Pass the Fortinet Certified Professional Network Security FCSS_EFW_AD-7.4 Questions and answers with ValidTests

TheFortinet FGSP (FortiGate Session Life Support Protocol) clusterallows session synchronization betweentwo FortiGate devicesto provide seamless failover. However,ICMP (ping) is a connectionless protocol, and by default, FortiGate does not synchronize connectionless sessions unless explicitly enabled.

In the exhibit:

● The commandget system session list | grep icmponFortiGate_Breturnsno output, meaning that ICMP sessions arenot being synchronizedfrom FortiGate_A.

● Ifsession-pickup-connectionlessis disabled,FortiGate_B will not receive ICMP sessions, causingpacket lossduring failover.

The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device.

The FortiGate device is connected to multiple areas

● The output states: "This router is an ABR"

●ABR (Area Border Router)means the device is connected tomultiple OSPF areasand maintains routing information between them.

● This confirms that the FortiGate isnot just in one area, but at leastone backbone area (Area 0) and another OSPF area.

The FortiGate device injects external routing information

● The output states: "Supports opaque LSA"

●Opaque LSAs(Type 9, 10, and 11) are used inOSPF extensions, including those that support external route injection.

● Typically, ABRs or ASBRs (Autonomous System Boundary Routers)inject external routes, allowing routes fromother routing protocols (such as BGP or static routes) to be advertised into OSPF.

The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).

● npu_flag=20:

● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.

● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:

● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.

● npu_selid=1:

● This value means the session selector for the NPU offloaded SA is active.

Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

From theBGP neighbor status output, the key issue is thatBGP is stuck in the "Idle" state, meaning the FortiGate is unable to establish a BGP session with its peer100.65.4.1(Remote AS 65300).

The output also shows:

●"Not directly connected EBGP"→ This means the BGP peer is not on the same subnet, requiring multihop BGP.

●"Update source is Loopback"→ Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.

To resolve this issue, the administrator must enableebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.

InBGP (Border Gateway Protocol), aneighbor (peer) configurationis required to establish a connection between two BGP routers. SinceFortiGate A is connecting to the ISP (Autonomous System 10) from AS 30, the administrator must define theISP's BGP router as a neighbor.

Theconfig neighborcommand is used to:

●Define the ISP's IP address as a BGP peer

●Specify the remote AS (AS 10 in this case)

●Allow BGP route exchanges between FortiGate A and the ISP

Since Core1 and Core2 are not designated as management VDOMs, they rely on the root VDOM for connectivity to external resources such as FortiGuard updates. If the root VDOM lacks a VDOM link to these VDOMs or cannot reach FortiGuard services, security features like web filtering will stop working.

In a hub-and-spoke topology using OSPF over IPsec VPNs, thepoint-to-multipointnetwork type is necessary to establish neighbor adjacencies between the hub and spokes. This network type ensures that OSPF operates correctly without requiring a designated router (DR) and allows dynamic routing updates across the IPsec tunnels.

To minimizeCPU and RAM usagewhile still enforcingsecurity features like web filtering and application control,SSL certificate inspection modeis the best choice.

●SSL certificate inspectionallows FortiGate to inspectonly the SSL/TLS handshake, including theServer Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.

● This enables features likeweb filtering and application controlbecause FortiGate can determine thedestination website or applicationbased onSNI and certificate information.

● Itsignificantly reduces system loadcompared tofull SSL inspection, which requires full decryption and re-encryption of traffic.

From theRoot FortiGate - System Administrator Configurationexhibit:

● TheAdminSSOaccount has thesuper_admin_readonlyrole.

From theDownstream FortiGate - Security Fabric Settingsexhibit:

● TheSecurity Fabric roleis set toJoin Existing Fabric, meaning it will authenticate with the root FortiGate.

●SAML Single Sign-On (SSO) is enabled, and thedefault admin profileis set tosuper_admin_readonly.

When theAdminSSOuser logs into the downstream FortiGate usingSSO, the authentication request is sent to the root FortiGate, where AdminSSO hassuper_admin_readonlypermissions. Since the downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be grantedsuper_admin_readonlyaccess.

TheInternet Service Database (ISDB)in FortiGate is used to enforce content filtering atLayer 3 (Network Layer) and Layer 4 (Transport Layer)of the OSI model by identifying applications based on theirpredefined IP addresses and ports.

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:

● FortiGate retrieves and updates apredefined listof IPs and ports for different internet services fromFortiGuard.

● This allows FortiGate to block specific services atLayer 3 and Layer 4without requiring deep packet inspection.

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:

● ISDB works by matching traffic to knownIP addresses and portsof categorized services.

● When an application or service is blocked, FortiGate prevents communication bydenying traffic based on its destination IP and port number.