SSL VPN

Question 1

What are the two modes of SSL VPN?

Answer 1

Tunnel mode with a client, more protocols
Web mode with only a web browser. Supports limited protocols like FTP, HTTP/HTTPS, RDP, SSH Telnet etc.

Question 2

When users use Web Mode SSL VPN, what IP address is seen by internal devices?

Answer 2

Internal devices see the source address as the IP address of FTG, not the user’s IP Address

Question 3

What interface does Tunnel mode SSL VPN create on a PC?

Answer 3

A virtual network adapter identified as fortiss1, receives an IP add from FTG.

Question 4

Can FSSO remote password be used on SSL VPN?

Answer 4

No

Question 5

What are the two modes that SSL VPN portals can operate in?

Answer 5

Tunnel mode: Enable split tunneling,
Web mode

Question 5

Can you use both SSL VPN Client for VPN and SSL for administrative access on the same interface?

Answer 5

Yes, but you have to use different prot numbers.

Question 6

What is the default timeout for SSL VPNs?

Answer 6

300 seconds or five minutes.

Question 7

What are the two SSL tunnel IP allocation methods?

Answer 7

First available (default)
Round Robin

Question 8

What must be done when you pick round-robbin IP allocation for SSL VPN?

Answer 8

You must set address IP pools in vpn ssl settings, as portal pools are ignored.

Question 9

Do you have to create firewall policies for SSL VPN traffic?

Answer 9

Yes, otherwise no login portal is presented to users.

Question 10

What interface does SSL VPN user traffic exit from?

Answer 10

ssl.<vdom_name></vdom_name>

Question 11

What is the name of the exit interface for SSL VPN traffic if you have not enabled VDOMs?

Answer 11

ssl.root

Question 12

If you disable split tunnelling for SSL VPN you must

Answer 12

also create a policy that enables traffic from the egress interface to the internet.

Question 13

Can you use Client Integrity Checking on MACs?

Answer 13

No, only on Windows PC, because it uses the Windows Security Center to perform its checks.

Question 14

What is a GUID?

Answer 14

It is the ID that identifies each Windows application. You can use it for Client Integrity Checking.

Question 15

What checks can the Client Integrity checker perform?

Answer 15

AV and FW Software
Applications:
Active/Inactive
Current version number
Signature updates

Question 16

When does Client Integrity Checker perform it’s check?

Answer 16

Just after users authentication, if the required software is not running FTG drops the connection.

Question 17

What are the drawbacks of CIC?

Answer 17

All users must have their software up to date in order to connect.
Software updates can result in a change to the registry key values, preventing a user from connecting.

Question 18

What is the Default DTLS hello timeout?

Answer 18

Default 10 seconds

Question 19

What is the default login timeout for SSL VPN?

Answer 19

30 seconds.

Question 20

List the best practices for SSL VPN Web mode

Answer 20

Enable cookies
Set internet privacy to high
Use https://<FortiGateIP>:<port></port></FortiGateIP>

Question 21

List the best practices for tunnel mode connections

Answer 21

FortiClient version is compatible with FTG FortiOS firmware
Enable split tunneling
or
Disableit, and create an egress firewall policy towards the internet.