NSE 8 – Network Security Expert (811) — Question 12
You configured a firewall policy with only a Web Filter profile for accessing the Internet. Access to websites in the "Information Technology" category is blocked, and access to websites in the "Business" category is allowed. SSL deep inspection is not enabled on this policy.
A user wants to access the website https://www.it-acme.com, which presents a certificate with CN=www.acme.com. The it-acme.com domain is categorized as "Information Technology" and the acme.com domain is categorized as "Business".
Which statement regarding this scenario is correct?
Answer options
- A. The FortiGate is able to read the URL within HTTPS sessions when using SSL certificate inspection, so the website will be blocked by the "Information Technology" category.
- B. The website will be blocked by category "Information Technology" as the SNI takes precedence over the certificate name.
- C. The website will be allowed by category "Business" as the certificate name takes precedence over the URL.
- D. Only with SSL deep inspection enabled will the FortiGate be able to categorize this website.
Correct answer: B
Explanation
The correct answer is B. With SSL certificate inspection, the FortiGate does not decrypt the session; it categorizes the site from the hostnames visible in cleartext during the TLS handshake: the SNI (Server Name Indication) in the client's ClientHello and the subject name of the server certificate. When both are present, the SNI takes precedence over the certificate name. Here the SNI is www.it-acme.com, which falls in the "Information Technology" category, so the connection is blocked even though the certificate CN (www.acme.com) belongs to the allowed "Business" category. Option A is incorrect because, without SSL deep inspection, the FortiGate cannot read the full URL inside the HTTPS session, only the hostname. Option D is incorrect because deep inspection is not required for categorization: the SNI and certificate name are enough to rate the site. Option C is incorrect because the certificate name is only used when no SNI is available; it does not take precedence over the SNI.