NSE 7 – Enterprise Firewall 6.4 — Question 35
When using the SSL certificate inspection method to inspect HTTPS traffic, how does FortiGate filter web requests when the client browser does not provide the server name indication (SNI) extension?
Answer options
- A. FortiGate uses the CN information from the Subject field in the server certificate.
- B. FortiGate switches to the full SSL inspection method to decrypt the data.
- C. FortiGate uses the requested URL from the user's web browser.
- D. FortiGate blocks the request without any further inspection.
Correct answer: A
Explanation
The correct answer is A: when the client does not send the SNI extension, FortiGate falls back to the Common Name (CN) in the Subject field of the server certificate to decide how to filter the request. Options B and C are incorrect because they describe methods that do not apply when SNI is missing. Option D is wrong because FortiGate does not simply block the request; it attempts to inspect it using the information available.