An employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?
According to the book, page 287, it should be B and C.
When connected to SSL VPN over high latency connections, FortiGate can time out the client before the client can finish the negotiation process, such as DNS lookup and time to enter a token. Two new CLI commands under config vpn ssl settings have been added to address this. The first command allows you to set up the login timeout, replacing the previous hard timeout value. The second command allows you to set up the maximum DTLS hello timeout for SSL VPN connections.
It is C. In a Fortinet SSL VPN, the "dtls-hello-timeout" setting defines the maximum time a FortiGate will wait for an initial "Hello" message from a client during the DTLS (Datagram Transport Layer Security) handshake process, essentially setting a time limit for establishing a secure connection before considering the attempt failed due to network latency or issues with the client device. This is crucial for preventing prolonged connection attempts and improving overall VPN connection stability.
The SSL VPN login-timeout in FortiGate controls the amount of time that the SSL VPN waits before disconnecting
SSL VPN dtls-hello-timeout: This setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message.
SSL VPN login-timeout: This setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.
For high latency client connections, you can adjust the dtls-hello-timeout settings. This is detailed in the FCP FGT admin study guide on pages 287 through 289.
Another reason why B is the correct answer is: you have to manually reconfigure FortiClient to DTLS.
To use DTLS with FortiClient: Go to File -> Settings and enable 'Preferred DTLS Tunnel'.
allows more time for the SSL handshake to complete, which is essential in a high-latency environment to prevent the handshake from timing out prematurely
Correct answer: C. SSL VPN dtls-hello-timeout
Explanation:
Both login-timeout and dtls-hello-timeout are mentioned as important adjustments for solving SSL VPN connection issues in high-latency networks. However, dtls-hello-timeout specifically addresses the timeout for DTLS negotiation, which is crucial for UDP connections.
This is supported by the FortiGate Administrator Study Guide 7.4, on page 287, where it is stated that both parameters should be adjusted in high-latency environments, but dtls-hello-timeout is more relevant to negotiation problems.
Adjusting both is best practice, but for this scenario, dtls-hello-timeout is the most appropriate answer.
I know most people will pick B, while C also looks like a feasible option... me too, I will go for B.
>> High latency, let's say an RTT of 500 ms, is still very unlikely to impact the DTLS handshake cycle, whose timeout is on the order of seconds.
Both B and C are correct.
A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues. If the FortiOS version is compatible, upgrade to one of these versions. Latency or poor network connectivity can cause a login timeout on FortiGate. In v5.6.0 and later, use the following commands to allow a user to increase the SSL VPN login timeout setting.
config vpn ssl settings
    # default is 30
    set login-timeout 180
    # default is 10
    set dtls-hello-timeout 60
end
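For readers who want to see the whole procedure in one place, the following is an added example of the FortiGate CLI sequence; it is not part of the KB excerpt above and not Fortinet's own documentation. The values 60 and 180 are the ones the excerpt uses; treating them as the upper ends of the accepted ranges, and the use of `#` lines as comments in the FortiOS CLI, are assumptions from my own experience with FortiOS and should be confirmed on your firmware with `set dtls-hello-timeout ?` and `set login-timeout ?`.

```text
# Added example (not from the original page): raise both SSL VPN timeouts
# on the FortiGate side for clients behind a high-latency link.
# Range values in the comments are an assumption; check them with "set <option> ?".

# 1. Look at the current values. "show" prints only non-default settings,
#    so on an untouched box it will not list these two options at all;
#    "show full-configuration" prints every option, including defaults.
show full-configuration vpn ssl settings

# 2. Apply the change. Both options live under the same config context.
config vpn ssl settings
    # FortiGate-side switch for DTLS. FortiClient must also have
    # "Preferred DTLS Tunnel" enabled (File -> Settings), otherwise
    # the tunnel falls back to TLS over TCP and dtls-hello-timeout is moot.
    set dtls-tunnel enable
    # How long to wait for the client's DTLS hello. Default 10 s, assumed range 10-60.
    set dtls-hello-timeout 60
    # How long the user has to finish logging in (DNS lookup, token entry, etc.).
    # Default 30 s, assumed range 10-180.
    set login-timeout 180
end

# 3. Verify. Because both values now differ from their defaults,
#    plain "show" is enough to confirm they took effect.
show vpn ssl settings
```

If you only want to tune one of the two, leave the other line out; the weak setting in this scenario is simply the default on each option, so the "before" state is whatever step 1 prints on an unmodified FortiGate.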
I think that the most correct answer would be C, but I have doubts because there are portals that indicate it is a configuration where both the DTLS and login timeouts must be set, so perhaps it would be B and C. I leave a part of the manual where they indicate the scenario for using DTLS:
"Many factors can contribute to slow throughput. This recommendation tries to improve throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above. DTLS allows SSL VPN to encrypt traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP."
C, because this setting determines how long the FortiGate will wait for a DTLS hello message from the client. For high-latency connections, increasing this timeout will prevent SSL VPN negotiation failures caused by delays in receiving the DTLS hello message. Imo not B, because this setting controls the maximum time allowed for a user to log in, but does not affect connection negotiation.
According to study guide page 287, B AND C are correct. The question is whether this example question is really close to the question in the real exam. Otherwise I prefer the dtls-hello-timeout, because it has a shorter default value.