NSE7 Enterprise Firewall


What is the route selection process of a FortiGate?

1. Most specific route
2. Lowest distance
3. Lowest metric (dynamic routes)
4. Lowest priority (static routes)
5. ECMP, supported for static, BGP, and OSPF routes

What is the process kill number that correlates with Invalid memory reference?

11

What is the process kill number that correlates with Alarm clock?

14

What is the process kill number that correlates with Graceful kill?

15

What is the process kill number that correlates with Illegal instruction?

4

What is the process kill number that correlates with Abort command from FortiOS?

6

What is the process kill number that correlates with Bus error?

7

What is the process kill number that correlates with Unconditional kill?

9

What is an OSPF area border router?

A router with interfaces in multiple OSPF areas.

Which statement about administrative domains (ADOMs) on FortiManager is true?

ADOMs allow grouping of managed devices based on management criteria and administrative access.

Disables configuration synchronization with other FortiGates.

config sys csf, set configuration-sync local

Type 3 LSA Summary Link Advertisements

Contains summarized link state information, only advertised by ABRs.

Which two configuration changes can be applied to optimize the memory usage on FortiGate?

Decrease the session TTL. Reduce the FortiGuard cache TTL.

Type 1 LSA Router Link Advertisements

Describes the networks connected to a router. They are advertised by all the routers in an area and are not advertised outside that area.

diagnose test application ipsmonitor 1

Displays the IPS engine information.

At what threshold does FortiGate begin to drop new sessions?

Extreme; the default is 95%.

Which two statements about the BGP peer are true?

# get router info bgp summary
BGP router identifier 0.0.0.117, local AS number 64117
BGP table version is 104
3 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.125.0.60 4 65060 1698 1756 103 0 0 03:02:49 1
10.127.0.75 4 65075 2206 2250 102 0 0 02:45:55 1
10.200.3.1 4 65501 101 115 0 0 0 never Active
Total number of neighbors 3

For the peer 10.125.0.60, the BGP state is Established. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.

Which three steps are executed to get antivirus and IPS updates using the pull method?

FortiGate contacts a DNS server to resolve the FortiGuard domain name. FortiGate gets a list of server IP addresses that can be contacted. FortiGate periodically queries for pending updates.

Slide 3 Given the output showing a real-time debug, which statement best describes why the update is failing?

FortiGate is unable to establish a TCP connection with FDS.

(FIB)

Forwarding Information Base

Requirements for forming an OSPF adjacency:

IP addresses in the same subnet. Hello and dead intervals match. Each peer has a unique router ID. OSPF MTUs must match. Interfaces are the same type and in the same OSPF area.

What ports does ESP traffic use?

IP protocol 50; when NAT is detected (NAT-T), it uses UDP 4500.

When using SSL certificate inspection, how does the FortiGate handle the initial unencrypted SSL handshake?

If the SNI field exists, it is used to obtain the FQDN and rate the site. If the SNI isn't present, it retrieves the FQDN from the CN field of the server's certificate.

Which three tasks are part of the manual registration process for adding a FortiGate device to FortiManager for Central Management?

Import the policy package from the managed FortiGate device. Add the FortiManager IP address to the FortiGate central management configuration. In FortiManager, add the unregistered FortiGate device.

In the output of the diagnose debug rating command, what does the I flag indicate?

Indicates the server to which the last INIT request was sent.

In the command diagnose debug rating what does the D flag indicate?

Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling back to the other servers.

Examine these partial outputs from two routing debug commands:

# get router info routing-table database
s 0.0.0.0/0 [20/0] via 100.64.2.254, port2, [10/0]
s *> 0.0.0.0/0 [10/0] via 100.64.1.254, port1

# get router info routing-table all
s* 0.0.0.0/0 [10/0] via 100.64.1.254 port1

Why is the default route that uses port2 not in the output of the second command?

It has a higher distance than the default route using port1.

Slide 2 Which two statements about this session are correct?

It is a TCP session in SYN_SENT state. This session terminates or originates in the FortiGate device.

Slide 4 Which statement about this debug output is correct?

It shows a phase 2 negotiation.

View Slide 5 Which statement about this debug output is correct?

It shows a phase 2 negotiation.

Which two statements correctly describe the characteristics of the Fortinet Security Fabric?

It supports an open API, allowing third party product integration. It provides a single pane of glass for reporting for all devices in the Security Fabric.

Cache for ARP in the kernel.

Kernel object arp_cache

Refers to data read from or written to disk or flash.

Kernel object buffer_head

Cache for file system directory entries.

Kernel object dentry_cache

Information about files and directories.

Kernel object inode_cache

Refers to non-TCP sessions in the kernel.

Kernel object name ip_session

Refers to TCP session objects in the kernel.

Kernel object name tcp_session

FortiGate looks up routing for new sessions when?

On the first packet from the originator and responder.

Type 2 LSA Network Link Advertisements

Only advertised by DRs, and contain information about the other routers connected to their multiaccess networks.

At what threshold does FortiGate enter into conserve mode, what is the default memory percentage?

Red and 88%

diagnose test application ipsmonitor 99

Restart all IPS engines and monitor.

Type 4 LSA AS External Link Advertisements

Sent by ABRs and not confined to one area; they contain link state information for routes redistributed into OSPF.

Type 4 LSA AS Summary Link Advertisements

Sent by ABRs to describe the networks connected to a router. Like type 1 but for ABRs.

If debug flow shows the error "reverse path check fail, drop", what does it indicate?

That the Reverse Path Forwarding (RPF) check found a better route to the source IP through a different interface.

FortiGate adds a static route to the routing table only when what requirements are met?

The outgoing interface is up. There is no other route to the same destination with a shorter distance. The link health monitor (if configured) is up.

Which two events can trigger an HA failover?

The physical disconnection of a heartbeat interface. The failure of a solid-state drive.

In the output from the diagnose debug rating command, what does the F flag indicate?

The server has not responded to requests and is considered to have failed.

In the output from the diagnose debug rating command, what does the T flag indicate?

The server is currently being timed out.

diagnose test application ipsmonitor 2

Toggle IPS engine enable/disable status.

True or False. FortiManager can act as a private FortiGuard distribution server (FDS) for your managed devices to query instead of reaching out to public servers.

True

True or False. Application layer test commands don't display information in real time, but they do show statistics and configuration information about a feature or process.

True

True or False. FortiManager allows you to script and automate device provisioning, policy changes, and more with JSON APIs.

True

True or False. ICMP has no state and is always proto_state=00

True

True or False. With the application layer test commands you can restart a process or execute a change in its operation.

True

What ports does IKE traffic use?

UDP 500; if NAT is detected, it will use UDP 4500.

What layer of the FortiOS architecture does an application process or daemon run on?

User space.

Which troubleshooting step is applicable when investigating antivirus and IPS update issues on FortiGate?

Validate DNS resolution for update.fortiguard.net

When investigating FortiGuard connectivity issues, which action is a valid troubleshooting step?

Verify management VDOM internet access.

Session flag indicating it requires (or required) authentication

auth

Process name for User authentication.

authd

Session flag indicating it was successfully authenticated.

authed

Which setting must be enabled in a spoke IPsec phase 1 configuration, to indicate that it wants to participate in ADVPN?

auto-discovery-sender

Session flag indicating it is being bridged (TP mode)

br

Process name for applying configuration changes.

cmdbsvr

Command set to adjust how the firewall handles sessions after a policy change.

config sys settings, set firewall-session-dirty

Command set to enable/disable longer than screen outputs.

config system console
set output {standard | more}
end
(more is the default)

Command set to make adjustments to web filtering.

config system fortiguard

What is the command set to govern FortiGate behavior for proxy-based inspection while in conserve mode?

config system global
set av-failopen {off | one-shot | pass}
set av-failopen-session {enable | disable}
end

What is the command set to force former primary HA device to shut down all its non-heartbeat interfaces for 1 second during a failover?

config system ha
set link-failed-signal enable
end

Command set to enter into the session-helper sub menu.

config system session-helper

Debug flow blocking message that would indicate the source IP has been quarantined by DLP.

denied by end point ip filter check

Debug flow blocking message that would indicate no policy or blocked by a certain policy.

denied by forward policy check

Command to test the automation stitch.

diagnose automation test <stitch_name>

Command that provides a summary of the FortiGuard configuration.

diagnose autoupdate status

Command to list all of the current versions of FortiGuard databases installed.

diagnose autoupdate versions

Command to debug common applications (daemons) in real time: sslvpn, ike, authd, update, and many more.

diagnose debug application <application> <debug_level>

Command set to enable real-time debug for IPsec.

diagnose debug application ike <bit-mask>, diagnose debug enable

Command to configure the device to store all console logs in the flash memory.

diagnose debug comlog <enable | disable>

Command to display the logs in the flash memory, only if comlog has been enabled.

diagnose debug comlog read

Command to enable timestamps on debug outputs.

diagnose debug console timestamp enable

Which command is used to enable timestamp in a real-time debug?

diagnose debug console timestamp enable

Command that displays the crash log for review.

diagnose debug crashlog read

Command to run debug flow in CLI, which displays how the FortiGate kernel handles the packets.

diagnose debug flow filter <filter>
diagnose debug flow trace start <count>
diagnose debug enable

Command to display function names when running the debug flow.

diagnose debug flow show function-name enable

Command to show the list of servers for web filtering and antispam.

diagnose debug rating

Command set to enable real-time debugging for web filtering.

diagnose debug urlfilter src-addr <source_IP>, diagnose debug application urlfilter -1, diagnose debug enable

Command to display the Policy route list.

diagnose firewall proute list

Command to display the HA virtual MAC address.

diagnose hardware deviceinfo nic <port_name>

Command to display if memory conserve mode is enabled/disabled.

diagnose hardware sysinfo conserve

Displays the device's current memory usage and free space.

diagnose hardware sysinfo memory

Command that displays the amount of shared memory used by processes.

diagnose hardware sysinfo shm

Command to check the amount of memory being allocated to kernel slabs.

diagnose hardware sysinfo slab

Command set to enable real-time debugging on BGP.

diagnose ip router bgp all enable, diagnose ip router bgp level info, diagnose debug enable

CLI command set to enable OSPF real-time debugging.

diagnose ip router ospf all enable, diagnose ip router ospf level info, diagnose debug enable

Command to display the route cache.

diagnose ip rtcache list

Command to run a packet capture in CLI.

diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>

Command to show if any other administrator is working in a workspace with changes pending commit.

diagnose sys config-transaction status

Command to determine if there are any FortiGates connected on the inside port.

diagnose sys csf downstream

Displays the MAC and IP of connected FortiGate devices.

diagnose sys csf neighbor list

Command to determine if the FortiGate is the root device.

diagnose sys csf upstream

Command to check the time difference in an HA pair.

diagnose sys ha dump-by vcluster

Command to display the current statistics on an HA pair.

diagnose sys ha status

Command to manually kill processes.

diagnose sys kill <termination signal> <processID>

Command that filters session output by policy ID, source IP address, source port, destination IP address, and destination port.

diagnose sys session filter

Command to display expectations of session helper.

diagnose sys session list expectation

Command that shows the number of sessions deleted by the kernel due to not being able to allocate more memory.

diagnose sys session stat

Command that displays the amount of memory being used by each process.

diagnose sys top

Command that displays only the top-usage processes; the -h flag displays the available options.

diagnose sys top-summary -h

Command to show the statistics and configuration information about certain features or processes.

diagnose test application ?

Command to display the FQDN and IP addresses of available FortiGuard antivirus and IPS update servers.

diagnose test application dnsproxy 7

Command to show the list of options for testing the IPS monitor.

diagnose test application ipsmonitor ?

Command to display all options available for the webfiltering test command.

diagnose test application urlfilter 1

Command that closes phase 1 of a tunnel.

diagnose vpn ike gateway clear

Command that provides details about a tunnel.

diagnose vpn ike gateway list name <tunnel_name>

Command set to filter the IPsec logs.

diagnose vpn ike log filter ?

Command that shows the list of remote IPs and the associated tunnel indexes.

diagnose vpn tunnel list

Command to display the current IPsec SA information for all active tunnels.

diagnose vpn tunnel list

Command that displays the current IPsec SA information for all active tunnels.

diagnose vpn tunnel list name <tunnel_name>

Command used to list the content of the FortiGuard web filtering cache.

diagnose webfilter fortiguard cache dump

Command to list error counters and other statistics related to web filtering.

diagnose webfilter fortiguard statistic list

Flag set on all sessions after a firewall policy configuration change to indicate they need to be reevaluated.

dirty

Debug flow blocking message that would indicate the packet was dropped due to a traffic shaping policy.

exceeded shaper limit, drop

Command to connect to the CLI of any of the devices in the HA pair.

execute ha manage <HA_unit_index> <Admin_Username>

Command used to restart a BGP session between two peers.

execute router clear bgp ?

Command to force an update on the FortiGuard services.

execute update-now

Formerly known as loose mode.

feasible path

Command used to get detailed information about each BGP neighbor.

get router info bgp neighbors

Command to show the details about the prefix the neighbor is advertising.

get router info bgp neighbors xx.xx.xx.xx advertise

Command to show the routes being advertised by a neighbor.

get router info bgp neighbors xx.xx.xx.xx route

Command to show an overview of BGP's status.

get router info bgp summary

Command to display the FIB routing information.

get router info kernel

Command that provides a summary of all the LSDB entries on FortiGate, ordered by LSA type.

get router info ospf database brief

Command that lists the details about type-1 LSAs.

get router info ospf database router lsa

Command that lists the LSAs originated on the local FortiGate.

get router info ospf database self-originate

Command to display information on each OSPF interface.

get router info ospf interface

Command that displays a summary of the statuses of all the OSPF neighbors.

get router info ospf neighbor

Command that provides detailed information about the OSPF process.

get router info ospf status

Command to display all active routes in the routing table.

get router info routing-table all

Command to display all active and inactive routes in the routing table.

get router info routing-table database

Command to display the current health and status of an HA pair.

get sys ha status

Command to verify web filtering is enabled.

get system fortiguard

Command to show the overall memory and CPU use, along with the session creation rate, number of viruses caught, and number of attacks blocked by the IPS. Gives a quick view of how much traffic is on the device.

get system performance status

Command that provides a brief summary of each session.

get system session list

Command to display the total number of sessions in the active VDOM.

get system session status

Command to show the output of firmware version, FortiGuard database version, license status, operation mode, number of VDOMs, and system time.

get system status

Command that provides global counters for all currently active VPNs.

get vpn ipsec stats tunnel

Command that provides detailed information for the active IPsec tunnels.

get vpn ipsec tunnel details

Command to display the current categories configured on the device.

get webfilter categories

Process name for HA protocol and synchronization.

hatalk, hasync

Process name for GUI access.

httpsd

Process name for IPsec.

iked

Debug flow blocking message indicating the packet is possibly destined for a management IP where the service is not enabled, uses an incorrect service port, comes from a source IP that is not a trusted host, or matches a local-in policy.

iprope_in_check() check failed, drop

FortiGate will only put a static route in the routing table if the following requirements are met.

The interface is up, there is no other matching route with a lower distance, and the link health monitor (if configured) is successful.

Session flag that would indicate it is to/from local stack.

local

Session flag that would indicate it is being logged.

log

After traffic is evaluated against firewall policies and allowed, which flag is set on the session?

may_dirty

Process name for log collection and automation stitches.

miglogd

Session flag that would indicate it will be checked by IPS signature.

ndr

Session flag that would indicate it will be checked by IPS anomaly.

nds

Session flag indicating it cannot be offloaded to NPU.

npd

Session flag indicating it is being offloaded to NPU.

npu

TCP protocol state value that means: no TCP state.

proto_state=00

UDP protocol state value that means: UDP traffic one way only.

proto_state=00

TCP protocol state value that means: TCP established state.

proto_state=01

UDP protocol state value that means: UDP traffic both ways.

proto_state=01

TCP protocol state value that means: syn_sent state.

proto_state=02

TCP protocol state value that means: syn & syn/ack state.

proto_state=03

TCP protocol state value that means: fin_wait.

proto_state=04

TCP protocol state value that means: time_wait.

proto_state=05

TCP protocol state value that means: close.

proto_state=06

TCP protocol state value that means: close_wait.

proto_state=07

TCP protocol state value that means: last_ack.

proto_state=08

TCP protocol state value that means: listen.

proto_state=09

Session flag indicating it is being processed by an application layer proxy.

redir

Debug flow blocking message indicating packet dropped due to RPF check.

reverse path check fail, drop

An administrator is configuring ADVPN in a hub-and-spoke topology. The administrator will use IBGP to route traffic between the VPN sites. Which IBGP setting needs to be enabled on the hub for dynamic routing to work properly for on-demand tunnels?

route-reflector-client

Process name for File scanning.

scanunitd

See Slide 1. An administrator wants to configure ADVPN. Which ADVPN setting must be enabled in the tunnel between the Hub1 and Hub2 FortiGate devices?

set auto-discovery-forwarder enable

Command to control the adaptive scanning behavior of the IPS.

set intelligent-mode {enable | disable}

Process name for SSLVPN

sslvpnd

Process name for FortiGuard updates.

updated

Process name for FortiGuard web filtering.

urlfilter

Process name for WAN optimization, explicit proxy, proxy-based inspection for HTTP and HTTPS, and FTP.

wad

Session flag indicating web caching.

wccp
