Pass NSE7_NST-7.2 Exam Guide

Understanding protocol states:

proto_state=00: Indicates no traffic or a closed session.

proto_state=01: Typically indicates one-way ICMP traffic or a partially established TCP session.

proto_state=10: Indicates an established TCP session, where the session has completed the three-way handshake and both sides can send and receive data.

proto_state=11: Often indicates a fully established and active bidirectional session.

Explanation of correct answer:

proto_state=10is the correct indication for an established TCP session as it signifies that the session is fully established and active.

References

Fortinet Network Security 7.2 Support Engineer Documentation

Fortinet Firewall Protocol State Documentation

SNI and Certificate Mismatch:When the Server Name Indication (SNI) does not match either the Common Name (CN) or any of the Subject Alternative Names (SAN) in the server certificate, FortiGate's default behavior is to consider this as an invalid SSL/TLS configuration.

Default Action:FortiGate, under default settings for SSL certificate inspection, will close the connection to prevent potential security risks associated with mismatched certificates.

References:

Fortinet Community: SSL Certificate Inspection Configuration and Behavior​(Welcome to the Fortinet Community!)​.

The session table entry provided shows detailed information about a specific network session passing through the FortiGate device. From the session details, we can see that the session has various attributes such as state, protocol, policy, and inspection details.

The session state (proto_state=11) indicates that the session is being actively processed and inspected.

Thenpd_state=00000000suggests that the session is being handled by the CPU rather than offloaded to a Network Processor (NP).

The session is marked for security profile inspection, evident from the detailed byte/packet counts and other session parameters.

From these indicators, it's clear that FortiGate is using its CPU to perform security profile inspection on this session rather than simply forwarding the traffic without inspection or relying solely on IPS inspection.

References

Fortinet Documentation on Session Table

Fortinet Community Discussion on Session Table

Session Synchronization:

FortiGate HA (High Availability) ensures that active sessions are synchronized between the primary and secondary devices. This synchronization allows for seamless failover and continuity of sessions.

Handling NAT Sessions:

The session in the exhibit has NAT applied, as indicated by thehook=post dir=org act=snatentry. FortiGate's HA setup is designed to handle such sessions, ensuring that traffic continues without interruption during failover.

Session Preservation:

Even with the presence of NAT, the session state is preserved across the HA devices. This means that ongoing sessions do not require re-establishment by the client, thus providing a seamless experience.

References:

Fortinet Documentation: HA session synchronization and failover

Fortinet Community: Understanding session synchronization in FortiGate HA