NSE7_NST-7.2 Fortinet NSE 7 - Network Security 7.2 Support Engineer Questions and Answers

The exhibit displays the output of a real-time debug of the URL filtering process on a FortiGate device. The debug output includes various details about a web request being processed.

SNI (Server Name Indication): This is part of the SSL/TLS handshake where the client specifies the hostname it is trying to connect to. FortiGate can use this information to apply appropriate web filtering rules based on the server name.

CN (Common Name): This is a field in the server's SSL certificate that typically contains the server's hostname. FortiGate can extract this information to verify the identity of the server and apply security policies accordingly.

Given that the debug output includes the hostname "training.fortinet.com," it is likely derived from the SNI in the client's request or the CN in the server's certificate, indicating that FortiGate is using this information to process the web request.

References

Fortinet Community Documentation on Real-time Debugging

OSPF Interface Network Types:

The network types of the interfaces on both FortiGate devices must match. Common network types include broadcast, point-to-point, and non-broadcast multi-access (NBMA).

Authentication Settings:

Both devices must have matching authentication settings (if authentication is used). This includes the same authentication type (none, simple password, or MD5) and the same password or key.

OSPF Router IDs:

Each OSPF router must have a unique router ID within the OSPF domain. The router ID is typically an IPv4 address selected from one of the router's interfaces or manually configured.

Link Costs and Interface Priority:

While link costs and interface priorities are important for route selection and designated router (DR) elections, they do not prevent OSPF adjacency formation if they differ.

References

Fortinet Network Security 7.2 Support Engineer Documentation

OSPF Configuration Guides

Session Creation:The output shows an expected session, likely due to a pinhole, which is a dynamically created rule to allow specific traffic through the firewall.

Routing Decision:

The original direction of traffic comes from the IP address 10.171.121.38.

The next-hop IP address for this traffic is 10.0.1.10 as indicated by the routing decision in the output.

Pinhole Session:Pinhole sessions are typically created for protocols that require additional sessions (e.g., FTP, SIP) to function properly. This ensures the necessary traffic can pass through the firewall.

Debugging Commands:Thediagnose sys session listcommand is used to list session information, which helps in understanding traffic flow and troubleshooting connectivity issues.

References:

Fortinet Network Security Support Engineer Study Guide for FortiOS 7.2​(ebin.pub)​.

General IPsec VPN configuration from Fortinet documentation​(Fortinet Docs)​.

Conserve Mode Overview:Conserve mode is a state that FortiGate enters to protect itself from running out of memory. It is triggered when the memory usage reaches certain thresholds.

Thresholds:The default settings for conserve mode thresholds are:

Red Threshold:88% memory usage.

Extreme Threshold:95% memory usage.

Green Threshold:82% memory usage.

Impact on Sessions:When in conserve mode:

New sessions requiring flow-based content inspection are blocked.

New sessions requiring proxy-based content inspection are also blocked to free up memory resources.

Current Memory State in Exhibit:The exhibit shows:

Total RAM: 3040 MB.

Memory used: 2706 MB (89% of total RAM).

Memory usage exceeds the red threshold (88%), thus triggering conserve mode.

Given that the memory usage is above the red threshold and conserve mode is active, the FortiGate will block new sessions requiring both flow-based and proxy-based content inspection to conserve memory.

References:

Fortinet Community: Explanation of Conserve Mode and Its Impact​(Welcome to the Fortinet Community!)​​(Welcome to the Fortinet Community!)​.

Fortinet Documentation: Conserve Mode Settings and Management​(Fortinet Docs)​.

IKE_SA_INIT Exchange:

The IKE_SA_INIT exchange is the first step in the IKEv2 negotiation process. It is responsible for setting up the initial security association (SA) and performing Diffie-Hellman key exchange.

During this exchange, the responder may employ various measures to protect against Denial of Service (DoS) attacks, such as rate limiting and the use of puzzles to increase the computational cost for an attacker.

DoS Protection Mechanisms:

One key method involves limiting the number of half-open SAs from any single IP address or subnet.

The IKE_SA_INIT exchange can also incorporate the use of stateless cookies, which help to verify the initiator's legitimacy without requiring extensive resource allocation by the responder until the initiator is verified.

References:

RFC 5996: Internet Key Exchange Protocol Version 2 (IKEv2)​(RFC Editor)​.

RFC 8019: Protecting Internet Key Exchange Protocol Version 2 (IKEv2) Implementations from Distributed Denial-of-Service Attacks​(IETF Datatracker)​.

Next-hop IP address:

For a static route to be added to the routing table, the next-hop IP address must be reachable. If it is not reachable, the route cannot be considered valid and will not be added.

Interface status:

If the interface specified in the static route configuration is down, the route will not be added to the routing table. The interface must be up and operational for the route to be valid.

Priority and Distance:

While priority and administrative distance affect route selection, they do not prevent a route from being added to the routing table. Instead, they influence which route is preferred when multiple routes to the same destination exist.

References

Fortinet Network Security 7.2 Support Engineer Documentation

Routing Configuration and Troubleshooting Guides

Session Table Overview:

The session table in FortiOS tracks all active and pending sessions. It includes details like the type of session (TCP, UDP, etc.), status, and statistics.

Interpreting the Exhibit:

The exhibit from thediagnose sys session statcommand shows detailed session statistics.

The specific value indicating "166 TCP sessions waiting to complete the three-way handshake" reflects the number of sessions that have initiatedbut not yet completed the TCP three-way handshake process (SYN, SYN-ACK, ACK).

References:

Fortinet Documentation: Understanding and troubleshooting session tables​(Hammertux)​.

Fortinet Community: Explanation of session states and statistics​(Welcome to the Fortinet Community!)​​(Hammertux)​.

Session Synchronization:

FortiGate HA (High Availability) ensures that active sessions are synchronized between the primary and secondary devices. This synchronization allows for seamless failover and continuity of sessions.

Handling NAT Sessions:

The session in the exhibit has NAT applied, as indicated by thehook=post dir=org act=snatentry. FortiGate's HA setup is designed to handle such sessions, ensuring that traffic continues without interruption during failover.

Session Preservation:

Even with the presence of NAT, the session state is preserved across the HA devices. This means that ongoing sessions do not require re-establishment by the client, thus providing a seamless experience.

References:

Fortinet Documentation: HA session synchronization and failover

Fortinet Community: Understanding session synchronization in FortiGate HA

Diagnose NPU NP6 Port-list Disable Command:

Thediagnose npu np6 port-list disablecommand disables specific ports on the NP6 processor. This can help in cases where you need to analyze traffic and the hardware offloading is interfering.

Command:diagnose npu np6 port-list disable 5 17(as shown in Option A).

Diagnose NPU NP6 Fastpath Disable Command:

Disabling the fastpath feature on NP6 can also allow for better visibility into the traffic as it bypasses hardware acceleration, which might obscure traffic details.

Command:diagnose npu np6 fastpath disable 0(as shown in Option C).

References:

Fortinet Documentation on Troubleshooting BGP and NPU Settings​(Fortinet Docs)​.

Fortinet Community Technical Notes on NPU and Traffic Analysis​(Welcome to the Fortinet Community!)​.