SSL VPN Flashcards

1
Q

What are the two modes of SSL VPN?

A

Tunnel mode: requires the FortiClient (or another compatible SSL VPN client) on the endpoint and carries any IP-based traffic, so it supports the most protocols.
Web mode: needs only a web browser and supports a limited set of protocols through portal bookmarks: HTTP/HTTPS, FTP, SMB/CIFS, RDP, SSH, Telnet, VNC and ping.

2
Q

When users use Web Mode SSL VPN, what IP address is seen by internal devices?

A

Internal devices see the FortiGate's internal interface IP address as the source, not the user's IP address, because in web mode the FortiGate proxies the connection on the user's behalf.

3
Q

What interface does Tunnel mode SSL VPN create on a PC?

A

A virtual network adapter named fortissl, which receives an IP address from the FortiGate's SSL VPN tunnel IP pool.

4
Q

Can FSSO (Fortinet Single Sign-On) be used as the authentication method for SSL VPN users?

A

No. FSSO is a passive, transparent method that learns identities from logon events; it cannot authenticate an SSL VPN login. SSL VPN users must authenticate as local users or against a remote authentication server (LDAP, RADIUS or TACACS+).

5
Q

What are the two modes that SSL VPN portals can operate in?

A

Tunnel mode (with split tunneling enabled or disabled)
Web mode

5
Q

Can you run the SSL VPN and HTTPS administrative access on the same interface?

A

Yes, but they must listen on different port numbers (for example, admin HTTPS on TCP 443 and the SSL VPN on TCP 10443).

6
Q

What is the default idle timeout for SSL VPN sessions?

A

300 seconds (five minutes). A session with no traffic for that long is disconnected.

7
Q

What are the two SSL tunnel IP allocation methods?

A

First available (default): each client gets the lowest free address in the pool.
Round robin: addresses are handed out in rotation through the pool.

8
Q

What must be done when you pick round-robin IP allocation for SSL VPN?

A

You must define the tunnel IP pools in the global SSL VPN settings (VPN > SSL-VPN Settings, or config vpn ssl settings in the CLI), because with round-robin allocation the IP pools configured in the portal are ignored.
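The following FortiOS CLI configuration is an added example, not part of the original flashcards, that puts cards 5 through 8 together on one box: the admin HTTPS port and the SSL VPN listening port kept distinct on the same interface, the default idle, login and DTLS hello timeouts stated explicitly, and round-robin allocation from a pool defined in the global settings. The interface name wan1, the certificate name, the pool name SSLVPN_TUNNEL_ADDR1 with its address range, the user group sslvpn-users and the portal names are assumptions chosen for the example.

```fortios
# Admin HTTPS and the SSL VPN share wan1, so they must listen on different ports.
config system global
    set admin-sport 443
end

# Tunnel IP pool as an address object (name and range are assumed for the example).
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    # 10443 is distinct from admin-sport 443 on the same interface.
    set port 10443
    # These three are the defaults; shown so the values are explicit.
    set idle-timeout 300
    set login-timeout 30
    set dtls-hello-timeout 10
    # Round-robin uses only the global tunnel-ip-pools; portal ip-pools are ignored.
    set tunnel-addr-assigned-method round-robin
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
```

If you switch tunnel-addr-assigned-method back to first-available, the pools set in each portal take effect again, so check both places when clients report address conflicts or pool exhaustion.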

9
Q

Do you have to create firewall policies for SSL VPN traffic?

A

Yes. At least one firewall policy whose source interface is the SSL VPN interface (ssl.root, or ssl.<vdom_name> when VDOMs are enabled) must exist; otherwise the FortiGate does not present the login portal on the listening interface.

10
Q

What interface does SSL VPN user traffic exit from?

A

ssl.<vdom_name>

11
Q

What is the name of the exit interface for SSL VPN traffic if you have not enabled VDOMs?

A

ssl.root

12
Q

If you disable split tunneling for SSL VPN, what else must you do?

A

Also create a firewall policy from the SSL VPN interface (ssl.root) to the internet-facing interface with NAT enabled, because all of the client's traffic, including its internet traffic, now enters the tunnel and must be allowed back out.
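The following FortiOS CLI configuration is an added example, not part of the original flashcards, covering cards 9 through 12 as one procedure: a portal with both modes enabled and split tunneling disabled, the policy from ssl.root into the LAN that makes the login portal appear, and the extra NAT policy from ssl.root to the WAN that non-split tunneling requires. The interface names port2 and wan1, the address objects SSLVPN_TUNNEL_ADDR1 and LAN_NET, the group sslvpn-users and the policy IDs are assumptions for the example; the box is assumed to have no VDOMs, hence ssl.root.

```fortios
# Portal with web and tunnel mode; split tunneling disabled sends all client traffic into the tunnel.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

config firewall policy
    # Policy 10: without at least one policy with srcintf ssl.root, no login portal is presented.
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_NET"
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
        set logtraffic all
    next
    # Policy 11: needed only because split tunneling is disabled.
    # Client internet traffic leaves via wan1 and must be NATed to the WAN address.
    edit 11
        set name "SSLVPN-to-Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
        set nat enable
        set logtraffic all
    next
end
```

If you instead enable split tunneling on the portal, policy 11 is unnecessary and should be removed, since the client then routes only the destinations the FortiGate advertises through the tunnel and everything else goes out its local gateway; leaving an open ssl.root-to-internet policy in that case widens the VPN's exposure for no benefit.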

13
Q

Can you use Client Integrity Checking on Macs?

A

No. It is supported only on Windows PCs, because it relies on the Windows Security Center to report the state of the antivirus and firewall software.

14
Q

What is a GUID?

A

A Globally Unique Identifier: the ID that identifies each installed Windows application. Client Integrity Checking uses an application's GUID to recognise the required security software.

15
Q

What checks can the Client Integrity checker perform?

A

Antivirus and firewall software, checking for each application whether it is:
active or inactive
at the required version number
up to date with its signature updates

16
Q

When does the Client Integrity Checker perform its check?

A

Just after the user authenticates. If the required software is not running, the FortiGate drops the connection.

17
Q

What are the drawbacks of CIC?

A

All users must keep their security software up to date in order to connect.
Software updates can change the registry key values the check looks for, preventing a user from connecting until the check is updated.

18
Q

What is the Default DTLS hello timeout?

A

10 seconds.

19
Q

What is the default login timeout for SSL VPN?

A

30 seconds.

20
Q

List the best practices for SSL VPN Web mode

A

Enable cookies in the browser.
Set the browser's internet privacy level to high.
Connect with https://<FortiGateIP>:<port>, using the SSL VPN listening port rather than the admin port.

21
Q

List the best practices for tunnel mode connections

A

Use a FortiClient version that is compatible with the FortiGate's FortiOS firmware.
Enable split tunneling,
or
disable it and create an egress firewall policy from the SSL VPN interface towards the internet.
