Refer to the exhibit, which contains the output of a debug command.
If the default settings are in place, what can be concluded about the conserve mode shown in the exhibit?
A. FortiGate is currently blocking all new sessions regardless of the content inspection requirements or configuration settings due to high memory use.
B. FortiGate is currently allowing new sessions that require flow-based or proxy-based content inspection but is not performing inspection on those sessions.
C. FortiGate is currently blocking new sessions that require flow-based or proxy-based content inspection.
D. FortiGate is currently allowing new sessions that require flow-based content inspection and blocking sessions that require proxy-based content inspection.
I'd say that there is no correct answer, as the command says that the FortiGate is running with default settings.
The correct one would be:
"FortiGate is currently ALLOWING new sessions that require PROXY-based content inspection and BLOCKING sessions that require FLOW-based content inspection."
References:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Conserve-mode-changes/ta-p/198502
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/194558/conserve-mode
Agree?
No, I don't agree.
By default av-failopen-session is disabled and that particular option is responsible for new session behavior in proxy mode. The new sessions are blocked.
By default fail-open is disabled --> new sessions in flow-based inspection mode are blocked too.
Based on this
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/194558/conserve-mode
Proxy-based have default pass (no inspection)
Flow-based have default disable (drop sessions)
None of the answers are correct.
av-failopen-session kicks in not during a high memory situation (conserve mode), but when a proxy on FortiGate runs out of available sockets to process more proxy-based inspected traffic. So, none of the answers are correct!
When memory usage becomes extreme, all new sessions are dropped.
threshold extreme = 2887
threshold extreme = memory used + freeable
memory used + freeable = 2706 + 334 = 3034
3034 > 2887
The unit is in extreme mode, dropping all new sessions.
Your calculation does not make sense.
The "allowing" answers are not correct. Therefore my assumption is that it went to extreme mode at some stage, however it did not reach green state yet. Therefore the correct answer is C - block new proxy and flow sessions.
Default settings are:
(1) "av-failopen-session" is disabled by default. This blocks all proxy mode traffic.
(2) "av-failopen" is "pass" by default. However, since (1) is disabled it is irrelevant. For it to work, (1) must be enabled.
(3) "set fail-open" is disabled by default and drops all new sessions that require flow-based inspection.
Therefore by default in conserve mode all proxy/flow traffic is blocked. Hence only C is valid.
set av-failopen pass
Correct answer is indeed B. av-failopen-session is to address a connection pool issue, av-failopen is to address conserve mode (the topic at hand). One condition can exist without the other and, as the documentation notes, where both are occurring av-failopen is used to resolve any discrepancies (since it takes into account an entire system, not a single connection pool).
NSE7 Page 61, 62
Proxy Inspection While in Conserve Mode
Note that antivirus is only an example, this applies to all proxy-based inspections.
Antivirus failopen governs FortiGate behavior for proxy-based inspection while in conserve mode
config system global
set av-failopen {off | one-shot | pass}
set av-failopen-session {enable | disable}
end
set av-failopen-session – Enable or disable failopen
Default is disable
set av-failopen – Configure how sessions failopen
Pass – Stops inspecting new sessions. Inspection is automatically restarted when exiting conserve mode
Flow Inspection while in Conserve Mode
IPS failopen governs FortiGate behavior for flow-based inspection while in conserve mode
config ips global
set fail-open {enable | disable}
end
By default, IPS fail-open is disabled, which means the IPS engine drops all new sessions that require flow-based inspection, but tries to process all existing sessions. If IPS fail-open is enabled, the IPS engine does not perform any scan, but allows new packets.
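Added example (not Fortinet code and not from the study guide): a small Python model of how new sessions are treated under the settings quoted in this post, including the enter-at-red / leave-at-green hysteresis of conserve mode. The av-failopen-session gate follows the study-guide wording quoted above and is a modelling assumption, since the thread disputes whether it applies to conserve mode; the percentage thresholds are the memory-use-threshold-{green,red,extreme} defaults as I know them and should be verified on your firmware.

```python
from dataclasses import dataclass

@dataclass
class ConserveSettings:
    # Defaults as quoted in the thread (config system global / config ips global)
    av_failopen_session: bool = False  # set av-failopen-session disable
    av_failopen: str = "pass"          # set av-failopen {off | one-shot | pass}
    ips_fail_open: bool = False        # config ips global: set fail-open disable
    # Assumed default memory-use-threshold-{green,red,extreme} percentages
    green: int = 82
    red: int = 88
    extreme: int = 95

class ConserveModeTracker:
    """Tracks green / red (conserve) / extreme state with hysteresis:
    conserve mode is entered above red but only left once usage drops below green."""
    def __init__(self, settings: ConserveSettings):
        self.s = settings
        self.state = "green"

    def update(self, mem_used_pct: float) -> str:
        if mem_used_pct >= self.s.extreme:
            self.state = "extreme"
        elif mem_used_pct >= self.s.red:
            self.state = "red"
        elif mem_used_pct < self.s.green:
            self.state = "green"
        elif self.state == "extreme":
            self.state = "red"  # fell below extreme but not yet below green
        # between green and red while already red: stay in conserve mode
        return self.state

def new_session_verdict(settings: ConserveSettings, state: str, inspection: str):
    """Return (allowed, inspected) for a NEW session.
    inspection is one of 'none', 'flow', 'proxy'."""
    if state == "extreme":
        return (False, False)            # extreme: all new sessions are dropped
    if state == "green" or inspection == "none":
        return (True, inspection != "none")
    if inspection == "flow":
        # IPS fail-open disabled: drop new flow-inspected sessions;
        # enabled: accept them without scanning
        return (settings.ips_fail_open, False)
    # proxy-based: av-failopen-session must be enabled for av-failopen to apply
    if not settings.av_failopen_session or settings.av_failopen == "off":
        return (False, False)
    return (True, False)                 # pass / one-shot: accepted, not inspected
```

With every setting at its default, both flow- and proxy-inspected new sessions come back blocked in the red state, which is the reading behind option C in this thread.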
C correct
There are two settings, av-failopen-session and av-failopen. When you enable av-failopen-session, Fortinet applies the action configured in av-failopen.
By default Fortinet blocks new sessions (av-failopen-session disable).
Community vote distribution
A (35%)
C (25%)
B (20%)