An admin needs to configure a FortiGate to allow multiple internal servers to be accessible from the internet using the same public IP but different ports. For example, internal server A (192.168.1.10:80) should be reachable via 203.0.113.10:8080, and internal server B (192.168.1.20:443) via 203.0.113.10:8443. Which TWO configuration steps are required?
VIP groups allow combining multiple VIPs under one destination object.
Why this answer
Option A is correct because each internal server requires a unique Virtual IP (VIP) to map a specific external port to a specific internal IP and port. Adding these VIPs to a VIP group allows a single firewall policy to reference all of them, enabling the FortiGate to differentiate traffic based on the destination port and forward it to the correct internal server.
Exam trap
The trap here is that candidates often think a single VIP with multiple port mappings can handle different internal servers, but FortiGate VIPs are one-to-one mappings; a VIP group is required to aggregate multiple VIPs under one policy.