

NSE 7 - Enterprise Firewall 7.6 Administrator Exam Materials-Question 52 Discussion

Refer to the exhibit, which shows the packet capture output of a three-way handshake between FortiGate and FortiManager Cloud. What two conclusions can you draw from the exhibit? (Choose two answers)

  • A. FortiGate is connecting to the same IP server and will receive an independent certificate for its connection between FortiGate and FortiManager Cloud.
  • B. If the TLS handshake contains 17 cipher suites it means the TLS version must be 1.0 on this three-way handshake.
  • C. FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment.
  • D. The wildcard for the domain *.fortinet-ca2.support.fortinet.com must be supported by FortiManager Cloud.
Correct Answer: C,D

Brave-Dump Clients Votes

AC 50%
D 25%
CD 25%

Comments



Mahmoud Mohammedali 2025-12-08 13:16:22

Selected Answers: D


When FortiGate connects to FortiManager Cloud, the TLS handshake involves validating certificates issued by Fortinet's CA. These certificates often use wildcard domains (e.g., *.fortinet-ca2.support.fortinet.com) to cover multiple subdomains in the cloud environment. This ensures secure communication without requiring individual certificates for each subdomain.


Adam 2026-01-20 02:35:09

Selected Answers: C, D


B is wrong because, while different TLS versions support different cipher suites, the number of cipher suites supported by the client is unrelated to the TLS version, and we have "Extension: supported_versions (len=9) TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0" in the packet capture, so the client supports all 4 TLS versions for negotiation with the server.

Packet capture shows "Server Name: 9398.support.fortinet-ca2.fortinet.com" in Client Hello.

FortiGate receiving a certificate means receiving the FortiManager Cloud server certificate, and it will check the requested SNI "Server Name: 9398.support.fortinet-ca2.fortinet.com" against the certificate subject CN / SAN DNS.

Both C and D options indicate FortiManager Cloud is using a wildcard certificate to be able to support multiple sub-domains.

As there are two required answers, A can't be right, as it contradicts C and D.
Answer is C and D, provided that FortiManager Cloud is using a wildcard certificate.


Naiyar Rizvi 2026-05-05 15:38:53

Selected Answers: A, C


A. FortiGate is connecting to the same IP server and will receive an independent certificate for its connection between FortiGate and FortiManager Cloud.

Correct.

The packet capture shows FortiGate connecting to FortiManager Cloud using TLS Client Hello with SNI.

The study guide says SNI allows a server to host multiple certificates on the same IP address and send the correct certificate based on the requested domain during the TLS handshake.

So, even if multiple Fortinet cloud services use shared infrastructure, FortiGate can still receive the proper certificate for its specific FortiManager Cloud connection.

B. If the TLS handshake contains 17 cipher suites it means the TLS version must be 1.0 on this three-way handshake.

Incorrect.

The number of cipher suites does not mean TLS version 1.0.

The study guide explains TLS versions separately, including TLS 1.2 and TLS 1.3. Also, in packet captures, the TLS record layer may show older compatibility values, but the actual supported versions are shown in the Client Hello supported versions extension.

So, 17 cipher suites does not prove TLS 1.0.

C. FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment.

Correct.

The study guide directly says SNI is important in cloud computing environments, where multiple customers or services can be hosted on shared infrastructure. It allows cloud providers to deliver HTTPS services efficiently.

So, FortiManager Cloud can use shared cloud infrastructure and still provide the correct certificate/domain identity.


Anonymous User 2026-05-18 12:40:32

Selected Answers: A, C


D is incorrect: layout of the domain requested in the SNI extension: 9398.support.fortinet-ca2.support.fortinet.com. A standard wildcard certificate for *.fortinet-ca2.support.fortinet.com only covers one level of subdomains directly below it. It cannot natively cover 9398.support... because that contains a nested, multi-level subdomain boundary. A broader wildcard format or a dedicated multi-domain (SAN) certificate is required instead.
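
Added example, not part of any comment above and not Fortinet code: a minimal matcher for an SNI host name against certificate SAN dNSName entries, using the rule that `*` stands in for exactly one left-most label. The two `9398...` names are the SNI values as quoted in the comments; `ONE_LABEL` and `DEEPER_WILDCARD` are constructed for illustration, and the refusal of `*.tld` patterns is a policy choice of this example.

```python
# Added example: SNI host name vs. certificate SAN dNSName matching.
# "*" may replace only the entire left-most label (RFC 6125 section 6.4.3).

WILDCARD = "*.fortinet-ca2.support.fortinet.com"              # from option D
SNI_ADAM = "9398.support.fortinet-ca2.fortinet.com"           # as quoted by Adam
SNI_ANON = "9398.support.fortinet-ca2.support.fortinet.com"   # as quoted by Anonymous User
ONE_LABEL = "9398.fortinet-ca2.support.fortinet.com"          # constructed
DEEPER_WILDCARD = "*.support.fortinet-ca2.support.fortinet.com"  # constructed


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern: str, host: str) -> bool:
    """True if one SAN dNSName entry covers the requested host name."""
    p, h = _labels(pattern), _labels(host)
    # A wildcard never spans a dot, so the label counts must be equal.
    if len(p) != len(h) or "" in h or "*" in host:
        return False
    if any("*" in label for label in p[1:]):
        return False  # wildcard outside the left-most label
    if p[0] == "*":
        # Policy choice of this example: refuse patterns as broad as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial-label wildcards ("f*.example.com") are refused here
    return p == h


def cert_covers(san_dns_names: list[str], sni: str) -> bool:
    """True if any SAN entry of the certificate covers the SNI value."""
    return any(san_matches(entry, sni) for entry in san_dns_names)


if __name__ == "__main__":
    for sni in (ONE_LABEL, SNI_ADAM, SNI_ANON):
        print(f"{sni:50} single wildcard: {cert_covers([WILDCARD], sni)!s:5} "
              f"multi-SAN: {cert_covers([WILDCARD, DEEPER_WILDCARD], sni)}")
```

To check a real deployment, compare the Server Name value in the Client Hello with the SAN list of the certificate the server actually returns.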