nse4_fgt-72 Exam Questions

nse4_fgt-72 Exam - Question 52


Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

Correct Answer: AC

When the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, the packet traverses the FortiGate firewall, which performs both source NAT (SNAT) and destination NAT (DNAT). SNAT translates the source address from 10.200.3.1 to the outgoing interface address (in this case, 10.0.1.254). DNAT translates the destination address and port from 10.200.1.10:10443 to 10.0.1.10:443, as specified in the Virtual IP (VIP) configuration. Hence, after the FortiGate forwards the packet to the destination, the source address, destination address, and destination port of the packet are 10.0.1.254, 10.0.1.10, and 443, respectively.
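As an added illustration of the translation order described above, the following Python model (written for this page, not FortiGate code) applies the VIP's DNAT with port forwarding first and then the policy's source NAT on egress. It uses the addresses from the question; the `Policy` and `VIP` field names, the single-address IP pool option and the pool address 10.0.1.200 are assumptions made for the model, not FortiOS identifiers.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class VIP:
    """Virtual IP object: external address (and optionally port) mapped to an internal one."""
    extip: str
    mappedip: str
    extport: Optional[int] = None     # None means no port forwarding: every port, port unchanged
    mappedport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.extip:
            return False
        return self.extport is None or pkt.dst_port == self.extport

    def dnat(self, pkt: Packet) -> Packet:
        port = self.mappedport if self.extport is not None else pkt.dst_port
        return replace(pkt, dst_ip=self.mappedip, dst_port=port)


@dataclass(frozen=True)
class Policy:
    """Firewall policy whose destination object is the VIP; nat is the policy's NAT toggle."""
    srcintf: str
    dstintf: str
    dstintf_ip: str                  # address of the outgoing interface
    nat: bool
    ippool: Optional[str] = None     # hypothetical single-address IP pool; None = outgoing interface address

    def snat(self, pkt: Packet) -> Packet:
        if not self.nat:
            return pkt               # NAT disabled on the policy: source address left untouched
        return replace(pkt, src_ip=self.ippool or self.dstintf_ip)


def forward(pkt: Packet, vip: VIP, policy: Policy) -> Optional[Packet]:
    """Packet as it leaves the outgoing interface, or None when the VIP does not match
    (a policy whose destination is that VIP is then never hit)."""
    if not vip.matches(pkt):
        return None
    pkt = vip.dnat(pkt)      # step 1: DNAT from the VIP, performed before policy lookup
    return policy.snat(pkt)  # step 2: SNAT on egress when the matching policy has NAT enabled


# Objects taken from the question: interface addresses, VIP with port forwarding, policy with NAT on
QUESTION_PACKET = Packet(src_ip="10.200.3.1", dst_ip="10.200.1.10", dst_port=10443)
QUESTION_VIP = VIP(extip="10.200.1.10", mappedip="10.0.1.10", extport=10443, mappedport=443)
QUESTION_POLICY = Policy(srcintf="port1", dstintf="port3", dstintf_ip="10.0.1.254", nat=True)


def as_tuple(pkt: Optional[Packet]):
    return None if pkt is None else (pkt.src_ip, pkt.dst_ip, pkt.dst_port)


def question_answer():
    """The scenario exactly as asked: policy NAT enabled, VIP with port forwarding."""
    return as_tuple(forward(QUESTION_PACKET, QUESTION_VIP, QUESTION_POLICY))


def without_policy_nat():
    """Same VIP, but the policy's NAT toggle is off: only the DNAT happens."""
    return as_tuple(forward(QUESTION_PACKET, QUESTION_VIP, replace(QUESTION_POLICY, nat=False)))


def with_ippool(pool_addr: str = "10.0.1.200"):
    """Policy NAT drawing from an IP pool instead of the outgoing interface address (pool address constructed)."""
    return as_tuple(forward(QUESTION_PACKET, QUESTION_VIP, replace(QUESTION_POLICY, ippool=pool_addr)))


def wrong_port():
    """A SYN to a port the VIP does not forward never matches the VIP, so the policy is not hit."""
    return as_tuple(forward(replace(QUESTION_PACKET, dst_port=80), QUESTION_VIP, QUESTION_POLICY))


if __name__ == "__main__":
    print("question :", question_answer())
    print("no SNAT  :", without_policy_nat())
    print("IP pool  :", with_ippool())
    print("port 80  :", wrong_port())
```

The `without_policy_nat` case shows what the discussion below is arguing about: with the policy's NAT toggle off the source stays 10.200.3.1 and only the destination and port change; with it on, the source becomes the port3 address unless an IP pool is selected, in which case the pool address is used instead.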

Discussion

17 comments
Phil708 (Option: A)
May 24, 2023

A is correct. NAT on the policy means the source gets translated from 10.200.3.1 to 10.0.1.254. The VIP performs DNAT which changes the destination from 10.200.1.10 to 10.0.1.10. Then port forwarding translates the port from 10443 to 443.

rgeneson (Option: A)
May 14, 2023

The correct answer is A because this rule is set up with BOTH SNAT and DNAT enabled (which is very uncommon in the real world). The Destination is a VIP with Port Forwarding, which means the FortiGate has to translate the incoming request's destination IP and port to the internal resource's IP and port. Thus destination translation occurs from 10.200.1.1:10443 to 10.0.1.10:443. The firewall rule itself also has NAT set to Enabled. The default setting for this type of source NAT is 'Use Outgoing Interface Address' (in this case port3's IP) and, given the options, this must be set in this case. Thus source translation occurs from 10.200.3.1 to 10.0.1.254. For more information see: https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/

Amrrax
Jun 4, 2023

Correct, in the rule NAT is enabled and this changes the source IP.

erawemk
Jul 4, 2023

I think this is not very uncommon; instead it is normal in the real world, and it only works in that way if you use a secondary IP or IP Pool for NAT.

raydel92
Sep 13, 2023

FortiGate Security 7.2 Study Guide (p.130): "Use the following best practices when implementing NAT: - Don’t configure a NAT rule for inbound traffic unless it is required by an application. For example, if there is a matching NAT rule for inbound SMTP traffic, the SMTP server might act as an open relay."

darkdante24
Jan 16, 2024

One thing you are wrong at is this type of setting is very much common in real world where you have to hide the external IP behind firewall internal interface for security reasons.

marwan93 (Option: C)
Nov 15, 2023

C is correct. The IP header usually does not change the src-ip and dst-ip address for any packet end-to-end, but since we have NAT it will just translate the dst-ip, so the correct answer should be C.

Vences (Option: C)
Jun 22, 2023

Definitely C, DNAT does not change source IP address, only destination - tried it several times.

mirosaty
Nov 21, 2023

Did you enable NAT, which translates the public IP to a private IP, in this scenario?

Samhain666 (Option: C)
Sep 14, 2023

C is correct. DNAT takes precedence on the incoming traffic, and no rule is configured to translate incoming traffic to the port3 address.

imwatever (Option: A)
Jul 13, 2023

Lab tested.

HernandoZ (Option: A)
Jun 10, 2023

I agree with Phil708, so A it is.

Bund (Option: C)
Jun 18, 2023

Should be C.

lupnoob (Option: C)
Jul 12, 2023

C for sure. If an IP pool is used, the NAT column should show the IP pool name. The NAT column will show enabled even when a VIP is configured as the destination.

rian00z_ (Option: A)
Aug 19, 2023

Correct answer: A

Vic2911 (Option: A)
Sep 8, 2023

A is the right answer. The policy has NAT enabled, so the original IP is NATted using the outgoing interface IP address.

raydel92 (Option: A)
Sep 13, 2023

A. 10.0.1.254, 10.0.1.10, and 443, respectively.

Translations:
10.200.3.1 --> 10.0.1.254 because NAT is enabled in the firewall policy
10.200.1.10 --> 10.0.1.10 because the VIP is the destination
10443 --> 443 because port forwarding is enabled on the VIP

Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

Mallu_92 (Option: A)
Mar 18, 2024

Default NAT is used, so the source will be using the outgoing port IP. A is the correct answer.

Mallu_92 (Option: A)
Mar 19, 2024

Default NAT is used; it will use the outgoing port IP when the packet exits the firewall.

GarryPaca (Option: A)
Apr 5, 2024

A, NAT is enabled.

ElWenja (Option: A)
Jun 18, 2024

A is the correct answer.