NSE 7 – Enterprise Firewall 7.0 — Question 27
An administrator wants to capture encrypted phase 2 traffic between two FortiGate devices using the built-in sniffer.
If the administrator knows that there is no NAT device located between both FortiGate devices, which command should the administrator run?
Answer options
- A. diagnose sniffer packet any 'ah'
- B. diagnose sniffer packet any 'ip proto 50'
- C. diagnose sniffer packet any 'udp port 4500'
- D. diagnose sniffer packet any 'udp port 500'
Correct answer: B
Explanation
The correct answer is B. The filter 'ip proto 50' matches ESP (Encapsulating Security Payload), the IP protocol that carries the encrypted phase 2 traffic of an IPsec VPN; with no NAT device between the two FortiGate devices, ESP travels directly over IP rather than being encapsulated in UDP. The other options do not capture that traffic: 'ah' matches the Authentication Header protocol, which provides integrity but no encryption; 'udp port 500' matches IKE, the phase 1 negotiation rather than the encrypted data; and 'udp port 4500' matches NAT-T, the UDP encapsulation of ESP that is used only when NAT is detected between the peers, which the question rules out.