Which of the following will be highlighted based on the input criteria?

View the following exhibit, which shows the firewall policies and the objects used in the firewall policies.


The administrator is using the Policy Lookup feature and has entered the search criteria shown in the following exhibit.

Which of the following will be highlighted based on the input criteria?
A. Policy with ID 1.
B. Policies with ID 2 and 3.
C. Policy with ID 5.
D. Policy with ID 4.


32 thoughts on “Which of the following will be highlighted based on the input criteria?”

  1. C
    ISDB includes port, service and address, so whenever it is used the service field is gone (no longer required).
    At policy lookup:
    facebook.com is an FQDN, hence it will be resolved to an IP address.
    Since Pol. ID 5 is located before ID 1, it will be preferred first by the FW.

  2. Guys, you all forgot one thing. WHERE in the exam/picture is the proof that the ISDB object called “facebook web” contains facebook.com? NOWHERE! So this is only your “GUESS” that the ISDB object facebook-web “SHOULD” contain facebook.com.
    Therefore policy 1 hits this lookup always, 100%,
    and policy 5 hits this lookup only if the ISDB object facebook-web contains facebook.com. There is a pretty good chance that it will contain this host, but you can't be sure, and at least you can't find it in this exhibit. => PURE CISCO tricky question

    Therefore I think that policy 1 is the correct answer: A

    1. For those who missed it, Policy ID 1 has service set to All_UDP and therefore it won't match the search criteria (which is set to TCP).
      There are only two other policies for source port3, which are Policy ID 5 and Policy ID 1.
      Unless something really bad is going on with the DNS server and/or with FortiGuard, then we know that facebook.com will be resolved to an IP address that is contained on the ISDB object Facebook Web (ISDB ID: 131073).
      The same applies for the port 443 that we know is included on the same ISDB object (diagnose internet-service id 131073).

      Therefore the correct answer is: C. Policy with ID 5

    1. Policy ID 5 is wrong, the search criteria explicitly looks for facebook.com, ID 5 explicitly states destination of facebook.web
      Therefore A is correct.

  3. It should be A. I have checked and created appropriate rules. When you point to an ISDB object it includes the service, but after creating, under the service section there appears “Internet service”, not Blank.

  4. C would be the correct answer if it weren't for an error in its configuration: it must specify the services. I don't know whether FG allows the creation of policies without specifying the service type. By elimination, only A remains, which is also correct.

    1. A isn't correct as policy ID 1 has Service: ALL_UDP and wouldn't work with facebook.com, right?

  5. The answer is C – Policy ID 5. I just tested it on my Fortigate.

    The Facebook.web ISDB object catches facebook.com traffic to port 443

    B is out because it matches for UDP (not TCP)
    D is out because its source port is port4 (not port3 in the lookup example)
    A would match too, but C is above it in the policy tree, so the answer is C

    Note that there are no services for policy 5 because the ISDB object defines these explicitly (when you select this ISDB object the services field disappears).

  6. The correct answer is C. We just tested the scenario in our FortiGate 1500D and the policy lookup matches the policy with the Internet Service Database applied.

  7. Did anyone take the exam recently? Are the questions valid for NSE4-6.2 exam? I will take my exam this month

  8. FortiOS 6.0.8 – matches this line (neapoli yellow – I have asked) with facebook web service. Whatever anybody thinks about it. Both while facebook.com is not resolved and after resolving.

    a -> facebook web
    a-> facebook.com 443
    a-> all all

    So this lookup is a clever piece of code …

  9. Ans is A. Policy with ID1

    facebook.com is a FQDN object defined, not ISDB object.
    facebook.com is not equal to Facebook.Web

    Policy ID 2 and 3 are out.
    Policy ID 4 source interface does not match.
    Policy ID 5 destination is Facebook.Web, not facebook.com.
    Policy ID 1 best match!

    1. Exactly, if you go to Policy & Objects > Internet Service Database and search for facebook.web you'll find IP addresses, TCP Ports and Protocols; ISDB doesn't match FQDN.

    2. I agree the answer is A. Also what gives it away is the Protocol is TCP. In C there is no service or protocol assigned, it is blank. Good catch

  10. The correct answer is policy ID 1. It could be policy ID 5, but based on the output we don't know if the IP address for facebook.com is part of the Internet Service Object, so therefore we're not sure if it will match that policy. We know that it will match policy ID 1 for sure.

    1. Just checked the notes again. You guys are right, it's C because the ISDB objects contain all the IP addresses, ports and protocols used by that service (you cannot specify a service). I just wish I could delete the confusing comment :).

  11. Correct answer should be C because
    “When FortiGate is performing policy lookup, it performs a series of checks on ingress, stateful inspection, and egress, for the matching firewall policy, from top to bottom, before providing results for the match policy.” Since policy 5 is above 1, 5 should be the matching policy in the lookup, making C correct in my opinion.

  12. Policy with ID 5 will be the first one that matches this traffic.
    TCP 443 and facebook.com is defined in the ISDB which is used as a destination object.

    Correct answer: C

    1. Answer is A, it matches all lookup criteria.
      – port 3 (from, port3)
      – 10.0.1.10 (source IP, all)
      – facebook.com (destination, all)
      – TCP/443 (service, all)

  13. C.
    The traffic can also pass through policy 1, but the policy lookup marks the first matching policy and it should be policy 5.
    ISDB includes TCP port 443 and the Facebook site.
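The thread disagrees on the answer, but it agrees on the mechanism: the lookup walks the policy table top to bottom and reports the first match, and an ISDB-style destination carries its own address ranges, protocol and ports (so the policy has no separate service field), while a plain FQDN object carries addresses only. The toy model below is an added example, not FortiGate code or the exhibit's data; every policy, object, address and DNS answer in it is constructed, and the function and object names are hypothetical. It shows the UDP-only policy being skipped for a TCP flow, the ISDB policy winning when its ranges and ports cover the flow, and the fall-through to the FQDN policy when the ISDB object does not contain the resolved address or port, which is the caveat comment 2 raises.

```python
"""Toy top-down, first-match firewall policy lookup with ISDB-style objects.

Added example: models the behaviour discussed in the comments above, not the
real FortiGate implementation. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Service:
    """Service object: protocol plus optional port set (None = any port)."""
    name: str
    protocol: str                       # "tcp", "udp" or "any"
    ports: Optional[frozenset] = None

    def matches(self, proto: str, port: int) -> bool:
        proto_ok = self.protocol in ("any", proto)
        return proto_ok and (self.ports is None or port in self.ports)


@dataclass(frozen=True)
class AddressObject:
    """Plain address/FQDN object: networks only, no service information."""
    name: str
    networks: tuple

    def contains(self, ip: IPv4Address) -> bool:
        return any(ip in net for net in self.networks)


@dataclass(frozen=True)
class ISDBObject:
    """ISDB-style object: address ranges AND protocol/ports in one object."""
    name: str
    networks: tuple
    protocol: str
    ports: frozenset

    def contains(self, ip: IPv4Address) -> bool:
        return any(ip in net for net in self.networks)

    def matches_service(self, proto: str, port: int) -> bool:
        return proto == self.protocol and port in self.ports


@dataclass(frozen=True)
class Policy:
    id: int
    src_intf: str
    src: AddressObject
    dst: object                         # AddressObject or ISDBObject
    service: Optional[Service]          # None when dst is an ISDB object

    def matches(self, src_intf, src_ip, dst_ip, proto, port) -> bool:
        if src_intf != self.src_intf or not self.src.contains(src_ip):
            return False
        if not self.dst.contains(dst_ip):
            return False
        if isinstance(self.dst, ISDBObject):
            # The ISDB object supplies the protocol/port match itself.
            return self.dst.matches_service(proto, port)
        return self.service is not None and self.service.matches(proto, port)


def policy_lookup(policies, src_intf, src_ip, dst_ip, proto, port):
    """Top-down, first-match lookup; returns the matching policy ID or None."""
    for pol in policies:
        if pol.matches(src_intf, src_ip, dst_ip, proto, port):
            return pol.id
    return None


# ---- constructed sample data (hypothetical names, documentation IP ranges) ----
ALL_ADDR = AddressObject("all", (ip_network("0.0.0.0/0"),))
ALL = Service("ALL", "any")
ALL_UDP = Service("ALL_UDP", "udp")
RESOLVER = {"www.example.com": ip_address("203.0.113.10")}   # constructed DNS answer


def fqdn_object(name: str) -> AddressObject:
    """FQDN object resolved to a /32, the way a lookup resolves a hostname."""
    return AddressObject(name, (ip_network(f"{RESOLVER[name]}/32"),))


# ISDB object whose ranges DO cover the resolved address, and one that does not.
EXAMPLE_WEB = ISDBObject("Example-Web", (ip_network("203.0.113.0/24"),),
                         "tcp", frozenset({80, 443}))
OTHER_WEB = ISDBObject("Other-Web", (ip_network("198.51.100.0/24"),),
                       "tcp", frozenset({80, 443}))


def build_policies(isdb: ISDBObject):
    """Policy table: UDP-only FQDN policy, ISDB policy, catch-all FQDN policy."""
    return [
        Policy(1, "port3", ALL_ADDR, fqdn_object("www.example.com"), ALL_UDP),
        Policy(2, "port3", ALL_ADDR, isdb, None),
        Policy(3, "port3", ALL_ADDR, fqdn_object("www.example.com"), ALL),
        Policy(4, "port4", ALL_ADDR, ALL_ADDR, ALL),
    ]


def lookup_by_name(isdb, src_intf, src_ip, dst_fqdn, proto, port):
    """Run the lookup with a hostname, resolving it first like the GUI does."""
    return policy_lookup(build_policies(isdb), src_intf, ip_address(src_ip),
                         RESOLVER[dst_fqdn], proto, port)


if __name__ == "__main__":
    print(lookup_by_name(EXAMPLE_WEB, "port3", "10.0.1.10", "www.example.com", "tcp", 443))
    print(lookup_by_name(OTHER_WEB, "port3", "10.0.1.10", "www.example.com", "tcp", 443))
```

With `EXAMPLE_WEB` the TCP/443 flow skips policy 1 (UDP only) and lands on the ISDB policy 2; with `OTHER_WEB`, whose ranges do not contain the resolved address, the same flow falls through to policy 3. A UDP flow to the same host matches policy 1, and a TCP port outside the ISDB's port set (22) also falls through to policy 3, which is the point of checking the ISDB object's actual contents before trusting the lookup result.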
