An administrator received a FortiAnalyzer alert that a disk filled up in a day. Upon investigation, they found thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. They later discovered that DNS exfiltration was occurring through both UDP and TLS.
How can the administrator prevent this data theft technique?
Correct Answer: D
The excessive DNS log requests with random subdomains suggest a DNS exfiltration attack, in which attackers encode data into DNS queries and transmit it to a domain they control. Since this technique can use both UDP and TLS-based transports (DoH, DNS over HTTPS), a comprehensive security approach is needed.
Using an IPS profile with DNS exfiltration-specific signatures allows FortiGate to:
Detect and block abnormal DNS query patterns often used in exfiltration.
Inspect encrypted DNS (DoH, DoT) traffic if SSL inspection is enabled.
Identify known exfiltration domains and techniques based on FortiGuard threat intelligence.
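The query pattern described above (many unique, random-looking subdomains of one parent domain, none of them answered) is also easy to spot in the logs themselves. The following detector is an added example, not FortiGate or FortiAnalyzer code; the log lines are constructed and their field names (qname, ipaddr, subtype) are assumptions chosen for the illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed FortiGate-like key=value DNS log lines (made up for this example;
# the field names are assumptions, not guaranteed to match real log output).
SAMPLE_LOGS = [
    'date=2024-01-10 time=09:00:01 subtype="dns" qname="JHCMQK.website.com" qtype="TXT" ipaddr=""',
    'date=2024-01-10 time=09:00:02 subtype="dns" qname="X7QP2R.website.com" qtype="TXT" ipaddr=""',
    'date=2024-01-10 time=09:00:03 subtype="dns" qname="ZK9LMW.website.com" qtype="TXT" ipaddr=""',
    'date=2024-01-10 time=09:00:04 subtype="dns" qname="www.example.org" qtype="A" ipaddr="93.184.216.34"',
    'date=2024-01-10 time=09:00:05 subtype="dns" qname="mail.example.org" qtype="A" ipaddr="93.184.216.35"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Parse key=value pairs, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def shannon_entropy(label):
    """Bits per character; random-looking labels such as JHCMQK score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values()) if n else 0.0

def flag_exfil_domains(lines, min_queries=3, min_entropy=2.5):
    """Group unanswered queries by parent domain; flag domains whose leftmost
    labels are numerous, never repeated and high-entropy (exfiltration pattern)."""
    stats = defaultdict(lambda: {"labels": [], "entropy": []})
    for line in lines:
        rec = parse_kv(line)
        if rec.get("subtype") != "dns" or rec.get("ipaddr"):
            continue  # keep only DNS queries that received no answer
        parts = rec.get("qname", "").split(".")
        if len(parts) < 3:
            continue
        s = stats[".".join(parts[-2:])]  # parent domain, e.g. website.com
        s["labels"].append(parts[0])
        s["entropy"].append(shannon_entropy(parts[0]))
    flagged = {}
    for parent, s in stats.items():
        count, mean_entropy = len(s["labels"]), sum(s["entropy"]) / len(s["entropy"])
        if count >= min_queries and len(set(s["labels"])) == count and mean_entropy >= min_entropy:
            flagged[parent] = {"unanswered": count, "mean_entropy": round(mean_entropy, 2)}
    return flagged
```

Run against the constructed sample, only website.com is flagged; the ordinary resolved queries to example.org are ignored because they carry an answer.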
What action can be taken on a FortiGate to block traffic using IPS protocol decoders, focusing on network transmission patterns and application signatures?
Correct Answer: B
FortiGate's IPS protocol decoders analyze network transmission patterns and application signatures to identify and block malicious traffic. Application Control is the feature that allows FortiGate to detect, classify, and block applications based on their behavior and signatures, even when they do not rely on traditional URLs.
Application Control works alongside IPS protocol decoders to inspect packet payloads and enforce security policies based on recognized application behaviors.
It enables granular control over non-URL-based applications such as P2P traffic, VoIP, messaging apps, and other non-web-based protocols that IPS can identify through protocol decoders.
IPS and Application Control together can detect evasive or encrypted applications that might bypass traditional firewall rules.
Refer to the exhibit, which shows an OSPF network.
Which configuration must the administrator apply to optimize the OSPF database?
Correct Answer: B
OSPF database optimization is necessary to reduce unnecessary routing information and improve network performance. In the given topology, Area 0.0.0.1 is a non-backbone area connected to Area 0.0.0.0 (the backbone area) through an Area Border Router (ABR).
To optimize OSPF in this scenario, configuring Area 0.0.0.1 as a stub area will:
Reduce the size of the OSPF database by preventing external routes (from outside OSPF) from being injected into Area 0.0.0.1.
Allow only intra-area and inter-area routes, meaning routers in Area 0.0.0.1 will rely on a default route for external destinations.
Improve convergence time and reduce router processing load, since fewer LSAs (Link-State Advertisements) are exchanged.
An administrator configured the FortiGate devices in an enterprise network to join the Fortinet Security Fabric. The administrator has a list of IP addresses that must be blocked by the data center firewall. This list is updated daily.
How can the administrator automate a firewall policy with the daily updated list?
Correct Answer: D
The best way to automate a firewall policy using a daily updated list of IP addresses is an external connector from Threat Feeds. This allows FortiGate to dynamically retrieve real-time threat intelligence from external sources and apply it directly to security policies.
By configuring Threat Feeds, the administrator can:
Automatically update firewall policies with the latest malicious IPs daily.
Block traffic from those IPs in real time without manual intervention.
Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).
During the maintenance window, an administrator must sniff all the traffic going through a specific firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few packets.
Why is the output of sniffer trace limited?
Correct Answer: B
FortiGate devices with NP6 (Network Processor 6) acceleration offload traffic directly to hardware, bypassing the CPU for improved performance. When auto-asic-offload is enabled in a firewall policy, most of the traffic does not reach the CPU, which means it won't be captured by the standard sniffer trace command.
Since NP6-accelerated traffic is handled entirely in hardware, only a small portion of initial packets (such as session setup packets or exceptions) might be seen in the sniffer output. To capture all packets, the administrator must disable hardware offloading using:
config firewall policy
    edit <policy_ID>
        set auto-asic-offload disable
    next
end
Disabling ASIC offload forces traffic to be processed by the CPU, allowing the sniffer tool to capture all packets.