Exam NSE7_EFW-7.2 topic 1 question 28 discussion

enable, so answer is B. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. From FortiOS CLI Reference : https://docs.fortinet.com/document/fortigate/7.2.0/cli-reference/319620/config-firewall-ssl-ssh-profile

The set sni-server-cert-check enable command ensures that FortiGate validates the Server Name Indication (SNI) in the SSL/TLS handshake. If the SNI provided by the client does not match the Common Name (CN) or any of the Subject Alternative Names (SAN) in the server's certificate, FortiGate considers the SSL/TLS configuration invalid and terminates the connection. This is a security measure to prevent potential mismatches or man-in-the-middle attacks.

Further inspection strict not enable would close the connection page 238 explains this. The question is phrased poorly and so are the answers. If the sni does not match then it uses the domain in the cn.

Questions asks what action when the sni does not match the cn nor san of a certificste. The fortigate should block it.

B is correct Study Guide p238

D is correct. Read the question. CN does not match.

The Correct answer i B as detailed on page 238 in the Study Guide.

Answer B p238

study guide page 238

If the domain in the SNI field does not match any of the domains listed in the CN and SAN fields, FortiGate uses the domain in the CN field instead of the domain in the SNI field.

answer is B : Enterprise_Firewall_7.2_Study_Guide-Online.pdf / p 238