EMEA-Advanced-Support Questions and Answers

A hybrid cloud combines on-premises infrastructure (local datacenter) with public cloud resources, allowing workloads to operate across both environments for flexibility and scalability. Fortinet solutions like FortiGate-VM support hybrid cloud deployments. Option A refers to hardware diversity, C to OS variety, and D to architecture types, none of which define hybrid cloud. Exact extract: "Hybrid cloud is the combination of public cloud services with an on-premises private cloud or datacenter... This allows customers to run some systems in the public cloud and others in their local datacenter, managed seamlessly."

An Intrusion Prevention System (IPS) actively blocks malicious traffic, such as code execution or injection attacks, by matching against known signatures or anomalies, protecting the webserver until patches are applied. Intrusion Detection System (IDS) only detects and alerts, not blocks. Anti-virus and anti-rootkit are less effective for web-based attacks. The original document’s answer B is incorrect, as IDS does not prevent attacks. Exact extract: "IPS provides active protection by blocking malicious traffic based on signatures or anomaly detection... Unlike IDS, which only detects and alerts, IPS can drop packets to prevent attacks like code execution or SQL injection."

A Virtual IP (VIP) in FortiGate maps an external IP address to an internal IP for Destination NAT (DNAT), commonly used for accessing internal servers from external networks. It is not for VLANs (B), secondary IPs (C), or VPN load balancing (D). Exact extract: "Virtual IPs (VIPs) are used for Destination NAT, mapping an external IP address to an internal IP to allow external access to internal resources, such as servers."

FortiGate operates on a default-deny principle; if a packet does not match any firewall policy, it is dropped to ensure security. No forwarding (A), IPS processing (C), or automatic allowing (D) occurs without a matching policy. Exact extract: "FortiGate uses a default-deny approach; packets that do not match any configured firewall policy are dropped to prevent unauthorized traffic."

FortiGate uses SSH (Secure Shell) by default for secure management access, providing encrypted command-line access. Telnet (A) and HTTP (C) are insecure, and SNMP (D) is for monitoring, not management. Exact extract: "FortiGate enables SSH by default for secure management access, providing encrypted CLI access to administrators."

In OSPF, the Area Border Router (ABR) generates Type-4 Summary LSAs to advertise the location of an Autonomous System Boundary Router (ASBR) to other areas. This LSA informs routers in different areas how to reach the ASBR for external routes. ASBR generates Type-5 LSAs for external routes, but ABR summarizes them with Type-4. Not all routers or stub routers do this. Exact extract: This article describes the basic steps to configure FortiGates in an OSPF scenario where the FortiGates will be ABR and ASBR OSPF routers across 3 areas. Router3 is the Autonomous System Border Router (ASBR). It routes all traffic to the ISP BGP router for internet access. It redistributes routes from BGP and ... Type 4 LSAs exist to let the area know the router-id of the ASBR, so the routers can look at the type 5 route, find advertising-router, and map ... An ASBR summary LSA is generated by an ABR and describes the location of an ASBR (Autonomous System Boundary Router) that connects to an external network. The FortiGate in the middle shall be a ABR between the two areas. But I don't want R2 in area 0.0.0.0 to have every /32 route for every VPN client. So I tried ...

The ‘diagnose vpn tunnel list’ command on FortiGate displays detailed status information about IPsec VPN tunnels, including phase 1 and phase 2 states, uptime, and traffic statistics. Options B, C, and D are not valid FortiGate commands for this purpose. Exact extract: "Use diagnose vpn tunnel list to view the status of IPsec VPN tunnels, including phase 1 and phase 2 details, such as SA status, uptime, and traffic counters."

FortiGate’s SSL Inspection feature decrypts and inspects SSL/TLS traffic to detect threats or enforce policies, using techniques like full SSL inspection or certificate inspection. Deep Packet Inspection (A) is a broader term, Application Control (C) identifies apps, and Web Filtering (D) blocks URLs, not specific to SSL. Exact extract: "SSL Inspection allows FortiGate to decrypt and inspect SSL/TLS traffic to detect hidden threats or enforce security policies, supporting full or certificate-based inspection."

BGP path selection follows a specific order of attributes to determine the best path. The process prefers the path with the highest local preference first, as it is one of the earliest steps in the decision process. Local preference is used within an AS to influence outbound traffic. Only if local preferences are equal does it move to the next criteria, such as shortest AS path. The AS path length is considered after local preference, MED after that, and eBGP over iBGP even later. Therefore, among the options, the highest local preference (D) is the most preferred criterion. The original document's answer B is incorrect based on standard BGP selection rules implemented in Fortinet. Exact extract: This article describes the BGP route selection process. Scope FortiGate. Solution Consider only routes with no AS loops and a valid next hop. BGP makes routing decisions based on path, network policies and rulesets ... select the route with the lowest router ID as the best path. Network. Type. To achieve this, multiple route selection techniques can be used. Some are protocol-agnostic (for example, weight) and others are protocol-specific (for example ...).

An ARP (Address Resolution Protocol) request is broadcast to resolve an IP address to a MAC address. The source MAC is the sender’s MAC address, and the destination MAC is the broadcast address (FF:FF:FF:FF:FF:FF) to reach all devices on the local network. Fortinet devices handle ARP for Layer 2 communication. Options B, C, and D are incorrect as switches don’t originate ARP requests, the target’s MAC is unknown, and ARP uses broadcast, not multicast. Exact extract: "In an ARP request, the source MAC address is that of the sending device, and the destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF), sent to all devices in the local network segment."