NSE 7 Enterprise firewall

Ace your homework & exams now with Quizwiz!

What should the phase 2 quick mode selectors be set to for ADVPN (or any dynamic routing over IPSEC)

0.0.0.0/0.0.0.0

What are the only two session state values for UDP (2digits)

00 when traffic is only one way 01 when traffic is two ways

What formula determines the virtual MAC address and explain each part

00:09:0f:09:group_id:(vluster_id+interface_id) Group_id is the HA group ID converted to hexadecimal Vcluster_id is 0x00 fort virtual cluster 1 and 0x80 for virtual cluster 2 Interface_id is the interface index

How many times can the service option be used in a custom IPS signature

1

By default a BGP RR propagates how many paths per prefix and what is the command to change this default behavior

1 Config router bgp Set additional-path enable Set additional-path-select <number of paths> Config neighbor Edit <neighbor ip> Set additional-path [send | receive | both | disable ] Set adv-additional-path <number of paths>

IPSec connection steps (low level) (6)

1 interesting traffic triggers negotiation 2 phase 1 goes up (single bidirectional SA) 3 extended auth (if required) 4 IKE mode config (if required) 5 phase 2 goes up (2 SAs one for each direction) 6 tunnel is established and traffic can traverse

Steps to reset the web filtering and antispam databases

1) Disable the rating services on fortimanager interfaces 2) stop the rating services under fortiguard > advanced settings 3) delete the databases With the two commands Diagnose fmupdate fgd-del-db wf Diagnose fmupdate fgd-del-db as 4) start the rating services service under fortiguard > advanced settings 5) wait for the entire rating database to be downloaded and fully merged (4-12 hours) 6) enable the rating services on the fortimanager interfaces

Stage 1-3 NGFW policy mode

1) Traffic comes in 2) kernel can identify (NNTP, ICMP, and DNS) but no other layer 7 info 3) kernel evaluates layer 4 info to match NGFW policy 4) session flagged as may_dirty and added to session table with appid =0 unknown 5) traffic sent to IPS engine 6) IPS evaluates layer 7 and updates session table with dirty flag and correct appId 7) dirty flag tells kernel to reevaluate the session 8) kernel reevaluates session with new layer 7 info against NGFW policy and takes configured action

Active-active load balance steps (7)

1) client sends SYN packet and is forwarded to the primary fortigate using the interfaces VIRTUAL MAC address as destination 2) if primary decides the second will inspect the traffic then the SYN gets forwards to the secondary device in the respective interface PHYSICAL mac 3) the secondary responds with the SYN/ack to the client with it's PHYSICAL mac as src and starts the connection with the server by directly sending the SYN packet 4) client ACKs the SYN/ACK and sends it to the port on the primary using the VIRTUAL Mac 5) the primary device forwards the packet to the secondary for inspection using the secondary's PHYSICAL mac 6) when the server responds to the TCP SYN the packet with the SYN/ACK it is sent to the primary using the external interface VIRTUAL Mac 7) primary signals secondary and the on the Physical Mac and the secondary replies to the server with the ACK with it's physical interface mac as src

Route selection process (5)

1) most specific route (longest netmask/smallest subnet) 2) lowest distance (trustworthiness) 3) lowest metric (dynamic routes) 4) lowest priority (static routes) 5) if there are multiple paths with the same netmask, distance, metric, and priority fortigate will share traffic among all of them called ECMP

Debug flow block message 1) Denied by forward policy check 2) Denied by end point ip filter check 3) exceeded shaper limit, drop 4) reverse path check fail, drop 5)iprope_in_check() check failed, drop

1) no firewall policy allows the traffic Or a firewall policy allows the traffic but disclaimer is enabled and is not being accepted 2) source IP has been quarantined by DLP 3) packet dropped because of traffic shaping 4) packet dropped because of the RPF check 5) packet is management traffic destined to fortigate IP but: Service is not enabled Service is using different port Source IP is not included in trusted host Packet matches a local-in policy with action deny OR packet is not destined to fortigate IP address but there is a virtual IP or IP pool config using the destined IP

What 3 requirements does the fortigate have to put a configured static route in the routing table?

1) outgoing interface is UP 2) there is no other matching route with a lower distance 3) the link health monitor (if configured) is successful

6 requirements for forming an OSPF adjacency

1) peers primary IP addresses are in same subnet with same subnet mask 2) peers interfaces are the same type and in the same OSPF area 3) peers hello and dead interval match 4) peer has a unique router ID 5) OSPF IP MTUs match 6) OSPF auth if enabled is successful

7 things to do if you are configuring ADVPN from fortimanager VPN manager

1) set protected networks to all 2) enable ADVPN in the IPSec phase 1 3) disable add-route on the hub 4) enable net-device on spokes 5) configure IPs on virtual tunnel interfaces 6) configure dynamic routing and config route reflector if using IBGP 7) phase 1 is automatically named <vpnname>_0

Four occurrences that can trigger a failover

1) when primary stops replying to heartbeats (loss of keepalive packets) 2) when the link status of a monitored interface goes down (primary will be device with the fewest failed monitored interfaces b/c port monitoring takes precedence over priority) 3) when a server IP stops replying to the ping sent by the primary (remote link failure) (configurable) 4) when ForitOS detects a failure in an SSD

Root causes for "iprope_in_check() check failed, drop" (4)

1- When accessing the FortiGate for remote management (ping, telnet, ssh...), the service that is being accessed is not enabled on the interface. 2- When accessing the FortiGate for remote management (ping, telnet, ssh...), the service that is being accessed is enabled on the interface but there are trusted hosts configured which do not match the source IP of the ingressing packets 3- When accessing a FortiGate interface for remote management (ping, telnet, ssh...), via another interface of this same FortiGate, and no firewall policy is present 4- A VIP parameter must be set

Root causes for "Denied by forward policy check" (3)

1. - There is no firewall policy matching the traffic that needs to be routed or forwarded by the FortiGate (Traffic will hit the Implicit Deny rule) 2- The traffic is matching a DENY firewall policy 3- The traffic is matching a ALLOW firewall policy, but DISCLAIMER is enabled, in this case, traffic will not be accepted unless end user will accept the HTTP disclaimer purposed by Fortigate while browser external site.

What are the 7 steps OSPF routers go through with other OSPF peers to form an adjacency and what is the end result

1. Down -initial state 2. Init - hello packet is sent from a non adjacent neighbor 3. 2-way - communication is bidirectional between routers 4. Exstart- a primary and secondary relationship is negotiated 5. Exchange - database (DB) description packets are exchanged 6. Loading - LSAs are exchanged (request from one, update from other, request from other, update from one) 7. Full - LSDBs are identical

10 BGP route selection tie breakers:

1. Highest weight 2. Highest local preference 3. Prefer the path that was locally originated 4. Shortest AS path 5. Lowest origin type 6. Lowest multi exit discriminator (MED) 7. Lowest IGP metric to the BGP next hop 8. Prefer external path (EBGP) over internal path (IBGP) 9. IF ECMP enabled insert up to 10 routes 10. Lowest router id 10

How many LSA types are there? What are the five most common types?

1. router link advertisement Describes a routers links 2. Network link advertisement Describes all the routers in a multi access network 3. Summary link advertisement Describes summarized networks within an area (generated by ABR) 4. AS summary link advertisement Describes the path to a ASBR router 5. AS external link advertisement Describes external destinations originated in an ASBR

Maximum length for user created IPS rules

1024 bytes

Default max file size inspected and how to reduce or increase

10mb CLI Config firewall profile-protocol-options Edit <name> Config [http, ftp, pop3, smtp, imap] Set oversize-limit <mb> End

How many sessions does FTP use for file transfer and describe each

2 One control channel One data channel The control channel is always initiated by the client and is used to send the FTP commands which allow the client to move through the server folders, specify the file transfer, and initiate the data channel(if passive) for file upload or download The data channel is for the actual file transfer

What two phases does IKE use and how many SAs are established

2 Phase 1 1 bidirectional SA Phase 2 uses two IPSec SAs one for each traffic direction

Safe reduction of file inspection from 10mb in order to optimize memory but still catch viruses successfully

2 or 3 mb

Diagnose test application ipsmonitor 2, 5, 99

2 toggle IPS engine enable/disable status 5 toggle bypass status 99 restart all IPS engines and monitor

For any sessions, how many route look ups are performed

2- one for first packet sent by originator and one for first reply packet sent by responder

broadcast OSPF networks use two multicast destination addresses, what are they and what are they for

224.0.0.5 AllSPFRouters Hello packets LSA updates and acknowledgements sent by either the DR or BDR 224.0.0.6 AllDRouters LSA updates and acknowledgements sent by all other routers

point to point OSPF networks use one multicast destination address what is it and what is it for

224.0.0.5 AllSPFRouters All packets are sent to this address

Up to how long could it take to update a contract on all servers for fortiguard

24 hours but usually 2-4

A BGP router stores routing information in how many logical tables? What are they and describe each RIB-in: contains route info learned from other BGP routers before filtering. Local RIB: route info the local BGP speaker has selected from RIB-in after applying it's local policies RIB-out: contains the BGP rout info selected to be advertised to other peers

3

How many stages does NGFW policy mode session handling have

3

How many packets are exchanged in phase 1 aggressive mode and describe exchange

3 Client initiated by sending security policies and providing no DH and peer ID Responder replies with same info plus a hash Initiator sends hash payload

What verbose levels would you use and then convert to PCAP for wire shark

3 6 (prob 5 too but it wasn't mentioned) all three show payload 3 and 6 both show IP/Ethernet headers and payload

How often do OSPF routers read berries their OSPF information

30 minutes

How many VRFS are supported

32

Describe xauth packet exchange and how many packets

4 Server (responded) sends CFG_request Initiator or client responded with CFG_Reply containing user credentials If they are correct server sends and CFG_Set Client sends a CFG_ACk

what IP version does ADVPN support

4 and 6

Most common termination signal numbers (7)

4 illegal instruction 6 abort command from FortiOS 7 bus error 9 unconditional kill 11 invalid memory reference 14 alarm clock 15 graceful kill

What does option 5 do for the diagnose test application ipsmonitor 5 and how does it help diagnose high CPU issues

5 enabled IPs bypass mode. In this mode IPs is still running but it is not inspecting traffic. If the CPU decreases after that it indicates that the volume of traffic being inspected is too high for that fortigate model If it remains high after enabling bypass it indicates a problem with IPS engine needed to be reported to fortinet

Why is the FIN ACK protocol state 5

5 is TIME_WAIT which keeps the session in the session table for a few seconds more to allow for any out of order packets

How many packets are exchanged in main mode and describe the communication of the 6 packets

6 Client initiated by proposing security ISAKMP policies Responders selects which security policy it will agree to use Initiator send it's DH value Responder replies with it's DH Initiator sends it's peer ID and hash payload Responder replies with it's peer ID and hash payload

Maximum length of custom IPS signature NAME

64 characters

What arch is fortios

64bit

What port does fortitelemetry use

8013

Default for when fortigate enters conserve mode

88

What termination signal should you use if you have to manually kill a process and why

9 Diag sys kill 9 <ID> Because improperly killing a process can make fortigate system unstable since there are processes that function concurrently

What is default for when fortigate drops new sessions for conserve mode

95

What does fortimanager name phase 1 IPSec tunnels

<vpnname>_0

When is a session categorized as ephemeral (2)

A TCP session is not fully establish (three way handshake not completed) A UDP with only a single packet is received

TCP socket

A TCP socket is an endpoint instance defined by an IP address and a port in the context of either a particular TCP connection or the listening state.

What does a BGP RR and it's clients form

A cluster

What is NGFW policy mode

A flow based inspection mode that lets you configure app signatures, categories, groups, and fortiguard web filter categories directly on the firewall policy. AV and DLP are still configured as profiles.

How can you use TCL to create 150 addresses objects 10.0.1.0-10.0.1.150

A for loop

OSPF area

A logical collection of OSPF networks and routers defined with a 32 but number 0.0.0.10 or 10

Why is memory optimization important

A lot of fortigate processes are memory intensive such as DLP and AV. especially in smaller fortigates it is important to optimize memory use so that the fortigate does not go into conserve mode

What are ephemeral drops

A mechanism the fortigate has to prevent DoS attack. Sessions take up memory. A session is flagged as ephemeral if it is an incomplete TCP session or if only one UDP packet is received. Fortigate has a hard limit on max ephemeral sessions that can exist simultaneously in the session table

Partial Mesh Topology

A mesh topology where it is less expensive to implement and yields less redundancy than full mesh topology. With partial mesh, some nodes are organized in a full mesh scheme but others are only connected to one or two in the network. Partial mesh topology is commonly found in peripheral networks connected to a full meshed backbone.

What is a stub network?

A network that is accessed by a single route, and the router has just 1 neighbor. A stub network is a network with no knowledge of other networks, that will typically send much or all of its non-local traffic out via a single path, with the network aware only of a default route to non-local destinations.

Memory pagings

A portion of the hard disk can act as virtual RAM when there is not enough RAM available. The portion that acts as this is called the page file. Memory paging is when the OS moves pages of memory to the hard disk page file when RAM space is low and it needs to make room for other current processes. Reliance on paging can impair performance. Accessing the page file is slower than actual RAM.

Conserve mode

A protection mechanism that is triggered by the fortigate when it does does not have enough memory available to handle traffic It prevents using so much memory that fortigate becomes unresponsive

what is an AS autonomous system

A set of routers and networks under the same administration identified by a unique number and usually running an interior gateway protocol

How does ASBR info get advertised to other areas in OSPF if the e-bit type 1 LSAs are confined to same area

ABRs send type 4 LSAs to other areas on how to reach the ASBR

How does BGP route traffic (what is the routing based on)

AS paths and their attributes

Which BGP attributes are well known mandatory and what does that mean (3)

AS_path Origin NEXT_hop Well-known mandatory - attributes are mandatory

Which UTM profiles can be set to proxy or flow based

AV and Web filter

What are some public SDN connectors available

AWS Azure Google cloud platform Oracle cloud infrastructure IBM cloud AliCloud

By default, fortigate ____ all the prefixes it receives from routing advertisements

Accepts but you can filter out or modify some prefixes

What is the HA mode set to for VDOM partitioning

Active -passive

What two ways can you configure load balancing for virtual clustering

Active active and virtual partitioning

The system IO cache value is a sum of all ___ and ___ pages

Active and in active pages See diagnose hardware sysinfo memory

Two types of System IO cache

Active and inactive

What two modes does FTP have and describe each

Active and passive Active is when the client sends a port command through the control channel to the server that specifies the client IP and the TCP port for incoming data channel. The server then initiated the TCP data channel session to the IP and port specified Passive is when the client initiates the data channel to the server

How to tell active via inactive routes with command get router info routing table database

Active has * next to it

Four main wizards on the fortimanager device manager pane

Add device wizard to add devices and import configurations Install wizard to install config changes from the device manager pane or polices and objects pane to the managed devices Import policy wizard to import interface mapping, policy databases and objects associated with a managed device and preview changes Reinstall policy wizard to perform a quick install of a policy package and preview changes

What commands should be disabled/enabled on the HUB when doing ADVPN in the phase 1 and what should tunnel selector be set to

Add-route should be disabled so that dynamic routing is used Net-device should be disabled so dynamic interfaces are not configured Tunnel search should be next hop so that the next hop ip of the route is used to decide which tunnel the packet must be sent Auto-discovery-sender needs to be enabled

What is a fortimanager ADOM

Administrative domain that allows you to create grouping of devices to be monitored and managed by administrators. For example grouping by location, business division, firmware version, etc. not enabled by default. Purpose is to divide administration of devices to control and restrict access. Access is assigned based on the admin profile that allows access to one or more ADOMs. The number of ADOMs vary by model. Vdoms can be assigned to Adoms

APT

Advanced Persistent Threat

Network link advertisement (type 2) OSPF LSA types

Advertised by only and every DRs Contain information about the other routers connected to their multi access networks

What are the global IPS configuration Settings for

Affect the IPS engine operations for the whole Fortigate device

When are quarantined addresses automatically removed and when are banned IPs automatically removed

After a configurable period of time Banned IPs are not auto removed and need to be removed by an admin

Config system global Set SNAT-route-change enabled

After a routing change, routing information is flushed from existing SNAT sessions and rtcache, session flagged as dirty, and route lookups are performed again so the existing SNAT Sessions can use the new best route

Describe packet exchange for IKE mode config and when it occurs

After phase 1 and Xauth (if configured) 2 packets Client sends CFG_request listing the required IP settings Server replies with CFG_Replt containing the assigned values for each attribute

PPP for a packet that is offloaded to a NPU (NP6)

After the first packet, subsequent packets in an offloaded session skip routing, UTM/NGFW, and kernel processors and are just forwarded out the egress interface by the NP6 processor

Which AS attribute is optional transitive and what does that mean (2)

Aggregator Community Optional transitive - attributes may or may not be accepted and can be passed outside the local AS

What mode includes the peer ID in the first packet for IPsec

Aggressive

What routes would be in the FIB

All active routes in the RIB and some additional routes that may not be in the routing table and were automatically added by the fortigate such as routes added dynamically to real SSL VPN users

Security fabric map

All fortigate devices in a SF maintain their own SF map that include the MAC address and IP address of all connected fortigate devices and their interface

What interfaces are assigned virtual mac addresses when a primary is in a HA cluster

All interfaces besides the HA heartbeat interfaces

In what order are flow based inspection profiles applied to traffic

All of the applicable flow-based security modules are applied simultaneously in one single pass

What does full ssl inspection inspect

All of the packet contents including the payload

Why doesn't the kernel need to use memory paging to access the whole memory space

All the memory space is directly accessible to the kernel because of 64 bit arch

What does the "additional-paths" option for BGP do and benefits

Allows RR to propagate multiple paths for the same prefix More efficient use of BGP multi path Can prevent sub optimal routing Required for combing SDWAN and ADVPN

Workspace mode

Allows admins to make a batch of changes that are not implemented until committed so that the changes can be reverted or edited without impacting current operations

Features of workspace mode

Allows you to make changes in CLI that are not applied to the current config until saved with a specific command. When in workspace mode the object being changed is locked and can't be edited by another admin. A warning message will be shown to the admin letting them know it is being configured in another workspace transaction. Once changes are approved they can be save and applied and the changes will be available to the kernel and processes. If not approved they can be aborted and it won't affect the current config.

What is the ICMP proto_state

Always 00

In active active HA which device gets traffic first

Always primary

What connectors are available as public SDN multi cloud support

Amazon AWS Microsoft AZURE Google cloud platform (GCP) Oracle cloud infrastructure (OCI) Alicloud

How do ASBRs advertise themselves

An ASBR advertises itself by sending type 1 LSAs. They set the E-bit on in the OSPF header. LSAs with the E-bit set are confined to the area they originate.

AS summary link advertisement (type 4) OSPF LSA type

An ASBR advertises itself by sending type 1 LSAs. They set the E-bit on in the OSPF header. LSAs with the E-bit set are confined to the area they originate. ABRs in the same area send a type 4 LSA to the other areas with information on how to reach the ASBRs

An OSPF session between two OSPF peers is called ____

An adjacency

What is virtual clustering and what three ways can you configure a virtual cluster

An extension of FGCP for a cluster of two fortigate devices operating with multiple VDOMs enable Can be in active-active active-passive VDOM partitioning

What can continuous high CPU use by the IPS engines be caused by (ipsengine daemon)

An infinite loop in packet parsing

What is required to be configured on the tunnel interfaces for hub and spokes when having dynamic routing

An overlay IP address Overlay IPs need to be in the same subnet

What are the three stages to an IPS solution

Analysis: admin defines what to protect and where Evaluation: after an initial IPS configuration the admin makes further adjustments based on the IPS logs and set IPS to monitor MaintenAnce: after the config is working correctly the admin sets IPS to protect and must continue to monitor logs and make adjustments for false positives or negatives that occur

How to fine tune IPS (2)

Analyze Ips events and eliminate false positives {Check the IPS events and starts with events that have been generated the most or have high priority Analyze each event for: Source Destination Services Type of attack Analysis will help you figure out if it is a false positive or genuine attack} {eliminate as many false positives as possible. Try to fix the problem by making changes in either the source or destination of the traffic first. You can also use IPS exemptions}

When you are analyzing a IPS event what should you look at to determine if it is a true attack or false positive

Analyze each event for: Source Destination Services Type of attack

ACI

Application centric infrastructure

What is SIP ALG, what does it provide, and how is it different than the sip session helper

Application layer gateway A feature that is smarter and more versatile than the SIP session helper Has all the same functions of the SIP helper but provides more features: SIP TCP and UDP support SIP IPv6 Rate limiting Message syntax checking SIP HA failover Detailed logging and reporting Session helper runs in kernel and SIP ALG runs in user space process

What runs in the user space in the FortiOS arch

Application processes and daemons

What two options are configurable for NGFW policy mode

Application sig/categories/groups and web filter categories

Enterprise firewall solution (2)

Apply end to end security Segment your network End to end security with a consolidated operating system FortiOS Core of the solution is security fabric which allows all devices to communicate in network And manage all deployments through fortimanager

Process in building OSPF tree

As LSAs are added to the LSDB dijkstras algorithm is a recursive process that runs multiple times to map all known paths and then it will choose the lowest path and fill those paths in the OSPF tree

How is memory allocated to each process that runs above the kernel layer in the user space

As separate blocks of memory for each process

What actions can you perform from physical topology view in Sf (4)

Authorize switches and APs Upgrade devices Connect to a devices CLI Ban and unban compromised IPS

What ADVPN command needs to be configured on the hub-hub tunnel

Auto-discovery-forwarded enable

What ADVPN command needs to be configured on the hub-hub tunnel

Auto-discovery-forwarded enabled

Command to enable ADVPN on spoke

Auto-discovery-receiver

What ADVPN command needs to be configured on the spoke-hub tunnel

Auto-discovery-receiver enabled

What ADVPN command needs to be configured on the hub-spoke tunnel

Auto-discovery-sender enabled

Stitches

Automated actions based on triggers

Two settings for av fail open under config sys global

Av-failopen Av-session-failopen

Total slab size

Available objects x objects size

What is required for ADVPN routing and what protocols are supported

BGP OSPF RIPv2/RIPng

What type of routes does ECMP support (3)

BGP OSPF Static

What does ADVPN require all hubs to be configured as

BGP RR

Dominate EGP

BGP for the Internet

BGP attributes (8)

BGP routes based on AS paths and their attributes. AS list is one of the attributes: AS list contains the autonomous systems that traffic needs to route through to reach the destination

Two area types in OSPF network and what is the area ID

Backbone 0.0.0.0 Normal area (any thing other than 0.0.0.0)

Why you you clear session filter and then specify a new session filter

Because all sessions from previous filters will be listed If no filter is specified then the whole table will be listed (this could be in the thousands or millions)

Why will return packets be toured through an interface if there is a better route through a different interface

Because fortigate remembers the interface to source for the return packets and asymmetric routing hinders content inspection so the fortigate will route it through the interface back to source to prevent asymmetric routing

Why is it beneficial if two wan interfaces share the same public IP pool for SNAT

Because if one wan goes down sessions are routed through the secondary ISP and maintain the same public source IP so sessions can remain up

From command diagnose webfilter fortiguard statistics list, why are all the cache stats at 0

Because the web filtering cache is disabled under "config system fortiguard"

Memory tension drops

Behavior where kernel deletes old sessions to free up memory

What is the debug level for real time debugs

Bit value that specifies which messages are displayed 0 means no output (disabled) Debug -1 means enable all possible message types

Which route would be put in the routing table Get router info routing-table all 0.0.0.0/0 [10/0] via x.x.x.x port 1 [10/0] via x.x.x.x port 2 [20/0]

Both because they both have the same distance. One is just preferred with a lower priority. If one had a higher distance it would not be in the routing table

SF tree structure

Branch fortigate devices connect to upstream fortigate devices

What is the purpose of the public SDN connectors

Bridge SDN controllers and fortigate devices such as in connecting and registering itself to APIC in the Cisco ACI fabric, polling interesting objects, translating them into address objects and populating the address objects and endpoints onto fortigate

How does an OSPF router generate the OSPF tree (2)

By using the LSDB and dijkstras algorithm

What runs in the configuration layer of the FortiOS arch (4)

CLI GUI API FMG

Where is workspace mode available from

CLI only

What are the CP chip models

CP8 and CP9

What may you be experiencing if you see this output when you perform the diag sys top command 0U, 0N, 0S, 100I

CPU states 0% user 0% system 0% nice 100% idle Fortigate has stopped working

What may you be experiencing if you see the following when you perform the diag sys top command 1U, 0N, 98S, 1I

CPU states 1% user 98% system 0% nice 1% idle Network is slow

Fortimanager scripts and what two are supported (what are each)

Can make many changes at once and is useful for bulk changes across multiple managed devices. CLI - FortiOS command as they are entered on the command prompt on the device TCL - dynamic scripting language that extends the CLI functionally. First like is #! Do not include exit command because it will prevent script from running.

What happens when changes are committed in workspace mode

Changes are applied to current configuration and changes are available for all other processes in the kernel

What to do if IPS is triggering false positives (5)

Check that the DB is up-to-date Determine what signature is causing the false positive Use IP exemptions as a temporary bypasS If all factors verifies, (correct policy match, IPS profile match) Collect multiple sniffer samples to send to fortiguard team

BGP troubleshooting tips: (4)

Check that the local router can reach remote peer Check the TCP session Check the BGP session If the BGP session is established, check the prefixes received and advertised by each peer

What should you check if a fortigate is unexpectedly restarting itself

Check the logs Console logs And crash log

When troubleshooting, what should you do after making a security profile change

Clear and sessions related to the change and generate new sessions because the change won't apply to existing sessiosn

What are the IKE messages exchanged when an ADVPN tunnel is being negotiated (10)

Client on Spoke 1 generates traffic for a subnet on spoke 2 Spoke 1 receives/encrypts packet and sends it to the hub The hub receives the packet from spoke 1 and forwards it to spoke 2 Spoke 2 received the packets, decrypts, and forwards to dest device The hub knows there is a direct tunnel option available with the and sends a shortcut offer message to spoke 1 Spoke 1 acknowledges the shortcut offer by sending a shortcut query to the hub The hub forwards the shortcut query from spoke 1 to spoke 2 Spoke2 acknowledges the shortcut query and sends a shortcut reply to the hub The hub forwards the shortcut reply to spoke 1 Spoke 1 and spoke 2 initiate the tunnel IKE negotiation

What is a kernel memory slab and 7 examples of kernel slabs

Collection of objects with a common purpose and fixed size. Used by the kernel to store information in memory. Tcp_session tcp session Ip_session non-tcp session ip_dst_cache route cache Buffer_head read/write data from disk,flash Inode_cache information about files and directories Dentry_cache cache for file system directory entries Arp _cache cache for arp

When there is a routing change and SNAT is applied what determines the action the fortigate takes

Command Config system global Set SNAT-route-change [disable | enable]

If you see an increase in error counters with command diagnose webfilter fortiguard statistics list what does this indicate

Communicate problems to fortiguard

Command to disable IPS acceleration, enable basic IPS acceleration, and enable enhanced acceleration

Config IPS global Set cp-accel-mode (none | basic | advanced)

What is the command that controls how IPS handles incoming packets when in fail open mode

Config IPs global Set fail-open (enable | disable)

Commonly used options for global IPS Configuration

Config IPs global Set fail-open {enable | disable} Set intelligent-mode (enable | disable) Set socket-size <IPs buffer size> Set traffic-submit (enable | disable)

Command to enable and disable IPS offloading to NPU

Config IPs global Set np-accel-mode (none | basic}

If you configure the check-policy-option for the global firewall-session-dirty handling behavior, what command lets you specify the session handling setting per policy

Config firewall policy Edit <ID> Set firewall-session-dirty {check-all, check-new}

Command to reduce session TTL per firewall policy for memory OPT and default

Config firewall policy Edit <ID> Set session-ttl 300 Default 3600

By default fortigate will use the CN field if the SNI in the client certificate does not match the CN or server fields. What is the command to change this behavior

Config firewall ssl-ssh-profile Edit <profile name> Config http Set SNI-server-cert-check [ enable | strict | disable]

Command to change IPS fail open behavior and default behavior

Config ips global Set fail-open (enable | disable) Default is disabled which means if fortigate goes into conserved mode the IPS engine will drop all new sessions that require flow based inspection but will try to process all existing sessions

Command to redistribute connected and static routes and routes learned from other routing protocols into BGP

Config router BGP Config redistribute "static" Set status enable End

How to enable route redistribution for OSPF on fortigate and what it does

Config router ospf Config redistribute bgp Set status enable Fortigate will redistribute non OSPF routes and act as an ASBR

What is a good indication of the health of an ha cluster

Config sync status

Commands to configure fortigate with fortimanager ip for updates and ratings and command to exclude fortiguard servers in the override list

Config sys central-management Config server-list Set server-type update rating Set server-address <fmg ip> Next End Set include-default-servers-disable (enable or disable the inclusion of public fortiguard servers in the override server list)

Command to reduce DNS cache for memory opt and what is default

Config sys dns Set dns-cache-ttl 300 End Default 1800 seconds

Command to reduce fortiguard cache TTL for memory opt and what is default

Config sys fortiguard Set webfilter-cache-TTL 500 Set antispam-cache-TTL 500 Default is 3600 and 1800 seconds

Command to change default conserve mode values and what are defaults for each

Config sys global Set memory-use-threshold-<extreme, red, green> Extreme default- 95 red default- 88 Green default- 82

Command to control how fortigate handles traffic that requires proxy based content inspection during conserve mode

Config sys global Set av-failopen (off | one shot | pass) Set av-failopen-session (enable | disable)

Command to change fortiguard source port if ISP is blocking source ports

Config sys global Set ip-src-port-range 1031-4999 End

Command to reduce TCP session timers and defaults

Config sys global Set tcp-halfclose-timer 30 (was 120) Set tcp-halfopen-timer 8 (10) Set tcp-timewait-timer 1 (1)

Useful command for debugging update services activities on fortigates managers by a fortimanager FDS and what level should you set the sebug

Config sys locallog disk setting Set severity debug End Config fmupdate FDS-setting Set linkd-log debug Set umsvc-log debug

Command for logging rating services events the same way it logs updates services and what level should you enable first (3) commands

Config sys locallog disk setting Set severity debug End Config fmupdate web-spam fgd-setting Set linkd-log debug Set update-log enable Diagnose fmupdate view-linkd-log fgd

Command to lower TCP session TTL and one for UDP session TTL and one for each service TTL (3) and defaults

Config sys session-TTL Set default 300 (was 3600) Config sys global Set UDP-idle-timer 90 (was 180) Config sys session-ttl Config port Edit <ID> Set protocol <ip prot> Set start-port <> Set end-port <> Set timeout 300

Command to enable TCL scripting in fortimanager

Config system admin setting Set show_tcl_script enable

How to disable configuration sync for SF

Config system csf Set configuration-sync local

Command to configure fortigate to use servers world wide or only server located in the USA and which does it use by default

Config system fortiguard Set update-server-location [usa | any] Default uses worldwide

Command to change fortiguard web filter cache TTL

Config system fortiguard Webfilter-cache enable Webfilter-cache-TTL <3600>

What to do if fortiguard web filter ratings in the local cache are expiring to quickly

Config system fortiguard Webfilter-cache enable Webfilter-cache-TTL <3600> Change TTL

Command to use a different interface for session sync than the heart beat interface

Config system ha Set session-sync-dev <port name> <port name2>

Command to delay session sync for ha by 30 seconds so that short lived sessions are synced and save bandwidth and don't interfere with heartbeats

Config system ha Set session-pickup-delay enable

Command to change if session helper or SIP ALG is used in VoIP config (describe both options for command and which is default)

Config system setting Set default-voip-ALG-mode [proxy-based | kernel-helper-based] End proxy-based: default and will use SIP ALG Kernel-helper-based: SIP helper is used

Command to change the SIP ALG ports over UDP, TCP, and SSL

Config system settings Set sip-tcp-port <port num1> <port num2> Set sip-udp-port <port num1> <port num2> Set sip-ssl-port <port num1> <port num2>

Command to modify the fortigate s session handling behavior after policy changes and what are the 3 options (which is default)

Config system settings Set firewall-session-dirty {check-all, check-new, check-policy-option} Check-all: all policy information. Is removed from sessions affected by a policy change. When packets are received they are reevaluated (default) Check-new: existing sessions are unaffected. New sessions are evaluated against the modified policies Check-policy-option: sessions will be handled based on firewall policy configuration

Command to manually disable IPSEC offloading per tunnel

Config vpn IPSec phase1-interface Edit <> Set NPU-offload enable | disable

Command to configure IPSec aggregate

Config vpn IPSec phase1-interface Edit <> Set aggregate member enable

FortiOS architecture (pic) (4 layers)

Configuration layer User space Kernel Hardware

IBGP config for HUB (pic) (5)

Configure AS Configure a neighbor group and set the remote AS the same Within the neighbor group configure the hub as a route reflector Configure a neighbor range with a prefix that includes all of the spokes Configure the local networks behind the hub to be advertised to the spokes

IBGP config for spoke (pic) (3)

Configure as Configure neighbor as hub ip and set same remote as Config network as local IPs to be advertised over BGP

If fortigate is connecting through a web proxy what needs to be done to reach fortiguard

Configure the connection through the web proxy with command: Config system autoupdate tunneling Set password <pass> Set port <proxy port> Set status [enable disable ] Set username End

If you are using IBGP with ADVPN what must you configure on the hub so that routes learned from one spoke are forwarded to the other spokes

Configure the hub as a route reflector with command Set route-reflector-client enable

Basic fortiGate OSPF config. What to configure and commands

Configure the router ID, define OSPF area, select networks to enable OSPF on config router ospf Set router-id 0.0.0.1 Config area Edit 0.0.0.0 Next End Config network Edit 1 Set prefix 192.168.1.0 255.255.255.0 Set area 0.0.0.0 Next End

Auto-discovery-sender

Configured on HUB. Tells the fortigate that when IPSec traffic transits the hub it should send a shortcut offer to the initiator of the traffic to indicate that it could perhaps establish a shortcut

Auto-discovery-receiver

Configured on spoke and unification that the IPsec tunnel wants to participate in ADVPN and receive shortcut offers

Two modes AV system operates in

Conserve and non conserve

What feature is useful when troubleshooting unexpected restarts and devices that randomly become unresponsive

Console logging so console logs are stored in flash memory

Summary link advertisement (type 3) OSPF LSA type

Contain summarized link state information. Advertised only by ABRs See pic

What is the checksum zone in command diag sys ha checksum show and what is debugzone

Contains the checksum of the configuration that is actually running in the device Where Configuration changes are first stored before applying them to the running configuration

Management layers of fortimanager (pic)

Contains the device manager management module and the ADOM layer (policy and object, AP, Switch, VPN manager) system settings and fortiguard and then a fortianalyzer mode for log view, incidents and events, SOC, reports

What is the OSPF tree

Contains the shortest path from the local router to each other router and network. It gives the best route to each destination and objects this into the devices routing table

In a proxy based policy how are inspection profiles ordered

Content inspection happens in the following order: VoIP inspection, DLP, Email Filter (Anti-Spam), Web Filtering, AntiVirus, and ICAP.

What processor encrypts and decrypts SSL

Content processor

CP8 and CP9 purpose

Content processors that offload resource intensive tasks from CPU and provide a fast path for traffic inspected by IPS including flow based inspection and proxy based encryption/decryption and AV

FTP control and FTP data port

Control 21 Data 20

What type of channels does SIP use

Control and four data

What does the command do Config IPs global Set intelligent-mode enable

Controls the IPS engines adaptive scanning behavior Enable- (default) using heuristics IPS engine determines when it is secure enough to stop scanning session traffic. It's a balanced method that covers all known exploits

Core of enterprise firewall solution

Core of the solution is security fabric which allows all devices to communicate in network

Metric in OSPF and explain how it works

Cost. This is how the routers choose the best path to a destination Each router interface is associated with an interface cost which is how fast that interface is. An OSPF cost is the sum of all interfaces' costs to the final destination (cumulative bandwidth) Lower cost is better

What type of message is usually generated through the console port when a fgt crashes

Crashdump

Highest Throughout requirements of all firewall roles

DCFW

What type of OSPF packets are Unicast? (2)

DD database description packets exchanged during adjacency LSA retransmission

What kind of firewall role would a fgt deployed in a smaller branch office or remote site

DEFW

Five firewall roles depending on where fortigate is deployed

DEFW (distributed enterprise firewall) CFW (Cloud firewall) NGFW (next generation firewall) DCFW (data center firewall) ISFW (Internal segmentation firewall)

If vpn tunnel is up but traffic can't cross tunnel what command should you use and what does it show (4)

Debug flow of tunnel traffic to see packet arriving Packet being allowed by a firewall policy Packet entering the tunnel Packet being encrypted and sent

What is the default behavior of a fortimanager were to go down and it is acting as a FDS

Default command include-default-servers enable will override and check fortiguard servers unless this option is disabled

What is default session route persistence and how can you modify the default behavior (without SNAT)

Default disable Config system interface Edit interface Set preserve-session-route (enable | disable) Enable: sessions passing through the interface will continue to pass without being affected by the route change. Only new sessions will be affected Disable: fortigate flushed all routing information from session table after route change and performs new route lookups

What is the route-overlap setting found in phase 2 of IPSec config

Defines what action fortigate will take if two remote subnets are the same. Possible actions include: Use-new (default) disconnect existing dial up and accept new dial up Use-old keep existing and reject new Allow - keep existing and accept new. Traffic will be load balanced between both

If the kernel cannot allocate more memory pages what does it do

Delete the oldest sessions

When configuring filter subnets prefix list, by default traffic that does not match a subnet in the prefix list is....

Denied

Router link advertisement (type 1) OSPF LSA types

Describes the networks connected to a router Advertised by every OSPF router in an area Not advertised outside the area they originate

In multi access network one _____ and one backup ____ are elected

Designated router DR

What does the session table contain and what is the command to see the table and the command to see number of session

Detailed information about every IP connection that crosses or terminates at fortigate Get sys session status shows number of sessions Get sys session lists shows the session table

Three ways to run CLI scripts from fortimanager

Device database Policy package/ADOM database (Both require using install wizard) remote fortigate directly (CLI)

What bridges the kernel and the hardware

Device drivers

What does the reset_cnt value in the diagnose sys ha dump-by vlcuster command show you

Device uptime and how many times the device uptime has been reset with diagnose sys ha reset-uptime

IPSec real-time debug

Diag debug app ike -1 Di de en

Command to enable real time app debug And some apps (daemons) that can be debugged in real time (4)

Diag debug application <app name> <debug level> Di de en Ike Snmpd Sslvpnd Authd Updated

What command can you use to identify how much memory the session table is using or if the fortigate model is too small for the amount of traffic crossing the device and what to do if session memory value is too high

Diag hardware sysinfo slab Look at memory allocated to TCP and IP sessions by multiplying num_obj by objsize If too high get bigger fgt or tune session TTLs

How can you identify if a process is using too much memory so the fortigate doesn't go into conserve mode

Diag sys top

Command to show the state of each process and what the 4 states are

Diag sys top Sleeping (s) Running (R) do not disturb (D) Zombie (Z)

Command to manually kill a process and command to find the process id

Diag sys top (to get process ID) Diag sys kill <termination signal> <process ID> Use termination 9!!!!

Command to show how much memory space is being used by each process Displays ID number State CPU use And how can you sort the list by CPU use and memory Use

Diag sys top <refresh time in sec> <num lines> Shift P for CPU Shift M for Mem

Command to filter for specific IKE info when doing a debug

Diag vpn Ike log filter ? Diag vpn ike log filter clear

Command to filter for IPs address of remote peer for IPSEC

Diag vpn Ike log filter dst-addr4

What filter is useful when debugging ADVPN shortcut messages and spoke-to-spoke negotiations

Diag vpn Ike log filter mdst-addr <ip.of.hub> <ip.of.spoke> Specify if multiple ip addresses during the ike real time debug

Command to see a summary of fortiguard configuration on fortigate

Diagnose autoupdate status

Command to list all the fortiguard databases and engines installed including version, contract, expiration date, time it was updated and what was happening during last update

Diagnose autoupdate versions

Ike real-time debug and bit mask options

Diagnose debug application Ike <bit mask> Diag debug console timestamp enable -1 shows all options

HA Real-time debug (3)

Diagnose debug application hatalk -1 Diagnose debug application hasync -1 Diagnose debug enable

Command for SIP real time debug (3)

Diagnose debug application im 31 Diagnose debug application sip <debug_level> Diagnose debug enable

Fortiguard real-time debug for AV/IPS update issues

Diagnose debug application update -1 Di de en Execute update-now

How to enable or disable console logging

Diagnose debug comlog <enable | disable>

Command to clear console logging

Diagnose debug comlog clear

Command to display console log settings

Diagnose debug comlog info

Command to read console logging

Diagnose debug comlog read

Option to prepend a timestamp to each debug line

Diagnose debug console timestamp enable

Command to read crash log

Diagnose debug crashlog read

5 steps to debug flow and what is each step (5 commands)

Diagnose debug flow show function-name enable (displays function names) Diagnose debug flow filter <filter> (specify filter) Diagnose debug enable (send output) Diagnose debug flow trace start <count> Diagnose debug follow trace stop

Command to display the list of servers for web filtering and anti spam queries. For each IP the table will show: Round trip delay Server time zone Number of recent consecutive queries without a reply Historical number of queries without a reply (reset with device restarts)

Diagnose debug rating

Real-time web filter debug

Diagnose debug urlfilter src-addr <source ip> Diagnose debug application urlfilter -1 Diagnose debug enable

Command to check policy based route table

Diagnose firewall proute list

Command in CLI to displays receive status information for fortimanager fortiguard (fortimanager)

Diagnose fmupdate FDS-getobject

Command in fortimanager to show fortigate licensing for fortiguard

Diagnose fmupdate dbcontact

Fortimanager command to display the number of web filtering and antispam queries received from fortigate

Diagnose fmupdate fgt-wfas-rate

Fortimanager command to restart the rating service

Diagnose fmupdate service-restart fgd

Command to display details about which updates were installed or will be installed on devices managed by fortimanager (fortimanager command)

Diagnose fmupdate show-dev-object

Command to display update services logs from the fortigate to the fortimanager for fortiguard updates and from fortimanager to fortiguard

Diagnose fmupdate view-linkd-log fds

Command to verify ha virtual MAC

Diagnose hardware deviceinfo nic <interface name>

Command to see if fortigate is in conserve mode

Diagnose hardware sysinfo conserve

Command to show the total amount of sys memory (memtotal) and amount of free memory (memfree)

Diagnose hardware sysinfo memory

Command to display total amount of memory allocated for the I/O cache.

Diagnose hardware sysinfo memory Check "cached"

Command shown to check how much memory is being allocated to kernel slabs

Diagnose hardware sysinfo slab

Real-time BGP debug and how to disable What is some info that will be displayed

Diagnose ip router bgp all enable Diagnose ip router bgp level info Diagnose debug enable Diagnose ip router bgp all disable Diagnose ip router bgp level none Diagnose debug disable All 6 BGP connection states, messages sent back and forth, neighbor statuses changing, Prefixes received from peer, if any prefixes are denied by a filter

Command to stop OSPF real-time debug (DIAG DEBUG RESET DOES NOT STOP IT)

Diagnose ip router ospf all disable

Command to keep ospf debug running even after the execute router clear ospf process is run which restarts ospf

Diagnose ip router z1 enable

Command to check route cache

Diagnose ip rtcache list

Command to sniff HA heartbeat packets for a NAT/route mode cluster

Diagnose sniff packet any "ether proto 0x8890" 4

Sniffer for IKE traffic with no NAT Sniffer for ESP traffic with no NAT

Diagnose sniffer packet <port> 'host <remote gateway> and UDP port 500' Diagnose sniffer packet any 'host <remote gateway> and esp'

Sniffer for IKE and ESP traffic with NAT

Diagnose sniffer packet any 'host <remote gateway> and (UDP port 500 or UDP port 4500)'

Command to sniff traffic from all interfaces

Diagnose sniffer packet any 4

Command to crash system if it has not scheduled any daemon in 10 minutes and will force a crashdump to the console

Diagnose sys NMI-watchdog enable

Command to list the CLI changes pending to be commuted in your workspace

Diagnose sys config-transaction show txn-CLI-commands

Command to view information about all the active workspace transactions (from multiple admins) including transaction ID, expiration times, usernames of admin and how and where they are connecting from

Diagnose sys config-transaction show txn-info

Command to show if the current admin is working on a workspace that is pending being committed and the transaction ID

Diagnose sys config-transaction status

How to see the security fabric map

Diagnose sys csf neighbor list

Command to see upstream AND downstream fortigates if the fortigate is not the SF root ( will show serial number, IP, connecting interface and connection status)

Diagnose sys csf upstream Diagnose sys csf downstream

Instead of running the diagnose sys ha checksum show command on all devices what command can you run (give an example in which you wouldn't be able to run this command instead)

Diagnose sys ha checksum cluster If there are communication problems between primary and secondary

Command to verify that all the secondary confirmations are synced with the primary configuration

Diagnose sys ha checksum show

Command to see how many times device had it's uptime reset with diagnose sys ha reset-uptime

Diagnose sys ha dump-by vcluster

Command to provide information about past HA events

Diagnose sys ha history read

Command to reset uptime and change primary devices

Diagnose sys ha reset-uptime

Command to display HA stats including heartbeat traffic stats, serial number, HA priority, heartbeat interface IP for primary fortigate

Diagnose sys ha status

Commands to clear sessions that match a filter and why you need to be careful with the commands (3)

Diagnose sys session filter ? (Specify filters) Diagnose sys session filter (check filter is correct) Diagnose sys session clear (clears session) Need to be careful because you can potentially clear out all sessions if you don't specify the correct filters or any filters

Three commands to display detailed information about sessions (what do each commands do)

Diagnose sys session filter clear (Clears previous session filters) Diagnose sys session filter ? <dport, dst, policy, sport, src > (Specifies filter for the session table so the whole table isn't displayed) Diagnose sys session list (Lists entries matching the configured filter)

If session sync is enabled across HA devices how can you check to see which sessions have been synced to the secondary

Diagnose sys session list Ha_id=index Synced

Command to list expected sessions created by the session helpers

Diagnose sys session list expectation

How to see memory tension and ephemeral drops

Diagnose sys session stat

Command to display number of sessions deleted by the kernel to free up memory

Diagnose sys session stat Look for memory tension drop=0

Command to disconnect any active SIP calls

Diagnose sys sip-proxy calls clear

Command to display all active SIP calls

Diagnose sys sip-proxy calls list

Command to diagnose high CPU problems caused by IPS 5

Diagnose test application IPS monitor ?

Command to see FQDN and IPs of fortiguard servers available for antivirus and IPS updates

Diagnose test application dnsproxy 7

Command to troubleshoot issues related to web filtering (see pic for all options)

Diagnose test application urlfilter 1

Command to clear phase 1 and why to be careful with it

Diagnose vpn Ike gateway clear <name> If you don't specify a phase 1 name all phase 1s of all tunnels will be cleared

Command to display details about a tunnel Name Version Interface Addresses When phase 1 is created Imitator or responder Proposals Phase1 lifetimes and DPD etc

Diagnose vpn Ike gateway list (name) <tunnel name>

What is an Ike route and what is the command to see them

Diagnose vpn ike routes list It is a route created based on the network learned through the phase 2 selector. Used when net device is disabled and tunnel search is set to next hop

Command to display current IPSec SA info for all active tunnels

Diagnose vpn tunnel list

Command to list VPN tunnels, and mapping between each remote subnet and phase 1 index to route traffic properly

Diagnose vpn tunnel list [name] <tunnel name>

Command to display SA information for a specific tunnel Name DOD Anti replay info SA info Hardware offload info

Diagnose vpn tunnel list name < tunnel name>

Command to list the contents of the fortiguard web filtering cache. For each URL the output lists it's rating by domain name and IP address. Wan

Diagnose webfilter fortiguard cache dump

Command to list error counters and other stats related to web filtering: Request timeouts Total requests Requests to fortiguard servers Allowed Blocked Logged Counters for web filtering cache

Diagnose webfilter fortiguard statistics list

What do OSPF routers use to determine the best route to each destination (algorithm that determines cost)

Dijkstras

There are no _____ reads and writes made too hard discs or flash discs. Each one is done through a ____ held in memory called the ______

Direct Cache System IO cache

How the the kernel access the ENTIRE memory

Directly

Three flags for packets

Dirty May_dirty Block

Tips in memory optimization (6)

Disable features not required Reduce the maximum file size to inspect (default 10mb) Reduce the fortiguard cache TTL (3600 web 1800 anti spam) Reduce DNS cache (1800) Reduce session TTL (TCP 3600, UDP 180, fw policy 3600, app control, per protocol/port ) Reduce TCP session timers (half close 120, halfopen 10, timewait 1)

Is net-device default enable or disabled

Disabled

By default what is Av-session-failopen set to and what will this do to new sessions in conserve mode if kept default

Disabled If disabled when fortigate enters conserve mode fortigate will block NEW sessions

Debug 0

Disabled no output

DEFW

Distributed enterprise firewall Extension of the enterprise network VPN dependent (connects to Corp HQ using vpn) 1Gbps throughput Security for smaller location and branch offices All-in-one security (firewall, app control, vpn, ips, AV)

What are the option types divided and how many categories for IPS signature

Divided into four categories based on their purpose

How to calculate memory allocated to each kernel slab (2) involves math

Do command diag hardware sysinfo slab Multiple available objects in slab (num_objects) by the size (objsize) in

IPSec tunnel is up but not passing traffic

Do debug flow and see if a peer is dropping packets or routing incorrectly. Packets may not match quick mode selectors

IPSec tunnel is not coming up

Do real time debug And look for error messages

IPSec tunnel is unstable

Do real-time debug and look for lost DPD packets indicated it is an ISP issue

What are some security inspections performed on a packet in the life of the packet and why does it perform security inspections so early on in the processing

DoS checking, RPF checking, and IP integer header checking and it does this so the fortigate can make sure the packets are within acceptable parameters before allowing the packet to move through the rest of the processes

What does command execute router clear BGP all soft do

Does a soft reset between BGP peers and forces them to exchange their complete BGP routing tables

By default fortigate BGP ______ advertise prefixes

Does not

Some downsides of SSL certificate inspection

Does not inspect encrypted traffic If browser does not support SNI and fortigate obtains an incorrect FQDN from the CN the wrong filtering could be applied It only works with web filtering and SOME app control signature.

What are application layer test commands for

Don't display information in real time but show statistics and config information about a feature or process. Can also be used to restart a process or execute a change in operation

What filters are available for the command diagnose sys session filter ?

Dport Dst Policy id Sport Src

Why should two or more HA clusters in the Same lan segment (broadcast domain) use different HA group ids

Due to the formula used in creating the virtual mac addresses 00:09:0f:09:group_id:(vluster_id+interface_id) The same group ID will create a virtual mac conflict

What two forms can BGP be configured as and what are each

EBGP - advertises routing updates across multiple ASs IBGP - advertises routing updates within the same AS

What does this command do Config system settings Set auxiliary-session enabled

ECMP traffic is accelerated to the NP6 processor. The kernel will create two sessions will created in case of a route change. The main session and auxiliary sessions.

What is listed and How to read the output from the command diagnose webfilter fortiguard cache dump (see pic)

Each URL the output lists it's rating by domain name and IP address. Rating by domain name is the first two differs of the first number from left to right. The rating by IP address is the first two digits of the second number. Both represented in hexadecimal

When is an entry in the crashlog generated and what does the entry contain

Each time an application or process crashes or closes. When an app crashes the entry contains the name of the app, the time it crashed, and the termination signal

Since fortigate BGP does not advertise prefixes by default, what two things can you configure to advertise

Either redistribution of routes or use the network command to configure the exact prefixes you want to advertise Command Config router bgp Config network Edit <> Set prefix <prefix>

Debug -1

Enable all possible messaging types

During the evaluation stage of IPS deployment what is a good way to start the initial configuration

Enable one group of signatures at a time and start with the ones that have more priority Analyze the logs and tune the IPS or enable another group Monitor the network for one to two weeks

Config firewall ssl-ssh-profile Edit <profile name> Config http Set SNI-server-cert-check enable What does enable do

Enable: default if the SNI does not match the CN or SAN fields in the returned servers certificate, fortigate uses the cn field instead of the SNI to obtain the FQDN

What is advanced IPS acceleration Config IPS global Set cp-accel-mode advanced

Enabled enhanced acceleration which can offload more types of signatures than basic mode

What proxy tasks do the content processors accelerate

Encryption/decryption and antivirus

Name some security checks under SF ratinf

Enforcing password security Applying recommended login attempt thresholds Encouraging 2FA

ESP

Ensures data integrity and encryption

Fortimanager header and footer policy packages

Envelope each ADOMs policies

When does the fortigate reach out to fortiguard for the pull method

Every two house to check and download any new version of the AV or IPS databases and engines using port 443

Command to abort configuration changes made in workspace mode so that no changes are made to the current configuration

Execute config-transaction abort

Command to commit configuration changes made in workspace mode so that the changes are available for all other processes in the kernel

Execute config-transaction commit

Command to start workspace mode

Execute config-transaction start

Command to list index numbers for each member in HA cluster Command to connect to a secondary CLI from the primary CLI

Execute ha manage ? <id > <0 or 1> subsidiary unit Exec ha manage <index> <admin username>

Command to restart a BGP session between two peers and force them to establish BGP peering again

Execute router clear BGP <option> <in | in prefix-filter | out> All As Ip Etc

Command to restart OSPF process

Execute router clear ospf process

What is Xauth for IPSec and what phase is it

Extended authentication can be used as additional level of authentication. When used one side just provide credentials (user and pass) in order to authenticate. It happens after phase 1 and before phase 2 phase 1.5

EGP

Exterior Gateway Protocol; protocol for communication between Autonomous Systems.

What does the secondary try to sync with the primary first, when it joins an HA cluster What does it sync second Where would you see this communication

External files which include the fortiguard database and digital certificates After it syncs the configuration If you console into the secondary console port when it joins HA cluster

What three memory thresholds can you configure in the CLI for conserved mode

Extreme - when fortigate starts dropping new sessions Red - when fortigate enters conserve mode Green - when fortigate exits conserved mode

What is configuration sync for SF

FAZ And fmg config on the root fortigate will be pushed down to the other fortigates

What protocol does fortigate use for HA communication and where does it travel

FGCP fortigate clustering protocol and travels among the clustered fortigates over the links designated as heartbeat interfaces

How is CLI scripting run from fortigate to fortimanager ...via? What about TCL?

FGFM tunnel TCL runs over SSH

What compliance policies are used for the SF rating (2)

FSBP or PCI compliance

What are some endpoint/identity external connectors

FSSO agent on windows ad Symantec endpoint protection Poll active directory server RADIUS single sign on Exchange server

Two protocols that require a session helper in a NAT environment

FTP and SIP Also PPTP, H323, RSH

True or false. Rip supports VRFs

False

True or false. Session sync is enabled across HA members by default

False it's disabled by default

True or false SF is required to use stitches

False, not required. But you can use stitches to detect events from any source in the SF and apply actions to any destination

True or false. Fortigate decrypts traffic when the SSL certificate inspection profile is applied

False. Ssl certification inspection fortigate won't encrypt or decrypt

Two RPF check modes (which is default)

Feasible path (was called loose) and strict Feasible is the default

Scanunitd

File scanning process

What can you do to optimize IPS configuration

Fine tune it. Create profiles specific for the type of traffic being inspected. You don't need Solaris and Linux profiles for traffic to/from windows machine

Aside from the IPSec config what else is required to allowed IPSec traffic to flow from spoke to hub, hub to spoke, and spoke through hub to spoke

Firewall policy

Are policies using proxy based inspection profiles offloaded?

Firewall sessions that include proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU

Explain the routing table (pic)

First column shows route source Second shows destination network [x/y] X shows distance and y shows metric

Describe the logic of the routing modules and which the fortigate check it's routes against first (pic)

First fortigate checks the policy routes, if traffic matches a policy route and the action is forward traffic then the fgt will route packets according to the policy route. If action is stop policy routing the fgt will check the next table Next the fgt will check the route cache. If there is a route it will route packets and if not it will move on to next Finally fortigate searches the FIB (forwarding information base) which is generated by the routing process and is the table used for packet forwarding.

What custom IPS signature keyword options can only be used once

Flow Service

Is IPS flow based or proxy based

Flow only

Why do the clients in a cluster communicate with the RR and who does the RR communicate with

For routing updates The RR communicates with other RRs and BRs

Why does net device need to be enabled on the spokes when doing ADVPN

For the creation of the on demand tunnels between spokes

If checksums in the debugzone and checksum zones do not match what can you do and how

Force a recalculate with command Diagnose sys ha checksum recalculate [vdom name | global]

What consolidated OS does the fortinet solution offer

FortiOS

What is gateway revalidation and what three scenarios does it apply to

FortiOS can switch to a different phase 1 if it initially selected the wrong one Ikev1 with certificate authentication Ikev2 with preshared authentication Ikev2 with certificate authentication

What does the root fortigate use to send topology info about the SF to fortianalzyer

Fortianalyzer API

How does fortigate learn about remote networks up net-device is disabled and tunnel-selector is set to next hop

Fortigate DOES NOT use quick mode selectors to Learn about remote networks and will use a dynamic routing protocol configured to run over the IPSec tunnels It used the dynamic routing protocol in combination with the remote IPs learned through IKE messages

How does full ssl inspection work

Fortigate acts as a man in the middle proxy It maintains two separate ssl sessions- client to fortigate and fortigate to server The fortigate encrypts and decrypts packets using it's own keys which is how it can fully inspect all data inside the encrypted packets

Strict RPF mode and example (pic)

Fortigate checks that the best route to the source IP address is through the incoming interface. Route not only has to be active but has to be the best.

Web filter order of inspection (4)

Fortigate checks: the static URL filter list Then Fortiguard categories Then web content filtering lists Final executes advanced options such as manipulation of HTTP headers

How does fortiguard web filtering and anti spam work (steps) (6)

Fortigate contacts the DNS server to resolve the fortiguard service name with a DNS A record lookup (4 different) Fortigate gets a list of IPs for server (2-3) that can be contacted to validate the fortiguard license Fortigate contacts one of those servers to check the license and obtains a list of servers that can be used to submit web filtering and anti spam rating queries Fortigate gets the list of server Fortigate starts sending rating queries to one of the servers in the list (it chooses server certain way) If the chosen server does not reply in two seconds it will contact the next server on the list

Fortiguard AV/IPS push method (4)

Fortigate contacts the DNS server to resolve the name by submitting a DNS A record lookup for update.fortiguard.net Fortigate gets a list of server IPs that can be contacted Fortigate registers it's public IP address in fortiguard Fortiguard notifies fortigate every time there are new updates and fortigate will proceed to download the updates.

Fortiguard AV/IPS pull method (4)

Fortigate contacts the DNS server to resolve the name by submitting a DNS A record lookup for update.fortiguard.net Fortigate gets a list of server IPs that can be contacted Fortigate periodically connects to one of the servers to check for pending updates If there is an update fortigate downloads the update

What happens if net-device is disabled for phase 1 interface config

Fortigate creates a single interface for all dial up clients and the set tunnel-search determines how fortigate learns networks behind each remote client

What is created automatically when an automation stitch is triggered

Fortigate creates an event log in Log & report > system events

What must you specify when configuring an automation stitch (4)

Fortigate device Trigger Action Minimum interval

Config firewall ssl-ssh-profile Edit <profile name> Config http Set SNI-server-cert-check disable What does disable do

Fortigate does not check the SNI

When is a session flagged as may_dirty

Fortigate evaluates if traffic should or should not be allowed on the first packet based on the firewall policies , If the first packet is allowed by the firewall policy the fortigate creates a session and the session is flagged (may_dirty)

Steps on how the fortiguard weight calculation (how fortigate selects server to send rating request to)

Fortigate initially uses the delta (basically the difference ie +4) between the servers time zone and the fortigates system time zone multiplied by 10 This is the servers initial weight and the weight is not allowed to drop below the initial weight to prevent possibility of using a remote server Weight goes up with each packet lost Weight goes down overtime if no packets are lost Fortigate uses the server with the lowest weight as the one for the rating queries If two or more server have the same weight the one with the lowest RTT round trip delay Is used

How does SSL certificate inspection work by default

Fortigate inspects the initial unencrypted SSL handshake. If the SNI (server name indication) field exists in the client certificate, fortigate uses it to obtain the FQDN to rate the site. If the SNI isn't present, fortigate retrieves the FQDN from the CN and SAN fields of the servers certificate. If the domain in the SNI field does not match the domains listed in the Server certificate field it will use the CN field

What does fortigate inspect in SSL certificate inspection

Fortigate inspects the unencrypted SSL handshake

If a failover happens in HA cluster what is the best tool to get information about the failover

Fortigate logs (should be on secondary if primary failed)

What does fortigate do when Av-session-failopen is enabled

Fortigate will apply the action configured in Av-failopen

How is the IPS signature database updated

Fortiguard

What data is used to provide customer ratings for SF security rating

Fortiguard

Where to see the list of all managed fortigate devices, their last update time, and their statuses in fortimanager. What are the five possible statuses and what each mean. Up to Date Never Updated Pending Problem Unknown

Fortiguard > Package management > service status 1) latest package has been received by fortigate 2) the device has never requested or received the package 3) the fortigate device has an older version of the package for an acceptable reason (pending scheduled update) 4) the fortigate device missed the scheduled query or did not correctly receive the latest package 5) the fortigate device status is not currently known

Where in the GUI in fortimanager can you see the status of fortiguard licensing for all fortigate devices

Fortiguard > licensing status

Where are the antivirus and IPs signature packages manager in fortimanager GUI

Fortiguard > package management

Where can you change the version of an AV or IPS package to be deployed to a fortigate in fortimanager

Fortiguard > package management

Where can you see the databases revived from fortiguard to the fortimanager for the rating services

Fortiguard > query server management > receive status

What are some threat feed external connectors

Fortiguard category IP address Domain name Malware hash

FDN and what it does. What does it provide updates and rating services for (10)

Fortiguard distribution network provides fortiguard servers for your fortimanager system and it's managed fortigate devices and forticlient agents. It provides updates and rating services for: Antivirus IPS Web filtering Anti spam Application control Vulnerability scanning Ip reputation Web security Database security Geographic ip addresses

See pic. Where were the networks advertised over the vpn tunnels configured on

Fortimanager

Single pane of glass management through which solution

Fortimanager

What does fortinet recommend for centralized management of fortigate devices and access devices in the SF

Fortimanager

Route priority

Fortinet proprietary feature specific to static routes

What protocol must be enabled bidirectionally on all fortigates in the security fabric

Fortitelemetry

How many data channels does SIP use

Four data channels Two for each traffic direction are required for each call

Fssod

Fsso process

Three types of fortimanager vpn manager vpn communities

Full mesh Star Dial up

Tips for creating custom signatures (4)

Gather as many samples of traffic as possible Protocol related patterns are obvious Identify payload related patterns in captures Use payload related and special options to ensure the lease number of false positive or negative matched

What is the FIB

Generated by the routing table and is used for packet forwarding. Routing table purpose is management and the FIBs purpose is forwarding.

Command to show detailed information about each BGP neighbor including peer IP, peer router ID, remote AS, BGP state, timers, message counters. Also shows number of prefixes announced and accepted

Get router info BGP neighbors

Command to display the routes advertised by a neighbor

Get router info BGP neighbors <route advertised by neighbor> route

Command to see local router ID, BGP table version, remote networks learned by BGP and next hops

Get router info BGP network

Command to get overview of BGP status and the status of all of it's neighbors. Shows local router ID and AS, for neighbors: AS, packet counters and up time

Get router info BGP summary

Command to provide a summary of all the LSDB entries on fortigate ordered by LSAs Shows router with ID, area, router link states (type 1 LSA), network link states (Type 2 LSA), AS external link (type 5 LSAs)

Get router info OSPF database brief

Command to show details about OSPF LSA type 1 Shows LS age Flags Ls type Advertising router Number of links Shows DR address and router interface address

Get router info OSPF database router LSA

Command that shows self originating LSAs on the fortigate

Get router info OSPF database self-originate

Command to display OSPF information about each interface details include: Network type Router id if it is DR and BDR Dr and BDR IP address Number of adjacencies and traffic stats Timers

Get router info OSPF interface

Command to show the summary of the statuses of all the OSPF neighbors. Displays the adjacency stats and if it is a DR, BDR, or drother

Get router info OSPF neighbor

Command to get details about the prefixes the local router is advertising. Also has status codes associated with a routing entry. For each prefix it displays the next hop ip, local preference, weight, AS path

Get router info bgp neighbors <advertised prefix by local fortigate> advertise

Command that shows the FIB

Get router info kernel

Command to check FIB

Get router info kernel

Command to provide detailed information about the OSPF process such as routing process, area, timers, adjacent neighbor count, LSAs, checksum etc

Get router info ospf status

Command to show all active route in the routing table (Installed routes in the RIB)

Get router info routing-table all

Commands to check routing table

Get router info routing-table all

What command is equivalent of the routing monitor

Get router info routing-table all

Command to display both installed (active) and non-installed (inactive) routes

Get router info routing-table database

Command to display: Ha health status Cluster uptime Criteria used to select the master unit Override status Status of the monitored interfaces Status of the ha ping servers

Get sys ha status

List the session table and what info does it contain (5)

Get sys session list Protocol Source IP Destination IP Port Expiration

How many sessions are in the current vdom? Command

Get sys session status

How to make sure web filtering isn't globally disabled

Get system fortiguard Webfilter-force-off: disable (default and means it's enabled globally)

Command to see resource usage including overall memory and CPU use, session creation rate, number of viruses caught, number of attacks blocked by IPS, sys uptime and quick view on how much traffic the device is handling

Get system performance status

Command to show firmware version, FGDB version, license status, operation mode, num VDOMs, system time, etc. should be first command in troubleshooting

Get system status

Command to provide global overall counters related to all VPNs currently active Number of tunnels currently active Selectors

Get vpn IPSec stats tunnel

Command to view detailed information for active IPSEC tunnels Phase 1 details Quick mode selectors Tunnel MTU Phase 2 SAs for each directions Hardware acceleration

Get vpn IPSec tunnel details

Command to provide summary info about IPSec VPN tunnel (2) Name Ip Selectors Rx/tx Name Remote gateway Quick mode selectors Status Timeout

Get vpn IPSec tunnel summary Get IPSec tunnel list

CLI command to check web filter categories and numerical values

Get webfilter categories

You just changed fortiguard contact and do not see change on fortigate

Give it 2-24 hours for the change to sync on all of the fortiguard servers

Three fortimanager management layers and what are some things included in each layer

Global ADOM layer (Global objects, all header and footer policies) ADOM layer (Common object database, devices, device groups, policy packages) Device manager layer (Name and type of managed devices, their IP addresses, revision history and real time status, firmware version, etc)

What level is session handling configured at

Global unless the check-policy-option setting is enabled then it is configured at policy level too

Four places where you can reduce session TTL

Globally for all traffic On IP protocol and port basis Each firewall policy Application control profile

After a failover how does the new primary notify the network that the virtual MAC is available through a new switch port

Gratuitous arp

What utility can you use with the command get sys session list to filter for specific IP

Grep

What protocols does the UTM proxy handle (6)

HTTP, SMTP, POP3, IMAP, FTP, and NNTP

What website lets you test webfilter/fullssl/certssl on web categories

HTTPS://fortiguard.com/webfilter/categories

Hatalk, hasync

Ha protocol and sync process

tcp-halfclose-timer tcp-halfopen-timer tcp-timewait-timer

Halfclose- controls for how long after a FIN packet a session without FIN/ACK remains in the table Halfopen- controls for how long after a SYN packet a session without a SYN/ACK remains Timewait- controls for how long after a FIN/Ack a session remains in a table. A closed session remains in the session table for a few seconds more to allow any out-of-sequence packets

Ipshelper daemon

Handles actions whose results can be shared by different daemons to reduce load

Syntax of custom IPS signatures

Header Option Value Header = F-SBID Option = starts with "—" and keyword/parameter (case insensitive) Value = value of parameter to match signature (case sensitive) Enclosed in parentheses

Fortimanager management module (pic) top down (software architecture)

Header and footer policies are part of the global object database and envelope each ADOMs policies Objects and policies in each ADOM share a common object database and policy folders. You can create, import from and install policy packages on many devices at once In the device manager layer you can configure and install device settings for each device. Fortimanager compares the current device config with what is stored in the device database and creates new revision automatically in fortimanager if the change is made on the fortigate. Managed devices communicate through import and retrieves to fortimanager

What is FGCP responsible for (5)

Heartbeats Discover other fortigates in same HA group Elect the primary Synchronize data Detect when a unit daily

If net-device is disabled what does the tunnel-search option selector do

Help fortigate determine what networks are behind each remote client If tunnel-search is set to selectors, fortigate uses the destination subjects of the quick mode selectors to populate the routing table with info about remote networks

What are route reflectors RR

Help reduce the number of IBGP sessions inside an AS. A RR forwards the routes learned from one peer to the other peers. If you configure RRs you don't need to create full mesh IBGP network. RRs pass the routing updates to other RRs and border routers within the AS

Besides session syncing what else can cause heartbeat issues for HA (1)

High CPU

How is a designated router in OSPF network elected (2)

Highest router priority wins Highest router ID wins

Diag debug flow trace start <number>

How many debug messages to show

What is the fortiguard weigh calculation

How the fortigate selects the server to send the rating requests to

How can you verify which category a specific website belongs to

Http://fortiguard.com/webfilter

How to use the webfilter category numerical values to see if a category is blocked or allowed

Http://wfurltest.com.fortiguard.com/wftest/<wf_category_id_here>.html

What is the base topology of ADVPN

Hub and spoke

The output of diagnose debug rating shows flags besides some servers what do the flags mean? I D S T F

I = initial Server contacted to request contact information and updates D = default IPs dresses of servers received from DNS resolution service.fortiguard.net S = serving Ip addresses of servers received from fortimanager T = timing Actively timing this connection Server remains in this state for 15 seconds (default) before being considered as failed F = failed Server connection failed Fortigate pings every 15 minutes to check if server has come back

What type of BGP is being used: Config router bgp Set ad 65100 Set router-ID 172.16.1.3 Config neighbor Edit "17.16.1.1" Set remote-as 65100 Next End Config network Edit 1 Set prefix 10.1.0.0 255.255.255.0 Next End End

IBGP because local AS and remote AS is the same

Protocol 1

ICMP

What protocol in IPSec negotiates the private keys authentications and encryptions (SAs)

IKE

Two most used protocols in IPsec

IKE ESP

What three modes does fortigate support for automatically configuring IP settings of IPSec clients

IKE mode config DHCO over IPSec L2TP over ipsec

Level 1-6 sniffer verbosity and 4 viewable options

IP headers IP payload Ethernet headers Port names

What handles flow based inspection (AV engine handles proxy based inspection )

IPS engine handles flow based inspection

What is IPS fail-open

IPS fail open governs fortigate behavior for flow based inspection while in conserve mode

What is a cause of frequent IPS fail open events

IPS is not able to keep up with traffic demands

Iked

IPSec process

Ike routes and how to display them

IPSec routes learned from the traffic selectors of the IPSec SA negotiation. Diagnose vpn Ike routes list

What does command do Config IPs global Set intelligent-mode disable

IPs engine scan every byte in every session

DPD packets being lost shown in real time debug

ISP issues

What is the 3 common causes for most issues related to fortiguard web filtering and antispam and how can you resolve

ISPs Some ISPs block traffic on port 53 that is not DNS or that contains large packets. In that case the solution is to switch fortiguard traffic from 53 to 8888 If ISP or upstream firewall blocks 8888 use 53 Or ISP will block traffic based on source ports. Changing the source port range with command: Config sys global Set ip-src-port-range 1031-4999 End

BGP connection states (6)

Idle: initial state Connect: waiting for successful three way handshake Active: unable to establish the TCP session Opensent: waiting for an OPEN message from the peer OpenConfirm: Waiting for the keepalive message from the peer Established: peers have successfully exchanged OPEN and keepalive messages

Under the phase 1 interface config for IPSec what does command net-device enable do for dial up responsers

If enabled fortigate creates separate virtual interfaces for each dial up client It uses the destination subnets in the quick mode selector and names the tunnel based on phase1name_index

Describe the behavior based on this command: Config IPS global Set fail-open enable

If fortigate goes into conserve mode and the policy is using UTM with flow based inspection mode then the IPS engine will not perform any scan and will allow new packets

Crashlog entries are normal. When would a crashlog entry be considered suspicious (example?)

If it happens at the same time as a failure in a fortigate feature or abnormal behavior of the fortigate For example, a crashlog entry that is generated when the device unexpectedly restart might provide information about the cause. OR ie: a crash in the SSLVPNd when all ssl user disconnect.

When is an IO cache page labeled as active and when is it labeled as inactive

If it has been recently used or modified Enters the inactive state after it has not been used for sometime

Why would a route be listed in the routing database and not the RIB besides being inactive example

If it is not the best route. Such as if there is another route with a lower distance or if there's two default routes one static and one BGP the static would be put into the RIB

Config firewall ssl-ssh-profile Edit <profile name> Config http Set SNI-server-cert-check strict What does strict do

If the SNI does not match the CN or SAN fields in the returned servers certificate, fortigate closes the connection

When is advanced mode available for the CP chips

If the fortigate model has two or more CP8s or one or more CP9

When would a firewall session flagged as may_dirty be also flagged as dirty (2 flags) when would the second flag be removed in this instance

If there is a change in the policy configuration and sessions need to be reevaluated against the policy change, the dirty flag is added. If the session is still allowed the dirty flag is removed and may_dirty is kept

What exception is there to the two route lookups performed on a session (originator and responder)

If there is a route change routing information is flushed from the affected entries in the session table and a new route lookup is performed to repopulate the session table

When should you disable add-route for IPSec interface config

If you are using a dynamic routing protocol over IPSec and do not want fortigate to automatically add routes

How can you tell from a debug flow if proxy based inspection is being used

If you see the msg="send to application layer" in the debug flow what kind of inspection is being used

When should you turn off add-route for IPSec config

If your configuring IPSec with a dynamic routing protocol (or ADVPN)

What daemon handles IPSec connections

Ike daemon

What is a Link state update

In OSPF link state updates are sent to and from OSPF routers to share LSAs. It consists of a OSPF headers and string of LSAs. The LSAs are then used to populate the LSDB

Where are workspace mode changes made

In a local CLI process not viewable by other processes

If a fortigate has multiple dial up VPNs, using preshared keys, and sharing the same local gateway, proposal, and DH group how much one of the tunnels be configured or else what would happen?

In aggressive mode with different peers ID If not then the second tunnel would never be matched

Is it normal to see multiple instances of the ipsengine daemon running

In some fortigate models

When are security audit running

In the background when an admin is logged into GUI

Where can IPS fail open event details be seen and what is the command to see if

In the crash log Diagnose debug crashlog read

What are the NPU_flags for IPSec SAs? Npu_flag= 00 Npu_flag= 01 Npu_flag= 02 Npu_flag= 03 Npu_flag= 20

Indicates offloading status in diagnose vpn tunnel list command and session table Npu_flag= 00 both IPSec SAs loads to kernel Npu_flag= 01 outbound IPSec copied to NPU Npu_flag= 02 inbound IPSec copied to NPU Npu_flag= 03 outbound and inbound IPSec SA copies to NPU Npu_flag= 20 unsupported cipher or HMAC cannot be offloaded

Describe life of a packet for a FGT without network processor

Ingress All packets accepted by a FortiGate pass through a network interface and are processed by the TCP/IP stack. Then if DoS policies have been configured the packet must pass through these as well as automatic IP integrity header checking. DoS scans are handled very early in the life of the packet to determine whether the traffic is valid or is part of a DoS attack. The DoS module inspects all traffic flows but only tracks packets that can be used for DoS attacks (for example, TCP SYN packets), to ensure they are within the permitted parameters. Suspected DoS attacks are blocked, other packets are allowed. IP integrity header checking reads the packet headers to verify if the packet is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification that is done at this step to ensure that the protocol header is the correct length. If it is, the packet is allowed to carry on to the next step. If not, the packet is dropped. Incoming IPsec packets that match configured IPsec tunnels on the FortiGate are decrypted after header checking is done. If the packet is an IPsec packet, the IPsec engine attempts to decrypt it. If the IPsec engine can apply the correct encryption keys and decrypt the packet, the unencrypted packet is sent to the next step. Non-IPsec traffic and IPsec traffic that cannot be decrypted passes on to the next step without being affected. IPsec VPN decryption is offloaded to and accelerated by CP8 or CP9 processors. Admission control Admission control checks to make sure the packet is not from a source or headed to a destination on the quarantine list. If configured admission control then imposes FortiTelemetry protection that requires a device to have FortiClient installed before allowing packets from it. Admission control can also impose captive portal authentication on ingress traffic. Kernel Once a packet makes it through all of the ingress steps, the FortiOS kernel performs the following checks to determine what happens to the packet next. Destination NAT Destination NAT checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the internet that is going to be directed to a server on a network behind the FortiGate. DNAT means the actual address of the internal network is hidden from the internet. This step determines whether a route to the destination address actually exists. DNAT must take place before routing so that the FortiGate can route packets to the correct destination. Routing (including SD-WAN) Routing uses the routing table to determine the interface to be used by the packet as it leaves the FortiGate. Routing also distinguishes between local traffic and forwarded traffic. Firewall policies are matched with packets depending on the source and destination interface used by the packet. The source interface is known when the packet is received and the destination interface is determined by routing. SD-WAN is a special application of routing that provides route selection, load balancing, and failover among two or more routes. SD-WAN also supports using the Internet Services Database (ISDB) and Application Control to select a route in the following way: SD-WAN uses Application Control to compare the first packet of a new session against the layer 4 ISDB. If Application Control can identify the new session as a known application, SD-WAN is applied to the session according to the matching SD-WAN rule. SD-WAN then routes all of the packets in the session according to the selected SD-WAN rule. If Application Control cannot match a new session with an application in the layer 4 ISDB, the implicit SD-WAN rule is applied to the session. As the session is being processed by the implicit SD-WAN rule, layer 7 Application Control attempts to identify the application. If the application can be identified, the ISDB is extended by adding a layer 4 match record for the application to the ISDB cache. New sessions can then be matched and routed by SD-WAN using both the ISDB and the ISDB cache. Stateful inspection/policy lookup/session management Stateful inspection looks at the first packet of a session and looks in the policy table to make a security decision about the entire session. Stateful inspection looks at packet TCP SYN and FIN flags to identity the start and end of a session, the source/destination IP, source/destination port and protocol. Other checks are also performed on the packet payload and sequence numbers to verify it as a valid session and that the data is not corrupted or poorly formed. When the first packet of a session is matched in the policy table, stateful inspection adds information about the session to its session table. So when subsequent packets are received for the same session, stateful inspection can determine how to handle them by looking them up in the session table (which is more efficient than looking them up in the policy table). Stateful inspection makes the decision to drop or allow a session and apply security features to it based on what is found in the first packet of the session. Then all subsequent packets in the same session are processed in the same way. When the final packet in the session is processed, the session is removed from the session table. Stateful inspection also has a session idle timeout that removes sessions from the session table that have been idle for the length of the timeout. See the Stateful Firewall Wikipedia article (https://en.wikipedia.org/wiki/Stateful_firewall) for an excellent description of stateful inspection. Session helpers Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall. FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall. FortiOS includes the following session helpers: PPTP H323 RAS TNS TFTP RTSP FTP MMS PMAP SIP DNS-UDP RSH DCERPC MGCP User authentication User authentication added to security policies is handled by the stateful inspection, which is why Firewall authentication is based on IP address. Authentication takes place after policy lookup selects a policy that includes authentication. Device identification Device identification is applied if required by the matching policy. SSL VPN Local SSL VPN traffic is treated like special management traffic as determined by the SSL VPN destination port. Packets are decrypted and are routed to an SSL VPN interface. Policy lookup is then used to control how packets are forwarded to their destination outside the FortiGate. SSL encryption and decryption is offloaded to and accelerated by CP8 or CP9 processors. Local management traffic Local management traffic terminates at a FortiGate interface. This can be any FortiGate interface including dedicated management interfaces. In multiple VDOM mode local management traffic terminates at the management interface. In transparent mode, local management traffic terminates at the management IP address. Local management traffic includes administrative access, some routing protocol communication, central management from FortiManager, communication with the FortiGuard network and so on. Management traffic is allowed or blocked according to the Local In Policy list which lists all management protocols and their access control settings. You configure local management access indirectly by configuring administrative access and so on. Management traffic is processed by applications such as the web server which displays the FortiOS GUI, the SSH server for the CLI or the FortiGuard server to handle local FortiGuard database updates or FortiGuard Web Filtering URL lookups. Local management traffic is not involved in subsequent stateful inspection steps. SSL VPN traffic terminates at a FortiGate interface similar to local management traffic. However, SSL VPN traffic uses a different destination port number than administrative HTTPS traffic and can thus be detected and handled differently. UTM/NGFW If the policy matching the packet includes security profiles, then the packet is subject to Unified Threat Management (UTM)/Next Generation Firewall (NGFW) processing. UTM/NGFW processing depends on the inspection mode of the security policy: Flow-based (single pass architecture) or proxy-based. Proxy-based processing can include explicit or transparent web proxy traffic. Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors. Single pass flow-based UTM/NGFW inspection identifies and blocks security threats in real time as they are identified using single-pass Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats. Packets are then subject to botnet checking to make sure they are not destined for known botnet addresses. Proxy-based UTM/NGFW inspection can apply both flow-based and proxy-based inspection. Packets initially encounter the IPS engine, which can apply single-pass flow-based IPS and Application Control (as configured). The packets are then sent to the proxy for proxy-based inspection. Proxy-based inspection can apply VoIP inspection, DLP, Email Filter (Anti-Spam), Web Filtering, Antivirus, and ICAP. Explicit web proxy inspection is similar to proxy based inspection. CP9 content processors Most FortiGate models contain Security Processing Unit (SPU) Content Processors (CPs) that accelerate many common resource intensive security related processes. CPs work at the system level with tasks being offloaded to them as determined by the main CPU. Capabilities of the CPs vary by model. Newer FortiGate units include CP9 processors. Older CP versions still in use in currently operating FortiGate models include the CP4, CP5, CP6, and CP8. CP9 capabilities The CP9 content processor provides the following services: Flow-based inspection (IPS, application control etc.) pattern matching acceleration with over 10Gbps throughput IPS pre-scan IPS signature correlation Full match processors High performance VPN bulk data engine IPsec and SSL/TLS protocol processor DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197 MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180 HMAC in accordance with RFC2104/2403/2404 and FIPS198 ESN mode GCM support for NSA "Suite B" (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256 Key Exchange Processor that supports high performance IKE and RSA computation Public key exponentiation engine with hardware CRT support Primary checking for RSA key generation Handshake accelerator with automatic key material generation True Random Number generator Elliptic Curve support for NSA "Suite B" Sub public key engine (PKCE) to support up to 4096 bit operation directly (4k for DH and 8k for RSA with CRT) DLP fingerprint support TTTD (Two-Thresholds-Two-Divisors) content chunking Two thresholds and two divisors are configurable Kernel Traffic is now in the process of exiting the FortiGate. The kernel uses the routing table to forward the packet out the correct exit interface. The kernel also checks the NAT table and determines if the source IP address for outgoing traffic must be changed using SNAT. SNAT is typically applied to traffic from an internal network heading out to the internet. SNAT means the actual address of the internal network is hidden from the internet. Egress Before exiting the FortiGate, outgoing packets that are entering an IPsec VPN tunnel are encrypted and encapsulated. IPsec VPN encryption is offloaded to and accelerated by CP8 or CP9 processors. Traffic shaping is then imposed, if configured, followed by WAN Optimization. The packet is then processed by the TCP/IP stack and exits out the egress interface. Ingress packet flow Network Interface TCP/IP stack DoS Policy IP integrity header checking IPsec VPN decryption Admission Control Quarantine FortiTelemetry User Authentication Kernel Destination NAT Routing (including SD-WAN) Stateful inspection/Policy Lookup/Session management Session Helpers User Authentication Device Identification SSL VPN Local Management Traffic UTM/NGFW Flow-based inspection NTurbo IPSA Botnet check Proxy-based inspection Explicit Web Proxy Kernel Forwarding Source NAT (SNAT) Egress packet flow IPsec VPN Encryption Traffic shaping WAN Optimization TCP/IP stack Network Interface

What features can be disabled for wan optimization.

Inspection of specific protocols (HTTP, FTP, SMTP, POP, IMAP) Logging to memory DHCP server some IPS signatures Also don't have the fortigate doing anti spam if you have fortimail

What triggers the VPN negotiation

Interesting traffic

4 OSPF router types and describe each

Internal router - All connected interfaces belong to same area 1 LSDB and OSPF tree Area border router (ABR) - A router with interfaces in multiple areas One LSDB and one OSPF tree Always connected to backbone Backbone router - Has at least one interface in the backbone area Autonomous system boundary router (ASBR) - redistributes non-OSPF routes into OSPF network

ISFW

Internal segmentation firewall Breach containment for attacks that come from inside zero trust network 1g-100gbs throughput Firewall, app control, web filtering, and IPS (sandbox inspection also) Placed in access layer These prevent propagation

What are contained in the suggested ISAKMP policies

Internet Security Association and Key Management Protocol Established the SA with: encryption keys Authentication algorithm IPSec protocol (ESP AH) DH

What port does ESP use with no Nat and with NAT

Ip protocol 50 UDP 4500 with NAT

Two IPS related daemons

Ipsengine Ipshelper

A BGP speaker/peer

Is a router that sends and receives BGP routing information

How to troubleshoot IPS false negatives (4)

Is database up to date Is traffic hitting correct policy or IPS profile Is IPS using high CPU or memory ? Is it crashing Is signature action set correctly

Which is more common: Issues with AV/IPS communication to fortiguard Or Issues with web filtering and anti spam communication to fortiguard

Issues with AV/IPS communication to fortiguard

What does fortigate do before it sends rating requests to fortiguard

It checks it's local cache because by default fortigate caches all the rating results it receives from fortiguard.

How does fortianalyzer generate topology vies and IoC

It combines info received from the root fortigate

Why is it important to disable real-time debugging after using it

It consumes fortigate resources and can be CPU intensive

If a session is blocked what is it flagged as and what happens to the session

It is flagged as "block" Session remains in memory until it expires but all subsequent packets and blocked

What is a crashdump message in the crashlog

It is generated through the console port when the device crashed They can provide useful information for fortinet developers to identify which code triggered the problem

What to do if packets are getting dropped by sniffer

It means that not all the traffic that matched the sniffer filter could be captures so you may need to capture the traffic again using a stricter filter

What if you see "full/-" for the state if you do command "get router info OSPF neighbor"

It means that the neighbor is in a point-to-point network

How does the root fortigate use fortitelemetry, where does it share what it learns, and how does it share it

It uses the network topology information collected from the other fortigates and forwards it to fortianalyzer used the fortianalyzer API

What happens if a custom IPS signature doesn't have a service keyword nor a port keyword

It will be added to all service trees including unknown

Why may you not want to sync sessions

It's bandwidth intensive and can interfere with heartbeat traffic and create delays in replies

When is a route shown inactive under get router info routing-table database (3)

It's gateway is detected dead by link monitor Interface is admin down Interface has a link down

Steps to troubleshooting a device that freezes

Keep a laptop connected to the console port If the model has multiple CPUs enable NMI watchdog which will crash the system (diagnose sys nmi/watchdog enable) After the device freezes, push the NMI button with the laptop connected to generate the crash dump (not all models have this)

If a fortigate model doesn't support console logging and you are experiencing unexpected restarts what can you do

Keep a laptop connected to the console port and wait until another crash happens to capture the crashdump

What is the heart of FortiOS and explain

Kernel

Five main purposes that fortigate allocates memory

Kernel memory slabs System I/O cache Buffers Shared memory Process memory

What is the IPS signature database used to detect (3)

Known exploits Network errors Anomalies

The topology information interchanged by OSPF peers is contains in____ which is then populated into the LSDB.

LSA link state advertisements.

Each OSPF router in the same area has identical databases called ______ and what do these databases contain

LSDB Link state database Contains network topology of entire OSPF area delivered in LSA from other OSPF routers

Typical virus size

Less than 1mb

OSPF is a ___ state protocol

Link

Each OSPF router in the same area has identical databases called ______ and what do these databases contain

Link state databases that contain the network topology generated by receiving LSAs

If you want to find the category name for a URL in the cache what commands do you use (2)

List the cache with Diagnose webfilter fortiguard cache dump Convert ID number from HEX to decimal Then use command Get webfilter categories To find the category name

MSG= Iprope_in_check() Func=fw_local_in_handler

Local in policy is blocking management traffic to fortigate

Which AS attributes are well known discretionary and what does that mean (2)

Local_pref Atomic_aggregate Well-known discretionary - attributes may or may not be included

In OSPF what routes do the OSPF routers advertise in the LSAs

Locally connected subnets

Common session flags (11) and what each mean Log Local Ndr Nds Br Npu Wccp Npd Redir Authed Auth

Log - session is being logged Local - session is to/from local stack Ndr - session will be checked by IPS signature Nds - session will be checked by IPS anomaly Br - session is being bridged (TP mode) Npu - session can be offloaded to NPU Wccp - web caching Npd - session cannot be offloaded to NPU Redir - session is being processed by an application layer proxy Authed - session was successfully authenticated Auth - session requires authentication

Where to view OSPF related router events in the GUI

Log and report > events > router events

What two places can you view logs for conserve mode and what will the message be

Log and report > events > system events Message- kernel enter memory conserve mode

Where to view BGP logging in GUI

Log and report > router events

Why is BGP more preferable over OSPF

Lower distance More control over which routes are advertised and accepted More scalable Easier to troubleshoot

After you deploy an IPS solution what is it important to do

MONITOR

What would you see if a local in policy was blocking in a debug flow

MSG= Iprope_in_check() Func=fw_local_in_handler

What is the system IO cache made of and what size

Made of pages 4K size of disk block 1K size

Ipsengine daemon

Main type that Handles inspection and detection tasks

How to eliminate false positives for IPS events (3)

Make changes to the source or destination Create exemption Adjust the thresholds (for rate base signatures)

How to verify if configs are synced on the same device and how to tell between cluster members with command diagnose sys ha checksum show

Make sure debugzone and checksum zone numbers match For members run the same command and compare the checksums

How can you eliminate the number of false positives for an IPS deployment

Make the list of signatures that you set to block small and precise. The list should include the attacks that are most dangerous to critical services

Two types of gateways for the fortimanager vpn manager and what are each

Managed gateway External gateway Managed are managed by fortimanager in the current ADOM Devices in a different ADOM if other vendor devices are external gateways

What vdom does fortiguard traffic originate from

Management vdom Root by default

In the session table what does the state flag redir mean (next to the may_dirty and dirty flags)

Means the traffic is inspected in proxy based mode

What does reducing session. TTL do

Memory opt Also fortigate will age out idle session quicker to increase available memory

Besides conserve mode what does kernel do to free up memory

Memory tension drops Kernel Delete oldest sessions

What is the conserve mode trigger based on

Memory use

Backbone area in OSPF

Minimum area in OSPF network Area ID 0.0.0.0 All areas must connect to the backbone

What do you need to configure for stitch so you don't receive repeat alert notification about the same event

Minimum interval

Diagnose test application _____ Options (12)

Mm17 Smtp Ftpd Pop3 Imap Nntp Forticldd Miglogd Urlfilter Ipsmonitor ips monitor Ipsengine IPs sensor Ipldbd (IP load balancing daemon)

What factors are contributing to a border less network

Mobile workforce Partners accessing your network services Public and private clouds Internet of things BYOD

What is vdom partitioning

Mode is active -passive You configure one cluster device as the primary for some VDOMs and you set the other cluster devices as the primary for the other VDOM. Traffic distribution is controlled by setting the primary for the different vdoms

How many options can be used with F-SBID (—KEYWORD VALUE;)

Multiple options can be used if separated by a colon F-SBID (—KEYWORD VALUE; —KEYWORD2 VALUE2;)

For a full mesh vpn config what is the formula to calculate the number of tunnels

N sites = N(N-1)/2

Describe fortinet send to end solution

NAC/Client/AUTH/EDR AP/Switch/Extender Fortigate Fortigate VM/FortiCWP WEB/mail/CASB/ADC Analyzer/Sandbox/SIEM/SOAR Manager/cloud

How many different Ethernet types does FGCP and what are the values for each

NAT/Route 0x8890 Transparent 0x8891 0x8893 for configuration sync

What are the two fortiSPUs

NP and CP

What chip offloads IPSec encryption and decryption

NPU

If you have all flow based UTM profiles what handles the packets (Minus exception)

NTURBO Does not handle three way hand shakes

Nturbo

NTurbo offloads firewall sessions that include flow-based security profiles to NP7 or NP6 network processors. Without NTurbo, or with NTurbo disabled, all firewall sessions that include flow-based security profiles are processed by the FortiGate CPU. NTurbo also offloads sessions that have interface or DoS policies. NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.

Creating a falling for TCL procedures in fmg

Name the proc and give a parameter #! proc do_cmd {cmd} { Puts [exec "$cmd\n" "# " 10] do_cmd "config system interface" do_cmd "edit port1" do_cmd "set ip 10.0.1.10 255.255.255.0" do_cmd "end" Procedure is called 4 times and you are able to run command because you used the $cmd

What is more difficult to discover IPS false positives or false negatives

Negatives

BGP event logging displays____? (4)

Neighbor down/up RIB update BGP message exchange Errors connecting to neighbors

What type of OSPF events does fortigate log What command is this default behavior enabled under

Neighbor up or down OSPF message exchange Negotiation errors Config router ospf Set log-neighbour-change enable

What processor encrypts and decrypts for IPSEC

Network processor

NP

Network processor NP6

If the IPs fail open setting is disabled what happens

New packets might be dropped depending on system load

NGFWs

Next generation firewall 1g-40gb throughput Deployed for firewall, app control, IPS, AV, and VPN Can be deployed at edge or in core

Can you apply proxy based UTM to a flow based policy

No

Does FortiOS need to use memory paging

No

Is console logging available on all models

No

Is the preshared key value part of the criteria for responder dial up selection

No

Will all signal numbers generate a crash log

No

Will a fortigate log a session from another gate in the SF and why What exception is there to this rule besides being the first fortigate

No and it eliminates repeated logging of a session by multiple fortigate devices It will log if it is the first fortigate that handled the session Exception is if one of the fortigate performs NAT another log will be generated to record NAT details such as translated ports and addresses

Will fortiguard work if DNS access is disabled

No because fortigate must be able to resolve hostnames Update.fortiguard.net(AV/IPS) Service.fortiguard.net(web filtering/AS)

Problem with multiple vendor networks

No central visibility or central management

What scaling limitations are there on a fortigate with BGP implemented

No hard limits. Only limitation is system memory. Number of neighbors, routes, and policies will have impact on the memory so the more then the more memory needed

Does fortigate perform route redistribution by default

No it's enabled under the dynamic routing protocol options

IPSec real time debug errors: No matching IPSec selector drop

No matching IPSec selector drop Tunnel up but not passing traffic. Quick mode selector mismatch or NAT is enabled on firewall policy

Can processes access the memory allocated to other processes

No only to memory allocated to that specific process

Is it common to need to edit the global IPS Configuration

No the default ones work well in most cases

After a route lookup where is routing information written (2)

No the route info is stored in the session table and route cache

Is the object to load balance bandwidth with active active mode?

No the traffic is always sent to the primary first. The objective is to share CPU and memory among devices for traffic inspection

What routes are considered external in OSPF

Non OSPF networks External routes include a directly connected interface not running OSPF Static route Route derived from another routing protocol

What could cause a short spike in CPU usage by ipsengine daemon

Normal and usually caused when fortigate had hundreds of policies and profiles or many VDOMS or a configuration change

NMI button

Not all fortigates have but if the system if frozen you can press this and it will force a crash and generate a crash dump to the console

Are firewall policies needed for the four data channels for SIP

Not if a session helper is being used since it creates an expected session (pinhole)

For active FTP does a policy need to exist to allow the incoming FTP data channel from the server to the client

Not if session helpers are used because it will create a pinhole in the firewall (or expected session)

If a fortigate receives a packet from a MAC address that belong to another fortigate in the security fabric (security fabric map) it will ______that session unless....

Not log Unless it it's the first fortigate that handled the session in the security fabric

What happens to traffic if using proxy based UTM on flow based policy

Nturbo does not work. All packets for flow based inspection need to go through the socket buffer and deliver to IPS. When the socket buffer is full the even is logged as a fail open event and sessionact is used to reflect the fail-open settings

If a tsformat option is not specified with the sniffer what is shown instead of timestamp

Number of seconds since sniffer started running

How do user space daemons share info

OS Dynamically allocates shared memory

What are the only two dynamic routing protocols that support VRF

OSPF and BGP

OSPF full state

OSPF routers have established adjacency and have identical LSDBs

In a multi access network, full adjacencies are formed between what OSPF routers

OSPF routers will form full adjacencies with the BDR and DR and not each other in order to limit resource utilization

When Av-session-failopen is enabled what options are there for Av-failopen and what do each mean

Off - all new session that require content inspection are dropped but existing sessions are processed Pass - stops inspecting new sessions. Inspection is automatically restarted when fortigate exits conserve mode On-shot - similar to pass but you must manually change the av-fail open setting to restart inspection after fortigate exits conserve mode

Where do you configure a VRF and what is a configurable value

On an interface 0-31 Interfaces with matching VRFS are isolated to a VRF instance

When implementing an RR (route reflector) in BGP, where is configuration done and what command is enabled on the neighbors

On the RR only Config router bgp Config neighbor Edit <neighbor IPv4> Set route-reflector-client enable Next End

When there is a failover and a switch ignores the gratuitous arp and continues to send traffic to the failed device what command should you perform and on what device should you do it

On the failed primary Config sys ha Set link-failed-signal enable End This will simulate a link failure and shut all non ha interfaces down for 1 second so the switch clears is MAC table

Describe how session helpers are needed for SIP in a NAT environment

Once The control channel is up, a sip phone sends an invite packet with it's IP address and port numbers for two of the four data channels. The session helper creates two expected session (one direction) and translates the private ip inside the invite packet to the NATed IP. The remote phone sends an OK packets to the right NATed destination ip. The OK packet included the IP address and ports for the other two data channels (other direction) the session helper creates two more expected sessions using the information from the OK packet. Four expected pinholes have been created so the four data channels can connect through. Firewall policies are not needed

How many times does the SF as a hole log a session

Once by the first fortigate in the SF unless passed to a FGT performing NAT

Why would an OSPF router have multiple LSDBs and what is the pros (3) and cons (2) of this

One for each area Pro: smaller LSDB tables Impact of topology change is minimized outside area (less LSAs) Routes can be summarized on the area borders Cons: more complex to troubleshoot and network design considerations

What signatures should be enabled during evaluation stage of IPS deployment

One group at a time Most critical ones

How many actions can be paired with a trigger foe a stitch

One or more

How long does the evaluation process of IPS deployment take and why

One to two weeks Because you have to enable one group of signatures at a time and monitor the log to fine tune then add additional signatures

When is RPF performed

Only on the first packet when the session is being created (or when there is a route change that requires packets to be reevaluated)

Is the SF an open or closed protocol

Open

REQUIRED option type for custom IPS signature (3)

Options that are required to create a custom signature —name —service —flow Name is the signature name displayed in the GUI and CLI Service specifies the session type associated with a packet (HTP FTP ETC) Flow specifies direction of the detection packet

PPP (parallel path processing)

PPP chooses from a group of parallel options to identify the optimal path for processing a packet uses the firewall policy configuration to choose from a group of parallel options to determine the optimal path for processing a packet. Most FortiOS features are applied through Firewall policies and the features applied determine the path a packet takes.

What happens if packet fails RPF and how could you tell what was going on

Packet is dropped and the debug flow will show the error "reverse path check fail, drop"

What will you see in the crash log if IPS is in fail open

Packet_action drop/pass IPS enter/exit fail open mode Will be either drop or pass exit or enter but it will tell you what is happening

Different between pass and one-shot for av-fail open

Pass - stops inspecting new sessions. Inspection is automatically restarted when fortigate exits conserve mode On-shot - similar to pass but you must manually change the av-fail open setting to restart inspection after fortigate exits conserve mode

Use _____ related and_____ options to ensure the lease number of false positive or negative matched for custom IPS signatures

Payload and special

How can fortimanager function as local FDS, what does it get from FGDN, and why is it a benefit

Periodically downloads from fortiguard license information and fortiguard database (IPS/ AV/ web filtering/AS ETC) caches firmware updates for managed devices

What are the modes for phase 1 and 2 of IPSec

Phase 1 main or aggressive Phase 2 quick mode

FEC IPSec

Phase 1 setting that when enabled adds additional packets with redundant data so recipient can use to construct any lost packet or any that arrived with errors (increase bandwidth usage )

Types of interfaces that can be configured

Physical VLAN IPSec Hardware switch Aggregate

Two options to view SF GUI

Physical and logical

Three types of OSPF networks and describe each

Point to point - Pair of routers connected through a point to point link Broadcast (multicast) - Supports more than two attached routers and then sending of single message to multiple routers (Ethernet) Point to multipoint - Supports more than two attached routers Does not support multicast

What are custom local-in policies and command to view them

Policies for management traffic into the local fortigate Not visible in the GUI unless enabled but when enabled shows default and not custom Show firewall local-in-policy Or config firewall local-in-policy

Fortitelemetry

Port 8013 Fortigate uses to communicate with other fortigate devices and distribute information about the network topology and it also uses to integrate with forticlient

Which takes precedence? Port monitoring or device priority in selection of primary in HA cluster

Port monitoring

NTurbo

Powered by NP6 network processor that increases the IPS processing performance by distributing the cost of processing to different CPU cores

Pppoed

Pppoed process

Pptpd, l2tps

Pptp and l2tp protocol processes

What features do NPs offer (4)

Pre IPS anomaly filtering and logging Packet offloading Link aggregation IPSec encryption and decryption (IPSec phase 2 and hashing)

What are the two categories of fortinet IPS signatures and define each

Predefined signatures - develops by fortiguard analysts which are distributed as part of regular fortiguard updates Custom signatures - created by users for specialized applications

What can you configure, for BGP, to filter prefixes or modify their BGP attributes

Prefix lists and route mals

BGP prefix lists and how to configure them

Prefix lists can be used to filter out the subnets being advertised to and being received from each neighbor Config router prefix-list Edit filter-subnets Config rule Edit <ID> Set prefix <prefix> Set action (deny | permit) Config router bgp Config neighbor Edit x.x.x.x Set prefix-list-in filter-subnets w

If primary device interface fails where should you check logs (HA)

Primary

Wad

Process for wan optimization, explicit proxy, proxy based inspection for HTTP and HTTPS and FTP

Cmdbsrv

Process that applies config changes

Httpsd

Process that controls GUI access

Updated

Process that controls fortiguard updates

Miglogd

Process that controls log collections and automation stitches

ADVPN

Proprietary fortinet solution based on IKE and IPSec. Provides direct connectivity between all sites by dynamically creating on demand tunnels between spokes. Benefit of the full mesh topology while providing scalability with minimum configuration

What do you configure for each managed gateway for the fortimanager vpn manager (4)

Protected subnets (P2 local subnet) Gateway title (hub spoke etc) Interface where the tunnel terminates Advanced setting like peer ID, IKE mode etc

UDP session example (pic) describe highlighted portions

Proto_state= Expire= length of time until session expires if there is no more traffic Origin-shaper= traffic shaping counters State= session flags Statistics= received and transmitted packet and byte counters Origin->sink= shows SNAT or DNAR for each direction and NAT ip address Src Mac= src max address of packet Policy_id= ID number of the matching policy Npu_state/npu_info= counters for hardware

What two modes does web filtering operate in

Proxy and flow

If you see the msg="send to application layer" in the debug flow what kind of inspection is being used

Proxy based

Proxyworker

Proxy based inspection for IMAP POP SMTP process

What two methods will antivirus and IPS fortiguard communication depend on

Pull or push

What is access layer quarantine for stitch action

Quarantine host and switch or AP

What are the four IPS options types for custom signatures

REQUIRED PROTOCOL PAYLOAD SPECIAL

Diagnose ip router ospf all enable Di de en Diagnose ip router ospf level info

Real time OSPF debug

Aggressive mode debug (pic)

Real-time debug for phase 1 aggressive and the three aggressive mode packet exchange

What is console logging

Records console CLI output in a 4MB log file on flash memory that is useful for troubleshooting unexpected restarts and unresponsive devices. The output can be displayed in the CLI or downloaded from the GUI

Since specific apps require specific TTL what can you do if you want to reduce session overall for memory opt but don't want to hinder application communication

Reduce TTL globally for TCP UDP and then increase the TTL tor the specific application port number

x64

Refers to 64bit CPY and OS instead of a 32 bit system meaning the CPU can process 64 bit chunks of data compared to 32bit chunks. 64 bit can access 2^64 memory addresses (18quintillian ram) 2^32 is only 4GB of ram. 64 can also perform more calculations per second and the processors can be multi core.

What do the numbers mean Diag sys top 3 15 3

Refresh 3 seconds Show 15 lines Stop after 3 refreshes

What devices (status) can request FDS info from fortimanager

Registered and unregistered (unmanaged)

What option does TCL script have to be run on?

Remote fortigate directly only

What is required to use the compromise host trigger for stitches

Requires fortiAnalyzer IoC reporting

Disadvantages of OSPF (2)

Requires planning and running to optimize performance Difficult to troubleshoot in large network

RPF and what two things it protects

Reverse Path Forwarding Checks against IP spoofing attacks and routing loops by checking the route to the source IP address Makes sure that the packet coming in is from the subnet that it says it's from by making sure the subnet matches what is in the routing table to the correct source interface

What two ways can you test an automation stitch

Right click in CLI In CLI with command Diagnose automation test <stitchname>

What must be configured in the SF first

Root fortigate

Where can you view the SF topology

Root fortigate GUI (or FAZ) Security fabric > physical topology

What are the five load balancing methods supports for aggregate IPSec tunnels

Round Robin - balanced per packet L3 - balanced per l3 header L4 - balanced per l4 header Redundant - sent through tunnel that came up first Weighted round Robin - load balanced based on link weights

Route Metric

Router metrics are metrics used by a router to make routing decisions. A metric is one of many fields in a routing table. Router metrics help the router choose the best route among multiple feasible routes to a destination. The route will go in the direction of the gateway with the lowest metric. RIP hop count OSPF cost (cumulative bandwidth) BGP

Without SNAT what happens to preexisting sessions when there is a route change (4)

Routing info is flushed from session entries rtcache entries flushed Session flagged as dirty and new route lookup is done for the next packets

What two places (CLI) can you see the source and destination ports and IPs for a session

Rtcache and session table

What would you see in a debug flow if a FTP session helper was inspecting the traffic

Rub helper-ftp (dir=original) Or Run helper-ftp (dir=reply)

Two problems high traffic volume may cause (like overloaded amounts) not just talking slow connection for users

Running in conserve mode due to low sys memory Proxy connection pool has no free connections

Which process states are normal and what are not

S and R are normal D is normal if briefly Z is not normal D is not normal for a long time(indicates process is not working properly)

Command to see shared memory and what is shared memory

SHM is memory allocated dynamically to multiple processes so they can share information with each other Diagnose hardware sysinfo shm Shows total, free, avail, alloc

When is SIP ALG used vs when is SIP helper used

SIP ALG When traffic matches a policy with a VoIP profile regardless of mode When traffic does not match a VoIP profile and the VoIP mode is set to proxy based SIP helper traffic does not match a policy with a VoIP profile and the VoIP mode is set to kernel-helper-based

If there is a VoIP profile applied to a policy that SIP traffic matches, and the default-voip-ALG-mode setting is set to kernel-helper-based what is used for the mode

SIP ALG even tho it is set to kernel-helper-based. Remove VoIP profile if you want it to use session helper and not SIP ALG

For SSL certificate inspection where does the FGT look for the FQDN first and where if that extension is not present

SNI If not present then CN in the server certificate

What is AV failopen

Safeguard feature that determines the behavior of the antivirus system for proxy based inspection if the fgt is overloaded with high traffic

If primary device fails where should you check logs (HA)

Secondary

What DNS lookup does fortigate do for web filtering and anti spam if it is configured to use HTTPS and worldwide servers

Securewf.fortiguard.net

Where to configure stitches

Security fabric > automation

How to configure fabric connectors

Security fabric > external connectors

Diagnose test application csfd 1

Security fabric daemon and command will show you downstream and upstream info: IP SN Port number Link status (ok = connected)

What is end to end security

Security from endpoints to the cloud

What does the security rating score help you identify

Security issues in your network

What three sections is security rating scorecards

Security posture Fabric coverage Optimization

Where is UTM or NGFW traffic offloaded for acceleration

Security processors CP8 or CP9

How to add an IP exemption for an IPS signature

Security profile > intrusion prevention > edit ip exemption

Two example of changes that will only apply to new sessions and not existing

Security profile and session helper changes

Where can you edit the SSL/SSH inspection for outbound traffic inspection

Security profiles > SSL/SSH inspection

Tunnel-search options for IPSec vpn

Selector Next hop

Tunnel search options for IPSec

Selectors Next hop

AS external link advertisement (type 5) OSPF LSA type

Sent only by ASBRs and are not confined to one area. Won't get sent to stub networks or NSSAs They contain link state information for routes redistributed to OSPF (external routes) External routes include a directly connected interface not running OSPF Static route Route derived from another routing protocol

How is the FGFM tunnel authenticated between fortigate and fortimanager

Serial numbers

What needs to be configured on fortigate in order to use fortimanager for fortiguard services and how do you do it

Server list where you define server address (IP of fortimanager ) where fortigate will query ratings and package updates Config sys central-management Config server-list Set server-type update rating Set server-address <fmg ip> Next End Set include-default-servers-disable (enable or disable the inclusion of public fortiguard servers in the override server list)

What needs to be configured for each interface under system settings > network on a fortimanager acting as a FDS

Service access setting

What DNS lookup does fortigate do for web filtering and anti spam if it is configured to use UDP and worldwide servers

Service.fortiguard.net

When fortigate submits a DNS lookup to get the IP of a fortiguard service name for rating services which 4 names does it try to resolve, protocol does it use, and is it worldwide or USA

Service.fortiguard.net UDP worldwide Securewf.fortiguard.net HTTPS worldwide Usservice.fortiguard.net UDP USA ussecurewf.fortiguard.net HTTPS USA

The connection between two BGP peers is called a BGP ____

Session

If there is a may_dirty session being offloaded to an NPU or SPU what happens if there is a change in a policy

Session flagged as dirty TOO and then next packet is sent to CPU to be reevaluated against policy change

What command enables the ADVPN or SDWAN hub to dynamically propagate all the redundant paths to each remote location through BGP

Set additional-path enable

What should be enabled on the spoke for IPSec that's disabled on the hub for ADVPN

Set net-device enable

Get router info OSPF status

Shows ID timers LSA originated and received areas attached to router number of neighbors in area what SPF was last executed

OSPF real-time debug commands and what the debug shows Disable command

Shows adjacency establishments, OSPF errors, network topology changes Diagnose ip router all enable Diagnose ip router OSPF level info Diagnose debug enable Diagnose ip router ospf all disable Diagnose debug disable

Receive status in fortimanager fortiguard and what is displays and for what four device types

Shows packages received from fortiguard, version, size, version to be deployed, and update history Fortigate Fortimail Fortianalyzer Forticlient

SF scorecard

Shows performance in sub categories and gives an overall grade, clicking a scorecards drills down to a detailed report of itemized results and compliance reccomendations

Phase 2 debug (pic)

Shows phase 2 proposal from local gateway and coming to the remote gateway

Parts of the real time ike debug phase1 (pic)

Shows the 6 packet exchange, phase 1 negotiation settings, what VPN config is used on responder, successful preshared key matches and final up status for phase 1

IPSec debug XAUTH enabled (pic)

Shows the CFG_REQUEST CFG_REPLY CFG_SET CFG_ACK

What does the SF physical topology display

Shows the physical topology of devices in the SF and the connections between them

Debugging IKE MODE config (pic)

Shows the remote site requesting and receiving IP settings with CFG_REQUEST and CFG_REPLY

What is Debug flow

Similar to built-in sniffer but the output shows step by step kernel decisions for each packet

Fortimanager vpn manager and steps (5)

Simplifies VPN administration by having the ability to install con settings to multiple devices at once. Settings are stores as objects in the object database and can be pushed by installing the policy package. 1) create vpn community 2) add gateways (members) to the community 3) install the vpn community and gateways configuration 4) add the firewall polices 5) install the firewall policies

What kind of hub architectures does ADVPN support

Single or multiple

What is fortimanager and key features just name as much as you can think of. Flex dah brain

Single pane of glass management for mass provisioning, scheduled rollout of configurations, compliance regulation through audit abilities Reduces wan usage with local fortiguard cache server Provides logging and reporting VPN, AP, Switch managers Security fabric ADOMs Firmware management

Why do you need to configure full mesh peering between all IBGP routers and what can simplify this

So each BGP router knows the local subnets on every other BGP router Route reflectors

Why is the SF API and protocol Open

So other vendors can join for partner integration so fortinet devices can communicate with third party devices

Which SoC platforms include NTurbo for fast IPS processing

SoC3 and 4

What two methods are there for inspecting outbound encrypted sessions

Ssl certificate inspection Ssl full inspection

Sslvpnd

Ssl vpn process

After you know What services to protect in an IPS deployment how can you defined the threats and where to implement IPS

Start with the most critical services and classify the threats into groups

Theee inspection types

Stateful Proxy Flow

AD for static, directly connected, dhcp, OSPF, BGP

Static 10 DHCP 5 Connected 0 OSPF 110 EBGP 20

If an IPSEC vpn is configured in interface mode and the set add-route command is enabled what happens

Static routes are automatically added to clients each time the dialup IPSec connects The destination subnets are what is received in phase 2

Nick name for administrator-defined automated work flows and what are the function

Stitches Stitches use if/then statements to cause FortiOS to automatically respond to an event in a preprogrammed way.

How can you tell if a fortigate freezes

Stops handling traffic You can't connect to it and you can't access the Console port Only power cycling fixes the issue

Describe the flow of BGP routes coming in from advertised peers to leaving and being advertised to peers (pic)

Stores BGP routes it receives from others routers in the RIB-in The BGP router applies filters and the resulting routes are stored in the local RIB, which are then consolidated in the routing table with other types of routes (static, directly connected, other protocols etc) The BGP routers adds redistributed routes (from other protocols) and external routes, applies filter, and adds them to the RIB-out The resulting routes are advertised

Three AS types, describe each, and example

Stub AS: single exit point and routes only local traffic. Company with one ISP and it's own AS Multihomed AS: multiple exit points and routes only local traffic. Company with two ISPs and it's own AS transit AS: handles and routes local traffic as well as traffic that originates and terminates in different autonomous systems (transit traffic) an ISP is an example

When performing dynamic routing over IPSec the overlay IPS (hub and spoke tunnel IPS ) need to be in the same____

Subnet

Security fabric > security rating What is security rating and how can you get a rating

Subscription services that requires a security rating license Provides ability to see and perform many best practices such as password checks, to audit strength of your network security Broken down into score cards that provide a letter grade

Is IPSec encryption and decryption offloaded to hardware

Supported on some models Supported algorithms vary by processor type and model It is enabled by default for supported algorithms

Difference between swap files and page files

Swapping is when a whole process is transferred to disk and paging is when part of a process is transferred back and forth as needed

What devices can extend the SF to the access layer

Switch and AP

What does system > HA display (6)

Sync status Fortigate members Hostnames Serial numbers Role Uptime

Where can you check the status of fortiguard licenses, the versions, and the communication to fortiguard in the GUI

System > fortiguard

What is a fork?

System call to create a new process (child process) from an existing process (parent process)

What is indicated if no new daemons have been schedule in the last 10 mins

System may be frozen use watchdog feature

Where is SoC found

System on a chip is found in small office and desktop model fortigates that combine the CPU NP CP and memory onto a single chip

What is SoC

System on a chip that includes entire microprocessors (CPU NP CP, memory blocks, flash memory, external I/O(network interfaces))

Fortimanager script starts with #! What type is it

TCL

Protocol 6

TCP

If processes are allocated individual blocks of memory, how can they share information with eachother

The OS dynamically allocated shared memory (SHM) so multiple processes can share information.

What part of the fortimanager vpn manager contains the phase 1 and phase 2 settings that gets pushed to the devices

The communities

What is contained in the IKE message from the initiating remote spoke when it tries to stand up a dynamic tunnel with ADVPN to another remote spoke (4)

The first remote site will create a FortiOS specific IKE message that contains it's public IP, local subnet, and desired remote subnet, an auto generated PSK/ dig cert

Why would you see Dev=6->9/9->6 gwy/10.8.1.1/0.0.0.0 in the session table

The gateway to destination is identified by the route lookup on the first packet that passes through from originator. The gateway to source will be identified when the return packet comes back from the receiver

What two parts of the firewall affect the path that a packet takes

The hardware and software configuration

Stage 3 of NGFW policy mode session handling

The kernel uses the layer 7 information to search NGFW policy table again for match and once match is found the kernel applies the configured action on matching policy

What does the point score represent for SF rating

The net score for all passed and failed items in the area

If fortiguard server weights are the same which one will the fortigate use

The one with the lowest RTT (round trip delay)

Feasible RPF mode and example (pic)

The packet is accepted as long as there is one active route to the source IP through the incoming interface, it does not have to be the best route just an active one

By default, BGP prefix under the network command is only advertised when....how can you change this behavior (command)

The prefix matches the destination subnet of an active route in the routing table To always advertise the prefix regardless of active routes: Config router bgp Set network-import-check disable

How does active-active work for virtual clustering

The primary device receives all sessions and load balances them among the cluster devices according to the load balancing schedule. All cluster devices process traffic for all VDOMs

Socket buffer

The receive socket buffer size determines the maximum receive window for a TCP connection. The socket receive buffer space is shared between the application and kernel. TCP maintains part of the buffer as the TCP window, this is the size of the receive window advertised to the other end.

Security fabric > security rating > security posture

The scorecard that shows a ranking presented as a percentile based on security audit information.

Describe how a session helper works with active FTP and NAT (2)

The session helper will translate the IP and port in the FTP command so that the server initiates the connection to the NATed IP and not the private IP It also will create an expected session (or pinhole) for the data channel connection that will come from the server so that an admin doesn't need to create a firewall policy allowing an incoming FTP session

What happens to the routing table after you configure VRF IDs on interfaces

The table and database and command output changes Routes are grouped based on VRF ID and not grouped together

Your looking at a session entry and you see state=dirty may_dirty and you see dev=9->0/0->9 gwy=0.0.0.0/0.0.0.0

There was a routing change

How do permissions in workspace mode work

They are the same permissions defined on the account profile

Compromised host trigger for automation stitch

This trigger uses indicator of compromise (IOC) event reporting from fortianalyzer Set a threat level threshold (medium or high) Based on that you can configure the stitch to take different remediation steps such as: Quarantine the compromise host and switch or AP (access layer quarantine) Quarantine forticlient on the compromise host using EMS Ban the IP

Describe the protocol states as it relates to the TCP handshakes

Three way SYN - 02 (SYN_SENT) SYN/ACK - 03 (SYN & SYN/ACK) ACK - 01 (established) FIN - (FIN_WAIT) FIM / ACK - (TIME_WAIT)

In what case can fortigate access fortiguard without DNS resolution

Through a web proxy because the web proxy contacts the DNS server to resolve names

config system global set av-failopen-session {enable | disable} set av-failopen {off | one-shot | pass} end

To configure failopen in the CLI: config system global set av-failopen-session {enable | disable} set av-failopen {off | one-shot | pass} end To set the behavior for these conditions, you must enable av-failopen-session. When enabled, and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and behaves as defined in the av-failopen command. av-failopen determines the behavior of the proxy until entries are free in the session table again for that proxy.

Purpose of ISFW

To segment the network so that any breach coming from inside can be contained in one segment of the network without reaching others

From this picture which is primary top or bottom

Top

Stage 1 of NGFW policy mode session handling

Traffic comes in Kernel can identify ICMP, DNS, And NTP traffic in the kernel (all other types it cannot) When traffic first comes in kernel cannot identify layer 7 info and uses the layer 4 headers to search for the NGFW policy table to match and send traffic to IPS engine The kernel creates a session table entry with the may_dirty flag And an application ID of 0 Session is allowed

How is traffic distribution controlled in vdom partitioning for HA

Traffic distribution is controlled by setting the primary for the different vdoms

What is IPS acceleration

Traffic inspected by IPs is offloaded to CP8 or CP9 content processor

In the session table what does the state flag ndr mean (next to the may_dirty and dirty flags)

Traffic is inspected in flow base mode

For BGP, if all route attributes are the same and ECMP is enabled where is traffic routed What if ECMP is not enabled

Traffic is shared among up to 10 BGP routes If ECMP is not enabled then the fortigate uses the route that goes to the router with the lowest BGP router ID

True or false The communication between fortigate and fortiguard for web filtering and anti spam is different from the communication for antivirus and IPS

True

True or false Fortigate can create sessions for traffic expected to come

True session helpers and application layer gatwat

How many SSL sessions are established with full ssl inspection

Two Client to fortigate Fortigate to server

TCP protocol state and what are all 10 client side states What are server side state options and client side state options

Two digit number (proto_state=) First digit is server side state (0 or 1) 0 if no inspection 1 if proxy or flow Second digit is client-side state NONE 0 ESTABLISHED 1 SYN_SENT 2 SYN & SYN/ACK 3 FIN_WAIT 4 TIME_WAIT 5 CLOSE 6 CLOSE_WAIT 7 LAST_ACK 8 LISTEN 9

Max number of fortigates for virtual clustering

Two fortigates

How many entries in the route cache are there for one session

Two one for originating traffic and one for return

Aggregated IPSec tunnels

Two or more IPSec tunnels between two sites can be combined to create an aggregated tunnel. Similar to lacp port aggregation

What devices comprise the core of the security fabric (MANDATORY) and what is comprised in the recommended and extended portions

Two or more fortigates + fortianalyzer in core Recommended- Fortimanager, fortiAP, switch, client, sandbox, and mail Extended- Other fortinet products and third party products using the API

External route metric types what are each

Type 1 - Metric is the sum of the external cost plus the internal cost of reach the ASBR. Considered close to AS. Type 2 - Metric is based on external cost and considered far from AS.

What port does IKE use with no NAT and with NAT

UDP 500 UDP 4500 After NAT detected

What ports does the fortigate use for rating services (web filtering and anti spam) when communicating with public fortiguard services What ports does it use when communicating with a fortimanager configured as a local fortiguard server What port is used for update services (antivirus and IPS)

UDP 8888 UDP 53 HTTPS 8888 HTTPS 53 HTTPS 443 UDP 8888 UDP 53 HTTPS 53 HTTP 8888 HTTPS 443

Protocol 17

Udp

How can you apply security reccomendations to your firewall settings in one click

Under SF security rating > security posture and click apply on the failed controls

Where do you configure a protected subnet in fortimanager

Under all vpn communities

Where can you view quarantined and banned IPS

Under the quarantine widget dashboard

App=0 (what stage is this seen in session table)

Unknown app NGFW policy mode stage 1

How long do on demand (ADVPN) tunnels remind active and what command can you use to see which on demand tunnels are active

Until the SAs are manually flushed or until they time out Get IPSec tunnel list

How can you fix interference and delays that session sync causes for the heartbeats (2) commands to do both

Use a different interface for sessions synchronization than the heartbeat interface Config system ha Set session-sync-dev <port name> <port name2> Delay the sync of the new session by 30 seconds so short lived sessions are not synced Config system ha Set session-pickup-delay enable

Scripts in fortimanager are not running in fortigate correctly (3) what should you check

Use completed commands and not shortened syntax Do not use # in front of any commands On fortigate ensure the console output to standard otherwise script longer than screen length will not run correctly Config sys console Set output standard On fortigate

How to stop BGP behavior of redistributing BGP routes automatically to all BGP peers (can cause massive amounts of routes)

Use prefix list and route maps

SPECIAL option type for custom IPS signature

Used for all another purposes besides the payload, protocol, and special option types Example —app_cat 7

Difference between these commands: Set preserve-session-route Set SNAT-route-change Set firewall-session-dirty

Used for session behavior when there is a route change and SNAT is not applied Used for session behavior when there is a route change and SNAT is applied Used for session behavior when there is a policy change

What can the numerical web filter categories from command "get webfilter categories" be used for

Used to create web filtering profiles using the fortigate CLI or fortimanager scripts can also be used to test whether a specific category or sub category is allowed or block

PROTOCOL option type for custom IPS signature

Used to match different protocol options Example —protocol tcp

PAYLOAD option type for custom IPS signature

Used to match the packet payload Such as —pattern "POST" and —context uri

System IO cache and examples of operation sped up by this cache

Used to speed up the access to information stored in the hard and flash disk memories Logging Wan optimization Explicit proxy

Authd

User authentication process

What is the responder dial up selection criteria (for any incoming connection where the fortigate is acting as dial up responder how does it select clients)

Uses the first phase 1 config (in alphabetical order) that matches: Local gateway Mode (aggressive or main) Peer ID (if aggressive) Authentication method (psk OR cert?) Digital cert info (if used) Proposal DH group

What DNS lookup does fortigate do for web filtering and anti spam if it is configured to use HTTPS and USA servers only

Ussecurewf.fortiguard.net

What DNS lookup does fortigate do for web filtering and anti spam if it is configured to use UDP and USA servers only

Usservice.fortiguard.net

What will a fortimanager acting as a downstream FDS provide (3)

VM license validation service Update services for AV and IPS signatures Rating services for web filtering and anti spam

Where in GUI can you configure aggregated IPSec

VPN > IPSec tunnels > create new > aggregate

Layer three route isolation using____

VRFS

F-SBID (—KEYWORD VALUE;) What is this for and which is case sensitive value or option

Value is case sensitive This is used for custom IPS signature creation. Made up of the header "F-SBID" and a series of option and value pairs

What is the max number of proxy connections and what if it's maxed out

Varies by model. It is the max number of proxy sessions a protocol in a proxy policy can have. If it fills up the IPS engine goes into fail open mode To configure failopen in the CLI: config system global set av-failopen-session {enable | disable} set av-failopen {off | one-shot | pass} end To set the behavior for these conditions, you must enable av-failopen-session. When enabled, and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and behaves as defined in the av-failopen command. av-failopen determines the behavior of the proxy until entries are free in the session table again for that proxy.

How does fortigate verify the fortianalyzer

Verifies serial number against it's certificate and then the serial is stored in the fortigate config

If a device can't join an HA cluster what 4 steps should you follow

Verify the HA settings match Verify firmware and hardware match Verify physical layer connections Use the HA real time debug (Diagnose debug application hatalk -1 Diagnose debug application hasync -1 Diagnose debug enable )

If GUI is unresponsive what should you do

View the crash log in the CLI for conserve mode messages and try to look for processes using too much memory Diagnose debug crash log read

VRF

Virtual Routing Forwarding is a technology included in some routers that allows multiple instances of a routing table to exist in a router. This increases functionality by allowing network paths to be segmented without using multiple devices. Also increases security since it's segmenting traffic. This is something ISPs usually do to create separate VPNs for customers

Hub and spoke topology

WAN topology; each remote site connects back to a main site, communication between the two remote sites travels through the hub site; benefits: costs are reduced, adding an additional site is easy (only one link per site); ease of management for VPN config and firewall policies drawbacks: suboptimal routes between remote sites, hub site is a single point of failure because all remote sites converge on that main site, lacks redundancy

BGP attribute categories (4) and describe each

Well-known mandatory - attributes are mandatory Well-known discretionary - attributes may or may not be included Optional transitive - attributes may or may not be accepted and can be passed outside the local AS Optional non-transitive - attributes may or may not be accepted and can't be passed outside the local AS

Tips for troubleshooting web filtering (4)

What URLS? Is it random or consistent? Who is affected? Is there anything in any of the logs? Was something blocked intentionally? Is authentication involved? Double check the user is being handled properly Attempt reproduction Ensure web filtering isn't globally disabled Connectivity problems to fortiguard and conserved mode can cause web filtering intermittent issues

During the analysis stage of an IPS deployment what three things must you identify

What services to protect the threats to those Services where to enable IPS inspection

If the IPs fail open setting is enable what happens

When IPS goes into fail open mode some new packets might pass through without being inspected depending on the system load

How does a fortigate use virtual max address to fail over correctly and how are virtual macs assigned

When a primary joins a cluster, each interface is given a virtual mac address, the primary informs all secondary units about the assigned virtual MAC addresses. When the fortigate fails over a secondary adopts the same virtual mac addresses for equivalent interfaces

When is it likely for fortigate to go into conserve mode

When fortigate is using content inspection (especially proxy based) or AV because it's more likely to increase memory

When is traffic considered interesting

When it must travel through an IPSec tunnel (encrypted and encapsulated) to reach a remote network

When does fortigate reach out to fortiguard for rating services (antispam and web filtering )

When it needs to rate a website or email unless the rating is cached in the fortigate

At what part in IPSec tunnel creation are SAs loaded to kernel and when does the fortigate determine if inbound or outbound can be offloaded

When phase 2 goes up SAs are loaded into kernel If there is not traffic passing it will remain in kernel When inbound or outbound traffic begins to flow it determines if inbound or outbound can be offloaded

Why may a file transfer fail if the fortigate is doing NAT and the FTP mode is configured as active (there is no session helper)

When that FTP packet crosses the router, the source IP address in the IP header is changed from 10.0.1.10 to 10.200.1.1. However the IP address in the FTP port command is not translated to 10.200.1.1. Once the server receives that FTP command it tries to bring up the TCP session for the day to channel to 10.0.1.10. It sends the syn packet to the IP address 10.0.1.10 this address is probably not routeable because it is a private IP behind a device doing NAT so the file transfer fails

Describe the action the hub takes when it receives a packet from a remote location destined to another remote location when auto-discovery is enabled

When the hub receives the packets it knows ADVPN is enabled because of the command. The hub will send an IKE message to the initiating remote site informing it that it can try to negotiate a direct connection to the other remote site. The first remote site will create a FortiOS specific IKE message (shortcut query) that contains it's public IP, local subnet, and desired remote subnet, an auto generated PSK/ dig cert This gets sent to the hub and hub will forward to remote site When the other remote site receives the IKE message (shortcuts query) it stores the PSK and replies with another IKE info message (shortcut reply) containing it's own public IP The hub will forward this IKE message to the initiating remote site and the tunnel will be dynamically negotiated and stood up

When is BGP typically used (2)

When there are a large number of routes Strict control over what routes are announced or accepted is required

When does IPS go into fail open mode (2)

When there is not enough available memory in the IPS socket buffer for new packets Or When the fortigate is in conserve mode

Config system global Set SNAT-route-change disabled

When this setting is disabled, after a routing change, sessions with SNAR keep using the same outbound interface as long as the old route is still active

When two routers start EBGP communication, the ___ BGP routing table is interchanged. After that only network ____ are sent

Whole Network

For NAT traversal how is ESP encapsulated

With a UDP header

Can you apply flow based UTM to a proxy based policy

Yes

Does ADVPN support NAT

Yes

True or false. Route leaking is supported between VRFs

Yes

Is bgp event logging enabled by default? How can you change the behavior?

Yes Config router bgp Set log-neighbour-change [enabled | disabled] End

TCL variables

You can create variables in the TCL script with: Set <variable name> <"value"> Then using <$variablename> in the program portion of the script which will auto fill with the variable value

Can you do EBGP with ADVPN

You can't do ADVPN with EBGP because EBGP can't use route reflectors. Without the route reflector pointing you directly to the spoke, IPSEC will never create the shortcut. If you don't need the spoke to spoke connectivity through the IPSEC shortcuts, you can use the dynamic VPN tunnels that ADVPN uses and use EBGP for your routing. It would require some modifications though since you will have to set the AS per spoke.

If a protocol is using a non standard port and you need to use a session helper what should you do and how do you do it

You should change the default port number in the session helper config on the fortigate to match the custom port (or add new entry) Command: Config system session-helper Show Edit 13 Set name sip Set protocol 17 Set port <port number> Edit 14 Set name h323 Set protocol 6 Set port <port number> End

What modern day tech and threats create the need for more protection (protecting the perimeter of a network is no longer enough)

Zero day attacks APT Polymorphic malware Insider threats BYOD Cloud tech

What five areas does the SF (security fabric) deliver solutions in

Zero trust access Security driven networking Dynamic cloud security AI-driven security operations Fabric management center

Two options for tsformat for sniffer

a UTC time l local time

IPSec (Internet Protocol Security)

a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. Operates at the Network Layer

What happens if there is no activity in a workspace transaction

after five minutes It times out and all changes are discarded

What is route redistribution?

an ASBR connects different routing domains, such as EIGRP & OSPF, and configures them to exchange & advertise routing info route redistribution allows a network that uses one routing protocol to route traffic dynamically based on information learned from another routing protoco

Dijkstra's algorithm

an algorithm used in calculating the shortest path between an origin node and other destination nodes in a network

IPSec real time debug errors: Negotiation failure No SA proposal chosen

config mismatch verify phase 1 and phase

DCFW

data center firewall Protect servers, low latency, inbound security focused 10g-1tb throughput Firewall, application control, and IPS common Places in data center and in enterprise DMZ Deployed at distribution layer

Command to disable all app debugging

diagnose debug reset

IKE

establishes a security association between two peers, tunnel maintenance, and disconnection

Full Mesh Topology

every site has a direct connection to every other site; benefits: an optimal route exists between any two sites, fault tolerant, easy troubleshooting; drawbacks: difficult and expensive to scale

Where are the web filter and antispam database managed in fortimanager acting as FDS

fortiguard management > query server management

DoS module

inspects all traffic flows but only tracks packets that can be used for DoS attacks (for example, TCP SYN packets), to ensure they are within the permitted parameters. Suspected DoS attacks are blocked, other packets are allowed.

What are some private SDN connector available

kubetnetes VMware ESXI VMware Nsx Openstack ACI application centric infa Nuage virtualized services

Which AS attribute is optional non transitive and what does that mean (1)

multi_exit_disk Optional non-transitive - attributes may or may not be accepted and can't be passed outside the local AS

Where is traffic not requiring any UTM or NGFW processing offloaded for acceleration

network processor NP6

If a firewall policy is configured for _________ then a mixture of flow-based and proxy-based inspection occurs. Packets initially encounter the IPS engine

proxy-based inspection

IP header integrity checking

reads the packet headers to verify if the packet is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification that is done at this step to ensure that the protocol header is the correct length. If it is, the packet is allowed to carry on to the next step. If not, the packet is dropped.

Flow based inspection

the flow-based inspection method examines the file as it passes through the FortiGate unit without any buffering. As each packet of the traffic arrives it is processed and forwarded without waiting for the complete file or web page.

Proxy based inspection

the proxy-based inspection involves buffering traffic and examining it as a whole before determining an action. The process of having the whole of the data to analyze allows for the examination of more points of data than the flow-based.

If net-device is disabled and tunnel-search is selectors what else is needed to route properly if there are multiple clients

tunnel Index

Stage 2 of NGFW policy mode session handling

while the session is allowed the kernel forwards packets to IPS engine IPS engine performs layer 7 identification and updates session table Session table entry is flagged with dirty flag and identified app ID is changed from 0 Dirty flag notifies the kernel that the session needs to be reevaluated

What would you see in a debug flow for traffic matching an expected session opened by a session helper

"Find an EXP session, id 0016f90"

Example on how to run a CLI command in a TCL script in fortimanager (pic)

#! - must start with Exec - runs a program on fortigate ".......\n" - program(command) to run on fortigate \n is new line "# " 10] - wait 10 seconds for command prompt to display "#" before running command. If it doesn't do not run command and return error

What is the CP

(Content processor ) Co-processor for the CPU that accelerates resource intensive security related processes


Related study sets

Managing Diversity - Workplace Chapter 4

View Set

Chapter 15 post test Mental Health

View Set

Unit 3 Test 2023 AMH2010-64: United States History

View Set

Foundations of Psychiatric Nursing SCC 4th quarter psych

View Set