Infrastructure Flashcards
What relies on well-known FortiOS features such as IPSec, auto-discovery VPN, link monitoring, advanced routing, internet service database (ISDB), traffic shaping, UTM inspection, and load balancing.
SD-WAN
What is the default operation mode for the Fortigate?
NAT Mode
Standard routing table containing connected, static, and dynamic routes
RIB (Routing Information Base) table
Routing table from kernel point-of-view, contains RIB and specific system entries
FIB (Forwarding Information Base) table
Which route table does the Fortigate perform route lookups from?
FIB
“get router info kernel” does what?
CLI command to show the FIB table
Subsequent packets are routed according to what?
Session table
What is the first tiebreaker that routers use for best route?
Distance or Administrative Distance (AD)
If distance is the same on 2 or more dynamic routes, what is used to determine best route?
Metric (lower takes priority)
Two or more duplicate static routes with same distance and priority is what?
ECMP (Equal Cost Multi-Path) routes
Default priority for static routes?
1
What are the 4 algorithms for ECMP?
1) Source IP (default)
2) Source-Destination IP
3) Weighted
4) Usage (Spillover)
Reducing costs by steering more traffic over low-cost fast internet links rather than high-cost slow private links
Hybrid WAN
Most common use case for SD-WAN?
Direct Internet Access (DIA) or local breakout
SD-WAN steering rules are based on what?
Matching traffic criteria, Performance, and Preference
Where in the order do SD-WAN routes get processed?
Before FIB (routing table)
What is replaced with load-balance-mode when SD-WAN is enabled?
v4-ecmp-mode
What is the default ECMP algorithm on Fortigate
Source IP
How does Fortigate load balance traffic when using the spillover algorithm in ECMP routing?
Sessions are distributed based on interface thresholds
What is the mechanism that protects the Fortigate and the network from IP spoofing attacks by checking for a return path to the source in the route table?
Return Path Forwarding (RPF)
What are the two types of RPF?
Feasible Path and Strict
What does strict RPF do that Feasible Path RPF doesn’t?
Verifies that the matching source address and interface matches the best route
What satisfies the default RPF check?
Routing table has a route for the source IP of the packet through the incoming interface
Static routes are kept in the routing table unless:
associated interface is admin down, OR the link goes down, OR a duplicate route with a lower distance is present
Enables the Fortigate to detect dead links when the failure is beyond the local connection
Link Health Monitor
Default number of failed and successful probes to change the status with Link Health Monitor
5
Most accurate Link Health Monitor Protocol?
TWAMP (Two-Way Active Measurement Protocol)
Most deployed Link Health Monitor protocol?
PING
What are the 5 options for Link Health Monitor protocols?
Ping, TCP Echo, UDP Echo, TWAMP, and HTTP
What mechanism on the Fortigate brings down the alert interface after the monitored interface is detected dead?
Update cascade interface
When using link health monitoring, which route attribute can you configure to achieve route failover protection?
Distance
Command to show the active routes on CLI
get router info routing-table all
Command to show all active and in-active routes on CLI
get router info routing-table database
CLI command to show policy routes
diagnose firewall proute list
What are the ID values for the 3 types of policy routes?
1) Regular Policy Routes - <= 65535
2) ISDB Routes - > 65535 + has the vwl_service attribute
3) SD-WAN Routes - > 65535
CLI command for packet sniffer
diagnose sniffer packet <interface> <"filters">
What filter syntax does the packet sniffer use?
Berkeley Packet Filter (BPF)
Most commonly used verbosity levels for packet sniffer
4, 3, 6
What is the distance value for the following route?
“10.200.2.0/24 [100/2] via 10.200.2.254, [25/0]”
110
Firewall configuration that allows for multiple logical devices and divides one security domain into multiple security domains?
VDOMs
What are the two types of VDOMs?
Admin and Traffic
Which traffic is always generated from the management VDOM?
Fortiguard
What accounts can configure and backup all VDOMs?
Admin account and accounts assigned the Super_admin user profile
What is the traditional NGFW mode where UTM profiles are applied to each policy?
Profile based
What is the new NGFW mode where you add applications and web-filtering categories directly to a policy without creating a profile?
Policy-Based
What are the Global settings in a multi-VDOM Fortigate?
Hostname, HA settings, Fortiguard, System time, and Admin accounts
True/False: You can create global profiles for AV, Application Control, IPS, and Webfilter?
True
What is the virtual link that routes between VDOMs?
Inter-VDOM links
Which troubleshooting tool is most suitable when trying to verify the firewall policy used by an inter-VDOM link?
Packet Flow Trace
Which FSSO deployment mode does not require a collector agent?
Polling Mode
In FSSO, Fortigate allows network access based on what?
Passive user ID, IP address, and Group Membership
How do you fix a double DNS issue with FSSO collector agent?
Configure the following registry key on the DC:
“donot_resolve = (Dword) 1”
Location = HKLM/Software/Fortinet/FSAE/dcagent
What does the collector agent send?
Username, Hostname, IP address, User Groups
What port does the FSSO collector agent use to communicate with the Fortigate?
TCP/8000
What protocol does the FSSO collector agent use to communicate with the domain controller?
SMB (TCP/445)
What are the 3 methods for Polling Mode Collector Agent for collecting login info?
WMI, WinSecLog, and NetAPI
Which two Windows security log events does FSSO agentless polling use?
4768 and 4769
If you have collector agents using either the DC agent mode or the collector agent-based polling mode, which fabric connector should you select on the Fortigate?
Fortinet Single Sign-On Agent
Which naming conventions does the FSSO collector agent use to access the Windows AD in Standard access mode?
Windows convention - NetBios: Domain\groups
What CLI command do you run to display the list of FSSO users that are currently logged in?
diagnose debug authd fsso list
CLI command to manually refresh user group information from any directory service servers connected to the FortiGate
execute fsso refresh
Show status of communication between Fortigate and each collector agent
diagnose debug authd fsso server-status
Requires the use of “diag debug enable”
The command diagnose debug fsso-polling detail displays information for which mode of FSSO?
Agentless polling
An access control method that uses client device identification, authentication, and zero-trust tags to provide role-based application access
ZTNA
ZTNA has two modes:
ZTNA access proxy and IP/MAC filtering
What information does FortiClient provide to the FortiClient EMS when it registers?
- Device Info (network details, os, model, etc.)
- Logged in user info
- Security posture (on-fabric and off-fabric, antivirus, vulnerability status, etc.)
What does the FortiClient request on its first attempt to connect to the access proxy (FortiClient EMS)?
client device certificate from the EMS ZTNA CA.
What is required to make FortiClient work for ZTNA?
FortiClient EMS
When the endpoint network changes or user login and logout events occur, what happens?
The FortiClient triggers an X-FFCK-TAG message to the EMS even if there are no tag changes.
What is the default ZTNA CA that FortiClient EMS uses?
default_ZTNARootCA
What CLI command do you use to verify the client UID and certificate SN for a matching endpoint record on the FortiGate?
diagnose endpoint record list
What happens to the certificate when the endpoint disconnects or is unregistered from the FortiClient EMS?
The client certificate is removed from the certificate store and revoked on FortiClient EMS. The endpoint obtains a certificate again when it reconnects to EMS.
If the client cancels and responds with an empty client certificate, what has to be set in order to allow the client to continue with ZTNA proxy rule processing?
empty-cert-action accept