Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

Examine the exhibit, which contains a virtual IP and firewall policy configuration.



The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
A. 10.200.1.10
B. Any available IP address in the WAN (port1) subnet 10.200.1.0/24
C. 10.200.1.1
D. 10.0.1.254


22 thoughts on “Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?”

  1. The correct answer is C.
    There are two ways to use SNAT:
    1. Outgoing interface IP
    2. IP pool

    A VIP is for DNAT, not for SNAT.

    Besides that, firewall policy ID 2 shows LAN (port1) and WAN (port2), which is the exact opposite of the diagram.

  2. The answer depends on the “port forwarding” configuration:

    if it’s enabled, the correct answer is C (the FortiGate interface)
    if not, the answer is A (the VIP address)

    Something that needs to be considered when there are multiple Public IP addresses on the external interface(s) is that when a Virtual IP address is used without Port Forwarding enabled there is a reciprocal effect as far as traffic flow is concerned. Normally, on a firewall policy where NAT is enabled, for outgoing traffic the internal address is translated to the Public address that is assigned to the FortiGate, but if there is a Virtual IP address with no port forwarding enabled, then the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.

  3. This traffic has nothing to do with the VIP object at all. The traffic is coming from port2, which is the rule without a VIP object.
    The VIP object is used in rule 2, where the source interface is port1. It has nothing to do with the VIP object; therefore the answer must be the IP of the outgoing interface, 10.200.1.1.

    1. Shogun46 is correct. When you disable port forwarding, the NAT IP address will be 10.200.1.10. When port forwarding is enabled, the NAT IP will be the outgoing interface.

    1. Hi,
      besides all of the reasonable ways everyone tried to describe his/her answer: the client where the traffic originates from (10.1.0.10/24) is in the subnet 10.1.0.0/24, which is directly connected to LAN (port2), isn’t it? Therefore the traffic comes from LAN (port2), and only firewall policy ID 1 (Full_Access) would and should trigger, resulting in the application of the WAN (port1) public IP address, which is 10.200.1.1/24, and therefore answer C. Or am I totally wrong?

  4. The correct answer is A.

    The question says it all. The SNAT will then be A.
    Try running a diagnose:

    # diagnose sys session list

    You will see the SNAT (10.200.1.10).
    10.200.1.1 is just the egress IP. 🙂

  5. Since the traffic is going to the Internet and web server, it will be 10.200.1.1, option “C”.

    1. Correction: Since the traffic is going to the Internet and not to the web server, it will be 10.200.1.1, option “C”.

  6. C is the correct answer. It clearly says “Internet traffic”. It did not mention “traffic towards the web server”, so rule 1 will be used.
    As per the SNAT configuration, the IP used will be the FW’s outside interface IP.

  7. I would say that A is correct. From https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtual%20IPs.htm:

    Normally, on a firewall policy where NAT is enabled, for outgoing traffic the internal address is translated to the Public address that is assigned to the FortiGate, but if there is a Virtual IP address with no port forwarding enabled, then the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.

    In our case, the policy where the VIP is present does not have NAT enabled, and the port forward is checked.

  8. The correct answer is A. Reason: the VIP is a static NAT, hence the source will leave the interface with 10.200.1.10 instead of the egress IP address (10.200.1.1).

    1. Sorry, but that is wrong. The correct answer is C.
      The static NAT has nothing to do with the source NATing. It’s there only to confuse you.

      1. Sorry, you were right, since “it’s a one-to-one mapping, which applies for incoming and outgoing connections; that is, an outgoing policy with NAT enabled would use the VIP address instead of the egress interface address.”
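The thread disagrees on one point only: whether a static 1-to-1 VIP changes the source NAT address of outbound traffic from the mapped host. The Python model below is an added example, not Fortinet code and not part of the original page; it encodes the three SNAT rules the thread states (outgoing interface address by default, an IP pool when one is set on the policy, and the reciprocal translation for a VIP without port forwarding quoted from the Fortinet documentation above) plus the inbound DNAT that the VIP performs on policy 2. Because the exhibit is not reproduced here, the VIP mapping 10.200.1.10 → 10.0.1.10 bound to port1, the default route via port1, the policy names, and the policy-matching shortcut that a VIP's external IP is only matched by a policy listing that VIP (FortiOS's default `match-vip disable`) are all assumptions, and 203.0.113.5 / 198.51.100.7 are TEST-NET addresses standing in for "the Internet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Interface:
    name: str
    address: str   # the interface's own IP, used when a policy NATs to the "outgoing interface address"
    network: str   # directly connected subnet


@dataclass
class VIP:
    name: str
    extip: str                 # "set extip": the external (public) address
    mappedip: str              # "set mappedip": the internal host
    extintf: str = "any"       # "set extintf": interface the VIP is bound to
    portforward: bool = False  # "set portforward enable"; False means a static 1-to-1 VIP


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    nat: bool = False                  # "set nat enable"
    ippool: Optional[str] = None       # single-address IP pool; None = use outgoing interface address
    dstaddr_vip: Optional[str] = None  # name of a VIP object used as dstaddr (inbound DNAT policy)


def _interface_for(ip: str, interfaces, default_intf: str) -> Interface:
    """Interface whose connected subnet contains ip, else the (assumed) default-route interface."""
    for intf in interfaces:
        if ip_address(ip) in ip_network(intf.network):
            return intf
    return next(i for i in interfaces if i.name == default_intf)


def translate(src_ip, dst_ip, interfaces, policies, vips, default_intf="port1") -> Optional[Tuple[str, str]]:
    """Return (source after SNAT, destination after DNAT) for the first matching policy,
    or None when no policy accepts the flow."""
    # DNAT is resolved first: the VIP's mapped IP decides where the packet really goes,
    # and therefore which interface is the egress interface for the policy lookup.
    matched_vip = next((v for v in vips if v.extip == dst_ip), None)
    real_dst = matched_vip.mappedip if matched_vip else dst_ip
    ingress = _interface_for(src_ip, interfaces, default_intf)
    egress = _interface_for(real_dst, interfaces, default_intf)
    for pol in policies:  # top-down, first match wins
        if pol.srcintf != ingress.name or pol.dstintf != egress.name:
            continue
        # Assumption (match-vip disable): traffic to a VIP's external IP only matches a policy
        # that lists that VIP as dstaddr, and a VIP dstaddr never matches other destinations.
        if pol.dstaddr_vip != (matched_vip.name if matched_vip else None):
            continue
        break
    else:
        return None
    if not pol.nat:
        return src_ip, real_dst
    if pol.ippool:  # an explicit IP pool on the policy takes precedence
        return pol.ippool, real_dst
    # Static 1-to-1 VIP (no port forwarding) whose mapped IP is this source: the reciprocal
    # translation described in the Fortinet documentation quoted in the thread applies.
    for v in vips:
        if not v.portforward and v.mappedip == src_ip and v.extintf in ("any", egress.name):
            return v.extip, real_dst
    return egress.address, real_dst  # default: outgoing interface address


# Interface addresses come from the question; the VIP mapping and policy layout are assumed
# because the exhibit is not reproduced on this page.
INTERFACES = [
    Interface("port1", "10.200.1.1", "10.200.1.0/24"),  # WAN
    Interface("port2", "10.0.1.254", "10.0.1.0/24"),    # LAN
]
WEB_VIP = VIP("VIP-WebServer", extip="10.200.1.10", mappedip="10.0.1.10", extintf="port1")
POLICIES = [
    Policy(1, "port2", "port1", nat=True),                     # Full_Access: LAN -> WAN, NAT enabled
    Policy(2, "port1", "port2", dstaddr_vip="VIP-WebServer"),  # WAN -> LAN, dstaddr is the VIP, NAT off
]


def snat_for_internet(src_ip="10.0.1.10", portforward=False, ippool=None) -> Optional[str]:
    """SNAT address for src_ip going to the Internet, parameterised by the VIP's port-forwarding
    flag and by an optional IP pool on the outbound policy."""
    vip = VIP(WEB_VIP.name, WEB_VIP.extip, WEB_VIP.mappedip, WEB_VIP.extintf, portforward)
    policies = [Policy(1, "port2", "port1", nat=True, ippool=ippool), POLICIES[1]]
    result = translate(src_ip, "203.0.113.5", INTERFACES, policies, [vip])
    return result[0] if result else None


if __name__ == "__main__":
    print("static VIP, no port forwarding:", snat_for_internet())                   # 10.200.1.10
    print("VIP with port forwarding:      ", snat_for_internet(portforward=True))   # 10.200.1.1
    print("another LAN host (10.0.1.20):  ", snat_for_internet("10.0.1.20"))        # 10.200.1.1
    print("IP pool on policy 1:           ", snat_for_internet(ippool="10.200.1.50"))  # 10.200.1.50
    print("inbound to the VIP:            ", translate("198.51.100.7", "10.200.1.10", INTERFACES, POLICIES, [WEB_VIP]))
```

The model is only as good as its assumptions about the missing exhibit; on a real unit the authoritative check is the one a commenter above suggests, `diagnose sys session list`, whose `hook=post dir=org act=snat` line shows the address actually chosen for the session.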
