Firewall Policy/NAT

Question 1

What are the two ways to SNAT traffic?

Answer 1

• Use the outgoing interface address
• Use the dynamic IP pool

Question 2

What are the four types of IP pools?

Answer 2

• Overload
• One-to-one
• Fixed port range
• Port block allocation

Question 3

What are the two types of IP pools more commonly used for CGN?

Answer 3

• Fixed port range
• Port block allocation

Question 4

What is the default pool type?

Answer 4

Overload

Question 5

What are characteristics of the overload IP pool type?

Answer 5

• A many-to-one or many-to-few relationship
• PAT is used

Question 6

How does the one-to-one pool type work?

Answer 6

FortiGate assigns an IP pool address to an internal host on a first-come, first-served basis

Question 7

Where do you enable DNAT?

Answer 7

Use a VIP object on a FW policy

Question 8

What is the default VIP type?

Answer 8

Static NAT; one-to-one

Question 9

If the VIP is not referenced in an incoming firewall policy, or the policy is disabled, what happens?

Answer 9

It uses the external interface IP address

Question 10

Do VIPs match on FW policies?

Answer 10

No

Question 11

How does port forwarding on VIP work?

Answer 11

• Redirect the traffic matching the external address and port in the VIP to the mapped internal address and port
• When you enable port forwarding, FortiGate no longer performs one-to-one mapping

Question 12

Which inspection mode optimizes performance?

Answer 12

Flow-based

Question 13

What is the default inspection mode?

Answer 13

Flow-based

Question 14

How does proxy-based inspection work?

Answer 14

• FortiGate buffers traffic and examines the data as a whole
• Examines more points of data than flow-based inspection

Question 15

Video filter, WAF, Inline CASB, and ICAP are only available in what inspection mode?

Answer 15

Proxy-based

Question 16

What does it mean if you do not see the inspection mode setting in the GUI?

Answer 16

You have a low-end platform with 2 GB of RAM or less

Question 17

How do security profiles protect your network?

Answer 17

• Block threats
• Control access to certain applications and URLs
• Prevent specific data from leaving your network

Question 18

What is the benefit of using Geographic-based ISDB objects?

Answer 18

Allow for more granular control over the location of the parent ISDB object

Question 19

Where does FortiGate support storing logs?

Answer 19

• FortiGate local and cloud
• FortiAnalyzer local and cloud
• Syslog

Question 20

If logging is enabled on a FW policy, when does FortiGate generate the log by default?

Answer 20

• After the policy closes an IP session
• You can enable starting logging when the session begins, but increased logging decreases performance

Question 21

What are some characteristics of ARP reply?

Answer 21

• Instructs FortiGate to reply to ARP requests for external addresses
• Enabled by default
• Sometimes required to overcome routing misconfigurations

Question 22

What is ISDB

Answer 22

Internet Service Database

Question 23

How can a customer authenticate on FortiGate?

Answer 23

• Local Account
• Remote Server
• FSSO
• PKI

Question 24

Can you select both a source IP and ISDB as a source in a FW policy?

Answer 24

No

Question 25

Do policy IDs display by default on the GUI?

Answer 25

No

Question 26

Are IPv4 and IPv6 combined into a single policy?

Answer 26

Yes

Question 27

If you don’t see “Generate Logs” when sessions start, what does that mean?

Answer 27

FortiGate does not have an internal hard drive for logging

Question 28

What command allows you to reduce logging and CPU usage of denied sesions?

Answer 28

• config system setting
• config ses-denied-traffic [disable | enable]
• set block-session-timer [1-300]

Question 29

What security profile options are not visible on the policy page by default? (GUI)

Answer 29

• Video filter
• VOIP
• WAF

Question 30

Can you create an unnamed policy on the CLI and then edit it on the GUI?

Answer 30

Yes, but you must give the policy a unique name

Question 31

If you choose to match a FW policy with service, what must you enter?

Answer 31

Protocol and port

Question 32

Can you use a User as the destination of a Firewall policy?

Answer 32

No, only source