Exam NSE4_FGT-7.2 topic 1 question 4 discussion

Actual exam question from Fortinet's NSE4_FGT-7.2
Question #: 4
Topic #: 1

An administrator has configured a strict RPF check on FortiGate.
How does strict RPF check work?

  • A. Strict RPF allows packets back to sources with all active routes.
  • B. Strict RPF checks the best route back to the source using the incoming interface.
  • C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
  • D. Strict RPF check is run on the first sent and reply packet of any new session.
Suggested Answer: B

Comments

moutaz1983
Highly Voted 2 years ago
Answer should be (B). The strict RPF check ensures the best route back to the source is used as the incoming interface.
upvoted 14 times
...
Wrath4980
Highly Voted 1 year, 1 month ago
Selected Answer: B
According to FortiGate_Infrastructure_7.2_Study_Guide page 40: Strict: In this mode, FortiGate also verifies that the matching route is the best route in the routing table. That is, if the route in table contains a matching route for the source address and the incoming interface, but there is a better route for the source address through another interface, the RPF check fails.
upvoted 6 times
...
yihqgzg
Most Recent 2 months, 3 weeks ago
B. Strict RPF checks the best route back to the source using the incoming interface. FortiGate Infrastructure 7.2 Study Guide (p.41): "Strict: In this mode, FortiGate also verifies that the matching route is the best route in the routing table. That is, if the routing table contains a matching route for the source address and incoming interface, but there is a better route for the source address through another interface, then, the RPF check fails."
upvoted 1 times
...
learner2024
8 months ago
Selected Answer: B
the matching route should be best route via incoming interface
upvoted 1 times
...
Jere2001
8 months, 3 weeks ago
Selected Answer: B
In strict mode, FortiGate also verifies that the matching route is the best route in the routing table.
upvoted 1 times
...
MAUROBTA
9 months, 3 weeks ago
Selected Answer: B
Difference between "strict" and "feasible path":
'strict': a routing lookup (with best match) is made for the packet source IP. Packet is dropped if its ingressing interface does not match the interface selected by the routing lookup.
'feasible path': not only the best match route is considered. Other routes pointing to packet ingressing interfaces are also checked. If one of them includes the packet source IP address (even if not the best match route), packet is accepted.
upvoted 1 times
...
GoodServant
9 months, 3 weeks ago
Selected Answer: B
You can lab it out yourself, or refer to the study guide on page 41. Loose or feasible path mode, which is the default mode, only checks to make sure that a source address exists in the routing table with the incoming interface. But the strict mode checks that the source address and incoming interface match its route table for the best route back to the source address. This could be a scenario where you have a customer with multiple connections back through your FortiGate, where you may receive a packet in both interface port1 and port2 for the same source address. But your FGT prefers port1 as the best path. If you have strict mode turned on, and it receives a packet through port2, it will get dropped. Otherwise, RPF or feasible path RPF would be ok with that packet.
upvoted 1 times
...
znznzn219
12 months ago
Selected Answer: B
Correct
upvoted 1 times
...
GeniusA
1 year ago
B for the strict RPF check
upvoted 1 times
...
Ygrec
1 year, 2 months ago
Selected Answer: B
B definitely
upvoted 1 times
...
Ygrec
1 year, 2 months ago
B definitely
upvoted 1 times
...
raydel92
1 year, 4 months ago
Selected Answer: B
B. Strict RPF checks the best route back to the source using the incoming interface. FortiGate Infrastructure 7.2 Study Guide (p.41): "Strict: In this mode, FortiGate also verifies that the matching route is the best route in the routing table. That is, if the routing table contains a matching route for the source address and incoming interface, but there is a better route for the source address through another interface, then, the RPF check fails." Reference and download study guide: https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
upvoted 2 times
...
Vic2911
1 year, 4 months ago
The right answer is C: "Strict RPF requires that the receiving interface is not only valid, but that it is also the best interface for the reply. If you have multiple routes, it must be the preferred one."
upvoted 1 times
Vic2911
1 year, 4 months ago
I meant B as the correct answer
upvoted 2 times
...
...
Slash_JM
1 year, 4 months ago
Selected Answer: B
FortiGate Infrastructure 7.2 Study Guide p.41
upvoted 1 times
...
lucas09
1 year, 4 months ago
The correct answer is B.
Strict chooses best path back.
Loose chooses a valid path back.
Feasible path: Formerly known as loose, it's the default mode. In this mode, FortiGate verifies that the routing table contains a route that matches the source address of the packet and the incoming interface. The matching route doesn't have to be the best route in the routing table for that source address. It just has to match the source address and the incoming interface of the packet.
Strict: In this mode, FortiGate also verifies that the matching route is the best route in the routing table. That is, if the routing table contains a matching route for the source address and incoming interface, but there is a better route for the source address through another interface, then, the RPF check fails.
So in short, if there is a best route out of its incoming interface, then strict will pass. If there is a route from the incoming interface but a better route out of another, strict will deny.
upvoted 1 times
...
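Added example (not part of any comment above and not Fortinet code): a small Python model of the two RPF modes the comments describe, including the port1/port2 scenario. The routing table, the interface names and the `cost` field are constructed assumptions, and "best route" is simplified here to longest prefix match, then lowest cost.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: str     # destination network
    interface: str  # interface the route points out of
    cost: int       # lower wins; simplified stand-in for distance/priority

# Constructed routing table (not from the page): one customer network is
# reachable through port1 and port2, and port1 is preferred.
ROUTES = [
    Route("0.0.0.0/0", "wan1", 10),
    Route("10.20.0.0/16", "port1", 10),
    Route("10.20.0.0/16", "port2", 20),
    Route("192.168.50.0/24", "port3", 10),
]

def matching_routes(src, routes):
    """All routes whose prefix contains the packet's source address."""
    addr = ipaddress.ip_address(src)
    return [r for r in routes if addr in ipaddress.ip_network(r.prefix)]

def best_routes(src, routes):
    """Best route(s) back to src: longest prefix, then lowest cost (ties kept)."""
    rank = lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.cost)
    cands = matching_routes(src, routes)
    top = min(map(rank, cands), default=None)
    return [r for r in cands if rank(r) == top]

def rpf_check(src, in_if, routes, mode):
    """Return True if a packet from src arriving on in_if passes RPF."""
    if mode == "feasible":   # any matching route via the incoming interface
        pool = matching_routes(src, routes)
    elif mode == "strict":   # the incoming interface must hold the best route
        pool = best_routes(src, routes)
    else:
        raise ValueError(f"unknown RPF mode: {mode}")
    return any(r.interface == in_if for r in pool)

if __name__ == "__main__":
    for src, in_if in [("10.20.1.5", "port1"), ("10.20.1.5", "port2"),
                       ("10.20.1.5", "wan1"), ("192.168.50.7", "port1")]:
        result = {m: rpf_check(src, in_if, ROUTES, m) for m in ("feasible", "strict")}
        print(src, in_if, result)
```

In this model the `wan1` case shows why the mode matters on an interface that carries a default route: a packet claiming an internal source address still matches the default route under feasible path, while strict mode rejects it because the best route back points out of port1.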
[Removed]
1 year, 4 months ago
Selected Answer: B
Correct answer: B
upvoted 1 times
...
AhmedZkry
1 year, 5 months ago
Selected Answer: B
Correct is B
upvoted 1 times
...