A company's users on an IPsec VPN between FortiGate A and B have experienced
intermittent issues since implementing VXLAN. The administrator suspects that packets
exceeding the 1500-byte default MTU are causing the problems.
In which situation would adjusting the interface’s maximum MTU value help resolve issues
caused by protocols that add extra headers to IP packets?
A. Adjust the MTU on interfaces only if FortiGate has the FortiGuard enterprise bundle, which allows MTU modification
B. Adjust the MTU on interfaces in all FortiGate devices that support the latest family of Fortinet SPUs: NP7, CP9 and SP5.
C. Adjust the MTU on interfaces in controlled environments where all devices along the path allow MTU interface changes.
D. Adjust the MTU on interfaces only in wired connections like PPPoE, optic fiber, and ethernet cable.
Refer to the exhibit, which shows a partial troubleshooting command output.
An administrator is extensively using IPsec on FortiGate. Many tunnels show information
similar to the output shown in the exhibit.
What can the administrator conclude?
A. IPsec SAs cannot be offloaded
B. The two IPsec SAs, inbound and outbound, are copied to the NPU
C. Only the outbound IPsec SA is copied to the NPU.
D. Only the inbound IPsec SA is copied to the NPU
Refer to the exhibit, which shows a hub and spokes deployment.
An administrator is deploying several spokes, including the BGP configuration for the
spokes to connect to the hub.
Which two commands allow the administrator to minimize the configuration? (Choose two.)
A. neighbor-group
B. route-reflector-client
C. neighbor-range
D. ibgp-enforce-multihop
The IT department discovered during the last network migration that all-zero phase selectors in phase 2 IPsec configurations impacted network operations. What are two valid approaches to prevent this during future migrations? (Choose two.)
A. Use routing protocols to specify allowed subnets over the tunnel.
B. Configure an IPsec-aggregate to create redundancy between each firewall peer.
C. Clearly indicate to the VPN which segments will be encrypted in the phase two selectors.
D. Configure an IP address on the IPsec interface of each firewall to establish unique peer
Refer to the exhibit, which shows the VDOM section of a FortiGate device.
An administrator discovers that webfilter stopped working in Core1 and Core2 after a
maintenance window.
Which two reasons could explain why webfilter stopped working? (Choose two.)
A. The root VDOM does not have access to FortiManager in a closed network.
B. The root VDOM does not have a VDOM link to connect with the Core1 and Core2 VDOMs.
C. The Core1 and Core2 VDOMs must also be enabled as Management VDOMs to receive FortiGuard updates
D. The root VDOM does not have access to any valid public FDN.
Refer to the exhibit, which shows a LAN interface connected from FortiGate to two FortiSwitch devices.
What two conclusions can you draw from the corresponding LAN interface? (Choose two.)
A. You must enable STP or RSTP on FortiGate and FortiSwitch to avoid layer 2 loopbacks.
B. The LAN interface must use an 802.3ad type interface.
C. This connection is using a FortiLink to manage VLANs on FortiGate.
D. FortiGate is using an SD-WAN-type interface to connect to a FortiSwitch device with MCLAG.
Refer to the exhibit, which shows a corporate network and a new remote office network.
An administrator must integrate the new remote office network with the corporate
enterprise network.
What must the administrator do to allow routing between the two networks?
A. The administrator must implement BGP to inject the new remote office network into the corporate FortiGate device
B. The administrator must configure a static route to the subnet 192.168.1.0/24 on the corporate FortiGate device
C. The administrator must configure virtual links on both FortiGate devices.
D. The administrator must implement OSPF over IPsec on both FortiGate devices.
Refer to the exhibit.
An administrator is deploying a hub and spokes network and using OSPF as the dynamic protocol.
Which configuration is mandatory for neighbor adjacency?
A. Set bfd enable in the router configuration
B. Set network-type point-to-multipoint in the hub interface
C. Set rfc1583-compatible enable in the router configuration
D. Set rfc1583-compatible enable in the router configuration
Refer to the exhibit, which shows an ADVPN network.
An administrator must configure an ADVPN using IBGP and EBGP to connect overlay
network 1 with 2.
What two options must the administrator configure in BGP? (Choose two.)
A. set ebgp-enforce-multihop enable
B. set next-hop-self enable
C. set ibgp-enforce-multihop advpn
D. set attribute-unchanged next-hop
An administrator must enable direct communication between multiple spokes in a
company's network. Each spoke has more than one internet connection.
The requirement is for the spokes to connect directly without passing through the hub, and
for the links to automatically switch to the best available connection.
How can this automatic detection and optimal link utilization between spokes be achieved?
A. Set up OSPF routing over static VPN tunnels between spokes
B. Utilize ADVPN 2.0 to facilitate dynamic direct tunnels and automatic link optimization.
C. Establish static VPN tunnels between spokes with predefined backup routes.
D. Implement SD-WAN policies at the hub to manage spoke link quality.
Refer to the exhibit, which shows an OSPF network.
Which configuration must the administrator apply to optimize the OSPF database?
A. Set a route map in the AS boundary FortiGate.
B. Set the area 0.0.0.1 to the type STUB in the area border FortiGate.
C. Set an access list in the AS boundary FortiGate.
D. Set the area 0.0.0.1 to the type NSSA in the area border FortiGate.
Refer to the exhibit, which shows a partial enterprise network.
An administrator would like the area 0.0.0.0 to detect the external network.
What must the administrator configure?
A. Enable RIP redistribution on FortiGate B.
B. Configure a distribute-route-map-in on FortiGate B.
C. Configure a virtual link between FortiGate A and B.
D. Set the area 0.0.0.1 type to stub on FortiGate A and B.