Exam nse7_zta-72
Question 8

Refer to the exhibits.

Which statement is true about the configuration shown in the exhibit?

    Correct Answer: A

    The domain that FortiClient is connecting to should match the domain to which the certificate is issued. This is a standard practice in SSL/TLS connections to ensure the authenticity and integrity of the connection. The FortiClient validates certificates by checking if the Fully Qualified Domain Name (FQDN) or domain matches the domain on the certificate. This helps prevent man-in-the-middle attacks by ensuring that the client is communicating with the intended server.

Discussion
lil_pc1972 Option: A

FortiClient validates certificates using the following industry standards:

• The domain or FQDN that FortiClient is connecting to matches the domain to which the certificate is issued.
• The validation process correctly handles wildcards in the domain name in the certificate.
• The validation process considers both the CN in the subject or the SAN.
• The certificate expiry date is in the future. The certificate has not expired.
• The certificate issuer or the root certificate in the certificate chain is from a publicly trusted CA. Trusted CAs are read from the operating system.
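The checks listed in the comment above, as an added Python example that is not part of the original post and is not FortiClient's code: it applies the name-match, wildcard, CN/SAN and expiry checks to constructed certificates in the dictionary format returned by `ssl.SSLSocket.getpeercert()`. Assumptions: a wildcard covers only the whole leftmost label, the CN is consulted only when no DNS SAN is present, and the function names and sample hostnames are made up for illustration.

```python
import ssl
import time

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # '*.example.com' never spans two labels
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse overly broad '*.com'
    return p == h

def names_in_cert(cert: dict) -> list:
    """DNS SAN entries, or the subject CN when the certificate has no DNS SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def validate(cert: dict, host: str, now: float = None) -> list:
    """Return failure reasons; an empty list means name and expiry checks pass.

    Chain validation against the OS trust store is not repeated here:
    ssl.create_default_context() performs it during the TLS handshake.
    """
    now = time.time() if now is None else now
    problems = []
    if not any(name_matches(n, host) for n in names_in_cert(cert)):
        problems.append("name-mismatch")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("expired")
    return problems

# Constructed sample certificates and reference time (not taken from the page).
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")
WILDCARD = {"subject": ((("commonName", "ems.example.com"),),),
            "subjectAltName": (("DNS", "*.example.com"),),
            "notAfter": "Jan  1 00:00:00 2035 GMT"}
CN_ONLY = {"subject": ((("commonName", "ems.example.com"),),),
           "notAfter": "Jan  1 00:00:00 2020 GMT"}

if __name__ == "__main__":
    for cert, host in [(WILDCARD, "ems.example.com"), (WILDCARD, "a.b.example.com"),
                       (CN_ONLY, "ems.example.com")]:
        print(host, validate(cert, host, NOW) or "ok")
```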

Disposable_Me_2018 Option: D

Zero Trust Access 7.2 Study Guide page 110: "FortiClient EMS has a default_ZTNARootCA certificate generated by default that the ZTNA CA uses to sign CSRs from the FortiClient endpoints." Answer "D"