Fortinet · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer marked and a plain-English explanation of why it's right, and why the others are wrong.
Domain: Advanced Networking and SD-WAN

Question 1. A network administrator is configuring SD-WAN on a FortiGate. The organization has two internet links: MPLS (primary) and broadband (backup). The administrator wants all traffic to use the MPLS link unless it fails, in which case traffic should fail over to the broadband link. Which SD-WAN configuration best achieves this requirement?
A. Set the MPLS link priority to 10 and the broadband link priority to 5, then configure an SD-WAN rule with the 'best quality' strategy.
B. Enable 'set role' on the MPLS link as 'primary' and on the broadband link as 'standby' with the 'redundant' strategy.
C. Configure both links in the SD-WAN zone with equal priority and use the 'lowest cost' strategy.
D. Create two static routes: one with higher distance for MPLS and one with lower distance for broadband.
Correct answer: A. Higher priority for MPLS ensures it is preferred. The 'best quality' strategy selects the member with the highest priority when available, providing failover.
Question 2. A FortiGate is configured with SD-WAN and has two WAN members: Member1 (ISP1) with priority 10, and Member2 (ISP2) with priority 5. The SD-WAN rule for traffic from the internal network uses the 'best quality' strategy. During normal operation, traffic flows through Member1. After a link failure on Member1, traffic correctly fails over to Member2. However, when Member1 is restored, traffic does not fail back. What is the most likely cause?
A. The static route for Member1 has a higher administrative distance than Member2.
B. The health-check for Member1 is configured with 'set probe-mode passive' and 'set update-static-route disable'.
C. The SD-WAN rule is configured with 'set fallback' disabled.
D. The priority of Member2 is higher than Member1.
Correct answer: B. Passive monitoring does not trigger fallback; update-static-route must be enabled for the route to be reinstated when the link recovers.
Question 3. An enterprise uses FortiGate as an SD-WAN edge device with three WAN links: Link A (MPLS), Link B (broadband), and Link C (LTE). The SD-WAN rule for VoIP traffic uses the 'best quality' strategy with link-quality-measurement enabled. The VoIP traffic is routed via Link A. During peak hours, users report poor voice quality. The administrator checks the SD-WAN performance SLA logs and sees that Link A's jitter and latency are within acceptable thresholds, but packet loss is slightly elevated. Which action would most likely improve VoIP quality without manual intervention?
A. Increase the priority of Link A to ensure it remains the preferred link.
B. Configure a performance SLA for VoIP traffic with jitter < 10ms, latency < 100ms, and packet-loss < 0.5% and apply it to the SD-WAN rule.
C. Disable link-quality-measurement to reduce overhead on Link A.
D. Add a new SD-WAN rule with 'lowest cost' strategy for VoIP traffic.
Correct answer: B. Applying a performance SLA with strict thresholds will cause the SD-WAN rule to select a link that meets the criteria, switching away from Link A if it fails the SLA.
Question 4. Which THREE statements are true about FortiGate SD-WAN health-check configuration?
A. Health-check probes can be sent from any interface, including loopback.
B. Health-check can only be configured on physical interfaces, not VLANs or subinterfaces.
C. Health-check can be configured with multiple thresholds for jitter, latency, and packet loss.
D. Health-check can update the routing table by setting 'update-static-route' to enable fallback.
E. Health-check can be configured to use HTTP or DNS protocols to verify link health.
Correct answers: C, D and E.
C: Performance SLA thresholds can be defined for jitter, latency, and packet loss.
D: When enabled, health-check failure can remove the static route, and recovery can re-add it.
E: HTTP and DNS are valid protocol options for health-check probes.
Question 5. Which TWO statements correctly describe the behavior of SD-WAN rules when using the 'maximize-bandwidth' strategy?
A. The strategy ensures that all traffic uses the member with the highest bandwidth.
B. The administrator can assign different weights to members to influence the proportion of traffic each handles.
C. If a member fails its health-check, it is removed from the set of eligible members for the rule.
D. Traffic from a single session can be split across multiple members for better performance.
E. Traffic is distributed based on session count to keep each link equally utilized.
Correct answers: B and C.
B: Weights can be set per member to control the load-balancing ratio.
C: Health-check failure marks the member as dead, and it is not considered for traffic distribution.
Question 6. A FortiGate is deployed with two ISPs and SD-WAN. The organization uses OSPF to exchange routes with a remote branch. The administrator notices that the FortiGate is not installing OSPF-learned routes into the routing table. The OSPF configuration is verified to be correct, and neighbors are established. Which configuration could be causing the issue?
A. The SD-WAN health-check is configured with 'update-static-route' and is overriding OSPF routes.
B. The administrative distance of OSPF is set to 200, which is higher than the default 110.
C. A distribute-list configured under OSPF is filtering the routes from being installed.
D. The OSPF interface is configured as 'passive', which prevents route exchange.
Correct answer: C. A distribute-list in OSPF can filter which routes are installed into the routing table, even if neighbors are up.
Domain: Advanced VPN and Zero Trust

Question 7. A company is implementing Zero Trust Network Access using Fortinet's ZTNA solution. They have deployed a FortiGate as the ZTNA gateway and are using FortiClient as the ZTNA agent. Users report that they can initiate ZTNA connections but the connections drop after a few minutes. The FortiGate logs show that the ZTNA session is being terminated due to an endpoint compliance check failure. Which action should the administrator take to resolve this issue?
A. Review and adjust the endpoint compliance rules in FortiClient EMS.
B. Disable endpoint compliance checks on the FortiGate.
C. Increase the session timeout on the FortiGate ZTNA gateway.
D. Change the authentication method from certificate to LDAP.
Correct answer: A. Adjusting compliance rules to match the actual endpoint state will allow the connection to persist.
Question 8. During a ZTNA deployment, an administrator notices that traffic from a specific internal application is being routed through the ZTNA gateway but is not reaching the destination server. The FortiGate policy allows the traffic, and the client has a valid ZTNA connection. What is the most likely cause of the issue?
A. The ZTNA proxy rule on the FortiGate is misconfigured, pointing to the wrong destination IP or port.
B. The client's FortiClient agent is not connected to the EMS server.
C. The destination server does not have internet connectivity.
D. The FortiGate policy is set to deny traffic from the client's subnet.
Correct answer: A. A misconfigured proxy rule would cause traffic to be sent to the wrong destination.
Question 9. An organization is designing a Zero Trust Network Access solution with Fortinet. They want to ensure that only devices with up-to-date antivirus software can access sensitive applications. Which component is responsible for enforcing this requirement?
A. FortiAnalyzer
B. FortiClient EMS
C. FortiAuthenticator
D. FortiGate ZTNA gateway
Correct answer: B. FortiClient EMS applies compliance rules and tags devices accordingly.
Question 10. A company uses FortiGate ZTNA to provide remote access to an internal web application. The application requires client certificates for authentication. The administrator has configured the ZTNA rule to use certificate authentication. However, users report that they are prompted for credentials repeatedly. What is the most likely cause?
A. The user's password has expired.
B. The ZTNA rule is configured to use SAML authentication instead.
C. The client certificate is not trusted by the FortiGate.
D. The FortiClient EMS server is not reachable from the client.
Correct answer: C. An untrusted certificate causes authentication failures.
Question 11. In a Zero Trust Network Access architecture, which component acts as the policy enforcement point for access decisions?
A. FortiClient agent
B. FortiAnalyzer
C. FortiGate ZTNA gateway
D. FortiClient EMS
Correct answer: C. The FortiGate enforces access based on tags and policies.
Question 12. An administrator is troubleshooting a ZTNA connection issue where a user can access the ZTNA gateway but the connection to the internal application fails after a few seconds. The FortiGate logs show 'ZTNA session timeout' but the timeout value is set to 30 minutes. What could be the reason?
A. The internal application is not responding to the proxy request.
B. The ZTNA proxy idle timeout is set to a lower value than the global timeout.
C. The internal application has a 5-second timeout.
D. The client's FortiClient is not receiving the ZTNA tags.
Correct answer: B. The proxy idle timeout can be configured separately and may be shorter.
Domain: Enterprise Firewall and VDOMs

Question 13. A network engineer wants to deploy a FortiGate in transparent mode and have it managed by FortiManager. The FortiGate should not participate in routing, but must be able to send logs to FortiAnalyzer. Which two settings must be configured on the FortiGate to achieve this?
A. Enable DHCP client on the management interface
B. Configure a management IP address on the FortiGate
C. Enable NAT on the management interface
D. Add a static route to reach FortiManager and FortiAnalyzer
E. Set the interface IP address in the same subnet as the upstream router
Correct answers: B and D.
B: In transparent mode, the management IP is used for management and logging.
D: A static route is needed for management traffic.
Question 14. An organization is deploying multiple FortiGate devices across different geographic locations. The central IT team manages all devices from a single FortiManager. The remote FortiGates connect to FortiManager over a WAN link. Which feature should be enabled on FortiManager to ensure that configuration changes are applied consistently and without interruption to the remote FortiGates?
A. Enable auto-link configuration on the FortiManager
B. Use the 'Install on Next Reboot' option in the install wizard
C. Use 'Install Wizard' with 'Immediate Install' option
D. Enable 'Configuration Override' on the managed FortiGates
Correct answer: B. This ensures changes are applied after reboot, avoiding disruption.
Question 15. A company is implementing a Security Fabric with multiple FortiGate devices. They want to use FortiAnalyzer for centralized logging and FortiManager for centralized management. Which of the following is a prerequisite for adding a FortiGate to the Security Fabric?
A. The FortiGate must have FortiAnalyzer configured as a log device
B. The FortiGate's management IP must be configured via DHCP
C. The FortiGate must have network connectivity to the FortiManager
D. The FortiGate must be operating in transparent mode
Correct answer: C. Connectivity is required for management.
Question 16. A network administrator is troubleshooting a FortiGate that is not appearing in the Security Fabric topology on FortiManager. The FortiGate is reachable from FortiManager via ping. What is the most likely cause?
A. The FortiGate is not authorized in FortiManager
B. FortiAnalyzer is not configured on the FortiGate
C. SNMP community string is mismatched
D. The FortiGate firewall policy is blocking traffic to FortiManager
Correct answer: A. Authorization is required for the device to appear in the fabric.
Question 17. An organization uses FortiManager to manage multiple FortiGate devices in a Security Fabric. The administrator wants to push a new firewall policy that includes an FQDN address object. Which statement is true regarding FQDN objects in FortiManager policies?
A. FQDN objects must be defined on each managed FortiGate individually
B. The FQDN resolution is done automatically every 60 seconds by FortiManager
C. FortiManager resolves the FQDN to IP addresses at installation time and updates the policy accordingly
D. FQDN objects cannot be used in policies pushed from FortiManager
Correct answer: C. This ensures the FortiGate has the resolved IPs.
Question 18. Which TWO statements about the Security Fabric and FortiManager are correct? (Choose two.)
A. FortiManager can manage multiple Security Fabrics.
B. FortiGate devices must be in transparent mode to join the fabric.
C. FortiAnalyzer must be deployed to use the Security Fabric.
D. The first FortiGate added to the Security Fabric becomes the root FortiGate.
E. A FortiGate can be part of multiple Security Fabrics simultaneously.
Correct answers: A and D.
A: FortiManager can manage multiple fabrics.
D: The first device is the root.
Domain: Advanced Threat Protection

Question 19. A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?
A. Data Leak Prevention profile
B. Antivirus profile with SSL inspection
C. Web Filtering profile
D. Intrusion Prevention profile
Correct answer: B. Antivirus profiles can be configured with SSL inspection to detect malware in encrypted C2 traffic.
Question 20. A network administrator notices that several endpoints are infected with ransomware despite having FortiGate ATP enabled. The logs show that the files were downloaded over HTTPS, and the antivirus profile did not detect them. What is the most likely reason?
A. SSL inspection was not enabled on the antivirus profile
B. Application control profile blocked the download
C. FortiSandbox was not configured to analyze the files
D. IPS signature database was outdated
Correct answer: A. Without SSL inspection, encrypted traffic bypasses antivirus scanning.
Question 21. A security engineer is troubleshooting a scenario where FortiGate is not blocking a known malicious URL categorized as 'Malware'. The web filtering profile is configured with 'monitor all' for the Malware category. What change should be made to block the URL?
A. Configure traffic shaping to rate limit the URL
B. Add a static URL filter with the exact URL and action 'block'
C. Enable DNS filter with botnet C2 domain blocking
D. Change the action for Malware category from 'monitor' to 'block' in the web filter profile
Correct answer: D. Setting the category action to 'block' will block all URLs in that category.
Question 22. A company wants to detect and block phishing emails that contain malicious links. Which FortiGate security profile should be used?
A. Antivirus profile
B. Web Filtering profile
C. Data Leak Prevention profile
D. Email Filtering profile
Correct answer: D. Email filtering can block phishing emails based on content and reputation.
Question 23. A FortiGate administrator receives alerts about a device communicating with a known botnet C2 server. The traffic is encrypted with TLS. Which ATP feature is most effective to block this communication?
A. Application control to block the C2 application
B. Antivirus profile with SSL inspection
C. IPS signature for botnet activity
D. DNS Filter with botnet C2 domain blocking
Correct answer: D. DNS filter blocks resolution of known malicious domains, preventing communication.
Question 24. Which TWO features are part of FortiGate's Advanced Threat Protection (ATP) suite?
A. Data Leak Prevention (DLP)
B. SSL Inspection
C. FortiGuard Antivirus
D. FortiSandbox
E. Intrusion Prevention System (IPS)
Correct answers: C and D.
C: Part of ATP for malware detection.
D: FortiSandbox is an ATP component for advanced analysis.
Domain: Troubleshooting and Diagnostics

Question 25. A FortiGate administrator notices that traffic from a specific subnet is being dropped unexpectedly. The security policy allows the traffic, and there are no firewall policies blocking it. What is the most efficient first step to identify the cause of the drops?
A. Use the 'diag sniffer packet any "host 10.0.1.0/24" 4' command to capture packets and analyze where they are dropped.
B. Run 'diagnose debug flow' with the source IP and look for 'no matching policy' or 'dropped' messages.
C. Enable 'deny-log' on all policies and check logs for the subnet.
D. Enable global traffic logging and review logs after some traffic passes.
Correct answer: A. Packet sniffer with filter can capture the actual packets and show the drop reason in the output.
Question 26. An organization uses FortiGate with OSPF and BGP. Recently, routes from BGP are not being preferred over OSPF routes, causing suboptimal routing. The administrator wants to ensure BGP routes are preferred. Which two actions can achieve this? (Choose two.)
A. Decrease the administrative distance of BGP routes to 5.
B. Configure route-map to set metric to 1 on BGP routes.
C. Increase the administrative distance of OSPF routes to 120.
D. Set a higher weight on BGP routes for the prefixes.
Correct answers: A and C.
A: Decreasing BGP AD to 5 makes it more preferred over OSPF AD 110.
C: Increasing OSPF AD to 120 makes BGP (AD 20) more preferred.
Question 27. A FortiGate is experiencing high CPU usage. The administrator runs 'diagnose sys top' and sees that the process 'ipsengine' is using the most CPU. What is the most likely cause?
A. The firewall is experiencing a memory leak.
B. A large volume of traffic is being inspected by IPS, possibly due to a DoS attack.
C. The antivirus engine is scanning large files.
D. There is a routing loop causing packet bouncing.
Correct answer: B. IPS engine uses CPU for deep packet inspection; high volume or many signatures increases load.
Question 28. An administrator is troubleshooting a VPN tunnel that is not coming up. The remote peer is a third-party device. Which THREE actions should be taken to diagnose the issue?
A. Ensure that the pre-shared key matches on both sides.
B. Confirm that UDP ports 500 and 4500 are not blocked by any firewall.
C. Verify that the remote peer's IP address is reachable via ping.
D. Check the IPSec VPN logs with 'diag debug application ike -1'.
E. Review the routing table to ensure the remote subnet is reachable through the tunnel interface.
Correct answers: A, C and D.
A: Mismatched PSK is a common cause of tunnel failure.
C: Basic connectivity must exist before IKE negotiation.
D: IKE debug shows detailed negotiation steps.
Question 29. A FortiGate administrator sees the following kernel log: 'kernel: [pid 1234] received packet with unknown or unsupported protocol 0x0800 on interface port1, drop'. What does this log indicate?
A. The packet is an ARP request that failed.
B. The packet has an invalid MAC address.
C. The interface is not configured with an IP address or is in the wrong VDOM.
D. The packet has IP options set that are not supported.
Correct answer: C. The kernel drops packets when the interface is not configured to handle that protocol.
Question 30. Based on the debug flow output, what is the reason the packet is dropped?
A. The route to the destination is missing.
B. There is no firewall policy that matches the traffic.
C. The packet has an invalid source IP address.
D. The session table is full.
Correct answer: B. The message 'no matching policy' clearly states this.
The NSE7 exam has 30 questions and must be completed in 90 minutes. The passing score is 700/1000.

Scenario-based questions covering exam objectives with detailed answer explanations.

The exam covers 5 domains: Advanced Networking and SD-WAN, Advanced VPN and Zero Trust, Enterprise Firewall and VDOMs, Advanced Threat Protection, Troubleshooting and Diagnostics. Questions are weighted by domain: higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Fortinet NSE7 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.