Exam FCP_FGT_AD-7.4 topic 1 question 40 discussion

Just confirmed the answer is A by replicating this config on my Fortigate. If you don't add DNS to the policy you just get a timeout and the browser cannot find the site. Once you add DNS you get a prompt that you must log in to access the internet. I think the confusing part of this question is that it reads as if the user is able to access the internet and is not being prompted. When in fact, they are not getting prompted AND they can't access the internet.

what if user account is not on remote-user?

A. The Service DNS is required in the firewall policy.

are correct, A

A. The Service DNS is required in the firewall policy. "DNS traffic can be allowed if user has not authenticated yet Hostname resolution is often required by the application layer protocol (HTTP/HTTPS/FTP/Telnet) that is used to authenticate DNS service must be explicity listed as a service in the policy" Reference: FortiGate 7.4 Administration Study Guide, page 115 (Firewall Policy - Service)

It cannot be B, also because the user is never promped to login.

A firewall policy also checks the service in order to transport the named protocols or group of protocols. No service (with the exception of DNS) is allowed through the firewall policy before successful user authentication. DNS is usually used by HTTP so that people can use domain names for websites, instead of their IP address. DNS is allowed because it is a base protocol and will most likely be required to initially see proper authentication protocol traffic. Hostname resolution is almost always a requirement for any protocol. However, the DNS service must still be defined in the policy as allowed, in order for it to pass. A is the correct answer

Page 115

A. page 115 in fortigate 7.4 admin guide