TCP State Identification Quiz

Questions and Answers

Which protocol has no state and always has a protocol state of 00?

ICMP (correct)

TCP

HTTP

UDP

What are the two session state values used by FortiGate for UDP traffic?

10 and 11

00 and 01 (correct)

0 and 1

1 and 2

What does the 'local' session flag indicate?

Session is to, and/or, from local stack

Session is checked by IPS anomaly

Session originated from FortiGate or terminates on FortiGate (correct)

Session is being logged

When are sessions created and flagged as may_dirty?

When the first packet for a new session is received

What happens to sessions with the may_dirty flag when there is a change in the firewall policy configuration?

They are flagged as dirty

Which session flag indicates that a session is being bridged?

br

What is the default global session handling setting?

check-all

What happens to packets matching a session with the block flag?

They are dropped

What does the 'auth' session flag indicate?

Session requires (or required) authentication

What does the 'redir' session flag indicate?

Session is being processed by an application layer proxy

Which setting is the most resource-intensive behavior for FortiGate session handling after a policy change?

check-all

What is the alternative option to 'check-all' for FortiGate session handling after a policy change?

check-new

Which setting allows you to modify FortiGate session handling on a per-policy level?

check-policy-option

What is the default option for FortiGate session handling after a policy change?

check-all

Which setting should be enabled if you have policies handling millions of sessions?

check-new

What determines whether the system-level session handling setting is global or per-V-Dom?

V-Doms

What CLI commands can be used to modify FortiGate session handling behavior after policy changes?

config firewall-session-dirty

Which option removes all policy information from sessions affected by a policy change?

check-all

What does FortiGate do when new packets arrive after a policy change with the 'check-all' option enabled?

Reevaluates them

What is the most granular setting for modifying FortiGate session handling?

check-policy-option

Which value represents the TCP state FIN_WAIT?

4

What value is associated with the TCP state CLOSE_WAIT?

6

What is the first digit in the protocol state for TCP sessions subject to flow or proxy inspection?

1

When FortiGate receives the SYN-Ack packet, what value does the second digit in the protocol state change to?

3

What is the state value for sessions that are closed by both sides and kept in the session table for a few seconds more?

5

What does the first digit in the protocol state represent for TCP sessions not subject to any inspection?

0

What is the second digit in the protocol state for TCP sessions when FortiGate receives the SYN packet?

1

What is the value associated with the TCP state LAST_Ack?

8

What is the value of the second digit in the protocol state after the three-way handshake for TCP sessions?

1

What is the value of the first digit in the protocol state for TCP sessions subject to proxy or flow inspection?

1

Study Notes

Protocol State and Flags

• UDP sessions have two session state values on FortiGate: 00 and 01.
• The 'local' session flag indicates that a session is originated from the FortiGate itself.
• Sessions are created and flagged as 'may_dirty' when the firewall policy configuration is changed.

Session Handling

• The 'bridge' session flag indicates that a session is being bridged.
• The default global session handling setting is 'check-all'.
• Packets matching a session with the 'block' flag are blocked.
• The 'auth' session flag indicates that a session is authenticated.
• The 'redir' session flag indicates that a session is redirected.
• The 'check-all' setting is the most resource-intensive behavior for FortiGate session handling after a policy change.
• The alternative option to 'check-all' is 'check-new'.
• The 'per-policy' setting allows you to modify FortiGate session handling on a per-policy level.
• The 'check-all' setting is the default option for FortiGate session handling after a policy change.
• The 'check-new' setting should be enabled if you have policies handling millions of sessions.

Session Handling Options

• The 'session-ttl' setting determines whether the system-level session handling setting is global or per-V-Dom.
• The CLI commands 'config system session' and 'config system vd' can be used to modify FortiGate session handling behavior after policy changes.
• The 'reset' option removes all policy information from sessions affected by a policy change.
• When new packets arrive after a policy change with the 'check-all' option enabled, FortiGate re-evaluates all sessions.
• The 'per-policy' setting is the most granular setting for modifying FortiGate session handling.

TCP State Values

• The TCP state FIN_WAIT is represented by the value 04.
• The TCP state CLOSE_WAIT is represented by the value 05.
• The first digit in the protocol state for TCP sessions subject to flow or proxy inspection is 1.
• When FortiGate receives the SYN-Ack packet, the second digit in the protocol state changes to 1.
• The state value for sessions that are closed by both sides and kept in the session table for a few seconds more is 06.
• The first digit in the protocol state for TCP sessions not subject to any inspection represents the TCP state.
• The second digit in the protocol state for TCP sessions when FortiGate receives the SYN packet is 0.
• The value associated with the TCP state LAST_Ack is 07.
• The value of the second digit in the protocol state after the three-way handshake for TCP sessions is 2.
• The value of the first digit in the protocol state for TCP sessions subject to proxy or flow inspection is 1.

Description

Test your knowledge of server-side and client-side TCP states with this quiz. Identify the corresponding values for each state and challenge yourself to remember the correct digits.