ExamTopics Logo
Mail Us[email protected]
Menu
Fortinet Discussions
exam questions

Exam NSE7_ZTA-7.2 All Questions

View all questions & answers for the NSE7_ZTA-7.2 exam
Go to Exam

Exam NSE7_ZTA-7.2 topic 1 question 30 discussion

Actual exam question from Fortinet's NSE7_ZTA-7.2
Question #: 30
Topic #: 1
[All NSE7_ZTA-7.2 Questions]

Which two statements are true regarding certificate-based authentication for ZTNA deployment? (Choose two.)

  • A. FortiGate signs the client certificate submitted by FortiClient.
  • B. The default action for empty certificates is block.
  • C. Certificate actions can be configured only on the FortiGate CLI.
  • D. Client certificate configuration is a mandatory component for ZTNA.
Show Suggested Answer Hide Answer
Suggested Answer: BD 🗳️
by saulcastellanos8 at April 7, 2024, 6:57 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
fottyfan
3 months, 2 weeks ago
I think it's BC I checked on a Fortigate, In the GUI there is no option in the ZTNA server config for certificate actions. It's only possible in the CLI with "set empty-cert-action" wich is also the only action you can configure
upvoted 1 times
...
lucient
5 months ago
Selected Answer: BC
I want to correct my previous answer. The right answe is B and C. Page 118. A is wrong. FortiGate doesn't sign any certificate. FortiClient EMS signs the certificate for FortiClient endpoint. B: BY DEFAULT, client certificate authentication is enabled on the access proxy policy and IT BLOCKS THE TRAFFIC IF THE CLIENT CERTIFICATE IS EMPTY. C: If you look at the slide, the command "set client-cert" has the "disable" option: Disable client certificate request. So, it's true that certificate actions can be configured on the FortiGate CLI. D is wrong: It says "By default", client certificate authentication is enabled on the access proxy policy. So, if there is a "default" mode, there must be another mode. And that other mode is "set client-cert disable". The "disable" option: Disable client certificate request.
upvoted 1 times
...
lucient
5 months ago
B and D are correct. Page 118. D: By default, client certificate authentication is enabled on the access proxy policy and it blocks the traffic if the client certificate is empty.
upvoted 1 times
...
Disposable_Me_2018
7 months, 1 week ago
Selected Answer: BD
Zero Trust Access 7.2 Study Guide p118 "By default, client certificate authentication is enabled on the access proxy policy and it blocks the traffic if the client certificate is empty. You can change the action using the CLI, if required." B is correct D is correct A is wrong I think C is wrong due to the wording implying that all certificate actions can only be configured on the GUI.
upvoted 2 times
Disposable_Me_2018
7 months ago
Correction. I meant "... on the CLI"
upvoted 1 times
...
...
kfaebu
8 months, 1 week ago
By default client certificate authentication is enabled on the access proxy and it block the traffic if the client certificate is empty, You can change the action using the CLI, if required. Study Page 118 i think its BC
upvoted 2 times
...
Fikachew
9 months, 1 week ago
Study guide page 118: By default client certificate authentication is enabled on the access proxy and it block the traffic if the client certificate is empty. You can change the action using the CLI, if required. Could be both BC, BD and CD...
upvoted 1 times
...
saulcastellanos8
9 months, 1 week ago
Selected Answer: BD
By default client certificate authentication is enabled on the access proxy and it block the traffic if the client certificate is empty
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago