03-Network Address Translation (NAT)


[Firewall Session Diagnostics] Set the filter: 'diagnose sys session filter ?' 'dport — destination port' 'dst — destination IP address' 'policy — policy ID' 'sport — source port' 'src — source IP address'

CLI fun!!

[NAT and PAT] ___ is the process that enables a single device, such as a firewall or router, to act as an agent between the Internet, or public network, and a local, or private, network.

NAT

Is the firewall performance of Connections for each Session, and the maximum number of Connections, indicated by the Session Table (True/False)?

True

[Central DNAT and VIPs] Do you lose the granularity of being able to define a firewall policy for a specific VIP and services? No, you don't. If you have several WAN-to-internal policies and multiple VIPs, and you want to allow specific services for specific VIPs, can you define each firewall policy with the destination address of the mapped IP of the VIP, and select the appropriate services to allow or deny (True/False)?

True

[Central DNAT and VIPs] If both central SNAT and central DNAT (VIP) are configured, will the outgoing (internal-to-WAN) traffic source NAT to the DNAT or VIP address, based on the central SNAT and DNAT (VIP) configurations (True/False)?

True

[Central DNAT and VIPs] On FortiGate, can you configure VIPs for DNAT (True/False)? NOTE — As soon as a VIP is configured, FortiGate automatically creates a rule in the kernel to allow DNAT to occur. No additional configuration is required.

True

[Central NAT] By default, is central NAT disabled, and can it only be enabled on the CLI? After central NAT is enabled, are these two options available to configure on the GUI (True/False)?: • Central SNAT • DNAT & Virtual IPs

True

[Central NAT] Is central SNAT mandatory for the new policy-based NGFW mode (True/False)? NOTE — This means SNAT behaves only according to the NAT settings under Policy & Objects > Central SNAT settings.

True

[Central NAT] Should you remove VIP or IP pool references from existing firewall policies in order to enable central NAT (True/False)?

True

[Central SNAT] Can you have more granular control, based on source and destination interfaces in the central SNAT policy, over traffic passing through firewall policies (True/False)?

True

[Central SNAT] Can you now define matching criteria in the central SNAT policy based on the following (True/False)?: • Source interface • Destination interface • Source address • Destination address • Protocol • Source port

True

[Central SNAT] Similar to firewall policies, is a central SNAT policy processed from top to bottom, and if a match is found, are the source address and source port translated based on that central SNAT policy (True/False)?

True

[Configuration Nodes for NAT] Are Central NAT configurations done per virtual domain, which means SNAT and DNAT configurations automatically apply to multiple firewall policies (True/False)? NOTE — This is according to the SNAT and DNAT rules that you specify, as opposed to each firewall policy in firewall policy NAT.

True

[Configuration Nodes for NAT] As a best practice, when you use Central NAT, should you configure specific SNAT and DNAT rules, so that they match only the desired firewall policies in your configuration (True/False)?

True

[Configuration Nodes for NAT] Do both firewall policy NAT and central NAT produce the same results (True/False)? NOTE — However, some deployment scenarios are best suited to firewall policy NAT and some are best suited to central NAT.

True

[Configuration Nodes for NAT] Is Central NAT suggested for more complex scenarios where multiple NAT IP addresses have identical policies and security profiles, or in next generation firewall (NGFW) policy mode, where the appropriate policy may not be determined at the first packet (True/False)?

True

[Configuration Nodes for NAT] Is firewall policy NAT suggested for deployments that include relatively few NAT IP addresses and where each NAT IP address would have separate policies and security profiles (True/False)?

True

[Configuration Nodes for NAT] When you use firewall policy NAT mode, do you have to configure SNAT and DNAT for each firewall policy (True/False)?

True

[Disabling Central NAT] What happens to firewall policies that are using central SNAT and DNAT rules if central NAT is disabled? For new firewall sessions, will the incoming-to-outgoing firewall policies still work using the egress interface IP address (True/False)? NOTE — However, the incoming-to-outgoing firewall policies will not use the IP pool addresses, which were previously tied to the central SNAT policy. If you need to use the IP pool, you need to edit the firewall policy to use the IP pool.

True

[Disabling Central NAT] What happens to firewall policies that are using central SNAT and DNAT rules if central NAT is disabled? Will egress-to-ingress firewall policies that use DNAT and VIPs stop working because, in central NAT, the destination address in the firewall policy is simply an address object, not an actual VIP (True/False)? NOTE — Without the central-nat hook into the DNAT table, the address object will cause a forward policy check failure—the traffic will be denied by policy ID 0.

True

[Firewall Policy SNAT Using the Outgoing Interface] Can you select a fixed port, in which case the Source Port Translation is disabled (True/False)? NOTE — With a fixed port, if two or more connections require the same Source Port for a single IP address, only one connection can establish.

True

[Firewall Policy SNAT Using the Outgoing Interface] Does the Source NAT option use the egress interface address when NAT is enabled on the firewall policy (True/False)? NOTE — This is many-to-one NAT.

True

[Firewall Policy SNAT Using the Outgoing Interface] When using the Source NAT option, is PAT used, and are connections tracked using the original source address and source port combinations, as well as the allocated source port (True/False)? NOTE — This is the same behavior as the overload IP pool type.

True

[Firewall Policy SNAT] There are two ways to configure firewall policy source NAT: • Can you use a dynamic IP pool (True/False)?

True

[Firewall Policy SNAT] There are two ways to configure firewall policy source NAT: • Can you use the outgoing interface address (True/False)?

True

[Firewall Session Diagnostics] Does the diagnose sys session command tree provide options to filter, clear, or show the list of sessions (True/False)? You can also list brief information about sessions by running the 'get system session list' command.

True

[ICMP and UDP Protocol States] UDP is a message-oriented, stateless protocol; it doesn't inherently require confirmed bidirectional connections like TCP does, so there is no connection state. However, does FortiGate's session table use the proto_state= field to track unidirectional UDP as state 0 and bidirectional UDP as state 1 (True/False)?

True

[ICMP and UDP Protocol States] Does ICMP, such as ping and traceroute, have no protocol state and always show proto_state=00 (True/False)?

True

[IP Pool Type: Fixed Port Range] Does the fixed port range IP pool type associate internal IP address ranges with external IP address ranges, and disable PAT (True/False)? NOTE — It allows fixed mapping of the Internal start IP or Internal end IP range to the External start IP or External end IP range.

True

[IP Pool Type: One-to-One] In the one-to-one pool type, is an internal IP address mapped to an external address on a first-come, first-served basis (True/False)?

True

[IP Pool Type: One-to-One] Is there a single mapping of an Internal Address to an External Address (True/False)? Mappings are not fixed and, if there are no more addresses available, a connection will be refused. NOTE — Also, in one-to-one, PAT is not required.

True

[IP Pool Type: Overload] Is the default IP pool type Overload (True/False)? NOTE — In the Overload IP pool type, a many-to-one or many-to-few relationship and port translation is used.

True

[IP Pool Type: Port Block Allocation] Will the port block allocation type limit a client to a set number of connections for that IP pool (True/False)? NOTE — Other users will not be impacted by the rogue client.

True

[IP Pools] Are IP pools usually configured in the same range as the Interface IP address (True/False)?

True

[IP Pools] IP pools are a mechanism that allows sessions leaving the FortiGate firewall to use NAT. Does an IP pool define a single IP address or a range of IP addresses to be used as the source address for the duration of the session (True/False)? NOTE — These assigned addresses will be used instead of the IP address assigned to that FortiGate interface.

True

[Matching Policies — VIP] By default, do firewall address objects not match VIPs (True/False)? In the example shown on this slide, the ALL address object as the destination in the first policy does not include any VIPs, so traffic destined to the web server VIP will skip the first policy and match the second policy, Allow_access. In order for the first policy to match the VIP, you need to either: - edit the policy on the CLI and 'set match-vip enable', which allows address objects to match the VIP address, or - change the destination address of the first policy to the VIP in question.

True

[Matching Policies — VIP] In FortiOS, are VIPs and firewall address objects completely different, so they are stored separately with no overlap (True/False)?

True

[Monitoring NAT Sessions with Diagnose Commands] Can you use the 'diagnose firewall ippool-all list' command, which lists all of the configured NAT IP pools with their NAT IP range and type (True/False)?

True

[Monitoring NAT Sessions with Diagnose Commands] Does the 'diagnose firewall ippool-all stats' show the stats for all of the IP pools (True/False)?

True

[Monitoring NAT Sessions with Diagnose Commands] Does the stats command, 'diagnose firewall ippool-all stats', provide the following data and information (True/False)?: • NAT sessions per IP pool • Total TCP sessions per IP pool • Total UDP sessions per IP pool • Total others (non-tcp and non-udp) sessions per IP pool

True

[Monitoring NAT Sessions with Diagnose Commands] Optionally, can you filter the output for a specific IP pool by using the name of the IP pool (True/False)?

True

[NAT Implementation Best Practices] • Avoid the misconfiguration of an IP pool range: • If you have internal and external users accessing the same servers, should you use split DNS to offer an internal IP to internal users so that they don't have to use the external-facing VIP (True/False)?

True

[NAT Implementation Best Practices] • Avoid the misconfiguration of an IP pool range: • Should you double-check the start and end IPs of each IP pool (True/False)?

True

[NAT Implementation Best Practices] • Avoid the misconfiguration of an IP pool range: • Should you ensure that the IP pool does not overlap with addresses assigned to FortiGate interfaces or to any hosts on directly connected networks (True/False)?

True

[NAT Implementation Best Practices] • Should you avoid configuring a NAT rule for inbound traffic unless it is required by an application (True/False)? NOTE — If, for example, there is a matching NAT rule for inbound SMTP traffic, the SMTP server might act as an open relay.

True

[NAT Port Exhaustion] NAT port exhaustion occurs when there is so much traffic traversing the border and being translated, that all ports are being used. When NAT port exhaustion occurs, does FortiGate inform the administrator by displaying the log shown on this slide, with a severity of critical (True/False)?

True

[NAT Port Exhaustion] To address NAT port exhaustion, you need to take one of the following actions: • Should you create an IP pool that has more than one external IP tied to it (so it load balances across them) (True/False)?

True

[NAT Port Exhaustion] To address NAT port exhaustion, you need to take one of the following actions: • Should you reduce the traffic traversing the border (True/False)?

True

[NAT and PAT] Are NAT64 and NAT46 the terms used to refer to the mechanism that allows IPv6 addressed hosts to communicate with IPv4 addressed hosts and the reverse (True/False)? NOTE — Without this mechanism, an IPv6 node on a network, such as a corporate LAN, would not be able to communicate with a website that was in an IPv4-only environment, and IPv4 environments would not be able to connect to IPv6 networks.

True

[NAT and PAT] Do NAT and PAT, also known as NAPT, translate internal, typically private, IP addresses to external, typically public or Internet, IP addresses (True/False)? NOTE — In FortiOS, NAT and traffic forwarding apply to the same firewall policy. However, diagnostics clearly show NAT and forwarding as separate actions.

True

[NAT and PAT] Is NAT66 NAT between two IPv6 networks (True/False)?

True

[NAT and PAT] NAT is usually implemented for one, or a combination, of the following reasons: • Amplification of addresses: Can hundreds of computers use as few as one public IP address (True/False)?

True

[NAT and PAT] NAT is usually implemented for one, or a combination, of the following reasons: • Improved security: Are the addresses behind the NAT device virtually hidden (True/False)?

True

[NAT and PAT] NAT is usually implemented for one, or a combination, of the following reasons: • Internal address stability: Can the addresses stay the same, even if Internet service providers (ISPs) change (True/False)?

True

[NAT and PAT] • For incoming connections: Can virtual IPs (VIPs) and DNAT be used, and are they known as destination NAT (True/False)?

True

[NAT and PAT] • For outgoing connections: Can the NAT option in a central SNAT, an IP pool, and the central SNAT table be used, and are they known as source NAT (True/False)?

True

[Session Helpers] A good example of this is an application that has both a control channel and a data or media channel, such as FTP. Will firewalls typically allow the control channel and rely on the session helpers to handle the dynamic data or media transmission connections (True/False)?

True

[Session Helpers] Some application layer protocols are not fully independent of the lower layers, such as the network or transport layers. Can the addresses be repeated in the application layer (True/False)? — for example: If the session helper detects a pattern like this, it may change the application headers or create the required secondary connections.

True

[Session Helpers] When more advanced application tracking and control is required, can an Application Layer Gateway (ALG) be used (True/False)? The VoIP profile is an example of an ALG.

True

[Session Table] Accepted IP sessions are tracked in the kernel's session table, but can this be affected by hardware acceleration (True/False)? NOTE — However, if your FortiGate contains FortiASIC NP chips designed to accelerate processing without loading the CPU, the session table information may not be completely accurate, because the session table reflects only what is known to, and processed by, the CPU.

True

[Session Time To Live (TTL)] Because the session table has a finite amount of RAM that it can use on FortiGate, can adjusting the session TTL improve performance (True/False)? NOTE — There are global default timers, session state timers, and timers configurable in firewall objects.

True

[Session Time To Live (TTL)] Can each session on FortiGate idle for a finite time, which is defined by time to live (TTL) (True/False)? NOTE — When the FortiGate detects the session is idle after some time of inactivity, and TTL is reached, the session is deleted from the session table.

True

[VIP filters for Central NAT] Are VIPs with different Services considered non-overlapping (True/False)?

True

[VIP filters for Central NAT] The Services option has been added to VIP objects. When services and portforward are configured, only a single mapped port can be configured. However, can multiple external ports be mapped to that single internal port (True/False)? NOTE — This configuration was made possible to allow for complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT, and not requiring numerous VIPs to be bundled into VIP groups.

True

[Virtual IPs (VIPs)] Are VIPs DNAT objects (True/False)? For sessions matching a VIP, the Destination Address is translated: usually a public Internet address is translated to a server's private network address. VIPs are selected in the firewall policy's Destination field.

True

[Virtual IPs (VIPs)] Can the static NAT VIP be restricted to forward only certain ports (True/False)? NOTE — For example, connections to the external IP on port 8080 map to the internal IP on port 80.

True

[Virtual IPs (VIPs)] Is the default VIP type static NAT (True/False)? This is a one-to-one mapping, which applies to incoming and outgoing connections; that is, an outgoing policy with NAT enabled would use the VIP address instead of the egress interface address. However, this behavior can be overridden using an IP pool.

True

[Virtual IPs (VIPs)] On the CLI, can you select the NAT type as load-balance and server-load-balance (True/False)? - Plain load balancing distributes connections from an external IP address to multiple internal addresses. - Server load balancing builds on that mechanism, using a virtual server and real servers, and provides session persistence and server availability check mechanisms.

True

[Virtual IPs (VIPs)] Should VIPs be routable to the external facing (ingress) interface (True/False)? NOTE — FortiOS responds to ARP requests for VIP and IP pool objects. ARP responses are configurable.

True

The session table stores the following information about the session: -The source and destination _________, port number pairs, state, and timeout -The source and destination _____faces -The source and destination ___ actions

addresses interfaces NAT

[IP Pools] There are four types of IP pools that can be configured on the FortiGate firewall: • Over____ • ___-to-one • Fixed ____ range • ____ block allocation

load One port Port
