FCP_FGT_AD-7.4 Content inspection

Detailed list of FCP_FGT_AD-7.4 knowledge points

Content Inspection Detailed Explanation

3.1 HTTPS Traffic Encryption Inspection

Encrypted HTTPS traffic requires inspection to identify potential threats hidden within the data. FortiGate supports two main modes of SSL/TLS inspection.

Inspection Modes
  1. Certificate Inspection:

    • Examines only the SSL/TLS handshake and certificate details, such as:
      • Validity of the certificate.
      • Issuing Certificate Authority (CA).
      • Domain matching the certificate.
    • Advantages:
      • No need to decrypt the content, ensuring faster performance.
      • Minimal impact on user privacy.
    • Limitations:
      • Cannot inspect the actual payload of the traffic for threats.
  2. Deep Inspection:

    • Decrypts the SSL/TLS traffic to perform a full inspection of the content.
    • Scans for malware, blocked categories, or unsafe data.
    • Requirements:
      • FortiGate must act as a "man-in-the-middle" to decrypt traffic.
      • Requires a trusted FortiGate CA certificate installed on client devices.
    • Advantages:
      • Comprehensive threat detection.
    • Limitations:
      • Higher resource usage and may raise privacy concerns.
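
The two modes differ in what they look at, and that difference is easiest to see from the client side. The following is an added illustration, not FortiGate code and not part of the course material: it implements the checks certificate inspection performs (validity window, issuing CA, host coverage) against the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and shows the one thing deep inspection leaves visible to a client, a server certificate whose issuer is the FortiGate CA. `SAMPLE_CERT`, `Example Corp`, `example.com` and the function names are constructed; `FortiGate_CA` is the certificate name the CLI example in the next section uses.

```python
"""Certificate inspection versus deep inspection, modelled on the client side.

Added illustration, not FortiGate code. The functions take the dictionary shape
that Python's ssl.SSLSocket.getpeercert() returns, so they can be pointed at a
live connection; the certificate below is constructed sample data.
"""
import ssl

# Constructed: what a client behind deep inspection sees for www.example.com.
# The issuer is the FortiGate CA because FortiGate re-signed the server certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "FortiGate_CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2035 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")  # fixed clock for repeatability


def _cn(name):
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_names(cert):
    """Names the certificate is valid for: SAN entries, falling back to the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    cn = _cn(cert.get("subject", ()))
    return [cn] if cn else []


def hostname_matches(pattern, hostname):
    """Wildcard rule as browsers apply it: '*' covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def certificate_inspection(cert, hostname, trusted_ca_cns, now=NOW):
    """The checks certificate inspection performs: validity window, issuing CA and
    whether the requested host is covered. Returns a list of findings; an empty
    list means the handshake looks clean. The payload is never read."""
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    issuer = _cn(cert.get("issuer", ()))
    if issuer not in trusted_ca_cns:
        findings.append("untrusted issuer: %s" % issuer)
    if not any(hostname_matches(n, hostname) for n in dns_names(cert)):
        findings.append("hostname mismatch")
    return findings


def deep_inspection_active(cert, fortigate_ca_cn):
    """True when the chain the client sees was re-signed by the FortiGate CA, i.e.
    deep inspection is in the path (which is also why pinned apps break)."""
    return _cn(cert.get("issuer", ())) == fortigate_ca_cn


def explain_client_warning(cert, hostname, client_trusted_ca_cns, fortigate_ca_cn, now=NOW):
    """Map a browser warning to the admin action; distinguishes 'inspection works
    but the CA is not deployed on this client' from a genuinely bad certificate."""
    findings = certificate_inspection(cert, hostname, client_trusted_ca_cns, now)
    if not findings:
        return "ok"
    if deep_inspection_active(cert, fortigate_ca_cn) and findings == ["untrusted issuer: %s" % fortigate_ca_cn]:
        return "deploy the FortiGate CA certificate to this client's trust store"
    return "; ".join(findings)


if __name__ == "__main__":
    print(certificate_inspection(SAMPLE_CERT, "www.example.com", {"FortiGate_CA"}))
    print(explain_client_warning(SAMPLE_CERT, "www.example.com", {"Example Root CA"}, "FortiGate_CA"))
```

`certificate_inspection` never touches the application data, which is exactly why it is cheap and why it cannot find malware; `explain_client_warning` encodes the troubleshooting point that a warning after enabling deep inspection normally means the FortiGate CA has not reached the client's trust store, not that inspection is broken.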
Deploying SSL Certificates
  1. Generate FortiGate CA Certificates:

    • Create a self-signed CA certificate in FortiGate to act as the intermediary for HTTPS traffic decryption.

    • Example CLI:

      config vpn certificate local
      edit "FortiGate_CA"
      set certificate "-----BEGIN CERTIFICATE-----..."
      set private-key "-----BEGIN PRIVATE KEY-----..."
      end
      
  2. Distribute Certificates to Clients:

    • Install the CA certificate on client devices so they trust the FortiGate during SSL/TLS inspection.
  3. Enable SSL/SSH Inspection in Policies:

    • Apply the inspection profile in the relevant firewall policy.

    • GUI: Policy & Objects > SSL/SSH Inspection > Create or Edit Profile.

    • CLI Example:

      config firewall policy
      edit 1
      set ssl-ssh-profile "deep-inspection"
      end
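
Step 2 is where deployments most often go wrong, so it is worth verifying on a client rather than assuming. The following is an added illustration, not FortiGate code and not part of the course material: it checks whether the FortiGate CA is present in a client's PEM trust bundle, comparing SHA-256 fingerprints rather than certificate names. The PEM bodies are constructed placeholders (base64 of arbitrary bytes, not real certificates), so only the bundle parsing and the fingerprint comparison are exercised; `FORTIGATE_CA_PEM`, the bundle variables and the function names are assumptions.

```python
"""Verify that the FortiGate CA used for deep inspection has reached a client's
trust store, matching by fingerprint rather than by name.

Added illustration, not FortiGate code. The PEM bodies are constructed
placeholders, so only the parsing and comparison logic runs here; point it at a
real CA PEM and a real bundle (for example a ca-certificates.crt file) for real use.
"""
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprint(pem_block):
    """SHA-256 fingerprint of one PEM certificate in the colon-separated form
    that FortiGate's certificate view and openssl x509 -fingerprint print."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text):
    """Fingerprints of every certificate in a PEM bundle (a trust store export)."""
    return {fingerprint(m.group(0)) for m in PEM_BLOCK.finditer(bundle_text)}


def ca_deployed(bundle_text, fortigate_ca_pem):
    """True when the FortiGate CA is in the bundle. Matching on the fingerprint
    catches the common mistake of a same-named CA exported from a different unit."""
    return fingerprint(fortigate_ca_pem) in bundle_fingerprints(bundle_text)


def _placeholder_pem(payload):
    # Constructed: wraps arbitrary bytes as a PEM block so the parsing path runs offline.
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample data, not real certificates.
FORTIGATE_CA_PEM = _placeholder_pem(b"placeholder: FortiGate_CA issued by this FortiGate")
OTHER_FORTIGATE_CA_PEM = _placeholder_pem(b"placeholder: FortiGate_CA from a different unit")
PUBLIC_ROOT_PEM = _placeholder_pem(b"placeholder: public root CA")
BUNDLE_OK = PUBLIC_ROOT_PEM + FORTIGATE_CA_PEM
BUNDLE_WRONG_CA = PUBLIC_ROOT_PEM + OTHER_FORTIGATE_CA_PEM

if __name__ == "__main__":
    print("FortiGate CA fingerprint:", fingerprint(FORTIGATE_CA_PEM))
    print("deployed:", ca_deployed(BUNDLE_OK, FORTIGATE_CA_PEM))
    print("deployed (wrong unit's CA):", ca_deployed(BUNDLE_WRONG_CA, FORTIGATE_CA_PEM))
```

Comparing the fingerprint from the FortiGate's certificate view with the one found on the client is the check to run before concluding that inspection itself is at fault when users see certificate warnings.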
      

3.2 Web Filtering

Web filtering helps control access to web content, ensuring compliance with security policies.

Category-Based Filtering
  1. Enable FortiGuard Web Filtering:

    • Use FortiGuard's dynamic database to classify websites into categories (e.g., gambling, social media).
    • Block or allow categories based on policy requirements.
    • Example GUI: Security Profiles > Web Filter > Enable Categories.
  2. Blocking Specific Categories:

    • Example CLI:

      config webfilter profile
      edit "WebFilter"
      config ftgd-wf
      config filters
      edit 1
      set category 4
      set action block
      next
      edit 2
      set category 5
      set action block
      end
      end
      end
      
    • Categories 4 and 5 correspond to gambling and malicious websites.

URL-Based Filtering
  1. Custom URL Blacklists/Whitelists:

    • Add specific URLs or domains to allow or block explicitly.
    • GUI: Web Filter > Static URL Filter.
  2. Regular Expressions for URL Matching:

    • Use regex to match patterns within URLs.

    • Example CLI:

      config webfilter urlfilter
      edit 1
      set name "URL_Filter"
      config entries
      edit 1
      set url "example.com"
      set type regex
      set action block
      end
      end
      

3.3 Application Control

FortiGate can identify and control application traffic using its signature database.

Application Identification
  1. FortiGate's Signature Database:
    • Contains predefined signatures for thousands of applications.
    • Recognizes traffic types such as social media apps, streaming services, or file-sharing tools.
Control Rules
  1. Block Specific Applications:

    • Prevent access to undesired applications like P2P file-sharing tools.
    • Example GUI: Security Profiles > Application Control > Enable Application Blocking.
  2. Restrict Specific Features:

    • Allow partial access to an application. For example:

      • Permit YouTube browsing but block video uploads.
    • CLI Example:

      config application list
      edit "AppControl"
      config entries
      edit 1
      set application "YouTube"
      set action block
      end
      end
      

3.4 Antivirus and IPS

Real-Time Scanning
  1. Prevent Malware Propagation:

    • Scans incoming and outgoing files for viruses and malicious content.

    • Protocols such as HTTP, HTTPS, FTP, and SMTP can be scanned.

    • Example CLI:

      config antivirus profile
      edit "AntiVirusProfile"
      set inspection-mode proxy
      end
      
  2. Advanced Options:

    • Use FortiSandbox integration for zero-day threat detection.
IPS (Intrusion Prevention System)
  1. Block Vulnerability Exploits:

    • Protect against known attacks, such as SQL injection, buffer overflows, or cross-site scripting (XSS).
  2. Custom IPS Signatures:

    • Create signatures tailored to your network's unique threats.

    • Example CLI:

      config ips sensor
      edit "IPS_Sensor"
      config entries
      edit 1
      set signature "custom_signature"
      set action block
      end
      end
      
  3. Enable IPS in Policies:

    • Apply IPS profiles in firewall policies.

    • Example CLI:

      config firewall policy
      edit 1
      set ips-sensor "IPS_Sensor"
      end
      

Summary

  • HTTPS Traffic Inspection ensures threats within encrypted traffic are identified and mitigated.
  • Web Filtering controls access to content based on categories or specific URLs.
  • Application Control provides granular control over application usage.
  • Antivirus and IPS safeguard the network against malware and known vulnerabilities.

Each feature enhances your FortiGate's ability to protect and manage network traffic effectively.

Content Inspection (Additional Content)

1. SSL Inspection Exceptions

When performing Deep SSL Inspection, FortiGate acts as a man-in-the-middle (MITM) by decrypting and re-encrypting HTTPS traffic. While this is powerful for threat detection, it may cause issues with certain sensitive or security-critical websites, such as:

  • Online banking platforms
  • Healthcare portals
  • Government services

These sites often use certificate pinning or strict security controls that break if their traffic is intercepted, even for inspection.

Why Configure Exceptions?

  • To avoid user experience issues or service outages.
  • To comply with privacy or compliance policies.
  • To preserve trust with highly secure third-party systems.

How SSL Exemptions Work:

SSL exemptions allow you to bypass SSL inspection for specific destinations, services, or ports, even when using Deep Inspection globally.

Configuration Example (CLI):

config firewall ssl-ssh-profile
edit "deep-inspection"
config ssl-exempt
edit 1
set address "BankingSites"
set port 443
next
end
end
  • The address object (BankingSites) contains the IPs or FQDNs of websites you want to exclude from inspection.
  • Port 443 indicates HTTPS traffic.

You can also exempt based on:

  • Services (e.g., HTTPS, SMTPS)
  • Source or destination address groups
  • Categories (with FortiGuard support)

Best Practice:

  • Create a named address group (e.g., Sensitive_Sites) for easier management.
  • Document all exemptions for compliance auditing.

2. FortiGuard Rating Service Availability

The FortiGuard Web Filtering engine relies on a cloud-based classification database that dynamically categorizes websites into topics like:

  • Gambling
  • Malware
  • Social media
  • Business/Finance

These ratings are queried in real-time when a user attempts to access a URL.

Why Availability Matters:

If the FortiGate device cannot reach the FortiGuard servers (e.g., due to network issues or license expiration), it will not be able to determine the category of a requested website.

In such cases, FortiGate follows a configured fallback action, which must be clearly defined in the web filter profile.

Available Options:

  1. Allow – Permit access even when the category is unknown.
  2. Block – Deny every request for which no category can be determined.
  3. Monitor – Allow the request but log the event for review.

How to Configure Fallback Behavior (GUI or CLI):

GUI:

  • Navigate to Security Profiles > Web Filter > FortiGuard Category Based Filtering
  • Under “When rating is unavailable”, choose the desired action.

CLI Example:

config webfilter profile
edit "Strict_Filter"
set ftgd-unrated-action block
end

Best Practice:

  • For high-security environments, choose block.
  • For business environments with a balance of security and usability, monitor is often preferred.
  • Avoid defaulting to allow unless access continuity is more critical than risk.
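
The order in which a web filter profile consults its parts (static URL filter, then FortiGuard rating, then the fallback when no rating can be obtained) decides the outcome, and so does whether the path of an HTTPS request is visible at all. The following is an added illustration, not FortiOS code and not part of the course material, covering the category and URL filtering from section 3.2 as well as the fallback behaviour described here. The URL filter entries, the blocked category ids (4 and 5 are the ids used in the section 3.2 CLI example), the rating table, the hostnames and the function names are constructed; the evaluation order and the "host only without deep inspection" rule are a simplification of the real engine.

```python
"""Simplified model of a FortiGate web filter profile's decision for one request:
static URL filter first, then the FortiGuard category rating, and when no rating
can be obtained the profile's fallback action (allow / block / monitor).

Added illustration, not FortiOS code. Filter entries, category ids and the rating
table are constructed sample data; the evaluation order is a simplification.
"""
import fnmatch
import re
from urllib.parse import urlsplit

# Static URL filter entries (pattern, type, action); the types mirror FortiOS: simple, wildcard, regex.
URL_FILTER = [
    ("intranet.example.com", "simple", "allow"),
    ("*.filesharing-example.net", "wildcard", "block"),
    (r"example-forums\.org/uploads/", "regex", "block"),  # regex is matched against host + path
]

# Category ids to block; 4 and 5 are the ids the section 3.2 CLI example uses.
BLOCKED_CATEGORIES = {4, 5}

# Constructed stand-in for the FortiGuard rating database. A host that is absent is
# rated 0 ("Unrated"), which is still an answer; a failed lookup returns None instead.
RATINGS = {"casino-example.com": 4, "news-example.com": 20}


def visible_url(url, deep_inspection):
    """Without deep inspection an HTTPS request exposes only the hostname
    (SNI / certificate), never the path, so path-based filters cannot match."""
    parts = urlsplit(url)
    if parts.scheme == "https" and not deep_inspection:
        return "https://%s/" % parts.netloc
    return url


def static_url_action(url):
    """First matching static entry wins; the static filter precedes category rating."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for pattern, kind, action in URL_FILTER:
        if kind == "simple" and host == pattern:
            return action
        if kind == "wildcard" and fnmatch.fnmatchcase(host, pattern):
            return action
        if kind == "regex" and re.search(pattern, host + parts.path):
            return action
    return None


def rate(host, service_reachable):
    """Category id for a host; None means the rating service could not be queried."""
    if not service_reachable:
        return None
    return RATINGS.get(host, 0)


def decide(url, deep_inspection=True, service_reachable=True, unavailable_action="block"):
    """Return (action, reason). A 'monitor' fallback allows the request but flags it for logging."""
    url = visible_url(url, deep_inspection)
    action = static_url_action(url)
    if action is not None:
        return action, "static URL filter"
    category = rate(urlsplit(url).hostname or "", service_reachable)
    if category is None:
        if unavailable_action == "monitor":
            return "allow", "rating unavailable, allowed and logged"
        return unavailable_action, "rating unavailable, fallback %s" % unavailable_action
    if category in BLOCKED_CATEGORIES:
        return "block", "category %d is blocked" % category
    return "allow", "category %d is allowed" % category


if __name__ == "__main__":
    for u in ("https://intranet.example.com/", "https://casino-example.com/"):
        print(u, decide(u), decide(u, service_reachable=False, unavailable_action="monitor"))
```

Two things the model makes concrete: with the rating service unreachable, the same gambling-rated request is blocked, allowed, or allowed-and-logged purely according to the fallback setting, so that setting is a policy decision and not a detail; and an HTTPS request inspected only at certificate level yields just the hostname, so a regex that keys on the path never fires until deep inspection is in place, which is the web-filter gap described in the FAQ below.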

Summary Table

Supplementary Topic              Description                                                             Exam Value
SSL Inspection Exceptions        Bypass SSL decryption for sensitive sites to avoid service disruption   High – CLI + scenario
FortiGuard Rating Availability   Defines behavior when URL categorization is not possible                Medium – policy config

Frequently Asked Questions

Why might users receive certificate warnings after SSL deep inspection is enabled?

Answer:

Because the FortiGate SSL inspection certificate is not trusted by the client devices.

Explanation:

When SSL deep inspection is enabled, the firewall decrypts and re-encrypts HTTPS traffic using its own certificate. If client devices do not trust the FortiGate CA certificate, browsers will display certificate warnings. The correct solution is deploying the FortiGate CA certificate to client devices or enterprise trust stores. Many administrators mistakenly believe SSL inspection is malfunctioning when the real issue is simply missing certificate trust.

Demand Score: 91

Exam Relevance Score: 92

Why might some HTTPS websites fail to load after enabling deep inspection?

Answer:

Because certain applications use certificate pinning that prevents SSL interception.

Explanation:

Some websites and applications verify the server certificate directly and reject connections if the certificate changes. Since SSL deep inspection replaces the original certificate with the FortiGate certificate, these applications may refuse the connection. The typical solution is creating SSL inspection exemptions for those domains or applications. This scenario frequently appears in troubleshooting discussions when administrators enable deep inspection globally.

Demand Score: 88

Exam Relevance Score: 90

Why might a web filtering profile fail to block certain websites?

Answer:

Because the traffic is encrypted and SSL inspection is not enabled.

Explanation:

Modern websites commonly use HTTPS encryption. Without SSL inspection, the firewall cannot view the full URL or web content and must rely only on limited information such as the domain name. If category filtering depends on URL paths or page content, the firewall may not apply the correct filtering action. Enabling SSL inspection allows FortiGate to fully inspect encrypted traffic and enforce web filtering policies more effectively.

Demand Score: 83

Exam Relevance Score: 89

What is the purpose of an antivirus security profile in FortiGate?

Answer:

To detect and block malware within network traffic.

Explanation:

The antivirus security profile scans files transferred through supported protocols such as HTTP, HTTPS, FTP, and email protocols. It uses signature databases and heuristic analysis to identify malware before it reaches internal systems. Administrators attach the antivirus profile to firewall policies so that traffic matching the policy is inspected for malicious content.

Demand Score: 74

Exam Relevance Score: 86

Why might a file download be blocked even when the firewall policy allows the traffic?

Answer:

A security profile such as antivirus or web filtering may be blocking the content.

Explanation:

Firewall policies control whether traffic is permitted or denied, but security profiles inspect the traffic content. If a profile detects malware, prohibited file types, or restricted categories, it can block the traffic even though the firewall policy allows it. Administrators troubleshooting blocked downloads must review the security profiles applied to the policy.

Demand Score: 71

Exam Relevance Score: 85
