Free FCSS_EFW_AD-7.4 Sample Questions — FCSS - Enterprise Firewall 7.4 Administrator

Free FCSS_EFW_AD-7.4 sample questions for the FCSS - Enterprise Firewall 7.4 Administrator exam. No account required: study at your own pace.

Question 1

Why does the ISDB block layers 3 and 4 of the OSI model when applying content filtering? (Choose two.)

  • A. FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard
  • B. The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard
  • C. The ISDB works in proxy mode, allowing the analysis of packets in layers 3 and 4 of the OSI model
  • D. The ISDB limits access by URL and domain
Correct Answer:
  • A. FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard
  • B. The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard

Question 2

An administrator is designing an ADVPN network for a large enterprise with spokes that have varying numbers of internet links. They want to avoid a high number of routes and peer connections at the hub. Which method should be used to simplify routing and peer management?

  • A. Deploy a full-mesh VPN topology to eliminate hub dependency
  • B. Implement static routing over IPsec interfaces for each spoke
  • C. Use a dynamic routing protocol using loopback interfaces to streamline peers and routes
  • D. Establish a traditional hub-and-spoke VPN topology with policy routes
Correct Answer:
C. Use a dynamic routing protocol using loopback interfaces to streamline peers and routes

Question 3

How will configuring set tcp-mss-sender and set tcp-mss-receiver in a firewall policy affect the size and handling of TCP packets in the network?

  • A. The maximum segment size permitted in the firewall policy determines whether TCP packets are allowed or denied
  • B. Applying commands in a firewall policy determines the largest payload a device can handle in a single TCP segment
  • C. The administrator must consider the payload size of the packet and the size of the IP header to configure a correct value in the firewall policy
  • D. The TCP packet modifies the packet size only if the size of the packet is less than the one the administrator configured in the firewall policy
Correct Answer:
B. Applying commands in a firewall policy determines the largest payload a device can handle in a single TCP segment

Question 4

An administrator configured the FortiGate devices in an enterprise network to join the Fortinet Security Fabric. The administrator has a list of IP addresses that must be blocked by the data center firewall. This list is updated daily. How can the administrator automate a firewall policy with the daily updated list?

  • A. With FortiNAC
  • B. With FortiAnalyzer
  • C. With a Security Fabric automation
  • D. With an external connector from Threat Feeds
Correct Answer:
D. With an external connector from Threat Feeds

Question 5

A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when the administrator checks the FortiGate logs, they do not see that the website was detected as insecure despite having an SSL certificate and correct profiles applied on the policy. How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?

  • A. The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard web filter
  • B. The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the TLS three-way handshake is correctly analyzed by FortiGate
  • C. The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that cannot be analyzed in common DNS requests on HTTPS websites
  • D. The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected
Correct Answer:
D. The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected
