Agreed.
(pg 238) "Captive portal, for both wired and Wi-Fi networks, is enabled at the interface level—regardless of the firewall policy that allows it or the port that it ultimately leaves by (authentication being enabled or disabled on the policy is not a factor).
(pg 239)...Restricted Groups: Only groups configured under the Admission Control section can successfully authenticate and access resources."
D is correct. Because port3 has captive portal enabled for HR group, no matter which destination they try to reach, they will have to authenticate.
A) There is no fall-through policy because "auth-on-demand always"
B) Sales group will authenticate ONLY if they try to go to internet through wan1. If Sales group traffic enters port3 but with destination different from wan1, then they will not have to authenticate.
C) Authentication is enforced at a policy level only for Sales group and, again, ONLY if they try to reach internet through wan1.
I think the key here is the wording "when traffic arrives".
If you're using policy based authentication (with auth-on-demand set to enable AND you have a policy with active authentication enabled), Fortinet says "traffic is allowed until authentication is successful."
But, if you authenticate through the interface, "all devices must authenticate before they are allowed to access any resources."
Let alone that they say "Captive portal, for both wired and Wi-Fi networks, is enabled at the interface level—regardless of the firewall policy that allows it or the port that it ultimately leaves by (authentication being enabled or disabled on the policy is not a factor)."
FortiGate Security 7.0 pg 243
FortiGate Security 7.0 pg 248-249
Yeah I've gone back through this and I think it's C.
Because authentication is set at the interface, everyone will be prompted and HR will be granted access.
I think C. The question is not asking who will be granted access but rather what will happen when someone tries to access. They will all be prompted but only HR will be granted. The rest will fail.
Answer is C. D cannot be correct. Yes only HR can successfully authenticate, but the FortiGate doesn't know if you are HR until you authenticate. ALL users will be prompted to authenticate, only HR will be allowed access.
I vote for C. Auth is enforced in policy, but also on interface so because of this all users will have to authenticate.
D I think is not ok because it says to authenticate with credentials, but the method used is based on certificates.
A is the correct Answer because as pointed out by all;
configure on Fortigate:
- captive portal authentication required
- Authentication failed message for Sales users
- Authentication success for HR users
- second policy used by HR users
I vote for C because,
Captive Portal is activated on interface level, All Users will be prompted for authentication but only members of HR group will authenticate successfully. Because of this formulation I think D is not correct
Interface : All Users will Be prompted HR group -->pass
Policy : If HR group User is member of sales group too --> pass
I tell you that I did a test, what I saw is that the configuration made in config user settings has less priority in relation to the configuration made in the captive portal of the interface. After my experiment I can determine that the answer is the letter D because it authenticates with the HR group and for the traffic to go out it matches the auth users policy.
For my understanding, the best practice is to have the same groups on both the interface and on the policies. Is that right? In the described scenario, what will happen? The Sales team is not explicitly included in the interface, so I think that they will never authenticate.