Practice NSE7 Advanced VPN and Zero Trust questions with full explanations on every answer.
A company is implementing Zero Trust Network Access using Fortinet's ZTNA solution. They have deployed a FortiGate as the ZTNA gateway and are using FortiClient as the ZTNA agent. Users report that they can initiate ZTNA connections but the connections drop after a few minutes. The FortiGate logs show that the ZTNA session is being terminated due to a endpoint compliance check failure. Which action should the administrator take to resolve this issue?
2During a ZTNA deployment, an administrator notices that traffic from a specific internal application is being routed through the ZTNA gateway but is not reaching the destination server. The FortiGate policy allows the traffic, and the client has a valid ZTNA connection. What is the most likely cause of the issue?
3An organization is designing a Zero Trust Network Access solution with Fortinet. They want to ensure that only devices with up-to-date antivirus software can access sensitive applications. Which component is responsible for enforcing this requirement?
4A company uses FortiGate ZTNA to provide remote access to an internal web application. The application requires client certificates for authentication. The administrator has configured the ZTNA rule to use certificate authentication. However, users report that they are prompted for credentials repeatedly. What is the most likely cause?
5In a Zero Trust Network Access architecture, which component acts as the policy enforcement point for access decisions?
6An administrator is troubleshooting a ZTNA connection issue where a user can access the ZTNA gateway but the connection to the internal application fails after a few seconds. The FortiGate logs show 'ZTNA session timeout' but the timeout value is set to 30 minutes. What could be the reason?
7A company wants to deploy ZTNA to secure access to internal applications for remote employees. They have a FortiGate with a public IP and internal servers. Which deployment mode should they choose to minimize changes to existing firewall rules?
8During a ZTNA implementation, the administrator configures a ZTNA rule for an internal application but users cannot connect. The FortiGate policy is correct and the application is reachable from the FortiGate. What is the most likely misconfiguration?
9Which TWO of the following are required components for a Fortinet ZTNA solution? (Select two.)
10Which THREE of the following are valid methods to deliver ZTNA tags to FortiClient? (Select three.)
11Which TWO of the following can be used to authenticate users in a ZTNA connection? (Select two.)
12A multinational corporation is implementing ZTNA for remote access to a critical internal application hosted on a server with IP 10.0.1.200:8443. The FortiGate is deployed at the edge with WAN IP 203.0.113.50. The administrator configures a ZTNA rule with proxy destination 10.0.1.200:8443, a firewall policy allowing traffic from the ZTNA gateway to the internal server, and a VIP for port forwarding for testing. However, remote users report that they can establish a ZTNA connection to the gateway but the application page fails to load, showing a blank page after a long delay. The FortiGate logs show no errors, and the debug output indicates that the proxy successfully forwarded the request to 10.0.1.200:8443 and received a response. The internal server team confirms the application is working correctly for on-site users. What is the most likely cause?
13A healthcare provider is deploying ZTNA to secure access to an internal electronic health records (EHR) system. The EHR system is composed of multiple web services running on different ports behind a load balancer with IP 10.0.10.100. The load balancer listens on ports 443, 8443, and 9090. The administrator configures a single ZTNA rule with proxy destination 10.0.10.100:443, expecting that the other ports will be accessed via the same rule. However, users report that they can only access the service on port 443; connections to ports 8443 and 9090 fail. The FortiGate logs show that requests to other ports are being dropped. What should the administrator do to resolve this?
14A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGate devices. The tunnel is established, but traffic is not passing. Which configuration should the administrator check first?
15A company uses SSL VPN with FortiGate for remote access. Users report that after connecting, they can access internal web servers but cannot ping them. Which configuration is most likely missing?
16An administrator needs to configure a site-to-site IPsec VPN with a remote FortiGate that has a dynamic IP address. Which phase1 parameter must be set to support this?
17Refer to the exhibit. A tunnel interface is configured with IP 10.0.1.1/30 and remote-ip 10.0.1.2/30. The phase2 defines src-subnet as 10.0.1.0/30 and dst-subnet as 10.0.2.0/30. What is the most likely problem with this configuration?
18Refer to the exhibit. Users report that they cannot log in to the SSL VPN portal. The stats show 15 login failures with reason 'auth_fail'. What is the most likely cause?
19Which TWO features are required to implement an always-on SSL VPN tunnel with FortiGate that automatically reconnects when the user's network changes?
20Which THREE conditions must be met for an IPsec VPN to successfully establish phase2?
21An administrator is configuring SSL VPN on FortiGate and wants to allow users to access internal applications via a web portal without installing any client software. Which SSL VPN mode should be used?
22A FortiGate is configured with an IPsec VPN that uses certificate-based authentication. The VPN fails to establish. The administrator checks the phase1 debug and sees the message: 'no suitable certificate found'. What is the most likely cause?
23A company has two FortiGate devices at different sites connected via an IPsec VPN tunnel using IKEv2. The tunnel is established but intermittent packet loss is observed. Which two configuration changes should be applied to improve stability? (Choose two.)
24Refer to the exhibit. An administrator runs the 'diagnose vpn ike stats' command on a FortiGate. What does the output indicate?
25A multinational company uses FortiGate devices as VPN gateways to connect its headquarters (HQ) and branch offices via IPsec VPN tunnels. The company is migrating its remote access solution from IPsec VPN to SSL VPN using FortiClient. Currently, 500 remote users connect via IPsec VPN with pre-shared keys and XAuth authentication. The migration must be seamless with minimal downtime, and users must continue to authenticate using their existing Active Directory credentials. The SSL VPN portal must provide access to internal web applications and some legacy TCP-based applications that do not support HTTP. The security team requires that all traffic between remote users and the internal network be encrypted and that the SSL VPN use a certificate from a public CA to avoid certificate warnings on client devices. The IT team wants to use FortiToken for two-factor authentication (2FA) for all VPN users. Which of the following is the most appropriate course of action to meet all requirements?
26A company's FortiGate is configured with multiple IPsec VPN tunnels to branch offices. One tunnel keeps dropping and re-establishing every few minutes. The logs show 'IPsec SA negotiation failed' with error 'proposal mismatch'. What is the most likely cause?
27Which TWO configurations are required to enable SSL VPN authentication using a RADIUS server on a FortiGate?
28Refer to the exhibit. A FortiGate administrator has configured an IPsec VPN tunnel to a branch office. The tunnel fails to establish. What is the most likely cause?
29Drag and drop the steps to configure a FortiGate as a DHCP server into the correct order.
30Drag and drop the steps to configure a FortiGate VDOM in multi-VDOM mode into the correct order.
31Match each SD-WAN component to its role.
32Match each Fortinet command to its function.
33A network admin is configuring a hub-and-spoke ADVPN. The spoke FortiGates are behind NAT. After configuring IKE phase 1 with aggressive mode, the spokes can establish VPN tunnels to the hub, but shortcut tunnels between spokes are not forming. What is the MOST likely cause?
34An administrator wants to enforce that only devices with the latest antivirus signatures and a corporate disk encryption solution can access a sensitive application via ZTNA. Which two FortiClient EMS components must be configured? (Choose two.)
35A FortiGate is configured as a SAML SP for user authentication. When a user attempts to access a protected resource, the FortiGate redirects the user to the IdP login page, but after successful authentication, the user is not redirected back to the original resource. What is the MOST likely cause?
36You run the following command on a FortiGate: 'diagnose vpn ike gateway list' and see that the DPD status for a VPN peer is 'dead'. What does this indicate?
37A FortiGate is configured with OSPF over an IPsec VPN tunnel to exchange routes with a remote site. The OSPF neighbor states are stuck in 'INIT' and never progress to 'FULL'. What is the MOST likely cause?
38Which FortiGate feature allows an administrator to define a granular policy based on the security posture of the endpoint device, such as OS version, antivirus status, and disk encryption, before granting access to a protected application?
39An administrator is troubleshooting a ZTNA issue where users are able to authenticate but the application access is still blocked. The ZTNA status on FortiClient shows 'Connected' but the application does not load. What is the MOST likely cause?
40A FortiGate admin is configuring a multi-peer IPsec VPN where the remote site has two ISPs for redundancy. The admin wants to ensure that if the primary ISP fails, the VPN automatically fails over to the secondary ISP without manual intervention. Which feature should be enabled?
41An administrator is deploying ZTNA for a legacy application that uses a fixed IP address and port. Which ZTNA component is responsible for securely proxying traffic from the user to the application without exposing the application's actual network location?
42An administrator wants to enforce that only devices with corporate-owned certificates can establish an IPsec VPN tunnel. Which IPsec authentication method should be configured?
43A FortiGate is configured as a SAML IdP for a partner's cloud application. After configuring the application as a service provider, users report that they are prompted for credentials every time they access the application, even though they already authenticated to FortiGate. What is the MOST likely cause?
44A FortiGate administrator needs to integrate with FortiNAC to enforce network access control for wired and wireless devices. The administrator wants FortiNAC to dynamically assign VLANs based on the device's security posture. Which FortiNAC feature enables this?
45An administrator is configuring a new branch office VPN using IKEv2 with PKI certificates. Which TWO steps are essential to ensure the VPN tunnel establishes successfully?
46A FortiGate is experiencing high CPU usage due to IPsec VPN traffic. The admin wants to offload cryptographic operations to the hardware. Which THREE conditions must be met for hardware acceleration to work? (Choose three.)
47An administrator is deploying ZTNA with FortiClient EMS to secure access to a corporate web application. Which THREE components are required for a successful ZTNA deployment? (Choose three.)
48A network administrator configures a hub-and-spoke ADVPN with FortiGates. Phase 1 and phase 2 settings are correct, and spoke gateways can communicate with the hub. However, shortcut tunnels between spokes are not being established. What is the most likely cause?
49A FortiGate administrator wants to ensure that only devices with an up-to-date antivirus and OS patch level can access a sensitive application published via ZTNA. Which ZTNA component should the administrator configure to enforce this requirement?
50An administrator runs the following CLI command on a FortiGate and sees the output below: diagnose vpn ike gateway list vd: root/0 name: REMOTE_GW vrf: 0 version: 2 state: UP IKE SA: created 1s ago 1.2.3.4:500->5.6.7.8:500 What is the most likely explanation for the IKE SA being created only 1 second ago?
51A company uses FortiClient EMS for endpoint compliance and ZTNA tag assignment. An administrator wants to enforce that only endpoints with a ZTNA tag 'Compliant' can access a specific internal application through ZTNA. Which configuration is required on the FortiGate?
52An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration uses certificates for authentication. The admin sees the following log message: 'Certificate validation failed: unable to get local issuer certificate.' What is the most likely cause?
53A FortiGate administrator configures a multi-peer IPsec VPN with two remote gateways for redundancy. The phase 1 configuration has 'set proposal aes256-sha256' and 'set dpd on-idle'. The tunnel is established but traffic fails over to the backup peer only after a long delay. What change would improve failover time?
54An administrator configures FortiGate as a SAML identity provider (IdP) for a cloud application. The application (SP) initiates the login. Users are redirected to the FortiGate login page and authenticate successfully, but then receive an error from the SP. What is a common cause?
55An organization wants to implement Network Access Control (NAC) using FortiNAC. The goal is to automatically quarantine any device that does not have the latest antivirus definitions. Which FortiNAC component enforces this policy?
56A FortiGate administrator configures a hub-and-spoke VPN with OSPF routing. The spoke FortiGates are learning routes from the hub, but inter-spoke traffic is being routed through the hub instead of using shortcut tunnels. What configuration is missing on the hub to allow ADVPN shortcut establishment?
57An administrator runs the following command on a FortiGate and sees the output: diagnose sys session filter dport 443 diagnose sys session list proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?
58A company wants to use FortiGate as a SAML service provider (SP) for authenticating administrators to the FortiGate GUI. The identity provider (IdP) is Azure AD. After configuration, administrators are redirected to Azure AD login but receive an error that the SAML request is invalid. What is the most likely misconfiguration?
59An administrator configures ZTNA inline CASB to control access to a SaaS application. The goal is to block uploads of files with credit card numbers. The administrator configures a CASB profile with a DLP rule for credit card numbers. However, uploads are not being blocked. What is the most likely reason?
60An administrator needs to configure a FortiGate to act as a SAML identity provider (IdP) for a third-party cloud application (SP). Which TWO settings must be configured on the FortiGate to function as an IdP?
61A network administrator is troubleshooting a scenario where remote users can connect via FortiClient VPN but cannot access internal resources. The FortiGate has a valid IPsec VPN configuration. Which THREE checks should the administrator perform to resolve the issue?
62An administrator configures ZTNA with FortiClient EMS. The goal is to restrict access to an internal application based on device posture. The administrator configures a ZTNA tag for 'Compliant' that checks antivirus and OS patch status. Which TWO additional steps are required on the FortiGate to enforce access based on this tag?
63A network administrator is troubleshooting an IPsec VPN tunnel between Site A (FortiGate) and Site B (third-party VPN peer). The tunnel fails to establish. On FortiGate, phase1 status shows 'up' but phase2 status remains 'down'. What is the MOST likely cause?
64Which feature in FortiOS enables a FortiGate to act as a proxy for client-initiated connections to internal applications without requiring a VPN client, by verifying device posture and user identity?
65An administrator configures a hub-and-spoke ADVPN with FortiGate at the hub and multiple remote sites. After setup, spokes establish shortcuts directly. However, traffic between two spokes consistently goes through the hub even though shortcuts should exist. Running 'diagnose npu np6 ipsec peercache' shows no shortcut entries. What is the MOST likely reason?
66A FortiGate administrator wants to use SAML SSO to authenticate VPN users. The FortiGate will act as the service provider (SP) and an external identity provider (IdP) will be used. Which of the following must be configured on the FortiGate to enable SAML authentication for SSL VPN?
67An administrator configures a ZTNA rule with an inline CASB profile to protect access to a SaaS application. The rule uses a ZTNA tag that requires 'OS Type = Windows' and 'Antivirus = running'. A user with a Windows 10 device and Symantec antivirus running is denied access. What is the MOST likely cause?
68What is the primary purpose of Dead Peer Detection (DPD) in an IPsec VPN configuration?
69A FortiGate administrator receives an error during IPsec VPN configuration: 'Certificate validation failed: certificate uses weak key.' The admin is using a PKI certificate with RSA 2048-bit key. The FortiGate firmware is up-to-date. What is the MOST likely reason for this error?
70An administrator configures OSPF over an IPsec VPN tunnel between two FortiGates. The OSPF adjacency does not form. The tunnel is up and ping works between the loopback interfaces used for OSPF. What is the MOST likely issue?
71In FortiGate's ZTNA, what is the purpose of a 'ZTNA tag'?
72An administrator configures Multi-Peer VPN (MPVPN) on a FortiGate aggregator. The aggregator has two phase1 configurations for the same remote subnet but different peers. The aggregator's routing table shows both peers as next hops. The administrator notices that traffic between the aggregator and the remote subnet is load-balanced across both peers. What is the cause?
73A FortiGate administrator wants to integrate FortiClient EMS to enforce compliance before granting VPN access. The FortiGate is the SSL VPN gateway. Which configuration is required on the FortiGate to use FortiClient's posture check?
74An administrator runs the CLI command 'diagnose vpn ike gateway list' and sees that a phase1 gateway is in 'UP' state, but the 'DPD' field shows 'disabled'. The tunnel is working. What is the implication?
75A FortiGate administrator needs to configure a hub-and-spoke ADVPN with OSPF as the routing protocol over the VPN tunnels. Which TWO steps are required on the hub FortiGate to enable shortcut tunnels?
76An administrator is troubleshooting a ZTNA application access issue. Users can authenticate but cannot reach the internal application via the ZTNA proxy. The FortiGate's ZTNA rule uses a tag requiring 'OS Type = Windows' and 'Antivirus = running'. The device meets both conditions. Which THREE possible reasons could cause the access failure?
77A FortiGate administrator is configuring NAC (Network Access Control) integration with FortiNAC. The goal is to control access for wired clients based on device compliance. Which TWO configurations are required on the FortiGate to support this integration?
78A network administrator has configured an IPsec VPN between two FortiGates using IKEv2 with pre-shared keys. The tunnel establishes successfully, but after a few minutes, traffic stops passing through. The administrator runs 'diagnose vpn ike log' and sees 'DPD timeout' messages. What is the most likely cause of this issue?
79An administrator is configuring a hub-and-spoke ADVPN with FortiGates. The spoke sites use dynamic public IP addresses. The administrator has enabled auto-discovery on the spoke and hub. However, shortcut tunnels are not being established between spokes that communicate frequently. What is the most likely missing configuration?
80A FortiGate administrator wants to integrate ZTNA with FortiClient EMS to control access to an internal application based on device posture. The admin has configured a ZTNA tag in EMS for 'AntiVirus enabled' and created a ZTNA rule in FortiGate. What additional configuration is required on the FortiGate to enforce access based on the ZTNA tag?
81An administrator is troubleshooting a ZTNA access issue. Remote users can connect to the FortiGate's ZTNA proxy, but when they try to access the internal application, they receive a 403 Forbidden error. The administrator has verified that the user is authenticated and the ZTNA rule is configured correctly. What is the most likely cause?
82You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the traffic?
83A FortiGate administrator is configuring OSPF over an IPsec VPN between a hub and a spoke. The OSPF adjacency forms correctly, but routes from the spoke are not being advertised to the hub. The administrator checks the OSPF database on the hub and sees no Type-1 LSAs from the spoke. What is the most likely issue?
84An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal web application. The current network uses FortiGate as the firewall. Which component is required to enforce ZTNA policies on the FortiGate?
85A FortiGate VPN administrator is configuring IKEv2 with certificate-based authentication using a PKI. The administrator has imported the CA certificate and the local certificate onto the FortiGate. When initiating the VPN, the tunnel fails to establish. The CLI log shows 'IKEv2 authentication failed' and 'certificate validation failure'. What is the most likely missing configuration?
86During a routine audit, a FortiGate administrator discovers that all traffic from a specific user group is being denied by a firewall policy. The policy uses a ZTNA rule that requires the device tag 'Compliant'. The administrator checks the user's device in EMS and sees it is tagged as 'Compliant'. However, the traffic is still denied. What could be the problem?
87An administrator wants to use SAML SSO with FortiGate as the Service Provider (SP) to allow users to authenticate via an external IdP. What must be configured first on the FortiGate to establish the SAML trust?
88A FortiGate administrator notices that a VPN tunnel goes down and re-establishes every 30 minutes. The administrator checks the tunnel's phase1 and phase2 lifetimes. The phase1 lifetime is set to 86400 seconds and phase2 to 3600 seconds. What is the most likely cause of the tunnel dropping?
89An administrator is configuring FortiClient EMS to enforce compliance for remote users. The requirement is that all remote devices must have disk encryption enabled. The administrator has created a compliance rule in EMS that checks for 'Full Disk Encryption' and set the action to 'Block'. However, users with unencrypted drives are still able to connect to the VPN. What is the most likely missing configuration?
90A FortiGate administrator needs to ensure that only devices with an updated antivirus can access a sensitive internal application via ZTNA. The administrator has created a ZTNA tag 'AV_Updated' in EMS and configured a ZTNA rule on FortiGate that requires this tag. Which TWO additional steps are necessary to enforce this access control? (Choose two.)
91An administrator is deploying a hub-and-spoke ADVPN with three spoke sites. The spokes have dynamic IP addresses. The hub has a static IP. The administrator wants the spokes to establish direct shortcut tunnels when they communicate with each other. Which THREE conditions must be met for shortcut tunnels to be established? (Choose three.)
92A FortiGate administrator is troubleshooting a VPN tunnel that uses IKEv2 with certificate authentication. The tunnel fails to establish, and the IKE debug shows 'no acceptable proposal' for the initial exchange. Which TWO configuration mismatches could cause this error? (Choose two.)
93A network administrator configured a hub-and-spoke ADVPN with IKEv2. Spoke sites can establish tunnels to the hub, but shortcut tunnels are not being created between spokes. What is the MOST likely cause?
94You run 'diagnose vpn ike gateway list' and see the following: gateway name: HUB_GW version: IKEv2 state: UP mode: main local: 10.0.0.1:500 remote: 203.0.113.5:500 auth: psk dpd: on rekey: 86400 num_peers: 2 total_tunnels: 2 auto-discovery: enabled What does the 'auto-discovery: enabled' indicate about this VPN gateway?
95A FortiGate is configured as a SAML service provider (SP) for user authentication. Users report they are redirected to the identity provider (IdP) for authentication, but after successful login, they are not allowed access to the requested resource. What is the MOST likely cause?
96An administrator wants to enforce that only devices with antivirus software installed and running can access a sensitive application via ZTNA. Which ZTNA feature should be used to verify this requirement?
97A FortiGate administrator configures a hub-and-spoke ADVPN with OSPF over the VPN overlay. Spoke routers receive the OSPF default route from the hub, but cannot reach subnets behind other spokes. What configuration is missing?
98A FortiGate administrator is troubleshooting a ZTNA access proxy issue. The ZTNA rule is configured to require the tag 'AV_Installed' and 'OS_Updated'. Users with compliant devices are still denied access. The admin checks the ZTNA connection monitor and sees 'Tag mismatch'. What is the MOST likely cause?
99A FortiGate administrator is configuring a site-to-site IPsec VPN with IKEv2. The remote peer supports multiple proposals. The administrator wants to ensure that the VPN tunnel uses AES256-GCM for encryption and SHA256 for integrity. Which configuration setting should be used to enforce this preference?
100An organization wants to implement Zero Trust Network Access (ZTNA) for remote users accessing an internal application. The application is hosted on a server that cannot have any client software installed. Which ZTNA deployment method is MOST appropriate?
101An administrator configures BGP over an IPsec VPN between two FortiGates. The BGP session is established, but routes from the remote site are not being installed in the local routing table. The admin verifies that the BGP neighbor configuration is correct and the remote site is advertising routes. What is the MOST likely cause?
102A FortiGate is configured with multiple IPsec VPNs to remote branches. One of the branch VPN tunnels goes down frequently. The administrator runs 'diagnose vpn ike log' and sees repeated INITIAL_CONTACT notifications from the remote peer. What does this indicate?
103A company wants to ensure that only company-managed laptops with up-to-date antivirus can access the internal file server remotely. Which Fortinet solution integrates with FortiGate to enforce device compliance before granting ZTNA access?
104A FortiGate administrator configures a ZTNA access proxy rule to allow access to an internal application only if the user's device has the tag 'Compliant'. The tag is assigned by FortiClient EMS. However, a user with a compliant device is still blocked. The admin sees in the ZTNA logs that the tag is not being received. What should the administrator check FIRST?
105A FortiGate administrator is configuring a hub-and-spoke ADVPN with BGP. The hub has multiple spokes. Which TWO configuration steps are REQUIRED on the hub FortiGate for shortcut tunnels to be established between spokes?
106A company is deploying ZTNA to protect an internal application. They want to ensure that only users with devices that have disk encryption enabled and the latest OS patches can access the application. Which THREE components must be configured to achieve this?
107A FortiGate administrator is troubleshooting an IKEv2 VPN tunnel that fails to establish. The remote peer logs show 'no acceptable proposal' error. Which TWO possible causes should the administrator check?
108A network administrator is configuring a hub-and-spoke ADVPN with FortiGates. The spokes are behind NAT and use dynamic IPs. The hub has a static IP. Which IKEv2 configuration is REQUIRED to allow the spokes to initiate the VPN and receive shortcut tunnels?
109You run 'diagnose vpn ike gateway list' on a FortiGate hub and see the following output for a spoke connection: IKE SA state: ESTABLISHED, IPsec SA state: UP, but the spoke cannot route traffic to other spokes. The ADVPN shortcut tunnel is not being established. What is the MOST likely cause?
110A FortiGate administrator wants to implement ZTNA to control access to an internal application server. Users will access the application via FortiClient. Which configuration step is REQUIRED to allow FortiClient to forward traffic to the ZTNA gateway?
111A FortiGate is configured as a SAML service provider (SP) for SSO. Users authenticate via an external IdP. After successful authentication, the FortiGate should enforce a firewall policy based on the user's group membership. Which FortiGate setting must be enabled to receive group information from the IdP?
112A network administrator is troubleshooting an IPsec VPN between two FortiGates. The phase1 is up, but phase2 keeps failing to establish. The administrator runs 'diagnose vpn ike log' and sees: 'no proposal chosen'. Both sides have the same phase2 configuration: AES256-SHA256, DH group 14, 3600 seconds lifetime. What is the MOST likely cause?
113A FortiGate is configured with a ZTNA access proxy rule for a web application. The administrator wants to enforce that only devices with a specific FortiClient tag (e.g., 'Compliant') can access the application. Where is this tag-based access control configured?
114A FortiGate administrator wants to use Fortinac for network access control. Which of the following is the PRIMARY function of Fortinac in a network?
115. A FortiGate is configured with two VPN tunnels to different remote sites. The administrator notices that traffic is not load-balanced across the tunnels; all traffic uses the first tunnel. The administrator wants to use ECMP (Equal Cost Multi-Path) routing. Which two actions are required? (Choose two.)
116. An administrator is configuring a FortiGate as a SAML Identity Provider (IdP) for a third-party service provider. Which of the following is REQUIRED for the FortiGate IdP configuration?
117. What is the purpose of Dead Peer Detection (DPD) in an IPsec VPN?
118. A FortiGate administrator is configuring a multi-peer IPsec VPN where two remote sites connect to a central hub. The administrator wants to ensure that if one remote site loses connectivity, the other site can still reach the hub. Which configuration is essential?
119. A FortiGate is configured with ZTNA inline CASB to control access to a SaaS application. The administrator wants to block uploads of files containing credit card numbers. Which ZTNA inline CASB feature should be used?
120. A network administrator is configuring a hub-and-spoke ADVPN with BGP over the VPN tunnels. Which TWO conditions are necessary for the spokes to establish direct shortcut tunnels between each other?
121. A FortiGate administrator is troubleshooting a ZTNA problem where users are unable to connect to an internal application via FortiClient. FortiClient reports 'Connection refused'. The FortiGate ZTNA gateway is configured correctly. Which THREE steps should the administrator take to diagnose the issue?
122. A FortiGate is acting as a SAML Service Provider (SP) for user authentication. Which TWO of the following are required for successful SAML SSO?
123. A network administrator is troubleshooting an ADVPN deployment. Spoke FortiGates can communicate with the hub, but shortcut tunnels between spokes are not being established. The administrator verifies that IKE and IPsec settings are correct on all devices. What is the MOST likely cause?
124. An administrator configures a ZTNA proxy rule to allow access to an internal application. Users can connect to the FortiGate ZTNA gateway but receive a '403 Forbidden' error. Which step should the administrator take to resolve the issue?
125. A FortiGate administrator observes the following CLI output from 'diagnose vpn ike gateway list': vd: root/0 name: VPN_TO_HUB version: IKEv2 status: up mode: main DPD: on ... Number of IPsec tunnels: 1 name: phase2_tunnel status: up inbound: 0 bytes outbound: 0 bytes. The tunnel shows up but no traffic is passing. What is the MOST likely cause?
126. An administrator wants to integrate FortiClient EMS with FortiGate for ZTNA. Which protocol must be allowed between FortiGate and FortiClient EMS?
127. A FortiGate is configured as a SAML service provider (SP) for ZTNA. Users authenticate via an external IdP. After authentication, users are not able to access applications even though the ZTNA proxy rule lists them. What should the administrator check FIRST?
128. An administrator configures OSPF over an IPsec VPN overlay between two FortiGates. The OSPF neighbors show a state of 'EXSTART/EXCHANGE' but never reach 'FULL'. The IPsec tunnel is up and passes ICMP traffic. What is the MOST likely cause?
129. An administrator wants to enforce that only devices with antivirus software installed and up-to-date can access the corporate network. Which FortiGate feature should be used?
130. In a hub-and-spoke VPN, spokes cannot communicate with each other directly. The administrator wants to allow direct spoke-to-spoke traffic without routing through the hub. Which technology should be configured?
131. An administrator receives an error when trying to create a ZTNA proxy rule: 'The ZTNA proxy rule requires a valid application mapping.' What does this indicate?
132. A FortiGate has multiple IPsec VPNs to different branch offices. The administrator notices that one VPN tunnel is flapping (going up and down repeatedly). From the CLI, 'diagnose vpn ike gateway list' shows the gateway state as 'up' but then quickly goes to 'down'. What is the MOST likely cause?
133. Which of the following is a requirement for FortiGate to act as a SAML Identity Provider (IdP) for ZTNA?
134. An administrator configures a ZTNA gateway with inline CASB to monitor SaaS applications. Users report that access to Salesforce is blocked. The administrator reviews the ZTNA proxy rule and sees that inline CASB is enabled with a 'monitor-only' action. What is the MOST likely reason for the block?
135. An administrator is configuring FortiClient EMS to enforce compliance for ZTNA. Which TWO settings are required on FortiGate to use compliance-based ZTNA tags?
136. A network engineer is troubleshooting an ADVPN scenario where shortcut tunnels between spokes are not forming. The hub has IKEv2 configured and the spokes are behind NAT. Which THREE conditions must be met for shortcut tunnels to establish?
137. An administrator wants to implement ZTNA with FortiClient EMS to control access to an internal web application. Which TWO components are essential for the ZTNA proxy to function correctly?
138. A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is established but traffic is not passing. The administrator runs 'diagnose vpn ike log' and sees 'no matching policy for this IPsec SA'. What is the most likely cause?
139. An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal application. The application is hosted on a server with IP 10.1.1.100. Which component acts as the intermediary between users and the application in FortiGate ZTNA?
140. A FortiGate administrator is configuring Auto Discovery VPN (ADVPN) in a hub-and-spoke topology. Spokes are FortiGates with dynamic public IPs. Which setting is required on the spoke for it to automatically initiate shortcut tunnels to other spokes when needed?
141. A FortiGate administrator configures a ZTNA rule to allow access to an internal application. The rule uses a ZTNA tag to identify the application server. However, users cannot connect to the application. What is the most likely cause if the ZTNA proxy and firewall policies are correctly configured?
142. An administrator runs 'diagnose vpn ike gateway list' and sees that the IKE SA state is 'UP' but the IPsec SA state is 'DOWN'. The remote peer is a FortiGate. What is the most likely cause of this issue?
143. An organization uses FortiClient EMS to enforce compliance on endpoints. They want to ensure that only devices with updated antivirus definitions can access the corporate VPN. Which FortiClient configuration should be applied?
144. A FortiGate administrator configures SAML SSO with FortiGate as the Service Provider (SP) and an external IdP. Users report that they are prompted for credentials repeatedly without successful authentication. What is the most likely cause?
145. A FortiGate administrator wants to use PKI certificates for IPsec VPN authentication instead of pre-shared keys. Which phase1 parameter must be set to 'signature' to enable certificate-based authentication?
146. An administrator notices that after upgrading FortiOS, the ADVPN shortcut tunnels are no longer being established. The hub and spokes have the same ADVPN configuration as before. What is the most likely cause?
147. A FortiGate administrator configures a ZTNA rule with inline CASB to control access to a SaaS application. Users can access the application but the CASB controls are not being applied. What is the most likely reason?
148. A FortiGate administrator is configuring a multi-peer IPsec VPN (dial-up) for remote users. The administrator wants to assign different IP pools to different groups of users based on their authentication group. Which configuration is required?
149. A FortiGate administrator enables Dead Peer Detection (DPD) on an IPsec VPN tunnel. What is the primary purpose of DPD?
150. A FortiGate administrator is troubleshooting a scenario where remote users can connect to the VPN but cannot access internal resources. The VPN policy is configured correctly. Which TWO steps should the administrator take to diagnose the issue?
151. A FortiGate administrator is configuring OSPF over an IPsec VPN overlay in a hub-and-spoke topology. The spokes have dynamic IPs and use ADVPN. Which THREE conditions are necessary for OSPF to work correctly over the VPN tunnels?
152. A FortiGate administrator wants to integrate FortiClient EMS with FortiGate for ZTNA. Which TWO components must be configured on FortiGate to enable ZTNA access?
153. A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is up but traffic is not passing. The administrator runs 'diagnose vpn ike gateway list' and sees that the IKE SA has been established. However, 'diagnose vpn tunnel list' shows no IPsec SA entries. What is the most likely cause?
154. An administrator wants to ensure that FortiGate validates the identity of the remote VPN peer using a certificate during IKEv2 phase 1. Which authentication method should the administrator select in the IPsec phase 1 configuration?
155. In a hub-and-spoke ADVPN deployment, the spoke FortiGates are configured with IKEv2 and the hub has ADVPN enabled. After initial setup, spokes communicate through the hub. The administrator wants to enable shortcut tunnels so that spokes can directly communicate. What additional configuration is required on the spokes?
156. A FortiGate is configured as a ZTNA proxy for an internal web application. The client's device posture check fails due to an outdated antivirus definition. The administrator wants to block access but still display a warning page. Which ZTNA access rule action should be used?
157. In a Fortinet ZTNA deployment, which component is responsible for forwarding decrypted traffic to the internal application server after the FortiGate proxy has performed SSL inspection?
158. An administrator has configured FortiGate as a SAML service provider (SP) for VPN authentication. Users are prompted for credentials but authentication fails even though they can authenticate directly at the IdP portal. What is the most likely misconfiguration?
159. A FortiGate administrator runs the following commands on a FortiGate and sees the output: diagnose sys session filter dport 443; diagnose sys session list; proto=6 proto_state=01 duration=3600 expire=3599. What does this output indicate about the session?
160. In a hub-and-spoke VPN using OSPF over the overlay, the hub FortiGate learns routes from spoke1 and advertises them to spoke2. However, spoke2's routing table shows the route with a next-hop of the hub's tunnel IP, not spoke1's tunnel IP. What should the administrator configure to allow spoke2 to reach spoke1 directly (using ADVPN shortcut)?
161. A FortiGate is configured with FortiClient EMS to enforce ZTNA posture checks. The administrator finds that some Windows 10 clients are not reporting their antivirus status correctly, causing them to be blocked. However, the clients have antivirus installed and running. What is the most likely cause?
162. An administrator wants to use FortiGate as a SAML identity provider (IdP) for a third-party service. Which configuration is required on FortiGate?
163. A FortiGate administrator sees the following syslog message repeatedly: 'IPsec phase 2 failed to establish SA with peer due to proposal mismatch.' The administrator has already verified that the phase 2 parameters (encryption, authentication, PFS, and lifetime) match on both sides. What else should the administrator check?
164. An administrator is configuring ZTNA inline CASB for a SaaS application. The goal is to block upload of files containing credit card numbers. Which configuration components are required?
165. A FortiGate is configured as a ZTNA proxy. The administrator wants to ensure that only devices with a specific ZTNA tag assigned by FortiClient EMS are allowed to access the application. Which two configuration steps are required? (Choose two.)
166. An administrator is deploying ADVPN with a hub-and-spoke topology. The hub FortiGate is configured with 'set auto-discovery enable' and 'set add-route enable'. Spokes have 'set auto-discovery-sender enable'. However, shortcut tunnels are not being established. Which two additional conditions must be met for shortcut tunnels to form? (Choose two.)
167. A FortiGate administrator is troubleshooting an IPsec VPN that uses IKEv2 with certificate authentication. The VPN fails to establish. The administrator runs 'diagnose vpn ike gateway list' and sees the gateway state is 'IKE_INIT'. Which three possible causes should the administrator investigate? (Choose three.)
168. A network administrator configures an IPsec VPN between two FortiGates using IKEv2. The tunnel establishes, but after a period of inactivity, traffic stops passing and the logs show 'IPsec phase 1 down'. The administrator wants to ensure the tunnel is quickly re-established when traffic resumes. Which setting should be configured?
169. An administrator is troubleshooting an ADVPN scenario where spoke FortiGates are behind NAT. The shortcut tunnels are not forming between spokes. The hub has the appropriate ADVPN stage settings. What is the most likely cause of the shortcut failure?
170. A FortiGate is configured as a SAML Identity Provider (IdP) for a remote user accessing a web application via ZTNA. The user authenticates successfully, but the ZTNA proxy logs show 'access denied' for the user. Which configuration element is most likely missing or misconfigured?
171. An administrator wants to ensure that only devices with up-to-date antivirus software can access a sensitive application via ZTNA. Which FortiGate feature should be used to enforce this requirement?
172. A FortiGate administrator runs the following diagnostic command: 'diagnose vpn ike gateway list'. The output shows a gateway with state 'down'. The administrator verifies that the peer is reachable and the pre-shared key is correct. What is a possible reason for the gateway state being 'down'?
173. An administrator configures a multi-peer IPsec VPN on FortiGate for redundancy. The primary peer is 10.1.1.1 and the secondary is 10.1.1.2. The administrator notices that when the primary peer goes down, the FortiGate does not fail over to the secondary peer until the IKE SA times out (about 60 seconds). Which setting can reduce this failover time?
174. A FortiGate is configured as a ZTNA proxy for a web application. Users report that after authenticating, they receive a '502 Bad Gateway' error. What is the most likely cause?
175. An administrator needs to integrate FortiGate with FortiNAC for network access control. The goal is to dynamically quarantine endpoints that have out-of-date antivirus software. Which component is responsible for enforcing the quarantine on the network?
176. A FortiGate is the SAML Service Provider (SP) for a ZTNA application. The IdP is Azure AD. After successful authentication, the user is redirected to the ZTNA proxy with a '403 Forbidden' error. The ZTNA rule has the correct groups allowed. What is the most likely missing configuration?
177. An administrator configures OSPF over an IPsec VPN overlay between two FortiGates. The OSPF neighbors form, but routes learned from the remote site are not appearing in the routing table. What is the most likely cause?
178. A FortiGate administrator wants to use PKI certificates for IKEv2 authentication instead of pre-shared keys. Which phase1 configuration parameter must be changed to support certificate-based authentication?
179. An administrator configures a hub-and-spoke ADVPN with IBGP over the VPN overlays. The spokes receive the default route from the hub, but they cannot reach each other directly. The administrator wants spoke-to-spoke traffic to use shortcut tunnels. Which additional configuration is required on the hub?
180. A FortiGate administrator needs to block an application (e.g., Facebook) while allowing HTTPS traffic for ZTNA users. Which TWO configurations are required to achieve this?
181. An administrator has a FortiGate hub with multiple spoke FortiGates in an ADVPN topology. The spokes are behind NAT and have dynamic public IPs. The hub is configured with a static IP. Which THREE steps are necessary for the spokes to establish a shortcut tunnel between each other?
182. A FortiGate is configured as a ZTNA proxy for an internal application. Users authenticate via SAML with FortiGate as the IdP. The administrator wants to enforce that only devices with a valid ZTNA tag can access the application. Which TWO configurations are required?
183. A network administrator is configuring an ADVPN hub-and-spoke topology. The hub is FortiGate-A and the spokes are FortiGate-B and FortiGate-C. The administrator wants spoke-to-spoke traffic to dynamically establish direct tunnels when needed. Which two settings must be enabled on the hub's phase 1 interface to support this?
184. An administrator is troubleshooting an IPsec VPN tunnel that connects a branch office to the main office. The tunnel is down. The administrator runs 'diagnose vpn ike gateway list' and sees the following output: IKE gateway: branch state: down DPD: enabled DPD retrycount: 3 DPD retryinterval: 10. What does the DPD configuration indicate?
185. A FortiGate has an IPsec VPN with a remote peer that uses IKEv2. The administrator wants to ensure that child SA rekeying uses PFS (Perfect Forward Secrecy) with Diffie-Hellman group 14. Which CLI command should the administrator configure on the FortiGate's phase 2 proposal?
186. A FortiGate administrator is configuring ZTNA to provide secure access to an internal application. The application is hosted on a server with IP 10.0.1.100 and port 8080. The administrator creates a ZTNA rule on the FortiGate as an access proxy. What is the correct configuration for the ZTNA rule's 'Application Access' entry?
187. An administrator wants to enforce that only managed FortiClient endpoints with up-to-date antivirus and a specific OS version can access a sensitive internal network via IPsec VPN. Which feature should be used to achieve this?
188. A FortiGate is configured as a SAML identity provider (IdP) for a partner's SaaS application (SP). Users authenticate via FortiGate's local user database. The administrator successfully tests the SAML flow, but after some time, users are prompted to re-authenticate frequently. What is the most likely cause?
189. An administrator has configured an OSPF overlay over an IPsec VPN between two FortiGates. The OSPF neighbors are established, but routes from one side are not being installed in the routing table on the other side. 'get router info ospf neighbor' shows FULL state. What is the most likely cause?
190. A FortiGate administrator is using FortiNAC to enforce network access control for wired endpoints. The administrator wants to quarantine any endpoint that fails antivirus compliance. Which action should be configured in the FortiNAC policy to achieve this?
191. An administrator wants to configure a multi-peer IPsec VPN where one FortiGate (hub) connects to multiple remote FortiGates (spokes) using a single phase 1 interface with dynamic IP addresses. Which configuration is required on the hub?
192. A ZTNA rule is configured to allow access to an internal application only if the client device has the ZTNA tag 'Compliant' and the user is authenticated via SAML. The FortiGate is acting as ZTNA proxy. A user successfully authenticates but the device is not tagged. What happens when the user tries to access the application?
193. An administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is up, but traffic is not passing. The administrator runs 'diagnose vpn tunnel list' and sees that both phase 1 and phase 2 are up. The policy allows traffic from both sides. What should the administrator check next?
194. An administrator is configuring a hub-and-spoke ADVPN with IBGP as the overlay routing protocol. The hub is configured as a route reflector. Which two conditions must be met for a shortcut tunnel to be established between two spokes? (Choose TWO)
195. An administrator wants to implement ZTNA inline CASB to control access to a SaaS application (e.g., Office 365). Which three components are required for this setup? (Choose THREE)
196. An administrator is troubleshooting an IPsec VPN tunnel that uses PKI certificates for authentication. The tunnel fails to establish. The administrator checks the certificates and finds that the local certificate is valid and the CA certificate is trusted. Which two additional checks should the administrator perform? (Choose TWO)
197. A company wants to provide external contractors with access to a specific internal web application without granting full network access. The solution must authenticate the user, verify device compliance, and log all access. Which three Fortinet features should be combined to meet these requirements? (Choose THREE)
198. A network administrator is troubleshooting an IPsec VPN tunnel that is not coming up. The configuration uses IKEv2 with pre-shared keys. The administrator runs 'diagnose vpn ike log-filter' and sees no logs. What is the most likely cause?
199. A FortiGate administrator configures a hub-and-spoke ADVPN network. Spokes are behind NAT. After deployment, spokes can communicate with each other only through the hub. What must be configured to allow spokes to establish direct shortcut tunnels?
200. An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal application. The application is accessed via HTTPS. Which component must be configured on the FortiGate to act as a reverse proxy for the application?
201. A FortiGate administrator configures SAML SSO with FortiGate as the Identity Provider (IdP). Users are redirected to the FortiGate login page, but after successful authentication, they are not redirected back to the service provider. What is a likely cause?
202. An administrator wants to enforce that only devices with up-to-date antivirus software can access corporate resources via ZTNA. Which FortiClient feature should be used to enforce this requirement?
203. A FortiGate administrator is configuring a multi-peer IPsec VPN where two remote sites (Site A and Site B) connect to a central hub. The administrator wants to ensure that if the primary peer for a site goes down, traffic automatically fails over to the backup peer. Which TWO settings must be configured on the hub's phase1?
204. An organization uses FortiNAC for network access control. They want to enforce that only corporate-managed devices with up-to-date patches can access the production VLAN. Which THREE components must be integrated or configured?
205. A company is deploying ZTNA to replace their legacy VPN. They want to ensure that only users with a valid certificate and compliant antivirus can access the internal application. Which TWO components are required on the FortiGate for this deployment?
206. A FortiGate is configured as the SAML Identity Provider (IdP) for a cloud application. The administrator wants to enforce device compliance as part of authentication. Which THREE steps must be taken?
207. An administrator is troubleshooting an OSPF over IPsec VPN overlay. The OSPF neighbor state is stuck in EXSTART. The VPN tunnel is up. Which TWO issues could cause this?
The Advanced VPN and Zero Trust domain covers the key concepts tested in this area of the NSE7 exam blueprint published by Fortinet. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all NSE7 domains — no account required.
The Courseiva NSE7 question bank contains 207 questions in the Advanced VPN and Zero Trust domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Advanced VPN and Zero Trust domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.