FCSS_EFW_AD-7.6 Reviews Questions

Comprehensive and Detailed 150 to 200 words of Explanation From Exact Extract of Enterprise Firewall 7.6 Administrator documents:

According to the Fortinet Security Fabric 7.6 documentation and FortiAnalyzer study materials, when multiple FortiGate devices are part of a Security Fabric, logs are typically sent to a centralized FortiAnalyzer for a unified view of the network.

In the provided exhibit, the topology shows HQ-NGFW-1 as the Fabric Root and HQ-ISFW as a downstream device. One of the key benefits of the Security Fabric (Option C) is topology-wide visibility, where logs from different devices are correlated.

The traffic log table shows a " Malware " action for traffic originating from 10.0.2.51 (located behind HQ-ISFW) destined for a public IP. If UTM is not enabled on the HQ-ISFW itself, it cannot generate an Antivirus (AV) log. However, because HQ-ISFW is part of the Security Fabric, the traffic eventually passes through the upstream device, HQ-NGFW-1, to reach the internet. If UTM is enabled on HQ-NGFW-1 (Option B), that device will inspect the traffic, detect the malware, and generate the security log. FortiAnalyzer then displays this log as part of the unified threat view, associating it with the original source and the inspection point in the fabric path.

From the BGP neighbor status output, the key issue is that BGP is stuck in the " Idle " state, meaning the FortiGate is unable to establish a BGP session with its peer 100.65.4.1 (Remote AS 65300).

The output also shows:

● " Not directly connected EBGP " → This means the BGP peer is not on the same subnet, requiring multihop BGP.

● " Update source is Loopback " → Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.

To resolve this issue, the administrator must enable ebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.

The Fortinet FGSP (FortiGate Session Life Support Protocol) cluster allows session synchronization between two FortiGate devices to provide seamless failover. However, ICMP (ping) is a connectionless protocol, and by default, FortiGate does not synchronize connectionless sessions unless explicitly enabled.

In the exhibit:

● The command get system session list | grep icmp on FortiGate_B returns no output, meaning that ICMP sessions are not being synchronized from FortiGate_A.

● If session-pickup-connectionless is disabled, FortiGate_B will not receive ICMP sessions, causing packet loss during failover.

Comprehensive and Detailed Explanation From Exact Extract documents and Knowledge:

By default, FortiGate ' s security engines are configured to recognize specific protocols on their standard ports (e.g., HTTPS on 443). When traffic uses a non-standard port like 8443, the firewall may not automatically recognize it as HTTPS and thus will not apply the appropriate SSL inspection or category-based filtering. To resolve this, administrators must update the protocol port mapping within the SSL/SSH inspection profile. By adding port 8443 to the mapping for the HTTPS protocol, the FortiGate is instructed to treat traffic on that port as encrypted web traffic, allowing the full SSL inspection engine to decrypt it and enforce the FortiGuard category blocks as defined in the policy.

==============