Exam NSE4_FGT-7.2 topic 1 question 38 discussion

Actual exam question from Fortinet's NSE4_FGT-7.2
Question #: 38
Topic #: 1

Refer to the exhibits.
The exhibits show a network diagram and firewall configurations.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.


In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

  • A. Disable match-vip in the Deny policy.
  • B. Set the Destination address as Webserver in the Deny policy.
  • C. Enable match-vip in the Deny policy.
  • D. Set the Destination address as Deny_IP in the Allow_access policy.
Suggested Answer: CD

Comments

MengtingLiang
2 weeks, 6 days ago
BC. But what if you want the first policy to block all incoming traffic to all destinations, including the traffic destined to any VIPs? This is useful if your network is under attack, and you want to temporarily block all incoming external traffic. You can do this by enabling match-vip on the first firewall policy. In case you want to block only traffic destined to one or more VIPs, you can reference the VIPs as the destination address on the deny firewall policy.
upvoted 1 times
AMK2ENG
4 months, 4 weeks ago
B. Set the Destination address as Webserver in the Deny policy. C. Enable match-vip in the Deny policy.
upvoted 1 times
GeniusA
5 months ago
B. Set the Destination address as Webserver in the Deny policy. C. Enable match-vip in the Deny policy.
upvoted 1 times
CISUG
6 months, 3 weeks ago
Answer is BC; see the link below for an explanation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641
upvoted 1 times
Slash_JM
7 months, 4 weeks ago
Selected Answer: BC
FortiGate Security 7.2 Study Guide p.114
upvoted 2 times
raydel92
8 months, 1 week ago
Selected Answer: BC
B. Set the Destination address as Webserver in the Deny policy. C. Enable match-vip in the Deny policy. Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 1 times
AgentSmith
10 months, 4 weeks ago
BC
A. Disable match-vip in the Deny policy. - No, because you want to match destination IP 203.0.113.22
B. Set the Destination address as Webserver in the Deny policy. - Yes - Source Remote_user2, dest Webserver (203.0.113.22). - Best practice is to be explicit
C. Enable match-vip in the Deny policy. - allows policy to match the Webserver - VIP IPs
D. Set the Destination address as Deny_IP in the Allow_access policy. - No, because we want to block Remote_user2
upvoted 3 times
Knowledge33
7 months, 2 weeks ago
You're correct on the answers, it's B and C. But the explanation is wrong. B is correct because we use destination NAT. Then in the firewall rule, we need to match the private IP of the server and not the public IP. That's why B is correct but not D. When FG receives a packet, it performs first the DNAT, then firewall rules checking.
upvoted 2 times
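The exchange above (DNAT before policy lookup, and a deny policy that only sees VIP traffic when match-vip is enabled or the VIP object is its destination) as an added simulation, not FortiOS code and not part of the original thread. All IP addresses and Remote-User1's source address are constructed; the object names Deny_IP, Webserver and Allow_access are reused from the question as labels.

```python
"""Constructed model of FortiGate deny-policy matching against VIP traffic.
Simplified for illustration: it is not FortiOS source and covers only the
address/VIP match, not interfaces, services or schedules."""
from dataclasses import dataclass

# Constructed address objects: name -> set of member IPs (None = any address)
ADDRESSES = {"all": None, "Deny_IP": {"10.0.2.10"}}
# Constructed VIP: external 203.0.113.22 mapped to internal 10.0.1.10
VIPS = {"Webserver": {"extip": "203.0.113.22", "mappedip": "10.0.1.10"}}
REMOTE_USER1, REMOTE_USER2 = "10.0.2.5", "10.0.2.10"   # constructed source IPs

@dataclass
class Policy:
    name: str
    action: str              # "accept" or "deny"
    srcaddr: str = "all"
    dstaddr: str = "all"
    match_vip: bool = False  # FortiOS default for a new policy is disable

def addr_matches(obj: str, ip: str) -> bool:
    """Match a (post-DNAT) IP against an address object or VIP object name."""
    if obj in VIPS:
        return VIPS[obj]["mappedip"] == ip
    members = ADDRESSES[obj]
    return members is None or ip in members

def lookup(policies: list[Policy], src_ip: str, dst_ip: str) -> str:
    """Return the name of the first matching policy, or 'implicit-deny'."""
    vip = next((v for v in VIPS.values() if v["extip"] == dst_ip), None)
    dst = vip["mappedip"] if vip else dst_ip   # DNAT is applied before policy lookup
    for p in policies:
        if not addr_matches(p.srcaddr, src_ip):
            continue
        # A deny policy skips VIP traffic unless match-vip is on or the VIP is referenced
        if vip and p.action == "deny" and not p.match_vip and p.dstaddr not in VIPS:
            continue
        if addr_matches(p.dstaddr, dst):
            return p.name
    return "implicit-deny"

def scenario(deny: Policy, allow_dst: str = "all") -> tuple[str, str]:
    """Evaluate Remote-User1 and Remote-User2 against [deny policy, Allow_access]."""
    policies = [deny, Policy("Allow_access", "accept", "all", allow_dst)]
    target = VIPS["Webserver"]["extip"]
    return lookup(policies, REMOTE_USER1, target), lookup(policies, REMOTE_USER2, target)

# Deny policy with default settings (dst "all", match-vip off) lets Remote-User2 through;
# enabling match-vip or setting dst to the Webserver VIP denies only Remote-User2;
# option D (Allow_access dst Deny_IP) leaves both users at the implicit deny.
```

Run `scenario(Policy("Deny", "deny", "Deny_IP"))` and the match-vip / Webserver-destination variants to compare the four outcomes.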
Libexec
1 year ago
Selected Answer: BC
Correct
upvoted 1 times
emacip23
1 year ago
Selected Answer: BC
B and C
upvoted 1 times
zheka
1 year, 1 month ago
You are wrong with D. Look and read carefully this Fortinet guide, i.e. FortiGate_Security_7.2_Study_Guide, namely page 114. It says: In case you want to block only traffic destined to one or more VIPs, you can reference the VIP as the destination address in the deny firewall policy. The key here is the Deny policy, not the Allow policy.
upvoted 3 times
lrnt
1 year, 1 month ago
C and D - match-vip in the deny policy needs to be enabled (set match-vip enable) or the destination address needs to be the VIP object (set dstaddr "VIP object")
upvoted 2 times
claumagagnotti
1 year, 2 months ago
Selected Answer: CD
Because they only want to block one public IP
upvoted 1 times
Poseidon458
1 year, 3 months ago
Selected Answer: BC
Answer should be BC. It makes sense that the destination address be the webserver which needs to be denied for IP Deny_IP
upvoted 4 times
efot
1 year, 4 months ago
Selected Answer: BC
Answer should be BC
upvoted 2 times
chromevandium11
1 year, 4 months ago
Selected Answer: BC
Answer should be BC.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other