Fortinet Updated FCSS_EFW_AD-7.4 Exam Questions and Answers by issa

FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless itdecryptsit first. Ifonly certificate inspectionis enabled, FortiGate can see the certificate details (such as the domain and issuer) butcannot inspect the actual web content.

To fully analyze the traffic and detect potential malware threats:

●Full SSL inspection (Deep Packet Inspection)must be enabled in theSSL/SSH Inspection Profile.

● This allows FortiGate todecrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.

● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.

Applying anaggressive IPS profilewithout prior testing candisrupt legitimate applicationsby incorrectly identifying normal traffic as malicious. To prevent disruptions while still monitoring for threats:

●Enable IPS in "Monitor Mode" first:

● This allows FortiGate tolog and analyzepotential threatswithout actively blockingtraffic.

● Administrators can review logs and fine-tune IPS signatures to minimize false positives before switching to blocking mode.

●Verify and adjust signature patterns:

● Some signatures might trigger unnecessary blocks for legitimate application traffic.

● By analyzing logs, administrators candisable or modifyspecific rules causing false positives.

In thisADVPN (Auto-Discovery VPN) network, there are two hubs (Hub A and Hub B) connected viaEBGP, whileIBGPis used within each overlay. To ensure proper BGP routing between the overlays, the administrator must configure specific BGP options..

set ebgp-enforce-multihop enable

By default, EBGP requires directly connected neighbors. Since Hub A and Hub B are not directly connected but reach each other over an IPsec tunnel, multihop must be enabled for EBGP sessions to work.

set next-hop-self enable

In IBGP, the next-hop attribute does not change by default. When an IBGP route is advertised from a spoke to another hub or spoke, the next-hop needs to be updated to ensure proper reachability. Enabling next-hop-self forces the BGP speaker to advertise itself as the next-hop, ensuring that all spokes properly reach routes across the overlays.

The diagram shows amulti-area OSPF networkwhere:

●FortiGate Ais inOSPF Area 0 (Backbone area).

●FortiGate Bis inOSPF Area 0.0.0.1and is connected to anRIP network.

To ensure thatOSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B mustredistribute RIP routes into OSPF.

Steps to achieve this:

1.Enable route redistribution on FortiGate Bto inject RIP-learned routes into OSPF.

2. This allows OSPFArea 0.0.0.1to forward RIP routes toOSPF Area 0 (0.0.0.0), making the external network visible.