Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Fortinet Exam FCP_FGT_AD-7.4 Topic 1 Question 9 Discussion

Actual exam question for Fortinet's FCP_FGT_AD-7.4 exam
Question #: 9
Topic #: 1
[All FCP_FGT_AD-7.4 Questions]

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration, firewall policy. and the sniffer CLI output on the FortiGate device.

The WAN (port1) interface has the IP address 10.200.1.1 /24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The webserver host (10. 0.1. 10) must use its VIP external IP address as the source NAT (SNAT) when It pings remote server (10.200.3.1).

Which two statements are valid to achieve this goal? (Choose two.)

Show Suggested Answer Hide Answer
Suggested Answer: A, D

Enable NAT on the Allow_access firewall policy (A):

The Allow_access firewall policy must have NAT enabled to allow the webserver to use its VIP external IP address (10.200.1.10) as the source NAT when initiating traffic, such as pings, to the remote server.

Disable port forwarding on the VIP object (D):

Port forwarding is designed for specific port mapping, typically for services like HTTP or HTTPS. To use the VIP external IP as a source NAT, port forwarding should be disabled. Disabling port forwarding ensures that the full VIP IP address is used without being tied to specific ports.

Why other options are not correct:

B . Create a new firewall policy before Internet_Access for the webserver and apply the IP pool:

This is unnecessary as the VIP object itself is used for SNAT in this case, and an additional firewall policy is not required.

C . Disable NAT on the Internet_Access firewall policy:

Disabling NAT on this policy would prevent the NAT functionality needed for the webserver to use the VIP external IP address as the source IP.

Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP configuration are the valid steps to achieve the goal.


by Gladis at Jan 23, 2025, 10:43 AM

Limited Time Offer

25%

Off

Get Premium FCP_FGT_AD-7.4 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Huey
2 months ago
I think both options A and B could be valid, depending on the specific configuration.
upvoted 0 times
...
Shalon
2 months ago
I disagree, I believe we should create a new firewall policy before Internet_Access for the webserver and apply the IP pool.
upvoted 0 times
...
Ilene
2 months ago
Definitely B and D. Anything else would be like trying to fit a square peg in a round hole. Not today, FortiGate!
upvoted 0 times
Heike
15 days ago
Let's make sure we follow those steps to avoid any issues.
upvoted 0 times
...
Jame
18 days ago
Agreed, those are the correct steps to achieve the goal.
upvoted 0 times
...
Loreta
26 days ago
D) Disable port forwarding on the VIP object.
upvoted 0 times
...
Marica
1 months ago
B) Create a new firewall policy before lnternet_Access for the webserver and apply the IP pool.
upvoted 0 times
...
...
Elly
2 months ago
I'm going with B and D as well. Disabling port forwarding on the VIP is key to make sure the webserver uses the VIP for SNAT.
upvoted 0 times
...
Pedro
2 months ago
I agree with Sina. B and D are the way to go. Gotta love these tricky firewall questions, am I right?
upvoted 0 times
Nicholle
1 months ago
It's all about understanding the configurations and making the right choices.
upvoted 0 times
...
Viki
1 months ago
Definitely, these firewall questions always have some tricky scenarios to consider.
upvoted 0 times
...
Chery
1 months ago
Yeah, I agree. Those seem like the best options to achieve the goal.
upvoted 0 times
...
Roslyn
1 months ago
I think B and D are the correct choices.
upvoted 0 times
...
...
Sina
2 months ago
B and D seem like the right choices here. The VIP should handle the SNAT, and we don't want to interfere with that by enabling NAT on the firewall policy.
upvoted 0 times
Lisandra
2 months ago
Yes, enabling NAT on the firewall policy could interfere with the VIP configuration. It's important to keep that in mind.
upvoted 0 times
...
Monte
2 months ago
I agree, B and D are the correct choices. The VIP should handle the SNAT for the webserver.
upvoted 0 times
...
...
Elli
3 months ago
I think we need to enable NAT on the Allow_access firewall policy.
upvoted 0 times
...

Save Cancel