Pass the Fortinet Fortinet Certified Professional Network Security FCSS_EFW_AD-7.6 Questions and answers with CertsForce

From the BGP neighbor status output, the key issue is that BGP is stuck in the " Idle " state, meaning the FortiGate is unable to establish a BGP session with its peer 100.65.4.1 (Remote AS 65300).

The output also shows:

● " Not directly connected EBGP " → This means the BGP peer is not on the same subnet, requiring multihop BGP.

● " Update source is Loopback " → Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.

To resolve this issue, the administrator must enable ebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.

In FortiManager, pre-run CLI templates are used in Zero-Touch Provisioning (ZTP) and Low-Touch Provisioning (LTP) to configure a FortiGate device before it is fully managed by FortiManager.

These templates apply configurations when a device is initially provisioned. Once the pre-run CLI template is executed, FortiManager automatically unassigns it from the device because it is not meant to persist like other policy configurations. This prevents conflicts and ensures that the FortiGate configuration is not repeatedly applied after the initial setup.

In BGP (Border Gateway Protocol), a neighbor (peer) configuration is required to establish a connection between two BGP routers. Since FortiGate A is connecting to the ISP (Autonomous System 10) from AS 30, the administrator must define the ISP ' s BGP router as a neighbor.

The config neighbor command is used to:

● Define the ISP ' s IP address as a BGP peer

● Specify the remote AS (AS 10 in this case)

● Allow BGP route exchanges between FortiGate A and the ISP

VXLAN (Virtual Extensible LAN) is an overlay network technology that extends Layer 2 networks over Layer 3 infrastructure. When VXLAN is used extensively on FortiGate, hardware acceleration is crucial for maintaining performance.

● NP7 (Network Processor 7) is Fortinet’s latest network processor designed to accelerate high-performance networking features, including:

● VXLAN encapsulation/decapsulation

● IPsec VPN offloading

● Firewall policy enforcement

● Advanced threat protection at wire speed

NP7 significantly reduces latency and improves throughput when handling VXLAN traffic, making it the best choice for large-scale VXLAN deployments.

Comprehensive and Detailed Explanation From Exact Extract documents and Knowledge:

To scale performance beyond a single unit, Fortinet provides two primary clustering and synchronization methods:

FGCP Active-Active: This mode distributes network traffic among all members of the cluster, allowing the combined processing power of multiple units to handle higher throughput and security inspection loads.

FGSP (FortiGate Session Life Support Protocol): This protocol is used to synchronize session information between independent FortiGate units or clusters. It is commonly used in large-scale environments where external load balancers distribute traffic across multiple FortiGates, ensuring that if traffic for a session is asymmetric (sent to one unit but returned to another), the return unit has the necessary session state to allow the traffic. In contrast, FGCP Active-Passive provides redundancy but does not scale performance as the secondary unit remains idle.

==============

The issue described is a classic OSPF path selection behavior dictated by the version of the OSPF standard the device is following.

RFC 1583 vs. RFC 2328:

RFC 1583: This older standard does not distinguish between intra-area and inter-area paths when calculating the cost to an ASBR (Autonomous System Boundary Router) or an external route.

RFC 2328: This newer standard (which is the default behavior in FortiOS 7.6) introduces a preference for intra-area paths over inter-area paths to an ASBR. This is designed to prevent routing loops that could occur in specific complex topologies.

Analysis of the Exhibits:

FortiGate_A (HQ): Its routing table (image_bd08a0.jpg) shows two equal-cost paths (O E2) to the external destination 100.75.5.1/32, one via ISP1 (10.0.1.1) and one via ISP2 (10.0.11.1).

FortiGate_B (Branch): Its routing table (image_bd08a4.jpg) only shows a single path via FortiGate_A (10.0.2.1).

Topology: FortiGate_A acts as the ABR/ASBR. In this specific scenario (taken from the Enterprise Firewall Study Guide), one of the paths advertised by FortiGate_A reaches FortiGate_B as an inter-area path while the other is seen as an intra-area path.

Why only one route?

By default, rfc-1583-compatible is disabled on FortiGate. Therefore, it follows RFC 2328 logic.

Because RFC 2328 strictly prefers the intra-area path to the ASBR over the inter-area path, FortiGate_B discards the inter-area path and only installs the intra-area one in its routing table.

To allow FortiGate_B to use both paths (ECMP) for the external route, the administrator must enable RFC 1583 compatibility using the following CLI command:

config router ospf

set rfc1583-compatible enable

end

Once enabled, the FortiGate will stop preferring path types and will instead use the cost to determine the best path (or paths), allowing both routes to appear if the costs are equal.

Comprehensive and Detailed Explanation From Exact Extract documents and Knowledge:

When importing a policy package from a FortiGate into a FortiManager ADOM, the Import Wizard compares the objects on the FortiGate with the objects already existing in the FortiManager ADOM database. If an object (e.g., an Address Object) has the same name but different values, a conflict occurs.

To resolve this, the administrator must choose which version to keep. Choosing FortiManager accept (or " Use FortiManager value " ) resolves the conflict by keeping the existing object in the FortiManager database and applying its settings to the imported policy. This maintains global consistency across the ADOM.

==============

When configuring ADVPN (Auto-Discovery VPN) to connect overlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

● set auto-discovery-crossover enable

● This allows cross-hub tunnel discovery in an ADVPN deployment where multiple hubs are used.

● Since Hub A and Hub B belong to different overlays, enabling crossover discovery ensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

● set enforce-multihop enable

● This setting ensures that BGP peers using loopback interfaces can establish connectivity even if they are not directly connected.

● Multihop BGP sessions are required when using loopback addresses as BGP peer sources because the connection might need to traverse multiple routers before reaching the BGP neighbor.

● This is especially useful in ADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.

The best way to automate a firewall policy using a daily updated list of IP addresses is by using an external connector from Threat Feeds. This allows FortiGate to dynamically retrieve real-time threat intelligence from external sources and apply it directly to security policies.

By configuring Threat Feeds, the administrator can:

● Automatically update firewall policies with the latest malicious IPs daily.

● Block traffic from those IPs in real-time without manual intervention.

● Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).