
nse4_fgt-72 Exam - Question 13


Refer to the exhibits.

The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

Correct Answer: D

The IP address 10.200.1.100 will be used to source NAT (SNAT) the internet traffic coming from the workstation with the IP address 10.0.1.10. This is because the first firewall policy, which handles outbound traffic from the LAN to the WAN, has NAT enabled with an IP pool whose range is 10.200.1.100. When an IP pool is configured in the firewall policy, it takes precedence over the other SNAT address sources, namely the egress interface address or a VIP's external address. Therefore the SNAT will use an IP from the defined pool.
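The following is a small model of the SNAT address selection described in this answer, added here as an illustration; it is not code from ExamTopics or Fortinet. It encodes the precedence IP pool > VIP external IP > egress interface IP, applies the VIP rule only to traffic sourced from the VIP's mapped host, and assumes (since the exhibits are not reproduced here) that the VIP's external address is 10.200.1.10, that it maps to the workstation, and that a port-forwarding VIP does not SNAT outbound traffic.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Policy:
    name: str
    nat: bool = False             # NAT toggle on the firewall policy
    ippool: Optional[str] = None  # pool address when "Use Dynamic IP Pool" is set

@dataclass
class Vip:
    extip: str                    # external (WAN-side) address of the VIP
    mappedip: str                 # internal host the VIP maps to
    portforward: bool = False     # assumed: port-forwarding VIPs do not SNAT outbound

def select_snat_ip(src_ip: str, policy: Policy, vips: List[Vip], egress_ip: str) -> Optional[str]:
    """SNAT address for src_ip leaving via policy, or None when the policy has no NAT.
    Modeled precedence: IP pool > VIP external IP > egress interface IP."""
    if not policy.nat:
        return None                  # no NAT: source address is unchanged
    if policy.ippool:
        return policy.ippool         # 1) IP pool overrides the VIP and the interface IP
    for vip in vips:
        if vip.mappedip == src_ip and not vip.portforward:
            return vip.extip         # 2) static VIP: its external IP for the mapped host
    return egress_ip                 # 3) otherwise the egress interface address

# From the question: WAN port1 10.200.1.1, pool 10.200.1.100, workstation 10.0.1.10.
# The VIP external IP 10.200.1.10 and its mapping to the workstation are constructed.
WAN_IP = "10.200.1.1"
HOST = "10.0.1.10"
POOL_POLICY = Policy("LAN-to-WAN", nat=True, ippool="10.200.1.100")
NAT_ONLY_POLICY = Policy("LAN-to-WAN-no-pool", nat=True)
VIPS = [Vip(extip="10.200.1.10", mappedip=HOST)]

def page_scenario() -> Optional[str]:
    """As asked: NAT with IP pool, plus a VIP for the host -> the pool wins (answer D)."""
    return select_snat_ip(HOST, POOL_POLICY, VIPS, WAN_IP)

def without_ippool() -> Optional[str]:
    """Only NAT enabled, no pool: the VIP's external IP is used (the option C reasoning)."""
    return select_snat_ip(HOST, NAT_ONLY_POLICY, VIPS, WAN_IP)

def other_host_without_vip() -> Optional[str]:
    """A host with no VIP and no pool falls back to the egress interface IP."""
    return select_snat_ip("10.0.1.20", NAT_ONLY_POLICY, VIPS, WAN_IP)

if __name__ == "__main__":
    print(page_scenario(), without_ippool(), other_host_without_vip())
```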

Discussion

17 comments
1239944 (Option: D)
Sep 27, 2023

FortiOS 7.2 Study Guide, page 110: "(Step 2): FortiGate uses as NAT IP the external IP address defined in the VIP when performing SNAT on all egress traffic sourced from the mapped address in the VIP, provided the matching firewall policy has NAT enabled." "Note that you can override the behavior described in step 2 by using an IP pool."

rian00z_ (Option: C)
Aug 17, 2023

Correct answer: C, 10.200.1.10. In the field, I observed this behavior, as described in the article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947?externalID=FD44529:
- The second firewall policy will activate the VIP so that its external IP address can be used to perform SNAT when the host generates traffic towards the Internet.
- Internet traffic from the internal network will be allowed by the first firewall policy for SNAT with the VIP's external IP address.

spydog
Sep 23, 2023

That is correct when outbound traffic matches a rule with SNAT using the egress interface. When SNAT is configured to use an IP pool, this will override the VIP external IP address.

danieldelgado (Option: D)
Mar 15, 2023

I correct my answer to D, because the VIP has port forwarding enabled plus the outgoing policy has an IP pool enabled.

Ygrec (Option: D)
Oct 24, 2023

D, because it uses the IP pool range from LAN to WAN.

Equiano (Option: D)
Mar 22, 2023

The question says SNAT, so the only correct answer here (looking at the IP pool) is D.

Slash_JM (Option: D)
Aug 29, 2023

FortiGate Security 7.2 Study Guide p.97-98

raydel92 (Option: D)
Sep 8, 2023

D. 10.200.1.100. Reference and study guide download: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

itzuy06 (Option: D)
Sep 15, 2023

D. 10.200.1.100

danieldelgado (Option: C)
Mar 9, 2023

Correct answer is C, because the VIP is a static NAT and it takes precedence over the NAT overload of the IP pool.

fc8
Apr 27, 2023

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947?externalID=FD44529

Danny_B (Option: D)
May 24, 2023

7.2 SEC 97-98

Mboweni (Option: D)
Jun 6, 2023

D is the correct answer.

Garry_G (Option: A)
Sep 5, 2023

I know that in some situations the VIP IP is used for SNAT, but I am never sure what the requirements are for that to happen ... :( I tried the setup on our live system, but the firewall kept using the NAT pool instead of the VIP NAT.

spydog
Sep 23, 2023

The VIP external IP will be used for source NAT on outbound traffic when the traffic matches a policy with NAT enabled for the egress interface. If outbound traffic matches a rule with NAT enabled and an IP pool configured, the traffic will use the IP pool external IP. Basically, the SNAT priority from high to low will be: 1) IP pool, 2) VIP IP, 3) SNAT egress interface.

GeniusA (Option: D)
Dec 19, 2023

Option D is the correct answer.

AMK2ENG (Option: D)
Dec 22, 2023

D. 10.200.1.100

kev91 (Option: D)
Apr 7, 2024

D. 10.200.1.100

GopiChandMurari (Option: C)
Apr 7, 2024

C. The VIP configured with static NAT takes precedence over the NAT overload (PAT) of the IP pool.