FCSS_EFW_AD-7.4試験無料問題集（78題）「Fortinet FCSS - Enterprise Firewall 7.4 Administrator 認定」

出題：1

Refer to the exhibit, which contains a partial command output.

The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit.
What configuration must the administrator consider next?

A. Configure a static route to 100.65.4.1.

B. Contact the remote peer administrator to enable BGP

C. Configure the local AS to 65300.

D. Enable ebgp-enforce-multihop.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：2

A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when the administrator checks the FortiGate logs, they do not see that the website was detected as insecure despite having an SSL certificate and correct profiles applied on the policy.
How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?

A. The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected.

B. The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard web filter.

C. The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the TLS three-way handshake is correctly analyzed by FortiGate.

D. The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that cannot be analyzed in common DNS requests on HTTPS websites.

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：3

An administrator must optimize the performance of real-time voice and video applications across a WAN link with high packet loss.
Which combination of IPSec phase 1 parameters must the administrator configure to reduce errors and boost application reliability?

A. fec-ingress and fsc-egrsss

B. dpd and dpd-retryinterval

C. fragmentation and fragmentation-mtu

D. keepalive and keylive

正解：A 解答を投票する

出題：4

Refer to the exhibit, which shows an SSL certification inspection configuration.
SSL certification inspection configuration

While testing, the administrator updated the ssl-ssh-profile configuration with the command set sni-server-cert-check strict.
The administrator found that the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate.
With respect to the set sni-server-cert-check strict command, which action does FortiGate take?

A. FortiGate uses the CN information from the Subject field in the server certificate.

B. FortiGate closes the connection because this represents an invalid SSL/TLS header.

C. FortiGate uses the first entry listed in the SAN field in the server certificate.

D. FortiGate uses the SNI from the user's web browser.

正解：B 解答を投票する

出題：5

The IT department discovered during the last network migration that all zero phase selectors in phase 2 IPsec configurations impacted network operations. What are two valid approaches to prevent this during future migrations? (Choose two.)

A. Clearly indicate to the VPN which segments will be encrypted in the phase two selectors.

B. Configure an IP address on the IPsec interface of each firewall to establish unique peer connections and avoid impacting network operations.

C. Configure an IPsec-aggregate to create redundancy between each firewall peer.

D. Use routing protocols to specify allowed subnets over the tunnel.

正解：A,D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：6

Refer to the exhibit, which shows the ADVPN network topology and partial BGP configuration.

Which two parameters must an administrator configure in the config neighbor range for spokes shown in the exhibit? (Choose two.)

A. set max-neighbor-num 2

B. set neighbor-group advpn

C. set prefix 172.16.1.0 255.255.255.0

D. set route-reflector-client enable

正解：B,C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：7

Refer to the exhibit, which contains the partial output of an OSPF command.

An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit.
Which statement on this FortiGate device is correct?

A. The FortiGate device is a backup designated router.

B. The FortiGate device does not support OSPF ECMP.

C. The FortiGate device can inject external routing information.

D. The FortiGate device is in the area 0.0.0.5.

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：8

Refer to the exhibit, which contains a partial VPN configuration.

What can you conclude from this VPN IPsec phase 1 configuration?

A. This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.

B. Peer IDs are unencrypted and exposed, creating a security risk.

C. A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.

D. FortiGate will not add a route to its routing or forwarding information base when the dynamic tunnel is negotiated.

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

FCSS_EFW_AD-7.4試験無料問題集「Fortinet FCSS - Enterprise Firewall 7.4 Administrator 認定」