Pass the Fortinet Fortinet Certified Professional Network Security FCSS_EFW_AD-7.4 Questions and answers with CertsForce

Applying anaggressive IPS profilewithout prior testing candisrupt legitimate applicationsby incorrectly identifying normal traffic as malicious. To prevent disruptions while still monitoring for threats:

●Enable IPS in "Monitor Mode" first:

● This allows FortiGate tolog and analyzepotential threatswithout actively blockingtraffic.

● Administrators can review logs and fine-tune IPS signatures to minimize false positives before switching to blocking mode.

●Verify and adjust signature patterns:

● Some signatures might trigger unnecessary blocks for legitimate application traffic.

● By analyzing logs, administrators candisable or modifyspecific rules causing false positives.

The diagram shows a FortiGate connected to two FortiSwitches, which suggests the use ofFortiLink, Fortinet's protocol for managing switches directly from a FortiGate. Since multiple connections are being used, the LAN interface must be set to802.3ad (LAG)mode to aggregate the links for redundancy and load balancing.

This setup allows FortiGate to handle VLAN assignments dynamically, as seen withVLAN 10 (192.168.15.1/24). FortiLink ensures seamless integration between FortiGate and FortiSwitches, making STP unnecessary because Fortinet'sMCLAGprevents loops at Layer 2. SD-WAN, on the other hand, is used for WAN interfaces and does not apply to switch connectivity in this scenario.

In a hub-and-spoke topology using OSPF over IPsec VPNs, thepoint-to-multipointnetwork type is necessary to establish neighbor adjacencies between the hub and spokes. This network type ensures that OSPF operates correctly without requiring a designated router (DR) and allows dynamic routing updates across the IPsec tunnels.

From theOSPF status output, the key information is:

●"This router is an ASBR"→ This means the FortiGate is acting as anAutonomous System Boundary Router (ASBR).

● AnASBRis responsible for injectingexternal routing informationinto OSPF from another routing protocol (such as BGP, static routes, or connected networks).

In anADVPN (Auto-Discovery VPN) network, adynamic VPN tunnelis establishedon-demandbetween spokes to optimize traffic flow and reduce latency.

Process:

1.Traffic Initiation:

A client behindSpoke-1sends traffic to a device behindSpoke-2.

The traffic initially flows through thehub, following the pre-established overlay tunnel.

2.Hub Detection:

Thehubdetects that Spoke-1 is communicating with Spoke-2 and determines that adirect shortcut tunnelbetween the spokes can optimize the connection.

3.Shortcut Offer:

Thehub sends a "Shortcut Offer"message to Spoke-1, informing it that a directdynamic tunnelto Spoke-2 is possible.

4.Tunnel Establishment:

Spoke-1 and Spoke-2 then negotiate and establish a directIPsec tunnelfor communication.

The FortiGateSSL/SSH inspection profileis configured forFull SSL Inspection, which is necessary to analyze encrypted HTTPS traffic. However, the firewallpolicy is protecting an SSL server (the Linux server hosting the website), and currently, the SSL/SSH profileonly applies to client-side SSL inspection.

To detect HTTPS-based attacks targeting the Linux server:

●FortiGate must act as an SSL intermediaryto inspect encrypted traffic destined for the web server.

● The administratormust upload the SSL certificate of the Linux web serverto FortiGate so that theserver-side SSL inspectioncan decrypt incoming HTTPS traffic before analyzing it.

In this scenario, thecorporate networkand thenew remote office networkneed to communicate over theInternet, which requires asecure and dynamic routing method. Since both networks are usingOSPF (Open Shortest Path First)as the routing protocol, the best approach is to establish anOSPF over IPsec VPNto ensure secure and dynamic route propagation.

OSPF is already running on the corporate network, and extending it over an IPsec tunnel allows dynamic route exchange between the corporate FortiGate and the remote office FortiGate.IPsec provides encryptionfor traffic over the Internet, ensuring secure communication.OSPF over IPsec eliminates the need for manual static routes, allowing automatic route updates if networks change.

The new remote office's192.168.1.0/24 subnetwill be advertised dynamically to the corporate network without additional configuration.

FortiGate'sIPS protocol decodersanalyzenetwork transmission patternsandapplication signaturesto identify and block malicious traffic.Application Controlis the feature that allows FortiGate todetect, classify, and block applicationsbased on their behavior and signatures, even when they do not rely on traditional URLs.

●Application Controlworks alongsideIPS protocol decodersto inspect packet payloads and enforce security policies based on recognized application behaviors.

● It enablesgranular control over non-URL-based applicationssuch asP2P traffic, VoIP, messaging apps, and other non-web-based protocolsthat IPS can identify through protocol decoders.

●IPS and Application Control together can detect evasive or encrypted applications that might bypass traditional firewall rules.

Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.

By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).

● Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.

The excessiveDNS log requests with random subdomainssuggest aDNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can useboth UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.

Using anIPS profile with DNS exfiltration-specific signaturesallows FortiGate to:

●Detect and block abnormal DNS query patternsoften used in exfiltration.

●Inspect encrypted DNS (DoH, DoT) trafficif SSL inspection is enabled.

●Identify known exfiltration domains and techniquesbased on FortiGuard threat intelligence.