NSE 7 SDWAN
For each managed gateway in VPN manager what do you configure (4)
-Protected subnets
-Gateway role (hub, spoke, and so on)
-Interface where the tunnel terminates
-Advanced settings (peer ID, IKE mode config)
What is fortimanager
-Single pane of glass management
-Minimizes initial setup costs and ongoing operating expense of large deployments
-Helps maintain regulatory compliance
-Reduces WAN usage with local FortiGuard cache server
-Provides centralized device management
-Automates device provisioning and maintains policies
-Provides logging and reporting
Other:
-Mass provisioning
-Scheduled rollout of configuration changes
-Maintaining, tracking, auditing changes
-Provisioning firewall policies
-Central configuration repository
-Deploy and manage complex star and mesh VPNs
-FDS
-Script and automate device provisioning, policy changes, etc.
Key features of fortimanager (9)
-Centralized management
-Administrative domains
-Configuration revision control and tracking
-Local FortiGuard service
-Firmware management
-Scripting
-Manager panes
-Logging and reporting
-Pay-as-you-go licensing through the Fortinet VM on-demand program
When configuring SDWAN members, what do you set the gateway to when using a DHCP/PPPoE interface
0.0.0.0
What are the quick mode selectors set to for ADVPN configuration
0.0.0.0/0
UDP session state values
00 when traffic is one way
01 when traffic is two way
Client side states (TCP proto state numbers)
0=none, 1=established, 2=SYN, 3=SYN/ACK, 4=FIN wait, 5=time wait, 6=close, 7=close wait, 8=last ACK, 9=listen
How many SDWAN interface per vdom
1
If a performance SLA has multiple SLA targets how many can be used as a "required SLA target" for the lowest cost (SLA) outgoing interface strategy
1 from the same performance SLA but multiple SLA targets can be selected
Steps to configure SDWAN in FortiManager (6)
1) Enable SDWAN in central management settings for the ADOM
2) Create health check servers
3) Create interface members
4) Configure SDWAN template (interface members, SLA with health check server, rules)
5) Assign devices to the template
6) Configure SDWAN firewall policy with the SDWAN interface
What are the five load balancing modes for IPSec tunnel aggregation
1) Round robin: traffic is balanced per packet
2) L3: traffic is balanced based on layer 3 header information
3) L4: traffic is balanced based on layer 4 header information
4) Redundant: all traffic is sent through the tunnel that came up first; other tunnels are used for backup
5) Weighted round robin: traffic is load balanced in a round robin manner based on the link weights configured for each tunnel
Describe the flow that fortigate follows to select an outgoing interface based on the Lowest Cost (SLA) strategy (3)
1) SLA targets: FortiGate checks the SLA target requirements to select or eliminate outgoing interfaces
2) Cost: FortiGate checks the cost as the second criterion (cost is specified on the interface when you add it to SDWAN)
3) Interface preference: FortiGate checks the interface preference as the third criterion (the order in which it is listed)
Steps to configure SDWAN with zero touch deployment
1) Add the FortiGate cloud key to FortiCloud
2) Set up and assign a configuration template to redirect the FortiGate to FortiManager
3) Plug in the FortiGate to obtain a DHCP address
4) FortiGate obtains the central management config from FortiCloud
5) Authorize the FortiGate in the FortiManager root ADOM
6) Create an SDWAN template and push it to the FortiGate
Steps for zero touch provisioning with SDWAN (fortideploy)
1) Add the FortiGate cloud key to FortiCloud
2) Set up the configuration template with the central management configuration to redirect the FortiGate to FortiManager
3) Connect the FortiGate to a DHCP server and turn on the FortiGate
4) FortiGate receives an IP from the DHCP server and establishes a management tunnel with FortiCloud
5) FortiGate completes zero touch provisioning by obtaining the central management config from FortiGate Cloud
6) FortiGate appears as an authorized device in the FortiManager root ADOM
7) Authorize the FortiGate and assign an SDWAN template
8) Install the SDWAN configuration on the FortiGate
5 steps of zero touch provisioning with fortideploy
1) Add the FortiGate cloud key to the FortiGate Cloud panel
2) Set up a configuration template
3) Connect to the FortiGate egress port to obtain a DHCP IP address
4) FortiGate receives an IP from the DHCP server and establishes a management tunnel with FortiGate Cloud
5) FortiGate completes zero touch provisioning by obtaining configuration from the platform template in FortiGate Cloud
Application aware sdwan
1) application aware - visibility into 3000+ apps and app level transaction for better SLA
Five advanced SDWAN features the fortigate offers
1) Application aware: visibility into 3000+ apps and app-level transactions for better SLA
2) Multi-path intelligence: dynamic WAN link selection using SLA strategies and automated failover capabilities
3) Multi-broadband supported: transport independent, with support for Ethernet and 3G/4G, and aggregates multiple interfaces into a single interface
4) Simplified monitoring: high-level monitoring of SDWAN devices on a map and detailed application monitoring
5) Certified security: most verified security, such as NSS Labs, and high-performance security processor technology
Describe ADVPN message exchange (10)
1) A client behind spoke 1 generates traffic for devices located on spoke 2's network
2) Spoke 1 receives the packet, encrypts it, and sends it to the hub
3) The hub receives the packet from spoke 1 and forwards it to spoke 2
4) Spoke 2 receives the packet, decrypts it, and forwards it to the destination device
5) The hub knows that a more direct tunnel option might be available from spoke 1 to spoke 2 and sends a shortcut offer message to spoke 1
6) Spoke 1 acknowledges the shortcut offer by sending a shortcut query to the hub
7) The hub forwards the shortcut query message to spoke 2
8) Spoke 2 acknowledges the shortcut query and sends a shortcut reply to the hub
9) The hub forwards the shortcut reply to spoke 1
10) Spoke 1 and spoke 2 initiate the tunnel IKE negotiation
4 steps to configuring and using BGP tags in the SDWAN rules
1) Configure the community list
2) Configure the route map: match the community and set the route tag
3) Configure BGP and apply the route map to the BGP neighbor
4) Configure the SDWAN rule and apply the route tag
What are the steps to configure VPNs with VPN manager on fortimanager (5)
1) Create a VPN community
2) Add gateways (members) to the community
3) Install the VPN community and gateways configuration
4) Add firewall policies
5) Install firewall policies
8 Steps to get SDWAN orchestrator set up and configured
1) Enable SDWAN orchestrator
2) Plan the SDWAN network
3) Create shared resources
4) Create profiles for hub and edge devices
5) Add FortiGate devices to FortiManager
6) Add devices to SDWAN orchestrator and install SDWAN configurations
7) Install firewall policies to FortiGate devices
8) Monitor the SDWAN network
Steps to use zero touch provisioning on a fortigate without internet access (5)
1) Register the FortiGate on FortiManager
2) Connect the FortiGate to a DHCP server configured with option 240 or 241 carrying the FortiManager IP or FQDN
3) Start the FortiGate
4) The FortiGate is assigned an IP by the DHCP server and is provided with the FortiManager information
5) The FortiGate configures itself with the FortiManager IP for central management
Routing table lookup process
1) Regular policy routes: if the traffic matches a policy route, it is forwarded; if it matches a policy route whose action is "stop policy routing", FortiGate checks the route cache
2) SDWAN rules
3) Route cache
4) FIB
Describe xauth exchange
1) Server (responder) sends a CFG_REQUEST packet
2) Client (initiator) sends a CFG_REPLY packet containing the user credentials
3) If authentication is OK, the server sends a CFG_SET
4) Client replies with a CFG_ACK
What 7 settings need to be changed from their default values when configuring ADVPN from fortimanager VPN manager
1) Set protected networks to all
2) Enable ADVPN in the IPsec phase 1 with a script
3) Ensure that the add-route option is disabled on the hub
4) Enable net-device on spokes with a script
5) Configure IP addresses on the IPsec virtual interfaces
6) Configure dynamic routing and use a script to enable route reflector if using IBGP
7) The phase 1 name is automatically created by FortiManager as phase1name_0
How many bytes in a mb
1,000,000
Range for the weight for volume and session based load balancing on a member
1-255
How long does FortiOS store the SLA metrics for each interface of every health check (link quality measurements)
10 minutes
What is the default threshold that fortigate will fail to the second link (based on interface preferences) for SDWAN strategy best quality
10%
What percentage by default will SDWAN fail to the next link when best quality is used as the SDWAN rule strategy and how can you change this default
10%
config system virtual-wan-link
config health-check
edit <name>
config sla
edit <id>
set link-cost-threshold <value>
Sum of guaranteed-bandwidth-percentage of all shaping groups in one shaping profile must be no bigger than _____
100%
kb vs KB
Kilobit vs kilobyte
1000 bits vs 8000 bits
125 bytes vs 1024 bytes
1 kbit = 0.125 KB
What proto state are the kernel routes for the members participating in the performance SLA set to
17
What is the default class ID for traffic shaping groups
2
How many digits is protocol state in the session table and what do both numbers mean
2
First digit identifies whether the session is in proxy or flow (server side state)
Second digit identifies the client side state
Multi path intelligence SDWAN
2) multi path intelligence - Dynamic WAN link selection using SLA strategies and automated failover capabilities
What class IDs are within acceptable range for traffic classification by groups
2-31
How many lookups does fortigate usually perform
2. One on first packet from originator and one on first packet from responder
What DHCP option is used to use zero touch provisioning on a fortigate without access to the internet
240: FortiManager IP
241: FortiManager FQDN
Multi broadband supported sdwan
3) multi broadband supported - Transport Independent with support for Ethernet 3G/4G and aggregates multiple interfaces into single interface
How many traffic shaping groups can you configure
30 (class IDs 2-31)
For the link quality measurements, the latency and jitter that are displayed on the graph and percentages are based on the last _____ probes from the server that the performance SLA is using. The packet loss percentage is calculated from the last ________ probes from the server that the performance SLA is using.
30 probes
100 probes
How many SAs does a hub have to maintain if there are 16 remote sites
32
300 kbps in kilobytes per second (KBps)
37KBps
Simplified monitoring SDWAN
4) simplified monitoring- High level monitoring of SDWAN devices on a map and detailed application monitoring
Certified security SDWAN
5) certified security - most verified security such as NSS labs and high performance security processor technology
In which FortiOS version was ADVPN introduced
5.4
How many entries can the dynamic ISDB database hold
512
Explain how this per-IP setting would apply to a traffic shaping policy: max bandwidth 5000 kbps, max concurrent connections 5
5 Mbps per IP on the network. If there are ten users, it totals 50 Mbps of outgoing traffic. Each user will be allocated 5 Mbps of max bandwidth and five concurrent sessions at a time
What FortiOS is OCVPN supported on
6.2.0 and later
Since what FortiOS does SDWAN support ADVPN
6.2.1
Default time that fortigate tries to fetch OCVPN related data from the OCVPN cloud and what is configurable range
60 minutes Configurable between 30-120 minutes
What is traffic shaping
A bandwidth management technique that prioritizes specific traffic over other traffic whose potential loss would be less damaging. It attempts to normalize traffic peaks and bursts to prioritize certain flows over others. It adjusts how your FortiGate allocates resources to different traffic types to improve the performance and stability of latency-sensitive or bandwidth-intensive network applications
What is the ISDB
A database of well known internet service definitions made of public IP addresses and destination ports
What must be defined for unclassified traffic on a traffic shaping profile
A default class ID, so that all traffic that doesn't match a group is matched to the default class ID
What is an ISDB entry made of
A direction, which can be destination, source, or both
A reference to an IP range internal list
A reference to an IP number
What happens after you have enabled SDWAN and configured the member interfaces and the load balancing method?
A logical interface called SDWAN is added to the interface list
What is the link health monitor
A mechanism that detects when a router along the path is stopped or degraded
Describe IKE mode configuration (What is it, when does it occur, describe exchange)
A method for automatically configuring the IP settings of IPsec clients. After phase 1 is up and XAuth is completed, but before phase 2, the following exchange occurs:
1) Client sends a CFG_REQUEST message listing the required IP settings
2) Server replies with a CFG_REPLY containing the assigned values for each attribute requested
What is a shared shaper
A shared shaper applied to a policy means all traffic matching the policy will share the bandwidth that is allocated. Using a shared shaper you can reserve guaranteed bandwidth as well as maximum bandwidth. Packets will be dropped if max is exceeded
What is IPsec
A suite of protocols for authenticating and encrypting traffic between two peers. The two most used protocols in the suite are: IKE, which does the handshake, tunnel maintenance, and disconnection; and ESP, which ensures data integrity and encryption
What is SDWAN (3)
A virtual interface consisting of a group of member interfaces that can be connected to different link types
Allows effective WAN usage with various load balancing algorithms
Supports link quality measurement
SDWAN ASIC specs
A53 quad @ 1.4 GHz
DDR4-32B @ 2400
28,000 DMPS
18x network ports
36 Gbps throughput
18 Gbps IPsec throughput
CAPWAP support
What is an ADOM
ADOMs enable the admin account to create groupings of devices for administrators to monitor and manage. They divide the administration of devices by grouping them based on management criteria, and control and restrict admin access
Four main fortimanager wizards
Add device
Install wizard
Import policy
Reinstall policy
What is adding a model device in fortimanager and SDWAN orchestrator
Adding an offline FortiGate by its serial number
How does SDWAN simplify configurations
Admin can configure a single set of routes and firewall policies and apply them to all member interfaces
What is time wait client state 5
After a FIN/ACK is sent, the FortiGate keeps the session in the session table for a few more seconds to allow for any out-of-order packets
When is the session flagged as may_dirty
After traffic is evaluated against the firewall policies and allowed it is flagged (usually first packet for a new session)
Where do you configure protected subnets on fmg vpn manager
All VPN communities
What will the output of the command "get router info kernel | grep proto=17" be
All the FIB route entries that are used to reach the servers defined on the performance SLA page over each participant interface
Source ip based load balancing
All traffic from a source ip is sent to the same interface
What are SDWAN rules for
Allow you to specify which traffic you want to route through which interface based on different strategies
What is fortideploy
Allows admins to add FortiGate and FortiAP devices in bulk to their FortiGate Cloud or FortiAP Cloud accounts. It then allows admins to select a configuration template and operating system to deploy with the newly added devices.
Application control shaping
Allows bandwidth control on specific applications, application categories, and URL categories. Application control must be enabled on the IPv4 policy for application control shaping to work, and web filter must be enabled on the IPv4 policy for URL category shaping to work
What is an SDWAN template in fortimanager and what are the 4 components
Allows you to add your SDWAN components to a single template. You can add interface members, performance SLA, SDWAN rules, and neighbor
Customized profile option for the quality criteria field in the best quality strategy SDWAN rule and what is the equation
Allows you to estimate quality of link based on a combination of the same three performance measures determined by an equation. Link quality = (a*latency)+(b*jitter)+(c*packetloss)+(d/bandwidth)
What is zero touch provisioning(fortideploy)
Allows you to provision and configure fortigate and fortiap devices automatically from forticloud or fortimanager. Admins can use the fortideploy feature to configure all devices simultaneously and manage them all with a single click
Fortimeter
Allows you to turn FortiOS VMs and FortiWeb OS VMs on and off as needed, paying only for the volume of traffic that you use. These VMs are also sometimes called pay-as-you-go VMs. You must have a FortiMeter license, and the FortiMeter license must be linked with FortiManager using FortiCare
If all phase 1 settings are configured the same for an IPSec tunnel how does the fortigate choose between the two
Alphabetical order
What is forward error correction
An IPSec phase 1 setting that adds additional packets with redundant data. Recipient can use this redundant information to construct any lost packet or any packet that arrives with errors. Feature increases bandwidth usage but improves reliability on lossy or noisy links.
What is SDWAN orchestrator (3)
An application that is released and signed by Fortinet to run on FortiManager. It is part of the management extensions on FortiManager. It is used for configuring and monitoring SDWAN networks on FortiGate devices that are managed by FortiManager. It simplifies centralized deployment and enables automation
What is automatically generated when you enabled SDWAN
An implicit rule designed to balance the traffic among all the available SDWAN member links based on source IP
When the hub forwards a spoke's shortcut query (IKE message) to the desired spoke, what does spoke 2 send to the hub to be forwarded to spoke 1
An IKE message (shortcut reply) containing its public IP
What needs to be enabled in order for application and URL category shaping to work
App control and web filter profile on IPV4 policy
What two databases can SDWAN use to steer traffic along a specific link
Application control database
ISDB
What must be applied to a firewall policy if you specify an application in an SDWAN rule
Application control profile allowing the SDWAN traffic
IP DSCP app method
Application identification method. SDWAN rules are matched based on differentiated services code point values (DSCP) Traffic must be marked with IP DSCP before reaching fortigate
Application control app method
Application identification method. Fortigate identifies applications based on signatures. The well known app list is updated from fortiguard automatically. Method requires a learning phase during which the first session is required to identify the application and may not match the expected sdwan rule. After the initial learning phase, dynamic cache entries are stored in the ISDB to avoid the learning phase again
ISDB app method
Application identification method. The Internet Service Database is a DB of well known internet service definitions that is made of public IP addresses and destination ports. It is updated from FortiGuard and identifies the application immediately. It does not include all of the internet services
Custom application control app method
Application identification method. Users can define a custom application control signature.
Custom ISDB app method
Application identification method. Uses a user-defined ISDB. Admins can create custom services and can group them into service groups. The method is flexible and identification is also fast, but it requires manual maintenance.
FQDN app method
Application identification method. Uses fully qualified domain name firewall addresses as destinations. Fortigate uses DNS to resolve the FQDN to IP addresses. It's simple and fast but not as accurate for cloud services or for most well known internet service
How does SDWAN install routes for its member interfaces into the routing table
As individual routes
What are the requirements to be an alive member
As long as its configured failure threshold (link status check) has not been reached, the SDWAN member will be in the alive state even though it is failing to match the SLA target requirements
How are vpn settings stored on fortimanager for VPN manager
As objects in the objects database
After configuring all SDWAN settings what two important steps do you need to do for SDWAN to be applied
Assign to a device and create a firewall policy
How many member interfaces need to be specified for SDWAN interface
At least 2
If a FortiGate device has multiple dial-up VPNs using preshared keys and sharing the same local gateway, proposal, and DH group, what do you need to do for the FortiGate to identify the correct VPN configuration for each incoming proposal
At least one tunnel must use aggressive mode, or both use aggressive mode with different peer IDs
Fortigate SDWAN configuration requirements (4)
At least two member interfaces
Interfaces should not be referenced by another configuration element
Supports aggregate, VLAN, and IPsec interfaces
Only one SDWAN interface per VDOM
What does the IKE SA consist of
At the IKE level, a single IKE SA is established to handle secure communications both ways between the two peers. The following is an example of the type of information that would be included in an IKE SA.
Description: Example
Authentication method used: MD5
Encryption and hash algorithm: 3DES
DH group used: 2
Lifetime of the IKE SA in seconds or kilobytes: 86,400
Shared secret key values for the encryption algorithms
What does the IPSec SA consist of
At the IPsec level, SAs are unidirectional: one for each direction. A separate IPsec SA is established for each direction of a communication session. Each IPsec SA consists of security parameter values, such as a destination address, a unique security parameter index (SPI), the IPsec transforms used, the security keys, and additional attributes, such as IPsec lifetime. The SPI value becomes a unique record identifier (key field) linked to the SA parameters in the Security Parameter Databases in the RAM of peer devices. Each IPsec SA consists of values such as:
Description: Example
Peer (destination) address: 10.1.1.23
Security parameter index (SPI): 7C123A9C
IPsec transforms used: AH, HMAC-SHA-1
Security keys: 12345CD8765EF432A
Additional attributes (such as IPsec lifetime)
How to configure session route persistence and what is default
At the interface level:
config system interface
edit <interface>
set preserve-session-route (enable | disable)
Disable: FortiGate flushes all routing information from the session table after a route change and performs new routing lookups for new packets (default)
Enable: FortiGate marks existing session routing information as persistent and only applies the modified routes to new sessions
What extra option is there to enable as an outgoing interface strategy for the SDWAN rules in the CLI
Auto: FortiGate will select an SDWAN member based on the quality of the link
What commands need to be enabled on what devices for ADVPN (3)
auto-discovery-forwarder enabled on the interfaces that connect two hubs together
auto-discovery-sender enabled on the hub interface connected to the spokes
auto-discovery-receiver enabled on the spoke interface connecting to the hub
What routing protocols does ADVPN support (3)
BGP, OSPF, RIPv2/ng
SDWAN rule strategy: best quality
Based on the performance of the link. It will prefer the interface that is added to the list first and won't switch to the next member until the preferred link's quality is 10% or more worse than the quality of the next link in the list. 10% is the default but can be changed with the set link-cost-threshold command
Why should you configure SDWAN early
Because you cannot use a member interface if the interface is referenced by a firewall policy or static route
Which SDWAN strategy rules require you to specify an SLA
Best quality
Lowest cost
Max bandwidth
What SDWAN rule strategy does not use an SLA TARGET
Best quality (link cost threshold based on latency jitter packet lost or custom)
What SDWAN rule strategy requires estimated upstream and downstream bandwidth to be configured on the interface (hint 3)
Best quality with criteria: bandwidth
Upstream bandwidth
Downstream bandwidth
Phase 1 of IPSec negotiation uses a single ______ ___ and phase 2 uses two ______ for each _____
Bidirectional SA; SAs, traffic direction
What must you do on an application control profile if you are using Google signatures on an an SDWAN rule
Block QUIC traffic
Give an example of when priority would come into play for a traffic shaping profile on an interface
Both class 2 and class 3 will be assigned their guaranteed bandwidth first: 20 each out of 100. Then the remaining 60 will be allocated to class 2 because of its higher priority.
How is an ISDB entry identified
By a number starting from 65536
How are the ISDB and application control databases maintained
By fortiguard
How can traffic be classified
By the traffic shaping policy into different groups or class IDs based on matching criteria. Set the "then" to "assign shaping class ID" instead of choosing "apply shaper"
What is QoS?
Quality of service: the capability to adjust some quality aspects of your overall network traffic
Failover parameters for SLA (3)
Check interval
Failures before inactive
Success before restore
What are the acceptable value ranges for the link status configuration: check interval, failures before inactive, restore link after
Check interval: 500-3600
Failures before inactive: 1-3600
Restore link after: 1-3600
What do the following fields under link status mean: check interval, failures before inactive, restore link after, update static route
Check interval: the probe is sent every _____ milliseconds
Failures before inactive and restore link after: settings that help prevent the system from continuously transferring traffic back and forth between links (known as flapping)
Failures before inactive: switches to dead after x consecutive unanswered requests from both servers
Restore link after: switches back to alive after x consecutive responses from one of the two servers
Update static route: automatically disables static routes for inactive interfaces and restores the routes on interface recovery
config system settings
set firewall-session-dirty (check-all | check-new | check-policy-option)
What is each option
check-all: default; all policy information is removed from sessions affected by a policy change. When new packets are received, they are re-evaluated
check-new: existing sessions are unaffected; new sessions are evaluated against the modified policies
check-policy-option: sessions are handled based on the firewall policy configuration
What does the best quality SDWAN rule use the performance SLA for
Chooses link based on latency, jitter, or packet loss or custom and uses SLA for these values
Three steps to configuring interface based shaping
1) Classify traffic into different groups using a traffic shaping policy
2) Configure the traffic shaping profile: assign a percentage-based value for guaranteed and maximum bandwidth, along with a priority, to each group
3) Assign the shaping profile to an interface with outbound bandwidth configured
Command to get details on an ISDB ID (shows ID, name, direction, ip-range-number, ip-number)
config firewall internet-service
edit <ID>
get
Command to enable or disable ISDB entries in the CLI
config firewall internet-service-extension
edit <ID>
config disable-entry
Use "diag internet-service id-summary" to get the ID
Command to apply traffic shaper to firewall policy
config firewall policy
edit <ID>
set traffic-shaper <shaper name>
set traffic-shaper-reverse <shaper name>
set per-ip-shaper <shaper name>
True or false? You can apply traffic shaper to a firewall policy
config firewall policy
edit <ID>
set traffic-shaper <shaper name>
set traffic-shaper-reverse <shaper name>
set per-ip-shaper <shaper name>
When check-policy-option is configured for the global session handling what is the command to modify behavior per policy
config firewall policy
edit <ID>
set firewall-session-dirty (check-all | check-new)
next
end
Command to configure a per ip shaper
config firewall shaper per-ip-shaper
Command to configure a shared shaper
config firewall shaper traffic-shaper
CLI command to configure traffic shaping group
config firewall shaping-policy
edit <ID>
set name
set service
set srcaddr
set dstaddr
set dstintf
set class-id
Command to configure traffic shaping profile in CLI
config firewall shaping-profile
edit <name>
set default-class-id
config shaping-entries
edit 1
set class-id
set priority
set guaranteed-bandwidth-percentage
set maximum-bandwidth-percentage
edit 2
set class-id
Command to configure BGP with route map to apply route tag
config router bgp
config neighbor
edit <neighbor>
set route-map-in "name of route map that has community list and tag"
What needs to be enabled in the IBGP configuration on the hub so that routes learned from one spoke are forwarded to the other spokes
config router bgp
config neighbor-group
edit <group name>
set route-reflector-client enable
Command to configure community list
config router community-list
edit "1:2"
config rule
edit 1
set action permit
set match "1:2"
next
end
next
end
Command to configure policy routes
config router policy
Command to configure route map with community list and route tag
config router route-map
edit "name"
config rule
edit 1
set match-community "1:2"
set set-route-tag #
next
end
next
end
Command to configure a static route with SDWAN interface
config router static
edit <ID>
set dst 0.0.0.0 0.0.0.0
set virtual-wan-link enable
next
end
Command to force sessions to stay on the same SDWAN member after a route change
config system interface
edit <SDWAN member>
set preserve-session-route enable
Command to apply a traffic shaper and outbandwidth on an interface
config system interface
edit wan1|wan2
set outbandwidth <kbps>
set egress-shaping-profile <shaper name>
Command to configure the time to wait before a packet is considered lost
config system virtual-wan-link
config health-check
edit <name>
set probe-timeout <500-5000> (msec)
Command to configure sla
config system virtual-wan-link
config health-check
edit <name>
config sla
edit <ID>
set link-cost-factor [latency | jitter | packet-loss]
set latency-threshold <1-10000000>
set jitter-threshold <0-10000000>
set packetloss-threshold <0-100>
Command to configure SDWAN rule
config system virtual-wan-link
config service
edit <ID>
set name
set addr-mode
set input-device
set mode <priority | auto | manual | sla | load-balanced>
set src "all"
set input-device-negate disable
set src-negate disable
set health-check
etc.
Command to set members for the performance SLA
config system virtual-wan-link
config health-check
edit <name>
set members <0,1,2>
When SNAT is applied in a session what command determines the action fortigate takes when there is a route change? What is the default?
config system global
set snat-route-change [disable | enable]
Default is disabled
Command to configure health check for SDWAN
config system sdwan (or config system virtual-wan-link)
config health-check
edit <name>
set protocol (ping | tcp-echo | udp-echo | http | dns | twamp)
set server x.x.x.x x.x.x.x
set members
config sla
edit <ID>
next
end
next
end
Global session handling setting command and what is default
config system settings
set firewall-session-dirty (check-all | check-new | check-policy-option)
check-all is the default
Command to configure link status parameters in CLI
config system virtual-wan-link
config health-check
edit <name>
set interval <500-3600>
set failtime <1-3600>
set recoverytime <1-3600>
Command to configure SDWAN rule with route tag
config system virtual-wan-link config service edit 1 set route-tag <#> (route tag applied by a route map)
Commands to configure sdwan
config system virtual-wan-link set status enable set load-balance-mode <> config members edit <> set interface <> set gateway <> set source <> (IP for SLA probes) set cost <> set priority <> set status enable next end
Command to set load balance mode on CLI
config system virtual-wan-link set load-balance-mode <mode>, where mode is one of source-ip-based, weight-based, usage-based, source-dest-ip-based, measured-volume-based
Command to configure IPSec aggregate tunnel
config vpn ipsec phase1-interface edit <> set aggregate-member enable set aggregate-weight <> next end
In interface mode for IPSec vpn, by default static routes are automatically added to each IPSec dial up client, what should you do if you are using a dynamic routing protocol over ipsec and do not want fortigate to automatically add static routes
config vpn ipsec phase1-interface edit <phase1 name> set add-route disable
What is auto-discovery-sender enable
Configured on hub for ADVPN indicates that when IPSec traffic transits the hub, the hub should send a shortcut offer to the initiator of the traffic
What is a traffic shaping policy
Controls how and what traffic will be shaped. You will apply the shaper once the type of traffic is specified.
By default vpn zone is enabled when creating vpn communities on vpn manager, what is a vpn zone
Creates an interface zone and adds the IPSec virtual interfaces to it
In a volume based load balancing algorithm weighted distribution is based on ____ ____ of ____ across each member.
Cumulative number of bytes
Where is a member marked dead when it fails the link status check
Dead on the health-check and in all rules associated with the performance SLA (will be removed from route if that option is enabled)
What does fortigate do when net-device is enabled in the phase 1 IPSec configuration and what is default
Default is disabled. When enabled, FortiGate creates separate virtual interfaces for each dial-up client and uses the destination subnets in the quick mode selectors. Tunnel name = phase1name_index
What is the per-policy option Explain enabled and disabled and which is default
Default is disabled. When disabled, FortiGate applies the specified shaping rules to all policies using the shaper. When enabled, FortiGate applies the shaping rules to each policy individually
What do shaping profiles do
Define the percentage of the interface bandwidth that is allocated to each group (as max and guaranteed bandwidth) and define how the different shaping groups or classes of traffic are prioritized
If add-route is enabled on IPSec interface mode configuration, what is the destination of the static route
Destination subnet that is received in the phase 2 quick mode selectors
What does the session table contain
Detailed information about every IP connection that crosses or terminates at the FortiGate
Where to configure the health check servers to be used for SDWAN in fortimanager
Device manager > sdwan > health check servers
Where to create interface members for SDWAN in fortimanager
Device manager > sdwan > interface members
Where can you monitor SDWAN status in fortimanager
Device manager > sdwan > monitor
How to filter the real-time debug of IKE
diag debug console timestamp enable; diag vpn ike log filter clear; diag vpn ike log filter ? (for example mdst-addr4); diag debug app ike -1; diag debug enable
Sniffer command to match any packet with the SYN flag on to port 443
diag sniffer packet any 'tcp[13]&2==2 and port 443' 4
Command to show every session in detail
diag sys session list
Command to bring IPSec tunnel up
diag vpn tunnel up <tunnel name>
Command to collect debug information for probes, and what are the level values for ICMP, UDP, HTTP and TCP probes
diagnose debug enable; diagnose debug application link-monitor <level>: 1 server up/down events, 2 configuration changes, 4 engine events, 8 ICMP probes, 16 UDP probes, 32 TCP probes, 64 HTTP probes, 128 TWAMP probes, 256 GRE probes, 512 link detection, 1024 DNS messages, 2048 application messages, 4096 policy route messages
Command to see ISDB list in the kernel of firewall
diagnose firewall internet-service-app-ctrl list
Command to see policy routes
diagnose firewall proute list
Command to view information for the per-IP shaper (shows max bandwidth, max concurrent sessions, packets dropped, bytes dropped)
diagnose firewall shaper per-ip-shaper list name <name>
What diagnose command do you use to view information about a shared traffic shaper (shows name, max and guaranteed bandwidth, current bandwidth, priority queue value, overhead, packets dropped, bytes dropped)
diagnose firewall shaper traffic-shaper list name <name of shaper>
Command to get the ISDB entry summary (shows ID and name)
diagnose internet-service id-summary
Command to get all IPs and ports for a given ISDB entry (shows ISDB ID and name, version, timestamp, number of IP ranges, more info)
diagnose internet-service id <>
Command if you want to get information about which ISDB entry includes a specific IP and specific port (shows ISDB ID, country, region, city)
diagnose internet-service info <vdom name> <proto> <port> <ip>
Command to show ISDB entries that include a specific IP address (Shows ISDB ID, name, and matches number )
diagnose internet-service match <vdom name> <ip> <netmask>
Command to check route cache
diagnose ip rtcache list
Command to check allocated max, guaranteed and current bandwidth per class including the default class ID on an interface
diagnose netlink interface list <port> (look for "egress traffic control")
Command to collect different information regarding SDWAN members health checks and rules (name a few options)
diagnose sys virtual-wan-link <option>, with options such as member, service, health-check, neighbor, log, sla-log, internet-service-app-ctrl-list, internet-service-app-ctrl-flush
Command to collect basic information regarding SDWAN members (name some options)
diagnose sys virtual-wan-link ? lists the options: member, service, route-tag-list, route-tag-flush, health-check, neighbor, log, sla-log, intf-sla-log, internet-service-app-ctrl-list, internet-service-app-ctrl-flush, reset
Command to see the performance SLA health check values in the CLI
diagnose sys virtual-wan-link health-check
Command to show details on health check
diagnose sys virtual-wan-link health-check
Debug command for performance SLA shows port, shows state, packet loss, latency, and jitter
diagnose sys virtual-wan-link health-check <performance SLA name>
Command to see the dynamic ISDB cache/database
diagnose sys virtual-wan-link internet-service-app-ctrl-list
Debug command to check Interface specific SLA logs for the last 10 minutes
diagnose sys virtual-wan-link intf-sla-log <interface name>
Command to show detailed info about SDWAN members (shows member, interfaces, gateway, priority, weight)
diagnose sys virtual-wan-link member
Command to reset sdwan
diagnose sys virtual-wan-link reset
Command to see SDWAN rules, with members, member state, source, destination, and interface services
diagnose sys virtual-wan-link service
Command to show details on SDWAN rules
diagnose sys virtual-wan-link service <rule>
Command to show details of health check quality information in last ten minutes
diagnose sys virtual-wan-link sla-log
Debug command to debug the link monitor probe process for SLA and what are levels
diagnose test application lnkmtd <level>: 1 show memory info, 2 show VDOM monitor info, 3 show fail detection info
Command to display extra routing information such as IPSec tunnel name, bound interface and, importantly, the IPv4 route tree (shows quick mode selectors and tunnel index)
diagnose vpn tunnel list name <name of tunnel>
What should you do if you are running a dynamic routing protocol over ipsec
Disable add-route
By default what is the distance and priority assigned to a static route added automatically by IPSec when add-route is enabled and how can you change it
Distance 15, priority 0. Change with: config vpn ipsec phase1-interface edit <phase1 name> set distance <> set priority <>
Describe the initial burst approach traffic shaping uses
During transitions from no traffic to having traffic, for the first second of the transition the rate can be up to two times the configured rate. After the first second of the transition, the rate reduces to the configured rate and should stay there
What type of interfaces does SDWAN orchestrator create for generated tunnel interfaces
Dynamic interfaces with per-device mappings so they can be used on firewall policy packages
How is the ISDB updated
Dynamically updated from fortiguard servers.
Advantage of having a hub and spoke topology Disadvantages
Advantages: easy to manage the VPN configuration and firewall policies; minimal system requirements for branch office devices. Disadvantages: communication between branch offices through headquarters is slower than it would be using a direct connection; single point of failure
What is the first step in creating an SDWAN using fortimanager
Enable SDWAN central management for the ADOM in system settings System settings > all ADOMs > ADOM name > central management > SDWAN
What is this option for when configuring an SDWAN rule: Set input-device-negate disable | enable
Enable to include all interfaces but exclude the interfaces configured with the command "set input-device <interface>"
What is this option for when configuring an SDWAN rule: Set src-negate disable | enable
Enable to include all source addresses but exclude the addresses configured with the command "set src <address>"
What is this option for when configuring an SDWAN rule: Set default disable | enable
Enable to use SDWAN as the default service With disable FIB lookups are done to validate the route to the destination
Interface based shaping
Enable traffic controls based on percentage of the interface bandwidth
Per ip traffic shaping
Enables you to apply traffic shaping to all source IP addresses in the security policy
Policy shaping
Enables you to define the maximum bandwidth and the guaranteed bandwidth set for a security policy
Per IP shaping
Enables you to define traffic control on a more granular level
What is ESP
Encapsulating security payload Part of the IPsec suite of protocols ensures data integrity and encryption
What is the guaranteed bandwidth option for shared shaper
Ensure there is a consistent reserved bandwidth available for traffic passing through the policy. Traffic should be significantly less than the bandwidth capacity of the interface. If not it will cause unwanted latency for other traffic passing through that shaper policy.
If a session is flagged as May_dirty and there is a policy change the session is flagged as dirty as well. Where do offloaded session packets go in this case?
Even if they are offloaded the next packet in a dirty session will go to the CPU
Why would you need to set the source ip for SDWAN probe traffic and what if it's set to 0.0.0.0
For example, if you are sending it over a VPN tunnel and only a specific subnet is allowed. If set to 0.0.0.0, FortiGate uses the primary IP address of the SDWAN member interface as the source IP
After a static route is removed (such as an SDWAN member becoming dead) what happens?
Existing sessions are revalidated
True or false: when a device is added to fortimanager it can automatically be used in SDWAN orchestrator
False devices must be added to SDWAN orchestrator separately
True or false. SDWAN can't be integrated with OCVPN
False it can
True or false: NAT is not supported for ADVPN
False it is supported by the on demand tunnels
True or false. Only one SLA target can be selected as the required SLA target for the lowest cost (SLA) outgoing interface strategy for SDWAN rules
False multiple can be selected. All the selected SDWAN member interfaces must satisfy ALL of the selected SLA targets to be considered as a selection for the outgoing interface
True or false. SLA targeted are required
False, they are optional
True or false. You should use SDWAN manager on fortimanager first and then SDWAN orchestrator
False you should not use SDWAN manager if using orchestrator
True or false. You have to add fortigate to fortimanager before adding it to SDWAN orchestrator
False. It is recommended to add it to fortimanager first but you can add it to SDWAN orchestrator first
True or false. Only one SLA target can be created per performance SLA
False. Multiple can be created, although there are limited scenarios where you would want to do that
True or false: the default route using SDWAN requires two gateways to be defined instead of one
False. You define associated gateways when you configure the member interfaces under SDWAN virtual interface
ADVPN dynamic spoke-to-spoke shortcuts
Feature that allows SDWAN to combine a dynamic shortcut tunnel between spokes and the static tunnel to the hub. When the static tunnel to the hub is referred to in the SDWAN rules, the rules will add a dynamic shortcut tunnel automatically when a shortcut tunnel is established
What two things can you configure with the SDWAN virtual interface instead of separate interfaces
Firewall policy and static routes
A route with a lower priority would be chosen _____
First
Why may a session not match a configured SDWAN rule In a new deployment
First session is required as a learning phase to identify the application and may not match expected SDWAN rule
How is VPN manager enabled on fortimanager
For each ADOM in the system settings > ADOM > ADOM name > central management
What is the "set link-cost-factor" command used for: config system virtual-wan-link config service edit <> set link-cost-factor [latency | jitter | packetloss]
For the SDWAN rules when you select best quality for the strategy on selecting outgoing interfaces
Requirements for a fortigate to participate in OCVPN
FortiOS 6.2.0 and later Fortigate must have internet access Must be registered to forticare using same forticare account
What four components overall make up the Fortinet Secure SDWAN solution
Fortigate Fortimanager Fortianalyzer Fortideploy
What happens if net-device is disabled in the IPsec phase1 config
Fortigate creates a single IPSec virtual interface that is shared by all IPSec clients connecting to the same dial up vpn. In this case the tunnel-search setting determines how fortigate learns networks behind each remote client.
Instead of the admin actively directing and pushing out devices in response to network topology changes how does OCVPN propagate these changes
Fortigate devices use device polling to propagate changes across nodes in the VPN
For the guaranteed bandwidth feature what does fortigate do if the flow does not achieve the configured rate
Fortigate increases the packet priority queue in effort to increase rate
What are the requirements to use zero touch provisioning feature (2)(fortideploy)
Fortigate must have internet access and a DHCP server must assign an IP address to the fortigate interface
What is the FIB
Forwarding Information Base is used for management and is generated by the routing process. Used for packet forwarding information. In HA the FIB exists on both members but the routing table only exists on the primary
How are SDWAN rules evaluated
From top down
What topologies does OCVPN offer
Full mesh Hub and spoke (with or without ADVPN )
Advantages and disadvantages of full mesh
Full mesh connects every location to every other location. The topology causes less latency than hub and spoke and requires less HQ bandwidth. Disadvantages: every spoke FortiGate must be powerful, and administration and troubleshooting are more complicated
What's proto options are available in GUI and CLI for the link health monitor probing
GUI: ping, HTTP, DNS. CLI: ping, HTTP, tcp-echo, udp-echo, TWAMP, DNS
What is it called when fortigate initially selects the wrong phase 1 and switches to a different one
Gateway revalidation
What is the implicit rule for SDWAN rules
Generated when SDWAN is enabled. Used when other conditions are not met and is designed to balance the traffic among all the available SDWAN member links
Command to verify which IPSec tunnels are up
get ipsec tunnel list
Command to get prefixes received and next hops for each destination for BGP
get router info bgp network
Command to see FIB
get router info kernel
When you look at the session table you will see dev->/dev -> indicating the ingress and egress ports for the traffic. How do you determine which ports they are being mapped to
get router info kernel; it shows dev=#(port#)
Command to see routing table
get router info routing-table all
Commands to verify there are BGP prefixes being received over the tunnels
get router info routing-table all; get router info bgp network; get router info bgp neighbors <tunnel ip> received-routes; get router info bgp summary
Command to show brief summary of each session including protocol source ip, destination ip, and port
get sys session list
Command to see total number of IPV4 sessions for the current vdom
get sys session status
Fortimanager management layers and sub layers (3)
Global ADOM layer: global objects, all header and footer policies. ADOM layer: common object database, devices, device groups and policy packages. Device manager layer: name and type of managed devices, addresses, revision history, real-time status, model, firmware
What level is session handling for firewall policies configured at
Globally or at VDOM level if VDOMs are enabled
What utility can be used to sort through the session list (get sys session list) for a specific IP
Grep
Name some preconfigured traffic shapers
Guaranteed 100 KBPS High priority Low priority Medium priority Shared 1M pipe
What is the purpose of configuring two server beacons for link health monitor
Guards against the server being at fault and not the link
What will an on demand tunnel look like (both through a VPN created on fmg vpn manager and one directly on fortigate )
H2S_0 H2S_0_0 Phase1vpnname_0
diagnose debug application link-monitor 64
HTTP probe debug for link monitor
What options are there for the traffic priority drop-down when creating a traffic shaper
High medium low
For the RETRIEVE_CONFIG option of SDWAN orchestrators first online action what type of settings are retrieved (4ish)
Host name WAN port LAN/DMZ port Static route
What does the thickness of the line on the map represent on SDWAN orchestrator
How much traffic is flowing over the link
diagnose debug application link-monitor 8
ICMP probe debug for link monitor
What methods does a fortigate support for automatically configuring the IP settings of IPSec clients (3)
IKE mode configuration DHCP over IPSec L2TP over IPSec
When does gateway revalidation apply (3)
IKEv1 with certificate authentication IKEv2 with preshared key authentication IKEv2 with certificate authentication
What two formats are accepted for specifying a link health monitor server
IP or FQDN
What does application control rely on to identify the application (besides signature)
IPS engine, in order to identify the upper layer protocols (the kernel cannot do this; the kernel can only identify NTP, DNS and ICMP)
When OCVPN is enabled on fortigates registered to the same forticare account what is generated automatically
IPSec phase1 and 2 configuration, static routes, and firewall policies are generated automatically
What IP version does ADVPN support
IPv4 and ipv6
Format of a traffic shaping policy (___+____)
If + then
For a fortigate without internet access, that is managed by a fortimanager, what is employed to prevent fortimanager IP Spoofing (this is for FMG access on a lan or lab)
If a different fortimanager IP comes from the DHCP server at a later time fortigate will not change the central management configuration
When would an SDWAN member assigned to a performance SLA be selected over the other participating links
If it meets the SLA target and the others don't
Describe the two tunnel-search setting: nexthop for phase1 of a dial up vpn
If net device is disabled and tunnel search is set to nexthop fortigate does not use the quick mode selectors to learn about remote networks. Fortigate will learn those routes with the assistance of a dynamic routing protocol configured to run over the IPsec tunnels
What exception is there to the usual two route lookups that fortigate performs
If there is a route change route information is flushed from affected sessions and route cache entries
When is the session flagged as blocked
If there is no matching firewall policy or it matches a deny policy
What does the phase2 route-overlap setting define
If two remote sites share the same subnets they might create overlapping static routes on the central fortigate. This phase 2 setting defines what action fortigate will take if a new remote site is connecting and there is already a remote site connected with an overlapping subnet
In what cases would SNAT-route-change enabled be used
If you are not using SDWAN or a link monitor, you have multiple ISPs and one link goes down. If you have multiple ISPs and you change a route attribute for one of the static routes, such as priority
What does it mean to add member "0" to the participants for a performance SLA and where is this done
In the CLI and it is equivalent of adding all SDWAN members to the SLA
Fortimanager management model
In the global ADOM layer you create header and footer policy rules that can be assigned to multiple ADOMs. In the ADOM layer, objects and policy packages in each ADOM share a common object database; you can create, import from and install a policy package on many managed devices at once. In the device manager layer you can configure and install device settings for each device. FortiManager compares the current configuration to the changed configuration and creates a new configuration revision on FortiManager.
Where is the ISDB loaded
In the kernel
Even though you must configure routes using SDWAN virtual interface fortigate installs _____ ______ for the member interfaces in the routing table
Individual routes
By design, traffic Shaping configured in a firewall policy, application list, or traffic shaper policy uses an ________ ______ approach
Initial burst approach
How do you push vpn settings for the fortimanager vpn manager to devices
Installing policy package
Icmp protocol state
It has no state; proto_state is always 00
Why is it recommended to enable SSL deep inspection on policies when you use application control profiles
It improves the accuracy of application detection
What happens if you add a fortigate to SDWAN orchestrator before adding it to fortimanager
It is automatically added to fortimanager
Why would you configure cost for an SDWAN interface
It is used in the SDWAN rules strategies Lowest Cost and Maximize Bandwidth options
Can OCVPN use multiple wan links at once
It supports multiple but will only use one at a time
For any incoming IPSec connection, how does fortigate select which phase1 to use
It uses the first phase 1 (in alphabetical order) that matches the following: Local gateway IP Mode (aggressive or main) Peer ID if aggressive mode is used (b/c aggressive includes peer ID in first packet) Authentication method (psks and certs) Digital certificate information Proposal DH group
If no policy routes (regular policy route or SDWAN rule) matches the traffic, fortigate will perform a FIB lookup. If the FIB resolved interface is an SDWAN member what does the fortigate do
It uses the load balancing method configured in the implicit rule
How does fortigate route properly when tunnel search is set to next hop
It uses the remote IPs for the tunnel interfaces learned through the IKE messages and interface index then routes to the destination learned through the dynamic routing protocol
How does fortigate route properly when tunnel search is set to selectors
It uses the subnets learned through the quick mode selectors and the tunnel indexes
What happens if traffic does not match any traffic shaping policies
It will go through implicit policy
How can you tell if a policy route is an SDWAN rule from the command diagnose firewall proute list
It will say vwl_service and vwl_mbr_seq
With the SDWAN rule setting configuration set to default enable + gateway enable what does fortigate do
It will select the first outbound interface in the SDWAN policy route and will skip the FIB lookup
How would a reverse shaper affect YouTube
It would affect not just upload but download speed as well
When you configure traffic shapers you configure bandwidth values as ____ but in CLI and GUI stats you see bandwidth in _____
Kilobits Kbps Kilobytes KBps
What three criteria are used to measure the quality of the links connected to the member interface participating in a performance SLA
Latency Jitter Packet loss
For the best quality SDWAN rule strategy what are the options for quality criteria
Latency Jitter Packet loss Downstream Upstream Bandwidth Customized profile
What sections make up the performance SLA
Link health monitor SLA targets Link status
Customized profile equation
Link quality = (a*latency)+(b*jitter)+(c*packetloss)+(d/bandwidth)
Process responsible for performing performance SLA probes
Lnkmtd
Common session flags (11)
Log = session is being logged Local = session is to/from local stack Ndr= session will be checked by IPS signature Nds= session will be checked by IPS anomaly Br= session is being bridged (TP mode) Npu = session can be offloaded to npu Wccp = web caching Npd = session cannot be offloaded to NPU Redir = session is being processed by an application layer proxy Authed= session was successfully authenticated Auth=session requires or required authentication
What type of traffic log and column should you use to verify that traffic is egressing the correct SDWAN member interfaces
Log and report > forward traffic Destination interface
What rule option uses SDWAN member interface cost
Lowest cost
Which SDWAN rule strategies require the SLA TARGETS
Lowest cost, maximize bandwidth
What rules require an SLA target to be defined
Lowest cost Maximize bandwidth
What will a debug flow say if a packet is exceeded max concurrent connection limit and denied for per ip shaper
MSG="blocked by quota check, dropepd"
What will a debug flow say if packets are exceeded the maximum bandwidth and being dropped for a shared shaper
MSG="exceeded shaper limit, drop"
What SDWAN rule strategy does not depend on performance SLA or SLA targets
Manual
What 4 strategies can be used for SDWAN rules to route traffic through an outgoing interface
Manual Best quality Lowest cost Maximize bandwidth
What two views can you monitor SDWAN on fortimanager
Map view and table view
Which SDWAN rule strategy does not take cost or interface preference into consideration
Maximize bandwidth (SLA)
Link health monitor
Mechanism for detecting when a router along the path is stopped or degraded Used so fortigate can check the status/health of each SDWAN member interface participating in a performance SLA by periodically sending probing signals through each member link to a server that acts as a beacon.
What things must be specified under an SDWAN interface (2)
Member and its associated gateway
Advantages and disadvantages of a partial mesh topology
Minimizing required resources of a full mesh but reduces latency from a hub and spoke. Partial mesh is appropriate if communication is not required between every location Disadvantage is that fortigates configuration is still more complex than a hub and spoke and routing requires more planning
What is recommended to do with the policy blocks that are automatically installed to fortimanager by SDWAN orchestrator
Move them to the top of the policy package
Formula for required VPN tunnels
For N sites: N(N-1)/2 tunnels
What are the three first online action options to choose from when adding a device to SDWAN orchestrator
NONE: manually initiate the configuration installation after adding the device to the orchestrator. RETRIEVE_CONFIG: import some of the configuration settings from the device when the device comes online for the first time; settings such as host name, WAN port, LAN/DMZ port and static route are imported. SYNC_CONFIG: install the SDWAN orchestrator configuration associated with the profile when the device comes online for the first time
What 5 options are there for PerIP traffic shaper
Name Max bandwidth Max concurrent connections Forward DSCP Reverse DSCP
When you add a fortigate device to SDWAN orchestrator what do you assign to the device
Name Profile name First online action Region
Where can you monitor SDWAN link status
Network > performance SLA > graph
What is the dual VPN wizard
Network > sdwan Edit SDWAN member Interface + vpn Used to automatically set up multiple VPN tunnels to the same destination over multiple outgoing interfaces for redundancy. Includes automatically configuring IPSec, routing and firewall settings
What is the gateway used for when configuring member interfaces
Next hop IP used to create the kernel route for each performance SLA and also used for the static routes created by the SDWAN virtual interface
Are ADOMs enabled by default
No
Is cost or preference taken into consideration for the maximize bandwidth (SLA) strategy?
No, only whether the members meet the SLA targets
Where can you check OCVPN license type, device information and network topology
OCVPN portal Contains license type Device information including serial number, OCVPN rule, host name, public IP address, port number, overlays Topology
Where are configured traffic shaping profiles applied
On network > interfaces > select interface > traffic shaping
When is the session flagged as dirty
On the first packet before it is evaluated against policies and if there is a change in policy configuration any existing may_dirty sessions will also be flagged as dirty
If you are configuring a primary hub and secondary hub for OCVPN how are overlays configured
On the primary and the cloud will sync them to the secondary
What two policy blocks does SDWAN orchestrator create on fortimanager and what are they for
One for hub devices (SDWAN_Overlay_PB_HUB) One for edge devices (SDWAN_Overlay_PB_EDGE) The policy blocks include the necessary firewall policies to allow health check and negotiate traffic for VPN tunnels
Why are two SAs required to secure traffic from peer-to-peer
One for inbound and one for outbound traffic
What direction is a shared shaper applied to
Only outbound traffic
What happens if update-static-route is enabled for the performance SLA
Only static routes for the dead member with the same next-hop are removed from the routing table Static routes for the dead member that are routed through a different next hop are kept on the RIB/FIB
Does OCVPN support vdoms
Only supported on the root vdom
How does SDWAN orchestrator work with fortimanager to install the configuration on fortigate (3)
Orchestrator automatically generates CLI scripts of the configuration Orchestrator installs the CLI scripts to the device manager database on fortimanager Fortimanager receives the CLI scripts and fortimanager installs the configurations on fortigate
How can traffic shaping policy be used for interface based traffic shaping
Organizes traffic into groups so that a shaping profile can be applied to the groups which defines the percentage based values for guaranteed and max bandwidth and priority
Where in the session table can you see shared shaper information and other detailed information like packet drop counter
Origin-shaper Reply-shaper
Oif
Outgoing interface
What is OCVPN
Overlay controller vpn cloud based solution for provisioning and setting up IPSec VPN. When OCVPN is enabled on fortigate devices that are registered to forticare using the same forticare account, IPSec phase1 and 2 configuration, static routes, and firewall policies are generated automatically
What must be the same on the OCVPN config on each fortigate for the local and remote selectors pairs to be negotiated
Overlay names
SDWAN orchestrator automatically establishes _____ between all hubs
Overlays
What happens if maximum bandwidth is exceeded for traffic shaping
Packets will be dropped
What is IKE
Part of the IPsec suite which does the handshake, tunnel maintenance, and disconnection Phase 1 and phase 2 Negotiates the tunnels private keys, authentication, and encryption Allows parties involved in a transaction to set up their security associations
Where in the session table can you see per_ip_shaper shaper information
Per_ip_shaper
Explain IPSec aggressive mode exchange
Phase 1 3 packet exchange 1) initiator starts by suggesting the security policies and providing its DH public value and peer ID 2) responder replies with the same information + hash 3) initiator sends its hash payload
Explain IPSec main mode exchange
Phase 1 6 packet exchange 1) initiator proposes security policies (ISAKMP policies) 2) responder selects which security policy it will agree to use and replies 3) initiator sends its DH public value 4) responder replies with its DH public value 5) initiator sends its peer ID and hash payload 6) responder replies with its peer ID and hash payload
What settings do you configure for vpn community on vpn manager
Phase 1 and phase 2 Authentication and encryption settings for phase 1 Diffie Hellman Key life Dpd Phase 2 PFS Replay detection
What phases and options are there for IKE
Phase 1 main or aggressive mode Phase 2 quick mode
What type of interfaces does SDWAN support (4+)
Physical VLAN Aggregate IPSec interfaces Others
What are the measurement techniques for SLA (5)
Ping Http TCP echo UDP echo TWAMP
Diag dvm device list on fmg Pkg: modified Cond: ok
Pkg= policy package status Cond= device database status Conn= firewall up or down Conf=configuration status Db= device database status
Where to configure traffic shapers
Policy and objects > traffic shapers
Where to create a traffic shaping policy in GUI
Policy and object > traffic shaping policy
How do you modify an ISDB in the GUI
Policy and objects > internet service database Enable or disable
Where can you see stats on traffic shapers including current bandwidth utilization And dropped bytes
Policy and objects > traffic shapers
Where to configure traffic shaping profile in gui
Policy and objects > traffic shaping profile
SDWAN rules are treated as _______ routes
Policy based routes
Proute
Policy route
What type of routes are SDWAN rules
Policy routes
Which routes take precedence on fortigates
Policy routes
Which gets checked first policy routes or SDWAN routes
Policy routes then sdwan routes
What order does fortigate perform policy lookups
Policy-based routes: If a match occurs and the action is to forward, traffic is forwarded based on the policy route. SDWAN rules Route Cache: If there are no matches, FortiGate looks for the route in the route cache. Forwarding Information Base, otherwise known as the kernel routing table. If no match occurs, the packet is dropped.
With command diagnose sys virtual-wan-link health-check what do you see
Port member State (alive or dead) Packet loss percentage Latency in ms Jitter in ms Sla_map
For ADVPN over OCVPN to work at least one device must announce it's role as ____ _____
Primary hub
What role does priority assignment play when assigning bandwidth to a group or class within a traffic shaping profile
Priority decides which class can win when multiple classes are competing for available bandwidth
Pro and con of ISDB app method
Pro is it identifies an application immediately and is managed by fortiguard. Con is that it does not contain all internet services
Pros and cons of FQDN app method
Pro is it is fast but not as fast as the other options b/c it needs to use DNS. Con is it is not accurate for cloud services or for most well known internet services
Pro and con of IP DSCP app method
Pro is that it can help integrate SDWAN with an existing architecture. Con is that there is less control over traffic identification: it must be marked with an IP DSCP value before it reaches fortigate, and users or applications may interfere with the marking
Pros and cons of custom ISDB app method
Pro is that it is fast and flexible. Con is that it requires manual maintenance
Pro and con of application control app method
Pro is that the fortigate identifies based on app signatures and the well known app list is managed by fortiguard. Con is that it requires a learning phase to identify the application and the first session may not match the expected SDWAN rule. After the learning phase a dynamic cache entry is stored in the ISDB to avoid the learning phase
What is SDWAN orchestrator profile
Profile creates a template that defines general system, network, and business policies for devices in SDWAN networks
What does the diag sys session list command show
Protocol number (proto=) Protocol state(proto_state=) Expiration (expire=) Traffic shaper counters (origin-shaper reply-shaper) Session flags (state=) Rx and Tx Statistics (statistics) SNAT and DNAT for each direction(origin->sink) Source mac of packet (src_mac) PolicyID (policy ID=) Hardware accel counters (npu_state, NPU info: VLAN)
When the hub sends a shortcut offer to a spoke informing it that it can negotiate a direct connection, the spoke sends a FortiOS specific IKE message (shortcut query) with what information (4)
Public ip Local subnet Desired remote subnet Auto generated PSK or digital cert
_____ Can be a useful tool for optimizing the performance of the various applications on your network
QOS
What is traffic queuing?
Queuing ensures that packets are transmitted in order of their assigned priority Q for that physical Interface
Plan your SDWAN network topology based on what two principles
Regions- each device should be added to corresponding region depending on how network is structured geographically Hub and edges- defining the roles of each fortigate device
How to configure OCVPN for the fortigate (6)
Register device on forticare account VPN > overlay controller vpn Enable OCVPN Select the role (hub or spoke) Select a WAN interface Create a new overlay, specifying name, local subnets, and local interface
What must you do before you can configure OCVPN on the fortigate itself
Register the fortigates to the forticare account and then you can go to VPN > OCVPN on the fortigate
In what way is traffic load balanced between members for the maximize bandwidth (SLA) outgoing interface strategy
Round robin session based
What does the kernel perform first? Route lookup or policy lookup
Route then policy
What is a security association
SA is the basis for building security functions into IPSec A security association is the establishment of shared security attributes between two network entities to support secure communication. An SA may include attributes such as: cryptographic algorithm and mode; traffic encryption key; and parameters for the network data to be passed over the connection.
What two components does secure SDWAN encompass
SDWAN (SDWAN, QoS, VPN) + NGFW (app control IPS AV URL sandboxing ssl inspection)
SDWAN configuration components (5) main (10 subtypes)
SDWAN - interfaces rules SLA Routing - static BGP Security - policies and profiles VPN - IPSec tunnels QoS - traffic shapers, policy, profile
Difference between SDWAN implicit load balancing methods vs ECMP load balancing method
SDWAN includes one more: volume
Where to add devices for SDWAN orchestrator
SDWAN orchestrator > configuration > device
Where in GUI do you create profiles for SDWAN orchestrator hub and edge devices
SDWAN orchestrator > configuration > profile
How does SDWAN use BGP tags
SDWAN rules can use BGP learned routes as dynamic destinations You can accept a route that matches a community and set a tag to the routes These tags can be used as dynamic destinations in the SDWAN rules
How can SDWAN work with ADVPN(3)
SDWAN rules can use the shortcut VPN to forward traffic between spokes Dynamic shortcut tunnels and the static tunnel to the hub are combined into one SDWAN member When the shortcut tunnel is established the traffic through SDWAN will go through the shortcut tunnel rather than through the hub
What makes fortinet SDWAN ultrafast (app identification and steering)
SOC4 chip
When using the application control database for SDWAN rules and policies with app control UTM what should you use for an accurate application identification
SSL deep inspection
Auth flag
Session requires or required authentication
Where is routing information written on the fortigate for each session (2)
Session Table and route cache
Which load balancing methods use weights configured on each SDWAN member
Session and volume based
Npu flag
Session can be offloaded to NPU
Npd flag
Session cannot be offloaded to NPU
Br flag
Session is being bridged (TP mode)
log flag
Session is being logged
Redir flag
Session is being processed by an application layer proxy
Authed flag
Session was successfully authenticated
Nds flag
Session will be checked by IPS anomaly
Ndr flag
Session will be checked by IPS signature
In a session based load balancing algorithm weighted distribution is based on the number of ____on each SDWAN member
Sessions
Weight based load balancing
Sessions Interfaces with higher weights have a higher priority and get more traffic
What is session route persistence
Sessions passing through that interface will continue to pass without being affected by a route change. Route changes will apply only to new sessions. This is applied at the interface level when SNAT is not applied
IBGP configuration of a hub participating in ADVPN
Set AS the same as the remote AS In the neighbor group Enable set route-reflector-client enable in the neighbor group In the neighbor range set the neighbor group and prefix range for the overlay subnet Add protected subnets for the hub
IBGP configuration for spoke participating in ADVPN
Set asn Config neighbor as the hub ip and set remote asn Define protected subnet for the spoke
What needs to be configured on the ADVPN spoke
Set auto-discovery-receiver enable Set ip on the tunnel interface Set net-device enable
What needs to be configured on the ADVPN hub (5)
Set net-device disable Set add-route disable Set tunnel-search nexthop Set auto-discovery-sender enable Assign an ip to the tunnel interface
What gets imported from the device when you select RETRIEVE_CONFIG for the first online action for add device in SDWAN orchestrator
Settings such as host name, WAN port, LAN DMZ port and static route are imported
What 5 things are specified when creating a shared traffic shaper
Shared or per ip Name Priority Max bandwidth Guaranteed bandwidth DSCP
What three traffic shaping methods does the fortigate offer?
Shared policy shaping Per IP shaping Interface based shaping
What 4 differences are there when configuring a shared shaper vs per-ip shaper (2 each)
Shared shaper will have you configure a priority and guaranteed bandwidth does not have concurrent connections Per ip shaper will have you configure max concurrent connect and reverse and forward DSCP does not have priority or guaranteed bandwidth
Diagnose sys virtual-wan-link health-check
Shows information like packet loss, latency, jitter for the servers acting as the beacons
What type of hub and spoke architecture is supported by ADVPN
Single or multiple hub
Why do you need to configure the hub as a route reflector when using IBGP for ADVPN
So routes learned from one spoke are forwarded to the other spokes
Why would you configure priority for an SDWAN interface member
So the priority can be used for SDWAN rules or priority rules
What is ADVPN
Solution based on IKE and IPSec Provides direct connectivity between all sites by creating on demand tunnels between spokes Benefit of full mesh topology while providing scalability with minimum configuration
What options are there for controlling the type of traffic matched on a shaping policy
Source IP Destination IP Service Application URL category
What parameters can be used with SDWAN rules to match traffic (7)
Source IP User group Destination Ip Destination port number ISDB address objects as dest Firewall application as dest ToS
SDWAN load balancing methods (5) what is default
Source IP (default) - sessions from the same source IP address use the same interface Source destination IP - sessions with the same source and destination IP pair use the same interface Spillover - use one interface until the threshold is reached then use the next Sessions - sessions will be distributed based on weights assigned on the interfaces Volume - sessions are distributed so the traffic volume is distributed by the interface weights
What criteria is defined is defined on a traffic shaping policy
Source address Destination address Service Application URL category Name Shaper to apply Outgoing interface
Source-dest-IP-based load balancing
Source and destination IP All traffic from a source IP to a destination IP is sent to the same interface
What is configured on an interface for a traffic shaping profile to be applied
Specified profile Outbound bandwidth
What three things are configured in a traffic shaping profile
Specify group (class ID) Set max and guaranteed bandwidth Set priority
Usage based load balancing
Spillover All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spillover limit the new traffic is sent to the next interface
What VPN communities are the hub and spoke roles provided as options in VPN manager
Star and dial up
What type of WAN IPs does OCVPN support
Static and dynamic
What traffic and routes does the SDWAN implicit rule only apply to
Static routes
Interface weight on an SDWAN member only applies to ____ ____
Static routing
What account can enable and create ADOMs
Super_user
What type of user can enable management extensions in fortimanager
Super_user
What protocol is TCP and what is UDP
TCP 6 UDP 17
Diagnose debug application link-monitor 32
TCP probe debug for link monitor
What protocols are available to use for SLA probing in the CLI that are not in the GUI
TCP-echo UDP-echo Twamp
Diagnose debug application link-monitor 128
TWAMP probe debug for link monitor
What do the green arrows on the link quality measurement (performance SLA page) indicate
That the server is responding to the health check, regardless of the packet loss latency and jitter values. Does not mean the SLA targets are being met.
Where are the routes for the link health monitor added (for the beacon probing)
The FIB
If you assign multiple classes the same priority on a shaper profile how is bandwidth allocated after guaranteed limits have been reached
The allocation to each class will be proportional to its guaranteed bandwidth percentage. Example: all classes will be assigned their guaranteed bandwidth first, which is 20 for class 2, 20 for class 3, and 30 for class 4. The remaining 30 will be allocated to class 2 and 4 because of the higher priority. The allocation of the remaining will be proportional to the guaranteed bandwidth. In this case it is 12 for class 2 (30 mbps * 20/50) and then 18 for class 4 (30*30/50)
What is the requirement to select an outbound interface when SDWAN rule settings are set default and set gateway disable (1)
The best match to the destination must be an SDWAN member A policy route outbound interface is considered acceptable only if it has a FIB route to the destination The first OIF filling this requirement is selected
What is helpful for troubleshooting when SDWAN member interface routes are removed from or added to the routing table
The event logs
Describe the learning phase of the application control app identify method
The first session is required to identify the application and may not match an expected SDWAN rule. After the learning phase dynamic cache entries are stored in the ISDB to avoid the learning phase again. Kernel matches policy based on IPv4 headers. It flags the session as may-dirty with app 0, allows the session, and sends traffic to IPS to identify layer 7 info; IPS flags it as dirty so the kernel will reevaluate. After IPS identifies the app it adds an entry to a dynamic ISDB with the destination IP and port. Any further session to the same destination will use the ISDB entry to immediately identify the app. This entry will be pushed to the kernel firewall
What rule is the load balancing algorithm configured on
The implicit rule
Where are the dynamic ISDB entries pushed after IPS identifies the application
The kernel firewall
If bandwidth is exceeded what traffic will be dropped first when there are traffic shapers configured
The ones with the lowest priority configured on the policy or on the profile
What is defined by an SLA target
The quality of the link Jitter Latency Packet loss
What does the fortigate do after a change in the routing table when it is not applying SNAT (3)
The routing information is removed from the sessions that are affected by the change, session is flagged as dirty, and related route cache entries are deleted Route lookup is done again for the next packets (2 total) one for originator and one for responder
What is outbandwidth for on the interface that a traffic shaper profile is applied to
The shaper uses outbound bandwidth as maximum link speed to shape traffic. It is the bandwidth of the link
What will the routing table look like with the command get router info routing-table all when you have SDWAN configured
There will be individual static routes with both gateways applied and equal routing attributes (dest address and subnet, distance, priority) so fortigate can remove individual routes in the event of an interface outage and redirect to the remaining members without affecting the whole SDWAN load balance group
What is a vpn gateway on vpn manager and what are the two types
They are the fortigates that will be assigned to a community and have a vpn tunnel configured on them Managed - managed by fortimanager in the current ADOM External - devices not managed by fortimanager or devices in a different ADOM
VPN community on fortimanager and what are the three types
They contain the common ipsec settings (phase 1 and phase2) that are shared by all the IPSec gateways members of the community Full mesh Star Dial up
What are business rules in sdwan orchestrator profiles
They define routing policies between subnets in SDWAN networks or defines how traffic from SDWAN subnets accesses the internet. Orchestrator includes predefined business rules in profiles.
What other options besides protocols can you configure in the CLI for the health-check that are not available in the GUI (3)
Threshold-warning and threshold-alert for packet loss percentage, latency ms, and jitter ms HA election priority Enable/disable system DNS as probe server
When net device is disabled and tunnel search is set to next hop how does fortigate learn the remote ips of the clients
Through the IKE messages (IPs on the IPSec virtual interfaces of the clients)
What is the max concurrent session option for per ip traffic shaping
Total number of simultaneous connections each source IP can have
What is traffic policing?
Traffic policing is dropping packets that do not conform to bandwidth limitations.
Shapers will allow you to define how traffic will flow by setting the ____, ____, _____
Traffic priority Bandwidth DSCP options
_____ Are the point of control where you can define bandwidth values and priority and then use them in traffic shaping policy
Traffic shapers
SDWAN rules: maximize bandwidth (SLA)
Traffic will be load balanced among all the members that satisfy the SLA target and if there are multiple SLA targets traffic will be load balanced between members that meet all the targets. Traffic is load balanced using session based round robin
True or false. Preshared key is NOT part of the matching criteria when choosing phase 1 settings
True
What do the virtual interfaces that are created by the set net-device enable command look like
Tunnel name = phase1name_index
How many servers can be used as a beacon for link health monitor
Two
What is an aggregate IPSec tunnel
Two or more IPSec tunnels between two sites can be combined to create an aggregate tunnel. Similar to LACP port aggregate. One single interface for routing and firewall policing
What is twamp
Two way active measurement protocol defines a standard for measuring round-trip network performance between any two devices that support the TWAMP protocols. The TWAMP-Test protocol is used to send and receive performance-measurement probes
When an IPSec tunnel is traversing NAT how is ESP encapsulated
UDP over port 4500
Diagnose debug application link-monitor 16
UDP probe debug for link monitor
Where do you turn off add route on fmg vpn manager
Under the VPN gateway configuration of the hub
How long do on demand tunnels remain active for ADVPN
Until the SAs are manually flushed or until they time out
How long do sessions with the block flag stay in memory in the session table and what happens to packets matching a session with the block flag
Until the session expires all packets matching will be dropped
What needs to be configured in the CLI to use the bandwidth link criteria options (3) for the SDWAN rule link quality strategy
Upstream and downstream bandwidth estimate Config sys int Set estimated-upstream-bandwidth Set estimated-downstream-bandwidth
Bandwidth option for the quality criteria field in the best quality strategy SDWAN rule (3)
Upstream, downstream, or bidirectional Fortigate selects the link based on the available bandwidth in the incoming direction, outgoing direction, or both The estimated upstream and downstream bandwidth per member interface must be configured
How can you exclude a criteria from the customized profile quality criteria
Use 0 as the value
After the SDWAN network is configured on all devices by the SDWAN orchestrator what do you do
Use fortimanager to define and install firewall policies to the fortigate
What possible actions are there for the phase2 route-overlap setting (3)
Use-new - disconnect existing and accept new Use-old - keep existing and reject new one Allow - keep existing and accept new one. Traffic sessions that start from the central fortigate will be load balanced over both VPN with ECMP
What is Xauth
Used as additional authentication for IPSec tunnels. One side must provide credentials (username and password) in order to authenticate. It is known as phase 1.5 because it occurs after phase 1 and before phase 2
What is auto-discovery-receiver enabled
Used in ADVPN Configured on the spoke interface Indicates that the IPSec tunnel wants to participate in ADVPN and receive a SHORTCUT-OFFER
What is the max bandwidth option for shared shaper
Used to set the largest amount of traffic allowed using a policy where this shaper is enabled. If traffic goes above this limit fortigate will start dropping packets
What is this option for when configuring an SDWAN rule: Set mode <> What options can be enabled with it (5)
Used to set the outgoing interface strategy Auto -select based on quality of link Manual Priority - best quality SLA -lowest cost Load-balanced -maximize bandwidth
What is SDWAN usage monitor and three views
Used to view traffic distribution between the member interfaces based on bandwidth, volume, or sessions Bandwidth shows bandwidth utilization by each member interface Volume shows volume of traffic sent and received per member interface Sessions show number of sessions lasting through per member interface
What are SDWAN orchestrator shared resources
Useful for creating resources that are going to be used across all deployments Shared resource categories include: Intranet addresses Network SLA System Health threshold Resources such as DHCP servers/relays, DNS servers, SNMP hosts, NTP servers, fortiguard and email etc
Link quality measurements
Using Ping or HTTP echo fortigate can determine the latency Jitter, or packet loss percentage for each link and dynamically select links based on these measurements
How does SDWAN allow you to control application performance
Using rules and performance SLAs that route traffic based on quality type
How is effective WAn use achieved (3)
Using various load balancing algorithms such as bandwidth usage, sessions, or application aware routing
Fortimanager manager panes(5)
VPN SDWAN FortiAP Fortiswitch Fabric view
What is fortimanager VPN manager
VPN manager simplifies the administration of multiple VPNs. Allows you to install IPSec settings on multiple fortigates simultaneously
Max number of ADOMs on fortimanager
Varies by models
Measured volume based load balancing
Volume based Sessions are load balanced based on traffic volume in bytes. More traffic is sent to interfaces with higher volume ratios
Main motivator for deploying SDWAN
WAN use when using multiple WAN links
Wccp flag
Web caching
What is this option for when configuring an SDWAN rule: Set hold-down-time 0
When a backup member becomes primary it remains as primary for at least this time period regardless of changes in the quality of links
When is the only time the zero touch provisioning feature can be used(fortideploy)
When fortigate restarts after a factory reset or on new fortigate device provisioning
Why should you create an intranet IP pool that SDWAN orchestrator can use
When it creates the SDWAN network the orchestrator will use an IP pool to assign IP addresses to the devices in the LAN segment and automatically create address objects and address groups based on this assignment
When will an SDWAN member be dead
When it reaches the failure threshold
Describe the two tunnel-search setting: selectors for phase1 of a dial up vpn and when the tunnel-search setting applies
When net-device is disabled Fortigate learns about the remote networks behind each remote client depending on what tunnel-search is set to If set to selectors fortigate uses the destination subnets of the quick mode selectors to populate the routing table with information about the remote networks. In this scenario fortigate needs to use the tunnel indexes to route traffic to each remote network
When are SLA targets used
When referenced by a rule
Where would you specify the cost of an SDWAN interface when you want to use the lowest cost (SLA) strategy
When you add the interface as a member to the SDWAN virtual interface it gives you the option to select interface, specify gateway, specify cost, and enable or disable
What is the performance SLA link status for
Where you can set how often the system checks the link status to determine if it needs to transfer the traffic to another link
What is reverse direction shaping
Will shape any incoming traffic
How are SLA violations marked on the link quality performance SLA page
With red numbers
Is a member considered alive if it is failing the SLA target
Yes
Can different vdoms be assigned to different ADOMs on fortimanager if they belong to the same device
Yes if advanced mode is enabled
Do you need to specify an SLA for the best quality strategy and why
Yes you specify the SLA to be used but you don't use the SLA targets. Fortigate estimates the quality of each link based on either latency, jitter or packet loss percentage (you can specify the quality criteria)
Describe a scenario in which there would be multiple SLA targets for one performance SLA
You are located in a branch office and use a few different application that run on the same server headquarters. You could create on performance SLA that will perform the health check on that server but then have different SLA targets for the different applications.
SDWAN rules: lowest cost (SLA) strategy
You select an SLA target from a performance SLA. The selected SDWAN member (based on order from top down) must satisfy all the selected SLA targets to be considered as a selection for the outgoing interface
SDWAN rule strategy: manual
You specify the interface priority you want to send traffic out from. Traffic matching the rule criteria will go out the first available interface based on the interface preference. Does not depend on performance SLA or targets.
What do you get when you include fortideploy on your fortinet device order
You will receive a bulk deployment forticloud key tied to all support devices within that order so that you can enter the bulk key in forticloud for all devices instead of each individual one
What happens when SNAT-route-change is disabled and what happens when it is enabled
Disabled - After a routing change the sessions with SNAT keep using the same outbound interface as long as the old route is still active Enabled - routing information is flushed from existing SNAT sessions (flagged as dirty) so the existing sessions can use the new best route Route cache entries are removed Routing lookups are done again for the next packets RPF is done again
How does zero touch provisioning work on a fortigate without internet access or policies, etc
https://www.historiantech.com/zeroish-touch-provisioning-connect-to-fortimanager-via-the-dhcp-option/
SDWAN orchestrator shared resource categories (5)
include: Intranet addresses Network SLA System Health threshold
Diagnose sys virtual-wan-link member | service
information related to SDWAN rules shows interface preference, state, etc
What feature is essential for SDWAN (how to know if link is down)
link quality measurements
Formula for tunnels for a hub and spoke topology
n - 1
Another name for traffic shaping
qos
What is a security association
Security association is the establishment of shared security attributes between two network entities to support secure communication. Two types of SAs: IKE and IPsec
Local flag
session is to/from local stack
How are the link quality measurements used?
the values are used against the SLA criteria within the rules that are used to route traffic based on the link quality of each member
How to enable ADVPN shortcuts on OCVPN
"Auto discovery shortcuts" on the OCVPN GUI page
Six application identification methods
- ISDB - custom ISDB - FQDN - IP DSCP - Application control - custom application control
Three examples of when a routing change may occur
- when the order of the interfaces in the policy route changes - when an SDWAN member state changes - when there is a dynamic routing update
When should you use fortimanager in your network
-Large enterprises -Managed service providers