Fortinet FCSS_EFW_AD-7.6 Exam Questions Instant Access

Question 1

Refer to the exhibit, which shows a revision history window in the FortiManager device layer.

The IT team is trying to identify the administrator responsible for the most recent update in the FortiGate device database.

Which conclusion can you draw about this scenario?

AThis retrieved process was automatically triggered by a Remote FortiGate Directly (via CLI) script.

BThe user script_manager is an API user from the Fortinet Developer Network (FDN) retrieving a configuration.

CTo identify the user who created the event, check it on the Configuration and Installation widget on FortiGate within the FortiManager device layer.

DFind the user in the FortiManager system logs and use the type=script command to find the administrator user in the user field.

Answer : D

The Configuration Revision History window in FortiManager shows that the most recent configuration change (ID 10) was created by script_manager with the action Retrieved.

Since script_manager is a system-level script execution user, the IT team needs to find who actually triggered this script. This can be done by:

Checking the FortiManager system logs for script execution events.

Using the type=script filter to locate the administrator associated with the script execution.

Question 2

What does the command set forward-domain in a transparent VDOM interface do?

AIt configures the interface to prioritize traffic based on the domain ID, enhancing quality of service for specified VLANs.

BIt isolates traffic within a specific VLAN by assigning a broadcast domain to an interface based on the VLAN ID.

CIt restricts the interface to managing traffic only from the specified VLAN, effectively segregating network traffic.

DIt assigns a unique domain ID to the interface, allowing it to operate across multiple VLANs within the same VDOM.

Answer : B

In a transparent mode Virtual Domain (VDOM) configuration, FortiGate operates as a Layer 2 bridge rather than performing Layer 3 routing. The set forward-domain <domain_ID> command is used to control how traffic is forwarded between interfaces within the same transparent VDOM.

A forward-domain acts as a broadcast domain, meaning only interfaces with the same forward-domain ID can exchange traffic. This setting is commonly used to separate different VLANs or network segments within the transparent VDOM while still allowing FortiGate to apply security policies.

Question 3

The IT department discovered during the last network migration that all zero phase selectors in phase 2 IPsec configurations impacted network operations.

What are two valid approaches to prevent this during future migrations? (Choose two.)

AUse routing protocols to specify allowed subnets over the tunnel.

BConfigure an IPsec-aggregate to create redundancy between each firewall peer.

CClearly indicate to the VPN which segments will be encrypted in the phase two selectors.

DConfigure an IP address on the IPsec interface of each firewall to establish unique peer connections and avoid impacting network operations.

Answer : A, C

Zero phase selectors in IPsec Phase 2 mean that no specific traffic selectors (subnets) are defined, allowing any traffic to be encrypted through the VPN tunnel. This can cause unintended traffic forwarding issues and disrupt network operations.

To prevent this from happening during future migrations:

Using routing protocols ensures that only specific subnets are advertised over the tunnel. Dynamic routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing unintended traffic from being encrypted.

Clearly defining phase 2 selectors avoids the problem of encrypting all traffic by explicitly stating the allowed source and destination subnets. This prevents the tunnel from affecting unrelated network traffic.

Question 4

What action can be taken on a FortiGate to block traffic using IPS protocol decoders, focusing on network transmission patterns and application signatures?

AUse the DNS filter to block application signatures and protocol decoders.

BUse application control to limit non-URL-based software handling.

CEnable application detection-based SD-WAN rules.

DConfigure a web filter profile in flow mode.

Answer : B

FortiGate's IPS protocol decoders analyze network transmission patterns and application signatures to identify and block malicious traffic. Application Control is the feature that allows FortiGate to detect, classify, and block applications based on their behavior and signatures, even when they do not rely on traditional URLs.

Application Control works alongside IPS protocol decoders to inspect packet payloads and enforce security policies based on recognized application behaviors.

It enables granular control over non-URL-based applications such as P2P traffic, VoIP, messaging apps, and other non-web-based protocols that IPS can identify through protocol decoders.

IPS and Application Control together can detect evasive or encrypted applications that might bypass traditional firewall rules.

Question 5

To secure your enterprise network traffic, which step does FortiGate perform first, when handling the first packets of a session? (Choose one answer)

AInstallation of the session key in the network processor (NP)

BDecryption

CA reverse path forwarding (RPF) check

DIP integrity header checking

Answer : D

Comprehensive and Detailed 150 to 200 words of Explanation From Exact Extract of Enterprise Firewall 7.6 Administrator documents:

Based on the FortiOS 7.6 Administration Guide and the Life of a Packet documentation (Parallel Path Processing), the FortiGate follows a specific, hardcoded sequence when processing the first packet of a new session. This process is divided into several stages: Ingress, Kernel, and Egress.

The very first stage is Ingress, where all packets accepted by a network interface are processed by the TCP/IP stack. Immediately following this, the packet must pass through IP integrity header checking. This step involves reading the packet headers to verify that the packet is a valid protocol (TCP, UDP, ICMP, etc.) and that the header length is correct. This sanity check is performed before any other security functions, such as decryption (which occurs later in the Ingress stage) or the Reverse Path Forwarding (RPF) check (which occurs even later during the Routing step in the Kernel stage).

Installation of the session key (Option A) only occurs after the packet has matched a firewall policy and the session has been fully established and offloaded to the NPU. Therefore, IP integrity header checking is the absolute first security-related validation performed on an incoming packet.

Question 6

During the maintenance window, an administrator must sniff all the traffic going through a specific firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few packets.

Why is the output of sniffer trace limited?

AThe traffic corresponding to the firewall policy is encrypted.

Bauto-asic-off load is set to enable in the firewall policy,

Cinspection-mode is set to proxy in the firewall policy.

DThe option npudbg is not added in the diagnose sniff packet command.

Answer : B

FortiGate devices with NP6 (Network Processor 6) acceleration offload traffic directly to hardware, bypassing the CPU for improved performance. When auto-asic-offload is enabled in a firewall policy, most of the traffic does not reach the CPU, which means it won't be captured by the standard sniffer trace command.

Since NP6-accelerated traffic is handled entirely in hardware, only a small portion of initial packets (such as session setup packets or exceptions) might be seen in the sniffer output. To capture all packets, the administrator must disable hardware offloading using:

config firewall policy

edit

set auto-asic-offload disable

end

Disabling ASIC offload forces traffic to be processed by the CPU, allowing the sniffer tool to capture all packets.

Question 7

Refer to the exhibit, which shows the VDOM section of a FortiGate device.

An administrator discovers that webfilter stopped working in Core1 and Core2 after a maintenance window.

Which two reasons could explain why webfilter stopped working? (Choose two.)

AThe root VDOM does not have access to FortiManager in a closed network.

BThe root VDOM does not have a VDOM link to connect with the Corel and Core2 VDOMs.

CThe Core1 and Core2 VDOMs must also be enabled as Management VDOMs to receive FortiGuard updates

DThe root VDOM does not have access to any valid public FDN.

Answer : B, D

Since Core1 and Core2 are not designated as management VDOMs, they rely on the root VDOM for connectivity to external resources such as FortiGuard updates. If the root VDOM lacks a VDOM link to these VDOMs or cannot reach FortiGuard services, security features like web filtering will stop working.

Fortinet FCSS - Enterprise Firewall 7.6 Administrator FCSS_EFW_AD-7.6 Exam Questions