Exam NSE4_FGT-7.2 topic 1 question 61 discussion

Actual exam question from Fortinet's NSE4_FGT-7.2
Question #: 61
Topic #: 1

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.





If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

  • A. 10.0.1.254, 10.0.1.10, and 443, respectively
  • B. 10.0.1.254, 10.200.1.10, and 443, respectively
  • C. 10.200.3.1, 10.0.1.10, and 443, respectively
  • D. 10.0.1.254, 10.0.1.10, and 10443, respectively
Suggested Answer: A

Comments

raydel92
Highly Voted 1 year, 1 month ago
Selected Answer: A
A. 10.0.1.254, 10.0.1.10, and 443, respectively
Question repeated with Q52
Translations:
10.200.3.1 --> 10.0.1.254 because NAT enabled in firewall policy
10.200.1.10 --> 10.0.1.10 because VIP as Destination
10443 --> 443 because Port Forwarding enabled on VIP
Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 9 times
...
Timbal
Highly Voted 1 year, 4 months ago
Is this question the same as #52, but here are the 4 answer options?
upvoted 6 times
[Removed]
1 year, 4 months ago
exactly!
upvoted 1 times
...
...
Redrum702
Most Recent 5 months, 3 weeks ago
Key phrase: After the FortiGate forwards the packet to the destination which means NAT was completed - Answer is A.
upvoted 1 times
...
rpaleto
10 months, 1 week ago
Selected Answer: A
Ans. A it's correct
upvoted 3 times
...
AMK2ENG
10 months, 2 weeks ago
The correct answer is: B. 10.0.1.254, 10.200.1.10, and 443, respectively
Explanation:
The source address of the packet will be the LAN (port3) interface IP address, which is 10.0.1.254.
The destination address of the packet will be the VIP (Virtual IP) address, which is 10.200.1.10.
The destination port of the packet will be the VIP's port, which is 443.
upvoted 2 times
...
cerifyme85
10 months, 4 weeks ago
I think the question is asking about post-NAT IP addresses and ports? Then A. If they were asking for pre-NAT, then C. Question needs to be clearer though.
upvoted 1 times
...
lliu27
11 months, 1 week ago
C. SNAT only applies from LAN to WAN, not both ways.
upvoted 2 times
...
wwwwaaaa
11 months, 3 weeks ago
Selected Answer: C
security guide P112, check the example there
upvoted 3 times
...
costavo
1 year ago
A. 10.0.1.254, 10.0.1.10, and 443, respectively
upvoted 1 times
...
samael666
1 year ago
Selected Answer: C
Change the source IP address of the outgoing traffic; in the other way, the change goes for the destination.
upvoted 1 times
...
Vic2911
1 year, 1 month ago
Selected Answer: A
Correct answer is A. On the security policy NAT is enabled, and by default the firewall performs NAT using the outgoing interface address.
upvoted 1 times
...
Leodoro
1 year, 2 months ago
Selected Answer: A
Answer is A. SNAT and DNAT are both active. We don't see the IP pool of SNAT, but it has to be another IP than the original. The only logical answer is A.
upvoted 1 times
...
JakubCh
1 year, 3 months ago
Selected Answer: A
There is SNAT configured on firewall policy. That's why it is A.
upvoted 3 times
...
NiciExam
1 year, 3 months ago
Selected Answer: A
It is A
upvoted 2 times
...
imwatever
1 year, 3 months ago
Selected Answer: A
Lab tested.
upvoted 2 times
...
Alwie
1 year, 4 months ago
Selected Answer: C
NAT only operates in one direction at a time. For inbound traffic, only the DNAT will apply, as the original source has to be preserved so that traffic can be routed back, so C.
upvoted 2 times
Garry_G
1 year, 1 month ago
The incoming policy has explicit source nat enabled (last column), so any incoming session will use the destination interface IP as snat IP. And of course both SNAT and DNAT can be used together ... have used it before when I needed to ensure returning traffic to get back to the right FW when the same external source could be coming over two different firewalls / locations (redundancy situation)
upvoted 1 times
...
...
erawemk
1 year, 4 months ago
Selected Answer: C
The correct option is C because the external source IP is never translated, only the server address that is behind the FortiGate, so A option is wrong. The NAT enabled in the firewall policy indicates that egress traffic is translated using the VIP address (10.200.1.10) and not using the 10.200.1.1 (port1 of FortiGate). Please see NSE4_FortiGate_Security_7.2_Study_Guide page 97 and 110.
upvoted 4 times
erawemk
1 year, 4 months ago
Correction!! When you use a secondary IP or IP Pool for VIP (not the outgoing interface IP), FortiGate sends traffic from internal port2 to web server. I checked it on my own lab. To have an idea, someone in question 52 shared this link: https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/
Correct answer is A (what a tricky question, huh?)
upvoted 3 times
...
...
Community vote distribution: A (35%), C (25%), B (20%), Other
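The thread above turns on whether policy NAT (SNAT) is applied together with the VIP's port forwarding (DNAT), and on how replies still find their way back. The following is an added example, not part of the original discussion and not Fortinet code: a toy model of the two translations with a session table for the reverse path. The VIP mapping uses the values quoted in the comments (the exhibit is not reproduced on this page); the client source port 50000 and all class and function names are assumptions.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class Vip(NamedTuple):
    ext_ip: str
    ext_port: int
    mapped_ip: str
    mapped_port: int

# Mapping as quoted in the comments (the exhibit itself is not on the page).
VIP = Vip("10.200.1.10", 10443, "10.0.1.10", 443)
# Constructed sample SYN; the client source port 50000 is an assumption.
SYN = Packet("10.200.3.1", 50000, "10.200.1.10", 10443)

class Firewall:
    """Toy model, not FortiOS code: VIP DNAT plus optional policy SNAT."""

    def __init__(self, vip: Vip, egress_ip: str, policy_nat: bool):
        self.vip, self.egress_ip, self.policy_nat = vip, egress_ip, policy_nat
        self.sessions = {}  # reply tuple as sent by the server -> original packet

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Translate a client packet arriving on the WAN side."""
        if (pkt.dst, pkt.dport) != (self.vip.ext_ip, self.vip.ext_port):
            return None  # no VIP match: this model simply drops the packet
        # DNAT with port forwarding: external IP/port -> mapped IP/port.
        out = pkt._replace(dst=self.vip.mapped_ip, dport=self.vip.mapped_port)
        if self.policy_nat:
            # SNAT to the egress interface IP (source port kept for simplicity).
            out = out._replace(src=self.egress_ip)
        # Record how the server's reply will look so both NATs can be undone.
        self.sessions[Packet(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate the server's reply using the session entry."""
        orig = self.sessions.get(pkt)
        if orig is None:
            return None  # unsolicited packet: no session, nothing to translate
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)
```

With `policy_nat=True` and egress IP 10.0.1.254 the forwarded SYN matches option A; with `policy_nat=False` only the destination changes, which is the outcome described by option C.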