Exam NSE4_FGT-7.0 topic 1 question 83 discussion

Actual exam question from Fortinet's NSE4_FGT-7.0

Question #: 83
Topic #: 1

Refer to the exhibits.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the
Webserver. Remote-User2 must not able to access the Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

A. Set the Destination address as Deny_IP in the Allow_access policy.
B. Enable match-vip in the Deny policy.
C. Set the Destination address as Webserver in the Deny policy.
D. Disable match-vip in the Deny policy.

Show Suggested Answer

Suggested Answer: BC 🗳️

by h0p3l3ss at Sept. 3, 2022, 2:35 p.m.

Comments

Submit Cancel

h0p3l3ss

Highly Voted 1 year, 3 months ago

Selected Answer: BC

It should set match-vip enable, nor disable it... Reference:https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641

upvoted 15 times

...

theFrank198

Most Recent 9 months, 2 weeks ago

Selected Answer: BC

B and C

upvoted 1 times

...

Fabio6699

11 months ago

Selected Answer: BC

Answer is B & C. Enable match VIP and set as destination on policy ID 4

upvoted 2 times

...

PoBratsky

11 months ago

Selected Answer: BC

B and C is correct

upvoted 3 times

...

giulianorco

12 months ago

Selected Answer: BC

By default firewall address objects not match VIPs and match-vip is disabled on policy, The ALL in first policy not include any VIPs, so traffic skip the first policy and match Allow_access. The Admin have solution: 1. enable match-vip in in Deny policy 2. Set escplicitly in field destination of Deny policy address Webserver

upvoted 2 times

...