FCSS_EFW_AD-7.4 FCSS - Enterprise Firewall 7.4 Administrator Questions and Answers

From theRoot FortiGate - System Administrator Configurationexhibit:

● TheAdminSSOaccount has thesuper_admin_readonlyrole.

From theDownstream FortiGate - Security Fabric Settingsexhibit:

● TheSecurity Fabric roleis set toJoin Existing Fabric, meaning it will authenticate with the root FortiGate.

●SAML Single Sign-On (SSO) is enabled, and thedefault admin profileis set tosuper_admin_readonly.

When theAdminSSOuser logs into the downstream FortiGate usingSSO, the authentication request is sent to the root FortiGate, where AdminSSO hassuper_admin_readonlypermissions. Since the downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be grantedsuper_admin_readonlyaccess.

TheOSPF database optimizationis necessary to reduce unnecessary routing information and improve network performance. In the given topology,Area 0.0.0.1is a non-backbone area connected toArea 0.0.0.0 (the backbone area)through anArea Border Router (ABR).

To optimize OSPF in this scenario, configuringArea 0.0.0.1 as a Stub Areawill:

●Reduce the size of the OSPF databaseby preventing external routes (from outside OSPF) from being injected into Area 0.0.0.1.

●Allow only intra-area and inter-area routes, meaning routers in Area 0.0.0.1 will rely on adefault routefor external destinations.

●Improve convergence time and reduce router processing loadsince fewer LSAs (Link-State Advertisements) are exchanged.

False positives inIntrusion Prevention System (IPS)analysis can disrupt legitimate traffic and negatively impact user experience. To reduce false positives while maintaining security, administrators can:

●Use IPS profile extensions to fine-tune the settings based on the organization's environment.

●Select the correct operating system, protocol, and application typesto ensure that IPS signatures match the network's actual traffic patterns, reducing false positives.

●Customize signature selectionbased on the network’s specific services, filtering out unnecessary or irrelevant signatures.

The packet capture output displays aTLS Client Hellomessage from FortiGate to FortiManager Cloud. This message containsServer Name Indication (SNI), which is used to indicate the domain name that FortiGate is trying to connect to.

FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment.

● FortiManager Cloud hostsmultiple customersand domains under ashared infrastructure.

● The TLS handshake includesSNI (Server Name Indication), which allows FortiManager Cloud toserve multiple certificatesbased on the requested domain.

● This means FortiGate will likely receive amulti-domain or wildcard certificatethat can be used for multiple customers under FortiManager Cloud.

The wildcard for the domain .fortinet-ca2.support.fortinet.com must be supported by FortiManager Cloud.

● The SNI extension contains the domain9398.support.fortinet-ca2.fortinet.com.

● FortiManager Cloud must supportwildcard certificatessuch as *.fortinet-ca2.support.fortinet.com to securely manage multiple subdomains and customers.

● This ensures that FortiGate can validate the server certificate without any TLS errors.

FortiGate_A and FortiGate_B are in thesame autonomous system (AS), andFortiGate_Adoesnot currently have route 172.16.1.248/30in its routing table. However, FortiGate_B has this routeas a connected route.

To dynamically advertiseonly172.16.1.248/30 fromFortiGate_B to FortiGate_A, the administrator must configure aBGP route map outonFortiGate_Bthat specifically permitsonlythis prefix.

A BGP route map out on FortiGate_Bcontrols which routes FortiGate_B advertises to FortiGate_A. If no filtering is applied, FortiGate_B might advertiseall BGP-learned and connected routes, which is not what the administrator wants. The route map should include aprefix-listthat explicitlyallows only172.16.1.248/30 and denies everything else.

Applying anaggressive IPS profilewithout prior testing candisrupt legitimate applicationsby incorrectly identifying normal traffic as malicious. To prevent disruptions while still monitoring for threats:

●Enable IPS in "Monitor Mode" first:

● This allows FortiGate tolog and analyzepotential threatswithout actively blockingtraffic.

● Administrators can review logs and fine-tune IPS signatures to minimize false positives before switching to blocking mode.

●Verify and adjust signature patterns:

● Some signatures might trigger unnecessary blocks for legitimate application traffic.

● By analyzing logs, administrators candisable or modifyspecific rules causing false positives.

Thebest way to automate a firewall policyusing a daily updated list ofIP addressesis by using anexternal connector from Threat Feeds. This allows FortiGate to dynamically retrievereal-time threat intelligencefrom external sources and apply it directly to security policies.

By configuringThreat Feeds, the administrator can:

●Automatically updatefirewall policies with the latest malicious IPs daily.

●Block trafficfrom those IPs in real-time without manual intervention.

●Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).

Whenstandardizing the deployment of FortiGate devices across branchesusing FortiManager, thebest practiceis to usemetadata variables. This allows fordynamic interface configurationwhile maintaining asingle, consistent policy packagefor all branches.

●Metadata variablesin FortiManager enableinterface roles and configurations to be dynamically assignedbased on the specific FortiGate device.

● This ensuresscalabilityandconsistent security policy enforcementacross all branches without manually adjusting interface settings for each device.

● When a new branch FortiGate is deployed, metadata variables automaticallymap to the correct physical interfaces, reducing manual configuration errors.

VXLAN (Virtual Extensible LAN)is an overlay network technology that extends Layer 2 networks over Layer 3 infrastructure. When VXLAN is used extensively on FortiGate, hardware acceleration is crucial for maintaining performance.

●NP7 (Network Processor 7)is Fortinet’s latest network processor designed to accelerate high-performance networking features, including:

●VXLAN encapsulation/decapsulation

●IPsec VPN offloading

●Firewall policy enforcement

●Advanced threat protection at wire speed

NP7 significantlyreduces latency and improves throughputwhen handling VXLAN traffic, making it the best choice for large-scale VXLAN deployments.

The issue occurs because FortiGate enforces the "do not fragment" (DF) bit in the packet, and the packet size exceeds the MTU of the network path. When the Windows PC1 (with an MTU of 1500 bytes) attempts to send a 1400-byte packet, the FortiGate interface (with an MTU of 1000 bytes) needs to fragment it. However, since the DF bit is set, FortiGate drops the packet instead of fragmenting it.

To resolve this, the user should adjust the ping packet size to fit within the path MTU. In this case, reducing the packet size to972 bytes(1000 bytes MTU minus 28 bytes for the IP and ICMP headers) should allow successful transmission.

TheMulti-Exit Discriminator (MED)is aBGP attributeused to influence the preferred path for incoming traffic from an external autonomous system (AS). The diagram shows that FortiGate_1 advertisesMED 200, while FortiGate_2 advertisesMED 300, meaningthe ISP will prefer the route through FortiGate_1because alower MED is preferredin BGP.

To modify theMED valueon FortiGate_1 for routes advertised to AS 30, the administrator must configure aroute-map-out. A route map canmatch specific routesandset the MED valuebefore sending them to the BGP neighbor.

Whenadding an additional FortiGateto an enterprise network that is already reaching itsresource limits, the goal is to distribute traffic efficiently and ensurehigh availability.

FGSP (FortiGate Session Life Support Protocol) with external load balancers

FGSP allowssession-aware load balancingbetween multiple FortiGate units without requiring them to be in an HA (High Availability) cluster.

Withexternal load balancers, incoming traffic isevenly distributedacross multiple FortiGate devices.

This approach is useful forscaling outtraffic handling capacity while ensuring that sessions remainsynchronizedbetween firewalls.

FGSP is effectivewhen stateful failover is requiredbut without the constraints of traditional HA.

FGCP (FortiGate Clustering Protocol) in active-active mode and with switches

FGCPactive-active modeenables multiple FortiGate devices toshare traffic loads, increasing throughput and efficiency.

Active-active mode is suitable forbalancing UTM processingacross multiple FortiGates, making it ideal whenresource limits are a concern.

Usingswitchesensures redundancy and avoids single points of failure in the network.

This mode is commonly used inenterprise networkswhere bothscalability and redundancyare required.

When FortiGate processes the first packets of a session, it follows a sequence of steps to determine how the traffic should be handled before establishing a session. The initial step involves:

● Access Control List (ACL) checks: Determines if the traffic should be allowed or blocked based on predefined security rules.

● Hardware Packet Engine (HPE) inspections: Ensures that packet headers are valid and comply with protocol standards.

● IP Integrity Header Checking: Verifies if the IP headers are intact and not malformed or spoofed.

Once these security inspections are completed and the session is validated, FortiGate then installs the session in hardware (if offloading is enabled) or processes it in software.

The FortiGateSSL/SSH inspection profileis configured forFull SSL Inspection, which is necessary to analyze encrypted HTTPS traffic. However, the firewallpolicy is protecting an SSL server (the Linux server hosting the website), and currently, the SSL/SSH profileonly applies to client-side SSL inspection.

To detect HTTPS-based attacks targeting the Linux server:

●FortiGate must act as an SSL intermediaryto inspect encrypted traffic destined for the web server.

● The administratormust upload the SSL certificate of the Linux web serverto FortiGate so that theserver-side SSL inspectioncan decrypt incoming HTTPS traffic before analyzing it.