NSE 7 Enterprise firewall
What should the phase 2 quick mode selectors be set to for ADVPN (or any dynamic routing over IPSEC)
0.0.0.0/0.0.0.0
What are the only two session state values for UDP (2digits)
00 when traffic is only one way 01 when traffic is two ways
What formula determines the virtual MAC address and explain each part
00:09:0f:09:group_id:(vcluster_id+interface_id) Group_id is the HA group ID converted to hexadecimal Vcluster_id is 0x00 for virtual cluster 1 and 0x80 for virtual cluster 2 Interface_id is the interface index
How many times can the service option be used in a custom IPS signature
1
By default a BGP RR propagates how many paths per prefix and what is the command to change this default behavior
1 Config router bgp Set additional-path enable Set additional-path-select <number of paths> Config neighbor Edit <neighbor ip> Set additional-path [send | receive | both | disable ] Set adv-additional-path <number of paths>
IPSec connection steps (low level) (6)
1 interesting traffic triggers negotiation 2 phase 1 goes up (single bidirectional SA) 3 extended auth (if required) 4 IKE mode config (if required) 5 phase 2 goes up (2 SAs one for each direction) 6 tunnel is established and traffic can traverse
Steps to reset the web filtering and antispam databases
1) Disable the rating services on FortiManager interfaces 2) stop the rating services under FortiGuard > Advanced Settings 3) delete the databases with the two commands Diagnose fmupdate fgd-del-db wf Diagnose fmupdate fgd-del-db as 4) start the rating services under FortiGuard > Advanced Settings 5) wait for the entire rating database to be downloaded and fully merged (4-12 hours) 6) enable the rating services on the FortiManager interfaces
Stage 1-3 NGFW policy mode
1) Traffic comes in 2) kernel can identify (NNTP, ICMP, and DNS) but no other layer 7 info 3) kernel evaluates layer 4 info to match NGFW policy 4) session flagged as may_dirty and added to session table with appid =0 unknown 5) traffic sent to IPS engine 6) IPS evaluates layer 7 and updates session table with dirty flag and correct appId 7) dirty flag tells kernel to reevaluate the session 8) kernel reevaluates session with new layer 7 info against NGFW policy and takes configured action
Active-active load balance steps (7)
1) client sends SYN packet and it is forwarded to the primary FortiGate using the interface's VIRTUAL MAC address as destination 2) if the primary decides the secondary will inspect the traffic then the SYN gets forwarded to the secondary device using the respective interface's PHYSICAL MAC 3) the secondary responds with the SYN/ACK to the client with its PHYSICAL MAC as source and starts the connection with the server by directly sending the SYN packet 4) client ACKs the SYN/ACK and sends it to the port on the primary using the VIRTUAL MAC 5) the primary device forwards the packet to the secondary for inspection using the secondary's PHYSICAL MAC 6) when the server responds to the TCP SYN with the SYN/ACK, the packet is sent to the primary using the external interface VIRTUAL MAC 7) primary signals the secondary on its PHYSICAL MAC and the secondary replies to the server with the ACK using its physical interface MAC as source
Route selection process (5)
1) most specific route (longest netmask/smallest subnet) 2) lowest distance (trustworthiness) 3) lowest metric (dynamic routes) 4) lowest priority (static routes) 5) if there are multiple paths with the same netmask, distance, metric, and priority fortigate will share traffic among all of them called ECMP
Debug flow block message 1) Denied by forward policy check 2) Denied by end point ip filter check 3) exceeded shaper limit, drop 4) reverse path check fail, drop 5) iprope_in_check() check failed, drop
1) no firewall policy allows the traffic Or a firewall policy allows the traffic but disclaimer is enabled and is not being accepted 2) source IP has been quarantined by DLP 3) packet dropped because of traffic shaping 4) packet dropped because of the RPF check 5) packet is management traffic destined to fortigate IP but: Service is not enabled Service is using different port Source IP is not included in trusted host Packet matches a local-in policy with action deny OR packet is not destined to fortigate IP address but there is a virtual IP or IP pool config using the destined IP
What 3 requirements does the fortigate have to put a configured static route in the routing table?
1) outgoing interface is UP 2) there is no other matching route with a lower distance 3) the link health monitor (if configured) is successful
6 requirements for forming an OSPF adjacency
1) peers' primary IP addresses are in the same subnet with the same subnet mask 2) peers' interfaces are the same type and in the same OSPF area 3) peers' hello and dead intervals match 4) each peer has a unique router ID 5) OSPF IP MTUs match 6) OSPF auth, if enabled, is successful
7 things to do if you are configuring ADVPN from fortimanager VPN manager
1) set protected networks to all 2) enable ADVPN in the IPSec phase 1 3) disable add-route on the hub 4) enable net-device on spokes 5) configure IPs on virtual tunnel interfaces 6) configure dynamic routing and config route reflector if using IBGP 7) phase 1 is automatically named <vpnname>_0
Four occurrences that can trigger a failover
1) when the primary stops replying to heartbeats (loss of keepalive packets) 2) when the link status of a monitored interface goes down (primary will be the device with the fewest failed monitored interfaces b/c port monitoring takes precedence over priority) 3) when a server IP stops replying to the ping sent by the primary (remote link failure) (configurable) 4) when FortiOS detects a failure in an SSD
Root causes for "iprope_in_check() check failed, drop" (4)
1- When accessing the FortiGate for remote management (ping, telnet, ssh...), the service that is being accessed is not enabled on the interface. 2- When accessing the FortiGate for remote management (ping, telnet, ssh...), the service that is being accessed is enabled on the interface but there are trusted hosts configured which do not match the source IP of the ingressing packets 3- When accessing a FortiGate interface for remote management (ping, telnet, ssh...), via another interface of this same FortiGate, and no firewall policy is present 4- A VIP parameter must be set
Root causes for "Denied by forward policy check" (3)
1- There is no firewall policy matching the traffic that needs to be routed or forwarded by the FortiGate (traffic will hit the Implicit Deny rule) 2- The traffic is matching a DENY firewall policy 3- The traffic is matching an ALLOW firewall policy, but DISCLAIMER is enabled; in this case, traffic will not be accepted unless the end user accepts the HTTP disclaimer presented by the FortiGate while browsing an external site.
What are the 7 steps OSPF routers go through with other OSPF peers to form an adjacency and what is the end result
1. Down -initial state 2. Init - hello packet is sent from a non adjacent neighbor 3. 2-way - communication is bidirectional between routers 4. Exstart- a primary and secondary relationship is negotiated 5. Exchange - database (DB) description packets are exchanged 6. Loading - LSAs are exchanged (request from one, update from other, request from other, update from one) 7. Full - LSDBs are identical
10 BGP route selection tie breakers:
1. Highest weight 2. Highest local preference 3. Prefer the path that was locally originated 4. Shortest AS path 5. Lowest origin type 6. Lowest multi exit discriminator (MED) 7. Lowest IGP metric to the BGP next hop 8. Prefer external path (EBGP) over internal path (IBGP) 9. If ECMP enabled insert up to 10 routes 10. Lowest router ID
How many LSA types are there? What are the five most common types?
1. Router link advertisement Describes a router's links 2. Network link advertisement Describes all the routers in a multi-access network 3. Summary link advertisement Describes summarized networks within an area (generated by ABR) 4. AS summary link advertisement Describes the path to an ASBR router 5. AS external link advertisement Describes external destinations originated in an ASBR
Maximum length for user created IPS rules
1024 bytes
Default max file size inspected and how to reduce or increase
10mb CLI Config firewall profile-protocol-options Edit <name> Config [http, ftp, pop3, smtp, imap] Set oversize-limit <mb> End
How many sessions does FTP use for file transfer and describe each
2 One control channel One data channel The control channel is always initiated by the client and is used to send the FTP commands which allow the client to move through the server folders, specify the file transfer, and initiate the data channel (if passive) for file upload or download The data channel is for the actual file transfer
What two phases does IKE use and how many SAs are established
2 Phase 1 1 bidirectional SA Phase 2 uses two IPSec SAs one for each traffic direction
Safe reduction of file inspection from 10mb in order to optimize memory but still catch viruses successfully
2 or 3 mb
Diagnose test application ipsmonitor 2, 5, 99
2 toggle IPS engine enable/disable status 5 toggle bypass status 99 restart all IPS engines and monitor
For any sessions, how many route look ups are performed
2- one for first packet sent by originator and one for first reply packet sent by responder
broadcast OSPF networks use two multicast destination addresses, what are they and what are they for
224.0.0.5 AllSPFRouters Hello packets LSA updates and acknowledgements sent by either the DR or BDR 224.0.0.6 AllDRouters LSA updates and acknowledgements sent by all other routers
point to point OSPF networks use one multicast destination address what is it and what is it for
224.0.0.5 AllSPFRouters All packets are sent to this address
Up to how long could it take to update a contract on all servers for fortiguard
24 hours but usually 2-4
A BGP router stores routing information in how many logical tables? What are they and describe each
3 RIB-in: contains route info learned from other BGP routers before filtering. Local RIB: route info the local BGP speaker has selected from RIB-in after applying its local policies. RIB-out: contains the BGP route info selected to be advertised to other peers
How many stages does NGFW policy mode session handling have
3
How many packets are exchanged in phase 1 aggressive mode and describe exchange
3 Client initiates by sending security policies and providing no DH and peer ID Responder replies with the same info plus a hash Initiator sends hash payload
What verbose levels would you use and then convert to PCAP for Wireshark
3 6 (prob 5 too but it wasn't mentioned) all three show payload 3 and 6 both show IP/Ethernet headers and payload
How often do OSPF routers re-advertise their OSPF information
30 minutes
How many VRFS are supported
32
Describe xauth packet exchange and how many packets
4 Server (responder) sends CFG_Request Initiator or client responds with CFG_Reply containing user credentials If they are correct the server sends a CFG_Set Client sends a CFG_ACK
what IP version does ADVPN support
4 and 6
Most common termination signal numbers (7)
4 illegal instruction 6 abort command from FortiOS 7 bus error 9 unconditional kill 11 invalid memory reference 14 alarm clock 15 graceful kill
What does option 5 do for the diagnose test application ipsmonitor 5 and how does it help diagnose high CPU issues
5 enables IPS bypass mode. In this mode IPS is still running but it is not inspecting traffic. If the CPU usage decreases after that, it indicates that the volume of traffic being inspected is too high for that FortiGate model. If it remains high after enabling bypass, it indicates a problem with the IPS engine that needs to be reported to Fortinet
Why is the FIN ACK protocol state 5
5 is TIME_WAIT which keeps the session in the session table for a few seconds more to allow for any out of order packets
How many packets are exchanged in main mode and describe the communication of the 6 packets
6 Client initiates by proposing ISAKMP security policies Responder selects which security policy it will agree to use Initiator sends its DH value Responder replies with its DH value Initiator sends its peer ID and hash payload Responder replies with its peer ID and hash payload
Maximum length of custom IPS signature NAME
64 characters
What architecture is FortiOS
64bit
What port does fortitelemetry use
8013
Default for when fortigate enters conserve mode
88
What termination signal should you use if you have to manually kill a process and why
9 Diag sys kill 9 <ID> Because improperly killing a process can make fortigate system unstable since there are processes that function concurrently
What is default for when fortigate drops new sessions for conserve mode
95
What does fortimanager name phase 1 IPSec tunnels
<vpnname>_0
When is a session categorized as ephemeral (2)
A TCP session is not fully established (three-way handshake not completed) A UDP session where only a single packet has been received
TCP socket
A TCP socket is an endpoint instance defined by an IP address and a port in the context of either a particular TCP connection or the listening state.
What does a BGP RR and it's clients form
A cluster
What is NGFW policy mode
A flow based inspection mode that lets you configure app signatures, categories, groups, and fortiguard web filter categories directly on the firewall policy. AV and DLP are still configured as profiles.
How can you use TCL to create 150 addresses objects 10.0.1.0-10.0.1.150
A for loop
OSPF area
A logical collection of OSPF networks and routers defined with a 32-bit number, e.g. 0.0.0.10 or 10
Why is memory optimization important
A lot of FortiGate processes are memory intensive, such as DLP and AV. Especially on smaller FortiGates it is important to optimize memory use so that the FortiGate does not go into conserve mode
What are ephemeral drops
A mechanism the fortigate has to prevent DoS attack. Sessions take up memory. A session is flagged as ephemeral if it is an incomplete TCP session or if only one UDP packet is received. Fortigate has a hard limit on max ephemeral sessions that can exist simultaneously in the session table
Partial Mesh Topology
A mesh topology where it is less expensive to implement and yields less redundancy than full mesh topology. With partial mesh, some nodes are organized in a full mesh scheme but others are only connected to one or two in the network. Partial mesh topology is commonly found in peripheral networks connected to a full meshed backbone.
What is a stub network?
A network that is accessed by a single route, and the router has just 1 neighbor. A stub network is a network with no knowledge of other networks, that will typically send much or all of its non-local traffic out via a single path, with the network aware only of a default route to non-local destinations.
Memory paging
A portion of the hard disk can act as virtual RAM when there is not enough RAM available. The portion that acts as this is called the page file. Memory paging is when the OS moves pages of memory to the hard disk page file when RAM space is low and it needs to make room for other current processes. Reliance on paging can impair performance. Accessing the page file is slower than actual RAM.
Conserve mode
A protection mechanism that is triggered by the FortiGate when it does not have enough memory available to handle traffic It prevents using so much memory that the FortiGate becomes unresponsive
what is an AS autonomous system
A set of routers and networks under the same administration identified by a unique number and usually running an interior gateway protocol
How does ASBR info get advertised to other areas in OSPF if the e-bit type 1 LSAs are confined to same area
ABRs send type 4 LSAs to other areas on how to reach the ASBR
How does BGP route traffic (what is the routing based on)
AS paths and their attributes
Which BGP attributes are well known mandatory and what does that mean (3)
AS_path Origin NEXT_hop Well-known mandatory - attributes are mandatory
Which UTM profiles can be set to proxy or flow based
AV and Web filter
What are some public SDN connectors available
AWS Azure Google cloud platform Oracle cloud infrastructure IBM cloud AliCloud
By default, fortigate ____ all the prefixes it receives from routing advertisements
Accepts but you can filter out or modify some prefixes
What is the HA mode set to for VDOM partitioning
Active -passive
What two ways can you configure load balancing for virtual clustering
Active active and virtual partitioning
The system IO cache value is a sum of all ___ and ___ pages
Active and inactive pages See diagnose hardware sysinfo memory
Two types of System IO cache
Active and inactive
What two modes does FTP have and describe each
Active and passive Active is when the client sends a PORT command through the control channel to the server that specifies the client IP and the TCP port for the incoming data channel. The server then initiates the TCP data channel session to the IP and port specified Passive is when the client initiates the data channel to the server
How to tell active vs inactive routes with command get router info routing table database
Active has * next to it
Four main wizards on the fortimanager device manager pane
Add device wizard to add devices and import configurations Install wizard to install config changes from the device manager pane or polices and objects pane to the managed devices Import policy wizard to import interface mapping, policy databases and objects associated with a managed device and preview changes Reinstall policy wizard to perform a quick install of a policy package and preview changes
What commands should be disabled/enabled on the HUB when doing ADVPN in the phase 1 and what should tunnel selector be set to
Add-route should be disabled so that dynamic routing is used Net-device should be disabled so dynamic interfaces are not configured Tunnel search should be next hop so that the next hop ip of the route is used to decide which tunnel the packet must be sent Auto-discovery-sender needs to be enabled
What is a fortimanager ADOM
Administrative domain that allows you to create groupings of devices to be monitored and managed by administrators. For example grouping by location, business division, firmware version, etc. Not enabled by default. Purpose is to divide administration of devices to control and restrict access. Access is assigned based on the admin profile that allows access to one or more ADOMs. The number of ADOMs varies by model. VDOMs can be assigned to ADOMs
APT
Advanced Persistent Threat
Network link advertisement (type 2) OSPF LSA types
Advertised only by DRs (every DR sends one) Contain information about the other routers connected to their multi-access networks
What are the global IPS configuration Settings for
Affect the IPS engine operations for the whole Fortigate device
When are quarantined addresses automatically removed and when are banned IPs automatically removed
After a configurable period of time Banned IPs are not auto removed and need to be removed by an admin
Config system global Set SNAT-route-change enabled
After a routing change, routing information is flushed from existing SNAT sessions and rtcache, session flagged as dirty, and route lookups are performed again so the existing SNAT Sessions can use the new best route
Describe packet exchange for IKE mode config and when it occurs
After phase 1 and XAuth (if configured) 2 packets Client sends CFG_Request listing the required IP settings Server replies with CFG_Reply containing the assigned values for each attribute
PPP for a packet that is offloaded to a NPU (NP6)
After the first packet, subsequent packets in an offloaded session skip routing, UTM/NGFW, and kernel processors and are just forwarded out the egress interface by the NP6 processor
Which AS attribute is optional transitive and what does that mean (2)
Aggregator Community Optional transitive - attributes may or may not be accepted and can be passed outside the local AS
What mode includes the peer ID in the first packet for IPsec
Aggressive
What routes would be in the FIB
All active routes in the RIB and some additional routes that may not be in the routing table and were automatically added by the fortigate such as routes added dynamically to real SSL VPN users
Security fabric map
All FortiGate devices in a SF maintain their own SF map that includes the MAC address and IP address of all connected FortiGate devices and their interfaces
What interfaces are assigned virtual mac addresses when a primary is in a HA cluster
All interfaces besides the HA heartbeat interfaces
In what order are flow based inspection profiles applied to traffic
All of the applicable flow-based security modules are applied simultaneously in one single pass
What does full ssl inspection inspect
All of the packet contents including the payload
Why doesn't the kernel need to use memory paging to access the whole memory space
All the memory space is directly accessible to the kernel because of 64 bit arch
What does the "additional-paths" option for BGP do and benefits
Allows RR to propagate multiple paths for the same prefix More efficient use of BGP multipath Can prevent suboptimal routing Required for combining SD-WAN and ADVPN
Workspace mode
Allows admins to make a batch of changes that are not implemented until committed so that the changes can be reverted or edited without impacting current operations
Features of workspace mode
Allows you to make changes in the CLI that are not applied to the current config until saved with a specific command. When in workspace mode the object being changed is locked and can't be edited by another admin. A warning message will be shown to the admin letting them know it is being configured in another workspace transaction. Once changes are approved they can be saved and applied and the changes will be available to the kernel and processes. If not approved they can be aborted and it won't affect the current config.
What is the ICMP proto_state
Always 00
In active active HA which device gets traffic first
Always primary
What connectors are available as public SDN multi cloud support
Amazon AWS Microsoft AZURE Google cloud platform (GCP) Oracle cloud infrastructure (OCI) Alicloud
How do ASBRs advertise themselves
An ASBR advertises itself by sending type 1 LSAs. They set the E-bit on in the OSPF header. LSAs with the E-bit set are confined to the area they originate.
AS summary link advertisement (type 4) OSPF LSA type
An ASBR advertises itself by sending type 1 LSAs. They set the E-bit on in the OSPF header. LSAs with the E-bit set are confined to the area they originate. ABRs in the same area send a type 4 LSA to the other areas with information on how to reach the ASBRs
An OSPF session between two OSPF peers is called ____
An adjacency
What is virtual clustering and what three ways can you configure a virtual cluster
An extension of FGCP for a cluster of two FortiGate devices operating with multiple VDOMs enabled Can be in active-active, active-passive, or VDOM partitioning
What can continuous high CPU use by the IPS engines be caused by (ipsengine daemon)
An infinite loop in packet parsing
What is required to be configured on the tunnel interfaces for hub and spokes when having dynamic routing
An overlay IP address Overlay IPs need to be in the same subnet
What are the three stages to an IPS solution
Analysis: admin defines what to protect and where Evaluation: after an initial IPS configuration the admin makes further adjustments based on the IPS logs and sets IPS to monitor Maintenance: after the config is working correctly the admin sets IPS to protect and must continue to monitor logs and make adjustments for false positives or negatives that occur
How to fine tune IPS (2)
Analyze IPS events and eliminate false positives {Check the IPS events and start with events that have been generated the most or have high priority Analyze each event for: Source Destination Services Type of attack Analysis will help you figure out if it is a false positive or genuine attack} {eliminate as many false positives as possible. Try to fix the problem by making changes in either the source or destination of the traffic first. You can also use IPS exemptions}
When you are analyzing an IPS event what should you look at to determine if it is a true attack or false positive
Analyze each event for: Source Destination Services Type of attack
ACI
Application centric infrastructure
What is SIP ALG, what does it provide, and how is it different than the sip session helper
Application layer gateway A feature that is smarter and more versatile than the SIP session helper Has all the same functions of the SIP helper but provides more features: SIP TCP and UDP support SIP IPv6 Rate limiting Message syntax checking SIP HA failover Detailed logging and reporting Session helper runs in kernel and SIP ALG runs in user space process
What runs in the user space in the FortiOS arch
Application processes and daemons
What two options are configurable for NGFW policy mode
Application sig/categories/groups and web filter categories
Enterprise firewall solution (2)
Apply end to end security Segment your network End to end security with a consolidated operating system FortiOS Core of the solution is security fabric which allows all devices to communicate in network And manage all deployments through fortimanager
Process in building OSPF tree
As LSAs are added to the LSDB, Dijkstra's algorithm is a recursive process that runs multiple times to map all known paths; it then chooses the lowest-cost paths and fills them into the OSPF tree
How is memory allocated to each process that runs above the kernel layer in the user space
As separate blocks of memory for each process
What actions can you perform from physical topology view in Sf (4)
Authorize switches and APs Upgrade devices Connect to a device's CLI Ban and unban compromised IPs
What ADVPN command needs to be configured on the hub-hub tunnel
Auto-discovery-forwarded enable
What ADVPN command needs to be configured on the hub-hub tunnel
Auto-discovery-forwarded enabled
Command to enable ADVPN on spoke
Auto-discovery-receiver
What ADVPN command needs to be configured on the spoke-hub tunnel
Auto-discovery-receiver enabled
What ADVPN command needs to be configured on the hub-spoke tunnel
Auto-discovery-sender enabled
Stitches
Automated actions based on triggers
Two settings for av fail open under config sys global
Av-failopen Av-session-failopen
Total slab size
Available objects x object size
What is required for ADVPN routing and what protocols are supported
BGP OSPF RIPv2/RIPng
What type of routes does ECMP support (3)
BGP OSPF Static
What does ADVPN require all hubs to be configured as
BGP RR
Dominant EGP
BGP for the Internet
BGP attributes (8)
BGP routes based on AS paths and their attributes. AS list is one of the attributes: AS list contains the autonomous systems that traffic needs to route through to reach the destination
Two area types in OSPF network and what is the area ID
Backbone 0.0.0.0 Normal area (anything other than 0.0.0.0)
Why do you clear the session filter and then specify a new session filter
Because all sessions from previous filters will be listed If no filter is specified then the whole table will be listed (this could be in the thousands or millions)
Why will return packets be routed through an interface if there is a better route through a different interface
Because the FortiGate remembers the interface to the source for the return packets, and asymmetric routing hinders content inspection, so the FortiGate will route it through the interface back to the source to prevent asymmetric routing
Why is it beneficial if two wan interfaces share the same public IP pool for SNAT
Because if one wan goes down sessions are routed through the secondary ISP and maintain the same public source IP so sessions can remain up
From command diagnose webfilter fortiguard statistics list, why are all the cache stats at 0
Because the web filtering cache is disabled under "config system fortiguard"
Memory tension drops
Behavior where kernel deletes old sessions to free up memory
What is the debug level for real time debugs
Bit value that specifies which messages are displayed 0 means no output (disabled) Debug -1 means enable all possible message types
Which route would be put in the routing table Get router info routing-table all 0.0.0.0/0 [10/0] via x.x.x.x port 1 [10/0] via x.x.x.x port 2 [20/0]
Both because they both have the same distance. One is just preferred with a lower priority. If one had a higher distance it would not be in the routing table
SF tree structure
Branch fortigate devices connect to upstream fortigate devices
What is the purpose of the public SDN connectors
Bridge SDN controllers and fortigate devices such as in connecting and registering itself to APIC in the Cisco ACI fabric, polling interesting objects, translating them into address objects and populating the address objects and endpoints onto fortigate
How does an OSPF router generate the OSPF tree (2)
By using the LSDB and Dijkstra's algorithm
What runs in the configuration layer of the FortiOS arch (4)
CLI GUI API FMG
Where is workspace mode available from
CLI only
What are the CP chip models
CP8 and CP9
What may you be experiencing if you see this output when you perform the diag sys top command 0U, 0N, 0S, 100I
CPU states 0% user 0% system 0% nice 100% idle Fortigate has stopped working
What may you be experiencing if you see the following when you perform the diag sys top command 1U, 0N, 98S, 1I
CPU states 1% user 98% system 0% nice 1% idle Network is slow
Fortimanager scripts and what two are supported (what are each)
Can make many changes at once and is useful for bulk changes across multiple managed devices. CLI - FortiOS commands as they are entered on the command prompt on the device TCL - dynamic scripting language that extends the CLI functionality. First line is #! Do not include the exit command because it will prevent the script from running.
What happens when changes are committed in workspace mode
Changes are applied to current configuration and changes are available for all other processes in the kernel
What to do if IPS is triggering false positives (5)
Check that the DB is up-to-date Determine what signature is causing the false positive Use IPS exemptions as a temporary bypass If all factors are verified (correct policy match, IPS profile match) Collect multiple sniffer samples to send to the FortiGuard team
BGP troubleshooting tips: (4)
Check that the local router can reach remote peer Check the TCP session Check the BGP session If the BGP session is established, check the prefixes received and advertised by each peer
What should you check if a fortigate is unexpectedly restarting itself
Check the logs Console logs And crash log
When troubleshooting, what should you do after making a security profile change
Clear any sessions related to the change and generate new sessions because the change won't apply to existing sessions
What are the IKE messages exchanged when an ADVPN tunnel is being negotiated (10)
Client on Spoke 1 generates traffic for a subnet on Spoke 2 Spoke 1 receives/encrypts the packet and sends it to the hub The hub receives the packet from Spoke 1 and forwards it to Spoke 2 Spoke 2 receives the packet, decrypts it, and forwards it to the destination device The hub knows there is a direct tunnel option available and sends a shortcut offer message to Spoke 1 Spoke 1 acknowledges the shortcut offer by sending a shortcut query to the hub The hub forwards the shortcut query from Spoke 1 to Spoke 2 Spoke 2 acknowledges the shortcut query and sends a shortcut reply to the hub The hub forwards the shortcut reply to Spoke 1 Spoke 1 and Spoke 2 initiate the tunnel IKE negotiation
What is a kernel memory slab and 7 examples of kernel slabs
Collection of objects with a common purpose and fixed size. Used by the kernel to store information in memory. Tcp_session tcp session Ip_session non-tcp session ip_dst_cache route cache Buffer_head read/write data from disk, flash Inode_cache information about files and directories Dentry_cache cache for file system directory entries Arp_cache cache for arp
When there is a routing change and SNAT is applied what determines the action the fortigate takes
Command Config system global Set SNAT-route-change [disable | enable]
If you see an increase in error counters with command diagnose webfilter fortiguard statistics list what does this indicate
Communication problems with the FortiGuard servers
Command to disable IPS acceleration, enable basic IPS acceleration, and enable enhanced acceleration
Config IPS global Set cp-accel-mode (none | basic | advanced)
What is the command that controls how IPS handles incoming packets when in fail open mode
Config IPs global Set fail-open (enable | disable)
Commonly used options for global IPS Configuration
Config IPs global Set fail-open {enable | disable} Set intelligent-mode (enable | disable) Set socket-size <IPs buffer size> Set traffic-submit (enable | disable)
Command to enable and disable IPS offloading to NPU
Config ips global Set np-accel-mode {none | basic}
If you configure the check-policy-option for the global firewall-session-dirty handling behavior, what command lets you specify the session handling setting per policy
Config firewall policy Edit <ID> Set firewall-session-dirty {check-all, check-new}
Command to reduce session TTL per firewall policy for memory OPT and default
Config firewall policy Edit <ID> Set session-ttl 300 Default 3600
By default fortigate will use the CN field if the SNI sent in the client hello does not match the CN or SAN fields of the server certificate. What is the command to change this behavior
Config firewall ssl-ssh-profile Edit <profile name> Config http Set SNI-server-cert-check [ enable | strict | disable]
Command to change IPS fail open behavior and default behavior
Config ips global Set fail-open {enable | disable} Default is disabled, which means if fortigate goes into conserve mode the IPS engine drops all new sessions that require flow-based inspection but tries to process all existing sessions
Command to redistribute connected and static routes and routes learned from other routing protocols into BGP
Config router bgp Config redistribute "static" Set status enable End Repeat for "connected" and for each routing protocol to redistribute ("ospf", "rip", "isis")
How to enable route redistribution for OSPF on fortigate and what it does
Config router ospf Config redistribute bgp Set status enable Fortigate will redistribute non OSPF routes and act as an ASBR
What is a good indication of the health of an ha cluster
Config sync status
Commands to configure fortigate with fortimanager ip for updates and ratings and command to exclude fortiguard servers in the override list
Config sys central-management Config server-list Edit <ID> Set server-type update rating Set server-address <fmg ip> Next End Set include-default-servers {enable | disable} (enables or disables the inclusion of the public fortiguard servers in the override server list)
Command to reduce DNS cache for memory opt and what is default
Config sys dns Set dns-cache-ttl 300 End Default 1800 seconds
Command to reduce fortiguard cache TTL for memory opt and what is default
Config sys fortiguard Set webfilter-cache-TTL 500 Set antispam-cache-TTL 500 Default is 3600 and 1800 seconds
Command to change default conserve mode values and what are defaults for each
Config sys global Set memory-use-threshold-<extreme, red, green> Extreme default- 95 red default- 88 Green default- 82
Command to control how fortigate handles traffic that requires proxy based content inspection during conserve mode
Config sys global Set av-failopen {off | one-shot | pass} Set av-failopen-session {enable | disable}
Command to change fortiguard source port if ISP is blocking source ports
Config sys global Set ip-src-port-range 1031-4999 End
Command to reduce TCP session timers and defaults
Config sys global Set tcp-halfclose-timer 30 (default 120) Set tcp-halfopen-timer 8 (default 10) Set tcp-timewait-timer 1 (default 1)
Useful commands for debugging update services activity on fortigates managed by a fortimanager acting as FDS, and what level should you set the debug to
Config sys locallog disk setting Set severity debug End Config fmupdate fds-setting Set linkd-log debug Set umsvc-log debug End
Command for logging rating services events the same way it logs updates services and what level should you enable first (3) commands
Config sys locallog disk setting Set severity debug End Config fmupdate web-spam fgd-setting Set linkd-log debug Set update-log enable Diagnose fmupdate view-linkd-log fgd
Command to lower TCP session TTL and one for UDP session TTL and one for each service TTL (3) and defaults
Config sys session-TTL Set default 300 (was 3600) Config sys global Set UDP-idle-timer 90 (was 180) Config sys session-ttl Config port Edit <ID> Set protocol <ip prot> Set start-port <> Set end-port <> Set timeout 300
Command to enable TCL scripting in fortimanager
Config system admin setting Set show_tcl_script enable
How to disable configuration sync for SF
Config system csf Set configuration-sync local
Command to configure fortigate to use servers world wide or only server located in the USA and which does it use by default
Config system fortiguard Set update-server-location [usa | any] Default uses worldwide
Command to change fortiguard web filter cache TTL
Config system fortiguard Set webfilter-cache enable Set webfilter-cache-ttl <seconds> (default 3600)
What to do if fortiguard web filter ratings in the local cache are expiring too quickly
Config system fortiguard Set webfilter-cache enable Set webfilter-cache-ttl <seconds> Increase the TTL above the default of 3600
Command to use a different interface for session sync than the heart beat interface
Config system ha Set session-sync-dev <port name> <port name2>
Command to delay HA session sync by 30 seconds so that short-lived sessions are not synced, which saves bandwidth and keeps sync traffic from interfering with heartbeats
Config system ha Set session-pickup-delay enable (requires session-pickup enable; only sessions that stay active for more than 30 seconds are synced)
Command to change if session helper or SIP ALG is used in VoIP config (describe both options for command and which is default)
Config system settings Set default-voip-alg-mode {proxy-based | kernel-helper-based} End proxy-based: default, the SIP ALG (VoIP profile) is used kernel-helper-based: the SIP session helper is used
Command to change the SIP ALG ports over UDP, TCP, and SSL
Config system settings Set sip-tcp-port <port num1> <port num2> Set sip-udp-port <port num1> <port num2> Set sip-ssl-port <port num1> <port num2>
Command to modify the fortigate s session handling behavior after policy changes and what are the 3 options (which is default)
Config system settings Set firewall-session-dirty {check-all | check-new | check-policy-option} check-all: all policy information is removed from sessions affected by a policy change; when packets are received they are re-evaluated (default) check-new: existing sessions are unaffected; new sessions are evaluated against the modified policies check-policy-option: sessions are handled based on the per-firewall-policy configuration
Command to manually disable IPSEC offloading per tunnel
Config vpn ipsec phase1-interface Edit <name> Set npu-offload {enable | disable}
Command to configure IPSec aggregate
Config vpn ipsec phase1-interface Edit <name> Set aggregate-member enable Next End Config system ipsec-aggregate Edit <aggregate name> Set member <phase1 name 1> <phase1 name 2> Next End
FortiOS architecture (pic) (4 layers)
Configuration layer User space Kernel Hardware
IBGP config for HUB (pic) (5)
Configure AS Configure a neighbor group and set the remote AS the same Within the neighbor group configure the hub as a route reflector Configure a neighbor range with a prefix that includes all of the spokes Configure the local networks behind the hub to be advertised to the spokes
IBGP config for spoke (pic) (3)
Configure the AS Configure the neighbor as the hub IP and set the same remote AS Configure the network prefixes (local subnets) to be advertised over BGP
If fortigate is connecting through a web proxy what needs to be done to reach fortiguard
Configure the connection through the web proxy with the command: Config system autoupdate tunneling Set status {enable | disable} Set address <proxy ip> Set port <proxy port> Set username <user> Set password <pass> End
If you are using IBGP with ADVPN what must you configure on the hub so that routes learned from one spoke are forwarded to the other spokes
Configure the hub as a route reflector with command Set route-reflector-client enable
Basic fortiGate OSPF config. What to configure and commands
Configure the router ID, define OSPF area, select networks to enable OSPF on config router ospf Set router-id 0.0.0.1 Config area Edit 0.0.0.0 Next End Config network Edit 1 Set prefix 192.168.1.0 255.255.255.0 Set area 0.0.0.0 Next End
Auto-discovery-sender
Configured on HUB. Tells the fortigate that when IPSec traffic transits the hub it should send a shortcut offer to the initiator of the traffic to indicate that it could perhaps establish a shortcut
Auto-discovery-receiver
Configured on the spoke. Indicates that this IPsec tunnel wants to participate in ADVPN and receive shortcut offers
Two modes AV system operates in
Conserve and non conserve
What feature is useful when troubleshooting unexpected restarts and devices that randomly become unresponsive
Console logging so console logs are stored in flash memory
Summary link advertisement (type 3) OSPF LSA type
Contain summarized link state information. Advertised only by ABRs See pic
What is the checksum zone in command diag sys ha checksum show and what is debugzone
Contains the checksum of the configuration that is actually running in the device Where Configuration changes are first stored before applying them to the running configuration
Management layers of fortimanager (pic)
Contains the device manager management module and the ADOM layer (policy and object, AP, Switch, VPN manager) system settings and fortiguard and then a fortianalyzer mode for log view, incidents and events, SOC, reports
What is the OSPF tree
Contains the shortest path from the local router to every other router and network. It gives the best route to each destination and the router injects these routes into its routing table
In a proxy based policy how are inspection profiles ordered
Content inspection happens in the following order: VoIP inspection, DLP, Email Filter (Anti-Spam), Web Filtering, AntiVirus, and ICAP.
What processor encrypts and decrypts SSL
Content processor
CP8 and CP9 purpose
Content processors that offload resource intensive tasks from CPU and provide a fast path for traffic inspected by IPS including flow based inspection and proxy based encryption/decryption and AV
FTP control and FTP data port
Control 21 Data 20
What type of channels does SIP use
Control and four data
What does the command do Config IPs global Set intelligent-mode enable
Controls the IPS engines adaptive scanning behavior Enable- (default) using heuristics IPS engine determines when it is secure enough to stop scanning session traffic. It's a balanced method that covers all known exploits
Core of enterprise firewall solution
Core of the solution is security fabric which allows all devices to communicate in network
Metric in OSPF and explain how it works
Cost. This is how the routers choose the best path to a destination Each router interface is associated with an interface cost which is how fast that interface is. An OSPF cost is the sum of all interfaces' costs to the final destination (cumulative bandwidth) Lower cost is better
What type of message is usually generated through the console port when a fgt crashes
Crashdump
Highest Throughout requirements of all firewall roles
DCFW
What type of OSPF packets are Unicast? (2)
DD database description packets exchanged during adjacency LSA retransmission
What kind of firewall role would a fgt deployed in a smaller branch office or remote site
DEFW
Five firewall roles depending on where fortigate is deployed
DEFW (distributed enterprise firewall) CFW (Cloud firewall) NGFW (next generation firewall) DCFW (data center firewall) ISFW (Internal segmentation firewall)
If vpn tunnel is up but traffic can't cross tunnel what command should you use and what does it show (4)
Debug flow of tunnel traffic to see packet arriving Packet being allowed by a firewall policy Packet entering the tunnel Packet being encrypted and sent
What is the default behavior if a fortimanager acting as the FDS goes down
By default include-default-servers is enabled, so the fortigate falls back to the public fortiguard servers unless this option is disabled
What is default session route persistence and how can you modify the default behavior (without SNAT)
Default disable Config system interface Edit <interface> Set preserve-session-route {enable | disable} Enable: sessions passing through the interface continue to pass without being affected by the route change; only new sessions are affected Disable: fortigate flushes all routing information from the session table after a route change and performs new route lookups
What is the route-overlap setting found in phase 2 of IPSec config
Defines what action fortigate will take if two remote subnets are the same. Possible actions include: Use-new (default) disconnect existing dial up and accept new dial up Use-old keep existing and reject new Allow - keep existing and accept new. Traffic will be load balanced between both
If the kernel cannot allocate more memory pages what does it do
Delete the oldest sessions
When configuring filter subnets prefix list, by default traffic that does not match a subnet in the prefix list is....
Denied
Router link advertisement (type 1) OSPF LSA types
Describes the networks connected to a router Advertised by every OSPF router in an area Not advertised outside the area they originate
In multi access network one _____ and one backup ____ are elected
Designated router DR
What does the session table contain and what is the command to see the table and the command to see number of session
Detailed information about every IP connection that crosses or terminates at the fortigate Get sys session status shows the number of sessions Get sys session list shows the session table
Three ways to run CLI scripts from fortimanager
Device database Policy package/ADOM database (Both require using install wizard) remote fortigate directly (CLI)
What bridges the kernel and the hardware
Device drivers
What does the reset_cnt value in the diagnose sys ha dump-by vcluster command show you
Device uptime and how many times the device uptime has been reset with diagnose sys ha reset-uptime
IPSec real-time debug
Diag debug app ike -1 Di de en
Command to enable real time app debug And some apps (daemons) that can be debugged in real time (4)
Diag debug application <app name> <debug level> Di de en ike snmpd sslvpnd authd update
What command can you use to identify how much memory the session table is using or if the fortigate model is too small for the amount of traffic crossing the device and what to do if session memory value is too high
Diag hardware sysinfo slab Look at memory allocated to TCP and IP sessions by multiplying num_obj by objsize If too high get bigger fgt or tune session TTLs
How can you identify if a process is using too much memory so the fortigate doesn't go into conserve mode
Diag sys top
Command to show the state of each process and what the 4 states are
Diag sys top Sleeping (S) Running (R) Do not disturb, i.e. uninterruptible sleep (D) Zombie (Z)
Command to manually kill a process and command to find the process id
Diag sys top (to get the process ID) Diag sys kill <termination signal> <process ID> Use termination signal 9 (SIGKILL)
Command to show how much memory space is being used by each process Displays ID number State CPU use And how can you sort the list by CPU use and memory Use
Diag sys top <refresh time in sec> <num lines> Shift P for CPU Shift M for Mem
Command to filter for specific IKE info when doing a debug
Diag vpn Ike log filter ? Diag vpn ike log filter clear
Command to filter for IPs address of remote peer for IPSEC
Diag vpn Ike log filter dst-addr4
What filter is useful when debugging ADVPN shortcut messages and spoke-to-spoke negotiations
Diag vpn ike log filter mdst-addr <ip.of.hub> <ip.of.spoke> Use this when you need to match multiple IP addresses during the IKE real-time debug
Command to see a summary of fortiguard configuration on fortigate
Diagnose autoupdate status
Command to list all the fortiguard databases and engines installed including version, contract, expiration date, time it was updated and what was happening during last update
Diagnose autoupdate versions
Ike real-time debug and bit mask options
Diagnose debug application Ike <bit mask> Diag debug console timestamp enable -1 shows all options
HA Real-time debug (3)
Diagnose debug application hatalk -1 Diagnose debug application hasync -1 Diagnose debug enable
Command for SIP real time debug (3)
Diagnose debug application im 31 Diagnose debug application sip <debug_level> Diagnose debug enable
Fortiguard real-time debug for AV/IPS update issues
Diagnose debug application update -1 Di de en Execute update-now
How to enable or disable console logging
Diagnose debug comlog <enable | disable>
Command to clear console logging
Diagnose debug comlog clear
Command to display console log settings
Diagnose debug comlog info
Command to read console logging
Diagnose debug comlog read
Option to prepend a timestamp to each debug line
Diagnose debug console timestamp enable
Command to read crash log
Diagnose debug crashlog read
5 steps to debug flow and what is each step (5 commands)
Diagnose debug flow show function-name enable (displays function names) Diagnose debug flow filter <filter> (specify filter) Diagnose debug enable (send output to the console) Diagnose debug flow trace start <count> Diagnose debug flow trace stop
Command to display the list of servers for web filtering and anti spam queries. For each IP the table will show: Round trip delay Server time zone Number of recent consecutive queries without a reply Historical number of queries without a reply (reset with device restarts)
Diagnose debug rating
Real-time web filter debug
Diagnose debug urlfilter src-addr <source ip> Diagnose debug application urlfilter -1 Diagnose debug enable
Command to check policy based route table
Diagnose firewall proute list
Command in CLI to displays receive status information for fortimanager fortiguard (fortimanager)
Diagnose fmupdate FDS-getobject
Command in fortimanager to show fortigate licensing for fortiguard
Diagnose fmupdate dbcontact
Fortimanager command to display the number of web filtering and antispam queries received from fortigate
Diagnose fmupdate fgt-wfas-rate
Fortimanager command to restart the rating service
Diagnose fmupdate service-restart fgd
Command to display details about which updates were installed or will be installed on devices managed by fortimanager (fortimanager command)
Diagnose fmupdate show-dev-object
Command to display update services logs from the fortigate to the fortimanager for fortiguard updates and from fortimanager to fortiguard
Diagnose fmupdate view-linkd-log fds
Command to verify ha virtual MAC
Diagnose hardware deviceinfo nic <interface name>
Command to see if fortigate is in conserve mode
Diagnose hardware sysinfo conserve
Command to show the total amount of sys memory (memtotal) and amount of free memory (memfree)
Diagnose hardware sysinfo memory
Command to display total amount of memory allocated for the I/O cache.
Diagnose hardware sysinfo memory Check "cached"
Command shown to check how much memory is being allocated to kernel slabs
Diagnose hardware sysinfo slab
Real-time BGP debug and how to disable What is some info that will be displayed
Diagnose ip router bgp all enable Diagnose ip router bgp level info Diagnose debug enable Diagnose ip router bgp all disable Diagnose ip router bgp level none Diagnose debug disable All 6 BGP connection states, messages sent back and forth, neighbor statuses changing, Prefixes received from peer, if any prefixes are denied by a filter
Command to stop OSPF real-time debug (DIAG DEBUG RESET DOES NOT STOP IT)
Diagnose ip router ospf all disable
Command to keep ospf debug running even after the execute router clear ospf process is run which restarts ospf
Diagnose ip router z1 enable
Command to check route cache
Diagnose ip rtcache list
Command to sniff HA heartbeat packets for a NAT/route mode cluster
Diagnose sniff packet any "ether proto 0x8890" 4
Sniffer for IKE traffic with no NAT Sniffer for ESP traffic with no NAT
Diagnose sniffer packet <port> 'host <remote gateway> and UDP port 500' Diagnose sniffer packet any 'host <remote gateway> and esp'
Sniffer for IKE and ESP traffic with NAT
Diagnose sniffer packet any 'host <remote gateway> and (UDP port 500 or UDP port 4500)'
Command to sniff traffic from all interfaces
Diagnose sniffer packet any 4
Command to crash system if it has not scheduled any daemon in 10 minutes and will force a crashdump to the console
Diagnose sys NMI-watchdog enable
Command to list the CLI changes pending to be committed in your workspace
Diagnose sys config-transaction show txn-CLI-commands
Command to view information about all the active workspace transactions (from multiple admins) including transaction ID, expiration times, usernames of admin and how and where they are connecting from
Diagnose sys config-transaction show txn-info
Command to show if the current admin is working on a workspace that is pending being committed and the transaction ID
Diagnose sys config-transaction status
How to see the security fabric map
Diagnose sys csf neighbor list
Command to see upstream AND downstream fortigates if the fortigate is not the SF root ( will show serial number, IP, connecting interface and connection status)
Diagnose sys csf upstream Diagnose sys csf downstream
Instead of running the diagnose sys ha checksum show command on all devices what command can you run (give an example in which you wouldn't be able to run this command instead)
Diagnose sys ha checksum cluster If there are communication problems between primary and secondary
Command to verify that all the secondary configurations are synced with the primary configuration
Diagnose sys ha checksum show
Command to see how many times device had it's uptime reset with diagnose sys ha reset-uptime
Diagnose sys ha dump-by vcluster
Command to provide information about past HA events
Diagnose sys ha history read
Command to reset uptime and change primary devices
Diagnose sys ha reset-uptime
Command to display HA stats including heartbeat traffic stats, serial number, HA priority, heartbeat interface IP for primary fortigate
Diagnose sys ha status
Commands to clear sessions that match a filter and why you need to be careful with the commands (3)
Diagnose sys session filter ? (Specify filters) Diagnose sys session filter (check filter is correct) Diagnose sys session clear (clears session) Need to be careful because you can potentially clear out all sessions if you don't specify the correct filters or any filters
Three commands to display detailed information about sessions (what do each commands do)
Diagnose sys session filter clear (Clears previous session filters) Diagnose sys session filter ? <dport, dst, policy, sport, src > (Specifies filter for the session table so the whole table isn't displayed) Diagnose sys session list (Lists entries matching the configured filter)
If session sync is enabled across HA devices how can you check to see which sessions have been synced to the secondary
Diagnose sys session list Look for ha_id=<index> and the synced flag in each session entry
Command to list expected sessions created by the session helpers
Diagnose sys session list expectation
How to see memory tension and ephemeral drops
Diagnose sys session stat
Command to display number of sessions deleted by the kernel to free up memory
Diagnose sys session stat Look for memory tension drop=0
Command to disconnect any active SIP calls
Diagnose sys sip-proxy calls clear
Command to display all active SIP calls
Diagnose sys sip-proxy calls list
Command to diagnose high CPU problems caused by IPS (option 5)
Diagnose test application ipsmonitor ? (lists the options; option 5 toggles IPS engine bypass so you can confirm whether IPS is the cause of the high CPU)
Command to see FQDN and IPs of fortiguard servers available for antivirus and IPS updates
Diagnose test application dnsproxy 7
Command to troubleshoot issues related to web filtering (see pic for all options)
Diagnose test application urlfilter 1
Command to clear phase 1 and why to be careful with it
Diagnose vpn Ike gateway clear <name> If you don't specify a phase 1 name all phase 1s of all tunnels will be cleared
Command to display details about a tunnel Name Version Interface Addresses When phase 1 was created Initiator or responder Proposals Phase 1 lifetimes and DPD etc
Diagnose vpn Ike gateway list (name) <tunnel name>
What is an Ike route and what is the command to see them
Diagnose vpn ike routes list It is a route created based on the network learned through the phase 2 selector. Used when net device is disabled and tunnel search is set to next hop
Command to display current IPSec SA info for all active tunnels
Diagnose vpn tunnel list
Command to list VPN tunnels, and mapping between each remote subnet and phase 1 index to route traffic properly
Diagnose vpn tunnel list [name] <tunnel name>
Command to display SA information for a specific tunnel Name DPD Anti-replay info SA info Hardware offload info
Diagnose vpn tunnel list name < tunnel name>
Command to list the contents of the fortiguard web filtering cache. For each URL the output lists its rating by domain name and by IP address.
Diagnose webfilter fortiguard cache dump
Command to list error counters and other stats related to web filtering: Request timeouts Total requests Requests to fortiguard servers Allowed Blocked Logged Counters for web filtering cache
Diagnose webfilter fortiguard statistics list
What do OSPF routers use to determine the best route to each destination (algorithm that determines cost)
Dijkstra's algorithm (shortest path first)
There are no _____ reads and writes made to hard disks or flash disks. Each one is done through a ____ held in memory called the ______
Direct; cache; system I/O cache
How the the kernel access the ENTIRE memory
Directly
Three flags for packets
Dirty May_dirty Block
Tips in memory optimization (6)
Disable features not required Reduce the maximum file size to inspect (default 10mb) Reduce the fortiguard cache TTL (3600 web 1800 anti spam) Reduce DNS cache (1800) Reduce session TTL (TCP 3600, UDP 180, fw policy 3600, app control, per protocol/port ) Reduce TCP session timers (half close 120, halfopen 10, timewait 1)
Is net-device default enable or disabled
Disabled
By default what is av-failopen-session set to and what will this do to new sessions in conserve mode if kept default
Disabled If disabled when fortigate enters conserve mode fortigate will block NEW sessions
Debug 0
Disabled no output
DEFW
Distributed enterprise firewall Extension of the enterprise network VPN dependent (connects to Corp HQ using vpn) 1Gbps throughput Security for smaller location and branch offices All-in-one security (firewall, app control, vpn, ips, AV)
How are the options of a custom IPS signature divided and how many categories are there
Divided into four categories based on their purpose
How to calculate memory allocated to each kernel slab (2) involves math
Run diag hardware sysinfo slab, then multiply the number of objects allocated to the slab (num_objs) by the object size (objsize) in bytes
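Worked example of this calculation (it also answers the earlier card on checking whether the session table is too large for the model). This is Python added here, not part of the original card set: it parses diagnose hardware sysinfo slab output, computes num_objs * objsize for the tcp_session and ip_session slabs, and compares the total with system memory. The sample output is constructed; the assumption is that FortiOS prints the Linux slabinfo column layout, and the 25% warning fraction is an arbitrary illustration value, not a Fortinet threshold.

```python
import re

# Constructed sample in the Linux slabinfo layout (assumed to match the
# `diagnose hardware sysinfo slab` output on FortiOS; a real dump has more rows).
SAMPLE_SLAB_OUTPUT = """\
slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
tcp_session        181920  182400     640    6    1 : tunables   54   27    8 : slabdata  30400  30400      0
ip_session          29930   30000     512    8    1 : tunables   54   27    8 : slabdata   3750   3750      0
ip_dst_cache         1200    1300     256   16    1 : tunables  120   60    8 : slabdata     81     81      0
buffer_head          5000    5100     104   37    1 : tunables  120   60    8 : slabdata    138    138      0
inode_cache          2300    2400     576    7    1 : tunables   54   27    8 : slabdata    343    343      0
dentry_cache         4800    5000     192   20    1 : tunables  120   60    8 : slabdata    250    250      0
arp_cache             200     256     256   16    1 : tunables  120   60    8 : slabdata     16     16      0
"""

# name, active_objs, num_objs, objsize, objperslab, pagesperslab, then " :"
SLAB_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+:")


def parse_slabs(text):
    """Return {slab_name: (active_objs, num_objs, objsize)} from slabinfo-style text."""
    slabs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("slabinfo", "#")):
            continue  # version banner and column header
        m = SLAB_RE.match(line)
        if m:
            name = m.group(1)
            active, num, size = int(m.group(2)), int(m.group(3)), int(m.group(4))
            slabs[name] = (active, num, size)
    return slabs


def slab_bytes(slabs, name):
    """Memory held by a slab: num_objs * objsize (allocated objects, not just active ones)."""
    _active, num, size = slabs[name]
    return num * size


def top_slabs(slabs, n=3):
    """The n largest slabs by allocated bytes, to see what else competes for memory."""
    return sorted(((slab_bytes(slabs, s), s) for s in slabs), reverse=True)[:n]


def session_memory_report(text, memtotal_bytes, warn_fraction=0.25):
    """Sum the session slabs and flag them against total memory.

    memtotal_bytes is what `diagnose hardware sysinfo memory` reports as MemTotal.
    warn_fraction is an illustrative cut-off (assumption), not a vendor threshold.
    """
    slabs = parse_slabs(text)
    session_bytes = sum(
        slab_bytes(slabs, s) for s in ("tcp_session", "ip_session") if s in slabs
    )
    fraction = session_bytes / memtotal_bytes
    return {
        "session_bytes": session_bytes,
        "fraction_of_total": fraction,
        "too_high": fraction >= warn_fraction,
    }


if __name__ == "__main__":
    report = session_memory_report(SAMPLE_SLAB_OUTPUT, 2 * 1024**3)
    print(report)
    print(top_slabs(parse_slabs(SAMPLE_SLAB_OUTPUT)))
```

If the session slabs take a large share of MemTotal, the card's remedy applies: tune session TTLs or move to a larger model.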
IPSec tunnel is up but not passing traffic
Do debug flow and see if a peer is dropping packets or routing incorrectly. Packets may not match quick mode selectors
IPSec tunnel is not coming up
Do real time debug And look for error messages
IPSec tunnel is unstable
Do a real-time IKE debug and look for lost DPD packets, which indicate an ISP (transport) issue
What are some security inspections performed on a packet in the life of the packet and why does it perform security inspections so early on in the processing
DoS checking, RPF checking, and IP integrity header checking. It does this so the fortigate can make sure packets are within acceptable parameters before they move through the rest of the processing
What does command execute router clear BGP all soft do
Does a soft reset between BGP peers and forces them to exchange their complete BGP routing tables
By default fortigate BGP ______ advertise prefixes
Does not
Some downsides of SSL certificate inspection
Does not inspect encrypted traffic If the browser does not support SNI and fortigate obtains an incorrect FQDN from the CN, the wrong filtering could be applied It only works with web filtering and SOME app control signatures
What are application layer test commands for
Don't display information in real time but show statistics and config information about a feature or process. Can also be used to restart a process or execute a change in operation
What filters are available for the command diagnose sys session filter ?
Dport Dst Policy id Sport Src
Why should two or more HA clusters in the Same lan segment (broadcast domain) use different HA group ids
Due to the formula used in creating the virtual MAC addresses 00:09:0f:09:group_id:(vcluster_id+interface_id), the same group ID creates a virtual MAC conflict
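Worked example of the formula, added here and not part of the original deck: Python that builds the virtual MAC for each HA interface and reports any MAC that two clusters on the same segment would both claim. The cluster names, group IDs and interface indexes are constructed inputs; the byte layout (group ID in hex, 0x00 for virtual cluster 1, 0x80 for virtual cluster 2, plus the interface index) is the one the card states.

```python
def virtual_mac(group_id: int, vcluster: int, interface_index: int) -> str:
    """FGCP virtual MAC: 00:09:0f:09:<group_id hex>:<vcluster_id + interface_id>.

    group_id: HA group ID, 0-255, written in hexadecimal.
    vcluster: 1 or 2; vcluster_id is 0x00 for virtual cluster 1, 0x80 for 2.
    interface_index: interface index, kept to 0-127 so it fits under the 0x80 bit.
    """
    if not 0 <= group_id <= 0xFF:
        raise ValueError("group_id must fit in one byte")
    if vcluster not in (1, 2):
        raise ValueError("vcluster must be 1 or 2")
    if not 0 <= interface_index <= 0x7F:
        raise ValueError("interface index must be 0-127")
    vcluster_id = 0x00 if vcluster == 1 else 0x80
    return f"00:09:0f:09:{group_id:02x}:{vcluster_id + interface_index:02x}"


def find_conflicts(clusters):
    """clusters: list of (name, group_id, vcluster, [interface indexes]) sharing one L2 segment.

    Returns {mac: [(cluster name, interface index), ...]} for every virtual MAC
    that more than one cluster would use on that segment.
    """
    owners = {}
    for name, group_id, vcluster, indexes in clusters:
        for idx in indexes:
            owners.setdefault(virtual_mac(group_id, vcluster, idx), []).append((name, idx))
    return {mac: who for mac, who in owners.items() if len({n for n, _ in who}) > 1}


if __name__ == "__main__":
    # Constructed scenario: two clusters on the same broadcast domain.
    same_group = [("cluster-A", 10, 1, [0, 1, 2]), ("cluster-B", 10, 1, [1, 2, 3])]
    fixed = [("cluster-A", 10, 1, [0, 1, 2]), ("cluster-B", 11, 1, [1, 2, 3])]
    print("same group id:", find_conflicts(same_group))
    print("different group ids:", find_conflicts(fixed))
```

Two virtual clusters inside one HA cluster never collide with each other, because the 0x80 bit separates them; two separate clusters with the same group ID on one segment do.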
What two forms can BGP be configured as and what are each
EBGP - advertises routing updates between different ASes IBGP - advertises routing updates within the same AS
What does this command do Config system settings Set auxiliary-session enabled
ECMP traffic is accelerated by the NP6 processor. The kernel creates two sessions in case of a route change: the main session and an auxiliary session
What is listed and How to read the output from the command diagnose webfilter fortiguard cache dump (see pic)
For each URL the output lists its rating by domain name and by IP address. The rating by domain name is the first two digits of the first number (left to right). The rating by IP address is the first two digits of the second number. Both are in hexadecimal
When is an entry in the crashlog generated and what does the entry contain
Each time an application or process crashes or closes. When an app crashes the entry contains the name of the app, the time it crashed, and the termination signal
Since fortigate BGP does not advertise prefixes by default, what two things can you configure to advertise
Either redistribution of routes or use the network command to configure the exact prefixes you want to advertise Command Config router bgp Config network Edit <> Set prefix <prefix>
Debug -1
Enable all possible messaging types
During the evaluation stage of IPS deployment what is a good way to start the initial configuration
Enable one group of signatures at a time and start with the ones that have more priority Analyze the logs and tune the IPS or enable another group Monitor the network for one to two weeks
Config firewall ssl-ssh-profile Edit <profile name> Config http Set SNI-server-cert-check enable What does enable do
Enable: default. If the SNI does not match the CN or SAN fields in the returned server certificate, fortigate uses the CN field instead of the SNI to obtain the FQDN
What is advanced IPS acceleration Config IPS global Set cp-accel-mode advanced
Enabled enhanced acceleration which can offload more types of signatures than basic mode
What proxy tasks do the content processors accelerate
Encryption/decryption and antivirus
Name some security checks under SF ratinf
Enforcing password security Applying recommended login attempt thresholds Encouraging 2FA
ESP
Ensures data integrity and encryption
Fortimanager header and footer policy packages
Envelope each ADOMs policies
When does the fortigate reach out to fortiguard for the pull method
Every two hours, to check for and download any new version of the AV or IPS databases and engines, using port 443
Command to abort configuration changes made in workspace mode so that no changes are made to the current configuration
Execute config-transaction abort
Command to commit configuration changes made in workspace mode so that the changes are available for all other processes in the kernel
Execute config-transaction commit
Command to start workspace mode
Execute config-transaction start
Command to list index numbers for each member in HA cluster Command to connect to a secondary CLI from the primary CLI
Execute ha manage ? <id > <0 or 1> subsidiary unit Exec ha manage <index> <admin username>
Command to restart a BGP session between two peers and force them to establish BGP peering again
Execute router clear BGP <option> <in | in prefix-filter | out> All As Ip Etc
Command to restart OSPF process
Execute router clear ospf process
What is Xauth for IPSec and what phase is it
Extended authentication can be used as an additional level of authentication. When used, one side must provide credentials (user and pass) in order to authenticate. It happens after phase 1 and before phase 2 (phase 1.5)
EGP
Exterior Gateway Protocol; protocol for communication between Autonomous Systems.
What does the secondary try to sync with the primary first, when it joins an HA cluster What does it sync second Where would you see this communication
External files which include the fortiguard database and digital certificates After it syncs the configuration If you console into the secondary console port when it joins HA cluster
What three memory thresholds can you configure in the CLI for conserve mode
Extreme - when fortigate starts dropping new sessions Red - when fortigate enters conserve mode Green - when fortigate exits conserve mode
What is configuration sync for SF
FAZ And fmg config on the root fortigate will be pushed down to the other fortigates
What protocol does fortigate use for HA communication and where does it travel
FGCP fortigate clustering protocol and travels among the clustered fortigates over the links designated as heartbeat interfaces
How is CLI scripting run from fortigate to fortimanager ...via? What about TCL?
FGFM tunnel TCL runs over SSH
What compliance policies are used for the SF rating (2)
FSBP or PCI compliance
What are some endpoint/identity external connectors
FSSO agent on windows ad Symantec endpoint protection Poll active directory server RADIUS single sign on Exchange server
Two protocols that require a session helper in a NAT environment
FTP and SIP Also PPTP, H323, RSH
True or false. Rip supports VRFs
False
True or false. Session sync is enabled across HA members by default
False it's disabled by default
True or false SF is required to use stitches
False, not required. But you can use stitches to detect events from any source in the SF and apply actions to any destination
True or false. Fortigate decrypts traffic when the SSL certificate inspection profile is applied
False. With SSL certificate inspection fortigate won't encrypt or decrypt
Two RPF check modes (which is default)
Feasible path (was called loose) and strict Feasible is the default
Scanunitd
File scanning process
What can you do to optimize IPS configuration
Fine tune it. Create profiles specific to the type of traffic being inspected. You don't need Solaris and Linux profiles for traffic to/from Windows machines
Aside from the IPSec config what else is required to allow IPSec traffic to flow from spoke to hub, hub to spoke, and spoke through hub to spoke
Firewall policy
Are policies using proxy based inspection profiles offloaded?
Firewall sessions that include proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU
Explain the routing table (pic)
First column shows route source Second shows destination network [x/y] X shows distance and y shows metric
Describe the logic of the routing modules and which table the fortigate checks its routes against first (pic)
First, fortigate checks the policy routes. If traffic matches a policy route and the action is forward traffic, then the fgt will route packets according to the policy route. If the action is stop policy routing, the fgt will check the next table. Next, the fgt will check the route cache. If there is a route it will route packets, and if not it will move on to the next. Finally, fortigate searches the FIB (forwarding information base), which is generated by the routing process and is the table used for packet forwarding.
What custom IPS signature keyword options can only be used once
Flow Service
Is IPS flow based or proxy based
Flow only
Why do the clients in a cluster communicate with the RR and who does the RR communicate with
For routing updates The RR communicates with other RRs and BRs
Why does net device need to be enabled on the spokes when doing ADVPN
For the creation of the on demand tunnels between spokes
If checksums in the debugzone and checksum zones do not match what can you do and how
Force a recalculate with command Diagnose sys ha checksum recalculate [vdom name | global]
What consolidated OS does the fortinet solution offer
FortiOS
What is gateway revalidation and what three scenarios does it apply to
FortiOS can switch to a different phase 1 if it initially selected the wrong one Ikev1 with certificate authentication Ikev2 with preshared authentication Ikev2 with certificate authentication
What does the root fortigate use to send topology info about the SF to fortianalzyer
Fortianalyzer API
How does fortigate learn about remote networks if net-device is disabled and tunnel-search is set to next hop
Fortigate DOES NOT use quick mode selectors to learn about remote networks and will use a dynamic routing protocol configured to run over the IPSec tunnels. It uses the dynamic routing protocol in combination with the remote IPs learned through IKE messages
How does full ssl inspection work
Fortigate acts as a man in the middle proxy. It maintains two separate ssl sessions: client to fortigate and fortigate to server. The fortigate encrypts and decrypts packets using its own keys, which is how it can fully inspect all data inside the encrypted packets
Strict RPF mode and example (pic)
Fortigate checks that the best route to the source IP address is through the incoming interface. Route not only has to be active but has to be the best.
Web filter order of inspection (4)
Fortigate checks: the static URL filter list Then Fortiguard categories Then web content filtering lists Final executes advanced options such as manipulation of HTTP headers
How does fortiguard web filtering and anti spam work (steps) (6)
Fortigate contacts the DNS server to resolve the fortiguard service name with a DNS A record lookup (4 different) Fortigate gets a list of IPs for server (2-3) that can be contacted to validate the fortiguard license Fortigate contacts one of those servers to check the license and obtains a list of servers that can be used to submit web filtering and anti spam rating queries Fortigate gets the list of server Fortigate starts sending rating queries to one of the servers in the list (it chooses server certain way) If the chosen server does not reply in two seconds it will contact the next server on the list
Fortiguard AV/IPS push method (4)
Fortigate contacts the DNS server to resolve the name by submitting a DNS A record lookup for update.fortiguard.net Fortigate gets a list of server IPs that can be contacted Fortigate registers its public IP address in fortiguard Fortiguard notifies fortigate every time there are new updates and fortigate will proceed to download the updates.
Fortiguard AV/IPS pull method (4)
Fortigate contacts the DNS server to resolve the name by submitting a DNS A record lookup for update.fortiguard.net Fortigate gets a list of server IPs that can be contacted Fortigate periodically connects to one of the servers to check for pending updates If there is an update fortigate downloads the update
What happens if net-device is disabled for phase 1 interface config
Fortigate creates a single interface for all dial up clients, and the tunnel-search setting determines how fortigate learns networks behind each remote client
What is created automatically when an automation stitch is triggered
Fortigate creates an event log in Log & report > system events
What must you specify when configuring an automation stitch (4)
Fortigate device Trigger Action Minimum interval
Config firewall ssl-ssh-profile Edit <profile name> Config http Set SNI-server-cert-check disable What does disable do
Fortigate does not check the SNI
When is a session flagged as may_dirty
Fortigate evaluates if traffic should or should not be allowed on the first packet based on the firewall policies. If the first packet is allowed by the firewall policy, the fortigate creates a session and the session is flagged (may_dirty)
Steps of the fortiguard weight calculation (how fortigate selects the server to send rating requests to)
Fortigate initially uses the delta (basically the difference, i.e. +4) between the server's time zone and the fortigate's system time zone, multiplied by 10. This is the server's initial weight, and the weight is not allowed to drop below the initial weight to prevent the possibility of using a remote server. Weight goes up with each packet lost. Weight goes down over time if no packets are lost. Fortigate uses the server with the lowest weight as the one for the rating queries. If two or more servers have the same weight, the one with the lowest RTT (round trip delay) is used
How does SSL certificate inspection work by default
Fortigate inspects the initial unencrypted SSL handshake. If the SNI (server name indication) field exists in the client certificate, fortigate uses it to obtain the FQDN to rate the site. If the SNI isn't present, fortigate retrieves the FQDN from the CN and SAN fields of the server's certificate. If the domain in the SNI field does not match the domains listed in the Server certificate field it will use the CN field
What does fortigate inspect in SSL certificate inspection
Fortigate inspects the unencrypted SSL handshake
If a failover happens in HA cluster what is the best tool to get information about the failover
Fortigate logs (should be on secondary if primary failed)
What does fortigate do when Av-session-failopen is enabled
Fortigate will apply the action configured in Av-failopen
How is the IPS signature database updated
Fortiguard
What data is used to provide customer ratings for SF security rating
Fortiguard
Where to see the list of all managed fortigate devices, their last update time, and their statuses in fortimanager. What are the five possible statuses and what does each mean. Up to Date Never Updated Pending Problem Unknown
Fortiguard > Package management > service status 1) latest package has been received by fortigate 2) the device has never requested or received the package 3) the fortigate device has an older version of the package for an acceptable reason (pending scheduled update) 4) the fortigate device missed the scheduled query or did not correctly receive the latest package 5) the fortigate device status is not currently known
Where in the GUI in fortimanager can you see the status of fortiguard licensing for all fortigate devices
Fortiguard > licensing status
Where are the antivirus and IPS signature packages managed in the fortimanager GUI
Fortiguard > package management
Where can you change the version of an AV or IPS package to be deployed to a fortigate in fortimanager
Fortiguard > package management
Where can you see the databases received from fortiguard by the fortimanager for the rating services
Fortiguard > query server management > receive status
What are some threat feed external connectors
Fortiguard category IP address Domain name Malware hash
FDN and what it does. What does it provide updates and rating services for (10)
Fortiguard distribution network provides fortiguard servers for your fortimanager system and its managed fortigate devices and forticlient agents. It provides updates and rating services for: Antivirus IPS Web filtering Anti spam Application control Vulnerability scanning IP reputation Web security Database security Geographic IP addresses
See pic. Where were the networks advertised over the vpn tunnels configured on
Fortimanager
Single pane of glass management through which solution
Fortimanager
What does fortinet recommend for centralized management of fortigate devices and access devices in the SF
Fortimanager
Route priority
Fortinet proprietary feature specific to static routes
What protocol must be enabled bidirectionally on all fortigates in the security fabric
Fortitelemetry
How many data channels does SIP use
Four data channels Two for each traffic direction are required for each call
Fssod
Fsso process
Three types of fortimanager vpn manager vpn communities
Full mesh Star Dial up
Tips for creating custom signatures (4)
Gather as many samples of traffic as possible Protocol related patterns are obvious Identify payload related patterns in captures Use payload related and special options to ensure the least number of false positive or negative matches
What is the FIB
Generated by the routing table and is used for packet forwarding. Routing table purpose is management and the FIBs purpose is forwarding.
Command to show detailed information about each BGP neighbor including peer IP, peer router ID, remote AS, BGP state, timers, message counters. Also shows number of prefixes announced and accepted
Get router info BGP neighbors
Command to display the routes advertised by a neighbor
Get router info BGP neighbors <route advertised by neighbor> route
Command to see local router ID, BGP table version, remote networks learned by BGP and next hops
Get router info BGP network
Command to get an overview of BGP status and the status of all of its neighbors. Shows local router ID and AS; for neighbors: AS, packet counters and up time
Get router info BGP summary
Command to provide a summary of all the LSDB entries on fortigate ordered by LSAs Shows router with ID, area, router link states (type 1 LSA), network link states (Type 2 LSA), AS external link (type 5 LSAs)
Get router info OSPF database brief
Command to show details about OSPF LSA type 1 Shows LS age Flags Ls type Advertising router Number of links Shows DR address and router interface address
Get router info OSPF database router LSA
Command that shows self originating LSAs on the fortigate
Get router info OSPF database self-originate
Command to display OSPF information about each interface details include: Network type Router id if it is DR and BDR Dr and BDR IP address Number of adjacencies and traffic stats Timers
Get router info OSPF interface
Command to show the summary of the statuses of all the OSPF neighbors. Displays the adjacency stats and if it is a DR, BDR, or drother
Get router info OSPF neighbor
Command to get details about the prefixes the local router is advertising. Also has status codes associated with a routing entry. For each prefix it displays the next hop ip, local preference, weight, AS path
Get router info bgp neighbors <advertised prefix by local fortigate> advertise
Command that shows the FIB
Get router info kernel
Command to check FIB
Get router info kernel
Command to provide detailed information about the OSPF process such as routing process, area, timers, adjacent neighbor count, LSAs, checksum etc
Get router info ospf status
Command to show all active route in the routing table (Installed routes in the RIB)
Get router info routing-table all
Commands to check routing table
Get router info routing-table all
What command is equivalent of the routing monitor
Get router info routing-table all
Command to display both installed (active) and non-installed (inactive) routes
Get router info routing-table database
Command to display: Ha health status Cluster uptime Criteria used to select the master unit Override status Status of the monitored interfaces Status of the ha ping servers
Get sys ha status
List the session table and what info does it contain (5)
Get sys session list Protocol Source IP Destination IP Port Expiration
How many sessions are in the current vdom? Command
Get sys session status
How to make sure web filtering isn't globally disabled
Get system fortiguard Webfilter-force-off: disable (default and means it's enabled globally)
Command to see resource usage including overall memory and CPU use, session creation rate, number of viruses caught, number of attacks blocked by IPS, sys uptime and quick view on how much traffic the device is handling
Get system performance status
Command to show firmware version, FGDB version, license status, operation mode, number of VDOMs, system time, etc. Should be the first command in troubleshooting
Get system status
Command to provide global overall counters related to all VPNs currently active Number of tunnels currently active Selectors
Get vpn IPSec stats tunnel
Command to view detailed information for active IPSEC tunnels Phase 1 details Quick mode selectors Tunnel MTU Phase 2 SAs for each directions Hardware acceleration
Get vpn IPSec tunnel details
Command to provide summary info about IPSec VPN tunnel (2) Name Ip Selectors Rx/tx Name Remote gateway Quick mode selectors Status Timeout
Get vpn IPSec tunnel summary Get IPSec tunnel list
CLI command to check web filter categories and numerical values
Get webfilter categories
You just changed fortiguard contact and do not see change on fortigate
Give it 2-24 hours for the change to sync on all of the fortiguard servers
Three fortimanager management layers and what are some things included in each layer
Global ADOM layer (Global objects, all header and footer policies) ADOM layer (Common object database, devices, device groups, policy packages) Device manager layer (Name and type of managed devices, their IP addresses, revision history and real time status, firmware version, etc)
What level is session handling configured at
Global unless the check-policy-option setting is enabled then it is configured at policy level too
Four places where you can reduce session TTL
Globally for all traffic On IP protocol and port basis Each firewall policy Application control profile
After a failover how does the new primary notify the network that the virtual MAC is available through a new switch port
Gratuitous arp
What utility can you use with the command get sys session list to filter for specific IP
Grep
What protocols does the UTM proxy handle (6)
HTTP, SMTP, POP3, IMAP, FTP, and NNTP
What website lets you test webfilter/fullssl/certssl on web categories
https://fortiguard.com/webfilter/categories
Hatalk, hasync
Ha protocol and sync process
tcp-halfclose-timer tcp-halfopen-timer tcp-timewait-timer
Halfclose- controls for how long after a FIN packet a session without FIN/ACK remains in the table Halfopen- controls for how long after a SYN packet a session without a SYN/ACK remains Timewait- controls for how long after a FIN/Ack a session remains in a table. A closed session remains in the session table for a few seconds more to allow any out-of-sequence packets
Ipshelper daemon
Handles actions whose results can be shared by different daemons to reduce load
Syntax of custom IPS signatures
Header Option Value Header = F-SBID Option = starts with "--" and keyword/parameter (case insensitive) Value = value of parameter to match signature (case sensitive) Enclosed in parentheses
Fortimanager management module (pic) top down (software architecture)
Header and footer policies are part of the global object database and envelope each ADOM's policies. Objects and policies in each ADOM share a common object database and policy folders. You can create, import from, and install policy packages on many devices at once. In the device manager layer you can configure and install device settings for each device. Fortimanager compares the current device config with what is stored in the device database and creates a new revision automatically in fortimanager if the change is made on the fortigate. Managed devices communicate with fortimanager through imports and retrieves
What is FGCP responsible for (5)
Heartbeats Discover other fortigates in same HA group Elect the primary Synchronize data Detect when a unit fails
If net-device is disabled what does the tunnel-search option selector do
Help fortigate determine what networks are behind each remote client. If tunnel-search is set to selectors, fortigate uses the destination subnets of the quick mode selectors to populate the routing table with info about remote networks
What are route reflectors RR
Help reduce the number of IBGP sessions inside an AS. A RR forwards the routes learned from one peer to the other peers. If you configure RRs you don't need to create full mesh IBGP network. RRs pass the routing updates to other RRs and border routers within the AS
Besides session syncing what else can cause heartbeat issues for HA (1)
High CPU
How is a designated router in OSPF network elected (2)
Highest router priority wins Highest router ID wins
Diag debug flow trace start <number>
How many debug messages to show
What is the fortiguard weight calculation
How the fortigate selects the server to send the rating requests to
How can you verify which category a specific website belongs to
http://fortiguard.com/webfilter
How to use the webfilter category numerical values to see if a category is blocked or allowed
http://wfurltest.com.fortiguard.com/wftest/<wf_category_id_here>.html
What is the base topology of ADVPN
Hub and spoke
The output of diagnose debug rating shows flags besides some servers what do the flags mean? I D S T F
I = initial: server contacted to request contact information and updates D = default: IP addresses of servers received from DNS resolution of service.fortiguard.net S = serving: IP addresses of servers received from fortimanager T = timing: actively timing this connection; the server remains in this state for 15 seconds (default) before being considered as failed F = failed: server connection failed; fortigate pings every 15 minutes to check if the server has come back
What type of BGP is being used: Config router bgp Set as 65100 Set router-ID 172.16.1.3 Config neighbor Edit "17.16.1.1" Set remote-as 65100 Next End Config network Edit 1 Set prefix 10.1.0.0 255.255.255.0 Next End End
IBGP, because the local AS and remote AS are the same
Protocol 1
ICMP
What protocol in IPSec negotiates the private keys authentications and encryptions (SAs)
IKE
Two most used protocols in IPsec
IKE ESP
What three modes does fortigate support for automatically configuring IP settings of IPSec clients
IKE mode config DHCP over IPSec L2TP over IPSec
Level 1-6 sniffer verbosity and 4 viewable options
IP headers IP payload Ethernet headers Port names
What handles flow based inspection (AV engine handles proxy based inspection )
IPS engine handles flow based inspection
What is IPS fail-open
IPS fail open governs fortigate behavior for flow based inspection while in conserve mode
What is a cause of frequent IPS fail open events
IPS is not able to keep up with traffic demands
Iked
IPSec process
Ike routes and how to display them
IPSec routes learned from the traffic selectors of the IPSec SA negotiation. Diagnose vpn Ike routes list
What does command do Config IPs global Set intelligent-mode disable
IPS engine scans every byte in every session
DPD packets being lost shown in real time debug
ISP issues
What are the 3 common causes for most issues related to fortiguard web filtering and antispam and how can you resolve them
ISPs. Some ISPs block traffic on port 53 that is not DNS or that contains large packets; in that case the solution is to switch fortiguard traffic from 53 to 8888. If the ISP or an upstream firewall blocks 8888, use 53. Or the ISP will block traffic based on source ports; change the source port range with the command: Config sys global Set ip-src-port-range 1031-4999 End
BGP connection states (6)
Idle: initial state Connect: waiting for successful three way handshake Active: unable to establish the TCP session Opensent: waiting for an OPEN message from the peer OpenConfirm: Waiting for the keepalive message from the peer Established: peers have successfully exchanged OPEN and keepalive messages
Under the phase 1 interface config for IPSec what does the command net-device enable do for dial up responders
If enabled fortigate creates separate virtual interfaces for each dial up client It uses the destination subnets in the quick mode selector and names the tunnel based on phase1name_index
Describe the behavior based on this command: Config IPS global Set fail-open enable
If fortigate goes into conserve mode and the policy is using UTM with flow based inspection mode then the IPS engine will not perform any scan and will allow new packets
Crashlog entries are normal. When would a crashlog entry be considered suspicious (example?)
If it happens at the same time as a failure in a fortigate feature or abnormal behavior of the fortigate. For example, a crashlog entry that is generated when the device unexpectedly restarts might provide information about the cause. Or, i.e., a crash in the SSLVPNd when all SSL users disconnect.
When is an IO cache page labeled as active and when is it labeled as inactive
If it has been recently used or modified. Enters the inactive state after it has not been used for some time
Why would a route be listed in the routing database and not the RIB besides being inactive example
If it is not the best route, such as if there is another route with a lower distance; or if there are two default routes, one static and one BGP, the static would be put into the RIB
Config firewall ssl-ssh-profile Edit <profile name> Config http Set SNI-server-cert-check strict What does strict do
If the SNI does not match the CN or SAN fields in the returned server's certificate, fortigate closes the connection
When is advanced mode available for the CP chips
If the fortigate model has two or more CP8s or one or more CP9
When would a firewall session flagged as may_dirty be also flagged as dirty (2 flags) when would the second flag be removed in this instance
If there is a change in the policy configuration and sessions need to be reevaluated against the policy change, the dirty flag is added. If the session is still allowed the dirty flag is removed and may_dirty is kept
What exception is there to the two route lookups performed on a session (originator and responder)
If there is a route change routing information is flushed from the affected entries in the session table and a new route lookup is performed to repopulate the session table
When should you disable add-route for IPSec interface config
If you are using a dynamic routing protocol over IPSec and do not want fortigate to automatically add routes
How can you tell from a debug flow if proxy based inspection is being used
If you see msg="send to application layer" in the debug flow, proxy based inspection is being used
When should you turn off add-route for IPSec config
If you're configuring IPSec with a dynamic routing protocol (or ADVPN)
What daemon handles IPSec connections
Ike daemon
What is a Link state update
In OSPF link state updates are sent to and from OSPF routers to share LSAs. It consists of a OSPF headers and string of LSAs. The LSAs are then used to populate the LSDB
Where are workspace mode changes made
In a local CLI process not viewable by other processes
If a fortigate has multiple dial up VPNs, using preshared keys, and sharing the same local gateway, proposal, and DH group, how must one of the tunnels be configured, or else what would happen?
In aggressive mode with different peers ID If not then the second tunnel would never be matched
Is it normal to see multiple instances of the ipsengine daemon running
In some fortigate models
When are security audits running
In the background when an admin is logged into GUI
Where can IPS fail open event details be seen and what is the command to see them
In the crash log Diagnose debug crashlog read
What are the NPU_flags for IPSec SAs? Npu_flag= 00 Npu_flag= 01 Npu_flag= 02 Npu_flag= 03 Npu_flag= 20
Indicates offloading status in the diagnose vpn tunnel list command and session table Npu_flag= 00 both IPSec SAs loaded to kernel Npu_flag= 01 outbound IPSec SA copied to NPU Npu_flag= 02 inbound IPSec SA copied to NPU Npu_flag= 03 outbound and inbound IPSec SAs copied to NPU Npu_flag= 20 unsupported cipher or HMAC, cannot be offloaded
Describe life of a packet for a FGT without network processor
Ingress: All packets accepted by a FortiGate pass through a network interface and are processed by the TCP/IP stack. Then, if DoS policies have been configured, the packet must pass through these as well as automatic IP integrity header checking. DoS scans are handled very early in the life of the packet to determine whether the traffic is valid or is part of a DoS attack. The DoS module inspects all traffic flows but only tracks packets that can be used for DoS attacks (for example, TCP SYN packets), to ensure they are within the permitted parameters. Suspected DoS attacks are blocked; other packets are allowed. IP integrity header checking reads the packet headers to verify if the packet is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification that is done at this step is to ensure that the protocol header is the correct length. If it is, the packet is allowed to carry on to the next step. If not, the packet is dropped. Incoming IPsec packets that match configured IPsec tunnels on the FortiGate are decrypted after header checking is done. If the packet is an IPsec packet, the IPsec engine attempts to decrypt it. If the IPsec engine can apply the correct encryption keys and decrypt the packet, the unencrypted packet is sent to the next step. Non-IPsec traffic and IPsec traffic that cannot be decrypted passes on to the next step without being affected. IPsec VPN decryption is offloaded to and accelerated by CP8 or CP9 processors.
Admission control: Admission control checks to make sure the packet is not from a source or headed to a destination on the quarantine list. If configured, admission control then imposes FortiTelemetry protection that requires a device to have FortiClient installed before allowing packets from it. Admission control can also impose captive portal authentication on ingress traffic.
Kernel: Once a packet makes it through all of the ingress steps, the FortiOS kernel performs the following checks to determine what happens to the packet next.
Destination NAT: Destination NAT checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the internet that is going to be directed to a server on a network behind the FortiGate. DNAT means the actual address of the internal network is hidden from the internet. This step determines whether a route to the destination address actually exists. DNAT must take place before routing so that the FortiGate can route packets to the correct destination.
Routing (including SD-WAN): Routing uses the routing table to determine the interface to be used by the packet as it leaves the FortiGate. Routing also distinguishes between local traffic and forwarded traffic. Firewall policies are matched with packets depending on the source and destination interface used by the packet. The source interface is known when the packet is received and the destination interface is determined by routing. SD-WAN is a special application of routing that provides route selection, load balancing, and failover among two or more routes. SD-WAN also supports using the Internet Services Database (ISDB) and Application Control to select a route in the following way: SD-WAN uses Application Control to compare the first packet of a new session against the layer 4 ISDB. If Application Control can identify the new session as a known application, SD-WAN is applied to the session according to the matching SD-WAN rule. SD-WAN then routes all of the packets in the session according to the selected SD-WAN rule. If Application Control cannot match a new session with an application in the layer 4 ISDB, the implicit SD-WAN rule is applied to the session. As the session is being processed by the implicit SD-WAN rule, layer 7 Application Control attempts to identify the application. If the application can be identified, the ISDB is extended by adding a layer 4 match record for the application to the ISDB cache. New sessions can then be matched and routed by SD-WAN using both the ISDB and the ISDB cache.
Stateful inspection/policy lookup/session management: Stateful inspection looks at the first packet of a session and looks in the policy table to make a security decision about the entire session. Stateful inspection looks at packet TCP SYN and FIN flags to identify the start and end of a session, the source/destination IP, source/destination port and protocol. Other checks are also performed on the packet payload and sequence numbers to verify it as a valid session and that the data is not corrupted or poorly formed. When the first packet of a session is matched in the policy table, stateful inspection adds information about the session to its session table. So when subsequent packets are received for the same session, stateful inspection can determine how to handle them by looking them up in the session table (which is more efficient than looking them up in the policy table). Stateful inspection makes the decision to drop or allow a session and apply security features to it based on what is found in the first packet of the session. Then all subsequent packets in the same session are processed in the same way. When the final packet in the session is processed, the session is removed from the session table. Stateful inspection also has a session idle timeout that removes sessions from the session table that have been idle for the length of the timeout. See the Stateful Firewall Wikipedia article (https://en.wikipedia.org/wiki/Stateful_firewall) for an excellent description of stateful inspection.
Session helpers: Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall. FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall. FortiOS includes the following session helpers: PPTP H323 RAS TNS TFTP RTSP FTP MMS PMAP SIP DNS-UDP RSH DCERPC MGCP
User authentication: User authentication added to security policies is handled by the stateful inspection, which is why firewall authentication is based on IP address. Authentication takes place after policy lookup selects a policy that includes authentication.
Device identification: Device identification is applied if required by the matching policy.
SSL VPN: Local SSL VPN traffic is treated like special management traffic as determined by the SSL VPN destination port. Packets are decrypted and are routed to an SSL VPN interface. Policy lookup is then used to control how packets are forwarded to their destination outside the FortiGate. SSL encryption and decryption is offloaded to and accelerated by CP8 or CP9 processors.
Local management traffic: Local management traffic terminates at a FortiGate interface. This can be any FortiGate interface including dedicated management interfaces. In multiple VDOM mode local management traffic terminates at the management interface. In transparent mode, local management traffic terminates at the management IP address. Local management traffic includes administrative access, some routing protocol communication, central management from FortiManager, communication with the FortiGuard network and so on. Management traffic is allowed or blocked according to the Local In Policy list, which lists all management protocols and their access control settings. You configure local management access indirectly by configuring administrative access and so on. Management traffic is processed by applications such as the web server which displays the FortiOS GUI, the SSH server for the CLI or the FortiGuard server to handle local FortiGuard database updates or FortiGuard Web Filtering URL lookups. Local management traffic is not involved in subsequent stateful inspection steps. SSL VPN traffic terminates at a FortiGate interface similar to local management traffic. However, SSL VPN traffic uses a different destination port number than administrative HTTPS traffic and can thus be detected and handled differently.
UTM/NGFW: If the policy matching the packet includes security profiles, then the packet is subject to Unified Threat Management (UTM)/Next Generation Firewall (NGFW) processing. UTM/NGFW processing depends on the inspection mode of the security policy: flow-based (single pass architecture) or proxy-based. Proxy-based processing can include explicit or transparent web proxy traffic. Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors. Single pass flow-based UTM/NGFW inspection identifies and blocks security threats in real time as they are identified, using single-pass Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats. Packets are then subject to botnet checking to make sure they are not destined for known botnet addresses. Proxy-based UTM/NGFW inspection can apply both flow-based and proxy-based inspection. Packets initially encounter the IPS engine, which can apply single-pass flow-based IPS and Application Control (as configured). The packets are then sent to the proxy for proxy-based inspection. Proxy-based inspection can apply VoIP inspection, DLP, Email Filter (Anti-Spam), Web Filtering, Antivirus, and ICAP. Explicit web proxy inspection is similar to proxy based inspection.
CP9 content processors Most FortiGate models contain Security Processing Unit (SPU) Content Processors (CPs) that accelerate many common resource intensive security related processes. CPs work at the system level with tasks being offloaded to them as determined by the main CPU. Capabilities of the CPs vary by model. Newer FortiGate units include CP9 processors. Older CP versions still in use in currently operating FortiGate models include the CP4, CP5, CP6, and CP8. CP9 capabilities The CP9 content processor provides the following services: Flow-based inspection (IPS, application control etc.) pattern matching acceleration with over 10Gbps throughput IPS pre-scan IPS signature correlation Full match processors High performance VPN bulk data engine IPsec and SSL/TLS protocol processor DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197 MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180 HMAC in accordance with RFC2104/2403/2404 and FIPS198 ESN mode GCM support for NSA "Suite B" (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256 Key Exchange Processor that supports high performance IKE and RSA computation Public key exponentiation engine with hardware CRT support Primary checking for RSA key generation Handshake accelerator with automatic key material generation True Random Number generator Elliptic Curve support for NSA "Suite B" Sub public key engine (PKCE) to support up to 4096 bit operation directly (4k for DH and 8k for RSA with CRT) DLP fingerprint support TTTD (Two-Thresholds-Two-Divisors) content chunking Two thresholds and two divisors are configurable Kernel Traffic is now in the process of exiting the FortiGate. The kernel uses the routing table to forward the packet out the correct exit interface. The kernel also checks the NAT table and determines if the source IP address for outgoing traffic must be changed using SNAT. SNAT is typically applied to traffic from an internal network heading out to the internet. 
SNAT means the actual address of the internal network is hidden from the internet. Egress Before exiting the FortiGate, outgoing packets that are entering an IPsec VPN tunnel are encrypted and encapsulated. IPsec VPN encryption is offloaded to and accelerated by CP8 or CP9 processors. Traffic shaping is then imposed, if configured, followed by WAN Optimization. The packet is then processed by the TCP/IP stack and exits out the egress interface. Ingress packet flow Network Interface TCP/IP stack DoS Policy IP integrity header checking IPsec VPN decryption Admission Control Quarantine FortiTelemetry User Authentication Kernel Destination NAT Routing (including SD-WAN) Stateful inspection/Policy Lookup/Session management Session Helpers User Authentication Device Identification SSL VPN Local Management Traffic UTM/NGFW Flow-based inspection NTurbo IPSA Botnet check Proxy-based inspection Explicit Web Proxy Kernel Forwarding Source NAT (SNAT) Egress packet flow IPsec VPN Encryption Traffic shaping WAN Optimization TCP/IP stack Network Interface
What features can be disabled for WAN optimization?
Inspection of specific protocols (HTTP, FTP, SMTP, POP, IMAP); logging to memory; DHCP server; some IPS signatures. Also, don't have the FortiGate doing antispam if you have FortiMail.
What triggers the VPN negotiation
Interesting traffic
4 OSPF router types, and describe each
Internal router - all connected interfaces belong to the same area; one LSDB and one OSPF tree. Area border router (ABR) - a router with interfaces in multiple areas; one LSDB and one OSPF tree; always connected to the backbone. Backbone router - has at least one interface in the backbone area. Autonomous system boundary router (ASBR) - redistributes non-OSPF routes into the OSPF network.
ISFW
Internal segmentation firewall. Breach containment for attacks that come from inside (zero trust network). 1G-100Gbps throughput. Firewall, app control, web filtering, and IPS (sandbox inspection also). Placed in the access layer. These prevent propagation.
What is contained in the suggested ISAKMP policies
Internet Security Association and Key Management Protocol. Establishes the SA with: encryption keys, authentication algorithm, IPsec protocol (ESP or AH), DH.
What port does ESP use with no NAT and with NAT
IP protocol 50; UDP 4500 with NAT.
Two IPS related daemons
ipsengine, ipshelper
A BGP speaker/peer
Is a router that sends and receives BGP routing information
How to troubleshoot IPS false negatives (4)
Is the database up to date? Is traffic hitting the correct policy or IPS profile? Is IPS using high CPU or memory, or is it crashing? Is the signature action set correctly?
Which is more common: issues with AV/IPS communication to FortiGuard, or issues with web filtering and antispam communication to FortiGuard
Issues with AV/IPS communication to FortiGuard
What does FortiGate do before it sends rating requests to FortiGuard
It checks its local cache, because by default FortiGate caches all the rating results it receives from FortiGuard.
How does FortiAnalyzer generate topology views and IoC
It combines info received from the root FortiGate
Why is it important to disable real-time debugging after using it
It consumes FortiGate resources and can be CPU intensive
If a session is blocked, what is it flagged as and what happens to the session
It is flagged as "block". The session remains in memory until it expires, but all subsequent packets are blocked.
What is a crashdump message in the crashlog
It is generated through the console port when the device crashes. They can provide useful information for Fortinet developers to identify which code triggered the problem.
What to do if packets are getting dropped by the sniffer
It means that not all the traffic that matched the sniffer filter could be captured, so you may need to capture the traffic again using a stricter filter.
What if you see "full/-" for the state when you run the command "get router info ospf neighbor"
It means that the neighbor is in a point-to-point network
How does the root FortiGate use FortiTelemetry, where does it share what it learns, and how does it share it
It uses the network topology information collected from the other FortiGates and forwards it to FortiAnalyzer using the FortiAnalyzer API
What happens if a custom IPS signature doesn't have a service keyword or a port keyword
It will be added to all service trees, including unknown
Why may you not want to sync sessions
It's bandwidth intensive and can interfere with heartbeat traffic and create delays in replies
When is a route shown inactive under get router info routing-table database (3)
Its gateway is detected dead by link monitor; the interface is admin down; the interface has a link down
Steps to troubleshoot a device that freezes
Keep a laptop connected to the console port. If the model has multiple CPUs, enable the NMI watchdog, which will crash the system (diagnose sys nmi/watchdog enable). After the device freezes, push the NMI button with the laptop connected to generate the crash dump (not all models have this).
If a FortiGate model doesn't support console logging and you are experiencing unexpected restarts, what can you do
Keep a laptop connected to the console port and wait until another crash happens to capture the crashdump
What is the heart of FortiOS and explain
Kernel
Five main purposes for which FortiGate allocates memory
Kernel memory slabs, system I/O cache, buffers, shared memory, process memory
What is the IPS signature database used to detect (3)
Known exploits Network errors Anomalies
The topology information interchanged by OSPF peers is contained in ____, which is then populated into the LSDB.
LSAs (link state advertisements).
Each OSPF router in the same area has identical databases called ______, and what do these databases contain
LSDB (link state database). Contains the network topology of the entire OSPF area, delivered in LSAs from other OSPF routers
Typical virus size
Less than 1 MB
OSPF is a ___ state protocol
Link
Each OSPF router in the same area has identical databases called ______ and what do these databases contain
Link state databases that contain the network topology generated by receiving LSAs
If you want to find the category name for a URL in the cache, what commands do you use (2)
List the cache with diagnose webfilter fortiguard cache dump. Convert the ID number from hex to decimal. Then use the command get webfilter categories to find the category name.
MSG= Iprope_in_check() Func=fw_local_in_handler
Local-in policy is blocking management traffic to the FortiGate
Which AS attributes are well-known discretionary, and what does that mean (2)
Local_pref, atomic_aggregate. Well-known discretionary: attributes may or may not be included
In OSPF what routes do the OSPF routers advertise in the LSAs
Locally connected subnets
Common session flags (11) and what each means: log, local, ndr, nds, br, npu, wccp, npd, redir, authed, auth
log - session is being logged; local - session is to/from the local stack; ndr - session will be checked by IPS signature; nds - session will be checked by IPS anomaly; br - session is being bridged (TP mode); npu - session can be offloaded to NPU; wccp - web caching; npd - session cannot be offloaded to NPU; redir - session is being processed by an application layer proxy; authed - session was successfully authenticated; auth - session requires authentication
Where to view OSPF related router events in the GUI
Log and report > events > router events
What two places can you view logs for conserve mode and what will the message be
Log and report > events > system events. Message: kernel enter memory conserve mode
Where to view BGP logging in GUI
Log and report > router events
Why is BGP preferable over OSPF
Lower distance; more control over which routes are advertised and accepted; more scalable; easier to troubleshoot
After you deploy an IPS solution what is it important to do
MONITOR
What would you see if a local in policy was blocking in a debug flow
MSG= Iprope_in_check() Func=fw_local_in_handler
What is the system I/O cache made of, and what size
Made of pages, 4K in size; a disk block is 1K in size
ipsengine daemon
Main type that handles inspection and detection tasks
How to eliminate false positives for IPS events (3)
Make changes to the source or destination; create an exemption; adjust the thresholds (for rate-based signatures)
How to verify if configs are synced on the same device, and how to compare between cluster members, with the command diagnose sys ha checksum show
Make sure the debugzone and checksum zone numbers match. For members, run the same command and compare the checksums.
How can you reduce the number of false positives for an IPS deployment
Make the list of signatures that you set to block small and precise. The list should include the attacks that are most dangerous to critical services.
Two types of gateways for the FortiManager VPN manager, and what is each
Managed gateway and external gateway. Managed gateways are managed by FortiManager in the current ADOM. Devices in a different ADOM or other vendor devices are external gateways.
What VDOM does FortiGuard traffic originate from
Management VDOM (root by default)
In the session table, what does the state flag redir mean (next to the may_dirty and dirty flags)
Means the traffic is inspected in proxy-based mode
What does reducing session TTL do
Memory optimization. Also, the FortiGate will age out idle sessions quicker to increase available memory.
Besides conserve mode, what does the kernel do to free up memory
Memory tension drops: the kernel deletes the oldest sessions
What is the conserve mode trigger based on
Memory use
Backbone area in OSPF
Minimum area in an OSPF network. Area ID 0.0.0.0. All areas must connect to the backbone.
What do you need to configure for a stitch so you don't receive repeat alert notifications about the same event
Minimum interval
diagnose test application _____ options (12)
mm17, smtp, ftpd, pop3, imap, nntp, forticldd, miglogd, urlfilter, ipsmonitor (IPS monitor), ipsengine (IPS sensor), ipldbd (IP load balancing daemon)
What factors are contributing to a borderless network
Mobile workforce; partners accessing your network services; public and private clouds; Internet of Things; BYOD
What is VDOM partitioning
Mode is active-passive. You configure one cluster device as the primary for some VDOMs, and you set the other cluster device as the primary for the other VDOMs. Traffic distribution is controlled by setting the primary for the different VDOMs.
How many options can be used with F-SBID( --KEYWORD VALUE; )
Multiple options can be used if separated by a semicolon: F-SBID( --KEYWORD VALUE; --KEYWORD2 VALUE2; )
For a full mesh VPN config, what is the formula to calculate the number of tunnels
For N sites: N(N-1)/2
Describe the Fortinet end-to-end solution
NAC/Client/AUTH/EDR; AP/Switch/Extender; FortiGate; FortiGate VM/FortiCWP; WEB/mail/CASB/ADC; Analyzer/Sandbox/SIEM/SOAR; Manager/cloud
How many different Ethernet types does FGCP use, and what are the values for each
NAT/Route mode 0x8890; transparent mode 0x8891; 0x8893 for configuration sync
What are the two FortiSPUs
NP and CP
What chip offloads IPsec encryption and decryption
NPU
If you have all flow-based UTM profiles, what handles the packets (minus the exception)
NTurbo. Does not handle three-way handshakes.
Nturbo
NTurbo offloads firewall sessions that include flow-based security profiles to NP7 or NP6 network processors. Without NTurbo, or with NTurbo disabled, all firewall sessions that include flow-based security profiles are processed by the FortiGate CPU. NTurbo also offloads sessions that have interface or DoS policies. NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.
Creating a falling for TCL procedures in fmg
Name the proc and give it a parameter:
#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# " 10]
}
do_cmd "config system interface"
do_cmd "edit port1"
do_cmd "set ip 10.0.1.10 255.255.255.0"
do_cmd "end"
The procedure is called 4 times, and you are able to run each command because you used the $cmd parameter.
What is more difficult to discover IPS false positives or false negatives
Negatives
BGP event logging displays ____? (4)
Neighbor down/up; RIB update; BGP message exchange; errors connecting to neighbors
What type of OSPF events does FortiGate log, and what command is this default behavior enabled under
Neighbor up or down; OSPF message exchange; negotiation errors. config router ospf / set log-neighbour-change enable
What processor encrypts and decrypts for IPsec
Network processor
NP
Network processor NP6
If the IPS fail-open setting is disabled, what happens
New packets might be dropped depending on system load
NGFWs
Next generation firewall. 1G-40Gbps throughput. Deployed for firewall, app control, IPS, AV, and VPN. Can be deployed at the edge or in the core.
Can you apply proxy based UTM to a flow based policy
No
Does FortiOS need to use memory paging
No
Is console logging available on all models
No
Is the preshared key value part of the criteria for responder dial up selection
No
Will all signal numbers generate a crash log
No
Will a FortiGate log a session from another FortiGate in the SF, and why? What exception is there to this rule besides being the first FortiGate
No, and it eliminates repeated logging of a session by multiple FortiGate devices. It will log if it is the first FortiGate that handled the session. Exception: if one of the FortiGates performs NAT, another log will be generated to record NAT details such as translated ports and addresses.
Will FortiGuard work if DNS access is disabled
No, because FortiGate must be able to resolve hostnames: update.fortiguard.net (AV/IPS), service.fortiguard.net (web filtering/AS)
Problem with multiple vendor networks
No central visibility or central management
What scaling limitations are there on a FortiGate with BGP implemented
No hard limits. The only limitation is system memory. The number of neighbors, routes, and policies impacts memory, so the more of them, the more memory is needed.
Does FortiGate perform route redistribution by default
No, it's enabled under the dynamic routing protocol options
IPsec real-time debug error: No matching IPsec selector, drop
No matching IPsec selector, drop: tunnel is up but not passing traffic. Quick mode selector mismatch, or NAT is enabled on the firewall policy.
Can processes access the memory allocated to other processes
No, only to memory allocated to that specific process
Is it common to need to edit the global IPS configuration
No, the default ones work well in most cases
After a route lookup where is routing information written (2)
No the route info is stored in the session table and route cache
Is the objective to load balance bandwidth with active-active mode?
No, the traffic is always sent to the primary first. The objective is to share CPU and memory among devices for traffic inspection.
What routes are considered external in OSPF
Non-OSPF networks. External routes include a directly connected interface not running OSPF, a static route, or a route derived from another routing protocol.
What could cause a short spike in CPU usage by the ipsengine daemon
Normal, and usually caused when the FortiGate has hundreds of policies and profiles, many VDOMs, or a configuration change
NMI button
Not all FortiGates have one, but if the system is frozen you can press this and it will force a crash and generate a crash dump to the console
Are firewall policies needed for the four data channels for SIP
Not if a session helper is being used, since it creates an expected session (pinhole)
For active FTP, does a policy need to exist to allow the incoming FTP data channel from the server to the client
Not if session helpers are used, because they will create a pinhole in the firewall (or expected session)
If a FortiGate receives a packet from a MAC address that belongs to another FortiGate in the Security Fabric (security fabric map), it will ______ that session unless....
Not log. Unless it is the first FortiGate that handled the session in the Security Fabric.
What happens to traffic if using proxy-based UTM on a flow-based policy
NTurbo does not work. All packets for flow-based inspection need to go through the socket buffer and be delivered to IPS. When the socket buffer is full, the event is logged as a fail-open event, and sessionact is used to reflect the fail-open settings.
If a tsformat option is not specified with the sniffer what is shown instead of timestamp
Number of seconds since sniffer started running
How do user space daemons share info
The OS dynamically allocates shared memory
What are the only two dynamic routing protocols that support VRF
OSPF and BGP
OSPF full state
OSPF routers have established adjacency and have identical LSDBs
In a multi access network, full adjacencies are formed between what OSPF routers
OSPF routers will form full adjacencies with the BDR and DR and not each other in order to limit resource utilization
When av-session-failopen is enabled, what options are there for av-failopen and what does each mean
Off - all new sessions that require content inspection are dropped, but existing sessions are processed. Pass - stops inspecting new sessions; inspection is automatically restarted when the FortiGate exits conserve mode. One-shot - similar to pass, but you must manually change the av-failopen setting to restart inspection after the FortiGate exits conserve mode.
Where do you configure a VRF, and what is a configurable value
On an interface; 0-31. Interfaces with matching VRFs are isolated to a VRF instance.
When implementing an RR (route reflector) in BGP, where is configuration done and what command is enabled on the neighbors
On the RR only:
config router bgp
    config neighbor
        edit <neighbor IPv4>
            set route-reflector-client enable
        next
    end
When there is a failover and a switch ignores the gratuitous ARP and continues to send traffic to the failed device, what command should you perform and on what device should you do it
On the failed primary:
config sys ha
    set link-failed-signal enable
end
This will simulate a link failure and shut all non-HA interfaces down for 1 second so the switch clears its MAC table.
Describe how session helpers are needed for SIP in a NAT environment
Once the control channel is up, a SIP phone sends an INVITE packet with its IP address and port numbers for two of the four data channels. The session helper creates two expected sessions (one direction) and translates the private IP inside the INVITE packet to the NATed IP. The remote phone sends an OK packet to the right NATed destination IP. The OK packet includes the IP address and ports for the other two data channels (other direction); the session helper creates two more expected sessions using the information from the OK packet. Four expected pinholes have been created so the four data channels can connect through. Firewall policies are not needed.
How many times does the SF as a whole log a session
Once, by the first FortiGate in the SF, unless passed to an FGT performing NAT
Why would an OSPF router have multiple LSDBs, and what are the pros (3) and cons (2) of this
One for each area. Pros: smaller LSDB tables; impact of a topology change is minimized outside the area (fewer LSAs); routes can be summarized on the area borders. Cons: more complex to troubleshoot; network design considerations.
What signatures should be enabled during evaluation stage of IPS deployment
One group at a time Most critical ones
How many actions can be paired with a trigger for a stitch
One or more
How long does the evaluation process of an IPS deployment take, and why
One to two weeks, because you have to enable one group of signatures at a time and monitor the logs to fine tune, then add additional signatures
When is RPF performed
Only on the first packet when the session is being created (or when there is a route change that requires packets to be reevaluated)
Is the SF an open or closed protocol
Open
REQUIRED option type for custom IPS signature (3)
Options that are required to create a custom signature: --name, --service, --flow. Name is the signature name displayed in the GUI and CLI. Service specifies the session type associated with a packet (HTTP, FTP, etc.). Flow specifies the direction of the detection packet.
PPP (parallel path processing)
PPP uses the firewall policy configuration to choose from a group of parallel options and determine the optimal path for processing a packet. Most FortiOS features are applied through firewall policies, and the features applied determine the path a packet takes.
What happens if packet fails RPF and how could you tell what was going on
Packet is dropped and the debug flow will show the error "reverse path check fail, drop"
What will you see in the crash log if IPS is in fail open
packet_action drop/pass; IPS enter/exit fail open mode. It will be either drop or pass, exit or enter, but it will tell you what is happening.
Difference between pass and one-shot for av-failopen
Pass - stops inspecting new sessions; inspection is automatically restarted when the FortiGate exits conserve mode. One-shot - similar to pass, but you must manually change the av-failopen setting to restart inspection after the FortiGate exits conserve mode.
Use _____ related and _____ options to ensure the least number of false positive or negative matches for custom IPS signatures
Payload and special
How can FortiManager function as a local FDS, what does it get from FGDN, and why is it a benefit
Periodically downloads license information and the FortiGuard databases (IPS/AV/web filtering/AS etc.) from FortiGuard; caches firmware updates for managed devices
What are the modes for phase 1 and 2 of IPsec
Phase 1: main or aggressive. Phase 2: quick mode.
FEC IPsec
Phase 1 setting that, when enabled, adds additional packets with redundant data that the recipient can use to reconstruct any lost packet or any that arrived with errors (increases bandwidth usage)
Types of interfaces that can be configured
Physical, VLAN, IPsec, hardware switch, aggregate
Two options to view SF GUI
Physical and logical
Three types of OSPF networks, and describe each
Point-to-point - a pair of routers connected through a point-to-point link. Broadcast (multicast) - supports more than two attached routers and the sending of a single message to multiple routers (Ethernet). Point-to-multipoint - supports more than two attached routers; does not support multicast.
What are custom local-in policies, and what is the command to view them
Policies for management traffic into the local FortiGate. Not visible in the GUI unless enabled, but when enabled the GUI shows default and not custom policies. show firewall local-in-policy or config firewall local-in-policy
FortiTelemetry
Port 8013. FortiGate uses it to communicate with other FortiGate devices and distribute information about the network topology; it also uses it to integrate with FortiClient.
Which takes precedence? Port monitoring or device priority in selection of primary in HA cluster
Port monitoring
NTurbo
Powered by the NP6 network processor; increases IPS processing performance by distributing the cost of processing to different CPU cores
pppoed
pppoed process (PPPoE daemon)
pptpd, l2tps
PPTP and L2TP protocol processes
What features do NPs offer (4)
Pre-IPS anomaly filtering and logging; packet offloading; link aggregation; IPsec encryption and decryption (IPsec phase 2 and hashing)
What are the two categories of Fortinet IPS signatures, and define each
Predefined signatures - developed by FortiGuard analysts and distributed as part of regular FortiGuard updates. Custom signatures - created by users for specialized applications.
What can you configure, for BGP, to filter prefixes or modify their BGP attributes
Prefix lists and route maps
BGP prefix lists and how to configure them
Prefix lists can be used to filter out the subnets being advertised to and received from each neighbor:
config router prefix-list
    edit filter-subnets
        config rule
            edit <ID>
                set prefix <prefix>
                set action (deny | permit)
config router bgp
    config neighbor
        edit x.x.x.x
            set prefix-list-in filter-subnets
If primary device interface fails where should you check logs (HA)
Primary
wad
Process for WAN optimization, explicit proxy, and proxy-based inspection for HTTP, HTTPS and FTP
cmdbsrv
Process that applies config changes
httpsd
Process that controls GUI access
updated
Process that controls FortiGuard updates
miglogd
Process that controls log collection and automation stitches
ADVPN
Proprietary Fortinet solution based on IKE and IPsec. Provides direct connectivity between all sites by dynamically creating on-demand tunnels between spokes. Benefit of the full mesh topology while providing scalability with minimum configuration.
What do you configure for each managed gateway for the FortiManager VPN manager (4)
Protected subnets (phase 2 local subnet); gateway title (hub, spoke, etc.); interface where the tunnel terminates; advanced settings like peer ID, IKE mode, etc.
UDP session example (pic): describe the highlighted portions
proto_state= ; expire= length of time until the session expires if there is no more traffic; origin-shaper= traffic shaping counters; state= session flags; statistics= received and transmitted packet and byte counters; origin->sink= shows SNAT or DNAT for each direction and the NAT IP address; src_mac= source MAC address of the packet; policy_id= ID number of the matching policy; npu_state/npu_info= counters for hardware
What two modes does web filtering operate in
Proxy and flow
If you see msg="send to application layer" in the debug flow, what kind of inspection is being used
Proxy-based
proxyworker
Proxy-based inspection process for IMAP, POP and SMTP
What two methods does antivirus and IPS FortiGuard communication depend on
Pull or push
What is access layer quarantine for stitch action
Quarantine host and switch or AP
What are the four IPS options types for custom signatures
REQUIRED PROTOCOL PAYLOAD SPECIAL
diagnose ip router ospf all enable / diagnose debug enable / diagnose ip router ospf level info
Real-time OSPF debug
Aggressive mode debug (pic)
Real-time debug for phase 1 aggressive mode and the three aggressive mode packet exchanges
What is console logging
Records console CLI output in a 4MB log file on flash memory that is useful for troubleshooting unexpected restarts and unresponsive devices. The output can be displayed in the CLI or downloaded from the GUI
Since specific apps require specific TTLs, what can you do if you want to reduce session TTLs overall for memory optimization but don't want to hinder application communication
Reduce the TTL globally for TCP and UDP, then increase the TTL for the specific application port number
x64
Refers to a 64-bit CPU and OS instead of a 32-bit system, meaning the CPU can process 64-bit chunks of data compared to 32-bit chunks. 64-bit can access 2^64 memory addresses (18 quintillion bytes of RAM); 2^32 is only 4GB of RAM. 64-bit can also perform more calculations per second and the processors can be multi-core.
What do the numbers mean Diag sys top 3 15 3
Refresh 3 seconds Show 15 lines Stop after 3 refreshes
What devices (status) can request FDS info from fortimanager
Registered and unregistered (unmanaged)
What option does TCL script have to be run on?
Remote fortigate directly only
What is required to use the compromise host trigger for stitches
Requires fortiAnalyzer IoC reporting
Disadvantages of OSPF (2)
Requires planning and running to optimize performance Difficult to troubleshoot in large network
RPF and what two things it protects
Reverse Path Forwarding Checks against IP spoofing attacks and routing loops by checking the route to the source IP address Makes sure that the packet coming in is from the subnet that it says it's from by making sure the subnet matches what is in the routing table to the correct source interface
What two ways can you test an automation stitch
Right click in CLI In CLI with command Diagnose automation test <stitchname>
What must be configured in the SF first
Root fortigate
Where can you view the SF topology
Root fortigate GUI (or FAZ) Security fabric > physical topology
What are the five load balancing methods supports for aggregate IPSec tunnels
Round Robin - balanced per packet L3 - balanced per l3 header L4 - balanced per l4 header Redundant - sent through tunnel that came up first Weighted round Robin - load balanced based on link weights
Route Metric
Router metrics are metrics used by a router to make routing decisions. A metric is one of many fields in a routing table. Router metrics help the router choose the best route among multiple feasible routes to a destination. The route will go in the direction of the gateway with the lowest metric. RIP hop count OSPF cost (cumulative bandwidth) BGP
Without SNAT what happens to preexisting sessions when there is a route change (4)
Routing info is flushed from session entries; rtcache entries are flushed; session is flagged as dirty; a new route lookup is done for the next packets
What two places (CLI) can you see the source and destination ports and IPs for a session
Rtcache and session table
What would you see in a debug flow if a FTP session helper was inspecting the traffic
Run helper-ftp (dir=original) or Run helper-ftp (dir=reply)
Two problems high traffic volume may cause (overload conditions, not just slow connections for users)
Running in conserve mode due to low sys memory Proxy connection pool has no free connections
Which process states are normal and what are not
S and R are normal; D is normal if brief; Z is not normal; D is not normal for a long time (indicates the process is not working properly)
Command to see shared memory and what is shared memory
SHM is memory allocated dynamically to multiple processes so they can share information with each other Diagnose hardware sysinfo shm Shows total, free, avail, alloc
When is SIP ALG used vs when is SIP helper used
SIP ALG: when traffic matches a policy with a VoIP profile regardless of mode; when traffic does not match a VoIP profile and the VoIP mode is set to proxy based. SIP helper: traffic does not match a policy with a VoIP profile and the VoIP mode is set to kernel-helper-based
If there is a VoIP profile applied to a policy that SIP traffic matches, and the default-voip-ALG-mode setting is set to kernel-helper-based what is used for the mode
SIP ALG even though it is set to kernel-helper-based. Remove the VoIP profile if you want it to use the session helper and not SIP ALG
For SSL certificate inspection where does the FGT look for the FQDN first and where if that extension is not present
SNI If not present then CN in the server certificate
What is AV failopen
Safeguard feature that determines the behavior of the antivirus system for proxy based inspection if the fgt is overloaded with high traffic
If primary device fails where should you check logs (HA)
Secondary
What DNS lookup does fortigate do for web filtering and anti spam if it is configured to use HTTPS and worldwide servers
securewf.fortiguard.net
Where to configure stitches
Security fabric > automation
How to configure fabric connectors
Security fabric > external connectors
Diagnose test application csfd 1
Security fabric daemon and command will show you downstream and upstream info: IP SN Port number Link status (ok = connected)
What is end to end security
Security from endpoints to the cloud
What does the security rating score help you identify
Security issues in your network
What are the three sections of the security rating scorecards
Security posture Fabric coverage Optimization
Where is UTM or NGFW traffic offloaded for acceleration
Security processors CP8 or CP9
How to add an IP exemption for an IPS signature
Security profile > intrusion prevention > edit ip exemption
Two examples of changes that will only apply to new sessions and not existing ones
Security profile and session helper changes
Where can you edit the SSL/SSH inspection for outbound traffic inspection
Security profiles > SSL/SSH inspection
Tunnel-search options for IPSec vpn
Selector Next hop
AS external link advertisement (type 5) OSPF LSA type
Sent only by ASBRs and not confined to one area. Won't get sent to stub networks or NSSAs. They contain link state information for routes redistributed into OSPF (external routes). External routes include: a directly connected interface not running OSPF; a static route; a route derived from another routing protocol
How is the FGFM tunnel authenticated between fortigate and fortimanager
Serial numbers
What needs to be configured on fortigate in order to use fortimanager for fortiguard services and how do you do it
Server list where you define the server address (IP of the fortimanager) that the fortigate will query for ratings and package updates: Config sys central-management / Config server-list / Set server-type update rating / Set server-address <fmg ip> / Next / End / Set include-default-servers [enable | disable] (enables or disables the inclusion of public fortiguard servers in the override server list)
What needs to be configured for each interface under system settings > network on a fortimanager acting as a FDS
Service access setting
What DNS lookup does fortigate do for web filtering and anti spam if it is configured to use UDP and worldwide servers
service.fortiguard.net
When fortigate submits a DNS lookup to get the IP of a fortiguard service name for rating services which 4 names does it try to resolve, protocol does it use, and is it worldwide or USA
service.fortiguard.net (UDP, worldwide); securewf.fortiguard.net (HTTPS, worldwide); usservice.fortiguard.net (UDP, USA); ussecurewf.fortiguard.net (HTTPS, USA)
The connection between two BGP peers is called a BGP ____
Session
If there is a may_dirty session being offloaded to an NPU or SPU what happens if there is a change in a policy
Session is flagged as dirty too, and then the next packet is sent to the CPU to be reevaluated against the policy change
What command enables the ADVPN or SDWAN hub to dynamically propagate all the redundant paths to each remote location through BGP
Set additional-path enable
What should be enabled on the spoke for IPSec that's disabled on the hub for ADVPN
Set net-device enable
Get router info OSPF status
Shows router ID, timers, LSAs originated and received, areas attached to the router, number of neighbors in each area, and when SPF was last executed
OSPF real-time debug commands and what the debug shows Disable command
Shows adjacency establishments, OSPF errors, and network topology changes. Enable: Diagnose ip router ospf all enable / Diagnose ip router ospf level info / Diagnose debug enable. Disable: Diagnose ip router ospf all disable / Diagnose debug disable
Receive status in fortimanager fortiguard: what it displays and for what four device types
Shows packages received from fortiguard, version, size, version to be deployed, and update history Fortigate Fortimail Fortianalyzer Forticlient
SF scorecard
Shows performance in sub-categories and gives an overall grade; clicking a scorecard drills down to a detailed report of itemized results and compliance recommendations
Phase 2 debug (pic)
Shows phase 2 proposal from local gateway and coming to the remote gateway
Parts of the real time ike debug phase1 (pic)
Shows the 6 packet exchange, phase 1 negotiation settings, what VPN config is used on responder, successful preshared key matches and final up status for phase 1
IPSec debug XAUTH enabled (pic)
Shows the CFG_REQUEST CFG_REPLY CFG_SET CFG_ACK
What does the SF physical topology display
Shows the physical topology of devices in the SF and the connections between them
Debugging IKE MODE config (pic)
Shows the remote site requesting and receiving IP settings with CFG_REQUEST and CFG_REPLY
What is Debug flow
Similar to built-in sniffer but the output shows step by step kernel decisions for each packet
Fortimanager vpn manager and steps (5)
Simplifies VPN administration by having the ability to install config settings to multiple devices at once. Settings are stored as objects in the object database and can be pushed by installing the policy package. 1) create VPN community 2) add gateways (members) to the community 3) install the VPN community and gateway configuration 4) add the firewall policies 5) install the firewall policies
What kind of hub architectures does ADVPN support
Single or multiple
What is fortimanager and key features just name as much as you can think of. Flex dah brain
Single pane of glass management for mass provisioning, scheduled rollout of configurations, compliance regulation through audit abilities Reduces wan usage with local fortiguard cache server Provides logging and reporting VPN, AP, Switch managers Security fabric ADOMs Firmware management
Why do you need to configure full mesh peering between all IBGP routers and what can simplify this
So each BGP router knows the local subnets on every other BGP router Route reflectors
Why is the SF API and protocol Open
So other vendors can join for partner integration so fortinet devices can communicate with third party devices
Which SoC platforms include NTurbo for fast IPS processing
SoC3 and 4
What two methods are there for inspecting outbound encrypted sessions
SSL certificate inspection SSL full inspection
Sslvpnd
SSL VPN process
After you know what services to protect in an IPS deployment, how can you define the threats and where to implement IPS
Start with the most critical services and classify the threats into groups
Three inspection types
Stateful Proxy Flow
AD for static, directly connected, dhcp, OSPF, BGP
Static 10 DHCP 5 Connected 0 OSPF 110 EBGP 20
If an IPSEC vpn is configured in interface mode and the set add-route command is enabled what happens
Static routes are automatically added to clients each time the dialup IPSec connects The destination subnets are what is received in phase 2
Nickname for administrator-defined automated workflows and what is their function
Stitches Stitches use if/then statements to cause FortiOS to automatically respond to an event in a preprogrammed way.
How can you tell if a fortigate freezes
Stops handling traffic You can't connect to it and you can't access the Console port Only power cycling fixes the issue
Describe the flow of BGP routes coming in from advertised peers to leaving and being advertised to peers (pic)
Stores BGP routes it receives from other routers in the RIB-in. The BGP router applies filters and the resulting routes are stored in the local RIB, which are then consolidated in the routing table with other types of routes (static, directly connected, other protocols etc). The BGP router adds redistributed routes (from other protocols) and external routes, applies filters, and adds them to the RIB-out. The resulting routes are advertised
Three AS types, describe each, and example
Stub AS: single exit point and routes only local traffic. Example: a company with one ISP and its own AS. Multihomed AS: multiple exit points and routes only local traffic. Example: a company with two ISPs and its own AS. Transit AS: handles and routes local traffic as well as traffic that originates and terminates in different autonomous systems (transit traffic). Example: an ISP
When performing dynamic routing over IPSec the overlay IPs (hub and spoke tunnel IPs) need to be in the same____
Subnet
Security fabric > security rating What is security rating and how can you get a rating
Subscription service that requires a security rating license. Provides the ability to see and perform many best practices, such as password checks, to audit the strength of your network security. Broken down into scorecards that provide a letter grade
Is IPSec encryption and decryption offloaded to hardware
Supported on some models Supported algorithms vary by processor type and model It is enabled by default for supported algorithms
Difference between swap files and page files
Swapping is when a whole process is transferred to disk and paging is when part of a process is transferred back and forth as needed
What devices can extend the SF to the access layer
Switch and AP
What does system > HA display (6)
Sync status Fortigate members Hostnames Serial numbers Role Uptime
Where can you check the status of fortiguard licenses, the versions, and the communication to fortiguard in the GUI
System > fortiguard
What is a fork?
System call to create a new process (child process) from an existing process (parent process)
What is indicated if no new daemons have been scheduled in the last 10 mins
System may be frozen use watchdog feature
Where is SoC found
System on a chip is found in small office and desktop model fortigates that combine the CPU, NP, CP, and memory onto a single chip
What is SoC
System on a chip that includes entire microprocessors (CPU, NP, CP), memory blocks, flash memory, and external I/O (network interfaces)
Fortimanager script starts with #! What type is it
TCL
Protocol 6
TCP
If processes are allocated individual blocks of memory, how can they share information with each other
The OS dynamically allocates shared memory (SHM) so multiple processes can share information.
What part of the fortimanager vpn manager contains the phase 1 and phase 2 settings that gets pushed to the devices
The communities
What is contained in the IKE message from the initiating remote spoke when it tries to stand up a dynamic tunnel with ADVPN to another remote spoke (4)
The first remote site will create a FortiOS-specific IKE message that contains its public IP, local subnet, desired remote subnet, and an auto-generated PSK / digital cert
Why would you see Dev=6->9/9->6 gwy/10.8.1.1/0.0.0.0 in the session table
The gateway to destination is identified by the route lookup on the first packet that passes through from originator. The gateway to source will be identified when the return packet comes back from the receiver
What two parts of the firewall affect the path that a packet takes
The hardware and software configuration
Stage 3 of NGFW policy mode session handling
The kernel uses the layer 7 information to search NGFW policy table again for match and once match is found the kernel applies the configured action on matching policy
What does the point score represent for SF rating
The net score for all passed and failed items in the area
If fortiguard server weights are the same which one will the fortigate use
The one with the lowest RTT (round trip delay)
Feasible RPF mode and example (pic)
The packet is accepted as long as there is one active route to the source IP through the incoming interface, it does not have to be the best route just an active one
By default, BGP prefix under the network command is only advertised when....how can you change this behavior (command)
The prefix matches the destination subnet of an active route in the routing table. To always advertise the prefix regardless of active routes: Config router bgp / Set network-import-check disable
How does active-active work for virtual clustering
The primary device receives all sessions and load balances them among the cluster devices according to the load balancing schedule. All cluster devices process traffic for all VDOMs
Socket buffer
The receive socket buffer size determines the maximum receive window for a TCP connection. The socket receive buffer space is shared between the application and kernel. TCP maintains part of the buffer as the TCP window, this is the size of the receive window advertised to the other end.
Security fabric > security rating > security posture
The scorecard that shows a ranking presented as a percentile based on security audit information.
Describe how a session helper works with active FTP and NAT (2)
The session helper will translate the IP and port in the FTP command so that the server initiates the connection to the NATed IP and not the private IP It also will create an expected session (or pinhole) for the data channel connection that will come from the server so that an admin doesn't need to create a firewall policy allowing an incoming FTP session
What happens to the routing table after you configure VRF IDs on interfaces
The routing table, database, and command output change: routes are grouped based on VRF ID instead of all together
You're looking at a session entry and you see state=dirty may_dirty and you see dev=9->0/0->9 gwy=0.0.0.0/0.0.0.0
There was a routing change
How do permissions in workspace mode work
They are the same permissions defined on the account profile
Compromised host trigger for automation stitch
This trigger uses indicator of compromise (IOC) event reporting from fortianalyzer. Set a threat level threshold (medium or high). Based on that you can configure the stitch to take different remediation steps such as: quarantine the compromised host and switch or AP (access layer quarantine); quarantine forticlient on the compromised host using EMS; ban the IP
Describe the protocol states as it relates to the TCP handshakes
Three-way handshake: SYN - 02 (SYN_SENT); SYN/ACK - 03 (SYN & SYN/ACK); ACK - 01 (established). Teardown: FIN - (FIN_WAIT); FIN/ACK - (TIME_WAIT)
In what case can fortigate access fortiguard without DNS resolution
Through a web proxy because the web proxy contacts the DNS server to resolve names
config system global set av-failopen-session {enable | disable} set av-failopen {off | one-shot | pass} end
To configure failopen in the CLI: config system global set av-failopen-session {enable | disable} set av-failopen {off | one-shot | pass} end To set the behavior for these conditions, you must enable av-failopen-session. When enabled, and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and behaves as defined in the av-failopen command. av-failopen determines the behavior of the proxy until entries are free in the session table again for that proxy.
Purpose of ISFW
To segment the network so that any breach coming from inside can be contained in one segment of the network without reaching others
From this picture which is primary top or bottom
Top
Stage 1 of NGFW policy mode session handling
Traffic comes in. The kernel can identify ICMP, DNS, and NTP traffic in the kernel (all other types it cannot). When traffic first comes in the kernel cannot identify layer 7 info and uses the layer 4 headers to search the NGFW policy table for a match and send traffic to the IPS engine. The kernel creates a session table entry with the may_dirty flag and an application ID of 0. Session is allowed
How is traffic distribution controlled in vdom partitioning for HA
Traffic distribution is controlled by setting the primary for the different vdoms
What is IPS acceleration
Traffic inspected by IPS is offloaded to the CP8 or CP9 content processor
In the session table what does the state flag ndr mean (next to the may_dirty and dirty flags)
Traffic is inspected in flow-based mode
For BGP, if all route attributes are the same and ECMP is enabled where is traffic routed What if ECMP is not enabled
Traffic is shared among up to 10 BGP routes If ECMP is not enabled then the fortigate uses the route that goes to the router with the lowest BGP router ID
True or false The communication between fortigate and fortiguard for web filtering and anti spam is different from the communication for antivirus and IPS
True
True or false Fortigate can create sessions for traffic expected to come
True: session helpers and application layer gateway
How many SSL sessions are established with full ssl inspection
Two Client to fortigate Fortigate to server
TCP protocol state and what are all 10 client side states What are server side state options and client side state options
Two-digit number (proto_state=). First digit is the server-side state (0 or 1): 0 if no inspection, 1 if proxy or flow. Second digit is the client-side state: NONE 0, ESTABLISHED 1, SYN_SENT 2, SYN & SYN/ACK 3, FIN_WAIT 4, TIME_WAIT 5, CLOSE 6, CLOSE_WAIT 7, LAST_ACK 8, LISTEN 9
Max number of fortigates for virtual clustering
Two fortigates
How many entries in the route cache are there for one session
Two one for originating traffic and one for return
Aggregated IPSec tunnels
Two or more IPSec tunnels between two sites can be combined to create an aggregated tunnel. Similar to LACP port aggregation
What devices comprise the core of the security fabric (MANDATORY) and what is comprised in the recommended and extended portions
Two or more fortigates + fortianalyzer in core Recommended- Fortimanager, fortiAP, switch, client, sandbox, and mail Extended- Other fortinet products and third party products using the API
External route metric types what are each
Type 1 - Metric is the sum of the external cost plus the internal cost of reaching the ASBR. Considered close to the AS. Type 2 - Metric is based on the external cost only and considered far from the AS.
What port does IKE use with no NAT and with NAT
UDP 500 UDP 4500 After NAT detected
What ports does the fortigate use for rating services (web filtering and anti spam) when communicating with public fortiguard services What ports does it use when communicating with a fortimanager configured as a local fortiguard server What port is used for update services (antivirus and IPS)
UDP 8888 UDP 53 HTTPS 8888 HTTPS 53 HTTPS 443 UDP 8888 UDP 53 HTTPS 53 HTTP 8888 HTTPS 443
Protocol 17
UDP
How can you apply security recommendations to your firewall settings in one click
Under SF security rating > security posture and click apply on the failed controls
Where do you configure a protected subnet in fortimanager
Under all vpn communities
Where can you view quarantined and banned IPs
Under the quarantine widget dashboard
App=0 (what stage is this seen in session table)
Unknown app NGFW policy mode stage 1
How long do on demand (ADVPN) tunnels remain active and what command can you use to see which on demand tunnels are active
Until the SAs are manually flushed or until they time out Get IPSec tunnel list
How can you fix interference and delays that session sync causes for the heartbeats (2) commands to do both
Use a different interface for session synchronization than the heartbeat interface: Config system ha / Set session-sync-dev <port name> <port name2>. Delay the sync of new sessions by 30 seconds so short-lived sessions are not synced: Config system ha / Set session-pickup-delay enable
Scripts in fortimanager are not running in fortigate correctly (3) what should you check
Use complete commands and not shortened syntax. Do not use # in front of any commands. On the fortigate, ensure the console output is set to standard, otherwise a script longer than the screen length will not run correctly: Config sys console / Set output standard
How to stop BGP behavior of redistributing BGP routes automatically to all BGP peers (can cause massive amounts of routes)
Use prefix list and route maps
SPECIAL option type for custom IPS signature
Used for all other purposes besides the payload, protocol, and required option types. Example: --app_cat 7
Difference between these commands: Set preserve-session-route Set SNAT-route-change Set firewall-session-dirty
preserve-session-route: used for session behavior when there is a route change and SNAT is not applied. SNAT-route-change: used for session behavior when there is a route change and SNAT is applied. firewall-session-dirty: used for session behavior when there is a policy change
What can the numerical web filter categories from command "get webfilter categories" be used for
Used to create web filtering profiles using the fortigate CLI or fortimanager scripts; can also be used to test whether a specific category or sub-category is allowed or blocked
PROTOCOL option type for custom IPS signature
Used to match different protocol options. Example: --protocol tcp
PAYLOAD option type for custom IPS signature
Used to match the packet payload, such as --pattern "POST" and --context uri
System IO cache and examples of operation sped up by this cache
Used to speed up the access to information stored in the hard and flash disk memories Logging Wan optimization Explicit proxy
Authd
User authentication process
What is the responder dial up selection criteria (for any incoming connection where the fortigate is acting as dial up responder how does it select clients)
Uses the first phase 1 config (in alphabetical order) that matches: Local gateway Mode (aggressive or main) Peer ID (if aggressive) Authentication method (psk OR cert?) Digital cert info (if used) Proposal DH group
What DNS lookup does fortigate do for web filtering and anti spam if it is configured to use HTTPS and USA servers only
ussecurewf.fortiguard.net
What DNS lookup does fortigate do for web filtering and anti spam if it is configured to use UDP and USA servers only
usservice.fortiguard.net
What will a fortimanager acting as a downstream FDS provide (3)
VM license validation service Update services for AV and IPS signatures Rating services for web filtering and anti spam
Where in GUI can you configure aggregated IPSec
VPN > IPSec tunnels > create new > aggregate
Layer three route isolation using____
VRFS
F-SBID (--KEYWORD VALUE;) What is this for and which is case sensitive, the value or the option
Value is case sensitive This is used for custom IPS signature creation. Made up of the header "F-SBID" and a series of option and value pairs
What is the max number of proxy connections and what if it's maxed out
Varies by model. It is the max number of proxy sessions a protocol in a proxy policy can have. If it fills up the IPS engine goes into fail open mode To configure failopen in the CLI: config system global set av-failopen-session {enable | disable} set av-failopen {off | one-shot | pass} end To set the behavior for these conditions, you must enable av-failopen-session. When enabled, and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and behaves as defined in the av-failopen command. av-failopen determines the behavior of the proxy until entries are free in the session table again for that proxy.
How does fortigate verify the fortianalyzer
Verifies the serial number against its certificate and then the serial is stored in the fortigate config
If a device can't join an HA cluster what 4 steps should you follow
Verify the HA settings match; verify firmware and hardware match; verify physical layer connections; use the HA real-time debug (Diagnose debug application hatalk -1 / Diagnose debug application hasync -1 / Diagnose debug enable)
If GUI is unresponsive what should you do
View the crash log in the CLI for conserve mode messages and try to look for processes using too much memory Diagnose debug crash log read
VRF
Virtual Routing and Forwarding is a technology included in some routers that allows multiple instances of a routing table to exist in a router. This increases functionality by allowing network paths to be segmented without using multiple devices. It also increases security since it is segmenting traffic. This is something ISPs usually do to create separate VPNs for customers
Hub and spoke topology
WAN topology; each remote site connects back to a main site, and communication between two remote sites travels through the hub site. Benefits: costs are reduced; adding an additional site is easy (only one link per site); ease of management for VPN config and firewall policies. Drawbacks: suboptimal routes between remote sites; the hub site is a single point of failure because all remote sites converge on that main site; lacks redundancy
BGP attribute categories (4) and describe each
Well-known mandatory - attributes are mandatory Well-known discretionary - attributes may or may not be included Optional transitive - attributes may or may not be accepted and can be passed outside the local AS Optional non-transitive - attributes may or may not be accepted and can't be passed outside the local AS
Tips for troubleshooting web filtering (4)
What URLs? Is it random or consistent? Who is affected? Is there anything in any of the logs? Was something blocked intentionally? Is authentication involved? Double check the user is being handled properly. Attempt reproduction. Ensure web filtering isn't globally disabled. Connectivity problems to fortiguard and conserve mode can cause intermittent web filtering issues
During the analysis stage of an IPS deployment what three things must you identify
What services to protect; the threats to those services; where to enable IPS inspection
If the IPS fail open setting is enabled what happens
When IPS goes into fail open mode some new packets might pass through without being inspected depending on the system load
How does a fortigate use virtual MAC addresses to fail over correctly and how are virtual MACs assigned
When a primary joins a cluster, each interface is given a virtual MAC address, and the primary informs all secondary units about the assigned virtual MAC addresses. When the fortigate fails over, a secondary adopts the same virtual MAC addresses for the equivalent interfaces
When is it likely for fortigate to go into conserve mode
When fortigate is using content inspection (especially proxy based) or AV because it's more likely to increase memory
When is traffic considered interesting
When it must travel through an IPSec tunnel (encrypted and encapsulated) to reach a remote network
When does fortigate reach out to fortiguard for rating services (antispam and web filtering )
When it needs to rate a website or email unless the rating is cached in the fortigate
At what part in IPSec tunnel creation are SAs loaded to kernel and when does the fortigate determine if inbound or outbound can be offloaded
When phase 2 goes up the SAs are loaded into the kernel. If there is no traffic passing they remain in the kernel. When inbound or outbound traffic begins to flow it determines if inbound or outbound can be offloaded
Why may a file transfer fail if the fortigate is doing NAT and the FTP mode is configured as active (there is no session helper)
When that FTP packet crosses the router, the source IP address in the IP header is changed from 10.0.1.10 to 10.200.1.1. However, the IP address in the FTP PORT command is not translated to 10.200.1.1. Once the server receives that FTP command it tries to bring up the TCP session for the data channel to 10.0.1.10. It sends the SYN packet to the IP address 10.0.1.10; this address is probably not routable because it is a private IP behind a device doing NAT, so the file transfer fails
Describe the action the hub takes when it receives a packet from a remote location destined to another remote location when auto-discovery is enabled
When the hub receives the packets it knows ADVPN is enabled because of the command. The hub will send an IKE message to the initiating remote site informing it that it can try to negotiate a direct connection to the other remote site. The first remote site will create a FortiOS-specific IKE message (shortcut query) that contains its public IP, local subnet, desired remote subnet, and an auto-generated PSK / digital cert. This gets sent to the hub and the hub will forward it to the remote site. When the other remote site receives the IKE message (shortcut query) it stores the PSK and replies with another IKE info message (shortcut reply) containing its own public IP. The hub will forward this IKE message to the initiating remote site and the tunnel will be dynamically negotiated and stood up
When is BGP typically used (2)
1) When there are a large number of routes 2) When strict control over which routes are announced or accepted is required
When does IPS go into fail open mode (2)
1) When there is not enough available memory in the IPS socket buffer for new packets 2) When the FortiGate is in conserve mode
config system global
    set snat-route-change disable
When this setting is disabled, after a routing change, sessions with SNAT keep using the same outbound interface as long as the old route is still active
When two routers start EBGP communication, the ___ BGP routing table is exchanged. After that only network ____ are sent
Whole Network
For NAT traversal how is ESP encapsulated
With a UDP header
Can you apply flow based UTM to a proxy based policy
Yes
Does ADVPN support NAT
Yes
True or false. Route leaking is supported between VRFs
Yes
Is bgp event logging enabled by default? How can you change the behavior?
Yes
    config router bgp
        set log-neighbour-change [enable | disable]
    end
TCL variables
You can create variables in the TCL script with: set <variable name> "<value>" Then use $<variable name> in the program portion of the script, which is automatically replaced with the variable's value
Can you do EBGP with ADVPN
You can't do ADVPN with EBGP because EBGP can't use route reflectors. Without the route reflector pointing you directly at the spoke, IPsec will never create the shortcut. If you don't need spoke-to-spoke connectivity through the IPsec shortcuts, you can use the dynamic VPN tunnels that ADVPN uses and use EBGP for your routing. It would require some modifications, though, since you would have to set an AS per spoke.
If a protocol is using a non-standard port and you need to use a session helper, what should you do and how do you do it?
You should change the default port number in the session helper config on the FortiGate to match the custom port (or add a new entry). Commands:
    config system session-helper
        show
        edit 13
            set name sip
            set protocol 17
            set port <port number>
        next
        edit 14
            set name h323
            set protocol 6
            set port <port number>
        next
    end
What modern-day technologies and threats create the need for more protection (protecting the perimeter of a network is no longer enough)?
Zero-day attacks, APTs, polymorphic malware, insider threats, BYOD, cloud technology
What five areas does the SF (Security Fabric) deliver solutions in?
Zero trust access; security-driven networking; dynamic cloud security; AI-driven security operations; Fabric Management Center
Two options for tsformat in the sniffer
a = UTC time; l = local time
IPSec (Internet Protocol Security)
A suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. It operates at the Network Layer.
What happens if there is no activity in a workspace transaction
It times out after five minutes and all changes are discarded
What is route redistribution?
An ASBR connects different routing domains, such as EIGRP and OSPF, and configures them to exchange and advertise routing information. Route redistribution allows a network that uses one routing protocol to route traffic dynamically based on information learned from another routing protocol.
Dijkstra's algorithm
An algorithm used to calculate the shortest path between an origin node and the other destination nodes in a network
IPSec real time debug errors: Negotiation failure No SA proposal chosen
config mismatch verify phase 1 and phase
DCFW
Data center firewall: protects servers; low latency; inbound security focused; 10 Gbps to 1 Tbps throughput; firewall, application control, and IPS are common; placed in the data center and in the enterprise DMZ; deployed at the distribution layer
Command to disable all app debugging
diagnose debug reset
IKE
Establishes a security association between two peers and handles tunnel maintenance and disconnection
Full Mesh Topology
Every site has a direct connection to every other site. Benefits: an optimal route exists between any two sites, fault tolerant, easy troubleshooting. Drawbacks: difficult and expensive to scale.
Where are the web filter and antispam databases managed in FortiManager acting as FDS?
FortiGuard Management > Query Server Management
DoS module
Inspects all traffic flows but only tracks packets that can be used for DoS attacks (for example, TCP SYN packets) to ensure they are within the permitted parameters. Suspected DoS attacks are blocked; other packets are allowed.
What are some of the private SDN connectors available?
Kubernetes, VMware ESXi, VMware NSX, OpenStack, ACI (Application Centric Infrastructure), Nuage Virtualized Services
Which BGP attribute is optional non-transitive, and what does that mean? (1)
MULTI_EXIT_DISC (MED). Optional non-transitive: the attribute may or may not be accepted and cannot be passed outside the local AS.
Where is traffic not requiring any UTM or NGFW processing offloaded for acceleration
The network processor (NP6)
If a firewall policy is configured for _________ then a mixture of flow-based and proxy-based inspection occurs. Packets initially encounter the IPS engine
proxy-based inspection
IP header integrity checking
Reads the packet headers to verify whether the packet is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification done at this step is to ensure that the protocol header is the correct length. If it is, the packet is allowed to carry on to the next step. If not, the packet is dropped.
Flow based inspection
The flow-based inspection method examines the file as it passes through the FortiGate unit without any buffering. As each packet of the traffic arrives, it is processed and forwarded without waiting for the complete file or web page.
Proxy based inspection
Proxy-based inspection involves buffering traffic and examining it as a whole before determining an action. Having the whole of the data available to analyze allows the examination of more data points than flow-based inspection.
If net-device is disabled and tunnel-search is set to selectors, what else is needed to route properly when there are multiple clients?
Tunnel index
Stage 2 of NGFW policy mode session handling
While the session is allowed, the kernel forwards packets to the IPS engine. The IPS engine performs layer 7 identification and updates the session table: the session table entry is flagged with the dirty flag and the identified app ID is changed from 0. The dirty flag notifies the kernel that the session needs to be re-evaluated.
What would you see in a debug flow for traffic matching an expected session opened by a session helper
"Find an EXP session, id 0016f90"
Example of how to run a CLI command in a TCL script in FortiManager (pic)
"#!" - the script must start with this. "exec" - runs a program on the FortiGate. ".......\n" - the program (command) to run on the FortiGate; \n is a newline. "# " 10 - wait 10 seconds for the command prompt "#" to display before running the command; if it does not appear, do not run the command and return an error.
What is the CP?
(Content Processor) A co-processor for the CPU that accelerates resource-intensive, security-related processes