Which two statements describe how the RPF check is used? (Choose two.)
The Reverse Path Forwarding (RPF) check is run on the first packet of any new session, in the original direction only, to verify that the packet arrived on a legitimate interface. FortiGate looks up the packet's source IP address in the routing table and confirms that a route back to that source exists through the interface the packet arrived on: in strict mode the best route must point out that interface, while in the default feasible-path (loose) mode any route through that interface is enough. If no such route exists, the packet is dropped. This protects the network from IP spoofing, since a packet claiming an address that could not legitimately have come in on that interface is discarded before any policy lookup. Reply packets are not checked because they belong to an existing session. Options B and C are incorrect because RPF checks are performed on the first sent packet, not the reply packet.
FortiOS 7.4.1 Administration Guide: Reverse Path Forwarding (RPF) Check
Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)
To bring phase 1 up, the options are evaluated as follows:
A. On HQ-FortiGate, disable Diffie-Hellman group 2: This is incorrect because Diffie-Hellman group 2 is already selected on both devices, so it is a group the peers have in common. Disabling it would not help.
B. On Remote-FortiGate, set port2 as Interface: This is incorrect. The IKE interface on each side must be the interface that actually reaches the peer, and the configuration in the exhibit already uses port1 on both FortiGates; changing it on one side does not address the negotiation failure.
C. On both FortiGate devices, set Dead Peer Detection to On Demand: This is a valid option. With DPD set to On Demand, a FortiGate sends DPD probes only when it has outbound traffic for the peer and has received nothing back, so a peer that has gone away is detected and the security association is torn down and renegotiated instead of being left half-open. This helps in cases where the tunnel fails to re-establish because of a stale association or timeout.
D. On HQ-FortiGate, set IKE mode to Main (ID protection): This is also a valid option because Remote-FortiGate is already set to Main mode (ID protection). For IKEv1 both ends must use the same exchange mode (both Main or both Aggressive), or the phase 1 proposal is rejected before the pre-shared key is ever checked.
Thus, the correct answers are: C. On both FortiGate devices, set Dead Peer Detection to On Demand. D. On HQ-FortiGate, set IKE mode to Main (ID protection).
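The parameters that must agree for phase 1 to complete (IKE version, exchange mode for IKEv1, an overlapping encryption/authentication proposal, a common Diffie-Hellman group, and the pre-shared key) are the ones worth comparing when a tunnel refuses to come up. The following is an added example, not code from the page or from Fortinet, that compares two peers' phase 1 settings and lists every reason negotiation would fail. The HQ_FORTIGATE and REMOTE_FORTIGATE settings are constructed for illustration and are not the values in the exhibit; DPD is deliberately not compared, because it is a liveness setting that takes effect after the security association exists rather than a proposal attribute.

```python
import hmac
from copy import deepcopy

# Constructed phase 1 settings for the two peers (assumed values for
# illustration, not the ones shown in the exhibit).
HQ_FORTIGATE = {
    "ike_version": 1,
    "mode": "aggressive",                               # "main" = ID protection
    "proposals": {("aes256", "sha256"), ("aes128", "sha1")},
    "dh_groups": {2, 14},
    "psk": "correct horse battery staple",
    "dpd": "on-idle",                                   # liveness only, not negotiated
    "interface": "port1",
}
REMOTE_FORTIGATE = {
    "ike_version": 1,
    "mode": "main",
    "proposals": {("aes256", "sha256")},
    "dh_groups": {14},
    "psk": "correct horse battery staple",
    "dpd": "on-demand",
    "interface": "port1",
}


def phase1_mismatches(a, b):
    """Return the reasons phase 1 cannot complete between peers a and b.

    An empty list means the two configurations are compatible. DPD is
    intentionally ignored: peers with different DPD settings still negotiate.
    """
    reasons = []
    if a["ike_version"] != b["ike_version"]:
        reasons.append(f"IKE version mismatch: {a['ike_version']} vs {b['ike_version']}")
        return reasons                      # nothing else is comparable across versions
    # Main/Aggressive mode exists only in IKEv1 and must match on both ends.
    if a["ike_version"] == 1 and a["mode"] != b["mode"]:
        reasons.append(f"IKE mode mismatch: {a['mode']} vs {b['mode']}")
    if not (a["proposals"] & b["proposals"]):
        reasons.append("no common encryption/authentication proposal")
    if not (a["dh_groups"] & b["dh_groups"]):
        reasons.append("no common Diffie-Hellman group")
    # Compare the shared secret in constant time, as for any secret comparison.
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        reasons.append("pre-shared key mismatch")
    return reasons


def with_changes(peer, **changes):
    """Copy of a peer's settings with the given fields overridden (a proposed fix)."""
    fixed = deepcopy(peer)
    fixed.update(changes)
    return fixed


if __name__ == "__main__":
    print("before:", phase1_mismatches(HQ_FORTIGATE, REMOTE_FORTIGATE))
    print("after: ", phase1_mismatches(with_changes(HQ_FORTIGATE, mode="main"), REMOTE_FORTIGATE))
```

Run it to see that, with these constructed settings, the only blocker is the exchange mode; re-running after the mode is changed on one side reports no mismatches, while the differing DPD settings never appear in the output.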
How can you disable RPF checking?
To disable RPF (Reverse Path Forwarding) checking on a FortiGate interface, disable the src-check option for that interface (under config system interface in the CLI). Traffic arriving on that interface is then accepted without verifying, against the routing table, that the interface has a route back to the packet's source address. This removes the anti-spoofing protection for that interface, so it should be done only where asymmetric routing makes the check fail legitimately and the interface is otherwise trusted; where possible, fixing the routing or using the default feasible-path mode instead of strict mode is preferable to turning the check off.
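The RPF decision described above (first packet of a session, strict versus feasible-path mode, and the effect of src-check being disabled) is small enough to simulate. The block below is an added example, not code from the page or from FortiOS: it applies the check to a constructed routing table using longest-prefix matching, with strict mode accepting only the best route(s) and feasible-path mode accepting any route to the source through the ingress interface, following the RFC 3704 semantics in which a default route counts as a feasible path. The ROUTES table and interface names are assumptions.

```python
import ipaddress

# Constructed routing table for illustration: (prefix, outgoing interface).
# port1 = WAN (default route), port2 = LAN, port3 = a more specific subnet.
ROUTES = [
    ("0.0.0.0/0", "port1"),
    ("10.10.0.0/16", "port2"),
    ("10.10.5.0/24", "port3"),
]


def routes_to(src_ip, routes=ROUTES):
    """All routes that cover src_ip, best (longest prefix) first."""
    ip = ipaddress.ip_address(src_ip)
    matches = [(ipaddress.ip_network(prefix), iface)
               for prefix, iface in routes
               if ip in ipaddress.ip_network(prefix)]
    matches.sort(key=lambda m: m[0].prefixlen, reverse=True)
    return matches


def rpf_check(src_ip, ingress, routes=ROUTES, strict=False, src_check=True):
    """Decide whether the first packet of a new session from src_ip, arriving on
    interface `ingress`, passes the RPF check.

    src_check=False models 'set src-check disable' on the ingress interface;
    strict=True models strict RPF, strict=False the default feasible-path mode.
    """
    if not src_check:
        return True                          # check disabled on this interface
    matches = routes_to(src_ip, routes)
    if not matches:
        return False                         # no route back to the source at all
    if strict:
        best = matches[0][0].prefixlen       # only the best route(s) count (ECMP allowed)
        return any(iface == ingress for net, iface in matches if net.prefixlen == best)
    # Feasible path: any route to the source through the ingress interface is enough.
    return any(iface == ingress for _, iface in matches)


if __name__ == "__main__":
    # A packet claiming an internet address but arriving from the LAN is dropped.
    print("spoofed 192.0.2.50 on port2:", rpf_check("192.0.2.50", "port2"))
    # The same source arriving on the WAN interface passes via the default route.
    print("192.0.2.50 on port1:", rpf_check("192.0.2.50", "port1"))
    # A host behind port3 arriving on port2: feasible path passes, strict does not.
    print("10.10.5.7 on port2, loose:", rpf_check("10.10.5.7", "port2"))
    print("10.10.5.7 on port2, strict:", rpf_check("10.10.5.7", "port2", strict=True))
```

The port2 case is the one that bites in asymmetric-routing deployments: a less specific route through the ingress interface satisfies feasible-path mode but not strict mode, which is why the usual fix is to correct the routing or relax strict mode rather than disable src-check on the interface.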
Refer to the exhibit which contains a RADIUS server configuration.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What is the impact of using the Include in every user group option in a RADIUS configuration?
By selecting the 'Include in every user group' option, FortiGate automatically adds this RADIUS server as a member of every user group, including groups created later. Any user the server authenticates is therefore treated as a member of all user groups, so every firewall policy, authentication rule or VPN portal mapping that references a user group will match that user. This is convenient in small deployments but grants broad access: the option should be enabled only when every user the RADIUS server can authenticate is meant to receive the permissions of every group. Otherwise, add the server to the specific groups that need it and restrict membership by RADIUS group attribute (for example, the Fortinet-Group-Name attribute returned by the server).
Refer to the exhibit.
FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?
To consolidate the two separate firewall policies for the Sales and Engineering departments accessing the same web server, group port1 (Sales) and port2 (Engineering) into a single interface group and use that group as the incoming interface of one firewall policy carrying the same destination, service, action and security profiles. This reduces the number of policies and makes management more efficient. Consolidation is only safe when the two policies differ in their source interface alone; if they differ in source address, schedule, NAT, or logging settings, merging them would give one department the access intended for the other, and they should stay separate.
FortiOS 7.4.1 Administration Guide: Firewall Policy Configuration