FCP_FGT_AD-7.4 FCP - FortiGate 7.4 Administrator Questions and Answers

The current setting for the root FortiGate (Local-FortiGate) is fabric-object-unification local, which means that new address objects are not shared across the security fabric. Changing this setting to fabric-object-unification default will allow address objects to be synchronized and shared with downstream devices like the ISFW.

FortiGate supports both pre-shared key and certificate signature methods for IKEv1 authentication. These methods provide flexibility depending on the security requirements of the network. Additionally, FortiGate supports Extended Authentication (XAuth), which requests a username and password from the remote peer, enhancing security by adding an extra layer of authentication. The XAuth method does not necessarily make the authentication faster; it is an additional security measure.

References:

FortiOS 7.4.1 Administration Guide: IPsec VPN Configuration

Based on the application sensor configuration and the filter details:

D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration: The "Excessive-Bandwidth" filter is set to block, which includes "FaceTime" under its application signature. As a result, FaceTime will be blocked regardless of the "Apple" filter configuration because the "Excessive-Bandwidth" filter takes precedence due to its block action setting.

The other options are not correct:

A. Apple FaceTime will be allowed, based on the Video/Audio category configuration: The Video/Audio category is not relevant because FaceTime is specifically included in the Excessive-Bandwidth filter, which blocks it.

B. Apple FaceTime will be allowed, based on the Apple filter configuration: Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this.

C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow: The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail.

References

FortiOS 7.4.1 Administration Guide - Application Control and Filtering, page 978.

FortiOS 7.4.1 Administration Guide - Application Sensor Configuration, page 982.

FGCP elects the primary FortiGate device

FGCP is responsible for electing the primary (active) device in a FortiGate HA (High Availability) cluster, ensuring proper role assignment between the primary and secondary devices.

FGCP runs only over the heartbeat links

FGCP runs over the dedicated heartbeat links between FortiGate devices in the HA cluster, ensuring synchronization and communication between the devices for failover and redundancy purposes.

An SD-WAN zone can contain physical and logical interfaces

SD-WAN zones can include both physical and logical interfaces, allowing flexible configuration for different network types.

You can use an SD-WAN zone in static route definitions

SD-WAN zones can be referenced in static routes, enabling dynamic path selection based on SD-WAN rules.

An SD-WAN zone is a logical grouping of members

An SD-WAN zone is a logical grouping of interfaces (members), used to simplify the management and application of SD-WAN rules.

FortiGate interfaces can be configured in different roles, such as WAN or LAN. If an interface is set as a "WAN" role, you cannot configure it to act as a DHCP server through the GUI. The interface role must be set to "LAN" or "Undefined" to allow DHCP server configuration.

References:

FortiOS 7.4.1 Administration Guide: DHCP Server Configuration

The "d-wan" zone in FortiGate SD-WAN configuration is the default SD-WAN zone created when SD-WAN is enabled. This zone contains all the interfaces assigned to SD-WAN and is essential for the functionality of the SD-WAN feature. The "d-wan" zone cannot be deleted because it is required for SD-WAN operations. Option A is incorrect because the underlay zone does not contain port1. Options B and D are incorrect because they incorrectly describe the configuration of zones.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Zone Configuration

Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.

The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:

The default route through port2 has an administrative distance of 20.

The default route through port1 has an administrative distance of 10.

Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2.

Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.

References:

FortiOS 7.4.1 Administration Guide: Default route configuration

FortiOS 7.4.1 Administration Guide: Routing table explanation

When full SSL inspection is enabled, FortiGate intercepts HTTPS traffic, decrypts it for inspection, and re-encrypts it using its own SSL certificate before forwarding it to the browser. If the browser does not trust the SSL certificate being used by FortiGate for re-encryption, it will display certificate warning errors. To resolve this, the certificate used by FortiGate for SSL inspection must be installed and trusted in the browser's certificate store.

Automation stitches on FortiGate can have one or more triggers, which are conditions or events that activate the automation stitch. The trigger defines when the automation stitch should execute the defined actions. Actions within a stitch can be executed sequentially or in parallel, depending on the configuration.

References:

FortiOS 7.4.1 Administration Guide: Automation Stitches

execute ping

This command helps test network connectivity by sending ICMP echo requests to a specified IP address to check if the device is reachable.

execute traceroute

This command traces the route packets take to a destination, which is useful for identifying network hops and potential delays or routing issues.

get system arp

This command shows the ARP (Address Resolution Protocol) table, which is used to map IP addresses to MAC addresses. It's useful for verifying IP-to-MAC address resolution on the network.

By default, SD-WAN members are skipped if they do not have a valid route to the destination

SD-WAN ensures that only members with valid routes to the destination are considered during routing decisions.

By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member

If the best route is not an SD-WAN member, SD-WAN rules are bypassed and standard routing takes over.

SD-WAN rules have precedence over any other type of routes

SD-WAN rules are evaluated first, meaning they take precedence over other routing mechanisms, such as static routes or policy-based routes.

FortiGate's application control can differentiate between parent and child applications and allows administrators to configure distinct actions for each. For example, it can identify Facebook (parent application) and specific functions within it (child applications) like Facebook video or chat, enabling more granular control over application traffic.

When SSL certificate inspection is enabled on a FortiGate device, the system uses the following three pieces of information to identify the hostname of the SSL server:

Server Name Indication (SNI) extension in the client hello message (B): The SNI is an extension in the client hello message of the SSL/TLS protocol. It indicates the hostname the client is attempting to connect to. This allows FortiGate to identify the server's hostname during the SSL handshake.

Subject Alternative Name (SAN) field in the server certificate (C): The SAN field in the server certificate lists additional hostnames or IP addresses that the certificate is valid for. FortiGate inspects this field to confirm the identity of the server.

Subject field in the server certificate (D): The Subject field contains the primary hostname or domain name for which the certificate was issued. FortiGate uses this information to match and validate the server’s identity during SSL certificate inspection.

The other options are not used in SSL certificate inspection for hostname identification:

Host field in the HTTP header (A): This is part of the HTTP request, not the SSL handshake, and is not used for SSL certificate inspection.

Serial number in the server certificate (E): The serial number is used for certificate management and revocation, not for hostname identification.

References

FortiOS 7.4.1 Administration Guide - SSL/SSH Inspection, page 1802.

FortiOS 7.4.1 Administration Guide - Configuring SSL/SSH Inspection Profile, page 1799.

When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi-Path (ECMP) is configured using the load-balance-mode parameter under SD-WAN settings. However, if SD-WAN is disabled, the ECMP load balancing algorithm can be configured under config system settings. This flexibility allows FortiGate to control traffic routing behavior based on the network configuration and requirements.

References:

FortiOS 7.4.1 Administration Guide: ECMP Configuration

The port1 and port2 default routes are active in the routing table

The routes with 0.0.0.0/0 for both port1 and port2 are marked with an asterisk * and > symbol, which indicates that these routes are active and selected in the routing table.

The port3 default route has the highest distance

The route via port3 has a distance of [20/0], which is higher than the distances for the routes via port1 [10/0] and port2 [30/0]. This indicates that the port3 default route has the highest distance.

Based on the system performance output provided, the memory usage on the FortiGate device is at 90%, which is above the green threshold (82%) but below the red threshold (88%). Given this high memory usage, the FortiGate device will enter "conserve mode" to prevent further resource exhaustion. In conserve mode:

B. FortiGate has entered conserve mode: When the memory usage reaches or exceeds certain thresholds (in this case, the green and red thresholds), the FortiGate enters conserve mode to protect itself from running out of memory entirely. This mode limits some functionalities to reduce memory usage and avoid a potential system crash.

D. Administrators can access FortiGate only through the console port: During conserve mode, administrative access might be restricted, and administrators may only be able to connect to the device via the console port. This restriction is in place to ensure that the FortiGate can be managed directly, even under low resource conditions.

The other options are not correct:

A. FortiGate will start sending all files to FortiSandbox for inspection: This is unrelated to memory usage and conserve mode.

C. Administrators cannot change the configuration: While access may be limited, configuration changes can still be made via the console port.

References

FortiOS 7.4.1 Administration Guide - Monitoring System Resources and Performance, page 325.

FortiOS 7.4.1 Administration Guide - Conserve Mode, page 330.

In flow-based inspection mode, FortiGate sends a reset (RST) packet to the client instead of providing a replacement message, which causes the block message not to be displayed.

The Reverse Path Forwarding (RPF) check is run on the first sent packet of any new session to ensure that the packet arrives on a legitimate interface. This check protects the network from IP spoofing attacks by verifying that a return route exists from the receiving interface back to the source IP address. If the route is invalid or not found, the packet is discarded. Options B and C are incorrect because RPF checks are performed on the first sent packet, not the reply packet.

References:

FortiOS 7.4.1 Administration Guide: Reverse Path Forwarding (RPF) Check

FortiGate's SD-WAN rule strategies for member selection include the following:

Manual with load balancing: This strategy allows an administrator to manually configure which SD-WAN member interfaces to use for specific traffic.

Lowest Cost (SLA) with load balancing: This strategy prioritizes the link with the lowest cost that meets the SLA requirements.

Best Quality with load balancing: This strategy selects the link with the best performance metrics, such as latency, jitter, or packet loss.

Options D and E are incorrect because "Lowest Quality" is not a valid strategy, and "Lowest Cost without load balancing" contradicts the requirement for load balancing in the strategy name.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Rule Strategies

A- The debug flow is for ICMP traffic.

B. A firewall policy allowed the connection.

C. A new traffic session was created.

D. The default route is required to receive a reply.

The debug flow is for ICMP traffic.

The output shows "proto=1," which indicates that the protocol is ICMP (Internet Control Message Protocol).

A new traffic session was created.

The message "allocate a new session-00003dd5" confirms that a new session was created for this traffic.