ExamTopics Logo
Mail Us[email protected]
Menu
Fortinet Discussions
exam questions

Exam NSE7_NST-7.2 All Questions

View all questions & answers for the NSE7_NST-7.2 exam
Go to Exam

Exam NSE7_NST-7.2 topic 1 question 1 discussion

Actual exam question from Fortinet's NSE7_NST-7.2
Question #: 1
Topic #: 1
[All NSE7_NST-7.2 Questions]

Consider the scenario where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate.
Which action will FortiGate take when using the default settings for SSL certificate inspection?

  • A. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
  • B. FortiGate uses the CN information from the Subject field in the server certificate.
  • C. FortiGate uses the first entry listed in the SAN field in the server certificate.
  • D. FortiGate uses the SNI from the user’s web browser.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by Cyn0wn at Dec. 11, 2024, 9:49 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Mothman619
1 month, 2 weeks ago
Selected Answer: B
The question specifies the default settings. Default setting is 'enable' for the SNI check which = using the CN in the server cert
upvoted 1 times
...
79cab4d
3 months ago
Selected Answer: B
https://docs.fortinet.com/document/fortigate/7.2.11/administration-guide/709167/configuring-an-ssl-ssh-inspection-profile: Server certificate SNI check Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable(default): If it is mismatched, use the CN in the server certificate for URL filtering.
upvoted 1 times
...
So190d
6 months, 2 weeks ago
Selected Answer: D
I took this exam but only about 10 out of 40 questions were in this list
upvoted 1 times
...
PabloSL
6 months, 3 weeks ago
Selected Answer: D
D, it will not look at CN or SAN while it can see the SNI
upvoted 1 times
...
Cyn0wn
7 months, 1 week ago
Selected Answer: D
FortiGate, by default, evaluates the SNI (Server Name Indication) field in the SSL/TLS handshake for certificate inspection. The SNI is compared against rules in the web filter or policies to determine access permissions or actions. It does not prioritize the CN (Common Name) field from the certificate unless explicitly configured to do so. This aligns with standard behavior where the SNI is used for identifying the target host when dealing with HTTPS traffic​ https://community.fortinet.com/t5/Support-Forum/website-access-problems/m-p/266814
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel