2 - Firewall Policies
Incoming/Outgoing Interfaces; Source (IP, user, device); Destination (IP or Internet Services); Services (IP Protocol and Port Number); Schedule
What are the FGT Matching Criteria?
a. Source and destination interfaces
What criteria does FortiGate use to match traffic to a firewall policy? a. Source and destination interfaces b. Security profiles
a. The number of places where that object is being used
What does the number in the Ref. column represent? a. The number of places where that object is being used b. The policy ID of the firewall policy where that object is being used
Security events
What is the default logging for "log allowed traffic"?
b. To protect your network from threats and control access to specific applications and URLs
What is the purpose of applying security profiles to a firewall policy? a. To allow access to certain subnets b. To protect your network from threats and control access to specific applications and URLs
a. To find a matching policy based on input criteria
What is the purpose of the policy lookup feature on FortiGate? a. To find a matching policy based on input criteria b. To block traffic based on input criteria
a. At least one address object
What must be selected in the Source field of a firewall policy? a. At least one address object b. At least one source user and one source address object
b. Hidden security profiles are enabled.
What will happen when the Action option in the firewall policy is set to Learn? a. All services in firewall policy are enabled. b. Hidden security profiles are enabled.
a. Good_Training
Which of the following naming formats is correct when configuring a name for a firewall address object? a. Good_Training b. Good(Training)
Firewall Policies
Define which traffic matches them and what the FGT will do if it matches.
Security Profiles
Inspect each packet in the traffic flow, where the session has already been conditionally accepted by the firewall policy.
Pre-expiration event log
Generates an event log N days before the schedule expires, where N can be from 1 to 100 days.
28
Detected devices are saved in the FGT flash drive for ______ days.
b. GUI
Firewall policy name is mandatory when configuring on the _____. a. CLI b. GUI
a. The By Sequence View
If a firewall policy is configured with the any interface, you can only view the firewall policy list in _____ . a. The By Sequence View b. The Interface Pair View
Active Scanning
If passive detection fails to detect the device type for more than five minutes, ______ is triggered and scans every three minutes. (N+1)*5 min algorithm for scanning.
By sequence
If policies are created using multiple source and destination interfaces, or the any interface.
Interface Pair View
Lists policies by ingress and egress interfaces.
- Up to 35 characters
- Numbers, letters, hyphen and underscore
- Spaces (to be avoided)
Naming rules of a firewall policy?
a. Source interface of the firewall policy
On which FortiGate interface is Device Detection enabled when configuring a firewall policy with a device definition? a. Source interface of the firewall policy b. Destination interface of the firewall policy
ses-denied-traffic
To reduce the number of log messages generated and improve performance, you can enable a session table entry for dropped traffic. What is the command to enable this?
Learning Mode (Action -> LEARN)
Allows everything through the firewall policy, but with fully enabled logging capabilities.
shared and per IP
Two types of traffic shapers?