100% found this document useful (1 vote)

851 views528 pages

NSE7 - Enterprise Firewall FortiOS 7.0 - Study Guide

Uploaded by

hedilon740

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (1 vote)

851 views528 pages

NSE7 - Enterprise Firewall FortiOS 7.0 - Study Guide

Uploaded by

hedilon740

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 528

DO NOT REPRINT

Enterprise Firewall
Study Guide
for FortiOS 7.0
DO NOT REPRINT
© FORTINET
Fortinet Training

https://training.fortinet.com

Fortinet Document Library

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://training.fortinet.com/local/staticpage/view.php?page=certifications

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Feedback

Email: askcourseware@fortinet.com

10/20/2021
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

01 Security Fabric 4
02 FortiOS Architecture 31
03 Traffic and Session Monitoring 85
04 Routing 126
05 FortiGuard 166
06 High Availability 200
07 Central Management 236
08 OSPF 264
09 Border Gateway Protocol 309
10 Web Filtering 348
11 Intrusion Prevention System 371
12 IPsec 411
13 Auto-Discovery VPN 455
Solution Slides 489
Security Fabric
DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the Fortinet Enterprise Firewall solution and the Fortinet Security Fabric.

Enterprise Firewall 7.0 Study Guide 4

Security Fabric
DO NOT REPRINT
© FORTINET

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of the Fortinet Security Fabric, you will be able to describe the
Fortinet Enterprise Firewall solution. You will also be able to configure the Fortinet Security Fabric, perform a
security rating audit of your Security Fabric, and configure automation.

Enterprise Firewall 7.0 Study Guide 5

Security Fabric
DO NOT REPRINT
© FORTINET

In this section, you will learn about the Fortinet Enterprise Firewall solution at a high level.

Enterprise Firewall 7.0 Study Guide 6

Security Fabric
DO NOT REPRINT
© FORTINET

The traditional way of protecting a network by securing the perimeter has become a thing of the past. Network
and security administrators today must protect against a wide range of threats such as zero-day attacks, APTs,
polymorphic malware, and many more. They must also protect the network from any potential insider threats.
BYOD, mobile users, a remote workforce, and evolving cloud technologies are creating borderless networks,
which is further compounding the challenge of securing such complex networks.

Malware can easily bypass any entry-point firewall, and get inside the network. This could happen through an
infected USB stick, or an employee’s compromised personal device being connected to the corporate network.
Additionally, network administrators can no longer take for granted that everything and everyone inside the
network can be trusted. Attacks can now come from inside the network. To secure such a vast network, you must
apply the zero-trust model. The attack can come from anywhere, using any method, and affect anything.

Enterprise Firewall 7.0 Study Guide 7

Security Fabric
DO NOT REPRINT
© FORTINET

The Fortinet Enterprise Firewall solution answers those challenges. It offers effective and fast end-to-end security
with a consolidated operating system: FortiOS. The core of the solution is the Security Fabric, which enables the
communication of all the security devices in an enterprise network. The Fortinet Enterprise Firewall solution offers
guidelines about where to install your network security devices and what roles they’ll have in each part of the
enterprise network. You can deliver single-pane-of-glass management and reporting for all of the deployments
across the enterprise using a FortiManager and FortiAnalyzer, respectively.

Enterprise Firewall 7.0 Study Guide 8

Security Fabric
DO NOT REPRINT
© FORTINET

In the Enterprise Firewall solution, each FortiGate device has a specific role, depending on where it is installed
and what assets it is protecting. In this lesson you will learn about the Distributed Enterprise Firewall (DEFW),
Next Generation Firewall (NGFW), Data Center Firewall (DCFW), and Internal Segmentation Firewall (ISFW).

• DEFWs are usually smaller devices installed in branch offices and remote sites. Distributed enterprises
usually don’t follow a standardized enterprise network design, and therefore multiple layers are collapsed into
one or two layers. They are connected to the corporate headquarters using a VPN. DEFWs are all-in-one
security devices, doing firewall, application control, IPS, web filtering, and antivirus inspection.
• NGFWs are usually deployed for firewall, application visibility, intrusion prevention, malware detection, and
VPNs. NGFWs can play the traditional role of the entry-point firewall or, depending on the network
infrastructure, can be deployed in the core.
• DCFWs protect corporate services. They focus on inspecting incoming traffic and are usually installed at the
distribution layer. Because of the high performance requirements, in most cases the security functions are
kept to a minimum: firewall, application control, and IPS.
• ISFWs split your network into multiple security segments. They serve as breach containers for attacks that
come from inside. Firewall, application control, web filtering, and IPS are the features that are commonly
enabled in these firewalls.

Enterprise Firewall 7.0 Study Guide 9

Security Fabric
DO NOT REPRINT
© FORTINET

In this section, you will learn about the Fortinet Security Fabric.

Enterprise Firewall 7.0 Study Guide 10

Security Fabric
DO NOT REPRINT
© FORTINET

Two or more FortiGate devices and FortiAnalyzer are the mandatory products at the core of the solution. To add
more visibility and control, Fortinet recommends adding FortiManager, FortiAP, FortiClient, FortiSandbox,
FortiMail, and FortiSwitch. You can extend the solution by adding other network security devices.

Enterprise Firewall 7.0 Study Guide 11

Security Fabric
DO NOT REPRINT
© FORTINET

Fortinet recommends using FortiManager for centralized management of all FortiGate devices, and access
devices in the Security Fabric. You can integrate FortiSwitch devices, and FortiAP devices to extend the Security
Fabric down to the access layer.

You can also extend the Security Fabric by integrating FortiMail, FortiWeb, FortiSandbox, and FortiClient EMS.

The Security Fabric is open. The API and protocol itself is available for other vendors to join and for partner
integration. This allows for communication between Fortinet and third-party devices.

Enterprise Firewall 7.0 Study Guide 12

Security Fabric
DO NOT REPRINT
© FORTINET

Fabric connectors allow you to integrate multi-cloud support, such as ACI and AWS, to name a few.

In an application-centric infrastructure (ACI), the SDN connector serves as a gateway bridging SDN controllers
and FortiGate devices. The SDN connector registers itself to APIC in the Cisco ACI fabric, polls interested
objects, and translates them into address objects. The translated address objects and associated endpoints
populate on FortiGate.

FortiGate VM supports cloud-init and bootstrapping in various cloud providers, such as Microsoft Azure and
Google Cloud Platform (GCP).

Enterprise Firewall 7.0 Study Guide 13

Security Fabric
DO NOT REPRINT
© FORTINET

The Security Fabric follows a tree model. You must configure the root FortiGate first. This includes FortiAnalyzer
registration and, if any, FortiManager registration. The branch FortiGate devices connect to upstream FortiGate
devices to form the Security Fabric tree. The root FortiGate is typically the NGFW device at the edge of the
enterprise network that provides connectivity to service providers, but this is not a requirement for deployment.

All FortiGate devices in the Security Fabric must have bidirectional FortiTelemetry connectivity. FortiTelemetry
uses TCP port 8013. FortiGate uses the FortiTelemetry protocol to communicate with other FortiGate devices
and distribute information about the network topology. FortiGate also uses FortiTelemetry to integrate with
FortiClient.

The root FortiGate collects the network topology information and forwards it to FortiAnalyzer using the
FortiAnalyzer API. FortiAnalyzer combines that information with the logs received from all FortiGate devices to
generate different topology views, as well as indicators of compromise (IoC), in cases when endpoints get
compromised. FortiAnalyzer sends the topology views and the IoC events to the root FortiGate. You can
configure FortiGate to take automatic actions any time it receives an IoC from FortiAnalyzer.

Enterprise Firewall 7.0 Study Guide 14

Security Fabric
DO NOT REPRINT
© FORTINET

If a FortiGate is not the Security Fabric root, you can see which upstream or downstream FortiGate it is
connected to, using the commands shown on this slide.

Enterprise Firewall 7.0 Study Guide 15

Security Fabric
DO NOT REPRINT
© FORTINET

By default, in a Security Fabric, all FortiGate devices send logs to a single FortiAnalyzer. FortiAnalyzer is
configured on the root FortiGate, which is pushed to all downstream FortiGate devices as they join the Security
Fabric. In a similar way, the FortiManager and FortiSandbox configuration is also pushed from the root to all other
FortiGate devices. So, all Security Fabric members are managed by the same FortiManager. You can disable this
configuration synchronization using the setting configuration-sync under config system csf.

All FortiGate devices in the Security Fabric maintain their own Security Fabric map. Security Fabric maps include
the MAC address and IP address of all connected FortiGate devices and their interfaces.

Enterprise Firewall 7.0 Study Guide 16

Security Fabric
DO NOT REPRINT
© FORTINET

By default, in a Security Fabric, the root FortiGate pushes global CMDB firewall address objects, address groups,
service objects, service groups, schedule objects and schedule groups to all downstream FortiGate Security
Fabric members. This synchronization simplifies policy configuration within the Security Fabric by eliminating the
need to create the same objects many times on various FortiGate devices. You can disable this configuration
synchronization using the setting fabric-object-unification under config system csf. In the
example topology shown on this slide, there are three FortiGate devices forming a Security Fabric. The root
(FGTA-1) sends its global CMDB objects to FGTB-1, which has fabric-object-unification set to local,
so FGTB-1 will not import objects sent by the root . However, FGTB-1 will still forward these messages
downstream to FGTC, which has fabric-object-unification set to default, so FGTC will receive and
synchronize the objects sent from the root FortiGate (FGTA-1).

On the root FortiGate, you can configure individual objects and groups to be locally scoped, the default setting, or
global CMDB objects. You can set this option either on the GUI for the object, or on the CLI using the set
fabric-object enable configuration option. Setting objects or groups to enable will make them global
CMDB objects to be distributed to downstream Security Fabric members.

Enterprise Firewall 7.0 Study Guide 17

Security Fabric
DO NOT REPRINT
© FORTINET

A session’s traffic logging is always done by the first FortiGate that handled it in the Security Fabric. FortiGate
devices in the Security Fabric know the MAC addresses of their upstream and downstream peers. If FortiGate
receives a packet from a MAC address that belongs to another FortiGate in the Security Fabric, it does not
generate a new traffic log for that session. This helps to eliminate the repeated logging of a session by multiple
FortiGate devices. One exception to the behavior is that if upstream FortiGate performs NAT, then another log is
generated. The additional log is needed to record NAT details such as translated ports and/or addresses.

Upstream devices complete UTM logging, if configured, and FortiAnalyzer performs UTM and traffic log
correlation for the Security Fabric, in order to provide a concise and accurate record of any UTM events that may
occur. No additional configuration is required for this to take place because FortiAnalyzer performs this function
automatically.

Note that each FortiGate in the Security Fabric logs traffic to FortiAnalyzer independent of the root or other leaf
devices. If the root FortiGate is down, logging from leaf FortiGate devices to FortiAnalyzer continues to function.

Enterprise Firewall 7.0 Study Guide 18

Security Fabric
DO NOT REPRINT
© FORTINET

This slide shows how logging functions in the Security Fabric to give full visibility while eliminating duplicate logs
throughout the environment. There are three Fortigate devices configured in a Security Fabric along with a
FortiAnalyzer device.
• ISFW is installed in the access layer providing device detection, breach isolation and basic DoS protection
from the attached end-user LANs.
• NGFW is installed between the corporate network and their internet service provider where it performs SNAT
on outbound communications for RFC-1918 hosts, as well as web filtering for HTTP/HTTPS sessions.
• DCFW is the installed in the data center where it runs IPS for all inbound communications to the servers
behind it.

All traffic from Client-1 is received by ISFW and it creates traffic logs for the initial session.

The web session is forwarded to NGFW, which doesn’t duplicate the initial traffic log but does generate a traffic
log as a result of SNAT being applied to the session. Additionally, NGFW applies a web filtering policy to this
session and generates the relevant UTM logs, if appropriate.

The SMB session is forwarded to NGFW, which does not duplicate the initial traffic log. NGFW doesn’t need to
perform NAT or apply web filtering, so it forwards the traffic to DCFW. DCFW also does not generate a duplicate
traffic log, but it performs IPS inspection based on its configuration and, should a signature match be triggered
that results in an action generating a log, logs the event.

FortiAnalzyer receives the various traffic and UTM logs, and correlates them automatically so that they are linked
for proper viewing, reporting, and automation actions.

Enterprise Firewall 7.0 Study Guide 19

Security Fabric
DO NOT REPRINT
© FORTINET

You can view the Security Fabric topology on the root FortiGate GUI. There are two options: Physical Topology
view and Logical Topology view.

The Physical Topology view displays the physical structure of your network, by showing the devices in the
Security Fabric and the connections between them. The Logical Topology view displays the logical structure of
your network, by showing information about logical and physical network interfaces in the Security Fabric and the
interfaces that connect devices in the Security Fabric.

The topology views are interactive. You can authorize, and deauthorize access devices, such as FortiSwitch and
FortiAP. You can ban or unban compromised clients. You can also perform some device management tasks
directly in the topology view, such as device upgrades, or connect to a specific device CLI.

Only Fortinet devices are shown in the topology views.

Enterprise Firewall 7.0 Study Guide 20

Security Fabric
DO NOT REPRINT
© FORTINET

Security rating is a subscription service that requires a security rating license. This service now provides the
ability to perform many best practices, including password checks, to audit and strengthen your network security.
The Security Rating page is separated into three major scorecards:
• Security Posture
• Fabric Coverage
• Optimization
These scorecards provide an executive summary of the three largest areas of security focus in the Security
Fabric.

The scorecards show an overall letter grade and breakdown of the performance in subcategories. Clicking a
scorecard drills down to a detailed report of itemized results and compliance recommendations.
The point score represents the net score for all passed and failed items in that area. The report includes the
security controls that were tested against, linking to specific FSBP or PCI compliance policies. You can click the
FSBP and PCI buttons to reference the corresponding standard.

Enterprise Firewall 7.0 Study Guide 21

Security Fabric
DO NOT REPRINT
© FORTINET

On the Security Rating page, click the Security Posture scorecard to expand it and see more details.

The security posture service now supports the following:

• Customer ranking based on the security audit information. FortiGuard data is used to provide customer
ratings. A customer rating is presented as a percentile. The rating is based on results sent to FortiGuard and
statistics received from FortiGuard.
• Security audits running in the background, not just on demand, when an administrator is logged into the GUI.
When you view the security audit page, the latest saved security audit data is loaded. From the GUI, you can
run audits on demand and view results for different devices in the Security Fabric. You can also view all
results or just-failed test results.
• New security checks that can help you make improvements to your organization’s network. These checks
include enforcing password security, applying recommended login attempt thresholds, encouraging two-factor
authentication, and more.

Enterprise Firewall 7.0 Study Guide 22

Security Fabric
DO NOT REPRINT
© FORTINET

Administrator-defined automated work flows (called stitches) use if/then logic to cause FortiOS to automatically
respond to an event in a preprogrammed way. Because this workflow is part of the Security Fabric, you can set
up stitches for any device in the Security Fabric. However, a Security Fabric is not a requirement to use stitches.
If you configure stitches in a Security Fabric, you must configure them on the root FortiGate. You configure
stitches to run on all FortiGate devices in the Security Fabric or a subset of FortiGate devices. Stitches
configured on the root FortiGate are pushed to the relevant leaf FortiGate devices. The root FortiGate does not
need to be operational for previously configured stitches to function on leaf FortiGate devices.

Each automation stitch pairs an event trigger and one or more actions, which allows you to monitor your network
and take appropriate action when the Security Fabric detects a threat or other actionable event. You can use
automation stitches to detect events from many sources. Some examples include high CPU, conserve mode, HA
failover, reboot, FortiOS event logs with customizable filters, IoCs, and event handlers from FortiAnalyzer.

You can configure the Minimum interval (seconds) setting to make sure you don’t receive repeat notifications
about the same event.

Enterprise Firewall 7.0 Study Guide 23

Security Fabric
DO NOT REPRINT
© FORTINET

Automation stitches require you to either select a preconfigured or custom automation trigger to define the event
that instructs FortiOS to take one or more actions. In the example shown on this slide, two custom automation
triggers are being created. One custom trigger, High_CPU_Trigger, identifies when the FortiGate exceeds the
CPU utilization threshold configured with the set cpu-usage-threshold CLI command—which, by default, is
90%. The other custom trigger, Admin_Login_Failure, identifies when a user attempts to log in to FortiGate
using the default administrator account with an invalid password.

Enterprise Firewall 7.0 Study Guide 24

Security Fabric
DO NOT REPRINT
© FORTINET

Automation stitches also require you to specify either preconfigured or custom automation action(s) that define
what FortiOS should do based on the defined automation trigger occurring. In the example shown on this slide,
two custom automation actions are being created. One custom automation action, Collect_Diagnostics_Action,
tells FortiOS to run a custom CLI script consisting of various diagnostic commands that help to identify the cause
of performance issues on FortiGate. The second automation action, Email_Diagnostics_Action, sends an
email message to staff to notify them that a FortiGate device has experienced a period of high CPU utilization,
and to provide the output of the Collect_Diagnostics_Action in the email body so they have the relevant details
needed for troubleshooting.

Enterprise Firewall 7.0 Study Guide 25

Security Fabric
DO NOT REPRINT
© FORTINET

After you define the automation trigger and actions, you can create the stitch on FortiGate. You must specify a
single trigger, then you can add one or more actions to the stitch. The FortiGate GUI displays this as a visual
workflow, so you can see the order of operations. When adding multiple actions, you must decide whether the
actions should be executed sequentially or in parallel. Sequential execution allows you to configure a delay
between actions to allow for tasks to be completed before proceeding to the next action. This is important
because when using sequential execution, you can take action parameters from actions that have happened
previously and use them as input for the action currently being executed. In the example shown on this slide, the
automation stitch is going to execute actions sequentially. Once the High_CPU_Trigger occurs, the
Collect_Diagnostics_Action runs, followed by a 30-second delay before proceeding to the
Email_Diagnostics_Action. The Collect_Diagnostics_Action runs a series of CLI diagnostic commands so
the 30-second delay allows time for the commands to finish. Email_Diagnostics_Action uses the output of
these commands as a parameter, %%results%% , which forms the body of the email message to be sent.

Enterprise Firewall 7.0 Study Guide 26

Security Fabric
DO NOT REPRINT
© FORTINET

You can test your automation stitch using the command shown on this slide. When an automation stitch is
triggered, FortiGate creates an event log.

Enterprise Firewall 7.0 Study Guide 27

Security Fabric
DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the Fortinet Enterprise Firewall solution and
the Fortinet Security Fabric.

Enterprise Firewall 7.0 Study Guide 28

Security Fabric
DO NOT REPRINT
© FORTINET

Now, you will work on Lab 1–Security Fabric.

Enterprise Firewall 7.0 Study Guide 29

Security Fabric
DO NOT REPRINT
© FORTINET

In the first exercise, you will configure the Security Fabric on NGFW-1 and DCFW. The Security Fabric follows a
tree topology. NGFW-1 will be the root of the tree, and ISFW and DCFW will be branches.

Enterprise Firewall 7.0 Study Guide 30

FortiOS Architecture

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the architecture of FortiOS.

Enterprise Firewall 7.0 Study Guide 31

FortiOS Architecture

DO NOT REPRINT
© FORTINET

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiOS architecture, you will be able to identify how FortiOS processes packets
and uses memory. You will be able to also diagnose high resource utilization and conserve mode issues, and
optimize memory usage.

Enterprise Firewall 7.0 Study Guide 32

FortiOS Architecture

DO NOT REPRINT
© FORTINET

In this section, you will learn about the life of a packet.

Enterprise Firewall 7.0 Study Guide 33

FortiOS Architecture

DO NOT REPRINT
© FORTINET

PPP uses the firewall policy configuration to choose from a group of parallel options to identify the optimal path
for processing a packet. The path identified by PPP is made up of the various processes the packet must pass
through. Hardware, such as CP8, CP9, or network processors, can offload and accelerate many of these
processes. FortiGate hardware and software configuration affects the path that a packet takes. The next few
slides provide flowcharts displaying examples of packet processing in several scenarios. Note that these
examples do not cover all possible scenarios, nor do they show every step or process packets are subjected to
during inspection. The purpose of these slides is to provide common examples of packet flow on FortiGate.

Enterprise Firewall 7.0 Study Guide 34

FortiOS Architecture

DO NOT REPRINT
© FORTINET

This slide shows the steps that the first packets of a session go through as they enter, pass though, and exit
FortiGate. This scenario is for FortiGate with SPUs.

FortiGate performs some security inspections early in the life of the packet, such as ACL, Host Protection Engine,
and IP integrity header checking. FortiGate does this to make sure the packets are within acceptable parameters
before allowing the packet to move through the rest of the processes. These inspections are handled by the
network processor in order to minimize impact on the FortiGate CPU.

Each version of the network processor has criteria that defines which traffic can be offloaded. The network
processor enhances overall performance by allowing offloaded sessions to bypass the FortiGate CPU after the
session is established and the session key is installed in the network processor. The network processor can also
handle IPsec VPN encryption and decryption operations, where the configured encryption and hashing algorithms
are supported in hardware.

The content processor functions like a co-processor for the FortiGate CPU to improve overall system
performance by offloading certain tasks, such as pattern matching for flow-based UTM inspection with the IPS
engine, SSL/TLS decryption and encryption for deep SSL inspection, and IPsec encryption and decryption
operations for supported algorithms.

Enterprise Firewall 7.0 Study Guide 35

FortiOS Architecture

DO NOT REPRINT
© FORTINET

This slide shows how subsequent packets in an established session where UTM/NGFW inspection is not
configured are handled by FortiGate after being offloaded to a network processor. After the session key is
installed in the network processor, subsequent packets for the offloaded session skip routing and kernel
processors, bypassing the FortiGate CPU, and are forwarded out the egress interface by the network processor.
An important consideration is the impact offloading has on troubleshooting. While a session is offloaded to the
network processor, you are unable to view these accelerated packets through the diagnose sniffer packet
or diagnose debug flow CLI commands or the packet capture feature on the GUI.

Enterprise Firewall 7.0 Study Guide 36

FortiOS Architecture

DO NOT REPRINT
© FORTINET

This slide shows how subsequent packets in an established session with flow-based UTM/NGFW configured are
handled by FortiGate where NTurbo and IPSA are supported and enabled.

NTurbo is a feature that enables flow-based UTM/NGFW sessions to be accelerated by NP6 or NP7 network
processors to and from the IPS engine.

IPSA is a feature that allows basic or advanced pattern matching operations required for flow-based security
profile inspection to be offloaded to CP8 or CP9 content processors. When IPSA is enabled, flow-based pattern
matching databases are compiled and downloaded to the content processors from the IPS engine and IPS
database.

After the session key is installed in the network processor, subsequent packets for the accelerated session skip
routing and kernel processors but UTM/NGFW operations are still handled by the CPU with IPSA offloading
pattern matching to the CP8 or CP9 content processors.

Enterprise Firewall 7.0 Study Guide 37

FortiOS Architecture

DO NOT REPRINT
© FORTINET

This slide shows how subsequent packets in an established session with proxy-based UTM/NGFW configured
are handled by FortiGate.

The network processor does not offload sessions where proxy-based features are configured, so the FortiGate
CPU handles packet processing and inspection through a combination of the IPS engine and the FortiOS proxy.
The network processor still conducts some early security inspections before handing off the packets to the IPS
engine, and can still be leveraged for IPsec tunnel decryption and encryption.

The FortiGate CPU can leverage the content processors to handle SSL/TLS encryption and decryption—if SSL
deep inspection is configured. Note that the packet flow is modified when SSL deep inspection is configured.

If the IPS engine determines that the session needs to be decrypted:

• The IPS engine sends the packet to the proxy for decryption
• The proxy decrypts the SSL/TLS packet by offloading the operation to the content processor
• The proxy sends the decrypted packet back to the IPS engine for IPS and application control inspection
• The IPS engine sends the decrypted packet back to the proxy for the configured proxy-based inspection
• The proxy encrypts the SSL/TLS packet by offloading the operation to the content processor

Enterprise Firewall 7.0 Study Guide 38

FortiOS Architecture

DO NOT REPRINT
© FORTINET

In this section, you will learn about how FortiGate uses memory.

Enterprise Firewall 7.0 Study Guide 39

FortiOS Architecture

DO NOT REPRINT
© FORTINET

To understand how FortiGate uses its memory, you must understand the architecture of FortiOS. The heart of
FortiOS is its kernel. The kernel is where FortiGate makes some of the most basic and important decisions, such
as how to route a packet, or when to offload a session to an NPU processor. FortiOS runs on hardware. The
device drivers bridge the kernel with the hardware. The user space is located above the kernel. Several
application processes or daemons run in the user space. Above the kernel and the user space is the configuration
layer.

Enterprise Firewall 7.0 Study Guide 40

FortiOS Architecture

DO NOT REPRINT
© FORTINET

FortiOS is a 64-bit architecture, therefore the kernel doesn't need to use memory paging to access the whole
memory space. All the memory space is directly accessible by the kernel.

The command shown on this slide displays:

• The total amount of system memory (MemTotal)
• The total amount of free memory (MemFree)

Enterprise Firewall 7.0 Study Guide 41

FortiOS Architecture

DO NOT REPRINT
© FORTINET

FortiGate allocates memory for five main purposes:

• Kernel memory slabs
• System I/O cache
• Buffers
• Shared memory
• Process memory

You will learn about each of these purposes in this lesson.

Enterprise Firewall 7.0 Study Guide 42

FortiOS Architecture

DO NOT REPRINT
© FORTINET

The kernel memory slabs are collections of objects with a common purpose. They are used by the kernel to store
information in memory.

This slide shows an example of some slabs. There are slabs for storing information about the TCP sessions. The
entries in the route cache are also stored in memory slabs.

Enterprise Firewall 7.0 Study Guide 43

Enterprise Firewall 7.0 Study Guide 52

FortiOS Architecture

DO NOT REPRINT
© FORTINET

The command shown on this slide displays overall memory and CPU use. It also shows session creation rate,
number of viruses caught, and number of attacks blocked by the IPS. The last line displays the system uptime.
This output gives you a quick view of how much traffic the device is handling.

Enterprise Firewall 7.0 Study Guide 53

FortiOS Architecture

DO NOT REPRINT
© FORTINET

The real-time debug commands generate information in real time about what a specific FortiGate process or
feature is doing.

The debug level is a bitmask value that specifies which types of messages are displayed. The meaning of the
debug value depends on each process. However, for all cases, a debug level of 0 means no output (disabled)
and a debug level of -1 means enabling all possible message types.

Enterprise Firewall 7.0 Study Guide 54

FortiOS Architecture

DO NOT REPRINT
© FORTINET

This slide shows the two commands you use to enable the IPsec real-time debug output. You can also enable
the option to prepend the system time to each debug line. It is important to disable any real-time debug after
using it because they consume FortiGate resources and some can be CPU intensive. The command diagnose
debug reset resets any filters that are configured for debugging, as well as disables debug output for all
administrators currently running debugs on FortiGate.

Enterprise Firewall 7.0 Study Guide 55

FortiOS Architecture

DO NOT REPRINT
© FORTINET

Application layer test commands don’t display information in real time, but they do show statistics and
configuration information about a feature or process. You can also use some of these commands to restart a
process or execute a change in its operation.

Enterprise Firewall 7.0 Study Guide 56

FortiOS Architecture

DO NOT REPRINT
© FORTINET

In this section, you will examine conserve mode, now that you have a better understanding of how FortiGate uses
memory.

Enterprise Firewall 7.0 Study Guide 57

FortiOS Architecture

DO NOT REPRINT
© FORTINET

Conserve mode is a protection mechanism that is triggered when FortiGate doesn’t have enough memory
available to handle traffic. Content inspection (especially proxy-based) increases memory use beyond simple
firewall policies. In other words, when antivirus is enabled, FortiGate is more likely to use more memory, which
can cause FortiGate to enter conserve mode. You can identify whether antivirus or any other process is using too
much memory by running the CLI command diagnose sys top.

FortiGate has only one conserve mode. It is triggered based on memory usage. There are three memory
thresholds that you can configure on the CLI:
• Extreme: The threshold at which FortiGate starts dropping new sessions.
• Red: The threshold at which FortiGate enters conserve mode.
• Green: The threshold at which FortiGate exits conserve mode.

Enterprise Firewall 7.0 Study Guide 58

FortiOS Architecture

DO NOT REPRINT
© FORTINET

FortiOS Architecture

DO NOT REPRINT
© FORTINET

Use the command shown on this slide to identify if a FortiGate device is currently in conserve mode.

Enterprise Firewall 7.0 Study Guide 63

FortiOS Architecture

DO NOT REPRINT
© FORTINET

FortiGate has one more mechanism to free memory when there is not much available. If the kernel cannot
allocate more memory pages, it deletes the oldest sessions. The command shown on this slide displays the
numbers of sessions deleted by the kernel because of this mechanism.

Enterprise Firewall 7.0 Study Guide 64

FortiOS Architecture

DO NOT REPRINT
© FORTINET

FortiGate has a mechanism to protect memory use against some forms of DoS attacks. FortiGate categorizes an
entry in the session table as an ephemeral session when it is a TCP session that is not fully established (three-
way handshake not completed), or it is a UDP session with only one packet received. During some DoS attacks,
the number of these types of sessions tends to increase abnormally, potentially consuming the unit memory.
FortiGate sets a hard limit on the maximum number of ephemeral sessions that can exist at the same time in the
session table.

Enterprise Firewall 7.0 Study Guide 65

FortiOS Architecture

DO NOT REPRINT
© FORTINET

What can you do if FortiGate enters conserve mode frequently, or if its memory utilization is too high? In this
section, you will learn how to optimize memory use by fine-tuning the FortiGate configuration.

Enterprise Firewall 7.0 Study Guide 66

FortiOS Architecture

DO NOT REPRINT
© FORTINET

Many FortiGate processes, such as DLP or AV scanning, are memory intensive. So, memory optimization is
important, especially in small devices, to guarantee that these processes do not force FortiGate into memory
conserve mode. This slide shows some recommendations for optimizing memory use. These tips might
significantly increase the available memory in a device that is frequently entering conserve mode.

The first and most logical step is to disable features that are not required. For example, if the network already has
a FortiMail device doing antispam, an administrator does not need to do antispam on FortiGate. Also, usually not
all the IPS signatures are required.

Another recommendation is to reduce the maximum file size to inspect, which is set to 10 MB by default. You can
reduce this value to 2 or 3 MB without significantly reducing the virus catching rate, because a typical virus size is
less than 1 MB.

Enterprise Firewall 7.0 Study Guide 67

FortiOS Architecture

DO NOT REPRINT
© FORTINET

Additionally, you can reduce the amount of memory allocated to some caches, such as the ones for FortiGuard
and DNS.

Enterprise Firewall 7.0 Study Guide 68

FortiOS Architecture

DO NOT REPRINT
© FORTINET

The FortiGate session table can consume an important portion of memory, especially in networks with a high rate
of traffic. By default, a session without traffic remains in the table for up to one hour.

Although a TTL this high might be required by some applications, in most networks, you can reduce the session
TTL. When you reduce the TTL, FortiGate ages out idle sessions much more quickly, increasing the amount of
available memory.

There are four places in the FortiGate configuration where you can reduce the session TTL. Two of them are:
• Globally, for all the traffic
• On an IP protocol and port number basis

Enterprise Firewall 7.0 Study Guide 69

FortiOS Architecture

DO NOT REPRINT
© FORTINET

The other two places where you can reduce the session TTL are:
• For each firewall policy
• For each application control

If an application requires a high session TTL, you can reduce the TTL globally to five minutes. However, you can
also set it to a higher number for the specific application port number, firewall policy, or with an application control
application override entry by setting the session-ttl option using the CLI.

Enterprise Firewall 7.0 Study Guide 70

FortiOS Architecture

DO NOT REPRINT
© FORTINET

You can also reduce most TCP session timers from their default values without causing problems to the
applications. This slide shows some recommended values that are equal to or below the default values. Use
these recommended values to optimize the memory use.

The tcp-halfopen-timer controls for how long, after a SYN packet, a session without SYN/ACK remains in
the table.

The tcp-halfclose-timer controls for how long, after a FIN packet, a session without FIN/ACK remains in
the table.

The tcp-timewait-timer controls for how long, after a FIN/ACK packet, a session remains in the table. A
closed session remains in the session table for a few seconds more to allow any out-of-sequence packet.

Enterprise Firewall 7.0 Study Guide 71

FortiOS Architecture

DO NOT REPRINT
© FORTINET

In this section, you will learn about FortiOS workspace mode.

Enterprise Firewall 7.0 Study Guide 72

FortiOS Architecture

DO NOT REPRINT
© FORTINET

Workspace mode allows administrators to make a batch of changes that are not implemented until they commit
the transaction. Prior to committing, the administrator can revert or edit the changes as needed without impacting
current operations.

When an administrator edits an object in workspace mode, it is locked, preventing other administrators from
editing that object. A warning message is shown to let the administrator know that the object is currently being
configured in another workspace transaction.

All administrators can use workspace mode; their permissions in workspace mode are the same as the
permissions defined in their account profile.

A workspace mode transaction times out in five minutes if there is no activity. When a transaction times out, all
changes are discarded. A warning message is shown to let the administrator know that a timeout is imminent, or
has already happened.

Workspace mode is available only through the FortiGate CLI.

Enterprise Firewall 7.0 Study Guide 73

FortiOS Architecture

DO NOT REPRINT
© FORTINET

The command config-transaction status shows if the current administrator is working on a workspace
that is pending being committed. If that is the case, the output shows the transaction ID for the workspace.

To view information about all the active workspace transactions (from multiple concurrent administrators), use the
command config-transaction show txn-info. The output shows the identifier for each transaction and
their expiration times. It also shows the usernames of the administrators working on each workspace, as well as
information about how and from where those administrators are connecting.

You can list the CLI changes pending to be committed in your workspace using the command config-
transaction show txn-cli-commands.

Enterprise Firewall 7.0 Study Guide 74

So, how do you know if the crash log is normal or not?

In most cases, entries in the crash log are normal. You can consider a crash log entry to be suspicious if it
happens at the same time as a failure in a FortiGate feature, or abnormal behavior of FortiGate.

For example, a crash log entry that is generated when the device unexpectedly restarts might provide information
about the cause. A crash in the sslvpnd process when all SSL VPN users get disconnected is also relevant.
The crash log includes the details about the crash and information that can be used by Fortinet support to identify
which code triggered the problem.

Enterprise Firewall 7.0 Study Guide 81

FortiOS Architecture

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the architecture of FortiOS.

By demonstrating competence in traffic and session monitoring, you will be able to interpret the information in the
session table, capture traffic using the built-in sniffer, analyze the output of the debug flow, and configure and
troubleshoot session helpers and the SIP application layer gateway.

Use the command shown on this slide to remove all sessions that match the session filter. You must be careful
with this command because it can, potentially, clear all the existing sessions if no filter has been set. Before
clearing out any sessions, use appropriate filters.

The check-new option is another alternative. When you enable this option, FortiGate does not modify any
existing session after a policy change. When new sessions arrive, FortiGate evaluates them against the modified
policies. You can use this option if you have policies handling millions of sessions.

The check-policy-option is the most granular setting you can use. When you enable this option, the firewall
policy-level settings become available, which you can use to modify how FortiGate handles sessions on a per-
policy level.

Enterprise Firewall 7.0 Study Guide 96

Traffic and Session Monitoring

DO NOT REPRINT
© FORTINET

You can now configure FortiGate to operate in NGFW policy mode. NGFW policy mode is a flow-based
inspection mode that allows you to configure application signatures, categories, groups, and FortiGuard web filter
categories directly on the firewall policy. Other security inspection features, such as antivirus and DLP, are still
configured as profiles.

Enterprise Firewall 7.0 Study Guide 97

Traffic and Session Monitoring

If you do not specify an option for the timestamp, the debug shows the time, in seconds, since it started running.
As you learned earlier in the lesson, you can prepend the local system time to easily correlate a packet with
another recorded event.

Enterprise Firewall 7.0 Study Guide 103

Traffic and Session Monitoring

DO NOT REPRINT
© FORTINET

Another useful FortiGate troubleshooting tool is the debug flow.

Enterprise Firewall 7.0 Study Guide 111

Traffic and Session Monitoring

DO NOT REPRINT
© FORTINET

This slide shows a packet capture of the previous FTP traffic before the port command reaches FortiGate. You
can see the original client IP address, 10.0.1.10.

Enterprise Firewall 7.0 Study Guide 112

Traffic and Session Monitoring

DO NOT REPRINT
© FORTINET

This slide shows another packet capture, this time after the port command crosses FortiGate. The session
helper has translated the IP address inside the port command to 10.200.1.1.

Enterprise Firewall 7.0 Study Guide 113

Traffic and Session Monitoring

Fortinet recommends that FortiGate use the SIP ALG. FortiGate should use the SIP helper only when the SIP
ALG is not working as expected.

Enterprise Firewall 7.0 Study Guide 119

Traffic and Session Monitoring

DO NOT REPRINT
© FORTINET

This slide shows the commands you use to change the ports for the SIP ALG. The SIP ALG supports SIP over
UDP, SIP over TCP, and encrypted (SSL) SIP.

Enterprise Firewall 7.0 Study Guide 120

Traffic and Session Monitoring

DO NOT REPRINT
© FORTINET

You can display all active SIP calls, and disconnect any active SIP calls, using the commands shown on this
slide.

Enterprise Firewall 7.0 Study Guide 121

Traffic and Session Monitoring

DO NOT REPRINT
© FORTINET

You can use im and sip real-time debugs to display real-time information about SIP traffic.

Enterprise Firewall 7.0 Study Guide 122

Traffic and Session Monitoring

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about traffic and session monitoring.

By demonstrating competence in routing, you will be able to describe how FortiGate routes traffic, diagnose
routing problems caused by the reverse path forwarding check, identify sessions that are routed through a
different path, and use debug commands to troubleshoot routing problems.

Enterprise Firewall 7.0 Study Guide 127

Routing

DO NOT REPRINT
© FORTINET

In this section, you will learn about general routing concepts and troubleshooting.

Enterprise Firewall 7.0 Study Guide 128

Routing

DO NOT REPRINT
© FORTINET

FortiGate is a stateful device, so it decodes a lot of information at the beginning of a session, based on the first
packets. For any traffic session, FortiGate usually performs only two routing lookups: one on the first packet sent
by the originator and another one on the first reply packet coming from the responder. After that, all the routing
information is written in the FortiGate session table. However, after a change to the routing table, the route
information is flushed from the affected entries in the session table. So, FortiGate would perform additional
routing table lookups in order to repopulate the session table with the new routing information.

Enterprise Firewall 7.0 Study Guide 129

Routing

DO NOT REPRINT
© FORTINET

How does FortiGate decide routes? FortiGate has multiple routing modules. The diagram shown on this slide
illustrates the logic of the routing modules.

First, FortiGate searches its policy routes. You can view them using the command diagnose firewall
proute list. If there is a match in a policy route, and the action is Forward Traffic, FortiGate routes the
packet accordingly. If the action is Stop Policy Routing, FortiGate goes to the next table, which is the route
cache. You can view that content using the CLI command diagnose ip rtcache list.

Finally, FortiGate searches the forwarding information base (FIB). The FIB is generated by the routing process,
and is the table used for packet forwarding. Think of the purpose of the routing table as management, while the
purpose of the FIB is forwarding. This separation becomes clearer in a FortiGate high availability (HA) cluster. In
an HA cluster, both route management and forwarding tables exist on the primary FortiGate. But on the
secondary FortiGate, only the FIB exists.

If there is no match in any of those tables, FortiGate drops the packet because it is unroutable.

Enterprise Firewall 7.0 Study Guide 130

Routing

DO NOT REPRINT
© FORTINET

When there is more than one route to a destination, this slide shows the process for selecting which route to use.

First, FortiGate uses the most specific route, which is the one with the longest netmask (smallest subnet). If there
are two or more routes with the same longest netmask, the device selects the one with the shortest distance.
After that, FortiGate uses the lowest metric as the tiebreaker for dynamic routes. In the case of static routes,
FortiGate uses the lowest priority instead. If there are multiple routes with the same netmask, distance, metric,
and priority, FortiGate shares the traffic among all of them. This is called equal cost multipath (ECMP). ECMP is
supported for static, BGP, and OSPF routes.

Routing

DO NOT REPRINT
© FORTINET

Content inspection requires that routing be kept as symmetric as possible; that is, traffic must follow the same
path both ways. There are multiple scenarios where asymmetric routing prevents FortiGate from inspecting traffic
content. So, FortiGate routes traffic symmetrically. This means that, under some network topologies, FortiGate
might not route the return traffic through the best path, but through the same path that the originating traffic used.
For that purpose, FortiGate remembers the interface to source and uses that interface to route the return packets,
even when a better route using a different interface exists. You will look at an example on the next slides.

Enterprise Firewall 7.0 Study Guide 136

Routing

DO NOT REPRINT
© FORTINET

Now, you will analyze the network topology shown on this slide. The local network 10.1.0.0/24 has three
network devices: a local workstation, local router, and FortiGate port1. Also, FortiGate port2 is directly connected
to the local router (using the subnet 10.2.0.0/24).

There is a remote router connected to FortiGate port3 and, behind that, a remote server (10.4.0.1). So, any
traffic destined to the remote server must be routed through FortiGate. One important detail in this network is that
the local workstation default gateway is 10.1.0.254. This means that if you send an ICMP echo request from
the local workstation to the remote server, the packet goes to the local router first, then to FortiGate, then to the
remote router, and finally to the destination. When the ICMP packet arrives at FortiGate, an entry for the
originating traffic is created in the device route cache. This entry contains the interface to source, or the incoming
interface where the packet arrived which, in this case, is port2.

Enterprise Firewall 7.0 Study Guide 137

Routing

DO NOT REPRINT
© FORTINET

Additionally, FortiGate creates an entry in the session table. This entry also contains information about the
interface to source.

As explained earlier, FortiGate does a first routing lookup to find the next hop to the destination. That IP address
is also stored in the session information.

Because there is no ICMP echo reply yet, the next hop to source is still unknown (it is 0.0.0.0). It is identified
with the second routing lookup that happens with the first reply packet.

Enterprise Firewall 7.0 Study Guide 138

This slide shows an example of a session just after a routing change. The gateways in both directions change to
0.0.0.0/0 and the interfaces to 0, indicating that FortiGate must learn this information again. Additionally, the
dirty flag is added.

Enterprise Firewall 7.0 Study Guide 143

Routing

DO NOT REPRINT
© FORTINET

You can configure session route persistence at the interface level using the commands shown on this slide. The
default value is disable. If you enable this setting, sessions passing through that interface continue to pass
without being affected by the routing changes. The routing changes apply only to new sessions.

Enterprise Firewall 7.0 Study Guide 144

Routing

DO NOT REPRINT
© FORTINET

In sessions where SNAT is applied, the action that FortiGate takes after a routing change depends on the snat-
route-change setting.

Enterprise Firewall 7.0 Study Guide 145

Routing

DO NOT REPRINT
© FORTINET

When you disable snat-route-change, the behavior that occurs after a routing change is different for sessions
using SNAT. Sessions using SNAT continue using the same outbound interface, as long as the old route is still
active.

In the example shown on this slide, FortiGate is connected to two different ISPs. A client with the IP address
10.1.0.1/24 is connected behind FortiGate. FortiGate is doing SNAT of the client traffic to a public IP address,
depending on which ISP is using it. The FortiGate routing table contains two default routes: one for each ISP. The
two default routes are the same distance, but have different priorities. The route with the lowest priority (port1) is
the primary route. When both ISP connections are up, FortiGate selects the primary route for internet traffic. So,
FortiGate creates all sessions to the internet using port1 as the outbound interface.

Enterprise Firewall 7.0 Study Guide 146

Routing

DO NOT REPRINT
© FORTINET

If you increase the priority assigned to port1 to a value that is higher than the value assigned to port2, and if you
disable snat-route-change, all new sessions start using port2, because it has the lowest priority. However, all
the existing sessions continue to use port1. The default route is through port1. Even though the default route is
no longer the best route, it is still active. If FortiGate is doing SNAT, the existing sessions continue to use the
original route until they expire. If FortiGate isn’t doing SNAT, all the existing sessions switch to port2 after the
change.

Enterprise Firewall 7.0 Study Guide 147

Routing

DO NOT REPRINT
© FORTINET

When you disable snat-route-change, when a route changes, the actions are the same as they are for
sessions without SNAT:

• FortiGate flushes routing information from the session table

• FortiGate removes route cache entries
• FortiGate performs routing lookups again for the next packets, which can potentially change the outbound
interface being used to route the traffic
• FortiGate performs an RPF check again for the first packet in the original direction

In the example shown on this slide, FortiGate is connected to two different ISPs. A client with the IP address
10.1.0.1/24 is connected behind a FortiGate device. The FortiGate routing table contains two default routes,
one for each ISP. The two default routes are the same distance, but have different priorities. The route with the
lowest priority (port1) is the primary route. When both ISP connections are up, the primary route is selected by
FortiGate for internet traffic. So, FortiGate creates all sessions to the internet using port1 as the outbound
interface.

Enterprise Firewall 7.0 Study Guide 148

Routing

DO NOT REPRINT
© FORTINET

The scenario shown on this slide has multiple ISPs. If the customer owns a pool of public IP addresses, the
customer can configure a single IP pool for SNAT for all the internet providers. The advantage is that if the main
ISP goes down, sessions are routed through a secondary ISP, maintaining the same public source IP address. In
this way, sessions can remain up.

So, in the example shown on this slide, if you increase the priority for port1 to a value higher than the priority for
port2, and if you enable snat-route-change, when a route changes, FortiGate flushes routing information
from existing SNAT sessions. All sessions start using port2 because it has the lowest priority. Additionally, if the
port2 route shared a common IP pool with the old best route of port1, the SNAT sessions continue using the
same public IP addresses for the translation of the private IP addresses.

Enterprise Firewall 7.0 Study Guide 149

Routing

DO NOT REPRINT
© FORTINET

When you enable auxiliary-session, the FortiGate kernel creates a new auxiliary session and attaches it to
the main session. For each traffic path (incoming or outgoing), FortiGate continues to create a new auxiliary
session.

Enterprise Firewall 7.0 Study Guide 150

Routing

DO NOT REPRINT
© FORTINET

In the example shown on this slide, ECMP is configured for both client and server. FortiGate uses ECMP through
port1 and port2 to the client, and ECMP through port3 and port4, to the server.

Based on this example, you can see how sessions are handled on FortiGate:
1. Initially, traffic is coming from port1 to port3. FortiGate creates a new session: the main session.
2. The reply from the server comes from port4 to port1. FortiGate creates auxiliary session 1 and attaches it to
the main session.
3. The client sends traffic from port1 to port4. FortiGate matches auxiliary session 1.
4. The client sends traffic from port2 to port3. FortiGate creates auxiliary session 2 and attaches it to the main
session.
5. The server replies from port3 to port2. FortiGate matches auxiliary session 2.
6. The server replies from port4 to port2. FortiGate creates auxiliary session 3 and attaches it to the main
session.
7. The client sends traffic from port2 to port4. FortiGate matches auxiliary session 3.
8. Finally, the server replies from port3 to port1. FortiGate matches main session.

FortiGate can offload all of these sessions, if the policy allows offloading.

Enterprise Firewall 7.0 Study Guide 151

Routing

Routing

DO NOT REPRINT
© FORTINET

FortiGate supports Layer 3 routing isolation using VRFs. You can configure a VRF ID on an interface. FortiGate
supports a wide range of interfaces, such as physical, VLAN, IPsec, switch, and aggregate interfaces. FortiGate
isolates interfaces with matching VRF IDs to a VRF instance.

This slide shows the commands you use to configure a VRF ID on an interface. The VRF ID is an integer
between 0 and 31.

OSPF and BGP are the only dynamic routing protocols that support VRF. RIP does not support VRF.

FortiGate also supports route leaking capabilities between locally defined VRFs.

Enterprise Firewall 7.0 Study Guide 159

Routing

DO NOT REPRINT
© FORTINET

After you configure VRF IDs on interfaces, the routing table diagnostic command output changes. FortiGate
groups routes based on VRF ID. In the routing table output shown on this slide, you can see that port1 and port3
are in the same VRF instance (VRF=1), and port2 is segregated to a separate VRF instance (VFR=2).

Enterprise Firewall 7.0 Study Guide 160

Routing

DO NOT REPRINT
© FORTINET

The routing table database output also changes. The database groups active and inactive routes based on their
VRF instance.

Enterprise Firewall 7.0 Study Guide 161

Routing

DO NOT REPRINT
© FORTINET

The route cache entries also show VRF ID information for recently used route entries.

Enterprise Firewall 7.0 Study Guide 162

Routing

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about advanced routing concepts that are
relevant to enterprise networks.

By demonstrating competence in FortiGuard, and how FortiGate connects to public FortiGuard servers, you will
be able to troubleshoot problems that occur when FortiGate is connecting to public FortiGuard services, and
when FortiManager is acting as a local FortiGuard server.

Enterprise Firewall 7.0 Study Guide 167

FortiGuard

DO NOT REPRINT
© FORTINET

Enterprise Firewall 7.0 Study Guide 177

FortiGuard

DO NOT REPRINT
© FORTINET

For antivirus and IPS, communication between FortiGate and FortiGuard happens much less frequently. In the
case of web filtering and antispam, FortiGate goes to FortiGuard each time it needs to rate a website or email (if
the information is not in the FortiGate cache). In the case of the pull method for antivirus and IPS, by default
FortiGate contacts FortiGuard at an interval calculated based on the model of FortiGate and the percentage of
valid subscriptions. The update interval is within one hour to check and download any new version of the
antivirus or IPS databases and engines. This is done using port TCP 443.

This slide shows the commands you use if FortiGate must connect through a web proxy. Usually, clients
connecting through a web proxy do not contact the DNS server to resolve names, because it is the web proxy
that does it. When connecting through a web proxy, FortiGate can access FortiGuard without DNS resolution.

Enterprise Firewall 7.0 Study Guide 178

FortiGuard

DO NOT REPRINT
© FORTINET

The command diagnose test application dnsproxy 7 displays the FQDN and IP addresses of the
FortiGuard servers available for antivirus and IPS updates.

The command diagnose autoupdate status provides a summary of the FortiGuard configuration on
FortiGate.

Enterprise Firewall 7.0 Study Guide 179

FortiGuard

DO NOT REPRINT
© FORTINET

The command shown on this slide lists all the FortiGuard databases and engines installed. The information
includes the version, contract expiration date, time it was updated, and what happened during the last update.

Enterprise Firewall 7.0 Study Guide 180

FortiGuard

DO NOT REPRINT
© FORTINET

If there are problems updating the antivirus or the IPS, or if there are problems validating the license, you can use
the FortiGuard real-time debug to get more information.

After enabling debug, you can force a manual update from the CLI using the command execute update-now.

Enterprise Firewall 7.0 Study Guide 181

FortiGuard

DO NOT REPRINT
© FORTINET

Remember that FortiGuard traffic always originates from the management VDOM. So, the management VDOM
(which is root by default) must have internet access.

Correct DNS access from the management VDOM is also important. FortiGate must be able to resolve the
names:
update.fortiguard.net
service.fortiguard.net

FortiGuard

DO NOT REPRINT
© FORTINET

The GUI section shown on this slide, and related CLI commands, show the status of FortiGuard licenses for all
FortiGate devices.

Enterprise Firewall 7.0 Study Guide 186

FortiGuard

DO NOT REPRINT
© FORTINET

Select Update History to open the update history page for a package. It shows the update times, the events that
occurred, the status of the updates, the version number, and size of the download.

Enterprise Firewall 7.0 Study Guide 192

FortiGuard

DO NOT REPRINT
© FORTINET

You can view statistics about rating requests made by FortiGate to FortiManager using the command shown on
this slide. By default, this command displays the request rates for the last 60 minutes. However, the time period
can be changed using the command shown on this slide. This information is also periodically logged in the event
log.

Enterprise Firewall 7.0 Study Guide 193

FortiGuard

DO NOT REPRINT
© FORTINET

FortiManager can log rating services events in the same way that it logs update services events. For
troubleshooting, it is recommended that you enable the debug level first.

Enterprise Firewall 7.0 Study Guide 194

FortiGuard

DO NOT REPRINT
© FORTINET

You can use the steps shown on this slide to reinitialize the web filtering and antispam databases and services.

Enterprise Firewall 7.0 Study Guide 195

FortiGuard

DO NOT REPRINT
© FORTINET

This slide shows other debug commands available on FortiManager to troubleshoot FortiGuard-related problems.

Enterprise Firewall 7.0 Study Guide 196

FortiGuard

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about FortiGuard. You also learned how to
troubleshoot problems that occur when FortiGate is connecting to public FortiGuard services, and when
FortiManager is acting as a local FortiGuard server.

By demonstrating competence in HA, you will be able to monitor and troubleshoot common HA problems,
unexpected reboots, and frozen devices.

In most networks, that’s enough for the switches to update their MAC forwarding tables with the new information.
However, some high-end switches might not clear their MAC tables correctly after a failover. So, they keep
sending packets to the former primary even after receiving the gratuitous ARPs. In these cases, you should use
the command shown on this slide to force the former primary to shut down all its interfaces for one second when
the failover happens, excluding heartbeat and reserved management interfaces. This simulates a link failure that
clears the related entries from the MAC table of the switches.

Enterprise Firewall 7.0 Study Guide 206

High Availability

DO NOT REPRINT
© FORTINET

FortiGate HA uses the FGCP, for HA-related communications. FGCP travels among the clustered FortiGate
devices over the links that you have designated as the heartbeats.

The FGCP traffic uses a different Ethernet type than the IP protocol. It actually uses three different Ethernet
types, depending on the operation mode (transparent or NAT/route).

Enterprise Firewall 7.0 Study Guide 207

High Availability

DO NOT REPRINT
© FORTINET

Take a look at how an HA cluster in active-active mode handles traffic.

First, the client sends a SYN packet, which is always forwarded to the primary FortiGate using the internal
interface virtual MAC address as the destination. If the primary decides that the session is going to be inspected
by a secondary, the primary forwards the SYN packet to the respective secondary.

In the example shown on this slide, the destination MAC address is the physical MAC address of the secondary
FortiGate. The secondary responds with a SYN/ACK to the client and starts the connection with the server by
directly sending a SYN packet.

Enterprise Firewall 7.0 Study Guide 208

High Availability

DO NOT REPRINT
© FORTINET

Next, the client acknowledges the SYN/ACK. The client forwards to the primary using the virtual MAC address as
the destination. The primary device forwards the packet to the secondary inspecting that session, using the
secondary physical MAC address.

Enterprise Firewall 7.0 Study Guide 209

High Availability

DO NOT REPRINT
© FORTINET

When the server responds to the TCP SYN, the packet is sent to the primary using the external interface virtual
MAC. The primary signals the secondary, and it is the secondary that replies to the server.

As you can see, the objective of active-active mode is not to load balance bandwidth. The traffic is always sent to
the primary first. The main objective is to share CPU and memory among multiple FortiGate devices for traffic
inspection.

Enterprise Firewall 7.0 Study Guide 210

High Availability

DO NOT REPRINT
© FORTINET

If you connect to the console port of a secondary device while it’s joining an HA cluster, you should see the
messages shown on this slide. First, the secondary tries to synchronize the external files. The external files
include the FortiGuard databases and digital certificates. After that, the secondary synchronizes the configuration.
The last message indicates that the secondary has successfully joined the cluster.

Enterprise Firewall 7.0 Study Guide 211

High Availability

DO NOT REPRINT
© FORTINET

In this section, you will learn about FGCP virtual clustering.

Enterprise Firewall 7.0 Study Guide 212

High Availability

DO NOT REPRINT
© FORTINET

Virtual clustering is essentially a cluster of two FortiGate devices operating with multiple VDOMs enabled.

You can configure a virtual cluster in active-passive mode to provide standard failover protection between two
instances of a VDOM operating on two different devices. You can also configure a virtual cluster in active-active
mode to load balance sessions between two cluster devices. There is another way you can load balance
sessions in a virtual cluster, which is VDOM partitioning.

Virtual clustering operates on a cluster of only two FortiGate devices. If you want to create a cluster of more than
two FortiGate devices operating with multiple VDOMs, you could consider other solutions that either do not
include multiple VDOMs in one cluster, or employ a feature, such as standalone session synchronization with
FGSP.

Other requirements to configure virtual clustering are the same as in a standard HA configuration.

Enterprise Firewall 7.0 Study Guide 213

High Availability

Enterprise Firewall 7.0 Study Guide 223

High Availability

DO NOT REPRINT
© FORTINET

A good indication of the health of an HA cluster is the status of the configuration synchronization. To verify that all
the secondary configurations are synchronized with the primary configuration, you can use the command shown
on this slide on all the HA devices. If a secondary FortiGate displays the same sequence of numbers as the
primary, its configuration is synchronized. Also, and as long as there are no configuration changes happening, on
each of the devices, the debugzone and the checksum zone must display the same sequence of numbers.
Later in this lesson, you will learn some tips for troubleshooting when this is not the case.

The checksum zone contains the checksum of the configuration that is actually running on the device. The
debugzone is where configuration changes are first stored before applying them to the running configuration. So,
during a configuration change you might see that the debugzone checksum differs from the checksum for a
short time, while the configuration changes are copied to the running configuration. After that short time, both
checksums should match again.

Enterprise Firewall 7.0 Study Guide 224

High Availability

DO NOT REPRINT
© FORTINET

Instead of using the checksum show command on each of the cluster devices, you can use the command
shown on this slide only on the primary. It shows the checksum for all the cluster members. This command is
easier to use; however, if there are communication problems between one of the secondary devices and the
primary, you might need to use the checksum show command instead.

Enterprise Firewall 7.0 Study Guide 225

High Availability

DO NOT REPRINT
© FORTINET

By default, HA session synchronization is disabled. If you enable it, you can check the session table of the
primary device to see which sessions have been synchronized to the secondary devices. They are the ones with
the synced flag. Additionally, and in the case of all sessions, the ha_id field shows the HA member ID of the
device that is processing the traffic.

Enterprise Firewall 7.0 Study Guide 226

High Availability

High Availability

DO NOT REPRINT
© FORTINET

If a device can’t join a cluster, follow these steps:

1. Verify the HA settings.
2. Verify the firmware versions and hardware models.
3. Verify the physical layer connections.
4. Use the HA real-time debug while the device tries to join the cluster. Run the debug on both the primary
device and the device with the problem.

If the problem is that the checksums between the debugzone and checksum zones don’t match, you can try to
fix it by forcing the recalculation.

Enterprise Firewall 7.0 Study Guide 231

High Availability

DO NOT REPRINT
© FORTINET

Traffic from session synchronization is bandwidth intensive. If the session creation rate is high, session
synchronization traffic can interfere with heartbeat traffic, creating delays in heartbeat replies. There are two
configuration changes that you can make that might help:
• Use a different interface from the heartbeat interface for session synchronization.
• Delay the synchronization of new sessions by 30 seconds, so short-lived sessions are not synchronized.

High CPU issues could also create HA heartbeat problems. In those cases, troubleshoot and fix the high CPU
problem first, before checking the HA status.

Enterprise Firewall 7.0 Study Guide 232

High Availability

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By demonstrating competence in using FortiManager, you will be able to centralize the administration of all
FortiGate devices in an enterprise network.

Enterprise Firewall 7.0 Study Guide 237

Central Management

DO NOT REPRINT
© FORTINET

In this section, you will review the key features of FortiManager.

Enterprise Firewall 7.0 Study Guide 238

Central Management

DO NOT REPRINT
© FORTINET

When should you use FortiManager in your network?

In large enterprises and managed security service providers (MSSPs), the size of the network introduces
challenges that smaller networks don’t have: mass provisioning; scheduling rollout of configuration changes; and
maintaining, tracking, and auditing many changes.

Centralized management through FortiManager can help you to more easily manage many deployment types
with many devices, and to reduce the cost of operation.

What can FortiManager do?

• Provision firewall policies across your network

• Act as a central repository for configuration revision control and security audits
• Deploy and manage complex mesh and star IPsec VPNs
• Act as a private FortiGuard distribution server (FDS) for your managed devices
• Script and automate device provisioning, policy changes, and more, with JSON APIs

Enterprise Firewall 7.0 Study Guide 239

Central Management

DO NOT REPRINT
© FORTINET

FortiManager can help you to better organize and manage your network. Key features of FortiManager include:

• Centralized management: Instead of logging in to hundreds of FortiGate devices individually, you can use
FortiManager to manage them all from a single console.
• Administrative domains (ADOMs): FortiManager can group devices into geographic or functional ADOMs,
which is ideal if you have a large team of network security administrators.
• Configuration revision control: Your FortiManager keeps a history of all configuration changes. You can
schedule FortiManager to deploy a new configuration or revert managed devices to a previous configuration.
• Local FortiGuard service provisioning: To reduce network delays and minimize internet bandwidth usage,
your managed devices can use FortiManager as a private FDN server.
• Firmware management: FortiManager can schedule firmware upgrades for managed devices.
• Scripting: FortiManager supports CLI-based and TCL-based scripts for configuration deployments.
• Pane Managers (VPN, FortiAP, FortiSwitch, and Fabric View): FortiManager management panes simplify
the deployment and administration of VPN, FortiAP, FortiSwitch, and Fabric View (Security Fabric).
• Logging and reporting: Managed devices can store logs on FortiManager. From that log data, you can
generate SQL-based reports, because FortiManager has many of the same logging and reporting features as
FortiAnalyzer.
• FortiMeter: Allows you turn FortiOS-VMs and FortiWebOS-VMs on and off as needed, paying only for the
volume and consumption of traffic that you use. These VMs are also sometimes called pay-as-you-go VMs.
You must have a FortiMeter license and the FortiMeter license must be linked with FortiManager by using
FortiCare.

Enterprise Firewall 7.0 Study Guide 240

Central Management

DO NOT REPRINT
© FORTINET

In this section, you will examine FortiManager software architecture.

Enterprise Firewall 7.0 Study Guide 241

Central Management

DO NOT REPRINT
© FORTINET

Inside FortiManager, there are management layers that are represented as panes on the GUI. The device
management layer, for example, is represented by the Device Manager pane, which performs revision history
and scripting.

Now, you will look at the management layers in further detail.

Enterprise Firewall 7.0 Study Guide 242

Central Management

DO NOT REPRINT
© FORTINET

To organize and efficiently manage a large-scale network, FortiManager has multiple management layers.

The Global ADOM layer has two key pieces: the global object database, and header and footer policy packages.
Header and footer policy packages envelop the policies of each ADOM. An example of where policy packages
are used is in a carrier environment, where the carrier allows customer traffic to pass through their network, but
does not allow the customer to have access to the carrier network infrastructure.

The ADOM layer is where policy packages are created, managed, and installed on managed devices or device
groups. You can create multiple policy packages here. The ADOM layer includes one common object database
for each ADOM. The common object database contains information such as addresses, services, and security
profiles.

The Device Manager layer records information on devices that are centrally managed by the FortiManager
device, such as the name of the device, type of device, model, IP address, current firmware installed, revision
history, and real-time status.

Enterprise Firewall 7.0 Study Guide 243

Central Management

DO NOT REPRINT
© FORTINET

Understanding the layers of the FortiManager management model is important.

In the Global ADOM layer, you create header and footer policy rules. You can assign these policy rules to
multiple ADOMs. If multiple ADOM policy packages require the same policies and objects, you can create them in
this layer so that you don’t have to maintain copies in each ADOM.

In the ADOM layer, objects and policy packages in each ADOM share a common object database. You can
create, import from, and install policy packages on many managed devices at once.

In the Device Manager layer, you can configure and install device settings for each device. If a configuration
change is detected—made locally or on FortiManager—FortiManager compares the current configuration to the
changed configuration, and creates a new configuration revision on FortiManager. Whether the configuration
change is big or small, FortiManager records it and saves the new configuration. This can help administrators to
audit configuration changes, and to revert to a previous revision, if required.

Enterprise Firewall 7.0 Study Guide 244

Central Management

DO NOT REPRINT
© FORTINET

What is an ADOM?

ADOMs enable the administrator account to create groupings of devices for administrators to monitor and
manage. For example, administrators can manage devices specific to their geographic location or business
division. ADOMs are not enabled by default and must be enabled by the administrator.

The purpose of ADOMs is to divide the administration of devices, by grouping them based on management
criteria, and to control (restrict) administrative access. Administrative access is assigned based on an
administrator profile that allows access to one or multiple ADOMs on the device. If the administrator uses virtual
domains (VDOMs), ADOMs can further restrict access to data from only the VDOM of a specific device. The
number of available ADOMs varies based on model.

Enterprise Firewall 7.0 Study Guide 245

Central Management

DO NOT REPRINT
© FORTINET

The Device Manager pane provides device and installation wizards to aid you in various administrative and
maintenance tasks. Using these wizards can decrease the amount of time it takes to do many common tasks.
There are four main wizards in the Device Manager pane:
• Add Device is used to add devices to central management and import their configurations.
• Install Wizard is used to install configuration changes from the Device Manager pane or Policies & Objects
pane to the managed devices. It allows you to preview the changes and, if the administrator doesn’t agree with
the changes, cancel and modify them.
• Import Policy is used to import interface mappings, policy databases, and objects associated with the
managed devices into a policy package under the Policy & Object pane. It runs with the Add Device wizard,
by default, and may be run at any time from the managed device list.
• Re-install Policy is used to perform a quick install of the policy package. It provides the ability to preview the
changes that will be installed on the managed device.

You can open the Import policy and Re-install Policy wizards by right-clicking your managed device in the
Device Manager.

Enterprise Firewall 7.0 Study Guide 246

Central Management

DO NOT REPRINT
© FORTINET

In this section, you will learn how to configure IPsec VPNs using the FortiManager VPN manager.

Enterprise Firewall 7.0 Study Guide 247

Central Management

DO NOT REPRINT
© FORTINET

On the VPN manager screen, you can configure IPsec VPN settings that you can install on multiple devices. The
settings are stored as objects in the objects database. You push the IPsec VPN settings to one or more devices
by installing a policy package. Follow these steps to configure VPNs with the VPN manager:
1. Create a VPN community.
2. Add gateways (members) to the community.
3. Install the VPN community and gateways configuration.
4. Add the firewall policies.
5. Install the firewall policies.

Enterprise Firewall 7.0 Study Guide 248

Central Management

DO NOT REPRINT
© FORTINET

Depending on the VPN topology you are installing, there are three types of communities:
• Full meshed
• Star
• Dial-up

Central Management

DO NOT REPRINT
© FORTINET

In this section, you will learn about the scripting options that are available on FortiManager.

Enterprise Firewall 7.0 Study Guide 253

Central Management

DO NOT REPRINT
© FORTINET

A script can make many changes to a managed device and is useful for bulk configuration changes and
consistency across multiple managed devices. FortiManager supports two types of scripts: CLI scripts and TCL
scripts.

CLI scripts include only FortiOS CLI commands as they are entered on the command line prompt on a FortiGate
device. TCL is a dynamic scripting language that extends the functionality of CLI scripting. In FortiManager TCL
scripts, the first line of the script is #!. This is standard for TCL scripts. Do not include the exit command that
normally ends TCL scripts because it prevents the script from running. You need to be familiar with the TCL
language and regular expressions. For more information on TCL scripts, refer to the official TCL website:
http://www.tcl.tk.

CLI scripts are enabled by default.

CLI scripts can be run in three different ways:

• Device database: By default, a script is run on the device database. It is recommend that you run the
changes on the device database (default setting), because this allows you to check what configuration
changes you will send to the managed device. After scripts run on the device database, you can install these
changes to a managed device using the installation wizard.
• Policy package, ADOM database: If a script contains changes related to ADOM-level objects and policies,
you can change the default selection to run on Policy package, ADOM database, and then install it using the
installation wizard.
• Remote FortiGate directly (through CLI): You can run a script directly on the device without installing these
changes using the installation wizard. Because you installed the changes directly on the managed device, the
system does not provide an option to verify and check the configuration changes through FortiManager before
executing it.

Enterprise Firewall 7.0 Study Guide 254

Central Management

DO NOT REPRINT
© FORTINET

For TCL scripts, you must enable the show command for TCL scripts on the FortiManager CLI.

Note that TCL scripts do not run through the FGFM tunnel like CLI scripts do. TCL scripts use SSH to tunnel
through FGFM, and they require SSH authentication to do so. If FortiManager does not use the correct
administrative credentials in Device Manager, the TCL script fails. CLI scripts use the FGFM tunnel, and the
FGFM tunnel is authenticated using the FortiManager and FortiGate serial numbers.

You can run TCL scripts only on the remote FortiGate directly (through the CLI).

Enterprise Firewall 7.0 Study Guide 255

Central Management

DO NOT REPRINT
© FORTINET

The example on this slide shows how you can run a CLI command from a TCL script. Any TCL script must start
with #!.

The next line, exec TCL, runs the CLI command get system status.

The CLI command runs only if the TCL interpreter gets the # from the FortiGate command prompt within 10
seconds. If that is not the case, the CLI command does not run, and the script generates an error.

You can use the TCL command puts to save the output of the CLI command to the FortiManager script history
log.

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding OSPF, you will be able to understand, configure, and
troubleshoot OSPF.

Each router starts advertising its locally connected subnets by sending LSAs.

Enterprise Firewall 7.0 Study Guide 271

OSPF

DO NOT REPRINT
© FORTINET

OSPF routers use Dijkstra’s algorithm to determine the best route to each destination. The best routes can be
represented as a tree with the local router at the root. Dijkstra’s algorithm is a recursive process that the router
repeats multiple times until it finds the best routes. For example, this slide shows the OSPF tree for router R2. It
indicates that the best route to Net 5 and Net 4 is through R3, and that Net 1, Net 2, and Net 3 are locally
connected.

Enterprise Firewall 7.0 Study Guide 272

OSPF

DO NOT REPRINT
© FORTINET

You can segment an OSPF network into areas. Each area is identified by a unique number, which you can
represent either in decimal or IP address format.

Enterprise Firewall 7.0 Study Guide 273

OSPF

DO NOT REPRINT
© FORTINET

Each area has its own separate LSDB. All routers in the same area maintain an identical copy of the LSDB of an
area. As you will learn in this lesson, a router can belong to more than one area. In those cases, the router
maintains multiple LSDBs—one LSDB for each area connected to it.

Segmenting big OSPF networks into areas reduces the sizes of the LSDB tables. Additionally, a topology change
does not impact the whole network, but only the area where the change happens.

Using OSPF areas requires good planning and may complicate the troubleshooting process.

OSPF

DO NOT REPRINT
© FORTINET

There are three types of OSPF networks:

• Point-to-point networks contain only two peers, one at each end of a point-to-point link.
• Broadcast networks support more than two attached routers. They also support sending messages to
multiple recipients (broadcasting).
• Point-to-multipoint networks support more than two attached routers. But they do not support broadcasting.

Enterprise Firewall 7.0 Study Guide 278

OSPF

DO NOT REPRINT
© FORTINET

An OSPF session between two OSPF peers is called an adjacency. This slide shows the initial interchange
between two peers that are forming an adjacency. Any new adjacency goes through different states: Init, 2-way,
ExStart, Exchange, Loading, and Full. The Full state indicates that the adjacency has successfully formed, and
both routers have identical copies of the LSDB.

Enterprise Firewall 7.0 Study Guide 279

OSPF

DO NOT REPRINT
© FORTINET

This slide lists the requirements for two peers to form an OSPF adjacency. If any of the requirements are not met,
the adjacency fails and will not reach the full state.

Enterprise Firewall 7.0 Study Guide 280

OSPF

DO NOT REPRINT
© FORTINET

In any multi-access network there is one DR and one BDR. The OSPF network elects the router with the highest
priority as the DR. If two or more routers are tied with the highest priority, the network elects the router with the
highest OSPF ID.

The BDR monitors the DR status. If the DR fails, the BDR takes the DR role.

Other routers form adjacencies only with the DR and the BDR. The DR forwards the link state information from
one router to another. This simplifies the number of adjacencies required in multi-access networks.

Enterprise Firewall 7.0 Study Guide 281

OSPF

DO NOT REPRINT
© FORTINET

This slide shows the multicast addresses used by OSPF in broadcast multi-access, and point-to-point networks.
Keep in mind that OSPF also uses unicast addresses for LSA retransmissions and database description packets.

Enterprise Firewall 7.0 Study Guide 282

OSPF

DO NOT REPRINT
© FORTINET

There are 11 LSA types. This lesson covers the five most commonly used:
• Type 1 describes all the links connected to a router.
• Type 2 describes all the routers (if more than one) in a multi-access network.
• Type 3 describes the networks within an area (only generated by an ABR).
• Type 4 describes the path to reach an ASBR.
• Type 5 describes the external destinations originated by an ASBR.

You will see examples of each of these five types in the next slides.

Enterprise Firewall 7.0 Study Guide 301

OSPF

DO NOT REPRINT
© FORTINET

This is a sample of output generated by the OSPF real-time debug. This sample shows the Hello packet being
sent.

Enterprise Firewall 7.0 Study Guide 302

OSPF

DO NOT REPRINT
© FORTINET

This is another sample of output generated by the OSPF real-time debug. This sample shows the Hello packet
being received.

Enterprise Firewall 7.0 Study Guide 303

OSPF

DO NOT REPRINT
© FORTINET

By default, FortiGate logs the most important OSPF routing events, such as:
• Neighbor down or up
• OSPF message exchange
• Negotiation errors

Enterprise Firewall 7.0 Study Guide 304

OSPF

DO NOT REPRINT
© FORTINET

You can view OSPF-related router events on the GUI. You can click any logged entry to view the details.

Enterprise Firewall 7.0 Study Guide 305

OSPF

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about OSPF concepts, and how to configure and
troubleshoot OSPF.

By demonstrating competence in BGP, you will be able to configure FortiGate for BGP, monitor and check the
status of a BGP communication, and troubleshoot the most common external BGP issues.

Enterprise Firewall 7.0 Study Guide 310

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

In this section, you will review BGP and how to configure it on FortiGate.

Enterprise Firewall 7.0 Study Guide 311

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

An AS is a set of routers and networks under the same administration. Each AS is identified by a unique number,
and usually runs an interior gateway protocol, such as OSPF or RIP.

Enterprise Firewall 7.0 Study Guide 312

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

BGP can serve one of two purposes: EBGP and IBGP.

An exterior gateway protocol (EGP) exchanges routing information between autonomous systems. BGP4, which
runs in the internet, is the dominant EGP protocol today. EBGP is typically used when strict control is required
over a large number of routes.

Two EBGP routers exchange AS path information for destination prefixes or subnets. When two routers start an
EBGP communication, the whole BGP routing table is interchanged. After that, only network updates are sent.

Enterprise Firewall 7.0 Study Guide 313

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

Enterprise Firewall 7.0 Study Guide 317

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

A BGP router stores the routing information in three logical tables. The RIB-in table contains all the routing
information received from other BGP routers before any filtering. The local RIB table contains that same
information after the filtering. The RIB-out table contains the BGP routing information selected to advertise to
other BGP routers.

Enterprise Firewall 7.0 Study Guide 318

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

This slide shows a flowchart that summarizes the BGP process. The BGP router stores the BGP routes it
receives from other routers in the RIB-in table. The BGP router applies a filter, and the resulting routes are stored
in the local RIB table. Then, the BGP router adds routes that were redistributed from the routing table, and applies
another filter (outbound). The BGP router advertises the resulting routes.

Enterprise Firewall 7.0 Study Guide 319

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

BGP routes traffic based on AS paths. Each AS path includes attributes, which BGP uses to select the best route
to each destination. One of the attributes is the AS list, which contains the autonomous systems through which
the traffic must pass to reach the destination.

Enterprise Firewall 7.0 Study Guide 320

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

There are four types of BGP attributes:

• Well-known mandatory
• Well-known discretionary
• Optional transitive, which can be passed from one AS to another
• Optional non-transitive, which can’t be passed from one AS to another

This slide shows a list of the BGP attributes and their attribute types that are supported by FortiGate.

Enterprise Firewall 7.0 Study Guide 321

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

FortiGate uses some of the BGP attributes during the routing selection process. If all those attributes for multiple
routes to the same destination match, and if ECMP is enabled, FortiGate shares the traffic among up to 10 BGP
routes. If you don’t enable ECMP, FortiGate uses the route that goes to the router with the lowest BGP router ID.

Enterprise Firewall 7.0 Study Guide 322

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

There are three important things to consider when you implement BGP on FortiGate.

First, there are no hardcoded limits. Limitations on the number of neighbors, routes, and policies depend
exclusively on the available system memory.

Second, by default, FortiGate doesn’t originate any prefix. You must enable redistribution, or manually indicate
the prefixes that FortiGate originates.

Third, by default, FortiGate accepts all the prefixes it receives. Optionally, you can filter out or modify some
prefixes.

Enterprise Firewall 7.0 Study Guide 323

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

By default, FortiGate BGP doesn’t advertise prefixes. You can use the redistribution command to configure
FortiGate to advertise prefixes. You can redistribute connected and static routes, and routes learned from other
routing protocols, into BGP. Optionally, you can add route maps to filter the prefixes or modify some of their BGP
attributes.

Enterprise Firewall 7.0 Study Guide 324

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

You can also use the network command to configure FortiGate BGP to advertise prefixes. However, an exact
match of the prefix in the network command must be active in the routing table. If the routing table doesn’t
contain an active route whose destination subnet matches the prefix, FortiGate doesn’t advertise the prefix. You
can change this behavior by disabling the network-import-check setting. After you disable the setting,
FortiGate advertises all prefixes in the BGP network table, regardless of the active routes present in the routing
table.

Enterprise Firewall 7.0 Study Guide 325

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

By default, the subnets under the config network command, and the subnets redistributed from other routing
protocols, are advertised to all the neighbors.

With a prefix list, you can be more selective about which prefixes to advertise to each neighbor. Additionally,
prefix lists allow you to select which prefixes you want to use from each neighbor. This example shows a prefix
list that allows the prefix 10.0.0.0/8, but blocks the prefix 10.1.0.0/16. By default, all the traffic that does
not match a prefix list is denied. The prefix list is applied in the incoming direction from the neighbor
10.3.1.254. The local FortiGate applies this filter for all the prefix advertisements coming from 10.3.1.254.

When applying a prefix list, all the prefixes that don’t match an entry in the list are denied by default.

Enterprise Firewall 7.0 Study Guide 326

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

This slide shows an example of a basic FortiGate configuration. In this case, remote-as is the same as local
AS, which means it is an IBGP configuration.

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

In this section, you will learn about tools and tips for troubleshooting BGP.

Enterprise Firewall 7.0 Study Guide 331

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

This slide shows a flow chart of the BGP neighbor states and how they change:
• Idle: Initial state
• Connect: Waiting for a successful three-way TCP connection
• Active: Unable to establish the TCP session
• OpenSent: Waiting for an OPEN message from the peer
• OpenConfirm: Waiting for the keepalive message from the peer
• Established: Peers have successfully exchanged OPEN and keepalive messages

Enterprise Firewall 7.0 Study Guide 332

Border Gateway Protocol

Enterprise Firewall 7.0 Study Guide 340

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

The command shown on this slide is used to restart a BGP session between two peers. You can also use this
command to run a BGP soft reset, which forces both peers to exchange their complete BGP routing tables.

Enterprise Firewall 7.0 Study Guide 341

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

Now FortiGate can log routing events, which enables you to get information that used to be available only when
you ran the BGP real-time debug. By default, BGP event logging is enabled. You can disable BGP event logging
by using the command shown on this slide.

Enterprise Firewall 7.0 Study Guide 342

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

You can view BGP-related router events on the GUI. You can click any logged entry to view the details.

Enterprise Firewall 7.0 Study Guide 343

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

Follow these steps to troubleshoot a BGP problem between two peers:

• Check that the local router can reach the remote peer
• Check the TCP session
• Check the BGP session
• If the BGP session is established, check the prefixes received and advertised by each peer

Enterprise Firewall 7.0 Study Guide 344

Border Gateway Protocol

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By demonstrating competence in web filtering, you will be able to implement, maintain, and troubleshoot web
filtering on FortiGate.

Enterprise Firewall 7.0 Study Guide 349

Web Filtering

DO NOT REPRINT
© FORTINET

Web filtering in FortiOS operates in one of two inspection modes: proxy and flow. By default, FortiGate caches
the rating results it receives from FortiGuard. So, before it sends rating requests to FortiGuard, FortiGate checks
that the website category isn’t already in the local cache. You can configure the time-to-live (TTL) of the entries in
the web filtering cache.

Enterprise Firewall 7.0 Study Guide 350

Web Filtering

DO NOT REPRINT
© FORTINET

During web filtering inspection, FortiGate first checks the static URL filter list, then the FortiGuard categories, and
then the content filtering list. Finally, FortiGate can execute some advanced options, such as manipulation of
HTTP headers.

Web Filtering

DO NOT REPRINT
© FORTINET

You can configure full SSL inspection to inspect all of the packet contents, including the payload. FortiGate
performs this inspection by proxying the SSL connection. Two SSL sessions are established—client-to-FortiGate
and FortiGate-to-server. The two established sessions allows FortiGate to encrypt and decrypt packets using its
own keys, which allows FortiGate to fully inspect all data inside the encrypted packets.

Web Filtering

DO NOT REPRINT
© FORTINET

Use the following CLI command to list error counters and other statistics related to web filtering: diagnose
webfilter fortiguard statistics list. A continual increase in some of the error counters usually
indicates communication problems with FortiGuard.

Enterprise Firewall 7.0 Study Guide 360

Web Filtering

DO NOT REPRINT
© FORTINET

The output also shows counters for the number of sites that were allowed, blocked, logged, monitored, and so on.

Enterprise Firewall 7.0 Study Guide 361

Web Filtering

DO NOT REPRINT
© FORTINET

Use the same command to display counters for the web filtering cache, including memory, requests, and hits and
misses.

Enterprise Firewall 7.0 Study Guide 362

Web Filtering

DO NOT REPRINT
© FORTINET

Use the diagnose test application urlfilter 1 command to display all options available for the web
filtering test command. You can use this command to troubleshoot issues related to web filtering.

Enterprise Firewall 7.0 Study Guide 363

Web Filtering

DO NOT REPRINT
© FORTINET

To list the content of the FortiGuard web filtering cache, use the command diagnose webfilter
fortiguard cache dump. For each URL, the output lists its rating by domain name and IP address. The rating
by domain name is the first two digits of the first number from left to right. It is the category ID represented in
hexadecimal. The rating by IP address is the first two digits of the second number. It is also the category ID
represented in hexadecimal.

The command get webfilter categories lists all the categories with their respective ID numbers. In this
list, the IDs are represented in decimal. So, if you want to find the category name for a URL in the cache, use the
first command to list the cache, and convert the ID number from hexadecimal to decimal. Then, use the second
command to find the category name for that ID number.

Enterprise Firewall 7.0 Study Guide 364

Web Filtering

DO NOT REPRINT
© FORTINET

Another tool you can use to troubleshoot web filtering is the web filter real-time debug. You can use the
commands shown on this slide.

This slide shows an example real-time debug output when the URL to categorize isn't in the FortiGuard cache.
The output shows the URL, category, source, destination IP addresses, and service.

IPS and WAD will only send request to urlfilter daemon when cache is missed. After the URL is in the FortiGuard
cache, IPS engine/WAD will start looking up the cache themselves before sending requests to urlfilter.

Enterprise Firewall 7.0 Study Guide 365

Web Filtering

DO NOT REPRINT
© FORTINET

Now you will learn some tips for troubleshooting web filtering.
• Get the specifics first:
• What URLs are having the problem?
• Is it random?
• Does it happen with all the users?
• Check the logs
• Is the problem caused by an incorrect user group configuration? Are the user access privileges correct?
• Run the real-time debug while reproducing the issue

Enterprise Firewall 7.0 Study Guide 366

Web Filtering

DO NOT REPRINT
© FORTINET

Additional tips:
• Check that web filtering isn't disabled globally.
• If users are having intermittent issues, check that the communication with FortiGuard is stable (check the web
filtering statistics). Check also that the device is not entering conserve mode.

Enterprise Firewall 7.0 Study Guide 367

Web Filtering

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to implement, maintain, and troubleshoot
web filtering on FortiGate.

Enterprise Firewall 7.0 Study Guide 368

There is no single correct way to deploy an IPS solution. It depends greatly on the network and application
requirements. However, in most cases, you will follow the steps shown on this slide.

There are usually three stages in the deployment of an IPS solution:

• Analysis: The administrator defines what to protect and where.
• Evaluation: After an initial IPS configuration, the administrator makes further adjustments based on the IPS
logs. During this stage, you configure the IPS only to monitor traffic, not block it.
• Maintenance: After the IPS configuration is working correctly, the administrator sets IPS to protect. The
administrator must continue to monitor the logs, and make further adjustments if any false positives or
negatives occur.

You will learn more about each stage in this lesson.

Enterprise Firewall 7.0 Study Guide 375

Intrusion Prevention System

During the analysis stage, you must identify:

• What services to protect
• The threats to those services
• Where to enable IPS inspection

Set realistic expectations. Focus on protecting the services that need protection. Start with the most critical
services, and classify the threats into groups.

Intrusion Prevention System

Eliminate as many false positives as possible. For each false positive, try to fix the problem by making changes in
either the source or destination of the traffic first. You can also use IPS exemptions.

Enterprise Firewall 7.0 Study Guide 380

Intrusion Prevention System

Enterprise Firewall 7.0 Study Guide 385

Intrusion Prevention System

You can include multiple options in the rule by separating them with a semicolon. The maximum length is 1024
bytes for custom signatures and 4096 bytes for predefined signatures.

Enterprise Firewall 7.0 Study Guide 386

Intrusion Prevention System

Now you’ll learn about supported option types. The options are divided into four categories based on their
purpose.

Enterprise Firewall 7.0 Study Guide 387

Intrusion Prevention System

When creating a custom signature, you must define required options which are name, service, and flow.

The signature name must be unique for each custom signature. The maximum length of a signature name is 64
characters.

The service option specifies the session type, such as HTTP or FTP. You can use the service keyword only once
in a signature. If a signature has neither a service keyword nor a port keyword, it will be added to all service trees
including the unknown_service tree.

Similar to the service option, the flow option can appear only once in the signature because it defines flow
direction of the detection packet.

Enterprise Firewall 7.0 Study Guide 388

Intrusion Prevention System

Use protocol-related options to match protocol headers.

Enterprise Firewall 7.0 Study Guide 389

Enterprise Firewall 7.0 Study Guide 397

Intrusion Prevention System

There are two important types of daemons that handle IPS-related tasks:
• ipsengine is the main type of daemon that handles all inspection and detection tasks.
• ipshelper handles actions whose results can be shared by different ipsengine daemons. ipshelper
also monitors configuration changes that impact IPS so it can also start or spawn additional instances of
ipsengine. For this reason, it’s normal to see ipshelper running even if you don’t have IPS configured on
FortiGate.

In some FortiGate models, it is normal to see multiple instances of the ipsengine daemon running.

Enterprise Firewall 7.0 Study Guide 398

Intrusion Prevention System

IPS goes into fail open mode when there is not enough available memory in the IPS socket buffer for new
packets. The IPS also goes into fail open mode when the FortiGate is in conserve mode. What happens during
that state depends on the IPS configuration. If the fail-open setting is enabled, some new packets (depending
on the system load) might pass through without being inspected. If it is disabled, new packets might be dropped.
Note that NTurbo doesn’t support the fail-open setting. If fail open is triggered, new sessions that would
typically be accelerated with NTurbo are dropped, even if the fail-open setting is enabled.

Enterprise Firewall 7.0 Study Guide 399

Intrusion Prevention System

The IPS fail open event generates a log in the crashlog. The log indicates if new packets are dropped or passed
through.

Enterprise Firewall 7.0 Study Guide 400

Intrusion Prevention System

IPS fail open entry and exit events also generate event logs.

Enterprise Firewall 7.0 Study Guide 401

Intrusion Prevention System

Frequent IPS fail open events usually indicate that the IPS is not able to keep up with the traffic demands. So, try
to identify patterns. Has the traffic volume increased recently? Have throughput demands increased?

Tune and optimize your IPS configuration: create IPS profiles specific for the type of traffic being inspected, and
disable IPS profiles on policies that don’t need them.

Enterprise Firewall 7.0 Study Guide 402

Intrusion Prevention System

The Protocol Options setting, configurable within each firewall policy, can impact the performance of a FortiGate
due to the need for the IPS engine to identify the protocol where particular protocol-to-port mappings are not
explicitly set. When a policy is set to proxy-based inspection, the settings in Protocol Options instruct FortiGate
to direct specified destination ports to their respective proxy processes except when Any is set for an enabled
protocol. In this scenario, the traffic must be sent to the IPS engine, and processed by the CPU, in order to
identify the protocol before directing it to the proxy process. This is significant, as it can affected how traffic is
processed during an IPS fail-open event for both proxy-based and flow-based traffic.

Enterprise Firewall 7.0 Study Guide 403

Intrusion Prevention System

Short spikes in the CPU usage by IPS processes could be caused by firewall policy or profile changes. These
spikes are usually normal. Spikes might happen when FortiGate has hundreds of policies and profiles, or many
virtual domains. Continuous high CPU usage by the IPS engines is not normal, and you should investigate it.

Enterprise Firewall 7.0 Study Guide 404

Intrusion Prevention System

If there are high CPU use problems caused by the IPS, you can use the diagnose test application
ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass
mode. In this mode, the IPS is still running, but it is not inspecting traffic. If the CPU use decreases after that, it
usually indicates that the volume of traffic being inspected is too high for that particular FortiGate model. If the
CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine that you
must report to Fortinet's support.

If you enable IPS bypass mode, remember to disable it, after you finish troubleshooting, using option 5.

Another recommendation to keep in mind: if you need to restart the IPS, don't use the diagnose sys top
kill command. Instead, use option 99, as shown on this slide. This guarantees that all the IPS-related
processes will restart properly.

Enterprise Firewall 7.0 Study Guide 405

Intrusion Prevention System

If the IPS is generating false positives, first determine which signature is generating them. You can use IP
exemptions as a solution. Additionally, you can provide sniffer samples and the matching logs to the FortiGuard
team for further investigation.

Enterprise Firewall 7.0 Study Guide 406

Intrusion Prevention System

False negatives are more difficult to discover and troubleshoot. Check the following:
• Is traffic hitting the correct policy or IPS profile? Use sniffer and debug flow if necessary.
• CPU and memory use is normal.
• IPS engines aren’t crashing.
• IPS configuration is correct.

Again, after you verify all of those factors, you can collect sniffer samples and, along with details of the application
traffic, provide all the information to the Fortinet IPS team for investigation.

Enterprise Firewall 7.0 Study Guide 407

Intrusion Prevention System

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this
lesson, you learned how to tune, configure, and troubleshoot IPS.

Enterprise Firewall 7.0 Study Guide 408

Intrusion Prevention System

Now, you will work on Lab 11–IPS.

Enterprise Firewall 7.0 Study Guide 409

Intrusion Prevention System

In this lab, you will configure FortiGate to protect a web server using IPS inspection. Then, you will test the
configuration by generating suspicious traffic from outside to the server. Additionally, you will use the information
gathered by the built-in sniffer to write a custom IPS signature.

Enterprise Firewall 7.0 Study Guide 410

Enterprise Firewall 7.0 Study Guide 414

IPsec

IKE negotiates the private keys, authentications, and encryption that FortiGate uses to create an IPsec tunnel.
Security associations (SAs) provide the basis for building security functions into IPsec. There are two distinct
phases that IKE uses: phase 1 and phase 2. Phase 1 uses a single bi-directional SA, and phase 2 uses two IPsec
SAs, one for each traffic direction.

Enterprise Firewall 7.0 Study Guide 415

IPsec

Now, you will review the differences between aggressive mode and main mode. This slide shows main mode,
where six packets are exchanged:
1. The client initiates by proposing the security policies.
2. The responder selects which security policy it will agree to use, and replies.
3. The initiator sends its Diffie Hellman public value.
4. The responder replies with its own Diffie Hellman public value.
5. The initiator sends its peer ID and hash payload.
6. The responder replies with its peer ID and hash payload.

Enterprise Firewall 7.0 Study Guide 416

IPsec

In comparison, this slide shows the aggressive mode negotiation in which only three packets are exchanged:
1. The client initiates by suggesting the security policies, and providing its Diffie Hellman public value and peer
ID.
2. The responder replies with the same information, plus a hash.
3. The initiator sends its hash payload.

Enterprise Firewall 7.0 Study Guide 417

IPsec

Extended authentication (XAuth) can be used as an additional level of authentication. When XAuth is used, one
side must provide credentials (username and password) in order to successfully authenticate.

XAuth happens after the phase 1 is up and before any phase 2 negotiation. That is why XAuth is sometimes
referred to as phase 1.5.

In any XAuth communication, there is always one client and one server. The server sends a CFG_REQUEST
packet, which must be replied by the client with a CFG_REPLY packet. The CFG_REPLY packet includes the user
credentials. If the authentication is successful, the server sends CFG_SET and the client replies with CFG-ACK.

Enterprise Firewall 7.0 Study Guide 418

IPsec

FortiGate supports three different methods for automatically configuring the IP settings of IPsec clients: IKE mode
configuration, DHCP over IPsec, and L2TP over IPsec.

This slide shows the IKE mode configuration.

After phase 1 is up, and before the phase 2, the client sends a CFG_REQUEST message listing the required IP
settings (or attributes). The server replies with a CFG_REPLY, which contains the assigned values for each of the
attributes requested.

Enterprise Firewall 7.0 Study Guide 419

IPsec

When the first phase 1 IPsec packet arrives, the FortiGate acting as the responder uses the first phase 1
configuration (in alphabetical order) that matches the following:

• Local gateway IP
• Mode (aggressive or main)
• Peer ID, if aggressive mode is used. As explained, only aggressive mode includes the peer ID in the first
packet.
• Authentication method (for pre-shared key and certificates)
• Digital certificate information, if certificates are used as the authentication method
• Proposal
• DH group

However, in some circumstances, FortiOS can switch to a different phase 1, if it finds that it initially selected the
wrong phase 1. This is called gateway revalidation and applies only to the following:

• IKEv1 with certificate authentication

• IKEv2 with pre-shared key authentication
• IKEv2 with certificate authentication

Enterprise Firewall 7.0 Study Guide 420

IPsec

If FortiGate has multiple dial-up VPNs using pre-shared keys and sharing the same local gateway, proposal, and
DH group, you must use aggressive mode and different peer IDs. Using this method, the FortiGate identifies the
right VPN configuration for each incoming IPsec proposal.

Enterprise Firewall 7.0 Study Guide 421

IPsec

Two or more IPsec tunnels between two sites can be combined to create an aggregated tunnel. This is similar to
LACP port aggregation. One single aggregated IPsec interface is created and used for routing and firewall
policing.

Aggregated IPsec tunnels support five load-balancing methods:

• round-robin: Traffic is balanced per packet.

• L3: Traffic is balanced based on the Layer 3 header information.
• L4: Traffic is balanced based on the Layer 4 header information.
• redundant: All traffic is sent though the tunnel that came up first. The other tunnels are used for backup.
• weighted-round-robin: Traffic is load balanced in a round-robin manner based on link weights configured
for each tunnel.

Enterprise Firewall 7.0 Study Guide 429

IPsec

Forward error correction (FEC) is a phase 1 setting that, when enabled, adds additional packets with redundant
data. The recipient can use this redundant information to reconstruct any lost packet, or any packet that arrived
with errors. Although this feature increases the bandwidth usage, it improves reliability that can overcome
adverse WAN conditions such as lossy or noisy links. FEC can be critical for delivering a better user experience
for business-critical applications like voice and video services.

Enterprise Firewall 7.0 Study Guide 430

Enterprise Firewall 7.0 Study Guide 436

IPsec

This slide shows the output of the real-time debug for phase 1 aggressive mode. It displays the three aggressive-
mode packets interchanged, and the proposals.

Enterprise Firewall 7.0 Study Guide 437

IPsec

The IKE real-time debug shows, after phase 1, the exchange of XAuth packets. On this slide, you can see the
CFG_REQUEST packet. You can also see the CFG_REPLY, showing the XAuth user and group name.

After that, the IKE real-time debug shows the CFG_SET and CFG_ACK.

Enterprise Firewall 7.0 Study Guide 438

IPsec

After the extended authentication, the remote site proceeds to request and receive the IP settings through IKE
mode configuration.

The output shows the CFG_REQUEST and CFG_REPLY packets.

Enterprise Firewall 7.0 Study Guide 439

IPsec

This slide shows the phase 2 negotiation.

The debug shows the phase 2 proposal from the local gateway, and the phase 2 proposal coming to the remote
gateway. In this case, both proposals (local and remote) match.

Enterprise Firewall 7.0 Study Guide 440

IPsec

Next, the output shows the negotiated phase 2 settings. The last messages confirm that the phase 2 is up.

Enterprise Firewall 7.0 Study Guide 441

IPsec

If the VPN is up but the traffic can’t cross the tunnel, you should use the debug flow. This slide shows an example
output of the debug flow for traffic that is crossing an IPsec tunnel. The output shows the following:
• Packet arriving
• Packet being allowed by a firewall policy
• Packet entering the tunnel
• Packets being encrypted and sent

If the traffic is not crossing the tunnel because of a routing misconfiguration, the output of the debug flow shows it.
The debug flow also displays if the traffic drops and why (for example, when packets don’t match the quick mode
selector).

Enterprise Firewall 7.0 Study Guide 442

IPsec

If you need to capture IPsec traffic, remember that the IP protocol and UDP port numbers depend on NAT-T and
the use of NAT.

If there is no FortiGate located in the middle that is running NAT, IKE traffic uses UDP port 500 and ESP traffic
uses IP protocol 50. This slide shows the two sniffer filters that the sniffer command must use to capture each of
those traffic protocols.

If NAT-T is enabled, and there is a FortiGate located in the middle that is running NAT, the sniffer command must
use a different filter. In this case, IKE traffic uses port UDP 500, but switches to UDP port 4500 during the tunnel
negotiation. Additionally, ESP traffic is encapsulated inside the UDP 4500 channel.

Note that port 500 and port 4500 are the default UDP port numbers for IKE and IKE NAT-T, respectively. These
ports can be configured using the command config system settings and options set ike-port
<value> and set ike-natt-port <value>.

Enterprise Firewall 7.0 Study Guide 443

IPsec

The command diagnose vpn tunnel list displays the current IPsec SA information for all active tunnels.

The command diagnose vpn tunnel list name <tunnel name> provides SA information about a
specific tunnel.

IPsec

All IPsec SAs have an npu_flag field indicating offloading status. In the case of IPsec traffic, the FortiGate
session table also includes that field.

First, when phase 2 goes up, the IPsec SAs are created and loaded to the kernel. As long as there is no traffic
crossing the tunnel, the SAs are not copied to the NPU, and the npu_flag shows 00. The value of that field also
remains 00 when IPsec offloading is disabled.

Second, if the first IPsec packet that arrives is an outbound packet that can be offloaded, the outbound SA is
copied to the NPU and the npu_flag changes to 01. However, if the first IPsec packet is inbound and can be
offloaded, the inbound SA is copied to the NPU and the npu_flag changes to 02.

After both SAs are copied to the NPU, the npu_flag changes to 03.

The value 20 in the npu_flag field indicates that hardware offloading is unavailable because of an unsupported
cipher or HMAC algorithm.

Enterprise Firewall 7.0 Study Guide 449

IPsec

This slide shows a summary of the most common IPsec problems and solutions.

If the tunnel doesn’t come up, use the IKE real-time debug. In such cases, an error message usually appears.

One point-to-multipoint topology variation is called hub-and-spoke. As its name describes, all clients connect
through a central hub, similar to the way spokes connect to hubs on wheels.

In the example shown on this slide, each client—spoke—is a branch-office FortiGate. For any branch office to
reach another branch office, its traffic must pass through the hub.

One advantage of using this topology is that you can easily manage the VPN configuration and firewall policies.
Also, system requirements are minimal for the FortiGate devices that function as branch offices, because each
FortiGate must maintain only one tunnel, or two SAs. In this example, four tunnels, or eight security associations
(SAs), are necessary in the hub.

A disadvantage of using this topology is that communication between branch offices through headquarters (HQ)
is slower than it would be using a direct connection, especially if HQ is physically distant, as it can be for global
companies. For example, if your company’s HQ is in Brazil, and your company also has offices in Japan and
Germany, latency can be significant. Another disadvantage is lack of redundancy. For example, if FortiGate at
HQ fails, the VPN fails company wide. Also, FortiGate at HQ must be more powerful, because it handles four
tunnels simultaneously, or eight SAs.

Enterprise Firewall 7.0 Study Guide 458

Auto-Discovery VPN

Auto-Discovery VPN

This slide shows an example of how ADVPN works.

An administrator configures IPsec VPNs in multiple FortiGate devices to form VPN hub-and-spoke topologies. In
this example, there are two hubs. Hub 1 has three spokes. Hub 2 has two spokes. There is also a VPN
connecting both hubs.

The dynamic tunnels between spokes are created on demand. Say that a user in Boston sends traffic to London.
Initially, the direct tunnel between Boston and London has not been negotiated. So, the first packets from Boston
to London are routed through Hub 1 and Hub 2. When Hub 1 receives those packets, it knows that ADVPN is
enabled in all the VPNs all the way to London because of auto-discovery-sender enable settings. So,
Hub 1 sends an IKE message to Boston informing it that it can try to negotiate a direct connection to London. On
receipt of this IKE message, Boston creates a FortiOS-specific IKE information message that contains its public
IP address, its local subnet, the desired destination subnet (London's subnet), and an auto-generated PSK
(alternatively can also use digital certificate authentication). This IKE message is sent to London through Hub 1
and Hub 2. When London receives the IKE message from Boston, it stores the PSK and replies with another IKE
information message that contains London's public IP address. After the reply arrives in Boston, the dynamic
tunnel is negotiated between both peers. The negotiation succeeds because London is expecting a connection
attempt from Boston's public IP address. You will explore this in greater detail in this lesson.

Enterprise Firewall 7.0 Study Guide 463

Auto-Discovery VPN

Now, you will examine how IKE messages that are exchanged when an on-demand tunnel is being negotiated:
1. The client behind Spoke-1 generates traffic for devices located behind Spoke-2.
2. Spoke-1 receives the packet, encrypts it, and sends it to the Hub.
3. The Hub receives the packet from Spoke-1 and forwards it to Spoke-2.
4. Spoke-2 receives the packet, decrypts it, and forwards it to the destination device.
5. The Hub knows that a more direct tunnel option might be available from Spoke-1 to Spoke-2. The Hub sends
a shortcut offer message to Spoke-1.
6. Spoke-1 acknowledges the shortcut offer by sending a shortcut query to the Hub.
7. The Hub forwards the shortcut query message to Spoke-2.
8. Spoke-2 acknowledges the shortcut query and sends a shortcut reply to the Hub.
9. The Hub forwards the shortcut reply to Spoke-1.
10. Spoke-1 and Spoke-2 initiate the tunnel IKE negotiation.

Enterprise Firewall 7.0 Study Guide 464

Auto-Discovery VPN

ADVPN requires the use of a dynamic routing protocol. In this lesson, you will learn how to configure ADVPN with
IBGP.

Enterprise Firewall 7.0 Study Guide 469

Auto-Discovery VPN

If you are configuring ADVPN on FortiManager using the VPN manager, remember the following:
• Set the protected networks to all.
• Use scripts to enable ADVPN in phase 1.
• Disable the option Add Route on the hub .
• Use scripts to enable net-device on spokes.
• Configure IP addresses on the IPsec virtual interfaces.
• Configure dynamic routing. If you are using IBGP, use a script to enable route reflector on the hub.
• It is important to know that when creating phase-1 using a FortiManager VPN console, the phase-1 name is
created with an underscore and a zero (phase1name_0). For example, a phase-1 named VPN will be created
as VPN_0.

Enterprise Firewall 7.0 Study Guide 470

Hub receives the shortcut-reply and forwards it to Spoke-1.

Enterprise Firewall 7.0 Study Guide 476

Auto-Discovery VPN

Finally, Spoke-1 receives the reply message and initiates a shortcut negotiation directly with Spoke-2, and the
dynamic tunnel interface is created.

Auto-Discovery VPN

Now, you will work on Lab 13–ADVPN.

Enterprise Firewall 7.0 Study Guide 481

Auto-Discovery VPN

In this lab, you will run CLI and TCL scripts to configure ADVPN and IBGP on the three FortiGate devices.

Enterprise Firewall 7.0 Study Guide 482

Auto-Discovery VPN

This slide shows your IBGP network, including router IDs and the IP addresses used in the IPsec interfaces.

Enterprise Firewall 7.0 Study Guide 483

Auto-Discovery VPN

This slide shows the CLI script that configures the NGFW with ADVPN and IBGP. The first part enables ADVPN.
The second part configures the IP address in the IPsec interface. The last part configures IBGP with route-
reflector-client enabled.

Enterprise Firewall 7.0 Study Guide 484

Auto-Discovery VPN

Configuration is slightly different from one spoke to another, so you will use TCL to create a single script that can
run on all the spokes, and configure each spoke individually. What changes from one spoke to another is the
router ID, the prefix to advertise, and the IP address in the IPsec interface. The script derives those items from
the spoke hostname.

The first part of the CLI script shown on this slide defines a function that is called each time a CLI command
needs to be run. This simplifies the TCL script.

The second part extracts the hostname from the output of the command get system status.

The third part extracts the spoke number from the hostname. For example, Spoke-1 is the spoke number 1,
Spoke-10 is the spoke number 10, and so on.

Two variables are created:

• $spokenumber is the spoke number. It is used to set the prefix to advertise.
• $spokenumberplusone is the spoke number plus 1. It is used to set the router ID and IPsec interface IP
address.

Enterprise Firewall 7.0 Study Guide 485

Auto-Discovery VPN

Next, the TCl script enables ADVPN. After that, it configures the IPsec interface IP address: for example,
172.16.1.2 for Spoke-1, 172.16.1.11 for Spoke-10, and so on. It uses the variable
$spokenumberplusone.

Enterprise Firewall 7.0 Study Guide 486

Auto-Discovery VPN

Finally, the TCL configures BGP. For example, the router ID for Spoke-1 is 172.16.1.2, for Spoke-7 is
172.16.1.8, and so on. The script uses the variable $spokenumberplusone again.

In the case of the BGP prefix, Spoke-1 advertises 10.1.1.0/24, Spoke-5 advertises 10.1.5.0/24, and so on.
The script uses the variable $spokenumber.

Enterprise Firewall 7.0 Study Guide 487

Auto-Discovery VPN

Additionally, you will troubleshoot a routing problem with OSPF and BGP.

Enterprise Firewall 7.0 Study Guide 488

Solution Slides

These slides contain the solutions to the troubleshooting exercises.

Enterprise Firewall 7.0 Study Guide 489

Solution Slides

Now, we will look at the solutions for the troubleshooting exercise in the traffic and session monitoring lab.

Enterprise Firewall 7.0 Study Guide 490

Solution Slides

There were four problems:

• Unable to telnet to ISFW (10.1.10.254)
• No Internet access
• Unable to telnet to Linux-Router (100.64.1.254)

Enterprise Firewall 7.0 Study Guide 491

Solution Slides

In the first problem, packets were arriving to ISFW as verified with the sniffer command. However ISFW was not
replying with the SYN/ACK packets.

Enterprise Firewall 7.0 Study Guide 492

Solution Slides

The next step was to use the debug flow, which showed the error iprope_in_check() check failed on
policy 1, drop. As this is FortiGate management traffic, the problem could be one of the following:
• The telnet service was not enabled in port3
• The telnet service was using a different port
• The source IP address was not in the trusted host list
• There was a local-in firewall configured to block telnet traffic

Enterprise Firewall 7.0 Study Guide 493

Solution Slides

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiGate 7.6 Administrator Study Guide
100% (1)
FortiGate 7.6 Administrator Study Guide
558 pages
Fortigate Administratior 7.4 Lab Guide
60% (5)
Fortigate Administratior 7.4 Lab Guide
250 pages
FCP - FortiManager Administrator 7.4 - Study Guide
100% (2)
FCP - FortiManager Administrator 7.4 - Study Guide
327 pages
NSE7 - OT Security FortiOS 7.2 - Study Guide
100% (2)
NSE7 - OT Security FortiOS 7.2 - Study Guide
317 pages
FCSS - EFW - AD-7.4 Exam Dumps Questions
No ratings yet
FCSS - EFW - AD-7.4 Exam Dumps Questions
19 pages
(FCSS Sec Ops) - Security Operations Analyst FortiAnalyzer 7.4 - Study Guide
No ratings yet
(FCSS Sec Ops) - Security Operations Analyst FortiAnalyzer 7.4 - Study Guide
158 pages
FCSS - EFW - AD-7.4 FCSS - Enterprise Firewall 7.4 Administrator Free Updated Dumps
100% (2)
FCSS - EFW - AD-7.4 FCSS - Enterprise Firewall 7.4 Administrator Free Updated Dumps
27 pages
FortiSwitch Study Guide For Fortiswitch 7.4
No ratings yet
FortiSwitch Study Guide For Fortiswitch 7.4
462 pages
Ebin - Pub Fortinet Enterprise Firewall Study Guide For Fortios 72
No ratings yet
Ebin - Pub Fortinet Enterprise Firewall Study Guide For Fortios 72
390 pages
FortiGate 7.4 Administrator Course Description
0% (1)
FortiGate 7.4 Administrator Course Description
3 pages
(FCSS NW) - Enterprise Firewall Administrator FortiOS 7.4 - Study Guide
100% (1)
(FCSS NW) - Enterprise Firewall Administrator FortiOS 7.4 - Study Guide
384 pages
(FCSS SASE) - FortiSASE Administrator FortiSASE 24 - Study Guide
100% (1)
(FCSS SASE) - FortiSASE Administrator FortiSASE 24 - Study Guide
171 pages
(FCSS NW) - Network Security Support Engineer FortiOS 7.4 - Study Guide
100% (2)
(FCSS NW) - Network Security Support Engineer FortiOS 7.4 - Study Guide
555 pages
(Fcss NW) - Sd-Wan Fortios 7.2 - Study Guide
No ratings yet
(Fcss NW) - Sd-Wan Fortios 7.2 - Study Guide
381 pages
FCP Sec Ops - FortiAnalyzer Analyst 7.4 - Study Guide
100% (3)
FCP Sec Ops - FortiAnalyzer Analyst 7.4 - Study Guide
216 pages
(FCSS Cloud - NSE7) - Public Cloud Security Fortigate 7.2 - Study Guide
No ratings yet
(FCSS Cloud - NSE7) - Public Cloud Security Fortigate 7.2 - Study Guide
194 pages
Fortinet Zero Trust Access Lab Guide For FortiOS 7.2 (Fortinet Training Institute)
100% (1)
Fortinet Zero Trust Access Lab Guide For FortiOS 7.2 (Fortinet Training Institute)
247 pages
FortiGate Infrastructure 7.2 Study Guide-Online
No ratings yet
FortiGate Infrastructure 7.2 Study Guide-Online
388 pages
FortiGate Infrastructure 7.2 Lab Guide-Online
No ratings yet
FortiGate Infrastructure 7.2 Lab Guide-Online
123 pages
Do Not Reprint © Fortinet: Fortimanager Lab Guide
No ratings yet
Do Not Reprint © Fortinet: Fortimanager Lab Guide
182 pages
SD-WAN 6.2 Lab Guide-Online PDF
100% (3)
SD-WAN 6.2 Lab Guide-Online PDF
85 pages
Fortinet Fortimanager Study Guide For Fortimanager 72
100% (1)
Fortinet Fortimanager Study Guide For Fortimanager 72
372 pages
Fortinet Network Security Support Engineer Study Guide For Fortios 72
No ratings yet
Fortinet Network Security Support Engineer Study Guide For Fortios 72
536 pages
Fortinet NSE4 FGT 7.2 - 2023.06.22 194Q v2.0
100% (1)
Fortinet NSE4 FGT 7.2 - 2023.06.22 194Q v2.0
106 pages
FortiGate 7.4 Administrator Exam Description
No ratings yet
FortiGate 7.4 Administrator Exam Description
3 pages
EWM CLASS 41 - RF Framework - Configuration
100% (1)
EWM CLASS 41 - RF Framework - Configuration
9 pages
FortiOS 7.4.3 Administration Guide
No ratings yet
FortiOS 7.4.3 Administration Guide
3,620 pages
NSE4 FGT-7.2 Updated
No ratings yet
NSE4 FGT-7.2 Updated
100 pages
B Fortinet Fortisoar Administrator Study Guide For Fortisoar 73
No ratings yet
B Fortinet Fortisoar Administrator Study Guide For Fortisoar 73
310 pages
Fortinet Fortigate Security Lab Guide For Fortios 72
100% (1)
Fortinet Fortigate Security Lab Guide For Fortios 72
204 pages
Nse4 - Fgt-7.0 Fortinet Nse 4 - Fortios 7.0 Fortinet 58 V2022-06-01 131 673
No ratings yet
Nse4 - Fgt-7.0 Fortinet Nse 4 - Fortios 7.0 Fortinet 58 V2022-06-01 131 673
24 pages
Fortinac Admin Operation 83 PDF
No ratings yet
Fortinac Admin Operation 83 PDF
2,020 pages
Fortigate Security Study Guide: Do Not Reprint © Fortinet
No ratings yet
Fortigate Security Study Guide: Do Not Reprint © Fortinet
459 pages
FortiGate Security 7.0 Study Guide - FortiGate - Security - 7.0 - Study - Guide-Online
No ratings yet
FortiGate Security 7.0 Study Guide - FortiGate - Security - 7.0 - Study - Guide-Online
42 pages
Enterprise Firewall 7.2 Lab Guide-Online U
No ratings yet
Enterprise Firewall 7.2 Lab Guide-Online U
158 pages
NSE7 - Enterprise Firewall FortiOS 6.4 - Study Guide
100% (1)
NSE7 - Enterprise Firewall FortiOS 6.4 - Study Guide
533 pages
FortiGate 7.4 Operator Lesson Scripts
100% (1)
FortiGate 7.4 Operator Lesson Scripts
33 pages
Getting Started with FortiGate
From Everand
Getting Started with FortiGate
Fabrizio Volpe
No ratings yet
FortiGate 7.4 Administrator Study Guide-Online v2 Español
No ratings yet
FortiGate 7.4 Administrator Study Guide-Online v2 Español
818 pages
(FCSS ZT - NSE7) - Zero Trust Access FortiOS 7.2 - Study Guide
100% (1)
(FCSS ZT - NSE7) - Zero Trust Access FortiOS 7.2 - Study Guide
192 pages
FortiNAC Demo Walkthrough
No ratings yet
FortiNAC Demo Walkthrough
13 pages
FCP FGT AD-7.4-demo
No ratings yet
FCP FGT AD-7.4-demo
5 pages
FortiOS 7.4 Best Practices
No ratings yet
FortiOS 7.4 Best Practices
47 pages
Fortinet Fortiedr Lab Guide For Fortiedr 50
No ratings yet
Fortinet Fortiedr Lab Guide For Fortiedr 50
104 pages
FortiNAC-7.2 F-FortiGate Endpoint Management Integration Guide
No ratings yet
FortiNAC-7.2 F-FortiGate Endpoint Management Integration Guide
42 pages
(FCP Sec Ops - NSE5) - FortiAnalyzer Analyst 7.2 - Study Guide
No ratings yet
(FCP Sec Ops - NSE5) - FortiAnalyzer Analyst 7.2 - Study Guide
209 pages
NSE7 - SD-WAN FortiOS 6.4.5 - Study Guide
No ratings yet
NSE7 - SD-WAN FortiOS 6.4.5 - Study Guide
229 pages
(FCP Sec Ops - NSE5) - FortiEDR 5.0 - Study Guide
100% (1)
(FCP Sec Ops - NSE5) - FortiEDR 5.0 - Study Guide
257 pages
FortiGate Infrastructure 6.2 Study Guide-Online
No ratings yet
FortiGate Infrastructure 6.2 Study Guide-Online
414 pages
NSE7 - LAN Edge FortiGate 7.0 - Study Guide
No ratings yet
NSE7 - LAN Edge FortiGate 7.0 - Study Guide
478 pages
SD-WAN 7.2 Exam Description
No ratings yet
SD-WAN 7.2 Exam Description
3 pages
FortiGate Security 7.2 Lab Guide-Online
No ratings yet
FortiGate Security 7.2 Lab Guide-Online
203 pages
Fortinet Advanced Analytics Lab Guide For Fortisiem 63
No ratings yet
Fortinet Advanced Analytics Lab Guide For Fortisiem 63
224 pages
Fortianalyzer Lab Guide: Do Not Reprint © Fortinet
No ratings yet
Fortianalyzer Lab Guide: Do Not Reprint © Fortinet
90 pages
LAB 7 - High Availability (HA)
100% (1)
LAB 7 - High Availability (HA)
17 pages
FortiGate 7.4 Administrator Study Guide-Online-401-466
No ratings yet
FortiGate 7.4 Administrator Study Guide-Online-401-466
66 pages
FortiGate Infrastructure 7.0 Study Guide-Online Compressed
100% (1)
FortiGate Infrastructure 7.0 Study Guide-Online Compressed
387 pages
NSE7 - Advanced Analytics FortiSIEM 6.3 - Study Guide
No ratings yet
NSE7 - Advanced Analytics FortiSIEM 6.3 - Study Guide
476 pages
(FCSS SASE) - FortiSASE Administrator FortiSASE 23 - Study Guide
No ratings yet
(FCSS SASE) - FortiSASE Administrator FortiSASE 23 - Study Guide
149 pages
Install and Configure FortiGate Default Certificate
100% (1)
Install and Configure FortiGate Default Certificate
3 pages
Forti Lecture
No ratings yet
Forti Lecture
69 pages
Enterprise Firewall 6.0 Study Guide-Online
No ratings yet
Enterprise Firewall 6.0 Study Guide-Online
518 pages
Enterprise Firewall 7.4 Administrator Study Guide-Online-4-52
No ratings yet
Enterprise Firewall 7.4 Administrator Study Guide-Online-4-52
49 pages
Enterprise Firewall 7.4 Administrator Study Guide-Online-251-275
No ratings yet
Enterprise Firewall 7.4 Administrator Study Guide-Online-251-275
25 pages
Enterprise FW 01 Introduction To Network Security Architecture
No ratings yet
Enterprise FW 01 Introduction To Network Security Architecture
26 pages
(FCSS Cloud) - Public Cloud Security Architect FortiOS 7.6 - Study Guide
100% (2)
(FCSS Cloud) - Public Cloud Security Architect FortiOS 7.6 - Study Guide
237 pages
LAB 06 Certificate Operations
100% (1)
LAB 06 Certificate Operations
15 pages
LAB 01 System and Network Settings
No ratings yet
LAB 01 System and Network Settings
22 pages
LAB 02 Firewall Policies and NAT
100% (1)
LAB 02 Firewall Policies and NAT
23 pages
FX2 USB To ATA Design Notes
No ratings yet
FX2 USB To ATA Design Notes
6 pages
Software Engineer Job Description
No ratings yet
Software Engineer Job Description
5 pages
Microsoft's July 2023 Patch Tuesday Addresses 130 CVEs
No ratings yet
Microsoft's July 2023 Patch Tuesday Addresses 130 CVEs
8 pages
India Ink Guide
No ratings yet
India Ink Guide
16 pages
S4 HANA FI-GL User Manual
100% (1)
S4 HANA FI-GL User Manual
27 pages
Seif Ezzat
No ratings yet
Seif Ezzat
3 pages
Lab - Implementing Identity Services and Group Policy
No ratings yet
Lab - Implementing Identity Services and Group Policy
5 pages
Windows Programming Chapter Two
No ratings yet
Windows Programming Chapter Two
59 pages
History of Computer Graphics
No ratings yet
History of Computer Graphics
10 pages
JARKOM - Setting Modem Yang Digunakan Untuk Layanan Internet Pascabayar (Telkom Speedy)
No ratings yet
JARKOM - Setting Modem Yang Digunakan Untuk Layanan Internet Pascabayar (Telkom Speedy)
14 pages
CS Investigatory On Grocery Shop
No ratings yet
CS Investigatory On Grocery Shop
26 pages
Lesson 3
No ratings yet
Lesson 3
10 pages
Online Voting System SRS
No ratings yet
Online Voting System SRS
7 pages
G A II: Boruvka's Algorithm Demo
No ratings yet
G A II: Boruvka's Algorithm Demo
8 pages
Level 2 Digital Technologies and Hangarau Matihiko 2024: 91898 Demonstrate Understanding of A Computer Science Concept
No ratings yet
Level 2 Digital Technologies and Hangarau Matihiko 2024: 91898 Demonstrate Understanding of A Computer Science Concept
19 pages
Multiplexer, Decoder and Flipflop
No ratings yet
Multiplexer, Decoder and Flipflop
10 pages
NodeJS PDF
No ratings yet
NodeJS PDF
66 pages
Sa1 CH1 MCQ
No ratings yet
Sa1 CH1 MCQ
4 pages
Network Firmware Update Instruction 210602
No ratings yet
Network Firmware Update Instruction 210602
5 pages
Soa Module 1
No ratings yet
Soa Module 1
150 pages
5G Cloud RAN Architecture-Unlocked
No ratings yet
5G Cloud RAN Architecture-Unlocked
128 pages
Splunk Soar
No ratings yet
Splunk Soar
2 pages
CNC1990 TNC4T1000 KX1S
No ratings yet
CNC1990 TNC4T1000 KX1S
4 pages
Lokesh Pandey
No ratings yet
Lokesh Pandey
2 pages
5.web Crawler Writeup
No ratings yet
5.web Crawler Writeup
7 pages
Crystal Reports From SQL Query String
No ratings yet
Crystal Reports From SQL Query String
5 pages
Diagnostic Questions: Security and Compliance
No ratings yet
Diagnostic Questions: Security and Compliance
9 pages
Cisco UCS Hardware and Software Compatibility B200M5 FW 4.2 (1) ESXi 7.0U3
No ratings yet
Cisco UCS Hardware and Software Compatibility B200M5 FW 4.2 (1) ESXi 7.0U3
37 pages
Unit 5 Algorithm Part 1
No ratings yet
Unit 5 Algorithm Part 1
4 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.