Practice Free FCSS_EFW_AD-7.4 Exam Online Questions
Refer to the exhibit, which shows partial outputs from two routing debug commands.
Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?
- A . Set the priority of the static default route using port1 to 10.
- B . Set the priority of the static default route using port2 to 1.
- C . Set preserve-session-route to enable.
- D . Set snat-route-change to enable.
Refer to the exhibit, which contains a TCL script configuration on FortiManager.
An administrator has configured the TCL script on FortiManager, but the script failed to apply any changes to the managed device after being executed.
Why did the TCL script fail to make any changes to the managed device?
- A . Changes in an interface configuration can only be done by CLI script.
- B . The TCL script must start with #include <>.
- C . Incomplete commands are ignored in TCL scripts.
- D . The TCL command run_cmd has not been created.
Refer to the exhibit, which shows the output of a debug command.
Which two statements about the output are true? (Choose two.)
- A . In the network connected to port 4, two OSPF routers are down.
- B . Based on the network type of port 4, OSPF hello packets will be sent to 224.0.0.5.
- C . Based on the network type of port 4, OSPF hello packets will be sent to 224.0.0.6.
- D . There are a total of 5 OSPF routers attached to the Port4 network segment.
View the global IPS configuration, and then answer the question below.
Which of the following statements is true regarding this configuration?
- A . IPS will scan every byte in every session.
- B . FortiGate will spawn IPS engine instances based on the system load.
- C . New packets will be passed through without inspection if the IPS socket buffer runs out of memory.
- D . IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.
Refer to the exhibit, which shows a network diagram.
An administrator would like to modify the MED value advertised from FortiGate_1 to a BGP neighbor in the autonomous system 30.
What must the administrator configure on FortiGate_1 to implement this?
- A . route-map-out
- B . network-import-check
- C . prefix-list-out
- D . distribute-list-out
A
Explanation:
The Multi-Exit Discriminator (MED) is a BGP attribute used to influence the preferred path for incoming traffic from an external autonomous system (AS). The diagram shows that FortiGate_1 advertises MED 200, while FortiGate_2 advertises MED 300, meaning the ISP will prefer the route through FortiGate_1 because a lower MED is preferred in BGP.
To modify the MED value on FortiGate_1 for routes advertised to AS 30, the administrator must configure a route-map-out. A route map can match specific routes and set the MED value before sending them to the BGP neighbor.
When does a RADIUS server send an Access-Challenge packet?
- A . The server does not have the user credentials yet.
- B . The server requires more information from the user, such as the token code for two-factor authentication.
- C . The user credentials are wrong.
- D . The user account is not found in the server.
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.
Why didn’t the tunnel come up?
- A . The pre-shared keys do not match.
- B . The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.
- C . The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration.
- D . The remote gateway is using aggressive mode and the local gateway is configured to use main mode.
An administrator wants to capture encrypted phase 2 traffic between two FortiGate devices using the built-in sniffer.
If the administrator knows that there is no NAT device located between both FortiGate devices, which command should the administrator run?
- A . diagnose sniffer packet any 'ah'
- B . diagnose sniffer packet any 'ip proto 50'
- C . diagnose sniffer packet any 'udp port 4500'
- D . diagnose sniffer packet any 'udp port 500'
Why does the ISDB block layers 3 and 4 of the OSI model when applying content filtering? (Choose two.)
- A . FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard.
- B . The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard.
- C . The ISDB works in proxy mode, allowing the analysis of packets in layers 3 and 4 of the OSI model.
- D . The ISDB limits access by URL and domain.
A B
Explanation:
The Internet Service Database (ISDB) in FortiGate is used to enforce content filtering at Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI model by identifying applications based on their predefined IP addresses and ports.
FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:
- FortiGate retrieves and updates a predefined list of IPs and ports for different internet services from FortiGuard.
- This allows FortiGate to block specific services at Layer 3 and Layer 4 without requiring deep packet inspection.
The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:
- ISDB works by matching traffic to known IP addresses and ports of categorized services.
- When an application or service is blocked, FortiGate prevents communication by denying traffic based on its destination IP and port number.