Certificates

Question 1

Which attribute or extension identifies the owner of a certificate?

Answer 1

The subject name

Question 2

Which configuration requires FortiGate to act as a CA for full SSL inspection?

Answer 2

Multiple clients connecting to multiple servers

Question 3

Which inspection mode can protect your LAN devices from encrypted malware?

Answer 3

Deep inspection

Question 4

What certificate standard does FortiGate use?

Answer 4

X.509v3

Question 5

Who acts as the FortiGate OSCP responder?

Answer 5

FortiAuthenticator

Question 6

What does FortiGate check before trusting and using a certificate?

Answer 6

• Revocation check
• CA certificate possession (issuer)
• Validity dates
• Digital signature validation

Question 7

How does FortiGate verify a digital signature?

Answer 7

• Runs certificate through a hash function/algorithm
• FortiGate hash result must match the CA result

Question 8

What is SSL inspection mode used for?

Answer 8

• Web filtering
• Application control

Question 9

What does SSL inspection do?

Answer 9

• FortiGate inspects the certificate and packet header
• Then, checks for a match between the site visited and the certificate presented

Question 10

What does FortiGate act as in full SSL inspection?

Answer 10

Main-in-the-middle proxy

Question 11

What is a difference between SSL inspection and full SSL inspection?

Answer 11

• SSL inspection does not decrypt packets
• Full SSL inspection decrypts and encrypts packets using its own keys
• In full SSL inspection, FortiGate can inspect the traffic

Question 12

How do sessions work in full SSL inspection mode?

Answer 12

• Two separate SSL sessions are maintained
• Client-To-FortiGate, and FortiGate-to-server

Question 13

Where can you select the SSL inspection mode?

Answer 13

At the firewall policy level

Question 14

What are the pre-defined SSL profiles?

Answer 14

• no-inspection
• deep-inspection
• certificate-inspection

Question 15

What should you do if you want to modify a SSL profile?

Answer 15

• Use custom deep-inspection
• Pre-defined profiles cannot be modified

Question 16

Why might you exempt sites from SSL inspection?

Answer 16

• Problems with traffic (ex. HSTS)
• Legal issues

Question 17

How does FortiGate inspect encrypted traffic?

Answer 17

Intercepts the certificate coming from the server, then generates a temporary one

Question 18

What certificate is installed by default on FortiGate?

Answer 18

• A self-signed encrypting SSL CA certificate
• Fortinet_CA_SSL

Question 19

How would you avoid warnings on a user device when using the default FortiGate Self-Signed certificate?

Answer 19

• Install CA certificate Fortinet_CA_SSL as a trusted CA on user devices (import into browsers)
• Install a company CA certificate on FortiGate for full SSL inspection

Question 20

What is a certificate requirement for full SSL inspection?

Answer 20

Requires that FortiGate acts as a CA to generate an SSL private key and certificate

Question 21

What is the default SSL inspection profile?

Answer 21

no-inspection

Question 22

What are limitations of the no-inspection profile?

Answer 22

• No web filtering
• No application control

Question 23

Where can you find the FortiGate HTTPS Server Certificate?

Answer 23

System > Settings

Question 24

What functions would you need to import a private certificate for?

Answer 24

• FortiGate GUI
• SSL-VPN tunnels

Question 25

What error is NET::ERR_CERT_AUTHORITY_INVALID indicative of?

Answer 25

HSTS issues

Question 26

What is a possible workaround for sites with an HSTS requirement that having issues?

Answer 26

• Exempt websites from full SSL inspection
• Use SSL certificate inspection instead
• Adjust browser settings