FCP_FGT_AD-7.4 FCP - FortiGate 7.4 Administrator Questions and Answers

FortiGate's SD-WAN rule strategies for member selection include the following:

Manual with load balancing: This strategy allows an administrator to manually configure which SD-WAN member interfaces to use for specific traffic.

Lowest Cost (SLA) with load balancing: This strategy prioritizes the link with the lowest cost that meets the SLA requirements.

Best Quality with load balancing: This strategy selects the link with the best performance metrics, such as latency, jitter, or packet loss.

Options D and E are incorrect because "Lowest Quality" is not a valid strategy, and "Lowest Cost without load balancing" contradicts the requirement for load balancing in the strategy name.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Rule Strategies

For traffic that does not match any of the defined SD-WAN rules, the default implicit SD-WAN rule is applied. By default, the FortiGate uses a "source-destination IP-based" algorithm, which means all traffic from a specific source IP to a specific destination IP is sent through the same interface. This ensures that a consistent path is used for traffic between the same source and destination IP addresses. Options B, C, and D do not apply because the default algorithm does not prioritize by latency, session count, or source IP alone.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Load Balancing Algorithms​

By default, DNS queries to FortiGuard servers use UDP port 53.

The "d-wan" zone in FortiGate SD-WAN configuration is the default SD-WAN zone created when SD-WAN is enabled. This zone contains all the interfaces assigned to SD-WAN and is essential for the functionality of the SD-WAN feature. The "d-wan" zone cannot be deleted because it is required for SD-WAN operations. Option A is incorrect because the underlay zone does not contain port1. Options B and D are incorrect because they incorrectly describe the configuration of zones.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Zone Configuration

In flow-based inspection mode, FortiGate sends a reset (RST) packet to the client instead of providing a replacement message, which causes the block message not to be displayed.

The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:

The default route through port2 has an administrative distance of 20.

The default route through port1 has an administrative distance of 10.

Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of 10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2.

Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.

References:

FortiOS 7.4.1 Administration Guide: Default route configuration

FortiOS 7.4.1 Administration Guide: Routing table explanation

A- The debug flow is for ICMP traffic.

B. A firewall policy allowed the connection.

C. A new traffic session was created.

D. The default route is required to receive a reply.

The debug flow is for ICMP traffic.

The output shows "proto=1," which indicates that the protocol is ICMP (Internet Control Message Protocol).

A new traffic session was created.

The message "allocate a new session-00003dd5" confirms that a new session was created for this traffic.

The selected SSL inspection profile has certificate inspection enabled

If the SSL inspection profile is set to certificate inspection instead of full SSL inspection, FortiGate will only inspect the certificate of the HTTPS connection but will not decrypt and inspect the actual traffic content, leading to a failure in virus detection.

The website is exempted from SSL inspection

If the website hosting the EICAR test file is exempt from SSL inspection, FortiGate will not decrypt the traffic, meaning it cannot inspect the file content for viruses, resulting in the file being downloaded without detection.

FortiGate's application control can differentiate between parent and child applications and allows administrators to configure distinct actions for each. For example, it can identify Facebook (parent application) and specific functions within it (child applications) like Facebook video or chat, enabling more granular control over application traffic.

IPsec security associations

IPsec security associations (SAs) are synchronized between HA members to ensure seamless failover and continuity of VPN tunnels.

DHCP leases

DHCP lease information is synchronized between HA members to maintain consistent IP address assignments and prevent disruptions when failover occurs.

FortiGate supports both pre-shared key and certificate signature methods for IKEv1 authentication. These methods provide flexibility depending on the security requirements of the network. Additionally, FortiGate supports Extended Authentication (XAuth), which requests a username and password from the remote peer, enhancing security by adding an extra layer of authentication. The XAuth method does not necessarily make the authentication faster; it is an additional security measure.

References:

FortiOS 7.4.1 Administration Guide: IPsec VPN Configuration

FortiGate interfaces can be configured in different roles, such as WAN or LAN. If an interface is set as a "WAN" role, you cannot configure it to act as a DHCP server through the GUI. The interface role must be set to "LAN" or "Undefined" to allow DHCP server configuration.

References:

FortiOS 7.4.1 Administration Guide: DHCP Server Configuration

Option 5 in the IPS diagnostic command toggles the bypass status. If this option is used and results in a decrease in CPU usage, it means the IPS engine is no longer processing traffic, effectively blocking or bypassing the traffic. In this case, IPS is not inspecting the traffic anymore, leading to a decrease in CPU usage, which indicates that the traffic might be blocked instead of inspected.

To retrieve AD user group information in agentless polling mode, the administrator must add an LDAP server to the FortiGate device​.

Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.

If the SD-WAN traffic logs do not show the specific SD-WAN rule name, it likely means that FortiGate is using the default or implicit SD-WAN rule to balance traffic. The implicit rule comes into effect when no explicit SD-WAN rule is matched, and as a result, the SD-WAN rule name is not displayed in the logs. The default behavior is to load balance the traffic across available interfaces based on SD-WAN strategy.

Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

Flow-based inspection allows real-time scanning of files as they are being transmitted, with minimal impact on performance.

In proxy-based inspection mode antivirus scanning buffers the whole file for scanning, before sending it to the client.

Proxy-based inspection mode holds the file completely, scans it for threats, and only sends the file to the client if no threats are detected.

When the HA override setting is disabled, FortiGate uses the primary election process based on the following criteria:

Connected monitored ports: The unit with the most monitored ports up is preferred.

Priority: The unit with the highest priority is preferred.

System uptime: The unit with the longest uptime is preferred.

FortiGate serial number: Used as the final criterion to break any remaining ties.

References:

FortiOS 7.4.1 Administration Guide: HA election process

FGCP elects the primary FortiGate device

FGCP is responsible for electing the primary (active) device in a FortiGate HA (High Availability) cluster, ensuring proper role assignment between the primary and secondary devices.

FGCP runs only over the heartbeat links

FGCP runs over the dedicated heartbeat links between FortiGate devices in the HA cluster, ensuring synchronization and communication between the devices for failover and redundancy purposes.

The sniffer output shows that packets from the web client are reaching the FortiGate and being forwarded to the web server, but there is no indication that the web server is responding. To troubleshoot this issue, executing a debug flow will help analyze the traffic path and pinpoint where the problem might be occurring, such as a possible issue in firewall policy or route settings that is causing the server not to respond correctly.

References:

FortiOS 7.4.1 Administration Guide: Troubleshooting network connectivity

The application control engine on a FortiGate next-generation firewall is responsible for identifying and managing application traffic. It allows administrators to set policies based on application types, regardless of the port or protocol being used.

When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi-Path (ECMP) is configured using the load-balance-mode parameter under SD-WAN settings. However, if SD-WAN is disabled, the ECMP load balancing algorithm can be configured under config system settings. This flexibility allows FortiGate to control traffic routing behavior based on the network configuration and requirements.

References:

FortiOS 7.4.1 Administration Guide: ECMP Configuration