Practice Free FCSS_EFW_AD-7.4 Exam Online Questions
Examine the output of the ‘get router info ospf neighbor’ command shown in the exhibit; then answer the question below.
Which statements are true regarding the output in the exhibit? (Choose two.)
- A . The interface ToRemote is OSPF network type point-to-point.
- B . The OSPF router with the ID 0.0.0.2 is the designated router for the ToRemote network.
- C . The local FortiGate is the backup designated router for the wan1 network.
- D . The OSPF routers with the IDs 0.0.0.69 and 0.0.0.117 are both designated routers for the wan1 network.
View the exhibit, which contains the partial output of an IKE real time debug, and then answer the question below.
The administrator does not have access to the remote gateway.
Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?
- A . Change phase 1 encryption to AESCBC and authentication to SHA128.
- B . Change phase 1 encryption to 3DES and authentication to CBC.
- C . Change phase 1 encryption to AES128 and authentication to SHA512.
- D . Change phase 1 encryption to 3DES and authentication to SHA256.
A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reporting DNS errors when accessing any website.
The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:
What should the administrator check to fix the problem?
- A . The connectivity between the FortiGate unit and the DNS server.
- B . The connectivity between the client workstations and the DNS server.
- C . That DNS traffic from client workstations is allowed by the explicit web proxy policies.
- D . That DNS service is enabled in the explicit web proxy interface.
Which three steps are executed to get antivirus and IPS updates using the pull method? (Choose three.)
- A . FortiGate starts sending rating queries to one of the servers in the list.
- B . FortiGate periodically queries for pending updates.
- C . FortiGate gets a list of server IP addresses that can be contacted.
- D . FortiGate contacts a DNS server to resolve the FortiGuard domain name.
- E . FortiGate registers its public IP address in FortiGuard.
View the exhibit, which contains the output of a debug command, and then answer the question below.
Which one of the following statements about this FortiGate is correct?
- A . It is currently in system conserve mode because of high CPU usage.
- B . It is currently in proxy conserve mode because of high memory usage.
- C . It is currently in memory conserve mode because of high memory usage.
- D . It is currently in extreme conserve mode because of high memory usage.
Examine the following partial output from a sniffer command; then answer the question below.
What is the meaning of the packets dropped counter at the end of the sniffer?
- A . Number of packets that didn’t match the sniffer filter.
- B . Number of total packets dropped by the FortiGate.
- C . Number of packets that matched the sniffer filter and were dropped by the FortiGate.
- D . Number of packets that matched the sniffer filter but could not be captured by the sniffer.
An administrator must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic.
Which SSL inspection setting helps reduce system load while also enabling security features, such as web filtering and application control for encrypted HTTPS traffic?
- A . Use full SSL inspection to thoroughly inspect encrypted payloads.
- B . Disable SSL inspection entirely to conserve resources.
- C . Configure SSL inspection to handle HTTPS traffic efficiently.
- D . Enable SSL certificate inspection mode to perform basic checks without decrypting traffic.
D
Explanation:
To minimize CPU and RAM usage while still enforcing security features like web filtering and application control, SSL certificate inspection mode is the best choice.
- SSL certificate inspection allows FortiGate to inspect only the SSL/TLS handshake, including the Server Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.
- This enables features like web filtering and application control because FortiGate can determine the destination website or application based on SNI and certificate information.
- It significantly reduces system load compared to full SSL inspection, which requires full decryption and re-encryption of traffic.
Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?
- A . FortiGate limits the number of simultaneous sessions per explicit web proxy user. This limit CANNOT be modified by the administrator.
- B . FortiGate limits the total number of simultaneous explicit web proxy users.
- C . FortiGate limits the number of simultaneous sessions per explicit web proxy user. The limit CAN be modified by the administrator.
- D . FortiGate limits the number of workstations that authenticate using the same web proxy user credentials. This limit CANNOT be modified by the administrator.
Refer to the exhibit, which shows the output of a diagnose command.
What can you conclude from the RTT value?
- A . Its value is incremented with each packet lost.
- B . Its initial value is statically set to 10.
- C . It determines which FortiGuard server is used for license validation.
- D . Its value represents the time it takes to receive a response after a rating request is sent to a particular server.
What configuration changes can reduce the memory utilization in a FortiGate? (Choose two.)
- A . Reduce the session time to live.
- B . Increase the TCP session timers.
- C . Increase the FortiGuard cache time to live.
- D . Reduce the maximum file size to inspect.