Fortinet FCP_FWB_AD-7.4 FCP - FortiWeb 7.4 Administrator Exam Practice Test

The Payment Card Industry Data Security Standard (PCI DSS) sets forth security requirements to protect cardholder data. Requirement 6.6 specifically mandates that public-facing web applications be protected against known attacks by either:​Exclusive Networks+3Gordion+3layer7solutions.com+3

Reviewing applications via manual or automated vulnerability security assessment tools or methods, at least annually and after any changes.​

Installing an automated technical solution that detects and prevents web-based attacks, such as a web application firewall (WAF), in front of public-facing web applications to continually inspect all traffic.​

FortiWeb, Fortinet's web application firewall, offers various deployment modes to protect web applications:​

Reverse Proxy Mode: FortiWeb acts as an intermediary, terminating client sessions and initiating sessions to the backend servers. This mode provides comprehensive protection and allows for features like SSL offloading, URL rewriting, and advanced routing capabilities.​

Transparent Mode: FortiWeb operates at Layer 2, inspecting traffic without modifying it, making it invisible to both clients and servers. This mode simplifies deployment as it doesn't require changes to the existing network topology.​

Full Transparent Proxy Mode: Combines aspects of both reverse proxy and transparent modes, providing inspection and modification capabilities while remaining transparent to network devices.​

PCI DSS Mode: A specialized deployment tailored to meet PCI DSS compliance requirements. This mode ensures that FortiWeb is configured with security policies and features aligned with PCI DSS standards, offering robust protection against threats targeting cardholder data.​

Given the need to meet PCI DSS compliance criteria, deploying FortiWeb inPCI DSS modeis the most appropriate choice. This mode is specifically designed to align with PCI DSS requirements, ensuring that all necessary security measures are in place to protect cardholder data

In the SVM plot of potential bot activity, you can see that the sample value (orange) is significantly different from the average value (green) and the maximum value (blue) in most of the metrics. This suggests unusual or abnormal behavior, indicating that the connection might be a bot. Typically, botsexhibit patterns that diverge from normal user activity, such as higher frequencies of certain types of requests, abnormal throughput, or an unusual pattern of HTTP requests (such as requests without referers or excessive TCP connections).

To forward requests for web application B to a single web server, you would configure FortiWeb to use HTTP content routing and create a server pool specifically for web application B. In FortiWeb, server pools are used to group servers together based on application requirements, and you can configure the pool to contain only a single web server for application B.

In the configuration, the command set sample-limit-by-ip 0 disables the sample limit for any specific IP address. This means that during the machine learning (ML) running phase, FortiWeb will not limit the number of samples it accepts from the same IP address. Setting this to 0 effectively removes any restrictions on the number of samples from a given IP address.

Virtual proxy: In virtual proxy mode, FortiWeb acts as an intermediary between clients and the server, and it can modify HTTP packets. It performs various security checks, such as inspecting and filtering HTTP traffic before forwarding it to the web server.

Reverse proxy: In reverse proxy mode, FortiWeb sits between the client and the server, handling incoming requests from clients, modifying or inspecting HTTP packets as needed, and forwarding them to the backend servers.

Model building: In this stage, you design and develop the ML model, which involves selecting appropriate algorithms and features to detect bot activity.

Model verification: This is where you test and evaluate the model's performance to ensure it can accurately detect bots without false positives or negatives.

Sample collecting: Gathering relevant data samples (e.g., bot and non-bot traffic) to train the machine learning model is crucial to ensure it can learn from various scenarios.

The web application is unable to accept any more connections because of network socket exhaustion: A Denial of Service (DoS) attack often floods the web server with an overwhelming number of requests, leading to network socket exhaustion. This can prevent the server from accepting new legitimate connections, effectively disrupting service.

The web application server is unable to accept new client sessions due to memory exhaustion: DoS attacks can consume a significant amount of server memory, causing memory exhaustion. This results in the web application being unable to accept new client sessions or handle requests properly.

Bot ML models analyze multiple connections over time instead of analyzing each connection as a single unit: This is the key distinction. Bot ML models focus on analyzing patterns over a period of time, looking at behavioral patterns across multiple requests or connections from the same source to identify potential bot activity. Unlike traditional anomaly detection or API models that may focus on single connections or individual transactions, bot detection typically examines aggregated behavior to identify patterns indicative of bots, such as high-frequency requests or unusual traffic flows.

The best way to limit brute force login attacks on FortiWeb is to configure a brute force login custom policy. FortiWeb provides the ability to detect and mitigate brute force login attempts by automatically limiting the number of failed login attempts within a specific time period. This approach allows you to block or rate limit suspicious IP addresses while still allowing legitimate users access, based on your configuration.

In the provided configuration, the signature exception has been set for the URL This means that any request to this specific URL will bypass the signature ID 01000001, which is designed to block cross-site scripting (XSS) attacks using the mousedown event. As the request comes from the URL which does not match the exception rule for the attack will be allowed through.

Therefore, the connection will be allowed because the exception rule bypasses protection for the specified URL.