NSE4 Question #4: Real Exam Question with Answer & Explanation

Question

Regarding tunnel-mode SSL VPN, which three statements are correct? (Choose three.)

Options

• ASplit tunneling is supported.
• BIt requires the installation of a VPN client.
• CIt requires the use of an Internet browser.
• DIt does not support traffic from third-party network applications.
• EAn SSL VPN IP address is dynamically assigned to the client by the FortiGate unit.

Explanation

SSL VPN tunnel mode supports split tunneling, requires a dedicated VPN client for operation, and dynamically assigns an IP address to the connected client from the FortiGate.

Common mistakes.

• C. While an initial portal login might use a browser, the actual operation of SSL VPN in tunnel mode requires a dedicated client application, not continuous use of an Internet browser, which is more characteristic of web-mode SSL VPN.
• D. SSL VPN tunnel mode creates a virtual network interface on the client, enabling all network applications on the client to send traffic through the secure tunnel, not just specific or first-party applications.

Concept tested. SSL VPN tunnel mode characteristics

Reference. https://docs.fortinet.com/document/fortigate/7.4.0/fortios-handbook/381559/split-tunneling

No community discussion yet for this question.