NSE 7 Enterprise firewall ALL SOLUTION 100% CORRECT LATEST UPDATE GUARANTEED GRADE A+

Pages: 119
Grade: A+
Uploaded on: 28-11-2023
Written in: 2023/2024

Q: APT
A: Advanced Persistent Threat

Q: What modern-day tech and threats create the need for more protection (protecting the perimeter of a network is no longer enough)?
A: Zero-day attacks, APT, polymorphic malware, insider threats, BYOD, cloud tech

Q: What factors are contributing to a borderless network?
A: Mobile workforce; partners accessing your network services; public and private clouds; Internet of Things; BYOD

Q: Enterprise firewall solution (2)
A: Apply end-to-end security; segment your network

Q: End-to-end security with a consolidated operating system
A: FortiOS. The core of the solution is the Security Fabric, which allows all devices to communicate in the network, and all deployments are managed through FortiManager.

Q: Core of the enterprise firewall solution
A: The core of the solution is the Security Fabric, which allows all devices to communicate in the network.

Q: Five firewall roles depending on where the FortiGate is deployed
A: DEFW (distributed enterprise firewall); CFW (cloud firewall); NGFW (next generation firewall); DCFW (data center firewall); ISFW (internal segmentation firewall)

Q: NGFW
A: Next generation firewall. 1G-40Gb throughput. Deployed for firewall, app control, IPS, AV, and VPN. Can be deployed at the edge or in the core.

Q: DCFW
A: Data center firewall. Protects servers; low latency; inbound-security focused. 10G-1Tb throughput. Firewall, application control, and IPS are common. Placed in the data center and in the enterprise DMZ. Deployed at the distribution layer.

Q: ISFW
A: Internal segmentation firewall. Breach containment for attacks that come from inside (zero trust network). 1G-100Gbps throughput. Firewall, app control, web filtering, and IPS (sandbox inspection also). Placed in the access layer. These prevent propagation.

Q: DEFW
A: Distributed enterprise firewall. Extension of the enterprise network; VPN dependent (connects to corporate HQ using VPN). 1Gbps throughput. Security for smaller locations and branch offices. All-in-one security (firewall, app control, VPN, IPS, AV).

Q: What five areas does the SF (Security Fabric) deliver solutions in?
A: Zero trust access; security-driven networking; dynamic cloud security; AI-driven security operations; fabric management center

Q: Describe Fortinet's end-to-end solution.
A: NAC/Client/AUTH/EDR; AP/Switch/Extender; FortiGate; FortiGate VM/FortiCWP; WEB/mail/CASB/ADC; Analyzer/Sandbox/SIEM/SOAR; Manager/cloud

Q: What devices comprise the core of the Security Fabric (MANDATORY), and what is comprised in the recommended and extended portions?
A: Core: two or more FortiGates + FortiAnalyzer. Recommended: FortiManager, FortiAP, switch, client, sandbox, and mail. Extended: other Fortinet products and third-party products using the API.

Q: What must be configured in the SF first?
A: Root FortiGate

Q: What is end-to-end security?
A: Security from endpoints to the cloud

Q: Purpose of ISFW
A: To segment the network so that any breach coming from inside can be contained in one segment of the network without reaching others

Q: Problem with multiple-vendor networks
A: No central visibility or central management

Q: What consolidated OS does the Fortinet solution offer?
A: FortiOS

Q: Single-pane-of-glass management through which solution?
A: FortiManager

Q: Highest throughput requirements of all firewall roles
A: DCFW

Q: What kind of firewall role would a FGT deployed in a smaller branch office or remote site have?
A: DEFW

Q: What protocol must be enabled bidirectionally on all FortiGates in the Security Fabric?
A: FortiTelemetry

Q: What port does FortiTelemetry use?
A: 8013

Q: FortiTelemetry
A: Port 8013. FortiGate uses it to communicate with other FortiGate devices and distribute information about the network topology; it also uses it to integrate with FortiClient.

Q: How does the root FortiGate use FortiTelemetry, where does it share what it learns, and how does it share it?
A: It uses the network topology information collected from the other FortiGates and forwards it to FortiAnalyzer using the FortiAnalyzer API.

Q: What does the root FortiGate use to send topology info about the SF to FortiAnalyzer?
A: FortiAnalyzer API

Q: How does FortiAnalyzer generate topology views and IoC?
A: It combines info received from the root FortiGate.

Q: SF tree structure
A: Branch FortiGate devices connect to upstream FortiGate devices.

Q: How does FortiGate verify the FortiAnalyzer?
A: Verifies the serial number against its certificate, and then the serial is stored in the FortiGate config.

Q: Command to see upstream AND downstream FortiGates if the FortiGate is not the SF root (will show serial number, IP, connecting interface and connection status)
A: diagnose sys csf upstream
   diagnose sys csf downstream

Q: What is configuration sync for SF?
A: FAZ and FMG config on the root FortiGate will be pushed down to the other FortiGates.

Q: How to disable configuration sync for SF
A: config system csf
   set configuration-sync local

Q: Security Fabric map
A: All FortiGate devices in a SF maintain their own SF map that includes the MAC address and IP address of all connected FortiGate devices and their interface.

Q: How to see the Security Fabric map
A: diagnose sys csf neighbor list

Q: If a FortiGate receives a packet from a MAC address that belongs to another FortiGate in the Security Fabric (Security Fabric map), it will ______ that session unless....
A: Not log; unless it is the first FortiGate that handled the session in the Security Fabric

Q: Will a FortiGate log a session from another gate in the SF, and why? What exception is there to this rule besides being the first FortiGate?
A: No, and it eliminates repeated logging of a session by multiple FortiGate devices. It will log if it is the first FortiGate that handled the session. The exception is if one of the FortiGates performs NAT: another log will be generated to record NAT details such as translated ports and addresses.

Q: How many times does the SF as a whole log a session?
A: Once, by the first FortiGate in the SF, unless passed to a FGT performing NAT

Q: What does Fortinet recommend for centralized management of FortiGate devices and access devices in the SF?
A: FortiManager

Q: What devices can extend the SF to the access layer?
A: Switch and AP

Q: Is the SF an open or closed protocol?
A: Open

Q: Why are the SF API and protocol open?
A: So other vendors can join for partner integration, so Fortinet devices can communicate with third-party devices

Q: How to configure fabric connectors
A: Security Fabric > External Connectors

Q: What connectors are available as public SDN multi-cloud support?
A: Amazon AWS; Microsoft Azure; Google Cloud Platform (GCP); Oracle Cloud Infrastructure (OCI); AliCloud

Q: ACI
A: Application Centric Infrastructure

Q: What is the purpose of the public SDN connectors?
A: Bridge SDN controllers and FortiGate devices, such as connecting and registering itself to APIC in the Cisco ACI fabric, polling interesting objects, translating them into address objects, and populating the address objects and endpoints onto the FortiGate.

Q: Where can you view the SF topology?
A: Root FortiGate GUI (or FAZ)

Q: Security Fabric physical topology: two options to view the SF in the GUI
A: Physical and logical

Q: What does the SF physical topology display?
A: Shows the physical topology of devices in the SF and the connections between them

Q: What actions can you perform from the physical topology view in SF (4)?
A: Authorize switches and APs; upgrade devices; connect to a device's CLI; ban and unban compromised IPs

Q: Security Fabric security rating: what is security rating and how can you get a rating?
A: Subscription service that requires a security rating license. Provides the ability to see and perform many best practices, such as password checks, to audit the strength of your network security. Broken down into scorecards that provide a letter grade.

Q: SF scorecard
A: Shows performance in sub-categories and gives an overall grade; clicking a scorecard drills down to a detailed report of itemized results and compliance recommendations.

Q: What compliance policies are used for the SF rating (2)?
A: FSBP or PCI compliance

Q: What does the point score represent for the SF rating?
A: The net score for all passed and failed items in the area

Q: What three sections are the security rating scorecards?
A: Security posture; fabric coverage; optimization

Q: Security Fabric security rating: security posture
A: The scorecard that shows a ranking presented as a percentile based on security audit information.

Q: What data is used to provide customer ratings for the SF security rating?
A: FortiGuard

Q: When are security audits running?
A: In the background when an admin is logged into the GUI

Q: What does the security rating score help you identify?
A: Security issues in your network

Q: How can you apply security recommendations to your firewall settings in one click?
A: Under Security Fabric > Security Rating > Security Posture, click Apply on the failed controls.

Q: Name some security checks under the SF rating.
A: Enforcing password security; applying recommended login attempt thresholds; encouraging 2FA

Q: Nickname for administrator-defined automated workflows, and what is their function?
A: Stitches. Stitches use if/then statements to cause FortiOS to automatically respond to an event in a preprogrammed way.

Q: True or false: the SF is required to use stitches.
A: False, not required. But you can use stitches to detect events from any source in the SF and apply actions to any destination.

Q: Stitches
A: Automated actions based on triggers

Q: How many actions can be paired with a trigger for a stitch?
A: One or more

Q: Where to configure stitches
A: Security Fabric > Automation

Q: What must you specify when configuring an automation stitch (4)?
A: FortiGate device; trigger; action; minimum interval

Q: What do you need to configure for a stitch so you don't receive repeat alert notifications about the same event?
A: Minimum interval

Q: Compromised host trigger for automation stitch
A: This trigger uses indicator of compromise (IOC) event reporting from FortiAnalyzer. Set a threat level threshold (medium or high). Based on that you can configure the stitch to take different remediation steps, such as: quarantine the compromised host on the switch or AP (access layer quarantine); quarantine FortiClient on the compromised host using EMS; ban the IP.

Q: What is access layer quarantine for a stitch action?
A: Quarantine the host on the switch or AP

Q: What is required to use the compromised host trigger for stitches?
A: Requires FortiAnalyzer IoC reporting

Q: When are quarantined addresses automatically removed, and when are banned IPs automatically removed?
A: After a configurable period of time. Banned IPs are not auto-removed and need to be removed by an admin.

Q: Where can you view quarantined and banned IPs?
A: Under the quarantine widget on the dashboard

Q: What two ways can you test an automation stitch?
A: Right click in CLI; in CLI with the command diagnose automation test <stitchname>

Q: What is created automatically when an automation stitch is triggered?
A: FortiGate creates an event log in Log & Report > System Events.

Q: PPP (parallel path processing)
A: PPP chooses from a group of parallel options to identify the optimal path for processing a packet. It uses the firewall policy configuration to choose from a group of parallel options to determine the optimal path for processing a packet.
Most FortiOS features are applied through firewall policies, and the features applied determine the path a packet takes.

Q: Where is UTM or NGFW traffic offloaded for acceleration?
A: Security processors CP8 or CP9

Q: Where is traffic not requiring any UTM or NGFW processing offloaded for acceleration?
A: Network processor NP6

Q: What two parts of the firewall affect the path that a packet takes?
A: The hardware and software configuration

Q: What are some security inspections performed on a packet in the life of the packet, and why does it perform security inspections so early on in the processing?
A: DoS checking, RPF checking, and IP integrity header checking. It does this so the FortiGate can make sure the packets are within acceptable parameters before allowing the packet to move through the rest of the processes.

Q: Describe the life of a packet for a FGT without a network processor (17 main) (13 sub).
A:

Ingress
All packets accepted by a FortiGate pass through a network interface and are processed by the TCP/IP stack. Then, if DoS policies have been configured, the packet must pass through these as well as automatic IP integrity header checking. DoS scans are handled very early in the life of the packet to determine whether the traffic is valid or is part of a DoS attack. The DoS module inspects all traffic flows but only tracks packets that can be used for DoS attacks (for example, TCP SYN packets), to ensure they are within the permitted parameters. Suspected DoS attacks are blocked; other packets are allowed. IP integrity header checking reads the packet headers to verify that the packet is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification that is done at this step is to ensure that the protocol header is the correct length. If it is, the packet is allowed to carry on to the next step. If not, the packet is dropped.

Incoming IPsec packets that match configured IPsec tunnels on the FortiGate are decrypted after header checking is done. If the packet is an IPsec packet, the IPsec engine attempts to decrypt it. If the IPsec engine can apply the correct encryption keys and decrypt the packet, the unencrypted packet is sent to the next step. Non-IPsec traffic and IPsec traffic that cannot be decrypted passes on to the next step without being affected. IPsec VPN decryption is offloaded to and accelerated by CP8 or CP9 processors.

Admission control
Admission control checks to make sure the packet is not from a source or headed to a destination on the quarantine list. If configured, admission control then imposes FortiTelemetry protection, which requires a device to have FortiClient installed before allowing packets from it. Admission control can also impose captive portal authentication on ingress traffic.

Kernel
Once a packet makes it through all of the ingress steps, the FortiOS kernel performs the following checks to determine what happens to the packet next.

Destination NAT
Destination NAT checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the internet that is going to be directed to a server on a network behind the FortiGate. DNAT means the actual address of the internal network is hidden from the internet. This step determines whether a route to the destination address actually exists. DNAT must take place before routing so that the FortiGate can route packets to the correct destination.

Routing (including SD-WAN)
Routing uses the routing table to determine the interface to be used by the packet as it leaves the FortiGate. Routing also distinguishes between local traffic and forwarded traffic. Firewall policies are matched with packets depending on the source and destination interface used by the packet. The source interface is known when the packet is received, and the destination interface is determined by routing. SD-WAN is a special application of routing that provides route selection, load balancing, and failover among two or more routes. SD-WAN also supports using the Internet Services Database (ISDB) and Application Control to select a route in the following way: SD-WAN uses Application Control to compare the first packet of a new session against the layer 4 ISDB. If Application Control can identify the new session as a known application, SD-WAN is applied to the session according to the matching SD-WAN rule. SD-WAN then routes all of the packets in the session according to the selected SD-WAN rule. If Application Control cannot match a new session with an application in the layer 4 ISDB, the implicit SD-WAN rule is applied to the session. As the session is being processed by the implicit SD-WAN rule, layer 7 Application Control attempts to identify the application. If the application can be identified, the ISDB is extended by adding a layer 4 match record for the application to the ISDB cache. New sessions can then be matched and routed by SD-WAN using both the ISDB and the ISDB cache.

Stateful inspection/policy lookup/session management
Stateful inspection looks at the first packet of a session and looks in the policy table to make a security decision about the entire session. Stateful inspection looks at packet TCP SYN and FIN flags to identify the start and end of a session, the source/destination IP, source/destination port and protocol. Other checks are also performed on the packet payload and sequence numbers to verify it as a valid session and that the data is not corrupted or poorly formed. When the first packet of a session is matched in the policy table, stateful inspection adds information about the session to its session table. So when subsequent packets are received for the same session, stateful inspection can determine how to handle them by looking them up in the session table (which is more efficient than looking them up in the policy table). Stateful inspection makes the decision to drop or allow a session and apply security features to it based on what is found in the first packet of the session. Then all subsequent packets in the same session are processed in the same way. When the final packet in the session is processed, the session is removed from the session table. Stateful inspection also has a session idle timeout that removes sessions from the session table that have been idle for the length of the timeout. See the Stateful Firewall Wikipedia article.

Session helpers
Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall. FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall. FortiOS includes the following session helpers: PPTP, H323, RAS, TNS, TFTP, RTSP, FTP, MMS, PMAP, SIP, DNS-UDP, RSH, DCERPC, MGCP.

User authentication
User authentication added to security policies is handled by the stateful inspection, which is why firewall authentication is based on IP address. Authentication takes place after policy lookup selects a policy that includes authentication.

Device identification
Device identification is applied if required by the matching policy.

SSL VPN
Local SSL VPN traffic is treated like special management traffic as determined by the SSL VPN destination port. Packets are decrypted and are routed to an SSL VPN interface. Policy lookup is then used to control how packets are forwarded to their destination outside the FortiGate. SSL encryption and decryption is offloaded to and accelerated by CP8 or CP9 processors.

Local management traffic
Local management traffic terminates at a FortiGate interface. This can be any FortiGate interface, including dedicated management interfaces. In multiple VDOM mode, local management traffic terminates at the management interface. In transparent mode, local management traffic terminates at the management IP address. Local management traffic includes administrative access, some routing protocol communication, central management from FortiManager, communication with the FortiGuard network and so on. Management traffic is allowed or blocked according to the Local In Policy list, which lists all management protocols and their access control settings. You configure local management access indirectly by configuring administrative access and so on. Management traffic is processed by applications such as the web server which displays the FortiOS GUI, the SSH server for the CLI, or the FortiGuard server to handle local FortiGuard database updates or FortiGuard Web Filtering URL lookups. Local management traffic is not involved in subsequent stateful inspection steps. SSL VPN traffic terminates at a FortiGate interface similar to local management traffic. However, SSL VPN traffic uses a different destination port number than administrative HTTPS traffic and can thus be detected and handled differently.

UTM/NGFW
If the policy matching the packet includes security profiles, then the packet is subject to Unified Threat Management (UTM)/Next Generation Firewall (NGFW) processing. UTM/NGFW processing depends on the inspection mode of the security policy: flow-based (single pass architecture) or proxy-based. Proxy-based processing can include explicit or transparent web proxy traffic. Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors. Single-pass flow-based UTM/NGFW inspection identifies and blocks security threats in real time as they are identified, using single-pass Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats. Packets are then subject to botnet checking to make sure they are not destined for known botnet addresses. Proxy-based UTM/NGFW inspection can apply both flow-based and proxy-based inspection. Packets initially encounter the IPS engine, which can apply single-pass flow-based IPS and Application Control (as configured). The packets are then sent to the proxy for proxy-based inspection. Proxy-based inspection can apply VoIP inspection, DLP, Email Filter (Anti-Spam), Web Filtering, Antivirus, and ICAP. Explicit web proxy inspection is similar to proxy-based inspection.

CP9 content processors
Most FortiGate models contain Security Processing Unit (SPU) Content Processors (CPs) that accelerate many common resource-intensive security-related processes. CPs work at the system level, with tasks being offloaded to them as determined by the main CPU. Capabilities of the CPs vary by model. Newer FortiGate units include CP9 processors. Older CP versions still in use in currently operating FortiGate models include the CP4, CP5, CP6, and CP8.

CP9 capabilities
The CP9 content processor provides the following services:
Flow-based inspection (IPS, application control etc.) pattern matching acceleration with over 10Gbps throughput
IPS pre-scan
IPS signature correlation
Full match processors
High performance VPN bulk data engine
IPsec and SSL/TLS protocol processor
DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197
MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180
HMAC in accordance with RFC2104/2403/2404 and FIPS198
ESN mode
GCM support for NSA "Suite B" (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256
Key Exchange Processor that supports high performance IKE and RSA computation
Public key exponentiation engine with hardware CRT support
Primality checking for RSA key generation
Handshake accelerator with automatic key material generation
True Random Number Generator
Elliptic Curve support for NSA "Suite B"
Sub public key engine (PKCE) to support up to 4096-bit operation directly (4k for DH and 8k for RSA with CRT)
DLP fingerprint support
TTTD (Two-Thresholds-Two-Divisors) content chunking; two thresholds and two divisors are configurable

Kernel
Traffic is now in the process of exiting the FortiGate. The kernel uses the routing table to forward the packet out the correct exit interface. The kernel also checks the NAT table and determines if the source IP address for outgoing traffic must be changed using SNAT. SNAT is typically applied to traffic from an internal network heading out to the internet. SNAT means the actual address of the internal network is hidden from the internet.

Egress
Before exiting the FortiGate, outgoing packets that are entering an IPsec VPN tunnel are encrypted and encapsulated. IPsec VPN encryption is offloaded to and accelerated by CP8 or CP9 processors. Traffic shaping is then imposed, if configured, followed by WAN Optimization. The packet is then processed by the TCP/IP stack and exits out the egress interface.
Q: Ingress packet flow
A:
Network Interface
TCP/IP stack
DoS Policy
IP integrity header checking
IPsec VPN decryption
Admission Control: Quarantine; FortiTelemetry; User Authentication
Kernel: Destination NAT; Routing (including SD-WAN); Stateful inspection/Policy Lookup/Session management; Session Helpers; User Authentication; Device Identification; SSL VPN; Local Management Traffic
UTM/NGFW: Flow-based inspection (NTurbo, IPSA, Botnet check); Proxy-based inspection; Explicit Web Proxy
Kernel: Forwarding; Source NAT (SNAT)

Q: Egress packet flow
A:
IPsec VPN Encryption
Traffic shaping
WAN Optimization
TCP/IP stack
Network Interface

Q: IP header integrity checking
A: Reads the packet headers to verify that the packet is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification that is done at this step is to ensure that the protocol header is the correct length. If it is, the packet is allowed to carry on to the next step. If not, the packet is dropped.

Q: DoS module
A: Inspects all traffic flows but only tracks packets that can be used for DoS attacks (for example, TCP SYN packets), to ensure they are within the permitted parameters. Suspected DoS attacks are blocked; other packets are allowed.

Q: FortiOS architecture (pic) (4 layers)
A: Configuration layer; user space; kernel; hardware

Q: What is the heart of FortiOS? Explain.
A: Kernel

Q: What bridges the kernel and the hardware?
A: Device drivers

Q: What runs in the user space in the FortiOS architecture?
A: Application processes and daemons

Q: What runs in the configuration layer of the FortiOS architecture (4)?
A: CLI; GUI; API; FMG

Q: What architecture is FortiOS?
A: 64-bit x64. Refers to a 64-bit CPU and OS instead of a 32-bit system, meaning the CPU can process 64-bit chunks of data compared to 32-bit chunks. 64-bit can access 2^64 memory addresses (18 quintillion bytes of RAM); 2^32 is only 4GB of RAM. 64-bit can also perform more calculations per second, and the processors can be multi-core.

Q: Memory paging
A: A portion of the hard disk can act as virtual RAM when there is not enough RAM available. The portion that acts as this is called the page file. Memory paging is when the OS moves pages of memory to the hard disk page file when RAM space is low and it needs to make room for other current processes. Reliance on paging can impair performance. Accessing the page file is slower than actual RAM.

Q: Difference between swap files and page files
A: Swapping is when a whole process is transferred to disk; paging is when part of a process is transferred back and forth as needed.

Q: Does FortiOS need to use memory paging?
A: No

Q: Why doesn't the kernel need to use memory paging to access the whole memory space?
A: All the memory space is directly accessible to the kernel because of the 64-bit architecture.

Q: Command to show the total amount of system memory (memtotal) and the amount of free memory (memfree)
A: diagnose hardware sysinfo memory

Q: How does the kernel access the ENTIRE memory?
A: Directly

Q: Five main purposes for which FortiGate allocates memory
A: Kernel memory slabs; system I/O cache; buffers; shared memory; process memory

Q: What is a kernel memory slab, and 7 examples of kernel slabs?
A: A collection of objects with a common purpose and fixed size. Used by the kernel to store information in memory.
tcp_session: TCP session
ip_session: non-TCP session
ip_dst_cache: route cache
buffer_head: read/write data from disk, flash
inode_cache: information about files and directories
dentry_cache: cache for file system directory entries
arp_cache: cache for ARP

Q: Command to check how much memory is being allocated to kernel slabs
A: diagnose hardware sysinfo slab

Q: How to calculate memory allocated to each kernel slab (2) (involves math)
A: Run diag hardware sysinfo slab. Multiply the available objects in the slab (num_objects) by the size (objsize).

Q: What command can you use to identify how much memory the session table is using, or if the FortiGate model is too small for the amount of traffic crossing the device, and what should you do if the session memory value is too high?
A: diag hardware sysinfo slab. Look at the memory allocated to TCP and IP sessions by multiplying num_obj by objsize. If too high, get a bigger FGT or tune session TTLs.

Q: Total slab size
A: Available objects x object size

Q: There are no _____ reads and writes made to hard disks or flash disks. Each one is done through a ____ held in memory called the ______.
A: Direct; cache; system IO cache

Q: System IO cache, and examples of operations sped up by this cache
A: Used to speed up access to information stored in the hard and flash disk memories. Logging; WAN optimization; explicit proxy

Q: When is an IO cache page labeled as active, and when is it labeled as inactive?
A: Active if it has been recently used or modified. Enters the inactive state after it has not been used for some time.

Q: Two types of system IO cache
A: Active and inactive

Q: What is the system IO cache made of, and what size?
A: Made of pages, 4K in size; disk blocks are 1K in size.

Q: Command to display the total amount of memory allocated for the I/O cache
A: diagnose hardware sysinfo memory; check "cached"

Q: The system IO cache value is a sum of all ___ and ___ pages.
A: Active and inactive pages (see diagnose hardware sysinfo memory)

Q: How is memory allocated to each process that runs above the kernel layer in the user space?
A: As separate blocks of memory for each process

Q: Can processes access the memory allocated to other processes?
A: No, only the memory allocated to that specific process

Q: If processes are allocated individual blocks of memory, how can they share information with each other?
A: The OS dynamically allocates shared memory (SHM) so multiple processes can share information.

Q: Command to see shared memory, and what is shared memory?
A: SHM is memory allocated dynamically to multiple processes so they can share information with each other. diagnose hardware sysinfo shm (shows total, free, avail, alloc)

Q: How do user space daemons share info?
A: The OS dynamically allocates shared memory.

Q: Command to show how much memory space is being used by each process (displays ID number, state, CPU use), and how can you sort the list by CPU use and memory?
A: Use diag sys top <refresh time in sec> <num lines>; Shift+P for CPU; Shift+M for memory

Q: cmdbsvr
A: Process that applies config changes

Q: miglogd
A: Process that controls log collection and automation stitches

Q: httpsd
A: Process that controls GUI access

Q: sslvpnd
A: SSL VPN process

Q: updated
A: Process that controls FortiGuard updates

Q: wad
A: Process for WAN optimization, explicit proxy, and proxy-based inspection for HTTP, HTTPS and FTP

Q: scanunitd
A: File scanning process

Q: iked
A: IPsec process

Q: pppoed
A: PPPoE process

Q: hatalk, hasync
A: HA protocol and sync processes

Q: pptpd, l2tpd
A: PPTP and L2TP protocol processes

Q: authd
A: User authentication process

Q: fssod
A: FSSO process

Q: proxyworker
A: Proxy-based inspection process for IMAP, POP and SMTP

Q: Command to show the state of each process, and what are the 4 states?
A: diag sys top. Sleeping (S); Running (R); Do not disturb (D); Zombie (Z)

Q: Which process states are normal, and which are not?
A: S and R are normal. D is normal if brief. Z is not normal. D is not normal for a long time (indicates the process is not working properly).

Q: What is a fork?
A: System call to create a new process (child process) from an existing process (parent process)

Q: Describe the process diagram.

Q: Command to show firmware version, FGDB version, license status, operation mode, number of VDOMs, system time, etc.; should be the first command in troubleshooting
A: get system status

Q: Command to see resource usage, including overall memory and CPU use, session creation rate, number of viruses caught, number of attacks blocked by IPS, system uptime, and a quick view of how much traffic the device is handling
A: get system performance status

Q: Command to enable real-time application debug, and some apps (daemons) that can be debugged in real time (4)
A: diag debug application <app name> <debug level>
   di de en
   ike; snmpd; sslvpnd; authd; updated

Q: What is the debug level for real-time debugs?
A: Bit value that specifies which messages are displayed. 0 means no output (disabled); -1 means enable all possible message types.

Q: Debug 0
A: Disabled, no output

Q: Debug -1
A: Enable all possible message types

Q: IPsec real-time debug
A: diag debug app ike -1
   di de en

Q: Option to prepend a timestamp to each debug line
A: diagnose debug console timestamp enable

Q: Command to disable all application debugging
A: diagnose debug reset

Q: Why is it important to disable real-time debugging after using it?
A: It consumes FortiGate resources and can be CPU intensive.

Q: What are application layer test commands for?
A: They don't display information in real time, but show statistics and config information about a feature or process. Can also be used to restart a process or execute a change in operation.
   diagnose test application _____
   Options (12): Mm17; smtp; ftpd; pop3; imap; nntp; forticldd; miglogd; urlfilter; ipsmonitor (IPS monitor); ipsengine (IPS sensor); ipldbd (IP load balancing daemon)

Q: Conserve mode
A: A protection mechanism that is triggered by the FortiGate when it does not have enough memory available to handle traffic. It prevents using so much memory that the FortiGate becomes unresponsive.

Q: What is the conserve mode trigger based on?
A: Memory use

Q: When is it likely for the FortiGate to go into conserve mode?
A: When the FortiGate is using content inspection (especially proxy-based) or AV, because it's more likely to increase memory use.

Q: How can you identify if a process is using too much memory so the FortiGate doesn't go into conserve mode?
A: diag sys top

Q: What three memory thresholds can you configure in the CLI for conserve mode?
A: Extreme: when the FortiGate starts dropping new sessions. Red: when the FortiGate enters conserve mode. Green: when the FortiGate exits conserve mode.

Q: Command to change the default conserve mode values, and what are the defaults for each?
A: config sys global
   set memory-use-threshold-extreme / memory-use-threshold-red / memory-use-threshold-green
   Extreme default: 95; red default: 88; green default: 82

Q: What is the default at which the FortiGate drops new sessions for conserve mode?
A: 95

Q: Default at which the FortiGate enters conserve mode
A: 88

Q: What two places can you view logs for conserve mode, and what will the message be?
A: Log & Report > Events > System Events. Message: kernel enter memory conserve mode

Q: If the GUI is unresponsive, what should you do?
A: View the crash log in the CLI for conserve mode messages and try to look for processes using too much memory: diagnose debug crash log read

Q: What is AV failopen? CONTINUED..

Institution: NSE 7 Enterprise Firewall
Course: NSE 7 Enterprise firewall