Pass the Fortinet Certified Professional Network Security FCSS_EFW_AD-7.6 Questions and answers with ValidTests

The Internet Service Database (ISDB) in FortiGate is used to enforce content filtering at Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI model by identifying applications based on their predefined IP addresses and ports.

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:

● FortiGate retrieves and updates a predefined list of IPs and ports for different internet services from FortiGuard.

● This allows FortiGate to block specific services at Layer 3 and Layer 4 without requiring deep packet inspection.

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:

● ISDB works by matching traffic to known IP addresses and ports of categorized services.

● When an application or service is blocked, FortiGate prevents communication by denying traffic based on its destination IP and port number.

When designing an ADVPN (Auto-Discovery VPN) network for a large enterprise with spokes that have varying numbers of internet links, the main challenge is to minimize the number of peer connections and routes at the hub while maintaining scalability and efficiency.

Using a dynamic routing protocol (such as BGP or OSPF) with loopback interfaces helps in several ways:

● Reduces the number of peer connections at the hub by using a single loopback address per spoke instead of individual physical interfaces.

● Enables simplified route advertisement by dynamically learning and propagating routes instead of manually configuring static routes.

● Supports multiple internet links per spoke efficiently, as dynamic routing can automatically adjust to the best available path.

● Allows seamless failover if a spoke’s internet link fails, ensuring continuous connectivity.

Since Core1 and Core2 are not designated as management VDOMs, they rely on the root VDOM for connectivity to external resources such as FortiGuard updates. If the root VDOM lacks a VDOM link to these VDOMs or cannot reach FortiGuard services, security features like web filtering will stop working.

In this ADVPN (Auto-Discovery VPN) network, there are two hubs (Hub A and Hub B) connected via EBGP, while IBGP is used within each overlay. To ensure proper BGP routing between the overlays, the administrator must configure specific BGP options..

set ebgp-enforce-multihop enable

By default, EBGP requires directly connected neighbors. Since Hub A and Hub B are not directly connected but reach each other over an IPsec tunnel, multihop must be enabled for EBGP sessions to work.

set next-hop-self enable

In IBGP, the next-hop attribute does not change by default. When an IBGP route is advertised from a spoke to another hub or spoke, the next-hop needs to be updated to ensure proper reachability. Enabling next-hop-self forces the BGP speaker to advertise itself as the next-hop, ensuring that all spokes properly reach routes across the overlays.

FortiGate_A and FortiGate_B are in the same autonomous system (AS), and FortiGate_A does not currently have route 172.16.1.248/30 in its routing table. However, FortiGate_B has this route as a connected route.

To dynamically advertise only 172.16.1.248/30 from FortiGate_B to FortiGate_A, the administrator must configure a BGP route map out on FortiGate_B that specifically permits only this prefix.

A BGP route map out on FortiGate_B controls which routes FortiGate_B advertises to FortiGate_A. If no filtering is applied, FortiGate_B might advertise all BGP-learned and connected routes, which is not what the administrator wants. The route map should include a prefix-list that explicitly allows only 172.16.1.248/30 and denies everything else.

This IPsec Phase 1 configuration defines a dynamic VPN tunnel that can accept connections from multiple peers. The settings chosen here suggest a configuration optimized for networks with intermittent traffic patterns while ensuring resources are used efficiently.

Key configurations and their impact:

● set type dynamic → This allows multiple peers to establish connections dynamically without needing predefined IP addresses.

● set ike-version 2 → Uses IKEv2, which is more efficient and supports features like EAP authentication and reduced rekeying overhead.

● set dpd on-idle → Dead Peer Detection (DPD) is triggered only when the tunnel is idle, reducing unnecessary keep-alive packets and improving resource utilization.

● set add-route enable → FortiGate automatically adds the route to the routing table when the tunnel is established, ensuring connectivity when needed.

● set proposal aes128-sha256 aes256-sha256 → Uses strong encryption and hashing algorithms, ensuring a secure connection.

● set keylife 28800 → Sets a longer key lifetime (8 hours), reducing the frequency of rekeying, which is beneficial for stable connections.

Because DPD is set to on-idle, the tunnel will not constantly send keep-alive messages but will still ensure connectivity when traffic is detected. This makes the configuration ideal for networks with regular but non-continuous traffic, balancing security and resource efficiency.

The best way to block outdated SSL/TLS versions is to configure the SSL/SSH inspection profile to enforce a minimum SSL/TLS version and disable weak SSL versions.

By setting the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection using outdated SSL/TLS versions (such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication using only strong SSL/TLS versions (such as TLS 1.2 or TLS 1.3).

● Protect users from man-in-the-middle (MITM) and downgrade attacks that exploit weak encryption.

The FortiGate SSL/SSH inspection profile is configured for Full SSL Inspection, which is necessary to analyze encrypted HTTPS traffic. However, the firewall policy is protecting an SSL server (the Linux server hosting the website), and currently, the SSL/SSH profile only applies to client-side SSL inspection.

To detect HTTPS-based attacks targeting the Linux server:

● FortiGate must act as an SSL intermediary to inspect encrypted traffic destined for the web server.

● The administrator must upload the SSL certificate of the Linux web server to FortiGate so that the server-side SSL inspection can decrypt incoming HTTPS traffic before analyzing it.

In a transparent mode Virtual Domain (VDOM) configuration, FortiGate operates as a Layer 2 bridge rather than performing Layer 3 routing. The set forward-domain <domain_ID> command is used to control how traffic is forwarded between interfaces within the same transparent VDOM.

A forward-domain acts as a broadcast domain, meaning only interfaces with the same forward-domain ID can exchange traffic. This setting is commonly used to separate different VLANs or network segments within the transparent VDOM while still allowing FortiGate to apply security policies.

False positives in Intrusion Prevention System (IPS) analysis can disrupt legitimate traffic and negatively impact user experience. To reduce false positives while maintaining security, administrators can:

● Use IPS profile extensions to fine-tune the settings based on the organization's environment.

● Select the correct operating system, protocol, and application types to ensure that IPS signatures match the network's actual traffic patterns, reducing false positives.

● Customize signature selection based on the network’s specific services, filtering out unnecessary or irrelevant signatures.