Exam NSE5_FCT-7.0 topic 1 question 8 discussion

The Answer is C API gateway cannot be matched: When connecting to the ZTNA access proxy, the client tries to connect to an API gateway that does not match any virtual host. take from fortinet Docs: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/608477/ztna-logging-enhancements-7-0-1 Its meen that is no firewall policy to the server that client want to access

C. Empty Client Certificate = "Denied: empty client certificate" Failed Client Certificate = "Denied: client certificate authentication failed" API gateway that does not match any virtual host = "Denied: failed to match an API-gateway" API gateway but the real server cannot be reached = "Denied: failed to match an API-gateway" A ZTNA rule (proxy policy ) cannot be matched = "Denied: failed to match a proxy-policy" HTTPS SNI virtual host does not match the HTTP host header = "Denied: failed to match an API-gateway" ======================= Wrong Access Proxy Right Access Proxy, down/missing Real Server Right Access Proxy, wrong URI ====================== ZTNA Server = defines the access proxy VIP and the real servers that clients will connect to ZTNA Rule (Proxy Policy) = enforce access control Firewall Policy (Full ZTNA) = The firewall policy matches and redirects client requests to the access proxy VIP.

More than one answer seems right. Any additional comments?

Page 286 of study Guide.

API gateway cannot be matched or real servers cannot be reached

The aswer is B

The answer is D. Page 238 of the study guide reads, "This slide shows the UTM and traffic logs that are generated when FortiGate connects to the ZTNA access proxy but is unable to match the ZTNA rule (proxy policy). For example, no ZTNA rule is matched for the ZTNA tag assigned to the endpoint." I had now way to paste the slide but if you check page 238 you will see the slide with the logs.