Refer to the exhibits.
The exhibits show a diagram of a FortiGate device connected to the network, the VIP configuration, the firewall policy, and the sniffer CLI output on the FortiGate device.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The webserver host (10.0.1.10) must use its VIP external IP address as the source NAT (SNAT) when it pings the remote server (10.200.3.1).
Which two statements are valid to achieve this goal? (Choose two.)
Answer : A, D
Enable NAT on the Allow_access firewall policy (A):
The Allow_access firewall policy must have NAT enabled to allow the webserver to use its VIP external IP address (10.200.1.10) as the source NAT when initiating traffic, such as pings, to the remote server.
Disable port forwarding on the VIP object (D):
Port forwarding is designed for specific port mapping, typically for services like HTTP or HTTPS. To use the VIP external IP as a source NAT, port forwarding should be disabled. Disabling port forwarding ensures that the full VIP IP address is used without being tied to specific ports.
Why other options are not correct:
B. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool:
This is unnecessary as the VIP object itself is used for SNAT in this case, and an additional firewall policy is not required.
C. Disable NAT on the Internet_Access firewall policy:
Disabling NAT on this policy would prevent the NAT functionality needed for the webserver to use the VIP external IP address as the source IP.
Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP configuration are the valid steps to achieve the goal.
Refer to the exhibit.
The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?
Answer : D
'You can override the idle timeout setting per administrator profile using the Override Idle Timeout setting. You can configure an administrator profile to increase inactivity timeout and facilitate use of the GUI for central monitoring. The Override Idle Timeout setting allows the admintimeout value, under the config system accprofile, to be overridden per access profile.'
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?
Answer : B
When full SSL inspection is enabled, FortiGate intercepts HTTPS traffic, decrypts it for inspection, and re-encrypts it using its own SSL certificate before forwarding it to the browser. If the browser does not trust the SSL certificate being used by FortiGate for re-encryption, it will display certificate warning errors. To resolve this, the certificate used by FortiGate for SSL inspection must be installed and trusted in the browser's certificate store.
An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?
Answer : A
Strict RPF (Reverse Path Forwarding) check ensures that the packet is received on the same interface that the FortiGate device would use to send traffic back to the source. It verifies that the best route to the source of the packet is through the same interface it arrived on, enhancing security by preventing IP spoofing. If the check fails, the packet is dropped.
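Added example, not part of the exam material: a small Python model of the strict check described above, extended with loose mode for contrast. The routing table is constructed from the port1/port3 addressing used in the first question and is an assumption, not the exhibit's table.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Default route via the
# WAN (port1) and the directly connected LAN on port3, as in the first question.
ROUTING_TABLE = [
    ("0.0.0.0/0", "port1"),
    ("10.0.1.0/24", "port3"),
    ("10.200.1.0/24", "port1"),
]


def best_route(dst_ip, table=ROUTING_TABLE):
    """Longest-prefix match: the interface the FortiGate would use to reach dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(src_ip, in_iface, mode="strict", table=ROUTING_TABLE):
    """True if a packet from src_ip arriving on in_iface passes the RPF check.

    strict: the *best* route back to src_ip must leave via in_iface.
    loose:  any route to src_ip via in_iface is enough, even if not the best.
    """
    if mode == "strict":
        return best_route(src_ip, table) == in_iface
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) and i == in_iface for p, i in table)


if __name__ == "__main__":
    # A packet arriving on the WAN that claims the LAN webserver as its source
    # fails strict RPF, because the best route to 10.0.1.10 is via port3.
    print("spoofed LAN source on port1:", rpf_check("10.0.1.10", "port1"))
    print("genuine LAN source on port3:", rpf_check("10.0.1.10", "port3"))
```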
Which three statements about SD-WAN zones are true? (Choose three.)
Answer : A, B, E
An SD-WAN zone can contain physical and logical interfaces.
SD-WAN zones can include both physical and logical interfaces, allowing flexible configuration for different network types.
You can use an SD-WAN zone in static route definitions.
SD-WAN zones can be referenced in static routes, enabling dynamic path selection based on SD-WAN rules.
An SD-WAN zone is a logical grouping of members.
An SD-WAN zone is a logical grouping of interfaces (members), used to simplify the management and application of SD-WAN rules.
An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is outbound traffic but no response from the peer.
Which DPD mode on FortiGate meets this requirement?
Answer : A
The On Demand mode for Dead Peer Detection (DPD) on FortiGate sends DPD probes only when there is outbound traffic and no response from the peer. This mode is used to detect if the peer is still available without continuously sending DPD probes, reducing unnecessary traffic.
Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
Answer : A, B, E