Pass the Fortinet Certified Professional Network Security FCSS_EFW_AD-7.6 Questions and answers with ValidTests

FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless it decrypts it first. If only certificate inspection is enabled, FortiGate can see the certificate details (such as the domain and issuer) but cannot inspect the actual web content.

To fully analyze the traffic and detect potential malware threats:

● Full SSL inspection (Deep Packet Inspection) must be enabled in the SSL/SSH Inspection Profile.

● This allows FortiGate to decrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.

● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.

IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.

It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.

IKEv2 supports stronger cryptographic algorithms, including Elliptic Curve Diffie-Hellman (ECDH) groups such as ECP256 and ECP384, providing improved security compared to IKEv1.

It supports the extensible authentication protocol (EAP).

IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such as RADIUS, certificates, and smart cards. This is particularly useful for remote access VPNs where user authentication must be flexible and secure.

From the exhibit, ISFW is part of a Security Fabric environment with NGFW-1 as the Fabric Root. In this architecture, FortiGate devices share security intelligence, including logs and detected threats.

ISFW is in a Security Fabric environment:

● Security Fabric allows devices like ISFW to receive threat intelligence from NGFW-1, even if UTM is not enabled locally.

● If NGFW-1 detects malware from IP 10.1.10.1 to 89.238.73.97, this information can be propagated to ISFW and FortiAnalyzer.

The firewall policy in NGFW-1 has UTM enabled:

● Even though ISFW does not have UTM enabled, NGFW-1 (which sits between ISFW and the external network) does have UTM enabled and is scanning traffic.

● Since NGFW-1 detects malware in the session, it logs the event, which is then sent to FortiAnalyzer.

The excessive DNS log requests with random subdomains suggest a DNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can use both UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.

Using an IPS profile with DNS exfiltration-specific signatures allows FortiGate to:

● Detect and block abnormal DNS query patterns often used in exfiltration.

● Inspect encrypted DNS (DoH, DoT) traffic if SSL inspection is enabled.

● Identify known exfiltration domains and techniques based on FortiGuard threat intelligence.

From the Root FortiGate - System Administrator Configuration exhibit:

● The AdminSSO account has the super_admin_readonly role.

From the Downstream FortiGate - Security Fabric Settings exhibit:

● The Security Fabric role is set to Join Existing Fabric, meaning it will authenticate with the root FortiGate.

● SAML Single Sign-On (SSO) is enabled, and the default admin profile is set to super_admin_readonly.

When the AdminSSO user logs into the downstream FortiGate using SSO, the authentication request is sent to the root FortiGate, where AdminSSO has super_admin_readonly permissions. Since the downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be granted super_admin_readonly access.

When configuring a loopback interface as the BGP source for connecting to an ISP, two important settings must be applied:

1. Enable EBGP Multihop (ebgp-enforce-multihop)

BGP normally expects directly connected neighbors, but since the ISP and FortiGate A are using loopback interfaces, packets will not be sent directly between their physical interfaces.

The ebgp-enforce-multihop command allows BGP to form an eBGP peering over multiple hops.

2. Set the Update Source (update-source)

Since FortiGate is using a loopback interface as the source, the update-source command ensures that BGP updates originate from the loopback interface rather than a physical interface.

This is essential because BGP peers must match the source IP with the configured neighbor address.

The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device.

The FortiGate device is connected to multiple areas

● The output states: "This router is an ABR"

● ABR (Area Border Router) means the device is connected to multiple OSPF areas and maintains routing information between them.

● This confirms that the FortiGate is not just in one area, but at least one backbone area (Area 0) and another OSPF area.

The FortiGate device injects external routing information

● The output states: "Supports opaque LSA"

● Opaque LSAs (Type 9, 10, and 11) are used in OSPF extensions, including those that support external route injection.

● Typically, ABRs or ASBRs (Autonomous System Boundary Routers) inject external routes, allowing routes from other routing protocols (such as BGP or static routes) to be advertised into OSPF.

Based on the FortiGate Infrastructure 7.6 study guide and the Hardware Acceleration technical documentation, the diagnose vpn tunnel list command provides the status of IPsec tunnel offloading to the Network Processor (NPU).

In the provided exhibit, the specific value npu_flag=20 (which corresponds to 0x20 in hexadecimal) indicates that the IPsec Security Association (SA) cannot be offloaded to the NPU. While the NPU may have visibility of the gateway IPs (npu_rgwy and npu_lgwy), the flag itself serves as a diagnostic indicator that the traffic must be processed by the system CPU rather than the hardware accelerator.

This lack of offloading typically occurs when the tunnel configuration uses a cipher (encryption algorithm) or an HMAC (authentication algorithm) that is not supported by the specific NPU model installed in the FortiGate. For example, if a tunnel is configured with a legacy or highly complex algorithm that the NP6 or NP7 chip is not designed to process in hardware, the FortiOS kernel handles the encryption and decryption, resulting in the npu_flag=20 status. Therefore, despite the presence of NPU-related fields, the specific flag value confirms that hardware acceleration is not active for these SAs.

The diagram shows a multi-area OSPF network where:

● FortiGate A is in OSPF Area 0 (Backbone area).

● FortiGate B is in OSPF Area 0.0.0.1 and is connected to an RIP network.

To ensure that OSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B must redistribute RIP routes into OSPF.

Steps to achieve this:

1. Enable route redistribution on FortiGate B to inject RIP-learned routes into OSPF.

2. This allows OSPF Area 0.0.0.1 to forward RIP routes to OSPF Area 0 (0.0.0.0), making the external network visible.

FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless it decrypts it first. If only certificate inspection is enabled, FortiGate can see the certificate details (such as the domain and issuer) but cannot inspect the actual web content.

To fully analyze the traffic and detect potential malware threats:

● Full SSL inspection (Deep Packet Inspection) must be enabled in the SSL/SSH Inspection Profile.

● This allows FortiGate to decrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.

● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.