
Advanced VPN and Zero Trust

Practice NSE7 Advanced VPN and Zero Trust questions with full explanations on every answer.

207 questions


All NSE7 Advanced VPN and Zero Trust questions (207)


1

A company is implementing Zero Trust Network Access using Fortinet's ZTNA solution. They have deployed a FortiGate as the ZTNA gateway and are using FortiClient as the ZTNA agent. Users report that they can initiate ZTNA connections but the connections drop after a few minutes. The FortiGate logs show that the ZTNA session is being terminated due to an endpoint compliance check failure. Which action should the administrator take to resolve this issue?

2

During a ZTNA deployment, an administrator notices that traffic from a specific internal application is being routed through the ZTNA gateway but is not reaching the destination server. The FortiGate policy allows the traffic, and the client has a valid ZTNA connection. What is the most likely cause of the issue?

3

An organization is designing a Zero Trust Network Access solution with Fortinet. They want to ensure that only devices with up-to-date antivirus software can access sensitive applications. Which component is responsible for enforcing this requirement?

4

A company uses FortiGate ZTNA to provide remote access to an internal web application. The application requires client certificates for authentication. The administrator has configured the ZTNA rule to use certificate authentication. However, users report that they are prompted for credentials repeatedly. What is the most likely cause?

5

In a Zero Trust Network Access architecture, which component acts as the policy enforcement point for access decisions?

6

An administrator is troubleshooting a ZTNA connection issue where a user can access the ZTNA gateway but the connection to the internal application fails after a few seconds. The FortiGate logs show 'ZTNA session timeout' but the timeout value is set to 30 minutes. What could be the reason?

7

A company wants to deploy ZTNA to secure access to internal applications for remote employees. They have a FortiGate with a public IP and internal servers. Which deployment mode should they choose to minimize changes to existing firewall rules?

8

During a ZTNA implementation, the administrator configures a ZTNA rule for an internal application but users cannot connect. The FortiGate policy is correct and the application is reachable from the FortiGate. What is the most likely misconfiguration?

9

Which TWO of the following are required components for a Fortinet ZTNA solution? (Select two.)

10

Which THREE of the following are valid methods to deliver ZTNA tags to FortiClient? (Select three.)

11

Which TWO of the following can be used to authenticate users in a ZTNA connection? (Select two.)

12

A multinational corporation is implementing ZTNA for remote access to a critical internal application hosted on a server with IP 10.0.1.200:8443. The FortiGate is deployed at the edge with WAN IP 203.0.113.50. The administrator configures a ZTNA rule with proxy destination 10.0.1.200:8443, a firewall policy allowing traffic from the ZTNA gateway to the internal server, and a VIP for port forwarding for testing. However, remote users report that they can establish a ZTNA connection to the gateway but the application page fails to load, showing a blank page after a long delay. The FortiGate logs show no errors, and the debug output indicates that the proxy successfully forwarded the request to 10.0.1.200:8443 and received a response. The internal server team confirms the application is working correctly for on-site users. What is the most likely cause?

13

A healthcare provider is deploying ZTNA to secure access to an internal electronic health records (EHR) system. The EHR system is composed of multiple web services running on different ports behind a load balancer with IP 10.0.10.100. The load balancer listens on ports 443, 8443, and 9090. The administrator configures a single ZTNA rule with proxy destination 10.0.10.100:443, expecting that the other ports will be accessed via the same rule. However, users report that they can only access the service on port 443; connections to ports 8443 and 9090 fail. The FortiGate logs show that requests to other ports are being dropped. What should the administrator do to resolve this?

14

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGate devices. The tunnel is established, but traffic is not passing. Which configuration should the administrator check first?

15

A company uses SSL VPN with FortiGate for remote access. Users report that after connecting, they can access internal web servers but cannot ping them. Which configuration is most likely missing?

16

An administrator needs to configure a site-to-site IPsec VPN with a remote FortiGate that has a dynamic IP address. Which phase1 parameter must be set to support this?

17

Refer to the exhibit. A tunnel interface is configured with IP 10.0.1.1/30 and remote-ip 10.0.1.2/30. The phase2 defines src-subnet as 10.0.1.0/30 and dst-subnet as 10.0.2.0/30. What is the most likely problem with this configuration?

18

Refer to the exhibit. Users report that they cannot log in to the SSL VPN portal. The stats show 15 login failures with reason 'auth_fail'. What is the most likely cause?

19

Which TWO features are required to implement an always-on SSL VPN tunnel with FortiGate that automatically reconnects when the user's network changes?

20

Which THREE conditions must be met for an IPsec VPN to successfully establish phase2?

21

An administrator is configuring SSL VPN on FortiGate and wants to allow users to access internal applications via a web portal without installing any client software. Which SSL VPN mode should be used?

22

A FortiGate is configured with an IPsec VPN that uses certificate-based authentication. The VPN fails to establish. The administrator checks the phase1 debug and sees the message: 'no suitable certificate found'. What is the most likely cause?

23

A company has two FortiGate devices at different sites connected via an IPsec VPN tunnel using IKEv2. The tunnel is established but intermittent packet loss is observed. Which two configuration changes should be applied to improve stability? (Choose two.)

24

Refer to the exhibit. An administrator runs the 'diagnose vpn ike stats' command on a FortiGate. What does the output indicate?

25

A multinational company uses FortiGate devices as VPN gateways to connect its headquarters (HQ) and branch offices via IPsec VPN tunnels. The company is migrating its remote access solution from IPsec VPN to SSL VPN using FortiClient. Currently, 500 remote users connect via IPsec VPN with pre-shared keys and XAuth authentication. The migration must be seamless with minimal downtime, and users must continue to authenticate using their existing Active Directory credentials. The SSL VPN portal must provide access to internal web applications and some legacy TCP-based applications that do not support HTTP. The security team requires that all traffic between remote users and the internal network be encrypted and that the SSL VPN use a certificate from a public CA to avoid certificate warnings on client devices. The IT team wants to use FortiToken for two-factor authentication (2FA) for all VPN users. Which of the following is the most appropriate course of action to meet all requirements?

26

A company's FortiGate is configured with multiple IPsec VPN tunnels to branch offices. One tunnel keeps dropping and re-establishing every few minutes. The logs show 'IPsec SA negotiation failed' with error 'proposal mismatch'. What is the most likely cause?

27

Which TWO configurations are required to enable SSL VPN authentication using a RADIUS server on a FortiGate?

28

Refer to the exhibit. A FortiGate administrator has configured an IPsec VPN tunnel to a branch office. The tunnel fails to establish. What is the most likely cause?

29

Drag and drop the steps to configure a FortiGate as a DHCP server into the correct order.

30

Drag and drop the steps to configure a FortiGate VDOM in multi-VDOM mode into the correct order.

31

Match each SD-WAN component to its role.

32

Match each Fortinet command to its function.

33

A network admin is configuring a hub-and-spoke ADVPN. The spoke FortiGates are behind NAT. After configuring IKE phase 1 with aggressive mode, the spokes can establish VPN tunnels to the hub, but shortcut tunnels between spokes are not forming. What is the MOST likely cause?

34

An administrator wants to enforce that only devices with the latest antivirus signatures and a corporate disk encryption solution can access a sensitive application via ZTNA. Which two FortiClient EMS components must be configured? (Choose two.)

35

A FortiGate is configured as a SAML SP for user authentication. When a user attempts to access a protected resource, the FortiGate redirects the user to the IdP login page, but after successful authentication, the user is not redirected back to the original resource. What is the MOST likely cause?

36

You run the following command on a FortiGate: 'diagnose vpn ike gateway list' and see that the DPD status for a VPN peer is 'dead'. What does this indicate?

37

A FortiGate is configured with OSPF over an IPsec VPN tunnel to exchange routes with a remote site. The OSPF neighbor states are stuck in 'INIT' and never progress to 'FULL'. What is the MOST likely cause?

38

Which FortiGate feature allows an administrator to define a granular policy based on the security posture of the endpoint device, such as OS version, antivirus status, and disk encryption, before granting access to a protected application?

39

An administrator is troubleshooting a ZTNA issue where users are able to authenticate but the application access is still blocked. The ZTNA status on FortiClient shows 'Connected' but the application does not load. What is the MOST likely cause?

40

A FortiGate admin is configuring a multi-peer IPsec VPN where the remote site has two ISPs for redundancy. The admin wants to ensure that if the primary ISP fails, the VPN automatically fails over to the secondary ISP without manual intervention. Which feature should be enabled?

41

An administrator is deploying ZTNA for a legacy application that uses a fixed IP address and port. Which ZTNA component is responsible for securely proxying traffic from the user to the application without exposing the application's actual network location?

42

An administrator wants to enforce that only devices with corporate-owned certificates can establish an IPsec VPN tunnel. Which IPsec authentication method should be configured?

43

A FortiGate is configured as a SAML IdP for a partner's cloud application. After configuring the application as a service provider, users report that they are prompted for credentials every time they access the application, even though they already authenticated to FortiGate. What is the MOST likely cause?

44

A FortiGate administrator needs to integrate with FortiNAC to enforce network access control for wired and wireless devices. The administrator wants FortiNAC to dynamically assign VLANs based on the device's security posture. Which FortiNAC feature enables this?

45

An administrator is configuring a new branch office VPN using IKEv2 with PKI certificates. Which TWO steps are essential to ensure the VPN tunnel establishes successfully?

46

A FortiGate is experiencing high CPU usage due to IPsec VPN traffic. The admin wants to offload cryptographic operations to the hardware. Which THREE conditions must be met for hardware acceleration to work? (Choose three.)

47

An administrator is deploying ZTNA with FortiClient EMS to secure access to a corporate web application. Which THREE components are required for a successful ZTNA deployment? (Choose three.)

48

A network administrator configures a hub-and-spoke ADVPN with FortiGates. Phase 1 and phase 2 settings are correct, and spoke gateways can communicate with the hub. However, shortcut tunnels between spokes are not being established. What is the most likely cause?

49

A FortiGate administrator wants to ensure that only devices with an up-to-date antivirus and OS patch level can access a sensitive application published via ZTNA. Which ZTNA component should the administrator configure to enforce this requirement?

50

An administrator runs the following CLI command on a FortiGate and sees the output below:

    diagnose vpn ike gateway list
    vd: root/0
    name: REMOTE_GW
    vrf: 0
    version: 2
    state: UP
    IKE SA: created 1s ago 1.2.3.4:500->5.6.7.8:500

What is the most likely explanation for the IKE SA being created only 1 second ago?

51

A company uses FortiClient EMS for endpoint compliance and ZTNA tag assignment. An administrator wants to enforce that only endpoints with a ZTNA tag 'Compliant' can access a specific internal application through ZTNA. Which configuration is required on the FortiGate?

52

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration uses certificates for authentication. The admin sees the following log message: 'Certificate validation failed: unable to get local issuer certificate.' What is the most likely cause?

53

A FortiGate administrator configures a multi-peer IPsec VPN with two remote gateways for redundancy. The phase 1 configuration has 'set proposal aes256-sha256' and 'set dpd on-idle'. The tunnel is established but traffic fails over to the backup peer only after a long delay. What change would improve failover time?

54

An administrator configures FortiGate as a SAML identity provider (IdP) for a cloud application. The application (SP) initiates the login. Users are redirected to the FortiGate login page and authenticate successfully, but then receive an error from the SP. What is a common cause?

55

An organization wants to implement Network Access Control (NAC) using FortiNAC. The goal is to automatically quarantine any device that does not have the latest antivirus definitions. Which FortiNAC component enforces this policy?

56

A FortiGate administrator configures a hub-and-spoke VPN with OSPF routing. The spoke FortiGates are learning routes from the hub, but inter-spoke traffic is being routed through the hub instead of using shortcut tunnels. What configuration is missing on the hub to allow ADVPN shortcut establishment?

57

An administrator runs the following commands on a FortiGate and sees the output:

    diagnose sys session filter dport 443
    diagnose sys session list
    proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

58

A company wants to use FortiGate as a SAML service provider (SP) for authenticating administrators to the FortiGate GUI. The identity provider (IdP) is Azure AD. After configuration, administrators are redirected to Azure AD login but receive an error that the SAML request is invalid. What is the most likely misconfiguration?

59

An administrator configures ZTNA inline CASB to control access to a SaaS application. The goal is to block uploads of files with credit card numbers. The administrator configures a CASB profile with a DLP rule for credit card numbers. However, uploads are not being blocked. What is the most likely reason?

60

An administrator needs to configure a FortiGate to act as a SAML identity provider (IdP) for a third-party cloud application (SP). Which TWO settings must be configured on the FortiGate to function as an IdP?

61

A network administrator is troubleshooting a scenario where remote users can connect via FortiClient VPN but cannot access internal resources. The FortiGate has a valid IPsec VPN configuration. Which THREE checks should the administrator perform to resolve the issue?

62

An administrator configures ZTNA with FortiClient EMS. The goal is to restrict access to an internal application based on device posture. The administrator configures a ZTNA tag for 'Compliant' that checks antivirus and OS patch status. Which TWO additional steps are required on the FortiGate to enforce access based on this tag?

63

A network administrator is troubleshooting an IPsec VPN tunnel between Site A (FortiGate) and Site B (third-party VPN peer). The tunnel fails to establish. On FortiGate, phase1 status shows 'up' but phase2 status remains 'down'. What is the MOST likely cause?

64

Which feature in FortiOS enables a FortiGate to act as a proxy for client-initiated connections to internal applications without requiring a VPN client, by verifying device posture and user identity?

65

An administrator configures a hub-and-spoke ADVPN with FortiGate at the hub and multiple remote sites. After setup, spokes establish shortcuts directly. However, traffic between two spokes consistently goes through the hub even though shortcuts should exist. Running 'diagnose npu np6 ipsec peercache' shows no shortcut entries. What is the MOST likely reason?

66

A FortiGate administrator wants to use SAML SSO to authenticate VPN users. The FortiGate will act as the service provider (SP) and an external identity provider (IdP) will be used. Which of the following must be configured on the FortiGate to enable SAML authentication for SSL VPN?

67

An administrator configures a ZTNA rule with an inline CASB profile to protect access to a SaaS application. The rule uses a ZTNA tag that requires 'OS Type = Windows' and 'Antivirus = running'. A user with a Windows 10 device and Symantec antivirus running is denied access. What is the MOST likely cause?

68

What is the primary purpose of Dead Peer Detection (DPD) in an IPsec VPN configuration?

69

A FortiGate administrator receives an error during IPsec VPN configuration: 'Certificate validation failed: certificate uses weak key.' The admin is using a PKI certificate with RSA 2048-bit key. The FortiGate firmware is up-to-date. What is the MOST likely reason for this error?

70

An administrator configures OSPF over an IPsec VPN tunnel between two FortiGates. The OSPF adjacency does not form. The tunnel is up and ping works between the loopback interfaces used for OSPF. What is the MOST likely issue?

71

In FortiGate's ZTNA, what is the purpose of a 'ZTNA tag'?

72

An administrator configures Multi-Peer VPN (MPVPN) on a FortiGate aggregator. The aggregator has two phase1 configurations for the same remote subnet but different peers. The aggregator's routing table shows both peers as next hops. The administrator notices that traffic between the aggregator and the remote subnet is load-balanced across both peers. What is the cause?

73

A FortiGate administrator wants to integrate FortiClient EMS to enforce compliance before granting VPN access. The FortiGate is the SSL VPN gateway. Which configuration is required on the FortiGate to use FortiClient's posture check?

74

An administrator runs the CLI command 'diagnose vpn ike gateway list' and sees that a phase1 gateway is in 'UP' state, but the 'DPD' field shows 'disabled'. The tunnel is working. What is the implication?

75

A FortiGate administrator needs to configure a hub-and-spoke ADVPN with OSPF as the routing protocol over the VPN tunnels. Which TWO steps are required on the hub FortiGate to enable shortcut tunnels?

76

An administrator is troubleshooting a ZTNA application access issue. Users can authenticate but cannot reach the internal application via the ZTNA proxy. The FortiGate's ZTNA rule uses a tag requiring 'OS Type = Windows' and 'Antivirus = running'. The device meets both conditions. Which THREE possible reasons could cause the access failure?

77

A FortiGate administrator is configuring NAC (Network Access Control) integration with FortiNAC. The goal is to control access for wired clients based on device compliance. Which TWO configurations are required on the FortiGate to support this integration?

78

A network administrator has configured an IPsec VPN between two FortiGates using IKEv2 with pre-shared keys. The tunnel establishes successfully, but after a few minutes, traffic stops passing through. The administrator runs 'diagnose vpn ike log' and sees 'DPD timeout' messages. What is the most likely cause of this issue?

79

An administrator is configuring a hub-and-spoke ADVPN with FortiGates. The spoke sites use dynamic public IP addresses. The administrator has enabled auto-discovery on the spoke and hub. However, shortcut tunnels are not being established between spokes that communicate frequently. What is the most likely missing configuration?

80

A FortiGate administrator wants to integrate ZTNA with FortiClient EMS to control access to an internal application based on device posture. The admin has configured a ZTNA tag in EMS for 'AntiVirus enabled' and created a ZTNA rule in FortiGate. What additional configuration is required on the FortiGate to enforce access based on the ZTNA tag?

81

An administrator is troubleshooting a ZTNA access issue. Remote users can connect to the FortiGate's ZTNA proxy, but when they try to access the internal application, they receive a 403 Forbidden error. The administrator has verified that the user is authenticated and the ZTNA rule is configured correctly. What is the most likely cause?

82

You run 'diagnose sys session filter dport 443' and see the following output:

    proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the traffic?

83

A FortiGate administrator is configuring OSPF over an IPsec VPN between a hub and a spoke. The OSPF adjacency forms correctly, but routes from the spoke are not being advertised to the hub. The administrator checks the OSPF database on the hub and sees no Type-1 LSAs from the spoke. What is the most likely issue?

84

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal web application. The current network uses FortiGate as the firewall. Which component is required to enforce ZTNA policies on the FortiGate?

85

A FortiGate VPN administrator is configuring IKEv2 with certificate-based authentication using a PKI. The administrator has imported the CA certificate and the local certificate onto the FortiGate. When initiating the VPN, the tunnel fails to establish. The CLI log shows 'IKEv2 authentication failed' and 'certificate validation failure'. What is the most likely missing configuration?

86

During a routine audit, a FortiGate administrator discovers that all traffic from a specific user group is being denied by a firewall policy. The policy uses a ZTNA rule that requires the device tag 'Compliant'. The administrator checks the user's device in EMS and sees it is tagged as 'Compliant'. However, the traffic is still denied. What could be the problem?

87

An administrator wants to use SAML SSO with FortiGate as the Service Provider (SP) to allow users to authenticate via an external IdP. What must be configured first on the FortiGate to establish the SAML trust?

88

A FortiGate administrator notices that a VPN tunnel goes down and re-establishes every 30 minutes. The administrator checks the tunnel's phase1 and phase2 lifetimes. The phase1 lifetime is set to 86400 seconds and phase2 to 3600 seconds. What is the most likely cause of the tunnel dropping?

89

An administrator is configuring FortiClient EMS to enforce compliance for remote users. The requirement is that all remote devices must have disk encryption enabled. The administrator has created a compliance rule in EMS that checks for 'Full Disk Encryption' and set the action to 'Block'. However, users with unencrypted drives are still able to connect to the VPN. What is the most likely missing configuration?

90

A FortiGate administrator needs to ensure that only devices with an updated antivirus can access a sensitive internal application via ZTNA. The administrator has created a ZTNA tag 'AV_Updated' in EMS and configured a ZTNA rule on FortiGate that requires this tag. Which TWO additional steps are necessary to enforce this access control? (Choose two.)

91

An administrator is deploying a hub-and-spoke ADVPN with three spoke sites. The spokes have dynamic IP addresses. The hub has a static IP. The administrator wants the spokes to establish direct shortcut tunnels when they communicate with each other. Which THREE conditions must be met for shortcut tunnels to be established? (Choose three.)

92

A FortiGate administrator is troubleshooting a VPN tunnel that uses IKEv2 with certificate authentication. The tunnel fails to establish, and the IKE debug shows 'no acceptable proposal' for the initial exchange. Which TWO configuration mismatches could cause this error? (Choose two.)

93

A network administrator configured a hub-and-spoke ADVPN with IKEv2. Spoke sites can establish tunnels to the hub, but shortcut tunnels are not being created between spokes. What is the MOST likely cause?

94

You run 'diagnose vpn ike gateway list' and see the following:

    gateway
      name: HUB_GW
      version: IKEv2
      state: UP
      mode: main
      local: 10.0.0.1:500
      remote: 203.0.113.5:500
      auth: psk
      dpd: on
      rekey: 86400
      num_peers: 2
      total_tunnels: 2
      auto-discovery: enabled

What does the 'auto-discovery: enabled' indicate about this VPN gateway?

95

A FortiGate is configured as a SAML service provider (SP) for user authentication. Users report they are redirected to the identity provider (IdP) for authentication, but after successful login, they are not allowed access to the requested resource. What is the MOST likely cause?

96

An administrator wants to enforce that only devices with antivirus software installed and running can access a sensitive application via ZTNA. Which ZTNA feature should be used to verify this requirement?

97

A FortiGate administrator configures a hub-and-spoke ADVPN with OSPF over the VPN overlay. Spoke routers receive the OSPF default route from the hub, but cannot reach subnets behind other spokes. What configuration is missing?

98

A FortiGate administrator is troubleshooting a ZTNA access proxy issue. The ZTNA rule is configured to require the tag 'AV_Installed' and 'OS_Updated'. Users with compliant devices are still denied access. The admin checks the ZTNA connection monitor and sees 'Tag mismatch'. What is the MOST likely cause?

99

A FortiGate administrator is configuring a site-to-site IPsec VPN with IKEv2. The remote peer supports multiple proposals. The administrator wants to ensure that the VPN tunnel uses AES256-GCM for encryption and SHA256 for integrity. Which configuration setting should be used to enforce this preference?

100

An organization wants to implement Zero Trust Network Access (ZTNA) for remote users accessing an internal application. The application is hosted on a server that cannot have any client software installed. Which ZTNA deployment method is MOST appropriate?

101

An administrator configures BGP over an IPsec VPN between two FortiGates. The BGP session is established, but routes from the remote site are not being installed in the local routing table. The admin verifies that the BGP neighbor configuration is correct and the remote site is advertising routes. What is the MOST likely cause?

102

A FortiGate is configured with multiple IPsec VPNs to remote branches. One of the branch VPN tunnels goes down frequently. The administrator runs 'diagnose vpn ike log' and sees repeated INITIAL_CONTACT notifications from the remote peer. What does this indicate?

103

A company wants to ensure that only company-managed laptops with up-to-date antivirus can access the internal file server remotely. Which Fortinet solution integrates with FortiGate to enforce device compliance before granting ZTNA access?

104

A FortiGate administrator configures a ZTNA access proxy rule to allow access to an internal application only if the user's device has the tag 'Compliant'. The tag is assigned by FortiClient EMS. However, a user with a compliant device is still blocked. The admin sees in the ZTNA logs that the tag is not being received. What should the administrator check FIRST?

105

A FortiGate administrator is configuring a hub-and-spoke ADVPN with BGP. The hub has multiple spokes. Which TWO configuration steps are REQUIRED on the hub FortiGate for shortcut tunnels to be established between spokes?

106

A company is deploying ZTNA to protect an internal application. They want to ensure that only users with devices that have disk encryption enabled and the latest OS patches can access the application. Which THREE components must be configured to achieve this?

107

A FortiGate administrator is troubleshooting an IKEv2 VPN tunnel that fails to establish. The remote peer logs show 'no acceptable proposal' error. Which TWO possible causes should the administrator check?

108

A network administrator is configuring a hub-and-spoke ADVPN with FortiGates. The spokes are behind NAT and use dynamic IPs. The hub has a static IP. Which IKEv2 configuration is REQUIRED to allow the spokes to initiate the VPN and receive shortcut tunnels?

109

You run 'diagnose vpn ike gateway list' on a FortiGate hub and see the following output for a spoke connection: IKE SA state: ESTABLISHED, IPsec SA state: UP, but the spoke cannot route traffic to other spokes. The ADVPN shortcut tunnel is not being established. What is the MOST likely cause?

110

A FortiGate administrator wants to implement ZTNA to control access to an internal application server. Users will access the application via FortiClient. Which configuration step is REQUIRED to allow FortiClient to forward traffic to the ZTNA gateway?

111

A FortiGate is configured as a SAML service provider (SP) for SSO. Users authenticate via an external IdP. After successful authentication, the FortiGate should enforce a firewall policy based on the user's group membership. Which FortiGate setting must be enabled to receive group information from the IdP?

112

A network administrator is troubleshooting an IPsec VPN between two FortiGates. The phase1 is up, but phase2 keeps failing to establish. The administrator runs 'diagnose vpn ike log' and sees: 'no proposal chosen'. Both sides have the same phase2 configuration: AES256-SHA256, DH group 14, 3600 seconds lifetime. What is the MOST likely cause?

113

A FortiGate is configured with a ZTNA access proxy rule for a web application. The administrator wants to enforce that only devices with a specific FortiClient tag (e.g., 'Compliant') can access the application. Where is this tag-based access control configured?

114

A FortiGate administrator wants to use FortiNAC for network access control. Which of the following is the PRIMARY function of FortiNAC in a network?

115

A FortiGate is configured with two VPN tunnels to different remote sites. The administrator notices that traffic is not load-balanced across the tunnels; all traffic uses the first tunnel. The administrator wants to use ECMP (Equal Cost Multi-Path) routing. Which two actions are required? (Choose two.)

116

An administrator is configuring a FortiGate as a SAML Identity Provider (IdP) for a third-party service provider. Which of the following is REQUIRED for the FortiGate IdP configuration?

117

What is the purpose of Dead Peer Detection (DPD) in an IPsec VPN?

118

A FortiGate administrator is configuring a multi-peer IPsec VPN where two remote sites connect to a central hub. The administrator wants to ensure that if one remote site loses connectivity, the other site can still reach the hub. Which configuration is essential?

119

A FortiGate is configured with ZTNA inline CASB to control access to a SaaS application. The administrator wants to block uploads of files containing credit card numbers. Which ZTNA inline CASB feature should be used?

120

A network administrator is configuring a hub-and-spoke ADVPN with BGP over the VPN tunnels. Which TWO conditions are necessary for the spokes to establish direct shortcut tunnels between each other?

121

A FortiGate administrator is troubleshooting a ZTNA problem where users are unable to connect to an internal application via FortiClient. FortiClient reports 'Connection refused'. The FortiGate ZTNA gateway is configured correctly. Which THREE steps should the administrator take to diagnose the issue?

122

A FortiGate is acting as a SAML Service Provider (SP) for user authentication. Which TWO of the following are required for successful SAML SSO?

123

A network administrator is troubleshooting an ADVPN deployment. Spoke FortiGates can communicate with the hub, but shortcut tunnels between spokes are not being established. The administrator verifies that IKE and IPsec settings are correct on all devices. What is the MOST likely cause?

124

An administrator configures a ZTNA proxy rule to allow access to an internal application. Users can connect to the FortiGate ZTNA gateway but receive a '403 Forbidden' error. Which step should the administrator take to resolve the issue?

125

A FortiGate administrator observes the following CLI output from 'diagnose vpn ike gateway list':

vd: root/0
name: VPN_TO_HUB
version: IKEv2
status: up
mode: main
DPD: on
...
Number of IPsec tunnels: 1
name: phase2_tunnel
status: up
inbound: 0 bytes
outbound: 0 bytes

The tunnel shows up but no traffic is passing. What is the MOST likely cause?

126

An administrator wants to integrate FortiClient EMS with FortiGate for ZTNA. Which protocol must be allowed between FortiGate and FortiClient EMS?

127

A FortiGate is configured as a SAML service provider (SP) for ZTNA. Users authenticate via an external IdP. After authentication, users are not able to access applications even though the ZTNA proxy rule lists them. What should the administrator check FIRST?

128

An administrator configures OSPF over an IPsec VPN overlay between two FortiGates. The OSPF neighbors show a state of 'EXSTART/EXCHANGE' but never reach 'FULL'. The IPsec tunnel is up and passes ICMP traffic. What is the MOST likely cause?

129

An administrator wants to enforce that only devices with antivirus software installed and up-to-date can access the corporate network. Which FortiGate feature should be used?

130

In a hub-and-spoke VPN, spokes cannot communicate with each other directly. The administrator wants to allow direct spoke-to-spoke traffic without routing through the hub. Which technology should be configured?

131

An administrator receives an error when trying to create a ZTNA proxy rule: 'The ZTNA proxy rule requires a valid application mapping.' What does this indicate?

132

A FortiGate has multiple IPsec VPNs to different branch offices. The administrator notices that one VPN tunnel is flapping (going up and down repeatedly). From the CLI, 'diagnose vpn ike gateway list' shows the gateway state as 'up' but then quickly goes to 'down'. What is the MOST likely cause?

133

Which of the following is a requirement for FortiGate to act as a SAML Identity Provider (IdP) for ZTNA?

134

An administrator configures a ZTNA gateway with inline CASB to monitor SaaS applications. Users report that access to Salesforce is blocked. The administrator reviews the ZTNA proxy rule and sees that inline CASB is enabled with a 'monitor-only' action. What is the MOST likely reason for the block?

135

An administrator is configuring FortiClient EMS to enforce compliance for ZTNA. Which TWO settings are required on FortiGate to use compliance-based ZTNA tags?

136

A network engineer is troubleshooting an ADVPN scenario where shortcut tunnels between spokes are not forming. The hub has IKEv2 configured and the spokes are behind NAT. Which THREE conditions must be met for shortcut tunnels to establish?

137

An administrator wants to implement ZTNA with FortiClient EMS to control access to an internal web application. Which TWO components are essential for the ZTNA proxy to function correctly?

138

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is established but traffic is not passing. The administrator runs 'diagnose vpn ike log' and sees 'no matching policy for this IPsec SA'. What is the most likely cause?

139

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal application. The application is hosted on a server with IP 10.1.1.100. Which component acts as the intermediary between users and the application in FortiGate ZTNA?

140

A FortiGate administrator is configuring Auto Discovery VPN (ADVPN) in a hub-and-spoke topology. Spokes are FortiGates with dynamic public IPs. Which setting is required on the spoke for it to automatically initiate shortcut tunnels to other spokes when needed?

141

A FortiGate administrator configures a ZTNA rule to allow access to an internal application. The rule uses a ZTNA tag to identify the application server. However, users cannot connect to the application. What is the most likely cause if the ZTNA proxy and firewall policies are correctly configured?

142

An administrator runs 'diagnose vpn ike gateway list' and sees that the IKE SA state is 'UP' but the IPsec SA state is 'DOWN'. The remote peer is a FortiGate. What is the most likely cause of this issue?

143

An organization uses FortiClient EMS to enforce compliance on endpoints. They want to ensure that only devices with updated antivirus definitions can access the corporate VPN. Which FortiClient configuration should be applied?

144

A FortiGate administrator configures SAML SSO with FortiGate as the Service Provider (SP) and an external IdP. Users report that they are prompted for credentials repeatedly without successful authentication. What is the most likely cause?

145

A FortiGate administrator wants to use PKI certificates for IPsec VPN authentication instead of pre-shared keys. Which phase1 parameter must be set to 'signature' to enable certificate-based authentication?

146

An administrator notices that after upgrading FortiOS, the ADVPN shortcut tunnels are no longer being established. The hub and spokes have the same ADVPN configuration as before. What is the most likely cause?

147

A FortiGate administrator configures a ZTNA rule with inline CASB to control access to a SaaS application. Users can access the application but the CASB controls are not being applied. What is the most likely reason?

148

A FortiGate administrator is configuring a multi-peer IPsec VPN (dial-up) for remote users. The administrator wants to assign different IP pools to different groups of users based on their authentication group. Which configuration is required?

149

A FortiGate administrator enables Dead Peer Detection (DPD) on an IPsec VPN tunnel. What is the primary purpose of DPD?

150

A FortiGate administrator is troubleshooting a scenario where remote users can connect to the VPN but cannot access internal resources. The VPN policy is configured correctly. Which TWO steps should the administrator take to diagnose the issue?

151

A FortiGate administrator is configuring OSPF over an IPsec VPN overlay in a hub-and-spoke topology. The spokes have dynamic IPs and use ADVPN. Which THREE conditions are necessary for OSPF to work correctly over the VPN tunnels?

152

A FortiGate administrator wants to integrate FortiClient EMS with FortiGate for ZTNA. Which TWO components must be configured on FortiGate to enable ZTNA access?

153

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is up but traffic is not passing. The administrator runs 'diagnose vpn ike gateway list' and sees that the IKE SA has been established. However, 'diagnose vpn tunnel list' shows no IPsec SA entries. What is the most likely cause?

154

An administrator wants to ensure that FortiGate validates the identity of the remote VPN peer using a certificate during IKEv2 phase 1. Which authentication method should the administrator select in the IPsec phase 1 configuration?

155

In a hub-and-spoke ADVPN deployment, the spoke FortiGates are configured with IKEv2 and the hub has ADVPN enabled. After initial setup, spokes communicate through the hub. The administrator wants to enable shortcut tunnels so that spokes can directly communicate. What additional configuration is required on the spokes?

156

A FortiGate is configured as a ZTNA proxy for an internal web application. The client's device posture check fails due to an outdated antivirus definition. The administrator wants to block access but still display a warning page. Which ZTNA access rule action should be used?

157

In a Fortinet ZTNA deployment, which component is responsible for forwarding decrypted traffic to the internal application server after the FortiGate proxy has performed SSL inspection?

158

An administrator has configured FortiGate as a SAML service provider (SP) for VPN authentication. Users are prompted for credentials but authentication fails even though they can authenticate directly at the IdP portal. What is the most likely misconfiguration?

159

A FortiGate administrator runs the following commands on a FortiGate:

diagnose sys session filter dport 443
diagnose sys session list

and sees this output for a session:

proto=6 proto_state=01 duration=3600 expire=3599

What does this output indicate about the session?

160

In a hub-and-spoke VPN using OSPF over the overlay, the hub FortiGate learns routes from spoke1 and advertises them to spoke2. However, spoke2's routing table shows the route with a next-hop of the hub's tunnel IP, not spoke1's tunnel IP. What should the administrator configure to allow spoke2 to reach spoke1 directly (using ADVPN shortcut)?

161

A FortiGate is configured with FortiClient EMS to enforce ZTNA posture checks. The administrator finds that some Windows 10 clients are not reporting their antivirus status correctly, causing them to be blocked. However, the clients have antivirus installed and running. What is the most likely cause?

162

An administrator wants to use FortiGate as a SAML identity provider (IdP) for a third-party service. Which configuration is required on FortiGate?

163

A FortiGate administrator sees the following syslog message repeatedly: 'IPsec phase 2 failed to establish SA with peer due to proposal mismatch.' The administrator has already verified that the phase 2 parameters (encryption, authentication, PFS, and lifetime) match on both sides. What else should the administrator check?

164

An administrator is configuring ZTNA inline CASB for a SaaS application. The goal is to block upload of files containing credit card numbers. Which configuration components are required?

165

A FortiGate is configured as a ZTNA proxy. The administrator wants to ensure that only devices with a specific ZTNA tag assigned by FortiClient EMS are allowed to access the application. Which two configuration steps are required? (Choose two.)

166

An administrator is deploying ADVPN with a hub-and-spoke topology. The hub FortiGate is configured with 'set auto-discovery-sender enable' and 'set add-route enable'. Spokes have 'set auto-discovery-receiver enable'. However, shortcut tunnels are not being established. Which two additional conditions must be met for shortcut tunnels to form? (Choose two.)

167

A FortiGate administrator is troubleshooting an IPsec VPN that uses IKEv2 with certificate authentication. The VPN fails to establish. The administrator runs 'diagnose vpn ike gateway list' and sees the gateway state is 'IKE_INIT'. Which three possible causes should the administrator investigate? (Choose three.)

168

A network administrator configures an IPsec VPN between two FortiGates using IKEv2. The tunnel establishes, but after a period of inactivity, traffic stops passing and the logs show 'IPsec phase 1 down'. The administrator wants to ensure the tunnel is quickly re-established when traffic resumes. Which setting should be configured?

169

An administrator is troubleshooting an ADVPN scenario where spoke FortiGates are behind NAT. The shortcut tunnels are not forming between spokes. The hub has the appropriate ADVPN settings. What is the most likely cause of the shortcut failure?

170

A FortiGate is configured as a SAML Identity Provider (IdP) for a remote user accessing a web application via ZTNA. The user authenticates successfully, but the ZTNA proxy logs show 'access denied' for the user. Which configuration element is most likely missing or misconfigured?

171

An administrator wants to ensure that only devices with up-to-date antivirus software can access a sensitive application via ZTNA. Which FortiGate feature should be used to enforce this requirement?

172

A FortiGate administrator runs the following diagnostic command: 'diagnose vpn ike gateway list'. The output shows a gateway with state 'down'. The administrator verifies that the peer is reachable and the pre-shared key is correct. What is a possible reason for the gateway state being 'down'?

173

An administrator configures a multi-peer IPsec VPN on FortiGate for redundancy. The primary peer is 10.1.1.1 and secondary is 10.1.1.2. The administrator notices that when the primary peer goes down, the FortiGate does not fail over to the secondary peer until the IKE SA times out (about 60 seconds). Which setting can reduce this failover time?

174

A FortiGate is configured as a ZTNA proxy for a web application. Users report that after authenticating, they receive a '502 Bad Gateway' error. What is the most likely cause?

175

An administrator needs to integrate FortiGate with FortiNAC for network access control. The goal is to dynamically quarantine endpoints that have out-of-date antivirus software. Which component is responsible for enforcing the quarantine on the network?

176

A FortiGate is the SAML Service Provider (SP) for a ZTNA application. The IdP is Azure AD. After successful authentication, the user is redirected to the ZTNA proxy with a '403 Forbidden' error. The ZTNA rule has the correct groups allowed. What is the most likely missing configuration?

177

An administrator configures OSPF over an IPsec VPN overlay between two FortiGates. The OSPF neighbors form, but routes learned from the remote site are not appearing in the routing table. What is the most likely cause?

178

A FortiGate administrator wants to use PKI certificates for IKEv2 authentication instead of pre-shared keys. Which phase1 configuration parameter must be changed to support certificate-based authentication?

179

An administrator configures a hub-and-spoke ADVPN with IBGP over the VPN overlays. The spokes receive the default route from the hub, but they cannot reach each other directly. The administrator wants spoke-to-spoke traffic to use shortcut tunnels. Which additional configuration is required on the hub?

180

A FortiGate administrator needs to block an application (e.g., Facebook) while allowing HTTPS traffic for ZTNA users. Which TWO configurations are required to achieve this?

181

An administrator has a FortiGate hub with multiple spoke FortiGates in an ADVPN topology. The spokes are behind NAT and have dynamic public IPs. The hub is configured with a static IP. Which THREE steps are necessary for the spokes to establish a shortcut tunnel between each other?

182

A FortiGate is configured as a ZTNA proxy for an internal application. Users authenticate via SAML with FortiGate as the IdP. The administrator wants to enforce that only devices with a valid ZTNA tag can access the application. Which TWO configurations are required?

183

A network administrator is configuring an ADVPN hub-and-spoke topology. The hub is FortiGate-A and the spokes are FortiGate-B and FortiGate-C. The administrator wants spoke-to-spoke traffic to dynamically establish direct tunnels when needed. Which two settings must be enabled on the hub's phase 1 interface to support this?

184

An administrator is troubleshooting an IPsec VPN tunnel that connects a branch office to the main office. The tunnel is down. The administrator runs 'diagnose vpn ike gateway list' and sees the following output:

IKE gateway: branch
state: down
DPD: enabled
DPD retrycount: 3
DPD retryinterval: 10

What does the DPD configuration indicate?

185

A FortiGate has an IPsec VPN with a remote peer that uses IKEv2. The administrator wants to ensure that child SA rekeying uses PFS (Perfect Forward Secrecy) with Diffie-Hellman group 14. Which CLI command should the administrator configure on the FortiGate's phase 2 proposal?

186

A FortiGate administrator is configuring ZTNA to provide secure access to an internal application. The application is hosted on a server with IP 10.0.1.100 and port 8080. The administrator creates a ZTNA rule on the FortiGate as an access proxy. What is the correct configuration for the ZTNA rule's 'Application Access' entry?

187

An administrator wants to enforce that only managed FortiClient endpoints with up-to-date antivirus and a specific OS version can access a sensitive internal network via IPsec VPN. Which feature should be used to achieve this?

188

A FortiGate is configured as a SAML identity provider (IdP) for a partner's SaaS application (SP). Users authenticate via FortiGate's local user database. The administrator successfully tests the SAML flow, but after some time, users are prompted to re-authenticate frequently. What is the most likely cause?

189

An administrator has configured an OSPF overlay over an IPsec VPN between two FortiGates. The OSPF neighbors are established, but routes from one side are not being installed in the routing table on the other side. 'get router info ospf neighbor' shows FULL state. What is the most likely cause?

190

A FortiGate administrator is using FortiNAC to enforce network access control for wired endpoints. The administrator wants to quarantine any endpoint that fails antivirus compliance. Which action should be configured in the FortiNAC policy to achieve this?

191

An administrator wants to configure a multi-peer IPsec VPN where one FortiGate (hub) connects to multiple remote FortiGates (spokes) using a single phase 1 interface with dynamic IP addresses. Which configuration is required on the hub?

192

A ZTNA rule is configured to allow access to an internal application only if the client device has the ZTNA tag 'Compliant' and the user is authenticated via SAML. The FortiGate is acting as ZTNA proxy. A user successfully authenticates but the device is not tagged. What happens when the user tries to access the application?

193

An administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is up, but traffic is not passing. The administrator runs 'diagnose vpn tunnel list' and sees that both phase 1 and phase 2 are up. The policy allows traffic from both sides. What should the administrator check next?

194

An administrator is configuring a hub-and-spoke ADVPN with IBGP as the overlay routing protocol. The hub is configured as a route reflector. Which two conditions must be met for a shortcut tunnel to be established between two spokes? (Choose TWO)

195

An administrator wants to implement ZTNA inline CASB to control access to a SaaS application (e.g., Office 365). Which three components are required for this setup? (Choose THREE)

196

An administrator is troubleshooting an IPsec VPN tunnel that uses PKI certificates for authentication. The tunnel fails to establish. The administrator checks the certificates and finds that the local certificate is valid and the CA certificate is trusted. Which two additional checks should the administrator perform? (Choose TWO)

197

A company wants to provide external contractors with access to a specific internal web application without granting full network access. The solution must authenticate the user, verify device compliance, and log all access. Which three Fortinet features should be combined to meet these requirements? (Choose THREE)

198

A network administrator is troubleshooting an IPsec VPN tunnel that is not coming up. The configuration uses IKEv2 with pre-shared keys. The administrator runs 'diagnose vpn ike log-filter' and sees no logs. What is the most likely cause?
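The IKEv2 site-to-site questions above (certificate authentication via 'authmethod signature', 'no proposal chosen' in phase 1 or phase 2, PFS with DH group 14, DPD timers, and a 'diagnose vpn ike log-filter' that prints nothing) all resolve against one small configuration. The block below is an added example written for this page, not Fortinet documentation or any vendor sample. Interface names, addresses (HQ 198.51.100.1, branch 198.51.100.2), certificate and peer object names, and the FortiOS 7.0/7.2 command syntax are assumptions; the '#' lines are annotations, not CLI input.

```fortios
# ---- HQ side (198.51.100.1); the branch mirrors this with addresses and selectors swapped ----
config user peer
    edit "branch-fgt"
        set ca "CA_Cert_1"                  # CA that issued the branch certificate (imported name assumed)
        set cn "branch.example.com"         # subject CN the peer certificate must carry
        set cn-type string
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.2
        set authmethod signature            # certificate authentication instead of a pre-shared key
        set certificate "hq-fgt-cert"       # local certificate presented to the branch (assumed name)
        set peertype peer
        set peer "branch-fgt"               # only the peer object above may authenticate
        set proposal aes256-sha256          # must intersect the branch list, or IKE_SA_INIT fails
        set dhgrp 14
        set dpd on-idle                     # probe only while the tunnel is idle
        set dpd-retrycount 3
        set dpd-retryinterval 10            # peer declared dead after 3 missed probes (about 30 s)
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set pfs enable                      # fresh DH exchange on every child SA rekey
        set dhgrp 14                        # PFS group: a mismatch here fails phase 2 even when ciphers match
        set keylifeseconds 3600
        set auto-negotiate enable           # re-establish without waiting for traffic
        set src-subnet 192.168.1.0 255.255.255.0   # selectors must mirror the branch (src/dst swapped)
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config system interface
    edit "to-branch"
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.2 255.255.255.252
    next
end
config router static
    edit 10
        set dst 192.168.2.0 255.255.255.0
        set device "to-branch"
    next
end

# ---- Troubleshooting session on the HQ CLI ----
# The log filter by itself prints nothing; IKE debugging must also be switched on.
diagnose vpn ike log-filter dst-addr4 198.51.100.2
diagnose debug application ike -1
diagnose debug enable
# ... trigger the tunnel from the branch; look for "no proposal chosen", selector or certificate errors ...
diagnose debug disable
diagnose debug reset
diagnose vpn ike gateway list name to-branch       # IKE SA state and DPD counters
diagnose vpn tunnel list name to-branch-p2         # child SAs, selectors, byte counters
diagnose vpn ike gateway flush name to-branch      # force a clean renegotiation
```

The firewall policies between "to-branch" and the LAN interface are omitted; without them phase 2 comes up but no traffic passes, which is the 'inbound: 0 bytes / outbound: 0 bytes' situation several questions describe. Newer FortiOS builds have reorganized some of the 'diagnose vpn ike' sub-commands, so confirm the filter syntax with 'diagnose vpn ike ?' before relying on it.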

199

A FortiGate administrator configures a hub-and-spoke ADVPN network. Spokes are behind NAT. After deployment, spokes can communicate with each other only through the hub. What must be configured to allow spokes to establish direct shortcut tunnels?

200

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal application. The application is accessed via HTTPS. Which component must be configured on the FortiGate to act as a reverse proxy for the application?

201

A FortiGate administrator configures SAML SSO with FortiGate as the Identity Provider (IdP). Users are redirected to the FortiGate login page, but after successful authentication, they are not redirected back to the service provider. What is a likely cause?

202

An administrator wants to enforce that only devices with up-to-date antivirus software can access corporate resources via ZTNA. Which FortiClient feature should be used to enforce this requirement?

203

A FortiGate administrator is configuring a multi-peer IPsec VPN where two remote sites (Site A and Site B) connect to a central hub. The administrator wants to ensure that if the primary peer for a site goes down, traffic automatically fails over to the backup peer. Which TWO settings must be configured on the hub's phase1?

204

An organization uses FortiNAC for network access control. They want to enforce that only corporate-managed devices with up-to-date patches can access the production VLAN. Which THREE components must be integrated or configured?

205

A company is deploying ZTNA to replace their legacy VPN. They want to ensure that only users with a valid certificate and compliant antivirus can access the internal application. Which TWO components are required on the FortiGate for this deployment?

206

A FortiGate is configured as the SAML Identity Provider (IdP) for a cloud application. The administrator wants to enforce device compliance as part of authentication. Which THREE steps must be taken?
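The ZTNA questions above share one build: an EMS connector that supplies the device tags, an access-proxy VIP in front of the real server (10.0.1.100:8080 in one of the stems), a SAML server object whose 'group-name' attribute is what lets a proxy policy match on IdP groups, and a proxy policy that requires both the 'Compliant' EMS tag and the SAML group. The configuration below is an added example written for this page, not Fortinet documentation or any vendor sample; it shows the FortiGate as SAML service provider with an external IdP (the IdP-on-FortiGate variant in some stems is not shown). EMS address, certificate names, hostnames, the IdP URLs and the exact tag naming pattern are assumptions; '#' lines are annotations, not CLI input.

```fortios
# 1. EMS connector: FortiGate pulls ZTNA tags (e.g. "Compliant") and client certs from EMS (address assumed)
config endpoint-control fctems
    edit 1
        set name "EMS1"
        set server "10.0.0.50"
        set https-port 443
    next
end
# then: execute fctems verify EMS1   -> accept the EMS certificate; authorize this FortiGate in the EMS console
# 2. Access-proxy VIP: terminates client TLS on the gateway address
config firewall vip
    edit "ztna-app-vip"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "wan1"
        set server-type https
        set extport 443
        set ssl-certificate "ztna-gateway-cert"   # server certificate shown to clients (assumed name)
    next
end
# 3. Access proxy: VIP -> real server, device certificate required
config firewall access-proxy
    edit "ztna-app-proxy"
        set vip "ztna-app-vip"
        set client-cert enable              # FortiClient must present its EMS-issued certificate
        set empty-cert-action block         # devices without a certificate are refused
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.0.1.100
                        set port 8080
                    next
                end
            next
        end
    next
end
# 4. SAML SP with an external IdP; "group" is the assertion attribute carrying group membership
config user saml
    edit "ext-idp"
        set cert "ztna-gateway-cert"
        set entity-id "https://ztna.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://ztna.example.com/remote/saml/login"
        set idp-entity-id "https://idp.example.com/saml/metadata"
        set idp-single-sign-on-url "https://idp.example.com/saml/sso"
        set idp-cert "REMOTE_Cert_1"        # IdP signing certificate as imported on the FortiGate
        set user-name "username"            # must match the attribute names the IdP actually sends
        set group-name "group"
    next
end
config user group
    edit "ztna-app-users"
        set member "ext-idp"
        config match
            edit 1
                set server-name "ext-idp"
                set group-name "app-users"  # value the IdP places in the "group" attribute
            next
        end
    next
end
config authentication scheme
    edit "ztna-saml"
        set method saml
        set saml-server "ext-idp"
    next
end
config authentication rule
    edit "ztna-saml-rule"
        set srcintf "wan1"
        set srcaddr "all"
        set active-auth-method "ztna-saml"
    next
end
# 5. Proxy policy: the device tag AND the SAML group must both match, otherwise access is denied
config firewall proxy-policy
    edit 1
        set proxy access-proxy
        set access-proxy "ztna-app-proxy"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"   # EMS tag "Compliant" as listed on this FortiGate (name form assumed)
        set groups "ztna-app-users"
        set action accept
        set logtraffic all
    next
end
```

Two checks follow directly from this layout. If a compliant device is denied and the ZTNA log shows no tag, the fault is upstream of the proxy policy: the EMS connection (not verified or not authorized) or the tag not yet synchronized to this FortiGate, not the policy itself. If authentication succeeds but the user is still denied, compare the 'user-name' and 'group-name' attribute names and the matched group value against what the IdP assertion actually carries, since a group that never arrives on the FortiGate can never satisfy 'set groups'.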

207

An administrator is troubleshooting an OSPF over IPsec VPN overlay. The OSPF neighbor state is stuck in EXSTART. The VPN tunnel is up. Which TWO issues could cause this?
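The OSPF-over-IPsec stems above (a neighbor stuck in EXSTART/EXCHANGE while ICMP crosses the tunnel, and routes missing after the neighbor reaches FULL) come down to how the tunnel interface is addressed and how the OSPF interface is declared. The block below is an added example written for this page, not Fortinet documentation or any vendor sample: one side of a two-FortiGate overlay, with the peer mirroring it. The phase 1 name "to-site-b", the 10.255.2.0/30 tunnel subnet, the LAN prefix and the FortiOS 7.0-style syntax are assumptions; '#' lines are annotations, not CLI input.

```fortios
# Site A: tunnel interface is the one created by the phase1 "to-site-b"; site B swaps the addresses
config system interface
    edit "to-site-b"
        set ip 10.255.2.1 255.255.255.255
        set remote-ip 10.255.2.2 255.255.255.252
        set allowaccess ping
    next
end
config router ospf
    set router-id 10.255.2.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-to-site-b"
            set interface "to-site-b"
            set network-type point-to-point  # two peers: no DR/BDR election, no multicast discovery issues
            set mtu-ignore enable            # DBD packets carry the interface MTU; ESP overhead makes the two
                                             # ends disagree and the neighbor then never leaves EXSTART/EXCHANGE
            set hello-interval 10            # timers must match on both ends or the adjacency never forms
            set dead-interval 40
        next
    end
    config network
        edit 1
            set prefix 10.255.2.0 255.255.255.252   # tunnel subnet: the adjacency forms here
        next
        edit 2
            set prefix 192.168.1.0 255.255.255.0    # local LAN advertised to site B
        next
    end
end

# Verification on site A
get router info ospf neighbor                 # expect FULL on 10.255.2.2
get router info ospf interface to-site-b      # confirms point-to-point and the MTU setting in effect
get router info routing-table ospf            # site B's LAN should appear via 10.255.2.2
```

If the neighbor is FULL but site B's prefix is absent from the OSPF routing table, check that site B has a 'config network' entry covering its LAN interface and that no static or connected route with a better administrative distance already covers the same prefix on site A; 'get router info routing-table database' shows the competing candidates.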


Frequently asked questions

What does the Advanced VPN and Zero Trust domain cover on the NSE7 exam?

The Advanced VPN and Zero Trust domain covers the topics tested in this area of the NSE7 exam blueprint published by Fortinet: IPsec site-to-site and dial-up VPNs (IKEv2, certificate authentication, proposal and selector troubleshooting, DPD), ADVPN hub-and-spoke with BGP or OSPF over the overlay, ZTNA access proxies with FortiClient EMS device tags, SAML SSO with FortiGate as service provider or identity provider, inline CASB, and FortiNAC integration. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all NSE7 domains, with no account required.

How many Advanced VPN and Zero Trust questions are in the NSE7 question bank?

The Courseiva NSE7 question bank contains 207 questions in the Advanced VPN and Zero Trust domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Advanced VPN and Zero Trust for NSE7?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Advanced VPN and Zero Trust questions for NSE7?

Yes — the session launcher on this page draws questions exclusively from the Advanced VPN and Zero Trust domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
