FCSS_EFW_AD-7.4 FCSS - Enterprise Firewall 7.4 Administrator Question and Answers

From theOSPF status output, the key information is:

●"This router is an ASBR"→ This means the FortiGate is acting as anAutonomous System Boundary Router (ASBR).

● AnASBRis responsible for injectingexternal routing informationinto OSPF from another routing protocol (such as BGP, static routes, or connected networks).

In anIBGP (Internal BGP) network, all routers must befully meshed, meaning every router must establish a BGP session with every other router in the sameautonomous system (AS). Thisdoes not scale wellin large networks due to the exponential increase in BGP sessions.

Tooptimize and scale IBGP,Route Reflectors (RRs)are used. ARoute Reflector (RR)reduces the number ofIBGP peer connectionsby allowing acentralized router (RR)to redistribute IBGP routes to other IBGP peers (calledclients). This eliminates the need for afull mesh, significantlyreducing BGP session overhead.

By configuring theroute-reflector-clientsetting on IBGP peers, an administrator can:

●Scale IBGP sessionsby reducing the number of direct BGP peer connections.

●Optimize the routing tableby ensuring routes are efficiently propagated within the IBGP network.

●Eliminate the need for full mesh topology, making IBGP more manageable.

The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).

● npu_flag=20:

● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.

● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:

● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.

● npu_selid=1:

● This value means the session selector for the NPU offloaded SA is active.

Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

When configuringADVPN (Auto-Discovery VPN)to connectoverlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

●set auto-discovery-crossover enable

● Thisallows cross-hub tunnel discoveryin an ADVPN deployment where multiple hubs are used.

● SinceHub A and Hub Bbelong to different overlays, enablingcrossover discoveryensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

●set enforce-multihop enable

● This setting ensures thatBGP peers using loopback interfacescan establish connectivityeven if they are not directly connected.

●Multihop BGP sessionsare required when usingloopback addresses as BGP peer sourcesbecause the connection might need to traverse multiple routers before reaching the BGP neighbor.

● This is especially useful inADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.

Whenstandardizing the deployment of FortiGate devices across branchesusing FortiManager, thebest practiceis to usemetadata variables. This allows fordynamic interface configurationwhile maintaining asingle, consistent policy packagefor all branches.

●Metadata variablesin FortiManager enableinterface roles and configurations to be dynamically assignedbased on the specific FortiGate device.

● This ensuresscalabilityandconsistent security policy enforcementacross all branches without manually adjusting interface settings for each device.

● When a new branch FortiGate is deployed, metadata variables automaticallymap to the correct physical interfaces, reducing manual configuration errors.

Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.

By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).

● Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.

The FortiGateSSL/SSH inspection profileis configured forFull SSL Inspection, which is necessary to analyze encrypted HTTPS traffic. However, the firewallpolicy is protecting an SSL server (the Linux server hosting the website), and currently, the SSL/SSH profileonly applies to client-side SSL inspection.

To detect HTTPS-based attacks targeting the Linux server:

●FortiGate must act as an SSL intermediaryto inspect encrypted traffic destined for the web server.

● The administratormust upload the SSL certificate of the Linux web serverto FortiGate so that theserver-side SSL inspectioncan decrypt incoming HTTPS traffic before analyzing it.

TheOSPF database optimizationis necessary to reduce unnecessary routing information and improve network performance. In the given topology,Area 0.0.0.1is a non-backbone area connected toArea 0.0.0.0 (the backbone area)through anArea Border Router (ABR).

To optimize OSPF in this scenario, configuringArea 0.0.0.1 as a Stub Areawill:

●Reduce the size of the OSPF databaseby preventing external routes (from outside OSPF) from being injected into Area 0.0.0.1.

●Allow only intra-area and inter-area routes, meaning routers in Area 0.0.0.1 will rely on adefault routefor external destinations.

●Improve convergence time and reduce router processing loadsince fewer LSAs (Link-State Advertisements) are exchanged.

In a hub-and-spoke topology using OSPF over IPsec VPNs, thepoint-to-multipointnetwork type is necessary to establish neighbor adjacencies between the hub and spokes. This network type ensures that OSPF operates correctly without requiring a designated router (DR) and allows dynamic routing updates across the IPsec tunnels.

Theset tcp-mss-senderandset tcp-mss-receivercommands in afirewall policyallow an administrator to adjust theMaximum Segment Size (MSS)of TCP packets.

This setting controls thelargest payload sizethat a device can handle in a singleTCP segment, ensuring that packets do not exceed the allowed MTU (Maximum Transmission Unit) along the network path.

●set tcp-mss-senderadjusts the MSS value foroutgoing TCP traffic.

●set tcp-mss-receiveradjusts the MSS value forincoming TCP traffic.

This helps prevent issues withfragmentationandMTU mismatches, improving network performance and avoiding retransmissions.

The exhibit shows anactive-passive HA (high availability) clusterwith two virtual clusters, where FortiGate_A is the primary device for both Core1 and Core2. If the goal is to haveFortiGate_B take over Core2 traffic, itspriority must be higherthan FortiGate_A forVirtual Cluster 2.

Currently, FortiGate_A has a priority of150for Core2, while FortiGate_B has128. IncreasingFortiGate_B’s priority to 200ensures it becomes theprimary for Virtual Cluster 2, taking over the Core2 VDOM traffic while keeping Core1 traffic on FortiGate_A.

Disabling override would prevent forced failovers but wouldn’t change the role distribution. Adjusting the load-balancing method is irrelevant in anactive-passive setup, as it only applies to active-active configurations.

The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device.

The FortiGate device is connected to multiple areas

● The output states: "This router is an ABR"

●ABR (Area Border Router)means the device is connected tomultiple OSPF areasand maintains routing information between them.

● This confirms that the FortiGate isnot just in one area, but at leastone backbone area (Area 0) and another OSPF area.

The FortiGate device injects external routing information

● The output states: "Supports opaque LSA"

●Opaque LSAs(Type 9, 10, and 11) are used inOSPF extensions, including those that support external route injection.

● Typically, ABRs or ASBRs (Autonomous System Boundary Routers)inject external routes, allowing routes fromother routing protocols (such as BGP or static routes) to be advertised into OSPF.

FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless itdecryptsit first. Ifonly certificate inspectionis enabled, FortiGate can see the certificate details (such as the domain and issuer) butcannot inspect the actual web content.

To fully analyze the traffic and detect potential malware threats:

●Full SSL inspection (Deep Packet Inspection)must be enabled in theSSL/SSH Inspection Profile.

● This allows FortiGate todecrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.

● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.

When configuring aloopback interface as the BGP sourceforconnecting to an ISP, two important settings must be applied:

1.Enable EBGP Multihop (ebgp-enforce-multihop)

BGP normally expects directly connected neighbors, but since the ISP and FortiGate A are usingloopback interfaces,packets will not be sent directly between their physical interfaces.

Theebgp-enforce-multihopcommandallows BGP to form an eBGP peering over multiple hops.

2.Set the Update Source (update-source)

Since FortiGate is using aloopback interface as the source, theupdate-sourcecommand ensures thatBGP updates originate from the loopback interfacerather than a physical interface.

This is essential becauseBGP peers must match the source IP with the configured neighbor address.