NSE 7 – Enterprise Firewall 6.2 — Question 31
When using the SSL certificate inspection method to inspect HTTPS traffic, how does FortiGate filter web requests when the client browser does not provide the server name indication (SNI) extension?
Answer options
- A. FortiGate uses the requested URL from the user's web browser.
- B. FortiGate uses the CN information from the Subject field in the server certificate.
- C. FortiGate blocks the request without any further inspection.
- D. FortiGate switches to the full SSL inspection method to decrypt the data.
Correct answer: B
Explanation
The correct answer is B: when the client does not send SNI, FortiGate falls back to the Common Name (CN) in the Subject field of the server certificate to identify the server and filter the request. Option A is incorrect because the requested URL cannot be used without SNI. Option C is wrong because FortiGate does not simply block the request without inspection when the CN information is available. Option D is incorrect because switching to full SSL inspection is unnecessary when the server certificate can be used.