NSE4 Question #3: Real Exam Question with Answer & Explanation

Question

A user logs into a SSL VPN portal and activates the tunnel mode. The administrator has enabled split tunneling. The exhibit shows the firewall policy configuration: Which static route is automatically added to the client's routing table when the tunnel mode is activated?

Options

• AA route to a destination subnet matching the Internal_Servers address object.
• BA route to the destination subnet configured in the tunnel mode widget.
• CA default route.
• DA route to the destination subnet configured in the SSL VPN global settings.

Explanation

When split tunneling is enabled for SSL VPN, the client's routing table automatically receives routes for specific destination subnets defined in the FortiGate firewall policies that allow traffic from the SSL VPN tunnel interface.

Common mistakes.

• B. While the tunnel mode widget configures general tunnel parameters, the specific routes pushed to the client for split tunneling are derived from the destination networks allowed in the firewall policy, not directly from the widget's general configuration.
• C. A default route (0.0.0.0/0) would direct all traffic through the VPN, which is characteristic of full tunneling, not split tunneling, where only specific traffic goes through the tunnel.
• D. SSL VPN global settings configure overall parameters and IP pools for clients, but the specific routes for split tunneling are determined by the firewall policies dictating accessible destinations through the VPN tunnel.

Concept tested. SSL VPN split tunneling routing

Reference. https://docs.fortinet.com/document/fortigate/7.4.0/fortios-handbook/381559/split-tunneling

No community discussion yet for this question.