Comprehensive and Detailed Explanation From Exact Extract documents and Knowledge:

By default, FortiGate ' s SSL/SSH Inspection profile is configured to recognize and inspect HTTPS traffic on the standard port 443. To inspect HTTPS traffic on a non-standard port , such as 8443 , the administrator must modify the protocol-to-port mapping within the security profile.

In the SSL/SSH Inspection configuration (accessible via Policy & Objects > Security Profiles), there is a section for " HTTPS " where additional ports can be specified. By adding 8443 to this list alongside 443, the FortiGate ' s inspection engine (IPS and UTM) is instructed to apply SSL decryption and analysis to any traffic using port 8443 as if it were standard HTTPS traffic. Without this mapping, the firewall would treat the traffic as an unknown encrypted protocol and would not be able to perform deep content analysis.

==============

In BGP (Border Gateway Protocol), a neighbor (peer) configuration is required to establish a connection between two BGP routers. Since FortiGate A is connecting to the ISP (Autonomous System 10) from AS 30, the administrator must define the ISP ' s BGP router as a neighbor.

The config neighbor command is used to:

● Define the ISP ' s IP address as a BGP peer

● Specify the remote AS (AS 10 in this case)

● Allow BGP route exchanges between FortiGate A and the ISP

Comprehensive and Detailed Explanation From Exact Extract documents and Knowledge:

In enterprise environments, " scaling " refers to increasing the total throughput or processing capacity of the security fabric.

FGCP Active-Active (B): This clustering mode uses all members of the cluster to process traffic simultaneously, effectively distributing the UTM/IPS load and scaling performance beyond the limits of a single unit.

FGSP (A): The FortiGate Session Life Support Protocol allows independent FortiGate units (or clusters) to synchronize session information. This is used to scale performance in asymmetrical routing environments or when using external load balancers to distribute traffic across multiple FortiGates.

Note: FGCP Active-Passive (D) and VRRP (C) provide redundancy/high availability but do not scale performance, as only one unit processes traffic at any given time.

The exhibit shows an active-passive HA (high availability) cluster with two virtual clusters, where FortiGate_A is the primary device for both Core1 and Core2. If the goal is to have FortiGate_B take over Core2 traffic, its priority must be higher than FortiGate_A for Virtual Cluster 2.

Currently, FortiGate_A has a priority of 150 for Core2, while FortiGate_B has 128. Increasing FortiGate_B’s priority to 200 ensures it becomes the primary for Virtual Cluster 2, taking over the Core2 VDOM traffic while keeping Core1 traffic on FortiGate_A.

Disabling override would prevent forced failovers but wouldn’t change the role distribution. Adjusting the load-balancing method is irrelevant in an active-passive setup, as it only applies to active-active configurations.

ADVPN (Auto-Discovery VPN) 2.0 is the optimal solution for enabling direct spoke-to-spoke communication without passing through the hub, while also allowing automatic link selection based on quality metrics.

● Dynamic Direct Tunnels:

● ADVPN 2.0 allows spokes to establish direct IPsec tunnels dynamically based on traffic patterns, reducing latency and improving performance.

● Unlike static VPNs, spokes do not need to pre-configure tunnels for each other.

● Automatic Link Optimization:

● ADVPN 2.0 monitors the quality of multiple internet connections on each spoke.

● It automatically switches to the best available connection when the primary link degrades or fails.

● This is achieved by dynamically adjusting BGP-based routing or leveraging SD-WAN integration.

FortiGate_A and FortiGate_B are in the same autonomous system (AS), and FortiGate_A does not currently have route 172.16.1.248/30 in its routing table. However, FortiGate_B has this route as a connected route.

To dynamically advertise only 172.16.1.248/30 from FortiGate_B to FortiGate_A, the administrator must configure a BGP route map out on FortiGate_B that specifically permits only this prefix.

A BGP route map out on FortiGate_B controls which routes FortiGate_B advertises to FortiGate_A. If no filtering is applied, FortiGate_B might advertise all BGP-learned and connected routes, which is not what the administrator wants. The route map should include a prefix-list that explicitly allows only 172.16.1.248/30 and denies everything else.

In FortiOS, security services like Antivirus and Intrusion Prevention (IPS) download local databases to the FortiGate unit for inspection. However, Web Filter and DNS Filter function differently. Instead of a local database, FortiGate performs real-time queries to the cloud-hosted FortiGuard category servers. Because the database is hosted in the cloud and not locally stored on the device, there is no " version " number for a local file to display in the dashboard. The unit maintains a connection to FortiGuard Labs to retrieve ratings for URLs dynamically.

==============

Standard certificate inspection (which relies on the SNI) only identifies the destination domain; it does not allow the FortiGate to see the actual content of the encrypted session. As noted in the lab documentation, " certificate inspection on its own does not help HQ-DCFW to see the encrypted traffic " . To identify and block malware hidden within HTTPS traffic, the FortiGate must be configured with full SSL inspection (also known as deep inspection). This process involves the FortiGate acting as a man-in-the-middle to decrypt the packets, scan the payload for threats using the applied security profiles (like Antivirus or IPS), and then re-encrypt the traffic before sending it to the host. Without full decryption, the unit " will not decrypt packets to analyze if there is a possible attack, " allowing malware to bypass security layers.

==============

In the given ADVPN (Auto-Discovery VPN) topology, BGP is being used to dynamically establish routes between spokes. The neighbor-range configuration is crucial for simplifying BGP peer setup by automatically assigning neighbors based on their IP range.

set neighbor-group advpn

● The neighbor-group parameter is used to apply pre-defined settings (such as AS number) to dynamically discovered BGP neighbors.

● The advpn neighbor-group is already defined in the configuration, and assigning it to the neighbor-range ensures consistent BGP settings for all spoke neighbors.

set prefix 172.16.1.0 255.255.255.0

● This command allows dynamic BGP peer discovery by defining a range of potential neighbor IPs (172.16.1.1 - 172.16.1.255).

● Since each spoke has a unique /32 IP within this subnet, this ensures that any spoke within the 172.16.1.0/24 range can automatically establish a BGP session with the hub.

neighbor-group:

● This command is used to group multiple BGP neighbors with the same configuration, reducing redundant configuration.

● Instead of defining individual BGP settings for each spoke, the administrator can create a neighbor-group and apply the same policies, reducing manual work.

neighbor-range:

● This command allows the configuration of a range of neighbor IPs dynamically, reducing the need to manually define each spoke neighbor.

● It automatically adds BGP neighbors that match a given prefix, simplifying deployment.