Practice Free FCSS_EFW_AD-7.4 Exam Online Questions
An administrator needs to install an IPS profile without triggering false positives that can impact applications and cause problems with the user’s normal traffic flow.
Which action can the administrator take to prevent false positives on IPS analysis?
- A . Use the IPS profile extension to select an operating system, protocol, and application for all the network internal services and users to prevent false positives.
- B . Enable Scan Outgoing Connections to avoid clicking suspicious links or attachments that can deliver botnet malware and create false positives.
- C . Use an IPS profile with action monitor, however, the administrator must be aware that this can compromise network integrity.
- D . Install missing or expired SSL/TLS certificates on the client PC to prevent expected false positives.
A
Explanation:
False positives in Intrusion Prevention System (IPS) analysis can disrupt legitimate traffic and negatively impact user experience. To reduce false positives while maintaining security, administrators can:
# Use IPS profile extensions to fine-tune the settings based on the organization's environment.
# Select the correct operating system, protocol, and application types so that IPS signatures match the network's actual traffic patterns, reducing false positives.
# Customize signature selection based on the network's specific services, filtering out unnecessary or irrelevant signatures.
Refer to the exhibit, which shows the ADVPN network topology and partial BGP configuration.
Which two parameters must an administrator configure in the config neighbor range for spokes shown in the exhibit? (Choose two.)
- A . set max-neighbor-num 2
- B . set neighbor-group advpn
- C . set route-reflector-client enable
- D . set prefix 172.16.1.0 255.255.255.0
B D
Explanation:
In the given ADVPN (Auto-Discovery VPN) topology, BGP is being used to dynamically establish routes between spokes. The neighbor-range configuration is crucial for simplifying BGP peer setup by automatically assigning neighbors based on their IP range.
set neighbor-group advpn
# The neighbor-group parameter applies pre-defined settings (such as the AS number) to dynamically discovered BGP neighbors.
# The advpn neighbor-group is already defined in the configuration, and assigning it to the neighbor-range ensures consistent BGP settings for all spoke neighbors.
set prefix 172.16.1.0 255.255.255.0
# This command allows dynamic BGP peer discovery by defining a range of potential neighbor IPs (172.16.1.1 – 172.16.1.255).
# Since each spoke has a unique /32 IP within this subnet, any spoke within the 172.16.1.0/24 range can automatically establish a BGP session with the hub.
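As an added illustration (not taken from the exhibit or from Fortinet's own documentation), the hub-side FortiOS BGP configuration below defines the advpn neighbor-group the explanation refers to and the neighbor-range carrying the two parameters from answers B and D. The AS number, router ID and the route-reflector setting on the group are assumptions; lines starting with # are annotations.

```fortios
config router bgp
    # assumed: hub and spokes share one AS (IBGP over the ADVPN overlay)
    set as 65001
    # assumed: hub tunnel interface address
    set router-id 172.16.1.254
    config neighbor-group
        edit "advpn"
            # settings inherited by every spoke discovered through the range
            set remote-as 65001
            # assumed: hub reflects spoke prefixes so spokes learn each other's routes
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            # answer D: spoke tunnel IPs (unique /32s) fall inside this prefix
            set prefix 172.16.1.0 255.255.255.0
            # answer B: bind the discovered peers to the pre-defined group
            set neighbor-group "advpn"
        next
    end
end
```

Any spoke whose tunnel address falls in 172.16.1.0/24 and that opens a BGP session to the hub then receives the advpn group settings without a per-spoke neighbor entry.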
View the exhibit, then answer the question below.
Which of the following commands will bring up the tunnel?
- A . diagnose vpn tunnel up 10.200.1.1
- B . diagnose vpn tunnel H2S_0 up
- C . diagnose vpn tunnel up H2S_0
- D . diagnose vpn tunnel up H2S_0_0
Examine the output from the ‘diagnose vpn tunnel list’ command shown in the exhibit; then answer the question below.
Which command can be used to sniff the ESP traffic for the VPN DialUP_0?
- A . diagnose sniffer packet any ‘port 500’
- B . diagnose sniffer packet any ‘esp’
- C . diagnose sniffer packet any ‘host 10.0.10.10’
- D . diagnose sniffer packet any ‘port 4500’
A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when the administrator checks the FortiGate logs, they do not see that the website was detected as insecure despite having an SSL certificate and correct profiles applied on the policy.
How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?
- A . The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard web filter.
- B . The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the TLS three-way handshake is correctly analyzed by FortiGate.
- C . The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that cannot be analyzed in common DNS requests on HTTPS websites.
- D . The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected.
D
Explanation:
FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless it decrypts it first. If only certificate inspection is enabled, FortiGate can see the certificate details (such as the domain and issuer) but cannot inspect the actual web content.
To fully analyze the traffic and detect potential malware threats:
# Full SSL inspection (Deep Packet Inspection) must be enabled in the SSL/SSH Inspection Profile.
# This allows FortiGate to decrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.
# Without full SSL inspection, threats embedded in encrypted traffic may go undetected.
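As an added example (not from the question's exhibit or from Fortinet's documentation), the FortiOS configuration below places a certificate-inspection-only profile beside a full-inspection profile and binds the latter to an outbound policy together with antivirus and IPS. The profile names, interface names and the re-signing CA name are assumptions; lines starting with # are annotations.

```fortios
config firewall ssl-ssh-profile
    # assumed name: sees only SNI and certificate, never the HTTP payload
    edit "cert-only"
        config https
            set ports 443
            set status certificate-inspection
        end
    next
    # assumed name: decrypts, inspects and re-encrypts the session
    edit "full-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        # re-sign server certificates with a CA the clients trust (assumed CA name)
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
    next
end
config firewall policy
    edit 1
        set name "Internet-Access"
        # assumed interfaces: port2 = LAN, port1 = WAN
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # security profiles only see decrypted content when this profile is deep-inspection
        set utm-status enable
        set ssl-ssh-profile "full-inspection"
        set av-profile "default"
        set ips-sensor "default"
    next
end
```

With "cert-only" on the policy instead, the AV and IPS profiles would still be attached but would receive only ciphertext, which matches the symptom in the question.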
View the exhibit, which contains the output of diagnose sys session stat, and then answer the question below.
Which statements are correct regarding the output shown? (Choose two.)
- A . There are 0 ephemeral sessions.
- B . All the sessions in the session table are TCP sessions.
- C . No sessions have been deleted because of memory pages exhaustion.
- D . There are 166 TCP sessions waiting to complete the three-way handshake.
What is the primary function of segmentation in network management?
- A . To encrypt data traffic across the network
- B . To connect multiple physical switches in a single logical interface
- C . To divide a network into smaller, isolated segments for enhanced security
- D . To enhance the decryption and encryption speeds within the network
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?
- A . Neighbor range
- B . Route reflector
- C . Next-hop-self
- D . Neighbor group
Which troubleshooting step is applicable when investigating antivirus and IPS update issues on FortiGate?
- A . Verify outbound ICMP connectivity.
- B . Validate DNS resolution for update.fortiguard.net.
- C . Use the diagnose debug rating command to check active servers.
- D . Use the alternate service port 8888.
An administrator wants to capture ESP traffic between two FortiGates using the built-in sniffer. If the administrator knows that there is no NAT device located between both FortiGates, what command should the administrator execute?
- A . diagnose sniffer packet any ‘udp port 500’
- B . diagnose sniffer packet any ‘udp port 4500’
- C . diagnose sniffer packet any ‘esp’
- D . diagnose sniffer packet any ‘udp port 500 or udp port 4500’