nse7_efw-70 Exam Questions

nse7_efw-70 Exam - Question 28


Refer to the exhibit, which contains the output of a debug command.

If the default settings are in place, what can be concluded about the conserve mode shown in the exhibit?

Correct Answer: BC

When a FortiGate device enters memory conserve mode, it disables certain functionality to preserve system integrity. With default settings, two configurations govern proxy-based inspection: 'av-failopen-session' and 'av-failopen'. By default, 'av-failopen-session' is disabled, meaning that the FortiGate blocks all new sessions that require proxy-based inspection. 'av-failopen' is set to 'pass' by default, but since 'av-failopen-session' is disabled, this setting is irrelevant to the behavior during conserve mode. Flow-based inspection is governed by the IPS fail-open setting ('set fail-open' under 'config ips global'), which is also disabled by default, so new sessions requiring flow-based inspection are dropped. Therefore, in memory conserve mode with default settings, all new sessions requiring either flow-based or proxy-based content inspection are blocked, and the correct conclusion is that the FortiGate is currently blocking new sessions that require flow-based or proxy-based content inspection.
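The default-settings reasoning above as a small runnable model (an added example, not Fortinet's code or the study guide's): it parses the three fail-open settings from a constructed FortiOS CLI snippet and reports whether new proxy-inspected and flow-inspected sessions are accepted. The 'extreme' branch (all new sessions dropped) and treating 'av-failopen off' as still blocking are assumptions, not statements from the question.

```python
# Added example, not Fortinet code: how a FortiGate in conserve mode treats
# NEW sessions needing inspection, driven by the three fail-open settings.

# Constructed FortiOS CLI snippet showing the defaults the discussion cites.
SAMPLE_CONFIG = """
config system global
    set av-failopen pass
    set av-failopen-session disable
end
config ips global
    set fail-open disable
end
"""

# Fallbacks for keys a snippet omits (FortiOS does not print default values).
DEFAULTS = {
    ("system global", "av-failopen"): "pass",
    ("system global", "av-failopen-session"): "disable",
    ("ips global", "fail-open"): "disable",
}


def parse_settings(text):
    """Return {(section, key): value} for the fail-open keys, defaults filled in."""
    settings = dict(DEFAULTS)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line == "end":
            section = None
        elif line.startswith("set ") and section is not None:
            key, _, value = line[len("set "):].partition(" ")
            if (section, key) in settings:
                settings[(section, key)] = value.strip()
    return settings


def new_session_policy(settings, memory_state="red"):
    """(proxy_allowed, flow_allowed); memory_state is 'green', 'red' or 'extreme'."""
    if memory_state == "green":
        return True, True          # not in conserve mode
    if memory_state == "extreme":
        return False, False        # assumed: all new sessions are dropped
    # Proxy: av-failopen only applies once av-failopen-session is enabled; 'pass'
    # and 'one-shot' then admit new sessions uninspected (assumed: 'off' blocks).
    proxy_allowed = (settings[("system global", "av-failopen-session")] == "enable"
                     and settings[("system global", "av-failopen")] in ("pass", "one-shot"))
    # Flow: with IPS fail-open disabled, new flow-inspected sessions are dropped.
    flow_allowed = settings[("ips global", "fail-open")] == "enable"
    return proxy_allowed, flow_allowed
```

With the sample snippet (the defaults), `new_session_policy(parse_settings(SAMPLE_CONFIG))` returns `(False, False)`: both proxy and flow new sessions are blocked.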

Discussion

15 comments
pcbbj
Jan 22, 2023

I'd say that there is no correct answer, as the command says that the FortiGate is running with default settings. The correct would be: "FortiGate is currently ALLOWING new sessions that require PROXY-based content inspection and BLOCKING sessions that require FLOW-based content inspection." References: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Conserve-mode-changes/ta-p/198502 https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/194558/conserve-mode Agree?

klapek
Jan 23, 2023

No, I don't agree. By default av-failopen-session is disabled and that particular option is responsible for new session behavior in proxy mode. The new sessions are blocked. By default fail-open is disabled --> new sessions in flow-based inspection mode are blocked too.

manimal666
Jan 26, 2023

By default, set av-failopen mode is pass, not disable, which means pcbbj looks legit.

racdab
Jan 27, 2023

By default Fortinet blocks new sessions (av-failopen-session disable).

k3rnelpanicpj
Jan 21, 2023

Based on this: https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/194558/conserve-mode. Proxy-based has default pass (no inspection); flow-based has default disable (drop sessions). None of the answers are correct.

klapek (Option: C)
Jan 5, 2023

With default settings C is correct

racdab
Jan 23, 2023

C is correct. There are two settings, av-failopen-session and av-failopen. When you enable av-failopen-session, Fortinet applies the action configured in av-failopen. By default Fortinet blocks new sessions (av-failopen-session disable).

kachbfe (Option: C)
Apr 10, 2023

NSE7 Page 61, 62. Proxy Inspection While in Conserve Mode: note that antivirus is only an example, this applies to all proxy-based inspections. Antivirus failopen governs FortiGate behavior for proxy-based inspection while in conserve mode:
config system global
set av-failopen {off | one-shot | pass}
set av-failopen-session {enable | disable}
end
set av-failopen-session: enable or disable failopen. Default is disable.
set av-failopen: configure how sessions failopen. Pass: stops inspecting new sessions. Inspection is automatically restarted when exiting conserve mode.
Flow Inspection While in Conserve Mode: IPS failopen governs FortiGate behavior for flow-based inspection while in conserve mode:
config ips global
set fail-open {enable | disable}
end
By default, IPS fail-open is disabled, which means the IPS engine drops all new sessions that require flow-based inspection, but tries to process all existing sessions. If IPS fail-open is enabled, the IPS engine does not perform any scan, but allows new packets.

[Removed] (Option: C)
May 12, 2023

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 61/62

mau_80
Jul 22, 2023

FGT is in extreme mode (89%) so why not A?

talos_2002 (Option: A)
Aug 5, 2023

When memory usage becomes extreme, all new sessions are dropped.
threshold extreme = 2887
threshold extreme = memory used + freeable
memory used + freeable = 2706 + 334 = 3034
3034 > 2887
The unit is in extreme mode, dropping all new sessions.

mikerss
Oct 20, 2023

Your calculation does not make sense. The "allowing" answers are not correct. Therefore my assumption is that it went to extreme mode at some stage, however it did not reach green state yet. Therefore the correct answer is C: block new proxy and flow sessions.

mikerss
Oct 23, 2023

Default settings are:
(1) "av-failopen-session" is disabled by default. This blocks all proxy mode traffic.
(2) "av-failopen" is "pass" by default. However, since (1) is disabled it is irrelevant. For it to work, (1) must be enabled.
(3) "set fail-open" is disabled by default and drops all new sessions that require flow-based inspection.
Therefore by default in conserve mode all proxy/flow traffic is blocked. Hence only C is valid.
set av-failopen pass

akukaracia (Option: C)
Feb 21, 2023

av-failopen (pass) doesn't matter, because av-failopen-session is disabled by default. When it is disabled, FG blocks new sessions. Study guide 61p

akukaracia
Feb 21, 2023

C is correct

certifi46 (Option: C)
May 10, 2023

default settings

mau_80 (Option: A)
Jul 16, 2023

FGT is in extreme mode (89%) so why not A?

mikerss
Nov 20, 2023

It is not in extreme mode. To be in extreme mode it needs to be >95%.

dosoriomartins (Option: C)
Jan 24, 2023

Agree with klapek2.

Seph1 (Option: C)
Mar 11, 2023

C is correct.

LeeRoy9912 (Option: C)
Mar 15, 2023

C is correct.

FORTIGOD (Option: B)
Jul 31, 2023

Correct answer is indeed B. av-failopen-session is to address a connection pool issue, av-failopen is to address conserve mode (the topic at hand). One condition can exist without the other and, as the documentation notes, where both are occurring av-failopen is used to resolve any discrepancies (since it takes into account an entire system, not a single connection pool).

alwayz
Dec 6, 2023

av-failopen-session kicks in not during a high memory situation (conserve mode), but when a proxy on FortiGate runs out of available sockets to process more proxy-based inspected traffic. So, none of the answers are correct!

Yusraaa (Option: C)
Dec 23, 2023

Correct answer is C.