Cross-FortiGate TCP Sessions and SD-WAN Quiz
20 Questions

Questions and Answers

Which type of topologies are cross-FortiGate TCP sessions often seen in?

  • Single-hub topologies
  • Auto-discovery topologies
  • Dual-hub topologies
  • AD-VPN topologies (correct)

What happens to cross-FortiGate TCP sessions if the session is unknown to the new FortiGate?

  • The session is paused
  • The session is dropped (correct)
  • The session is terminated
  • The session is rerouted

What feature needs to be enabled to allow non-TCP SYN packets in cross-FortiGate TCP sessions?

  • tcp-session-allow-syn
  • tcp-session-with-syn
  • tcp-session-ignore-syn
  • tcp-session-without-syn (correct)

What happens to a TCP session on the remote end if the new selected member connects to a different FortiGate device?

  • The session is dropped

What are sessions that are routed across two different FortiGate devices called?

  • Cross-FortiGate sessions

In the topology shown on the slide, where is the PC connected?

  • Behind Spoke

What happens if the best member for steering traffic from the PC to the server changes while the TCP connection is still active?

  • The packets are forwarded to the new best member

What happens to the packets if the new best member drops them because they are not the initial TCP SYN packet or do not match any existing sessions?

  • The packets are dropped

How can the issue of dropped packets be solved in cross-FortiGate TCP sessions?

  • By enabling the tcp-session-without-syn setting

What will you learn more about in another lesson?

  • AD-VPN topologies

Which setting must be enabled per VDOM before enabling tcp-session-without-syn and disabling anti-replay?

  • tcp-session-without-syn

What happens when a TCP session is forwarded back to the original FortiGate and the packets have invalid sequence numbers?

  • Packets are dropped

What is the default expiration timer for established TCP sessions?

  • 3600 seconds

What happens if port1 becomes the best member again and the TCP packets are forwarded back to Hub1?

  • Packets are dropped

What is the purpose of disabling the anti-replay setting?

  • To skip TCP sequence number check

How can tcp-session-without-syn and anti-replay be enabled on a firewall policy level?

  • config firewall policy

Why should tcp-session-without-syn and anti-replay be enabled on both Hub1 and Hub2 in the dual-hub topology example?

  • Active TCP sessions could be routed back and forth between the hubs

What does disabling stateful firewall inspection for TCP traffic on Hub1 and Hub2 represent?

  • Doesn't represent a security concern

What are the default values for tcp-session-without-syn and anti-replay settings?

  • Disable and enable, respectively

What must be done before configuring tcp-session-without-syn and anti-replay on the firewall policy level?

  • Enable tcp-session-without-syn per VDOM
