NSE4_FGT-7.0 Exam Questions

NSE4_FGT-7.0 Exam - Question 21


Refer to the exhibit, which contains a session list output.

Based on the information shown in the exhibit, which statement is true?

Correct Answer: AD

The information in the session list output indicates that multiple connections from the source IP address 10.0.1.10 are being translated to the same NAT IP address (10.200.1.6) with different source ports. This is a characteristic of an overload NAT IP pool, where Port Address Translation (PAT) is used to allow multiple devices on a local network to be mapped to a single public IP address but with a different port number for each session. Since source ports are translated and are different for each session, this shows that an overload NAT IP pool is being used in the firewall policy.
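As an added example (not code from the exam site or from Fortinet), here is a small Python parser that applies the rule quoted in the discussion, identical ingress and egress source port means no PAT, to FortiGate session-list hook lines of the form `hook=post dir=forward act=snat src:port->dst:port(nat_ip:nat_port)`; the sample output below is constructed around the exhibit's addresses and is not the real exhibit. As the last comment in the thread points out, an overload pool configured to preserve the source port would produce the same lines, so the verdict is indicative, not definitive.

```python
import re

# Matches one hook line of "diagnose sys session list" output, e.g.
# hook=post dir=forward act=snat 10.0.1.10:50000->10.200.1.1:80(10.200.1.6:20001)
HOOK_RE = re.compile(
    r"hook=\w+ dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\)"
)

def parse_sessions(text):
    """Split blank-line-separated sessions and keep, per session, the forward
    SNAT mapping (src, sport, nat_ip, nat_port) and whether forward DNAT applied."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        sess = {"snat": None, "dnat": False}
        for m in HOOK_RE.finditer(block):
            if m["dir"] != "forward":  # reply-direction lines only mirror the mapping
                continue
            if m["act"] == "snat":
                sess["snat"] = (m["src"], int(m["sport"]), m["nat_ip"], int(m["nat_port"]))
            elif m["act"] == "dnat":  # a VIP in the policy shows up here
                sess["dnat"] = True
        if sess["snat"]:
            sessions.append(sess)
    return sessions

def classify_snat(text):
    """Study-guide rule: same ingress and egress source port means no PAT
    (one-to-one pool); rewritten ports behind a shared NAT IP means overload."""
    sessions = parse_sessions(text)
    if not sessions:
        return {"verdict": "no SNAT seen", "sessions": 0}
    port_kept = all(sp == np for _, sp, _, np in (s["snat"] for s in sessions))
    nat_ips = sorted({s["snat"][2] for s in sessions})
    verdict = "one-to-one (no PAT)" if port_kept else "overload (PAT)"
    return {"verdict": verdict, "sessions": len(sessions), "port_preserved": port_kept,
            "nat_ips": nat_ips, "dnat_in_forward": any(s["dnat"] for s in sessions)}

# Constructed sample using the exhibit's addresses (10.0.1.10 -> 10.200.1.6); it is
# not the real exhibit. Source ports are rewritten, so it classifies as overload.
SAMPLE = """\
hook=post dir=forward act=snat 10.0.1.10:50000->10.200.1.1:80(10.200.1.6:20001)
hook=pre dir=reply act=dnat 10.200.1.1:80->10.200.1.6:20001(10.0.1.10:50000)

hook=post dir=forward act=snat 10.0.1.10:50001->10.200.1.1:443(10.200.1.6:20002)
hook=pre dir=reply act=dnat 10.200.1.1:443->10.200.1.6:20002(10.0.1.10:50001)
"""
```

Call `classify_snat(SAMPLE)` to get the verdict dict; feeding it the same lines with the egress port equal to the ingress port flips the verdict to one-to-one.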

Discussion

9 comments
darkspawn117 (Option: D)
Oct 29, 2022

I may be missing something? Wouldn't it be Overload because of the numerous ports used in Source-NAT?

PonPom3 (Option: A)
Oct 11, 2022

Fortigate Security 7.0 Page 164

Virutas
Nov 17, 2022

In the one-to-one pool type, an internal IP address is mapped with an external address on a first-come, first-served basis. There is a single mapping of an internal address to an external address. Mappings are not fixed and, if there are no more addresses available, a connection will be refused. Also, in one-to-one, PAT is not required. In the example on this slide, you can see the same source port is shown for both the ingress and egress address.

El3den
Oct 5, 2022

Is this correct?

AngraMainyu
Oct 9, 2022

Yes, the port translation shows it's not PAT, therefore it's one to one

ABELQF6 (Option: A)
Jan 10, 2023

A ......

majidsheik23
Jan 27, 2023

I tested this now in the firewall. Both A and C are correct. They show similar output when I checked the session table. Always do the lab and verify.

darkdante24
Jan 17, 2024

A and C would have been correct only if the port of the source remained the same through the HTTP and HTTPS connections.

Valebino (Option: A)
Feb 20, 2023

A "one-to-one" is correct, See FortiGate Security 7.0 Study Guide P.164 "In one-to-one NAT, PAT is not required. Same source port is shown for both the ingress and egress address called also a single mapping of an internal to a external address"

raydel92 (Option: A)
Sep 5, 2023

A. One-to-one NAT IP pool is used in the firewall policy. Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

ml1190 (Option: B)
Sep 22, 2023

Since all packets have the same source IP (10.0.1.10), one-to-one NAT should behave the same as an overload pool, since there's no need to apply PAT or share the pool. I think the only fact we're sure about is that there is no DNAT...

warlusontheweb (Option: B)
Nov 19, 2023

Actually, this question appears very strange to me. Answers A, C and D have the same session table as the one shown; it is not possible to say one-to-one so easily, since you can configure SNAT overload with preserve source port. One thing: no destination NAT IP is shown, this means any VIP is configured in the firewall policy and this means something is "disabled" in such a policy, even if I admit it is a bit of a stretched thought.