Firewall Policy/NAT Flashcards

1
Q

What are the two ways to SNAT traffic?

A
  • Use the outgoing (egress) interface address; this is what FortiGate does when NAT is enabled on the policy and no pool is selected
  • Use a dynamic IP pool selected on the policy
2
Q

What are the four types of IP pools?

A
  • Overload
  • One-to-one
  • Fixed port range
  • Port block allocation
3
Q

What are the two types of IP pools more commonly used for CGN (carrier-grade NAT)?

A
  • Fixed port range
  • Port block allocation
4
Q

What is the default pool type?

A

Overload

5
Q

What are characteristics of the overload IP pool type?

A
  • A many-to-one or many-to-few relationship: many internal hosts share one (or a few) external addresses
  • PAT (port address translation) is used, so concurrent sessions from different hosts are told apart by their translated source port
6
Q

How does the one-to-one pool type work?

A

FortiGate assigns each internal host its own IP pool address on a first-come, first-served basis; no PAT is performed, and once every address in the pool is in use, sessions from additional internal hosts cannot be translated until an address is released

7
Q

Where do you enable DNAT?

A

Create a VIP object and reference it as the destination address of an incoming firewall policy; the translation is applied only to traffic that policy matches

8
Q

What is the default VIP type?

A

Static NAT; one-to-one

9
Q

If a static NAT VIP is not referenced in an incoming firewall policy, or that policy is disabled, what happens to outbound sessions from the mapped internal host?

A

They are SNATed to the egress interface IP address rather than to the VIP's external address; a static NAT VIP translates in both directions only while an enabled incoming policy references it

10
Q

Does a firewall policy whose destination address is all match traffic sent to a VIP's external address?

A

No. Traffic to a VIP is matched only by policies that reference the VIP as the destination address, unless match-vip is enabled on the policy (typically done on a deny policy that must also block traffic to VIPs)

11
Q

How does port forwarding on VIP work?

A
  • Redirects traffic that matches the VIP's external address and port to the mapped internal address and port; the mapped port may differ from the external port
  • With port forwarding enabled, FortiGate no longer performs one-to-one (static NAT) mapping of the whole address; only the specified port or port range is translated
12
Q

Which inspection mode optimizes performance?

A

Flow-based

13
Q

What is the default inspection mode?

A

Flow-based

14
Q

How does proxy-based inspection work?

A
  • FortiGate buffers the traffic (acting as a transparent proxy) and examines the data as a whole before forwarding it
  • Examines more points of data than flow-based inspection, so it is more thorough but uses more resources
15
Q

Video filter, WAF, Inline CASB, and ICAP are only available in what inspection mode?

A

Proxy-based

16
Q

What does it mean if you do not see the inspection mode setting in the GUI?

A

You have a low-end platform with 2 GB of RAM or less

17
Q

How do security profiles protect your network?

A
  • Block threats
  • Control access to certain applications and URLs
  • Prevent specific data from leaving your network
18
Q

What is the benefit of using Geographic-based ISDB objects?

A

They give more granular control by narrowing the parent ISDB object to a specific geographic location, so a policy matches only that region's addresses for the service rather than every address the service publishes

19
Q

Where does FortiGate support storing logs?

A
  • FortiGate local storage (disk or memory) and FortiGate Cloud
  • FortiAnalyzer, either on-premises or FortiAnalyzer Cloud
  • Syslog server
20
Q

If logging is enabled on a FW policy, when does FortiGate generate the log by default?

A
  • After the policy closes the IP session, so one log records the whole session
  • You can also enable generating logs when the session starts, but the extra log volume reduces performance
21
Q

What are some characteristics of ARP reply?

A
  • Instructs FortiGate to reply to ARP requests for the VIP's external address, so neighbours on the external segment can reach an address that is not the interface's own IP
  • Enabled by default
  • Sometimes required to overcome routing misconfigurations
22
Q

What is ISDB

A

Internet Service Database

23
Q

How can a customer authenticate on FortiGate?

A
  • Local Account
  • Remote Server
  • FSSO
  • PKI
24
Q

Can you select both a source IP and ISDB as a source in a FW policy?

A

No. The source (like the destination) must contain either address objects or ISDB objects; the two cannot be mixed in the same field

25
Q

Do policy IDs display by default on the GUI?

A

No

26
Q

Are IPv4 and IPv6 combined into a single policy?

A

Yes

27
Q

If you don't see "Generate Logs when Session Starts", what does that mean?

A

FortiGate does not have an internal hard drive for logging

28
Q

What command allows you to reduce logging and CPU usage for denied sessions?

A
  • config system settings
        set ses-denied-traffic enable
        set block-session-timer <1-300>
    end
  • With ses-denied-traffic enabled, a denied session stays in the session table for block-session-timer seconds, so repeated packets of that session are dropped without re-evaluating the policy or generating another log
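An added example, not from the original flashcards, that ties together the logging cards: the three log destinations, the default session-close logging versus the costlier session-start logging on a policy, and the denied-session cache from the card above. The interface names, the syslog and FortiAnalyzer server addresses (192.0.2.50 and 192.0.2.60) and the 30-second timer are assumptions.

```fortios
# Log destinations: local disk, a syslog server, and FortiAnalyzer
config log disk setting
    set status enable
end
config log syslogd setting
    set status enable
    set server "192.0.2.50"
    set mode udp
    set port 514
end
config log fortianalyzer setting
    set status enable
    set server "192.0.2.60"
end

config firewall policy
    # accepted traffic: logtraffic all records every session at close (default);
    # logtraffic-start enable would add a second log at session start
    edit 0
        set name "lan-to-wan-logged"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
        set logtraffic-start disable
    next
    # explicit deny with logging: every new denied packet would otherwise
    # cost a policy lookup and a log entry
    edit 0
        set name "deny-guest-to-lan"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Cache denied sessions for 30 seconds so repeats are dropped from the
# session table without another policy lookup or log
config system settings
    set ses-denied-traffic enable
    set block-session-timer 30
end
```

After applying this, `get system settings | grep ses-denied-traffic` shows the cache setting in effect; a host retrying a blocked connection inside the 30-second window produces one deny log rather than one per attempt.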
29
Q

What security profile options are not visible on the policy page by default? (GUI)

A
  • Video filter
  • VoIP
  • WAF
30
Q

Can you create an unnamed policy on the CLI and then edit it on the GUI?

A

Yes, but you must give the policy a unique name

31
Q

If you choose to match a FW policy with service, what must you enter?

A

Protocol and port number(s)

32
Q

Can you use a User as the destination of a Firewall policy?

A

No, only as the source