Pass the Fortinet Certified Professional Network Security FCSS_EFW_AD-7.4 Questions and answers with ExamsMirror

ADVPN (Auto-Discovery VPN) 2.0is the optimal solution for enablingdirect spoke-to-spoke communicationwithout passing through the hub, while also allowingautomatic link selectionbased on quality metrics.

●Dynamic Direct Tunnels:

● ADVPN 2.0 allowsspokes to establish direct IPsec tunnels dynamicallybased on traffic patterns, reducing latency and improving performance.

● Unlike static VPNs, spokes do not need to pre-configure tunnels for each other.

●Automatic Link Optimization:

● ADVPN 2.0monitors the qualityof multiple internet connections on each spoke.

● It automatically switches to the best available connection when the primary linkdegrades or fails.

● This is achieved by dynamically adjusting BGP-based routing or leveraging SD-WAN integration.

TheInternet Service Database (ISDB)in FortiGate is used to enforce content filtering atLayer 3 (Network Layer) and Layer 4 (Transport Layer)of the OSI model by identifying applications based on theirpredefined IP addresses and ports.

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:

● FortiGate retrieves and updates apredefined listof IPs and ports for different internet services fromFortiGuard.

● This allows FortiGate to block specific services atLayer 3 and Layer 4without requiring deep packet inspection.

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:

● ISDB works by matching traffic to knownIP addresses and portsof categorized services.

● When an application or service is blocked, FortiGate prevents communication bydenying traffic based on its destination IP and port number.

Since Core1 and Core2 are not designated as management VDOMs, they rely on the root VDOM for connectivity to external resources such as FortiGuard updates. If the root VDOM lacks a VDOM link to these VDOMs or cannot reach FortiGuard services, security features like web filtering will stop working.

The FortiGateSSL/SSH inspection profileis configured forFull SSL Inspection, which is necessary to analyze encrypted HTTPS traffic. However, the firewallpolicy is protecting an SSL server (the Linux server hosting the website), and currently, the SSL/SSH profileonly applies to client-side SSL inspection.

To detect HTTPS-based attacks targeting the Linux server:

●FortiGate must act as an SSL intermediaryto inspect encrypted traffic destined for the web server.

● The administratormust upload the SSL certificate of the Linux web serverto FortiGate so that theserver-side SSL inspectioncan decrypt incoming HTTPS traffic before analyzing it.

When usingIPsec VPNsandVXLAN, additional headers are added to packets, which can exceed thedefault 1500-byte MTU. This can lead tofragmentation issues, dropped packets, or degraded performance.

To resolve this, theMTU (Maximum Transmission Unit)should be adjustedonly if all devices in the network path support it. Otherwise, some devices may still drop or fragment packets, leading to continued issues.

Why adjusting MTU helps:

●VXLAN adds a 50-byte overheadto packets.

●IPsec adds additional encapsulation(ESP, GRE, etc.), increasing the packet size.

● If packets exceed the MTU, they may befragmented or dropped, causing intermittent connectivity issues.

● Lowering the MTU on interfaces ensurespackets stay within the supported size limitacross all network devices.

Zero phase selectors inIPsec Phase 2mean thatno specific traffic selectors (subnets) are defined, allowingany traffic to be encryptedthrough the VPN tunnel. This can causeunintended traffic forwarding issuesand disrupt network operations.

To prevent this from happening during future migrations:

●Using routing protocolsensures thatonly specific subnets are advertised over the tunnel. Dynamic routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing unintended traffic from being encrypted.

●Clearly defining phase 2 selectorsavoids the problem of encrypting all traffic byexplicitly stating the allowed source and destination subnets. This prevents the tunnel from affecting unrelated network traffic.

FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless itdecryptsit first. Ifonly certificate inspectionis enabled, FortiGate can see the certificate details (such as the domain and issuer) butcannot inspect the actual web content.

To fully analyze the traffic and detect potential malware threats:

●Full SSL inspection (Deep Packet Inspection)must be enabled in theSSL/SSH Inspection Profile.

● This allows FortiGate todecrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.

● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.

When configuring aloopback interface as the BGP sourceforconnecting to an ISP, two important settings must be applied:

1.Enable EBGP Multihop (ebgp-enforce-multihop)

BGP normally expects directly connected neighbors, but since the ISP and FortiGate A are usingloopback interfaces,packets will not be sent directly between their physical interfaces.

Theebgp-enforce-multihopcommandallows BGP to form an eBGP peering over multiple hops.

2.Set the Update Source (update-source)

Since FortiGate is using aloopback interface as the source, theupdate-sourcecommand ensures thatBGP updates originate from the loopback interfacerather than a physical interface.

This is essential becauseBGP peers must match the source IP with the configured neighbor address.

In anIBGP (Internal BGP) network, all routers must befully meshed, meaning every router must establish a BGP session with every other router in the sameautonomous system (AS). Thisdoes not scale wellin large networks due to the exponential increase in BGP sessions.

Tooptimize and scale IBGP,Route Reflectors (RRs)are used. ARoute Reflector (RR)reduces the number ofIBGP peer connectionsby allowing acentralized router (RR)to redistribute IBGP routes to other IBGP peers (calledclients). This eliminates the need for afull mesh, significantlyreducing BGP session overhead.

By configuring theroute-reflector-clientsetting on IBGP peers, an administrator can:

●Scale IBGP sessionsby reducing the number of direct BGP peer connections.

●Optimize the routing tableby ensuring routes are efficiently propagated within the IBGP network.

●Eliminate the need for full mesh topology, making IBGP more manageable.

To minimizeCPU and RAM usagewhile still enforcingsecurity features like web filtering and application control,SSL certificate inspection modeis the best choice.

●SSL certificate inspectionallows FortiGate to inspectonly the SSL/TLS handshake, including theServer Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.

● This enables features likeweb filtering and application controlbecause FortiGate can determine thedestination website or applicationbased onSNI and certificate information.

● Itsignificantly reduces system loadcompared tofull SSL inspection, which requires full decryption and re-encryption of traffic.