Dirty Sessions and Network Changes Quiz


Questions and Answers

Which action is taken if a session is flagged as dirty after a routing change?

  • The session is forwarded (correct)
  • The session remains in the session table
  • The session is dropped
  • The session is offloaded to hardware

What causes a session to be flagged as dirty?

  • A routing change
  • A firewall policy change
  • An interface change
  • All of the above (correct)

What happens to a session if the new action of the matching firewall policy is deny?

  • The session is forwarded
  • The session is offloaded to hardware
  • The session is dropped (correct)
  • The session remains in the session table

When are routing changes common?

In SD-WAN (A)

What happens to dirty sessions in FortiGate?

They are re-evaluated (B)

Which direction(s) of a dirty session must be re-evaluated?

Both the original and reply directions (D)

Why are dirty sessions common in SD-WAN?

Because of the dynamic nature of the solution (A)

What happens to further packets matching a dirty session?

They are dropped (C)

What happens to allowed sessions eventually in FortiGate?

They are offloaded to hardware (A)

What causes routing information of impacted sessions to be flushed?

A routing change (D)

Which session is offloaded to NPU after a routing change?

Sessions without source NAT (D)

What does FortiGate do if the impacted session is offloaded to NPU?

Instructs NPU to send the next packet to the CPU (C)

What does FortiGate do if the session is not offloaded to NPU?

Handles the packet on the CPU (A)

What lookups does FortiGate perform for the first packet in the original direction?

Route and firewall policy lookups (C)

What lookups does FortiGate perform for the first packet in the reply direction?

Only a route lookup (D)

What happens if the firewall policy action is now denied during re-evaluation?

The session is flagged as block and the packet is dropped (D)

When are allowed sessions offloaded again to NPU?

When they no longer meet the NPU offloading requirements (D)

What happens if the current route is not present in the FIB?

The session is flagged as dirty and re-evaluated (B)

What happens if the S-NAT IP changes during re-evaluation?

The session is cleared (C)

What is the default behavior for S-NAT sessions after a routing change?

They remain unchanged (D)

Which action does FortiGate take when a route is removed from the FIB?

FortiGate flags the session as dirty and re-evaluates it on the next packet received. (A)

What happens if the new route and firewall policy lookup results in a change of the S-NAT IP during re-evaluation of S-NAT sessions?

FortiGate drops the packet and clears the session. (C)

When should the snat-route-change setting be enabled?

When the new path for the session uses the same S-NAT IP. (B)

What happens if the impacted application is TCP-based and the session is cleared during re-evaluation of S-NAT sessions?

The impacted application might have to initiate a new connection to resume network connectivity. (D)

What does the debug flow output for an S-NAT session during re-evaluation show?

The S-NAT IP of the new path and the S-NAT IP of the current path. (B)

What is the purpose of enabling the snat-route-change setting?

To force the re-evaluation of S-NAT sessions following a related routing change. (D)

What does FortiGate do if the new route and firewall policy lookup results in a change of the S-NAT IP during re-evaluation of S-NAT sessions?

Drops the packet and clears the session. (D)

When does FortiGate flush the outgoing interface and gateway information?

When a route is removed from the FIB. (B)

What does FortiGate do if the S-NAT IP of the new path is different from the S-NAT IP of the current path during re-evaluation of S-NAT sessions?

Drops the packet and clears the session. (D)

When should the snat-route-change setting be enabled?

When the new path for the session uses the same S-NAT IP. (C)

Study Notes

Session Flagging and Routing Changes

  • If a session is flagged as dirty after a routing change, it is re-evaluated against the new route and firewall policy.
  • A session is flagged as dirty when a routing change occurs, impacting the session's routing information.

Session Re-evaluation

  • If the new action of the matching firewall policy is deny, the session is cleared.
  • Dirty sessions are re-evaluated in both directions.
  • Further packets matching a dirty session are blocked until the session is re-evaluated.

Routing Changes and SD-WAN

  • Routing changes are common in SD-WAN, making dirty sessions common.
  • Routing changes are common during SD-WAN path changes or when a link fails.

FortiGate Session Handling

  • FortiGate flushes the routing information of impacted sessions after a routing change.
  • If a session is offloaded to NPU, FortiGate sends a request to the NPU to flush the session.
  • If a session is not offloaded to NPU, FortiGate re-evaluates the session.

Session Lookup

  • FortiGate performs a route lookup and firewall policy lookup for the first packet in the original direction.
  • FortiGate performs a reverse route lookup and firewall policy lookup for the first packet in the reply direction.

Session Re-evaluation Results

  • If the firewall policy action is now denied during re-evaluation, the session is cleared.
  • If the current route is not present in the FIB, the session is cleared.
  • If the S-NAT IP changes during re-evaluation, the session is re-evaluated with the new S-NAT IP.

S-NAT Sessions

  • The default behavior for S-NAT sessions after a routing change is to re-evaluate the session with the new route and firewall policy.
  • If the new route and firewall policy lookup results in a change of the S-NAT IP during re-evaluation, the session is re-evaluated with the new S-NAT IP.
  • The snat-route-change setting should be enabled when the S-NAT IP changes during re-evaluation.

TCP-Based Sessions

  • If the impacted application is TCP-based and the session is cleared during re-evaluation, the TCP connection is terminated.

Debug Flow Output

  • The debug flow output for an S-NAT session during re-evaluation shows the re-evaluation process.

Snat-Route-Change Setting

  • The purpose of enabling the snat-route-change setting is to re-evaluate S-NAT sessions when the S-NAT IP changes during a routing change.

FortiGate Actions

  • FortiGate flushes the outgoing interface and gateway information when a route is removed from the FIB.
  • If the S-NAT IP of the new path is different from the S-NAT IP of the current path during re-evaluation, the session is re-evaluated with the new S-NAT IP.
