Question 48 Discussion

You are encountering connectivity problems caused by intermediate devices blocking IPsec traffic. In which two ways can you effectively resolve the problem? (Choose two answers)

  • A. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
  • B. You can turn on fragmentation to fix large certificate negotiation problems.
  • C. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
  • D. You should use the protocol IKEv2.
Correct Answer: A,B

Brave-Dump Clients Votes

AB 75%
AC 25%

Comments

javaughn Bryan 2025-08-27 09:01:09

Selected Answers: A, C


This setup provides IP-level connectivity in tunnel mode and allows you to configure hub-and-spoke topologies with FortiGate devices as both the SSL VPN hub and spokes. This can be useful to avoid issues caused by intermediate devices, such as:
  • ESP packets being blocked
  • UDP ports 500 or 4500 being blocked
  • Fragments being dropped, causing IKE negotiation that uses large certificates to fail if the peer does not support IKE fragmentation


Goncalo Pereira 2025-10-29 19:35:57

Selected Answers: A, B


correct one


Miguel 2025-12-04 16:53:12

Selected Answers: A, B


FortiOS 7.4 is C --> You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports. But in FortiOS 7.6 it is B.


Miguel 2025-12-05 15:07:42

Selected Answers: A, B


A — Use SSL VPN tunnel mode:
Intermediate devices often block IPsec’s ESP (IP proto 50) and/or the UDP 500/4500 ports used by IKE/NAT-T. SSL VPN tunnel mode encapsulates all traffic over HTTPS/TCP 443, which almost always passes through middleboxes and proxies. That sidesteps the ESP/UDP filtering entirely, letting users connect even when IPsec is blocked.

B — Enable IKE fragmentation:
When peers exchange large certificates or many proposals, IKE messages can exceed the path MTU. Some middleboxes mishandle or drop IP-fragmented packets, breaking negotiation. IKE fragmentation splits the IKE payload itself (not the IP packet), so the exchange succeeds without relying on IP fragmentation. This directly addresses certificate-related failures caused by intermediate devices.

Why not C/D?

C (SSL hub-and-spoke) is a topology choice; the real fix is already in A (using SSL/443).

D (use IKEv2) doesn’t solve ESP/UDP filtering by itself; if ports/protocols are blocked, the tunnel still fails.
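As an added illustration of answer B (not taken from the question or from any commenter), this is the FortiOS CLI configuration that enables IKE fragmentation on an interface-mode phase 1, followed by the diagnose commands used to watch the negotiation; the tunnel name "to-branch" and the MTU value 1200 are placeholder values chosen for the example.

```fortios
# Added example: enable IKE fragmentation on an interface-mode IPsec tunnel.
# "to-branch" and 1200 are placeholder values, not from the question.
config vpn ipsec phase1-interface
    edit "to-branch"
        set ike-version 1
        # Split large IKE messages (e.g. certificate payloads) at the IKE
        # layer so the exchange does not depend on IP fragments that
        # intermediate devices may drop.
        set fragmentation enable
        # Keep each IKE fragment below the smallest MTU on the path.
        set fragmentation-mtu 1200
    next
end

# Check whether the tunnel established, then trace the IKE exchange
# if the negotiation still stalls on the certificate exchange.
diagnose vpn ike gateway list name "to-branch"
diagnose debug application ike -1
diagnose debug enable
```

With `set ike-version 2`, FortiOS negotiates fragmentation with the peer per RFC 7383, so both ends must support it for the setting to take effect.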