Fortinet FCSS_EFW_AD-7.4 FCSS - Enterprise Firewall 7.4 Administrator Exam Practice Test

When designing anADVPN (Auto-Discovery VPN) networkfor alarge enterprisewith spokes that havevarying numbers of internet links, the main challenge is tominimize the number of peer connections and routesat the hub while maintainingscalability and efficiency.

Using a dynamic routing protocol (such as BGP or OSPF) with loopback interfaces helps in several ways:

●Reduces the number of peer connectionsat the hub byusing a single loopback address per spokeinstead of individual physical interfaces.

●Enables simplified route advertisementby dynamically learning and propagating routes instead of manually configuring static routes.

●Supports multiple internet links per spokeefficiently, as dynamic routing can automatically adjust to the best available path.

●Allows seamless failoverif a spoke’s internet link fails, ensuring continuous connectivity.

When configuringADVPN (Auto-Discovery VPN)to connectoverlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

●set auto-discovery-crossover enable

● Thisallows cross-hub tunnel discoveryin an ADVPN deployment where multiple hubs are used.

● SinceHub A and Hub Bbelong to different overlays, enablingcrossover discoveryensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

●set enforce-multihop enable

● This setting ensures thatBGP peers using loopback interfacescan establish connectivityeven if they are not directly connected.

●Multihop BGP sessionsare required when usingloopback addresses as BGP peer sourcesbecause the connection might need to traverse multiple routers before reaching the BGP neighbor.

● This is especially useful inADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.

When FortiGate processes the first packets of a session, it follows a sequence of steps to determine how the traffic should be handled before establishing a session. The initial step involves:

● Access Control List (ACL) checks: Determines if the traffic should be allowed or blocked based on predefined security rules.

● Hardware Packet Engine (HPE) inspections: Ensures that packet headers are valid and comply with protocol standards.

● IP Integrity Header Checking: Verifies if the IP headers are intact and not malformed or spoofed.

Once these security inspections are completed and the session is validated, FortiGate then installs the session in hardware (if offloading is enabled) or processes it in software.

Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.

By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).

● Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.

The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).

● npu_flag=20:

● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.

● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:

● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.

● npu_selid=1:

● This value means the session selector for the NPU offloaded SA is active.

Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

Zero phase selectors inIPsec Phase 2mean thatno specific traffic selectors (subnets) are defined, allowingany traffic to be encryptedthrough the VPN tunnel. This can causeunintended traffic forwarding issuesand disrupt network operations.

To prevent this from happening during future migrations:

●Using routing protocolsensures thatonly specific subnets are advertised over the tunnel. Dynamic routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing unintended traffic from being encrypted.

●Clearly defining phase 2 selectorsavoids the problem of encrypting all traffic byexplicitly stating the allowed source and destination subnets. This prevents the tunnel from affecting unrelated network traffic.

ThisIPsec Phase 1 configurationdefines adynamicVPN tunnel that can accept connections from multiple peers. The settings chosen here suggest a configuration optimized fornetworks with intermittent traffic patternswhile ensuring resources are used efficiently.

Key configurations and their impact:

●set type dynamic→ This allows multiple peers to establish connections dynamically without needing predefined IP addresses.

●set ike-version 2→ UsesIKEv2, which is more efficient and supports features like EAP authentication and reduced rekeying overhead.

●set dpd on-idle→ Dead Peer Detection (DPD) is triggeredonly when the tunnel is idle, reducing unnecessary keep-alive packets and improving resource utilization.

●set add-route enable→ FortiGate automatically adds the route to the routing table when the tunnel is established, ensuring connectivity when needed.

●set proposal aes128-sha256 aes256-sha256→ Uses strong encryption and hashing algorithms, ensuring a secure connection.

●set keylife 28800→ Sets alonger key lifetime(8 hours), reducing the frequency of rekeying, which is beneficial for stable connections.

BecauseDPD is set to on-idle, the tunnel will not constantly send keep-alive messages but will still ensure connectivity when traffic is detected. This makes the configuration ideal fornetworks with regular but non-continuous traffic, balancing security and resource efficiency.

From theBGP neighbor status output, the key issue is thatBGP is stuck in the "Idle" state, meaning the FortiGate is unable to establish a BGP session with its peer100.65.4.1(Remote AS 65300).

The output also shows:

●"Not directly connected EBGP"→ This means the BGP peer is not on the same subnet, requiring multihop BGP.

●"Update source is Loopback"→ Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.

To resolve this issue, the administrator must enableebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.

When multiple remote sites connect to thesame hubusingoverlapping subnets, FortiGate needs to determine which route should be used for traffic forwarding. Theroute-overlapsetting in IPsec Phase 2 allows FortiGate to handle this scenario by deciding whether to keep theexisting route(use-old) or replace it with anew route(use-new).

In anECMP (Equal-Cost Multi-Path) routing setup,both routes should be retained and balanced, but FortiGate does not supportECMP directly over overlapping routesin IPsec Phase 2. Instead, an administrator must decide which connection takes precedence usingroute-overlapsettings.

When usingIPsec VPNsandVXLAN, additional headers are added to packets, which can exceed thedefault 1500-byte MTU. This can lead tofragmentation issues, dropped packets, or degraded performance.

To resolve this, theMTU (Maximum Transmission Unit)should be adjustedonly if all devices in the network path support it. Otherwise, some devices may still drop or fragment packets, leading to continued issues.

Why adjusting MTU helps:

●VXLAN adds a 50-byte overheadto packets.

●IPsec adds additional encapsulation(ESP, GRE, etc.), increasing the packet size.

● If packets exceed the MTU, they may befragmented or dropped, causing intermittent connectivity issues.

● Lowering the MTU on interfaces ensurespackets stay within the supported size limitacross all network devices.

InBGP (Border Gateway Protocol), aneighbor (peer) configurationis required to establish a connection between two BGP routers. SinceFortiGate A is connecting to the ISP (Autonomous System 10) from AS 30, the administrator must define theISP's BGP router as a neighbor.

Theconfig neighborcommand is used to:

●Define the ISP's IP address as a BGP peer

●Specify the remote AS (AS 10 in this case)

●Allow BGP route exchanges between FortiGate A and the ISP

Whenadding an additional FortiGateto an enterprise network that is already reaching itsresource limits, the goal is to distribute traffic efficiently and ensurehigh availability.

FGSP (FortiGate Session Life Support Protocol) with external load balancers

FGSP allowssession-aware load balancingbetween multiple FortiGate units without requiring them to be in an HA (High Availability) cluster.

Withexternal load balancers, incoming traffic isevenly distributedacross multiple FortiGate devices.

This approach is useful forscaling outtraffic handling capacity while ensuring that sessions remainsynchronizedbetween firewalls.

FGSP is effectivewhen stateful failover is requiredbut without the constraints of traditional HA.

FGCP (FortiGate Clustering Protocol) in active-active mode and with switches

FGCPactive-active modeenables multiple FortiGate devices toshare traffic loads, increasing throughput and efficiency.

Active-active mode is suitable forbalancing UTM processingacross multiple FortiGates, making it ideal whenresource limits are a concern.

Usingswitchesensures redundancy and avoids single points of failure in the network.

This mode is commonly used inenterprise networkswhere bothscalability and redundancyare required.

In anIBGP (Internal BGP) network, all routers must befully meshed, meaning every router must establish a BGP session with every other router in the sameautonomous system (AS). Thisdoes not scale wellin large networks due to the exponential increase in BGP sessions.

Tooptimize and scale IBGP,Route Reflectors (RRs)are used. ARoute Reflector (RR)reduces the number ofIBGP peer connectionsby allowing acentralized router (RR)to redistribute IBGP routes to other IBGP peers (calledclients). This eliminates the need for afull mesh, significantlyreducing BGP session overhead.

By configuring theroute-reflector-clientsetting on IBGP peers, an administrator can:

●Scale IBGP sessionsby reducing the number of direct BGP peer connections.

●Optimize the routing tableby ensuring routes are efficiently propagated within the IBGP network.

●Eliminate the need for full mesh topology, making IBGP more manageable.

TheConfiguration Revision Historywindow inFortiManagershows that the most recent configuration change (ID 10) was created byscript_managerwith the actionRetrieved.

Sincescript_manageris a system-level script execution user, the IT team needs to findwho actually triggered this script. This can be done by:

● Checking theFortiManager system logsforscript execution events.

● Using thetype=scriptfilter to locate the administrator associated with the script execution.

InFortiManager,pre-run CLI templatesare used inZero-Touch Provisioning (ZTP)andLow-Touch Provisioning (LTP)to configure a FortiGate devicebeforeit is fully managed by FortiManager.

These templatesapply configurationswhen a device is initially provisioned.Once the pre-run CLI template is executed, FortiManagerautomatically unassignsit from the device because it isnot meant to persistlike other policy configurations. This prevents conflicts and ensures that the FortiGate configuration isnot repeatedly appliedafter the initial setup.

From the exhibit, ISFW is part of a Security Fabric environment with NGFW-1 as the Fabric Root. In this architecture, FortiGate devices share security intelligence, including logs and detected threats.

ISFW is in a Security Fabric environment:

● Security Fabric allows devices like ISFW toreceive threat intelligencefrom NGFW-1, even if UTM is not enabled locally.

● If NGFW-1 detects malware fromIP 10.1.10.1 to 89.238.73.97, this information can bepropagated to ISFW and FortiAnalyzer.

The firewall policy in NGFW-1 has UTM enabled:

● Even thoughISFW does not have UTM enabled, NGFW-1 (which sits between ISFW and the external network)does have UTM enabledand is scanning traffic.

● Since NGFW-1 detects malware in the session, it logs the event, which is then sent toFortiAnalyzer.

In atransparent mode Virtual Domain (VDOM)configuration, FortiGate operates as aLayer 2 bridgerather than performing Layer 3 routing. Theset forward-domain <domain_ID>command is used to control how traffic is forwarded between interfaces within the sametransparent VDOM.

Aforward-domainacts as abroadcast domain, meaning only interfaces with thesame forward-domain IDcan exchange traffic. This setting is commonly used toseparate different VLANs or network segmentswithin the transparent VDOM while still allowing FortiGate to apply security policies.