Firewall Policy/NAT Flashcards
What are the two ways to SNAT traffic?
- Use the outgoing interface address
- Use the dynamic IP pool
What are the four types of IP pools?
- Overload
- One-to-one
- Fixed port range
- Port block allocation
What are the two types of IP pools more commonly used for CGN?
- Fixed port range
- Port block allocation
What is the default pool type?
Overload
What are characteristics of the overload IP pool type?
- A many-to-one or many-to-few relationship
- PAT is used
How does the one-to-one pool type work?
FortiGate assigns an IP pool address to an internal host on a first-come, first-served basis
Where do you enable DNAT?
Use a VIP object on a FW policy
What is the default VIP type?
Static NAT; one-to-one
If the VIP is not referenced in an incoming firewall policy, or the policy is disabled, what happens?
It uses the external interface IP address
Do VIPs match on FW policies?
No
How does port forwarding on VIP work?
- Redirect the traffic matching the external address and port in the VIP to the mapped internal address and port
- When you enable port forwarding, FortiGate no longer performs one-to-one mapping
Which inspection mode optimizes performance?
Flow-based
What is the default inspection mode?
Flow-based
How does proxy-based inspection work?
- FortiGate buffers traffic and examines the data as a whole
- Examines more points of data than flow-based inspection
Video filter, WAF, Inline CASB, and ICAP are only available in what inspection mode?
Proxy-based
What does it mean if you do not see the inspection mode setting in the GUI?
You have a low-end platform with 2 GB of RAM or less
How do security profiles protect your network?
- Block threats
- Control access to certain applications and URLs
- Prevent specific data from leaving your network
What is the benefit of using Geographic-based ISDB objects?
Allow for more granular control over the location of the parent ISDB object
Where does FortiGate support storing logs?
- FortiGate local and cloud
- FortiAnalyzer local and cloud
- Syslog
If logging is enabled on a FW policy, when does FortiGate generate the log by default?
- After the policy closes an IP session
- You can enable starting logging when the session begins, but increased logging decreases performance
What are some characteristics of ARP reply?
- Instructs FortiGate to reply to ARP requests for external addresses
- Enabled by default
- Sometimes required to overcome routing misconfigurations
What is ISDB?
Internet Service Database
How can a customer authenticate on FortiGate?
- Local Account
- Remote Server
- FSSO
- PKI
Can you select both a source IP and ISDB as a source in a FW policy?
No
Do policy IDs display by default on the GUI?
No
Are IPv4 and IPv6 combined into a single policy?
Yes
If you don’t see “Generate Logs” when sessions start, what does that mean?
FortiGate does not have an internal hard drive for logging
What commands allow you to reduce logging and CPU usage of denied sessions?
- config system settings
- set ses-denied-traffic [disable | enable]
- set block-session-timer [1-300]
What security profile options are not visible on the policy page by default? (GUI)
- Video filter
- VoIP
- WAF
Can you create an unnamed policy on the CLI and then edit it on the GUI?
Yes, but you must give the policy a unique name
If you choose to match a FW policy with service, what must you enter?
Protocol and port
Can you use a User as the destination of a Firewall policy?
No, only source