FCSS_EFW_AD-7.6 Online Practice Questions

Explanation:
FortiGate_A and FortiGate_B are in the same autonomous system (AS), and FortiGate_A does not currently have route 172.16.1.248/30 in its routing table. However, FortiGate_B has this route as a connected route.
To dynamically advertise only 172.16.1.248/30 from FortiGate_B to FortiGate_A, the administrator must configure a BGP route map out on FortiGate_B that specifically permits only this prefix.
A BGP route map out on FortiGate_B controls which routes FortiGate_B advertises to FortiGate_A. If no filtering is applied, FortiGate_B might advertise all BGP-learned and connected routes, which is not what the administrator wants. The route map should include a prefix-list that explicitly allows only 172.16.1.248/30 and denies everything else.

Explanation:
The output of the get router info ospf status command provides key information about the OSPF (Open Shortest Path First) configuration on the FortiGate device.
The FortiGate device is connected to multiple areas
● The output states: "This router is an ABR"
● ABR (Area Border Router) means the device is connected to multiple OSPF areas and maintains routing information between them.
● This confirms that the FortiGate is not just in one area, but at least one backbone area (Area 0) and another OSPF area.
The FortiGate device injects external routing information
● The output states: "Supports opaque LSA"
● Opaque LSAs (Type 9, 10, and 11) are used in OSPF extensions, including those that support external route injection.
● Typically, ABRs or ASBRs (Autonomous System Boundary Routers) inject external routes, allowing routes from other routing protocols (such as BGP or static routes) to be advertised into OSPF.

Explanation:
The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).
● npu_flag=20:
● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.
● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:
● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.
● npu_selid=1:
● This value means the session selector for the NPU offloaded SA is active.
Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

Explanation:
The diagram shows a multi-area OSPF network where:
● FortiGate A is in OSPF Area 0 (Backbone area).
● FortiGate B is in OSPF Area 0.0.0.1 and is connected to an RIP network.
To ensure that OSPF Area 0 (0.0.0.0) learns routes from the external RIP network, FortiGate B must redistribute RIP routes into OSPF.
Steps to achieve this:

Explanation:
When multiple remote sites connect to the same hub using overlapping subnets, FortiGate needs to determine which route should be used for traffic forwarding. The route-overlap setting in IPsec Phase 2 allows FortiGate to handle this scenario by deciding whether to keep the existing route (use-old) or replace it with a new route (use-new).
In an ECMP (Equal-Cost Multi-Path) routing setup, both routes should be retained and balanced, but FortiGate does not support ECMP directly over overlapping routes in IPsec Phase 2. Instead, an administrator must decide which connection takes precedence using route-overlap settings.