
nse4_fgt-72 Exam - Question 14


Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

Correct Answer: BD

In the VIP configuration, enable arp-reply. This is necessary because the ISP router needs to resolve the MAC address for the public IP address (203.0.113.2) through ARP. Without an ARP reply from the FortiGate, the ISP router cannot route traffic to the FortiGate, resulting in the connection timing out. Therefore, enabling arp-reply ensures that the ISP router can properly route the traffic to the FortiGate device.
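As an added illustration of the answer (not part of the exam exhibit or the original page), the FortiOS CLI below shows the VIP with arp-reply disabled beside the corrected setting, followed by a sniffer check for the ISP router's ARP requests. The VIP name, external interface and internal server address are assumed placeholders; only 203.0.113.2 comes from the question.

```fortios
# Added example. VIP_WEBSERVER, port1 and 10.0.1.10 are assumed placeholders.

# Weak setting: arp-reply disabled. The ISP router holds only a connected
# route for the public subnet, so it must ARP for 203.0.113.2 before it can
# forward anything. With no reply, nothing reaches FortiGate and the
# sniffer for web traffic stays empty.
config firewall vip
    edit "VIP_WEBSERVER"
        set extip 203.0.113.2
        set extintf "port1"
        set mappedip "10.0.1.10"
        set arp-reply disable
    next
end

# Corrected setting: FortiGate answers ARP for the VIP external address
# (this is the default, so it only needs to be re-enabled).
config firewall vip
    edit "VIP_WEBSERVER"
        set arp-reply enable
    next
end

# Verification: capture ARP on the external interface (verbosity 4 shows the
# interface name). After the change, the router's "who-has 203.0.113.2"
# request should be followed by a reply from FortiGate.
diagnose sniffer packet port1 'arp' 4
```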

Discussion

17 comments
kosta_georgiev (Option: B)
Jan 18, 2023

The correct answer is B: in the routing table of the ISP we can see that the route is C (connected), which means that if there is no ARP entry, traffic will be dropped by the ISP, and this is why there are no packets in the FortiGate sniffer.

samael666
Oct 8, 2023

You're right. Another thing: if the ISP had a static route to that subnet, then at least we would see traffic.

erawemk (Option: B)
Jul 2, 2023

A. Makes no sense. B. This option is available for VIP configurations (please check page 115 of the Security study materials), so this is the correct answer. C. It is not required to solve the problem, because the firewall policy is allowing all traffic for the VIP object. D. This option is enabled only for deny policies; please check the note in https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641?externalID=FD36750

shadow2020 (Option: B)
Mar 1, 2023

The reason why it's not D: match-vip is not allowed in firewall policies when the action is set to accept. https://docs.fortinet.com/document/fortigate/6.4.11/fortios-release-notes/350283/enabling-match-vip-in-firewall-policies

raydel92 (Option: B)
Sep 8, 2023

B. In the VIP configuration, enable arp-reply. FortiGate Security 7.2 Study Guide (p.115): "Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you. For this reason, it’s a best practice to keep ARP reply enabled." Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

BoostBoris (Option: B)
Feb 11, 2023

The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing properly set. You can also enable ARP reply on the VIP (enabled by default, here disabled) to facilitate routing on the upstream network.

Satekhi (Option: B)
Dec 9, 2023

Note that the match-vip setting is available only when the firewall policy action is set to DENY.

Spyder_Byte (Option: D)
Jan 14, 2023

match-vip is only needed if the policy is using a firewall address object as the destination. In this case, we see the destination is the VIP object, so the traffic would match either way.

Vingador3000 (Option: C)
Apr 14, 2023

C. Enable port forwarding on the server to map the external service port to the internal service port.

santi1509 (Option: D)
Feb 20, 2023

With match-vip disabled, it was not going to see traffic coming from the internet because they had not connected.

certchris (Option: B)
Jun 29, 2023

SG Security p.115: the ISP router has no entry in its routing table to reach the IP, only a connected route (C). So it generates ARP requests to resolve the MAC address of any address in the destination subnet.

itka (Option: C)
Jun 30, 2023

C. Enable port forwarding

Emiaj23 (Option: B)
Aug 6, 2023

Without any doubt the answer is B. A, C and D make no sense.

Slash_JM (Option: B)
Aug 29, 2023

FortiGate Security 7.2 Study Guide p.115

itzuy06 (Option: B)
Sep 15, 2023

B) In the VIP configuration, enable arp-reply.

GeniusA (Option: B)
Dec 19, 2023

Option B is the correct answer

Ygrec (Option: B)
Jan 5, 2024

It cannot be C because port forwarding is disabled; B is the correct one.

Jere2001 (Option: B)
Apr 23, 2024

Answer D makes no sense.