
nse4_fgt-72 Exam - Question 38


Refer to the exhibits.

The exhibits show a network diagram and firewall configurations.

An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.

In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Correct Answer: BCD

To deny Webserver access for Remote-User2 while still allowing Remote-User1, the Deny policy has to actually match the traffic that is destined for the Webserver. Because the Webserver is published through a VIP (destination NAT), a Deny policy left at its default settings does not match that traffic. Setting the destination address of the Deny policy to the Webserver VIP object makes the policy target only traffic intended for that server. Enabling match-vip in the Deny policy makes the policy match traffic destined to VIP addresses, so traffic from Remote-User2 to the Webserver is identified and denied.
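The following FortiOS CLI fragment is an added illustration of the two accepted changes (options B and C); it is not part of the exam question or of the site's explanation. The interface names (wan1, internal), the address objects Remote-User1 and Remote-User2 and their addresses, and the VIP's mapped internal address are assumptions chosen for the example; the public address 203.0.113.22 is the one quoted in the discussion below.

```fortios
# Added example, not from the exam page. Interface names, the Remote-User
# address objects and the mapped internal address are assumptions.

# The Webserver is published through a VIP: public 203.0.113.22 is
# destination-NATed to an internal host (10.0.0.10 is a placeholder).
config firewall vip
    edit "Webserver"
        set extintf "wan1"
        set extip 203.0.113.22
        set mappedip "10.0.0.10"
    next
end

# Address objects for the two remote users (assumed values).
config firewall address
    edit "Remote-User1"
        set subnet 198.51.100.10 255.255.255.255
    next
    edit "Remote-User2"
        set subnet 198.51.100.20 255.255.255.255
    next
end

# Policies are evaluated top-down, first match wins, so the Deny policy
# must sit above the Allow policy.
config firewall policy
    # Option B: the destination of the Deny policy is the VIP object itself,
    # so the policy matches only traffic DNATed to this one server.
    edit 1
        set name "Deny_Remote-User2"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Remote-User2"
        set dstaddr "Webserver"
        set action deny
        set schedule "always"
        set service "ALL"
        # Option C: match-vip makes a deny policy match traffic destined to
        # VIPs. It is what a Deny policy with dstaddr "all" needs in order to
        # block VIP traffic; with the VIP already named in dstaddr it is not
        # required, but it is harmless to keep both.
        set match-vip enable
        # Log the denied hits so the change can be verified from the logs.
        set logtraffic all
    next
    # Remote-User1 keeps its access through the existing Allow policy.
    edit 2
        set name "Allow_access"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Remote-User1"
        set dstaddr "Webserver"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
```

Either change on its own is sufficient: naming the VIP as the destination (B) blocks Remote-User2 for that server only, while enabling match-vip on a Deny policy whose destination is "all" (C) blocks Remote-User2 towards every VIP. A Deny policy with default settings (match-vip disabled, destination "all") does neither, which is why the administrator's original policy was ineffective. To confirm which policy a connection hits, run `diagnose debug flow filter daddr 203.0.113.22`, `diagnose debug flow trace start 10` and `diagnose debug enable`, then generate a request from Remote-User2 and check that the trace reports the Deny policy.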

Discussion

16 comments
Poseidon458 (Options: BC)
Jan 25, 2023

Answer should be BC. It makes sense that the destination address be the webserver which needs to be denied for IP Deny_IP

chromevandium11 (Options: BC)
Jan 8, 2023

Answer should be BC.

zheka (Options: AB)
Mar 24, 2023

You are wrong with D. Look and read carefully this Fortinet guide, i.e. FortiGate_Security_7.2_Study_Guide, namely page 114. It says: "In case you want to block only traffic destined to one or more VIPs, you can reference the VIP as the destination address in the deny firewall policy." The key here is the Deny policy, not the Allow policy.

AgentSmith (Options: BC)
Jun 25, 2023

BC

A. Disable match-vip in the Deny policy. - No, because you want to match destination IP 203.0.113.22.
B. Set the Destination address as Webserver in the Deny policy. - Yes - Source Remote_user2, dest Webserver (203.0.113.22). Best practice is to be explicit.
C. Enable match-vip in the Deny policy. - Allows the policy to match the Webserver VIP IPs.
D. Set the Destination address as Deny_IP in the Allow_access policy. - No, because we want to block Remote_user2.

Knowledge33
Oct 6, 2023

You're correct on the answers, it's B and C. But the explanation is wrong. B is correct because we use destination NAT. Then in the firewall rule, we need to match the private IP of the server and not the public IP. That's why B is correct but not D. When FG receives a packet, it performs first the DNAT, then firewall rules checking.

efot (Options: BC)
Jan 19, 2023

Answer should be BC

lrnt (Options: CD)
Mar 21, 2023

C and D - match-vip in the deny policy needs to be enabled (`set match-vip enable`) or the destination address needs to be the VIP object (`set dstaddr "VIP object"`).

Slash_JM (Options: BC)
Sep 22, 2023

FortiGate Security 7.2 Study Guide p.114

claumagagnotti (Options: CD)
Mar 9, 2023

Selected Answer: CD. Because they only want to block one public IP.

claumagagnotti (Options: CD)
Mar 10, 2023

Because they only want to block one public IP.

emacip23 (Options: BC)
Apr 24, 2023

B and C.

Libexec (Options: BC)
May 2, 2023

Correct.

raydel92 (Options: BC)
Sep 10, 2023

B. Set the Destination address as Webserver in the Deny policy.
C. Enable match-vip in the Deny policy.

Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

CISUG (Options: BC)
Oct 24, 2023

Answer is BC; see the link below for an explanation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641

GeniusA (Options: BC)
Dec 20, 2023

B. Set the Destination address as Webserver in the Deny policy.
C. Enable match-vip in the Deny policy.

AMK2ENG (Options: BC)
Dec 22, 2023

B. Set the Destination address as Webserver in the Deny policy.
C. Enable match-vip in the Deny policy.

MengtingLiang (Options: BC)
Apr 29, 2024

BC

But what if you want the first policy to block all incoming traffic to all destinations, including the traffic destined to any VIPs? This is useful if your network is under attack, and you want to temporarily block all incoming external traffic. You can do this by enabling match-vip on the first firewall policy. In case you want to block only traffic destined to one or more VIPs, you can reference the VIPs as the destination address on the deny firewall policy.