Free Fortinet FCSS_EFW_AD-7.6 Practice Test & Real Exam Questions

Exam Code/Number: FCSS_EFW_AD-7.6
Exam Name/Title: FCSS - Enterprise Firewall 7.6 Administrator
Certification Provider: Fortinet
Corresponding Certification: Fortinet Certified Professional Network Security

Exam Questions: 158
Updated On: Jun 27, 2026

Question #15

During the maintenance window, you must sniff all the traffic going through a specific firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few packets. Why is the output of the sniffer trace limited?

A. inspection-mode is set to proxy in the firewall policy.

B. This is an ultralow latency interface.

C. The option npudbg is not added in the diagnose sniff packet command.

D. auto-asic-offload is set to enable in the firewall policy.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Question #16

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

A. Based on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

B. Spoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

C. On both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.

D. On NGFW-1, the configuration was changed and spokes are wailing for an autoupdate.

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Question #17

Refer to the exhibit.

The partial output of a troubleshooting command is shown.
You are using IPsec on FortiGate extensively. Many tunnels are showing information that is similar to the output shown in the exhibit.
Which statement about your IPsec use is correct?

A. Only the inbound IPsec SA is copied to the NPU.

B. Only the outbound IPsec SA is copied to the NPU.

C. The two IPsec security associations (SA), inbound and outbound, are copied to the network processing unit (NPU).

D. IPsec SAs cannot be offloaded.

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Question #18

Refer to the exhibit.

You need to modify the MED value advertised from FortiGate_1 to a BGP neighbor in the autonomous system, AS 30.
Which parameter must you configure on FortiGate_1 to implement this?

A. route-overlap

B. route-map-out

C. distribute-list-out

D. prefix-list-out

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Question #19

You receive a FortiAnalyzer alert warning that a 1 TB disk filled up in a day. Upon investigation, you find thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. You later discover that DNS exfiltration is occurring through both UDP and TLS. How can you prevent this data theft technique?

A. Use an intrusion prevention system (IPS) profile and DNS exfiltration-related signatures.

B. Use a file filter profile to protect against DNS exfiltration.

C. Enable data loss prevention (DLP) to prevent DNS exfiltration.

D. Enable DNS filter to protect against DNS exfiltration.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Question #20

Refer to the exhibit, which shows the ADVPN IPsec interface representing the VPN IPsec phase
1 from Hub A to Spoke 1 and Spoke 2, and from Hub to Spoke 3 and Spoke 4.

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.
What must the administrator configure in the phase 1 VPN IPsec configuration of the ADVPN tunnels?

A. set auto-discovery-sender enable and set network-id x

B. set auto-discovery-crossover enable and set enforce-multihop enable

C. set auto-discovery-receiver enable and set npu-offload enable

D. set auto-discovery-forwarder enable and set remote-as x

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Question #21

How can FortiGate analyze HTTPS traffic on non-standard port 8443?

A. Proxy mode

B. Add 443 and 8443 mapping

C. TLS 1.2

D. Enable IPS

Discussion 0

Correct Answer: B Vote an answer

Question #22

In which two ways does FortiGate utilize the Internet Service Database (ISDB)?

A. Limits by URL

B. Provides predefined IPs and ports

C. Works in proxy mode

D. Blocks IPs and ports

Discussion 0

Correct Answer: B,D Vote an answer

Question #23

Refer to the exhibit.

A partial enterprise network is shown.
What must you configure so that FortiGate A and other OSPF routers in the backbone learn about prefixes generated within the RIP domain?

A. Configure a distribute-route-map-in on FortiGate B.

B. Set the area 0.0.0.1 type to stub on FortiGate A and B.

C. Configure a virtual link between FortiGate A and B.

D. Enable RIP redistribution on FortiGate B.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Question #24

An administrator configured the following command on FortiGate.
config router ospf
set restart-mode graceful-restart
Which two statements correctly describe the result of the above command? (Choose two.)

A. FortiGate is configured with graceful restart, and will exit graceful mode, if the network topology changes.

B. In an HA cluster, FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover.

C. After the default 40 seconds wait time, the OSPF neighbors will resume communication with the restarting router.

D. The OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode.

Discussion 0

Correct Answer: B,D Vote an answer

Question #25

Which two features can you use to segment an enterprise network?

A. ZTNA

B. VDOM

C. VLAN

D. IPsec

Discussion 0

Correct Answer: B,C Vote an answer

Question #26

An administrator is configuring application control with FortiGate running in next-generation firewall (NGFW) policy-based mode.
Which two actions must the administrator take? (Choose two.)

A. Specify an SSLISSH inspection profile on a consolidated policy.

B. Create an application control profile and apply the profile to a firewall policy.

C. Configure central source network address translation (SNAT), if NAT is required.

D. Configure the action as quarantine, if an application requires feedback to prevent instability.

Discussion 0

Correct Answer: A,C Vote an answer

Question #27

Refer to the exhibit.

An ADVPN network is shown.
You must configure an ADVPN using IBGP for each local region and EBGP across regions to connect Overlay 1 with Overlay 2.
Which two options must you configure in the Hub2Hub BGP peering? (Choose two.)

A. set next-hop-self enable

B. set ibgp-enforce-multihop advpn

C. set ebgp-enforce-multihop enable

D. set attribute-unchanged next-hop

Discussion 0

Correct Answer: C,D Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Question #28

An administrator is setting up an ADVPN configuration and wants to ensure that peer IDs are not exposed during VPN establishment.
Which protocol can the administrator use to enhance security?

A. Use IKEv2, which encrypts peer IDs and prevents exposure.

B. Stick with IKEv1 main mode because it offers better performance.

C. Choose IKEv1 aggressive mode because it simplifies peer identification.

D. Opt for SSL VPN web mode because it does not use peer IDs at all.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).

Download Free Fortinet FCSS_EFW_AD-7.6 Demo

Simply submit your e-mail address below to get started with our free demo of your Fortinet FCSS_EFW_AD-7.6 exam.