NSE 4 Security 6.2 - Firewall Policies
If a local user is added as a source in a policy, where are the user's credentials retrieved from?
Locally on FortiGate
What is the purpose of the policy lookup feature on FortiGate?
To find a matching policy based on input criteria
What is the purpose of applying security profiles to a firewall policy?
To protect your network from threats and control access to specific applications and URLs
If a firewall policy's status is set to disable, policy lookup skips that policy and checks the next policy in the list
True
If traffic matches a firewall policy whose action is ACCEPT, FortiGate then applies the other features enabled on that policy, such as the security profiles (antivirus scanning, web filtering, and so on) and source NAT
True
Policy types
- IPv4 / IPv6
- Virtual wire pair (IPv4 / IPv6)
- Proxy
- Multicast
- Local-in policy (source or destination is the FortiGate itself)
- DoS (IPv4 / IPv6)
- Traffic shaping
Objects used by policies
- Interfaces and zones
- Address, user, and Internet Service (ISDB) objects
- Service definitions
- Schedules
- NAT rules (such as IP pools)
- Security profiles
3 types of Traffic Shaping policies
1. Shared policy
2. Per-IP address policy
3. Application control policy
What must be selected in the source field of a firewall policy?
At least one address object or Internet Service Database (ISDB) object
If a remote user is added as a source in a policy, where are the user's credentials retrieved from?
Authentication server
If a FSSO user is added as a source in a policy, where are the user's credentials retrieved from?
Domain Controller
An interface that belongs to a zone can be referenced individually
FALSE. An interface in a zone cannot be referenced individually. Conversely, before you can add an interface to a zone, you must first remove all existing references to that interface (for example, in firewall policies)
You can delete an object at any point, regardless of use or configuration
False. An object that is in use (referenced by a policy or by another object) cannot be deleted; you must first reconfigure the policies or objects that reference it
The policy ID assigned to a rule changes based on the order of the rule's placement in the list
False. The policy ID never changes, even if the policy is moved higher or lower in the sequence; only its position in the lookup order changes
When choosing a source for a policy, you can select both an ISDB object and a source address at the same time
False. You can choose one or the other, not both (an either/or relationship)
To configure a firewall policy, you must include a firewall policy name when configuring using the....
GUI
What criteria does FortiGate use to match traffic to a firewall policy?
Source and destination interface (or zone), source and destination address (or ISDB object), service, and schedule; policies are evaluated top-down and the first one whose criteria all match is applied
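A toy model of first-match policy lookup, added here as an example (it is Python, not FortiOS code, and the interface names, addresses and policy IDs in it are constructed for illustration). It ties together several of the cards above: policies are evaluated top-down in sequence order, a disabled policy is skipped and lookup continues, the first match wins, moving a policy changes its sequence but never its ID, "any" matches every interface, and a packet that matches no policy falls through to the implicit deny. Matching is simplified to interfaces, IPv4 addresses and a protocol/port string; a real FortiGate also evaluates schedule, user and ISDB objects.

```python
"""Toy model of FortiGate first-match firewall policy lookup.

Added example, not FortiOS code. Interface names (port1, port2, ...),
addresses and policy IDs below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Policy:
    policy_id: int          # assigned at creation; never renumbered on move
    srcintf: Set[str]       # interface names, or {"any"}
    dstintf: Set[str]
    srcaddr: List[str]      # CIDR strings, or ["all"]
    dstaddr: List[str]
    service: Set[str]       # "proto/port" strings, or {"ALL"}
    action: str = "accept"  # "accept" or "deny"
    status: str = "enable"  # "enable" or "disable"


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    service: str            # e.g. "tcp/443"


def _intf_match(rule: Set[str], intf: str) -> bool:
    return "any" in rule or intf in rule


def _addr_match(rule: List[str], ip: str) -> bool:
    if "all" in rule:
        return True
    return any(ip_address(ip) in ip_network(cidr) for cidr in rule)


def _service_match(rule: Set[str], svc: str) -> bool:
    return "ALL" in rule or svc in rule


def policy_lookup(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Return the first enabled policy that matches pkt, evaluated top-down.

    None means no policy matched: the implicit deny applies.
    """
    for pol in policies:                 # list order is the sequence order
        if pol.status == "disable":
            continue                     # disabled: skipped, lookup continues
        if (_intf_match(pol.srcintf, pkt.srcintf)
                and _intf_match(pol.dstintf, pkt.dstintf)
                and _addr_match(pol.srcaddr, pkt.src)
                and _addr_match(pol.dstaddr, pkt.dst)
                and _service_match(pol.service, pkt.service)):
            return pol
    return None


def move_policy(policies: List[Policy], policy_id: int, new_index: int) -> List[Policy]:
    """Move a policy to a new position in the sequence; its ID is unchanged."""
    pol = next(p for p in policies if p.policy_id == policy_id)
    rest = [p for p in policies if p.policy_id != policy_id]
    rest.insert(new_index, pol)
    return rest


def sample_policies() -> List[Policy]:
    """Constructed sample policy table (hypothetical names and addresses)."""
    return [
        Policy(1, {"port1"}, {"port2"}, ["10.0.0.0/24"], ["all"],
               {"tcp/443"}, action="deny", status="disable"),
        Policy(2, {"port1"}, {"port2"}, ["10.0.0.0/24"], ["all"],
               {"ALL"}, action="accept"),
    ]


if __name__ == "__main__":
    pols = sample_policies()
    web = Packet("port1", "port2", "10.0.0.5", "203.0.113.10", "tcp/443")
    print(policy_lookup(pols, web).policy_id)   # 2: policy 1 is disabled and skipped
    pols[0].status = "enable"
    print(policy_lookup(pols, web).action)      # deny: policy 1 now matches first
    pols = move_policy(pols, 2, 0)
    print([p.policy_id for p in pols])          # [2, 1]: order changed, IDs did not
    print(policy_lookup(pols, web).action)      # accept: policy 2 is evaluated first
    other = Packet("port3", "port2", "10.0.0.5", "203.0.113.10", "tcp/443")
    print(policy_lookup(pols, other))           # None: no match, implicit deny
```

The same packet gets a different verdict depending only on the order of the two enabled policies, which is why "move a policy" changes behaviour while "renumber a policy" is not an operation FortiGate offers at all.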
If you configure a firewall policy with the "any" interface, you can only view the firewall policy in.......
The "By Sequence" view
When configuring a consolidated policy, you must select source addresses, destination addresses, and IP pool addresses separately for IPv4 and IPv6
True
When selecting a FQDN as a source address for a policy, it must be resolved by DNS and cached in FortiGate, otherwise the policy may not function properly
True
When an ISDB object is selected as the destination of a policy, you cannot also select a service
True (ISDB objects already carry port and protocol information)
Why is there no option to select a user as a destination when creating a policy?
User identification is performed at the ingress interface, and packets are forwarded to the egress interface only after the user has authenticated successfully, so a user can only ever be a source criterion.
command: ses-denied-traffic
When enabled, FortiGate creates a denied-session entry in the session table, and all subsequent packets belonging to that denied session are dropped without another policy lookup
command: block-session-timer
Determines how long a denied-session entry remains in the session table; 30 seconds by default
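Where these two settings live in the FortiOS CLI, as an added configuration example that is not part of the original card set. The object path and default value are as I recall them for FortiOS 6.2 and should be checked against `get system settings` on the device; the lines starting with `#` are explanatory comments, not CLI input.

```text
# Added example, assumed FortiOS 6.2 syntax. Verify with: get system settings
config system settings
    # Create a session-table entry for denied traffic so later packets of the
    # same flow are dropped without a fresh policy lookup.
    set ses-denied-traffic enable
    # Lifetime of that denied entry, in seconds (default 30).
    set block-session-timer 30
end
```

The resulting denied entries can be inspected alongside normal sessions with `diagnose sys session list`; the timer controls how long they linger there, so a short value trades lookup savings for a smaller session table.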
Enabling consolidated policy mode deletes all existing IPv4 and IPv6 policies
true
Consolidated policy mode
When enabled, you can combine IPv4 and IPv6 policies into a single consolidated policy rather than creating and maintaining two separate policy sets. The IPv4 and IPv6 parts of a consolidated policy share:
- source and destination interface
- service
- user
- schedule
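An added configuration example (not from the cards) showing the mode switch and what a single consolidated policy looks like in the 6.2 CLI, with the shared fields set once and the address-family-specific fields set separately. The field names are recalled from FortiOS 6.2 and are an assumption to verify on a lab unit; the interface names, address objects, pool names and policy name are made up. Because enabling the mode deletes the existing IPv4 and IPv6 policy tables, back up the configuration first. Lines starting with `#` are explanatory comments, not CLI input.

```text
# Added example, assumed FortiOS 6.2 syntax. Back up the configuration first:
# enabling consolidated mode deletes all existing IPv4 and IPv6 policies.
config system settings
    set consolidated-firewall-mode enable
end

config firewall consolidated policy
    edit 1
        set name "LAN-to-WAN"
        # Shared by IPv4 and IPv6: interfaces, service, schedule (and users).
        set srcintf "port1"
        set dstintf "port2"
        set service "HTTPS"
        set schedule "always"
        set action accept
        # Address-family-specific: separate IPv4 and IPv6 address fields.
        set srcaddr4 "LAN_v4"
        set dstaddr4 "all"
        set srcaddr6 "LAN_v6"
        set dstaddr6 "all"
        # Source NAT with separate IP pools per address family.
        set nat enable
        set ippool enable
        set poolname4 "SNAT_POOL_v4"
        set poolname6 "SNAT_POOL_v6"
    next
end
```

The split mirrors the card above: one policy entry, one lookup position, one set of interface/service/schedule criteria, but two address sets and two pools, because an IPv4 object can never match IPv6 traffic and vice versa.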