An administrator has configured a FortiGate device to authenticate SSL VPN users using dogotal certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server. Part of the FortiGate configuration is shown below: Based on this configuration, which two statements are true? (Choose two answers)

A. If the OCSP response is CertStatus unknown, authentication will succeed if the certificate matches the CA.
B. OCSP checks will always go to the configured FortiAuthenticator.
C. If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.
D. The OCSP check of the certificate can be combined with a certificate revocation list.

Correct Answer: B.D

Brave-Dump Clients Votes

BD 50%

BC 25%

CD 25%

Comments

Sergio Hernandez 2025-10-13 07:58:08

Selected Answers: B, C

b,c are the two answers

Mohamed laamouri 2025-12-05 20:28:52

Selected Answers: B, D

set strict-ocsp-check enable signifie que la vérification OCSP est stricte :
→ Si le serveur OCSP est inaccessible, l’authentification échoue (donc C serait normalement faux).
En mode strict, FortiGate ne fait pas de fallback sur la CA.

Si strict-ocsp-check était désactivé, alors C serait vrai (authentification réussit si le certificat correspond à la CA).
Mais ici, il est activé.

Donc, selon la configuration affichée, les bonnes réponses sont B et D.

boss123 2025-12-10 20:24:42

Selected Answers: C, D

I would say CD... OSCP will not go to FortiAuthentication because OCSP option is set to certificate not server. OSCP will use URL on the certificate

Brave-Dumps Admin 2025-12-13 22:46:22

Selected Answers: B, D

B,D