Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Pass the Fortinet Fortinet Certified Professional Network Security FCSS_EFW_AD-7.6 Questions and answers with CertsForce

Viewing page 2 out of 4 pages
Viewing questions 11-20 out of questions
Questions # 11:

A company that acquired multiple branches across different countries needs to install new FortiGate devices on each of those branches. However, the IT staff lacks sufficient knowledge to implement the initial configuration on the FortiGate devices.

Which three approaches can the company take to successfully deploy advanced initial configurations on remote branches? (Choose three.)

Options:

A.

Use metadata variables to dynamically assign values according to each FortiGate device.


B.

Use provisioning templates and install configuration settings at the device layer.


C.

Use the Global ADOM to deploy global object configurations to each FortiGate device.


D.

Apply Jinja in the FortiManager scripts for large-scale and advanced deployments.


E.

Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices.


Expert Solution
Questions # 12:

Refer to the exhibit, which shows a hub and spokes deployment.

Question # 12

An administrator is deploying several spokes, including the BGP configuration for the spokes to connect to the hub.

Which two commands allow the administrator to minimize the configuration? (Choose two.)

Options:

A.

neighbor-group


B.

route-reflector-client


C.

neighbor-range


D.

ibgp-enforce-multihop


Expert Solution
Questions # 13:

Why does FortiGate_B install only one OSPF external route?

Options:

A.

ECMP disabled


B.

Single advertisement


C.

Area mismatch


D.

Route filtering


Expert Solution
Questions # 14:

An administrator needs to install an IPS profile without triggering false positives that can impact applications and cause problems with the user ' s normal traffic flow.

Which action can the administrator take to prevent false positives on IPS analysis?

Options:

A.

Use the IPS profile extension to select an operating system, protocol, and application for all the network internal services and users to prevent false positives.


B.

Enable Scan Outgoing Connections to avoid clicking suspicious links or attachments that can deliver botnet malware and create false positives.


C.

Use an IPS profile with action monitor, however, the administrator must be aware that this can compromise network integrity.


D.

Install missing or expired SSUTLS certificates on the client PC to prevent expected false positives.


Expert Solution
Questions # 15:

An administrator received a FortiAnalyzer alert that a 1 ТВ disk filled up in a day. Upon investigation, they found thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. They later discovered that DNS exfiltration was occurring through both UDP and TLS.

How can the administrator prevent this data theft technique?

Options:

A.

Create an inline-CASB to protect against DNS exfiltration.


B.

Configure a File Filter profile to prevent DNS exfiltration.


C.

Enable DNS Filter to protect against DNS exfiltration.


D.

Use an IPS profile and DNS exfiltration-related signatures.


Expert Solution
Questions # 16:

An administrator is setting up an ADVPN configuration and wants to ensure that peer IDs are not exposed during VPN establishment.

Which protocol can the administrator use to enhance security?

Options:

A.

Use IKEv2, which encrypts peer IDs and prevents exposure.


B.

Opt for SSL VPN web mode because it does not use peer IDs at all.


C.

Choose IKEv1 aggressive mode because it simplifies peer identification.


D.

Stick with IKEv1 main mode because it offers better performance.


Expert Solution
Questions # 17:

Refer to the exhibit, which contains a partial VPN configuration.

Question # 17

What can you conclude from this VPN IPsec phase 1 configuration?

Options:

A.

This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.


B.

Peer IDs are unencrypted and exposed, creating a security risk.


C.

FortiGate will not add a route to its routing or forwarding information base when the dynamic tunnel is negotiated.


D.

A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.


Expert Solution
Questions # 18:

Refer to the exhibit, which shows the FortiGuard Distribution Network of a FortiGate device.

FortiGuard Distribution Network on FortiGate

Question # 18

An administrator is trying to find the web filter database signature on FortiGate to resolve issues with websites not being filtered correctly in a flow-mode web filter profile.

Why is the web filter database version not visible on the GUI, such as with IPS definitions?

Options:

A.

The web filter database is stored locally, but the administrator must run over CLI diagnose autoupdate versions.


B.

The web filter database is stored locally on FortiGate, but it is hidden behind the GUI. It requires enabling debug mode to make it visible.


C.

The web filter database is not hosted on FortiGate: FortiGate queries FortiGuard or FortiManager for web filter ratings on demand.


D.

The web filter database is only accessible after manual syncing with a valid FDS server using diagnose test update info.


Expert Solution
Questions # 19:

Refer to the exhibit.

A LAN interface connected from FortiGate to two FortiSwitch devices is shown.

Which two statements about the LAN interface connection shown in the exhibit are correct? (Choose two.)

Options:

A.

The LAN interface must use an 802.3ad type interface.


B.

FortiGate is using an SD-WAN-type interface to connect to one FortiSwitch device with MCLAG.


C.

The connection is using a FortiLink interface.


D.

You must enable Spanning Tree Protocol (STP) or Rapid STP (RSTP) on FortiGate and FortiSwitch to avoid layer 2 loopbacks.


Expert Solution
Questions # 20:

Refer to the exhibit, which shows the HA status of an active-passive cluster.

An administrator wants FortiGate_B to handle the Core2 VDOM traffic.

Which modification must the administrator apply to achieve this?

Options:

A.

The administrator must disable override on FortiGate_A.


B.

The administrator must change the priority from 100 to 160 for FortiGate_B.


C.

The administrator must change the load balancing method on FortiGate_B.


D.

The administrator must change the priority from 128 to 200 for FortiGate_B.


Expert Solution
Viewing page 2 out of 4 pages
Viewing questions 11-20 out of questions