Fortinet Training Institute
DiogGome
New Contributor

Fortigate Essentials 6.2

Hello!

So I was doing the questions of the Fortigate Essentials 6.2, the new "free course" by Fortinet, and I'm here with a doubt about 2 questions that I really think are wrong. Can someone confirm?

1º "Which NAT mode is supported by a VDOM configured as NGFW mode?"

2º "Which inspection mode allows administrators to select the network applications from the firewall policy configuration?"

For me:

1º question: from my understanding, NGFW mode can be profile-based or policy-based; in the question they don't say which mode they are talking about, just "NGFW" mode... And they offer the option for Central SNAT and IP Pools...

2º question: from my understanding there are only 2 inspection modes: Flow-Based inspection and Proxy-Based inspection... So it would make sense if the question was "Which NGFW mode allows administrators...."

Am I wrong? I double checked the documentation and I'm almost sure about it, but I need to understand if there is something wrong with my knowledge, or it's an error in both questions...

Thank you!

6 REPLIES
AndrKroh
New Contributor II

2º "Which inspection mode allows administrators to select the network applications from the firewall policy configuration?"

The answer is: NGFW Policy-Based Mode.

In this mode you select the applications not in Security Profiles / Application Control / ....

You select the application directly in the policy.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/978598/profile-based-ngfw-vs-policy-based-ngfw

Regards
Andreas
DiogGome

Yeah, but the answer considered as "correct" in the questionnaire is "NGFW" only.

They are asking for the "inspection mode", so the specific inspection mode is flow-based, and "inside" flow-based, NGFW Policy-Based mode.
RobeMuel
New Contributor

The combination of VDOMs and Central NAT is only available when using NGFW Profile-Based mode.

Bob
DiogGome

Hi Robert,

I think you are wrong. You can have multiple VDOMs with different NGFW modes (profile or policy mode).

So, you can have a VDOM set to NGFW Profile-based mode, and another VDOM set to NGFW Policy-based mode (and ofc, that VDOM will use CNAT).
Saurabh_FTNT
Staff

Hello Diogo,

1º "Which NAT mode is supported by a VDOM configured as NGFW mode?"

NGFW has two modes:
Policy-Based: It supports central SNAT
Profile-Based: It supports Firewall NAT

We will fix the question statement to be more clear.

2º "Which inspection mode allows administrators to select the network applications from the firewall policy configuration?"

NGFW Policy-Based
Yes, you are right, there are two types of NGFW mode. We will fix this issue.

Saurabh Sharma
Network and Cloud Security Team Lead, NSE Curriculum Development

-------------------------------------------
Original Message:
Sent: Apr 16, 2020 11:05 AM
From: Diogo Gomes
Subject: Fortigate Essentials 6.2

Saurabh Manager, NSE Curriculum Development, Network & Cloud Sec
DiogGome

Thank you for your reply! :)

I'm glad to help.