FCSS_EFW_AD-7.6 Exam Dumps - Fortinet NSE 7 - Enterprise Firewall 7.6 Administrator

In FortiManager, pre-run CLI templates are used in Zero-Touch Provisioning (ZTP) and Low-Touch Provisioning (LTP) to configure a FortiGate device before it is fully managed by FortiManager.

These templates apply configurations when a device is initially provisioned. Once the pre-run CLI template is executed, FortiManager automatically unassigns it from the device because it is not meant to persist like other policy configurations. This prevents conflicts and ensures that the FortiGate configuration is not repeatedly applied after the initial setup.

The TCP Maximum Segment Size (MSS) defines the largest payload (the data part of a TCP segment) that a device can receive in a single segment. Configuring tcp-mss-sender and tcp-mss-receiver on a FortiGate interface or within an IPsec tunnel configuration allows the firewall to intercept and modify the MSS value in the TCP SYN and SYN-ACK packets. This is primarily used to prevent packet fragmentation over links with lower MTUs (like IPsec or VXLAN) by ensuring the sender produces segments that fit within the tunnel ' s available payload space once encapsulation headers are added.

==============

In an FGSP (FortiGate Session Life Support Protocol) cluster, sessions are synchronized between members to provide seamless failover or handle asymmetric traffic. By default, FortiGate only synchronizes connection-oriented sessions (TCP). For connectionless sessions such as ICMP or UDP , synchronization must be explicitly enabled using the session-pickup-connectionless setting under the HA configuration. Without this setting, connectionless traffic remains local to the device that processed it and is not reflected in the session table of peer members.

==============

According to the FortiGate security profile documentation, standard certificate inspection (which uses SNI) only examines the certificate header and does not allow the firewall to see the actual payload of an encrypted session. To identify attacks such as PHP code injection or malware hidden within HTTPS traffic, the FortiGate must be configured with full SSL inspection (also known as deep SSL inspection). This process requires the FortiGate to act as a man-in-the-middle, decrypting the traffic using a trusted CA certificate, inspecting the cleartext content for threats, and then re-encrypting it before sending it to the destination.

==============

From the BGP neighbor status output, the key issue is that BGP is stuck in the " Idle " state, meaning the FortiGate is unable to establish a BGP session with its peer 100.65.4.1 (Remote AS 65300).

The output also shows:

● " Not directly connected EBGP " → This means the BGP peer is not on the same subnet, requiring multihop BGP.

● " Update source is Loopback " → Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.

To resolve this issue, the administrator must enable ebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.