NSE 4 Security - Firewall Policies
Which security profiles are not visible by default on the GUI?
Video filter, VOIP, and Web App (must be enabled in feature visibility)
What is a caveat to configuring Zones?
You cannot reference an interface in a zone individually. If you need to add an interface to a zone you must remove all references to that interface first.
What does Unified Threat Management inspection include?
antivirus, application control, web filtering, etc.
CLI how to configure firewall policy? (notes page 14)
config firewall policy
    edit 1
        set name "training"
        set uuid <>
    next
end
CLI how to edit firewall policy?
config firewall policy
    edit <policy id>
        set name "Block_FTP"
        set srcaddr "all"
        set srcintf "lan1"
        set dstintf "wan1"
        set service "all"
    next
end
How to set ISDB updates via CLI? By default they are updated automatically.
config system fortiguard
    set update-ffdb [enable | disable]
end
What is Shared policy shaper?
A shared shaper applies bandwidth management across all traffic handled by the firewall (security) policies it is assigned to.
What must be selected in a SOURCE field of a firewall policy? A) at least one address object or ISDB B) at least one source user and one source address object
At least one address object or ISDB (user is not required in a firewall policy)
what are the 2 actions you can set for a firewall policy?
DENY or ACCEPT
What are the common policy types?
Firewall Policy, Firewall Virtual Wire Pair Policy, Multicast Policy, Local In Policy, DoS Policy
What is a per-IP shaper?
Guaranteed bandwidth to specific device IP
What is the relationship when selecting source objects in firewall policies if using ISDB and Source Objects?
If you use an ISDB object you cannot also use a source address object. You cannot use both at the same time.
What would cause the Policy List interface pair view to be grayed out?
If you use multiple source or destinations in a firewall policy.
What are the two views of the Policy List?
Interface Pair View (the default view) and By Sequence
What is the ISDB?
Internet Service Database. Example: Amazon-AWS. An ISDB entry is a single premade object containing all IPs related to that site/service.
User object possible sources for authentication?
Local firewall accounts, Active Directory, LDAP, RADIUS, FSSO, and personal certificate (PKI) users
In a firewall policy can you assign a user to the destination?
NO. A user is only matched at the ingress interface.
Can you configure Services with an ISDB object?
NO. ISDB objects also contain the services (Example: Facebook-Web)
Naming requirements for Policies?
Policies must have a unique name. Allowing unnamed policies can be toggled in the GUI; an unnamed policy can be configured in the CLI.
What feature can be used within the Firewall Policy window to view which policy permits specific traffic?
Policy Lookup search.
What are the two types of traffic shapers?
Shared and Per-IP
What criteria does FortiGate use to match a firewall policy? A) source and destination interfaces B) Security profiles
Source and destination interfaces (security profiles are used only after policy is accepted)
How are policy matches determined?
Top down. The policy is matched on: incoming/outgoing interface; source (IP address, user, or internet service); destination (IP address or internet service); service; schedule. ACTION = ACCEPT or DENY.
What is a UUID?
A universally unique identifier (UUID) is assigned to each policy and recorded in logs, so that a log entry can be tied back to the exact policy that matched it.
Definition of DoS Policy
A denial-of-service (DoS) policy checks for the anomalous patterns in the network traffic that arrives at a FortiGate interface.
Definition of Firewall Policy
A firewall policy consists of a set of rules that control traffic flow through the FortiGate.
Definition of Local-in-Policy
A local-in policy controls the traffic to a FortiGate interface and can be used to restrict administrative access.
Definition of Multicast policy
A multicast policy allows multicast packets to pass from one interface to another.
Definition of Firewall Virtual Wire Pair Policy
A virtual wire pair policy is used to control the traffic between the two interfaces in a virtual wire pair (transparent interfaces that behave as if the cables were connected directly).
What does UTM stand for?
Unified Threat Management