Fortinet NSE 4 6.2 infrastructure
What is the default priority for static routes
0
Distance values: 0 5 10 20 200 110 120
0 - directly connected; 5 - DHCP gateway; 10 - static; 20 - external BGP (EBGP); 200 - internal BGP (IBGP); 110 - OSPF routes; 120 - RIP
Phase 1 ISAKMP TUNNEL
1. Authenticate peers: pre-shared key, digital signature, or XAUTH. 2. Negotiate the SA in main or aggressive mode: hashing, authentication, DH group, lifetime, encryption. 3. DH key exchange: the negotiated SA chooses the group, and afterwards both peers have a shared key.
Explain the steps in active active HA proxy based inspection TCP handshake
1. Client sends SYN to the primary fortigate's virtual MAC. 2. Primary's physical MAC forwards the SYN to the secondary's physical MAC. 3. Secondary sends a SYN/ACK to the client from its physical MAC port and sends a SYN to the server from its physical MAC port. 4. Client sends ACK to the primary fortigate's virtual MAC. 5. Primary forwards the ACK from its physical MAC port to the secondary's physical MAC. 6. Server sends a SYN/ACK to the primary's virtual MAC. 7. Primary forwards the SYN/ACK to the secondary using both of their physical MAC ports. 8. Secondary sends the server an ACK from its physical MAC port.
How to configure a transparent web proxy
1. Create regular firewall policies to match the traffic. 2. Enable http-policy-redirect on the matching firewall policy: config firewall policy / edit <firewall policy number> / set inspection-mode proxy / set http-policy-redirect enable / next / end. 3. Create proxy policies to allow, deny, or inspect traffic.
How to configure explicit web proxy
1. Enable the explicit web proxy and indicate which interfaces the proxy will listen on. 2. Create proxy policies to allow, deny, or inspect traffic. 3. Configure each client's browser to connect through the proxy.
NTLM authentication process
1. User attempts to browse the internet. 2. Fortigate requests credentials (user/pass). 3. User's browser sends the credentials to fortigate. 4. Fortigate verifies group membership with the collector agent. 5. Access is granted.
Multiple domain NTLM authentication process for domains not in a forest
1. User logs on to the DC. 2. DC sends the logon to the collector agent. 3. User accesses the internet. 4. Fortigate contacts the collector for the login. 5. Access granted.
Process of session based authentication with a web proxy
1. User starts a session with the web browser. 2. Web browser starts a session with the web proxy. 3. Web proxy requests authentication from the browser. 4. Web browser prompts the user for authentication. 5. User enters credentials. 6. Web browser stores the authentication and sends it to the web proxy. The next time the user starts a session, the web browser automatically sends the credentials to the proxy.
What is the distance value for the route: 10.200.2.0/24 [110/2] via 10.200.2.254 [25,0]
110
If there are FSSO issues what ports should you check are open
139, 445, 8000, 389, 636
How many member interfaces need to be added in SD-wan configuration
2
How many firewall policies and static routes are usually needed per VPN tunnel
2 policies and 2 static routes
How many VPN tunnels would you need to configure for a company with 5 fortigates in a full mesh
20 total, 4 per fortigate
When verifying SDWAN traffic routing with the CLI packet capture tool which verbosity level should you use
4 (shows interface name and ip headers)
Which CLI packet capture verbosity level prints interface names
4, 5, 6
What type of ports cannot be used as the heartbeat interface
802.3 aggregate, switch port, VPN interfaces, VLAN subinterfaces
What is collector agent based polling mode in FSSO
A collector agent must be installed on a windows server; no FSSO DC agent is required; every few seconds the collector agent polls each DC for user login events; less complex
Static Route
A manually-configured routing entry that tells the router "when you see a packet whose destination is within a specific range, send it through a specific interface"
What is SSO/FSSO
A process that allows identified users to access multiple applications without having to re-authenticate. It is used with directory services like WINDOWS AD or Novell
Define web proxy authentication scheme
A scheme defines which authentication method and user database to use in an authentication rule
What is ipsec
A set of protocols used to join two LANs over a virtual private network and encrypt the traffic. It provides authentication, data integrity, and data confidentiality. It is composed of IKE and ESP or AH.
What are the two HA modes
Active-passive, active-active
Why does the collector need to query the DNS server for Microsoft AD
AD uses workstation names, so the collector queries the DNS server to resolve an IP
What is the distance routing attribute
Administrative distance ranks routes from most preferred (low value) to least preferred (high value). If multiple routes for the same destination exist, the one with the lowest distance is installed in the routing table.
Incremental synchronization
After the HA negotiation is set up, if an admin makes a small change on the primary, such as a policy addition, only the policy change is sent to the secondary fortigate, not the whole configuration.
Which FSSO mode requires more fortigate system resources
Agentless
The command diagnose debug fsso-polling detail displays information for which mode of FSSO
Agentless polling
What kind of interfaces does SD wan support in configuring
Aggregate, vlan, and ipsec
Which IKEV1 mode is faster
Aggressive
Which IPSEC protocol is not supported by fortigate: AH IPSECV2
Ah
What is the default STP mode for fortigate
All functions disabled
What interfaces are assigned virtual Mac addresses on the HA primary fortigate
All interfaces besides the heartbeat and the management interface
What is internet service routing
An Internet service database (ISDB) entry that is applied as a static route so you could route all Netflix traffic through wan1 and all Dropbox traffic through wan2
Which type of administrator can make changes to all vdoms
An admin with super_admin profile
What is a virtual cluster and how many fortigates can be used
An extension of FGCP for fortigates with multiple VDOMs. Only 2 fortigates can be in the cluster. Each fortigate can act as the primary for one VDOM and secondary for other VDOMs. Each VDOM still gets a primary and a secondary.
What interfaces can be used for the heartbeat
Any besides switch port
What does the VDOM confirmation prompt do and how to enable it in CLI
Asks the user to confirm which VDOM they want to edit. Enable in the CLI: config system global / set edit-vdom-prompt enable / end
How many heart beat interfaces are recommended
At least one, but two per fortigate are recommended (3 fortigates would need 6)
How many firewall tunnels are required for IPSEC VPN
At least one for the tunnel to come up
What is a requirement for creating an inter Vdom link between two VDOMS. (Has to do with operating mode)
At least one vdom must be in NAT mode
What is included in the configuration of an authentication scheme: authentication method or source IP
Authentication method
What is an authentication rule
Authentication rules define which scheme to use for active and passive SSO depending on the user IP address and protocol
ADVPN
Auto-discovery VPN. Dynamically negotiates VPN tunnels between spokes. Requires a dynamic routing protocol running over the tunnel so fortigates can learn about paths through the other spokes. Provides the benefit of a full mesh topology over a hub-and-spoke or partial mesh topology.
What command will be enabled on the hubs phase 1 vpn connected to another hub for ADVPN
set auto-discovery-forwarder enable
What command will be enabled on the spokes phase 1 vpn connected to the hub for ADVPN
set auto-discovery-receiver enable
What command will be enabled on the hub or hubs phase 1 vpn connected to the spoke or spoke for ADVPN
set auto-discovery-sender enable
Authentication scheme methods
Basic, Digest, NTLM, Form, Negotiate, FSSO, RSSO, SSH public key, 2FA
Phase 2 IPSEC TUNNEL
Builds the user data tunnel inside the ISAKMP tunnel. One mode: quick mode. Negotiation of two SAs for ESP: encapsulation mode (transport or tunnel), authentication, lifetime, DH for a second key exchange (optional).
What is a proxy with a web cache
Caches the requested website once the server sends the web response back to the proxy, so subsequent requests for the website can be served directly to the client. Saves bandwidth, reduces server load, and gives a faster response to the client.
What is multi vdom
Can create multiple VDOMS that act as independent units
Software switch
Can group multiple interfaces (physical and wireless) into a single virtual switch acting like a traditional layer 2 switch; all the interfaces are part of the same broadcast domain and share the same IP
diagnose debug authd fsso server-status
Check connectivity between collector agent and fortigate
How can you verify the FWs in a cluster have synchronized
Check the checksum in GUI or CLI
diagnose sys ha checksum cluster
Checks the checksum for each member; each checksum must match exactly
How does a fortigate in an HA cluster know if the configuration of the secondary matches its own
Checks the configuration checksum
What is an explicit proxy
The client must be configured to use the explicit proxy. The client sends the request to the proxy IP and port, and the proxy listens for packets sent to it
CLI command to enable web cache
config firewall proxy-policy / edit <proxy_policy_number> / set webcache enable / next / end
How to access global and per Vdom setting in CLI
config global; config vdom / edit <vdom name>
CLI command to enable VDOM
config system global / set vdom-mode [no-vdom | split-vdom | multi-vdom] / end
Commands to configure ECMP
config system settings / set v4-ecmp-mode [source-ip-based | weight-based | usage-based | source-dest-ip-based] / end. If weight-based: config system interface / edit <interface name> / set weight <0 to 255> / end, OR config router static / edit <id> / set weight <0 to 255> / end. If spillover (usage-based): config system interface / edit <interface name> / set spillover-threshold <0 to 16776000> / end
How can an admin configure fortigate to have four interfaces in the same broadcast domain
Configure the operation mode as transparent and use the same domain ID
What is the default criteria (override disabled) for selecting HA primary device in an HA cluster
Connected monitored ports, HA uptime, priority, serial number
What is the OSPF metric
Cost (cumulative bandwidth)
What is the recommended mode for FSSO
DC AGENT MODE
Which FSSO mode is more complex
DC agent mode
Which is a WPAD method: LDAP query or DHCP query
DHCP
What is WPAD two discovery modes
DHCP query: the browser sends a DHCPINFORM query to the DHCP server to get the URL. DNS query: the browser resolves the name wpad.<local-domain> to get the IP address of the server hosting the PAC file.
FSSO requires you have your own _____server
DNS
When a collector agent receives a logon event, it will query a _____ to resolve the IP address of the workstation
DNS server
Which feature should be enabled in a redundant IPSEC VPN deployment
DPD
What is the recommended mode for FSSO deployments
Dc agent mode (dcagent.dll)
What is the most common static route on all routers to forward internet traffic
Default route to 0.0.0.0/0
Multi step command to enable debug flow
Define a filter: diagnose debug flow filter <filter>; enable debug output: diagnose debug enable; start the trace: diagnose debug flow trace start <number of packets>; stop the trace: diagnose debug flow trace stop
What are the two groups of proxy address types
Destination address, source address
What attributes must routes share to be considered for ECMP
Destination subnet, distance, metric, priority
Types of HA protection failovers
Device, link, and session
CLI command to debug FSSO list
diagnose debug authd fsso list
CLI command to check connectivity between collector agent and fortigate
diagnose debug enable; diagnose debug authd fsso server-status
CLI command to display policy routes
diagnose firewall proute list
CLI command to list MAC address table in a VDOM operating in transparent mode
diagnose netlink brctl name host <vdom name>
CLI command to check HA cluster configuration synchronization
diagnose sys ha checksum
CLI command to check status of HA
diagnose sys ha status
List processes that use the most CPU or memory CLI commands
diagnose sys top
Which type of VPN peer can't initiate a VPN tunnel
Dial-up server
diagnose sys ha status
Displays heartbeat traffic stats, serial number, and HA priority of each member
diagnose debug fsso-polling detail
Displays status info related to the polls done by fortigate to each DC in agentless polling
When using link health monitoring which route attribute must also be configured to achieve route failover protection
Distance
What does the primary fortigate do in active-active HA
Distributes specific traffic among the other cluster members
What does windows AD use to enable FSSO
Domain controller agent mode, polling mode (collector agent based)
What is link quality management for sd wan
Dynamic link selection based on the quality of a link
How do switches know which frame belongs to which vlan
Each frame has a VLAN tag, a 4-byte extension (tag control info)
CLI command to split vdom into separate broadcast domains
config system interface / edit <interface name> / set forward-domain <domain id> / end
What is the first thing you need to do before configuring IPV6 policies
Enable it under System > Feature Visibility
How do you get ESP to work with NAT
Enable NAT traversal; ESP and IKE will then use UDP port 4500
Esp
Encapsulating Security Payload is used for encryption and authentication in the phase 2 IPsec tunnel
Tips for troubleshoot FSSO
Ensure the correct firewall ports are open; guarantee at least 64 kbps between fortigate and the DC; flush inactive sessions; ensure DNS is configured and updating IP addresses; never set the workstation verify timer to 0; include all FSSO groups in the firewall policies
ECMP
Equal cost multi path allows multiple routes of the same type (static, OSPF, BGP) that have the same attributes to all be installed in the routing table so fortigate can distribute traffic across all of them simultaneously
What can fortigate use to record HA failover events
Event logs, SNMP traps, email alerts
What are the tasks of the primary fortigate in active-passive
Exchanges hello packets with the secondary; synchronizes its routing table, DHCP info, and configuration to the secondary; synchs some traffic sessions to the secondary
Using the primary HA FW CLI, what command lets you switch to the secondary's CLI
execute ha manage <ha device index> <admin username>
CLI command to list index numbers for each fortigate
execute ha manage ?
Advantages of a web proxy
Extra layer of security; can filter out traffic on 80 and 443 that is not HTTP/HTTPS; for an explicit web proxy, only the web proxy address needs to be allowed to browse the internet
What protocol is used in HA
FGCP (FortiGate Clustering Protocol)
What connector is used for agent based polling or dc agent mode
FSSO agent on windows AD
True or false: a static route is needed for a directly connected network
False
True or false: a Vdom can only have one admin
False
True or false: static routes are needed for directly connected networks
False
True or false: you can create more VDOMS in split Vdom
False
True or false: ESP can support NAT
False, ESP does not have port numbers
What is a configuration requirement for an IPsec tunnel to come up: a firewall policy accepting traffic on the IPsec tunnel, or a route for IPsec traffic
Firewall policy accepting traffic on the ipsec tunnel
diagnose debug fsso-polling refresh-user
Flushes the info about all active FSSO users. They need to log in again to become available
What is ipsec hardware offloading
For some fortigate devices, with special encryption processors, you can offload the encryption part of ipsec to the special processor
What is a remote access VPN
Fortigate is configured as a dial up server and people using forticlient initiate the vpn tunnel
What are phase 2 selectors and do you have to use them
Fortigate lets you pick an IPv4 address object, protocol, or port that decides which traffic needs to be protected in the tunnel. All other traffic that doesn't match the selectors is dropped. No, you don't have to use them: set the local and remote address to 0.0.0.0/0 and then use firewall policies for more granular control
What happens for policy routes set to the action "stop policy routing"
Fortigate will bypass policy routing and use regular routing table
What happens for policy routes set to the action forward traffic
Fortigate will bypass the routing table and go based off the policy route
What is the expected behavior when the stop policy routing action is used in a policy route
Fortigate will route the traffic based on the regular routing table
The heartbeat interface IP address 169.254.0.1 is assigned to which fortigate in an HA cluster
Fortigate with highest serial number
What traffic is always generated from the management VDOM: link health monitor or Fortiguard
Fortiguard
What fabric connector do you pick for DC agent mode and collector agent based polling
Fortinet SSO agent
If you have collector agents using either the DC agent or the collector agent based polling mode which fabric connector should you select on fortigate
Fortinet single sign on agent
When are FSSO logs generated
From user logon/log off events
Which VPN topology is the most fault tolerant
Full mesh
Which CLI command can be used to diagnose a physical layer problem
Get hardware nic
CLI command to get interface information
Get hardware nic <interface_name>
CLI command to display active routes
Get router info routing-table all
CLI command to displays all active standby and inactive routes
Get router info routing-table database
Which CLI command can you use to view standby and inactive routes
Get router info routing-table database
Which CLI command can be used to determine the MAC address of a fortigate default gateway
Get system arp
CLI command to see ARP table
get system arp; lists the address and MAC of external devices connected to the same LAN segments that fortigate is connected to
Command to check IPSEC vpn tunnel phase 1 status
get vpn ike gateway [vpn name]
What settings are not synchronized between HA pairs
HA override, HA device priority, HA virtual cluster priority, hostname, ping server priorities, licenses, cache, HA management interface settings
What are source address options for proxy address types
HTTP method, user agent, HTTP header
What device hosts the PAC file
HTTP server or fortigate can host it
What is the RIP metric
Hop count
What protocols are supported for authentication between the browser and fortigate
HTTP, FTP, SSH, SOCKS5
Three VPN topologies
Hub-and-spoke, partial mesh, full mesh, site-to-site
IP based authentication in web proxy
IP sessions from the same source IP are treated as a single user. Not recommended if multiple users are behind NAT; in that case use session-based authentication
Which two firewall address object types can be used as a destination in one or more static routes and how do you enable this option
IP/Netmask or FQDN. Under Policy & Objects > Addresses, enable "Static route configuration". After it is enabled, you can use any created firewall address object of those two types in a static route
Which of the following objects can be used to create static routes : ISDB objects or service objects
ISDB objects
When would you use link health monitor over ECMP
If ECMP is too expensive, such as when one ISP charges based on bandwidth usage, or if the remote router supports ECMP
How is a link failover in an HA cluster detected
If a monitored interface fails based on the specified criteria, the cluster can re-elect a primary
What does wildcard VLAN enable for a virtual wire pair
If enabled, traffic for the pair also applies to the VLANs (if disabled, any tagged traffic is denied)
Where do you configure proxy settings on a host
In a web browser so it sends HTTP requests to proxy
How does the web proxy enforce authorization
In the source portion of a firewall policy
What routes aren't displayed in the GUI routing table
Inactive and standby routes
What information is displayed in the output of the debug flow
Incoming interface and matching firewall policy
How is traffic handled in a virtual wire pair
Incoming traffic to one interface is always forwarded out through the other interface
Which logging level shows the login events on the collector agent: Information or Warning
Information
When does the primary fortigate in an HA cluster synch its configuration
Initially and every admin change
How can VDOMs communicate with each other
Inter-VDOM links
How can VDOMs connect to each other
An inter-VDOM link that connects the VDOMs. The traffic leaves the VDOM, enters the inter-VDOM link, and then goes to the designated VDOM
You attempt to configure SD-WAN interfaces but it is not working: what is the most common cause
Interfaces are referenced in a route or policy
Ike
Internet Key Exchange. Used with IPsec to create a secure channel over port 500 (or 4500 when NAT traversal is enabled) in a VPN tunnel. It negotiates the tunnel's private keys, authentication, and encryption. It defines two phases, 1 and 2.
Which one of the following session types can be synchronized in an HA cluster: SSL VPN or IPsec VPN
Ipsec
Why is asymmetric routing discouraged on fortigate
It disables fortigate's stateful inspection features, so antivirus and IPS will not be effective because fortigate cannot keep track of sessions (stateless inspection can't retain packet info)
Which statement about fortigate operating in transparent mode is true: it has a management IP, or each interface has an IP
It has a management IP
What is NTLM authentication and when is it used
It is a session-based authentication used when the collector and DC can't communicate or the user is logged in to a DC without a collector. Fortigate initiates the NTLM negotiation with the client's browser if the user is not an active FSSO member
What is the purpose of the link health monitor setting "update-static-route"
It removes all static routes associated with the link health monitors interface in the event of failure
What does auto key keep alive do when configuring ipsec phase 2
Keeps tunnel alive
What protocol does fortigate use to poll AD
LDAP
What protocol does fortigate use to poll the AD in agentless polling mode
LDAP
Which link attribute is used in SD-WAN link quality measurements: latency or cost
Latency
You can configure SD-WAN rules to choose the egress interface based on which parameter: weight or latency
Latency
What does the SLA link status feature do
Lets you specify thresholds that tell the SD-WAN virtual interface when to drop certain routes and change links
What is not synchronized in an HA cluster
Licenses, cache, priority, hostname, override, management interface settings, DGD settings
diagnose vpn tunnel list
Lists the VPN tunnels and their properties and shows the hardware acceleration codes
How do you enable the feature that lets you view the egress interface for the traffic that leaves the fortigate
Log & report > forward traffic and enable destination interface column
Vlan
Logical segmentation of a layer 2 network into smaller broadcast domains. VLANs are identified by their VLAN IDs
Virtual wire pair
Logically links two physical interfaces. Two ports are logically bound so all traffic arriving at one port is forwarded to the other port (usually one internal and one external); traffic is only allowed between the pair
What does the packet sniffer help do
Looks inside the headers of packets; indicates what traffic is entering or leaving the ingress and egress interfaces
What is the default RPF check method on fortigate
Loose
Two RPF modes
Loose and strict
Main vs aggressive mode for phase 1 tunnel in IPSEC
Main: more secure because the pre-shared key hash (identification) is encrypted; 6 packets sent; used for site-to-site. Aggressive: not as secure because the pre-shared key hash is not encrypted (an attacker would still need to guess the hash); faster negotiation (3 packets); used for dial-up
What are the four SDWAN strategies for selecting outgoing interfaces
Manual (interfaces manually selected); best quality (interface with the best performance); lowest cost (SLA) (link that best matches the SLA rules you created); maximize bandwidth (traffic load balanced across the selected members if they match the SLA requirements)
diagnose sys ha reset-uptime
Manually force a failover
execute fsso refresh
Manually refresh user group information from any directory service servers connected to fortigate using the collector agent
RPF
Mechanism that protects against IP spoofing attacks and checks for an active route back to the source IP through the incoming interface
Which attribute does fortigate use to determine the best route for a packet if it matches multiple dynamic routes that have the same distance
Metric
Most IPSEC tunnel problems aren't caused by_______
Mismatched configurations on the peers
How do you access the routing table and policy route in the gui
Monitor > Routing Monitor
What does the secondary fortigate do in active-passive
Monitors primary for signs of failure with the hello or port monitoring
What is a policy based route
More granular/flexible routes that can send packets based on destination IP, source IP, protocol, source/destination ports, and type of service (ToS). They have precedence over the routing table
Advantage of using web proxy
More security because you can filter any traffic on ports 80/443, and only the web proxy IP needs to be able to browse the internet (for explicit proxy, so fewer firewall policies). Reduces bandwidth and improves speed
What mode does software switch work in
NAT
NAT mode vs Transparent
NAT = Layer 3 router Transparent = layer 2 switch
What are the three collector agent based polling mode options
NETAPI, WinSecLog, WMI
What does a fortigate need to be able to do inter VDOM link acceleration
NP4 or NP6 processor
What mode must the fortigate VDOM be operating in to route traffic between vlans
Nat
Which type of Vdom link requires that both sides of the link be assigned an IP address within the same subnet
Nat - to - nat
Two fortigate operation modes
NAT operates as a layer 3 router and the interfaces have IPs. Transparent forwards according to layer 2 MAC addresses as a transparent bridge; the interfaces don't have IPs (besides the management IP) and it has a MAC address table
What are the route attributes
Network, gateway IP, interface, distance, metric, priority
How do you create a vlan in the gui
Network > interfaces > create new > interface
How do you create a VDOM in the gui
Network > interfaces > create new > vdom
How to create virtual wire pair
Network > interfaces > create new > virtual wire pair
Do heart beat interfaces get virtual Mac addresses
No
Does the command diagnose sys ha reset-uptime change the uptime of the fortigate dashboard
No just resets time internally
If sd wan virtual interface is configured, do you configure policies for the member interfaces?
No just the virtual interface but a default route is required
Do the IPs of the heartbeat interfaces change during failover?
No, they remain the same IPs negotiated during cluster setup
By default does fortigate support STP?
No. It can be enabled but is only supported on select models with physical switch interfaces
What is the whole point of active active HA
Not to load balance but to share CPU and resources
diagnose vpn tunnel list: IPsec hardware acceleration codes
npu_flag=00: ingress and egress ESP packets are not offloaded; 01: only egress packets can be offloaded; 02: only ingress packets can be offloaded; 03: both ingress and egress ESP packets can be offloaded; 20: encryption algorithm not supported for offloading
How many sdwan interfaces can be on a fortigate
One per vdom
Which settings are configured per VDOM
Operating mode (NAT or transparent), NGFW mode (policy or profile based), routes and network interfaces, firewall policies, security policies
What tool is built into fortigate to debug and verify ingress and egress interfaces of packets passing through the firewall and what is the CLI command
Packet capture/sniffer: diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <timestamp> <frame size>
What is asymmetric routing
Packets from the same session may flow through different routes
Describe redundant vpns
Partially redundant: one peer has two connections and the other has one, so if one VPN goes down on the peer with two tunnels, traffic can still be routed back. Fully redundant: both peers have two connections
In FSSO, fortigate allows network access based on _________: active user authentication with user name and password, or passive user identification by user ID, IP address, and group membership
Passive user identification by user ID, IP address, and group membership
How is Weight based ECMP configured
Per interface or per route
When the remote gateway is set to dial-up user, a static route to the remote network is added to the routing table after ________: phase 1 comes up, or phase 2 comes up
Phase 1 comes up
On which phase do you configure the algorithms used for traffic encryption
Phase 2
The ipsec monitor widget on the GUI shows the status for_____
Phase 2
What protocols are used for probing servers in link health monitor
Ping, HTTP, TCP echo, UDP echo, TWAMP, DNS
What are some tools for troubleshooting VDOM configurations
Ping, traceroute, packet sniffing, debugging the packet flow
How do you access the ISDB
Policy & objects > internet service database
Which IPSec vpn Type is legacy and not recommended for new deployments
Policy based
If fortigate is polling the DC, as in agentless polling, what do you select under Security Fabric > External Connectors
Poll active directory server
Which fabric connector do you use for agentless polling
Poll active directory server
Which working mode is used for monitoring user sign on activities in window AD
Polling mode (collector agent based or agent less)
What are monitored ports on the fortigate
Ports operating as network interfaces processing high priority traffic
An HA failover occurs when the link status of a monitored interface on the ______goes down
Primary fortigate
What is the workload distribution on an active-active HA CLUSTER
Primary receives all traffic and redirects some to the secondary depending on factors such as weight, policies, addresses, etc
What is level 4 packet capture verbosity
Prints ip headers and interface name (ingress and egress interfaces)
What is level 3 or 6 packet capture verbosity for
Prints the packet IP headers, payload, and Ethernet headers; level 6 does all of those plus the interface name
Which of the following static route attributes does not appear on the GUI routing monitor
Priority
What type of information is stored in the crash log
Process crashes and conserve mode events
What does secondary fortigate do in active active ha
Processes the traffic distributed by the primary
What are the two NGFW modes for a VDOM, and describe each
Profile based: traditional; the user must create antivirus, web filter, and IPS profiles, which are then applied to the policy. Policy based: newer; users can add applications and web filter categories directly to a policy without having to create the profiles first
What does FGCP do
Protocol in HA that discovers other fortigate devices belonging to the same HA group, elects the primary, synchronizes configuration and data, and detects failures
WPAD
Provides the URL where the PAC file can be downloaded from
Which of the following configuration objects can be used to filter web proxy traffic based on HTTP header information: FQDN address or proxy addresses
Proxy addresses
Dynamic routing protocols supported by fortigate
RIP, OSPF, BGP, IS-IS
What does the root VDOM do in split VDOM
Receives traffic from fortigate global services: NTP, Fortiguard updates, SNMP, DNS, logs (FortiAnalyzer and syslog)
What is DC agent mode for FSSO
Recommended for fortigate; most scalable mode; requires one DC agent (dcagent.dll) installed on each windows DC in windows\system32; requires one or more collector agents installed on windows servers
What threshold is used to determine when fortigate entered conserve mode
Red
What is full mesh HA
Reduces number of single point failures by using an HA cluster and multiple switches instead of one on each side of the HA cluster
Which is an advantage of an ip based authentication session over session based
Requires less RAM
Dynamic Routing
Router (FortiGate) communicates with neighboring routers to dynamically discover/learn the best routes based on several protocols and shares its own routes. Paths are based on the destination IP and become self-organizing during failover etc.
Which setting determines whether a tunnel is used as primary or backup: routing or firewall policy
Routing
What is IP routing?
Routing is how a packet from one network reaches a remote network. A router will look at a destination address and search for the best path in a route table. If there are multiple paths the router will make a decision based on various attributes. Once the destination network or default network is decided the packet is encapsulated with a new layer 2 frame and sent to the next hop.
Where can you search and filter through routes
Routing monitor
What are SD WAN rules
Rules route traffic through different members based on different circumstances. Rules can match traffic based on: source IP, destination IP, port number, ISDB object, application, user or user groups, ToS
Which should be used to monitor the session distribution across the SD WAN member interfaces: SD WAN link status monitor SD WAN usage monitor
SD WAN usage monitor
What may be more beneficial than ECMP for maintaining multiple internet connections
SDWAN
Which sessions are not synchronized between HA pairs
SSL VPN
What is an SA
Security associations. Negotiated during phase 1 (ISAKMP tunnel); the SA includes encryption type, hash type, Diffie-Hellman group, authentication (the peer needs to prove who it is through a pre-shared key), and lifetime
What is a VDOM
Segments the FortiGate into multiple logical devices with independent FortiOS, security policies, routes etc. VDOM traffic cannot go to another VDOM (unless it physically leaves the FortiGate to the internet and comes back)
Session based authentication in web proxy
Session based means HTTP sessions are treated as a single user. It can differentiate multiple sessions even if the source IP is the same. After authentication the browser will store user info in a session cookie. Requires more resources (RAM, because FortiGate remembers cookies)
How does fortigate load balance traffic when using the spillover method in ECMP routing
Sessions are distributed based on the interface threshold
Which sessions are synchronized between HA pairs
Sessions not handled by a proxy-based security profile: TCP, IPsec VPN, UDP, ICMP, multicast
How do you enable loose check RPF and strict check
Loose check:
config system settings
set strict-src-check disable
end
Strict check:
config system settings
set strict-src-check enable
end
How do you enable link health monitor to remove a static route if it detects an outage (CLI command)
set update-static-route enable
What is the debug flow
Shows step by step how the CPU is handling each packet
What is session failover in HA
Since sessions can be synchronized the sessions are resumed in the event of device or link failover
Which of the following route lookup scenarios will satisfy the RPF check for a packet: if the routing table has an active route for the [destination or source IP] of the packet
Source
What is the default ECMP method
Source IP
SD wan load balancing methods (ecmp + something else)
Source IP (default); source-destination IP; usage (spillover); weight; volume - traffic is balanced based on traffic volume in bytes per link (this is based on the threshold set)
What four methods can ECMP use to load balance traffic
Source IP (default) - all traffic from the same source uses the same path. Source-destination IP - all traffic from the same source to the same destination uses the same path. Weighted (route or interface weights) - FortiGate will distribute sessions with different IPs by generating a random value (based on the weight of the path) that decides the next path. Usage (spillover) - FortiGate will use the primary route until the traffic volume threshold is reached and will then put the rest on another route
What is the AD access mode and what are the two
Specifies how the collector agent accesses and collects the user and user group information. Standard - Windows convention: domain\groups. Advanced - LDAP convention: CN=user, OU=name, DC=domain
What is the purpose of configuring group filters during the collector and dc agent installation
Specifying the groups that you want the collector to send to the FortiGate so you don't have 10,000 users sent (unless you need to); only specify the groups you plan on creating policies for
What are the two VDOM modes
Split VDOM, Multi VDOM
The priority attribute applies to which type of routes
Static
PAC file
Stored on the web proxy. Defines how browsers choose a proxy. It is a JavaScript file that determines if the request will use a proxy and what the proxy addresses are
Strict vs loose RPF
Strict checks that the best route back to the source uses the incoming interface. Loose checks for the existence of at least one active route back to the source using the incoming interface
Where do you download the agents for FSSO installation
support.fortinet.com
How do you turn on advanced routing in the GUI
System > Feature Visibility > Advanced Routing on
What type of sessions can be synchronized in HA
TCP, IPsec, UDP, ICMP, multicast
What ports does the collector agent use to poll the DCs for logon events
TCP 445 by default
FGCP port
TCP 703
Which status check protocol for link health monitor probing is only available from the CLI
TCP echo
What protocol is used to upload new firmware from the console
TFTP
When are tags added and removed
Tags are added on egress and removed on ingress
What is FEC (forward error correction)
Technique used to reduce the number of retransmissions over unstable VPN links
What is the simple difference between collector agent based polling mode and DC agent mode for FSSO.
The DC does not have a DC agent (dcagent.dll) installed in collector agent based polling mode. So instead of the DC sending the collector agent information on port 8000, the collector will poll the DC on port 445 and then send it to the FortiGate on port 8000
What is used in the creation of the HA primary's virtual MAC addresses
The HA group ID
What happens to the virtual MAC addresses of the primary FortiGate when the device fails
The MAC addresses are transferred to the interfaces of the secondary
What are phase 2 proposals
The authentication, encryption algorithms, and DH used in phase 2
What is a transparent (implicit) proxy
The client sends a request to the server's IP. The transparent proxy intercepts the client request at the IP layer and sends it to the server. The destination IP never changes. No client configuration is needed
What is the DC agent mode collector and agent for
The collector agent is responsible for: group verification, workstation checks, updates of login records to FortiGate, sending domain info to FortiGate. The DC agent: monitors user login events and forwards them to the collector agent (which forwards to FortiGate), and handles DNS lookups
What is a stateful firewall?
The firewall processes each packet individually and maintains information about the packets and their contents to determine if the packet is part of a new session or a preexisting session and if it adheres to a set of rules
When is RPF carried out?
The first packet in a session and whenever there is a route change, on the next packet, in the original direction
What does FGCP run on and what port
The heartbeat links; TCP port 703 with Ethernet type 0x8890 in NAT mode, and TCP port 23 with Ethernet type 0x8893
How are heartbeat interface IPs configured
The highest serial number automatically gets 169.254.0.1 second gets 169.254.0.2 and so on, during the HA negotiations
What table is The internet service routing added to?
The policy routes. Even though they are configured as static routes, they are actually policy routes
What is a web proxy
They forward requests to a server on behalf of a client
How are MAC addresses assigned to interfaces in an HA cluster
Through a group ID; virtual MAC addresses are assigned to each interface
What is the purpose of active-active in HA cluster
To load balance CPU and memory. The primary FortiGate will receive traffic first, then send it to the secondary to transmit in the direction it needs to go
Which will cause an NTLM authentication to occur: traffic coming from an IP on the FSSO user list, or traffic coming from an IP not on the FSSO user list
Traffic coming from an IP not on the FSSO user list
Which of the following is required for redirecting user traffic to the transparent web proxy: traffic must match a firewall policy with a proxy option profile with the http-policy-redirect setting enabled, or traffic must match a firewall policy with the action set to proxy
Traffic must match a firewall policy with a proxy option profile with the http-policy-redirect setting enabled
Transport mode vs tunnel mode for IPsec
Transport mode - the original header is left intact. Tunnel mode - a new ESP or AH header is added so that the original header is encrypted
True or false. The same interfaces in each FortiGate connected to the same broadcast domain are required in HA.
True
True or false. All interfaces in a VDOM operating in transparent mode are in the same broadcast domain
True
True or false. You only need to update the primary FortiGate's firmware in an HA cluster
True
True or false: Browsers can be configured to automatically send credentials during NTLM authentication
True
True or false: ECMP implements route failover automatically
True
True or false: even though you configure routes with the SD-WAN virtual interface, FortiGate will install separate routes in the table on a per member interface level
True
True or false: the management VDOM is root by default but can be changed to any VDOM in multi VDOM mode
True
How many lookups will FortiGate perform for a communication session, and where does the route information for the session get stored
Twice - once for the originator packet to the destination and once for the responder packet to the source. Route information will be stored in the session table. All other subsequent packets will follow the same path stored in the session table and NOT the route table
You can configure virtual clustering between only ______ FortiGate devices with multiple VDOMs in an active-passive HA cluster
Two
How many TCP connections are there for a web proxy during a session
Two: from client to web proxy, and from web proxy to server
HA requirements
Two to four identical FortiGates; one or two (max) links between FortiGates for heartbeat; same interfaces in each FortiGate connected to the same broadcast domain
What will be displayed in the routing table
Type of route (dynamic, static, directly connected), network, gateway IP, interface, distance
What port does the DC agent use to forward login events to the collector agent in FSSO DC agent mode? What port does the collector agent use to forward information to the FortiGate?
UDP 8002; TCP 8000
What are destination address options for proxy address types
URL pattern, host regex match (FQDN), URL category
What is the priority routing attribute
Used for static routes to determine best route to a destination when the distance is the same
SD-WAN
Used in load balancing multiple wan connections based on multiple algorithms that ensure high availability to critical applications
MPLS (Multiprotocol Label Switching)
Used to connect sites to other sites through a private cloud. It is connection independent, meaning each site can have different connections and it still works. MPLS also comes with QoS (ToS in the packet). The ISP puts an MPLS label on the packet for quick transport so that the ISP router does not need to de-encapsulate all the headers; it can instead look at the label and direct packets quickly. MPLS is reliable, scalable, high performance, with better utilization, BUT expensive!! And it must be purchased from a carrier. It is more secure because it's not routed through the public internet but a private cloud.
Proxy address objects
Used to create proxy policies. Proxy address objects provide more granularity in that they can match HTTP traffic based on the content of any HTTP field. Example: HTTP headers include a field named Host which contains the FQDN of the web server; proxy address objects can be used to create a policy that matches the FQDN instead of the destination IP. Example: matching the URL pattern; proxy addresses can match traffic to URLs regardless of the IP address
What is DPD (dead peer detection) and what are the three modes
Used to detect dead tunnels. Useful in redundant VPNs where multiple paths are available: probes will detect the dead tunnel and bring it down. Three modes: on demand - DPD probes are sent when there is no inbound traffic; on idle - probes are sent when there is no traffic; disabled - no probes are sent
Dial-up VPN
Used when the dial-up server does not know the client address, so the client is the one that initiates the VPN (FortiClient); often used in mobile VPNs
Which is an SD-WAN rule matching parameter for traffic sources: user groups or IPS signatures
User groups
What does the collector agent forward to fortigate in DC agent mode
User name, host name, IP address, user groups
When performing NTLM authentication, what information does the web browser supply to FortiGate: username and password, or user ID, IP address and group membership
Username and password
SD-WAN is a _____ consisting of a group of member interfaces that can be connected to different link types
Virtual interface
What is a route based IPsec VPN
Virtual interface for each VPN
Which method of load balancing is supported by SD-WAN but not supported by ECMP routing
Volume
What is the link health monitor
Way to detect when a router along a path is down
Which of the following is an advantage of transparent web proxy over explicit web proxy
Web browsers do not need to be configured to use the proxy
When would there be a change in the heartbeat IP addresses
When a member leaves or joins the cluster
When is a new TCP session allocated
When a SYN packet is allowed
How does link health monitor work
When configured, FortiGate will probe a server past the ISP gateway. If FortiGate stops receiving replies it will remove any routes using that gateway from the routing table, or can shut down an interface and activate standby routes with a higher distance
Perfect Forward Secrecy (PFS)
When enabled, FortiGate will renegotiate DH keys every time phase 2 expires so that the same key is not used every time
What is memory conserve mode
When FortiGate is using too much memory and begins to drop sessions to conserve memory. NOT GOOD. It also does not run any quarantine actions (subjecting the network to potential malware); packets requiring IPS or proxy inspection get dropped; config changes are not allowed
When are IPsec SAs renegotiated
When the lifetime expires
How is a device failover triggered in an HA cluster
When the primary FortiGate stops sending hello packets through the heartbeat interface
When are routes flushed from the session table in order to be relearned
When there is a change to the routing table
When is the metric used in routing and what is it
When two routes have the same distance, the metric will be used to break the tie. The metric helps determine the best route. The metric varies based on the dynamic routing protocol
What configuration setting must be enabled to allow VLAN tagged traffic through a virtual wire pair
Wildcard VLAN
Which convention does the FSSO collector agent use to access Windows AD in standard access mode
Windows NetBIOS: domain\groups
How does the web proxy enforce authentication
With authentication rules and schemes
Can a software switch be used in firewall policies
Yes. The virtual interface (group of interfaces) can be used
Can you use the SLA link health monitor with SD-WAN?
Yes. You can specify SD-WAN interfaces
execute ha manage <device index> <admin username>
You can connect to the CLI of the secondary member from the primary
What three things do you need to set up for the link health monitor
You must set the interface, the IP of the gateway router, and the server IP and protocol
What is the first [#/#] displayed in the routing table entry and what are the second
[Distance/metric] [priority/weight]
Diffie-Hellman key exchange
An asymmetric standard for exchanging keys, primarily used to send private keys over public networks.
CLI configuration to enable link health monitor
config system link-monitor
edit <name>
set srcintf <interface>
set server <server ip>
set gateway-ip <gateway ip>
set protocol [ping | tcp-echo | udp-echo | twamp | http]
set update-static-route [enable | disable]
next
end
What is split VDOM
FortiGate has two VDOMs total - root and FG-traffic. Root - management work (hidden entries). FG-traffic - allows firewall traffic. Split VDOM cannot create new VDOMs
What is agentless polling mode in FSSO
FortiGate polls the DC instead, so it doesn't require a DC agent or collector agent. More CPU and RAM is used by FortiGate
CLI command to get system information
get system status
What is the workload distribution on an active-passive HA CLUSTER
Primary receives and processes all traffic while sending hello packets through the heartbeat interface; secondary waits
Types of IPsec VPNs and which is recommended
Route based (recommended) and policy based (not recommended)
STP
Spanning tree protocol, when enabled, will block a redundant path to prevent broadcast storms. It will elect a root bridge (switch), and switches will exchange BPDUs that provide information about the neighbors and paths so a port can be blocked and unblocked to restore an alternate path if needed
What feature can you use to ensure the latency, jitter, and packet loss levels remain within a threshold for SD-WAN
Turn on SLA target, configure thresholds for SD-WAN, and use the SLA target in the policy