FCSS_EFW_AD-7.4 FCSS - Enterprise Firewall 7.4 Administrator Questions and Answers

The diagram shows a FortiGate connected to two FortiSwitches, which suggests the use ofFortiLink, Fortinet's protocol for managing switches directly from a FortiGate. Since multiple connections are being used, the LAN interface must be set to802.3ad (LAG)mode to aggregate the links for redundancy and load balancing.

This setup allows FortiGate to handle VLAN assignments dynamically, as seen withVLAN 10 (192.168.15.1/24). FortiLink ensures seamless integration between FortiGate and FortiSwitches, making STP unnecessary because Fortinet'sMCLAGprevents loops at Layer 2. SD-WAN, on the other hand, is used for WAN interfaces and does not apply to switch connectivity in this scenario.

Thebest way to automate a firewall policyusing a daily updated list ofIP addressesis by using anexternal connector from Threat Feeds. This allows FortiGate to dynamically retrievereal-time threat intelligencefrom external sources and apply it directly to security policies.

By configuringThreat Feeds, the administrator can:

●Automatically updatefirewall policies with the latest malicious IPs daily.

●Block trafficfrom those IPs in real-time without manual intervention.

●Integrate with FortiGuard, third-party threat intelligence sources, or custom feeds (CSV, STIX/TAXII, etc.).

From theBGP neighbor status output, the key issue is thatBGP is stuck in the "Idle" state, meaning the FortiGate is unable to establish a BGP session with its peer100.65.4.1(Remote AS 65300).

The output also shows:

●"Not directly connected EBGP"→ This means the BGP peer is not on the same subnet, requiring multihop BGP.

●"Update source is Loopback"→ Since a loopback interface is used, FortiGate must be configured to allow BGP neighbors over multiple hops.

To resolve this issue, the administrator must enableebgp-enforce-multihop, which allows BGP sessions to be established even when the neighbors are not directly connected.

The packet capture output displays aTLS Client Hellomessage from FortiGate to FortiManager Cloud. This message containsServer Name Indication (SNI), which is used to indicate the domain name that FortiGate is trying to connect to.

FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment.

● FortiManager Cloud hostsmultiple customersand domains under ashared infrastructure.

● The TLS handshake includesSNI (Server Name Indication), which allows FortiManager Cloud toserve multiple certificatesbased on the requested domain.

● This means FortiGate will likely receive amulti-domain or wildcard certificatethat can be used for multiple customers under FortiManager Cloud.

The wildcard for the domain .fortinet-ca2.support.fortinet.com must be supported by FortiManager Cloud.

● The SNI extension contains the domain9398.support.fortinet-ca2.fortinet.com.

● FortiManager Cloud must supportwildcard certificatessuch as *.fortinet-ca2.support.fortinet.com to securely manage multiple subdomains and customers.

● This ensures that FortiGate can validate the server certificate without any TLS errors.

Zero phase selectors inIPsec Phase 2mean thatno specific traffic selectors (subnets) are defined, allowingany traffic to be encryptedthrough the VPN tunnel. This can causeunintended traffic forwarding issuesand disrupt network operations.

To prevent this from happening during future migrations:

●Using routing protocolsensures thatonly specific subnets are advertised over the tunnel. Dynamic routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing unintended traffic from being encrypted.

●Clearly defining phase 2 selectorsavoids the problem of encrypting all traffic byexplicitly stating the allowed source and destination subnets. This prevents the tunnel from affecting unrelated network traffic.

TheInternet Service Database (ISDB)in FortiGate is used to enforce content filtering atLayer 3 (Network Layer) and Layer 4 (Transport Layer)of the OSI model by identifying applications based on theirpredefined IP addresses and ports.

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:

● FortiGate retrieves and updates apredefined listof IPs and ports for different internet services fromFortiGuard.

● This allows FortiGate to block specific services atLayer 3 and Layer 4without requiring deep packet inspection.

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:

● ISDB works by matching traffic to knownIP addresses and portsof categorized services.

● When an application or service is blocked, FortiGate prevents communication bydenying traffic based on its destination IP and port number.

In anADVPN (Auto-Discovery VPN) network, adynamic VPN tunnelis establishedon-demandbetween spokes to optimize traffic flow and reduce latency.

Process:

1.Traffic Initiation:

A client behindSpoke-1sends traffic to a device behindSpoke-2.

The traffic initially flows through thehub, following the pre-established overlay tunnel.

2.Hub Detection:

Thehubdetects that Spoke-1 is communicating with Spoke-2 and determines that adirect shortcut tunnelbetween the spokes can optimize the connection.

3.Shortcut Offer:

Thehub sends a "Shortcut Offer"message to Spoke-1, informing it that a directdynamic tunnelto Spoke-2 is possible.

4.Tunnel Establishment:

Spoke-1 and Spoke-2 then negotiate and establish a directIPsec tunnelfor communication.

In a hub-and-spoke topology using OSPF over IPsec VPNs, thepoint-to-multipointnetwork type is necessary to establish neighbor adjacencies between the hub and spokes. This network type ensures that OSPF operates correctly without requiring a designated router (DR) and allows dynamic routing updates across the IPsec tunnels.

When designing anADVPN (Auto-Discovery VPN) networkfor alarge enterprisewith spokes that havevarying numbers of internet links, the main challenge is tominimize the number of peer connections and routesat the hub while maintainingscalability and efficiency.

Using a dynamic routing protocol (such as BGP or OSPF) with loopback interfaces helps in several ways:

●Reduces the number of peer connectionsat the hub byusing a single loopback address per spokeinstead of individual physical interfaces.

●Enables simplified route advertisementby dynamically learning and propagating routes instead of manually configuring static routes.

●Supports multiple internet links per spokeefficiently, as dynamic routing can automatically adjust to the best available path.

●Allows seamless failoverif a spoke’s internet link fails, ensuring continuous connectivity.

Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.

By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).

● Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.

The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).

● npu_flag=20:

● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.

● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:

● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the tunnel is successfully offloaded.

● npu_selid=1:

● This value means the session selector for the NPU offloaded SA is active.

Since both inbound and outbound SAs are offloaded, the administrator can conclude that the FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and improving VPN performance.

To minimizeCPU and RAM usagewhile still enforcingsecurity features like web filtering and application control,SSL certificate inspection modeis the best choice.

●SSL certificate inspectionallows FortiGate to inspectonly the SSL/TLS handshake, including theServer Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.

● This enables features likeweb filtering and application controlbecause FortiGate can determine thedestination website or applicationbased onSNI and certificate information.

● Itsignificantly reduces system loadcompared tofull SSL inspection, which requires full decryption and re-encryption of traffic.

The exhibit shows anactive-passive HA (high availability) clusterwith two virtual clusters, where FortiGate_A is the primary device for both Core1 and Core2. If the goal is to haveFortiGate_B take over Core2 traffic, itspriority must be higherthan FortiGate_A forVirtual Cluster 2.

Currently, FortiGate_A has a priority of150for Core2, while FortiGate_B has128. IncreasingFortiGate_B’s priority to 200ensures it becomes theprimary for Virtual Cluster 2, taking over the Core2 VDOM traffic while keeping Core1 traffic on FortiGate_A.

Disabling override would prevent forced failovers but wouldn’t change the role distribution. Adjusting the load-balancing method is irrelevant in anactive-passive setup, as it only applies to active-active configurations.

The MAC addresse0:23:ff:fc:00:86follows the format used inFortiGate High Availability (HA) clusters. When FortiGate devices are in an HA configuration, they usevirtual MAC addressesfor failover and redundancy purposes.

The suspicious packet is related to a cluster that has VDOMs enabled:FortiGate devices withVirtual Domains (VDOMs)enabled use specific MAC address ranges to differentiate HA-related traffic. This MAC address is likely part of that mechanism.

The suspicious packet is related to a cluster with a group-id value lower than 255:FortiGate HA clusters assign virtual MAC addresses based on thegroup ID. The last octet (00:86) corresponds to agroup IDthat isbelow 255, confirming this option.