
Fortinet Exam NSE7_EFW-7.0 Topic 5 Question 25 Discussion

Actual exam question for Fortinet's NSE7_EFW-7.0 exam
Question #: 25
Topic #: 5

Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

Suggested Answer: A

config firewall ssl-ssh-profile
    edit <profile-name>
        config https
            set sni-server-cert-check [enable* | strict | disable]
        end
    next
end

The asterisk marks the default value (enable). The three settings behave as follows:

Enable (default): If the SNI does NOT match the CN or any SAN in the returned server certificate, FortiGate uses the CN field instead of the SNI to obtain the FQDN.

Strict: If the SNI does NOT match the CN or any SAN in the returned server certificate, FortiGate closes the connection.

Disable: FortiGate does not check the SNI against the certificate at all.
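The following Python model is an added illustration, not FortiOS code and not part of the original answer. It reproduces the decision described above: compare the ClientHello SNI with the certificate's CN and SAN entries, then apply the configured sni-server-cert-check mode (enable, strict or disable) to decide whether the session continues and which name is used as the FQDN. The ServerCert and Decision types, the sample certificate values and the single-label wildcard rule are assumptions of this example; the page does not describe FortiGate's internal matching logic.

```python
"""Model of the sni-server-cert-check decision (added example, not FortiOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_MODE = "enable"   # the asterisk in the CLI syntax marks this default


@dataclass
class ServerCert:
    """Minimal view of a server certificate: CN plus DNS SAN entries (assumed shape)."""
    cn: str
    sans: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str           # "allow" or "close"
    fqdn: Optional[str]   # name the firewall goes on to use for the session (None if closed)
    reason: str


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a leftmost-label wildcard ('*.example.com') covering exactly one label.

    Single-label wildcard handling is an assumption of this model, not a page claim.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[: -len(suffix)]          # what the '*' would have to cover
        return bool(prefix) and "." not in prefix  # one non-empty label only
    return False


def sni_matches_cert(sni: str, cert: ServerCert) -> bool:
    """True if the SNI matches the CN or any SAN entry."""
    return any(hostname_matches(name, sni) for name in [cert.cn, *cert.sans])


def sni_server_cert_check(mode: str, sni: Optional[str], cert: ServerCert) -> Decision:
    """Apply the configured mode to one TLS session."""
    if mode not in ("enable", "strict", "disable"):
        raise ValueError(f"unknown sni-server-cert-check mode: {mode!r}")

    if mode == "disable":
        # No comparison at all; whatever the client sent is taken at face value.
        return Decision("allow", sni, "SNI not checked")

    if sni is None:
        # ClientHello carried no SNI, so there is nothing to compare; this model
        # falls back to the CN (assumption, the page does not cover this case).
        return Decision("allow", cert.cn, "no SNI present, CN used")

    if sni_matches_cert(sni, cert):
        return Decision("allow", sni, "SNI matches CN/SAN")

    if mode == "strict":
        return Decision("close", None, "SNI mismatch, connection closed")

    # mode == "enable": mismatch is tolerated, but the CN replaces the SNI as the FQDN
    return Decision("allow", cert.cn, "SNI mismatch, CN used instead of SNI")


if __name__ == "__main__":
    # Constructed sample certificate; values are illustrative only.
    cert = ServerCert(cn="www.example.com", sans=["example.com", "*.cdn.example.com"])
    for mode in ("enable", "strict", "disable"):
        for sni in ("www.example.com", "img.cdn.example.com", "evil.example.net"):
            d = sni_server_cert_check(mode, sni, cert)
            print(f"{mode:8} sni={sni:22} -> {d.action:5} fqdn={d.fqdn!s:18} ({d.reason})")
```

Running the block prints one line per mode and SNI; the interesting row is the mismatching name, which is allowed under enable (with the CN substituted), closed under strict, and passed through unchanged under disable.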


Contribute your Thoughts:

Malinda
8 days ago
Haha, 'Fort Awesome'? I like it. Maybe we can get a discount on the certification if we come up with the best firewall puns.
upvoted 0 times
Kaycee
9 days ago
Good point. Better to be safe than sorry. I'm sticking with option D - FortiGate should just close it down if the SNI doesn't match.
upvoted 0 times
Socorro
11 days ago
True, but then you could end up with a mismatch between the SNI and what's actually in the certificate. That doesn't seem super secure to me.
upvoted 0 times
Jamal
11 days ago
Alright, alright, let's not get too serious here. I'm just hoping the exam doesn't have a question that's as confusing as this one. Maybe they'll throw in a trick question about configuring a 'Fort Awesome' firewall or something.
upvoted 0 times