The set tcp-mss-sender and set tcp-mss-receiver commands in a FortiGate firewall policy are used to implement TCP Maximum Segment Size (MSS) clamping. The MSS value, exchanged during the TCP three-way handshake, defines the largest TCP payload size that an endpoint can receive in a single segment. By configuring these values, the FortiGate intercepts TCP SYN packets and, if necessary, lowers the advertised MSS. This ensures that the resulting IP packets (TCP payload + TCP/IP headers) do not exceed the Path Maximum Transmission Unit (PMTU), thereby preventing IP fragmentation, which is a common issue in networks with tunnels like IPsec VPNs.

A. MSS clamping is a traffic modification mechanism that alters TCP parameters to prevent fragmentation; it does not act as a security filter to allow or deny packets based on their size.

C. The administrator calculates the appropriate MSS value based on the path's MTU, not the other way around. The goal is to control the payload size to fit within the MTU.

D. The FortiGate modifies the MSS value in the TCP SYN packet only if the packet's original MSS is greater than the value configured, in order to reduce it.

---

1. Fortinet FortiOS 7.0.0 CLI Reference:

Document: FortiOS 7.0.0 CLI Reference

Section: config firewall policy

Page: 1018

Content: The reference defines tcp-mss-sender and tcp-mss-receiver as commands to configure the "TCP maximum segment size in bytes." It states

"When set to a non-zero value

the FortiGate unit will replace the MSS value in the TCP SYN packet with the value you specify if the original MSS is larger." This confirms the mechanism modifies the maximum payload size.

2. Fortinet FortiOS 7.0.0 Networking Guide:

Document: FortiOS 7.0.0 Networking Guide

Section: Packet fragmentation

Page: 338

Content: "The FortiGate can also perform TCP MSS clamping to reduce the MSS of TCP packets to prevent them from being fragmented... The MSS is the size of the data portion of a TCP packet." This directly supports that the commands determine the largest payload (data portion) of a TCP segment.

3. Fortinet FortiOS 7.0.0 Administration Guide:

Document: FortiOS 7.0.0 Administration Guide

Section: IPsec VPN advanced settings

Page: 518

Content: The guide explains the need for MSS clamping in VPNs: "If the TCP MSS is not set correctly

the TCP packets may need to be fragmented after being encrypted. The FortiGate unit can reduce the MSS in the TCP SYN packet to avoid this." This highlights the function of controlling segment size to prevent fragmentation.

Pre-run CLI templates used for Zero-Touch Provisioning (ZTP) and Low-Touch Provisioning (LTP) are designed for the initial bootstrapping of a FortiGate. They configure essential settings like interface IP addresses and static routes, enabling FortiManager to establish a connection and perform the first configuration installation. By design, FortiManager automatically unassigns these specific pre-run templates from the device after the first successful installation. This is a deliberate one-time action to prevent the initial bootstrap configuration from being re-applied during subsequent policy package installations, which could cause conflicts or revert intended changes.

A. This is incorrect. The template was assigned correctly for ZTP; its unassignment is an expected, automatic behavior, not a permanent assignment failure.

C. The unassignment process is automatic for ZTP/LTP pre-run templates, not manual. This automation is a key feature of the provisioning workflow.

D. Post-run CLI templates are executed after a policy package installation, making them unsuitable for the initial bootstrap configuration required for ZTP/LTP.

1. Fortinet FortiManager Administration Guide 7.6:

In the section Device Manager > Provisioning Templates > Creating a provisioning template

the guide states: "When a pre-run CLI template is used for zero-touch or low-touch provisioning

the template is automatically unassigned from the device after the template is run on the device. This prevents the template from being run on the device again during subsequent installations." This directly confirms the automatic unassignment behavior.

2. Fortinet FortiManager Administration Guide 7.4:

The same behavior is documented in the Device Manager > Provisioning Templates > Creating a provisioning template section

confirming this is a standard feature: "When a pre-run CLI template is used for zero-touch or low-touch provisioning

the template is automatically unassigned from the device after the template is run on the device."

In an ADVPN configuration that uses both iBGP and eBGP, specific BGP settings are required on the hub FortiGate.

1. set next-hop-self enable: This command is essential for the iBGP peering between the hub and its spokes. The hub acts as a route reflector. When it receives routes from one spoke, it must advertise them to other spokes with itself as the next hop. This action is the trigger for the spokes to initiate the on-demand shortcut tunnel.

2. set ebgp-enforce-multihop enable: This command is required for the eBGP peering. By default, eBGP peers must be directly connected. In a WAN or VPN environment, eBGP peers are typically multiple network hops apart. This setting allows the BGP session to be established between peers that are not on the same subnet.

C. set ibgp-enforce-multihop advpn: iBGP peers are not required to be directly connected by default, so enforcing multihop is generally unnecessary. The advpn keyword for this command is not a standard configuration for this scenario.

D. set attribute-unchanged next-hop: This command would prevent the hub from changing the next-hop attribute, which is the opposite of the required behavior. It would break the ADVPN shortcut mechanism.

1. Fortinet FortiOS 7.4.0 Administration Guide

VPN > IPsec VPN > Auto-Discovery VPN (ADVPN) > BGP configuration for the hub.

This section explicitly shows the command set next-hop-self enable as a required part of the iBGP neighbor group configuration on the hub. It states

"The hub must be configured as a route reflector for iBGP."

2. Fortinet FortiOS 7.4.0 Administration Guide

Routing > BGP > BGP concepts > eBGP multihop.

The documentation states: "By default

eBGP requires neighbors to be directly connected. If they are not

you must configure eBGP multihop routing... config router bgp ... config neighbor ... set ebgp-multihop enable". This confirms the necessity of the command for non-directly connected eBGP peers

as is the case in this ADVPN scenario.

3. Fortinet Cookbook

ADVPN with BGP as the routing protocol (2023/11/21).

In the "Configuring the Hub" section

under the BGP configuration for the neighbor group that includes the spokes

the command set next-hop-self enable is listed as a mandatory step. The explanation notes that this allows the hub to advertise itself as the next hop for routes learned from other spokes.

The neighbor (100.65.4.1) is reached across at least one intermediate hop (the summary shows the neighbor on an interface/subnet that is not directly connected).

FortiGate will refuse an eBGP session if the first TTL of the TCP packet is larger than 1 unless eBGP-multihop is allowed.

Setting “set ebgp-enforce-multihop enable” under config router bgp (or per-neighbor) removes the single-hop restriction and permits the session to come up.

A. A connected/network route to 100.65.4.1 already exists (shown in the exhibit); an additional static route is unnecessary.

B. Local AS already matches the configured 65200; changing it to 65300 would break the session (“Bad peer AS” error).

C. The peer is already configured and listening; the session fails on TTL, not because BGP is disabled remotely.

1. Fortinet

“FortiOS 7.2 CLI Reference – router bgp”

entry “ebgp-enforce-multihop”

p. 2749: “Enable to allow external BGP sessions with non-directly connected neighbors.”

2. Fortinet

“BGP Best Practices for FortiOS 7.2”

section 3.2

p. 17: “For eBGP over multiple hops you must enable ebgp-enforce-multihop

otherwise the session remains Idle.”

3. Fortinet Cookbook

“Configure eBGP multi-hop”

Example 2

steps 4-5.

4. RFC 4271

Border Gateway Protocol 4

§8.5: default TTL value of 1 for eBGP sessions.

These sources collectively document the default single-hop behavior and the necessity of enabling eBGP multi-hop when neighbors are not directly connected.

The MAC address prefix e0:23:ff is specifically used by FortiGate High Availability (HA) clusters when Virtual Domains (VDOMs) are enabled. This immediately confirms that the packet originates from a cluster with VDOMs.

The last three octets of the MAC address (fc:00:86) encode the HA group ID, virtual cluster ID, and interface index. The value is calculated using the formula: Last 3 Octets = 0xFFFFFF - ((groupid << 16) | (vclusterid << 8) | ifindex).

By reversing the calculation (0xFFFFFF - 0xFC0086), we get 0x03FF79. This result indicates a groupid of 0x03 (decimal 3). Since 3 is less than the maximum possible value of 255, this conclusion is also correct.

B. The FortiGate Session Life Support Protocol (FGSP) is used for session synchronization between standalone devices and does not generate this virtual MAC address for traffic forwarding.

D. The calculation derives the interface index as 0x79 (decimal 121), not 7. Furthermore, the interface index is an internal value and does not directly map to a physical port number.

1. FortiOS Handbook - High Availability 7.2.1

Page 36

Section: "HA cluster virtual MAC addresses".

This document states: "When VDOMs are enabled

FortiGate generates a different set of virtual MAC addresses. The first three octets are e0:23:ff. The last three octets are calculated based on the HA group ID

the virtual cluster ID

and the interface index. The formula is (0xffffff - (groupid << 16 | vclusterid << 8 | ifindex))." This directly supports the explanation for answers A and C.

2. Fortinet Knowledge Base - Technical Tip: FortiGate HA virtual MAC address details (Article ID: FD36109).

This article provides a detailed breakdown of HA virtual MAC address calculation. It confirms that for FortiOS 5.4 and later with VDOMs enabled

the prefix is e0:23:ff and explicitly provides the formula 0xffffff - ((groupid << 16) + (vclusterid << 8) + ifindex) for the remaining octets. This validates the entire analysis.

SSL certificate inspection mode allows the FortiGate to inspect the Server Name Indication (SNI) and the server certificate presented during the initial TLS handshake. This enables security features like web filtering (based on domain name/category) and application control (based on the certificate's subject) without decrypting the entire encrypted payload. Because it avoids the computationally expensive decryption and re-encryption process, this mode consumes significantly less CPU and RAM compared to full SSL inspection, directly addressing the administrator's goal of minimizing system load while maintaining essential security visibility.

A. Full SSL inspection is the most resource-intensive method as it decrypts and re-encrypts all traffic, which contradicts the requirement to minimize CPU and RAM use.

B. Disabling SSL inspection entirely would prevent the FortiGate from identifying the destination domain or application within the encrypted stream, rendering web filtering and application control ineffective.

C. This option is too generic. While the goal is efficient handling, it does not specify a concrete setting or mode, unlike certificate inspection, which is a specific, low-impact configuration.

1. FortiGate Infrastructure 7.2 Study Guide

p. 218: "SSL Inspection Modes" section states

"Certificate inspection: FortiGate only inspects the server certificate to confirm its validity and the subject. It does not decrypt the traffic. This mode consumes the least amount of resources." It also clarifies that web filtering and application control can use the information from the certificate.

2. FortiOS 7.2 Administration Guide

"SSL & SSH Inspection > Inspection modes" section: "In certificate inspection mode

FortiGate only inspects the header information of the packets. This is the least resource-intensive inspection mode... Based on the information in the certificate

FortiGate can determine if the traffic should be allowed or blocked."

3. FortiGate Security 7.2 Study Guide

p. 130: "SSL Inspection Modes" section explains

"Certificate inspection only looks at the certificate of the web server... This allows FortiGate to perform web filtering based on the category of the website

but it does not allow FortiGate to inspect the actual content for threats." This highlights its capability for web filtering with low overhead.

In a hub-and-spoke topology, particularly over a Non-Broadcast Multi-Access (NBMA) network such as a typical IPsec VPN overlay, OSPF requires a specific network type to establish adjacencies correctly. Setting the network type to point-to-multipoint on the hub's interface is the standard and recommended configuration. This mode eliminates the need for a Designated Router (DR) and Backup Designated Router (BDR) election. Instead, the hub establishes a separate point-to-point adjacency with each spoke router, which is the intended behavior for this topology. This ensures stable neighbor relationships and proper route propagation without requiring manual neighbor configuration.

A. Set bfd enable in the router configuration

BFD (Bidirectional Forwarding Detection) is used for rapid link failure detection but is not a prerequisite for forming an OSPF neighbor adjacency.

C. Set rfc1583-compatible enable in the router configuration

This setting controls the calculation method for summary routes (Type 3 LSAs) for compatibility with older standards and does not affect neighbor adjacency formation.

D. Set virtual-link enable in the hub interface

Virtual links are used to connect a disconnected OSPF area to the backbone area (Area 0). The exhibit shows all devices are within Area 0, making a virtual link unnecessary.

1. Fortinet FortiOS 7.6.0 Administration Guide

Networking > OSPF > OSPF network types

p. 1031: "Point-to-multipoint: This mode is a set of point-to-point links. There is no DR or BDR. This mode is useful for partial-mesh NBMA networks." This directly applies to the hub-and-spoke scenario.

2. Fortinet FortiOS 7.6.0 Administration Guide

Networking > OSPF > OSPF configuration examples > OSPF point-to-multipoint configuration example

p. 1040: This section provides a step-by-step configuration for a hub-and-spoke topology

explicitly demonstrating the use of set network-type point-to-multipoint on the hub's interface. The example topology is identical to the one shown in the question's exhibit.

The recommended best practice for standardizing FortiGate deployments with consistent configurations across multiple branches is to use provisioning templates combined with metadata variables. Metadata variables act as placeholders for device-specific values, such as IP addresses, hostnames, or VLAN IDs. An administrator creates a single, standardized provisioning template for interface configurations. During deployment to each branch FortiGate, FortiManager dynamically replaces the metadata variables in the template with the unique values assigned to that specific device. This approach allows for the use of a consistent configuration base while accommodating the necessary per-device variations, fulfilling the requirement for standardization.

B: The Install On feature is used to target which devices or groups receive a policy package; it does not configure the interfaces or assign their settings.

C: Using scripts is a viable but less efficient method. The recommended best practice involves using FortiManager's built-in template and metadata features for better scalability and management.

D: Normalized interfaces are essential for creating consistent interface roles (e.g., LAN, WAN) across different hardware models, enabling the use of a single policy package. However, metadata variables (A) perform the dynamic assignment of configuration settings (like IP addresses) to those interfaces, which is the core of standardizing the device-level configuration.

1. FortiManager Administration Guide 7.2

"Provisioning Templates" > "Using metadata in provisioning templates" section.

Quote: "Metadata allows you to define custom variables that you can use to dynamically configure managed devices. You can reference the metadata variables in provisioning templates... When the template is applied to a device

the metadata variables are replaced with the values defined for the device." This directly supports using metadata for dynamic configuration assignment.

2. FortiManager Administration Guide 7.2

"Best Practices" > "Device and policy management" section.

Quote: "Use provisioning templates with metadata to standardize device settings across multiple devices." This explicitly states that the combination of provisioning templates and metadata is the best practice for standardization.

3. Fortinet Certified Professional - Network Security Study Guide for FortiManager 7.2

Chapter "Provisioning"

Section "Using Metadata in Provisioning Templates".

This section provides examples of creating a provisioning template for a system interface and using a metadata variable

such as $(ipaddress)

to assign a unique IP address to each managed device. This illustrates the practical application of the concept in option A.

To prevent false positives, an administrator can use IPS filters (referred to as the profile extension in the question) to tailor the IPS profile to the specific network environment it protects. By specifying the target operating systems, protocols, and applications, the FortiGate only loads and applies the relevant IPS signatures. This significantly reduces the number of signatures evaluated against the traffic, which not only improves performance but also minimizes the risk of a signature incorrectly identifying legitimate traffic as malicious, thereby preventing false positives.

B: Enabling Scan Outgoing Connections is for detecting compromised hosts communicating outbound. It increases the scope of inspection and could potentially increase, not prevent, false positives if not tuned properly.

C: Using a monitor action does not prevent false positives; it only logs them without blocking traffic. This is a strategy to identify false positives without impacting users, but it allows potentially malicious traffic to pass, compromising network integrity.

D: SSL/TLS certificate issues on a client PC are related to SSL inspection and web access problems. They are not a direct cause of IPS false positive detections, which analyze traffic content for malicious patterns.

1. Fortinet Certified Solution Specialist - Enterprise Firewall 7.0 Advanced Study Guide

Chapter 3: Intrusion Prevention System (IPS)

Section: IPS Tuning

Page 10: "You can use IPS filters to narrow down the signatures that are included in an IPS profile. This is useful for improving performance and reducing the number of false positives. For example

if you know that you don't have any Linux servers on your network

you can create a filter to exclude all Linux signatures from the IPS profile." This directly supports using filters based on OS to prevent false positives.

2. FortiOS 7.4.0 Administration Guide

Section: Security Profiles > Intrusion Prevention > IPS Signatures

Sub-section: Filters: "You can use filters to narrow the list of IPS signatures that are displayed... You can also use filters to narrow the signatures that are included in an IPS sensor." This confirms the mechanism for narrowing down signatures.

3. FortiOS 7.4.0 Administration Guide

Section: Security Profiles > Intrusion Prevention > Best practices for IPS deployment: "Start by using an IPS sensor that monitors traffic and generates logs... After you have determined that the IPS sensor is not causing any problems

you can change the action to block." This describes the process related to option C

highlighting that monitoring is for identifying false positives

not preventing them

and carries the risk of not blocking real attacks.

To modify BGP attributes for routes being advertised to a neighbor, a route-map-out is the correct mechanism. A route map is a policy tool that allows an administrator to match specific routes and then apply actions, such as modifying attributes. In this case, a route map would be created to set the desired Multi-Exit Discriminator (MED) value using the set metric command. This route map is then applied to the BGP neighbor configuration in the outbound direction (route-map-out) to influence the routing decisions of the receiving autonomous system (AS 30).

B. network-import-check: This command only validates if a network configured for advertisement via the network command exists in the routing table; it does not modify BGP attributes.

C. prefix-list-out: A prefix list is used to filter routes based on network prefixes. While it can be used within a route map to match routes, it cannot modify attributes by itself.

D. distribute-list-out: A distribute list uses an access list to permit or deny routes being advertised. It is a filtering tool and lacks the capability to modify BGP attributes like MED.

1. FortiOS Administration Guide 7.4

BGP > Route maps: "Route maps are used to control and modify routing information that is exchanged between routing protocols... You can define which routes are controlled by matching on a given route and then modify information for that route by setting certain values." This section explicitly states that route maps are the tool for modifying attributes.

2. FortiOS CLI Reference 7.4

config router route-map: The command set metric is documented here with the description "Set MED." This confirms that the metric parameter within a route map directly corresponds to the BGP MED attribute.

3. FortiOS CLI Reference 7.4

config router bgp: Within the config neighbor context

the command set route-map-out is available. Its description is "Apply a route map to outbound routes." This shows how the created route map is applied to affect advertised routes.