Fortinet Exam FCP_FGT_AD-7.4 Topic 1 Question 9 Discussion

Actual exam question for Fortinet's FCP_FGT_AD-7.4 exam

Question #: 9
Topic #: 1

Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration, firewall policy. and the sniffer CLI output on the FortiGate device.

The WAN (port1) interface has the IP address 10.200.1.1 /24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The webserver host (10. 0.1. 10) must use its VIP external IP address as the source NAT (SNAT) when It pings remote server (10.200.3.1).

Which two statements are valid to achieve this goal? (Choose two.)

AEnable NAT on the Allow_access firewall policy.

BCreate a new firewall policy before lnternet_Access for the webserver and apply the IP pool.

CDisable NAT on the lnternet_Access firewall policy.

DDisable port forwarding on the VIP object.

Show Suggested Answer

Suggested Answer: A, D

Enable NAT on the Allow_access firewall policy (A):

The Allow_access firewall policy must have NAT enabled to allow the webserver to use its VIP external IP address (10.200.1.10) as the source NAT when initiating traffic, such as pings, to the remote server.

Disable port forwarding on the VIP object (D):

Port forwarding is designed for specific port mapping, typically for services like HTTP or HTTPS. To use the VIP external IP as a source NAT, port forwarding should be disabled. Disabling port forwarding ensures that the full VIP IP address is used without being tied to specific ports.

Why other options are not correct:

B . Create a new firewall policy before Internet_Access for the webserver and apply the IP pool:

This is unnecessary as the VIP object itself is used for SNAT in this case, and an additional firewall policy is not required.

C . Disable NAT on the Internet_Access firewall policy:

Disabling NAT on this policy would prevent the NAT functionality needed for the webserver to use the VIP external IP address as the source IP.

Thus, enabling NAT on the Allow_access policy and disabling port forwarding on the VIP configuration are the valid steps to achieve the goal.

by Gladis at Jan 23, 2025, 10:43 AM

Limited Time Offer

25%

Off

Get Premium FCP_FGT_AD-7.4 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Huey

27 days ago

I think both options A and B could be valid, depending on the specific configuration.

upvoted 0 times

...

Shalon

29 days ago

I disagree, I believe we should create a new firewall policy before Internet_Access for the webserver and apply the IP pool.

upvoted 0 times

...

Ilene

30 days ago

Definitely B and D. Anything else would be like trying to fit a square peg in a round hole. Not today, FortiGate!

upvoted 0 times

Loreta

5 days ago

D) Disable port forwarding on the VIP object.

upvoted 0 times

...

Marica

22 days ago

B) Create a new firewall policy before lnternet_Access for the webserver and apply the IP pool.

upvoted 0 times

...

Elly

1 months ago

I'm going with B and D as well. Disabling port forwarding on the VIP is key to make sure the webserver uses the VIP for SNAT.

upvoted 0 times

...

2 months ago

B and D seem like the right choices here. The VIP should handle the SNAT, and we don't want to interfere with that by enabling NAT on the firewall policy.

upvoted 0 times

Lisandra

1 months ago

Yes, enabling NAT on the firewall policy could interfere with the VIP configuration. It's important to keep that in mind.

upvoted 0 times

...

Monte

1 months ago

I agree, B and D are the correct choices. The VIP should handle the SNAT for the webserver.

upvoted 0 times

...

Elli

2 months ago

I think we need to enable NAT on the Allow_access firewall policy.

upvoted 0 times

...