NSE4 · Question #500
NSE4 Question #500: Real Exam Question with Answer & Explanation
The correct answer is D: The remote gateway IP address can change dynamically. Configuring an IPsec VPN remote gateway as 'Dynamic DNS' enables the FortiGate to connect to a peer whose public IP address is not static but dynamically resolved via an FQDN.
Question
Which statement is correct concerning an IPsec VPN with the remote gateway setting configured as 'Dynamic DNS'?
Options
- A. The FortiGate will accept IPsec VPN connection from any IP address.
- B. The FQDN resolution of the local FortiGate IP address where the VPN is terminated must be
- C. The FortiGate will accept IPsec VPN connections only from IP addresses included on a
- D. The remote gateway IP address can change dynamically.
Explanation
Configuring an IPsec VPN remote gateway as 'Dynamic DNS' enables the FortiGate to connect to a peer whose public IP address is not static but dynamically resolved via an FQDN.
Common mistakes.
- A. The FortiGate will not accept connections from "any IP address"; it will only accept connections from the IP address currently resolved by the configured Dynamic DNS hostname.
- B. The FQDN resolution applies to the remote gateway's IP address, not necessarily the local FortiGate's IP address for the VPN termination.
- C. This statement is incorrect as the purpose of Dynamic DNS is to allow for changing IP addresses, not to restrict to a pre-defined static list of IP addresses.
Concept tested. IPsec VPN dynamic remote gateway
Reference. https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/339230/phase-1-settings