Reply Traffic Interface and Session Handling Quiz

Questions and Answers

Which type of sessions are triggered by a change in the reply traffic interface?

Asymmetric sessions

Symmetric sessions

Auxiliary sessions

Dirty sessions (correct)

What handles dirty sessions triggered by reply interface changes?

Symmetric sessions

System CPU (correct)

FortiGate VMs

Hardware offload

Why is hardware offloading not used for dirty sessions triggered by reply interface changes?

To improve performance (correct)

To offload asymmetric sessions

To prevent high CPU utilization

To preserve session symmetry

What is the default behavior for route lookup of reply traffic?

Consider routes over original ingress interface only

What prevents reply traffic from switching to a better performing member?

Default route lookup behavior

What are auxiliary sessions also known as?

Reflect sessions

What is the purpose of auxiliary sessions?

To offload asymmetric traffic to hardware

What is the benefit of using auxiliary sessions for FortiGate VMs?

Performance is improved

What can result from a huge amount of traffic handled by dirty sessions?

High CPU utilization and poor performance

Why is a change in the reply traffic interface often seen in SD-WAN?

To switch to a better performing link

Which FortiGate device routes the reply traffic over port1 in the original direction?

Both FGT-1 and FGT-2

What happens when auxiliary sessions are enabled on both FortiGate devices?

Both FGT-1 and FGT-2 can offload the session to hardware

How can you enable auxiliary sessions per V-Dom on the FortiGate CLI?

config system settings set auxiliary-session enable end

What does the debug flow sample on FGT-1 show when an auxiliary session is created for an SSH connection?

The index number of the interfaces used for creating the auxiliary session

What is an auxiliary session?

An extension of the main session used for symmetric traffic

How can you reference a member in a firewall policy?

By placing the member in a separate zone and referencing that zone

What does the underlay zone contain in the example firewall policy?

Port1 and port2 as members

What can firewall policy changes lead to?

High CPU utilization

Which sessions are flagged as dirty when the 'check-all' option is enabled?

All impacted sessions

How do you configure SD-WAN firewall policies?

By referencing an SD-WAN zone

Which setting instructs FortiGate to flag all sessions as dirty when a change is made to a firewall policy?

check-all

What is the purpose of flagging sessions as dirty when a change is made to a firewall policy?

To perform a firewall policy lookup for all sessions

What can be done to prevent high CPU utilization when a firewall policy change impacts a large number of sessions?

Set firewall-session-dirty to check-new

When is the firewall-session-dirty setting evaluated?

When a new session is established

What does the presence of the persistent flag in a session indicate?

A new session against the new firewall policy configuration

What is the default value for the firewall-session-dirty setting?

check-all

When can the firewall policy-level setting be used?

When the V-Dom-level setting is set to check-policy-option

What does the may_dirty flag indicate?

A configuration change on the matching policy

What is the purpose of the V-Dom-level setting?

To determine if the firewall policy-level setting can be used

What does the check-policy-option value for the V-Dom-level setting indicate?

To follow the firewall policy-level setting