STUDY QUESTIONS2 Flashcards

1
Q

Why use block-session timer?

A

Denied packets can consume more CPU. If you add a session for denied packets, it will consume less.

2
Q

How do you enable sessions for denied packets?

A

Config system settings –> set ses-denied-traffic enable

3
Q

What is the default value for “set block-session-time” in System Global?

A

30 seconds

4
Q

FSSO - What are the different config modes?

A

DC Mode, Polling Mode and Terminal Server

5
Q

FSSO - There are 2 sub-types of Polling mode - mention them

A

Collector agent-based and Agentless

6
Q

FSSO - DC - What are the requirements for DC Mode?

A

One DC agent per domain controller, one collector agent on a Windows server

7
Q

FSSO - DC - what is the responsibility of a COLLECTOR AGENT (CA) in DC mode?

A

Group verification, workstation checks, update login records on FG, send domain local security group, OU

8
Q

FSSO - DC - How does it work?

A

1) User auth 2) DC agent sees log event and forwards to CA 3) CA sends it to FG

9
Q

FSSO - DC - What ports are used?

A

UDP 8002 (CA-DC) and TCP 8000 (CA and FG)

10
Q

FSSO - POLLING - With AGENT - What is required?

A

Only CA

11
Q

FSSO - POLLING - With AGENT - How does it work?

A

Agent polls each DOMAIN CONTROLLER for log event

12
Q

FSSO - POLLING - With AGENT - What ports are used?

A

SMB/TCP 445, TCP 135, 137, 139

13
Q

FSSO - POLLING - With AGENT - What methods exist to pull info?

A

1) WMI 2) WinSec 3) NETAPI

14
Q

FSSO - POLLING - With AGENT - Describe WMI

A

DC returns REQUESTED login events every 3 seconds (can read selected logs), reduces network

15
Q

FSSO - POLLING - With AGENT - Describe WinSecLog

A

CA polls all sec events every 10 sec (slower, latency, but sees all)

16
Q

FSSO - POLLING - With AGENT - Describe NetAPI

A

CA agent polls temporary sessions

17
Q

FSSO - POLLING - Agentless - How does it work?

A

FG polls info from DOMAIN CONTROLLER. More CPU / RAM required in FortiGate

18
Q

FSSO - FOR ALL - What are the requirements?

A

1) DNS-WORKSTATION 2) Log must contain NAMES, not IP 3) CA reach workstations (is it logged in?)

19
Q

CERTIFICATES - What contains information about the FQDN of the server?

A

Common Name

20
Q

CERTIFICATES - How can you tell if a CERT is issued to a USER or a SERVER?

A

By looking at the SUBJECT CN: if it’s a name you’ll know

21
Q

CERTIFICATES - What fields can be used to determine the server’s name?

A

1) Subject field in server cert (in Common Name) 2) Client Hello message (SNI extension) 3) SAN (“ALTERNATIVE”)

22
Q

CERTIFICATES - What are the requirements for a cert to be an “Issuer” as well?

A

1) Key Usage extension = Key cert sign 2) CA extension set to “true”

23
Q

In debug flow - what does msg="Denied by forward policy check (policy 0)" mean?

A

Packet is dropped because it matched no policy (implicit deny)