Reply Traffic Interface and Session Handling Quiz

Questions and Answers

Which type of sessions are triggered by a change in the reply traffic interface?

• Asymmetric sessions
• Symmetric sessions
• Auxiliary sessions
• Dirty sessions (correct)

What handles dirty sessions triggered by reply interface changes?

• Symmetric sessions
• System CPU (correct)
• FortiGate VMs
• Hardware offload

Why is hardware offloading not used for dirty sessions triggered by reply interface changes?

• To improve performance (correct)
• To offload asymmetric sessions
• To prevent high CPU utilization
• To preserve session symmetry

What is the default behavior for route lookup of reply traffic?

Consider routes over original ingress interface only (A)

What prevents reply traffic from switching to a better performing member?

Default route lookup behavior (A)

What are auxiliary sessions also known as?

Reflect sessions (A)

What is the purpose of auxiliary sessions?

To offload asymmetric traffic to hardware (C)

What is the benefit of using auxiliary sessions for FortiGate VMs?

Performance is improved (C)

What can result from a huge amount of traffic handled by dirty sessions?

High CPU utilization and poor performance (A)

Why is a change in the reply traffic interface often seen in SD-WAN?

To switch to a better performing link (C)

Which FortiGate device routes the reply traffic over port1 in the original direction?

Both FGT-1 and FGT-2 (C)

What happens when auxiliary sessions are enabled on both FortiGate devices?

Both FGT-1 and FGT-2 can offload the session to hardware (C)

How can you enable auxiliary sessions per V-Dom on the FortiGate CLI?

config system settings set auxiliary-session enable end (A)

What does the debug flow sample on FGT-1 show when an auxiliary session is created for an SSH connection?

The index number of the interfaces used for creating the auxiliary session (C)

What is an auxiliary session?

An extension of the main session used for symmetric traffic (D)

How can you reference a member in a firewall policy?

By placing the member in a separate zone and referencing that zone (D)

What does the underlay zone contain in the example firewall policy?

Port1 and port2 as members (D)

What can firewall policy changes lead to?

High CPU utilization (B)

Which sessions are flagged as dirty when the 'check-all' option is enabled?

All impacted sessions (A)

How do you configure SD-WAN firewall policies?

By referencing an SD-WAN zone (C)

Which setting instructs FortiGate to flag all sessions as dirty when a change is made to a firewall policy?

check-all (B)

What is the purpose of flagging sessions as dirty when a change is made to a firewall policy?

To perform a firewall policy lookup for all sessions (B)

What can be done to prevent high CPU utilization when a firewall policy change impacts a large number of sessions?

Set firewall-session-dirty to check-new (B)

When is the firewall-session-dirty setting evaluated?

When a new session is established (D)

What does the presence of the persistent flag in a session indicate?

A new session against the new firewall policy configuration (B)

What is the default value for the firewall-session-dirty setting?

check-all (A)

When can the firewall policy-level setting be used?

When the V-Dom-level setting is set to check-policy-option (A)

What does the may_dirty flag indicate?

A configuration change on the matching policy (D)

What is the purpose of the V-Dom-level setting?

To determine if the firewall policy-level setting can be used (A)

What does the check-policy-option value for the V-Dom-level setting indicate?

To follow the firewall policy-level setting (D)

Flashcards are hidden until you start studying