NSE7 Enterprise Firewall
What is the route selection process of a FortiGate?
1. Most specific route. 2. Lowest distance. 3. Lowest metric (dynamic routes). 4. Lowest priority (static routes). 5. ECMP, supported for static, BGP, and OSPF routes.
What is the process kill number that correlates with Invalid memory reference?
11
What is the process kill number that correlates with Alarm clock?
14
What is the process kill number that correlates with Graceful kill?
15
What is the process kill number that correlates with Illegal instruction?
4
What is the process kill number that correlates with Abort command from FortiOS?
6
What is the process kill number that correlates with Bus error?
7
What is the process kill number that correlates with Unconditional kill?
9
What is an OSPF area border router?
A router with interfaces in multiple OSPF areas.
Which statement about administrative domains (ADOMs) on FortiManager is true?
ADOMs allow grouping of managed devices based on management criteria and administrative access.
Disables synchronization of other FortiGates.
Config sys csf, set configuration-sync local
Type 3 LSA Summary Link Advertisements
Contains summarized link state information, only advertised by ABRs.
Which two configuration changes can be applied to optimize the memory usage on FortiGate?
Decrease the session TTL. Reduce the FortiGuard cache TTL.
Type 1 LSA Router Link Advertisements
Describes the networks connected to a router. They are advertised by all the routers in an area, and do not get advertised outside of one area.
diagnose test application ipsmonitor 1
Displays the IPS engine information.
At what threshold does FortiGate begin to drop new sessions?
Extreme, the default is set to 95%.
Which two statements about the BGP peer are true?
# get router info bgp summary
BGP router identifier 0.0.0.117, local AS number 64117
BGP table version is 104
3 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.125.0.60 4 65060 1698 1756 103 0 0 03:02:49 1
10.127.0.75 4 65075 2206 2250 102 0 0 02:45:55 1
10.200.3.1 4 65501 101 115 0 0 0 never Active
Total number of neighbors 3
For the peer 10.125.0.60, the BGP state is Established. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.
Which three steps are executed to get antivirus and IPS updates using the pull method?
FortiGate contacts a DNS server to resolve the FortiGuard domain name. FortiGate gets a list of server IP addresses that can be contacted. FortiGate periodically queries for pending updates.
Slide 3 Given the output showing a real-time debug, which statement best describes why the update is failing?
FortiGate is unable to establish a TCP connection with FDS.
(FIB)
Forwarding Information Base
Requirements for forming an OSPF adjacency:
IP addresses in the same subnet. Hello and dead intervals match. Each peer has a unique router ID. OSPF MTUs must match. Interfaces are the same type and in the same OSPF area.
What ports does ESP traffic use?
IP protocol 50; when NAT is detected (NAT-T), it uses UDP 4500.
When using SSL certificate inspection, how does the FortiGate handle the initial unencrypted SSL handshake?
If the SNI field exists, it is used to obtain the FQDN and rate the site. If the SNI isn't present it retrieves the FQDN from the CN field of the server's certificate.
Which three tasks are part of the manual registration process for adding a FortiGate device to FortiManager for Central Management?
Import the policy package from the managed FortiGate device. Add the FortiManager IP address to the FortiGate central management configuration. In FortiManager, add the unregistered FortiGate device.
In the output from the diagnose debug rating command, what does the I flag indicate?
Indicates the server to which the last INIT request was sent.
In the command diagnose debug rating what does the D flag indicate?
Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling back to the other servers.
Examine these partial outputs from two routing debug commands:
# get router info routing-table database
s 0.0.0.0/0 [20/0] via 100.64.2.254, port2, [10/0]
s *> 0.0.0.0/0 [10/0] via 100.64.1.254, port1
# get router info routing-table all
s* 0.0.0.0/0 [10/0] via 100.64.1.254 port1
Why is the default route that uses port2 not in the output of the second command?
It has a higher distance than the default route using port1.
Slide 2 Which two statements about this session are correct?
It is a TCP session in SYN_SENT state. This session terminates or originates in the FortiGate device.
Slide 4 Which statement about this debug output is correct?
It shows a phase 2 negotiation.
View Slide 5 Which statement about this debug output is correct?
It shows a phase 2 negotiation.
Which two statements correctly describe the characteristics of the Fortinet Security Fabric?
It supports an open API, allowing third party product integration. It provides a single pane of glass for reporting for all devices in the Security Fabric.
Cache for ARP in the kernel.
Kernel object arp_cache
Refers to read/write data from disk or flash.
Kernel object buffer_head
Cache for file system directory entries.
Kernel object dentry_cache
Information about files and directories.
Kernel object inode_cache
Refers to non-TCP sessions in the kernel.
Kernel object name ip_session
Refers to TCP session objects in the kernel.
Kernel object name tcp_session
When does FortiGate look up routing for new sessions?
On the first packet from the originator and responder.
Type 2 LSA Network Link Advertisements
Only advertised by DRs, and contain information about the other routers connected to their multiaccess networks.
At what threshold does FortiGate enter conserve mode, and what is the default memory percentage?
Red and 88%
diagnose test application ipsmonitor 99
Restart all IPS engines and monitor.
Type 4 LSA AS External Link Advertisements
Sent by ABRs and not confined to one area; they contain link state information for routes redistributed into OSPF.
Type 4 LSA AS Summary Link Advertisements
Sent by ABRs to describe the networks connected to a router. Like type 1 but for ABRs.
If debug flow shows the error "reverse path check fail, drop", what does it indicate?
That the Reverse Path Forwarding (RPF) has a better route to the source IP from a different interface.
FortiGate adds a static route to the routing table only when what requirements are met?
The outgoing interface is up. There is no other route to the same destination with a shorter distance. The link health monitor (if configured) is up.
Which two events can trigger an HA failover?
The physical disconnection of a heartbeat interface. The failure of a solid-state drive.
In the output from the diagnose debug rating command, what does the F flag indicate?
The server has not responded to requests and is considered to have failed.
In the output from the diagnose debug rating command, what does the T flag indicate?
The server is currently being timed out.
diagnose test application ipsmonitor 2
Toggle IPS engine enable/disable status.
True or False. FortiManager can act as a private FortiGuard distribution server (FDS) for your managed devices to query instead of reaching out to public servers.
True
True or False. Application layer test commands don't display information in real time, but they do show statistics and configuration information about a feature or process.
True
True or False. FortiManager allows you to script and automate device provisioning, policy changes, and more with JSON APIs.
True
True or False. ICMP has no state and is always proto_state=00
True
True or False. With the application layer test commands you can restart a process or execute a change in its operation.
True
What ports does IKE traffic use?
UDP 500; if NAT is detected, it uses UDP 4500.
What layer of the FortiOS architecture does an application process or daemon run on?
User space.
Which troubleshooting step is applicable when investigating antivirus and IPS update issues on FortiGate?
Validate DNS resolution for update.fortiguard.net
When investigating FortiGuard connectivity issues, which action is a valid troubleshooting step?
Verify management VDOM internet access.
Session flag indicating it requires (or required) authentication.
auth
Process name for User authentication.
authd
Session flag indicating it was successfully authenticated.
authed
Which setting must be enabled in a spoke IPsec phase 1 configuration, to indicate that it wants to participate in ADVPN?
auto-discovery-sender
Session flag indicating it is being bridged (TP mode)
br
Process name for applying configuration changes.
cmdbsvr
Command set to adjust how firewall handles sessions after a policy change.
config sys settings, set firewall-session-dirty
Command set to enable or disable paging of outputs longer than the screen.
config system console, set output {standard | more} (more is the default), end
Command set to make adjustments to web filtering.
config system fortiguard
What is the command set to govern FortiGate behavior for proxy-based inspection while in conserve mode?
config system global, set av-failopen {off | one-shot | pass}, set av-failopen-session {enable | disable}, end
What is the command set to force the former primary HA device to shut down all its non-heartbeat interfaces for 1 second during a failover?
config system ha, set link-failed-signal enable, end
Command set to enter into the session-helper sub menu.
config system session-helper
Debug flow blocking message that would indicate the source IP has been quarantined by DLP.
denied by end point ip filter check
Debug flow blocking message that would indicate no policy or blocked by a certain policy.
denied by forward policy check
Command to test the automation stitch.
diagnose automation test <stitch_name>
Command that provides a summary of the FortiGuard configuration.
diagnose autoupdate status
Command to list all of the current versions of FortiGuard databases installed.
diagnose autoupdate versions
Command to debug common applications (daemons) in real time, sslvpn, ike, authd, and update, plus many more.
diagnose debug application <application> <debug_level>
Command set to enable real-time debug for IPsec.
diagnose debug application ike <bit-mask>, diagnose debug enable
Command to configure the device to store all console logs in the flash memory.
diagnose debug comlog <enable | disable>
Command to display the logs in the flash memory, only if comlog has been enabled.
diagnose debug comlog read
Command to enable timestamps on debug outputs.
diagnose debug console timestamp enable
Which command is used to enable timestamp in a real-time debug?
diagnose debug console timestamp enable
Command that displays the crash log for review.
diagnose debug crashlog read
Command to run debug flow in CLI, which displays how the FortiGate kernel handles the packets.
diagnose debug flow filter <filter> diagnose debug flow trace start <count> diagnose debug enable
Command to display function names when running the debug flow.
diagnose debug flow show function-name enable
Command to show the list of servers for web filtering and antispam.
diagnose debug rating
Command set to enable real-time debugging for web filtering.
diagnose debug urlfilter src-addr <source_IP>, diagnose debug application urlfilter -1, diagnose debug enable
Command to display the Policy route list.
diagnose firewall proute list
Command to display HA virtual MAC address.
diagnose hardware deviceinfo nic <port_name>
Command to display if memory conserve mode is enabled/disabled.
diagnose hardware sysinfo conserve
Displays the device's current memory usage and free space.
diagnose hardware sysinfo memory
Command that displays the amount of shared memory used by processes.
diagnose hardware sysinfo shm
Command to check amount of memory being allocated to kernel slabs.
diagnose hardware sysinfo slab
Command set to enable real-time debugging on BGP.
diagnose ip router bgp all enable, diagnose ip router bgp level info, diagnose debug enable
CLI command set to enable OSPF real-time debugging.
diagnose ip router ospf all enable, diagnose ip router ospf level info, diagnose debug enable
Command to display the route cache.
diagnose ip rtcache list
Command to run a packet capture in CLI.
diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>
Command to show if any other administrator is working on a workspace that is pending being committed.
diagnose sys config-transaction status
Command to determine if there are any FortiGates connected on the inside port.
diagnose sys csf downstream
Displays the MAC and IP of connected FortiGate devices.
diagnose sys csf neighbor list
Command to determine if the FortiGate is the root device.
diagnose sys csf upstream
Command to check the time difference in a HA pair.
diagnose sys ha dump-by vcluster
Command to display the current statistics on a HA pair.
diagnose sys ha status
Command to manually kill processes.
diagnose sys kill <termination signal> <processID>
Command that filters out session output based on policyID, src IP addr, src port, dest IP addr, and dest port.
diagnose sys session filter
Command to display expectations of session helper.
diagnose sys session list expectation
Command that shows the number of sessions deleted by the kernel due to not being able to allocate more memory.
diagnose sys session stat
Command that displays the amount of memory being used by each process.
diagnose sys top
Command that displays only the top-usage processes; the -h help flag displays the available options.
diagnose sys top-summary -h
Command to show the statistics and configuration information about certain features or processes.
diagnose test application ?
Command to display the FQDN and IP addresses of available FortiGuard antivirus and IPS update servers.
diagnose test application dnsproxy 7
Command to show the list of options for testing the IPS monitor.
diagnose test application ipsmonitor ?
Command to display all options available for the webfiltering test command.
diagnose test application urlfilter 1
Command that closes phase 1 of a tunnel.
diagnose vpn ike gateway clear
Command that provides details about a tunnel.
diagnose vpn ike gateway list name <tunnel_name>
Command set to filter the IPsec logs.
diagnose vpn ike log filter ?
Command that shows the list of remote IPs and the associated tunnel indexes.
diagnose vpn tunnel list
Command to display the current IPsec SA information for all active tunnels.
diagnose vpn tunnel list
Command that displays the current IPsec SA information for all active tunnels.
diagnose vpn tunnel list name <tunnel_name>
Command used to list the content of the FortiGuard web filtering cache.
diagnose webfilter fortiguard cache dump
Command to list error counters and other statistics related to web filtering.
diagnose webfilter fortiguard statistic list
Flag that is set on all sessions after a firewall policy configuration change to indicate they need to be reevaluated.
dirty
Debug flow blocking message that would indicate the packet was dropped due to a traffic shaping policy.
exceeded shaper limit, drop
Command to connect to the CLI of any of the devices in the HA pair.
execute ha manage <HA_unit_index> <Admin_Username>
Command used to restart a BGP session between two peers.
execute router clear bgp ?
Command to force an update on the FortiGuard services.
execute update-now
Formerly known as loose mode.
feasible path
Command used to get detailed information about each BGP neighbor.
get router info bgp neighbors
Command to show the details about the prefix the neighbor is advertising.
get router info bgp neighbors xx.xx.xx.xx advertise
Command to show the routes being advertised by a neighbor.
get router info bgp neighbors xx.xx.xx.xx route
Command to show an overview of BGP status.
get router info bgp summary
Command to display the FIB router information.
get router info kernel
Command that provides a summary of all the LSDB entries on FortiGate, ordered by LSA type.
get router info ospf database brief
Command that lists the details about type-1 LSAs.
get router info ospf database router lsa
Command that lists the LSAs originated on the local FortiGate.
get router info ospf database self-originate
Command to display information on each OSPF interface.
get router info ospf interface
Command that displays a summary of the statuses of all the OSPF neighbors.
get router info ospf neighbor
Command that provides detailed information about the OSPF process.
get router info ospf status
Command to display all active routes in the routing table.
get router info routing-table all
Command to display all active and inactive routes in the routing table.
get router info routing-table database
Command to display the current health and status of a HA pair.
get sys ha status
Command to verify web filtering is enabled.
get system fortiguard
Command to show the overall memory and CPU use, along with the session creation rate, number of viruses caught, and number of attacks blocked by the IPS. Gives a quick view of how much traffic is on the device.
get system performance status
Command that provides a brief summary of each session.
get system session list
Command to display the total number of sessions in the active VDOM.
get system session status
Command to show the output of firmware version, FortiGuard database version, license status, operation mode, number of VDOMs, and system time.
get system status
Command that provides some global overall counters related to all the VPNs currently active.
get vpn ipsec stats tunnel
Command that provides detailed information for the active IPsec tunnels.
get vpn ipsec tunnel details
Command to display the current categories configured on the device.
get webfilter categories
Process name for HA protocol and synchronization.
hatalk, hasync
Process name for GUI access.
httpsd
Process name for IPsec.
iked
Debug flow blocking message indicating the packet is possibly destined for a management IP where the service is not enabled, uses an incorrect service port, comes from a source IP that is not a trusted host, or matches a local-in policy.
iprope_in_check() check failed, drop
FortiGate will only put a static route in the routing table if which requirements are met?
The interface is up, there is no other matching route with a lower distance, and the link health monitor (if configured) is successful.
Session flag that would indicate it is to/from local stack.
local
Session flag that would indicate it is being logged.
log
After the traffic is evaluated against firewall policies if it is allowed it will be flagged with what?
may_dirty
Process name for Logs collection, and automation stitches.
miglogd
Session flag that would indicate it will be checked by IPS signature.
ndr
Session flag that would indicate it will be checked by IPS anomaly.
nds
Session flag indicating it cannot be offloaded to NPU.
npd
Session flag indicating it is being offloaded to NPU.
npu
TCP protocol state meaning: no TCP state.
proto_state=00
UDP protocol state meaning: UDP traffic one way only.
proto_state=00
TCP protocol state meaning: TCP established state.
proto_state=01
UDP protocol state meaning: UDP traffic both ways.
proto_state=01
TCP protocol state meaning: syn_sent state.
proto_state=02
TCP protocol state meaning: syn & syn/ack state.
proto_state=03
TCP protocol state meaning: fin_wait.
proto_state=04
TCP protocol state meaning: time_wait.
proto_state=05
TCP protocol state meaning: close.
proto_state=06
TCP protocol state meaning: close_wait.
proto_state=07
TCP protocol state meaning: last_ack.
proto_state=08
TCP protocol state meaning: listen.
proto_state=09
Session flag indicating it is being processed by an application layer proxy.
redir
Debug flow blocking message indicating packet dropped due to RPF check.
reverse path check fail, drop
An administrator is configuring ADVPN in a hub-and-spoke topology. The administrator will use IBGP to route traffic between the VPN sites. Which IBGP setting needs to be enabled on the hub for dynamic routing to work properly for on-demand tunnels?
route-reflector-client
Process name for File scanning.
scanunitd
See Slide 1. An administrator wants to configure ADVPN. Which ADVPN setting must be enabled in the tunnel between the Hub1 and Hub2 FortiGate devices?
set auto-discovery-forwarder enable
Command to control the adaptive scanning behavior of the IPS.
set intelligent-mode {enable | disable}
Process name for SSLVPN
sslvpnd
Process name for FortiGuard updates.
updated
Process name for FortiGuard web filtering.
urlfilter
Process name for WAN optimization, explicit proxy, proxy-based inspection for HTTP and HTTPS, and FTP.
wad
Session flag indicating web caching.
wccp