Fortinet Updated NSE7_NST-7.2 Exam Questions and Answers by cerys

The exhibits show the configuration of static routes and a session table entry for an active session. The static routes are configured with different priorities:

Route throughport1with a gateway of10.200.1.254and priority5.

Route throughport2with a gateway of10.200.2.254and priority10.

If the priority of the route throughport2is changed from10to0, this route will become more preferred than the route throughport1because lower priority values indicate higher preference. As a result, the traffic for the existing session will switch to using the more preferred route:

The session would remain active in the session table, as FortiGate does not immediately clear sessions upon route changes unless explicitly configured to do so.

The traffic for the session would then start egressing fromport2, which now has the higher priority route due to its lower priority value.

References

Fortinet Documentation on Routing Configuration

Fortinet Community on Session Handling

Analyzing Debug Output:

The debug output shows multiple proposals with encryption algorithms likeAES CBCand hashing algorithms likeSHA256.

The negotiation failure (no SA proposal chosen) suggests that there is a mismatch in the encryption or hashing algorithms between the local and remote gateways.

Configuration Change:

To resolve the phase 1 negotiation error, the local gateway needs to include a compatible proposal.

AddingAES256-SHA256to the phase 1 proposal configuration ensures that both gateways have a matching set of encryption and hashing algorithms.

References:

Fortinet Documentation: Configuring IPsec Tunnels​(Fortinet Docs)​​(Welcome to the Fortinet Community!)​.

Fortinet Community: Troubleshooting IKE Negotiation Failures​(Welcome to the Fortinet Community!)​​(Welcome to the Fortinet Community!)​.

Current Configuration Analysis:

The firewall policy currently allows ICMP traffic from port1 to port3, enabling the ICMP echo request to reach the server.

However, for the server to send an ICMP echo reply back to the laptop, the traffic must be allowed from port3 to port1.

Required Configuration:

To ensure the server at10.4.0.1/24can send the ICMP echo reply back to the laptop at10.1.0.1/24, the administrator needs to configure a new firewall policy.

The policy must explicitly allow ICMP traffic from port3 to port1.

Steps to Configure:

Access the FortiGate configuration interface.

Navigate to the Firewall Policy section.

Create a new policy allowing ICMP traffic from port3 to port1.

Save and apply the new policy to ensure bidirectional ICMP traffic is permitted.

References

Fortinet Network Security 7.2 Support Engineer Documentation

FortiGate Firewall Policy Configuration Guides

The commanddiagnose test application ipsmonitor 5is used to restart all IPS (Intrusion Prevention System) engines and monitors on the FortiGate device. This command is part of the diagnostic tools available for troubleshooting and maintaining the IPS functionality on the FortiGate.

Running this command forces the IPS system to reset and reinitialize, which can be useful in situations where the IPS functionality appears to be malfunctioning or not responding correctly.

This action helps in clearing any issues that might have arisen due to internal errors or misconfigurations, ensuring that the IPS engines operate correctly after the restart.