FortiGate Authentication Options Quiz

VisionarySugilite

24 Questions

What is the purpose of passive authentication?

To determine user details without prompting for login credentials

When both active and passive authentication methods are combined, what is the intended use of active authentication?

As a backup, to be used only when passive authentication fails

What is the default behavior when a fall-through policy that does not have authentication enabled follows an active authentication firewall policy?

All traffic uses the fall-through policy and users are not required to authenticate

What is the purpose of One-Time Password Tokens (OTP)?

To add an additional layer of authentication

What is the main characteristic of OTP passwords?

They can only be used once

When is it better to enable captive portal authentication at the interface level?

To have all devices authenticate before accessing any resources

What is the purpose of using two-factor authentication with OTP in an OT environment?

For critical server and asset access, and VPN access for remote users

What happens when you enable authentication on all firewall policies?

All the systems must authenticate before traffic travels to the egress interface

What is the purpose of using active authentication as a backup?

To be used only when passive authentication fails

What is the main purpose of using hardware tokens for OTP?

To use in OT for critical server and asset access

What is the main purpose of using FortiToken Cloud for OTP?

To provide OTP via cloud-based service

When is two-factor authentication with OTP used?

For critical server and asset access, and VPN access for remote users

What is the purpose of active authentication when passive authentication fails?

To prompt the user for login credentials

When does FortiGate use active authentication?

When login cannot be determined passively

What happens if all possible policies that could match the source IP have authentication enabled?

The user will receive a login prompt

In the example shown, why does traffic from LOCAL_SUBNET not match policy sequence 1 (Full_Access)?

The user group aspect of the traffic does not match

What is the purpose of enabling a captive portal on the ingress interface for the traffic?

To prompt users for login credentials

When is active authentication intended to be used?

As a backup when passive authentication fails

What does FortiGate do if the policy match is not complete?

Continues its search down the sequence list

What is the outcome if the traffic matches all criteria of a policy?

Traffic is allowed with no need to authenticate

When will FortiGate use the Enforce authentication on demand option?

When active authentication fails

What is the purpose of enabling authentication on every policy that could match the traffic?

To ensure all traffic is authenticated

What is the default intention of active authentication?

To be used as a backup when passive authentication fails

What does FortiGate do if the user can be determined passively?

Will not prompt the user for login credentials

Study Notes

Authentication Concepts

  • The purpose of passive authentication is to identify users without prompting them for credentials.
  • Combining active and passive authentication methods allows active authentication to be used as a fallback when passive authentication fails.
  • When a fall-through policy without authentication follows an active authentication firewall policy, the default behavior is to fall through to the next policy.

One-Time Password Tokens (OTP)

  • The purpose of OTP tokens is to provide an additional layer of security.
  • OTP passwords are characterized by being generated randomly and valid only for a short period.
  • Two-factor authentication with OTP is used in OT environments to add an extra layer of security.

Captive Portal Authentication

  • Captive portal authentication is better enabled at the interface level when you want to intercept and authenticate users at the network entrance.
  • The purpose of enabling a captive portal on the ingress interface is to intercept and authenticate users.

Authentication Scenarios

  • When active authentication is used as a backup, it is intended to be used when passive authentication fails.
  • The main purpose of using hardware tokens for OTP is to provide an additional layer of security.
  • The main purpose of using FortiToken Cloud for OTP is to provide a cloud-based solution for OTP.
  • Two-factor authentication with OTP is used when you want to add an extra layer of security.
  • Active authentication is intended to be used when passive authentication fails or when the user cannot be determined passively.

Firewall Policies

  • When you enable authentication on all firewall policies, every policy that matches the traffic will require authentication.
  • If all possible policies that could match the source IP have authentication enabled, the traffic will be authenticated.
  • If the policy match is not complete, FortiGate will continue to the next policy.
  • If the traffic matches all criteria of a policy, the policy will be enforced.
  • FortiGate uses the Enforce authentication on demand option when you want to authenticate users only when they attempt to access a resource.
  • The purpose of enabling authentication on every policy that could match the traffic is to ensure that all users are authenticated.
  • The default intention of active authentication is to provide an additional layer of security when passive authentication fails.

Test your knowledge of FortiGate authentication options with this quiz. Explore the various methods available to enforce authentication, including enabling it on every policy, using the on-demand option, and setting up a captive portal on the ingress interface. See how well you understand when FortiGate uses active authentication and learn about the different scenarios where it may or may not force an active authentication prompt.
