
nse4_fgt-72 Exam - Question 61


Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

Correct Answer: AC

When the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, FortiGate matches the VIP object and the firewall policy before forwarding the packet to the internal network, and translates the packet as follows: the source address changes to 10.0.1.254 (the IP of the LAN interface, because NAT is enabled on the firewall policy and source NAT uses the outgoing interface address by default), the destination address changes to 10.0.1.10 (the internal IP address mapped by the VIP), and the destination port changes to 443 (because port forwarding is enabled on the VIP). The correct response is 10.0.1.254, 10.0.1.10, and 443, respectively.
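The following Python model, added here as an illustration and not FortiOS code, walks one packet through the order of operations the explanation describes: VIP matching (DNAT of address and, with port forwarding, port), a route lookup for the egress interface, the policy lookup, and then source NAT only if the matched policy has NAT enabled. The routing table, the VIP object name (VIP-Web), port1 as the ingress interface for 10.200.3.1, and the simplified matching rules are assumptions; the addresses and ports come from the question, and the packet is constructed. Running it with NAT on gives option A; running it with NAT off gives the untranslated source that option C assumes, which is the crux of the discussion below.

```python
"""Simplified model of FortiGate VIP (DNAT) plus policy NAT (SNAT) on one packet.
Added example for this question; not FortiOS code. Route table, VIP name and
matching rules are assumptions; the packet is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str                       # interface address; the default SNAT address


@dataclass(frozen=True)
class VIP:
    name: str
    extintf: str
    extip: str
    mappedip: str
    portforward: bool = False
    protocol: str = "tcp"
    extport: Optional[int] = None
    mappedport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    dstaddr: str                  # VIP object name, or "all"
    nat: bool                     # the policy's NAT setting (last column of the exhibit)
    ippool: Optional[str] = None  # SNAT from a pool address instead of the egress interface IP


def route_lookup(addr: str, routes: dict) -> str:
    """Longest-prefix match. routes maps a prefix string to an interface name."""
    ip = ip_address(addr)
    best = max((ip_network(p) for p in routes if ip in ip_network(p)),
               key=lambda n: n.prefixlen)
    return routes[str(best)]


def fortigate_forward(pkt, routes, interfaces, vips, policies) -> Optional[Packet]:
    """Return the packet as forwarded, or None if no policy accepts it."""
    ingress = route_lookup(pkt.src, routes)   # assumption: packet arrived on the interface that routes back to its source
    ifaces = {i.name: i for i in interfaces}

    # 1. DNAT: a VIP on the ingress interface whose external IP (and, with port
    #    forwarding, protocol and external port) matches rewrites the destination.
    matched_vip = None
    dst, dport = pkt.dst, pkt.dport
    for v in vips:
        if v.extintf != ingress or v.extip != pkt.dst:
            continue
        if v.portforward and (v.protocol != pkt.proto or v.extport != pkt.dport):
            continue
        matched_vip = v
        dst = v.mappedip
        if v.portforward:
            dport = v.mappedport
        break

    # 2. Route the translated destination to find the egress interface.
    egress = route_lookup(dst, routes)

    # 3. Policy lookup: for VIP traffic the policy destination must be the VIP object.
    def dst_matches(p):
        return p.dstaddr == matched_vip.name if matched_vip else p.dstaddr == "all"
    policy = next((p for p in policies
                   if p.srcintf == ingress and p.dstintf == egress and dst_matches(p)), None)
    if policy is None:
        return None                           # implicit deny

    # 4. SNAT happens only when the matched policy has NAT enabled; the default
    #    source is the egress interface IP, otherwise the configured IP pool address.
    src = pkt.src
    if policy.nat:
        src = policy.ippool or ifaces[egress].ip
    return Packet(src, dst, dport, pkt.proto)


def question_61(nat_enabled: bool = True) -> Optional[Packet]:
    """Exhibit-style configuration for this question (routes and VIP name assumed)."""
    routes = {"10.200.1.0/24": "port1", "10.0.1.0/24": "port3", "0.0.0.0/0": "port1"}
    interfaces = [Interface("port1", "10.200.1.1"), Interface("port3", "10.0.1.254")]
    vips = [VIP("VIP-Web", "port1", "10.200.1.10", "10.0.1.10",
                portforward=True, extport=10443, mappedport=443)]
    policies = [Policy("port1", "port3", "VIP-Web", nat=nat_enabled)]
    syn = Packet("10.200.3.1", "10.200.1.10", 10443)   # constructed packet from the question
    return fortigate_forward(syn, routes, interfaces, vips, policies)


if __name__ == "__main__":
    print("NAT on :", question_61())            # option A
    print("NAT off:", question_61(nat_enabled=False))
```

The `ippool` field covers the case raised in the comments where SNAT uses a pool address rather than the outgoing interface IP: the destination and port translation are unchanged, only the chosen source address differs.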

Discussion

17 comments
raydel92 (Option: A)
Sep 13, 2023

A. 10.0.1.254, 10.0.1.10, and 443, respectively

Question repeated with Q52.

Translations:
10.200.3.1 --> 10.0.1.254 because NAT is enabled in the firewall policy
10.200.1.10 --> 10.0.1.10 because the VIP is the destination
10443 --> 443 because port forwarding is enabled on the VIP

Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

Timbal
Jun 10, 2023

Is this question the same as #52, but here with the 4 answer options?

[Removed]
Jun 18, 2023

exactly!

erawemk (Option: C)
Jul 4, 2023

The correct option is C because the external source IP is never translated, only the server address that is behind the FortiGate, so option A is wrong. The NAT enabled in the firewall policy indicates that egress traffic is translated using the VIP address (10.200.1.10) and not using 10.200.1.1 (port1 of the FortiGate). Please see NSE4_FortiGate_Security_7.2_Study_Guide pages 97 and 110.

erawemk
Jul 4, 2023

Correction!! When you use a secondary IP or IP pool for the VIP (not the outgoing interface IP), FortiGate sends traffic from internal port2 to the web server. I checked it on my own lab. To have an idea, someone in question 52 shared this link: https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/ The correct answer is A (what a tricky question, huh?).

JakubCh (Option: A)
Aug 2, 2023

There is SNAT configured on firewall policy. That's why it is A.

wwwwaaaa (Option: C)
Nov 10, 2023

Security guide p. 112, check the example there.

rpaleto (Option: A)
Dec 29, 2023

Ans. A is correct.

Alwie (Option: C)
Jul 4, 2023

NAT only operates in one direction at a time. For inbound traffic only the DNAT will apply, as the original source has to be preserved so that traffic can be routed back, so C.

Garry_G
Sep 5, 2023

The incoming policy has explicit source NAT enabled (last column), so any incoming session will use the destination interface IP as the SNAT IP. And of course both SNAT and DNAT can be used together ... I have used it before when I needed to ensure returning traffic gets back to the right FW when the same external source could be coming over two different firewalls / locations (redundancy situation).

imwatever (Option: A)
Jul 13, 2023

Lab tested.

NiciExam (Option: A)
Jul 19, 2023

It is A

lliu27 (Option: C)
Nov 26, 2023

C. SNAT only applies from LAN to WAN, not both ways.

AMK2ENG (Option: B)
Dec 22, 2023

The correct answer is: B. 10.0.1.254, 10.200.1.10, and 443, respectively

Explanation: The source address of the packet will be the LAN (port3) interface IP address, which is 10.0.1.254. The destination address of the packet will be the VIP (Virtual IP) address, which is 10.200.1.10. The destination port of the packet will be the VIP's port, which is 443.

Leodoro (Option: A)
Aug 27, 2023

Answer is A. SNAT and DNAT are both active. We don't see the IP pool of SNAT, but it has to be another IP than the original. The only logical answer is A.

Vic2911 (Option: A)
Sep 5, 2023

Correct answer is A. On the security policy NAT is enabled, and by default the firewall performs NAT using the outgoing interface address.

samael666 (Option: C)
Oct 9, 2023

Change the source IP address of the outgoing traffic; in the other direction, the change goes to the destination.

costavo (Option: A)
Oct 16, 2023

A. 10.0.1.254, 10.0.1.10, and 443, respectively

cerifyme85 (Option: A)
Dec 6, 2023

I think the question is asking about post-NAT IP addresses and ports? Then A. If they were asking for pre-NAT, then C. The question needs to be clearer, though.

Redrum702 (Option: A)
May 9, 2024

Key phrase: "after FortiGate forwards the packet to the destination", which means NAT was completed. Answer is A.