NSE7_NST-7.2 Fortinet NSE 7 - Network Security 7.2 Support Engineer Questions and Answers

Soft Reset of BGP:

Performing a soft reset of BGP is a common method to resolve issues where prefixes are not being received. It forces both BGP peers to resend their complete routing tables to each other.

This can be done using the command:execute router clear bgp soft inandexecute router clear bgp soft out.

Network Import Check:

Thenetwork-import-checkcommand controls whether the FortiGate should verify that the prefix exists in the routing table before advertising it.

Disabling this check can resolve issues where valid prefixes are not advertised due to stringent verification.

The command to disable this is:config router bgp set network-import-check disable end.

BGP Configuration Verification:

Ensure that the BGP configuration on FGT-B is correctly set to advertise the network 172.16.54.0/24.

Verify that the network statement is correctly configured and matches the intended prefix.

References:

Fortinet Community: Technical Note on Configuring BGP​(Welcome to the Fortinet Community!)​.

Fortinet Documentation: Configuring BGP on FortiGate​(Fortinet Document Library)​.

The BGP summary output shows the state of the 10.200.3.1 peer as "Connect." This state indicates that the local router has attempted to initiate a BGP session with the peer, but the peer has not yet responded to the initial connection request.

State Explanation: The "Connect" state in BGP indicates that the TCP connection has been initiated but is waiting for a response. If the peer does not respond within the configured timers, the session will transition to the "Active" state and retry the connection.

Possible Causes: This can occur due to network issues preventing the peer from responding, a misconfiguration on the peer device, or issues like access control lists (ACLs) blocking the BGP traffic.

To troubleshoot, check the connectivity between the routers, ensure that the BGP configurations on both sides match, and verify that there are no firewalls or ACLs blocking the BGP packets.

References

Fortinet Documentation on BGP Troubleshooting

Fortinet Community Discussion on BGP State Issues

Capturing ESP Traffic:

ESP (Encapsulating Security Payload) traffic is associated with IPsec and is identified by the protocol number 50. To capture ESP traffic, you need to filter packets based on this protocol.

In this specific case, you also need to filter for the host associated with the VPN tunnel, which is10.200.3.2as indicated in the exhibit.

Sniffer Command:

The correct command to capture ESP traffic for the VPN namedDialUp_0is:

diagnose sniffer packet any ‘espandhost10.200.3.2’

This command ensures that only ESP packets to and from the specified host are captured, providing a focused and relevant data set for troubleshooting.

References:

Fortinet Documentation: Verifying IPsec VPN Tunnels​(Fortinet Docs)​​(Welcome to the Fortinet Community!)​.

Fortinet Community: Troubleshooting IPsec VPN Tunnels​(Welcome to the Fortinet Community!)​​(Fortinet Docs)​.

The exhibit shows log entries from the FSSO (Fortinet Single Sign-On) collector agent logs. These logs provide insights into why there might be issues with the collector agent connecting to workstations or the registry.

Remote registry is not running on the workstation: The failure to connect to the workstation registry can occur if the remote registry service on the workstation is not running. This service needs to be active to allow the FSSO collector agent to query the workstation for user login information.

DNS resolution is unable to resolve the workstation name: The logs indicate a failure in connecting to a workstation by name, which can happen if the DNS server is unable to resolve the workstation's name to an IP address. This is a common issue when the DNS settings are incorrect or the workstation name is not properly registered in the DNS.

A firewall is blocking traffic to port 139 and 445: Communication issues to the workstation or registry are often caused by firewall rules blocking essential ports. Ports 139 (NetBIOS) and 445 (SMB) are critical for these operations. Ensure these ports are open on both the workstation and any intermediate firewalls.

References

Fortinet Community Documentation on FSSO Troubleshooting

Fortinet Community on FSSO Collector Agent Issues

OSPF Interface Network Types:

The network types of the interfaces on both FortiGate devices must match. Common network types include broadcast, point-to-point, and non-broadcast multi-access (NBMA).

Authentication Settings:

Both devices must have matching authentication settings (if authentication is used). This includes the same authentication type (none, simple password, or MD5) and the same password or key.

OSPF Router IDs:

Each OSPF router must have a unique router ID within the OSPF domain. The router ID is typically an IPv4 address selected from one of the router's interfaces or manually configured.

Link Costs and Interface Priority:

While link costs and interface priorities are important for route selection and designated router (DR) elections, they do not prevent OSPF adjacency formation if they differ.

References

Fortinet Network Security 7.2 Support Engineer Documentation

OSPF Configuration Guides

Session Table Overview:

The session table in FortiOS tracks all active and pending sessions. It includes details like the type of session (TCP, UDP, etc.), status, and statistics.

Interpreting the Exhibit:

The exhibit from thediagnose sys session statcommand shows detailed session statistics.

The specific value indicating "166 TCP sessions waiting to complete the three-way handshake" reflects the number of sessions that have initiatedbut not yet completed the TCP three-way handshake process (SYN, SYN-ACK, ACK).

References:

Fortinet Documentation: Understanding and troubleshooting session tables​(Hammertux)​.

Fortinet Community: Explanation of session states and statistics​(Welcome to the Fortinet Community!)​​(Hammertux)​.

The routing table shown in the exhibit lists all the routes known to the FortiGate device. It includes routes learned through different protocols such as BGP, OSPF, and static routes.

The entryS * 0.0.0.0/0 [20/0] via 10.200.2.254, port2, [5/0]indicates that there is a static route to the default gateway (0.0.0.0/0) throughport2with a gateway IP of10.200.2.254.

The asterisk*next to the route signifies that this route is selected and currently active in the forwarding information base (FIB). This means the FortiGate uses this route to forward packets destined for addresses not otherwise specified in the routing table.

References

Fortinet Documentation on Routing Table

Fortinet Community Discussion on Routing

The session table entry provided shows detailed information about a specific network session passing through the FortiGate device. From the session details, we can see that the session has various attributes such as state, protocol, policy, and inspection details.

The session state (proto_state=11) indicates that the session is being actively processed and inspected.

Thenpd_state=00000000suggests that the session is being handled by the CPU rather than offloaded to a Network Processor (NP).

The session is marked for security profile inspection, evident from the detailed byte/packet counts and other session parameters.

From these indicators, it's clear that FortiGate is using its CPU to perform security profile inspection on this session rather than simply forwarding the traffic without inspection or relying solely on IPS inspection.

References

Fortinet Documentation on Session Table

Fortinet Community Discussion on Session Table

Examine the OSPF debug output:

The OSPF Hello packet debug output shows the Router ID as0.0.0.112.

It shows that the OSPF packet is being sent from0.0.0.112viaport2:192.168.37.114.

The OSPF Hello packet contains information such as the network mask (255.255.255.0), hello interval (10), router priority (1), dead interval (40), and designated router (192.168.37.114) and backup designated router (192.168.37.115).

Check the area configuration:

The area ID is shown as0.0.0.0, indicating that the two devices attempting adjacency are in area0.0.0.0.

Authentication mismatch:

The debug output indicates an "Authentication type mismatch". This means one device is configured to require authentication while the other is not.

Password configuration:

The statement claiming that "A password has been configured on the local OSPF router but is not shown in the output" is false because the output indicates an authentication mismatch, not the presence or absence of a password. The other statements are true based on the provided debug output.

References

Fortinet Network Security 7.2 Support Engineer Documentation

OSPF Configuration Guides