Free FCSS_EFW_AD-7.4 Exam Dumps

Question 11

Refer to the exhibit, which contains a partial command output.
FCSS_EFW_AD-7.4 dumps exhibit
The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit.
What configuration must the administrator consider next?

A. Configure a static route to 100.65.4.1.
B. Configure the local AS to 65300.
C. Contact the remote peer administrator to enable BGP
D. Enable ebgp-enforce-multihop.

Correct Answer:D
From theBGP neighbor status output, the key issue is thatBGP is stuck in the "Idle" state, meaning the FortiGate is unable to establish a BGP session with its peer100.65.4.1 (Remote AS 65300).
The output also shows:
"Not directly connected EBGP" This means the BGP peer is not on the same subnet, requiring multihop BGP.
"Update source is Loopback" Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.
To resolve this issue, the administrator must enableebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.

Question 12

What is the initial step performed by FortiGate when handling the first packets of a session?

A. Installation of the session key in the network processor (NP)
B. Data encryption and decryption
C. Security inspections such as ACL, HPE, and IP integrity header checking
D. Offloading the packets directly to the content processor (CP)

Correct Answer:C
When FortiGate processes the first packets of a session, it follows a sequence of steps to determine how the traffic should be handled before establishing a session. The initial step involves:
Access Control List (ACL) checks: Determines if the traffic should be allowed or blocked based on predefined security rules.
Hardware Packet Engine (HPE) inspections: Ensures that packet headers are valid and comply with protocol standards.
IP Integrity Header Checking: Verifies if the IP headers are intact and not malformed or spoofed.
Once these security inspections are completed and the session is validated, FortiGate then installs the session in hardware (if offloading is enabled) or processes it in software.

Question 13

A vulnerability scan report has revealed that a user has generated traffic to the website example.com (10.10.10.10) using a weak SSL/TLS version supported by the HTTPS web server.
What can the firewall administrator do to block all outdated SSL/TLS versions on any HTTPS web server to prevent possible attacks on user traffic?

A. Configure the unsupported SSL version and set the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile.
B. Enable auto-detection of outdated SSL/TLS versions in the SSL/SSH inspection profile to block vulnerable websites.
C. Install the required certificate in the client's browser or use Active Directory policies to block specific websites as defined in the SSL/SSH inspection profile.
D. Use the latest certificate, Fortinet_SSL_ECDSA256, and replace the CA certificate in the SSL/SSH inspection profile.

Correct Answer:A
Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.
By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:
Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).
Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).
Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.

Question 14

Refer to the exhibit, which shows an enterprise network connected to an internet service provider.
FCSS_EFW_AD-7.4 dumps exhibit
The administrator must configure the BGP section of FortiGate A to give internet access to the enterprise network.
Which command must the administrator use to establish a connection with the internet service provider?

A. config neighbor
B. config redistribute bgp
C. config router route-map
D. config redistribute ospf

Correct Answer:A
InBGP (Border Gateway Protocol), aneighbor (peer) configurationis required to establish a connection between two BGP routers. SinceFortiGate A is connecting to the ISP (Autonomous System 10) from AS 30, the administrator must define theISP's BGP router as a neighbor.
Theconfig neighborcommand is used to: Define the ISP's IP address as a BGP peer Specify the remote AS (AS 10 in this case)
Allow BGP route exchanges between FortiGate A and the ISP

Question 15

Refer to the exhibit, which contains the partial output of an OSPF command.
FCSS_EFW_AD-7.4 dumps exhibit
An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit.
What two conclusions can the administrator draw? (Choose two.)

A. The FortiGate device is a backup designated router
B. The FortiGate device is connected to multiple areas
C. The FortiGate device injects external routing information
D. The FortiGate device has OSPF ECMP enabled

Correct Answer:BC
The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device.
The FortiGate device is connected to multiple areas
The output states: "This router is an ABR"
ABR (Area Border Router)means the device is connected tomultiple OSPF areasand maintains routing information between them.
This confirms that the FortiGate isnot just in one area, but at leastone backbone area (Area 0) and another OSPF area.
The FortiGate device injects external routing information
The output states: "Supports opaque LSA"
Opaque LSAs(Type 9, 10, and 11) are used inOSPF extensions, including those that support external route injection.
Typically, ABRs or ASBRs (Autonomous System Boundary Routers)inject external routes, allowing routes fromother routing protocols (such as BGP or static routes) to be advertised into OSPF.