ThisIPsec Phase 1 configurationdefines adynamicVPN tunnel that can accept connections from multiple peers. The settings chosen here suggest a configuration optimized fornetworks with intermittent traffic patternswhile ensuring resources are used efficiently.

Key configurations and their impact:

●set type dynamic→ This allows multiple peers to establish connections dynamically without needing predefined IP addresses.

●set ike-version 2→ UsesIKEv2, which is more efficient and supports features like EAP authentication and reduced rekeying overhead.

●set dpd on-idle→ Dead Peer Detection (DPD) is triggeredonly when the tunnel is idle, reducing unnecessary keep-alive packets and improving resource utilization.

●set add-route enable→ FortiGate automatically adds the route to the routing table when the tunnel is established, ensuring connectivity when needed.

●set proposal aes128-sha256 aes256-sha256→ Uses strong encryption and hashing algorithms, ensuring a secure connection.

●set keylife 28800→ Sets alonger key lifetime(8 hours), reducing the frequency of rekeying, which is beneficial for stable connections.

BecauseDPD is set to on-idle, the tunnel will not constantly send keep-alive messages but will still ensure connectivity when traffic is detected. This makes the configuration ideal fornetworks with regular but non-continuous traffic, balancing security and resource efficiency.

When usingIPsec VPNsandVXLAN, additional headers are added to packets, which can exceed thedefault 1500-byte MTU. This can lead tofragmentation issues, dropped packets, or degraded performance.

To resolve this, theMTU (Maximum Transmission Unit)should be adjustedonly if all devices in the network path support it. Otherwise, some devices may still drop or fragment packets, leading to continued issues.

Why adjusting MTU helps:

●VXLAN adds a 50-byte overheadto packets.

●IPsec adds additional encapsulation(ESP, GRE, etc.), increasing the packet size.

● If packets exceed the MTU, they may befragmented or dropped, causing intermittent connectivity issues.

● Lowering the MTU on interfaces ensurespackets stay within the supported size limitacross all network devices.

To minimizeCPU and RAM usagewhile still enforcingsecurity features like web filtering and application control,SSL certificate inspection modeis the best choice.

●SSL certificate inspectionallows FortiGate to inspectonly the SSL/TLS handshake, including theServer Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.

● This enables features likeweb filtering and application controlbecause FortiGate can determine thedestination website or applicationbased onSNI and certificate information.

● Itsignificantly reduces system loadcompared tofull SSL inspection, which requires full decryption and re-encryption of traffic.

IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.

It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.

IKEv2 supports stronger cryptographic algorithms, includingElliptic Curve Diffie-Hellman (ECDH)groups such asECP256 and ECP384, providing improved security compared to IKEv1.

It supports the extensible authentication protocol (EAP).

IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such asRADIUS, certificates, and smart cards. This is particularly useful forremote access VPNswhere user authentication must be flexible and secure.

FortiGate, like other security appliances, cannot analyze encrypted HTTPS traffic unless itdecryptsit first. Ifonly certificate inspectionis enabled, FortiGate can see the certificate details (such as the domain and issuer) butcannot inspect the actual web content.

To fully analyze the traffic and detect potential malware threats:

●Full SSL inspection (Deep Packet Inspection)must be enabled in theSSL/SSH Inspection Profile.

● This allows FortiGate todecrypt the HTTPS traffic, inspect the content, and then re-encrypt it before forwarding it to the user.

● Without full SSL inspection, threats embedded in encrypted traffic may go undetected.

Unlike IPS or antivirus databases,FortiGate does not store a full web filter database locally. Instead, FortiGatequeries FortiGuard (or FortiManager, if configured) dynamicallyto classify and filter web content in real time.

Key points:

●Web filtering works on a cloud-based model:

● When a user requests a website,FortiGate queries FortiGuard servers to check its category and reputation.

● The response is then cached locally for faster lookups on repeated requests.

●No local web filter database version:

● UnlikeIPS and antivirus, which download and store signature updates locally,web filtering relies on cloud-based queries.

● This is whyno database version appears in the GUI.

●Flow mode vs Proxy mode:

● Inproxy mode, FortiGate cancachesome web filter data, improving performance.

● Inflow mode, all queries happen dynamically, with no locally stored database.

The MAC addresse0:23:ff:fc:00:86follows the format used inFortiGate High Availability (HA) clusters. When FortiGate devices are in an HA configuration, they usevirtual MAC addressesfor failover and redundancy purposes.

The suspicious packet is related to a cluster that has VDOMs enabled:FortiGate devices withVirtual Domains (VDOMs)enabled use specific MAC address ranges to differentiate HA-related traffic. This MAC address is likely part of that mechanism.

The suspicious packet is related to a cluster with a group-id value lower than 255:FortiGate HA clusters assign virtual MAC addresses based on thegroup ID. The last octet (00:86) corresponds to agroup IDthat isbelow 255, confirming this option.

In anIBGP (Internal BGP) network, all routers must befully meshed, meaning every router must establish a BGP session with every other router in the sameautonomous system (AS). Thisdoes not scale wellin large networks due to the exponential increase in BGP sessions.

Tooptimize and scale IBGP,Route Reflectors (RRs)are used. ARoute Reflector (RR)reduces the number ofIBGP peer connectionsby allowing acentralized router (RR)to redistribute IBGP routes to other IBGP peers (calledclients). This eliminates the need for afull mesh, significantlyreducing BGP session overhead.

By configuring theroute-reflector-clientsetting on IBGP peers, an administrator can:

●Scale IBGP sessionsby reducing the number of direct BGP peer connections.

●Optimize the routing tableby ensuring routes are efficiently propagated within the IBGP network.

●Eliminate the need for full mesh topology, making IBGP more manageable.

TheMulti-Exit Discriminator (MED)is aBGP attributeused to influence the preferred path for incoming traffic from an external autonomous system (AS). The diagram shows that FortiGate_1 advertisesMED 200, while FortiGate_2 advertisesMED 300, meaningthe ISP will prefer the route through FortiGate_1because alower MED is preferredin BGP.

To modify theMED valueon FortiGate_1 for routes advertised to AS 30, the administrator must configure aroute-map-out. A route map canmatch specific routesandset the MED valuebefore sending them to the BGP neighbor.

Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.

By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:

● Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).

● Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).

● Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.

InFortiManager,pre-run CLI templatesare used inZero-Touch Provisioning (ZTP)andLow-Touch Provisioning (LTP)to configure a FortiGate devicebeforeit is fully managed by FortiManager.

These templatesapply configurationswhen a device is initially provisioned.Once the pre-run CLI template is executed, FortiManagerautomatically unassignsit from the device because it isnot meant to persistlike other policy configurations. This prevents conflicts and ensures that the FortiGate configuration isnot repeatedly appliedafter the initial setup.

In a hub-and-spoke topology using OSPF over IPsec VPNs, thepoint-to-multipointnetwork type is necessary to establish neighbor adjacencies between the hub and spokes. This network type ensures that OSPF operates correctly without requiring a designated router (DR) and allows dynamic routing updates across the IPsec tunnels.

Whenadding an additional FortiGateto an enterprise network that is already reaching itsresource limits, the goal is to distribute traffic efficiently and ensurehigh availability.

FGSP (FortiGate Session Life Support Protocol) with external load balancers

FGSP allowssession-aware load balancingbetween multiple FortiGate units without requiring them to be in an HA (High Availability) cluster.

Withexternal load balancers, incoming traffic isevenly distributedacross multiple FortiGate devices.

This approach is useful forscaling outtraffic handling capacity while ensuring that sessions remainsynchronizedbetween firewalls.

FGSP is effectivewhen stateful failover is requiredbut without the constraints of traditional HA.

FGCP (FortiGate Clustering Protocol) in active-active mode and with switches

FGCPactive-active modeenables multiple FortiGate devices toshare traffic loads, increasing throughput and efficiency.

Active-active mode is suitable forbalancing UTM processingacross multiple FortiGates, making it ideal whenresource limits are a concern.

Usingswitchesensures redundancy and avoids single points of failure in the network.

This mode is commonly used inenterprise networkswhere bothscalability and redundancyare required.

When configuringADVPN (Auto-Discovery VPN)to connectoverlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.

●set auto-discovery-crossover enable

● Thisallows cross-hub tunnel discoveryin an ADVPN deployment where multiple hubs are used.

● SinceHub A and Hub Bbelong to different overlays, enablingcrossover discoveryensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.

●set enforce-multihop enable

● This setting ensures thatBGP peers using loopback interfacescan establish connectivityeven if they are not directly connected.

●Multihop BGP sessionsare required when usingloopback addresses as BGP peer sourcesbecause the connection might need to traverse multiple routers before reaching the BGP neighbor.

● This is especially useful inADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.