
Fortinet · Free Practice Questions · Last reviewed May 2026

NSE7 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

30 exam questions
90 min time limit
Pass: 700/1000
5 exam domains

Domain 1: Advanced Networking and SD-WAN

Q1 (easy)

A network administrator is configuring SD-WAN on a FortiGate. The organization has two internet links: MPLS (primary) and broadband (backup). The administrator wants all traffic to use the MPLS link unless it fails, in which case traffic should fail over to the broadband link. Which SD-WAN configuration best achieves this requirement?

A. Set the MPLS link priority to 10 and the broadband link priority to 5, then configure an SD-WAN rule with the 'best quality' strategy.
   Correct: Higher priority for MPLS ensures it is preferred. The 'best quality' strategy selects the member with the highest priority when available, providing failover.
B. Enable 'set role' on the MPLS link as 'primary' and on the broadband link as 'standby' with the 'redundant' strategy.
C. Configure both links in the SD-WAN zone with equal priority and use the 'lowest cost' strategy.
D. Create two static routes: one with higher distance for MPLS and one with lower distance for broadband.

Why: Option A is correct because setting the MPLS link priority to 10 (higher) and broadband to 5 (lower) ensures the SD-WAN rule with 'best quality' strategy selects the MPLS link as the preferred path. The 'best quality' strategy evaluates link quality metrics and, when priorities differ, prefers the higher-priority link. If the MPLS link fails, the strategy automatically fails over to the broadband link, meeting the requirement.
Q2 (medium)

A FortiGate is configured with SD-WAN and has two WAN members: Member1 (ISP1) with priority 10, and Member2 (ISP2) with priority 5. The SD-WAN rule for traffic from the internal network uses the 'best quality' strategy. During normal operation, traffic flows through Member1. After a link failure on Member1, traffic correctly fails over to Member2. However, when Member1 is restored, traffic does not fail back. What is the most likely cause?

A. The static route for Member1 has a higher administrative distance than Member2.
B. The health-check for Member1 is configured with 'set probe-mode passive' and 'set update-static-route disable'.
   Correct: Passive monitoring does not trigger fallback; update-static-route must be enabled for the route to be reinstated when the link recovers.
C. The SD-WAN rule is configured with 'set fallback' disabled.
D. The priority of Member2 is higher than Member1.

Why: Option B is correct because when 'set probe-mode passive' is configured, the health-check server only monitors the link without actively generating probe traffic, and 'set update-static-route disable' prevents the static route associated with Member1 from being re-enabled after the link is restored. This means the route remains inactive, so SD-WAN cannot fail back to Member1 even though the physical link is up.
Q3 (hard)

An enterprise uses FortiGate as an SD-WAN edge device with three WAN links: Link A (MPLS), Link B (broadband), and Link C (LTE). The SD-WAN rule for VoIP traffic uses the 'best quality' strategy with link-quality-measurement enabled. The VoIP traffic is routed via Link A. During peak hours, users report poor voice quality. The administrator checks the SD-WAN performance SLA logs and sees that Link A's jitter and latency are within acceptable thresholds, but packet loss is slightly elevated. Which action would most likely improve VoIP quality without manual intervention?

A. Increase the priority of Link A to ensure it remains the preferred link.
B. Configure a performance SLA for VoIP traffic with jitter < 10ms, latency < 100ms, and packet-loss < 0.5% and apply it to the SD-WAN rule.
   Correct: Applying a performance SLA with strict thresholds will cause the SD-WAN rule to select a link that meets the criteria, switching away from Link A if it fails the SLA.
C. Disable link-quality-measurement to reduce overhead on Link A.
D. Add a new SD-WAN rule with 'lowest cost' strategy for VoIP traffic.

Why: Option B is correct because configuring a performance SLA with specific thresholds for jitter, latency, and packet loss allows FortiGate to dynamically failover VoIP traffic to another WAN link when Link A's packet loss exceeds the defined threshold (e.g., 0.5%). Since the 'best quality' strategy uses link-quality-measurement to select the link with the best SLA compliance, applying a performance SLA with a packet-loss threshold ensures that even if jitter and latency are acceptable, elevated packet loss triggers a switch to a healthier link, improving voice quality without manual intervention.
Q4 (medium)

Which THREE statements are true about FortiGate SD-WAN health-check configuration?

A. Health-check probes can be sent from any interface, including loopback.
B. Health-check can only be configured on physical interfaces, not VLANs or subinterfaces.
C. Health-check can be configured with multiple thresholds for jitter, latency, and packet loss.
   Correct: Performance SLA thresholds can be defined for jitter, latency, and packet loss.
D. Health-check can update the routing table by setting 'update-static-route' to enable fallback.
   Correct: When enabled, health-check failure can remove the static route, and recovery can re-add it.
E. Health-check can be configured to use HTTP or DNS protocols to verify link health.
   Correct: HTTP and DNS are valid protocol options for health-check probes.

Why: Option C is correct because FortiGate SD-WAN health-check allows configuring multiple thresholds for jitter, latency, and packet loss. These thresholds are used to determine the quality of a link; if any threshold is exceeded, the link is considered failed. This enables granular control over link health assessment beyond simple reachability.
Q5 (hard)

Which TWO statements correctly describe the behavior of SD-WAN rules when using the 'maximize-bandwidth' strategy?

A. The strategy ensures that all traffic uses the member with the highest bandwidth.
B. The administrator can assign different weights to members to influence the proportion of traffic each handles.
   Correct: Weights can be set per member to control the load-balancing ratio.
C. If a member fails its health-check, it is removed from the set of eligible members for the rule.
   Correct: Health-check failure marks the member as dead, and it is not considered for traffic distribution.
D. Traffic from a single session can be split across multiple members for better performance.
E. Traffic is distributed based on session count to keep each link equally utilized.

Why: Option B is correct because the 'maximize-bandwidth' strategy in SD-WAN rules uses weighted load balancing, where the administrator assigns weights to each member link. The proportion of traffic each member handles is directly proportional to its assigned weight, allowing fine-grained control over bandwidth utilization across multiple WAN links.
Q6 (hard)

A FortiGate is deployed with two ISPs and SD-WAN. The organization uses OSPF to exchange routes with a remote branch. The administrator notices that the FortiGate is not installing OSPF-learned routes into the routing table. The OSPF configuration is verified to be correct, and neighbors are established. Which configuration could be causing the issue?

A. The SD-WAN health-check is configured with 'update-static-route' and is overriding OSPF routes.
B. The administrative distance of OSPF is set to 200, which is higher than the default 110.
C. A distribute-list configured under OSPF is filtering the routes from being installed.
   Correct: A distribute-list in OSPF can filter which routes are installed into the routing table, even if neighbors are up.
D. The OSPF interface is configured as 'passive', which prevents route exchange.

Why: Option C is correct because a distribute-list applied under OSPF can filter routes from being installed into the routing table even when OSPF neighbors are fully established and the OSPF database contains the routes. This is a common cause of routes being learned but not installed, as the filter operates after the SPF calculation and before route insertion.


Domain 2: Advanced VPN and Zero Trust

Q1 (medium)

A company is implementing Zero Trust Network Access using Fortinet's ZTNA solution. They have deployed a FortiGate as the ZTNA gateway and are using FortiClient as the ZTNA agent. Users report that they can initiate ZTNA connections but the connections drop after a few minutes. The FortiGate logs show that the ZTNA session is being terminated due to an endpoint compliance check failure. Which action should the administrator take to resolve this issue?

A. Review and adjust the endpoint compliance rules in FortiClient EMS.
   Correct: Adjusting compliance rules to match the actual endpoint state will allow the connection to persist.
B. Disable endpoint compliance checks on the FortiGate.
C. Increase the session timeout on the FortiGate ZTNA gateway.
D. Change the authentication method from certificate to LDAP.

Why: The correct answer is A because the FortiGate logs explicitly indicate that the ZTNA session is being terminated due to an endpoint compliance check failure. This means the FortiGate is enforcing compliance rules defined in FortiClient EMS, and when the endpoint fails those checks (e.g., missing antivirus updates, firewall disabled), the session is dropped. Reviewing and adjusting the compliance rules in EMS allows the administrator to align the requirements with the actual endpoint posture or correct the misconfiguration causing the failure.
Q2 (hard)

During a ZTNA deployment, an administrator notices that traffic from a specific internal application is being routed through the ZTNA gateway but is not reaching the destination server. The FortiGate policy allows the traffic, and the client has a valid ZTNA connection. What is the most likely cause of the issue?

A. The ZTNA proxy rule on the FortiGate is misconfigured, pointing to the wrong destination IP or port.
   Correct: A misconfigured proxy rule would cause traffic to be sent to the wrong destination.
B. The client's FortiClient agent is not connected to the EMS server.
C. The destination server does not have internet connectivity.
D. The FortiGate policy is set to deny traffic from the client's subnet.

Why: Option A is correct because in a ZTNA deployment, the FortiGate acts as a reverse proxy for internal applications. If the ZTNA proxy rule is misconfigured with an incorrect destination IP or port, the FortiGate will forward the traffic to the wrong backend server or service, causing the connection to fail even though the client has a valid ZTNA connection and the firewall policy permits the traffic.
Q3 (easy)

An organization is designing a Zero Trust Network Access solution with Fortinet. They want to ensure that only devices with up-to-date antivirus software can access sensitive applications. Which component is responsible for enforcing this requirement?

A. FortiAnalyzer
B. FortiClient EMS
   Correct: FortiClient EMS applies compliance rules and tags devices accordingly.
C. FortiAuthenticator
D. FortiGate ZTNA gateway

Why: FortiClient EMS is the correct component because it manages endpoint compliance policies, including antivirus status. It enforces the requirement by checking that devices have up-to-date antivirus software before issuing a ZTNA access token, which the FortiGate ZTNA gateway then validates to grant access.
Q4 (medium)

A company uses FortiGate ZTNA to provide remote access to an internal web application. The application requires client certificates for authentication. The administrator has configured the ZTNA rule to use certificate authentication. However, users report that they are prompted for credentials repeatedly. What is the most likely cause?

A. The user's password has expired.
B. The ZTNA rule is configured to use SAML authentication instead.
C. The client certificate is not trusted by the FortiGate.
   Correct: An untrusted certificate causes authentication failures.
D. The FortiClient EMS server is not reachable from the client.

Why: When a ZTNA rule is configured for certificate authentication, the FortiGate must trust the client certificate's issuing CA. If the CA certificate is not imported into the FortiGate's trusted CA list, the certificate chain validation fails, causing the authentication to be rejected and the client to be repeatedly prompted for credentials. This is the most common cause of repeated credential prompts in certificate-based ZTNA setups.
Q5 (easy)

In a Zero Trust Network Access architecture, which component acts as the policy enforcement point for access decisions?

A. FortiClient agent
B. FortiAnalyzer
C. FortiGate ZTNA gateway
   Correct: The FortiGate enforces access based on tags and policies.
D. FortiClient EMS

Why: In a Zero Trust Network Access (ZTNA) architecture, the FortiGate ZTNA gateway acts as the policy enforcement point (PEP). It terminates encrypted ZTNA tunnels from FortiClient agents, inspects traffic against configured access policies, and enforces decisions based on identity, device posture, and context. This is distinct from the control plane (FortiClient EMS) or logging (FortiAnalyzer).
Q6 (hard)

An administrator is troubleshooting a ZTNA connection issue where a user can access the ZTNA gateway but the connection to the internal application fails after a few seconds. The FortiGate logs show 'ZTNA session timeout' but the timeout value is set to 30 minutes. What could be the reason?

A. The internal application is not responding to the proxy request.
B. The ZTNA proxy idle timeout is set to a lower value than the global timeout.
   Correct: The proxy idle timeout can be configured separately and may be shorter.
C. The internal application has a 5-second timeout.
D. The client's FortiClient is not receiving the ZTNA tags.

Why: The ZTNA proxy has its own idle timeout setting that operates independently of the global timeout. Even though the global timeout is set to 30 minutes, if the per-proxy idle timeout is configured to a lower value (e.g., 30 seconds), the proxy will terminate the session after that idle period, logging 'ZTNA session timeout'. This explains why the connection fails after a few seconds despite the long global timeout.


Domain 3: Enterprise Firewall and VDOMs

Q1 (medium)

A network engineer wants to deploy a FortiGate in transparent mode and have it managed by FortiManager. The FortiGate should not participate in routing, but must be able to send logs to FortiAnalyzer. Which two settings must be configured on the FortiGate to achieve this?

A. Enable DHCP client on the management interface
B. Configure a management IP address on the FortiGate
   Correct: In transparent mode, the management IP is used for management and logging.
C. Enable NAT on the management interface
D. Add a static route to reach FortiManager and FortiAnalyzer
   Correct: A static route is needed for management traffic.
E. Set the interface IP address in the same subnet as the upstream router

Why: In transparent mode, the FortiGate operates as a Layer 2 bridge and does not participate in routing. However, to be managed by FortiManager and send logs to FortiAnalyzer, the FortiGate must have a management IP address (option B) so that it can be reached as a management endpoint. Additionally, a static route (option D) is required to direct traffic to the management and logging servers, since the FortiGate cannot rely on dynamic routing protocols in transparent mode.
Q2 (hard)

An organization is deploying multiple FortiGate devices across different geographic locations. The central IT team manages all devices from a single FortiManager. The remote FortiGates connect to FortiManager over a WAN link. Which feature should be enabled on FortiManager to ensure that configuration changes are applied consistently and without interruption to the remote FortiGates?

A. Enable auto-link configuration on the FortiManager
B. Use the 'Install on Next Reboot' option in the install wizard
   Correct: This ensures changes are applied after reboot, avoiding disruption.
C. Use 'Install Wizard' with 'Immediate Install' option
D. Enable 'Configuration Override' on the managed FortiGates

Why: Option B is correct because the 'Install on Next Reboot' option ensures that configuration changes are staged on the remote FortiGate and applied atomically when the device reboots. This prevents partial or inconsistent application over an unreliable WAN link, as the FortiManager pushes the full configuration revision to the device, which then applies it during the boot process without requiring a persistent management session.
Q3 (easy)

A company is implementing a Security Fabric with multiple FortiGate devices. They want to use FortiAnalyzer for centralized logging and FortiManager for centralized management. Which of the following is a prerequisite for adding a FortiGate to the Security Fabric?

A. The FortiGate must have FortiAnalyzer configured as a log device
B. The FortiGate's management IP must be configured via DHCP
C. The FortiGate must have network connectivity to the FortiManager
   Correct: Connectivity is required for management.
D. The FortiGate must be operating in transparent mode

Why: For a FortiGate to join a Security Fabric, it must have network connectivity to the FortiManager that manages the fabric. FortiManager acts as the fabric root or controller, and the FortiGate registers with it using the FortiManager IP or FQDN. Without this connectivity, the FortiGate cannot be added to the Security Fabric topology.
Q4 (medium)

A network administrator is troubleshooting a FortiGate that is not appearing in the Security Fabric topology on FortiManager. The FortiGate is reachable from FortiManager via ping. What is the most likely cause?

A. The FortiGate is not authorized in FortiManager
   Correct: Authorization is required for the device to appear in the fabric.
B. FortiAnalyzer is not configured on the FortiGate
C. SNMP community string is mismatched
D. The FortiGate firewall policy is blocking traffic to FortiManager

Why: For a FortiGate to appear in the Security Fabric topology on FortiManager, it must first be authorized in FortiManager. Even if the FortiGate is reachable via ping, without authorization, FortiManager will not accept its registration or include it in the topology view. This is a prerequisite step that must occur before any fabric communication can be established.
Q5 (hard)

An organization uses FortiManager to manage multiple FortiGate devices in a Security Fabric. The administrator wants to push a new firewall policy that includes an FQDN address object. Which statement is true regarding FQDN objects in FortiManager policies?

A. FQDN objects must be defined on each managed FortiGate individually
B. The FQDN resolution is done automatically every 60 seconds by FortiManager
C. FortiManager resolves the FQDN to IP addresses at installation time and updates the policy accordingly
   Correct: This ensures the FortiGate has the resolved IPs.
D. FQDN objects cannot be used in policies pushed from FortiManager

Why: When an administrator pushes a policy containing an FQDN address object from FortiManager, FortiManager resolves the FQDN to its current IP addresses at installation time. The resolved IPs are then written into the policy on the managed FortiGate, ensuring the policy is immediately effective without requiring the FortiGate to perform DNS resolution. This behavior is specific to FortiManager-managed policies and differs from locally configured FQDN objects on FortiGate.
Q6 (medium)

Which TWO statements about the Security Fabric and FortiManager are correct? (Choose two.)

A. FortiManager can manage multiple Security Fabrics.
   Correct: FortiManager can manage multiple fabrics.
B. FortiGate devices must be in transparent mode to join the fabric.
C. FortiAnalyzer must be deployed to use the Security Fabric.
D. The first FortiGate added to the Security Fabric becomes the root FortiGate.
   Correct: The first device is the root.
E. A FortiGate can be part of multiple Security Fabrics simultaneously.

Why: FortiManager can manage multiple Security Fabrics because it is designed as a centralized management platform that can oversee multiple independent FortiGate clusters or fabric topologies. Each Security Fabric is a logical grouping of FortiGate devices that share a common root FortiGate, and FortiManager can be configured to manage several such fabrics simultaneously, each with its own root and member devices, without requiring separate management servers.


Domain 4: Advanced Threat Protection

Q1 (easy)

A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?

A. Data Leak Prevention profile
B. Antivirus profile with SSL inspection
   Correct: Antivirus profiles can be configured with SSL inspection to detect malware in encrypted C2 traffic.
C. Web Filtering profile
D. Intrusion Prevention profile

Why: Option B is correct because an Antivirus profile with SSL inspection enabled is required to decrypt encrypted C2 (command-and-control) traffic so that FortiGate can inspect the payload for malware signatures, heuristics, and behavioral patterns. Without SSL inspection, the ATP engine cannot see inside the encrypted tunnel, rendering the antivirus and other security profiles ineffective against encrypted C2 communications.
Q2 (medium)

A network administrator notices that several endpoints are infected with ransomware despite having FortiGate ATP enabled. The logs show that the files were downloaded over HTTPS, and the antivirus profile did not detect them. What is the most likely reason?

A. SSL inspection was not enabled on the antivirus profile
   Correct: Without SSL inspection, encrypted traffic bypasses antivirus scanning.
B. Application control profile blocked the download
C. FortiSandbox was not configured to analyze the files
D. IPS signature database was outdated

Why: FortiGate ATP's antivirus engine cannot inspect encrypted HTTPS traffic unless SSL inspection is explicitly enabled on the antivirus profile. Without SSL inspection, the antivirus profile only sees encrypted payloads and cannot match file signatures or heuristics, allowing ransomware to pass undetected. The logs confirm files were downloaded over HTTPS, making this the most likely root cause.
Q3 (hard)

A security engineer is troubleshooting a scenario where FortiGate is not blocking a known malicious URL categorized as 'Malware'. The web filtering profile is configured with 'monitor all' for the Malware category. What change should be made to block the URL?

A. Configure traffic shaping to rate limit the URL
B. Add a static URL filter with the exact URL and action 'block'
C. Enable DNS filter with botnet C2 domain blocking
D. Change the action for Malware category from 'monitor' to 'block' in the web filter profile
   Correct: Setting the category action to 'block' will block all URLs in that category.

Why: The web filtering profile currently has the Malware category set to 'monitor all', which logs but does not block traffic. To block the URL, the action must be changed from 'monitor' to 'block' within the same web filter profile. This directly enforces the blocking action for all URLs categorized as Malware, including the known malicious URL.
Q4 (easy)

A company wants to detect and block phishing emails that contain malicious links. Which FortiGate security profile should be used?

A. Antivirus profile
B. Web Filtering profile
C. Data Leak Prevention profile
D. Email Filtering profile
   Correct: Email filtering can block phishing emails based on content and reputation.

Why: Option D is correct because FortiGate's Email Filtering profile is specifically designed to inspect SMTP, POP3, and IMAP traffic for phishing indicators, including malicious URLs in email bodies and attachments. It can block or quarantine emails based on URL reputation, sender authentication (SPF/DKIM/DMARC), and content analysis, directly addressing the requirement to detect and block phishing emails with malicious links.
Q5 (medium)

A FortiGate administrator receives alerts about a device communicating with a known botnet C2 server. The traffic is encrypted with TLS. Which ATP feature is most effective to block this communication?

A. Application control to block the C2 application
B. Antivirus profile with SSL inspection
C. IPS signature for botnet activity
D. DNS Filter with botnet C2 domain blocking
   Correct: DNS filter blocks resolution of known malicious domains, preventing communication.

Why: DNS Filter with botnet C2 domain blocking is the most effective because it proactively prevents the initial DNS resolution of the botnet's command-and-control domain, stopping the TLS handshake before it even begins. Since the traffic is encrypted with TLS, other security mechanisms like application control or IPS would require decryption to inspect the payload, which may not be feasible or configured. DNS Filter operates at Layer 7 without needing to decrypt the traffic, directly blocking the domain lookup based on FortiGuard's real-time threat intelligence.
Q6 (medium)

Which TWO features are part of FortiGate's Advanced Threat Protection (ATP) suite?

A. Data Leak Prevention (DLP)
B. SSL Inspection
C. FortiGuard Antivirus
   Correct: Part of ATP for malware detection.
D. FortiSandbox
   Correct: FortiSandbox is an ATP component for advanced analysis.
E. Intrusion Prevention System (IPS)

Why: FortiGate's Advanced Threat Protection (ATP) suite is designed to detect and block advanced, unknown, and zero-day threats. FortiGuard Antivirus (C) is a core ATP component that uses signature-based and heuristics-based scanning to detect known malware at the gateway. FortiSandbox (D) extends this by detonating suspicious files in a virtual environment to identify unknown threats, making both integral to the ATP suite.


Domain 5: Troubleshooting and Diagnostics

Q1 (medium)

A FortiGate administrator notices that traffic from a specific subnet is being dropped unexpectedly. The security policy allows the traffic, and there are no firewall policies blocking it. What is the most efficient first step to identify the cause of the drops?

A. Use the 'diag sniffer packet any "host 10.0.1.0/24" 4' command to capture packets and analyze where they are dropped.
   Correct: Packet sniffer with filter can capture the actual packets and show the drop reason in the output.
B. Run 'diagnose debug flow' with the source IP and look for 'no matching policy' or 'dropped' messages.
C. Enable 'deny-log' on all policies and check logs for the subnet.
D. Enable global traffic logging and review logs after some traffic passes.

Why: The 'diag sniffer packet any "host 10.0.1.0/24" 4' command captures packets at the kernel level before firewall processing, allowing you to see if traffic is reaching the FortiGate and where it is being dropped (e.g., due to reverse-path forwarding, session helper, or DoS policies). This is the most efficient first step because it provides immediate, low-level visibility into packet drops without requiring configuration changes or waiting for logs.
Q2 (hard)

An organization uses FortiGate with OSPF and BGP. Recently, routes from BGP are not being preferred over OSPF routes, causing suboptimal routing. The administrator wants to ensure BGP routes are preferred. Which two actions can achieve this? (Choose two.)

A. Decrease the administrative distance of BGP routes to 5.
   Correct: Decreasing BGP AD to 5 makes it more preferred over OSPF AD 110.
B. Configure route-map to set metric to 1 on BGP routes.
C. Increase the administrative distance of OSPF routes to 120.
   Correct: Increasing OSPF AD to 120 makes BGP (AD 20) more preferred.
D. Set a higher weight on BGP routes for the prefixes.

Why: Option A is correct because decreasing the administrative distance (AD) of BGP routes to 5 makes them more trustworthy than OSPF routes (default AD 110). Since a lower AD is preferred, BGP routes will be installed in the routing table over OSPF routes, ensuring BGP is preferred for forwarding decisions.
Q3 (easy)

A FortiGate is experiencing high CPU usage. The administrator runs 'diagnose sys top' and sees that the process 'ipsengine' is using the most CPU. What is the most likely cause?

A. The firewall is experiencing a memory leak.
B. A large volume of traffic is being inspected by IPS, possibly due to a DoS attack.
   Correct: IPS engine uses CPU for deep packet inspection; high volume or many signatures increases load.
C. The antivirus engine is scanning large files.
D. There is a routing loop causing packet bouncing.

Why: The ipsengine process handles Intrusion Prevention System (IPS) inspection. High CPU usage by ipsengine typically indicates that the FortiGate is processing a large volume of traffic through IPS signatures, which is computationally intensive. This is often triggered by a DoS attack or a sudden surge in traffic that requires deep packet inspection, overwhelming the CPU.
Q4 (medium)

An administrator is troubleshooting a VPN tunnel that is not coming up. The remote peer is a third-party device. Which THREE actions should be taken to diagnose the issue?

A. Ensure that the pre-shared key matches on both sides.
   Correct: Mismatched PSK is a common cause of tunnel failure.
B. Confirm that UDP ports 500 and 4500 are not blocked by any firewall.
C. Verify that the remote peer's IP address is reachable via ping.
   Correct: Basic connectivity must exist before IKE negotiation.
D. Check the IPSec VPN logs with 'diag debug application ike -1'.
   Correct: IKE debug shows detailed negotiation steps.
E. Review the routing table to ensure the remote subnet is reachable through the tunnel interface.

Why: Option A is correct because IPsec IKE (Internet Key Exchange) uses the pre-shared key (PSK) during authentication phase 1 (Main Mode or Aggressive Mode). If the PSK does not match on both peers, the IKE SA will fail to establish, and the VPN tunnel will not come up. This is a fundamental prerequisite for any IPsec VPN, and mismatched PSKs are a common misconfiguration.
Q5 (easy)

A FortiGate administrator sees the following kernel log: 'kernel: [pid 1234] received packet with unknown or unsupported protocol 0x0800 on interface port1, drop'. What does this log indicate?

A. The packet is an ARP request that failed.
B. The packet has an invalid MAC address.
C. The interface is not configured with an IP address or is in the wrong VDOM.
   Correct: The kernel drops packets when the interface is not configured to handle that protocol.
D. The packet has IP options set that are not supported.

Why: The kernel log indicates that the interface port1 received an Ethernet frame with EtherType 0x0800 (IPv4) but the FortiGate dropped it because the interface is either not configured with an IP address or is bound to the wrong VDOM. Without an IP address or proper VDOM assignment, the kernel cannot process the packet at Layer 3, so it logs the packet as having an 'unknown or unsupported protocol' even though 0x0800 is standard IPv4.
Q6 (hard)

Based on the debug flow output, what is the reason the packet is dropped?

A. The route to the destination is missing.
B. There is no firewall policy that matches the traffic.
   Correct: The message 'no matching policy' clearly states this.
C. The packet has an invalid source IP address.
D. The session table is full.

Why: The debug flow output indicates that the packet was dropped because no firewall policy matched the traffic. In FortiGate, even if a valid route exists, the packet must be evaluated against firewall policies; if no policy permits the traffic based on source, destination, service, and interface, the packet is silently dropped. The debug flow will show a message like 'no matching policy' or 'deny by policy' in such cases.


Frequently asked questions

How many questions are on the NSE7 exam?

The NSE7 exam has 30 questions and must be completed in 90 minutes. The passing score is 700/1000.

What types of questions appear on the NSE7 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are NSE7 questions organised by domain?

The exam covers 5 domains: Advanced Networking and SD-WAN, Advanced VPN and Zero Trust, Enterprise Firewall and VDOMs, Advanced Threat Protection, Troubleshooting and Diagnostics. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual NSE7 exam questions?

No. These are original exam-style practice questions written against the official Fortinet NSE7 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
