Fortinet Exam FCP_FGT_AD-7.4 Topic 1 Question 9 Discussion

Actual exam question for Fortinet's FCP_FGT_AD-7.4 exam
Question #: 9
Topic #: 1

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, the VIP configuration, the firewall policy, and the sniffer CLI output on the FortiGate device.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The webserver host (10.0.1.10) must use its VIP external IP address as the source NAT (SNAT) when it pings the remote server (10.200.3.1).

Which two statements are valid to achieve this goal? (Choose two.)

Suggested Answer: A, D

Enable NAT on the Allow_access firewall policy (A):

The Allow_access firewall policy must have NAT enabled to allow the webserver to use its VIP external IP address (10.200.1.10) as the source NAT when initiating traffic, such as pings, to the remote server.

Disable port forwarding on the VIP object (D):

Port forwarding is designed for specific port mapping, typically for services like HTTP or HTTPS. To use the VIP external IP as a source NAT, port forwarding should be disabled. Disabling port forwarding ensures that the full VIP IP address is used without being tied to specific ports.

Why other options are not correct:

B. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool:

This is unnecessary as the VIP object itself is used for SNAT in this case, and an additional firewall policy is not required.

C. Disable NAT on the Internet_Access firewall policy:

Disabling NAT on this policy would prevent the NAT functionality needed for the webserver to use the VIP external IP address as the source IP.

Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP configuration are the valid steps to achieve the goal.

