Helping Hand Questions for FCP_FGT_AD-7.4

An SSL VPN tunnel allows remote users to securely connect to the organization's network and transmit all traffic, including external application data and FTP resources, through an encrypted SSL/TLS connection. This ensures secure access to the network while supporting various protocols such as FTP and other application-specific traffic from the user's PC.

IPsec security associations

IPsec security associations (SAs) are synchronized between HA members to ensure seamless failover and continuity of VPN tunnels.

DHCP leases

DHCP lease information is synchronized between HA members to maintain consistent IP address assignments and prevent disruptions when failover occurs.

When FortiGate is configured in NGFW profile-based mode, it primarily uses flow-based inspection for application profiles. Flow-based inspection provides faster processing and lower latency by inspecting traffic in real-time without buffering, making it suitable for scenarios where performance is a priority.

References:

FortiOS 7.4.1 Administration Guide: Inspection Modes

To resolve the issue of PC3 not being able to access the internet, the administrator needs to adjust the IP pool configuration or the firewall policy. The following two options will fix the connectivity issue:

B. In the IP pool configuration, set the ending IP to 192.2.0.12: The current IP pool range is 192.2.0.10-192.2.0.11, which only provides two IP addresses for network address translation (NAT). To allow PC3 to access the internet, the IP pool should be expanded to include an additional IP address by changing the end of the range to 192.2.0.12.

D. In the IP pool configuration, set type to overload: Instead of using a one-to-one NAT, changing the type to overload will allow multiple internal addresses (such as PC1, PC2, and PC3) to share a single external IP address. This will solve the issue without needing additional public IP addresses.

The other options are not suitable:

A. In the firewall policy configuration, add 10.0.1.3 as an address object in the source field: This option is unnecessary since the firewall policy already allows all addresses from the source (LAN port3).

C. Configure another firewall policy that matches only the address of PC3 as the source, and then place the policy on top of the list: This option is redundant and would not resolve the underlying issue with the IP pool configuration.

References

FortiOS 7.4.1 Administration Guide - Configuring Firewall Policies, page 512.

FortiOS 7.4.1 Administration Guide - Configuring NAT with IP Pools, page 518.