Exam NSE4_FGT-7.2 topic 1 question 52 discussion

A is correct. NAT on the policy means the source gets translated from 10.200.3.1 to 10.0.1.254. The VIP performs DNAT which changes the destination from 10.200.1.10 to 10.0.1.10. Then port forwarding translates the port from 10443 to 443.

The correct answer is A because this rule is set-up with BOTH SNAT and DNAT enabled (which is very uncommon in the real world.) The Destination is a VIP with Port Forwarding which means the FortiGate has to translate the incoming requests destination IP and port to the internal resource's IP and port. Thus destination translation occurs from 10.200.1.1:10443 to 10.0.1.10:443. The firewall rule itself also has NAT set to Enabled. The default setting for this type of source NAT is 'Use Outgoing Interface Address' (in this case port3's IP) and, given the options, this must be set in this case. Thus source translation occurs from 10.200.3.1 to 10.0.1.254. For more information see: https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/

The question is missing some information, I think they cut off something. You do not see the IPPool field, which normally is before NAT. So this could be nat'ing to an IPPool, the interface, or anything. A would be the best answer but know that this may not be true in the real world or even on the exam. (This exam is eol anyways)

A is the correct answer

A nat is enable

Default NAT used, will use the outgoing port ip when packet exits the firewall.

default NAT is used, so the source will be using the outgoing port ip. A is the correct answer.

C is correct IP Header usually does not change the src-ip and dst-ip address for any packet end-to-end but since we have NAT it will just translate the dst-ip so the correct answer should be C

C is correct. DNAT takes precedent on the incoming traffic, and no rule is configured to translate incoming traffic to the port 3 address.

A. 10.0.1.254, 10.0.1.10, and 443, respectively Translations: 10.200.3.1 --> 10.0.1.254 because NAT enable in firewall policy 10.200.1.10 --> 10.0.1.10 because VIP as Destination 10443 --> 443 because Port Forwarding enabled on VIP Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

A is the right answer The policy has NAT enabled, so the original IP is NATted using the outgoing interface IP address

Correct answer: A

Lab tested.

C for sure. If IP pool is used, NAT column should show the IP pool name. NAT column will show

C for sure. If IP pool is used, NAT column should show the IP pool name. NAT column will show enabled even when VIP is configured at destination.

Definitely C, DNAT does not change source IP address, only destination - tried it several times.

should C