Fortinet FCSS_EFW_AD-7.4 Practice Exams
Last updated on 27.08.2025
- Exam code: FCSS_EFW_AD-7.4
- Exam name: FCSS - Enterprise Firewall 7.4 Administrator
- Certification provider: Fortinet
Which statement about administrative domains (ADOMs) on FortiManager is true?
- A . The number of configurable ADOMs is based on the FortiManager FortiCare service contract.
- B . The ADOM feature can be enabled by any administrative user.
- C . FortiGate devices with multiple VDOMs must be assigned to the same ADOM on FortiManager.
- D . ADOMs allow grouping of managed devices based on management criteria and administrative access.
Refer to the exhibit, which contains the output of a debug command.
If the default settings are in place, what can be concluded about the conserve mode shown in the exhibit?
- A . FortiGate is currently blocking all new sessions regardless of the content inspection requirements or configuration settings due to high memory use.
- B . FortiGate is currently allowing new sessions that require flow-based or proxy-based content inspection but is not performing inspection on those sessions.
- C . FortiGate is currently blocking new sessions that require flow-based or proxy-based content inspection.
- D . FortiGate is currently allowing new sessions that require flow-based content inspection and blocking sessions that require proxy-based content inspection.
View the exhibit, which contains an entry in the session table, and then answer the question below.
Which one of the following statements is true regarding FortiGate’s inspection of this session?
- A . FortiGate applied proxy-based inspection.
- B . FortiGate forwarded this session without any inspection.
- C . FortiGate applied flow-based inspection.
- D . FortiGate applied explicit proxy-based inspection.
View the following exhibit:
Which two statements about the BGP peer are true? (Choose two.)
- A . Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.
- B . For the peer 10.125.0.60, the BGP state is Established.
- C . The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.
- D . The local BGP peer has received a total of three BGP prefixes.
An administrator added the following IPsec VPN to a FortiGate configuration:
config vpn ipsec phase1-interface
    edit "RemoteSite"
        set type dynamic
        set interface "port1"
        set mode main
        set psksecret ENC LCVkCiK2E2PhVUzZe
    next
end
config vpn ipsec phase2-interface
    edit "RemoteSite"
        set phase1name "RemoteSite"
        set proposal 3des-sha256
    next
end
However, the phase 1 negotiation is failing. The administrator executed the IKE real-time debug while attempting the IPsec connection.
The output is shown in the exhibit.
What is causing the IPsec problem in phase 1?
- A . The incoming IPsec connection is matching the wrong VPN configuration
- B . The phase-1 mode must be changed to aggressive
- C . The pre-shared key is wrong
- D . NAT-T settings do not match
Which statement about protocol options is true?
- A . Protocol options allow administrators to configure a maximum number of sessions for each configured protocol.
- B . Protocol options allow administrators to configure the Any setting for all enabled protocols, which provides the most efficient use of system resources.
- C . Protocol options allow administrators a streamlined method to instruct FortiGate to block all sessions corresponding to disabled protocols.
- D . Protocol options allow administrators to configure which Layer 4 port numbers map to upper-layer protocols, such as HTTP, SMTP, FTP, and so on.
Refer to the exhibit, which shows a partial routing table.
Assuming all the appropriate firewall policies are configured, which two changes would an administrator need to make to send traffic from a client directly connected to port3 to a server directly connected to port4? (Choose two.)
- A . Configure route leaking between VRF 12 and VRF 21.
- B . Disable auto-asic-offload as this is not supported between VRF instances.
- C . Configure RIPv2 to exchange route information between the VRF instances.
- D . Configure route leaking between port3 and port4.
- E . Enable SNAT on the relevant firewall policies to prevent RPF check drops.
View the exhibit, which contains the output of a diagnose command, and then answer the question below.
Which statements are true regarding the output in the exhibit? (Choose two.)
- A . FortiGate will probe 121.111.236.179 every fifteen minutes for a response.
- B . Servers with the D flag are considered to be down.
- C . Servers with a negative TZ value are experiencing a service outage.
- D . FortiGate used 209.222.147.36 as the initial server to validate its contract.
An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit.
The administrator decides to enable the setting link-failed-signal to fix the problem.
Which statement is correct regarding this command?
- A . Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.
- B . Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
- C . Sends a link failed signal to all connected devices.
- D . Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.
An LDAP user cannot authenticate against a FortiGate device.
Examine the real-time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.
Based on the output in the exhibit, what can cause this authentication problem?
- A . The FortiGate has been configured with the wrong password for the LDAP administrator.
- B . User student is using a wrong password.
- C . User student is not found in the LDAP server.
- D . The FortiGate has been configured with the wrong authentication schema.