Exam nse4_fgt-72
Question 52

Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?

    Correct Answer: A

    When host 10.200.3.1 sends a TCP SYN to 10.200.1.10 on port 10443, the packet arrives on port1 and FortiGate applies two translations in a fixed order. First, because the destination matches the VIP object, destination NAT (DNAT) is applied before the policy lookup: the VIP with port forwarding rewrites 10.200.1.10:10443 to 10.0.1.10:443, and the route lookup on the translated address selects port3 as the egress interface. Second, because the matching firewall policy has NAT enabled and no IP pool, source NAT (SNAT) is applied on egress using the outgoing interface address, rewriting the source from 10.200.3.1 to 10.0.1.254 (port3). The packet therefore leaves FortiGate with source address 10.0.1.254, destination address 10.0.1.10, and destination port 443, which is answer A. Note the consequence of enabling NAT on an inbound policy: the server sees every client as 10.0.1.254, so its logs and any address-based access control lose the real client address. The FortiGate Security 7.2 Study Guide advises against NAT on inbound policies unless an application requires it.
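As an added worked example (not from the exam, this site, or Fortinet), the following Python model reproduces the order in which FortiGate applies the VIP (DNAT) and the policy's NAT (SNAT) to the question's SYN, then reverses both translations for the server's reply and contrasts the result with NAT disabled and with an IP pool. The interface names port1/port3 and the addresses come from the question; the VIP name VIP-WebServer, the client source port 51000, the IP pool address 10.0.1.200 and the default route via port1 are assumptions, and policy service matching is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model (not FortiOS code) of how FortiGate handles a new session:
# VIP DNAT at ingress, route lookup, policy lookup, then policy SNAT at egress.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class VIP:
    """Subset of 'config firewall vip': extip[:extport] on extintf -> mappedip[:mappedport]."""
    name: str
    extintf: str
    extip: str
    mappedip: str
    portforward: bool = False
    extport: int = 0
    mappedport: int = 0

    def matches(self, pkt: Packet, ingress: str) -> bool:
        if ingress != self.extintf or pkt.dst_ip != self.extip:
            return False
        return pkt.dst_port == self.extport if self.portforward else True

    def apply(self, pkt: Packet) -> Packet:
        dport = self.mappedport if self.portforward else pkt.dst_port
        return Packet(pkt.src_ip, pkt.src_port, self.mappedip, dport)


@dataclass
class Policy:
    """Subset of 'config firewall policy'; service is treated as ALL (not modelled)."""
    srcintf: str
    dstintf: str
    dstaddr: str                  # "all" or the name of a VIP object
    nat: bool = False             # 'set nat enable'
    ippool: Optional[str] = None  # address taken from an IP pool instead of the egress interface


class FortiGate:
    def __init__(self, interfaces, default_intf, vips, policies):
        self.interfaces = interfaces  # intf -> "ip/prefix"
        self.vips, self.policies = vips, policies
        # connected routes plus one default route; longest prefix wins
        self.routes = [(ip_network(c, strict=False), i) for i, c in interfaces.items()]
        self.routes.append((ip_network("0.0.0.0/0"), default_intf))
        self.sessions = {}  # translated 4-tuple -> original Packet

    def route(self, dst_ip: str) -> str:
        hits = [(n.prefixlen, i) for n, i in self.routes if ip_address(dst_ip) in n]
        return max(hits)[1]

    def forward(self, pkt: Packet, ingress: str) -> Optional[Packet]:
        """Return the packet as it leaves FortiGate, or None if no policy matches (implicit deny)."""
        original = pkt
        vip_hit = next((v for v in self.vips if v.matches(pkt, ingress)), None)
        if vip_hit:                      # 1. DNAT is applied before policy lookup
            pkt = vip_hit.apply(pkt)
        egress = self.route(pkt.dst_ip)  # 2. route lookup on the translated destination
        for pol in self.policies:        # 3. first matching policy wins
            if (pol.srcintf, pol.dstintf) != (ingress, egress):
                continue
            if pol.dstaddr != "all" and (vip_hit is None or vip_hit.name != pol.dstaddr):
                continue
            if pol.nat:                  # 4. SNAT at egress, only if enabled on the policy
                src = pol.ippool or self.interfaces[egress].split("/")[0]
                pkt = Packet(src, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.sessions[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = original
            return pkt
        return None

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Undo both translations for a packet the server sends back on the session."""
        orig = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)


def build(nat: bool, ippool: Optional[str] = None) -> FortiGate:
    """Exhibit B as assumed here: one port-forwarding VIP and one port1->port3 policy."""
    vip = VIP("VIP-WebServer", extintf="port1", extip="10.200.1.10", mappedip="10.0.1.10",
              portforward=True, extport=10443, mappedport=443)
    return FortiGate({"port1": "10.200.1.1/24", "port3": "10.0.1.254/24"}, "port1",
                     [vip], [Policy("port1", "port3", "VIP-WebServer", nat=nat, ippool=ippool)])


SYN = Packet("10.200.3.1", 51000, "10.200.1.10", 10443)  # the question's packet; 51000 is assumed

if __name__ == "__main__":
    fgt = build(nat=True)
    out = fgt.forward(SYN, "port1")
    print("NAT enabled :", out)                                      # 10.0.1.254:51000 -> 10.0.1.10:443
    print("server reply:", fgt.reply(Packet("10.0.1.10", 443, out.src_ip, out.src_port)))
    print("NAT disabled:", build(nat=False).forward(SYN, "port1"))  # source stays 10.200.3.1
    print("IP pool     :", build(nat=True, ippool="10.0.1.200").forward(SYN, "port1"))
```

The NAT-disabled run is the result the option-C comments below describe (destination translated, source untouched); the IP-pool run shows why the NAT column alone does not tell you which source address will be used.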

Discussion
Phil708 (Option: A)

A is correct. NAT on the policy means the source gets translated from 10.200.3.1 to 10.0.1.254. The VIP performs DNAT which changes the destination from 10.200.1.10 to 10.0.1.10. Then port forwarding translates the port from 10443 to 443.

rgeneson (Option: A)

The correct answer is A because this rule is set up with BOTH SNAT and DNAT enabled (which is very uncommon in the real world). The destination is a VIP with port forwarding, which means the FortiGate has to translate the incoming request's destination IP and port to the internal resource's IP and port. Thus destination translation occurs from 10.200.1.1:10443 to 10.0.1.10:443. The firewall rule itself also has NAT set to Enabled. The default setting for this type of source NAT is 'Use Outgoing Interface Address' (in this case port3's IP) and, given the options, this must be set in this case. Thus source translation occurs from 10.200.3.1 to 10.0.1.254. For more information see: https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/

Amrrax

Correct. In the rule NAT is enabled, and this changes the source IP.

erawemk

I think this is not very uncommon; instead it is normal in the real world, and it only works that way if you use a secondary IP or IP pool for NAT.

raydel92

FortiGate Security 7.2 Study Guide (p.130): "Use the following best practices when implementing NAT: - Don’t configure a NAT rule for inbound traffic unless it is required by an application. For example, if there is a matching NAT rule for inbound SMTP traffic, the SMTP server might act as an open relay."

darkdante24

One thing you are wrong about is that this type of setting is very common in the real world, where you have to hide the external IP behind the firewall's internal interface for security reasons.

marwan93 (Option: C)

C is correct. The IP header usually does not change the src-ip and dst-ip address of any packet end-to-end, but since we have NAT it will just translate the dst-ip, so the correct answer should be C.

Samhain666 (Option: C)

C is correct. DNAT takes precedence on the incoming traffic, and no rule is configured to translate incoming traffic to the port3 address.

Vences (Option: C)

Definitely C. DNAT does not change the source IP address, only the destination; tried it several times.

mirosaty

Did you enable NAT, which translates the public IP to a private IP, in this scenario?

imwatever (Option: A)

Lab tested.

ElWenja (Option: A)

A is the correct answer

GarryPaca (Option: A)

A. NAT is enabled.

Mallu_92 (Option: A)

Default NAT is used; it will use the outgoing port IP when the packet exits the firewall.

Mallu_92 (Option: A)

Default NAT is used, so the source will be using the outgoing port IP. A is the correct answer.

raydel92 (Option: A)

A. 10.0.1.254, 10.0.1.10, and 443, respectively. Translations: 10.200.3.1 --> 10.0.1.254 because NAT is enabled in the firewall policy; 10.200.1.10 --> 10.0.1.10 because the VIP is the destination; 10443 --> 443 because port forwarding is enabled on the VIP. Reference and study guide download: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

Vic2911 (Option: A)

A is the right answer. The policy has NAT enabled, so the original IP is NATted using the outgoing interface IP address.

rian00z_ (Option: A)

Correct answer: A

lupnoob (Option: C)

C for sure. If an IP pool is used, the NAT column should show the IP pool name. The NAT column will show enabled even when a VIP is configured as the destination.

Bund (Option: C)

Should be C.

HernandoZ (Option: A)

I agree with Phil708, so A it is