Questions and Answers
Which timeout option should be configured on FortiGate to start timing as soon as the user authenticates?
Which IP address will be used to source NAT the traffic when the user on Local-Client (10.0.1.10) pings Remote-FortiGate (10.200.3.1)?
What information will be included in the sniffer output when running the command 'diagnose sniffer packet any "host 10.0.2.10" 3'? (Choose three.)
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10? (Choose three.)
How does FortiGate handle web proxy traffic from the IP address 10.2.1.200 that requires authorization?
Study Notes
FortiGate Timeout Configuration
- Hard-timeout: This option sets a fixed time limit for a user's session, starting from authentication and regardless of activity.
Central NAT Configuration
- Central SNAT Policy: The chosen SNAT policy determines the source IP address for traffic, based on the protocol type.
- IP Pool (SNAT-Remote1): This IP pool provides a source IP range for NAT, with IP address 10.200.1.99.
- Protocol Number: Ping requests are ICMP, which corresponds to protocol number 1.
- Central NAT with Matching Policy: When Central NAT is enabled, traffic is NATted according to the matching Central SNAT policy.
FortiGate Sniffer Command
- diagnose sniffer packet any "host 10.0.2.10" 3: This command will capture packets destined for 10.0.2.10, displaying Ethernet headers, IP headers, and packet data.
Web Proxy and Authentication
- Explicit Web Proxy: This policy applies to traffic from the subnet 10.0.1.0/24, using three explicit web proxy rules.
- Authentication Rule: This rule authenticates HTTP requests from the subnet 10.0.1.0/24 using form-based authentication with the FortiGate local user database.
- User Authentication: Users are prompted for authentication when accessing web resources.
- Browser Categories: Mozilla Firefox and Google Chrome are categorized as "CAT1", Microsoft Internet Explorer is categorized as "CAT2".
- Proxy Address: The specified proxy address determines the web proxy server used.
- User-A and User-B: These users are configured for authentication within the FortiGate local user database.
FortiGate Web Proxy Traffic Handling
- Authorization: The FortiGate checks if web proxy traffic coming from the IP address 10.2.1.200 requires authorization.
- Authentication Scheme: If authorization is required, the FortiGate applies the authentication scheme configured in the matching proxy rule.
- Matching Proxy Policy: The SCHEME1 authentication scheme is applied because it matches the proxy policy for the source IP and requires user authentication.
- Traffic Handling: The traffic is authenticated using the SCHEME1 authentication scheme.
Description
This quiz covers essential concepts in configuring FortiGate features such as timeout settings, NAT policies, packet sniffer commands, and web proxy authentication. Test your understanding of how these components interact within a network. Ideal for those preparing for FortiGate certifications or network management roles.