FCSS EFW AD 7.6 – Empowering Families & Community Support
                     Fortinet
FCSS_EFW_AD-7.6
ExamName: Fortinet NSE 7 - Enterprise Firewall 7.6 Administrator
Exam Version: 6.2
Questions & Answers Sample PDF
(Preview content before you buy)
Check the full version using the link below.
https://pass2certify.com/exam/fcss_efw_ad-7.6
Unlock Full Features:
Stay Updated: 90 days of free exam updates
Zero Risk: 30-day money-back policy
Instant Access: Download right after purchase
Always Here: 24/7 customer support team
https://pass2certify.com//exam/fcss_efw_ad-7.6 Page 1 of 8
Question 1. (Multi Select)
A company that acquired multiple branches across different countries needs to install new FortiGate
devices on each of those branches. However, the IT staff lacks sufficient knowledge to implement the initial
configuration on the FortiGate devices.
Which three approaches can the company take to successfully deploy advanced initial configurations on
remote branches? (Choose three.)
A: Use metadata variables to dynamically assign values according to each FortiGate device.
B: Use provisioning templates and install configuration settings at the device layer.
C: Use the Global ADOM to deploy global object configurations to each FortiGate device.
D: Apply Jinja in the FortiManager scripts for large-scale and advanced deployments.
E: Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate
devices.
Answer: A, B, E
Explanation:
Use metadata variables to dynamically assign values according to each FortiGate device:Metadata
variables in FortiManager allow device-specific configurations to be dynamically assigned without manually
configuring each FortiGate. This is especially useful when deploying multiple devices with similar base
configurations.
Use provisioning templates and install configuration settings at the device layer:Provisioning templates in
FortiManager provide a structured way to configure FortiGate devices. These templates can define
interfaces, policies, and settings, ensuring that each device is correctly configured upon deployment.
Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate
devices:Zero-Touch Provisioning (ZTP) and Local Touch Provisioning (LTP) help automate the deployment
of FortiGate devices. By adding devices as model devices in FortiManager, configurations can be pushed
automatically when devices connect for the first time, reducing manual effort.
Question 2. (Single Select)
A company's guest internet policy, operating in proxy mode, blocks access to Artificial Intelligence
https://pass2certify.com//exam/fcss_efw_ad-7.6 Page 2 of 8
Technology sites using FortiGuard. However, a guest user accessed a page in this category using port
8443.
Which configuration changes are required for FortiGate to analyze HTTPS traffic on nonstandard ports like
8443 when full SSL inspection is active in the guest policy?
A: Add a URL wildcard domain to the website CA certificate and use it in the SSL/SSH Inspection Profile.
B: In the Protocol Port Mapping section of the SSL/SSH Inspection Profile, enter 443, 8443 to analyze both
standard (443) and non-standard (8443) HTTPS ports.
C: To analyze nonstandard ports in web filter profiles, use TLSv1.3 in the SSL/SSH Inspection Profile.
D: Administrators can block traffic on nonstandard ports by enabling the SNI check in the SSL/SSH
Inspection Profile.
Answer: B
Explanation:
When FortiGate is operating in proxy mode with full SSL inspection enabled, it inspects encrypted HTTPS
traffic by default on port 443. However, some websites may use non-standard HTTPS ports (such as
8443), which FortiGate does not inspect unless explicitly configured.
To ensure that FortiGate inspects HTTPS traffic on port 8443, administrators must manually add port 8443
in the Protocol Port Mapping section of the SSL/SSH Inspection Profile. This allows FortiGate to treat
HTTPS traffic on port 8443 the same as traffic on port 443, enabling proper inspection and enforcement of
FortiGuard category-based web filtering.
Question 3. (Single Select)
Refer to the exhibits.
https://pass2certify.com//exam/fcss_efw_ad-7.6 Page 3 of 8
The Administrators section of a root FortiGate device and the Security Fabric Settings section of a
downstream FortiGate device are shown. When prompted to sign in with Security Fabric in the downstream
FortiGate device, a user enters the AdminSSO credentials. What is the next status for the user?
A: The user is prompted to create an SSO administrator account for AdminSSO.
B: The user receives an authentication failure message.
C: The user accesses the downstream FortiGate with super_admin_readonly privileges.
D: The user accesses the downstream FortiGate with super_admin privileges.
Answer: C
https://pass2certify.com//exam/fcss_efw_ad-7.6 Page 4 of 8
Explanation:
From the Root FortiGate - System Administrator Configuration exhibit:
%Ï The AdminSSO account has the super_admin_readonly role.
From the Downstream FortiGate - Security Fabric Settings exhibit:
%Ï The Security Fabric role is set to Join Existing Fabric, meaning it will authenticate with the root FortiGate.
%Ï SAML Single Sign-On (SSO) is enabled, and the default admin profile is set to super_admin_readonly.
When the AdminSSO user logs into the downstream FortiGate using SSO, the authentication request is
sent to the root FortiGate, where AdminSSO has super_admin_readonly permissions. Since the
downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be
granted super_admin_readonly access.
Question 4. (Single Select)
A user reports that their computer was infected with malware after accessing a secured HTTPS website.
However, when the administrator checks the FortiGate logs, they do not see that the website was detected
as insecure despite having an SSL certificate and correct profiles applied on the policy.
How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?
A: The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard
web filter.
B: The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the
TLS three-way handshake is correctly analyzed by FortiGate.
C: The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that
cannot be analyzed in common DNS requests on HTTPS websites.
D: The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets
and ensure they are analyzed as expected.
Answer: D
Explanation:
FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless it decrypts it first.
If only certificate inspection is enabled, FortiGate can see the certificate details (such as the domain and
issuer) but cannot inspect the actual web content.
To fully analyze the traffic and detect potential malware threats:
https://pass2certify.com//exam/fcss_efw_ad-7.6 Page 5 of 8
%Ï Full SSL inspection (Deep Packet Inspection) must be enabled in the SSL/SSH Inspection Profile.
%Ï This allows FortiGate to decrypt the HTTPS traffic, inspect the content, and then re-encrypt it before
forwarding it to the user.
%Ï Without full SSL inspection, threats embedded in encrypted traffic may go undetected.
Question 5. (Single Select)
Refer to the exhibit, which shows an ADVPN network.
The client behind Spoke-1 generates traffic to the device located behind Spoke-2. What is the first
message that the hub sends to Spoke-1 to bring up the dynamic tunnel?
A: Shortcut query
B: Shortcut offer
C: Shortcut reply
D: Shortcut forward
Answer: B
Explanation:
In an ADVPN (Auto-Discovery VPN) network, a dynamic VPN tunnel is established on-demand between
spokes to optimize traffic flow and reduce latency.
https://pass2certify.com//exam/fcss_efw_ad-7.6 Page 6 of 8
Process:
1. Traffic Initiation:
2. Hub Detection:
3. Shortcut Offer:
4. Tunnel Establishment:
https://pass2certify.com//exam/fcss_efw_ad-7.6 Page 7 of 8
Need more info? Check the link below:
https://pass2certify.com/exam/fcss_efw_ad-7.6
Thanks for Being a Valued Pass2Certify User!
Guaranteed Success Pass Every Exam with Pass2Certify.
Save $15 instantly with promo code
SAVEFAST
Sales: [email protected]
Support: [email protected]
https://pass2certify.com//exam/fcss_efw_ad-7.6 Page 8 of 8