Change the csf setting on ISFW (downstream) to set configuration-sync local.

Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.

Change the csf setting on both devices to set downstream-access enable.

Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

The public key of the web server certificate must be installed on the browser.

The web-server certificate must be installed on the browser.

The CA certificate that signed the web-server certificate must be installed on the browser.

The private key of the CA certificate that signed the browser certificate must be installed on the browser.

It can be configured only when FortiGate is operating in NAT mode

Can act as a Layer 2 switch as well as a Layer 3 router

All interfaces in the software switch share the same IP address

It can group only physical interfaces

Disabled

On Demand

Enabled

On Idle

The strict RPF check is run on the first sent and reply packet of any new session.

Strict RPF checks the best route back to the source using the incoming interface.

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

Strict RPF allows packets back to sources with all active routes.

Subject Key Identifier value

SMMIE Capabilities value

Subject value

Subject Alternative Name value

Full Content inspection

Proxy-based inspection

Certificate inspection

Flow-based inspection

Implement a web filter category override for the specified website

Implement a DNS filter for the specified website.

Implement web filter quotas for the specified website

Implement web filter authentication for the specified website.

SSL VPN idle-timeout

SSL VPN http-request-body-timeout

SSL VPN login-timeout

SSL VPN dtls-hello-timeout

10.200. 1. 149

10.200. 1. 1

10.200. 1.49

10.200. 1.99

Fabric Connectors

Automation Stitches

Security Rating

Logical Topology

It limits the scanning of application traffic to the DNS protocol only.

It limits the scanning of application traffic to use parent signatures only.

It limits the scanning of application traffic to the browser-based technology category only.

It limits the scanning of application traffic to the application category only.

On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking

On the Static URL Filter configuration, set Type to Simple

On the Static URL Filter configuration, set Action to Exempt.

On the Static URL Filter configuration, set Action to Monitor.

Traffic is blocked because Action is set to DENY in the firewall policy.

Traffic belongs to the root VDOM.

This is a security log.

Log severity is set to error on FortiGate.

Application control can identity child and parent applications, and perform different actions on them.

Application control signatures are organized in a nonhierarchical structure.

Application control does not require SSL inspection to identity web applications.

Application control does not display a replacement message for a blocked web application.

Destination NAT is disabled in the firewall policy.

One-to-one NAT IP pool is used in the firewall policy.

Overload NAT IP pool is used in the firewall policy.

Port block allocation IP pool is used in the firewall policy.

System event logs

Forward traffic logs

Local traffic logs

Security logs

IP address

Once Internet Service is selected, no other object can be added

User or User Group

FQDN address

The debug flow is of ICMP traffic.

A firewall policy allowed the connection.

A new traffic session is created.

The default route is required to receive a reply.

diagnose wad session list

diagnose wad session list | grep hook-pre&&hook-out

diagnose wad session list | grep hook=pre&&hook=out

diagnose wad session list | grep "hook=pre"&"hook=out"

Browsers can be configured to retrieve this PAC file from the FortiGate.

Any web request to the 172.25. 120.0/24 subnet is allowed to bypass the proxy.

All requests not made to Fortinet.com or the 172.25. 120.0/24 subnet, have to go through altproxy.corp.com: 8060.

Any web request fortinet.com is allowed to bypass the proxy.

They will be re-evaluated to match the endpoint policy.

They will be re-evaluated to match the firewall policy.

They will be re-evaluated to match the ZTNA policy.

They will be re-evaluated to match the security policy.

The sensor will allow attackers matching the Microsoft Windows.iSCSI.Target.DoS signature.

The sensor will block all attacks aimed at Windows servers.

The sensor will reset all connections that match these signatures.

The sensor will gather a packet log for all matched traffic.

Social networking web filter category is configured with the action set to authenticate.

The action on firewall policy ID 1 is set to warning.

Access to the social networking web filter category was explicitly blocked to all users.

The name of the firewall policy is all_users_web.

AH does not provide any data integrity or encryption.

AH does not support perfect forward secrecy.

AH provides data integrity bur no encryption.

AH provides strong data integrity but weak encryption.

Inter-VDOM links are required to allow traffic between the Local and Root VDOMs.

A static route is required on the To_Internet VDOM to allow LAN users to access the internet.

Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM.

On HQ-FortiGate, set IKE mode to Main (ID protection).

On both FortiGate devices, set Dead Peer Detection to On Demand.

On HQ-FortiGate, disable Diffie-Helman group 2.

On Remote-FortiGate, set port2 as Interface.

Policy lookup will be disabled.

By Sequence view will be disabled.

Search option will be disabled

Interface Pair view will be disabled.

The session is in SYN_SENT state.

The session is in FIN_ACK state.

The session is in FTN_WAIT state.

The session is in ESTABLISHED state.

Warning

Exempt

Allow

Learn

System time

FortiGuaid update servers

Operating mode

NGFW mode

get system status

get system performance status

diagnose sys top

get system arp

There are five devices that are part of the security fabric.

Device detection is disabled on all FortiGate devices.

This security fabric topology is a logical topology view.

There are 19 security recommendations for the security fabric.

NGFW policy-based mode does not require the use of central source NAT policy

NGFW policy-based mode can only be applied globally and not on individual VDOMs

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

NGFW policy-based mode policies support only flow inspection

For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

The traffic sourced from the client and destined to the server is sent to FGT-1.

The cluster can load balance ICMP connections to the secondary.

For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

FortiGuard web filter cache

FortiGate hostname

NTP

DNS

The IPS engine was inspecting high volume of traffic.

The IPS engine was unable to prevent an intrusion attack .

The IPS engine was blocking all traffic.

The IPS engine will continue to run in a normal state.

The IP version of the sources and destinations in a firewall policy must be different.

The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

The IP version of the sources and destinations in a policy must match.

The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Video filtering FortiGuard categories are based on web filter FortiGuard categories.

It does not require a separate FortiGuard license.

Full SSL inspection is not required.

its available only on a proxy-based firewall policy.

VLAN interface

Software Switch interface

Aggregate interface

Redundant interface

To detect intermediary NAT devices in the tunnel path.

To dynamically change phase 1 negotiation mode aggressive mode.

To encapsulation ESP packets in UDP packets using port 4500.

To force a new DH exchange with each phase 2 rekey.

The interface has been configured for one-arm sniffer.

The interface is a member of a virtual wire pair.

The operation mode is transparent.

The interface is a member of a zone.

Captive portal is enabled in the interface.

Antivirus engine

Intrusion prevention system engine

Flow engine

Detection engine

Add the support of NTLM authentication.

Add user accounts to Active Directory (AD).

Add user accounts to the FortiGate group fitter.

Add user accounts to the Ignore User List.

The signature setting uses a custom rating threshold.

The signature setting includes a group of other signatures.

Traffic matching the signature will be allowed and logged.

Traffic matching the signature will be silently dropped and logged.

Make SSL inspection needs to be a deep content inspection.

Force access to Facebook using the HTTP service.

Get the additional application signatures are required to add to the security policy.

Add Facebook in the URL category in the security policy.