View all questions & answers for the NSE 4 - FortiOS 7.6 Administrator Exam Materials exam


Question 20 Discussion

Refer to the exhibit. What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate? (Choose one answer)

  • A. FortiGate will accept and use the CN in the server certificate for URL filtering if the SNI does not match the CN or SAN fields.
  • B. FortiGate will accept the connection with a warning if the SNI does not match the CN or SAN fields.
  • C. FortiGate will close the connection if the SNI does not match the CN or SAN fields.
  • D. FortiGate will close the connection if the SNI does not match the CN and SAN fields.
Correct Answer: C

Brave-Dump Clients Votes

C 63.64%
D 36.36%

Comments



MOHAMED IBRAHIM ELHADI AHMED 2025-08-07 19:03:19

Selected Answers: D


Refer to guide

javaughn Bryan 2025-08-27 04:15:40

Selected Answers: D


its D....strict SNI must match with the CN AND SAN...if not..the connect will close

Miroslaw Lerch 2025-08-28 12:54:49

Selected Answers: C


FortiGate Study Guide (SSL Inspection Section)
“When the Server certificate SNI check configuration is Enable, FortiGate uses the domain in the CN field instead of the domain in the SNI field if the domain in the SNI field does not match any of the domains listed in the CN and SAN fields. With Strict, FortiGate closes the client connection if there is a mismatch. When SNI check is Disable, FortiGate always rates URLs based on the FQDN.”

Key Clarifications (Direct from Study Guide):
Enable: FortiGate falls back to the certificate’s CN when the SNI doesn’t match the certificate’s CN or SAN values.
Strict: FortiGate closes the connection immediately if SNI does not match either CN or SAN.
Disable: FortiGate ignores SNI and makes URL decisions solely on the FQDN.

Alessandro 2025-09-17 10:54:42

Selected Answers: C


C is correct

Mazzonetto 2025-10-14 18:34:13

Selected Answers: D


When the Server certificate SNI check configuration is Enable, FortiGate uses the domain in the CN field
instead of the domain in the SNI field if the domain in the SNI field does not match any of the domains listed in
the CN and SAN fields. With Strict, FortiGate closes the client connection if there is a mismatch. When SNI
check is Disable, FortiGate always rates URLs based on the FQDN.
  • Mazzonetto 2025-10-14 18:37:44
    Correct : C

chiras theodoros 2025-10-30 17:51:03

Selected Answers: C


Server certificate SNI Check options
Strict: Closes the connection if the SNI in the client's hello message does not match the CN or SAN fields in the server's certificate.
Enable: Checks the SNI against the CN/SAN. If there is a mismatch, it uses the CN in the server certificate to perform URL filtering instead of closing the connection.
Disable: Does not perform the SNI check. FortiGate will always use the FQDN from the server certificate for URL rating, even if the SNI was different.

Mohamed 2025-10-31 16:13:42

Selected Answers: D


Guide

imade 2025-11-20 00:53:45

Selected Answers: C


page 263

Miguel 2025-12-04 12:55:07

Selected Answers: C


strict SNI must match with the CN or SAN, You are not required, when creating a certificate, to put the same name in the CN (Common Name) as in the SAN (Subject Alternative Name). So as long as it is in one of the two, it would be enough. It is ridiculous to require it to be in both. The only thing is to verify both fields

Vic Geek 2025-12-17 04:25:01

Selected Answers: C


Page 287 of the 7.6 Study Guide shows that its CN or SAN

Anonymous User 2026-01-22 22:55:36

Selected Answers: C


C because if one of the 2 has a mismatch it will close the connection
Check the SNI in the hello message with the CN or SAN field in the returned server certificate:
Strict: If it is mismatched, close the connection.