FCSS_EFW_AD-7.6 Exam Dumps - Fortinet Certified Professional Network Security Questions and Answers

According to the FortiGate security profile documentation, standard certificate inspection (which uses SNI) only examines the certificate header and does not allow the firewall to see the actual payload of an encrypted session. To identify attacks such as PHP code injection or malware hidden within HTTPS traffic, the FortiGate must be configured with full SSL inspection (also known as deep SSL inspection). This process requires the FortiGate to act as a man-in-the-middle, decrypting the traffic using a trusted CA certificate, inspecting the cleartext content for threats, and then re-encrypting it before sending it to the destination.

==============

To minimize CPU and RAM usage while still enforcing security features like web filtering and application control, SSL certificate inspection mode is the best choice.

● SSL certificate inspection allows FortiGate to inspect only the SSL/TLS handshake, including the Server Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.

● This enables features like web filtering and application control because FortiGate can determine the destination website or application based on SNI and certificate information.

● It significantly reduces system load compared to full SSL inspection, which requires full decryption and re-encryption of traffic.

Comprehensive and Detailed Explanation From Exact Extract documents and Knowledge:

In enterprise environments, " scaling " refers to increasing the total throughput or processing capacity of the security fabric.

FGCP Active-Active (B): This clustering mode uses all members of the cluster to process traffic simultaneously, effectively distributing the UTM/IPS load and scaling performance beyond the limits of a single unit.

FGSP (A): The FortiGate Session Life Support Protocol allows independent FortiGate units (or clusters) to synchronize session information. This is used to scale performance in asymmetrical routing environments or when using external load balancers to distribute traffic across multiple FortiGates.

Note: FGCP Active-Passive (D) and VRRP (C) provide redundancy/high availability but do not scale performance, as only one unit processes traffic at any given time.

In a Fortinet Security Fabric environment using SAML Single Sign-On (SSO), the root FortiGate typically acts as the SAML Identity Provider (IdP) or the primary gateway to one, while the downstream FortiGates act as SAML Service Providers (SP).

Based on the logic provided in the Fortinet Enterprise Firewall 7.6 Administrator Study Guide and the provided exhibits:

Identity Verification: When the user attempts to log into the downstream FortiGate via SSO, the authentication is handled by the root FortiGate.

Profile Assignment: Although the user AdminSSO may have super_admin privileges on the root FortiGate (as shown in the first exhibit), the downstream FortiGate controls what level of access that user receives locally.

Default Fabric Settings: In the downstream FortiGate ' s Security Fabric configuration (shown in the second exhibit), there is a setting for the " Default login profile " for SAML SSO users. In standard Security Fabric deployments, this is default-set to super_admin_readonly .

Account Creation: Upon the first successful SSO login, the downstream FortiGate automatically creates a local " SSO administrator " account entry for that user to track their session and permissions. It applies the default profile specified in the Fabric settings.

Therefore, even though the user is a super_admin on the root, they will be restricted to the super_admin_readonly profile on the downstream device because that is the profile assigned by the downstream SP ' s configuration.

The issue occurs because FortiGate enforces the " do not fragment " (DF) bit in the packet, and the packet size exceeds the MTU of the network path. When the Windows PC1 (with an MTU of 1500 bytes) attempts to send a 1400-byte packet, the FortiGate interface (with an MTU of 1000 bytes) needs to fragment it. However, since the DF bit is set, FortiGate drops the packet instead of fragmenting it.

To resolve this, the user should adjust the ping packet size to fit within the path MTU. In this case, reducing the packet size to 972 bytes (1000 bytes MTU minus 28 bytes for the IP and ICMP headers) should allow successful transmission.

Standard certificate inspection (which relies on the SNI) only identifies the destination domain; it does not allow the FortiGate to see the actual content of the encrypted session. As noted in the lab documentation, " certificate inspection on its own does not help HQ-DCFW to see the encrypted traffic " . To identify and block malware hidden within HTTPS traffic, the FortiGate must be configured with full SSL inspection (also known as deep inspection). This process involves the FortiGate acting as a man-in-the-middle to decrypt the packets, scan the payload for threats using the applied security profiles (like Antivirus or IPS), and then re-encrypt the traffic before sending it to the host. Without full decryption, the unit " will not decrypt packets to analyze if there is a possible attack, " allowing malware to bypass security layers.

==============

When configuring a BGP peering session with an external neighbor (eBGP), such as an ISP, using a loopback interface as the source, two specific configuration requirements must be met in FortiOS:

update-source (B): By default, BGP uses the IP address of the physical egress interface to initiate the TCP connection to a neighbor. If you want the BGP session to be sourced from a loopback interface (which is a common practice for stability, as loopbacks do not go down unless the entire router fails), you must explicitly define this using the set update-source < interface > command under the neighbor configuration.

ebgp-enforce-multihop (A): Standard eBGP sessions have a default Time-to-Live (TTL) of 1, meaning the peer is expected to be directly connected. When peering using loopback addresses, the loopback interface is logically one hop away from the physical link. Therefore, the connection will fail unless you increase the TTL. The set ebgp-enforce-multihop < hop-count > command allows the BGP session to be established even if the peer is not on a directly connected subnet or if loopbacks are used.

In the provided exhibit (image_bd178a.jpg), the CLI shows the neighbor configuration. To successfully peer with the ISP (10.200.3.1) using a local loopback, the administrator would need to add:

set update-source " loopback0 "

set ebgp-enforce-multihop 2 (or a higher value)

The excessive DNS log requests with random subdomains suggest a DNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can use both UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.

Using an IPS profile with DNS exfiltration-specific signatures allows FortiGate to:

● Detect and block abnormal DNS query patterns often used in exfiltration.

● Inspect encrypted DNS (DoH, DoT) traffic if SSL inspection is enabled.

● Identify known exfiltration domains and techniques based on FortiGuard threat intelligence.

Comprehensive and Detailed Explanation From Exact Extract documents and Knowledge:

To scale performance beyond a single unit, Fortinet provides two primary clustering and synchronization methods:

FGCP Active-Active: This mode distributes network traffic among all members of the cluster, allowing the combined processing power of multiple units to handle higher throughput and security inspection loads.

FGSP (FortiGate Session Life Support Protocol): This protocol is used to synchronize session information between independent FortiGate units or clusters. It is commonly used in large-scale environments where external load balancers distribute traffic across multiple FortiGates, ensuring that if traffic for a session is asymmetric (sent to one unit but returned to another), the return unit has the necessary session state to allow the traffic. In contrast, FGCP Active-Passive provides redundancy but does not scale performance as the secondary unit remains idle.

==============

The best way to automate a firewall policy using a daily updated list of IP addresses is by using an external connector from Threat Feeds. This allows FortiGate to dynamically retrieve real-time threat intelligence from external sources and apply it directly to security policies.

By configuring Threat Feeds, the administrator can:

● Automatically update firewall policies with the latest malicious IPs daily.

● Block traffic from those IPs in real-time without manual intervention.

● Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).