
Exam NSE4_FGT-7.2 topic 1 question 86 discussion

Actual exam question from Fortinet's NSE4_FGT-7.2
Question #: 86
Topic #: 1

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.

The administrator disabled the WebServer firewall policy.

Which IP address will be used to source NAT the traffic if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

  • A. 10.200.1.10
  • B. 10.0.1.254
  • C. 10.200.1.1
  • D. 10.200.3.1
Suggested Answer: C
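The scenario written out as a FortiOS CLI configuration, added here as an illustration; it is not the exhibit and not Fortinet's text. The VIP name "WebServer", its external address 10.200.1.10 mapped to 10.0.1.10, the policy name Full_Access and the policy IDs are assumptions reconstructed from the question and the discussion below. Lines starting with `#` are commentary, not CLI input. The `diagnose debug flow` commands at the end are the check a practitioner would run to see which address the FortiGate actually uses for source NAT, rather than reasoning it out from the policy table.

```fortios
# Added example, not the exhibit. Assumed names/IDs: VIP "WebServer"
# (extip 10.200.1.10 -> mappedip 10.0.1.10), policy 1 "Full_Access",
# policy 2 "WebServer". Lines starting with # are commentary.

config firewall vip
    edit "WebServer"
        set extintf "port1"
        set extip 10.200.1.10
        set mappedip "10.0.1.10"
        # no portforward: a one-to-one (static NAT) VIP
    next
end

config firewall policy
    edit 1
        set name "Full_Access"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        # no ippool: SNAT falls back to the port1 address 10.200.1.1
    next
    edit 2
        set name "WebServer"
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "WebServer"
        set schedule "always"
        set service "HTTP"
        set status disable
        # disabled: the VIP is no longer referenced by an active policy,
        # so its extip is not used when 10.0.1.10 is source-NATed outbound
    next
end

# Verification: trace the SSH session from 10.0.1.10 to 10.200.3.1
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.1.10
diagnose debug flow filter daddr 10.200.3.1
diagnose debug flow filter port 22
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# Start the SSH connection from 10.0.1.10 now. With policy 2 disabled
# the trace reports a translation line of the form
#   SNAT 10.0.1.10->10.200.1.1:<port>
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# Counter-check: re-enable policy 2, clear the existing session from
# 10.0.1.10 and repeat the trace; the translated source then becomes
# the VIP external address 10.200.1.10 instead of 10.200.1.1
config firewall policy
    edit 2
        set status enable
    next
end
diagnose sys session filter src 10.0.1.10
diagnose sys session clear
```

The practical point of the counter-check is that the VIP-based source NAT is implicit: nothing in policy 1 says "use 10.200.1.10", yet the public source address that 10.0.1.10 presents changes between 10.200.1.10 and 10.200.1.1 depending on whether the inbound WebServer policy is enabled. Any remote-side allowlist keyed on one of those addresses breaks when that policy's state changes, so the trace (or the session's post-NAT source in `diagnose sys session list`) is what to verify, not the policy table alone.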

Comments

Gorgoyle
Highly Voted 1 year, 8 months ago
Selected Answer: C
If the WebServer firewall policy were active it would be A, because SNAT changes it to 10.200.1.10 due to the VIP. But the correct answer is C due to the disabled WebServer firewall policy. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947
upvoted 12 times
raydel92
1 year, 7 months ago
Even if the WebServer firewall policy were active, C would be the correct answer. This traffic is coming from LAN to WAN, so the match is in the first policy, which has NAT enabled, so it uses the outgoing interface IP address.
upvoted 13 times
ccnax2
Highly Voted 1 year, 9 months ago
Selected Answer: A
SNAT changes it to 10.200.1.10 due to VIP.
upvoted 6 times
ccnax2
1 year, 9 months ago
Disregard. Correct is C due to the disabled WebServer firewall policy.
upvoted 5 times
MrSherman
1 year, 6 months ago
Disabling the policy of the VIP does not deactivate the VIP. On a VIP called one-to-one, or with no port forwarding assigned, the external IP address will be used to SNAT the internal IP address. Try it in a lab.
upvoted 2 times
DC095
1 year, 5 months ago
The caveat is that there has to be an active firewall policy with the VIP as the destination address object for the external VIP to be used in SNAT as well.
upvoted 4 times
Deep_Purple
1 year, 9 months ago
You are correct. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947
upvoted 3 times
alaaomar1985
1 year, 4 months ago
The VIP entry must be referenced in at least one firewall policy in order to use VIP's external IP for performing SNAT.
upvoted 3 times
[Removed]
1 year, 3 months ago
Selected Answer: C
FortiGate Security 7.2 Study Guide, pg. 112: if the policy with the VIP is disabled, FG will not use it for SNAT purposes.
upvoted 2 times
GeniusA
1 year, 4 months ago
C is a valid response
upvoted 1 times
yxpoh
1 year, 4 months ago
C. FortiGate Security 7.2 Study Guide, pg. 112: if the policy with the VIP is disabled, FG will not use it for SNAT purposes. Therefore the alternative would be the NAT rule used in Full_access, which, since there is no pool specified, will be PAT using the egress interface IP of 10.200.1.1.
upvoted 2 times
alaaomar1985
1 year, 4 months ago
The VIP entry must be referenced in at least one firewall policy in order to use VIP's external IP for performing SNAT.
upvoted 1 times
[Removed]
1 year, 5 months ago
Selected Answer: C
VIPs are DNAT, and this traffic is originating from LAN to WAN, which would then use SNAT if enabled on the firewall policy.
upvoted 2 times
MtoE
1 year, 5 months ago
Selected Answer: A
ChatGPT answer (XD): "Disabling a security policy on a Fortigate device will not deactivate the NAT VIP configured in it. The VIP will still translate traffic regardless of the policy being disabled. The security policy and NAT VIP are separate configurations on the Fortigate device, and disabling the security policy will not affect the operation of the NAT VIP"
upvoted 1 times
alaaomar1985
1 year, 4 months ago
The VIP entry must be referenced in at least one firewall policy in order to use VIP's external IP for performing SNAT.
upvoted 1 times
Hummer1
1 year, 6 months ago
Selected Answer: C
The question is about SNAT, so the LAN to WAN rule: if traffic is destined from the LAN to the WAN then it would NAT out over the WAN IP, or if an IP pool were present it would NAT out over that. DNAT is inbound WAN to LAN, so incoming traffic sent towards the VIP rule would be affected by that NAT. I think the correct answer is C.
upvoted 1 times
Sfeleka
1 year, 6 months ago
Selected Answer: C
C is the correct answer.
upvoted 1 times
MrSherman
1 year, 6 months ago
Selected Answer: A
10.0.1.10 has been NATed to 10.200.1.10 as one-to-one NAT. Disabling the VIP policy does not deactivate the VIP.
upvoted 1 times
MrSherman
1 year, 6 months ago
CORRECTION, C is the right one because the VIP policy is disabled.
upvoted 1 times
raydel92
1 year, 7 months ago
Selected Answer: C
C. 10.200.1.1. Traffic is coming from LAN to WAN and matches policy Full_Access, which has NAT enabled, so traffic uses the source IP address of the outgoing interface. Simple SNAT. Reference and download the study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 3 times
kittituch01
1 year, 8 months ago
Selected Answer: C
C is correct
upvoted 3 times
Retro
1 year, 8 months ago
Selected Answer: C
NAT enabled will use the outgoing interface address.
upvoted 3 times
[Removed]
1 year, 8 months ago
Selected Answer: A
Correct answer: A
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other