Pass the Fortinet Fortinet Certified Professional Network Security FCSS_EFW_AD-7.4 Questions and answers with CertsForce

neighbor-group:

● This command is used to group multipleBGP neighborswith the same configuration, reducing redundant configuration.

● Instead of defining individual BGP settings for each spoke, the administrator can create aneighbor-groupand apply the same policies, reducing manual work.

neighbor-range:

● This command allows the configuration ofa range of neighbor IPs dynamically, reducing the need to manually define each spoke neighbor.

● It automatically addsBGP neighborsthat match a given prefix, simplifying deployment.

From the exhibit, ISFW is part of a Security Fabric environment with NGFW-1 as the Fabric Root. In this architecture, FortiGate devices share security intelligence, including logs and detected threats.

ISFW is in a Security Fabric environment:

● Security Fabric allows devices like ISFW toreceive threat intelligencefrom NGFW-1, even if UTM is not enabled locally.

● If NGFW-1 detects malware fromIP 10.1.10.1 to 89.238.73.97, this information can bepropagated to ISFW and FortiAnalyzer.

The firewall policy in NGFW-1 has UTM enabled:

● Even thoughISFW does not have UTM enabled, NGFW-1 (which sits between ISFW and the external network)does have UTM enabledand is scanning traffic.

● Since NGFW-1 detects malware in the session, it logs the event, which is then sent toFortiAnalyzer.

InBGP (Border Gateway Protocol), aneighbor (peer) configurationis required to establish a connection between two BGP routers. SinceFortiGate A is connecting to the ISP (Autonomous System 10) from AS 30, the administrator must define theISP's BGP router as a neighbor.

Theconfig neighborcommand is used to:

●Define the ISP's IP address as a BGP peer

●Specify the remote AS (AS 10 in this case)

●Allow BGP route exchanges between FortiGate A and the ISP

TheMulti-Exit Discriminator (MED)is aBGP attributeused to influence the preferred path for incoming traffic from an external autonomous system (AS). The diagram shows that FortiGate_1 advertisesMED 200, while FortiGate_2 advertisesMED 300, meaningthe ISP will prefer the route through FortiGate_1because alower MED is preferredin BGP.

To modify theMED valueon FortiGate_1 for routes advertised to AS 30, the administrator must configure aroute-map-out. A route map canmatch specific routesandset the MED valuebefore sending them to the BGP neighbor.

When FortiGate is operating inproxy modewithfull SSL inspection enabled, it inspects encrypted HTTPS traffic by default onport 443. However, some websites may usenon-standard HTTPS ports(such as 8443), which FortiGate does not inspect unless explicitly configured.

To ensure that FortiGate inspects HTTPS traffic onport 8443, administrators mustmanually add port 8443in theProtocol Port Mappingsection of theSSL/SSH Inspection Profile. This allows FortiGate to treat HTTPS traffic on port 8443 the same as traffic on port 443, enabling proper inspection and enforcement ofFortiGuard category-based web filtering.

FortiGate devices withNP6 (Network Processor 6) accelerationoffload traffic directly to hardware, bypassing the CPU for improved performance. Whenauto-asic-offloadis enabled in a firewall policy, most of the trafficdoes not reach the CPU, which means it won't be captured by the standard sniffer trace command.

Since NP6-accelerated traffic is handled entirely in hardware, onlya small portion of initial packets(such as session setup packets or exceptions) might be seen in the sniffer output. To capture all packets, the administrator must disable hardware offloading using:

config firewall policy

edit

set auto-asic-offload disable

end

Disabling ASIC offload forces traffic to be processed by the CPU, allowing the sniffer tool to capture all packets.

When configuringADVPN (Auto-Discovery VPN)to connectoverlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

●set auto-discovery-crossover enable

● Thisallows cross-hub tunnel discoveryin an ADVPN deployment where multiple hubs are used.

● SinceHub A and Hub Bbelong to different overlays, enablingcrossover discoveryensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

●set enforce-multihop enable

● This setting ensures thatBGP peers using loopback interfacescan establish connectivityeven if they are not directly connected.

●Multihop BGP sessionsare required when usingloopback addresses as BGP peer sourcesbecause the connection might need to traverse multiple routers before reaching the BGP neighbor.

● This is especially useful inADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.