考题篇(5.2) 11. 路由 ❀ FortiGate ❀ Fortinet 网络安全专家 NSE 4

最新推荐文章于 2023-08-22 13:06:32 发布

飞塔老梅子

最新推荐文章于 2023-08-22 13:06:32 发布

阅读量2k

点赞数

分类专栏： # NSE4 FortiGate 5.2 考题文章标签： Fortinet 防火墙飞塔 NSE 认证

NSE4 FortiGate 5.2 考题专栏收录该内容

22 篇文章 0 订阅

订阅专栏

Examine the static route configuration shown below; then answer the question following it. 〖检查如下所示的静态路由配置，然后回答下面问题〗

　　config router static
　　edit 1
　　set dst 172.20.1.0 255.255.255.0
　　set device port1
　　set gateway 172.11.12.1
　　set distance 10
　　set weight 5
　　next
　　edit 2
　　set dst 172.20.1.0 255.255.255.0
　　set blackhole enable
　　set distance 5
　　set weight 10
　　next
　　end

　　Which of the following statements correctly describes the static routing configuration provided?(Choose two) 〖下面哪些陈述给予静态路由配置正确的描述? (选择两个)〗

　　A. All traffic to 172.20.1.0/24 is dropped by the FortiGate. 〖所有到172.20.1.0/24的流量都被FortiGate防火墙丢弃了〗

　　B. As long as port1 is up, all traffic to 172.20.1.0/24 is routed by the static route number 1. If the interface port1 is down, the traffic is routed using the blackhole route. 〖只要接口1长时间启动，所有到172.20.1.0/24的流量路由到静态路由表１，如果接口1关闭，流量使用路由黑洞的路线〗

　　C. The FortiGate unit does NOT create a session entry in the session table when the traffic is being routed by the blackhole route. 〖当流量路由黑洞的路线时候，FortiGate设备没有在会话表创建一个会话〗

　　D. The FortiGate unit creates a session entry in the session table when the traffic is being routed by the blackhole route.〖当流量路由黑洞的路线时候，FortiGate设备在会话表创建一个会话〗

　　【分析】

　　黑洞路由：主要是指指向null接口的路由，null接口是一个虚拟的接口，无法被配置ip地址，转发到该接口上的数据包都会被丢掉，不会去区分数据包是正常数据或是异常数据，所以对于所有可能因为中断故障产生路由回路的路由都加上一条黑洞路由。例如在配置有默认路由的环境中如果该路由器中的某一个路由项因为故障中断，那么很可能在两个路由器中造成路由环路。

　　静态路由1的distance值是10，静态路由2的distance值是5，因此是静态路由2被执行，由表静态路由2开启了黑洞路由，因此所有发往172.20.1.0/24的包都被丢弃。

　　【答案】ＡＣ

A static route is configured for a FortiGate unit from the CLI using the following commands: 〖从FortiGate设备用以下命令配置一条静态路由〗

　　config router static
　　edit 1
　　set device "wan1"
　　set distance 20
　　set gateway 192.168.100.1
　　next
　　end

　　Which of the following conditions are required for this static default route to be displayed in the FortiGate unit’s routing table? (Choose two) 〖下面哪些条件是这个静态默认路由在FortiGate设备的路由表中显示所必需的? (选择两个)〗

　　A. The administrative status of the wan1 interface is displayed as down. 〖Wan1接口的管理状态显示是down〗

　　B. The link status of the wan1 interface is displayed as up. 〖Wan1接口的连接状态显示是up〗

　　C. All other default routes should have a lower distance. 〖所有其他默认路由应该有一个较低的距离〗

　　D. The wan1 interface address and gateway address are on the same subnet. 〖wan1接口地址和网关地址在同一子网〗

　　【分析】

　　接口必须为UP，否则省略该路由，网关地址为Wan1口的下一跳，所以Wan1口和网关地址要在同一网段。

　　【答案】ＢＤ

Examine the exhibit; then answer the question below. 〖查看图例，然后回答下面的问题〗

　　In this scenario, the FortiGate unit in Ottawa has the following routing table: 〖在这个场景中，渥太华FortiGate防火墙有以下路由表〗

　　S* 0.0.0.0/0 [10/0] via 172.20.170.254, port2
　　C 172.20.167.0/24 is directly connected, port1
　　C 172.20.170.0/24 is directly connected, port2

　　Sniffer tests show that packets sent from the source IP address 172.20.168.2 to the destination IP address 172.20.169.2 are being dropped by the FortiGate located in Ottawa. Which of the following correctly describes the cause for the dropped packets? 〖嗅探器的测试表明，从源IP地址172.20.168.2发送的数据包到目的地IP地址172.20.169.2，被位于渥太华的FortiGate防火墙丢弃了，下列哪一项正确地描述了丢包的原因?〗

　　A. The forward policy check.〖检查转发策略〗

　　B. The reverse path forwarding check. 〖检查反向路径转发〗

　　C. The subnet 172.20.169.0/24 is NOT in the Ottawa FortiGate’s routing table.〖子网172.20.169.0/24不是在渥太华FortiGate的路由表〗

　　D. The destination workstation 172.20.169.2 does NOT have the subnet 172.20.168.0/24 in its routing table.〖目的地工作站172.20.169.2没有子网172.20.168.0/24路由表〗

　　【分析】

　　渥太华的FortiGate防火墙没有172.20.168.2的回程路由。

　　【答案】Ｂ

When does a FortiGate load-share traffic between two static routes to the same destination subnet? 〖什么时候FortiGate在两个静态路由到相同的目的子网进行负载均流?〗

　　A. When they have the same cost and distance.〖当他们有相同的成本和距离时〗

　　B. When they have the same distance and the same weight. 〖当他们有同样的距离和相同的权重时〗

　　C. When they have the same distance and different priority.〖当他们有相同的距离和不同的优先级时〗

　　D. When they have the same distance and same priority.〖当他们有相同的距离和相同的优先级时〗

　　【分析】

　　多条路由佣有相同的距离和优先级时，数据包平均分配给这些等价路径。

　　【答案】Ｄ

Review the output of the command get router info routing-table database shown in the exhibit below; then answer the question following it. 〖检查输出命令，从路由表数据库得到路由信息表，然后回答问题〗

　　Which two statements are correct regarding this output? (Choose two) 〖哪两个关于这个输出的描述是正确的? (选择两个)〗

　　A. There will be six routes in the routing table.〖在路由表中有六条路由〗

　　B. There will be seven routes in the routing table. 〖在路由表中有七条路由〗

　　C. There will be two default routes in the routing table.〖会有两个默认路由的路由表〗

　　D. There will be two routes for the 10.0.2.0/24 subnet in the routing table.〖将会有两个路线10.0.2.0/24子网的路由表〗

　　【分析】

　　每个路由器搜索中都有一个路由表和FIB(Forward Information Base)表：路由表用来决策路由，FIB用来转发分组。路由表中路由有三类：（1）链路层协议发现的路由（即是直连路由）；（2）静态路由；（3）动态路由协议发现的路由。FIB表中每条转发项都指明分组到某个网段或者某个主机应该通过路由器的那个物理接口发送，然后就可以到达该路径的下一个路由器，或者不再经过别的路由器而传送到直接相连的网络中的目的主机。

　　上图中有六条路由标记是FIB路由。

　　两条默认路由的距离和优先级都相同，所有同时存在。

　　【答案】ＡＣ

In the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate operating in NAT/Route mode, when searching for a suitable gateway? 〖对于TCP流量，当寻找一个合适的网关的时候，下列哪一项正确地描述了路由表查找执行由FortiGate操作NAT/路由模式?〗

　　A. A lookup is done only when the first packet coming from the client (SYN) arrives. 〖仅当来自客户端(SYN)第一个数据包到达的时候查找完成〗

　　B. A lookup is done when the first packet coming from the client (SYN) arrives, and a second one is performed when the first packet coming from the server (SYN/ACK) arrives. 〖当来自客户端(SYN)第一个数据包到达的时候查找完成，并且当来自来自服务器(SYN / ACK)第一个数据包到达时执行第二个〗

　　C. Three lookups are done during the TCP 3-way handshake (SYN, SYN/ACK, ACK).〖TCP三次握手期间(SYN / ACK,SYN ACK)完成三次查找〗

　　D. A lookup is always done each time a packet arrives, from either the server or the client side.〖从服务器或客户端，每次查找总是做一个数据包到达〗

　　【分析】

　　在TCP/IP协议中，TCP协议提供可靠的连接服务，采用三次握手建立一个连接。
　　第一次握手：建立连接时，客户端发送SYN包(SYN=j)到服务器，并进入SYN_SEND状态，等待服务器确认；
　　第二次握手：服务器收到SYN包，必须确认客户的SYN（ack=j+1），同时自己也发送一个SYN包（syn=k），即SYN+ACK包，此时服务器进入SYN_RECV状态；
　　第三次握手：客户端收到服务器的SYN＋ACK包，向服务器发送确认包ACK(ack=k+1)，此包发送完毕，客户端和服务器进入ESTABLISHED状态，完成三次握手。

　　【答案】Ｃ

Examine the two static routes to the same destination subnet 172.20.168.0/24 as shown below; then answer the question following it. 〖检查如下所示两个到相同的目的地子网172.20.168.0/24的静态路由，然后回答这个问题〗

　　config router static
　　edit 1
　　set dst 172.20.168.0 255.255.255.0
　　set distance 20
　　set priority 10
　　set device port1
　　next
　　edit 2
　　set dst 172.20.168.0 255.255.255.0
　　set distance 20
　　set priority 20
　　set device port2
　　next
　　end

　　Which of the following statements correctly describes the static routing configuration provided above? 〖下面哪个陈述正确描述了提供静态路由配置〗

　　A. The FortiGate evenly shares the traffic to 172.20.168.0/24 through both routes.〖FortiGate通过路由均匀流量到172.20.168.0/24〗

　　B. The FortiGate shares the traffic to 172.20.168.0/24 through both routes, but the port2 route will carry approximately twice as much of the traffic. 〖FortiGate通过路由共享到172.20.168.0/24的流量，但端口2的路线有大约两倍的流量〗

　　C. The FortiGate sends all the traffic to 172.20.168.0/24 through port1.〖FortiGate通过端口1发送所有的流量到172.20.168.0/24〗

　　D. Only the route that is using port1 will show up in the routing table.〖只有使用端口1的路线将出现在路由表〗

　　【分析】

　　路由协议的优先级（Preference，即管理距离Administrative Distance）一般为一个0到255之间的数字，数字越大则优先级越低。

　　实际的应用中，路由器选择路由协议的依据就是路由优先级。给不同的路由协议赋予不同的路由优先级，数值小的优先级高。当有到达同一个目的地址的多条路由时，可以根据优先级的大小，选择其中一个优先级数值最小的作为最优路由，并将这条路由写进路由表中。

　　【答案】Ｃ

Examine the exhibit; then answer the question below. 〖查看图例，然后回答下面的问题〗

　　The Vancouver FortiGate initially had the following information in its routing table:〖在这个场景中，温哥华FortiGate防火墙有以下路由表〗

　　S 172.20.0.0/16 [10/0] via 172.21.1.2, port2
　　C 172.21.0.0/16 is directly connected, port2
　　C 172.11.11.0/24 is directly connected, port1

　　Afterwards, the following static route was added: 〖后来添加以下静态路由〗

　　config router static
　　edit 6
　　set dst 172.20.1.0 255.255.255.0
　　set pririoty 0
　　set device port1
　　set gateway 172.11.12.1
　　next
　　end

　　Since this change, the new static route is NOT showing up in the routing table. Given the information provided, which of the following describes the cause of this problem? 〖因为这个改变，新的静态路由没有出现在路由表中，根据提供的信息，下列哪项描述是这个问题的原因?〗

　　A. The subnet 172.20.1.0/24 is overlapped with the subnet of one static route that is already in the routing table (172.20.0.0/16), so, we need to enable allow-subnet-overlap first.〖子网172.20.1.0/24重叠，一个静态路由的子网路由表中已经有(172.20.0.0/16)，所以我们首先需要启用allow-subnet-overlap〗

　　B. The 'gateway' IP address is NOT in the same subnet as the IP address of port1. 〖作为端口1的IP地址，网关的IP地址不在同一子网〗

　　C. The priority is 0, which means that the route will remain inactive.〖优先级为0,这意味着路线仍不活跃〗

　　D. The static route configuration is missing the distance setting.〖静态路由配置缺少距离设置〗

　　【分析】

　　温哥华Port1的IP地址是172.11.11.1，静态路由的网关地址是172.11.12.1，不在同一网段上。

　　【答案】Ｂ

飞塔技术-老梅子 QQ：57389522