Fortinet NSE 4 6.2 infrastructure


What is the default priority for static routes

0

Distance values: 0 5 10 20 200 110 120

0 - directly connected
5 - DHCP gateway
10 - static
20 - external BGP (EBGP)
200 - internal BGP (IBGP)
110 - OSPF routes
120 - RIP

Phase 1 ISAKMP TUNNEL

1. Authenticate peers: pre-shared key, digital signature, XAUTH
2. Negotiation of SA in main mode or aggressive mode: hashing, authentication, DH group, lifetime, encryption
3. DH key exchange: the negotiated SAs choose the group (both peers end up with a shared key)

Explain the steps in active active HA proxy based inspection TCP handshake

1. Client sends SYN to the primary FortiGate's virtual MAC
2. Primary's physical MAC forwards the SYN to the secondary's physical MAC
3. Secondary sends a SYN/ACK to the client from its physical MAC port and sends a SYN to the server from its physical MAC port
4. Client sends ACK to the primary FortiGate's virtual MAC
5. Primary forwards the ACK to the secondary's physical MAC from its own physical MAC port
6. Server sends a SYN/ACK to the primary's virtual MAC
7. Primary forwards the SYN/ACK to the secondary using both of their physical MAC ports
8. Secondary sends the server an ACK from its physical MAC port

How to configure a transparent web proxy

1. Create regular firewall policies to match traffic
2. Enable http-policy-redirect on the matching firewall policy:
config firewall policy
edit <firewall policy number>
set inspection-mode proxy
set http-policy-redirect enable
next
end
3. Create proxy policies to allow, deny, or inspect traffic

How to configure explicit web proxy

1. Enable the explicit web proxy and indicate which interfaces the proxy will listen on
2. Create proxy policies to allow, deny, or inspect traffic
3. Configure each client's browser to connect through the proxy

NTLM authentication process

1. User attempts to browse the internet
2. FortiGate requests credentials (user/pass)
3. User's browser sends credentials to FortiGate
4. FortiGate verifies group membership with the collector agent
5. Access is granted

Multiple domain NTLM authentication process for domains not in a forest

1. User logs on to the DC
2. DC sends the login to the collector agent
3. User accesses the internet
4. FortiGate contacts the collector for the login
5. Access granted

Process of session based authentication with a web proxy

1. User starts a session with the web browser
2. Web browser starts a session with the web proxy
3. Web proxy requests authentication from the browser
4. Web browser prompts the user for authentication
5. User enters credentials
6. Web browser stores the authentication and sends it to the web proxy
The next time the user starts a session, the web browser automatically sends the credentials to the proxy

What is the distance value for the route: 10.200.2.0/24 [110/2] via 10.200.2.254 [25,0]

110

If there are FSSO issues what ports should you check are open

139 445 8000 389 636

How many member interfaces need to be added in SD-wan configuration

2

How many firewall policies and static routes are usually needed per VPN tunnel

2 policies and 2 static routes

How many vpn tunnels would you need to configure for a company with 5 fortigates and full mesh

20 total, 4 per fortigate

When verifying SDWAN traffic routing with the CLI packet capture tool which verbosity level should you use

4 (shows interface name and ip headers)

Which CLI packet capture verbosity level prints interface names

4, 5, 6

What type of ports cannot be used as the heartbeat interface

802.3 aggregate
Switch port
VPN interfaces
VLAN sub-interfaces

What is collector agent based polling mode in FSSO

A collector agent must be installed on a Windows server
No FSSO DC agent required
Every few seconds the collector agent polls each DC for user login events
Less complex

Static Route

A manually-configured routing entry that tells the router "when you see a packet whose destination is within a specific range, send it through a specific interface"

What is SSO/FSSO

A process that allows identified users to access multiple applications without having to re-authenticate. It is used with directory services like WINDOWS AD or Novell

Define web proxy authentication scheme

A scheme defines which authentication method and user database to use in an authentication rule

What is ipsec

A set of protocols used to join two LANs over a virtual private network and encrypt the traffic. It provides authentication, data integrity, and data confidentiality. It is composed of IKE and ESP or AH.

What are the two HA modes

Active-passive
Active-active

Why does the collector need to query the DNS server for Microsoft AD

AD uses workstation names, so the collector queries the DNS server to resolve an IP

What is the distance routing attribute

Administrative distance ranks routes from most preferred (low value) to least preferred (high value). If multiple routes for the same destination exist, the one with the lowest distance is installed in the routing table

Incremental synchronization

After HA negotiation is complete, if an admin makes a small change on the primary, such as a policy addition, only the policy change is sent to the secondary FortiGate, not the whole configuration

Which FSSO mode requires more fortigate system resources

Agentless

The command diagnose debug fsso-polling detail displays information for which mode of FSSO

Agentless polling

What kind of interfaces does SD wan support in configuring

Aggregate, VLAN, and IPsec

Which IKEV1 mode is faster

Aggressive

Which IPSEC protocol is not supported by fortigate: AH IPSECV2

AH

What is the default STP mode for fortigate

All functions disabled

What interfaces are assigned virtual Mac addresses on the HA primary fortigate

All interfaces besides the heartbeat and the management interface

What is internet service routing

An Internet service database (ISDB) entry that is applied as a static route so you could route all Netflix traffic through wan1 and all Dropbox traffic through wan2

Which type of administrator can make changes to all vdoms

An admin with super_admin profile

What is a virtual cluster and how many fortigates can be used

An extension of FGCP for FortiGates with multiple VDOMs. Only 2 FortiGates can be in the cluster. Each FortiGate can act as the primary for one VDOM and the secondary for other VDOMs. Each VDOM still gets a primary and a secondary.

What interfaces can be used for the heartbeat

Any besides switch port

What does the VDOM confirmation prompt do and how to enable it in CLI

Asks the user to confirm whether they want to make the VDOM
config system global
set edit-vdom-prompt enable
end

How many heart beat interfaces are recommended

At least one, but two per FortiGate are recommended (3 FortiGates would need 6)

How many firewall tunnels are required for IPSEC VPN

At least one for the tunnel to come up

What is a requirement for creating an inter Vdom link between two VDOMS. (Has to do with operating mode)

At least one VDOM must be in NAT mode

What is included in the configuration of an authentication scheme: Authentication method or Source IP

Authentication method

What is an authentication rule

Authentication rules define which scheme to use for active and passive SSO depending on the user IP address and protocol

ADVPN

Auto-discovery VPN
Dynamically negotiates VPNs between spokes
Requires a dynamic routing protocol running over the tunnel so FortiGates can learn about paths through the other spokes
Provides the benefit of a full mesh topology over a hub-and-spoke or partial mesh topology

What command will be enabled on the hubs phase 1 vpn connected to another hub for ADVPN

set auto-discovery-forwarder enable

What command will be enabled on the spokes phase 1 vpn connected to the hub for ADVPN

set auto-discovery-receiver enable

What command will be enabled on the hub or hubs' phase 1 VPN connected to the spoke or spokes for ADVPN

set auto-discovery-sender enable

Authentication scheme methods

Basic, Digest, NTLM, Form, Negotiate, FSSO, RSSO, SSH public key, 2FA

Phase 2 IPSEC TUNNEL

Builds the user data tunnel inside the ISAKMP tunnel
One mode: quick mode
Negotiation of two SAs for ESP:
- Encapsulation mode (transport or tunnel)
- Authentication
- Lifetime
- DH for second key exchange (optional)

What is a proxy with a web cache

Caches the website that is requested once the server sends the web response back to the proxy. Because the website is cached, subsequent requests for it can be served directly to the client.
Saves bandwidth
Reduces server load
Faster response to the client

What is multi vdom

Can create multiple VDOMs that act as independent units

Software switch

Can group multiple interfaces (physical and wireless) into a single virtual switch that acts like a traditional layer 2 switch; all the interfaces are part of one broadcast domain and share the same IP

diagnose debug authd fsso server-status

Checks connectivity between the collector agent and the FortiGate

How can you verify the FWs in a cluster have synchronized

Check the checksums in the GUI or CLI

diagnose sys ha checksum cluster

Shows the checksum for each member; each checksum must match exactly

How does a FortiGate in an HA cluster know if the configuration of the secondary matches its own

Checks the configuration checksum

What is an explicit proxy

The client must be configured to use the explicit proxy. The client sends the request to the proxy's IP and port. The proxy listens for packets sent to it

CLI command to enable web cache

config firewall proxy-policy
edit <proxy_policy_number>
set webcache enable
next
end

How to access global and per-VDOM settings in the CLI

config global
config vdom
edit <vdom name>

CLI command to enable VDOM

config system global
set vdom-mode [no-vdom | split-vdom | multi-vdom]

Commands to configure ECMP

config system settings
set v4-ecmp-mode [source-ip-based | weight-based | usage-based | source-dest-ip-based]
end
If weight-based:
config system interface
edit <interface name>
set weight <0 to 255>
end
OR
config router static
edit <id>
set weight <0 to 255>
end
If spillover (usage-based):
config system interface
edit <interface name>
set spillover-threshold <0 to 16776000>
end

How can an admin configure fortigate to have four interfaces in the same broadcast domain

Configure the operation mode as transparent and use the same domain ID

What is the default criteria (override disabled) for selecting HA primary device in an HA cluster

1. Connected monitored ports
2. HA uptime
3. Priority
4. Serial number

What is the OSPF metric

Cost (cumulative bandwidth)

What is the recommended mode for FSSO

DC agent mode

Which FSSO mode is more complex

DC agent mode

Which is a WPAD method: LDAP query or DHCP query

DHCP

What are the two WPAD discovery modes

DHCP query - the browser sends a DHCPINFORM query to the DHCP server to get the URL
DNS query - the browser resolves the name wpad.<local-domain> to get the IP address of the server hosting the PAC file

FSSO requires that you have your own _____ server

DNS

When a collector agent receives a logon event, it will query a _____ to resolve the IP address of the workstation

DNS server

Which feature should be enabled in a redundant IPSEC VPN deployment

DPD

What is the recommended mode for FSSO deployments

DC agent mode (dcagent.dll)

What is the most common static route on all routers to forward internet traffic

Default route to 0.0.0.0/0

Multi step command to enable debug flow

1. Define a filter: diagnose debug flow filter <filter>
2. Enable debug output: diagnose debug enable
3. Start the trace: diagnose debug flow trace start <number of packets>
4. Stop the trace: diagnose debug flow trace stop

What are the two groups of proxy address types

Destination address
Source address

What must routes have in common to be considered for ECMP

Destination subnet
Distance
Metric
Priority

Types of HA protection failovers

Device, link, and session

CLI command to debug FSSO list

diagnose debug authd fsso list

CLI command to check connectivity between collector agent and fortigate

diagnose debug enable
diagnose debug authd fsso server-status

CLI command to display policy routes

diagnose firewall proute list

CLI command to list MAC address table in a VDOM operating in transparent mode

diagnose netlink brctl name host <vdom name>

CLI command to check HA cluster configuration synchronization

diagnose sys ha checksum

CLI command to check status of HA

diagnose sys ha status

CLI command to list the processes that use the most CPU or memory

diagnose sys top

Which type of VPN peer can't initiate a VPN tunnel

Dial-up server

diagnose sys ha status

Displays:
- heartbeat traffic stats
- serial number
- HA priority of each member

diagnose debug fsso-polling detail

Displays status info related to the polls done by the FortiGate to each DC in agentless polling mode

When using link health monitoring which route attribute must also be configured to achieve route failover protection

Distance

What does the primary fortigate do in active-active HA

Distributes specific traffic among the other cluster members

What does windows AD use to enable FSSO

Domain controller agent mode
Polling mode (collector agent based)

What is link quality management for SD-WAN

Dynamic link selection based on the quality of a link

How do switches know which frame belongs to which VLAN

Each frame has a VLAN tag, a 4-byte extension (tag control info)

CLI command to split a VDOM into separate broadcast domains

config system interface
edit <interface name>
set forward-domain <domain id>
end

What is the first thing you need to do before configuring IPv6 policies

Enable it in System > Feature Visibility

How do you get ESP to work with NAT

Enable NAT traversal; ESP and IKE will then use UDP port 4500

ESP

Encapsulating Security Payload is used for encryption and authentication in the phase 2 IPsec tunnel

Tips for troubleshooting FSSO

Ensure the correct firewall ports are open
Guarantee at least 64 kbps between the FortiGate and the DC
Flush inactive sessions
Ensure DNS is configured and updating IP addresses
Never set the workstation verify timer to 0
Include all FSSO groups in the firewall policies

ECMP

Equal cost multi-path allows multiple routes of the same type (static, OSPF, BGP) that have the same attributes to all be installed in the routing table, so the FortiGate can distribute traffic across all of them simultaneously

What can fortigate use to record HA failover events

Event logs
SNMP traps
Email alerts

What are the tasks of the primary fortigate in active-passive

Exchanges hello packets with the secondary
Synchronizes its routing table, DHCP info, and configuration to the secondary
Syncs some traffic sessions to the secondary

Using the primary HA firewall's CLI, what command lets you switch to the secondary's CLI

execute ha manage <ha device index> <admin username>

CLI command to list the index numbers for each FortiGate in the cluster

execute ha manage ?

Advantages of a web proxy

Extra layer of security
Can filter out traffic on ports 80 and 443 that is not HTTP/HTTPS
For an explicit web proxy, only the web proxy address needs to be allowed to browse the internet

What protocol is used in HA

FGCP, the FortiGate Clustering Protocol

What connector is used for collector agent based polling or DC agent mode

FSSO agent on Windows AD

True or false a static route is needed for a directly connected network

False

True or false: a VDOM can only have one admin

False

True or false: static routes are needed for directly connected networks

False

True or false: you can create more VDOMs in split VDOM mode

False

True or false: ESP can support NAT

False, ESP does not have port numbers

What is a configuration requirement for an IPsec tunnel to come up: Firewall policy accepting traffic on the IPsec tunnel or A route for IPsec traffic

Firewall policy accepting traffic on the IPsec tunnel

diagnose debug fsso-polling refresh-user

Flushes info about all active FSSO users. They need to log in again to become available

What is IPsec hardware offloading

On FortiGate models with special encryption processors, you can offload the encryption part of IPsec to that processor

What is a remote access VPN

The FortiGate is configured as a dial-up server and users running FortiClient initiate the VPN tunnel

What are phase 2 selectors and do you have to use them

FortiGate lets you pick an IPv4 address object, protocol, or port that decides which traffic needs to be protected in the tunnel. All other traffic is dropped if it doesn't match the selectors.
No, you don't have to use them. Set the local and remote address to 0.0.0.0/0, then use firewall policies for more granular control

What happens for policy routes set to the action "stop policy routing"

The FortiGate bypasses policy routing and uses the regular routing table

What happens for policy routes set to the action forward traffic

The FortiGate bypasses the routing table and forwards based on the policy route

What is the expected behavior when the stop policy routing action is used in a policy route

The FortiGate routes the traffic based on the regular routing table

The heartbeat interface IP address 169.254.0.1 is assigned to which FortiGate in an HA cluster

The FortiGate with the highest serial number

What traffic is always generated from the management VDOM: Link health monitor or FortiGuard

FortiGuard

What fabric connector do you pick for DC agent mode and collector agent based polling

Fortinet SSO agent

If you have collector agents using either DC agent mode or collector agent based polling mode, which fabric connector should you select on the FortiGate

Fortinet single sign on agent

When are FSSO logs generated

From user logon/logoff events

Which VPN topology is the most fault tolerant

Full mesh

Which CLI command can be used to diagnose a physical layer problem

get hardware nic

CLI command to get interface information

get hardware nic <interface_name>

CLI command to display active routes

get router info routing-table all

CLI command to display all active, standby, and inactive routes

get router info routing-table database

Which CLI command can you use to view standby and inactive routes

get router info routing-table database

Which CLI command can be used to determine the MAC address of the FortiGate's default gateway

get system arp

CLI command to see ARP table

get system arp
Lists the IP address and MAC of external devices connected to the same LAN segments as the FortiGate

Command to check IPsec VPN tunnel phase 1 status

get vpn ike gateway [vpn name]

What settings are not synchronized between HA pairs

HA override
HA device priority
HA virtual cluster priority
Hostname
Ping server priorities
Licenses
Cache
HA management interface settings

What are source address options for proxy address types

HTTP method
User agent
HTTP header

What device hosts the PAC file

An HTTP server, or the FortiGate itself can host it

What is the RIP metric

Hop count

What protocols are supported for authentication between the browser and the FortiGate

HTTP, FTP, SSH, SOCKS5

Three VPN topologies

Hub-and-spoke
Partial mesh
Full mesh
Site-to-site

IP-based authentication in web proxy

Sessions from the same source IP are treated as a single user. Not recommended if multiple users are behind NAT; in that case use session-based authentication

Which two firewall address object types can be used as a destination in one or more static routes and how do you enable this option

IP/Netmask or FQDN. Under Policy & Objects > Addresses, enable "Static route configuration". After it is enabled you can use any created firewall address object of those two types in a static route

Which of the following objects can be used to create static routes: ISDB objects or service objects

ISDB objects

When would you use a link health monitor instead of ECMP

If ECMP is too expensive, such as when one ISP charges based on bandwidth usage, or if the remote router supports ECMP

How is a link failover in an HA cluster detected

If a monitored interface fails based on the specified criteria, the cluster can re-elect a primary

What does wildcard VLAN enable for a virtual wire pair

If enabled, traffic for the pair also applies to the VLANs (if disabled, any tagged traffic is denied)

Where do you configure proxy settings on a host

In the web browser, so it sends HTTP requests to the proxy

How does the web proxy enforce authorization

In the source portion of a firewall policy

What routes aren't displayed in the GUI routing table

Inactive and standby routes

What information is displayed in the output of the debug flow

Incoming interface and matching firewall policy

How is traffic handled in a virtual wire pair

Incoming traffic on one interface is always forwarded out through the other interface

Which logging level shows the login events on the collector agent: Information or Warning

Information

When does the primary FortiGate in an HA cluster sync its configuration

Initially and every admin change

How can VDOMs communicate with each other

Inter-VDOM links

How can VDOMs connect to each other

An inter-VDOM link that connects the VDOMs. The traffic leaves the VDOM, enters the inter-VDOM link, and then goes to the designated VDOM

You attempt to configure SD-WAN interfaces but it is not working. What is the most common cause

Interfaces are referenced in a route or policy

IKE

Internet Key Exchange. Used with IPsec to create a secure channel over UDP port 500 (or 4500 when NAT traversal is enabled) for a VPN tunnel. It negotiates the tunnel's private keys, authentication, and encryption. It defines two phases: 1 and 2.

Which one of the following session types can be synchronized in an HA cluster: SSL VPN | IPsec VPN

IPsec

Why is asymmetric routing discouraged on FortiGate

It disables the FortiGate's stateful inspection features; antivirus and IPS will not be effective because the FortiGate cannot keep track of sessions (stateless inspection can't retain packet info)

Which statement about a FortiGate operating in transparent mode is true: It has a management IP or Each interface has an IP

It has a management IP

What is NTLM authentication and when is it used

It is a session-based authentication used when the collector and DC can't communicate, or when the user is logged in to a DC without a collector. The FortiGate initiates the NTLM negotiation with the client's browser if the user is not an active FSSO member

What is the purpose of the link health monitor setting "update-static-route"

It removes all static routes associated with the link health monitor's interface in the event of a failure

What does autokey keepalive do when configuring IPsec phase 2

Keeps the tunnel alive

What protocol does fortigate use to poll AD

LDAP

What protocol does fortigate use to poll the AD in agentless polling mode

LDAP

Which link attribute is used in SD-WAN link quality measurements: latency or cost

Latency

You can configure SD-WAN rules to choose the egress interface based on which parameter: Weight or Latency

Latency

What does the SLA link status feature do

Lets you specify thresholds that tell the SD-WAN virtual interface when to drop certain routes and change links

What is not synchronized in an HA cluster

Licenses
Cache
Priority
Hostname
Override
Management interface settings
DGD settings

diagnose vpn tunnel list

Lists the VPN tunnels and their properties, and shows the hardware acceleration codes

How do you enable the feature that lets you view the egress interface for traffic that leaves the FortiGate

Log & Report > Forward Traffic, then enable the Destination Interface column

VLAN

Logical segmentation of a layer 2 network into smaller broadcast domains. VLANs are identified by their VLAN IDs

Virtual wire pair

Logically links two physical interfaces. The two ports are bound so that all traffic arriving at one port is forwarded to the other port (usually one internal and one external); traffic is only allowed between the pair

What does the packet sniffer help do

Look inside the headers of packets
Indicates what traffic is entering or leaving the ingress and egress interfaces

What is the default RPF check method on fortigate

Loose

Two RPF modes

Loose and strict

Main vs aggressive mode for the phase 1 tunnel in IPsec

Main:
- More secure because the pre-shared key hash (identification) is encrypted
- 6 packets sent
- Used for site-to-site
Aggressive:
- Not as secure because the pre-shared key hash is not encrypted (an attacker would still need to guess the hash)
- Faster negotiation (3 packets)
- Used for dial-up

What are the four SD-WAN strategies for selecting outgoing interfaces

Manual (interfaces manually selected)
Best quality (interface with the best performance)
Lowest cost (SLA) (link that best matches the SLA rules you created)
Maximize bandwidth (traffic load balanced across the selected members if they meet the SLA requirements)

diagnose sys ha reset-uptime

Manually forces a failover

execute fsso refresh

Manually refreshes user group information from any directory service servers connected to the FortiGate through the collector agent

RPF

A mechanism that protects against IP spoofing attacks by checking for an active route back to the source IP through the incoming interface

Which attribute does the FortiGate use to determine the best route for a packet if it matches multiple dynamic routes that have the same distance

Metric

Most IPsec tunnel problems are caused by _______

Mismatched configurations on the peers

How do you access the routing table and policy routes in the GUI

Monitor > Routing Monitor

What does the secondary FortiGate do in active-passive

Monitors the primary for signs of failure using hello packets or port monitoring

What is a policy based route

More granular/flexible routes that can forward packets based on destination IP, source IP, protocol, source/destination ports, and type of service (ToS). They take precedence over the routing table

Advantage of using web proxy

More security because you can filter any traffic on ports 80/443, and only the web proxy IP needs to be able to browse the internet (for explicit proxy, so fewer firewall policies). Reduces bandwidth and improves speed

What mode does software switch work in

NAT

NAT mode vs Transparent

NAT = layer 3 router
Transparent = layer 2 switch

What are the three collector agent based polling mode options

NetAPI, WinSecLog, WMI

What does a FortiGate need to be able to do inter-VDOM link acceleration

NP4 or NP6 processor

What mode must a FortiGate VDOM be operating in to route traffic between VLANs

NAT

Which type of inter-VDOM link requires that both sides of the link be assigned an IP address within the same subnet

NAT-to-NAT

Two FortiGate operation modes

NAT operates as a layer 3 router and interfaces have IPs
Transparent forwards according to layer 2 MAC addresses as a transparent bridge. Interfaces don't have IPs (besides the management IP) and it has a MAC address table

What are the route attributes

Network
Gateway IP
Interface
Distance
Metric
Priority

How do you create a VLAN in the GUI

Network > Interfaces > Create New > Interface

How do you create a VDOM in the GUI

Network > Interfaces > Create New > VDOM

How to create a virtual wire pair

Network > Interfaces > Create New > Virtual Wire Pair

Do heartbeat interfaces get virtual MAC addresses

No

Does the command diagnose sys ha reset-uptime change the uptime shown on the FortiGate dashboard

No, it just resets the time internally

If the SD-WAN virtual interface is configured, do you configure policies for the member interfaces?

No, just for the virtual interface, but a default route is required

Do the IPs of the heartbeat interfaces change during failover?

No, they remain the same IPs negotiated during cluster setup

By default, does FortiGate support STP?

No. It can be enabled, but it is only supported on select models with physical switch interfaces

What is the whole point of active-active HA

Not to load balance but to share CPU and resources

diagnose vpn tunnel list IPsec hardware acceleration codes

npu_flag=00: ingress and egress ESP packets are not offloaded
npu_flag=01: egress packets can be offloaded
npu_flag=02: only ingress packets can be offloaded
npu_flag=03: both ingress and egress ESP packets can be offloaded
npu_flag=20: encryption algorithm not supported for offloading

How many SD-WAN interfaces can be on a FortiGate

One per VDOM

Which settings are configured per VDOM

Operating mode (NAT or Transparent)
NGFW mode (policy-based or profile-based)
Routes and network interfaces
Firewall policies
Security policies

What tool is built into the FortiGate to debug and verify the ingress and egress interfaces of packets passing through the firewall, and what is the CLI command

Packet capture/sniffer
diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <timestamp> <frame size>

What is asymmetric routing

Packets from the same session may flow through different routes

Describe redundant VPNs

Partially redundant - one peer has two connections and the other has one, so if one VPN goes down on the peer with two tunnels, traffic can still be routed back
Fully redundant - both peers have two connections

In FSSO, the FortiGate allows network access based on _________: Active user authentication with user name and password, or Passive user identification by user ID, IP address, and group membership

Passive user identification by user ID, IP address, and group membership

How is weight-based ECMP configured

Per interface or per route

When the remote gateway is set to dial-up user, a static route to the remote network is added to the routing table after ________: Phase 1 comes up, or Phase 2 comes up

Phase 1 comes up

On which phase do you configure the algorithms used for traffic encryption

Phase 2

The IPsec monitor widget on the GUI shows the status for _____

Phase 2

What protocols are used for probing servers in a link health monitor

Ping, HTTP, TCP echo, UDP echo, TWAMP, DNS

What are some tools for troubleshooting VDOM configurations

Ping
Traceroute
Packet sniffing
Debugging packet flow

How do you access the ISDB

Policy & Objects > Internet Service Database

Which IPsec VPN type is legacy and not recommended for new deployments

Policy-based

If the FortiGate is polling the DC, as in agentless polling, what do you select under Security Fabric > External Connectors

Poll Active Directory Server

Which fabric connector do you use for agentless polling

Poll Active Directory Server

Which working mode is used for monitoring user sign-on activity in Windows AD

Polling mode (collector agent based or agentless)

What are monitored ports on the FortiGate

Ports operating as network interfaces processing high priority traffic

An HA failover occurs when the link status of a monitored interface on the ______ goes down

Primary FortiGate

What is the workload distribution on an active-active HA cluster

The primary receives all traffic and redirects some of it to the secondary depending on factors such as weight, policies, addresses, etc.

What is level 4 packet capture verbosity

Prints IP headers and the interface name (ingress and egress interfaces)

What is level 3 or 6 packet capture verbosity for

Prints the packet's IP headers, payload, and Ethernet headers; 6 prints all of those plus the interface name

Which of the following static route attributes does not appear on the GUI routing monitor

Priority

What type of information is stored in the crash log

Process crashes and conserve mode events

What does the secondary FortiGate do in active-active HA

Processes the traffic distributed by the primary

What are the two NGFW modes for a VDOM; describe each

Profile-based - traditional; the user must create antivirus, web filter, and IPS profiles, which are then applied to the policy
Policy-based - newer; users can add applications and web filter categories directly to a policy without having to create the profiles first

What does FGCP do

The protocol in HA that:
- discovers other FortiGate devices belonging to the same HA group
- elects the primary
- synchronizes configuration and data
- detects failures

WPAD

Provides the URL from which the PAC file can be downloaded

Which of the following configuration objects can be used to filter web proxy traffic based on HTTP header information: FQDN address or Proxy addresses

Proxy addresses

Dynamic routing protocols supported by FortiGate

RIP OSPF BGP IS-IS

What does the root VDOM do in split VDOM

Receives traffic from FortiGate global services: NTP, FortiGuard updates, SNMP, DNS, logs (FortiAnalyzer and syslog)

What is DC agent mode for FSSO

Recommended by Fortinet and the most scalable mode. Requires one DC agent (dcagent.dll) installed in windows\system32 on each Windows DC, and one or more collector agents installed on Windows servers

What threshold is used to determine when FortiGate enters conserve mode

Red

What is full mesh HA

Reduces the number of single points of failure by using an HA cluster and multiple switches, instead of one switch, on each side of the HA cluster

Which is an advantage of IP-based authentication sessions over session-based

Requires less RAM

Dynamic Routing

The router (FortiGate) communicates with neighboring routers to dynamically discover/learn the best routes based on one or more protocols, and shares its own routes. Paths are based on the destination IP and become self-organizing during failover, etc.

Which setting determines whether a tunnel is used as primary or backup: Routing / Firewall policy

Routing

What is IP routing?

Routing is how a packet from one network reaches a remote network. A router looks at the destination address and searches for the best path in its route table. If there are multiple paths, the router makes a decision based on various attributes. Once the destination network or default network is decided, the packet is encapsulated in a new layer 2 frame and sent to the next hop.

Where can you search and filter through routes

Routing monitor

What are SD-WAN rules

Rules route traffic through different members based on different circumstances. Rules can match traffic based on: source IP, destination IP, port number, ISDB object, application, user or user groups, ToS

Which should be used to monitor the session distribution across the SD-WAN member interfaces: SD-WAN link status monitor / SD-WAN usage monitor

SD-WAN usage monitor

What may be more beneficial than ECMP for maintaining multiple internet connections

SD-WAN

Which sessions are not synchronized between HA pairs

SSL VPN

What is an SA

Security association. Negotiated during phase 1 (ISAKMP tunnel), the SA includes the encryption type, hash type, Diffie-Hellman group, authentication (the peer needs to prove who it is through a pre-shared key), and lifetime

What is a VDOM

Segments the FortiGate into multiple logical devices, each with independent FortiOS settings, security policies, routes, etc. Traffic in one VDOM cannot go to another VDOM (unless it physically leaves the FortiGate to the internet and comes back)

Session based authentication in web proxy

Session based means each HTTP session is treated as a single user. It can differentiate multiple sessions even if the source IP is the same. After authentication the browser stores the user info in a session cookie. Requires more resources (RAM, because FortiGate remembers the cookies)

How does FortiGate load balance traffic when using the spillover method in ECMP routing

Sessions are distributed based on the interface threshold

Which sessions are synchronized between HA pairs

Sessions not handled by a proxy-based security profile: TCP, IPsec VPN, UDP, ICMP, multicast

How do you enable loose-check RPF and strict-check RPF

Loose check:
config system settings
set strict-src-check disable
end

Strict check:
config system settings
set strict-src-check enable
end

How do you enable the link health monitor to remove a static route if it detects an outage (CLI command)

set update-static-route enable

What is the debug flow

Shows step by step how the CPU is handling each packet

What is session failover in HA

Since sessions are synchronized, they are resumed on the other member in the event of a device or link failover

Which of the following route lookup scenarios will satisfy the RPF check for a packet: if the routing table has an active route for the [destination or source IP] of the packet

Source

What is the default ECMP method

Source IP

SD-WAN load balancing methods (ECMP methods plus one more)

Source IP (default); Source-destination IP; Usage (spillover); Weight; Volume - traffic is balanced based on traffic volume in bytes per link (based on the threshold set)

What four methods can ECMP use to load balance traffic

Source IP (default) - all traffic from the same source uses the same path. Source-destination IP - all traffic from the same source to the same destination uses the same path. Weighted (route or interface weights) - FortiGate distributes sessions with different IPs by generating a random value (based on the weight of the path) that decides the next path. Usage (spillover) - FortiGate uses the primary route until the traffic volume threshold is reached, then puts the rest on another route

What is the AD access mode, and what are the two modes

Specifies how the collector agent accesses and collects the user and user group information. Standard - Windows convention, domain\groups. Advanced - LDAP convention, CN=user, OU=name, DC=domain

What is the purpose of configuring group filters during the collector and DC agent installation

Specifying the groups that you want the collector to send to the FortiGate, so you don't have 10,000 users sent (unless you need to); only specify the groups you plan on creating policies for

What are the two VDOM modes

Split VDOM and multi VDOM

The priority attribute applies to which type of routes

Static

PAC file

Stored on the web proxy. Defines how browsers choose a proxy. It is a JavaScript file that determines whether a request will use a proxy and what the proxy addresses are

Strict vs loose RPF

Strict checks that the best route back to the source uses the incoming interface. Loose checks for the existence of at least one active route back to the source using the incoming interface

Where do you download the agents for FSSO installation

support.fortinet.com

How do you turn on advanced routing in the GUI

System > Feature Visibility > Advanced Routing: on

What type of sessions can be synchronized in HA

TCP, IPsec, UDP, ICMP, multicast

What ports does the collector agent use to poll the DCs for logon events

TCP 445 by default

FGCP port

TCP 703

Which status check protocol for link health monitor probing is only available from the CLI

TCP echo

What protocol is used to upload new firmware from the console

TFTP

When are tags added and removed

Tags are added on egress and removed on ingress

What is FEC (forward error correction)

Technique used to reduce the number of retransmissions over unstable VPN links

What is the simple difference between collector agent based polling mode and DC agent mode for FSSO

The DC does not have a DC agent (dcagent.dll) installed in collector agent based polling mode. So instead of the DC sending information to the collector agent on port 8000, the collector polls the DC on port 445 and then sends the information to the FortiGate on port 8000

What is used in the creation of the HA primary's virtual MAC addresses

The HA group ID

What happens to the virtual MAC addresses of the primary FortiGate when the device fails

The MAC addresses are transferred to the interfaces of the secondary

What are phase 2 proposals

The authentication and encryption algorithms, and the DH group, used in phase 2

What is a transparent (implicit) proxy

The client sends a request to the server's IP. The transparent proxy intercepts the client request at the IP layer and sends it to the server. The destination IP never changes. No client configuration is needed

In DC agent mode, what are the collector agent and the DC agent responsible for

The collector agent is responsible for: group verification, workstation checks, updating login records to the FortiGate, and sending domain info to the FortiGate. The DC agent: monitors user login events and forwards them to the collector agent (which forwards them to the FortiGate), and handles DNS lookups

What is a stateful firewall?

The firewall processes each packet individually and maintains information about the packets and their contents, to determine whether the packet is part of a new session or a pre-existing session and whether it adheres to a set of rules

When is RPF carried out?

On the first packet in a session, and whenever there is a route change, on the next packet in the original direction

What does FGCP run on and what port

The heartbeat links; TCP port 703 for Ethernet type 0x8890 (NAT mode) and TCP port 23 for Ethernet type 0x8893

How are heartbeat interface IPs configured

During HA negotiation, the member with the highest serial number automatically gets 169.254.0.1, the second gets 169.254.0.2, and so on

What table are internet service routes added to?

The policy routes. Even though they are configured as static routes, they are actually policy routes

What is a web proxy

It forwards requests to a server on behalf of a client

How are MAC addresses assigned to interfaces in an HA cluster

Through the group ID, virtual MAC addresses are assigned to each interface

What is the purpose of active-active in HA cluster

To load balance CPU and memory. The primary FortiGate receives traffic first, then sends it to the secondary to transmit in the direction it needs to go

Which will cause NTLM authentication to occur: Traffic coming from an IP on the FSSO user list / Traffic coming from an IP not on the FSSO user list

Traffic coming from an IP not on the FSSO user list

Which of the following is required for redirecting user traffic to the transparent web proxy: Traffic must match a firewall policy with a proxy option profile with the http-policy-redirect setting enabled / Traffic must match a firewall policy with the action set to proxy

Traffic must match a firewall policy with a proxy option profile with the http-policy-redirect setting enabled

Transport mode vs tunnel mode for IPsec

Transport mode - the original IP header is left intact. Tunnel mode - a new ESP or AH header is added so that the original header is encrypted

True or false. The same interfaces on each FortiGate must be connected to the same broadcast domain in HA.

True

True or false. All interfaces in a VDOM operating in transparent mode are in the same broadcast domain

True

True or false. You only need to update the primary FortiGate's firmware in an HA cluster

True

True or false: Browsers can be configured to automatically send credentials during NTLM authentication

True

True or false: ECMP implements route failover automatically

True

True or false: even though you configure routes with the SD-WAN virtual interface, FortiGate installs separate routes in the table on a per-member-interface level

True

True or false: the management VDOM is root by default but can be changed to any VDOM in multi VDOM mode

True

How many route lookups does FortiGate perform for a communication session, and where does the route information for the session get stored

Two: once for the originator's packet to the destination and once for the responder's packet to the source. The route information is stored in the session table. All subsequent packets follow the path stored in the session table and NOT the route table

You can configure virtual clustering between only ______ FortiGate devices with multiple VDOMs in an active-passive HA cluster

Two

How many TCP connections are there for a web proxy during a session

Two: from the client to the web proxy, and from the web proxy to the server

HA requirements

Two to four identical FortiGates; one or two (max) links between the FortiGates for heartbeat; the same interfaces on each FortiGate connected to the same broadcast domain

What will be displayed in the routing table

Type of route (dynamic, static, directly connected), network, gateway IP, interface, distance

What port does the DC agent use to forward login events to the collector agent in FSSO DC agent mode? What port does the collector agent use to forward information to the FortiGate?

UDP 8002; TCP 8000

What are destination address options for proxy address types

URL pattern, host regex match (FQDN), URL category

What is the priority routing attribute

Used for static routes to determine the best route to a destination when the distance is the same

SD-WAN

Used to load balance multiple WAN connections based on multiple algorithms that ensure high availability for critical applications

MPLS (Multiprotocol Label Switching)

Used to connect sites to other sites through a private cloud. It is connection independent, meaning each site can have a different type of connection and it still works. MPLS also comes with QoS (ToS in the packet). The ISP puts an MPLS label on the packet for quick transport, so the ISP router does not need to de-encapsulate all the headers; instead it can look at the label and direct packets quickly. MPLS is reliable, scalable, high performance and offers better utilization, BUT it is expensive and must be purchased from a carrier. It is more secure because traffic is not routed through the public internet but through a private cloud.

Proxy address objects

Used to create proxy policies. Proxy address objects provide more granularity in that they can match HTTP traffic based on the content of any HTTP field. Example: HTTP headers include a field named Host, which contains the FQDN of the web server; proxy address objects can be used to create a policy that matches the FQDN instead of the destination IP. Example: matching the URL pattern; proxy addresses can match traffic to URLs regardless of the IP address

What is DPD (dead peer detection), and what are the three modes

Used to detect dead tunnels. Useful in redundant VPNs where multiple paths are available: probes detect the dead tunnel and bring it down. Three modes: On demand - DPD probes are sent when there is outbound but no inbound traffic. On idle - probes are sent when there is no traffic. Disabled - no probes are sent

Dial-up VPN

Used when the dial-up server does not know the client address, so the client (for example FortiClient) is the one that initiates the VPN. Often used for mobile VPNs

Which is an SD-WAN rule matching parameter for traffic sources: User groups / IPS signatures

User groups

What does the collector agent forward to the FortiGate in DC agent mode

User name, host name, IP address, user groups

When performing NTLM authentication, what information does the web browser supply to the FortiGate: Username and password / User ID, IP address, group membership

Username and password

SD-WAN is a _____ consisting of a group of member interfaces that can be connected to different link types

Virtual interface

What is a route-based IPsec VPN

A VPN with a virtual interface for each tunnel

Which method of load balancing is supported by SD-WAN but not supported by ECMP routing

Volume

What is the link health monitor

A way to detect when a router along a path is down

Which of the following is an advantage of transparent web proxy over explicit web proxy

Web browsers do not need to be configured to use the proxy

When would there be a change in the heartbeat IP addresses

When a member leaves or joins the cluster

When is a new TCP session allocated

When a SYN packet is allowed

How does the link health monitor work

When configured, FortiGate probes a server beyond the ISP gateway. If FortiGate stops receiving replies, it removes any routes using that gateway from the routing table, or can shut down an interface and activate standby routes with a higher distance

Perfect Forward Secrecy (PFS)

When enabled, FortiGate renegotiates DH keys every time phase 2 expires, so that the same key is not used every time

What is memory conserve mode

When FortiGate is using too much memory, it begins to drop sessions to conserve memory (NOT GOOD). It also does not run any quarantine actions (exposing the network to potential malware), packets requiring IPS or proxy inspection are dropped, and configuration changes are not allowed

When are IPsec SAs renegotiated

When the lifetime expires

How is a device failover triggered in an HA cluster

When the primary FortiGate stops sending hello packets through the heartbeat interface

When are routes flushed from the session table in order to be relearned

When there is a change to the routing table

When is the metric used in routing, and what is it

When two routes have the same distance, the metric is used to break the tie. The metric helps determine the best route, and how it is calculated varies by dynamic routing protocol

What configuration setting must be enabled to allow VLAN-tagged traffic through a virtual wire pair

Wildcard VLAN

Which convention does the FSSO collector agent use to access Windows AD in standard access mode

Windows NetBIOS: domain\groups

How does the web proxy enforce authentication

With authentication rules and schemes

Can a software switch be used in firewall policies

Yes. The virtual interface (group of interfaces) can be used

Can you use the SLA link health monitor with SD-WAN?

Yes. You can specify SD-WAN interfaces

execute ha manage <device index> <admin username>

Connects to the CLI of the secondary member from the primary

What three things do you need to configure to set up the link health monitor

You must set the source interface, the IP of the gateway router, and the server IP and protocol

What is the first [#/#] displayed in the routing table entry and what are the second

[Distance/metric] [priority/weight]

Diffie-Hellman key exchange

An asymmetric standard for exchanging keys. Primarily used to send private keys over public networks.

CLI configuration to enable the link health monitor

config system link-monitor
edit <name>
set srcintf <interface>
set server <server ip>
set gateway-ip <gateway ip>
set protocol [ping | tcp-echo | udp-echo | twamp | http]
set update-static-route [enable | disable]
next
end

What is split VDOM

The FortiGate has two VDOMs in total: root and FG-traffic. Root - management work (hidden entries). FG-traffic - allows firewall traffic. Split VDOM mode cannot create new VDOMs

What is agentless polling mode in FSSO

The FortiGate polls the DC itself, so it does not require a DC agent or collector agent. More CPU and RAM is used by the FortiGate

CLI command to get system information

get system status

What is the workload distribution on an active-passive HA cluster

The primary receives and processes all traffic while sending hello packets through the heartbeat interface; the secondary waits

Types of IPsec VPNs, and which is recommended

Route based and policy based (policy based is not recommended)

STP

Spanning Tree Protocol, when enabled, blocks a redundant path to prevent broadcast storms. It elects a root bridge (switch), and switches exchange BPDUs that provide information about neighbors and paths, so a port can be blocked and later unblocked to restore an alternate path if needed

What feature can you use to ensure the latency, jitter, and packet loss levels remain within a threshold for SD-WAN

Turn on an SLA target, configure the thresholds for SD-WAN, and use the SLA target in the rule
