Zero phase selectors in IPsec Phase 2 mean that no specific traffic selectors (subnets) are defined,

allowing any traffic to be encrypted through the VPN tunnel. This can cause unintended traffic

forwarding issues and disrupt network operations.

To prevent this from happening during future migrations:

● Using routing protocols ensures that only specific subnets are advertised over the tunnel. Dynamic

routing (such as OSPF or BGP) helps define which networks should use the tunnel, preventing

unintended traffic from being encrypted.

● Clearly defining phase 2 selectors avoids the problem of encrypting all traffic by explicitly stating

the allowed source and destination subnets. This prevents the tunnel from affecting unrelated

network traffic.

The Configuration Revision History window in FortiManager shows that the most recent

configuration change (ID 10) was created by script_manager with the action Retrieved.

Since script_manager is a system-level script execution user, the IT team needs to find who actually

triggered this script. This can be done by:

● Checking the FortiManager system logs for script execution events.

● Using the type=script filter to locate the administrator associated with the script execution.

The excessive DNS log requests with random subdomains suggest a DNS exfiltration attack, where

attackers encode and transmit data via DNS queries. Since this technique can use both UDP and TLS

(DoH - DNS over HTTPS), a comprehensive security approach is needed.

Using an IPS profile with DNS exfiltration-specific signatures allows FortiGate to:

● Detect and block abnormal DNS query patterns often used in exfiltration.

● Inspect encrypted DNS (DoH, DoT) traffic if SSL inspection is enabled.

● Identify known exfiltration domains and techniques based on FortiGuard threat intelligence.

The output of the get router info ospf status command provides key information about the OSPF

(Open Shortest Path First) configuration on the FortiGate device.

The FortiGate device is connected to multiple areas

● The output states: "This router is an ABR"

● ABR (Area Border Router) means the device is connected to multiple OSPF areas and maintains

routing information between them.

● This confirms that the FortiGate is not just in one area, but at least one backbone area (Area 0) and

another OSPF area.

The FortiGate device injects external routing information

● The output states: "Supports opaque LSA"

● Opaque LSAs (Type 9, 10, and 11) are used in OSPF extensions, including those that support

external route injection.

● Typically, ABRs or ASBRs (Autonomous System Boundary Routers) inject external routes, allowing

routes from other routing protocols (such as BGP or static routes) to be advertised into OSPF.

Applying an aggressive IPS profile without prior testing can disrupt legitimate applications by

incorrectly identifying normal traffic as malicious. To prevent disruptions while still monitoring for

threats:

● Enable IPS in "Monitor Mode" first:

● This allows FortiGate to log and analyze potential threats without actively blocking traffic.

● Administrators can review logs and fine-tune IPS signatures to minimize false positives before

switching to blocking mode.

● Verify and adjust signature patterns:

● Some signatures might trigger unnecessary blocks for legitimate application traffic.

● By analyzing logs, administrators can disable or modify specific rules causing false positives.