Dirty Sessions and Network Changes Quiz

VisionarySugilite

30 Questions

Which action is taken if a session is flagged as dirty after a routing change?

The session is forwarded

What causes a session to be flagged as dirty?

All of the above

What happens to a session if the new action of the matching firewall policy is deny?

The session is dropped

When are routing changes common?

In SD-WAN

What happens to dirty sessions in FortiGate?

They are re-evaluated

Which direction(s) of a dirty session must be re-evaluated?

Both the original and reply directions

Why are dirty sessions common in SD-WAN?

Because of the dynamic nature of the solution

What happens to further packets matching a dirty session?

They are dropped

What happens to allowed sessions eventually in FortiGate?

They are offloaded to hardware

What causes routing information of impacted sessions to be flushed?

A routing change

Which session is offloaded to NPU after a routing change?

Sessions without source NAT

What does FortiGate do if the impacted session is offloaded to NPU?

Instructs NPU to send the next packet to the CPU

What does FortiGate do if the session is not offloaded to NPU?

Handles the packet on the CPU

What lookups does FortiGate perform for the first packet in the original direction?

Route and firewall policy lookups

What lookups does FortiGate perform for the first packet in the reply direction?

Only a route lookup

What happens if the firewall policy action is now deny during re-evaluation?

The session is flagged as block and the packet is dropped

When are allowed sessions offloaded again to NPU?

When they no longer meet the NPU offloading requirements

What happens if the current route is not present in the FIB?

The session is flagged as dirty and re-evaluated

What happens if the S-NAT IP changes during re-evaluation?

The session is cleared

What is the default behavior for S-NAT sessions after a routing change?

They remain unchanged

Which action does FortiGate take when a route is removed from the FIB?

FortiGate flags the session as dirty and re-evaluates it on the next packet received.

What happens if the new route and firewall policy lookup results in a change of the S-NAT IP during re-evaluation of S-NAT sessions?

FortiGate drops the packet and clears the session.

When should the snat-route-change setting be enabled?

When the new path for the session uses the same S-NAT IP.

What happens if the impacted application is TCP-based and the session is cleared during re-evaluation of S-NAT sessions?

The impacted application might have to initiate a new connection to resume network connectivity.

What does the debug flow output for an S-NAT session during re-evaluation show?

The S-NAT IP of the new path and the S-NAT IP of the current path.

What is the purpose of enabling the snat-route-change setting?

To force the re-evaluation of S-NAT sessions following a related routing change.

What does FortiGate do if the new route and firewall policy lookup results in a change of the S-NAT IP during re-evaluation of S-NAT sessions?

Drops the packet and clears the session.

When does FortiGate flush the outgoing interface and gateway information?

When a route is removed from the FIB.

What does FortiGate do if the S-NAT IP of the new path is different from the S-NAT IP of the current path during re-evaluation of S-NAT sessions?

Drops the packet and clears the session.

When should the snat-route-change setting be enabled?

When the new path for the session uses the same S-NAT IP.

Study Notes

Session Flagging and Routing Changes

  • If a session is flagged as dirty after a routing change, it is re-evaluated against the new route and firewall policy.
  • A session is flagged as dirty when a routing change occurs, impacting the session's routing information.

Session Re-evaluation

  • If the new action of the matching firewall policy is deny, the session is cleared.
  • Dirty sessions are re-evaluated in both directions.
  • Further packets matching a dirty session are blocked until the session is re-evaluated.

Routing Changes and SD-WAN

  • Routing changes are common in SD-WAN, making dirty sessions common.
  • Routing changes are common during SD-WAN path changes or when a link fails.

FortiGate Session Handling

  • FortiGate flushes the routing information of impacted sessions after a routing change.
  • If a session is offloaded to NPU, FortiGate sends a request to the NPU to flush the session.
  • If a session is not offloaded to NPU, FortiGate re-evaluates the session.

Session Lookup

  • FortiGate performs a route lookup and firewall policy lookup for the first packet in the original direction.
  • FortiGate performs a reverse route lookup and firewall policy lookup for the first packet in the reply direction.

Session Re-evaluation Results

  • If the firewall policy action is now deny during re-evaluation, the session is cleared.
  • If the current route is not present in the FIB, the session is cleared.
  • If the S-NAT IP changes during re-evaluation, the session is re-evaluated with the new S-NAT IP.

S-NAT Sessions

  • The default behavior for S-NAT sessions after a routing change is to re-evaluate the session with the new route and firewall policy.
  • If the new route and firewall policy lookup results in a change of the S-NAT IP during re-evaluation, the session is re-evaluated with the new S-NAT IP.
  • The snat-route-change setting should be enabled when the S-NAT IP changes during re-evaluation.

TCP-Based Sessions

  • If the impacted application is TCP-based and the session is cleared during re-evaluation, the TCP connection is terminated.

Debug Flow Output

  • The debug flow output for an S-NAT session during re-evaluation shows the re-evaluation process.

Snat-Route-Change Setting

  • The purpose of enabling the snat-route-change setting is to re-evaluate S-NAT sessions when the S-NAT IP changes during a routing change.

FortiGate Actions

  • FortiGate flushes the outgoing interface and gateway information when a route is removed from the FIB.
  • If the S-NAT IP of the new path is different from the S-NAT IP of the current path during re-evaluation, the session is re-evaluated with the new S-NAT IP.

Test your knowledge on dirty sessions and how they are flagged and re-evaluated after certain network changes. This quiz will cover topics such as routing changes, firewall policy modifications, and interface adjustments. Perfect for those working with SD-WAN and network security.
