When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate. Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)
Page 186
When a certificate fails for any of the reasons above, you can configure any of the following actions:
• Keep untrusted & Allow: FortiGate allows the website and lets the browser decide the action to take.
FortiGate takes the certificate as untrusted.
• Block: FortiGate blocks the content of the site.
• Trust & Allow: FortiGate allows the website and takes the certificate as trusted.
I believe A is incorrect. Page 186 of the study guide does not contain the word "warning" anywhere on it.
I take "Warning" in this context to mean that FortiGate would supply a warning. That is not what happens. If you set it to "Keep untrusted and allow" then the BROWSER will generate the warning, NOT FortiGate.
A: Allow & Warning (Keep Untrusted & Allow)
B: Trust & Allow
E: Block
When a certificate fails for any of the reasons above, you can configure any of the following actions:
• Keep Untrusted & Allow: FortiGate allows the website and lets the browser decide the action to take.
FortiGate takes the certificate as untrusted.
• Block: FortiGate blocks the content of the site.
• Trust & Allow: FortiGate allows the website and takes the certificate as trusted.
A: Allow & Warning (Keep Untrusted & Allow)
B: Trust & Allow
E: Block
When a certificate fails for any of the reasons above, you can configure any of the following actions:
• Keep Untrusted & Allow: FortiGate allows the website and lets the browser decide the action to take.
FortiGate takes the certificate as untrusted.
• Block: FortiGate blocks the content of the site.
• Trust & Allow: FortiGate allows the website and takes the certificate as trusted.
The three valid actions FortiGate can perform when it detects an invalid certificate are:
C. Allow
E. Block
A. Allow & Warning
Let's break down why the others aren't standard options in this context:
B. Trust & Allow: "Trust" generally implies adding the certificate to a trusted store. While you can import certificates for legitimate purposes, automatically trusting an invalid certificate defeats the purpose of inspection and introduces a significant security risk.
D. Block & Warning: While "Block" is a valid action, FortiGate typically presents the warning before the block (if configured to warn). So, "Block & Warning" isn't usually presented as a distinct action choice in the same way as "Allow & Warning." The warning is often a precursor to a block or an option alongside allowing.
Therefore, the three primary actions you'll typically see for handling invalid certificates during FortiGate full inspection are Allow, Block, and Allow with a Warning to the user.
Ref: Admin guide https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/709167/configuring-an-ssl-ssh-inspection-profile
An Allow & Warning choice DOES NOT exist, based on other answers from other users on this question.
The correct one is "simple allow" as untrusted, following the admin guide.
ABE
According to page 186 of the study guide, it states:
Keep Untrusted and Allow
Block
Trust and Allow
For A: Allow and Warning would be the same as Keep Untrusted and Allow, because the warning shows that it is untrusted but you are able to continue.
With B and E stating to either block the content or trust the website and gain access.
Page 186 of the study guide never stated any other actions from C and D from what I can see in the options.
BCE
• Keep Untrusted & Allow: Allow the server certificate and keep it untrusted.
• Block: Block the certificate.
• Trust & Allow: Allow the server certificate and re-sign it as trusted.
(page 1966, FortiOS Administrator Guide)
Options available:
Trust and Allow (FortiGate marks the certificate as trusted)
Keep untrusted and allow / allow (FortiGate allows the traffic and lets the browser decide)
Block (FortiGate blocks the connection)
With invalid certificates the options are Allow, Block or Custom. In custom, you can either select: Trust & Allow, Keep Untrusted and Allow, Block. So BCE is correct.
I'd go with BCE because on FortiGate it says "Keep untrusted & Allow", "Block", "Trust & Allow".
With "Keep untrusted & Allow", FortiGate allows it and does NOT display a warning but lets the browser decide. I'd associate the FortiGate setting "Keep untrusted & allow" with "Allow" from the question (Option C). Anything else doesn't make sense. Since there's no warning displayed in any allow situation, A doesn't make sense and since Block & Warning doesn't exist, it has to be B for this. The other two (Trust & Allow, Block) are the exact same words as written in the question, so it can only be B, C, E.