Fortinet FCSS_EFW_AD-7.4 FCSS - Enterprise Firewall 7.4 Administrator Exam Practice Test

In this scenario, thecorporate networkand thenew remote office networkneed to communicate over theInternet, which requires asecure and dynamic routing method. Since both networks are usingOSPF (Open Shortest Path First)as the routing protocol, the best approach is to establish anOSPF over IPsec VPNto ensure secure and dynamic route propagation.

OSPF is already running on the corporate network, and extending it over an IPsec tunnel allows dynamic route exchange between the corporate FortiGate and the remote office FortiGate.IPsec provides encryptionfor traffic over the Internet, ensuring secure communication.OSPF over IPsec eliminates the need for manual static routes, allowing automatic route updates if networks change.

The new remote office's192.168.1.0/24 subnetwill be advertised dynamically to the corporate network without additional configuration.

The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device.

The FortiGate device is connected to multiple areas

● The output states: "This router is an ABR"

●ABR (Area Border Router)means the device is connected tomultiple OSPF areasand maintains routing information between them.

● This confirms that the FortiGate isnot just in one area, but at leastone backbone area (Area 0) and another OSPF area.

The FortiGate device injects external routing information

● The output states: "Supports opaque LSA"

●Opaque LSAs(Type 9, 10, and 11) are used inOSPF extensions, including those that support external route injection.

● Typically, ABRs or ASBRs (Autonomous System Boundary Routers)inject external routes, allowing routes fromother routing protocols (such as BGP or static routes) to be advertised into OSPF.

Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.

By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).

● Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.

Zero phase selectors inIPsec Phase 2mean thatno specific traffic selectors (subnets) are defined, allowingany traffic to be encryptedthrough the VPN tunnel. This can causeunintended traffic forwarding issuesand disrupt network operations.

To prevent this from happening during future migrations:

●Using routing protocolsensures thatonly specific subnets are advertised over the tunnel. Dynamic routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing unintended traffic from being encrypted.

●Clearly defining phase 2 selectorsavoids the problem of encrypting all traffic byexplicitly stating the allowed source and destination subnets. This prevents the tunnel from affecting unrelated network traffic.

In anIBGP (Internal BGP) network, all routers must befully meshed, meaning every router must establish a BGP session with every other router in the sameautonomous system (AS). Thisdoes not scale wellin large networks due to the exponential increase in BGP sessions.

Tooptimize and scale IBGP,Route Reflectors (RRs)are used. ARoute Reflector (RR)reduces the number ofIBGP peer connectionsby allowing acentralized router (RR)to redistribute IBGP routes to other IBGP peers (calledclients). This eliminates the need for afull mesh, significantlyreducing BGP session overhead.

By configuring theroute-reflector-clientsetting on IBGP peers, an administrator can:

●Scale IBGP sessionsby reducing the number of direct BGP peer connections.

●Optimize the routing tableby ensuring routes are efficiently propagated within the IBGP network.

●Eliminate the need for full mesh topology, making IBGP more manageable.

The FortiGateSSL/SSH inspection profileis configured forFull SSL Inspection, which is necessary to analyze encrypted HTTPS traffic. However, the firewallpolicy is protecting an SSL server (the Linux server hosting the website), and currently, the SSL/SSH profileonly applies to client-side SSL inspection.

To detect HTTPS-based attacks targeting the Linux server:

●FortiGate must act as an SSL intermediaryto inspect encrypted traffic destined for the web server.

● The administratormust upload the SSL certificate of the Linux web serverto FortiGate so that theserver-side SSL inspectioncan decrypt incoming HTTPS traffic before analyzing it.

Whenstandardizing the deployment of FortiGate devices across branchesusing FortiManager, thebest practiceis to usemetadata variables. This allows fordynamic interface configurationwhile maintaining asingle, consistent policy packagefor all branches.

●Metadata variablesin FortiManager enableinterface roles and configurations to be dynamically assignedbased on the specific FortiGate device.

● This ensuresscalabilityandconsistent security policy enforcementacross all branches without manually adjusting interface settings for each device.

● When a new branch FortiGate is deployed, metadata variables automaticallymap to the correct physical interfaces, reducing manual configuration errors.

The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).

● npu_flag=20:

● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.

● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:

● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.

● npu_selid=1:

● This value means the session selector for the NPU offloaded SA is active.

Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

The excessiveDNS log requests with random subdomainssuggest aDNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can useboth UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.

Using anIPS profile with DNS exfiltration-specific signaturesallows FortiGate to:

●Detect and block abnormal DNS query patternsoften used in exfiltration.

●Inspect encrypted DNS (DoH, DoT) trafficif SSL inspection is enabled.

●Identify known exfiltration domains and techniquesbased on FortiGuard threat intelligence.

From theRoot FortiGate - System Administrator Configurationexhibit:

● TheAdminSSOaccount has thesuper_admin_readonlyrole.

From theDownstream FortiGate - Security Fabric Settingsexhibit:

● TheSecurity Fabric roleis set toJoin Existing Fabric, meaning it will authenticate with the root FortiGate.

●SAML Single Sign-On (SSO) is enabled, and thedefault admin profileis set tosuper_admin_readonly.

When theAdminSSOuser logs into the downstream FortiGate usingSSO, the authentication request is sent to the root FortiGate, where AdminSSO hassuper_admin_readonlypermissions. Since the downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be grantedsuper_admin_readonlyaccess.

When FortiGate processes the first packets of a session, it follows a sequence of steps to determine how the traffic should be handled before establishing a session. The initial step involves:

● Access Control List (ACL) checks: Determines if the traffic should be allowed or blocked based on predefined security rules.

● Hardware Packet Engine (HPE) inspections: Ensures that packet headers are valid and comply with protocol standards.

● IP Integrity Header Checking: Verifies if the IP headers are intact and not malformed or spoofed.

Once these security inspections are completed and the session is validated, FortiGate then installs the session in hardware (if offloading is enabled) or processes it in software.

InBGP (Border Gateway Protocol), aneighbor (peer) configurationis required to establish a connection between two BGP routers. SinceFortiGate A is connecting to the ISP (Autonomous System 10) from AS 30, the administrator must define theISP's BGP router as a neighbor.

Theconfig neighborcommand is used to:

●Define the ISP's IP address as a BGP peer

●Specify the remote AS (AS 10 in this case)

●Allow BGP route exchanges between FortiGate A and the ISP

From theBGP neighbor status output, the key issue is thatBGP is stuck in the "Idle" state, meaning the FortiGate is unable to establish a BGP session with its peer100.65.4.1(Remote AS 65300).

The output also shows:

●"Not directly connected EBGP"→ This means the BGP peer is not on the same subnet, requiring multihop BGP.

●"Update source is Loopback"→ Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.

To resolve this issue, the administrator must enableebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.

FortiGate_A and FortiGate_B are in thesame autonomous system (AS), andFortiGate_Adoesnot currently have route 172.16.1.248/30in its routing table. However, FortiGate_B has this routeas a connected route.

To dynamically advertiseonly172.16.1.248/30 fromFortiGate_B to FortiGate_A, the administrator must configure aBGP route map outonFortiGate_Bthat specifically permitsonlythis prefix.

A BGP route map out on FortiGate_Bcontrols which routes FortiGate_B advertises to FortiGate_A. If no filtering is applied, FortiGate_B might advertiseall BGP-learned and connected routes, which is not what the administrator wants. The route map should include aprefix-listthat explicitlyallows only172.16.1.248/30 and denies everything else.

False positives inIntrusion Prevention System (IPS)analysis can disrupt legitimate traffic and negatively impact user experience. To reduce false positives while maintaining security, administrators can:

●Use IPS profile extensions to fine-tune the settings based on the organization's environment.

●Select the correct operating system, protocol, and application typesto ensure that IPS signatures match the network's actual traffic patterns, reducing false positives.

●Customize signature selectionbased on the network’s specific services, filtering out unnecessary or irrelevant signatures.

The exhibit shows anactive-passive HA (high availability) clusterwith two virtual clusters, where FortiGate_A is the primary device for both Core1 and Core2. If the goal is to haveFortiGate_B take over Core2 traffic, itspriority must be higherthan FortiGate_A forVirtual Cluster 2.

Currently, FortiGate_A has a priority of150for Core2, while FortiGate_B has128. IncreasingFortiGate_B’s priority to 200ensures it becomes theprimary for Virtual Cluster 2, taking over the Core2 VDOM traffic while keeping Core1 traffic on FortiGate_A.

Disabling override would prevent forced failovers but wouldn’t change the role distribution. Adjusting the load-balancing method is irrelevant in anactive-passive setup, as it only applies to active-active configurations.

FortiGate'sIPS protocol decodersanalyzenetwork transmission patternsandapplication signaturesto identify and block malicious traffic.Application Controlis the feature that allows FortiGate todetect, classify, and block applicationsbased on their behavior and signatures, even when they do not rely on traditional URLs.

●Application Controlworks alongsideIPS protocol decodersto inspect packet payloads and enforce security policies based on recognized application behaviors.

● It enablesgranular control over non-URL-based applicationssuch asP2P traffic, VoIP, messaging apps, and other non-web-based protocolsthat IPS can identify through protocol decoders.

●IPS and Application Control together can detect evasive or encrypted applications that might bypass traditional firewall rules.