Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Fortinet Exam NSE7_EFW-7.0 Topic 5 Question 25 Discussion

Actual exam question for Fortinet's NSE7_EFW-7.0 exam
Question #: 25
Topic #: 5
[All NSE7_EFW-7.0 Questions]

Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject altemative names (SAN) in the server certificate?

Show Suggested Answer Hide Answer
Suggested Answer: A

#Config firewall ssl-ssh-profile

edit

config https

set sni-server-cert-check [enable* | strict | disable]

Enable: If the SNI does NOT match the CN or SAN fields in the returned server's certificate, FG uses the CN field instead of the SNI to obtain the FQDN.

Strict: If the SNI does NOT match the CN or SAN fields in the returned server's certificate, FG closes the connection.

Disable: FG does not check the SNI.


Contribute your Thoughts:

Malinda
8 months ago
Haha, 'Fort Awesome'? I like it. Maybe we can get a discount on the certification if we come up with the best firewall puns.
upvoted 0 times
Barbra
8 months ago
D) FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
upvoted 0 times
...
Ashlee
8 months ago
C) FortiGate uses the SNI from the user's web browser.
upvoted 0 times
...
Dannie
8 months ago
B) FortiGate uses the first entry listed in the SAN field in the server certificate.
upvoted 0 times
...
Mira
8 months ago
A) FortiGate uses the CN information from the Subject field in the server certificate.
upvoted 0 times
...
...
Kaycee
8 months ago
Good point. Better to be safe than sorry. I'm sticking with option D - FortiGate should just close it down if the SNI doesn't match.
upvoted 0 times
...
Socorro
8 months ago
True, but then you could end up with a mismatch between the SNI and what's actually in the certificate. That doesn't seem super secure to me.
upvoted 0 times
...
Jamal
8 months ago
Alright, alright, let's not get too serious here. I'm just hoping the exam doesn't have a question that's as confusing as this one. Maybe they'll throw in a trick question about configuring a 'Fort Awesome' firewall or something.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77