NSE4 Prep Session Presentation

© Copyright Fortinet Inc. All rights reserved.


Section 1
Introduction to FortiGate
Section 1 – Introduction to FortiGate

 What is a FortiGate?
 FortiGate is a Unified Threat Management (UTM) device
 A UTM device is a security appliance that integrates a range of security features into one appliance
 Combines firewall, gateway AV, IPS and application control on a single platform

 FortiASIC – Application Specific Integrated Circuit
 CP chip – Content Processor
 Provides high-speed cryptography and content inspection services
 NP chip – Network Processor
 Works in-line with FortiOS functions, delivering superior firewall performance
 SOC – System on a Chip
 Integrates CP and NP processors, along with a RISC-based CPU, into a single processor
 Mostly found on entry-level FortiGate appliances used in smaller networks
Section 1 - Introduction to FortiGate

 FortiGuard
 Subscription service that gives FortiGate access to 24x7 security updates
 Powered by a team of Fortinet researchers
 Queries are real-time
 FortiGate queries the FDN (FortiGuard Distribution Network) for web filter ratings and antispam verdicts as it scans traffic (results are cached locally)
 Uses UDP for transport (port 53 or 8888 by default) – connectionless and designed for speed
 AV and IPS signatures are not queried per request; they are downloaded as packages (scheduled pull or push) and must be kept up to date to detect new threats

 Modes of Operation
 NAT mode
 Default operation mode
 Forwards packets based on Layer 3, like a router
 Each logical network interface has an IP address
 Transparent mode
 Forwards packets at Layer 2, like a switch
 Interfaces have no IP addresses; the unit has a single management IP
Section 1 - Introduction to FortiGate

 Administration
 Factory default settings
 Port 1 / Internal interface IP: 192.168.1.99/24
 Built-in DHCP server is enabled on Port 1 / Internal interface
 Default login
 User: admin
 Password: <blank>
 SET A PASSWORD FOR THE DEFAULT "admin" ACCOUNT IMMEDIATELY

 Resetting a lost "admin" password
 User: maintainer
 Password: bcbp<serial-number>
 All letters in <serial-number> are upper case
 Only after a hard power cycle, during the first 15-30 seconds after boot, and only via the hardware console port
 This is a physical-access recovery path, so keep appliances in locked racks; on firmware that offers it, the maintainer login can be disabled in the CLI (admin-maintainer under config system global) once you have another recovery plan
Section 1 - Introduction to FortiGate

 Administration Methods
 GUI – web browser (HTTP/HTTPS) or FortiExplorer
 CLI – console, SSH, Telnet, or the CLI widget in the GUI
 Administrator Profiles
 super_admin – the built-in "admin" account – full access to everything; the profile itself cannot be changed
 prof_admin – full access to its own virtual domain; the profile settings can be changed
 Custom profiles can be created with varying permissions (Read Only, Read-Write, etc.)
 Admins with a smaller scope of permissions cannot create, or even view, accounts with more permissions, including changing their passwords

 Two-Factor Authentication
 Instead of verifying your identity one way, you verify it in two ways
 FortiToken
 Physical FortiToken
 FortiToken Mobile
 Android and iOS versions available
Section 1 - Introduction to FortiGate

 Administrative Access
 Trusted Hosts – define which hosts or subnets are trusted sources of login attempts for each administrator account; logins from anywhere else are refused even with the right password
 Ports – customizable port numbers for HTTP, HTTPS, Telnet, etc.
 Protocols – enable/disable administrative protocols such as HTTPS, SSH, PING, etc.
 Specific to each interface (leave every administrative protocol disabled on Internet-facing interfaces unless there is a documented need)
Section 1 - Introduction to FortiGate

 Features Hidden by Default
 Feature presets in the GUI:
 NGFW – Next Generation Firewall
 ATP – Advanced Threat Protection
 WF – Web Filtering
 Full UTM – all inspection profiles
 Interface IPs
 In NAT mode, interfaces cannot be used until they have an IP
 Manually assigned, via DHCP, or via PPPoE (configured in the CLI)
 Exceptions: One-Arm Sniffer or Dedicated to FortiAP
 One-Arm Sniffer mode:
 Puts an interface in promiscuous mode
 Inspects all traffic that arrives (typically a copy fed from a switch mirror/SPAN port)
 This interface can receive traffic but cannot send, so it detects and logs but cannot block
 Dedicated to FortiAP:
 Creates an access point controller and DHCP server
 Clients connecting to SSIDs managed through this interface receive an IP address from the pool on this interface
Section 1 - Introduction to FortiGate

 Configuration Files
 Configuration can be saved to an external file
 Optional encryption
 Backup can be automatic
 Upon logout
 Not available on all models
 To restore a previous configuration, upload the file; FortiGate will reboot
 Encrypted & unencrypted
 Restoring an encrypted backup requires the same device model + the same firmware build + the password
 Restoring an unencrypted backup only requires the same model
 A different build is OK if the upgrade path is supported
 Treat backups as sensitive: they contain the complete configuration, including administrator accounts and VPN pre-shared keys
 If VDOMs are enabled, you can back up VDOMs individually
 VDOM details are discussed in a later section

 Upgrade/Downgrade
 Easiest method to upgrade: "Update" link on the System Information widget, then choose the firmware file
 Clean install possible from the boot loader menu via the console (firmware loaded over TFTP)
 Have physical access or a terminal server in case a reversion is needed
 READ THE RELEASE NOTES
Section 1 - Q & A session
What is NOT a FortiGate Feature?

A. Database Auditing
B. Intrusion Prevention
C. Web Filtering
D. Application Control

Answer: (A) Database Auditing

Section 1 - Q & A session
Acme Web Hosting is replacing one of their firewalls with a FortiGate.
It must be able to apply port forwarding to their back-end web servers
while blocking virus uploads and TCP SYN floods from attackers.
Which operation mode is the best choice for these requirements?

A. NAT/route mode
B. NAT mode with an interface in one-arm sniffer mode
C. Transparent mode
D. No appropriate operation mode exists

Answer: (A) NAT/route mode

Section 2
Logging & Monitoring
Section 2 – Logging & Monitoring

 Why do we need Logging & Monitoring?
 To monitor network & Internet traffic volumes
 To diagnose problems
 To establish baselines of normal behaviour, so anomalies can be recognized
 Log Severity Levels
 Severity levels indicate the importance of the event
 Highest to lowest:
 Emergency: system unstable
 Alert: immediate action required
 Critical: functionality affected
 Error: an error exists that can affect functionality
 Warning: functionality could be affected
 Notification: information about normal events (written as level="notice" in log messages)
 Information: general system information
 Debug: debug log messages
 Only needed to log diagnostic data
Section 2 – Logging & Monitoring

 Log Storage Locations
 Logs can be stored remotely or locally (disk or memory, depending on the model)
 FortiAnalyzer/FortiManager
 FortiAnalyzer – long-term, dedicated storage of log data
 FortiManager – centrally manages multiple FortiGate devices
 Can also store logs and generate reports
 Identical to FortiAnalyzer for logging, except for a 2 GB daily limit on logs received
 Configure logging to FortiAnalyzer/FortiManager in the GUI or CLI
 FortiCloud
 Subscription service
 Long-term log storage & reporting
 Linked to the FortiCare account
Section 2 – Logging & Monitoring

 Log Types & Subtypes
 Traffic Log: packets to and through the device
 Forward (traffic passed/blocked by firewall policies)
 Local (traffic aimed directly at, or created by, the FortiGate itself)
 Invalid (packets considered invalid/malformed and dropped)
 Multicast (multicast traffic)
 Event Log: admin & system activity events on the device
 System (system-related events)
 User (firewall authentication events)
 Router, VPN, WanOpt & Cache, Wi-Fi
 Security Log: messages generated by security profiles acting on traffic passing through the device
 By security profile type (AV, Web Filter, IPS, etc.)
 The section is not created by default
 A specific subtype is only shown once logs of that subtype have been created
Section 2 – Logging & Monitoring

 Which Settings Generate Logs

 Policy log setting    | Security profile (AV, Web Filter, Email) | Behavior
 ----------------------|------------------------------------------|-------------------------------------------------------------
 No Log                | Disabled                                 | No forward traffic or security logs
 No Log                | Enabled                                  | No forward traffic or security logs
 Log Security Events   | Disabled                                 | No forward traffic or security logs
 Log Security Events   | Enabled                                  | Security log events appear in the forward traffic log; a forward traffic log is generated only for sessions that caused a security event
 Log All Sessions      | Disabled                                 | A forward traffic log is generated for every session
 Log All Sessions      | Enabled                                  | Security log events appear in the forward traffic log; a forward traffic log is generated for every session

 Logging is impacted by hardware acceleration
 Traffic offloaded to NP processors is not logged
Section 2 – Logging & Monitoring

 Viewing Log Messages
 Two sections: log header & log body
 Log header: common to all log messages
 Information such as date, time, log ID, type & subtype, and severity level
 Log body: varies for each kind of log
 Provides the specifics of the log message
 Shows, for example, the status and the policyid (the firewall policy applied to the session)
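As an added worked example (not part of the Fortinet deck, and not FortiOS code), the Python below splits FortiGate key=value log lines into the header fields listed above and the body, ranks messages by the severity levels from the earlier slide, and pulls out implicit-deny hits (forward traffic logs with action="deny" and policyid=0, which assumes logging is enabled on the implicit deny policy). The log lines are constructed samples, not captures from a real unit.

```python
"""Parse FortiGate key=value log lines into header and body, rank by severity
and pick out implicit-deny hits. Added example, not FortiOS code; the sample
log lines are constructed, not captured from a real unit."""
import re
from typing import Dict, List

# Severity ranking from the deck, highest first. In the log text the
# "Notification" level is written level="notice".
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notice", "information", "debug"]

# Fields present in every FortiGate log message (the log header)
HEADER_FIELDS = ("date", "time", "logid", "type", "subtype", "level", "vd")

# key=value tokens; values are either "quoted, may contain spaces" or bare
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed samples: two forward traffic logs (one accepted, one hitting the
# implicit deny, which logs as policyid=0), an IPS security log and an event log
SAMPLE_LOGS = [
    'date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.0.1.20 srcport=51234 srcintf="port2" dstip=93.184.216.34 '
    'dstport=443 dstintf="port1" proto=6 action="accept" policyid=3 sentbyte=1523 rcvdbyte=8042',
    'date=2019-05-10 time=11:38:02 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.0.1.21 srcport=40011 srcintf="port2" dstip=203.0.113.9 '
    'dstport=23 dstintf="port1" proto=6 action="deny" policyid=0',
    'date=2019-05-10 time=11:38:10 logid="0419016384" type="utm" subtype="ips" level="alert" '
    'vd="root" severity="critical" srcip=198.51.100.7 dstip=10.0.1.50 action="dropped" '
    'policyid=5 attack="Example.Signature.Name"',
    'date=2019-05-10 time=11:40:00 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(10.0.1.5)" action="login" status="success"',
]


def parse_log(line: str) -> Dict[str, Dict[str, str]]:
    """Split one log line into {"header": {...}, "body": {...}}."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _TOKEN.finditer(line)}
    header = {k: fields.pop(k) for k in HEADER_FIELDS if k in fields}
    return {"header": header, "body": fields}


def at_least(level: str, threshold: str) -> bool:
    """True if `level` is as severe as, or more severe than, `threshold`."""
    return SEVERITY.index(level) <= SEVERITY.index(threshold)


def filter_logs(lines: List[str], threshold: str = "warning") -> List[Dict[str, Dict[str, str]]]:
    """Parsed logs whose header level meets the threshold (the usual alerting cut-off)."""
    return [p for p in map(parse_log, lines) if at_least(p["header"]["level"], threshold)]


def denied_by_implicit_deny(lines: List[str]) -> List[str]:
    """Forward traffic denies with policyid=0 are hits on the implicit deny policy."""
    hits = []
    for p in map(parse_log, lines):
        h, b = p["header"], p["body"]
        if (h.get("type") == "traffic" and h.get("subtype") == "forward"
                and b.get("action") == "deny" and b.get("policyid") == "0"):
            hits.append(f'{b["srcip"]} -> {b["dstip"]}:{b["dstport"]}')
    return hits


if __name__ == "__main__":
    for entry in filter_logs(SAMPLE_LOGS, "warning"):
        print(entry["header"]["level"], entry["header"]["type"], entry["body"].get("action"))
    print("implicit-deny hits:", denied_by_implicit_deny(SAMPLE_LOGS))
```

The same header/body split works for syslog-forwarded FortiGate logs, since the key=value layout is preserved; only the syslog prefix in front of date= needs to be stripped first.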
Section 2 – Logging & Monitoring

 Monitoring Logs
 Monitoring logs is critical to protecting your network
 Three ways to monitor:
 Alert emails
 Send a notification by email upon detection of an event
 Alert email cannot be configured until an SMTP server and at least one DNS server are defined
 Can send to up to 3 addresses
 Alert Message Console
 GUI widget on the FortiGate dashboard
 Individual alerts can be acknowledged and removed from the list
 Customizable alert options
 SNMP
 Configure a FortiGate interface for SNMP access
 Compile and load the FortiGate MIBs into the SNMP manager
 Create SNMP communities so the FortiGate agent and the SNMP manager can talk (prefer SNMPv3 with authentication and privacy over community strings, which cross the network in clear text)
 The FortiGate SNMP agent sends traps to the SNMP manager
Section 2 – Logging & Monitoring

 Configuring Log Settings
 Log settings can be configured in the GUI or CLI
 You can configure where to send the logs, which kinds of traffic should appear in the local traffic log, etc.
 The firewall policy setting decides whether a log message is generated at all
 The "Log Settings" option decides if, and where, any log is stored

 Logging Resources
 The more logs that are generated, the more CPU, memory and disk space is required to process them
 Traffic logs can be abbreviated (brief traffic logs) to free up firewall resources

 Crash Logs
 Record the lifecycle of the processes that handle traffic inspection
 Any time a process exits, it is recorded as a "crash"
 Some are normal (e.g. scanunit closing to load updated definitions)
 A normal shutdown with no abnormalities shows a status of 0 (zero)
Section 2 - Q & A session
1. There are eight (8) log severity levels that indicate the importance of
an event. Not including Debug, which is only needed to log
diagnostic data, what are both the lowest AND highest severity
levels?

A. Notification, Emergency
B. Information, Critical
C. Error, Critical
D. Information, Emergency
E. Information, Alert

Answer: (D) Information, Emergency

Section 2 - Q & A session
1. Which of the following are considered log types?
(Choose 3)

A. Forward log
B. Traffic log
C. Syslog
D. Event log
E. Security log

Answer: (B) Traffic Log, (D) Event log, (E) Security Log

Section 3
Firewall Policies
Section 3 – Firewall Policies

 What are Firewall Policies?
 Policies define which traffic matches them and how to process the traffic that matches
 When the first packet of a new IP session arrives, FortiGate looks for a matching policy
 Only the first matching policy applies
 Matching starts at the top of the list and works down
 Implicit deny
 No matching policy? FortiGate drops the packet (logged with policy ID 0 when logging is enabled on the implicit deny policy)

 How Are Policy Matches Determined?
 Each policy has match criteria, which can be defined using objects:
 Ingress and egress interfaces
 Source & destination, by IP address, device ID, or user
 Network service(s) (that is, IP protocol and port number)
 Schedule
 Once a matching policy is found, its packet processing settings are applied; a narrower policy placed below a broader one that also matches is never reached
Section 3 – Firewall Policies

 Policy List:
 Policy & Objects > Policy > IPv4
 Section View: lists policies by ingress/egress interface pairs
 Global View: lists policies by policy sequence number
 Used automatically when a policy has multiple source/destination interfaces or matches "any"
 Policy order can be adjusted
 GUI: drag and drop by Seq. #
 CLI: use the policy ID #, not the Seq. #
 config firewall policy
move <policy_id> (before|after) <policy_id>
end

 Interfaces vs Zones
 Incoming interface: interface / zone receiving packets
 Outgoing interface: interface / zone forwarding packets
 Zone: logical group of interfaces
 An interface in a zone cannot be referenced individually in a policy
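Added example (not FortiOS code) showing the top-down, first-match lookup with implicit deny from the previous slide, and why the CLI move command above matters: a broad policy placed above a narrower one shadows it, so the narrower deny never fires. Interface names, addresses and the three-policy list are assumed for illustration; lookup(), shadowed() and move_policy() are helpers written for this example, and move_policy() mirrors "move <policy_id> before|after <policy_id>" by working on policy IDs rather than sequence numbers.

```python
"""First-match firewall policy lookup with implicit deny, plus reordering by
policy ID. Added example, not FortiOS code; the policies and packets are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Service:
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range


@dataclass
class Policy:
    policyid: int
    srcintf: str             # interface or zone name; "any" matches every interface
    dstintf: str
    srcaddr: List[str]       # CIDR strings (address objects)
    dstaddr: List[str]
    services: List[Service]
    action: str              # "accept" or "deny"
    schedule: Tuple[int, int] = (0, 24)   # active hours [start, end); (0, 24) = always


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    srcip: str
    dstip: str
    proto: str
    dstport: int
    hour: int = 12


def _intf_match(policy_intf: str, pkt_intf: str) -> bool:
    return policy_intf == "any" or policy_intf == pkt_intf


def _addr_match(cidrs: List[str], ip: str) -> bool:
    return any(ip_address(ip) in ip_network(c) for c in cidrs)


def _svc_match(services: List[Service], proto: str, port: int) -> bool:
    return any(s.proto in ("any", proto) and s.ports[0] <= port <= s.ports[1] for s in services)


def lookup(policies: List[Policy], pkt: Packet) -> Tuple[int, str]:
    """(policyid, action) of the first policy that matches, or (0, "deny") for the implicit deny."""
    for p in policies:   # list order is the policy sequence: first match wins
        if (_intf_match(p.srcintf, pkt.srcintf) and _intf_match(p.dstintf, pkt.dstintf)
                and _addr_match(p.srcaddr, pkt.srcip) and _addr_match(p.dstaddr, pkt.dstip)
                and _svc_match(p.services, pkt.proto, pkt.dstport)
                and p.schedule[0] <= pkt.hour < p.schedule[1]):
            return p.policyid, p.action
    return 0, "deny"


def shadowed(policies: List[Policy], samples: List[Packet]) -> List[int]:
    """IDs of policies that none of the sample packets ever reach."""
    hit = {lookup(policies, pkt)[0] for pkt in samples}
    return [p.policyid for p in policies if p.policyid not in hit]


def move_policy(policies: List[Policy], policy_id: int, where: str, ref_id: int) -> List[Policy]:
    """Return a reordered copy, like `move <policy_id> before|after <ref_id>` in the CLI."""
    moving = next(p for p in policies if p.policyid == policy_id)
    rest = [p for p in policies if p.policyid != policy_id]
    idx = next(i for i, p in enumerate(rest) if p.policyid == ref_id)
    rest.insert(idx if where == "before" else idx + 1, moving)
    return rest


ALL, HTTPS, SSH = Service("any", (0, 65535)), Service("tcp", (443, 443)), Service("tcp", (22, 22))

# Constructed policy list: policy 2 is broader than policy 3 and sits above it,
# so the SSH deny in policy 3 can never match (a classic ordering mistake)
POLICIES = [
    Policy(1, "port2", "port1", ["10.0.1.0/24"], ["0.0.0.0/0"], [HTTPS], "accept"),
    Policy(2, "port2", "port1", ["10.0.0.0/16"], ["0.0.0.0/0"], [ALL], "accept"),
    Policy(3, "port2", "port1", ["10.0.1.0/24"], ["203.0.113.0/24"], [SSH], "deny"),
]

SAMPLES = [
    Packet("port2", "port1", "10.0.1.20", "93.184.216.34", "tcp", 443),   # HTTPS out
    Packet("port2", "port1", "10.0.1.20", "203.0.113.9", "tcp", 22),      # SSH that policy 3 should deny
    Packet("port3", "port1", "10.0.5.5", "203.0.113.9", "tcp", 22),       # wrong ingress interface
    Packet("port2", "port1", "10.0.2.7", "203.0.113.9", "udp", 53),       # DNS from another subnet
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt.srcip, "->", f"{pkt.dstip}:{pkt.dstport}", lookup(POLICIES, pkt))
    print("shadowed:", shadowed(POLICIES, SAMPLES))
    fixed = move_policy(POLICIES, 3, "before", 2)   # config firewall policy / move 3 before 2 / end
    print("after move 3 before 2:", [p.policyid for p in fixed], "shadowed:", shadowed(fixed, SAMPLES))
```

Running shadowed() against a representative sample of real flows (for example the src/dst/port tuples from a day of forward traffic logs) is a cheap way to find policies that never match and either need reordering or removal.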
Section 3 – Firewall Policies

 Matching by Source
 At least one source address object is always required
 Source user and source device may be added: either, neither, or both
 Source Address – IP address object
 Source User – individual user or user group. May refer to:
 Local firewall accounts
 Accounts on a remote server (e.g. Active Directory)
 FSSO
 Personal certificate (PKI-authenticated) users
 Source Device – identified or manually defined client device
 Enables device identification on the source interface

 Device Identification
 Agentless (the device is fingerprinted passively from its traffic)
 Agent-based (FortiClient reports the device)
Section 3 – Firewall Policies

 Matching by Destination
 Like the source, address objects can use an IP or an FQDN
 A DNS query is used to resolve the FQDN (the policy matches whatever FortiGate's resolver returns, so point the unit at a trusted DNS server)
 Country (geography) addresses match by the geographical location registered for the IP
 Database updated periodically through FortiGuard

 Scheduling
 Policies that only apply during specific times/days
 Example: a less restrictive "Lunch time" policy
 The default schedule applies all the time
 Recurring – applies every week during the specified day(s) and hours

 Matching by Service
 Services determine the matching transport protocol and port number
 Can be predefined or custom
 ALL matches all ports and protocols
 Web Proxy Services are also available if the incoming interface is set to web-proxy
 Group services (and web proxy services) into service groups to simplify administration
Section 3 – Firewall Policies

How Are Packets Handled?

 Phase 1 – Ingress
 Denial of Service (DoS) sensor
 Packet integrity check
 IPsec tunnel match
 Destination NAT
 Routing

 Phase 2 – Stateful Inspection
 Management traffic
 Policy lookup
 Session tracking
 Session helpers
 SSL VPN
 User authentication
 Traffic shaping

 Phase 3 – UTM Scanning
 Flow-based inspection: IPS, Application Control, Web Filtering, Antivirus
 Proxy-based inspection: VoIP inspection, Data Leak Prevention, Email Filtering, Web Filtering, Antivirus, ICAP

 Phase 4 – Egress
 IPsec
 Source NAT
 Routing
Section 3 – Firewall Policies

 Logging
 If you enable logging of session starts, FortiGate creates a traffic log when the session begins
 Once a firewall policy closes an IP session, if logging is enabled in the policy, FortiGate generates the traffic log for it
 During the session, if a security profile detects a violation, FortiGate records the attack log immediately
 Monitoring
 Active sessions, bytes or packets per policy
 Can be used to determine how much traffic is matching each firewall policy
 Session Table
 Accepted IP sessions are tracked in the session table
 Stores information about the state:
 Source and destination addresses, port number pairs, state, timeout
 Source and destination interfaces
 Source and destination NAT actions
 Performance Metrics
 Max. concurrent sessions
 New sessions per second
Section 3 – Firewall Policies

 Network Address Translation – NAT
 Changes an IP layer address of a packet
 Some protocols (e.g. FTP, SIP) also carry addresses inside the application layer payload, requiring session helpers or proxies to rewrite them
 Source Network Address Translation – SNAT
 Destination Network Address Translation – DNAT
 Port Address Translation – PAT
 Changes the transport layer port number of a packet
 IP Pool Types
 Overload (default)
 One-to-many/few relationship; PAT is used
 One-to-One
 Single mapping of an internal address to an external address
 PAT is not used
 Fixed Port Range
 Associates an internal IP range with an external IP range
 PAT is disabled
 Port Block Allocation
 Each client is allocated a fixed block of ports; the deck cites a limit of 64 connections per client for that IP pool (the block size is configurable)
 Prevents users from being impacted by a rogue client sending many SYN packets per second and consuming the whole pool
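Added example (not FortiOS code) contrasting the pool types above under a rogue client that opens hundreds of sessions: an overload pool runs out of ports for everyone, a one-to-one pool runs out of external IPs for new hosts, and port block allocation caps only the rogue host. The external addresses, the deliberately small port range and the block size of 64 (taken from the deck's figure) are assumed parameters, and the three pool classes are simplifications written for this example.

```python
"""Source NAT behaviour of the IP pool types in the deck (overload, one-to-one,
port block allocation). Added example, not FortiOS code; addresses, port
ranges and the block size are assumed for illustration."""
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]          # (srcip, srcport, dstip, dstport)
Translation = Optional[Tuple[str, int]]   # (external ip, external port), or None if NAT failed


class OverloadPool:
    """Many hosts share one or a few external IPs; the source port is rewritten
    (PAT) so return traffic can be matched back to the right session."""

    def __init__(self, ext_ips: List[str], first_port: int = 1024, last_port: int = 65535):
        self.ext_ips = list(ext_ips)
        self.ports = range(first_port, last_port + 1)
        self.used: Dict[Tuple[str, int], Flow] = {}   # (ext ip, ext port) -> original flow

    def translate(self, flow: Flow) -> Translation:
        for ext_ip in self.ext_ips:
            for port in self.ports:
                if (ext_ip, port) not in self.used:
                    self.used[(ext_ip, port)] = flow
                    return ext_ip, port
        return None   # every port on every external IP is taken: pool exhausted for all hosts


class OneToOnePool:
    """Each internal IP is mapped to its own external IP; ports are not changed."""

    def __init__(self, ext_ips: List[str]):
        self.free = list(ext_ips)
        self.mapping: Dict[str, str] = {}   # internal ip -> external ip

    def translate(self, flow: Flow) -> Translation:
        src_ip, src_port = flow[0], flow[1]
        if src_ip not in self.mapping:
            if not self.free:
                return None   # no external IP left for a host that has none yet
            self.mapping[src_ip] = self.free.pop(0)
        return self.mapping[src_ip], src_port


class PortBlockPool:
    """Each internal IP is handed a fixed block of ports on an external IP. Once a
    host has used up its block its new sessions are refused, while other hosts
    keep their own blocks. Block size 64 follows the deck's figure."""

    def __init__(self, ext_ips: List[str], block_size: int = 64,
                 first_port: int = 1024, last_port: int = 65535):
        self.block_size = block_size
        self.free_blocks: List[Tuple[str, int]] = [
            (ext_ip, base)
            for ext_ip in ext_ips
            for base in range(first_port, last_port - block_size + 2, block_size)
        ]
        self.block_of: Dict[str, Tuple[str, int]] = {}   # internal ip -> (ext ip, base port)
        self.consumed: Dict[str, int] = {}                # internal ip -> ports used in its block

    def translate(self, flow: Flow) -> Translation:
        src_ip = flow[0]
        if src_ip not in self.block_of:
            if not self.free_blocks:
                return None
            self.block_of[src_ip] = self.free_blocks.pop(0)
            self.consumed[src_ip] = 0
        if self.consumed[src_ip] >= self.block_size:
            return None   # this host hit its limit; nobody else is affected
        ext_ip, base = self.block_of[src_ip]
        port = base + self.consumed[src_ip]
        self.consumed[src_ip] += 1
        return ext_ip, port


def rogue_vs_victim(pool, rogue: str = "10.0.1.66", victim: str = "10.0.1.20",
                    rogue_sessions: int = 200) -> Tuple[int, bool]:
    """Let the rogue host open many sessions, then try one session from the
    victim. Returns (sessions the rogue got NAT for, whether the victim did)."""
    rogue_ok = sum(1 for i in range(rogue_sessions)
                   if pool.translate((rogue, 20000 + i, "198.51.100.1", 80)) is not None)
    victim_ok = pool.translate((victim, 40000, "198.51.100.1", 443)) is not None
    return rogue_ok, victim_ok


if __name__ == "__main__":
    # One external IP with only 128 ports so the exhaustion is visible
    print("overload   :", rogue_vs_victim(OverloadPool(["203.0.113.10"], 1024, 1151)))
    print("one-to-one :", rogue_vs_victim(OneToOnePool(["203.0.113.10"])))
    print("port block :", rogue_vs_victim(PortBlockPool(["203.0.113.10"], 64, 1024, 1151)))
```

The block-per-host design also makes port block allocation auditable: given an external IP and port from a log at an upstream site, the block boundaries identify the internal host without walking a per-session table.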
Section 3 – Firewall Policies

 Virtual IP (VIP)
 Destination NAT objects
 Default type is static NAT (a 1:1 mapping of all ports)
 Can be restricted to forward only certain ports (port forwarding)
 VIPs should be routable on the external-facing (ingress) interface so return traffic comes back through the FortiGate
 Traffic Shaping aka QoS (Quality of Service)
 Rate limiting is configurable
 Inbandwidth and Outbandwidth (per interface)
 Forward traffic is subject to ToS/DSCP priority queuing
 Traffic shaping applied by a firewall policy may guarantee bandwidth, increase or decrease the priority queue, or drop packets (policing)
 Types:
 Shared shaper: applies a total bandwidth to all traffic using that shaper
 Per-IP shaper: bandwidth management per IP address
Section 3 – Firewall Policies

 NP Session Offloading & Packet Forwarding
 FortiGates with Network Processors (NP) offload packet handling from the CPU
 If the session can be offloaded to an available NP, the kernel sends the session information to the NP
 All subsequent packets in that session are forwarded by the NP and not the CPU, so their transmission is accelerated
 When the last packet is sent or received, such as a TCP FIN or a TCP RST, the NP returns the session to the CPU, which handles the tear-down
Section 3 - Q & A session
Which correctly define “Section View” and “Global View” to firewall policies?
(Choose Two)

A. Section View lists firewall policies primarily by their interface pairs
B. Section View lists firewall policies primarily by their sequence number
C. Global View lists firewall policies primarily by their interface pairs
D. Global View lists firewall policies by their policy sequence number
E. The ‘any’ interface may be used with Section View

Answer: (A) Section View…interface pairs, (D) Global View...policy sequence number
Section 3 - Q & A session
If you enable the option “Generate Logs when Session Starts”, what
effect does this have on the number of traffic log messages generated
for each session?

A. No traffic log message is generated
B. One traffic log message is generated
C. Two traffic log messages are generated
D. A log message is only generated if there is a security event

Answer: (C) Two traffic log messages are generated
Section 4
Firewall Authentication
Section 4 – Firewall Authentication

 What is Authentication?
 Confirms the identity of a user or device
 Once FortiGate identifies the user/device, it applies the right firewall policies and profiles to allow or deny access to each network resource
 Allows action based on the user, not just the IP address
 Inspection rules follow individuals across multiple devices

 Methods of Authentication
 Local password authentication
 Remote password authentication
 Two-factor authentication
 Enabled on top of an existing method
 Requires something you know and something you have
Section 4 – Firewall Authentication

 Local Password Authentication
 Local password authentication is based on user accounts stored locally on FortiGate
 For each account, a username and password (credentials) are stored

 Remote Server Authentication
 Accounts are stored on an external authentication server
 Administrators can either:
 Create an account for the user locally and specify the server that verifies the password, or
 Add the authentication server to a user group
 All users on that server become members of the group
Section 4 – Firewall Authentication

 Remote Server Authentication – Protocols
 Multiple protocols are supported for remote user authentication:
 POP3
 RADIUS
 LDAP (use LDAPS or STARTTLS so bind credentials do not cross the network in clear text)
 TACACS+

 Single Sign-On (SSO)
 FSSO, NTLM, and RSSO are supported
 Users who authenticate to a domain can leverage that existing authentication event for firewall authentication
 Users enter their credentials once and get access to multiple network resources without receiving additional prompts

 FSSO & RSSO
 FSSO: Fortinet proprietary communication framework for collecting and forwarding user login events to FortiGate devices
 RSSO: communication framework for sending RADIUS accounting packets containing login and logoff events to the FortiGate
Section 4 – Firewall Authentication

 Two-Factor Authentication (2FA)
 Strong authentication that improves security by preventing attacks associated with the use of static passwords alone
 Requires two independent ways of identifying a user:
 Something you know, such as a password or PIN
 Something you have, such as a token or PKI certificate
 One-Time Password (OTP) algorithms can be either time-based or event-based
 Methods of delivery used to send the OTP:
 FortiToken/FortiToken Mobile
 Email
 SMS

 Authentication Types
 Active
 The user receives a login prompt and must manually enter credentials to authenticate
 Used with LDAP, RADIUS, local, and TACACS+
 Passive
 The user does not receive a login prompt; credentials are determined automatically
 The method varies depending on the type of authentication used
 Used with FSSO, RSSO, and NTLM
Section 4 – Firewall Authentication

 Order of Operations
 When both active and passive authentication are enabled, the first method that can determine a user name is used
 If the user's identity cannot first be determined by passive means, active methods are employed

 Firewall Policy: Source
 A source is comprised of source address(es), source user(s)/groups, and/or source devices
 The firewall policy defines and matches traffic going from the source to the destination
 An IP address object is always required as part of the policy configuration for the source and the destination
 Users, user groups, and device information can be enabled in addition
 When enabled, they become part of the source definition for that policy
Section 4 – Firewall Authentication

 Firewall Policy: DNS
 DNS traffic is allowed through an authentication policy even if the user has not authenticated yet
 Hostname resolution is usually required before the HTTP/HTTPS/FTP/Telnet traffic with which a user can actually authenticate can even start
 The DNS service must be explicitly listed as a service in the policy

 Mixing Policies
 Enabling authentication on a single policy does not always force an active authentication prompt: if another policy without authentication also matches the traffic, it is used instead
 2 options:
 Enable authentication on every policy that could match the traffic
 Enable a captive portal on the ingress interface for the traffic
Section 4 – Firewall Authentication

 Captive Portal
 Network interfaces perform authentication at the interface level
 Convenient way to authenticate web users on wired or Wi-Fi
 Must be enabled on the ingress interface of the traffic
 Only ACTIVE authentication methods can use the captive portal
 Exceptions:
 An exempt list can be set up for devices that cannot use active authentication
 Example: printers, fax machines, game consoles
 Exempt devices bypass authentication entirely, so scope the exemption as narrowly as possible (specific addresses or devices, not whole subnets)

 Disclaimers
 Can be used in conjunction with the captive portal, if desired
 Not considered authentication or a captive portal
 Displays the Terms & Disclaimer agreement page before the user authenticates
 Neither a security exemption list nor a captive portal exemption on a firewall can bypass a disclaimer
Section 4 – Firewall Authentication

 Authentication Timeout
 Specifies how long a user can remain authenticated before having to authenticate again (default: 5 minutes)
 Ensures users do not authenticate and then stay in memory indefinitely
 Three options for timeout behavior:
 IDLE (default)
 Looks at the packets from the host's IP
 If the host generates no packets within the configured timeframe, the user is logged out
 HARD
 Regardless of the user's behavior, the timer starts as soon as the user authenticates and expires after the configured value
 NEW SESSION
 Even if traffic is still flowing on existing communication channels, the authentication expires if no new sessions are created through the firewall from the host within the configured timeout
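Added example (not FortiOS code) that replays one constructed activity timeline through the three timeout types above, using the 5-minute default, to show at which second each one logs the user out: a long-lived download keeps an idle-timeout user logged in, does nothing for a hard timeout, and does not help a new-session timeout. The event list, the checkpoints and the helper names are assumed for illustration.

```python
"""Replays one constructed host-activity timeline through the FortiGate
authentication timeout types (idle, hard, new-session). Added example,
not FortiOS code; the timeline is made up for illustration."""
from typing import Dict, List, Tuple

Event = Tuple[int, str]   # (seconds after login, "new" = new session opened, "pkt" = packet on an existing session)

DEFAULT_TIMEOUT = 300     # FortiOS default authentication timeout: 5 minutes

# Constructed timeline: a session is opened at 60 s, packets keep flowing on it
# until 400 s, and the host opens its next new session only at 900 s.
EVENTS: List[Event] = [(60, "new"), (120, "pkt"), (200, "pkt"),
                       (280, "pkt"), (400, "pkt"), (900, "new")]


def expires_at(mode: str, events: List[Event], timeout: int = DEFAULT_TIMEOUT, login: int = 0) -> int:
    """Second at which the authentication lapses, given the activity seen so far."""
    if mode == "hard":
        return login + timeout                                  # activity is irrelevant
    if mode == "idle":
        resets = [t for t, _ in events]                         # any packet from the host's IP resets the timer
    elif mode == "new-session":
        resets = [t for t, kind in events if kind == "new"]     # only a new session resets it
    else:
        raise ValueError(f"unknown timeout type: {mode}")
    last = login
    for t in sorted(resets):
        if t - last > timeout:
            return last + timeout                               # the timer ran out before this activity
        last = t
    return last + timeout


def is_authenticated(mode: str, events: List[Event], now: int,
                     timeout: int = DEFAULT_TIMEOUT, login: int = 0) -> bool:
    """Whether the user is still authenticated at `now`, considering only events up to then."""
    seen = [e for e in events if e[0] <= now]
    return now < expires_at(mode, seen, timeout, login)


def timeline(mode: str, events: List[Event] = EVENTS,
             checkpoints: Tuple[int, ...] = (250, 350, 500, 800)) -> Dict[int, bool]:
    """Authentication state at a few checkpoints, for side-by-side comparison of the modes."""
    return {t: is_authenticated(mode, events, t) for t in checkpoints}


if __name__ == "__main__":
    for mode in ("idle", "hard", "new-session"):
        print(f"{mode:12s} expires at {expires_at(mode, EVENTS):4d}s  {timeline(mode)}")
```

The new-session behaviour is the one that surprises people in practice: a user with a single long-lived connection (an RDP session, a large transfer) is de-authenticated at 360 s here even though packets are still flowing, and the next new connection gets a login prompt.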
Section 4 – Firewall Authentication

 Users and User Groups
 LDAP
 Application protocol for accessing and maintaining distributed directory information services
 Structure is similar to a tree
 RADIUS
 Protocol that provides Authentication, Authorization, and Accounting services (AAA)
 No tree structure
 Supported schemes:
 chap
 pap
 mschap
 mschap2
Section 4 – Firewall Authentication

[Figure: LDAP query configuration and RADIUS query configuration screenshots]
Section 4 – Firewall Authentication

 User Groups
 Firewall policies can be assigned per user group
 By assigning individual users to the appropriate user groups, you can control access to network resources
 Firewall user groups do not need to match any group that may already exist on a server

 Configuring Policies with Users
 The definition of a traffic source can include both the user account and the IP address
Section 4 – Firewall Authentication

 Monitoring Users
 After creating firewall policies, you can monitor the access of your firewall users
 User Monitor section in the GUI
 User & Device > Monitor > Firewall
 The User Monitor displays who has authenticated through the firewall policies of your FortiGate device
 Does include administrators
 Also allows you to de-authenticate one user or multiple users simultaneously
Section 4 - Q & A session
Which authentication scheme is not supported by the RADIUS
implementation on FortiGate?

A. CHAP
B. MSCHAP2
C. PAP
D. FSSO

Answer: (D) FSSO

Section 4 - Q & A session
Which best describes the authentication timeout?

A. How long FortiGate waits for the user to enter his or her credentials
B. How long a user is allowed to send and receive traffic before he or she
must authenticate again
C. How long an authenticated user can be idle (without sending traffic)
before they must authenticate again
D. How long a user-authenticated session can exist without having to
authenticate again

Answer: (C) How long an authenticated user can be idle (without sending traffic)
before they must authenticate again

Section 5
SSL VPN
Section 5 - SSL VPN

 What is a VPN?
 A secure logical network created between physically separated networks
 An SSL VPN establishes connectivity over SSL/TLS, which runs on top of TCP (Layer 4) at the session layer (Layer 5)
 The tunnelled information is encapsulated at Layers 6 & 7 (the highest levels of the OSI model), i.e. inside the HTTPS application stream

 Components of a VPN – authentication, encapsulation & encryption
 Types:
 PPTP, L2TP, SSL VPN, IPsec (PPTP is considered broken and should not be deployed)

 Benefits and advantages over a physical connection
 Inexpensive solution (no need for leased lines or linking cables via providers)
 Scalable
 Performance

 Characteristics of SSL VPN
 SSL VPNs are commonly used to secure web transactions
 Clients connect to a web portal and log in
 No special client software or configuration is needed (web mode)

 Authentication Methods
 Remote password authentication (RADIUS, LDAP)
 Two-factor authentication
 Local password authentication
Section 5 - SSL VPN

 SSL VPN Modes of Operation
 Web-only mode
 Provides remote users with a clientless, efficient way to access resources from any thin-client computer equipped with a web browser
 Comprised of an SSL daemon on the FortiGate that proxies access to services/resources (HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, Ping and SSH)
 Tunnel mode
 Users connect to the FortiGate via HTTPS and authenticate successfully
 The web portal is initiated and a tunnel is created (can also be initiated using FortiClient or a native OS VPN client)
 Users access resources (IP traffic is encapsulated over HTTPS)
 Port forwarding
 SSL VPN port forwarding listens on local ports on the user's computer
 When it receives data from a client application, the port forward module encrypts the data and sends it to the FortiGate, which then forwards the traffic to the application server
 Caveats
 The user must configure the application on the PC to point to the local proxy
 Doesn't support UDP or dynamically mapped ports
Section 5 - SSL VPN

 Split tunneling
 Ensures that only traffic for the private network is sent to the SSL VPN gateway
 Internet traffic is sent through the usual unencrypted route
 This conserves bandwidth and alleviates bottlenecks, but the remote host is then connected to the Internet and the corporate network at the same time, so endpoint controls and the security profiles on the VPN policy matter more

 Ways of Connecting in SSL VPN Tunnel Mode
 Using a browser – web portal access
 Using the standalone FortiClient SSL VPN client (the client's PC is assigned a virtual IP)

 Securing Access: Client Integrity Checking
 Detects client security applications recognized by the Windows Security Center (antivirus and firewall)
 Checks whether required software is installed on the connecting PC, e.g. FortiClient
Section 5 - SSL VPN

 Troubleshooting Tips
 No response from the URL when connecting to the portal
 Check the SSL VPN port assignment; also verify that the SSL VPN policy is configured correctly
 Also check the URL pattern: https://<FortiGate IP>:<Port>/remote/login (port # and FortiGate IP)
 FortiClient can't connect
 Check for compatibility
 Ensure you have the right remote gateway IP and port
 Ensure you have the proper authentication
 Tunnel connectivity or access issues
 Ensure there is a static route directing packets destined for the SSL VPN client address range to the SSL VPN interface (ssl.root)
 Examine the policy allowing VPN access to the destination network
 Ensure the traffic is matching the right ingress/egress interfaces
Section 5 – Q & A

Which statement is correct regarding SSL VPN Web-only mode?

A. IP traffic is encapsulated over HTTPS
B. Access to internal network resources is possible from the SSL VPN portal
C. It can only be used to connect to web services
D. The standalone FortiClient SSL VPN client can be used to establish Web SSL VPN

Answer: (B) Access to internal network resources is possible from the SSL VPN portal
Section 5 – Q & A

Which of the following authentication methods can be used for SSL VPN
authentication? (Choose three.)

A. Remote Password Authentication (RADIUS, LDAP)
B. Two-Factor Authentication
C. Local Password Authentication
D. FSSO
E. RSSO

Answer: (A) Remote Password Authentication (RADIUS, LDAP), (B) Two-Factor Authentication, (C) Local Password Authentication
Section 6
Basic IPSec VPN
Section 6 – Basic IPSec VPN
 What is IPsec VPN?
 Vendor-neutral protocol suite used to connect distinct networks separated by the Internet (Layer 3; RFC 2401, since replaced by RFC 4301)
 Benefits
 Authentication – verifies the identity of the peers (pre-shared keys, or signatures and certificates)
 Data integrity – ensures data hasn't been altered in transit (hashing / HMAC)
 Confidentiality – ensures only the intended recipient can read the message (encryption)
 IPsec Encapsulation Modes
 Tunnel mode – the entire packet is encrypted and becomes the data component of a new IP packet
 Transport mode – an IPsec header is inserted into the IP packet, and no new packet is created
 Route-based (interface-based)
 Traffic must be routed to the IPsec virtual network interface
 One firewall policy with action ACCEPT is required per direction (two policies for bidirectional traffic)
 In FortiOS 5.2+, the VPN wizard automatically adds the routes & policies
 Policy-based (tunnel-based)
 One firewall policy with action IPSEC is required – the policy is bidirectional
 Policy-based VPN settings are hidden in the GUI by default but always available in the CLI
Section 6 – Basic IPSec VPN

 IPsec Protocols
 Internet Key Exchange (IKE)
 Negotiates the authentication method and authenticates the peers
 Negotiates the SA parameters (algorithms, keys & protocol) and derives the keys
 Authentication Header (AH)
 Data origin authentication
 Data integrity
 Anti-replay
 Doesn't work through NAT (its integrity check covers the IP header, which NAT rewrites)
 Encapsulating Security Payload (ESP)
 All of the above, plus data encryption; works through NAT (with NAT traversal)
Section 6 – Basic IPSec VPN

 Phase 1
 Authenticates the peers, e.g. by PSK or signatures
 Negotiates a temporary IKE security association
 In IKEv1 there are two possible exchanges:
 Main mode – the IKE SA proposal is negotiated; 6 packets exchanged; peer identities are sent encrypted
 Aggressive mode – not negotiable; 3 packets exchanged; phase 1 fails if the responder doesn't accept the strict proposal. Identities travel in clear text and, with PSK, the responder's hash can be captured for offline dictionary attacks, so avoid aggressive mode with pre-shared keys
 Diffie-Hellman – key agreement method that produces the shared secret for the IKE SA
 FortiGate uses the shared secret + nonces to calculate the keys for encryption (3DES, AES) & authentication (HMACs)
 NAT Traversal
 Detects whether NAT devices exist on the path (if yes, IKE and ESP are encapsulated in UDP 4500 instead of UDP 500 and IP protocol 50)
Section 6 – Basic IPSec VPN

 Phase II
 Negotiates the IPsec SAs for ESP (one SA per direction) that protect the actual user traffic
 Phase 2 periodically renegotiates (rekeys) the SA; this limits how much traffic is protected by any one key
 Optionally, more Diffie-Hellman exchanges
 If Perfect Forward Secrecy (PFS) is enabled, a fresh DH exchange is performed in Quick Mode each time the session key expires, so the new key is not derived from the old one
 If an old key is compromised, traffic protected by later keys remains secure
 Quick Mode Selectors
 If multiple phase 2 definitions exist, the selectors (source/destination subnet, protocol, port) direct traffic to the right phase 2
 Allows granular security settings for each pair of LANs
 If traffic doesn’t match any IPsec SA selector, it is dropped
 Best Practices
 Prefer certificate authentication over pre-shared keys – a PSK is a single shared secret that has to be distributed to and kept in the configuration of every peer; if PSKs are used, make them long and random
 Do not use Diffie-Hellman Group 1 (768-bit) or Group 2 (1024-bit) – low key strength; use Group 14 (2048-bit) or stronger
 Use a strong encryption algorithm – AES (3DES is deprecated and should only remain for legacy peers)
 Use a strong hashing algorithm – SHA-256 or better instead of MD5 or SHA-1
 Reduce the lifetime of the Security Association and enable Perfect Forward Secrecy, so that each rekey uses an independent key

60
Section 6 – Q & A

Which of the following IKE modes is the one used during the IPsec phase 2
negotiation?

A. Aggressive mode
B. Quick mode
C. Main mode
D. Fast mode

Answer: (B) Quick Mode

61
Section 6 – Q & A

Which of the following statements is true regarding the differences between route-
based and policy-based IPsec VPNs? (Choose two.)

A. The firewall policies for policy-based are bidirectional. The firewall policies for
route-based are unidirectional
B. In policy-based VPNs the traffic crossing the tunnel must be routed to the virtual
IPsec interface. In route-based, it doesn’t
C. The action for firewall policies for route-based VPNs may be Accept or Deny, for
policy-based VPNs it is Encrypt
D. Policy-based VPN uses an IPsec interface, route-based does not.

Answer: (A), (C)

62
Section 7
Antivirus and Conserve Mode
Section 7: Antivirus & Conserve Mode
 What is malware?
 A category of software designed to harm or subvert a computing system/environment, e.g. by corrupting data, stealing information or giving an attacker control; some families are able to copy themselves
 Types of Malware
 Virus – Code injected into a host program or system that replicates when the infected file runs and often spreads by exploiting a vulnerability
 Trojan – Disguised as legitimate software; does not replicate on its own (e.g. Zeus)
 Worm – Replicates and spreads to other hosts over the network without user interaction (e.g. Conficker, Code Red)
 Grayware – Unwanted software that usually requires some kind of user interaction to install; often embedded in plug-ins or toolbars that track the user’s activity (adware, spyware)
 Evasion Techniques
 Polymorphism
 Polymorphic malware re-encrypts or re-encodes its body with a different key or decryptor on each infection, so the file’s hash and byte pattern change; comparing a file against millions of static signatures then becomes a challenge
 Metamorphism
 Metamorphic malware avoids detection by mutating into several variants
 Rewrites its own code with each infection (instruction substitution, reordering, junk code) while keeping the same behaviour

64
Section 7: Antivirus & Conserve Mode

 Signature Based
 Matches the file against the FortiGuard AV signature database; low false-positive rate, but only catches known malware
 Heuristics
 Looks for “virus-like” attributes/code (e.g. modifying the registry, encrypting files)
 If the score exceeds the “virus-like” threshold, the file is marked as suspicious (logged with the virus name “Suspicious”)
 Greater chance of false positives
 Sandboxing
 Can detect zero-day attacks with high certainty
 Files, including those larger than the oversize limit (default 10 MB) that cannot be scanned inline, are sent to an isolated environment where they are executed and their behaviour is inspected
 Proxy vs Flow-Based Scanning
 Proxy-based
 Buffers and scans the entire file, up to the maximum buffer size, and does not forward it until the scan is complete
 Transmits clean traffic; blocks infected traffic and can replace it with a block page
 Higher perceived latency
 Flow-based
 Buffers the file for scanning but forwards the packets to the client at the same time
 Packets are not delayed by the scan, except the last packet, which is held until the verdict is known
 If a virus is detected, the last packet is dropped and the connection is reset, so the client is left with an incomplete, unusable file
 Lower perceived latency

65
Section 7: Antivirus & Conserve Mode

 FortiGuard AntiVirus Database
 Regular Database
 Contains signatures for viruses that are currently in the wild
 Contains viruses detected in recent months (smallest database)
 Extended Database
 Regular database plus signatures for viruses that haven’t been detected for some time
 Extreme Database
 Detects all known viruses, including those for legacy operating systems such as DOS, Windows 95 and Windows 98
 FortiGuard Antivirus Profile
 Contains the settings for the inspection mode (proxy or flow) and the protocols to scan
 Defines what a FortiGate should do when it detects an infected file (block or monitor)
 Enable full SSL (deep) inspection in the policy so that encrypted payloads are decrypted before antivirus scanning; otherwise HTTPS downloads are not inspected

66
Section 7: Antivirus & Conserve Mode

 FortiGate enters “conserve mode” as a self-protection measure when a memory shortage occurs; while in conserve mode, new proxy-based sessions are passed or blocked uninspected according to the av-failopen setting
 Types of conserve mode
 Kernel – Not enough RAM available for the OS
 System – Occurs when system memory usage hits around 80% (exits at 70%)
 Proxy – Occurs when the proxy runs out of available connections
 How can the usage of the different memory sections be seen?
 “diagnose hardware sysinfo shm” reveals the shared memory counters and whether conserve mode is active
 “diagnose system top” displays the memory occupied in userspace by each process as a percentage of total memory
 What can be done to save memory?
 Reduce the number of firewall sessions (shorter session TTLs, fewer open sessions)
 Reduce the maximum file size for antivirus scanning (smaller buffers per session)
 Reduce logging and report generation (scheduled or on-demand reports are memory intensive)

67
Section 7 - Q & A

Files reported to be infected by the "Suspicious" virus were subject to which Antivirus
check?

A. Grayware
B. Virus
C. Sandbox
D. Heuristics

Answer: (D) Heuristics

68
Section 7 – Q & A

Which are the three different types of Conserve Mode that can occur on a FortiGate
device? (Choose three.)

A. Proxy
B. Flow
C. Kernel
D. System
E. Device

Answer: (A) Proxy, (C) Kernel, (D) System

69
Section 7 – Q & A
Files that are larger than the oversized limit are subjected to which Antivirus check?

A. Virus
B. Grayware
C. Sandbox
D. Heuristic

Answer: (C) Sandbox

70
Section 8
Explicit Proxy
Section 8 - Explicit Proxy
 What is a web proxy?
 Forwards requests from clients to websites
 May cache responses
 If a cached copy exists, the proxy is a shortcut: it responds itself with the cached content
 Two TCP connections required
 From client to proxy
 From proxy to server
 Types of proxies
 Implicit (transparent) Proxy
 Intercepts requests even though the traffic is not addressed to the proxy’s IP
 Proxy listens on port 80 and port 443 for traffic matching a policy
 Explicit Proxy
 Clients send requests to a configured proxy, not directly to the website
 Proxy listens for packets sent to its own IP and port number (often port 8080 or 4443; FortiGate’s default explicit HTTP proxy port is 8080)

72
Section 8 - Explicit Proxy
 How is an explicit proxy configured on the client?
 Browser proxy settings
 Manually configure the browser with one proxy’s IP (or FQDN) and port number
 Exceptions can be configured (hosts that bypass the proxy)
 Proxy Auto-Configuration (PAC)
 Supports more than one proxy
 A JavaScript function FindProxyForURL(url, host) in the PAC file defines how the browser chooses a proxy
 Specifies which traffic is sent to which proxy (or DIRECT)
 Configure each browser with the PAC file’s URL
 By default FortiGate hosts the PAC file at: http://<FG_IP>:<port>/proxy.pac
 Web Proxy Auto-Discovery (WPAD) protocol
 Allows the browser to automatically discover where the PAC file, and so the proxy, is located
 Two Methods
 DHCP Query
 Browser sends a DHCPINFORM request to the DHCP server
 The DHCP server replies with the PAC file’s URL (DHCP option 252)
 DNS Query
 Browser queries DNS for the hostname wpad in its own domain (e.g. wpad.example.com) and fetches http://wpad.example.com/wpad.dat
 Browser downloads the PAC file and accesses the web through the proxy it names
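Worked example (added here; not from the original deck or from Fortinet): a FortiGate explicit web proxy on TCP 8080 that hosts the PAC file at http://10.0.0.1:8080/proxy.pac, plus the WPAD DHCP method, where option 252 hands that URL to clients (the DNS method instead expects the file at http://wpad.<domain>/wpad.dat on port 80). The PAC body sends plain hostnames, *.corp.example and 10.0.0.0/8 DIRECT and everything else to the proxy. The interface name, addresses, domain and PAC logic are assumptions; the syntax is FortiOS 5.x CLI, and the PAC function is written on one line so that it fits in a quoted CLI string.

```fortios
# Added example: FortiGate explicit web proxy hosting a PAC file, with WPAD
# advertised through DHCP option 252. Names, addresses and the PAC content
# are assumptions for illustration (FortiOS 5.x CLI).

# Listen for explicit proxy requests on TCP 8080 and serve the PAC file at
# http://10.0.0.1:8080/proxy.pac. The PAC body is one JavaScript function:
# internal hosts go DIRECT, everything else uses the proxy, with DIRECT as
# the fallback if the proxy does not answer.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set pac-file-server-status enable
    set pac-file-name "proxy.pac"
    set pac-file-data "function FindProxyForURL(url, host) { if (isPlainHostName(host) || dnsDomainIs(host, \".corp.example\") || isInNet(host, \"10.0.0.0\", \"255.0.0.0\")) { return \"DIRECT\"; } return \"PROXY 10.0.0.1:8080; DIRECT\"; }"
end

# Enable the explicit proxy on the interface where the clients live.
config system interface
    edit "internal"
        set explicit-web-proxy enable
    next
end

# WPAD, DHCP method: option 252 carries the PAC URL. A client that sends a
# DHCPINFORM asking for this option downloads the PAC file from it.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 10.0.0.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.0.100
                set end-ip 10.0.0.200
            next
        end
        config options
            edit 1
                set code 252
                set type string
                set value "http://10.0.0.1:8080/proxy.pac"
            next
        end
    next
end
```

The trailing DIRECT in the PAC return value lets browsers go straight to the internet if the proxy stops answering. If the proxy is meant to be the only egress, the firewall policies for the client subnet must not allow direct web access; otherwise the fallback silently bypasses inspection.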

73
Section 8 - Explicit Proxy

 Proxy with Web Cache
 Upon the first request, the cache keeps a copy of the web content
 Subsequent requests for the same web content are served from the cache
 Benefits
 Improves WAN bandwidth usage
 Reduces server load
 Increases perceived responsiveness

74
Section 8 – Q & A

Which of the following are benefits of using web caching? (Choose three.)

A. Decrease bandwidth utilization
B. Reduce server load
C. Reduce FortiGate CPU usage
D. Reduce FortiGate memory usage
E. Decrease traffic delay

Answer: (A) Decrease Bandwidth Utilization, (B) Reduce Server Load, (E)
Decrease Traffic Delay

75
Section 8 – Q & A

Which of the following statements is true regarding the TCP SYN packets that
go from a client, through an implicit web proxy (transparent proxy), to a web
server listening at TCP port 80? (Choose three.)

A. The source IP address matches the client IP address
B. The source IP address matches the proxy IP address
C. The destination IP address matches the proxy IP address
D. The destination IP address matches the server IP addresses
E. The destination TCP port number is 80

Answer: (A) The source IP address matches the client IP address, (D) The
destination IP Address matches the server IP Addresses, (E) The destination
TCP port number is 80

76
Section 9
Web Filtering
Section 9 – Web Filtering
 Web Filtering
 Controls or tracks web activity
 Reasons For Web Filtering
 Decrease exposure to web-based threats (malware, phishing)
 Prevent network congestion
 Prevent copyright infringement
 Uphold compliance/regulatory standards
 Web Filtering Inspection Methods
 Proxy-Based Filtering
 Intercepts client-server communication at layer 7
 Inspects the full URL and can serve a custom block page
 More resource intensive, as traffic is buffered
 Flow-Based Filtering
 Intercepts communication at layer 3 and works with layer 4 data and the payload as it streams through (IPS engine)
 Doesn’t reassemble the actual files, so content cannot be sent to the scanunit process
 Higher throughput than proxy-based
 DNS-Based Filtering
 Uses FortiGuard DNS rating queries on the domain name to decide access; only the hostname is rated, not the full URL
 Very lightweight, as SSL inspection isn’t required (the DNS query is plaintext)
 No block page is triggered (if blocked, the browser receives a connection reset)

78
Section 9 – Web Filtering
 FortiGuard Category Filter
 Split into multiple categories and sub-categories
 Layout changes periodically as the internet changes
 New categories and sub-categories are released and become available with updated firmware
 Possible FortiGuard actions:
 Allow
 Monitor
 Block
 Warning
 Authenticate
 Live connection to FortiGuard and a subscription license are required
 UDP port 53 is used for FortiGuard rating queries (alternate port 8888)
 7-day grace period after license expiration
 Larger FortiManager models can act as a local FortiGuard server instead of the public FortiGuard network (uses port 80)

79
Section 9 – Web Filtering
 Static URL Filtering
 Controls web access by creating exceptions that are checked before FortiGuard category filtering
 Match types: simple, wildcard, regular expression
 Possible Static URL filter actions are:
 Allow, Monitor, Block, Exempt (Exempt skips all further web filter and antivirus inspection for that URL, so use it carefully)
 Web Rating Override
 Can bypass the FortiGuard rating
 Reassigns a hostname to a different category locally
 Changes are not submitted to FortiGuard services
 FortiGuard Quota
 Can be used to limit the time (or bandwidth) users spend on websites in selected categories
 By default tracked per user ID, otherwise per source IP
 Can apply to categories with action: Monitor, Warning, or Authenticate
 Fortinet Bar
 Provides direct feedback to the user on quota usage
 Applicable ONLY to HTTP traffic
 Safe Search
 Rewrites the search engine URL to enable the engine’s safe-search option
 SSL inspection should be enabled, since the major search engines use HTTPS
 YouTube EDU redirect – Appends a unique identifier and redirects YouTube searches to the configured YouTube EDU profile
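Worked example (added here; not part of the original deck and not from Fortinet's documentation): a static URL filter that shows all four actions and all three match types, attached to a web filter profile. The comments make the deck's distinction between Exempt and Allow concrete: Exempt skips the remaining web filter steps and antivirus for that URL, while Allow only marks the URL as permitted at this step and passes it on to FortiGuard category rating and antivirus. Names and hostnames are assumptions; the syntax is FortiOS 5.x CLI.

```fortios
# Added example: static URL filter evaluated before FortiGuard category
# rating, attached to a web filter profile (FortiOS 5.x CLI). Names and
# hostnames are assumptions for illustration.

config webfilter urlfilter
    edit 1
        set name "corp_urlfilter"
        config entries
            # Exempt: bypasses the rest of web filtering AND antivirus for
            # this host, so keep it to trusted internal/update servers only.
            edit 1
                set url "updates.corp.example"
                set type simple
                set action exempt
            next
            # Block: wildcard match covering an entire domain tree.
            edit 2
                set url "*.badexample.net"
                set type wildcard
                set action block
            next
            # Monitor: regex match, allowed but logged, e.g. any hostname
            # containing "pastebin".
            edit 3
                set url "^.*pastebin.*$"
                set type regex
                set action monitor
            next
            # Allow: explicitly permitted here, but the request still goes
            # through FortiGuard category rating and antivirus scanning.
            edit 4
                set url "partner.example.org"
                set type simple
                set action allow
            next
        end
    next
end

# Attach the URL filter table to the web filter profile used in policies.
config webfilter profile
    edit "corp_web"
        config web
            set urlfilter-table 1
        end
    next
end
```

Entries are evaluated in order; the first match decides, so place narrow exemptions above broad wildcard blocks. A Block entry for a hostname that is also needed by an allowed application is the usual source of "site works from home but not from the office" tickets, and the Monitor action is the cheap way to measure impact before switching an entry to Block.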
80
Section 9 – Q & A

Which of the following are possible actions for static URL filtering? (Choose
three.)

A. Allow
B. Block
C. Warn
D. Exempt
E. Shape

Answer: (A) Allow, (B) Block, (D) Exempt

81
Section 9 – Q & A

Which of the following statements are true regarding the web filtering modes?
(Choose two)

A. Proxy based mode allows for customizable block pages to display when
sites are prevented
B. Proxy based mode requires more resources than flow-based
C. Flow based mode offers more settings under the advanced configuration
section of the GUI
D. Proxy based mode offers higher throughput than flow-based mode

Answer: (A) Proxy based mode allows for customizable block pages to display when sites are prevented, (B) Proxy based mode requires more resources than flow-based
82
Section 9 – Q & A

Which of the following web filtering modes can inspect the full URL? (Choose
two.)

A. Proxy based
B. DNS based
C. NAT based
D. Flow based

Answer: (A) Proxy based, (D) Flow based

83
Section 10
Application Control
Section 10 - Application Control

 What’s application control?
 Detects and acts on network application traffic
 Facebook, Skype, Gmail, etc.
 Supports many applications and categories, including P2P
 Even when encapsulated by other protocols (e.g. HTTP)
 Encrypted encapsulation requires SSL/TLS/SSH deep inspection
 Supported actions:
 Shared and per-IP traffic shaping
 Block, Allow, Monitor, Quarantine
 Uses the IPS engine
 Not proxy-based: flow-based pattern matching
 Can detect applications even if users try to circumvent controls via an external proxy
 Can start at OSI Layer 2
 Uses byte flags to match Ethernet headers
 For higher layers, protocol-specific flags and generic strings

85
Section 10 - Application Control

 Why is P2P traffic so difficult to detect?
 Traditional protocols (HTTP, FTP…) have a client-server architecture
 Single server with large bandwidth serving many clients
 Uses predictable port numbers and a fixed server location, which is what NAT, port forwarding and firewall policies rely on
 Peer-to-peer protocols (BitTorrent, Skype, etc.)
 Each peer is a “server” with a small amount of bandwidth to share
 Too many peers to manage with individual firewall policies
 Does not depend on port forwarding, etc.
 Uses evasive techniques to bypass these limitations
 e.g. port randomization, NAT pinholes, encryption
 How does Application Control work on FortiGate?
 Compares traffic to known application patterns (flow-based)
 Only reports packets matched by an enabled pattern
 Custom application signatures can be created for unknown applications

86
Section 10 - Application Control
 Application Control Profile
 Detects categories and individual applications
 Configures the FortiGate action per category or application
 Applied to traffic via a firewall policy
 Catch-All Categories
 All Other Known Applications
 Applications that exist in the extended IPS database but don’t appear individually in the GUI
 All Other Unknown Applications
 Matches traffic that doesn’t conform to any application control signature
 Identifies the traffic as “Unknown Application” in the logs
 Custom Signature
 Written in the F-SBID syntax also used for custom IPS signatures, identifying the application name, protocol, ports, context and service

87
Section 10 – Q & A

Which of the following statements are true regarding application control? (Choose two.)

A. Application control is based on TCP destination port numbers
B. Application control is proxy based
C. Encrypted traffic can be identified by application control
D. Traffic shaping can be applied to the detected application traffic

Answer: (C) Encrypted traffic can be identified by the application control, (D)
Traffic shaping can be applied to the detected application traffic

88
Section 10 – Q & A

Which answer best describes what an "Unknown Application" is?

A. All traffic that matches the internal signature for unknown applications
B. Traffic that does not match the RFC pattern for its protocol
C. Any traffic that does not match an application control signature
D. A packet that fails the CRC check.

Answer: (C) Any traffic that does not match an application control signature

89
Section 11
Routing
Section 11 - Routing
 Static Route
 Manually configured routes
 Requires a destination, a gateway IP and an outgoing interface (device)
 Matches the destination IP against the appropriate route
 Dynamic Route
 Automatically created routes based on discovery from neighbouring routers
 Routing is based on destination IP
 Supported protocols: RIP, OSPF, BGP, IS-IS
 Multicast Route
 A source sends a single traffic stream to many receivers
 FortiGate can be configured as a multicast router
 Policy-Based Route
 More sophisticated than static and dynamic routes
 Can route by: protocol, source IP, source or destination ports, type of service
 Takes precedence over the routing table (checked first)
 Can forward traffic or stop policy routing and fall through to the regular routing table
 Blackhole Route
 Traffic is dropped
 Prevents unnecessary traffic to unused subnets, and stops traffic leaking out the default route when a VPN tunnel or a more specific route is down
 Unlike other routes, blackhole routes are designed to make networks unreachable
91
Section 11 - Routing
 Destination – IP address and netmask
 Gateway – Next-hop IP address and outgoing interface
 Distance (administrative distance)
 Estimates the trustworthiness of the route’s source (FortiGate defaults: 10 for static, 110 for OSPF, 120 for RIP)
 Varies based on how the route was learned
 If 2 routes to the same destination have different distances, only the lowest distance is loaded into the routing table
 Metric
 Used by dynamic routing protocols to determine the best route
 Different protocols count metric differently (hop count for RIP, cost for OSPF)
 If 2 routes have the same destination and distance, the lowest metric is loaded into the routing table
 Priority
 Used by static routes to determine the best route
 If 2 static routes have the same destination and distance, both are loaded into the routing table but only the lowest priority is used; the other is a standby
 Device – The interface the route applies to
 Routes are active only if the interface is both physically connected (link up) and administratively up

92
Section 11 - Routing

Routing table output (get router info routing-table all), annotated:
 Codes – legend that defines what the flags mean
 Flags – what kind of route this is (e.g. S static, C connected, O OSPF, B BGP, * candidate default)
 Each entry – Destination [distance/priority] via Gateway, Interface

93
Section 11 - Routing
 Equal Cost Multi-Path (ECMP)
 Used when multiple static, BGP or OSPF routes to the same destination have the same
 Distance
 Metric
 Priority
 Methods for choosing the route for each new session
 Source IP (default)
 Source and Destination IP
 Weighted Load Balancing
 Spillover (usage-based)
 Link Health Monitor
 Sends probes to a server to detect the health of the path through a gateway
 If the probes get no reply, all routes associated with that gateway are removed from the routing table until the probes succeed again
 Probe protocols
 HTTP
 ICMP (ping)
 TCP Echo and UDP Echo
 Does NOT measure jitter or latency

94
Section 11 - Routing
 Link Aggregation – A method of bundling multiple point-to-point links into one logical interface (IEEE 802.3ad/LACP)
 Achieves greater bandwidth
 Provides link redundancy
 WAN Link Load Balancing
 Group of links connected to multiple ISPs
 A virtual WAN link is created by the FortiGate and used in routes and policies like a single interface
 Only 1 virtual WAN link per VDOM
 Methods of Load Balancing
 Source IP
 Source and Destination IP Pair
 Weighted Round Robin
 Spillover
 Quality of the link can also be measured
 Similar to the Link Health Monitor
 Can measure jitter and latency

95
Section 11 - Routing

Reverse Path Forwarding (RPF, anti-spoofing)
 Protects against IP spoofing attacks
 Checks the source IP of the first packet of each session (and again whenever the route changes) against the routing table
 Loose Reverse Path Forwarding (default)
 Checks only that a route to the source IP exists through the interface the packet arrived on
 It does not matter whether a better route exists via another interface
 Strict Reverse Path Forwarding
 The source IP is checked to find the best route back to it
 The packet is allowed only if it arrived on the interface that holds the best route to its source; if a better route exists via another interface, the packet is dropped
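Worked example (added here; not from the original deck or from Fortinet): two default routes that illustrate the distance/priority rules from the route attributes slide, the ECMP mode selection, a link health monitor that withdraws the primary route when its gateway stops answering, and the strict RPF setting from this slide. Interface names and next-hop addresses are assumptions; the syntax is FortiOS 5.x CLI.

```fortios
# Added example: two default routes and how distance, priority, ECMP mode
# and RPF interact (FortiOS 5.x CLI). Interface names and next hops are
# assumptions for illustration.

# Same destination, same distance, different priority: BOTH routes are
# installed in the routing table, but only the lower priority (wan1) is
# used; wan2 takes over when the wan1 route disappears. Had the distances
# differed, the wan2 route would not be in the routing table at all.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end

# Link health monitor: ping the ISP gateway through wan1; after 3 missed
# probes every 5 seconds the wan1 routes are removed from the routing table,
# so the standby wan2 route actually carries traffic instead of wan1
# silently blackholing it. Routes return after 5 successful probes.
config system link-monitor
    edit "wan1_probe"
        set srcintf "wan1"
        set server "203.0.113.1"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 5
        set failtime 3
        set recoverytime 5
    next
end

# If both routes had EQUAL priority they would be ECMP; v4-ecmp-mode picks
# how sessions are spread across them (source-ip-based is the default).
# strict-src-check switches RPF from loose (default) to strict: a packet is
# dropped when its source is reachable via a better route on another
# interface, not merely when no route exists via the ingress interface.
config system settings
    set v4-ecmp-mode source-ip-based
    set strict-src-check enable
end
```

get router info routing-table all then shows both default routes, S* 0.0.0.0/0 [10/5] via 203.0.113.1, wan1 and [10/10] via 198.51.100.1, wan2, with only the [10/5] entry forwarding traffic. Before enabling strict RPF on a network with asymmetric paths, run diagnose debug flow on a sample of the traffic: sessions that strict mode would kill show up as "reverse path check fail, drop".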

96
Section 11 – Q & A

The exhibit shows two static routes to the same destination subnet 172.20.168.0/24. Which of the following statements correctly describes this static routing configuration? (Choose two.)
A. Both routes will show up in the routing table.
B. The FortiGate unit will evenly share the traffic to
172.20.168.0/24 between both routes.
C. Only one route will show up in the routing table.
D. The FortiGate will route the traffic to
172.20.168.0/24 only through one route.

Answer: (C),(D)

97
Section 11 – Q & A

Examine the network topology diagram in the exhibit; the workstation with the IP address 212.10.11.110 sends a TCP SYN packet to the workstation with the IP address 212.10.11.20. Which of the following sentences best describes the result of the reverse path forwarding (RPF) check executed by the FortiGate on the SYN packet? (Choose two.)
A. Packet is allowed if RPF is configured as loose.
B. Packet is allowed if RPF is configured as strict.
C. Packet is blocked if RPF is configured as loose.
D. Packet is blocked if RPF is configured as strict.

Answer: (A) Packet is allowed if RPF is configured as loose, (D) Packet is blocked if RPF is configured as strict

98
Section 12
Virtual Networking
Section 12 – Virtual Networking
 VLAN vs VDOM
 A VLAN turns one physical interface into many logical interfaces (802.1Q tagging)
 A VDOM turns one physical FortiGate into many logical firewalls, each with its own routing table, policies and interfaces
 VLAN Concepts
 NAT/Route Mode – VLANs are interfaces with their own IP addresses
 Transparent Mode – VLANs are just identifiers (tags) used to separate traffic
 VDOM Concepts
 VDOMs share the physical resources of the device
 When VDOMs are enabled, certain settings remain global (e.g. firmware, HA, FortiGuard)
 VDOMs can have their own administrators
 Inter-VDOM Links
 Connect different VDOMs via a pair of virtual interfaces
 Only works between NAT-NAT and NAT-Transparent VDOM pairs, not between two Transparent VDOMs
 Firewall policies and routes are required to pass traffic across the link
 Management VDOM
 Default is root
 Where system, alert and FortiGuard update traffic originates

100
Section 12 – Virtual Networking

Independent VDOM

101
Section 12 – Virtual Networking

Route Through Management VDOM

102
Section 12 – Virtual Networking

Mesh VDOM

103
Section 12 – Q & A

A FortiGate device is configured with four VDOMs: 'root' and 'vdom1' are in
NAT/route mode; 'vdom2' and 'vdom3' are in transparent mode. The
management VDOM is 'root'. Which of the following statements are true?
(Choose two.)
A. An inter-VDOM link between 'root' and 'vdom1' can be created.
B. An inter-VDOM link between 'vdom1' and 'vdom2' can be created.
C. An inter-VDOM link between 'vdom2 ' and 'vdom3' can be created.
D. Inter-VDOM link links must be manually configured for FortiGuard traffic.

Answer: (A) An inter-VDOM link between ‘root’ and ‘vdom1’ can be created, (B) An inter-VDOM link between ‘vdom1’ and ‘vdom2’ can be created

104
Section 12 – Q & A

A FortiGate unit has multiple VDOMs in NAT/route mode with multiple VLAN
interfaces in each VDOM. Which of the following statements is correct
regarding the IP addresses assigned to each VLAN interface?
A. Different VLANs can share the same IP address as long as they have
different VLAN IDs.
B. Different VLANs can share the same IP address as long as they are in
different physical interfaces.
C. Different VLANs can share the same IP address as long as they are in
different VDOMs.
D. Different VLANs can never share the same IP addresses.

Answer: (C) Different VLANs can share the same IP Address as long as they
are in different VDOMs
105
Section 13
Transparent Mode
Section 13 – Transparent Mode
 Modes of Operation
 NAT/Route Mode – Acts as an OSI Layer 3 router; interfaces have IP addresses
 Transparent Mode – Forwards based on MAC address as a transparent bridge; only a management IP is configured
 Transparent Bridge
 Learns MAC addresses and the interfaces used to reach them (MAC table)
 Splits the network into multiple collision domains
 Forwarding Domains / Broadcast Domains
 By default ALL interfaces in the VDOM are part of a single broadcast domain, regardless of VLAN
 Risk: broadcast storms
 Risk: MAC flapping (the same MAC learned on several interfaces)
 Breaking the broadcast domain into forwarding domains reduces the traffic
 Forwarding domains only flood broadcasts to interfaces in the same domain
 Port Pairing
 2 ports logically bound together: traffic entering one can only leave through the other, which makes configuration easier
 Prevents broadcast storm and MAC address flapping issues
 Spanning Tree Protocol (STP)
 Link management protocol for preventing Layer 2 loops
 FortiGates with switch interfaces (internal hardware switch) support STP
 Other FortiGate interfaces do not participate, but can be configured to forward or block STP BPDUs (stpforward)

107
Section 13 – Q & A

Which of the following statements is correct regarding FortiGate interfaces and spanning tree protocol? (Choose two.)
A. Only FortiGate switch interfaces participate in spanning tree.
B. All FortiGate interfaces in transparent mode VDOMs participate in
spanning tree.
C. All FortiGate interfaces in NAT/route mode VDOMs participate in
spanning tree.
D. All FortiGate interfaces in transparent mode VDOMs may block or
forward BPDUs.

Answer: (A) Only FortiGate switch interfaces participate in spanning tree, (D)
All FortiGate interfaces in transparent mode VDOMs may block or forward
BPDUs
108
Section 13 – Q & A

Which of the following statements are correct concerning layer 2 broadcast domains in transparent mode VDOMs? (Choose two.)
A. The whole VDOM is a single broadcast domain even when multiple
VLAN are used.
B. Each VLAN is a separated broadcast domain.
C. Interfaces configured with the same VLAN ID can belong to different
broadcast domains.
D. All the interfaces in the same broadcast domain must use the same
VLAN ID.

Answer: (A) The whole VDOM is a single broadcast domain even when
multiple VLANs are used, (C) Interfaces configured with the same VLAN ID
can belong to different broadcast domains
109
Section 14
High Availability
Section 14 – High Availability
 HA requirements
 2 to 4 FortiGates that are the same in
 Model
 Firmware version
 Operating mode (NAT/Route or Transparent) and licensing level
 At least 1 heartbeat link; multiple links are recommended (directly connected or on an isolated switch)
 Uses FGCP (FortiGate Clustering Protocol)
 Heartbeat packets are Layer 2 frames (Ethertype 0x8890); configuration synchronization between members runs over the heartbeat links on TCP 703
 Detects the state of the FortiGate devices in the HA cluster
 Elects the primary
 The same interface on each FortiGate is attached to the same switch/network segment
 HA Modes of Operation
 Active-Passive – Only the primary (master) device processes traffic
 Active-Active – Multiple devices process traffic
 Determining the primary device
 Override disabled (default configuration)
 Compared in order: number of monitored interfaces up, uptime, priority, serial number (uptime differences smaller than the 5-minute default margin are ignored)
 ‘diagnose sys ha reset-uptime’ resets a member’s uptime so the election falls through to priority
 Override enabled
 Compared in order: monitored interfaces, priority, uptime, serial number, so the highest HA priority normally determines the primary device
 Easiest way to change the primary is to change the HA priority

111
Section 14 – High Availability
 Tasks of each device
 Primary
 Sends ‘HELLO’ heartbeat packets to the secondary devices
 Synchronizes the configuration, routing table, DHCP leases and session information to the secondaries for failover
 Active-Active – Distributes traffic among the devices in the cluster
 Secondary
 Monitors the ‘HELLO’ messages from the primary
 Active-Active – Processes traffic distributed to it by the primary
 Failover
 Types of Failover
 Device – The primary stops sending heartbeat messages
 Link – A monitored interface on the primary goes down
 What happens during failover
 A log event is generated; e-mail alerts and SNMP traps can also be generated
 The virtual MAC addresses move from the old primary to the newly elected primary
 Gratuitous ARP is sent so that switches and hosts learn that the virtual MAC is now reachable through a different device
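Worked example (added here; not from the original deck or from Fortinet): the HA configuration for a two-node active-passive FGCP cluster covering the points above: dedicated heartbeat links, monitored interfaces for link failover, override left disabled so the default election order applies, and session pickup so established sessions survive the failover. Group name, password, interface names and priority values are assumptions; the syntax is FortiOS 5.x CLI.

```fortios
# Added example: two-node active-passive FGCP cluster (FortiOS 5.x CLI).
# Group name, password, interface names and priorities are assumptions
# for illustration; run the same block on both units, changing only
# "priority".

config system ha
    set group-name "edge-cluster"
    set mode a-p
    # Shared secret that authenticates heartbeat traffic between members.
    set password "replace-with-a-strong-shared-secret"
    # Two dedicated heartbeat links; the number is the heartbeat priority.
    set hbdev "port3" 50 "port4" 50
    # Link failover: a monitored interface going down on the primary
    # triggers an election. Monitor only interfaces that carry traffic.
    set monitor "wan1" "internal"
    # Override disabled (default): election order is monitored ports,
    # uptime, priority, serial number, so the unit that has been up longest
    # stays primary when the other member recovers (no flap-back).
    set override disable
    # Priority only decides when the earlier criteria tie; with override
    # enabled it would be compared before uptime.
    set priority 200
    # Synchronize sessions so established TCP connections survive failover.
    set session-pickup enable
end
```

Apply the same block on the second unit with a lower priority (for example 100). get system ha status lists the members and which one is primary; diagnose sys ha reset-uptime on the current primary clears its uptime advantage so that the election falls through to priority, which is the deck's way of moving the primary role without enabling override.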

112
Section 14 – High Availability

 Virtual Cluster
 Allows a FortiGate to be the primary for some VDOMs and the secondary for other VDOMs at the same time
 Can be used for load balancing by sending the traffic of different VDOMs to different FortiGates
 Allows failover per VDOM across FortiGates
 FortiGate Session Life Support Protocol (FGSP)
 Synchronizes sessions between 2 FortiGates in standalone mode (not an FGCP cluster)
 Configured per VDOM
 Simpler to configure than HA because traffic redirection is done by external load balancers, not by the FortiGates
 By default only TCP sessions are synchronized; UDP, ICMP and NAT session synchronization can be enabled

113
Section 14 – Q & A

Which of the following statements are correct concerning the FortiGate session life support protocol? (Choose two.)
A. By default, UDP sessions are not synchronized.
B. Up to four FortiGate devices in standalone mode are supported.
C. Only the master unit handles the traffic.
D. Allows per-VDOM session synchronization.

Answer: (A) By default, UDP sessions are not synchronized, (D) Allows per-VDOM session synchronization

114
Section 14 – Q & A

What are the default criteria for selecting the HA master unit in an HA cluster?
A. port monitor, priority, uptime, serial number
B. port monitor, uptime, priority, serial number
C. priority, uptime, port monitor, serial number
D. uptime, priority, port monitor, serial number

Answer: (B) port monitor, uptime, priority, serial number

115
Section 15
Advanced IPSec VPN
Section 15 – Advanced IPSec
 VPN Configuration Wizard
 Automatically configures the IKE phase 1 and phase 2 settings, plus the addresses, routes and policies
 Types of Peers (remote gateway)
 Static IP – Can be initiator or responder
 Dynamic DNS – Dynamic IP that can be resolved through DNS; can be initiator or responder
 Dialup – Dynamic IP that cannot be resolved; can only be the initiator (the FortiGate is the responder)
 VPN Topologies
 Point-to-point
 Dialup – Point to multipoint
 Hub and Spoke – Multiple sites connecting to a single site
 Meshed – All sites are connected to multiple other sites

117
Section 15 – Advanced IPSec
 Remote Gateway
 Point-to-multipoint configurations use Dialup User
 Point-to-point configurations use Static IP Address or Dynamic DNS
 Hub and Spoke – Multiple sites connecting to a single site (the hub uses Dialup User when the spokes have dynamic IPs)
 Meshed – All sites are connected to multiple other sites
 Mode Config – Similar to DHCP, lets dial-up clients obtain network settings (IP address, DNS) for the IPsec network
 NAT Traversal – Required if clients are behind a NAT device
 IKE Mode (IKEv1)
 Main
 Aggressive
 Extended Authentication (XAUTH)
 Happens between phase 1 and phase 2
 Requires a username and password to be provided
 Stronger authentication than just a pre-shared key
 Quick Mode Selectors (Phase 2)
 The source and destination should match all the local and remote IP subnets that need to use the tunnel; 0.0.0.0/0 is a catch-all that matches everything

118
Section 15 – Advanced IPSec

Main Mode
 6 packets exchanged
 Packet 1 – Initiator suggests tunnel security policy (proposals)
 Packet 2 – Responder selects a security policy
 Packet 3 – Initiator sends key (DH public value and nonce)
 Packet 4 – Responder sends key
 Packet 5 – Initiator sends Peer ID and hash (encrypted)
 Packet 6 – Responder sends Peer ID and hash (encrypted)
 Used when the initiator’s source IP is fixed

Aggressive Mode
 3 packets exchanged
 Packet 1 – Initiator suggests tunnel security policy and sends key and Peer ID
 Packet 2 – Responder selects the security policy and replies with key, Peer ID and hash payload
 Packet 3 – Initiator sends hash payload
 Can be used when the initiator’s source IP is not fixed (dialup)
 Peer ID is sent in the clear and the PSK-based hash is exposed to offline guessing; XAUTH makes it more secure

119
Section 15 – Advanced IPSec
 The most common issue is a settings mismatch between the peers
 Check the debug output on the responder side (diagnose debug application ike -1, then diagnose debug enable)
 The initiator side only shows what the initiator sends
 Most of the useful information (which proposal or ID was rejected) comes from the responder
 If the tunnel is up (diagnose vpn tunnel list shows the SAs) but traffic is still not seen in the tunnel, the issue is likely related to routing or to the firewall policies

120
Section 15 – Q & A

Which of the following combinations of two FortiGate device configurations (side A and
side B), can be used to successfully establish an IPsec VPN between them? (Choose
two.)
A. Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B:
aggressive Mode, remote Gateway as static IP address, policy-based VPN.
B. Side A: main mode, remote gateway as static IP Address, policy-based VPN. Side B:
main mode, remote gateway as static IP address, route-based VPN.
C. Side A: main mode, remote gateway as static IP address, route-based VPN. Side B:
main mode, remote gateway as dialup, route-based VPN.
D. Side A: main mode, remote gateway as dialup, policy-based VPN. Side B: main mode,
remote gateway as dialup, policy-based VPN.

Answer: (B),(C)

121
Section 15 – Q & A

What is required in a FortiGate configuration to have more than one dialup IPsec VPN using aggressive mode?
A. All the aggressive mode dialup VPNs MUST accept connections from
the same peer ID.
B. Each peer ID MUST match the FQDN of each remote peer.
C. Each aggressive mode dialup MUST accept connections from different
peer ID.
D. The peer ID setting must NOT be used.

Answer: (C) Each aggressive mode dialup MUST accept connections from
different peer ID

122
Section 16
Intrusion Protection System
Section 16 – Intrusion Protection Systems

Types of attacks

 Anomaly
 Can be a zero-day attack or protocol errors
 Detected by behavioral analysis
 Heuristics and statistics
 Rate-based signatures and DoS policies in the GUI
 Examples:
 Abnormally high rate of traffic (DoS/flood)
 Use of unhandled errors
 Inappropriate commands for the network

 Exploit
 A known, confirmed attack
 Detected when the packet matches the signature pattern
 Pattern-based signatures in the GUI
 Similar to AV signatures

124
Section 16 – Intrusion Protection Systems

FortiGuard
 IPS Package
 IPS Engine
 IPS Signatures
 Signature Database
 Which database to use
 Regular – Common attacks with no or rare false positives
 Extended – Regular plus everything else; enabled by default on devices with CP8 processors (needs more memory and CPU)
 Each signature has a default action
 Severity level often correlates to the attack’s CVSS v2 rating
 There are exceptions: all remote code execution signatures are marked high or critical severity
 Protocol Decoder
 Parses packets to determine the protocol
 Protocol detection is generally not port dependent
 FortiGuard provides automatic updates to the signature packages
 The FortiGuard website provides information regarding vulnerabilities and threats to network security

125
Section 16 – Intrusion Protection Systems
 Zero Days
 Exploits for unknown vulnerabilities
 Detecting Zero Day attacks requires knowing your network baselines
 Custom IPS Signatures can protect against new attacks when detected
 Custom Signatures
 Start with ‘F-SBID{‘ followed by a list of keywords
 The first keyword is always the name
 Protocol keyword should be included to prevent false positives with lower-level
protocols
 Attack ID is automatically generated and thus does not need to be included
 FortiGate IPS
 Does not test each signature individually. Instead, a decision tree is used
 The decision tree is loaded into RAM, so enabling only the signatures that are needed
will increase system performance
 Hardware-accelerated anomaly detection also helps system performance

126
Section 16 – Intrusion Protection Systems
 DoS
 Goal: Consume so many resources the system cannot respond to legitimate traffic
 DoS sensor supports 4 protocols: TCP, UDP, ICMP, SCTP
 Flood Sensor – High Volumes of a particular protocol or signal (TCP Syn Flood)
 Sweep/Scan Sensor – Attempts to map which host ports respond to find possible
vulnerabilities (ICMP Sweep)
 Source Signature – Detects high volume of traffic from a source
 Destination Signature – Detects high volume of traffic to a destination
 One arm sniffer
 Uses SPAN/Mirror Port to monitor traffic
 No added latency
 Supported Profiles using IPS Engine
 Web Filter (Flow)
 Email Filter (Flow)
 Intrusion Protection
 Application Control
 Reason to use One-arm sniffer
 Easy way to demonstrate the capabilities of the FortiGate
 Non-disruptive deployment
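The four DoS-sensor checks listed above (flood, sweep/scan, source and destination volume) as toy detection logic run over constructed packet records. This is an added illustration, not FortiOS code; the thresholds, the field names and the sample traffic are all constructed for the demo.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet record (hypothetical; not a FortiOS structure)."""
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", "sctp": the four the DoS sensor covers
    dport: int = 0      # 0 for ICMP
    syn: bool = False   # TCP SYN without ACK


# Per-interval thresholds; constructed values, a real DoS policy sets its own.
THRESHOLDS = {
    "tcp_syn_flood": 20,    # destination signature: SYNs aimed at one host
    "icmp_sweep": 10,       # sweep: distinct hosts pinged by one source
    "tcp_port_scan": 10,    # scan: distinct ports on one host probed by one source
    "udp_src_session": 30,  # source signature: UDP packets from one source
}


def evaluate(packets, thresholds=THRESHOLDS):
    """Return {anomaly name: set of offending addresses} for one interval."""
    syn_by_dst = Counter(p.dst for p in packets if p.proto == "tcp" and p.syn)
    icmp_hosts = defaultdict(set)   # src -> hosts it pinged
    scan_ports = defaultdict(set)   # (src, dst) -> ports probed
    udp_by_src = Counter()
    for p in packets:
        if p.proto == "icmp":
            icmp_hosts[p.src].add(p.dst)
        elif p.proto == "tcp" and p.syn:
            scan_ports[(p.src, p.dst)].add(p.dport)
        elif p.proto == "udp":
            udp_by_src[p.src] += 1
    return {
        "tcp_syn_flood": {d for d, n in syn_by_dst.items() if n >= thresholds["tcp_syn_flood"]},
        "icmp_sweep": {s for s, h in icmp_hosts.items() if len(h) >= thresholds["icmp_sweep"]},
        "tcp_port_scan": {s for (s, _), ports in scan_ports.items()
                          if len(ports) >= thresholds["tcp_port_scan"]},
        "udp_src_session": {s for s, n in udp_by_src.items() if n >= thresholds["udp_src_session"]},
    }


def build_sample():
    """Constructed traffic: a little legitimate load plus three anomalies."""
    pk = [Packet(f"10.0.0.{i + 1}", "192.0.2.10", "tcp", 443, True) for i in range(5)]
    # SYN flood: 25 half-open attempts at the web server from many sources
    pk += [Packet(f"198.51.100.{i + 1}", "192.0.2.10", "tcp", 80, True) for i in range(25)]
    # ICMP sweep: one source pings 12 different hosts
    pk += [Packet("203.0.113.5", f"192.0.2.{i + 20}", "icmp") for i in range(12)]
    # Port scan: one source probes 15 ports on a single host
    pk += [Packet("203.0.113.9", "192.0.2.11", "tcp", port, True) for port in range(20, 35)]
    return pk


if __name__ == "__main__":
    for name, hits in evaluate(build_sample()).items():
        print(f"{name}: {sorted(hits) or '-'}")
```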

127
Section 16 – Intrusion Protection Systems

IPS Logs

128
Section 16 – Q & A

On your FortiGate 60D, you’ve configured firewall policies. They port forward traffic to your
Linux Apache web server. Select the best way to protect your web server by using the IPS
engine.
A. Enable IPS signatures for Linux servers with HTTP, TCP, and SSL protocols and Apache
applications. Configure DLP to block HTTP GET requests with credit card numbers.
B. Enable IPS signatures for Linux servers with HTTP, TCP, and SSL protocols and Apache
applications. Configure DLP to block HTTP GET requests with credit card numbers. Also
configure a DoS policy to prevent TCP SYN floods and port scans.
C. None. FortiGate 60D is a desktop model, which does not support IPS.
D. Enable IPS signatures for Linux and Windows servers with FTP, HTTP, TCP, and SSL
protocols and Apache and PHP applications.

Answer: (A) Enable IPS signatures for Linux servers with HTTP, TCP, and
SSL Protocols and Apache applications. Configure DLP to block HTTP GET
requests with credit card numbers
129
Question 3

 Which profiles could IPSEngine use on an interface that is in sniffer
mode? (Choose three.)
 A. Antivirus (flow-based)
 B. Web filtering (proxy-based)
 C. Intrusion protection
 D. Application control
 E. Endpoint control

Answer: (A) Antivirus (flow-based), (C) Intrusion Protection, (D) Application control

130
Section 17
Fortinet Single Sign On
Chapter 17 – Fortinet Single Sign-On

 Types of SSO: MS AD:
 Domain Controller (Agent Based)
 Polling Mode (Agent based or Agentless)
 Novell eDir (eDirectory agent based)


 For RSSO: RADIUS accounting notifies the firewall upon user logon and
logoff
 DC Agent mode requires:
 DC agent on DC to monitor Logon events
 Collector agent on Windows server to receive logon event info from DC agents
and forward to Fortigate
 Agent Based Polling mode:
 Requires collector agent installed on a Windows server; no DC agent required;
CA polls DC directly on port 445 for user logon events every few seconds
 Net API: Faster, but will miss some info if DC is under heavy load
 WinSec Log (Security Event log)
 Polls security events on the DC; log latency for large networks or if the system is slow
 Slower, but sees all logon events

132
Chapter 17 – Fortinet Single Sign-On

133
Chapter 17 – Fortinet Single Sign-On

 Agentless Polling mode:
 FortiGate directly polls DC
 Event logging must be enabled
 Only supports WinSec Logon
 NTLM is used as backup for FSSO only in Windows environments
 FortiGate initiates NTLM negotiation with the client's browser
 Does not require DC agents
 Not transparent to users, so web browser must support it

 Collector always uses DNS to look up IP of stations for Microsoft logons
 Must be able to poll workstations every few seconds
 Informs FSSO whether or not user is still logged in
 Remote registry service must be running on each workstation
 TCP ports 139 and 445 must be open
 If user is not part of any FSSO group during passive authentication, then auto added to
SSO_guest_group. Active authentication is forced if available as an option

134
Chapter 17 – Fortinet Single Sign-On

 AD Access mode:
 Standard: Domain\Username: Protection profile
applied only to user groups
 Advanced: LDAP convention
 Profile for User and User group
 Nested or inherited groups
 Fortigate must be configured as LDAP client

 From FSSO agent configuration application, we
can configure:
 Listening port for the communication with DC agents
 Listening port for the communication with the
Fortigate
 Enabling or disabling NTLM authentication
 Enabling pre-shared password authentication
between the collector agent and the Fortigate

135
Chapter 17 – Q & A

Which of the following FSSO agents are required for a DC agent mode solution? (Choose two.)

A. FSSO Agent
B. DC agent
C. Collector Agent
D. Radius Server
Answer: (B) DC Agent, (C) Collector Agent
What are the advantages of FSSO DC agent mode over FSSO polling mode? (Choose two.)

A. Redundancy in the collector agent.
B. Allows Transparent Authentication
C. DC agents are not required in the AD domain controller
D. Scalability
Answer: (A) Redundancy in the collector Agent, (D) Scalability

136
Section 18
Certificate Operations
Chapter 18 – Certificate Operation

 Secure Communication includes:
 Data Privacy: data is private while in transit
 Data integrity: data has not been modified
 Authentication: verify participant's identity
 Non-repudiation: participants cannot deny participation
 Symmetric Cryptography uses same key to encrypt and decrypt data. Ideal for bulk
data due to simplicity and faster processing
 Number of keys that must be managed increases with the size of the community
 Asymmetric Cryptography uses private and public keys both mathematically related
 Public keys can be distributed using email, secure web sites, public repositories, PKI server like CA
 Private keys must be stored in a secure and private place

 Digital Certificates identify the end entity
 Contains information about entity, including its public key
 Issued and signed by Certification Authority (CA)
 Public CAs: GoDaddy, Verisign, etc.

138
Chapter 18 – Certificate Operation

 CA certifies that requester info is valid and true in Digital certificate. Types of digital certificates:
 CA certificates: validates CA and contains CA public key
 Local Service Certificates: defines network services like HTTPS web portals or EAP 802.1X auth servers; contains network
service public key
 User certificates: identifies a user & contains user's public key

 Some fields in a digital certificate:
 Serial Number: Unique ID
 Subject (AKA issued to): The entity identified
 Signature Algorithm: The algorithm used to create the signature
 Signature: The CA signature encrypted with the CA’s private key
 Issuer: The CA that issued and signed the certificate
 Valid-From: The date the certificate starts to be valid
 Valid-To: The expiration date
 Key-Usage: Purpose of the public key
 Public-Key: The public key of the entity identified

139
Chapter 18 – Certificate Operation

 SSL Handshake:
 Client-Server exchange certs & validate
 Symmetric key exchange, decrypt using private key
 Decide on which protocols & ciphers to use for communication
 Asymmetric crypto used to exchange symmetric key valid only for that session

 Digital Certificate Generation
 Public half of the key is submitted to CA as a .CSR (Certificate Signing
Request)
 User information and key data is verified
 Digital certificate is published to public repository
 Certificate Revocation List:
 Contains the serial numbers of all certificates deemed untrustworthy
 Will always be checked before a certificate is used to ensure it is trusted
 CRLs must be manually kept up-to-date on the FortiGate

 Backing up and restoring certificates on FortiGate is done only through the
CLI and requires a TFTP server
 Keys and certificates are stored in a PKCS#12 file
 A configuration backup also contains the keys and certificates

140
Chapter 18 – Certificate Operation

 Fortigate requires the private key to decrypt and inspect SSL traffic
 Intercepts traffic from server and ‘re-signs’ with its certificate and key
 FortiGate acts as ‘Sub-CA’
 SSL Content Inspection requires a certificate that allows Fortigate to
issue certificates to any website. Requirements:
 “CA = True” or “Key Usage = KeyCertSign”

 FortiGate's default local certificate called 'Fortinet_CA_SSLProxy' is
issued by a private CA called "Fortigate CA"
 Some software has specific requirements for SSL
 Chrome requires a Google certificate when accessing any Google resources on
HTTPS
 HSTS: HTTP Strict Transport Security
 Inline SSL decoding works only if deep scanning is enabled and all
UTM features are flow based
 IPS engine is used for scanning traffic
 No session termination is performed
 SSL is decoded on the fly, rather than through man-in-the-middle, so this does
not break layer 3 communications
141
Chapter 18 – Certificate Operation

 Admin access can be further secured with certificates
 PKI users must be created from the CLI
 PKI users get added to a group
 Groups with PKI users are assigned to admin users

142
Chapter 18 – Certificate Operation Quiz

Which of the following statements describe some of the differences between symmetric and asymmetric
cryptography? (Choose two.)
A. In symmetric cryptography, the keys are publicly available. In asymmetric cryptography, the keys
must be kept secret.
B. Asymmetric cryptography can encrypt data faster than symmetric cryptography.
C. Symmetric cryptography uses one pre-shared key. Asymmetric cryptography uses a pair of keys.
D. Asymmetric keys can be sent to the remote peer via digital certificates. Symmetric keys cannot.
Answer: (C) Symmetric cryptography uses one pre-shared key. Asymmetric cryptography uses a pair of keys
Which of the following statements are true about PKI users created in a FortiGate device? (Choose two.)
A. Can be used for token-based authentication.
B. Can be used for two-factor authentication.
C. Are used for certificate-based authentication.
D. Cannot be members of user groups.

Answer: (B) Can be used for two-factor authentication, (C) Are used for certificate-based authentication

143
Section 19
Data Leak Protection
Chapter 19 – Data Leak Prevention
 DLP is for outbound traffic only
 Sensitive documents
 Account numbers
 Personal data, etc.

 DLP delegates scans to the appropriate processes (IPS, proxy, etc.); it does not directly
scan any traffic, and FortiGate applies the first matching criterion
 DLP actions: None, Log only, Block, Quarantine IP address
 For custom text/numbers, use RegEx with PCRE syntax
 File Filters
» File types: examine contents regardless of filename/extension
» File Name patterns: Examine & filter purely based on filenames.

145
Chapter 19 – Data Leak Prevention

 SSL/SSH inspection
 Certificate inspection
 Full Inspection

 Full inspection is a must for scanning
files. Supported file types are hard coded in
FortiOS
 DLP can record traffic ‘summary’ or even full
files:
 Email summary (from, to, size)
 Browsing summary (every URL)
 Full Archiving-> Log and copy of the traffic
 For short term only
 Resource intensive
 Enabled in CLI

146
Chapter 19 – Data Leak Prevention

 Fingerprinting
 DLP sensor blocks traffic if the fingerprint matches the sensor's sensitivity
level
 Identifies a specific document, not a name or file type
 FortiGate makes a checksum for each chunk of the file
 Checksums are stored in memory, even for large files
 If most chunks match, DLP positively identifies the file
 Can function even if the file is changed a little
 Default chunk size is 2800 bytes
 DLP sensor actions apply to all fingerprints with its sensitivity level.
 Default levels
 Critical
 Private
 Warning
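The fingerprinting mechanism described above (fixed-size chunks, a checksum per chunk, a match when most chunks agree, and a sensor action tied to a sensitivity level), as an added illustration that is not FortiOS code. The 2800-byte chunk size and the three level names come from the slide; the 60% match threshold, the class and function names and the sample documents are constructed.

```python
import hashlib
import random

CHUNK_SIZE = 2800  # FortiOS default chunk size stated on the slide


def chunk_hashes(data, chunk_size=CHUNK_SIZE):
    """Checksum every fixed-offset chunk; the last chunk may be shorter.
    Caveat: a byte inserted early shifts every later chunk boundary, so an
    in-place edit survives matching while an insertion mostly does not."""
    return {hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)}


class FingerprintDb:
    """Stored fingerprints: document name -> (sensitivity, chunk hash set)."""

    def __init__(self):
        self.docs = {}

    def add(self, name, data, sensitivity):
        self.docs[name] = (sensitivity, chunk_hashes(data))

    def best_match(self, data, min_ratio=0.6):
        """Return (name, sensitivity, ratio) for the stored document sharing
        the largest share of the candidate's chunks, or None below min_ratio."""
        cand = chunk_hashes(data)
        best = None
        for name, (sens, stored) in self.docs.items():
            ratio = len(cand & stored) / len(cand)
            if ratio >= min_ratio and (best is None or ratio > best[2]):
                best = (name, sens, ratio)
        return best


def sensor_decision(db, data, sensor_level, action="Block"):
    """A sensor rule applies its action to every fingerprint at its own
    sensitivity level; anything else gets the "None" action."""
    match = db.best_match(data)
    return action if match and match[1] == sensor_level else "None"


def make_document(seed, size=4 * CHUNK_SIZE):
    """Constructed pseudo-random document content (4 chunks by default)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def demo():
    db = FingerprintDb()
    original = make_document(1)
    db.add("payroll.xlsx", original, "Critical")
    db.add("newsletter.docx", make_document(2), "Warning")
    edited = bytearray(original)
    edited[3000] ^= 0xFF            # small in-place edit inside chunk 1 of 4
    return {
        "exact": sensor_decision(db, original, "Critical"),
        "edited": sensor_decision(db, bytes(edited), "Critical"),     # 3 of 4 chunks
        "other_level": sensor_decision(db, original, "Private"),      # level mismatch
        "unknown": sensor_decision(db, make_document(3), "Critical"),  # not fingerprinted
    }


if __name__ == "__main__":
    print(demo())
```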

147
Chapter 19 – Q & A

Which of the following network protocols can be inspected by the Data Leak Prevention profile? (Choose
three.)
A. SMTP
B. HTTP-POST
C. AIM
D. MAPI
E. ICQ

Answer: (A) SMTP, (B) HTTP-POST, (D) MAPI

148
Chapter 19 – Data Leak Prevention Quiz

Which of the following statements best describes what the Document Fingerprinting feature is for?
A. Protects sensitive documents from leakage.
B. Appends a fingerprint signature to all documents sent by users.
C. Appends a fingerprint signature to all the emails sent by users.
D. Validates the fingerprint signature included in users emails.

Answer: (A) Protects sensitive documents from leakage

149
Section 20
Diagnostics
Chapter 20 – Diagnostics

 Network diagrams are critical
» Physical: Cables, ports, devices
» Logical: VLANs, Subnets, Routing, App protocols
 SNMP and SIEM are more scalable as UDP traffic
 get system status
 Provides most general purpose information
 get system performance status
 Provides resource usage
 diagnose firewall statistic show
 Categorizes packets and bandwidth by application type
 diagnose hardware deviceinfo nic (for a given interface)
 Link speed and statistics for transmitted and received
bandwidth
 Physical MAC address
 Errors and collisions.
 If NPU is disabled then the session is processed by the CPU

151
Chapter 20 – Diagnostics

 Process states:
» S – Sleeping (killable)
» R – Running (killable)
» D – Do not Disturb/interrupt (not killable)
» Z – Zombie (not killable) -> requires a
reboot

152
Chapter 20 – Diagnostics Quiz

Which of the following outputs are for the diagnostic command 'diagnose hardware deviceinfo nic'?
(Choose two.)
A. ARP cache
B. Physical MAC address
C. Errors and collisions
D. Listening TCP ports
Answer: (B) Physical MAC Address, (C) Errors and Collisions
Which of the following commands are appropriate for investigating high CPU? (Choose two.)
A. diag sys top
B. diag hardware sysinfo mem
C. diag debug flow
D. get system performance status

Answer: (A) diag sys top, (D) get system performance status

153
Section 21
Hardware Acceleration
Chapter 21 – Hardware Acceleration

 Offload processing from CPU to efficient specialized processors called ASICs
 Network Processor (NP)
 Packet transmission and link aggregation
 NP6 offloads IPv4 and IPv6
 CAPWAP traffic (FortiAP and Extender), Multicast
 Supports logs, reports, SNMP
 Wired using ISF, so communication is possible without passing through CPU
 Requirements
 L2 must be IPv4, L3 must be IPv4, IPv6, NAT64, NAT46.
 L4 must be UDP, TCP, SCTP, ICMP
 F/W policy must not require AV, Antispam, content inspection.
 Multicast not supported by NP4
 A-A HA load balancing
 IPsec encryption/decryption and hashing
 Pre-IPS anomaly detection, basic traffic shaping, link aggregation
 'diag sys session list': shows offloaded sessions with NPU info
 For packet capture, always disable NP offloading

155
Chapter 21 – Hardware Acceleration

 Security Processor (SP)
 IP session processing
 IPv4 and IPv6 packet offloading
 IP multicast offload
 NAT64 offload
 Application processing (must ingress and egress on
same SP)
 Attack signature inspection
 Anomaly signature inspection
 Flow-based Antivirus signature inspection
 TCP SYN flood detection
 SP sends the connection to the kernel only after the client ACK is
received
 Ingress port must be bound to SP
 FortiGate acts as proxy for the 3-way TCP handshake: SYN,
SYN-ACK, ACK

156
Chapter 21 – Hardware Acceleration
 Content Processor (CP)
 CP4: All kinds of cryptography and key operations related to IPsec Phase 2
 CP6: SSL VPN and SSL/TLS inspection
 CP8: IPS pattern matching with over 10Gbps throughput
 Cascade interface for processor extension (multiple CP8)

 System on a Chip (SoC)
 CP + NP
 Energy-efficient: cost-effective, greener, suitable for desktop/small
office
 VPN module  IPsec engine + SSL/TLS engine + RNC
 NPLite module for packet classification and stats counting
 IPS DFA module

157
Chapter 21 – Hardware Acceleration Quiz

Which statement best describes what the FortiGate hardware acceleration processors' main task is?
A. Offload traffic processing tasks from the main CPU.
B. Offload management tasks from the main CPU.
C. Compress and optimize the network traffic.
D. Increase the maximum bandwidth available in a FortiGate interface.

Answer: (A) Offload traffic processing tasks from the main CPU

Which of the following traffic shaping functions can be offloaded to a NP processor? (Choose two.)
A. Queue prioritization
B. Traffic cap (bandwidth limit)
C. Differentiated services field rewriting
D. Guarantee bandwidth

Answer: (A) Queue Prioritization, (B) Traffic Cap (bandwidth limit)

158
Chapter 21 – Hardware Acceleration Quiz

Which statement best describes what a Fortinet System on a Chip (SoC) is?
A. Low-power chip that provides general purpose processing power.
B. Chip that combines general purpose processing power with Fortinet's custom ASIC technology.
C. Light-version chip (with fewer features) of a SP processor.
D. Light-version chip (with fewer features) of a CP processor

Answer: (B) Chip that combines general purpose processing power with Fortinet's custom ASIC technology

159
Section 22
IPV6
Chapter 22 – IPv6
 IPv6  128 bit identifiers
 Unicast identifier for single interface; 64 subnet & 64 interface ID
 Anycast for a set of interfaces (packet delivered to nearest interface)
 Allocated from the unicast address space
 Multicast for a set of interfaces (packet delivered to all interfaces)
 Neighbor Discovery Protocol (NDP)
 For Nodes:
 Address resolution and Neighbor reachability
 Link layer address changes
 For Hosts:
 Discover neighbor routers
 Auto-config address, prefix and other parameters
 For Routers:
 Advertise their presence, on-link prefixes, and host config parameters
 Maintain next-hop info
 NDP replaces ARP, ICMPv4 router discovery & ICMPv4 redirect

161
Chapter 22 – IPv6
 AutoConfiguration
 Is stateless
 ICMPv6 used to deliver IP address
 Duplicate Address Detection mechanism
 Link Local is the first address generated, connecting the
node to its own private network
 While using Auto Config, DHCPv6 may be used to
provide DNS and other values.
 IPv6 Transition techniques
 Dual stack where IPv4 and IPv6 coexist on the same
device
 Translation between IPv6 and IPv4 addresses, such as
NAT64 and DNS64
 Tunneling of IPv6 traffic in IPv4 traffic such as 6in4
 AH and ESP are mandatory and integral in IPv6
 FortiOS supports IPv6 versions of dynamic routing
protocols
 NAT64: IPv6 to IPv4 translation
 Source v6  destination v4
162
Chapter 22 – Q & A

Which of the following are valid address types in IPv6? (Choose three.)
A. Unicast
B. Anycast
C. Multicast
D. Broadcast
E. Allcast

Answer: (A) Unicast, (B) Anycast, (C) Multicast

Neighbor Discovery replaces which IPv4 mechanisms? (Choose two.)
A. DHCP
B. ICMP redirect
C. ARP
D. OSPF

Answer: (B) ICMP redirect, (D) OSPF

163