Interface LAN(Pport3)is configured to authenticate and only allow HR to access, so the correct answer is D. " All users will be prompted for authentication, users from the HR group can authenticate successfully with the correct credentials"

i think the firewall policy and the cli user setting are not relevant for the question, its about the authentication at port level so only HR will be allowed --> answer D After that no one will get access because the firewall policy without authentication will never hit.

D is correct

Captive Portal on Port 3

Active Authentication Behaviour in Security Study Guide - page 165. this suggests the auth-on-demand makes the answer B.

I think D make sense

D is correct. from page 246 in Fortigate Security 7.0 Study Guide. Captive portal authendtication at interface level and is bypassing for specific policy with "set captive-portal-exempt enable" by CLI on policy edit mode.

ok this clearly needs clarification, correct answer is D, captive portal security enabled means all HTTP requests coming to the interface will return to the auth portal until successfully authenticated, therefore it will not even get to a policy lookup if the user didn't authenticate. D states that HR users can authenticate and are allowed, which is true, they can authenticate and the 2nd rule (in order of precedence) allows traffic for all local_subnet hosts.

the correct answer is B because the HR user group is not specified in the policies, therefore they will not be able to authenticate

The policy states the "sales" group. In the preview shows "HR" (so not the active policy) unless it maybe nested, I think it is C

Interface LAN(Pport3)is configured to authenticate and only allow HR to access