Fortinet FCSS_EFW_AD-7.4 Dumps

VXLAN (Virtual Extensible LAN)is an overlay network technology that extends Layer 2 networks over Layer 3 infrastructure. When VXLAN is used extensively on FortiGate, hardware acceleration is crucial for maintaining performance.

●NP7 (Network Processor 7)is Fortinet’s latest network processor designed to accelerate high-performance networking features, including:

●VXLAN encapsulation/decapsulation

●IPsec VPN offloading

●Firewall policy enforcement

●Advanced threat protection at wire speed

NP7 significantlyreduces latency and improves throughputwhen handling VXLAN traffic, making it the best choice for large-scale VXLAN deployments.

In thisADVPN (Auto-Discovery VPN) network, there are two hubs (Hub A and Hub B) connected viaEBGP, whileIBGPis used within each overlay. To ensure proper BGP routing between the overlays, the administrator must configure specific BGP options..

set ebgp-enforce-multihop enable

By default, EBGP requires directly connected neighbors. Since Hub A and Hub B are not directly connected but reach each other over an IPsec tunnel, multihop must be enabled for EBGP sessions to work.

set next-hop-self enable

In IBGP, the next-hop attribute does not change by default. When an IBGP route is advertised from a spoke to another hub or spoke, the next-hop needs to be updated to ensure proper reachability. Enabling next-hop-self forces the BGP speaker to advertise itself as the next-hop, ensuring that all spokes properly reach routes across the overlays.

Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.

By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).

● Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.

When configuringADVPN (Auto-Discovery VPN)to connectoverlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

●set auto-discovery-crossover enable

● Thisallows cross-hub tunnel discoveryin an ADVPN deployment where multiple hubs are used.

● SinceHub A and Hub Bbelong to different overlays, enablingcrossover discoveryensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

●set enforce-multihop enable

● This setting ensures thatBGP peers using loopback interfacescan establish connectivityeven if they are not directly connected.

●Multihop BGP sessionsare required when usingloopback addresses as BGP peer sourcesbecause the connection might need to traverse multiple routers before reaching the BGP neighbor.

● This is especially useful inADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.

When multiple remote sites connect to thesame hubusingoverlapping subnets, FortiGate needs to determine which route should be used for traffic forwarding. Theroute-overlapsetting in IPsec Phase 2 allows FortiGate to handle this scenario by deciding whether to keep theexisting route(use-old) or replace it with anew route(use-new).

In anECMP (Equal-Cost Multi-Path) routing setup,both routes should be retained and balanced, but FortiGate does not supportECMP directly over overlapping routesin IPsec Phase 2. Instead, an administrator must decide which connection takes precedence usingroute-overlapsettings.

InADVPN (Auto-Discovery VPN) configurations, security concerns includeprotecting peer IDsduring VPN establishment. Peer IDs are exchanged in theIKE (Internet Key Exchange) negotiation phase, and their exposure could lead toprivacy risks or targeted attacks.

●IKEv2 encrypts peer IDs, making itmore securecompared to IKEv1, where peer IDs can beexposed in plaintextin aggressive mode.

●IKEv2 also provides better performance and flexibilitywhile supporting dynamic tunnel establishment in ADVPN.

InFortiManager,pre-run CLI templatesare used inZero-Touch Provisioning (ZTP)andLow-Touch Provisioning (LTP)to configure a FortiGate devicebeforeit is fully managed by FortiManager.

These templatesapply configurationswhen a device is initially provisioned.Once the pre-run CLI template is executed, FortiManagerautomatically unassignsit from the device because it isnot meant to persistlike other policy configurations. This prevents conflicts and ensures that the FortiGate configuration isnot repeatedly appliedafter the initial setup.

Theset tcp-mss-senderandset tcp-mss-receivercommands in afirewall policyallow an administrator to adjust theMaximum Segment Size (MSS)of TCP packets.

This setting controls thelargest payload sizethat a device can handle in a singleTCP segment, ensuring that packets do not exceed the allowed MTU (Maximum Transmission Unit) along the network path.

●set tcp-mss-senderadjusts the MSS value foroutgoing TCP traffic.

●set tcp-mss-receiveradjusts the MSS value forincoming TCP traffic.

This helps prevent issues withfragmentationandMTU mismatches, improving network performance and avoiding retransmissions.

IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.

It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.

IKEv2 supports stronger cryptographic algorithms, includingElliptic Curve Diffie-Hellman (ECDH)groups such asECP256 and ECP384, providing improved security compared to IKEv1.

It supports the extensible authentication protocol (EAP).

IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such asRADIUS, certificates, and smart cards. This is particularly useful forremote access VPNswhere user authentication must be flexible and secure.

TheInternet Service Database (ISDB)in FortiGate is used to enforce content filtering atLayer 3 (Network Layer) and Layer 4 (Transport Layer)of the OSI model by identifying applications based on theirpredefined IP addresses and ports.

FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard:

● FortiGate retrieves and updates apredefined listof IPs and ports for different internet services fromFortiGuard.

● This allows FortiGate to block specific services atLayer 3 and Layer 4without requiring deep packet inspection.

The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard:

● ISDB works by matching traffic to knownIP addresses and portsof categorized services.

● When an application or service is blocked, FortiGate prevents communication bydenying traffic based on its destination IP and port number.

From theOSPF status output, the key information is:

●"This router is an ASBR"→ This means the FortiGate is acting as anAutonomous System Boundary Router (ASBR).

● AnASBRis responsible for injectingexternal routing informationinto OSPF from another routing protocol (such as BGP, static routes, or connected networks).

When configuring aloopback interface as the BGP sourceforconnecting to an ISP, two important settings must be applied:

1.Enable EBGP Multihop (ebgp-enforce-multihop)

BGP normally expects directly connected neighbors, but since the ISP and FortiGate A are usingloopback interfaces,packets will not be sent directly between their physical interfaces.

Theebgp-enforce-multihopcommandallows BGP to form an eBGP peering over multiple hops.

2.Set the Update Source (update-source)

Since FortiGate is using aloopback interface as the source, theupdate-sourcecommand ensures thatBGP updates originate from the loopback interfacerather than a physical interface.

This is essential becauseBGP peers must match the source IP with the configured neighbor address.

TheMulti-Exit Discriminator (MED)is aBGP attributeused to influence the preferred path for incoming traffic from an external autonomous system (AS). The diagram shows that FortiGate_1 advertisesMED 200, while FortiGate_2 advertisesMED 300, meaningthe ISP will prefer the route through FortiGate_1because alower MED is preferredin BGP.

To modify theMED valueon FortiGate_1 for routes advertised to AS 30, the administrator must configure aroute-map-out. A route map canmatch specific routesandset the MED valuebefore sending them to the BGP neighbor.

Whenadding an additional FortiGateto an enterprise network that is already reaching itsresource limits, the goal is to distribute traffic efficiently and ensurehigh availability.

FGSP (FortiGate Session Life Support Protocol) with external load balancers

FGSP allowssession-aware load balancingbetween multiple FortiGate units without requiring them to be in an HA (High Availability) cluster.

Withexternal load balancers, incoming traffic isevenly distributedacross multiple FortiGate devices.

This approach is useful forscaling outtraffic handling capacity while ensuring that sessions remainsynchronizedbetween firewalls.

FGSP is effectivewhen stateful failover is requiredbut without the constraints of traditional HA.

FGCP (FortiGate Clustering Protocol) in active-active mode and with switches

FGCPactive-active modeenables multiple FortiGate devices toshare traffic loads, increasing throughput and efficiency.

Active-active mode is suitable forbalancing UTM processingacross multiple FortiGates, making it ideal whenresource limits are a concern.

Usingswitchesensures redundancy and avoids single points of failure in the network.

This mode is commonly used inenterprise networkswhere bothscalability and redundancyare required.

The MAC addresse0:23:ff:fc:00:86follows the format used inFortiGate High Availability (HA) clusters. When FortiGate devices are in an HA configuration, they usevirtual MAC addressesfor failover and redundancy purposes.

The suspicious packet is related to a cluster that has VDOMs enabled:FortiGate devices withVirtual Domains (VDOMs)enabled use specific MAC address ranges to differentiate HA-related traffic. This MAC address is likely part of that mechanism.

The suspicious packet is related to a cluster with a group-id value lower than 255:FortiGate HA clusters assign virtual MAC addresses based on thegroup ID. The last octet (00:86) corresponds to agroup IDthat isbelow 255, confirming this option.

From theRoot FortiGate - System Administrator Configurationexhibit:

● TheAdminSSOaccount has thesuper_admin_readonlyrole.

From theDownstream FortiGate - Security Fabric Settingsexhibit:

● TheSecurity Fabric roleis set toJoin Existing Fabric, meaning it will authenticate with the root FortiGate.

●SAML Single Sign-On (SSO) is enabled, and thedefault admin profileis set tosuper_admin_readonly.

When theAdminSSOuser logs into the downstream FortiGate usingSSO, the authentication request is sent to the root FortiGate, where AdminSSO hassuper_admin_readonlypermissions. Since the downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be grantedsuper_admin_readonlyaccess.

To minimizeCPU and RAM usagewhile still enforcingsecurity features like web filtering and application control,SSL certificate inspection modeis the best choice.

●SSL certificate inspectionallows FortiGate to inspectonly the SSL/TLS handshake, including theServer Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.

● This enables features likeweb filtering and application controlbecause FortiGate can determine thedestination website or applicationbased onSNI and certificate information.

● Itsignificantly reduces system loadcompared tofull SSL inspection, which requires full decryption and re-encryption of traffic.