status output, the key information is:
The line 'This router is an ASBR' means the FortiGate is acting as an Autonomous System Boundary Router (ASBR).
An ASBR is responsible for injecting external routing information into OSPF from another routing protocol (such as BGP, static routes, or connected networks).
Refer to the exhibit, which shows the ADVPN IPsec interface representing the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub to Spoke 3 and Spoke 4.
An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.
What must the administrator configure in the phase 1 VPN IPsec configuration of the ADVPN tunnels?
Answer : C
When configuring ADVPN (Auto-Discovery VPN) to connect overlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.
set auto-discovery-crossover enable
This allows cross-hub tunnel discovery in an ADVPN deployment where multiple hubs are used.
Since Hub A and Hub B belong to different overlays, enabling crossover discovery ensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.
set enforce-multihop enable
This setting ensures that BGP peers using loopback interfaces can establish connectivity even if they are not directly connected.
Multihop BGP sessions are required when using loopback addresses as BGP peer sources because the connection might need to traverse multiple routers before reaching the BGP neighbor.
This is especially useful in ADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.
Refer to the exhibit, which shows the packet capture output of a three-way handshake between FortiGate and FortiManager Cloud.
What two conclusions can you draw from the exhibit? (Choose two.)
Answer : D
The packet capture output displays a TLS Client Hello message from FortiGate to FortiManager Cloud. This message contains Server Name Indication (SNI), which is used to indicate the domain name that FortiGate is trying to connect to.
FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment.
FortiManager Cloud hosts multiple customers and domains under a shared infrastructure.
The TLS handshake includes SNI (Server Name Indication), which allows FortiManager Cloud to serve multiple certificates based on the requested domain.
This means FortiGate will likely receive a multi-domain or wildcard certificate that can be used for multiple customers under FortiManager Cloud.
The wildcard for the domain *.fortinet-ca2.support.fortinet.com must be supported by FortiManager Cloud.
The SNI extension contains the domain 9398.support.fortinet-ca2.fortinet.com.
FortiManager Cloud must support wildcard certificates such as *.fortinet-ca2.support.fortinet.com to securely manage multiple subdomains and customers.
This ensures that FortiGate can validate the server certificate without any TLS errors.
Refer to the exhibit, which shows the FortiGuard Distribution Network of a FortiGate device.
FortiGuard Distribution Network on FortiGate
An administrator is trying to find the web filter database signature on FortiGate to resolve issues with websites not being filtered correctly in a flow-mode web filter profile.
Why is the web filter database version not visible on the GUI, such as with IPS definitions?
Answer : C
Unlike IPS or antivirus databases, FortiGate does not store a full web filter database locally. Instead, FortiGate queries FortiGuard (or FortiManager, if configured) dynamically to classify and filter web content in real time.
Key points:
Web filtering works on a cloud-based model:
When a user requests a website, FortiGate queries FortiGuard servers to check its category and reputation.
The response is then cached locally for faster lookups on repeated requests.
No local web filter database version:
Unlike IPS and antivirus, which download and store signature updates locally, web filtering relies on cloud-based queries.
This is why no database version appears in the GUI.
Flow mode vs. proxy mode:
In proxy mode, FortiGate can cache some web filter data, improving performance.
In flow mode, all queries happen dynamically, with no locally stored database.
An administrator wants to scale the IBGP sessions and optimize the routing table in an IBGP network.
Which parameter should the administrator configure?
Answer : D
In an IBGP (Internal BGP) network, all routers must be fully meshed, meaning every router must establish a BGP session with every other router in the same autonomous system (AS). This does not scale well in large networks, because every additional router needs a session to each router already present, so the number of BGP sessions grows rapidly.
To optimize and scale IBGP, Route Reflectors (RRs) are used. A Route Reflector (RR) reduces the number of IBGP peer connections by allowing a centralized router (RR) to redistribute IBGP routes to other IBGP peers (called clients). This eliminates the need for a full mesh, significantly reducing BGP session overhead.
By configuring the route-reflector-client setting on IBGP peers, an administrator can:
Scale IBGP sessions by reducing the number of direct BGP peer connections.
Optimize the routing table by ensuring routes are efficiently propagated within the IBGP network.
Eliminate the need for full mesh topology, making IBGP more manageable.