Exam NSE7_EFW-7.0 topic 1 question 46 discussion

Answer: B If you need to capture IPsec traffic, remember that the IP protocol and UDP port numbers depend on NAT-T and the use of NAT. If there is NO FG located in the middle that is running NAT, IKE traffic uses "UDP Port 500" and ESP traffic uses "IP Protocol 50". - Sniffers - No NAT IKE Traffic #Diagnose sniffer packet <port> 'host <remote-gateway> and udp port 500' ESP Traffic #Diagnose sniffer packet any 'host <remote-gateway> and esp' If NAT-T is enabled, and there is a FG located in the middle that is running NAT, the sniffer command must use a different filter: 1- In this case, IKE traffic uses "UDP Port 500", but switches to "UDP Port 4500" during the tunnel negotiation. 2- Additionally, ESP traffic is encapsulated inside the UDP 4500 channel. - Sniffer - NAT and NAT-T #Diagnose sniffer packet any 'host <remote-gateway> and (udp port 500 or udp port 4500)'

Because 'natt: mode=silent' the FortiGate, per RFC 3947, will use the UDP protocol on port 4500. This is why the sniffer should only be looking at port 4500. Hence, answer D.

Correct Answer A Unfortunately many see the Port4500 as meaning NAT is used. but unfortunately this is not the case. The VPN server will always listen on IKE port 500 and 4500, if port 500 fails it tries 4500 with or without NATT. If NATT is use bot server and clients uses the port 4500, but in this case 4500 is only used on one side. Note the IKE port is configurable. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-custom-IKE-port-between-two-FortiGate/ta-p/202107

study guide pg.443

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Different-methods-to-capture-packets-for-IPsec-VPN/ta-p/209471

nat t enabled

which line show that NAT is in use?

D - is correct Nat is used

natt is used, so correct answer is D. (NAT-T used UDP port 4500)

D answer

D answer