Special Summer Sale Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

Fortinet FCSS_EFW_AD-7.4 Dumps

FCSS - Enterprise Firewall 7.4 Administrator Questions and Answers

Question 1

An administrator is extensively using VXLAN on FortiGate.

Which specialized acceleration hardware does FortiGate need to improve its performance?

Options:

A.

NP7

B.

SP5

C.

СР9

D.

NTurbo

Question 2

Refer to the exhibit, which shows an ADVPN network

as

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.

What two options must the administrator configure in BGP? (Choose two.)

Options:

A.

set ebgp-enforce-multrhop enable

B.

set next-hop-self enable

C.

set ibgp-enforce-multihop advpn

D.

set attribute-unchanged next-hop

Question 3

A vulnerability scan report has revealed that a user has generated traffic to the website example.com (10.10.10.10) using a weak SSL/TLS version supported by the HTTPS web server.

What can the firewall administrator do to block all outdated SSL/TLS versions on any HTTPS web server to prevent possible attacks on user traffic?

Options:

A.

Configure the unsupported SSL version and set the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile.

B.

Enable auto-detection of outdated SSL/TLS versions in the SSL/SSH inspection profile to block vulnerable websites.

C.

Install the required certificate in the client's browser or use Active Directory policies to block specific websites as defined in the SSL/SSH inspection profile.

D.

Use the latest certificate, Fortinet_SSL_ECDSA256, and replace the CA certificate in the SSL/SSH inspection profile.

Question 4

Refer to the exhibit, which shows theADVPNIPsec interface representing the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub В to Spoke 3 and Spoke 4.

as

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.

What must the administrator configure in the phase 1 VPN IPsec configuration of theADVPNtunnels?

Options:

A.

set auto-discovery-sender enable and set network-id x

B.

set auto-discovery-forwarder enable and set remote-as x

C.

set auto-discovery-crossover enable and set enforce-multihop enable

D.

set auto-discovery-receiver enable and set npu-offload enable

Question 5

Refer to the exhibit, which shows a network diagram showing the addition of site 2 with an overlapping network segment to the existing VPN IPsec connection between the hub and site 1.

as

Which IPsec phase 2 configuration must an administrator make on the FortiGate hub to enable equal-cost multi-path (ECMP) routing when multiple remote sites connect with overlapping subnets?

Options:

A.

Set route-overlap to either use-new or use-old

B.

Set net-device to ecmp

C.

Set single-source to enable

D.

Set route-overlap to allow

Question 6

An administrator is setting up an ADVPN configuration and wants to ensure that peer IDs are not exposed during VPN establishment.

Which protocol can the administrator use to enhance security?

Options:

A.

Use IKEv2, which encrypts peer IDs and prevents exposure.

B.

Opt for SSL VPN web mode because it does not use peer IDs at all.

C.

Choose IKEv1 aggressive mode because it simplifies peer identification.

D.

Stick with IKEv1 main mode because it offers better performance.

Question 7

Refer to the exhibit.

A pre-run CLI template that is used in zero-touch provisioning (ZTP) and low-touch provisioning (LTP) with FortiManager is shown.

as

The template is not assigned even though the configuration has already been installed on FortiGate.

What is true about this scenario?

Options:

A.

The administrator did not assign the template correctly when adding the model device because pre-CLI templates remain permanently assigned to the firewall

B.

Pre-run CLI templates are automatically unassigned after their initial installation

C.

Pre-run CLI templates for ZTP and LTP must be unassigned manually after the first installation to avoid conflicting error objects when importing a policy package

D.

The administrator must use post-run CLI templates that are designed for ZTP and LTP

Question 8

How will configuring set tcp-mss-sender and set tcp-mss-receiver in a firewall policy affect the size and handling of TCP packets in the network?

Options:

A.

The maximum segment size permitted in the firewall policy determines whether TCP packets are allowed or denied.

B.

Applying commands in a firewall policy determines the largest payload a device can handle in a single TCP segment.

C.

The administrator must consider the payload size of the packet and the size of the IP header to configure a correct value in the firewall policy.

D.

The TCP packet modifies the packet size only if the size of the packet is less than the one the administrator configured in the firewall policy.

Question 9

Which two statements about IKEv2 are true if an administrator decides to implement IKEv2 in the VPN topology? (Choose two.)

Options:

A.

It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.

B.

It supports interoperability with devices using IKEv1.

C.

It exchanges a minimum of two messages to establish a secure tunnel.

D.

It supports the extensible authentication protocol (EAP).

Question 10

Why does the ISDB block layers 3 and 4 of the OSI model when applying content filtering? (Choose two.)

Options:

A.

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard.

B.

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard.

C.

The ISDB works in proxy mode, allowing the analysis of packets in layers 3 and 4 of the OSI model.

D.

The ISDB limits access by URL and domain.

Question 11

Refer to the exhibit, which contains the partial output of an OSPF command.

as

An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit.

Which statement on this FortiGate device is correct?

Options:

A.

The FortiGate device can inject external routing information.

B.

The FortiGate device is in the area 0.0.0.5.

C.

The FortiGate device does not support OSPF ECMP.

D.

The FortiGate device is a backup designated router.

Question 12

Refer to the exhibit, which shows an enterprise network connected to an internet service provider.

as

An administrator must configure a loopback as a BGP source to connect to the ISP.

Which two commands are required to establish the connection? (Choose two.)

Options:

A.

ebgp-enforce-multihop

B.

update-source

C.

ibgp-enforce-multihop

D.

recursive-next-hop

Question 13

Refer to the exhibit, which shows a network diagram.

as

An administrator would like to modify the MED value advertised from FortiGate_1 to a BGP neighbor in the autonomous system 30.

What must the administrator configure on FortiGate_1 to implement this?

Options:

A.

route-map-out

B.

network-import-check

C.

prefix-list-out

D.

distribute-list-out

Question 14

A FortiGate device with UTM profiles is reaching the resource limits, and the administrator expects the traffic in the enterprise network to increase.

The administrator has received an additional FortiGate of the same model.

Which two protocols should the administrator use to integrate the additional FortiGate device into this enterprise network? (Choose two.)

Options:

A.

FGSP with external load balancers

B.

FGCP in active-active mode and with switches

C.

FGCP in active-passive mode and with VDOM disabled

D.

VRRP with switches

Question 15

An administrator is checking an enterprise network and sees a suspicious packet with the MAC address e0:23:ff:fc:00:86.

What two conclusions can the administrator draw? (Choose two.)

Options:

A.

The suspicious packet is related to a cluster that has VDOMs enabled.

B.

The network includes FortiGate devices configured with the FGSP protocol.

C.

The suspicious packet is related to a cluster with a group-id value lower than 255.

D.

The suspicious packet corresponds to port 7 on a FortiGate device.

Question 16

Refer to the exhibits.

as

as

The Administrators section of a root FortiGate device and the Security Fabric Settings section of a downstream FortiGate device are shown.

When prompted to sign in with Security Fabric in the downstream FortiGate device, a user enters the AdminSSO credentials.

What is the next status for the user?

Options:

A.

The user is prompted to create an SSO administrator account for AdminSSO.

B.

The user receives an authentication failure message.

C.

The user accesses the downstream FortiGate with super_admin_readonly privileges.

D.

The user accesses the downstream FortiGate with super_admin privileges.

Question 17

An administrator must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic.

Which SSL inspection setting helps reduce system load while also enabling security features, such as web filtering and application control for encrypted HTTPS traffic?

Options:

A.

Use full SSL inspection to thoroughly inspect encrypted payloads.

B.

Disable SSL inspection entirely to conserve resources.

C.

Configure SSL inspection to handle HTTPS traffic efficiently.

D.

Enable SSL certificate inspection mode to perform basic checks without decrypting traffic.

Page: 1 / 6
Total 57 questions