Exam NSE4_FGT-7.2 topic 1 question 13 discussion

FortiOS 7.2 Study Guide Page 110: "(Step 2): FortiGate uses as NAT IP the external IP address defined in the VIP when performing SNAT on all egress traffic sourced from the mapped address in the VIP, provided the matching firewall policy has NAT enabled" "Note that you can override the behavior described in step 2 by using an IP pool"

Correct answer: C. 10.200.1.10. In the battle field, I observed this behavior related on article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947?externalID=FD44529: - The second Firewall policy will activate the VIP so that its external IP address can be used to perform SNAT when the HOST generates traffic towards the Internet. - Internet Traffic from internal network will be allowed by first firewall policy for SNAT with VIP's external IP address.

taken from the study guide: The default VIP type is Static NAT. This is a one-to-one mapping. This means that: 1. FortiGate performs DNAT on ingress traffic destined to the external IP address defined in the VIP, regardless of the protocol and port of the connection, provided the matching firewall policy references the VIP as Destination. 2. FortiGate uses as NAT IP the external IP address defined in the VIP when performing SNAT on all egress traffic sourced from the mapped address in the VIP, provided the matching firewall policy has NAT enabled. That is, FortiGate doesn’t use the egress interface address as NAT IP.

Should be C the study guides have an example like this Now, suppose that the internal web server (172.16.1.10) initiates a DNS connection to the internet DNS server (4.2.2.2). On FortiGate, the traffic matches the firewall policy ID 2, which has nat enabled. Because the source address matches the internal address of the VIP, and because the VIP is configured as static NAT with port forwarding disabled, FortiGate translates the source address of the packet to 70.70.70.71 from 172.16.1.10. Note that FortiGate doesn’t have to perform PAT because the static NAT VIP equals one-to one mapping. That is, the external IP is used by the web server only for SNAT

D. 10.200.1.100

C The VIP configured with static NAT takes precedence over the NAT overload (PAT) of the IP pool.

D. 10.200.1.100

D. 10.200.1.100

Option D is the correct answer

D Because it uses the IP POOL range from LAN to WAN

D. 10.200.1.100

D. 10.200.1.100 Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

I know that in some situations, the VIP IP is used for SNAT, but are never sure what the requirements are for that to happen ... :( I tried the setup on our live system, but the firewall kept using the NAT pool instead of the VIP NAT

FortiGate Security 7.2 Study Guide p.97-98

D is the correct answer

7.2 SEC 97-98

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947?externalID=FD44529