Download Fortinet FCSS - Enterprise Firewall 7.6 Administrator.FCSS_EFW_AD-7.6.Braindump2go.2026-03-25.71q.tqb

In this ADVPN (Auto-Discovery VPN) network, there are two hubs (Hub A and Hub B) connected via EBGP, while IBGP is used within each overlay. To ensure proper BGP routing between the overlays, the administrator must configure specific BGP options.. set ebgp-enforce-multihop enable By default, EBGP requires directly connected neighbors. Since Hub A and Hub B are not directly connected but reach each other over an IPsec tunnel, multihop must be enabled for EBGP sessions to work. set next-hop-self enable In IBGP, the next-hop attribute does not change by default. When an IBGP route is advertised from a spoke to another hub or spoke, the next-hop needs to be updated to ensure proper reachability. Enabling next-hop-self forces the BGP speaker to advertise itself as the next-hop, ensuring that all spokes properly reach routes across the overlays. 

The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device. The FortiGate device is connected to multiple areas The output states: "This router is an ABR" ABR (Area Border Router) means the device is connected to multiple OSPF areas and maintains routing information between them. This confirms that the FortiGate is not just in one area, but at least one backbone area (Area 0) and another OSPF area. The FortiGate device injects external routing information The output states: "Supports opaque LSA" Opaque LSAs (Type 9, 10, and 11) are used in OSPF extensions, including those that support external route injection. Typically, ABRs or ASBRs (Autonomous System Boundary Routers) inject external routes, allowing routes from other routing protocols (such as BGP or static routes) to be advertised into OSPF. 

Zero phase selectors in IPsec Phase 2 mean that no specific traffic selectors (subnets) are defined, allowing any traffic to be encrypted through the VPN tunnel. This can cause unintended traffic forwarding issues and disrupt network operations. To prevent this from happening during future migrations: Using routing protocols ensures that only specific subnets are advertised over the tunnel. Dynamic routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing unintended traffic from being encrypted. Clearly defining phase 2 selectors avoids the problem of encrypting all traffic by explicitly stating the allowed source and destination subnets. This prevents the tunnel from affecting unrelated network traffic. 

The set tcp-mss-sender and set tcp-mss-receiver commands in a firewall policy allow an administrator to adjust the Maximum Segment Size (MSS) of TCP packets. This setting controls the largest payload size that a device can handle in a single TCP segment, ensuring that packets do not exceed the allowed MTU (Maximum Transmission Unit) along the network path. set tcp-mss-sender adjusts the MSS value for outgoing TCP traffic. set tcp-mss-receiver adjusts the MSS value for incoming TCP traffic. This helps prevent issues with fragmentation and MTU mismatches, improving network performance and avoiding retransmissions. 

The best way to block outdated SSL/TLS versions is to configure the SSL/SSH inspection profile to enforce a minimum SSL/TLS version and disable weak SSL versions. By setting the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile, FortiGate will: Block any connection using outdated SSL/TLS versions (such as SSLv3, TLS 1.0, or TLS 1.1). Enforce secure communication using only strong SSL/TLS versions (such as TLS 1.2 or TLS 1.3). Protect users from man-in-the-middle (MITM) and downgrade attacks that exploit weak encryption. 

From the OSPF status output, the key information is: "This router is an ASBR" - This means the FortiGate is acting as an Autonomous System Boundary Router (ASBR). An ASBR is responsible for injecting external routing information into OSPF from another routing protocol (such as BGP, static routes, or connected networks). 

In ADVPN (Auto-Discovery VPN) configurations, security concerns include protecting peer IDs during VPN establishment. Peer IDs are exchanged in the IKE (Internet Key Exchange) negotiation phase, and their exposure could lead to privacy risks or targeted attacks. IKEv2 encrypts peer IDs, making it more secure compared to IKEv1, where peer IDs can be exposed in plaintext in aggressive mode. IKEv2 also provides better performance and flexibility while supporting dynamic tunnel establishment in ADVPN. 

To minimize CPU and RAM usage while still enforcing security features like web filtering and application control, SSL certificate inspection mode is the best choice. SSL certificate inspection allows FortiGate to inspect only the SSL/TLS handshake, including the Server Name Indication (SNI) and certificate details, without decrypting the full encrypted payload. This enables features like web filtering and application control because FortiGate can determine the destination website or application based on SNI and certificate information. It significantly reduces system load compared to full SSL inspection, which requires full decryption and re-encryption of traffic. 

When standardizing the deployment of FortiGate devices across branches using FortiManager, the best practice is to use metadata variables. This allows for dynamic interface configuration while maintaining a single, consistent policy package for all branches. Metadata variables in FortiManager enable interface roles and configurations to be dynamically assigned based on the specific FortiGate device. This ensures scalability and consistent security policy enforcement across all branches without manually adjusting interface settings for each device. When a new branch FortiGate is deployed, metadata variables automatically map to the correct physical interfaces, reducing manual configuration errors. 

When configuring a loopback interface as the BGP source for connecting to an ISP, two important settings must be applied: 1. Enable EBGP Multihop (ebgp-enforce-multihop) BGP normally expects directly connected neighbors, but since the ISP and FortiGate A are using loopback interfaces, packets will not be sent directly between their physical interfaces. The ebgp-enforce-multihop command allows BGP to form an eBGP peering over multiple hops. 2. Set the Update Source (update-source) Since FortiGate is using a loopback interface as the source, the update-source command ensures that BGP updates originate from the loopback interface rather than a physical interface. This is essential because BGP peers must match the source IP with the configured neighbor address.