Question 1
Question
Uses UDP port 500 (and UDP port 4500 when crossing NAT)
Negotiates a tunnel’s private keys, authentication, and encryption
One IPsec SA is used per traffic direction.
Phases:
Phase 1
Phase 2
Question 2
Question
Phase 1 negotiation modes
Answer
-
main mode
aggressive mode
-
main mode
quick mode
Question 3
Question
Phase 2 negotiation mode
Answer
-
aggressive mode
-
quick mode
Question 4
Question
takes place when each endpoint of the tunnel—the initiator and the responder—connects and begins to set up the VPN.
Question 5
Question
[blank_start]2.[blank_end] Negotiate one bidirectional SA (called IKE SA) *In IKE v1, two possible ways: -Main mode: six packets exchanged -Aggressive mode: three packets exchanged *Not the same as final SAs later *Encrypted tunnel for Diffie-Hellman (DH)
[blank_start]1.[blank_end] Authenticate peers *Pre-shared key or digital signature *Extended authentication (XAuth)
[blank_start]3.[blank_end] DH exchange for secret keys
Question 6
Question
Key agreement method:
Independently calculate a private key using only public keys
Each FortiGate uses a shared secret key plus a nonce to calculate keys for the following:
Symmetric encryption algorithms (such as 3DES, AES)
Symmetric authentication (HMACs)
Question 7
Question
ESP can't support NAT because it has no port numbers.
Question 8
Question
Negotiates two unidirectional SAs for ESP (called IPsec SAs)
Protected by the phase 1 IKE SA
When SAs are about to expire, it renegotiates
Optionally, if Perfect Forward Secrecy is set to Enabled, FortiGate uses Diffie-Hellman to generate new keys each time phase 2 expires.
Each phase 1 can have multiple phase 2s.
High security subnets can have stronger ESP.
Question 9
Question
Also, if you set ____________ to Enable, each time phase 2 expires, FortiGate will use Diffie-Hellman to recalculate new secret keys. In this way, new keys are not derived from older keys, making it much harder for an attacker to crack the tunnel.
Answer
-
Perfect Forward Secrecy
-
NAT Traversal
-
Split tunneling
Question 10
Question
If multiple phase 2 exist, FortiGate directs traffic to the correct phase 2.
Allows granular security settings for each LAN.
If traffic does not match an lPsec SA selector, it is dropped.
In point-to-point VPNs, selectors must match.
- The source on one FortiGate is the destination setting on the other.
Select which SA to apply using:
Destination and source IP subnet(s)
Protocol number
Source port and destination port
Answer
-
Quick mode selectors
-
Phase 2
-
Phase 1
-
Aggressive mode
Question 11
Question
During phase 2, you must configure a pair of settings called quick mode selectors. They identify and direct traffic to the appropriate phase 2. In other words, they allow granular SAs.
Question 12
Question
In aggressive mode, how many packets are exchanged to establish phase 1 of the IPsec tunnel?
Question 13
Question
Which statement about quick mode selectors is true?
Question 14
Question
Settings needed in a dial-up VPN between two FortiGates
Answer
-
A phase 1
At least one phase 2
Firewall policies
Static routes or a dynamic routing protocol
-
A phase 1
At least one phase 2
Firewall policies
Static routes or a dynamic routing protocol
IPsec interface
Question 15
Question
Dial-up IPsec is also known as
Answer
-
A. point-to-point
-
B. point-to-multipoint
Question 16
Question
IKE mode configuration automatically configures network settings?