Ques1. You have unboxed a new FortiGate firewall and need to access it. What is the default password for a FortiGate firewall?

Default Username: admin

The default password is blank; no password is set on a new FortiGate firewall.

Ques2. A new firewall is out of the box and you need to connect it to your laptop to access and configure it. Which management IP subnet should you assign to your laptop to reach the Fortinet firewall, and what is the default management IP address of the firewall?

Subnet: 192.168.1.0/24

Fortinet Default Management IP: 192.168.1.99

Ques3. As a network security expert you should have a fair idea of how to configure an aggregate interface via the CLI on a FortiGate. Write the basic set of commands needed to configure multiple ports as an IEEE 802.3ad aggregate interface.

Ques4. You are assigned to work on a new FortiGate firewall. What options are available to access it (mention all of the protocols/mechanisms)?

  • GUI (HTTP and HTTPS)
  • Telnet
  • SSH

Ques5. In FortiOS, which web GUI menu shows the overall status in the form of widgets and allows you to configure some system options?

Dashboard

Ques6. In the FortiGate GUI, which menu allows you to configure routing options?

NETWORK – In this menu, system interfaces and routing options can be configured.

Ques7. You are assigned a task to configure security features such as web filtering and antivirus.

Which FortiOS GUI menu will you navigate to in order to configure these features?

Security Profile

Ques8. You are working as a network security engineer with Fortinet firewalls in your network. Where would you navigate to configure user accounts, groups, and authentication methods, including external authentication and single sign-on (SSO)?

User & Device Menu

Ques9. You are supposed to set up an alert mechanism that automatically notifies you of critical events, sending email alerts to your network team and management in such cases.

Where in the FortiGate web GUI is this configured?

Log & Report – Configure logging and alert emails; reports can also be generated from this menu.

Ques10. Which GUI menu will you navigate to in order to configure an HA cluster on a FortiGate firewall?

Ques11. You have recently acquired a new SNMP NMS server for monitoring and visibility of your whole network. You need to enable FortiGate interfaces to accept SNMP messages. Using the GUI, how can you perform this task?

  • Go to Network > Interfaces.
  • Edit the interface.
  • In the Administrative Access options, enable SNMP.

Ques12. As a network engineer you prefer to work on the CLI rather than the GUI, because not all settings are available in the GUI. So on Fortinet you should be aware of the ways to connect to the CLI. Can you briefly describe all of them?

You can access the CLI in three ways:

  • Console connection: Connect your computer directly to the console port of your FortiGate.
  • SSH access: Connect your computer through any network interface attached to one of the network ports on your FortiGate.
  • FortiExplorer: Connect your device to the FortiExplorer app on your iOS device to configure, manage, and monitor

Ques13. As a network engineer, you are required to create a new soft switch on a FortiGate firewall. Using the CLI, mention the configuration you should perform to achieve this task.

Ques14. You have a new FortiGate firewall and, for management and testing purposes, need its port1 to allow ping, HTTP and SSH access. What will the configuration be?

Ques15. You are given a task to back up your configuration using SCP (Secure Copy), and for this you need to enable SCP globally on the firewall. How can you configure it to do so?

Ques16. Explain very briefly the steps you will perform in the FortiGate GUI to take a configuration backup.

  • Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.

  • Direct the backup to your Local PC or to a USB Disk.
  • If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM). If backing up a VDOM configuration, select the VDOM name from the list.
  • Enable Encryption. Encryption must be enabled on the backup file to back up VPN certificates.
  • Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
  • Click OK.
  • When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will have a .conf extension.

Ques17. Mention the basic CLI configuration to create a new zone.

Ques18. You are working as an operations engineer and your daily task is to take configuration backups to make sure you have the latest configuration in case of a disaster. Using the CLI, what one line lets you take a configuration backup to USB?

Ques19. You are informed that some users are not getting access to servers that was working until recently. After basic information gathering you figured out that a change was made on the Fortinet firewall which could have caused the outage. You quickly decided to restore the configuration to the last known-good one, which was backed up recently. Using the GUI, how can you restore the configuration?

  • Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.

  • Identify the source of the configuration file to be restored: your Local PC or a USB Disk.
  • Click Upload, locate the configuration file, and click Open.
  • Enter the password if required.
  • Click OK.

Ques20. You are informed that some users are not getting access to servers that they used to reach. After basic information gathering you figured out that a change was made on the Fortinet firewall which could have caused the outage. You quickly decided to restore the last known-good configuration, which was backed up recently. Using the CLI, with the backup configuration on your USB disk, how can you restore the configuration quickly?

Ques21. Define briefly what a security policy is and why a firewall security policy is so important for any type of traffic passing through the firewall.

A firewall security policy defines whether to allow or deny a particular type of traffic. All traffic passing through a firewall is associated with a security policy, so no traffic passes through the firewall without being checked against the policy rules.

Ques22. When using FortiGate in HA, you should always set a distinct hostname on each device so that you can identify which firewall in the cluster is active and which is backup. Using the CLI, how can you configure the hostname on a firewall?

Ques23. You have been using FortiGate firewalls at multiple sites for a long time. You have now decided to remove one firewall from an office location that has been closed. You do not plan to reuse this firewall at another location, so you need to erase all configuration back to defaults. Which command can you use to do this?

Ques24. Your firewall has many settings, including NAT, VPNs and routing, which are all messed up. You have decided to reconfigure all these settings while making sure the interface configuration is not changed during the reset. What is the shortest way to do it?

Using the above command in the CLI you can reset to factory defaults but retain the interface and VDOM configuration.
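The CLI for the backup, restore and reset tasks asked in Ques15, Ques18, Ques20, Ques23 and Ques24, as an added example that is not part of the original answers. The file name, backup password and management IP are placeholders; `execute factoryreset2` is, to my knowledge, the command that keeps interface and VDOM settings, which the answer to Ques24 refers to without naming it.

```fortios
# Ques15: enable SCP globally so a backup host can pull the running
# configuration over SSH (disabled by default)
config system global
    set admin-scp enable
end

# Ques18: one-line backup to a USB disk; the file name is a placeholder
# and the trailing password encrypts the file
execute backup config usb fgt-backup.conf BACKUP_PASSWORD_PLACEHOLDER

# Ques20: restore the last known-good file from the USB disk with the
# same password; the FortiGate reboots once the restore completes
execute restore config usb fgt-backup.conf BACKUP_PASSWORD_PLACEHOLDER

# With admin-scp enabled the same backup can be pulled from a management
# host instead (typed on the host, not on the FortiGate):
#   scp admin@192.168.1.99:sys_config ./fgt-backup.conf

# Ques23: wipe everything back to factory defaults before decommissioning
execute factoryreset

# Ques24: factory reset that keeps the interface and VDOM configuration,
# so management access survives while NAT, VPN and routing are cleared
execute factoryreset2
```

Keep the backup password somewhere other than the USB disk that holds the file; an encrypted backup is only as private as its password.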

Ques25. You have many users who need automatic IP assignment. FortiGate provides a DHCP feature, so it can act as a DHCP server as well. Using the GUI, how can you configure it as a DHCP server?

  • Go to Network > Interfaces.
  • Edit an interface.
  • Enable the DHCP Server option and configure the settings.

Ques26. Which menu will you go to, and what steps will you perform, to configure an interface on a FortiGate firewall?

To configure an interface in the GUI:

  • Go to Network > Interfaces.
  • Click Create New > Interface.
  • Configure the interface fields.

Ques27. Briefly explain the standard set of configuration required to configure a pair of FortiGate firewalls in an Active-Active High Availability cluster.

Ques28. You need to configure a virtual wire pair on your FortiGate firewall using the GUI, and must know all the steps to do so. Mention those steps briefly.

  • Go to Network > Interfaces.
  • Click Create New > Virtual Wire Pair.
  • Select the Interface Members to add to the virtual wire pair.
  • Note that these interfaces cannot be part of a switch, such as the default LAN/internal interface.
  • If required, enable Wildcard VLAN and set the VLAN Filter…
  • Click OK.

Ques29. What are the basic CLI commands, which you must know as a network security engineer, to configure an interface under a VDOM?

Ques30. As a network operations engineer, you need to ensure that not everyone can access or ping your firewall interfaces. For that purpose there is a feature called administrative access. Using the FortiOS GUI, how can you restrict which protocols (ping, HTTP, HTTPS, etc.) are allowed on a particular interface?

To configure administrative access to interfaces in the GUI:

  • Go to Network > Interfaces.
  • Create or edit an interface.
  • In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.

Ques31. Your virtual wire pair must forward traffic properly between the paired interfaces port3 and port4; you are required to create a security policy to allow that. Write down the CLI configuration to do so.

Ques32. As a network operations engineer, you need to ensure that not everyone can access or ping your firewall interfaces. For that purpose there is a feature called administrative access. Using the FortiOS CLI, how can you restrict which protocols (ping, HTTP, HTTPS, etc.) are allowed on a particular interface?

Ques33. You are going to set up new firewalls in High Availability Active-Active mode (cluster). Using the GUI, mention all the steps you should take to do so.

  • Log in to one of the FortiGates.
  • Go to System > HA and set the following options:
    • Mode: Active-Active
    • Device priority: 128 or higher
    • Group name: Example_cluster
    • Heartbeat interfaces: ha1 and ha2

Remember that, except for the device priority, all settings must be the same on both firewalls. In addition, you can give each firewall a different hostname in order to identify them by name.

Ques34. What is the name of the link aggregation protocol used to combine multiple links for more bandwidth as well as link redundancy?

IEEE 802.3ad – This is an open IEEE standard that supports bonding multiple links together. If one link fails, the other links keep functioning and traffic flow and services are not affected.

Ques35. Your manager has asked you to create a link aggregation of ports 1 to 3 on a FortiGate firewall using the GUI, assign it the IP address 10.1.1.1/24, and allow administrative access for ping and HTTPS. How would you accomplish these steps?

To create an aggregate interface using the GUI:

  • Go to Network > Interfaces and select Create New > Interface.
  • For Interface Name, enter Aggregate.
  • For the Type, select 802.3ad Aggregate.
  • Under Interface Members, click to add interfaces and select port1, port2 and port3.
  • For addressing mode, select Manual.
  • For the IP address for the port, enter 10.1.1.1/24.
  • For Administrative Access, select PING and HTTPS.
  • Select OK.

Ques36. What is the main difference between the redundant interface type and the aggregate interface type?

  • An aggregate interface type can also work as a redundant interface type.
  • A redundant interface is a backup interface, which will be active in case of a primary link failure.
  • An aggregate interface is always up and functional.

Ques37. Using the CLI, you should know how multiple interfaces can be configured in redundant mode. Mention the CLI configuration to make port1, port2 and port3 redundant ports.
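The CLI counterpart of the aggregate interface asked for in Ques3 and Ques35, and of the redundant interface in Ques37, as an added example that is not part of the original answers. The interface names and the second IP address are my own choices; the two stanzas are alternatives, since a physical port can belong to only one aggregate or redundant interface and must carry no IP address of its own.

```fortios
# Ques3 / Ques35: 802.3ad aggregate of port1-port3 with 10.1.1.1/24 and
# administrative access limited to ping and HTTPS (everything else,
# including Telnet and HTTP, is refused on this interface)
config system interface
    edit "Aggregate"
        set vdom "root"
        set type aggregate
        set member "port1" "port2" "port3"
        set lacp-mode active
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https
    next
end

# Ques37: the same three ports as a redundant interface; only one member
# carries traffic at a time and the next one takes over on link failure
config system interface
    edit "Redundant"
        set vdom "root"
        set type redundant
        set member "port1" "port2" "port3"
        set ip 10.1.2.1 255.255.255.0
        set allowaccess ping https
    next
end
```

Before committing either stanza, check that none of the member ports is referenced by a policy, route or DHCP server; the CLI rejects the `set member` line if a port is still in use.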

Ques40. You have been tasked with separating the networks of different departments into different broadcast domains. Which feature or technology achieves this, so that each network is in its own layer 2 broadcast domain?

Using VLANs – By configuring VLANs and making each network part of a separate VLAN, each network gets its own layer 2 broadcast domain.

Ques41. What is the main difference between a FortiGate firewall set up in NAT mode and one in transparent mode?

NAT Mode – acts as a layer 3 router device

Transparent Mode – acts as a layer 2 bridge between

Ques42. You are configuring a FortiGate with multiple sub-interfaces for separate networks and VLANs. In such a case, which mode must you use on the FortiGate?

NAT mode – In NAT mode the FortiGate acts as a layer 3 router or gateway for the separate VLANs.

Ques43. You have been working on an existing network without any security appliance. It has been decided to integrate a FortiGate firewall between the trusted LAN and the Internet gateway router. You do not want to disturb the existing network and want to achieve this with the minimum possible changes. How can this be done?

Integrate the FortiGate firewall in Transparent Mode – In transparent mode, the firewall acts as a bridge between two networks and can provide security features by inspecting the traffic passing through it.

Ques44. A FortiGate firewall is used in an enterprise environment. To avoid the overhead associated with static routing, you prefer dynamic routing. Which routing protocol should be preferred in a LAN setup?

OSPF – It is one of the most widely used IGPs and has very good convergence characteristics.

Ques45. Write down the basic configuration for creating a sub-interface for VLAN 10 on the firewall with the IP address 192.168.10.1/24.

Ques46. Describe briefly the “software switch” feature in FortiGate. What are its main characteristics and benefits?

A software switch, also known as a soft switch, is a virtual switch implemented at the software or firmware level rather than in hardware.

As the name implies, a soft switch can be used to simplify communication between devices connected to different FortiGate interfaces.

For example, using a soft switch, you can place the FortiGate interface connected to the internal network on the same subnet as your wireless interfaces. Devices on the internal network can then communicate with devices on the wireless network without any additional configuration on the FortiGate unit, such as additional security policies.

Ques47. One of the strong features of Fortinet FortiGuard is its web filtering and anti-spam. Using the GUI, how can you set up this feature? Mention a basic configuration template to set up web filtering.

Ques48. Using the GUI, you are supposed to configure a new soft switch. Write down all the steps that achieve this task.

  • Go to Network > Interfaces.
  • Click Create New > Interface.
  • Set Type to Software Switch.
  • Configure the Interface Name, Virtual Domain, Interface Members, and other fields.

Ques49. What is a “zone” and what are its benefits in firewall management and administration?

Zones are used to group multiple interfaces into one virtual zone so that a common security policy can be applied to the zone, covering all of the underlying interfaces.

Ques50. How do you create new zones on a FortiGate using the GUI?

  • Go to Network > Interfaces.
  • Click Create New > Zone.
  • Configure the Name and add the Interface Members.

Ques51. Make a basic firewall security policy which allows LAN traffic from Zone1 towards the Internet on port10.

Ques52. Within a single zone, if you need to stop the different interfaces from talking to each other, which command or configuration should you apply so that interfaces under the same zone cannot communicate with each other?

set intrazone deny
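The zone of Ques17, the intrazone setting of Ques52 and the Zone1-to-Internet policy of Ques51 together, as an added example that is not part of the original answers. The member ports, the policy name and the service list are my own choices; `edit 0` asks FortiOS to allocate the next free policy ID.

```fortios
# Ques17 / Ques52: a zone grouping two LAN ports; "intrazone deny" means
# members of the zone cannot reach each other through the FortiGate
# unless a policy explicitly allows it
config system zone
    edit "Zone1"
        set intrazone deny
        set interface "port2" "port3"
    next
end

# Ques51: allow Zone1 hosts out to the Internet on port10. Only web and
# DNS are permitted rather than ALL, the traffic is source-NATed to
# port10's address, and every session is logged for later investigation
config firewall policy
    edit 0
        set name "Zone1-to-Internet"
        set srcintf "Zone1"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

Anything not matched by this policy (or another one) is dropped by the implicit deny at the bottom of the policy table, which is the behaviour the answer to Ques74 describes.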

Ques53. Define the term “virtual wire pair” and the circumstances in which it should be used.

A virtual wire pair connects two interfaces so that they forward traffic to each other. It consists of two interfaces that have no IP address and are treated as if in transparent mode.

Sometimes MAC address handling at layer 2 does not behave as expected and traffic can be impacted; in such cases a virtual wire pair is a useful technique to bridge two interfaces and pass traffic seamlessly.

Ques54. Your manager has asked you to configure two interfaces as a virtual wire pair on your firewall. Write the configuration steps for adding port2 and port4 to a virtual wire pair.
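The CLI for the three layer-2 interface types asked about in Ques13 (soft switch), Ques45 (VLAN sub-interface), Ques54 (virtual wire pair) and Ques31 (the policy that lets the pair forward traffic), as an added example that is not part of the original answers. Port numbers other than the ones the questions name, the interface names and the second subnet are my own; Ques31 names port3/port4, so substitute those if that is the pair you built.

```fortios
# Ques45: VLAN 10 sub-interface on top of port7 with 192.168.10.1/24
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port7"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
end

# Ques13: software switch joining port5 and port6 into one layer-2
# segment; the switch interface, not the members, carries the IP address
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set member "port5" "port6"
    next
end
config system interface
    edit "lan-sw"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end

# Ques54: port2 and port4 as a virtual wire pair (no IP, pure passthrough)
config system virtual-wire-pair
    edit "vwp1"
        set member "port2" "port4"
    next
end

# Ques31: nothing crosses the pair until a policy permits it; this one
# allows port2 -> port4 and logs every session. Add the mirror-image
# policy (port4 -> port2) if replies must be initiated from the far side.
config firewall policy
    edit 0
        set name "vwp1-port2-to-port4"
        set srcintf "port2"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The virtual wire pair policy has no `set nat enable` line on purpose: the pair is a bridge, and translating addresses there would break the transparent behaviour the answer to Ques53 describes.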

Ques55. You need to configure failure detection for your aggregate interfaces so that specific interfaces go down or come up when the aggregate interface changes state. How can you configure such a feature using the CLI?

Ques56. Briefly mention the steps you will take to navigate to and configure the DNS servers on a FortiGate firewall.

  • Go to Network > DNS.
  • Set DNS Servers to Specify.
  • Configure the primary and secondary DNS servers as needed.
  • In the Local Domain Name field, enter the first domain

Ques57. Using the CLI, you are asked to configure DNS settings, including DNS servers and the local domain list. How can you do so using the FortiOS CLI?

Ques58. FortiGate is a very powerful and feature-rich firewall. One of its main advantages is that it can also be used as a DNS server. Using the GUI, briefly mention the steps to set this up.

  • Go to Network > DNS Servers.
  • In the DNS Database table, click Create New.
  • Set Type to Master.
  • Set View to Shadow.

The View setting controls the accessibility of the DNS server. If you select Public, external users can access or use the DNS server. If you select Shadow, only internal users can use it.

  • Enter a DNS Zone, for example, WebServer.
  • Enter the Domain Name of the zone, for example, fortinet.com.
  • Enter the Hostname of the DNS server, for example, Corporate.
  • Enter the Contact Email Address for the administrator, for example, admin@example.com.

  • Disable Authoritative.
  • Add DNS entries:
    • In the DNS Entries table, click Create New.
    • Select a Type, for example Address (A).
    • Configure the remaining settings as needed; the options vary depending on the selected Type.
    • Click OK.

  • Add more DNS entries as needed.
  • Click OK.
  • Enable DNS services on an interface:
    • Go to Network > DNS Servers.
    • In the DNS Service on Interface table, click Create New.
    • Select the Interface for the DNS server, such as wan2.
    • Set the Mode to Recursive.
    • Click OK.

Ques59. If Internet users are unaware that a proxy is in use and web browsing works as usual, what kind of proxy is in action?

Transparent Proxy – With a transparent proxy, web browsers are not aware of any proxy server and the usual Internet content is accessible.

Ques60. Which technique, used widely all over the world, maps a range of private IPs to a smaller range of public IPs, or a single public IP, to give access over the Internet?

Network Address Translation or NAT

Ques61. Your team lead has noticed that many FortiGate firewall interfaces are not being monitored properly in the NMS. To ensure that the firewall interfaces receive SNMP messages you should configure them properly. Using the CLI, how can you perform this task?

Ques62. On a FortiGate firewall, you want to give your Internet users a seamless Internet experience without extra proxy settings on their end. Using the CLI, configure the transparent proxy settings along with the policy it needs to work.

Ques63. A new network is being set up in your enterprise, and you need to make sure users get IP addresses automatically. You already have a working FortiGate firewall, which provides DHCP server features. Using the CLI, how can you configure DHCP settings such as the default gateway, IP range, DNS, etc.?
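The CLI for the system DNS settings of Ques57 and the DHCP server of Ques63, as an added example that is not part of the original answers. It assumes the `vlan10` interface with 192.168.10.1/24 from Ques45, uses FortiGuard's public resolvers as the DNS servers, and uses the FortiOS 6.x form of `config system dns`, where `set domain` takes the local domain list; the pool boundaries, lease time and domain name are my own choices.

```fortios
# Ques57: system DNS servers and the local domain list
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set domain "example.com"
end

# Ques63: DHCP scope served on vlan10. Clients receive the gateway,
# subnet mask, a pool of 101 addresses and explicit DNS servers;
# addresses below .100 stay free for static assignment
config system dhcp server
    edit 1
        set interface "vlan10"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set lease-time 86400
        set dns-service specify
        set dns-server1 208.91.112.53
        set dns-server2 208.91.112.52
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.200
            next
        end
    next
end
```

`set dns-service default` would instead hand out the FortiGate's own system DNS servers, which is simpler when the two must always match; `specify` is shown here because the question asks for DNS to be set explicitly in the scope.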

Ques64. LLDP is a very powerful feature, often required in networks where information about neighbouring devices' existence and capabilities is exchanged. You need to allow LLDP to run globally on your devices; how can you configure it on a FortiGate?

Ques65. For administering the FortiGate firewall for your network security team, you must ensure that your password policy is compliant with the standards. The CTO of your company has asked you to enforce a strict password policy for firewall administration; write a basic CLI configuration template to do so.

Ques66. If you only need to provide security for network traffic and avoid new network or layer 3 settings on the firewall, in which operating mode should you run your FortiGate firewall?

Transparent Mode – In transparent mode, minimal configuration and network settings are required; the firewall acts as a bridge between two networks, or between the LAN and the gateway network.

Ques67. You have purchased many Fortinet firewalls, and one of them needs to be dedicated to NAT, translating private LAN IPs to the ISP-assigned public IP on the WAN interface of the firewall. Which firewall mode must you configure to achieve this?

Route Mode – In route mode, the firewall acts as a layer 3 device and can perform NAT as well. Route mode is also known as NAT mode.

Ques68. What are the two main types of NAT that you can use on a FortiGate firewall?

  • Source NAT or SNAT
  • Destination NAT or DNAT

Ques69. You have many engineers working daily as the operations team on the FortiGate firewall. You want to configure specific profiles for administering the firewall for such users, with a name, access permissions, etc. Using the GUI, where will you navigate to perform this?

  • Go to System > Admin Profiles.
  • Select Create New.
  • Configure the following settings:
    • Name
    • Access permissions
    • Override idle timeout
  • Select OK.

Ques70. You are working as a network engineer in an enterprise where a dedicated LDAP server for users exists; you want your firewalls to use this LDAP server for remote authentication. Using the CLI, mention a basic configuration template for LDAP settings on FortiOS.
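A CLI template for the LDAP remote authentication asked for in Ques70, combined with the admin profile of Ques69 so the LDAP-authenticated administrators land in a least-privilege profile, as an added example that is not part of the original answers. The server address, bind DN, bind password, base DN and all object names are placeholders; the profile keys shown are the long-standing FortiOS access groups and may be named slightly differently on the newest releases.

```fortios
# Ques70: LDAP server definition. LDAPS on 636 keeps the bind password
# and user credentials off the wire; "regular" bind uses a dedicated
# read-only service account rather than anonymous search
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        set port 636
        set secure ldaps
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fortigate,ou=service,dc=example,dc=com"
        set password BIND_PASSWORD_PLACEHOLDER
    next
end

# A user group backed by that server; only its members may administer
config user group
    edit "FW-Admins"
        set member "corp-ldap"
    next
end

# Ques69: read-only profile for the operations team (the GUI's
# "Access permissions" column, expressed per feature group)
config system accprofile
    edit "ops-readonly"
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
        set authgrp read
    next
end

# Wildcard administrator: any FW-Admins member authenticates against
# LDAP and inherits the read-only profile; no local password exists
config system admin
    edit "ldap-admins"
        set remote-auth enable
        set remote-group "FW-Admins"
        set wildcard enable
        set accprofile "ops-readonly"
        set vdom "root"
    next
end
```

Keep at least one local account with `super_admin` (the built-in `admin`, with a strong password) so that an LDAP outage does not lock everyone out of the firewall.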

Ques71. You need to secure management of your FortiGate by changing the default ports. Using the CLI, how can you change the default management ports for HTTP, SSH and Telnet?

Ques72. It often happens that while working on a Fortinet firewall, an administrator leaves their desk for a short break and their system can be physically accessed by someone nearby. How can you avoid such a situation, so that someone nearby cannot easily take over an unattended, logged-in Fortinet session?

By using an idle timeout. It can be set to a number of minutes so that if the session is unattended for that long it is automatically logged out.

  • Go to System > Settings.
  • In the Administration Settings section, set the idle timeout to up to 480 minutes.
  • Click Apply.
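One management-plane template covering the CLI questions that all touch `config system global` or per-interface administrative access: hostname (Ques22), admin ports (Ques71), idle timeout (Ques72), LLDP (Ques64), port1 access (Ques14 and Ques32), password policy (Ques65) and SNMP (Ques61). This is an added example, not part of the original answers; the hostname, port numbers, community name and NMS address are my own choices, and the LLDP keys under `system global` are as I know them from FortiOS 6.x.

```fortios
# Ques22 / Ques71 / Ques72 / Ques64: global management settings.
# Non-default ports do not replace access restrictions, they only cut
# down on opportunistic scanning; the 10-minute idle timeout is the
# control that actually closes an unattended session.
config system global
    set hostname "FGT-DC1-Primary"
    set admin-port 8080
    set admin-sport 8443
    set admin-ssh-port 2222
    set admin-telnet-port 2223
    set admintimeout 10
    set lldp-transmission enable
    set lldp-reception enable
end

# Ques14 / Ques32: per-interface administrative access. port1 allows
# exactly ping, HTTP and SSH; HTTPS, Telnet and SNMP are refused there.
config system interface
    edit "port1"
        set allowaccess ping http ssh
    next
end

# Ques65: administrator password policy (length, character classes,
# 90-day expiry, no reuse of the previous password)
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end

# Ques61: SNMP agent with a read-only v2c community restricted to the
# NMS host, then "snmp" added to allowaccess on the interface it polls
config system snmp sysinfo
    set status enable
end
config system snmp community
    edit 1
        set name "ro-nms-community"
        set query-v2c-status enable
        set trap-v2c-status enable
        config hosts
            edit 1
                set ip 10.0.0.5 255.255.255.255
            next
        end
    next
end
config system interface
    edit "port2"
        set allowaccess ping https ssh snmp
    next
end
```

Changing `admin-sport` or `admin-ssh-port` takes effect immediately, so reconnect on the new port before closing the session you configured it from, and make sure any intermediate firewall allows the new ports.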

Ques73. As a network security engineer, you must know about Virtual Domains, or VDOMs, in Fortinet terminology. Can you describe VDOMs briefly?

VDOMs are virtual firewalls on the same hardware. Two VDOMs can work as independent firewalls with separate VPN, security, NAT and routing policies.

Ques74. All traffic that passes through a Fortinet firewall is always inspected by a security policy. Describe the systematic sequence of packet processing when a packet enters the firewall.

  • The firewall receives a connection packet and analyzes the source and destination address and the TCP/UDP port number (the service).
  • It also registers the incoming interface, the outgoing interface it needs to use, and the time of day.
  • Using the above information, the FortiGate then attempts to find a security policy that matches the incoming packet.
  • If a matching policy is found for this packet or traffic, the FortiGate takes the action configured in that policy (either Deny or Accept).
  • If no matching policy is found, the traffic is denied and not allowed to pass.

Ques75. You must know how to assign an interface to a particular VDOM using both the GUI and the CLI; briefly explain the steps.

Using the GUI:

  • On the Fortigate, go to Global > Network > Interfaces.
  • Edit the interface that will be assigned to a VDOM.
  • Select the VDOM that the interface will be assigned to from the Virtual Domain list.
  • Click OK.

Using the CLI:

Ques76. Which CLI command, in the global configuration, enables multi-VDOM mode in FortiOS?

set vdom-mode multi-vdom

Ques77. Using the GUI, you are assigned to create new VDOMs; you should also know how to do the same task in the CLI. How can you do so using both the GUI and the CLI?

Using the GUI:

  • In the Global VDOM, go to System > VDOM, and click Create New. The New Virtual Domain page opens.
  • In the Virtual Domain field, enter VDOM-A.
  • If required, set the NGFW Mode. If the NGFW Mode is Policy-based, select an SSL/SSH Inspection profile from the list.
  • Optionally, enter a comment.
  • Click OK to create the VDOM. Repeat the above steps for VDOM-B.
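The CLI side of Ques76, Ques77, Ques75 and Ques29 in one sequence: enabling multi-VDOM mode, creating VDOM-A and VDOM-B, and moving an interface into VDOM-A. This is an added example that is not part of the original answers; the port number and its address are my own choices.

```fortios
# Ques76: switch the unit to multi-VDOM mode. Run this from single-VDOM
# mode; the CLI session is dropped and you log in again afterwards.
config system global
    set vdom-mode multi-vdom
end

# Ques77: create the two VDOMs (names match the GUI steps above)
config vdom
    edit "VDOM-A"
    next
    edit "VDOM-B"
    next
end

# Ques75 / Ques29: physical interfaces are owned by the global scope,
# so the move is made under "config global". The port must not be
# referenced by any policy or route in its current VDOM, and it keeps
# its own address and administrative access inside the new VDOM.
config global
    config system interface
        edit "port5"
            set vdom "VDOM-A"
            set ip 10.10.5.1 255.255.255.0
            set allowaccess ping https ssh
        next
    end
end
```

Each VDOM keeps its own policy table and routing table, so after the move a policy inside VDOM-A is still required before port5 carries any traffic; this is the separation the answer to Ques73 describes.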

Using the GUI:

Go to Network > Static Routes and create a new route with the following details:

  • Destination: Subnet
  • IP address: 0.0.0.0/0.0.0.0
  • Gateway: 58.27.1.3
  • Interface: wan1

Ques79. You have been assigned a task to NAT all the private networks in your enterprise to a single public IP address configured on the WAN interface of the FortiGate and assigned by the ISP. Which kind of NAT will you use to perform the address translation and give Internet access to your networks?

Source NAT or SNAT

Ques80. Which redundancy feature employs multiple firewalls to protect against downtime of applications and services?

High Availability or HA

Ques81. What are the basic requirements for FortiGate firewalls to be part of a High Availability cluster? Name at least a few of them.

  • Same Firmware
  • Same Model
  • Same hardware specs

Ques82. How many firewalls, at a minimum, are required to make a cluster of FortiGate firewalls? In addition, name the protocol that is used for the High Availability clustering setup.

At least two firewalls are required to make a High Availability cluster.

The FortiGate Clustering Protocol (FGCP) is used for High Availability.

Ques83. A high availability (HA) cluster is critical for any network setup. To ensure that it is properly designed, what are the main components we must ensure are present from a design perspective so that HA is properly deployed?

Heartbeat connections, i.e. back-to-back links for synchronizing and monitoring the status of the HA pair; the recommendation is to use two links for this purpose.

To achieve redundancy, use identical connections for the internal and external interfaces. Then, if one firewall goes down, the other is always ready to provide services, since all of its interfaces are connected as backup. This is shown in the diagram below.

Ques84. In a Fortinet HA cluster, a link failure or device failure can trigger a failover; however, you are now instructed to make sure that an SSD failure can also trigger a failover to the backup firewall. Using the CLI, how can you configure that?

Ques85. In how many ways can you configure the HA cluster setup for FortiGate firewalls?

  • Active-Active
  • Active-Passive
  • Virtual

Ques86. Write down the basic set of commands you need to set up an Active-Passive HA cluster on FortiGate firewalls.
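A CLI template for the Active-Passive cluster of Ques86, with the changes for Active-Active (Ques27) and SSD failover (Ques84) noted inline, as an added example that is not part of the original answers. The group name and heartbeat interfaces come from the answer to Ques33; the password, priority and monitored ports are my own choices.

```fortios
# Ques86: Active-Passive cluster. Enter the same stanza on both units;
# as the answer to Ques33 states, only the priority (and the hostname
# under system global) should differ between the two.
config system ha
    set group-name "Example_cluster"
    set mode a-p
    set password HA_PASSWORD_PLACEHOLDER
    set hbdev "ha1" 50 "ha2" 100
    set priority 200
    set override disable
    set session-pickup enable
    set monitor "port1" "port2"
    set ssd-failover enable
end

# Ques27: for Active-Active, change only the mode line:
#   set mode a-a
# Ques84: "set ssd-failover enable" (above) adds SSD failure to the
# link and device failures that already trigger a failover.
# Ques22: give each member its own name so the cluster view shows
# which unit is primary, e.g. on the second unit:
#   config system global
#       set hostname "FGT-DC1-Secondary"
#   end
```

`set monitor` is what turns a cable fault on port1 or port2 into a failover; `set override disable` keeps the current primary in place when the higher-priority unit comes back, which avoids a second, unnecessary failover after maintenance.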

Ques87. What are the main features you receive when you subscribe to FortiGuard services on your firewall?

  • Antivirus (AV)
  • Intrusion Protection Service (IPS)
  • Application Control
  • Antispam
  • Web Filtering
  • Web Application Firewall (WAF)

Ques88. There are two VLANs, VLAN 20 for the internal network and VLAN 30 for the external network (WAN), and you want to configure static NAT from the internal network towards the external WAN network. Using the GUI, mention all the steps you should take to configure such NAT.

  • In Policy & Objects > IPv4 Policy, click Create New.
  • Enter the required policy parameters.
  • Enable NAT and select Use Outgoing Interface Address.
  • If needed, enable Preserve Source Port.

Enable Preserve Source Port to keep the same source port for services that expect traffic to come from a specific source port.

Disable Preserve Source Port to allow more than one connection through the firewall for that service.

Ques89. A Fortinet firewall can provide both antivirus and IPS services for any traffic passing through it and block suspicious traffic using its latest signatures and definitions. You should always make sure to run IPS and antivirus on your firewall with the latest signatures and definitions. Using the GUI, which steps will you take to set up antivirus and IPS updates on a FortiGate firewall?

  • Go to System > FortiGuard.
  • Scroll down to the AntiVirus & IPS Updates section.
  • Configure the antivirus and IPS options for connecting and downloading definition files.
  • Click Apply.

Ques90. You have been facing challenges with inappropriate content reaching your network from the Internet. Which FortiGuard feature is used to block access to harmful, inappropriate and dangerous web sites, and how can you configure it?

Web Filtering

To set up Web Filtering:

  • Go to System > FortiGuard.
  • Scroll down to the Filtering section.
  • Configure the settings as needed.
  • Click Apply.

Ques91. In a Fortinet firewall security policy, what actions can you configure for matching traffic, to determine how a packet entering the firewall is treated?

Accept – Allow the traffic and let it pass through the firewall.

Deny – Block the traffic; a log message may be generated to show why it was denied, and details of the traffic type can be shown in the logs as well.

It is important to note that if no policy matches a particular traffic type, the traffic is blocked. So if you want to allow particular traffic, you must create a security policy that allows it to pass through.

Ques92. When configuring a firewall security policy there are many match criteria, such as IP address, port number, etc. Write down as many of these parameters as you can remember which can be used in a security policy.

  • Incoming interface(s)
  • Outgoing interface(s)
  • Source address(es)
  • User(s) identity
  • Destination address(es)
  • Internet service(s)
  • Schedule
  • Service

Ques93. What are the main QoS techniques you can use on a FortiGate to limit traffic rates and optimize bandwidth?

  • Traffic Policing
  • Traffic Shaping
  • Queueing

Ques94. You have been asked to limit the traffic rate on a particular network/VLAN, but you are not sure which QoS technique to use; you have narrowed it down to policing or shaping. Can you define the basic difference between policing and shaping in terms of bandwidth control?

  • Policing – rate-limits the traffic and drops any traffic which exceeds the configured limit.
  • Shaping – rate-limits the traffic and buffers the excess traffic exceeding the limit.

Ques95. You need to connect many office locations over VPN but need a quick solution, so that your IKE phases, routing and security policies, etc. are created automatically. Which Fortinet solution should you use to get this done?

Overlay Controller VPN (OCVPN) – a cloud-based VPN solution whose main goal is to simplify IPsec VPN setup.

OCVPN can automatically enable IPsec phase1-interfaces, phase2-interfaces, static routes and firewall policies on all FortiGates that belong to the same community network.

Ques96. You are interested in seeing router events on the firewall, and for that need to enable those logs to be captured by the FortiGate. Using the CLI, how can you enable router event logging?

Ques97. WAN optimization and security are always in demand, and every vendor tries to provide SD-WAN capability. While connected to multiple WAN interfaces towards ISPs, how can you enable SD-WAN using the GUI for the WAN1 and WAN2 interfaces?

  • Go to Network > SD-WAN and set the Status to Enable.
  • Click the plus icon to add members, using the correct ISP gateway for each member.
  • Create a static route with virtual-wan-link enabled:
    • Go to Network > Static Routes.
    • Click Create New. The New Static Route page opens.
    • From the Interface drop-down list, select SD-WAN.
    • Click OK to save your changes.
  • Create a firewall policy to allow the traffic:
    • Go to Policy & Objects > IPv4 Policy.
    • Click Create New. The New Policy page opens.
    • For the Incoming Interface, select DMZ.
    • For the Outgoing Interface, select SD-WAN.
    • Configure the remaining settings as needed, and then click OK to create the policy. Outgoing traffic will now be balanced 50% on each link.

Ques98. You are going to get multiple Internet connections from ISPs, and want to ensure full flexibility in routing between your network and the ISP gateways. Which routing protocol should you prefer in this case?

BGP – Border Gateway Protocol

With dual-homed connections, BGP is the best choice for manipulating routing and enforcing policies for both inbound and outbound traffic.

Ques99. You have multiple office locations and want the remote sites to get Internet access from the main site, along with many IT services such as the email server, DHCP server and some IT portals hosted at the main head office. What solution should you provide to accomplish that?

Use site-to-site VPN between the remote sites and the hub site.

Ques100. You have an important server in your local area network which is not accessible from the Internet. However, there is a requirement to make this server accessible from the Internet on a specific IP and port. You are supposed to configure this on the FortiGate. What kind of NAT will you use for that?

Destination NAT or DNAT.

Ques101. You are relocating your network room to another building, and therefore need a maintenance window to power off all your network devices, including the FortiGate firewall. You must know the safe way to power off the FortiGate. Mention the CLI and GUI methods to power off a FortiGate firewall.

USING GUI:

  • Go to Dashboard.
  • In the System Resources widget, select Shutdown.

USING CLI:

  • execute shutdown