Fortinet NSE 4 7.0 Lesson 3: Firewall Policies
What do firewall policies define?
Which traffic matches them, and how to process matching traffic.
Can you select more than one interface for the Incoming Interface?
You can select multiple interfaces by default. This is a feature that can be enabled. The "Any" Interface is available by default.
If Internet Service is selected as the Destination:
You cannot use Address in the Destination. You cannot select Service in the firewall policy.
If Internet Service is selected as Source:
You cannot use Address in the Source
What is Application control shaping?
bandwidth management by application
What is shared policy shaping?
bandwidth management of security policies
What is per-ip shaping?
bandwidth management of user IP addresses
Firewall Policies limit access to
configured networks
Policy Names are mandatory by default. How can you relax this requirement?
enable "Allow Unnamed Policies" in Feature Visibility
How can you reduce the number of log messages generated and improve performance when traffic violations are detected by a security profile?
Enable a session table for dropped traffic by using the ses-denied-traffic setting in the CLI.
The scope of a shaper can be per policy or
for all policies referencing that shaper
What two types of traffic shapers can be generated?
shared and per IP
What kind of traffic shaping policies does FortiGate allow you to create?
Shared policy shaping, per-IP shaping, application control shaping.
When creating traffic shaping policies, you must ensure that the matching criteria is the same as
the firewall policies you want to apply shaping to.
A shared shaper applies a total bandwidth to all traffic
using that shaper
What is the purpose of applying security profiles to a firewall policy? A. To allow access to specific subnets. B. To protect your network from threats, and control access to specific URLs.
B. To protect your network from threats, and control access to specific URLs.
To configure a firewall policy, you must include a firewall policy name when configuring using the A. CLI B. GUI
B. GUI
How do Security profiles protect your network?
Blocking threats; controlling access to certain applications and URLs; preventing specific data from leaving your network.
What do security profiles inspect?
Each packet in the traffic flow where the session has already been conditionally accepted by the firewall policy.
How can you manually define a policy ID?
Enable "Policy Advanced Options" on the Feature Visibility page.
What are the types of firewall policies?
Firewall Policy (IPv4, IPv6); Firewall Virtual Wire Pair (IPv4, IPv6); Proxy; Multicast; Local-in Policy (origin and destination is FortiGate itself); DoS (IPv4, IPv6); Traffic Shaping.
What happens when FortiGate policy action is set to ACCEPT?
FortiGate applies other configured settings for packet processing such as Anti-Virus scanning, web filtering or source NAT.
What happens when FortiGate policy action is set to DENY?
FortiGate drops the session.
In what order are firewall policies matched?
FortiGate looks for a matching firewall policy from top to bottom, and the first policy with ANY matching criteria is used.
How can you simplify administration for services and address objects?
Group LAN interfaces, source addresses, and/or services such as DNS, FTP, HTTP, and HTTPS together when the same combinations are typically used together in policies.
What destinations can be matched on in a firewall policy?
IP address or internet services
You MUST specify at least one source address of what type in a firewall policy?
IP address or range; Subnet (IP/Netmask); FQDN; Geography; Dynamic (Fabric Connector address); MAC Address Range.
What sources can be matched on in a firewall policy?
IP address, Subnet, FQDN, Geography, Dynamic (Fabric Connector), user, internet services.
For the service firewall object, what match criteria are used?
IP protocol and port number.
What are valid firewall policy match criteria?
Incoming Interface, Outgoing Interface, Source, Destination, Service, Schedule.
What are the objects used by policies?
Interface and zone; address, user, and internet service objects; service definitions; schedules; NAT rules; security profiles.
What are valid options for incoming interface and outgoing interface?
It can be a logical or physical interface or a zone.
Why should you group your interfaces into Zones?
It helps to simplify policy configuration
What happens to the policy ID as a rule is moved higher or lower in the sequence?
It never changes
Are Policy IDs displayed in the GUI by default?
No
Can you reference an interface directly if it is part of a zone?
No
Where can you view policy usage statistics such as last used, first used, hit count, active sessions, etc.?
Real-Time Policy Status is available from Policy & Objects > Firewall Policy > Edit view.
You MAY specify what source types in a firewall policy?
Source user: an individual user or group; local firewall accounts; accounts on a remote server (Active Directory, LDAP, RADIUS); FSSO; personal certificate (PKI-authenticated) users.
How do you set the duration for which blocked sessions remain in the table?
The CLI command block-session-timer.
What is the ref column used for?
The Ref column provides a simple way to find out where in the FortiGate's configuration an object is being referenced.
What is the purpose of the implicit deny statement?
The implicit deny policy is the last policy that is used. If no matches were found prior to reaching this point in the list, the traffic is dropped.
Where does a Policy ID come from?
The policy ID is assigned by the system when the rule is created.
What must be selected in the Source field of a firewall policy? A. At least one address object of ISDB B. At least one source user and one source address object.
A. At least one address object of ISDB
What does FortiGate use to match traffic to a firewall policy? A. Source and Destination interfaces. B. Security Profiles
A. Source and Destination interfaces.
If you configure a firewall policy with the any interface, you can view the firewall policy list only in which view? A. The By Sequence View. B. The Interface Pair View
A. The By Sequence View.
True or False? In each policy, you MUST set a source and destination interface.
True; however, the interface can be set to "any".