Firewall Authentication

Question 1

What are the three firewall auth methods for users?

Answer 1

Local password
Server based (ldap, radius, pop3, tacas+)
Two-factor

Question 2

What auth servers does FG support?

Answer 2

POP3, RADIUS, LDAP, TACACS+

Question 3

Can POP3 servers be configured in GUI?

Answer 3

No, CLI only

Question 4

What does DSA Stand for

Answer 4

Directory System AGENT

Question 5

LDAP port

Answer 5

389

Question 6

What is Common Name Identifier?

Answer 6

Used to find the username i.e. sAMAccountName or cn for LDAP

Question 7

What is the Distinguished Name setting for LDAP?

Answer 7

Identifies the top of the tree where the users are located, generally the dc value but could be container or ou.

Question 8

What protocols does secure LDAP use

Answer 8

LADPS or STARTTLS

Question 9

What is Access-Request?

Answer 9

The request that FG sends to RADIUS to auth a user.

Question 10

What is Access-Accept for Radius?

Answer 10

User credentials are ok

Question 11

What is Access-Reject for Radius?

Answer 11

User credentials are wrong

Question 12

What is Access-Challenge?

Answer 12

Radius server for secondary password ID, token, or certificate. (two factor) Not supported by all devices.

Question 13

What should you deploy to help keep OTP in sync?

Answer 13

A NTP server.

Question 14

What is used to generate a OTP?

Answer 14

Seed + Time

Question 15

Can you register a FortiToken to more than on FortiGate?

Answer 15

No, only one, you must use FortiAuthenticator if you wish to use the same FortiToken Across multiple FG

Question 16

What are examples of passive authentication?

Answer 16

Forti SSO
RSSO
NTLM

Question 17

What does RSSO stand for?

Answer 17

RADIUS Single Sign-on

Question 18

What type of user groups are there?

Answer 18

Firewall
Guest
FSSO
RSSO

Question 19

Should you allow DNS to run before your user is authenticated?

Answer 19

Yes, as it is usually required to resolve host names prior to authentication being triggered.

Question 20

What protocols can be used to trigger active authentication in a firewall policy

Answer 20

HTTPS
HTTP
FTP
Telnet

Question 21

When using active and passive policies together, what is meant to be the primary authentication method?

Answer 21

Passive.

Question 22

What CLI command enables you to force FortiGate to trigger an auth request?

Answer 22

Config user setting
Set auth-on-demand <Always | Implicit>
Implicit lets traffic through if there is a fall through policy
Always triggers auth regardless of their being a fall through policy.

Question 23

What CLI command is used to force auth timeout

Answer 23

Config user setting
set auth-timeout-type

[ Idle-time out | Hard-timeout | new-session]

Question 24

Where on the GUI do you monitor users?

Answer 24

Dashboard> User & Devices > Firewall Users