Need guidance on preparing for FortiGate interviews and possible questions
I've been working with FortiGates for close to a year now.
And at the moment I'm preparing for my interview at a different, better firm.
Could y'all please point me in the direction of what kind of FortiGate-related questions I will mostly face?
My FortiGate skillset section is as follows:
o Familiar with Fortigate 30D, 60D, 70D, 100D, 200D models
o Configuring IPSEC (site-to-site) and Remote Access (SSL) VPNs
o Configuring firewall policies to manage and monitor traffic flow
o Applying UTM features like web filtering, application control, anti-virus, email filtering with certificate SSL Inspection
o Configuring Fortigate in HA mode for redundancy
o Static NAT configuration
o Debugging firewall configurations using the FortiOS inbuilt debugging and sniffer functionalities
o Configured user authentication policies with LDAP server authentication
I would really appreciate some help on how best to go about preparing for the interview and what questions one can ask out of these topics I have included.
I was thinking of some general questions one could ask a FortiGate engineer.
For example, VPN concepts seem very important now, but I'm confused whether the workings of a FortiGate site-to-site and SSL VPN are the same as those of a Cisco VPN. Of course the general idea of a VPN is the same, but could there be any major differences between the two which one should focus on?
Also how the UTM features like antivirus, web filter and IPS function on a FortiGate, etc.
A Cisco VPN conceptually is the same but they are technically developed, deployed or administrated the same. It's like how a Toyota and a Chevy are both cars but not 100% the same.
You're asking us to determine a question but you need to know what you know. "You have it or don't". Just be honest in your responses and I'm sure you will do well. Research the org and determine what they do or the needs or the customers.
You might find out the interviewers are weak or not so experienced. Also be prepared to get past experiences in examples and projects.
I am just trying to find blind spots so I don't trip somewhere in my answers.
Does the tunnel formation in an SSL VPN use the same IPSEC suite of protocols or is there a difference for the same?
Which certificates are used to do the encryption on both site-to-site and SSL VPNs?
Hardware differences etc. between various models like 30, 60, 70, 100, 200 Ds?
And the problem of an inexperienced interviewer already happened to me once. It was more of a language problem in fact: his English was weak, it was a total cringe experience, the guy simply couldn't understand my answers.
The problem, I think, is that Cisco has a huge amount of tutorials etc. one can study, but FortiGate not so much. And the documents FortiGate has mostly focus on the configuration side of things vs. the concept side.
I'd have to agree that it's hard to determine what you should expect, especially if you don't know what kind of a shop they are (e.g. Cisco, Fortinet, Juniper, etc.).
You may want to mentally prepare yourself to 'sell' them Fortinet if they are not such a shop. They may ask 'what are compelling features of the Fortinet line of products?' etc. Obviously, the Fortinet can do what most others can do, so look into what makes Fortinet stand out amongst the competition.
If they are a Fortinet shop, be prepared to tell them what the fundamental differences were in the major releases. (Some throw-away merit points would be to know what all the revision numbers of the firmwares are at, currently.)
If they are not a Fortinet shop, do what you can to not get trapped by what you don't know in competitor products. For instance, if they ask you how you would go about setting up a SonicWall IPSEC VPN, you could say 'I am not as familiar with that line specifically, but in the Fortinet world, an IPSEC VPN needs the following' and then proceed to flesh that out. If they are tech savvy at all, they will quickly pick up the key words they were hoping to hear (e.g. Main Mode/Aggressive, Phase1, Phase2, Quick Mode Selects, etc.).
Be knowledgeable about who owns what (e.g. Dell owns SonicWall, Meraki is a Cisco brand, etc.).
The big take-away is to keep them with you. Don't rush your answer or dive too deep that you lose them. Pay attention to how they are reacting to your responses. It doesn't hurt to start your answer much like a beauty contestant, by repeating the question.
When I interview someone for a technical role with our FortiGates I would prepare a mini lab with a FG60D, a cable that had internet access and a computer.
I would then give them two hours to configure things like:
- Internet access (they would need a route, policy & NAT)
- Incoming VIP so I could ping the computer from the WAN link
- SSL VPN so I could ping the computer via a tunnel
- IPSEC VPN to my lab FortiGate
- Web filtering to block access to gambling sites
- Application control so that Tor browser installed on the computer would not be able to connect
- Antivirus so that downloading the eicar file via HTTPS would be blocked
It would all be open book and they would have another laptop that had access to the internet. I encouraged them to look online and read through materials, but wanted to ensure they configured it right.
You'd be surprised how many people who had FortiGate or other firewall experience on their resumes would not be able to actually configure most of these...
If they said they were comfortable with FortiGate then I would generally ask these types of questions to get a feel for their knowledge:
- What's the difference between flow and proxy mode?
- What's the difference between transparent and NAT mode?
- Talk to me about VDOMs. How would you use them? How would you connect them?
- What's the difference between policy and route based VPNs? Walk me through the steps on configuring both. What are the advantages/disadvantages of each?
- What's the difference between SSL web portal and tunnel mode? What is split tunneling and why would you use it? What steps are involved in creating an SSL VPN?
- What is SSL deep packet inspection? Why would you use it? How would you configure it? What are some potential issues we could face in enabling it?
- What is a zone? Name a scenario where using a zone would be useful.
- What is the difference between proxy, flow and DNS web filtering? What will happen to our traffic if the web filter subscription expires and we have it enabled on our policy?
- How do you determine the policy ID for a policy?
- What's the difference between logging security traffic and logging all traffic?
- How many times is a route lookup performed for each session?
- What's the difference between aggressive and main mode IPSEC? Where would you use each?
- How would you determine if the FortiGate is in conserve mode?
- Traffic that you feel should be allowed through the firewall is not. How would you troubleshoot the problem here?
- What will happen to our traffic if the antivirus subscription expires and we have it enabled on our policy?
- What will happen to our traffic if the IPS/application subscription expires and we have it enabled on our policy?
- How would you block P2P traffic?
- We want to block some credit card numbers from leaking out of the organization. How would you go about configuring this on the FortiGate?
- What's the difference between A/A and A/P in relation to HA?
- Talk me through how the HA cluster determines which device will be master. What steps take place during the election of a new master?
- How does upgrading an HA cluster work on the FortiGates?
- We've lost the admin password and our RADIUS connection is not working for admin logins. How would you log into the FortiGate to reset the admin password and get access to the FortiGate?
- What is the HQIP test and how do you run it?
- Talk to me about the ASIC chips on FortiGates. What are the different types and what jobs do they perform?
- What's the difference between polling and DC agent FSSO deployments? What are the pros/cons for each?
- What's the difference between distance and priority in routes? Give me a scenario where changing each of these could impact the routes used by the FortiGate.
- Memory on our FortiGate is at 80%. How would you determine what is using up the memory?
- How would you create a ticket with the Fortinet TAC? What level of tickets are you able to create online?
As emnoc pointed out, I was again faced with an inexperienced interviewer. While he was interviewing me he kept using his smartphone. I couldn't for the life of me understand who he was texting in that moment; now that I think about it, he was fishing for questions to ask me, probably comparing my answers with the internet.
For all my fretting over the toughest questions, as the firm is a real big giant and all, I was disappointed. They asked me about the TCP handshake and ports for telnet, DNS, NAT. Seriously, the telnet port. I just feel I never got a chance to answer with everything I know, as they didn't know what to ask in the first place.
I use exactly your tactic of answering all their questions in terms of my experience on FortiGates; at times it fails though, when they want to know about Cisco ASA only.
Also even basic questions like "difference between ASA and FortiGate" trip me up when I am not mentally prepared for something like that. The simplest answer was that FortiGate is a UTM while ASA is not, and I didn't throw that crucial point out there during the interview.
You've gone so thorough on the questions, thanks for taking the time out to type it. I will create answers for some of the questions and post back asap.
Companies rarely take the objective method of evaluating candidates based on labs, I feel; the candidate's fate is mostly left to the tech person and his ego, I guess.