
Exam NSE4_FGT-7.2 topic 1 question 14 discussion

Actual exam question from Fortinet's NSE4_FGT-7.2
Question #: 14
Topic #: 1

Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

  • A. Configure a loopback interface with address 203.0.113.2/32.
  • B. In the VIP configuration, enable arp-reply.
  • C. Enable port forwarding on the server to map the external service port to the internal service port.
  • D. In the firewall policy configuration, enable match-vip.
Suggested Answer: B
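To make the suggested answer concrete, here is an added FortiOS CLI example (not part of the exam exhibit or of Fortinet's material) showing the VIP as the discussion describes it, the one-line fix, and the sniffer check the administrator ran. The VIP name, the WAN interface name `port1` and the internal server address `10.0.1.10` are assumptions; only the public address 203.0.113.2 comes from the question.

```fortios
# Before (as the exhibit is described in the discussion): the VIP's external
# address 203.0.113.2 is not the address of the FortiGate WAN interface, and
# arp-reply is disabled. The ISP router's route to 203.0.113.0/24 is a
# connected route, so it sends an ARP request for 203.0.113.2 directly; nobody
# answers, the router drops the packet, and the FortiGate sniffer sees nothing.
config firewall vip
    edit "vip-web-server"          # assumed VIP name
        set extip 203.0.113.2
        set extintf "port1"        # assumed WAN interface name
        set mappedip "10.0.1.10"   # constructed internal server address
        set arp-reply disable      # the misconfiguration (FortiOS default is enable)
    next
end

# After: re-enable ARP reply so the FortiGate answers ARP for the VIP address
# on the external interface; the router's connected route then resolves
# 203.0.113.2 to the FortiGate's MAC address and forwards the traffic.
config firewall vip
    edit "vip-web-server"
        set arp-reply enable
    next
end

# Verification: capture traffic to the VIP address on the FortiGate (verbosity 4
# shows the ingress interface). Before the fix this stays empty, matching the
# symptom in the question; after it, the inbound TCP SYN to 203.0.113.2 appears.
diagnose sniffer packet any 'host 203.0.113.2' 4
```

Two points from the answer choices worth keeping in mind when reading this: port forwarding (option C) only changes which ports are translated once a packet has reached the FortiGate, and `match-vip` (option D) is configurable only on a policy whose action is deny, so neither can make the upstream router deliver the packet in the first place.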

Comments

kosta_georgiev
Highly Voted 1 year, 11 months ago
Selected Answer: B
Correct answer is B: in the routing table of the ISP we can see that the route is C (connected), which means that if there is no ARP entry, traffic will be dropped by the ISP, and this is why there are no packets in the Forti sniffer.
upvoted 29 times
samael666
1 year, 3 months ago
You're right. Another thing: if the ISP had a static route to that subnet, in that case at least we would see traffic.
upvoted 3 times
erawemk
Highly Voted 1 year, 6 months ago
A. Makes no sense.
B. This option is available for VIP configurations; please check page 115 of the Security study materials, so this is the correct answer.
C. It is not required to solve the problem, because the firewall policy is allowing all traffic for the VIP object.
D. This option is enabled only for deny policies; please check the note in https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641?externalID=FD36750
upvoted 8 times
davidmdlp85
Most Recent 2 months ago
Selected Answer: B
B is correct
upvoted 1 times
Jere2001
8 months, 3 weeks ago
Selected Answer: B
Answer D makes no sense.
upvoted 1 times
Ygrec
1 year ago
Selected Answer: B
It cannot be C because port forwarding is disabled; B is the correct one.
upvoted 1 times
GeniusA
1 year ago
Option B is the correct answer
upvoted 1 times
Satekhi
1 year, 1 month ago
Selected Answer: B
Note that the match-vip setting is available only when the firewall policy action is set to DENY.
upvoted 3 times
itzuy06
1 year, 3 months ago
Selected Answer: B
B) In the VIP configuration, enable arp-reply.
upvoted 1 times
raydel92
1 year, 4 months ago
Selected Answer: B
B. In the VIP configuration, enable arp-reply. FortiGate Security 7.2 Study Guide (p.115): "Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you. For this reason, it’s a best practice to keep ARP reply enabled." Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
upvoted 5 times
Slash_JM
1 year, 4 months ago
Selected Answer: B
FortiGate Security 7.2 Study Guide p.115
upvoted 1 times
Emiaj23
1 year, 5 months ago
Without any doubt the answer is B; A, C and D make no sense.
upvoted 1 times
itka
1 year, 6 months ago
C. Enable port forwarding
upvoted 1 times
certchris
1 year, 6 months ago
SG Security p.115: the ISP router has no entry in its routing table to reach the IP, only a connected route (C). So it generates ARP requests to resolve the MAC address of any address in the destination subnet.
upvoted 1 times
Vingador3000
1 year, 9 months ago
Selected Answer: C
C. Enable port forwarding on the server to map the external service port to the internal service port.
upvoted 2 times
shadow2020
1 year, 10 months ago
The reason why it's not D: match-vip is not allowed in firewall policies when the action is set to accept. https://docs.fortinet.com/document/fortigate/6.4.11/fortios-release-notes/350283/enabling-match-vip-in-firewall-policies
upvoted 5 times
santi1509
1 year, 10 months ago
Selected Answer: D
With match-vip disabled, it was not going to see traffic coming from the internet because they had not connected.
upvoted 1 times
BoostBoris
1 year, 11 months ago
Selected Answer: B
The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing properly set. You can also enable ARP reply on the VPN (enabled by default, here disabled) to facilitate routing on the upstream network.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other