Sample FCSS_EFW_AD-7.4 exam questions follow.
1. An administrator has enabled HA session synchronization in an HA cluster with two members.
Which flag is added to a primary unit’s session to indicate that it has been synchronized to the
secondary unit?
A. redir.
B. dirty.
C. synced
D. nds.
Answer: C
2. Which three tasks are part of the manual registration process for adding a FortiGate device to
FortiManager for central management? (Choose three.)
A. Import the policy package from the managed FortiGate device.
B. Start the rating services on FortiManager.
C. Wait for the rating databases to download on FortiManager.
D. Add the FortiManager IP address to the FortiGate central management configuration.
E. In FortiManager, add the unregistered FortiGate device.
Answer: ADE
3. Refer to the exhibit, which shows an OSPF network.
Which configuration must the administrator apply to optimize the OSPF database?
A. Set a route map in the AS boundary FortiGate.
B. Set the area 0.0.0.1 to the type STUB in the area border FortiGate.
C. Set an access list in the AS boundary FortiGate.
D. Set the area 0.0.0.1 to the type NSSA in the area border FortiGate.
Answer: B
Explanation:
OSPF database optimization is necessary to reduce unnecessary routing information and improve
network performance. In the given topology, Area 0.0.0.1 is a non-backbone area connected to Area
0.0.0.0 (the backbone area) through an Area Border Router (ABR).
To optimize OSPF in this scenario, configuring Area 0.0.0.1 as a Stub Area will:
- Reduce the size of the OSPF database by preventing external routes (from outside OSPF) from
being injected into Area 0.0.0.1.
- Allow only intra-area and inter-area routes, meaning routers in Area 0.0.0.1 will rely on a default
route for external destinations.
- Improve convergence time and reduce router processing load since fewer LSAs (Link-State
Advertisements) are exchanged.
4. View the exhibit, which contains a hub-and-spoke VPN topology with two hubs, then answer the
question below.
An administrator wants to configure ADVPN.
Which ADVPN setting needs to be enabled in the tunnel between Hub1 and Hub2 FortiGates?
A. set auto-discovery-forwarder enabled
B. set auto-discovery-receiver enabled
C. set auto-discovery-sender enabled
D. set auto-discovery-ipsec enabled
Answer: A
5. How will configuring set tcp-mss-sender and set tcp-mss-receiver in a firewall policy affect the size
and handling of TCP packets in the network?
A. The maximum segment size permitted in the firewall policy determines whether TCP packets are
allowed or denied.
B. Applying commands in a firewall policy determines the largest payload a device can handle in a
single TCP segment.
C. The administrator must consider the payload size of the packet and the size of the IP header to
configure a correct value in the firewall policy.
D. The TCP packet modifies the packet size only if the size of the packet is less than the one the
administrator configured in the firewall policy.
Answer: B
Explanation:
The set tcp-mss-sender and set tcp-mss-receiver commands in a firewall policy allow an administrator to
adjust the Maximum Segment Size (MSS) of TCP packets.
This setting controls the largest payload size that a device can handle in a single TCP segment,
ensuring that packets do not exceed the allowed MTU (Maximum Transmission Unit) along the
network path.
- set tcp-mss-sender adjusts the MSS value for outgoing TCP traffic.
- set tcp-mss-receiver adjusts the MSS value for incoming TCP traffic.
This helps prevent issues with fragmentation and MTU mismatches, improving network performance
and avoiding retransmissions.
6. Shortcut Offer:
The hub sends a "Shortcut Offer" message to Spoke-1, informing it that a direct dynamic tunnel to
Spoke-2 is possible.
7. Refer to the exhibit, which shows a physical topology and a traffic log.
The administrator is checking on FortiAnalyzer traffic from the device with IP address 10.1.10.1,
located behind the FortiGate ISFW device.
The firewall policy on the ISFW device does not have UTM enabled and the administrator is
surprised to see a log with the action Malware, as shown in the exhibit.
What are the two reasons FortiAnalyzer would display this log? (Choose two.)
A. Security rating is enabled in ISFW.
B. ISFW is in a Security Fabric environment.
C. ISFW is not connected to FortiAnalyzer and must go through NGFW-1.
D. The firewall policy in NGFW-1 has UTM enabled.
Answer: B D
Explanation:
From the exhibit, ISFW is part of a Security Fabric environment with NGFW-1 as the Fabric Root. In
this architecture, FortiGate devices share security intelligence, including logs and detected threats.
ISFW is in a Security Fabric environment:
- Security Fabric allows devices like ISFW to receive threat intelligence from NGFW-1, even if UTM is
not enabled locally.
- If NGFW-1 detects malware from IP 10.1.10.1 to 89.238.73.97, this information can be propagated to
ISFW and FortiAnalyzer.
The firewall policy in NGFW-1 has UTM enabled:
- Even though ISFW does not have UTM enabled, NGFW-1 (which sits between ISFW and the
external network) does have UTM enabled and is scanning traffic.
- Since NGFW-1 detects malware in the session, it logs the event, which is then sent to FortiAnalyzer.
8. View the exhibit, which contains the sniffer output for a passive mode FTP request, and then
answer the question below.
An administrator has created the following custom IPS signature to block all FTP requests for passive
mode:
F-SBID (--attack_id 1002; --name "Block.FTP "; --protocol tcp; --flow from_client; --pattern "PASV";
--no_case;)
Soon after the signature is enabled in an active IPS sensor, some false positive detections are
generated.
Which of the following option and value pairs will allow more specific detection?
A. --attack_id 1001
B. --protocol ftp
C. --name "Block.FTP.PASV"
D. --service ftp
Answer: D
9. Refer to the exhibit, which shows a partial routing table.
Assuming all the appropriate firewall policies are configured, what two changes would an
administrator need to make if they wanted to send traffic from a client directly connected to port3, to a
server directly connected to port4? (Choose two.)
A. Configure route leaking between VRF 12 and VRF 21.
B. Disable auto-asic-offload as this is not supported between VRF instances.
C. Configure RIPv2 to exchange route information between the VRF instances.
D. Configure route leaking between port3 and port4.
E. Enable SNAT on the relevant firewall policies to prevent RPF check drops.
Answer: AE
10. During the maintenance window, an administrator must sniff all the traffic going through a specific
firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few
packets.
Why is the output of sniffer trace limited?
A. The traffic corresponding to the firewall policy is encrypted.
B. auto-asic-offload is set to enable in the firewall policy.
C. inspection-mode is set to proxy in the firewall policy.
D. The option npudbg is not added in the diagnose sniff packet command.
Answer: B
Explanation:
FortiGate devices with NP6 (Network Processor 6) acceleration offload traffic directly to hardware,
bypassing the CPU for improved performance. When auto-asic-offload is enabled in a firewall policy,
most of the traffic does not reach the CPU, which means it won't be captured by the standard sniffer
trace command.
Since NP6-accelerated traffic is handled entirely in hardware, only a small portion of initial
packets (such as session setup packets or exceptions) might be seen in the sniffer output.
To capture all packets, the administrator must disable hardware offloading using:
    config firewall policy
        edit <policy_ID>
            set auto-asic-offload disable
    end
Disabling ASIC offload forces traffic to be processed by the CPU, allowing the sniffer tool to capture
all packets.
11. A user reports that their computer was infected with malware after accessing a secured HTTPS
website. However, when the administrator checks the FortiGate logs, they do not see that the website
was detected as insecure despite having an SSL certificate and correct profiles applied on the policy.
How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?
A. The administrator must enable reputable websites to allow only SSL/TLS websites rated by
FortiGuard web filter.
B. The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure
the TLS three-way handshake is correctly analyzed by FortiGate.
C. The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI)
that cannot be analyzed in common DNS requests on HTTPS websites.
D. The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt
packets and ensure they are analyzed as expected.
Answer: D
Explanation:
FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless it decrypts it
first. If only certificate inspection is enabled, FortiGate can see the certificate details (such as the
domain and issuer) but cannot inspect the actual web content.
To fully analyze the traffic and detect potential malware threats:
- Full SSL inspection (Deep Packet Inspection) must be enabled in the SSL/SSH Inspection Profile.
- This allows FortiGate to decrypt the HTTPS traffic, inspect the content, and then re-encrypt it before
forwarding it to the user.
- Without full SSL inspection, threats embedded in encrypted traffic may go undetected.
12. Which of the following statements is true regarding a FortiGate configured as an explicit web
proxy?
A. FortiGate limits the number of simultaneous sessions per explicit web proxy user. This limit
CANNOT be modified by the administrator.
B. FortiGate limits the total number of simultaneous explicit web proxy users.
C. FortiGate limits the number of simultaneous sessions per explicit web proxy user. The limit CAN be
modified by the administrator.
D. FortiGate limits the number of workstations that authenticate using the same web proxy user
credentials. This limit CANNOT be modified by the administrator.
Answer: B
13. Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.
Based on the output, which two statements are correct? (Choose two.)
A. Phase 2 authentication is set to sha1 on both sides.
B. Hub2Spoke1 is configured on interface wan2.
C. Anti-replay is disabled.
D. Hub2Spoke1 is a policy-based VPN.
Answer: AB
14. The IT department discovered during the last network migration that all zero phase selectors in
phase 2 IPsec configurations impacted network operations.
What are two valid approaches to prevent this during future migrations? (Choose two.)
A. Use routing protocols to specify allowed subnets over the tunnel.
B. Configure an IPsec-aggregate to create redundancy between each firewall peer.
C. Clearly indicate to the VPN which segments will be encrypted in the phase two selectors.
D. Configure an IP address on the IPsec interface of each firewall to establish unique peer
connections and avoid impacting network operations.
Answer: A C
Explanation:
Zero phase selectors in IPsec Phase 2 mean that no specific traffic selectors (subnets) are defined,
allowing any traffic to be encrypted through the VPN tunnel. This can cause unintended traffic
forwarding issues and disrupt network operations.
To prevent this from happening during future migrations:
- Using routing protocols ensures that only specific subnets are advertised over the tunnel. Dynamic
routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing
unintended traffic from being encrypted.
- Clearly defining phase 2 selectors avoids the problem of encrypting all traffic by explicitly stating the
allowed source and destination subnets. This prevents the tunnel from affecting unrelated network
traffic.
15. Which command is used to enable timestamp in a real-time debug?
A. diagnose debug console timestamp enable
B. diagnose timestamp enable
C. diagnose application timestamp enable
D. diagnose debug application timestamp enable
Answer: A
16. An administrator wants to scale the IBGP sessions and optimize the routing table in an IBGP
network.
Which parameter should the administrator configure?
A. network-import-check
B. ibgp-enforce-multihop
C. neighbor-group
D. route-reflector-client
Answer: D
Explanation:
In an IBGP (Internal BGP) network, all routers must be fully meshed, meaning every router must
establish a BGP session with every other router in the same autonomous system (AS). This does not
scale well in large networks due to the exponential increase in BGP sessions.
To optimize and scale IBGP, Route Reflectors (RRs) are used. A Route Reflector (RR) reduces the
number of IBGP peer connections by allowing a centralized router (RR) to redistribute IBGP routes to
other IBGP peers (called clients). This eliminates the need for a full mesh, significantly reducing BGP
session overhead.
By configuring the route-reflector-client setting on IBGP peers, an administrator can:
- Scale IBGP sessions by reducing the number of direct BGP peer connections.
- Optimize the routing table by ensuring routes are efficiently propagated within the IBGP network.
- Eliminate the need for full mesh topology, making IBGP more manageable.
17. Refer to the exhibit, which contains the output of diagnose sys session list.
If the HA ID for the primary unit is zero (0), which statement about the output is true?
A. This session cannot be synced with the slave unit.
B. The inspection of this session has been offloaded to the slave unit.
C. The master unit is processing this traffic.
D. This session is for HA heartbeat traffic.
Answer: C
18. Examine the output from the 'diagnose vpn tunnel list' command shown in the exhibit; then
answer the question below.
Which command can be used to sniff the ESP traffic for the VPN DialUP_0?
A. diagnose sniffer packet any 'port 500'
B. diagnose sniffer packet any 'esp'
C. diagnose sniffer packet any 'host 10.0.10.10'
D. diagnose sniffer packet any 'port 4500'
Answer: D
19. Refer to the exhibit, which shows the output of a diagnose command.
What can you conclude from the RTT value?
A. Its value is incremented with each packet lost.
B. Its initial value is statically set to 10.
C. It determines which FortiGuard server is used for license validation.
D. Its value represents the time it takes to receive a response after a rating request is sent to a
particular server.
Answer: D
20. What configuration changes can reduce the memory utilization in a FortiGate? (Choose two.)
A. Reduce the session time to live.
B. Increase the TCP session timers.
C. Increase the FortiGuard cache time to live.
D. Reduce the maximum file size to inspect.
Answer: AD
21. Refer to the exhibits.
The Administrators section of a root FortiGate device and the Security Fabric Settings section of a
downstream FortiGate device are shown.
When prompted to sign in with Security Fabric in the downstream FortiGate device, a user enters the
Admin SSO credentials.
What is the next status for the user?
A. The user is prompted to create an SSO administrator account for AdminSSO.
B. The user receives an authentication failure message.
C. The user accesses the downstream FortiGate with super_admin_readonly privileges.
D. The user accesses the downstream FortiGate with super_admin privileges.
Answer: C
Explanation:
From the Root FortiGate - System Administrator Configuration exhibit:
- The AdminSSO account has the super_admin_readonly role.
From the Downstream FortiGate - Security Fabric Settings exhibit:
- The Security Fabric role is set to Join Existing Fabric, meaning it will authenticate with the root
FortiGate.
- SAML Single Sign-On (SSO) is enabled, and the default admin profile is set to super_admin_readonly.
When the AdminSSO user logs into the downstream FortiGate using SSO, the authentication request is
sent to the root FortiGate, where AdminSSO has super_admin_readonly permissions. Since the
downstream FortiGate inherits this permission through the Security Fabric configuration, the user will
be granted super_admin_readonly access.
22. Which of the following statements about administrative domains (ADOMs) on FortiManager is
true?
A. The ADOM feature can be enabled by any administrator with super-user privileges.
B. The number of configurable ADOMs is based on the FortiManager's FortiCare service contract.
C. ADOMs allow grouping of managed devices based on management criteria and administrative
access.
D. FortiGates with multiple VDOMs must be assigned to the same ADOM on FortiManager.
Answer: C
23. Refer to the exhibit.
An administrator is deploying a hub-and-spoke network and using OSPF as the dynamic protocol.
Which configuration is mandatory for neighbor adjacency?
A. Set bfd enable in the router configuration
B. Set network-type point-to-multipoint in the hub interface
C. Set rfc1583-compatible enable in the router configuration
D. Set virtual-link enable in the hub interface
Answer: B
Explanation:
In a hub-and-spoke topology using OSPF over IPsec VPNs, the point-to-multipoint network type is
necessary to establish neighbor adjacencies between the hub and spokes. This network type ensures
that OSPF operates correctly without requiring a designated router (DR) and allows dynamic routing
updates across the IPsec tunnels.
24. What action can be taken on a FortiGate to block traffic using IPS protocol decoders, focusing on
network transmission patterns and application signatures?
A. Use the DNS filter to block application signatures and protocol decoders.
B. Use application control to limit non-URL-based software handling.
C. Enable application detection-based SD-WAN rules.
D. Configure a web filter profile in flow mode.
Answer: B
Explanation:
FortiGate's IPS protocol decoders analyze network transmission patterns and application signatures to
identify and block malicious traffic. Application Control is the feature that allows FortiGate to detect,
classify, and block applications based on their behavior and signatures, even when they do not rely on
traditional URLs.
- Application Control works alongside IPS protocol decoders to inspect packet payloads and enforce
security policies based on recognized application behaviors.
- It enables granular control over non-URL-based applications such as P2P traffic, VoIP, messaging
apps, and other non-web-based protocols that IPS can identify through protocol decoders.
- IPS and Application Control together can detect evasive or encrypted applications that might bypass
traditional firewall rules.
25. An administrator wants to capture ESP traffic between two FortiGates using the built-in sniffer. If
the administrator knows that there is no NAT device located between both FortiGates,
what command should the administrator execute?
A. diagnose sniffer packet any 'udp port 500'
B. diagnose sniffer packet any 'udp port 4500'
C. diagnose sniffer packet any 'esp'
D. diagnose sniffer packet any 'udp port 500 or udp port 4500'
Answer: C
26. Which two statements about application layer test commands are true? (Choose two.)
A. They are used to filter real-time debugs.
B. They display real-time application debugs.
C. Some of them can be used to restart an application.
D. Some of them display statistics and configuration information about a feature or process.
Answer: CD
27. Refer to the exhibits.
The exhibits show a network topology, a firewall policy, and an SSL/SSH inspection profile
configuration.
Why is FortiGate unable to detect HTTPS attacks on firewall policy ID 3 targeting the Linux server?
A. The administrator must set the policy to inspection mode to analyze the HTTPS packets as
expected.
B. The administrator must enable HTTPS in the protocol port mapping of the deep-inspection
SSL/SSH inspection profile.
C. The administrator must enable SSL inspection of the SSL server and upload the certificate of the
Linux server website to the SSL/SSH inspection profile.
D. The administrator must enable cipher suites in the SSL/SSH inspection profile to decrypt the
message.
Answer: C
Explanation:
The FortiGate SSL/SSH inspection profile is configured for Full SSL Inspection, which is necessary to
analyze encrypted HTTPS traffic. However, the firewall policy is protecting an SSL server (the Linux
server hosting the website), and currently, the SSL/SSH profile only applies to client-side SSL
inspection.
To detect HTTPS-based attacks targeting the Linux server:
- FortiGate must act as an SSL intermediary to inspect encrypted traffic destined for the web server.
- The administrator must upload the SSL certificate of the Linux web server to FortiGate so that
the server-side SSL inspection can decrypt incoming HTTPS traffic before analyzing it.
28. An administrator is setting up an ADVPN configuration and wants to ensure that peer IDs are not
exposed during VPN establishment.
Which protocol can the administrator use to enhance security?
A. Use IKEv2, which encrypts peer IDs and prevents exposure.
B. Opt for SSL VPN web mode because it does not use peer IDs at all.
C. Choose IKEv1 aggressive mode because it simplifies peer identification.
D. Stick with IKEv1 main mode because it offers better performance.
Answer: A
Explanation:
In ADVPN (Auto-Discovery VPN) configurations, security concerns include protecting peer IDs during
VPN establishment. Peer IDs are exchanged in the IKE (Internet Key Exchange) negotiation phase,
and their exposure could lead to privacy risks or targeted attacks.
- IKEv2 encrypts peer IDs, making it more secure compared to IKEv1, where peer IDs can be exposed
in plaintext in aggressive mode.
- IKEv2 also provides better performance and flexibility while supporting dynamic tunnel establishment
in ADVPN.
29. Refer to the exhibit, which contains partial output from an IKE real-time debug.
Based on the debug output, which phase 1 setting is enabled in the configuration of this VPN?
A. auto-discovery-receiver
B. auto-discovery-forwarder
C. auto-discovery-shortcut
D. auto-discovery-sender
Answer: D
30. View the exhibit, which contains the output of a debug command, and then answer the question
below.
Which of the following statements about the exhibit are true? (Choose two.)
A. In the network on port4, two OSPF routers are down
B. Port4 is connected to the OSPF backbone area.
C. The local FortiGate’s OSPF router ID is 0.0.0.4
D. The local FortiGate has been elected as the OSPF backup designated router.
Answer: BC
31. A company that acquired multiple branches across different countries needs to install new
FortiGate devices on each of those branches. However, the IT staff lacks sufficient knowledge to
implement the initial configuration on the FortiGate devices.
Which three approaches can the company take to successfully deploy advanced initial configurations
on remote branches? (Choose three.)
A. Use metadata variables to dynamically assign values according to each FortiGate device.
B. Use provisioning templates and install configuration settings at the device layer.
C. Use the Global ADOM to deploy global object configurations to each FortiGate device.
D. Apply Jinja in the FortiManager scripts for large-scale and advanced deployments.
E. Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to
FortiGate devices.
Answer: A B E
Explanation:
Use metadata variables to dynamically assign values according to each FortiGate device: Metadata
variables in FortiManager allow device-specific configurations to be dynamically assigned without
manually configuring each FortiGate. This is especially useful when deploying multiple devices with
similar base configurations.
Use provisioning templates and install configuration settings at the device layer: Provisioning
templates in FortiManager provide a structured way to configure FortiGate devices. These templates
can define interfaces, policies, and settings, ensuring that each device is correctly configured upon
deployment.
Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to
FortiGate devices: Zero-Touch Provisioning (ZTP) and Local Touch Provisioning (LTP) help automate
the deployment of FortiGate devices. By adding devices as model devices in FortiManager,
configurations can be pushed automatically when devices connect for the first time, reducing manual
effort.
32. An administrator is running the following sniffer in a FortiGate:
diagnose sniffer packet any "host 10.0.2.10" 2
What information is included in the output of the sniffer? (Choose two.)
A. Ethernet headers.
B. IP payload.
C. IP headers.
D. Port names.
Answer: BC
33. Which two configuration settings change the behavior for content-inspected traffic while FortiGate
is in conserve mode? (Choose two.)
A. IPS failopen
B. mem failopen
C. AV failopen
D. UTM failopen
Answer: AC
34. Examine the output of the 'get router info ospf interface' command shown in the exhibit; then
answer the question below.
Which statements are true regarding the above output? (Choose two.)
A. The port4 interface is connected to the OSPF backbone area.
B. The local FortiGate has been elected as the OSPF backup designated router.
C. There are at least 5 OSPF routers connected to the port4 network.
D. Two OSPF routers are down in the port4 network.
Answer: AC
35. Refer to the exhibit, which shows an enterprise network connected to an internet service provider.
An administrator must configure a loopback as a BGP source to connect to the ISP.
Which two commands are required to establish the connection? (Choose two.)
A. ebgp-enforce-multihop
B. update-source
C. ibgp-enforce-multihop
D. recursive-next-hop
Answer: A B
Explanation:
When configuring a loopback interface as the BGP source for connecting to an ISP, two important
settings must be applied:
36. A FortiGate's port1 is connected to a private network. Its port2 is connected to the Internet. Explicit
web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache
is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP.
Which statements are true regarding the two entries in the FortiGate session table related to this
traffic? (Choose two.)
A. Both sessions have the local flag on.
B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.
C. One session has the proxy flag on, the other one does not.
D. One of the sessions has the IP address of port2 as the source IP address.
Answer: AD
37. One firewall policy in an enterprise firewall is essentially used for IPS.
Which configuration must the administrator check in this firewall policy to validate optimum
performance for IPS?
A. set cp-accel-mode enable
B. set inspection-mode proxy
C. set offload enable
D. set np-acceleration enable
Answer: D
38. Which two statements about bulk configuration changes using FortiManager CLI scripts are
correct? (Choose two.)
A. When executed on the Policy Package, ADOM database, changes are applied directly to the
managed FortiGate.
B. When executed on the Device Database, you must use the installation wizard to apply the changes
to the managed FortiGate.
C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating
a new revision history.
D. When executed on the Remote FortiGate directly, administrators do not have the option to review
the changes prior to installation.
Answer: BD
39. Exhibits:
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
An administrator is trying to configure ADVPN with a hub-spoke VPN setup using iBGP. All the VPNs
are up and connected to the hub. The hub is receiving route information from both spokes over iBGP;
however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned by
one spoke are forwarded to the other spokes?
A. Configure the hub as a route reflector client.
B. Change the router id to 10.1.0.254.
C. Configure an individual neighbor and remove neighbor-range configuration.
D. Make the configuration of remote-as different from the configuration of local-as.
Answer: A
40. Refer to the exhibit, which shows a FortiGate configuration.
An administrator is troubleshooting a web filter issue on FortiGate. The administrator has configured a
web filter profile and applied it to a policy; however, the web filter is not inspecting any traffic that is
passing through the policy.
What must the administrator change to fix the issue?
A. The administrator must increase webfilter-timeout.
B. The administrator must change protocol to TCP.
C. The administrator must enable fortiguard-anycast.
D. The administrator must disable webfilter-force-off.
Answer: D
41. The logs in an FSSO collector agent (CA) are showing the following error:
failed to connect to registry: PIKA1026 (192.168.12.232)
What can be the reason for this error?
A. The CA cannot resolve the name of the workstation.
B. The FortiGate cannot resolve the name of the workstation.
C. The remote registry service is not running in the workstation 192.168.12.232.
D. The CA cannot reach the FortiGate with the IP address 192.168.12.232.
Answer: C
42. View the exhibit, which contains the partial output of a diagnose command, and then answer the
question below.
Based on the output, which of the following statements is correct?
A. Anti-replay is enabled.
B. DPD is disabled.
C. Quick mode selectors are disabled.
D. Remote gateway IP is 10.200.5.1.
Answer: A