
Fortinet Exam FCP_FGT_AD-7.4 Topic 1 Question 9 Discussion

Actual exam question for Fortinet's FCP_FGT_AD-7.4 exam
Question #: 9
Topic #: 1

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, the VIP configuration, the firewall policy, and the sniffer CLI output on the FortiGate device.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The webserver host (10.0.1.10) must use its VIP external IP address as the source NAT (SNAT) when it pings the remote server (10.200.3.1).

Which two statements are valid to achieve this goal? (Choose two.)

Suggested Answer: A, D

Enable NAT on the Allow_access firewall policy (A):

The Allow_access firewall policy must have NAT enabled to allow the webserver to use its VIP external IP address (10.200.1.10) as the source NAT when initiating traffic, such as pings, to the remote server.

Disable port forwarding on the VIP object (D):

Port forwarding is designed for specific port mapping, typically for services like HTTP or HTTPS. To use the VIP external IP as a source NAT, port forwarding should be disabled. Disabling port forwarding ensures that the full VIP IP address is used without being tied to specific ports.

Why other options are not correct:

B. Create a new firewall policy before Internet_Access for the webserver and apply the IP pool:

This is unnecessary as the VIP object itself is used for SNAT in this case, and an additional firewall policy is not required.

C. Disable NAT on the Internet_Access firewall policy:

Disabling NAT on this policy would prevent the NAT functionality needed for the webserver to use the VIP external IP address as the source IP.

Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP configuration are the valid steps to achieve the goal.


Contribute your Thoughts:

Huey
27 days ago
I think both options A and B could be valid, depending on the specific configuration.
upvoted 0 times
...
Shalon
29 days ago
I disagree, I believe we should create a new firewall policy before Internet_Access for the webserver and apply the IP pool.
upvoted 0 times
...
Ilene
30 days ago
Definitely B and D. Anything else would be like trying to fit a square peg in a round hole. Not today, FortiGate!
upvoted 0 times
Loreta
5 days ago
D) Disable port forwarding on the VIP object.
upvoted 0 times
...
Marica
22 days ago
B) Create a new firewall policy before Internet_Access for the webserver and apply the IP pool.
upvoted 0 times
...
...
Elly
1 month ago
I'm going with B and D as well. Disabling port forwarding on the VIP is key to make sure the webserver uses the VIP for SNAT.
upvoted 0 times
...
Pedro
1 month ago
I agree with Sina. B and D are the way to go. Gotta love these tricky firewall questions, am I right?
upvoted 0 times
Nicholle
11 days ago
It's all about understanding the configurations and making the right choices.
upvoted 0 times
...
Viki
15 days ago
Definitely, these firewall questions always have some tricky scenarios to consider.
upvoted 0 times
...
Chery
16 days ago
Yeah, I agree. Those seem like the best options to achieve the goal.
upvoted 0 times
...
Roslyn
17 days ago
I think B and D are the correct choices.
upvoted 0 times
...
...
Sina
2 months ago
B and D seem like the right choices here. The VIP should handle the SNAT, and we don't want to interfere with that by enabling NAT on the firewall policy.
upvoted 0 times
Lisandra
1 month ago
Yes, enabling NAT on the firewall policy could interfere with the VIP configuration. It's important to keep that in mind.
upvoted 0 times
...
Monte
1 month ago
I agree, B and D are the correct choices. The VIP should handle the SNAT for the webserver.
upvoted 0 times
...
...
Elli
2 months ago
I think we need to enable NAT on the Allow_access firewall policy.
upvoted 0 times
...
