Fortinet NSE 4 7.0 Lesson 3: Firewall Policies

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

What do firewall policies define?

Which traffic matches them. How to process matching traffic.

Can you select more than one interface for the Incoming Interface?

You can select multiple interfaces by default. This is a feature that can be enabled. The "Any" Interface is available by default.

If Internet Service is selected as the Destination

You cannot use Address in the Destination You cannot select Service in the firewall policy

If Internet Service is selected as Source:

You cannot use Address in the Source

What is Application control shaping?

bandwidth management by application

What is shared policy shaping?

bandwidth management of security policies

What is per-ip shaping?

bandwidth management of user IP addresses

Firewall Policies limit access to

configured networks

Policy Names are mandatory by default. How can you relax this requirement?

enable "Allow Unnamed Policies" in Feature Visibility

How can you reduce the number of log messages generated and improve performance when traffic violates are detected by a security profile?

enable a session table of dropped traffics by using the ses-denied-traffic via CLI.

The scope of a shaper can be per policy or

for all policies referencing that shaper

What two types of traffic shapers can be generated?

shared and per IP

What kind of traffic shaping polices does FortiGate allow you to create?

shared policy shaping per-ip shaping Application control shaping

When creating traffic shaping policies, you must ensure that the matching criteria is the same as

the firewall policies you want to apply shaping to.

A shared shaper applies a total bandwidth to all traffic

using that shaper

What is the purpose of applying security profiles to a firewall policy? A. To allow access to specific subnets. B. To protect your network from threats, and control access to specific URLs.

.B. To protect your network from threats, and control access to specific URLs.

To configure a firewall policy, you must include a firewall policy name when configuring using the A. CLI B. GUI

B. GUI

How do Security profiles protect your network?

Blocking threats Controlling access to certain applications and URLs Preventing specific data from leaving your network

What do security profiles inspect?

Each packet in the traffic flow where the session has already been conditionally accepted by the firewall policy.

How can you manually define a policy ID?

Enable "Policy Advanced Options" which must be enabled in the Feature visibility page.

What are the types of firewall policies?

Firewall Policy (IPv4, IPv6) Firewall Virtual wire pair (IPv4, IPv6) Proxy Multicast Local-in Policy (Origin and destination is in FortiGate itself) DoS(IPv4,IPv5) Traffic Shaping

What happens when FortiGate policy action is set to ACCEPT?

FortiGate applies other configured settings for packet processing such as Anti-Virus scanning, web filtering or source NAT.

What happens when FortiGate policy action is set to DENY?

FortiGate drops the session.

In what order are firewall policies matches?

FortiGate looks for matching firewall policy from top to bottom and the first policy with ANY matching criteria is used.

How can you simply administration for services and address objects?

Group LAN interfaces, source addresses, and/or services such as DNS,FTP,HTTP,HTTPS together when the same combinations are typically used together in policies.

What destinations can be matched on in a firewall policy?

IP address or internet services

You MUST specify at least one source address of what type in a firewall policy?

IP address or range Subnet (IP/Netmask) FQDN Geography Dynamic - Fabric connector address MAC Address Range

What sources can be matched on in a firewall policy?

IP address, Subnet, FQDN, Geography, Dynamic (Fabric Connector). user, internet services

For the service firewall object, what match criteria is used?

IP protocol and port number

What are valid firewall policy match criteria?

Incoming Interface Outgoing Interface Source Destination Service Schedule

What are the objects used by policies?

Interface and zone Address, user, and internet service objects Service definitions Schedules NAT rules Security profiles

What are valid options for incoming interface and outgoing interface?

It can be a logical or physical interface or a zone.

Why should you group your interfaces into Zones?

It helps to simplify policy configuration

What happens to the policy ID as a rule is moved higher or lower in the sequence?

It never changes

Are Policy IDs displayed in the GUI by default?

No

Can you reference an interface directly if it is part of a zone?

No

Where can you view policy usage statistics such as last used, first used, hit count, active sessions, etc.?

Real-Time Policy Status is available from policy & objects > Firewall policy > edit view.

You MAY specify what source types in a firewall policy?

Source user - Individual user or group local firewall accounts Accounts on a remote server (Active Directory, LDAP, RADIUS) FSSO Personal certificate (PKI-authenticated) users

How do you set the duration for blocked session to remain in the table?

The CLI command block-session-timer

What is the ref column used for?

The Ref column provides a simple way to find out where in the Fortigate's configuration an object is being referenced.

What is the purpose of the implicit deny statement?

The implicit deny policy is the last policy that is used. If no matches were found prior to reaching this point in the list, the traffic is dropped.

Where does a Policy IDs come from?

The policy ID is assigned by the system when the rule is created.

What must be selected in the Source field of a firewall policy? A. At least one address object of ISDB B. At least one source user and one source address object.

A. At least one address object of ISDB

What does FortiGate use to match traffic to a firewall policy? A. Source and Destination interfaces. B. Security Profiles

A. Source and Destination interfaces.

If you configure a firewall policy with the any interface, you can view the firewall policy list only in which view? A. The By Sequence View. B. The Interface Pair View

A. The By Sequence View.

True or False? In each policy, you MUST set a source and destination interface.

True however, the interface can bet set to "any".


Set pelajaran terkait

DATA SYSTEMS ADMINISTRATION - D330 (All Questions from Chapter 8-10, 12-15, and 17)

View Set

Spanish- Furniture and Other Objects in the House

View Set

LIFE ONLY_Chapter 1- Principles of Insurance and General Insurance

View Set

CH.7 Texas Real Estate License Act

View Set