Fortinet
NSE4 · Question #520
NSE4 Question #520: Real Exam Question with Answer & Explanation
The correct answer is B: the packet matched the firewall policy whose policy ID is 1. In the "diag debug flow" message "Allowed by Policy-1: SNAT", the number after "Policy-" is the policy ID (the value used with "edit <id>" under "config firewall policy"), and "SNAT" indicates that source NAT was applied to the session.
Submitted by hans_de · Apr 18, 2026 · Firewall Policies and Authentication
Question
In "diag debug flow" output, you see the message "Allowed by Policy-1: SNAT". Which is true?
Options
- A. The packet matched the topmost policy in the list of firewall policies.
- B. The packet matched the firewall policy whose policy ID is 1.
- C. The packet matched a firewall policy, which allows the packet and skips UTM checks.
- D. The policy allowed the packet and applied session NAT.
Explanation
The message "Allowed by Policy-1: SNAT" in a debug flow means the packet was accepted by the firewall policy with policy ID 1, and that source NAT was applied to the resulting session. The policy ID is assigned when the policy is created and does not change when the policy is moved up or down in the policy table, so the number in this message identifies the policy, not its position. "SNAT" reflects that NAT is enabled on that policy (translating the source address to the outgoing interface address or an IP pool address).
Common mistakes.
- A. A policy may happen to be at the top of the list, but "Policy-1" refers to the policy whose numerical ID is 1, not to its sequential position in the policy table. Policies are matched top-down by position, while IDs are fixed at creation, so the policy with ID 1 can sit anywhere in the list.
- C. The message only indicates that the policy allowed the packet and applied SNAT; it says nothing about UTM being skipped. Whether UTM inspection applies depends on the security profiles attached to the matching policy.
- D. It is true that the policy allowed the packet and applied NAT, but option B is the more specific and direct reading of the "Policy-1" part of the message, because it identifies exactly which policy matched.
Concept tested. FortiGate diag debug flow output interpretation
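The following is an added example, not part of the original question or of Fortinet's tooling: a small parser that walks lines in the shape of "diag debug flow" output (produced on a FortiGate with "diagnose debug flow filter ...", "diagnose debug flow trace start <n>" and "diagnose debug enable"), pulls the policy verdict out of each trace, and then looks up where that policy ID sits in the policy table. The sample lines and the policy table order are constructed for illustration; the exact wording of the deny message and line-number fields on a real device may differ.

```python
import re
from typing import Optional

# Constructed sample lines in the shape of FortiOS "diagnose debug flow" output
# (not captured from a real device; addresses and session IDs are illustrative).
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=7 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.10:51234->203.0.113.5:443) from port1."
id=20085 trace_id=7 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-198.51.100.1 via port2"
id=20085 trace_id=7 func=fw_forward_handler line=743 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=8 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.11:40000->203.0.113.9:22) from port1."
id=20085 trace_id=8 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=9 func=fw_forward_handler line=743 msg="Allowed by Policy-12: SNAT"
"""

# Each line carries a trace_id (one per packet) and a quoted msg="..." field.
MSG_RE = re.compile(r'trace_id=(?P<trace>\d+).*?msg="(?P<msg>[^"]*)"')
# "Allowed by Policy-<id>" optionally followed by ": SNAT" (or another NAT flag).
ALLOW_RE = re.compile(r"^Allowed by Policy-(?P<pid>\d+)(?::\s*(?P<nat>\S+))?")
# Implicit-deny hits report policy 0.
DENY_RE = re.compile(r"^Denied by forward policy check \(policy (?P<pid>\d+)\)")


def parse_policy_verdicts(text: str) -> dict[int, dict]:
    """Return {trace_id: {"action", "policy_id", "nat"}} for every policy verdict line.

    The integer after "Policy-" is the firewall policy ID (the value used with
    "edit <id>" under "config firewall policy"), not the policy's row in the table.
    """
    verdicts: dict[int, dict] = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        trace = int(m.group("trace"))
        msg = m.group("msg")
        a = ALLOW_RE.match(msg)
        if a:
            verdicts[trace] = {
                "action": "allow",
                "policy_id": int(a.group("pid")),
                "nat": a.group("nat"),  # "SNAT" when source NAT was applied, else None
            }
            continue
        d = DENY_RE.match(msg)
        if d:
            verdicts[trace] = {"action": "deny", "policy_id": int(d.group("pid")), "nat": None}
    return verdicts


def policy_position(ordered_policy_ids: list[int], policy_id: int) -> Optional[int]:
    """1-based row of a policy ID in top-down evaluation order, or None if absent."""
    try:
        return ordered_policy_ids.index(policy_id) + 1
    except ValueError:
        return None


# Constructed policy table order (top to bottom, as the policy list would show it):
# ID 1 was created first but has since been moved below IDs 7 and 3.
SAMPLE_POLICY_ORDER = [7, 3, 1, 12]

if __name__ == "__main__":
    for trace, v in sorted(parse_policy_verdicts(SAMPLE_DEBUG_FLOW).items()):
        pos = policy_position(SAMPLE_POLICY_ORDER, v["policy_id"])
        print(f"trace {trace}: {v['action']} by policy ID {v['policy_id']} "
              f"(row {pos} in table), NAT={v['nat']}")
```

Running it shows trace 7 allowed by policy ID 1 sitting in row 3 of the table, which is the point of option A being wrong: the ID in the message and the row that matched first are different things. The "policy 0" on the deny line is the implicit deny, which has no row in the configured table.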
Topics
#Debug flow #Firewall policies #Policy ID #SNAT
Community Discussion
No community discussion yet for this question.