Fortinet NSE 4 (Security) - 02. Firewall Policies
When utilizing the Policy Lookup function in the GUI, how is a disabled policy handled?
Disabled policies are skipped
What is the policy type that checks for the anomalous patterns in the network traffic that arrives at a FortiGate interface?
DoS Policy
True/False? It is OK if a firewall policy does not have a destination interface configured as long as the source interface is configured?
False. Each policy must set a source and destination interface, even if one or both are set to any
True/False? When moving a policy up/down in the list, the Policy ID changes to match the policy's position within the policy list.
False. The Policy ID does not change
True/False? When configuring a firewall policy, the Name field is required regardless of whether the policy is being configured in the GUI or the CLI?
False. The field is only required when configuring a policy in the GUI
True/False? It is possible to configure a user for the destination of a firewall policy.
False. The user identification is determined at the ingress interface
True/False? It is possible to configure both an Internet Service Object and a Service in a firewall policy?
False. These have an either/or relationship. Note: Internet Service Objects and Addresses also have an either/or relationship and cannot be configured on the same policy
True/False? When configuring schedules for firewall policies, the Pre-expiration event log setting is available for either of the Recurring or One-Time types?
False. This setting is only available when the type is set to One Time
What is the policy type that controls traffic flow through FortiGate?
Firewall Policy
What is the policy type that controls the traffic between the interfaces in a virtual wire pair?
Firewall Virtual Wire Pair Policy
Is it possible to enable unnamed policies on the GUI? If so, how?
It is possible by enabling the Allow Unnamed Policies setting on the Feature Visibility page
What does it mean if the GUI Firewall Policy option Generate Logs when Session Starts is not displayed?
It means your FortiGate does not have internal storage. Note: This setting is available in the CLI regardless
What is the policy type that controls the traffic to a FortiGate interface and can be used to restrict administrative access?
Local In Policy
What is the policy type that allows multicast packets to pass from one interface to another?
Multicast Policy
When configuring schedules for firewall policies, where are the schedules configured?
Policy & Objects > Schedules
When configuring new Internet Service Database (ISDB) Objects, what are the two types of objects available for configuration?
Predefined or Geographic Based
What are the two types of traffic shapers?
Shared and Per IP
If you configure a firewall policy with the any interface, you can view the firewall policy list only in which view?
The By Sequence view
What setting must be enabled to allow you to select multiple interfaces in a firewall policy?
The Multiple Interface Policies setting under the Feature Visibility page
When configuring schedules for firewall policies, what will happen if a schedule is configured as Recurring and the Start Time and Stop Time are identical?
The schedule will run for 24 hours
When configuring schedules for firewall policies, what will happen if a schedule is configured as Recurring and the Stop Time is earlier than the Start Time?
The stop time will occur the next day
What type of object is used to configure groups of geographical regions?
These are configured as an ISDB (Internet Service Database) Object
What is the purpose of the following commands? config system fortiguard set update-ffdb [enable | disable]
This disables ISDB updates so that they only occur during a change control window
What is the purpose of the policy lookup feature on FortiGate?
To find a matching policy based on input criteria
When configuring schedules for firewall policies, what will happen if a schedule is configured as Recurring and the All Day option is enabled?
Traffic will be allowed for 24 hours on the days selected
True/False? When configuring firewall policy schedules as One Time, the Start Date/Time must be earlier than the Stop Date/Time.
True
What are the first six traffic match criteria that FortiGate analyzes before determining if it matches a policy and further evaluation is needed?
1. Incoming interface 2. Outgoing interface 3. Source (IP address, user, internet services) 4. Destination (IP address or internet services) 5. Service (IP protocol and port number) 6. Schedule
What are the two available Firewall Policy views? Which one is the default?
1. Interface Pair View (default) 2. By Sequence
What are the three methods by which a user can be authenticated when added to the source of a firewall policy?
1. Local - configured locally on FortiGate 2. Remote - LDAP, RADIUS, etc. 3. FortiGate Single Sign-On (FSSO) - retrieved from domain controller
What are the supported characters in a firewall object name?
1. Numbers 2. Letters 3. Special characters: hyphen and underscore 4. Spaces (although these should be avoided because they can make editing policies in the CLI difficult)
What are the three types of traffic shaping policies?
1. Shared policy shaping - Bandwidth management of security policies 2. Per-IP shaping - Bandwidth management of user IP addresses 3. Application control shaping - Bandwidth management by application
When creating IPv4/IPv6 consolidated firewall policies, what are the fields that cannot be shared between IPv4 and IPv6?
1. Source addresses 2. Destination addresses 3. IP pools
True/False? There is an either/or relationship between internet service objects and source address objects in firewall policies.
True. You can select either a source address or an internet service, but not both
When configuring schedules for firewall policies, what is the purpose of the Pre-expiration event log setting, which is only available for One Time types of schedules?
Turning this setting on will generate an event log N days before the schedule expires. Note: N can be configured from 1 to 100 days using the Number of days before field