NSE 7 – Enterprise Firewall 7.0 — Question 36
Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
Answer options
- A. FortiGate uses the CN information from the Subject field in the server certificate.
- B. FortiGate uses the first entry listed in the SAN field in the server certificate.
- C. FortiGate uses the SNI from the user's web browser.
- D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
Correct answer: A
Explanation
The correct answer is A because, by default, FortiGate falls back to the CN information from the Subject field in the server certificate when the SNI does not match. Options B and C are incorrect because they do not reflect FortiGate's default behavior, and option D is wrong because FortiGate does not close the connection in this scenario.