nse4-fgt-7-2 question 88 discussion


Question 88

Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.
When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

  • A. Configure a loopback interface with address 203.0.113.2/32.
  • B. In the VIP configuration, enable arp-reply.
  • C. Enable port forwarding on the server to map the external service port to the internal service port.
  • D. In the firewall policy configuration, enable match-vip.
Answer: D

User Votes: A: no count shown; B: 6 votes; C: 1 vote; D: 3 votes
Discussions
javalcasan
8 months, 2 weeks ago

Packets won't reach the FortiGate unless ARP-reply is enabled and the router learns the MAC address to send the packets to.

deepz142
5 months, 1 week ago

Answer is B.

The reason why it's not D:

match-vip is not allowed in firewall policies when the action is set to accept.

https://docs.fortinet.com/document/fortigate/6.4.11/fortios-release-notes/350283/enabling-match-vip-in-firewall-policies
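To illustrate the fix both comments point at, here is an added FortiOS CLI example (not part of the exhibit or the original posts) of a VIP for the public web server with arp-reply explicitly enabled, so the ISP router's ARP request for 203.0.113.2 is answered by the FortiGate, plus the sniffer command used to confirm that inbound packets now arrive. The interface names "wan1" and "port2", the internal address 10.0.0.10, the object names and the policy ID are assumed values.

```text
# Added example, not from the exhibit. Assumed values: wan1, port2,
# 10.0.0.10, object names and policy ID 10.
# The VIP owns 203.0.113.2, which is not an interface address on the
# FortiGate, so without arp-reply the upstream router never learns a MAC
# for it and the packets are dropped before they reach the firewall.
config firewall vip
    edit "web-server-vip"
        set extip 203.0.113.2
        set extintf "wan1"
        set mappedip "10.0.0.10"
        set arp-reply enable
    next
end

# Inbound policy referencing the VIP as the destination (action accept).
config firewall policy
    edit 10
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

# Verification: with arp-reply enabled, the sniffer that previously showed
# nothing should now display SYN packets to 203.0.113.2 arriving on wan1.
diagnose sniffer packet wan1 'host 203.0.113.2' 4
```

If the sniffer stays silent after the change, the problem is upstream of the FortiGate (for example, the ISP router's route for 203.0.113.2 shown in the exhibit) rather than in the VIP or policy configuration.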