Introduction and Initial Configuration Flashcards

1
Q

Why would anyone use a virtual Fortigate?

A

In large-scale networks that change rapidly and may have many tenants, equivalent processing power and distribution may be achievable using larger amounts of cheaper, general purpose hardware.

2
Q

Why do virtual Fortigates have the same features as physical Fortigates, except for hardware acceleration?

A

First, the hardware abstraction layer software for hypervisors is made by other vendors, not Fortinet. Second, the purpose of generic virtual CPUs is to abstract the hardware details of hypervisors. That way, all VM guest OSs can run on a common platform, no matter the different hardware. Unlike vCPUs or vGPUs that use generic, non-optimal RAM and vCPUs for abstraction, SPU chips are optimized circuits. Therefore, a virtualized ASIC chip would not yield the same performance benefits as a physical SPU chip.

3
Q

Fortigate VMX and Fortigate Connector for Cisco ACI are what?

A

They are specialized versions of FortiOS and an API that allows you to orchestrate rapid network changes through standards, such as OpenStack for software-defined networking (SDN).

4
Q

Fortigate VM is deployed as what?

A

A guest VM on the hypervisor.

5
Q

Fortigate VMX is deployed where?

A

Inside a hypervisor’s virtual networks, between guest VMs.

6
Q

What is Fortigate Connector for Cisco ACI?

A

It allows ACI to deploy physical or virtual Fortigate VMs for north-south traffic.

7
Q

What are Fortigate VMs’ specifications?

A

Licenses: Max 1/2/3/4/8 vCPU

Hypervisor: VMware, Hyper-V, KVM, Citrix Xen Server, Open Source Xen, Azure, Amazon AWS BYOL & on-demand

Memory: Max 1/2/4/8/12 GB

NICs: 2-4 virtual

Storage capacity: 40GB+

8
Q

What are SPUs?

A

Security processing units, which are used for hardware acceleration. They include NPx and CPx processors.

9
Q

What is NTurbo?

A

NTurbo offloads firewall sessions that include flow-based security profiles to NP6 or NP7 network processors. Without NTurbo, all firewall sessions that include flow-based security profiles are processed by the Fortigate CPU.

10
Q

What are CPs?

A

Content Processors. These processors accelerate a wide range of important security processes such as virus scanning, attack detection, encryption and decryption. Most Fortigates include these.

11
Q

What are SPs?

A

Security processors. They function the same as CPs, but instead accelerate processing of IPS.

12
Q

What are NPs?

A

Network processors. They offload processing of high volume network traffic.

13
Q

What more information can you provide about Fortinet’s CPs?

A

CP9 is not bound to an internet, thus works outside the direct flow of traffic. It provides high-speed cryptography and content inspection services.

This allows administrators to deploy advanced security on-demand without impacting network functionality.

14
Q

What is NAT Mode?

A

Packets are routed based on layer 3. Each logical network interface has an IP address and Fortigate determines the outgoing or egress interface based on the destination IP and entries in routing tables.

15
Q

What is transparent mode?

A

Packets are forwarded at Layer 2, like a switch. The device in transparent mode has an IP address used for management traffic.

16
Q

What are VDOMs?

A

These are virtual domains, which divide a Fortigate device into two or more virtual devices that function as independent firewalls. Each VDOM can be configured for NAT or transparent mode.

17
Q

What is Fortiguard?

A

FortiGuard Subscription Services provide Fortigates with up-to-date threat intelligence. Fortigates use Fortiguard by periodically requesting packages that contain a new engine and signatures, as well as querying the FDN on an individual URL or hostname.

18
Q

What is FDN?

A

Fortiguard Distribution Network. It uses real-time queries, meaning Fortigate asks the FDN every time it scans for spam or filtered websites. Queries can use UDP or HTTPS for transport, which are for speed, not fault tolerance. Thus, queries require a reliable Internet connection.

19
Q

How do Fortigates validate the Fortiguard server certificate efficiently?

A

The Fortiguard server uses the Online Certificate Status Protocol (OCSP) stapling technique. The Gate will only complete the TLS handshake with a Guard server that provides a good OCSP status for its certificate. Otherwise, the SSL connection will fail.

This occurs every 4 hours.

20
Q

What are basic CLI commands of Fortigates?

A

get system status : current status of Fortigate

show full-configuration system interface : shows all attribute values of the interface

show system interface : shows non-default attribute values for the interface

21
Q

What are Fortigate management protocols?

A

HTTPS, HTTP, PING, SSH. Telnet is not a visible option on the GUI.

22
Q

What types of management protocols should be disabled?

A

HTTP and Telnet. Both are insecure protocols that do not support transport encryption.

23
Q

What is CAPWAP?

A

CAPWAP is a Security Fabric connection used for FortiAP, FortiSwitch, and FortiExtender when they are managed by the Gate.

24
Q

What is FortiTelemetry?

A

It is not a protocol for admin access, but a protocol used when packets have FortiGate as a destination IP. It is used specifically for managing FortiClients and the Security Fabric.

25
Q

What is the One-Arm Sniffer interface type?

A

This interface is not assigned an address. It will run in promiscuous mode and receive a copy of the traffic from a mirrored port on a switch. It cannot make changes as the original packet is already processed by the switch.

26
Q

What is link aggregation and why is it useful?

A

This logically binds multiple physical interfaces into a single channel. It increases bandwidth and provides redundancy between two network devices.

27
Q

How do you enable DHCP on a Fortigate?

A

Select an interface (internal interface), select the Manual option, enter a static IP, and then enable the DHCP option.

28
Q

What types of DNS can you configure on a Fortigate?

A

Forwarding: Fortigate will forward requests to a specified DNS server

Non-recursive: Fortigate uses its own database to resolve DNS requests.

Recursive: Fortigate queries its own database before forwarding unresolved requests to the external DNS servers.

29
Q

How do you get the firmware version on a Fortigate from CLI?

A

get system status

30
Q

How do you get a full start-up config backup from a Fortigate’s CLI?

A

full config backup

31
Q

When restoring an encrypted system configuration file, in addition to needing the Fortigate model and firmware version from the time the configuration file was produced, what must you also provide?

A

The password to decrypt the file