FCSS_EFW_AD-7.4 FCSS - Enterprise Firewall 7.4 Administrator Questions and Answers

Thebest way to automate a firewall policyusing a daily updated list ofIP addressesis by using anexternal connector from Threat Feeds. This allows FortiGate to dynamically retrievereal-time threat intelligencefrom external sources and apply it directly to security policies.

By configuringThreat Feeds, the administrator can:

●Automatically updatefirewall policies with the latest malicious IPs daily.

●Block trafficfrom those IPs in real-time without manual intervention.

●Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).

When configuringADVPN (Auto-Discovery VPN)to connectoverlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

●set auto-discovery-crossover enable

● Thisallows cross-hub tunnel discoveryin an ADVPN deployment where multiple hubs are used.

● SinceHub A and Hub Bbelong to different overlays, enablingcrossover discoveryensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

●set enforce-multihop enable

● This setting ensures thatBGP peers using loopback interfacescan establish connectivityeven if they are not directly connected.

●Multihop BGP sessionsare required when usingloopback addresses as BGP peer sourcesbecause the connection might need to traverse multiple routers before reaching the BGP neighbor.

● This is especially useful inADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.

In this scenario, thecorporate networkand thenew remote office networkneed to communicate over theInternet, which requires asecure and dynamic routing method. Since both networks are usingOSPF (Open Shortest Path First)as the routing protocol, the best approach is to establish anOSPF over IPsec VPNto ensure secure and dynamic route propagation.

OSPF is already running on the corporate network, and extending it over an IPsec tunnel allows dynamic route exchange between the corporate FortiGate and the remote office FortiGate.IPsec provides encryptionfor traffic over the Internet, ensuring secure communication.OSPF over IPsec eliminates the need for manual static routes, allowing automatic route updates if networks change.

The new remote office's192.168.1.0/24 subnetwill be advertised dynamically to the corporate network without additional configuration.

The diagram shows a FortiGate connected to two FortiSwitches, which suggests the use ofFortiLink, Fortinet's protocol for managing switches directly from a FortiGate. Since multiple connections are being used, the LAN interface must be set to802.3ad (LAG)mode to aggregate the links for redundancy and load balancing.

This setup allows FortiGate to handle VLAN assignments dynamically, as seen withVLAN 10 (192.168.15.1/24). FortiLink ensures seamless integration between FortiGate and FortiSwitches, making STP unnecessary because Fortinet'sMCLAGprevents loops at Layer 2. SD-WAN, on the other hand, is used for WAN interfaces and does not apply to switch connectivity in this scenario.

Use metadata variables to dynamically assign values according to each FortiGate device:Metadata variables in FortiManager allow device-specific configurations to be dynamically assigned without manually configuring each FortiGate. This is especially useful when deploying multiple devices with similar base configurations.

Use provisioning templates and install configuration settings at the device layer:Provisioning templates in FortiManager provide a structured way to configure FortiGate devices. These templates can define interfaces, policies, and settings, ensuring that each device is correctly configured upon deployment.

Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices:Zero-Touch Provisioning (ZTP) and Local Touch Provisioning (LTP) help automate the deployment of FortiGate devices. By adding devices as model devices in FortiManager, configurations can be pushed automatically when devices connect for the first time, reducing manual effort.

The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).

● npu_flag=20:

● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.

● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:

● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.

● npu_selid=1:

● This value means the session selector for the NPU offloaded SA is active.

Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

In anIBGP (Internal BGP) network, all routers must befully meshed, meaning every router must establish a BGP session with every other router in the sameautonomous system (AS). Thisdoes not scale wellin large networks due to the exponential increase in BGP sessions.

Tooptimize and scale IBGP,Route Reflectors (RRs)are used. ARoute Reflector (RR)reduces the number ofIBGP peer connectionsby allowing acentralized router (RR)to redistribute IBGP routes to other IBGP peers (calledclients). This eliminates the need for afull mesh, significantlyreducing BGP session overhead.

By configuring theroute-reflector-clientsetting on IBGP peers, an administrator can:

●Scale IBGP sessionsby reducing the number of direct BGP peer connections.

●Optimize the routing tableby ensuring routes are efficiently propagated within the IBGP network.

●Eliminate the need for full mesh topology, making IBGP more manageable.

The excessiveDNS log requests with random subdomainssuggest aDNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can useboth UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.

Using anIPS profile with DNS exfiltration-specific signaturesallows FortiGate to:

●Detect and block abnormal DNS query patternsoften used in exfiltration.

●Inspect encrypted DNS (DoH, DoT) trafficif SSL inspection is enabled.

●Identify known exfiltration domains and techniquesbased on FortiGuard threat intelligence.

IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.

It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.

IKEv2 supports stronger cryptographic algorithms, includingElliptic Curve Diffie-Hellman (ECDH)groups such asECP256 and ECP384, providing improved security compared to IKEv1.

It supports the extensible authentication protocol (EAP).

IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such asRADIUS, certificates, and smart cards. This is particularly useful forremote access VPNswhere user authentication must be flexible and secure.

TheConfiguration Revision Historywindow inFortiManagershows that the most recent configuration change (ID 10) was created byscript_managerwith the actionRetrieved.

Sincescript_manageris a system-level script execution user, the IT team needs to findwho actually triggered this script. This can be done by:

● Checking theFortiManager system logsforscript execution events.

● Using thetype=scriptfilter to locate the administrator associated with the script execution.

From the exhibit, ISFW is part of a Security Fabric environment with NGFW-1 as the Fabric Root. In this architecture, FortiGate devices share security intelligence, including logs and detected threats.

ISFW is in a Security Fabric environment:

● Security Fabric allows devices like ISFW toreceive threat intelligencefrom NGFW-1, even if UTM is not enabled locally.

● If NGFW-1 detects malware fromIP 10.1.10.1 to 89.238.73.97, this information can bepropagated to ISFW and FortiAnalyzer.

The firewall policy in NGFW-1 has UTM enabled:

● Even thoughISFW does not have UTM enabled, NGFW-1 (which sits between ISFW and the external network)does have UTM enabledand is scanning traffic.

● Since NGFW-1 detects malware in the session, it logs the event, which is then sent toFortiAnalyzer.

When multiple remote sites connect to thesame hubusingoverlapping subnets, FortiGate needs to determine which route should be used for traffic forwarding. Theroute-overlapsetting in IPsec Phase 2 allows FortiGate to handle this scenario by deciding whether to keep theexisting route(use-old) or replace it with anew route(use-new).

In anECMP (Equal-Cost Multi-Path) routing setup,both routes should be retained and balanced, but FortiGate does not supportECMP directly over overlapping routesin IPsec Phase 2. Instead, an administrator must decide which connection takes precedence usingroute-overlapsettings.

TheInternet Service Database (ISDB)in FortiGate is used to enforce content filtering atLayer 3 (Network Layer) and Layer 4 (Transport Layer)of the OSI model by identifying applications based on theirpredefined IP addresses and ports.

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:

● FortiGate retrieves and updates apredefined listof IPs and ports for different internet services fromFortiGuard.

● This allows FortiGate to block specific services atLayer 3 and Layer 4without requiring deep packet inspection.

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:

● ISDB works by matching traffic to knownIP addresses and portsof categorized services.

● When an application or service is blocked, FortiGate prevents communication bydenying traffic based on its destination IP and port number.

In anADVPN (Auto-Discovery VPN) network, adynamic VPN tunnelis establishedon-demandbetween spokes to optimize traffic flow and reduce latency.

Process:

1.Traffic Initiation:

A client behindSpoke-1sends traffic to a device behindSpoke-2.

The traffic initially flows through thehub, following the pre-established overlay tunnel.

2.Hub Detection:

Thehubdetects that Spoke-1 is communicating with Spoke-2 and determines that adirect shortcut tunnelbetween the spokes can optimize the connection.

3.Shortcut Offer:

Thehub sends a "Shortcut Offer"message to Spoke-1, informing it that a directdynamic tunnelto Spoke-2 is possible.

4.Tunnel Establishment:

Spoke-1 and Spoke-2 then negotiate and establish a directIPsec tunnelfor communication.