Pass the Fortinet Certified Professional Network Security FCSS_EFW_AD-7.6 Questions and answers with ExamsMirror

The best way to block outdated SSL/TLS versions is to configure the SSL/SSH inspection profile to enforce a minimum SSL/TLS version and disable weak SSL versions.

By setting the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection using outdated SSL/TLS versions (such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication using only strong SSL/TLS versions (such as TLS 1.2 or TLS 1.3).

● Protect users from man-in-the-middle (MITM) and downgrade attacks that exploit weak encryption.

Unlike IPS or antivirus databases, FortiGate does not store a full web filter database locally. Instead, FortiGate queries FortiGuard (or FortiManager, if configured) dynamically to classify and filter web content in real time.

Key points:

● Web filtering works on a cloud-based model:

● When a user requests a website, FortiGate queries FortiGuard servers to check its category and reputation.

● The response is then cached locally for faster lookups on repeated requests.

● No local web filter database version:

● Unlike IPS and antivirus, which download and store signature updates locally, web filtering relies on cloud-based queries.

● This is why no database version appears in the GUI.

● Flow mode vs Proxy mode:

● In proxy mode, FortiGate can cache some web filter data, improving performance.

● In flow mode, all queries happen dynamically, with no locally stored database.

neighbor-group:

● This command is used to group multiple BGP neighbors with the same configuration, reducing redundant configuration.

● Instead of defining individual BGP settings for each spoke, the administrator can create a neighbor-group and apply the same policies, reducing manual work.

neighbor-range:

● This command allows the configuration of a range of neighbor IPs dynamically, reducing the need to manually define each spoke neighbor.

● It automatically adds BGP neighbors that match a given prefix, simplifying deployment.

The diagram shows a multi-area OSPF network where:

● FortiGate A is in OSPF Area 0 (Backbone area).

● FortiGate B is in OSPF Area 0.0.0.1 and is connected to an RIP network.

To ensure that OSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B must redistribute RIP routes into OSPF.

Steps to achieve this:

1. Enable route redistribution on FortiGate B to inject RIP-learned routes into OSPF.

2. This allows OSPF Area 0.0.0.1 to forward RIP routes to OSPF Area 0 (0.0.0.0), making the external network visible.

FortiGate_A and FortiGate_B are in the same autonomous system (AS), and FortiGate_A does not currently have route 172.16.1.248/30 in its routing table. However, FortiGate_B has this route as a connected route.

To dynamically advertise only 172.16.1.248/30 from FortiGate_B to FortiGate_A, the administrator must configure a BGP route map out on FortiGate_B that specifically permits only this prefix.

A BGP route map out on FortiGate_B controls which routes FortiGate_B advertises to FortiGate_A. If no filtering is applied, FortiGate_B might advertise all BGP-learned and connected routes, which is not what the administrator wants. The route map should include a prefix-list that explicitly allows only 172.16.1.248/30 and denies everything else.

The diagram shows a FortiGate connected to two FortiSwitches, which suggests the use of FortiLink, Fortinet's protocol for managing switches directly from a FortiGate. Since multiple connections are being used, the LAN interface must be set to 802.3ad (LAG) mode to aggregate the links for redundancy and load balancing.

This setup allows FortiGate to handle VLAN assignments dynamically, as seen with VLAN 10 (192.168.15.1/24). FortiLink ensures seamless integration between FortiGate and FortiSwitches, making STP unnecessary because Fortinet's MCLAG prevents loops at Layer 2. SD-WAN, on the other hand, is used for WAN interfaces and does not apply to switch connectivity in this scenario.

The excessive DNS log requests with random subdomains suggest a DNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can use both UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.

Using an IPS profile with DNS exfiltration-specific signatures allows FortiGate to:

● Detect and block abnormal DNS query patterns often used in exfiltration.

● Inspect encrypted DNS (DoH, DoT) traffic if SSL inspection is enabled.

● Identify known exfiltration domains and techniques based on FortiGuard threat intelligence.

The MAC address e0:23:ff:fc:00:86 follows the format used in FortiGate High Availability (HA) clusters. When FortiGate devices are in an HA configuration, they use virtual MAC addresses for failover and redundancy purposes.

The suspicious packet is related to a cluster that has VDOMs enabled:

FortiGate devices with Virtual Domains (VDOMs) enabled use specific MAC address ranges to differentiate HA-related traffic. This MAC address is likely part of that mechanism.

The suspicious packet is related to a cluster with a group-id value lower than 255:

FortiGate HA clusters assign virtual MAC addresses based on the group ID. The last octet (00:86) corresponds to a group ID that is below 255, confirming this option.

FortiGate devices with NP6 (Network Processor 6) acceleration offload traffic directly to hardware, bypassing the CPU for improved performance. When auto-asic-offload is enabled in a firewall policy, most of the traffic does not reach the CPU, which means it won't be captured by the standard sniffer trace command.

Since NP6-accelerated traffic is handled entirely in hardware, only a small portion of initial packets (such as session setup packets or exceptions) might be seen in the sniffer output. To capture all packets, the administrator must disable hardware offloading using:

config firewall policy

edit

set auto-asic-offload disable

end

Disabling ASIC offload forces traffic to be processed by the CPU, allowing the sniffer tool to capture all packets.

The Multi-Exit Discriminator (MED) is a BGP attribute used to influence the preferred path for incoming traffic from an external autonomous system (AS). The diagram shows that FortiGate_1 advertises MED 200, while FortiGate_2 advertises MED 300, meaning the ISP will prefer the route through FortiGate_1 because a lower MED is preferred in BGP.

To modify the MED value on FortiGate_1 for routes advertised to AS 30, the administrator must configure a route-map-out. A route map can match specific routes and set the MED value before sending them to the BGP neighbor.