Fortinet FCP_FGT_AD-7.4 - FCP - FortiGate 7.4 Administrator

When SSL certificate inspection is enabled on a FortiGate device, the system uses the following three pieces of information to identify the hostname of the SSL server:

Server Name Indication (SNI) extension in the client hello message (B):The SNI is an extension in the client hello message of the SSL/TLS protocol. It indicates the hostname the client is attempting to connect to. This allows FortiGate to identify the server's hostname during the SSL handshake.

Subject Alternative Name (SAN) field in the server certificate (C):The SAN field in the server certificate lists additional hostnames or IP addresses that the certificate is valid for. FortiGate inspects this field to confirm the identity of the server.

Subject field in the server certificate (D):The Subject field contains the primary hostname or domain name for which the certificate was issued. FortiGate uses this information to match and validate the server’s identity during SSL certificate inspection.

The other options are not used in SSL certificate inspection for hostname identification:

Host field in the HTTP header (A):This is part of the HTTP request, not the SSL handshake, and is not used for SSL certificate inspection.

Serial number in the server certificate (E):The serial number is used for certificate management and revocation, not for hostname identification.

References

FortiOS 7.4.1 Administration Guide -SSL/SSH Inspection, page 1802.

FortiOS 7.4.1 Administration Guide -Configuring SSL/SSH Inspection Profile, page 1799.

FortiGate interfaces can be configured in different roles, such as WAN or LAN. If an interface is set as a "WAN" role, you cannot configure it to act as a DHCP server through the GUI. The interface role must be set to "LAN" or "Undefined" to allow DHCP server configuration.

References:

FortiOS 7.4.1 Administration Guide: DHCP Server Configuration

The port1 and port2 default routes are active in the routing table

The routes with 0.0.0.0/0 for both port1 and port2 are marked with an asterisk * and > symbol, which indicates that these routes are active and selected in the routing table.

The port3 default route has the highest distance

The route via port3 has a distance of [20/0], which is higher than the distances for the routes via port1 [10/0] and port2 [30/0]. This indicates that the port3 default route has the highest distance.

NAT Configuration: The first firewall policy has NAT enabled using the configured IP pool.

IP Pool Configuration: The IP pool is configured with an external IP range of 10.200.1.100.

Source NAT: When traffic is being NATed, the source IP address is replaced with an IP from the configured pool. In this scenario, the specific IP defined in the pool is 10.200.1.100.

Thus, any internet-bound traffic from the workstation (10.0.1.10) will have its source IP address NATed to 10.200.1.100.

When multiple web filtering features are enabled in FortiGate, the HTTP inspection process follows a specific sequence: Static URL Filter: This filter checks URLs against a predefined list of allowed or blocked URLs. FortiGuard Category Filter: This checks the category of the website using the FortiGuard database. Advanced Filters: These include features like -> "Safe Search" <-, YouTube EDU filtering, and other advanced filtering options. This order ensures efficient and layered filtering of web traffic based on various criteria.

A session for denied traffic is created.

The command set ses-denied-traffic enable ensures that sessions for denied traffic are logged, meaning a session will be created for traffic that is denied by security policies.

The number of logs generated by denied traffic is reduced.

The set block-session-timer 30 command sets a timer to prevent excessive logging of denied traffic within a short period, which helps reduce the number of logs generated by repeated denied traffic sessions. This timer blocks sessions for a specified period (30 seconds in this case) to avoid overwhelming the log system with repetitive entries.

Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.

Based on the system performance output provided, the memory usage on the FortiGate device is at 90%, which is above the green threshold (82%) but below the red threshold (88%). Given this high memory usage, the FortiGate device will enter "conserve mode" to prevent further resource exhaustion. In conserve mode:

B. FortiGate has entered conserve mode:When the memory usage reaches or exceeds certain thresholds (in this case, the green and red thresholds), the FortiGate enters conserve mode to protect itself from running out of memory entirely. This mode limits some functionalities to reduce memory usage and avoid a potential system crash.

D. Administrators can access FortiGate only through the console port:During conserve mode, administrative access might be restricted, and administrators may only be able to connect to the device via the console port. This restriction is in place to ensure that the FortiGate can be managed directly, even under low resource conditions.

The other options are not correct:

A. FortiGate will start sending all files to FortiSandbox for inspection:This is unrelated to memory usage and conserve mode.

C. Administrators cannot change the configuration:While access may be limited, configuration changes can still be made via the console port.

References

FortiOS 7.4.1 Administration Guide -Monitoring System Resources and Performance, page 325.

FortiOS 7.4.1 Administration Guide -Conserve Mode, page 330.

To resolve the issue of PC3 not being able to access the internet, the administrator needs to adjust the IP pool configuration or the firewall policy. The following two options will fix the connectivity issue:

B. In the IP pool configuration, set the ending IP to 192.2.0.12:The current IP pool range is 192.2.0.10-192.2.0.11, which only provides two IP addresses for network address translation (NAT). To allow PC3 to access the internet, the IP pool should be expanded to include an additional IP address by changing the end of the range to 192.2.0.12.

D. In the IP pool configuration, set type to overload:Instead of using a one-to-one NAT, changing the type to overload will allow multiple internal addresses (such as PC1, PC2, and PC3) to share a single external IP address. This will solve the issue without needing additional public IP addresses.

The other options are not suitable:

A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field:This option is unnecessary since the firewall policy already allows all addresses from the source (LAN port3).

C. Configure another firewall policy that matches only the address of PC3 as the source, and then place the policy on top of the list:This option is redundant and would not resolve the underlying issue with the IP pool configuration.

References

FortiOS 7.4.1 Administration Guide -Configuring Firewall Policies, page 512.

FortiOS 7.4.1 Administration Guide -Configuring NAT with IP Pools, page 518.