Fortigate Interview Questions and Answers
- What is UTM?
Unified threat management (UTM) is a move toward security management that allows a network administrator to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console. UTM appliances not only combine firewall, gateway anti-virus, and intrusion detection and prevention capabilities into a single platform but also works within themselves interdependently just like a piece of fabric.
2. What is Security fabric?
Security Fabric uses FortiTelemetry to connect different security sensors and tools together to collect, coordinate, and respond to malicious behavior anywhere it occurs on the network in real-time. The core of a security fabric is an upstream FortiGate located at the edge of the network, with several FortiGates functioning as Internet Segmentation Firewalls (ISFWs).
A security fabric is used to coordinate with the behavior of other Fortinet products in the network, including FortiAnalyzer, FortiManager, FortiClient, FortiClient EMS, FortiWeb, FortiSwitch, and FortiAP.
3. What is Threat Management?
Integrated threat management is a complete approach to network security issues that address multiple types of malware, as well as blended threats and spam, and protects from invasion not only at the gateway but also at the endpoint levels.
4. What is a Next-Generation Firewall?
Next-Generation Firewall (NGFW) is part of the third generation in firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using an in-line deep packet inspection system (DPI), an intrusion prevention system (IPS).
Other techniques might also be employed, such as TLS/SSL encrypted traffic examination, website filtering, QoS/bandwidth management, antivirus scrutiny, and third-party identity management integration (i.e. LDAP, RADIUS, Active Directory)
5. When inspecting and delivering email messages, what does a FortiMail unit do in a transparent mode?
First, inspect viruses, then Inspect the content of the message payload, then Inspect for spam, followed by performing a routing lookup to decide the next hop in MTA.
6. What are the benefits of the Scalable feature in Fortinet Fabric?
Fortinet Security Fabric protects any organization from IoT to the Cloud. A complete security strategy needs both in-depth performances and deep inspection along with the breadth i.e. end to end. Security not only needs to scale to meet volume and performance demands, but it also needs to scale itself up laterally, seamlessly tracking and securing data from IoT and endpoints, across the distributed network and data center, and into the cloud.
Fortinet Security Fabric provides seamless, protection across the distributed enterprise, as well as inspection of packet data, application protocols, and deep analysis of unstructured content at wire speeds.
7. What does Aware mean in Fortinet Security fabric?
Security Fabric behaves as a single entity from a Policy and Logging perspective, enabling end-to-end segmentation in order to lessen the risk from advanced threats. We not only need to see data that flows into and out of the network but how that data pass through the network once it is inside the perimeter.
Fortinet Security Fabric enables end-to-end network segmentation for deep visibility and inspection of traffic traveling the network, and controls who and what gets to go where thereby minimizing the risk from advanced threats.
8. What is Traditional Firewall?
A traditional firewall is a device that controls the flow of traffic that enters or exits the network. It either uses a stateless or stateful method to achieve this. It can only track the traffic on 2 to 4 layers.
9. Explain the differences between a Next-Generation Firewall and a Traditional Firewall
The NGFW can find the identity of a user, whereas the traditional firewall can’t.
A traditional firewall can only track the traffic based on 2 to 4 layers. The NGFW tracks the traffic through 5 to 7 layers.
A traditional firewall only looks at the header, footer, source, and destination of the incoming packets. The NGFW will also look at the data of the incoming packet.
10. Name the different encryption mechanisms available in Fortigate Firewall
des-md5
des-sha1
des-sha256
des-sha384
des-sha512
aes128-md5
aes128-sha1
11. Explain about ‘Actionable’ in Fortinet Security Fabric
Security Fabric provides a unified view of the distributed attack surface. It has a common set of threat intelligence and centralized orchestration. So it correlates global threat intelligence with local network data and delivers actionable threat intelligence to every security device in your network.
12. What is the FGCP cluster?
FGCP stands for FortiGate Clustering Protocol. This is one of the proprietaries and popular high availability solutions offered by Fortinet firewall. FortiGate High Availability solution mainly contains two firewalls, which are used for configuring the high availability operation.
13. How to take a backup of the Fortinet firewall configuration?
Execute backup config management- station
Execute backup config USD < Filename-backup>
For FTP;
Execute backup config ftp
For TFTP;
Execute backup config tftp .
14. What happens if the disk logging is disabled in the FortiGate unit?
If the hard disk logging is disabled, then the logs are written to flash memory. Constant rewrites to flash drives will reduce the lifetime and efficiency of the memory.
15. Packet Flow in Fortigate firewall
Ingress
All packets accepted by a FortiGate pass through a network interface and are processed by the TCP/IP stack. Then if DoS policies have been configured the packet must pass through these as well as automatic IP integrity header checking.
DoS scans are handled very early in the life of the packet to determine whether the traffic is valid or is part of a DoS attack. The DoS module inspects all traffic flows but only tracks packets that can be used for DoS attacks (for example, TCP SYN packets), to ensure they are within the permitted parameters. Suspected DoS attacks are blocked, other packets are allowed.
IP integrity header checking reads the packet headers to verify if the packet is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification that is done at this step to ensure that the protocol header is the correct length. If it is, the packet is allowed to carry on to the next step. If not, the packet is dropped.
Incoming IPsec packets that match configured IPsec tunnels on the FortiGate are decrypted after header checking is done.
If the packet is an IPsec packet, the IPsec engine attempts to decrypt it. If the IPsec engine can apply the correct encryption keys and decrypt the packet, the unencrypted packet is sent to the next step. Non-IPsec traffic and IPsec traffic that cannot be decrypted passes on to the next step without being affected. IPsec VPN decryption is offloaded to and accelerated by CP8 or CP9 processors.
Admission control
Admission control checks to make sure the packet is not from a source or headed to a destination on the quarantine list. If configured admission control then imposes FortiTelemetry protection that requires a device to have FortiClient installed before allowing packets from it. Admission control can also impose captive portal authentication on ingress traffic.
Kernel
Once a packet makes it through all of the ingress steps, the FortiOS kernel performs the following checks to determine what happens to the packet next.
Destination NAT
Destination NAT checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the internet that is going to be directed to a server on a network behind the FortiGate. DNAT means the actual address of the internal network is hidden from the internet. This step determines whether a route to the destination address actually exists. DNAT must take place before routing so that the FortiGate can route packets to the correct destination.
Routing (including SD-WAN)
Routing uses the routing table to determine the interface to be used by the packet as it leaves the FortiGate. Routing also distinguishes between local traffic and forwarded traffic. Firewall policies are matched with packets depending on the source and destination interface used by the packet. The source interface is known when the packet is received and the destination interface is determined by routing.
SD-WAN is a special application of routing that provides route selection, load balancing, and failover among two or more routes. SD-WAN also supports using the Internet Services Database (ISDB) and Application Control to select a route in the following way:
As the session is being processed by the implicit SD-WAN rule, layer 7 Application Control attempts to identify the application. If the application can be identified, the ISDB is extended by adding a layer 4 match record for the application to the ISDB cache. New sessions can then be matched and routed by SD-WAN using both the ISDB and the ISDB cache.
Stateful inspection/policy lookup/session management
Stateful inspection looks at the first packet of a session and looks in the policy table to make a security decision about the entire session. Stateful inspection looks at packet TCP SYN and FIN flags to identity the start and end of a session, the source/destination IP, source/destination port and protocol. Other checks are also performed on the packet payload and sequence numbers to verify it as a valid session and that the data is not corrupted or poorly formed.
When the first packet of a session is matched in the policy table, stateful inspection adds information about the session to its session table. So when subsequent packets are received for the same session, stateful inspection can determine how to handle them by looking them up in the session table (which is more efficient than looking them up in the policy table).
Stateful inspection makes the decision to drop or allow a session and apply security features to it based on what is found in the first packet of the session. Then all subsequent packets in the same session are processed in the same way.
When the final packet in the session is processed, the session is removed from the session table. Stateful inspection also has a session idle timeout that removes sessions from the session table that have been idle for the length of the timeout.
See the Stateful Firewall Wikipedia article (https://en.wikipedia.org/wiki/Stateful_firewall) for an excellent description of stateful inspection.
Session helpers
Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall.
FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall. FortiOS includes the following session helpers:
User authentication
User authentication added to security policies is handled by the stateful inspection, which is why Firewall authentication is based on IP address. Authentication takes place after policy lookup selects a policy that includes authentication.
Device identification
Device identification is applied if required by the matching policy.
SSL VPN
Local SSL VPN traffic is treated like special management traffic as determined by the SSL VPN destination port. Packets are decrypted and are routed to an SSL VPN interface. Policy lookup is then used to control how packets are forwarded to their destination outside the FortiGate. SSL encryption and decryption is offloaded to and accelerated by CP8 or CP9 processors.
Local management traffic
Local management traffic terminates at a FortiGate interface. This can be any FortiGate interface including dedicated management interfaces. In multiple VDOM mode local management traffic terminates at the management interface. In transparent mode, local management traffic terminates at the management IP address.
Local management traffic includes administrative access, some routing protocol communication, central management from FortiManager, communication with the FortiGuard network and so on. Management traffic is allowed or blocked according to the Local In Policy list which lists all management protocols and their access control settings. You configure local management access indirectly by configuring administrative access and so on.
Management traffic is processed by applications such as the web server which displays the FortiOS GUI, the SSH server for the CLI or the FortiGuard server to handle local FortiGuard database updates or FortiGuard Web Filtering URL lookups.
Local management traffic is not involved in subsequent stateful inspection steps.
SSL VPN traffic terminates at a FortiGate interface similar to local management traffic. However, SSL VPN traffic uses a different destination port number than administrative HTTPS traffic and can thus be detected and handled differently.
UTM/NGFW
If the policy matching the packet includes security profiles, then the packet is subject to Unified Threat Management (UTM)/Next Generation Firewall (NGFW) processing. UTM/NGFW processing depends on the inspection mode of the security policy: Flow-based (single pass architecture) or proxy-based. Proxy-based processing can include explicit or transparent web proxy traffic. Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors.
Single pass flow-based UTM/NGFW inspection identifies and blocks security threats in real time as they are identified using single-pass Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats.
Packets are then subject to botnet checking to make sure they are not destined for known botnet addresses.
Proxy-based UTM/NGFW inspection can apply both flow-based and proxy-based inspection. Packets initially encounter the IPS engine, which can apply single-pass flow-based IPS and Application Control (as configured). The packets are then sent to the proxy for proxy-based inspection. Proxy-based inspection can apply VoIP inspection, DLP, Email Filter (Anti-Spam), Web Filtering, Antivirus, and ICAP.
Explicit web proxy inspection is similar to proxy based inspection.
CP9 content processors
Most FortiGate models contain Security Processing Unit (SPU) Content Processors (CPs) that accelerate many common resource intensive security related processes. CPs work at the system level with tasks being offloaded to them as determined by the main CPU. Capabilities of the CPs vary by model. Newer FortiGate units include CP9 processors. Older CP versions still in use in currently operating FortiGate models include the CP4, CP5, CP6, and CP8.
CP9 capabilities
The CP9 content processor provides the following services:
Kernel
Traffic is now in the process of exiting the FortiGate. The kernel uses the routing table to forward the packet out the correct exit interface.
The kernel also checks the NAT table and determines if the source IP address for outgoing traffic must be changed using SNAT. SNAT is typically applied to traffic from an internal network heading out to the internet. SNAT means the actual address of the internal network is hidden from the internet.
Egress
Before exiting the FortiGate, outgoing packets that are entering an IPsec VPN tunnel are encrypted and encapsulated. IPsec VPN encryption is offloaded to and accelerated by CP8 or CP9 processors.
Traffic shaping is then imposed, if configured, followed by WAN Optimization. The packet is then processed by the TCP/IP stack and exits out the egress interface.
Leave a Reply