
NSE4-5.4: What is a valid reason for using session based authentication in a FortiGate web proxy solution?

Question

What is a valid reason for using session based authentication instead of IP based authentication in a FortiGate web proxy solution?

A. Users are required to manually enter their credentials each time they connect to a different web site.
B. Proxy users are authenticated via FSSO.
C. There are multiple users sharing the same IP address.
D. Proxy users are authenticated via RADIUS.

Answer

C. There are multiple users sharing the same IP address.

Explanation

According to the Fortinet Training Institute, the NSE 4 certification exam tests your ability to install and manage the day-to-day configuration, monitoring, and operation of a FortiGate device to support specific corporate network security policies. The exam covers topics such as firewall policies, user authentication, SSL VPN, IPsec VPN, antivirus, web filtering, application control, and more.

One of the topics is user authentication, which can be done in different ways on a FortiGate device. One of the methods is using an explicit proxy, which requires users to configure their web browsers to use the FortiGate as a proxy server. The explicit proxy can authenticate users based on their IP address or their session.

According to a technical tip from Fortinet Community, there are some differences between IP-based authentication and session-based authentication in an explicit proxy scenario:

  • IP-based authentication: The proxy daemon checks for existing logins of the user from other sources (such as SSL VPN or FSSO) and imports them as proxy users if they match an IP-based authentication rule. This avoids prompting the user for credentials again, but it also means that the proxy daemon does not perform any additional group lookup for the user. Therefore, the user may not match some proxy policies that use different groups than the ones used in the original login source.
  • Session-based authentication: The proxy daemon ignores any existing logins of the user and prompts them for credentials for each new session. This allows the proxy daemon to perform a renewed group lookup for the user and match them with any proxy policies that use their group membership. However, this also means that the user has to enter their credentials multiple times for different sessions.

Based on this information, the answer is:

C. There are multiple users sharing the same IP address.

This is a valid reason for using session-based authentication instead of IP-based authentication in a FortiGate web proxy solution because it allows the proxy daemon to distinguish between different users who have the same IP address and apply the appropriate proxy policies based on their group membership.
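The effect of the two modes on users who share an address can be seen in a small model of the proxy's login table. This is an added Python example, not FortiOS code or part of the original answer; the `Proxy` class, the user names, passwords, groups and the address 10.0.0.50 are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: user -> (password, group)
DIRECTORY = {"alice": ("a-pass", "finance"), "bob": ("b-pass", "guests")}
SHARED_IP = "10.0.0.50"  # constructed address used by both users


@dataclass
class Proxy:
    """Toy model of an explicit proxy's table of authenticated users."""
    ip_based: bool
    directory: dict
    logins: dict = field(default_factory=dict)  # auth key -> user name

    def _key(self, src_ip, session_id):
        # IP-based: one identity per source address.
        # Session-based: one identity per browser session.
        return src_ip if self.ip_based else (src_ip, session_id)

    def request(self, src_ip, session_id, creds=None):
        """Return (user, group) used for policy matching,
        or None when the client must be prompted for credentials."""
        key = self._key(src_ip, session_id)
        if key not in self.logins:
            if creds is None:
                return None
            user, password = creds
            entry = self.directory.get(user)
            if entry is None or entry[0] != password:
                return None
            self.logins[key] = user
        user = self.logins[key]
        return user, self.directory[user][1]


def second_user_identity(ip_based):
    """Alice logs in, then Bob sends a request from the same IP
    without credentials. Return what the proxy attributes to Bob."""
    proxy = Proxy(ip_based, DIRECTORY)
    proxy.request(SHARED_IP, "sess-alice", ("alice", "a-pass"))
    return proxy.request(SHARED_IP, "sess-bob")


if __name__ == "__main__":
    print("IP-based     :", second_user_identity(True))
    print("Session-based:", second_user_identity(False))
```

With IP-based authentication the second user is matched against the first user's identity and group; with session-based authentication the second user is prompted and evaluated separately.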
