Security Profiles Flashcards
(39 cards)
FortiGuard DNS lookups:
service.fortiguard.net: UDP and worldwide servers
securewf.fortiguard.net: HTTPS and worldwide servers
usservice.fortiguard.net: UDP and USA-based-only servers
ussecurewf.fortiguard.net: HTTPS and USA-based-only servers
How long does FGT wait for response from FortiGuard server before moving on to next one in the list?
2 Seconds
OCSP Stapling Check
Online Certificate Status Protocol - stapling involves the server appending a time-stamped OCSP response for its own certificate to the TLS handshake, so the client does not have to query the CA's OCSP responder separately.
This process lets FGT efficiently validate the certificate of the FortiGuard Distribution Server (FDS) before trusting it.
Pull Method Steps
- FGT contacts DNS server to resolve the name: update.fortiguard.net
- FGT gets a list of server IP addresses that it can contact
- FGT periodically connects to one of the servers to check for pending updates
- If there is an update, FGT downloads it.
Persistent Connection Method Steps
Same first two steps as pull method
- FGT contacts DNS server to resolve the name: update.fortiguard.net
- FGT gets a list of server IP addresses that it can contact
- FGT forms persistent secure connection to FortiGuard
- FortiGuard notifies that there is a new update
- FGT forms a separate secure connection to download update.
Command to list servers for web filtering and antispam queries
diagnose debug rating
The server list columns -
RTT - Round trip delay to the server
TZ - Server Time Zone
Curr Lost - Consecutive requests sent with no reply
Total Lost - Historical requests sent with no reply, resets upon device reboot
FortiGuard Weight Calculation
FGT uses this to determine which server to send rating requests to:
FGT initially sets the weight to the delta between the server time zone and the FGT system time zone, multiplied by 10. (To lower the chance of using a remote server, the weight is never allowed to drop below this initial weight.)
Weight increases with each packet lost
Weight decreases over time if no packets are lost
FGT uses the server with the lowest weight for rating queries. If two or more servers have the same weight, FGT uses the one with the lowest RTT.
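The selection rule on this card, worked through as an added example (not FortiOS code). The card does not state how much the weight rises per lost packet or how fast it decays, so LOSS_PENALTY and RECOVERY_STEP are assumed values; the server IPs, time zones and RTTs are constructed for the demo. What the example shows beyond the text: the floor at the initial weight means a remote server never becomes "cheaper" than a local one just because it has been loss-free for a long time, and the RTT tie-break only matters when weights are equal.

```python
from dataclasses import dataclass

LOSS_PENALTY = 10    # assumed: weight added per request with no reply
RECOVERY_STEP = 1    # assumed: weight removed per loss-free reply


@dataclass
class RatingServer:
    ip: str
    tz: int              # server time zone as a UTC offset in hours (TZ column)
    rtt_ms: int          # round trip delay (RTT column)
    weight: int = 0
    initial_weight: int = 0
    curr_lost: int = 0   # consecutive requests with no reply
    total_lost: int = 0  # historical requests with no reply (resets on reboot)


def initial_weight(server_tz: int, fgt_tz: int) -> int:
    """Initial weight is 10x the time-zone delta, so nearby servers start lower."""
    return abs(server_tz - fgt_tz) * 10


def build_server_list(servers, fgt_tz: int):
    for s in servers:
        s.initial_weight = s.weight = initial_weight(s.tz, fgt_tz)
    return servers


def record_loss(s: RatingServer) -> None:
    s.curr_lost += 1
    s.total_lost += 1
    s.weight += LOSS_PENALTY


def record_reply(s: RatingServer) -> None:
    s.curr_lost = 0  # "Curr Lost" only counts consecutive misses
    # Weight recovers over time but is not allowed below the initial weight.
    s.weight = max(s.initial_weight, s.weight - RECOVERY_STEP)


def choose_server(servers) -> RatingServer:
    """Lowest weight wins; equal weights are broken by lowest RTT."""
    return min(servers, key=lambda s: (s.weight, s.rtt_ms))


def simulate():
    """Constructed scenario: a FortiGate in UTC-5 with two local and one remote server."""
    servers = build_server_list(
        [
            RatingServer(ip="203.0.113.10", tz=-5, rtt_ms=40),
            RatingServer(ip="203.0.113.20", tz=-5, rtt_ms=25),
            RatingServer(ip="203.0.113.30", tz=1, rtt_ms=15),   # remote, starts at 60
        ],
        fgt_tz=-5,
    )
    chosen = [choose_server(servers).ip]          # both locals at 0, faster RTT wins
    b = servers[1]
    for _ in range(5):
        record_loss(b)                            # 5 misses -> weight 50
    chosen.append(choose_server(servers).ip)      # other local server takes over
    for _ in range(100):
        record_reply(b)                           # decays back, floored at 0
    chosen.append(choose_server(servers).ip)      # original server is preferred again
    return chosen, {s.ip: s.weight for s in servers}


if __name__ == "__main__":
    order, weights = simulate()
    print("servers used in turn:", order)
    print("final weights:", weights)
```

Note that the remote server at weight 60 is never selected in this run even though it has the lowest RTT; that is exactly the behaviour the floor is meant to produce.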
Ports for FortiGuard traffic (Webfiltering/Antispam)
53 or 8888
Some ISPs block traffic based on source port; the source port range FGT uses can be changed with:
config sys global
set ip-src-port-range 1031-4999
end
FortiGuard Flags
I - Initial: Server contacted for requesting contract information and updates
D - Default: IP addresses of servers received from DNS resolution
S - Serving: IP addresses of servers received from FortiManager
T - Timing: Actively timing this connection. Server remains in this state for 15 seconds (default) before being considered as failed
F - Failed: Server connection has failed. FGT pings every 15 minutes to check if server is active
T or F: When connecting through a web proxy, FGT can access FortiGuard without DNS resolution
TRUE
Ports for AV and IPS
TCP 443
Updates can also be configured to go through a web proxy (tunneling):
config system autoupdate tunneling
set address (proxy address)
set password (password)
set port (proxy port)
set status (enable|disable)
set username (name)
end
command to show summary of FortiGuard config on FGT
diagnose autoupdate status
Difference between Automatic and manual updates (AV and IPS)
Automatic (scheduled) updates download only the portions of the database that changed since the last update.
Manual updates download the whole database if a new version is available. (This can be useful if the local database is corrupted.)
Command to list FortiGuard database and engines installed
diagnose autoupdate versions
Real-Time Debug command for AV and IPS
diagnose debug application update -1
diagnose debug enable
to force a manual update:
execute update-now
Life of a Packet: Ingress Stage
The packet arrives at the FGT
Bandwidth limit check
DoS check
Reverse path forwarding (RPF) check
IP header integrity check
Does the traffic terminate at the FGT?
If yes, it is inbound VPN, web proxy, DNS, or admin access traffic and is handed to the matching daemon.
If no, move on to the second stage.
Life of a Packet: Routing and Firewall Policy Stage
From Ingress:
Destination NAT
Route to destination? (No = dropped)
Allowed by firewall policy? (No = dropped)
Requires authentication? (if auth fails = dropped)
If no auth is needed or auth succeeds, the session helper for the traffic (if any) is identified
Life of a Packet: Protection Profile Inspection Stage
From routing and firewall policy stage
Is SSL inspection required? If yes, then handle SSL.
Once SSL handling is done (or if it was not needed), the profiles are applied in this order:
IPS , Application Control , VoIP , DLP , Antispam , Web Filtering , AV
Life of a Packet: Egress
From protection profile stage
Traffic Shaping
Source NAT
Outbound IPsec?
If yes, encryption. Skip if not.
Egress
Web filter Real Time Debug Command
diagnose debug urlfilter src-addr (source_IP)
diagnose debug application urlfilter -1
diagnose debug enable
FortiGuard Web Filter Cache Dump command
diagnose webfilter fortiguard cache dump
Displays the FortiGuard category IDs in hexadecimal.
The get webfilter categories command shows the same category numbers in decimal.
Command to check global settings for FortiGuard
get system fortiguard
SSL Certificate Inspection Summary
Does not decrypt the traffic; it only inspects the server certificate and the SNI field, both of which are exchanged in clear text before encryption begins.
FGT first tries to extract the FQDN from the SNI (a TLS ClientHello extension); if no SNI is present it falls back to the common name (CN) of the server certificate.
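An added example (not FortiOS code) of the check described on this card: parsing the SNI out of a raw TLS ClientHello, with the certificate CN as fallback when the client sent no SNI. The ClientHello builder constructs a minimal TLS 1.2 record purely as test input; the host names and the cert_cn value are constructed, and FortiGate's actual parser is not shown here. The point a practitioner should take from it is that SNI is a plain-text extension inside the first unencrypted handshake message, which is why certificate inspection can see it without any decryption, and that a client can legitimately omit it (e.g. when connecting by IP address).

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello record."""
    ext_block = b""
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext_block += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # An unrelated extension so the parser has to skip types it does not care about.
    ext_block += struct.pack("!HH", 0x0017, 0)             # extended_master_secret, empty
    body = (b"\x03\x03" + bytes(32)                         # client_version, random
            + b"\x00"                                       # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"            # one cipher suite
            + b"\x01\x00"                                   # null compression
            + struct.pack("!H", len(ext_block)) + ext_block)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    try:
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        i = 2 + 32                                          # skip version and random
        sid_len = p[i]; i += 1 + sid_len                    # session id
        cs_len = struct.unpack("!H", p[i:i + 2])[0]; i += 2 + cs_len   # cipher suites
        comp_len = p[i]; i += 1 + comp_len                  # compression methods
        if i >= len(p):
            return None                                     # no extensions at all
        ext_total = struct.unpack("!H", p[i:i + 2])[0]; i += 2
        end = i + ext_total
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4]); i += 4
            edata = p[i:i + elen]; i += elen
            if etype != EXT_SERVER_NAME:
                continue
            j = 2                                           # skip server_name_list length
            while j + 3 <= len(edata):
                ntype = edata[j]
                nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
                j += 3
                name = edata[j:j + nlen]; j += nlen
                if ntype == 0:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return None


def server_fqdn(record: bytes, cert_cn: str) -> str:
    """Mirror the card: prefer SNI, fall back to the certificate CN (cert_cn is supplied
    by the caller here; a real inspector would take it from the ServerHello certificate)."""
    sni = extract_sni(record)
    return sni if sni is not None else cert_cn


if __name__ == "__main__":
    print(server_fqdn(build_client_hello("www.example.com"), cert_cn="example.net"))
    print(server_fqdn(build_client_hello(None), cert_cn="example.net"))
```

A practical caveat this illustrates: because SNI is client-supplied and unauthenticated, an inspector that trusts it alone can be steered by a client that sends one name in SNI and then talks to a different host; the certificate the server actually presents is the value to cross-check it against.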
Full SSL Inspection Summary
Decrypts and re-encrypts the SSL traffic.
FGT acts as a man-in-the-middle: it terminates the client's TLS session with a certificate it generates and signs with its own CA private key, then opens a separate TLS session to the real server so it can inspect the plaintext in between.
The certificate that FGT presents to the client must be issued to the destination domain name, and clients must trust the FGT CA certificate or they will see certificate warnings.