Pass the Fortinet Fortinet Network Security Expert FCP_FGT_AD-7.4 Questions and answers with CertsForce

When SSL certificate inspection is enabled on a FortiGate device, the system uses the following three pieces of information to identify the hostname of the SSL server:

Server Name Indication (SNI) extension in the client hello message (B):The SNI is an extension in the client hello message of the SSL/TLS protocol. It indicates the hostname the client is attempting to connect to. This allows FortiGate to identify the server's hostname during the SSL handshake.

Subject Alternative Name (SAN) field in the server certificate (C):The SAN field in the server certificate lists additional hostnames or IP addresses that the certificate is valid for. FortiGate inspects this field to confirm the identity of the server.

Subject field in the server certificate (D):The Subject field contains the primary hostname or domain name for which the certificate was issued. FortiGate uses this information to match and validate the server’s identity during SSL certificate inspection.

The other options are not used in SSL certificate inspection for hostname identification:

Host field in the HTTP header (A):This is part of the HTTP request, not the SSL handshake, and is not used for SSL certificate inspection.

Serial number in the server certificate (E):The serial number is used for certificate management and revocation, not for hostname identification.

References

FortiOS 7.4.1 Administration Guide -SSL/SSH Inspection, page 1802.

FortiOS 7.4.1 Administration Guide -Configuring SSL/SSH Inspection Profile, page 1799.

In this scenario, the FortiGate device is using a Virtual IP (VIP) to map the public IP address (203.0.113.2) to the internal IP address of the web server (172.16.1.10). The fact that the administrator does not see any sniffer output for incoming traffic suggests that the FortiGate is not responding to ARP requests for the public IP address (203.0.113.2).

Enabling arp-reply in the VIP configuration allows the FortiGate to respond to ARP requests for the public IP, thereby allowing traffic to reach the FortiGate, which will then forward it to the web server based on the VIP mapping.

Based on the application sensor configuration and the filter details:

D. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration:The "Excessive-Bandwidth" filter is set to block, which includes "FaceTime" under its application signature. As a result, FaceTime will be blocked regardless of the "Apple" filter configuration because the "Excessive-Bandwidth" filter takes precedence due to its block action setting.

The other options are not correct:

A. Apple FaceTime will be allowed, based on the Video/Audio category configuration:The Video/Audio category is not relevant because FaceTime is specifically included in the Excessive-Bandwidth filter, which blocks it.

B. Apple FaceTime will be allowed, based on the Apple filter configuration:Although the Apple filter is set to monitor, the block action of the Excessive-Bandwidth filter will override this.

C. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow:The allow setting for the Apple filter is irrelevant in this context, as the block action in the Excessive-Bandwidth filter will prevail.

References

FortiOS 7.4.1 Administration Guide -Application Control and Filtering, page 978.

FortiOS 7.4.1 Administration Guide -Application Sensor Configuration, page 982.

For configuring an IPsec VPN tunnel for a sales employee traveling abroad, the "Remote Access" template is the most appropriate choice. This template is designed to allow remote users to securely connect to the internal network of an organization from any location using FortiClient or a compatible client. The other options, such as "Site to Site," "Dial up User," and "iHub-and-Spoke," are used for connecting different networks or sites, not individual remote users.

References:

FortiOS 7.4.1 Administration Guide: IPsec Wizard Template Types

Both interfaces must have directly connected routes on the routing table

In NAT mode, each interface must have a corresponding entry in the routing table, typically as a directly connected route, to route traffic between them effectively.

Both interfaces must have IP addresses assigned

In NAT mode, each interface must have an IP address to participate in routing and NAT operations. The IP addresses allow the FortiGate to forward traffic between different network segments.

A session for denied traffic is created.

The command set ses-denied-traffic enable ensures that sessions for denied traffic are logged, meaning a session will be created for traffic that is denied by security policies.

The number of logs generated by denied traffic is reduced.

The set block-session-timer 30 command sets a timer to prevent excessive logging of denied traffic within a short period, which helps reduce the number of logs generated by repeated denied traffic sessions. This timer blocks sessions for a specified period (30 seconds in this case) to avoid overwhelming the log system with repetitive entries.

The debug flow is for ICMP traffic.

The output shows "proto=1," which indicates that the protocol is ICMP (Internet Control Message Protocol).

A new traffic session was created.

The message "allocate a new session-00003dd5" confirms that a new session was created for this traffic.

In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client.

Flow-based inspection allows real-time scanning of files as they are being transmitted, with minimal impact on performance.

In proxy-based inspection mode antivirus scanning buffers the whole file for scanning, before sending it to the client.

Proxy-based inspection mode holds the file completely, scans it for threats, and only sends the file to the client if no threats are detected.

When FortiGate is configured in NGFW profile-based mode, it primarily uses flow-based inspection for application profiles. Flow-based inspection provides faster processing and lower latency by inspecting traffic in real-time without buffering, making it suitable for scenarios where performance is a priority.

References:

FortiOS 7.4.1 Administration Guide: Inspection Modes

To disable RPF (Reverse Path Forwarding) checking on a FortiGate interface, you need to disable the src-check option in the interface settings. This action disables the RPF check, allowing traffic to bypass the verification that it is arriving on the correct interface based on the routing table.