CCNA Firewall Policies and NAT Questions

12 of 237 questions · Page 4/4 · Firewall Policies and NAT · Answers revealed

226
MCQ · medium

A network administrator creates a firewall policy allowing HTTP traffic from the internal network to a web server in the DMZ. Users report that they cannot access the web server. The administrator runs 'diagnose firewall iprope list' and sees the policy is present. What is the MOST likely cause of the issue?

A. A deny policy with a lower policy ID is matching the traffic before the allow policy
B. The firewall policy has an incorrect source interface
C. The policy is disabled
D. The web server is not responding to HTTP requests
Answer: A

FortiGate evaluates policies sequentially from top to bottom. If a deny policy appears earlier in the list, it will match and block the traffic before reaching the allow policy.

Why this answer

The 'diagnose firewall iprope list' output shows the allow policy compiled into the kernel policy list, so the policy exists and is enabled. What it does not show is whether that policy is ever reached. FortiGate evaluates the policy table from top to bottom and stops at the first policy whose interfaces, addresses, service and schedule all match the session. Ordering is the position in the table, which the administrator can change; policy IDs are assigned at creation and are not the sort key, so a deny policy with a lower ID (typically one created earlier and left above newer policies) blocks internal-to-DMZ HTTP before the allow policy is consulted. To confirm, filter 'diagnose debug flow' on the client and server addresses and start a trace: the trace names the policy ID that accepted or denied the session, which identifies the policy actually matched.

Exam trap

The trap here is that candidates assume 'policy is present' means it is working. First match wins, and match order is the position in the policy table, not the policy ID; a deny policy sitting above the allow policy overrides it whenever both match the same traffic, whatever their IDs.

How to eliminate wrong answers

Option B is wrong because the policy is described as covering internal to DMZ, so the interface pair is as intended; a wrong source interface would show in the interface fields of the iprope entry and in 'diagnose debug flow' as no policy matching at all, not as a correct policy being bypassed. Option C is wrong because a disabled policy is not pushed into the kernel policy list, so it would not appear in the 'diagnose firewall iprope list' output, yet the administrator sees it. Option D is wrong because a web server that is not responding would still leave the policy matching and the session logged as accepted; the symptom would be a timeout or reset beyond the firewall, and checking the kernel policy list is not the troubleshooting step for a server-side fault.

227
MCQ · medium

An admin wants to block traffic from a specific geographic region (e.g., North Korea) from reaching the FortiGate's external interface. Which address object type should be used in the firewall policy?

A. Subnet address object
B. Geography address object
C. FQDN address object
D. Wildcard FQDN address object
Answer: B

Geography address objects match IP addresses by country, using FortiGuard's IP geolocation database.

Why this answer

FortiGate supports geography-based address objects that use the FortiGuard IP geolocation database to match traffic by country; the database is kept current through FortiGuard updates. Geolocation is coarse: addresses are mapped to countries from registry data, and traffic arriving through VPNs, proxies or cloud providers can appear to come from elsewhere, so a geography block is a filter rather than a guarantee. A subnet object (Option A) would mean maintaining thousands of prefixes by hand, and the FQDN objects (C, D) resolve host names, not countries.

228
MCQ · medium

An administrator wants to log all traffic that is denied by the implicit deny rule. How can this be achieved?

A. Configure a firewall policy with action ACCEPT and enable logging
B. Enable logging on the implicit deny rule
C. Create a firewall policy with action DENY and enable logging, placed above the implicit deny
D. Use the 'diagnose debug flow' command to capture all traffic
Answer: C

Why this answer

The answer key treats the implicit deny (policy ID 0) as non-configurable and therefore expects an explicit catch-all policy: source and destination 'all', service ALL, action DENY, logging enabled, placed as the last policy in the table so that it only matches what no earlier policy accepted. That is the portable approach and the one to know for the exam; it also gives the denied traffic a visible policy ID in the logs and in 'diagnose debug flow'. Be aware, though, that FortiOS does let you log the implicit deny itself: in the GUI, edit the Implicit Deny row and enable 'Log Violation Traffic', or in the CLI set 'fwpolicy-implicit-log enable' under 'config log setting' ('fwpolicy6-implicit-log' for IPv6). On a real unit Option B therefore works as well; the question's intended answer is C.

Exam trap

The trap here is assuming the denied traffic is already being logged. By default the implicit deny does not log, so whatever it drops disappears silently until logging is turned on for it, either through an explicit logged deny policy at the bottom of the table or through the implicit deny's own logging option.

How to eliminate wrong answers

Option A is wrong because ACCEPT would allow the traffic you want denied, and its log would record accepted sessions rather than denials. Option B is the answer key's distractor on the grounds that the implicit deny is built in; on current FortiOS it can in fact log via 'Log Violation Traffic', so treat this question as testing the explicit catch-all pattern rather than a hard limitation. Option D is wrong because 'diagnose debug flow' is an interactive trace of a filtered set of sessions that runs until you stop it, not persistent logging of all denied traffic.
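Questions 226 and 228 both come down to first-match evaluation in table order. The following Python model is an added example, not code from the quiz or from Fortinet; the policies, addresses and packets in it are constructed sample data. It reproduces the ordering rule (position decides, not policy ID), skips disabled policies the way the kernel list does, and shows what a logged catch-all deny records that the implicit deny does not.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """One row of the policy table. The table is evaluated in list order;
    the id is an identifier only, like a FortiGate policy ID."""
    id: int
    srcintf: str        # interface name or "any"
    dstintf: str
    srcaddr: str        # CIDR or "all"
    dstaddr: str
    service: frozenset  # {(proto, port)}; ANY means every service
    action: str         # "accept" or "deny"
    log: bool = False
    enabled: bool = True


ANY = frozenset({("any", 0)})
IMPLICIT_DENY = Policy(0, "any", "any", "all", "all", ANY, "deny")


def _addr_ok(rule, ip):
    return rule == "all" or ip_address(ip) in ip_network(rule)


def _intf_ok(rule, intf):
    return rule == "any" or rule == intf


def evaluate(table, pkt):
    """Return (policy_id, action, logged) for the first policy that matches.
    Disabled policies are skipped, as they are not installed in the kernel."""
    for pol in [*table, IMPLICIT_DENY]:
        if not pol.enabled:
            continue
        if not (_intf_ok(pol.srcintf, pkt["srcintf"]) and _intf_ok(pol.dstintf, pkt["dstintf"])):
            continue
        if not (_addr_ok(pol.srcaddr, pkt["src"]) and _addr_ok(pol.dstaddr, pkt["dst"])):
            continue
        if pol.service != ANY and (pkt["proto"], pkt["dport"]) not in pol.service:
            continue
        return pol.id, pol.action, pol.log
    raise RuntimeError("unreachable: the implicit deny matches everything")


# Constructed sample policies. Note that the deny has the *higher* ID.
HTTP = frozenset({("tcp", 80)})
ALLOW_WEB = Policy(7, "internal", "dmz", "10.0.0.0/8", "172.16.0.10/32", HTTP, "accept", log=True)
DENY_INT_DMZ = Policy(12, "internal", "dmz", "10.0.0.0/8", "172.16.0.0/24", HTTP, "deny")
LOG_ALL_DENY = Policy(99, "any", "any", "all", "all", ANY, "deny", log=True)

PKT_WEB = {"srcintf": "internal", "dstintf": "dmz", "src": "10.1.1.5",
           "dst": "172.16.0.10", "proto": "tcp", "dport": 80}
PKT_SSH = {**PKT_WEB, "dport": 22}


def q226_deny_above_allow():
    # The deny is listed first, so it wins although its ID is higher.
    return evaluate([DENY_INT_DMZ, ALLOW_WEB], PKT_WEB)


def q226_allow_moved_up():
    # Same two policies, allow moved above the deny: HTTP now passes.
    return evaluate([ALLOW_WEB, DENY_INT_DMZ], PKT_WEB)


def q226_allow_disabled():
    # A disabled allow is skipped and the traffic falls to the implicit deny.
    return evaluate([replace(ALLOW_WEB, enabled=False)], PKT_WEB)


def q228_implicit_deny_only():
    # SSH matches nothing explicit: dropped by policy 0 with no log record.
    return evaluate([ALLOW_WEB], PKT_SSH)


def q228_logged_catch_all():
    # A last-position DENY with logging captures the same traffic with a record.
    return evaluate([ALLOW_WEB, LOG_ALL_DENY], PKT_SSH)


if __name__ == "__main__":
    for fn in (q226_deny_above_allow, q226_allow_moved_up, q226_allow_disabled,
               q228_implicit_deny_only, q228_logged_catch_all):
        print(f"{fn.__name__:28} -> {fn()}")
```

Each function returns the (policy ID, action, logged) triple the first match produced; the two q226 calls use the identical policies and differ only in list order, which is the whole point of the question.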

229
MCQ · hard

A FortiGate administrator configures a policy-based NAT using an IP pool with type 'Fixed Port Range' for internal users accessing a specific external server. Users report that after some time, they cannot establish new connections to the server. 'diagnose ip pool list' shows many entries with 'used_port=65535'. What is the MOST likely cause?

A. The external server is rate-limiting connections
B. The firewall policy has a timeout setting that is too low
C. The IP pool has run out of IP addresses
D. The fixed port range is too small, causing port exhaustion
Answer: D

A fixed port range IP pool gives each internal address its own fixed block of ports on an external address. New sessions from that host must take a port from that block, so a small block fills quickly and further sessions fail even though the pool as a whole has ports to spare. The quiz reads 'used_port=65535' as the port counter at its maximum, i.e. every port in the block consumed.

Why this answer

The 'Fixed Port Range' IP pool type maps the internal range onto the external range and gives every internal address a fixed slice of ports on one external address. A session needs a free port in its own host's block; once that block is used up (the quiz signals this with 'used_port=65535'), the host cannot open new connections even though other hosts and other external addresses may have ports free. This is port exhaustion, so D is correct. The remedy is to increase the ports per host: add external addresses to the pool, narrow the internal range the pool covers, or switch to an overload (PAT) pool if per-host fixed blocks are not actually required.

Exam trap

The trap here is confusing IP address exhaustion (Option C) with port exhaustion. A fixed port range pool does not hand out external addresses per session; it is the per-host port block that runs out. The pool still has its addresses, and even free ports in other hosts' blocks, but the affected host cannot use them.

How to eliminate wrong answers

Option A is wrong because rate limiting by the external server would show as refused or slow connections that the firewall still translates; it would not drive the pool's per-host port counters to their maximum. Option B is wrong because a short session TTL tears down idle sessions early, which frees ports sooner; it does not stop new sessions from being created. Option C is wrong because the symptom is the per-host used_port counter at its maximum, meaning the ports inside the fixed block are exhausted while the pool's addresses are still allocated; running out of addresses is a failure mode of one-to-one pools, not of fixed port range.
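To make the per-host block behaviour concrete, here is an added Python model of a fixed port range pool; it is not the quiz's code nor the FortiOS algorithm. The way it divides the port range into equal blocks and the rule that every concurrent session consumes one port of the host's block are modelling assumptions, and the internal and external addresses are constructed. It shows a single busy host hitting exhaustion while the rest of the pool is idle, and how adding a second external address doubles the block.

```python
from ipaddress import ip_address
from math import ceil


class PortBlockExhausted(Exception):
    pass


class FixedPortRangePool:
    """Simplified model of a 'fixed port range' IP pool (assumption, not the
    FortiOS algorithm): the internal range is spread evenly over the external
    addresses and the usable port range of each external address is cut into
    equal blocks, one per internal host. Every concurrent session from a host
    consumes one port from that host's block."""

    def __init__(self, internal, external, port_range=(1024, 65535)):
        self.internal = [str(ip_address(a)) for a in internal]
        self.external = [str(ip_address(a)) for a in external]
        first, last = port_range
        self.hosts_per_ext = ceil(len(self.internal) / len(self.external))
        self.block_size = (last - first + 1) // self.hosts_per_ext
        self.block = {}   # host -> (external ip, first port, last port)
        self.used = {}    # host -> set of ports currently in use
        for i, host in enumerate(self.internal):
            ext = self.external[i // self.hosts_per_ext]
            start = first + (i % self.hosts_per_ext) * self.block_size
            self.block[host] = (ext, start, start + self.block_size - 1)
            self.used[host] = set()

    def allocate(self, host):
        """Return (external ip, port) for a new session, or raise when the
        host's own block is full; free ports in other blocks are never used."""
        ext, start, end = self.block[host]
        for port in range(start, end + 1):
            if port not in self.used[host]:
                self.used[host].add(port)
                return ext, port
        raise PortBlockExhausted(
            f"{host}: all {self.block_size} ports {start}-{end} on {ext} in use")

    def release(self, host, port):
        self.used[host].discard(port)

    def used_ports(self, host):
        return len(self.used[host])


def open_sessions(pool, host, wanted):
    """Try to open `wanted` concurrent sessions from one host; return how many
    succeeded before the host's block ran out."""
    opened = 0
    for _ in range(wanted):
        try:
            pool.allocate(host)
            opened += 1
        except PortBlockExhausted:
            break
    return opened


# Constructed sample: 250 internal hosts behind one or two public addresses.
INTERNAL = [f"10.0.0.{n}" for n in range(1, 251)]

if __name__ == "__main__":
    for label, externals in (("one public IP", ["203.0.113.10"]),
                             ("two public IPs", ["203.0.113.10", "203.0.113.11"])):
        pool = FixedPortRangePool(INTERNAL, externals)
        got = open_sessions(pool, "10.0.0.7", 600)
        print(f"{label}: block size {pool.block_size}, host 10.0.0.7 opened "
              f"{got} of 600 sessions; host 10.0.0.8 uses {pool.used_ports('10.0.0.8')}")
```

With 64512 usable ports and 250 hosts, one public address gives each host a block of 258 ports, so the 259th concurrent session from 10.0.0.7 fails while 10.0.0.8 has used nothing; a second public address raises the block to 516. Releasing a port (session timeout) makes it reusable, which is why a shorter session TTL eases rather than causes the symptom.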

230
MCQ · easy

A FortiGate administrator needs to block all traffic from a specific geographic region (country) from accessing the internal network. Which type of address object should be used in the firewall policy?

A. Geography object
B. FQDN object
C. Wildcard FQDN object
D. Subnet object
Answer: A

Geography objects use the FortiGuard GeoIP database to match IP addresses to countries.

Why this answer

Geography-based address objects match traffic by the country the source IP address is registered to, which is exactly the control asked for. Option A is correct. The FQDN and wildcard FQDN objects (B, C) resolve host names rather than countries, and a subnet object (D) would need the country's entire address space maintained by hand.

231
MCQ · medium

When creating a firewall policy, an admin wants to ensure that traffic from a specific user group is allowed only during business hours (Monday to Friday, 09:00-18:00). Which object type must be configured and applied to the policy?

A. A security profile with time-based filtering
B. A schedule object with a recurring schedule
C. A user group object with time restrictions
D. A traffic shaping policy with a time-based rule
Answer: B

Recurring schedules set the days of the week and a daily start and stop time, which matches the requirement.

Why this answer

Schedule objects (Policy & Objects > Schedules) define when a policy is active. A recurring schedule takes a set of days and a start and stop time of day; a one-time schedule covers a single date range. The object is selected in the policy's Schedule field, alongside the user group in the policy's source. Note that when the schedule ends, sessions that are already open are not torn down unless 'schedule-timeout' is enabled on the policy (CLI: 'set schedule-timeout enable' under 'config firewall policy').

232
MCQ · hard

An administrator is configuring a VIP to map a public IP to an internal server. The server hosts both HTTP and HTTPS services. The admin creates a VIP with port forwarding for port 80 to internal port 80, and another VIP for port 443 to internal port 443. Both VIPs use the same public IP. Users can access HTTP but not HTTPS. What is the most likely issue?

A. The firewall policy for HTTPS traffic is missing or has incorrect destination
B. The server's HTTPS service is not running
C. VIPs cannot share the same public IP address
D. The HTTPS VIP is configured with the wrong internal port
Answer: A

A firewall policy must reference the VIP as its destination and allow the service. If the only policy references the port-80 VIP, HTTPS to the same public IP has no policy and hits the implicit deny.

Why this answer

Two port-forwarding VIPs can share an external IP as long as their external ports differ, so the VIP pair itself is fine and Option C is a distractor. What each VIP still needs is a firewall policy from the WAN interface whose destination includes that VIP (or a VIP group containing both) and whose service covers the external port. A policy whose destination is only the port-80 VIP never matches traffic to port 443, so HTTPS falls through to the implicit deny while HTTP works. Check the forward traffic log or 'diagnose debug flow' for port 443: a drop attributed to policy 0 confirms the missing policy, whereas a wrong internal port (Option D) or a stopped service (Option B) would show the session accepted by the policy and then failing on the server side.

233
Multi-Select · hard

Which THREE conditions must be met for a firewall policy with FSSO authentication to work correctly?

Select 3 answers
A. The FortiGate must be able to communicate with the domain controller
B. The user's IP address must be in the destination address range of the policy
C. The user must be a member of a group that is referenced in the firewall policy
D. The FSSO collector agent must be running and properly configured
E. The user must be authenticated to the FortiGate locally
Answers: A, C, D

FSSO needs a feed of domain logon events and a group membership that the policy references.

Why this answer

Option A is correct because FSSO (Fortinet Single Sign-On) depends on logon events from the domain: in polling (agentless) mode the FortiGate reads the domain controllers' security event logs itself, and in collector agent mode the collector gathers logons (through DC agents, or by polling via WinSecLog, NetAPI or WMI) and the FortiGate connects to the collector on TCP 8000. Without that path no user-to-IP mapping exists. Option D is correct because in the usual collector agent deployment the collector is what maintains the logon table and serves it to the FortiGate. Option C is correct because FSSO only grants access when the logged-on user belongs to a group that the policy's source user field references through an FSSO user group. Option B is wrong because the user's IP is matched against the policy's source address, not its destination, and Option E is wrong because FSSO is transparent: the user authenticates to the domain, not to the FortiGate.

Exam trap

The trap here is mixing up source and destination: the FSSO user's IP is a source address. The other distractor is Option E; FSSO exists precisely so that domain users are identified without a separate FortiGate logon.

234
MCQ · easy

A FortiGate administrator needs to allow SMTP traffic from the internal network to an external mail server. The internal network uses source NAT to the external interface IP. Which firewall policy configuration is correct?

A. Policy: source internal, destination external, service SMTP, enable NAT
B. Policy: source internal, destination external, service SMTP, disable NAT
C. Policy: source internal, destination external, service SMTP (port 587), enable NAT
D. Policy: source internal, destination external, service SMTP (UDP), enable NAT
Answer: A

SMTP uses TCP port 25 and NAT is needed for outbound traffic.

Why this answer

Option A is correct because SMTP traffic from the internal network to an external mail server requires source NAT (masquerading) to translate private source IPs to the FortiGate's external interface IP. This ensures return traffic is routed back correctly. The default SMTP service uses TCP port 25, and enabling NAT on the policy is the standard configuration for outbound traffic to the internet.

Exam trap

The trap here is that candidates may confuse SMTP ports (25 vs 587) or assume SMTP can use UDP, but the exam tests the fundamental requirement that outbound internet traffic must have NAT enabled and that SMTP is TCP-based.

How to eliminate wrong answers

Option B is wrong because disabling NAT would send packets with private source IPs, which are not routable on the internet, causing the external mail server to drop replies or the packets to be discarded by intermediate routers. Option C is wrong because SMTP typically uses TCP port 25, not port 587 (which is SMTP submission, often used for authenticated client-to-server submission); the question specifies SMTP traffic, not SMTP submission, and the service should match the standard SMTP port. Option D is wrong because SMTP uses TCP, not UDP; SMTP relies on reliable, connection-oriented transport, and UDP would break the protocol's delivery guarantees.

235
MCQ · hard

An admin configures a VIP to map a public IP to an internal server. The firewall policy uses the VIP as the destination. External users can access the server, but the server's logs show the source IP as the FortiGate's internal interface IP instead of the original client IP. Why is this happening?

A. The VIP is configured with port forwarding and the server is expecting a different port
B. The VIP is using a different public IP than expected
C. The firewall policy has NAT enabled, which changes the source IP to the FortiGate's egress interface IP
D. The server's routing is misconfigured and traffic is returning via a different path
Answer: C

If NAT is enabled on the inbound policy, FortiGate performs source NAT in addition to the VIP's destination NAT, hiding the original client address from the server.

Why this answer

A VIP on its own performs only destination NAT: the public address and port are rewritten to the server's, and the client's source address is left intact. Source NAT is added only when the firewall policy that allows the inbound traffic has NAT enabled; the FortiGate then rewrites the source to the address of the interface through which the packet leaves towards the server, which is exactly what the server's logs show. The fix is to disable NAT on that WAN-to-server policy. After that, the server replies directly to the client's public IP, so the server's default gateway must point back through the FortiGate (or an equivalent return route must exist) for the reply to be translated on the way out. Enabling NAT on an inbound VIP policy is sometimes done deliberately for that reason, when the server cannot route back via the FortiGate, at the cost of losing the client IP.
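Questions 232 and 235 both hinge on the sequence VIP lookup, then policy match, then the policy's NAT flag. The Python below is an added example, not code from the quiz or from Fortinet; the VIPs, policies, addresses and the FortiGate's assumed DMZ interface address are constructed, and matching the policy's service on the pre-NAT external port is how this model works. It shows HTTPS dropping when only the port-80 VIP has a policy, and the server-visible source changing when NAT is switched on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VIP:
    """Destination NAT entry: (external ip, proto, external port) -> server."""
    name: str
    ext_ip: str
    ext_port: int
    mapped_ip: str
    mapped_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class InboundPolicy:
    srcintf: str
    dstintf: str
    dst_vips: frozenset   # names of the VIPs this policy allows traffic to
    services: frozenset   # (proto, external port) pairs; empty = ALL
    nat: bool = False     # the policy's NAT toggle


# Assumed FortiGate address on each server-facing interface (constructed).
EGRESS_IP = {"dmz": "172.16.0.1"}


def handle_inbound(vips, policies, pkt):
    """Return ("accept", packet as the server sees it) or ("drop", reason).
    The VIP is resolved first (DNAT), then the first matching policy decides;
    source NAT to the egress interface happens only when that policy has NAT on."""
    vip = next((v for v in vips
                if (v.ext_ip, v.proto, v.ext_port) == (pkt["dst"], pkt["proto"], pkt["dport"])),
               None)
    if vip is None:
        return "drop", "no VIP matches the destination address/port"
    for pol in policies:
        if pol.srcintf != pkt["srcintf"] or vip.name not in pol.dst_vips:
            continue
        # Service is matched on the pre-NAT (external) port in this model.
        if pol.services and (pkt["proto"], pkt["dport"]) not in pol.services:
            continue
        src = EGRESS_IP[pol.dstintf] if pol.nat else pkt["src"]
        return "accept", {"src": src, "dst": vip.mapped_ip, "dport": vip.mapped_port}
    return "drop", "implicit deny: no policy references this VIP"


# Constructed sample: two port-forwarding VIPs sharing one public address.
VIP_HTTP = VIP("web-80", "203.0.113.5", 80, "172.16.0.10", 80)
VIP_HTTPS = VIP("web-443", "203.0.113.5", 443, "172.16.0.10", 443)
VIPS = (VIP_HTTP, VIP_HTTPS)

ONLY_HTTP = InboundPolicy("wan1", "dmz", frozenset({"web-80"}), frozenset({("tcp", 80)}))
BOTH = InboundPolicy("wan1", "dmz", frozenset({"web-80", "web-443"}),
                     frozenset({("tcp", 80), ("tcp", 443)}))
BOTH_NAT = InboundPolicy("wan1", "dmz", BOTH.dst_vips, BOTH.services, nat=True)

CLIENT_HTTPS = {"srcintf": "wan1", "src": "198.51.100.23", "dst": "203.0.113.5",
                "proto": "tcp", "dport": 443}


def q232_https_policy_missing():
    # Only the port-80 VIP is referenced: HTTPS has no policy and is dropped.
    return handle_inbound(VIPS, [ONLY_HTTP], CLIENT_HTTPS)


def q232_https_policy_present():
    # Policy covers both VIPs and both services, NAT off: client IP preserved.
    return handle_inbound(VIPS, [BOTH], CLIENT_HTTPS)


def q235_policy_nat_enabled():
    # Same policy with NAT on: the server sees the FortiGate's DMZ address.
    return handle_inbound(VIPS, [BOTH_NAT], CLIENT_HTTPS)


if __name__ == "__main__":
    for fn in (q232_https_policy_missing, q232_https_policy_present, q235_policy_nat_enabled):
        print(f"{fn.__name__:28} -> {fn()}")
```

The two accepted results differ only in the source field, which is the difference the server's access log reveals in question 235.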

236
MCQ · easy

What is the purpose of policy-based routing (PBR) in FortiGate?

A. To load balance traffic across multiple WAN links
B. To filter traffic based on application signatures
C. To route traffic based on source address, destination, or other attributes instead of the routing table
D. To authenticate users before allowing traffic
Answer: C

PBR matches traffic on packet attributes such as source, destination, protocol and port and sends it to a specified gateway or interface; matching policy routes are consulted before the routing table.

Why this answer

Policy-based routing (Network > Policy Routes, CLI 'config router policy') overrides the normal routing-table lookup by forwarding packets that match the route's criteria (incoming interface, source and destination address, protocol, ports, ToS) to a specified outgoing interface and gateway. Policy routes are evaluated top to bottom before the routing table; the first match wins and can either forward the traffic or stop policy routing so that the routing table is used. Application-aware steering is an SD-WAN rule feature, not PBR. Because the criteria are evaluated before routing, a policy route with an over-broad destination such as 0.0.0.0/0 can pull internal traffic out of a WAN link; put a Stop Policy Routing entry (or a narrower destination) above it for internal prefixes.

Exam trap

The trap here is that candidates often confuse PBR with SD-WAN or load balancing, but PBR is strictly about overriding routing decisions based on packet attributes, not about distributing traffic across multiple links for bandwidth or redundancy.

How to eliminate wrong answers

Option A is wrong because load balancing across multiple WAN links is achieved using ECMP (Equal-Cost Multi-Path) routing or SD-WAN rules, not PBR. Option B is wrong because filtering traffic based on application signatures is the function of Application Control, a feature within firewall policies, not PBR. Option D is wrong because authenticating users before allowing traffic is handled by firewall authentication (e.g., FSSO, LDAP) or captive portal, not by PBR.
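As an added illustration of the lookup order (this is a model written for this page, not FortiOS code), the Python below checks a constructed list of policy routes before a constructed routing table. It includes the two points a practitioner trips over: a 0.0.0.0/0 policy route would hijack internal traffic unless a stop entry precedes it, and a forward route whose interface is down is skipped so the routing table takes over (modelled behaviour, stated as an assumption).

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, gateway, out-interface). Longest prefix wins.
ROUTING_TABLE = [
    ("0.0.0.0/0", "198.51.100.1", "wan1"),
    ("10.0.0.0/8", None, "internal"),
]

# Constructed policy routes, checked top to bottom *before* the routing table.
# "forward" sends to the given gateway; "stop" ends policy routing and hands
# the packet to the routing table (the Stop Policy Routing action).
POLICY_ROUTES = [
    {"src": "10.0.20.0/24", "dst": "10.0.0.0/8", "proto": "any", "dport": 0,
     "action": "stop"},
    {"src": "10.0.20.0/24", "dst": "0.0.0.0/0", "proto": "tcp", "dport": 443,
     "action": "forward", "gateway": "203.0.113.1", "outdev": "wan2"},
]


def routing_table_lookup(dst, table=ROUTING_TABLE):
    candidates = [r for r in table if ip_address(dst) in ip_network(r[0])]
    best = max(candidates, key=lambda r: ip_network(r[0]).prefixlen)
    return {"via": "routing-table", "gateway": best[1], "outdev": best[2]}


def select_egress(pkt, policy_routes=POLICY_ROUTES,
                  up_interfaces=frozenset({"wan1", "wan2", "internal"})):
    """Pick the egress for a packet with a policy-route-first lookup.
    A matching forward route whose interface is down is skipped (assumption),
    which lets the routing table decide instead."""
    for pr in policy_routes:
        if ip_address(pkt["src"]) not in ip_network(pr["src"]):
            continue
        if ip_address(pkt["dst"]) not in ip_network(pr["dst"]):
            continue
        if pr["proto"] != "any" and (pr["proto"], pr["dport"]) != (pkt["proto"], pkt["dport"]):
            continue
        if pr["action"] == "stop":
            break
        if pr["outdev"] in up_interfaces:
            return {"via": "policy-route", "gateway": pr["gateway"], "outdev": pr["outdev"]}
    return routing_table_lookup(pkt["dst"])


def vlan20_https_to_internet():
    return select_egress({"src": "10.0.20.9", "dst": "192.0.2.80", "proto": "tcp", "dport": 443})


def vlan20_http_to_internet():
    # No policy route matches port 80, so the default route applies.
    return select_egress({"src": "10.0.20.9", "dst": "192.0.2.80", "proto": "tcp", "dport": 80})


def vlan20_https_to_internal():
    # The stop entry keeps internal HTTPS on the routing table instead of wan2.
    return select_egress({"src": "10.0.20.9", "dst": "10.0.30.5", "proto": "tcp", "dport": 443})


def vlan20_https_wan2_down():
    return select_egress({"src": "10.0.20.9", "dst": "192.0.2.80", "proto": "tcp", "dport": 443},
                         up_interfaces=frozenset({"wan1", "internal"}))


if __name__ == "__main__":
    for fn in (vlan20_https_to_internet, vlan20_http_to_internet,
               vlan20_https_to_internal, vlan20_https_wan2_down):
        print(f"{fn.__name__:26} -> {fn()}")
```

Remove the stop entry from POLICY_ROUTES and vlan20_https_to_internal() comes back via wan2, which is the misrouting the caveat above warns about.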

237
MCQ · hard

A company uses FortiGate with firewall policies to control access between internal VLANs. Users in VLAN 10 report they can access internet but cannot reach a server in VLAN 20 on port 443. The server is reachable from other VLANs. The administrator checks the firewall policy configuration: there is a policy from VLAN10 to VLAN20 allowing HTTPS, with NAT disabled and logging enabled. The policy has a schedule set to 'Always'. The administrator also checks that there are no overlapping policies. What is the most likely cause?

A. NAT is disabled, so the server cannot send replies back.
B. The policy order is incorrect; a deny policy above is blocking traffic.
C. A security profile applied to the policy is blocking the HTTPS traffic.
D. The schedule is configured incorrectly and the policy is inactive during the current time.
Answer: C

Security profiles attached to the policy (SSL inspection, application control, web filtering, IPS) can block or interfere with an HTTPS session after the policy has accepted it, for example when deep inspection does not trust the server's certificate.

Why this answer

The correct answer is C because a firewall policy's ACCEPT only decides that the session may start; the security profiles attached to that policy then inspect it and can drop or reset it. Everything else about the policy is confirmed: it matches VLAN10 to VLAN20, allows HTTPS, is always active, and no other policy overlaps, while the server answers other VLANs. That leaves inspection. With logging enabled, the forward traffic log for the session should show it accepted by this policy and then acted on by a profile (UTM action or a subsequent deny), and 'diagnose debug flow' will likewise show the session allowed by the policy before it is dropped. Compare the profiles on this policy with those on the working policies from other VLANs, or temporarily remove them to confirm.

Exam trap

The trap here is that candidates often assume a policy allowing a service with NAT disabled is sufficient for reachability, overlooking that security profiles can independently block traffic at a higher layer, especially for HTTPS where inspection is required.

How to eliminate wrong answers

Option A is wrong because NAT is not required for reachability between internal VLANs; the server can send replies directly to the client's private IP address without NAT. Option B is wrong because the administrator has already confirmed there are no overlapping policies, so a deny policy above cannot be blocking traffic. Option D is wrong because the schedule is set to 'Always', meaning the policy is active at all times, and the users can access the internet, confirming the policy is not inactive.

