FCSS EFW AD-7.4
Exam: FCSS_EFW_AD-7.4
Vendor: Fortinet
Version: DEMO
NO.1 An administrator is setting up an ADVPN configuration and wants to ensure that peer IDs are
not exposed during VPN establishment.
Which protocol can the administrator use to enhance security?
A. Use IKEv2, which encrypts peer IDs and prevents exposure.
B. Opt for SSL VPN web mode because it does not use peer IDs at all.
C. Choose IKEv1 aggressive mode because it simplifies peer identification.
D. Stick with IKEv1 main mode because it offers better performance.
Answer: A
Explanation:
In ADVPN (Auto-Discovery VPN) configurations, security concerns include protecting peer IDs during
VPN establishment. Peer IDs are exchanged in the IKE (Internet Key Exchange) negotiation phase, and
their exposure could lead to privacy risks or targeted attacks. IKEv2 encrypts peer IDs, making it more
secure compared to IKEv1, where peer IDs can be exposed in plaintext in aggressive mode.
IKEv2 also provides better performance and flexibility while supporting dynamic tunnel establishment
in ADVPN.
NO.2 An administrator must improve the resiliency of a link by minimizing data loss within an
enterprise network that has full path redundancy.
What should the administrator enable on the FortiGate devices that use BGP as the dynamic routing
protocol between two separate autonomous systems? (Choose two.)
A. graceful-restart
B. ibgp-multipath
C. bfd
D. route-reflector-client
Answer: AC
NO.3 Refer to the exhibits. The exhibits show a network topology, a firewall policy, and an SSL/SSH
inspection profile configuration.
Why is FortiGate unable to detect HTTPS attacks on firewall policy ID 3 targeting the Linux server?
A. The administrator must set the policy to inspection mode to analyze the HTTPS packets as
expected.
B. The administrator must enable HTTPS in the protocol port mapping of the deep-inspection
SSL/SSH inspection profile.
C. The administrator must enable SSL inspection of the SSL server and upload the certificate of the
Linux server website to the SSL/SSH inspection profile.
D. The administrator must enable cipher suites in the SSL/SSH inspection profile to decrypt the
message.
Answer: C
Explanation:
The FortiGate SSL/SSH inspection profile is configured for Full SSL Inspection, which is necessary to
analyze encrypted HTTPS traffic. However, the firewall policy is protecting an SSL server (the Linux
server hosting the website), and currently, the SSL/SSH profile only applies to client-side SSL
inspection.
To detect HTTPS-based attacks targeting the Linux server:
FortiGate must act as an SSL intermediary to inspect encrypted traffic destined for the web server.
The administrator must upload the SSL certificate of the Linux web server to FortiGate so that the
server-side SSL inspection can decrypt incoming HTTPS traffic before analyzing it.
NO.4 Refer to the exhibit, which shows the FortiGuard Distribution Network of a FortiGate device.
FortiGuard Distribution Network on FortiGate
An administrator is trying to find the web filter database signature on FortiGate to resolve issues with
websites not being filtered correctly in a flow-mode web filter profile. Why is the web filter database
version not visible on the GUI, as it is for the IPS definitions?
A. The web filter database is stored locally, but the administrator must run diagnose autoupdate
versions in the CLI to see it.
B. The web filter database is stored locally on FortiGate, but it is hidden behind the GUI. It requires
enabling debug mode to make it visible.
C. The web filter database is not hosted on FortiGate: FortiGate queries FortiGuard or FortiManager
for web filter ratings on demand.
D. The web filter database is only accessible after manual syncing with a valid FDS server using
diagnose test update info.
Answer: C
Explanation:
Unlike IPS or antivirus databases, FortiGate does not store a full web filter database locally.
Instead, FortiGate queries FortiGuard (or FortiManager, if configured) dynamically to classify and
filter web content in real time.
Key points:
Web filtering works on a cloud-based model:
When a user requests a website, FortiGate queries FortiGuard servers to check its category and
reputation.
The response is then cached locally for faster lookups on repeated requests.
No local web filter database version:
Unlike IPS and antivirus, which download and store signature updates locally, web filtering relies on
cloud-based queries.
This is why no database version appears in the GUI.
Flow mode vs. proxy mode:
In proxy mode, FortiGate can cache some web filter data, improving performance. In flow mode, all
queries happen dynamically, with no locally stored database.
NO.7 Refer to the exhibit, which shows an enterprise network connected to an internet service
provider.
The administrator must configure the BGP section of FortiGate A to give internet access to the
enterprise network.
Which command must the administrator use to establish a connection with the internet service
provider?
A. config neighbor
B. config redistribute bgp
C. config router route-map
D. config redistribute ospf
Answer: A
Explanation:
In BGP (Border Gateway Protocol), a neighbor (peer) configuration is required to establish a
connection between two BGP routers. Since FortiGate A is connecting to the ISP (Autonomous
System 10) from AS 30, the administrator must define the ISP's BGP router as a neighbor.
The config neighbor command is used to:
Define the ISP's IP address as a BGP peer
Specify the remote AS (AS 10 in this case)
Allow BGP route exchanges between FortiGate A and the ISP
NO.8 An administrator needs to install an IPS profile without triggering false positives that can
impact applications and cause problems with users' normal traffic flow. Which action can the
administrator take to prevent false positives in IPS analysis?
A. Use the IPS profile extension to select an operating system, protocol, and application for all the
network internal services and users to prevent false positives.
B. Enable Scan Outgoing Connections to avoid clicking suspicious links or attachments that can
deliver botnet malware and create false positives.
C. Use an IPS profile with the action set to monitor; however, the administrator must be aware that this
can compromise network integrity.
D. Install missing or expired SSL/TLS certificates on the client PC to prevent expected false positives.
Answer: A
Explanation:
False positives in Intrusion Prevention System (IPS) analysis can disrupt legitimate traffic and
negatively impact user experience. To reduce false positives while maintaining security,
administrators can:
Use IPS profile extensions to fine-tune the settings based on the organization's environment.
Select the correct operating system, protocol, and application types to ensure that IPS signatures
match the network's actual traffic patterns, reducing false positives.
Customize signature selection based on the network's specific services, filtering out unnecessary or
irrelevant signatures.