nse7_efw-70 Exam Questions

nse7_efw-70 Exam - Question 46


Refer to the exhibit, which contains the output of the diagnose vpn tunnel list command.

Which command will capture ESP traffic for the VPN named DialUp_0?

Correct Answer: AD

To capture ESP traffic for the VPN named DialUp_0 in this scenario, port 4500 should be used because NAT traversal (NAT-T) is active, indicated by 'natt: mode=silent'. In such cases, the ESP (Encapsulating Security Payload) traffic, which is usually identified by IP protocol 50, is encapsulated within UDP packets on port 4500. Therefore, the correct command to capture this traffic is the one that filters packets based on port 4500.
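As an added example (not from the exam or from Fortinet), the Python below reads the natt: mode= value from a constructed tunnel-list excerpt to choose between the "esp" and "udp port 4500" sniffer filters described above, and separates UDP-encapsulated ESP from IKE sharing UDP/4500 by the RFC 3948 non-ESP marker; the sample output, addresses and SPI are constructed, not taken from the exhibit.

```python
import re
import struct

# Constructed excerpt in the style of `diagnose vpn tunnel list` output; it is
# not the exam exhibit, and only the fields read below are meaningful.
TUNNEL_LIST = """\
name=Site2Site ver=2 serial=1 203.0.113.5:0->192.0.2.9:0 tun_id=192.0.2.9
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
name=DialUp_0 ver=2 serial=5 203.0.113.5:4500->198.51.100.7:4500 tun_id=198.51.100.7
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=silent draft=0 interval=10 remote_port=4500
"""

def tunnel_block(tunnel_list: str, name: str) -> str:
    """Return the text of one tunnel's block (from its name= line to the next)."""
    m = re.search(rf"^name={re.escape(name)}\b.*?(?=^name=|\Z)",
                  tunnel_list, re.S | re.M)
    if m is None:
        raise KeyError(f"no tunnel named {name}")
    return m.group(0)

def esp_filter_for(tunnel_list: str, name: str) -> str:
    """Filter for `diagnose sniffer packet any '<filter>'` that shows this
    tunnel's ESP: IP protocol 50 without NAT-T, UDP/4500 once NAT-T is active."""
    block = tunnel_block(tunnel_list, name)
    remote = re.search(r"->(\d+\.\d+\.\d+\.\d+):\d+", block).group(1)
    natt = re.search(r"natt: mode=(\S+)", block)
    if natt is None or natt.group(1) == "none":
        return f"host {remote} and esp"
    return f"host {remote} and udp port 4500"

def classify_udp4500(payload: bytes) -> str:
    """Tell apart what shares UDP/4500 (RFC 3948): a 1-byte 0xFF NAT keepalive,
    IKE behind a 4-byte zero 'non-ESP marker', or UDP-encapsulated ESP, whose
    first 8 bytes are the SPI (never 0 for a live SA) and sequence number."""
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 8:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    spi, seq = struct.unpack("!II", payload[:8])
    return f"esp spi=0x{spi:08x} seq={seq}"

if __name__ == "__main__":
    for name in ("Site2Site", "DialUp_0"):
        print(f"{name}: diagnose sniffer packet any '{esp_filter_for(TUNNEL_LIST, name)}'")
```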

Discussion

11 comments
LiliRose (Option: B)
Jan 23, 2023

Answer: B

If you need to capture IPsec traffic, remember that the IP protocol and UDP port numbers depend on NAT-T and the use of NAT. If there is NO FG located in the middle that is running NAT, IKE traffic uses "UDP Port 500" and ESP traffic uses "IP Protocol 50".

- Sniffers - No NAT
IKE Traffic:
# diagnose sniffer packet <port> 'host <remote-gateway> and udp port 500'
ESP Traffic:
# diagnose sniffer packet any 'host <remote-gateway> and esp'

If NAT-T is enabled, and there is a FG located in the middle that is running NAT, the sniffer command must use a different filter:
1- In this case, IKE traffic uses "UDP Port 500", but switches to "UDP Port 4500" during the tunnel negotiation.
2- Additionally, ESP traffic is encapsulated inside the UDP 4500 channel.

- Sniffer - NAT and NAT-T
# diagnose sniffer packet any 'host <remote-gateway> and (udp port 500 or udp port 4500)'

LiliRose
Jan 23, 2023

Actually correct answer is D natt: silent

racdab
Jan 24, 2023

ESP = NAT and NAT-T = encapsulation in UDP port 4500
ESP = NO NAT = uses "IP Protocol 50"

racdab
Jan 24, 2023

nat is used so correct answer is D

kocalin (Option: D)
Jan 17, 2023

NAT-T is used, so the correct answer is D. (NAT-T uses UDP port 4500.)

jjejje (Option: D)
Jan 6, 2023

D answer

Seph1 (Option: D)
Apr 5, 2023

D is correct, NAT is used.

Georgezhong
Jul 26, 2023

Study guide pg. 443

wengzaii96
May 4, 2023

Which line shows that NAT is in use?

mau_80
Jun 21, 2023

port 4500

Yaserdfg
Dec 28, 2023

Also, mode is silent, which means forced: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-nattraversal/ta-p/197873

certifi46 (Option: D)
May 10, 2023

NAT-T enabled.

Georgezhong
Jul 26, 2023

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Different-methods-to-capture-packets-for-IPsec-VPN/ta-p/209471

ay_dos (Option: A)
Nov 28, 2023

Correct Answer A. Unfortunately many see port 4500 as meaning NAT is used, but unfortunately this is not the case. The VPN server will always listen on IKE ports 500 and 4500; if port 500 fails it tries 4500, with or without NAT-T. If NAT-T is used, both server and clients use port 4500, but in this case 4500 is only used on one side. Note the IKE port is configurable. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-custom-IKE-port-between-two-FortiGate/ta-p/202107

Yaserdfg
Dec 28, 2023

NAT-T is forced, natt mode silent: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-nattraversal/ta-p/197873

J_Olin (Option: D)
May 9, 2024

Because 'natt: mode=silent' the FortiGate, per RFC 3947, will use the UDP protocol on port 4500. This is why the sniffer should only be looking at port 4500. Hence, answer D.