
Exam NSE4_FGT-7.2 topic 1 question 38 discussion

Actual exam question from Fortinet's NSE4_FGT-7.2
Question #: 38
Topic #: 1

Refer to the exhibits.
The exhibits show a network diagram and firewall configurations.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.


In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

  • A. Disable match-vip in the Deny policy.
  • B. Set the Destination address as Webserver in the Deny policy.
  • C. Enable match-vip in the Deny policy.
  • D. Set the Destination address as Deny_IP in the Allow_access policy.
Suggested Answer: BC
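The two suggested changes written out as FortiOS CLI, added here as an illustration; it is not the exhibit and not text from Fortinet's documentation. The object names Deny_IP, Webserver and Allow_access come from the question; the policy IDs, the interface names port1/port2 and the assumption that Webserver is a VIP object are assumptions, and the lines beginning with # are annotations, not CLI syntax. What it shows: a deny policy created with defaults has a destination of "all" and match-vip disabled, so it does not match sessions whose destination is a VIP and those sessions fall through to Allow_access. Either enabling match-vip (option C) or naming the VIP object as the destination (option B) makes the deny policy match, as long as it is ordered above Allow_access.

```fortios
# Deny policy as created with default settings: destination "all" and
# match-vip disabled, so traffic to the VIP is never matched here.
config firewall policy
    edit 1
        set name "Deny_Remote-User2"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Deny_IP"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip disable
    next
end

# Option C: keep destination "all" but let the deny policy match VIP traffic.
config firewall policy
    edit 1
        set match-vip enable
    next
end

# Option B: reference the VIP object itself as the destination instead.
config firewall policy
    edit 1
        set dstaddr "Webserver"
    next
end
```

Either change on its own is enough; both can be applied together. Because policies are evaluated top-down and the first match wins, the deny policy must sit above Allow_access (use `move <deny-id> before <allow-id>` inside `config firewall policy` if it does not), otherwise Remote-User2 is still matched by the allow rule first.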

Comments

6600d98
3 weeks ago
Selected Answer: BC
Very tricky question. The question is "which two changes can the administrator make to deny Webserver access for Remote-User2". To achieve this, NO action is needed for the in-place configuration; both A and D simply do not make sense, while B and C also achieve the result needed, so the right answer is BC.
upvoted 1 times
6600d98
3 weeks ago
... no action is needed due to the order of the policies
upvoted 1 times
MengtingLiang
1 year ago
BC. But what if you want the first policy to block all incoming traffic to all destinations, including the traffic destined to any VIPs? This is useful if your network is under attack and you want to temporarily block all incoming external traffic. You can do this by enabling match-vip on the first firewall policy. In case you want to block only traffic destined to one or more VIPs, you can reference the VIPs as the destination address on the deny firewall policy.
upvoted 1 times
AMK2ENG
1 year, 4 months ago
B. Set the Destination address as Webserver in the Deny policy. C. Enable match-vip in the Deny policy.
upvoted 1 times
GeniusA
1 year, 4 months ago
B. Set the Destination address as Webserver in the Deny policy. C. Enable match-vip in the Deny policy.
upvoted 1 times
CISUG
1 year, 6 months ago
Answer is BC. See the link below for an explanation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641
upvoted 1 times
Slash_JM
1 year, 7 months ago
Selected Answer: BC
FortiGate Security 7.2 Study Guide p.114
upvoted 2 times
raydel92
1 year, 7 months ago
Selected Answer: BC
B. Set the Destination address as Webserver in the Deny policy. C. Enable match-vip in the Deny policy. Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times
AgentSmith
1 year, 10 months ago
BC
A. Disable match-vip in the Deny policy. - No, because you want to match destination IP 203.0.113.22
B. Set the Destination address as Webserver in the Deny policy. - Yes - Source Remote_user2, dest Webserver (203.0.113.22). - Best practice is to be explicit
C. Enable match-vip in the Deny policy. - allows the policy to match the Webserver - VIP IPs
D. Set the Destination address as Deny_IP in the Allow_access policy. - No, because we want to block Remote_user2
upvoted 3 times
Knowledge33
1 year, 7 months ago
You're correct on the answers, it's B and C. But the explanation is wrong. B is correct because we use destination NAT. Then in the firewall rule, we need to match the private IP of the server and not the public IP. That's why B is correct but not D. When FG receives a packet, it performs the DNAT first, then the firewall rule checking.
upvoted 2 times
Libexec
2 years ago
Selected Answer: BC
Correct
upvoted 1 times
emacip23
2 years ago
Selected Answer: BC
B and C
upvoted 1 times
zheka
2 years, 1 month ago
You are wrong with D. Look and read carefully this Fortinet guide, i.e. FortiGate_Security_7.2_Study_Guide, namely page 114. It says: In case you want to block only traffic destined to one or more VIPs, you can reference the VIP as the destination address in the deny firewall policy. The key here is the Deny policy, not the Allow policy.
upvoted 3 times
lrnt
2 years, 1 month ago
C and D - match-vip in the deny policy needs to be enabled (set match-vip enable) or the destination address needs to be the VIP object (set dstaddr "VIP object")
upvoted 2 times
claumagagnotti
2 years, 1 month ago
Selected Answer: CD
Because they only want to block one public IP
upvoted 1 times
Poseidon458
2 years, 3 months ago
Selected Answer: BC
Answer should be BC. It makes sense that the destination address be the Webserver, which needs to be denied for the IP Deny_IP.
upvoted 4 times
efot
2 years, 3 months ago
Selected Answer: BC
Answer should be BC
upvoted 2 times
chromevandium11
2 years, 3 months ago
Selected Answer: BC
Answer should be BC.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other