FCP_FGT_AD-7.4 FCP - FortiGate 7.4 Administrator Questions and Answers

To adjust the inactivity timeout for GUI sessions, the administrator should increase the admintimeout value in the global settings. This parameter controls how long an administrator's session can remain idle before it times out and disconnects. This is configured globally and affects all administrators, including those with the "NOC_Access" profile.

To retrieve AD user group information in agentless polling mode, the administrator must add an LDAP server to the FortiGate device​.

To disable RPF (Reverse Path Forwarding) checking on a FortiGate interface, you need to disable the src-check option in the interface settings. This action disables the RPF check, allowing traffic to bypass the verification that it is arriving on the correct interface based on the routing table.

The serial console method allows management access to the FortiGate CLI without relying on network connectivity. This method involves directly connecting a computer to the FortiGate device using a serial cable (such as a DB-9 to RJ-45 cable or USB to RJ-45 cable) and using terminal emulation software to interact with the FortiGate CLI. This method is essential for situations where network-based access methods (such as SSH or Telnet) are not available or feasible.

References:

FortiOS 7.4.1 Administration Guide: Console connection

When using multiple dial-up IPsec VPNs in aggressive mode, the Peer ID setting in Phase 1 can be used to distinguish between different VPN tunnels. Each dial-up user or department can be assigned a unique Peer ID, allowing the FortiGate to match the incoming VPN request to the correct tunnel based on the Peer ID value.

Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.

When SD-WAN is enabled on FortiGate, the load balancing algorithm for Equal-Cost Multi-Path (ECMP) is configured using the load-balance-mode parameter under SD-WAN settings. However, if SD-WAN is disabled, the ECMP load balancing algorithm can be configured under config system settings. This flexibility allows FortiGate to control traffic routing behavior based on the network configuration and requirements.

References:

FortiOS 7.4.1 Administration Guide: ECMP Configuration

The Fortinet Single Sign-On (FSSO) Collector Agent supports three primary methods for Active Directory (AD) polling to collect user information:

WinSecLog: Monitors Windows Security Event Logs for login events.

WMI: Uses Windows Management Instrumentation to poll user login sessions.

NetAPI: Utilizes the Netlogon API to query domain controllers for user session data.

These methods allow the FortiGate to gather user logon information and enforce user-based policies effectively.

References:

FortiOS 7.4.1 Administration Guide: FSSO Configuration

Automation stitches on FortiGate can have one or more triggers, which are conditions or events that activate the automation stitch. The trigger defines when the automation stitch should execute the defined actions. Actions within a stitch can be executed sequentially or in parallel, depending on the configuration.

References:

FortiOS 7.4.1 Administration Guide: Automation Stitches

Flow-based inspection optimizes performance compared to proxy-based inspection.

Flow-based inspection scans traffic in real-time as it passes through, resulting in better performance compared to proxy-based inspection, which buffers traffic.

FortiGate buffers the whole file but transmits to the client at the same time.

In flow-based inspection, the file is scanned while it is being transmitted, improving speed and reducing latency.

The IPS engine handles the process as a standalone.

In flow-based antivirus inspection, the IPS engine is used to inspect traffic, making it more efficient and integrated within the broader security mechanisms.

The exhibit shows that the "FTP.Login.Failed" IPS signature is set with the action "Pass" and packet logging enabled. This means that any traffic matching this signature will be allowed through the FortiGate, and the traffic details will be logged for monitoring and analysis purposes.

References:

FortiOS 7.4.1 Administration Guide: IPS Signature Actions

The port1 and port2 default routes are active in the routing table

The routes with 0.0.0.0/0 for both port1 and port2 are marked with an asterisk * and > symbol, which indicates that these routes are active and selected in the routing table.

The port3 default route has the highest distance

The route via port3 has a distance of [20/0], which is higher than the distances for the routes via port1 [10/0] and port2 [30/0]. This indicates that the port3 default route has the highest distance.

In FortiGate HA (High Availability) configuration, checksums of device configurations are compared to ensure they are synchronized and identical across the cluster. Incremental synchronization can only happen from changes made on the primary device to ensure consistency and integrity across the cluster members. Changes made on non-primary devices do not initiate synchronization.

References:

FortiOS 7.4.1 Administration Guide: HA Configuration Synchronization

For traffic that does not match any of the defined SD-WAN rules, the default implicit SD-WAN rule is applied. By default, the FortiGate uses a "source-destination IP-based" algorithm, which means all traffic from a specific source IP to a specific destination IP is sent through the same interface. This ensures that a consistent path is used for traffic between the same source and destination IP addresses. Options B, C, and D do not apply because the default algorithm does not prioritize by latency, session count, or source IP alone.

References:

FortiOS 7.4.1 Administration Guide: SD-WAN Load Balancing Algorithms​

Based on the system performance output provided, the memory usage on the FortiGate device is at 90%, which is above the green threshold (82%) but below the red threshold (88%). Given this high memory usage, the FortiGate device will enter "conserve mode" to prevent further resource exhaustion. In conserve mode:

B. FortiGate has entered conserve mode: When the memory usage reaches or exceeds certain thresholds (in this case, the green and red thresholds), the FortiGate enters conserve mode to protect itself from running out of memory entirely. This mode limits some functionalities to reduce memory usage and avoid a potential system crash.

D. Administrators can access FortiGate only through the console port: During conserve mode, administrative access might be restricted, and administrators may only be able to connect to the device via the console port. This restriction is in place to ensure that the FortiGate can be managed directly, even under low resource conditions.

The other options are not correct:

A. FortiGate will start sending all files to FortiSandbox for inspection: This is unrelated to memory usage and conserve mode.

C. Administrators cannot change the configuration: While access may be limited, configuration changes can still be made via the console port.

References

FortiOS 7.4.1 Administration Guide - Monitoring System Resources and Performance, page 325.

FortiOS 7.4.1 Administration Guide - Conserve Mode, page 330.

Both interfaces must have directly connected routes on the routing table

In NAT mode, each interface must have a corresponding entry in the routing table, typically as a directly connected route, to route traffic between them effectively.

Both interfaces must have IP addresses assigned

In NAT mode, each interface must have an IP address to participate in routing and NAT operations. The IP addresses allow the FortiGate to forward traffic between different network segments.

The debug output indicates that FortiGate connected to one server (173.243.141.16) to retrieve contract information as it shows four FortiGuard requests without any packet loss, which confirms the connection to the server. Additionally, the default FortiGuard communication settings are being used, as indicated by the use of the HTTPS protocol on port 443, which is the default setting for FortiGuard connections.

References:

FortiOS 7.4.1 Administration Guide: FortiGuard Connection Settings

For a high-latency internet connection, the SSL VPN setting that should be adjusted is:

C. SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.

The other options are not suitable:

A. SSL VPN idle-timeout: This setting controls the idle time allowed before a session is terminated, which is not relevant to the initial connection establishment.

B. SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.

D. SSL VPN session-ttl: This setting controls the total time-to-live for an SSL VPN session but does not directly address issues caused by high latency.

References

FortiOS 7.4.1 Administration Guide - SSL VPN Configuration, page 1415.

Option 5 in the IPS diagnostic command toggles the bypass status. If this option is used and results in a decrease in CPU usage, it means the IPS engine is no longer processing traffic, effectively blocking or bypassing the traffic. In this case, IPS is not inspecting the traffic anymore, leading to a decrease in CPU usage, which indicates that the traffic might be blocked instead of inspected.

With the override setting enabled and a higher priority configured on FGT-2, it will preempt FGT-1 and become the primary unit in the HA cluster.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

In agentless polling mode, FortiGate directly connects to the Domain Controllers (DCs) using the SMB protocol to read event logs and detect user login events.

FortiGate does not support workstation check.

In agentless polling mode, FortiGate does not perform workstation checks. It relies on polling the event logs from the Domain Controllers to identify user logins.

To configure redundant IPsec VPN tunnels on FortiGate with failover capability, the following two key configuration changes are required:

A. Enable Dead Peer Detection (DPD): Dead Peer Detection is crucial for detecting if the remote peer is unreachable. By enabling DPD, FortiGate can quickly detect a dead tunnel, ensuring a faster failover to the secondary tunnel when the primary tunnel goes down.

C. Configure a lower distance on the static route for the primary tunnel and a higher distance on the static route for the secondary tunnel: The static route with the lower distance (higher priority) will be used when both tunnels are operational. If the primary tunnel fails, the higher distance (lower priority) route for the secondary tunnel will take over, ensuring traffic is routed correctly.

The other options are not suitable:

B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels: This option is not directly related to the requirements of failover between two IPsec VPN tunnels.

D. Configure a higher distance on the static route for the primary tunnel and a lower distance on the static route for the secondary tunnel: This would prioritize the secondary tunnel over the primary tunnel, which is opposite to the desired configuration.

References

FortiOS 7.4.1 Administration Guide - Configuring IPsec VPN, page 1320.

FortiOS 7.4.1 Administration Guide - Redundant VPN Configuration, page 1335.

The traffic from the user on Local-Client (10.0.1.10) pinging the IP address of Remote-FortiGate (10.200.3.1) will match the firewall policy with the service "PING traffic". According to the firewall policy:

Policy ID 6 is set for PING traffic and uses the NAT IP pool "SNAT-Remote1", which is defined as 10.200.1.99.