Fortinet Exam NSE7_EFW-7.0 Topic 5 Question 25 Discussion

Actual exam question for Fortinet's NSE7_EFW-7.0 exam

Question #: 25
Topic #: 5

Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject altemative names (SAN) in the server certificate?

AFortiGate uses the CN information from the Subject field in the server certificate.

BFortiGate uses the first entry listed in the SAN field in the server certificate.

CFortiGate uses the SNI from the user's web browser.

DFortiGate closes the connection because this represents an invalid SSL/TLS configuration.

Show Suggested Answer

Suggested Answer: A

#Config firewall ssl-ssh-profile

edit

config https

set sni-server-cert-check [enable* | strict | disable]

Enable: If the SNI does NOT match the CN or SAN fields in the returned server's certificate, FG uses the CN field instead of the SNI to obtain the FQDN.

Strict: If the SNI does NOT match the CN or SAN fields in the returned server's certificate, FG closes the connection.

Disable: FG does not check the SNI.

by Dorothy at Jan 22, 2024, 08:40 PM

Limited Time Offer

25%

Off

Get Premium NSE7_EFW-7.0 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

12 months ago

Alright, alright, let's not get too serious here. I'm just hoping the exam doesn't have a question that's as confusing as this one. Maybe they'll throw in a trick question about configuring a 'Fort Awesome' firewall or something.

upvoted 0 times

...