FCP_FGT_AD-7.4 FCP - FortiGate 7.4 Administrator Question and Answers

The source address remains 10.200.3.1 because FortiGate does not modify the source address by default unless NAT is applied (which is disabled in the policy).

The destination address is translated to 10.0.1.10 by the VIP (Virtual IP) object, as this is the internal server address mapped to the external IP 10.200.1.10.

The destination port is translated from 8080 to 80 as per the port forwarding rule configured in the VIP object.

To retrieve AD user group information in agentless polling mode, the administrator must add an LDAP server to the FortiGate device​.

Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.

By default, DNS queries to FortiGuard servers use UDP port 53.

FortiGate's SD-WAN rule strategies for member selection include the following:

Manual with load balancing: This strategy allows an administrator to manually configure which SD-WAN member interfaces to use for specific traffic.

Lowest Cost (SLA) with load balancing: This strategy prioritizes the link with the lowest cost that meets the SLA requirements.

Best Quality with load balancing: This strategy selects the link with the best performance metrics, such as latency, jitter, or packet loss.

Options D and E are incorrect because "Lowest Quality" is not a valid strategy, and "Lowest Cost without load balancing" contradicts the requirement for load balancing in the strategy name.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Rule Strategies

The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.

References:

FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration

The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:

The default route through port2 has an administrative distance of 20.

The default route through port1 has an administrative distance of 10.

Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2.

Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.

References:

FortiOS 7.4.1 Administration Guide: Default route configuration

FortiOS 7.4.1 Administration Guide: Routing table explanation

To deny access to the web server for Remote-User2 while allowing Remote-User1 to access the same web server, two configuration changes can be made:

Enable match-vip in the Deny policy:By enabling the match-vip option in the Deny policy, the FortiGate will check for virtual IP (VIP) objects during policy matching. This setting allows the firewall policy to correctly identify and block traffic directed to a specific mapped IP address, such as the web server, when using a VIP configuration.

Set the Destination address as Webserver in the Deny policy:Setting the Destination address to "Webserver" in the Deny policy ensures that the policy specifically targets traffic attempting to reach the web server. This configuration helps to precisely control which traffic should be blocked, focusing the Deny policy on the intended destination.

References:

FortiOS 7.4.1 Administration Guide: Deny matching with a policy with a virtual IP applied​

FortiOS 7.4.1 Administration Guide: Configuring Policies with VIPs

FortiGate continues to run critical security actions, such as quarantine.

Even in conserve mode, FortiGate prioritizes critical security functions to ensure basic protections are still in place, such as quarantining malicious traffic.

FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled.

When the system is in conserve mode and the "fail-open" setting is enabled, FortiGate will allow traffic to pass without IPS inspection to ensure traffic flow continuity despite resource limitations.

Flow-based inspection optimizes performance compared to proxy-based inspection.

Flow-based inspection scans traffic in real-time as it passes through, resulting in better performance compared to proxy-based inspection, which buffers traffic.

FortiGate buffers the whole file but transmits to the client at the same time.

In flow-based inspection, the file is scanned while it is being transmitted, improving speed and reducing latency.

The IPS engine handles the process as a standalone.

In flow-based antivirus inspection, the IPS engine is used to inspect traffic, making it more efficient and integrated within the broader security mechanisms.

Based on the system performance output provided, the memory usage on the FortiGate device is at 90%, which is above the green threshold (82%) but below the red threshold (88%). Given this high memory usage, the FortiGate device will enter "conserve mode" to prevent further resource exhaustion. In conserve mode:

B. FortiGate has entered conserve mode: When the memory usage reaches or exceeds certain thresholds (in this case, the green and red thresholds), the FortiGate enters conserve mode to protect itself from running out of memory entirely. This mode limits some functionalities to reduce memory usage and avoid a potential system crash.

D. Administrators can access FortiGate only through the console port: During conserve mode, administrative access might be restricted, and administrators may only be able to connect to the device via the console port. This restriction is in place to ensure that the FortiGate can be managed directly, even under low resource conditions.

The other options are not correct:

A. FortiGate will start sending all files to FortiSandbox for inspection: This is unrelated to memory usage and conserve mode.

C. Administrators cannot change the configuration: While access may be limited, configuration changes can still be made via the console port.

References

FortiOS 7.4.1 Administration Guide - Monitoring System Resources and Performance, page 325.

FortiOS 7.4.1 Administration Guide - Conserve Mode, page 330.

The IPS sensor configuration shows that:

The Microsoft.Windows.iSCSI.Target.DoS signature is set to "Monitor" with packet logging enabled, meaning that while traffic matching this signature will be allowed, it will also be logged for further analysis.

The generic Windows filter is set to "Block," meaning that all other attacks matching this filter will be blocked. However, the sensor will not reset connections or log packets unless specified.

Therefore, the sensor will allow attackers matching the specific DoS signature while blocking other attacks against Windows.

References:

FortiOS 7.4.1 Administration Guide: IPS Configuration

A- The debug flow is for ICMP traffic.

B. A firewall policy allowed the connection.

C. A new traffic session was created.

D. The default route is required to receive a reply.

The debug flow is for ICMP traffic.

The output shows "proto=1," which indicates that the protocol is ICMP (Internet Control Message Protocol).

A new traffic session was created.

The message "allocate a new session-00003dd5" confirms that a new session was created for this traffic.

execute ping

This command helps test network connectivity by sending ICMP echo requests to a specified IP address to check if the device is reachable.

execute traceroute

This command traces the route packets take to a destination, which is useful for identifying network hops and potential delays or routing issues.

get system arp

This command shows the ARP (Address Resolution Protocol) table, which is used to map IP addresses to MAC addresses. It's useful for verifying IP-to-MAC address resolution on the network.

In this scenario, the FortiGate device is using a Virtual IP (VIP) to map the public IP address (203.0.113.2) to the internal IP address of the web server (172.16.1.10). The fact that the administrator does not see any sniffer output for incoming traffic suggests that the FortiGate is not responding to ARP requests for the public IP address (203.0.113.2).

Enabling arp-reply in the VIP configuration allows the FortiGate to respond to ARP requests for the public IP, thereby allowing traffic to reach the FortiGate, which will then forward it to the web server based on the VIP mapping.

When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there are three valid actions it can take:

Allow & Warning: This action allows the session but generates a warning.

Block & Warning: This action blocks the session and generates a warning.

Block: This action blocks the session without generating a warning.

Actions such as "Trust & Allow" or just "Allow" without additional configurations are not applicable in the context of handling invalid certificates.

References:

FortiOS 7.4.1 Administration Guide: Configuring SSL/SSH inspection profile

The sniffer output shows that packets from the web client are reaching the FortiGate and being forwarded to the web server, but there is no indication that the web server is responding. To troubleshoot this issue, executing a debug flow will help analyze the traffic path and pinpoint where the problem might be occurring, such as a possible issue in firewall policy or route settings that is causing the server not to respond correctly.

References:

FortiOS 7.4.1 Administration Guide: Troubleshooting network connectivity

A session for denied traffic is created.

The command set ses-denied-traffic enable ensures that sessions for denied traffic are logged, meaning a session will be created for traffic that is denied by security policies.

The number of logs generated by denied traffic is reduced.

The set block-session-timer 30 command sets a timer to prevent excessive logging of denied traffic within a short period, which helps reduce the number of logs generated by repeated denied traffic sessions. This timer blocks sessions for a specified period (30 seconds in this case) to avoid overwhelming the log system with repetitive entries.

IPsec security associations

IPsec security associations (SAs) are synchronized between HA members to ensure seamless failover and continuity of VPN tunnels.

DHCP leases

DHCP lease information is synchronized between HA members to maintain consistent IP address assignments and prevent disruptions when failover occurs.

www.example.com

This syntax targets the main domain, which is a common way to configure a web rating override for the home page of a website.

example.com

This syntax also correctly targets the main domain without specifying a subdomain (like "www"), which is valid for configuring a web rating override for the entire site, including the home page.

The firewall policy shown in the exhibit is configured in flow-based inspection mode. In flow-based inspection, certain security features, such as deep content inspection, might not be as effective as in proxy-based mode. Proxy-based inspection is necessary for thorough content inspection, which includes identifying and blocking well-known viruses like EICAR.

References:

FortiOS 7.4.1 Administration Guide: Inspection Modes

To block access specifically to download.com while allowing other sites in the "Freeware and Software Downloads" category, you can create a separate firewall policy with a deny action specifically for the FQDN *.download.com. This approach allows blocking this particular site without affecting the other sites in the same category. Alternatively, configuring a static URL filter entry with the type set to Wildcard and action set to Block will also achieve the desired effect by directly blocking the specific URL without impacting other sites in the category.

References:

FortiOS 7.4.1 Administration Guide: URL filter configuration

The selected SSL inspection profile has certificate inspection enabled

If the SSL inspection profile is set to certificate inspection instead of full SSL inspection, FortiGate will only inspect the certificate of the HTTPS connection but will not decrypt and inspect the actual traffic content, leading to a failure in virus detection.

The website is exempted from SSL inspection

If the website hosting the EICAR test file is exempt from SSL inspection, FortiGate will not decrypt the traffic, meaning it cannot inspect the file content for viruses, resulting in the file being downloaded without detection.