Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 175

1000 questions total · 14 pages · All types, answers revealed

Page 1 of 14

1 · MCQ · medium

A FortiGate with multiple VDOMs is configured for FSSO with Active Directory polling. Users in VDOM1 are authenticated correctly, but users in VDOM2 are not. What should be checked FIRST?

A.The DNS resolution for the domain controller in VDOM2
B.The firewall policy ordering in VDOM2
C.The FSSO collector agent settings for VDOM2
D.The LDAP server configuration in VDOM2
Answer: C

FSSO is configured per VDOM; VDOM2 needs its own FSSO agent definition.

Why this answer

The FSSO configuration (config user fsso, and in agentless polling mode the polling settings it relies on) lives inside each VDOM, not globally. If VDOM2 has no FSSO agent defined, or points at an agent or domain controller that never sends it logon events, its identity-based policies never see a logged-in user and the traffic falls through to a deny. Check that first, then confirm VDOM2 is actually receiving events with 'diagnose debug authd fsso list'; DNS, LDAP and policy order only matter once the logon feed exists.

2 · MCQ · easy

What is the function of Zero Trust Network Access (ZTNA) on a FortiGate?

A.It allows users to securely access internal applications without a VPN, based on identity and device posture
B.It replaces the firewall policy for all traffic
C.It encrypts all traffic between the FortiGate and the internet
D.It is a cloud-based subscription for antivirus updates
Answer: A

ZTNA enables granular, identity-based access to applications without traditional VPN.

Why this answer

ZTNA provides secure access to applications based on identity and device posture, without requiring a VPN.

3 · MCQ · hard

A FortiGate has two firewall policies: Policy ID 1 (source: 10.0.1.0/24, destination: 203.0.113.0/24, action: allow, NAT: enabled) and Policy ID 2 (source: 10.0.1.0/24, destination: all, action: allow, NAT: enabled, IP pool: pool1). A user from 10.0.1.10 sends traffic to 203.0.113.5. Which policy will the traffic match and why?

A.Both policies will be applied because the traffic matches both
B.Policy ID 2 because it has a broader destination and is more inclusive
C.Policy ID 1 because it is the first matching policy in the list
D.Neither policy; implicit deny will block the traffic
Answer: C

Policy lookup stops at the first match. Policy ID 1 matches both source and destination, and it is listed first.

Why this answer

Firewall policies are evaluated from top to bottom in the order they appear in the policy table, and the first policy whose interfaces, addresses, service and schedule all match is used. There is no best-match or most-specific selection, and the policy ID plays no part: IDs are assigned at creation and a policy can be moved anywhere in the list without changing its ID. Here Policy ID 1 is listed first and its destination 203.0.113.0/24 contains 203.0.113.5, so the session is created against Policy 1 with that policy's NAT settings (overload on the egress interface address). Policy 2 and its IP pool are never consulted for this flow.

Had Policy 2 been moved above Policy 1, the same traffic would match Policy 2 and be translated with pool1, which is why list order matters whenever policies overlap.
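The scenario as FortiOS CLI, added here as an example (not part of the question bank) to show that list position, not the policy ID, decides the match. Interface names (port2 = LAN, port1 = WAN), the address object names and pool1's address 198.51.100.10 are assumptions.

```fortios
# Added example, not from the question bank: the two overlapping policies from
# the scenario and how list position, not ID, decides the match. Interface
# names (port2 = LAN, port1 = WAN), object names and pool1's address
# 198.51.100.10 are assumptions.
config firewall address
    edit "LAN_10.0.1.0"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "DST_203.0.113.0"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall ippool
    edit "pool1"
        set type overload
        set startip 198.51.100.10
        set endip 198.51.100.10
    next
end
config firewall policy
    edit 1
        set name "lan-to-203.0.113.0"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_10.0.1.0"
        set dstaddr "DST_203.0.113.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "lan-to-any"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_10.0.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool1"
    next
end
# 10.0.1.10 -> 203.0.113.5 matches policy 1 (listed first) and is SNATed to
# port1's address. Reordering changes the result without touching any ID:
config firewall policy
    move 2 before 1
end
# Now the same flow matches policy 2 and is SNATed to 198.51.100.10.
# "show firewall policy" prints policies in evaluation order; read the order
# there rather than inferring it from the IDs.
```

When in doubt about which policy a real session hits, run a flow trace (diagnose debug flow) against the traffic; the trace names the policy that accepted the session and the NAT applied to it.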

4 · MCQ · hard

An administrator is configuring ZTNA (Zero Trust Network Access) on a FortiGate. The administrator needs to ensure that only clients with a valid posture assessment can access an internal application. Which access proxy setting must be configured to enforce this requirement?

A.Enable SSL deep inspection on the access proxy
B.Configure a ZTNA rule with a ZTNA tag requirement
C.Set the access proxy to use certificate-based authentication
D.Enable multi-factor authentication on the access proxy
Answer: B

ZTNA rules use tags to enforce security posture. The rule must be set to require a specific tag that is only assigned to compliant clients.

Why this answer

ZTNA uses access proxies to secure access. To enforce client posture assessment, the administrator needs to configure an access proxy with a ZTNA rule that includes a ZTNA tag matching the required posture. The tag is assigned by FortiClient EMS based on compliance.

The access proxy rule can then require that the client presents a valid ZTNA tag.

5 · MCQ · hard

An administrator configures a VIP for port forwarding: public IP 203.0.113.10 port 8080 to internal server 10.0.1.10 port 80. External users can connect to http://203.0.113.10:8080 but receive a timeout. The firewall policy allows traffic from any to the VIP on destination port 8080. The internal server is reachable from internal hosts. What is the most likely problem?

A.The internal server is not running a web server
B.The VIP is not associated with the policy
C.The policy destination service is set to HTTP (port 80) instead of port 8080
D.The source NAT is not configured
Answer: C

The policy service must match the port the client connects to on the VIP (8080, the VIP's external port), not the mapped port (80).

Why this answer

Option C is correct. FortiOS resolves the VIP (destination NAT) before the policy lookup, but the policy is still written in terms of what arrives from the outside: its destination is the VIP object and its service must cover the VIP's external port, 8080. A policy whose service is HTTP (TCP 80) never matches a SYN to port 8080, so the session falls to the implicit deny, is dropped silently, and the client sees a timeout rather than a reset. The VIP's mapped port (80) only describes where the FortiGate sends the packet after translation.

Exam trap

The trap is matching the service to the internal server's port (80) because that is what the VIP maps to. The port that matters for the policy is the one in the packet the client sent, 8080.

How to eliminate wrong answers

Option A is wrong because the server answers internal hosts, so the web service is running. Option B is wrong because the question states the policy already references the VIP as its destination; a VIP that no policy references (with central NAT disabled) is not applied to traffic at all, which would be a different failure. Option D is wrong because inbound port forwarding needs only destination NAT: reply packets are matched to the session and reverse-translated by the session table, with no SNAT setting required. One related cause worth ruling out in practice is the server's default gateway: if replies do not return through the FortiGate, the client also sees a timeout, but that is a routing problem rather than a policy setting.
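The port-forwarding VIP from the scenario with the broken policy beside the corrected one, added as an example (not part of the question bank). Interface names (port1 = WAN, port2 = DMZ), the object names and the custom service name are assumptions.

```fortios
# Added example, not from the question bank: the port-forwarding VIP from the
# scenario, the broken policy and the corrected one. Interface names
# (port1 = WAN, port2 = DMZ) and object names are assumptions.
config firewall vip
    edit "VIP_web_8080"
        set extip 203.0.113.10
        set extintf "port1"
        set portforward enable
        set mappedip "10.0.1.10"
        set protocol tcp
        set extport 8080
        set mappedport 80
    next
end
# A service for the external port; the built-in "HTTP" object is TCP/80.
config firewall service custom
    edit "TCP_8080"
        set tcp-portrange 8080
    next
end
config firewall policy
    # Broken: service HTTP (TCP/80) never matches a client SYN to port 8080,
    # so the flow hits the implicit deny and the client times out.
    edit 10
        set name "inbound-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP_web_8080"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
config firewall policy
    # Fixed: match the VIP's external port, the port the client connects to.
    edit 10
        set service "TCP_8080"
    next
end
# The kernel's view of the policy, including the VIP it references:
diagnose firewall iprope list 100000
```

A flow trace (diagnose debug flow) on a test connection from outside shows the DNAT line (203.0.113.10:8080 translated to 10.0.1.10:80) followed by the policy that accepted the session; with the broken service the trace ends at the implicit deny instead.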

6 · MCQ · medium

An administrator configures a policy route to force traffic from a specific source subnet to use a particular WAN interface. After applying the configuration, the traffic still uses the default route. What is the most likely cause?

A.The static default route has a lower administrative distance than the policy route
B.The FortiGate's VDOM is enabled and the policy route is in the wrong VDOM
C.The policy route's incoming interface is incorrectly configured
D.The policy route has a lower priority than the static default route
Answer: C

Policy routes are matched on the incoming interface (among other criteria); if the traffic enters on a different interface than the one in the rule, the policy route is skipped and the routing table decides.

Why this answer

A policy route is consulted before the routing table, but only when every criterion in it matches the packet: incoming interface, source and destination, protocol and ports, and ToS. The incoming interface is the one most often set wrong, for example the wrong physical port, a parent interface instead of the VLAN sub-interface the users actually sit on, or an aggregate member instead of the aggregate. When it does not match, the packet falls through to normal routing and leaves via the default route, exactly the symptom described. Two further checks a practitioner should make: the policy route needs the next-hop gateway address on the chosen outgoing interface, and FortiOS ignores a policy route whose outgoing interface is down or has no usable route in the routing table, again falling back to the default route. 'diagnose firewall proute list' shows the policy routes as the kernel holds them, including the input device each one expects.

Exam trap

The trap is treating a policy route like a static route that applies globally. It is a match-then-forward rule evaluated top down, and the incoming interface is part of the match.

How to eliminate wrong answers

Option A is wrong because administrative distance only ranks entries within the routing table; policy routes are consulted before the table and are never compared with it. Option B is wrong because a policy route can only be created inside the VDOM whose interfaces it references, so a rule naming the interfaces that carry this traffic cannot be sitting in another VDOM. Option D is wrong because there is no priority value ranking policy routes against static routes; if a policy route matches, it is used regardless of what the routing table holds.
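A policy route with the incoming-interface mistake described above and its correction, added as an example (not part of the question bank). The interface names (port3 with a VLAN sub-interface vlan20, wan2), the source subnet 10.0.2.0/24 and the gateway 198.51.100.1 are assumptions.

```fortios
# Added example, not from the question bank: a policy route meant to send
# 10.0.2.0/24 out of the second WAN link. Interface names (port3, vlan20, wan2),
# the subnet and the gateway 198.51.100.1 are assumptions.
config router policy
    # Broken: input-device names the parent port, but the users sit on the VLAN
    # sub-interface vlan20, so their packets never match this rule and follow
    # the routing table's default route instead.
    edit 1
        set input-device "port3"
        set src "10.0.2.0/255.255.255.0"
        set output-device "wan2"
        set gateway 198.51.100.1
    next
end
config router policy
    # Fixed: match the interface the traffic really arrives on. Leaving dst
    # unset means any destination.
    edit 1
        set input-device "vlan20"
    next
end
# Verify what the kernel holds, then confirm the chosen path with a flow trace.
diagnose firewall proute list
```

Policy routes are evaluated top down like firewall policies, so an earlier, broader rule can also capture the traffic; 'diagnose firewall proute list' shows them in that order.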

7 · MCQ · easy

A FortiGate administrator needs to allow inbound SSH access from the internet to a single internal server at IP 10.0.1.10. The public IP on the WAN interface is 203.0.113.5. Which type of object should be configured to map the public IP and port to the internal server?

A.IP Pool
B.Central NAT policy
C.Virtual IP (VIP)
D.Address object
Answer: C

A VIP maps a public IP and port to an internal IP and port for inbound traffic.

Why this answer

A Virtual IP (VIP) object is the correct choice because it specifically maps a public IP and port (203.0.113.5:22) to a private IP and port (10.0.1.10:22) for inbound destination NAT (DNAT). This allows external SSH traffic to reach the internal server by translating the destination address and port at the FortiGate WAN interface.

Exam trap

The trap here is that candidates often confuse IP Pools (used for source NAT) with Virtual IPs (used for destination NAT), leading them to select Option A when the question clearly requires inbound mapping.

How to eliminate wrong answers

Option A is wrong because an IP Pool is used for source NAT (SNAT) to translate the source IP of outbound traffic, not for inbound destination mapping. Option B is wrong because Central NAT policy is a centralized method to define NAT rules, but it still requires a VIP object to specify the destination translation; it is not the object itself. Option D is wrong because an Address object only defines a network or host IP for policy matching, but it does not provide the port mapping or translation functionality needed for inbound access.

8 · MCQ · medium

An administrator runs 'diagnose firewall iprope list 100000' and sees 'action=deny' entries for traffic that should be allowed. The policy list shows an allow policy with ID 1 for that traffic. What is the most likely cause of the deny?

A.The traffic is being blocked by a local-in policy
B.The implicit deny rule is being triggered because the policy is disabled
C.The firewall policy is not installed in the kernel due to an error
D.A security profile is dropping the traffic after the policy matches
Answer: C

Why this answer

'diagnose firewall iprope list 100000' prints the policy table as the kernel holds it (group 100000 is the forwarding policy lookup). The list always ends with the implicit deny entry, so a deny entry on its own is normal; the problem is when the allow policy expected for that traffic is missing from the kernel list, or carries different match fields than the configuration shows, so the traffic falls to the deny entry. That is what option C describes: the policy exists in the configuration but was not applied correctly to the kernel table. In practice, compare the kernel entry with 'show firewall policy 1' (interfaces, addresses, services, schedule) and run a flow trace ('diagnose debug flow') against the real traffic; the trace names the policy that actually matched, or prints 'Denied by forward policy check (policy 0)' for the implicit deny.

Exam trap

The trap is assuming the policy list in the GUI or 'show firewall policy' is the same thing as what the kernel matches against. Fortinet wants candidates to know there is a kernel-side view and how to read it.

How to eliminate wrong answers

Option A is wrong because local-in policies govern traffic addressed to the FortiGate itself (its own interface addresses, for management, VPN termination and similar), not traffic passing through it, and they are kept in a separate table. Option B is wrong because a disabled policy is shown as disabled in the configuration, and the question says the list shows an enabled allow policy; the implicit deny only applies when no enabled policy matches. Option D is wrong because security profiles act after the policy has already accepted the session; their verdicts show up as UTM log events (blocked, reset), not as a deny action on the policy entry in the iprope list.

9 · MCQ · medium

An administrator needs to block all traffic from an application that uses a proprietary protocol not recognized by any application signature. Which security profile method should be used to block this traffic?

A.Create an application control profile and add a custom application signature
B.Use a web filter profile to block by URL
C.Use an IPS profile with a custom signature based on protocol anomalies
D.Use a data leak prevention (DLP) profile to match on data patterns
Answer: C

IPS custom signatures can match on protocol anomalies or specific byte patterns, so the engine can block traffic that no built-in signature identifies.

Why this answer

Option C is correct: a custom IPS signature written in Fortinet's signature syntax (for example matching a fixed byte sequence at the start of the payload on the protocol's port) lets the IPS engine identify and block the proprietary protocol without a predefined signature. FortiOS also accepts custom application control signatures in the same syntax, so in practice either engine can do the job; the question wants the IPS answer, and IPS is the right choice when the distinguishing feature is a protocol anomaly rather than an application identity. Web filter and DLP (options B and D) act on URLs and file or message content, not on an unknown wire protocol.

10 · MCQ · hard

An administrator is troubleshooting an IPsec VPN that fails to establish Phase 2. The Phase 1 is up. The administrator runs 'diagnose vpn ike log' and sees the message 'no matching phase2 proposal found'. What is the MOST likely cause?

A.Pre-shared key mismatch
B.IKE version mismatch (IKEv1 vs IKEv2)
C.Phase 1 encryption algorithm mismatch
D.Phase 2 proxy ID mismatch
Answer: D

Phase 2 negotiates the local and remote selectors (proxy IDs) together with the ESP transforms; a mismatch on the selectors fails the child SA while Phase 1 stays up.

Why this answer

Phase 2 carries the traffic selectors (the proxy IDs in IKEv1, TSi/TSr in IKEv2) and the ESP proposal. If the remote peer expects different subnets, for example 10.0.0.0/16 on one side and 10.0.1.0/24 on the other, the proposal it receives has nothing to match and the negotiation fails with a message like this one, exactly while Phase 1 remains established. Options A to C are Phase 1 parameters; any of them would have stopped Phase 1 from coming up in the first place. The same symptom also appears when the ESP encryption or hash set differs, so compare both the selectors and the phase2 proposals on each side, using 'diagnose vpn tunnel list' for the configured selectors and 'diagnose debug application ike -1' for what the peer actually proposed.

11 · MCQ · easy

An administrator needs to block access to specific websites based on their FQDN (e.g., *.example.com). The FortiGate should match the destination domain regardless of the IP address the domain resolves to. Which type of address object should the admin use in the firewall policy destination?

A.Geography object
B.Subnet object
C.Wildcard FQDN object
D.FQDN object
Answer: C

A wildcard FQDN object matches patterns such as *.example.com and is populated from the DNS answers the FortiGate observes.

Why this answer

Option C is correct. A wildcard FQDN address is resolved by DNS snooping: the FortiGate watches DNS responses that pass through it, and every answer whose name matches the pattern adds the returned IP addresses to the object. The policy therefore follows whatever *.example.com resolves to, without the administrator listing addresses. The match is still made on the destination IP of the session; address objects do not read the TLS SNI or the HTTP Host header (that is the job of web filtering). Two caveats matter in practice: the clients' DNS traffic must be visible to the FortiGate (a client using DNS over HTTPS, or a resolver path that bypasses the firewall, never populates the object), and the object is empty until the first matching lookup has been seen. 'diagnose firewall fqdn list' shows the addresses currently held.

Exam trap

The trap is assuming a standard FQDN object accepts a wildcard. It does not: a standard FQDN object is resolved by the FortiGate's own DNS queries for that exact name, refreshed according to the record's TTL, and cannot express *.example.com.

How to eliminate wrong answers

Option A is wrong because a Geography object matches on the country an IP address is registered to, not on a name. Option B is wrong because a Subnet object is a fixed IP or range and cannot follow a name that resolves to changing addresses. Option D is wrong because a standard FQDN object resolves one exact name; it does track address changes over the record's TTL and can hold several A records, but it has no wildcard support, so it cannot cover every host under example.com.

12 · MCQ · hard

An administrator configures a DLP profile to detect credit card numbers in email traffic. The DLP rule uses a regular expression. However, the DLP sensor is not triggering on emails containing credit card numbers. What is a likely reason?

A.SSL deep inspection is not enabled on the policy
B.The regular expression is case-sensitive and credit card numbers are lowercase
C.The DLP sensor is configured to 'monitor' only
D.The DLP profile is applied to the inbound policy only
Answer: A

Email sent over TLS (SMTPS, or SMTP with STARTTLS) is encrypted. Without SSL deep inspection the FortiGate sees only ciphertext, and no DLP rule can match.

Why this answer

DLP inspects the decrypted content of a session. Mail clients and servers negotiate TLS almost universally (SMTPS on 465, STARTTLS on 25 and 587, HTTPS for webmail), so the policy that carries the DLP profile must also carry an SSL/SSH inspection profile in deep inspection mode, with the FortiGate's CA trusted by the clients. Option C would still produce log entries, which the question says are absent. Option B is irrelevant because card numbers contain no letters for case sensitivity to act on. Option D has the direction backwards: the profile must be on the policy the outbound mail actually matches. Once decryption is in place, the DLP log should show 'monitor' or 'block' events for test messages.

13 · MCQ · easy

An administrator wants to monitor real-time traffic flows on a FortiGate, specifically to see packet details for traffic matching certain criteria. Which command should the administrator use to capture live packets on an interface?

A.diagnose sniffer packet
B.diagnose debug enable and diagnose debug flow trace
C.diagnose sys session list
D.execute system grep from CLI
Answer: A

'diagnose sniffer packet' captures and prints packet headers (and, at higher verbosity, payload) in real time on a named interface or on 'any'.

Why this answer

'diagnose sniffer packet' is the built-in packet capture. Its arguments are the interface, a tcpdump-style filter in quotes, a verbosity level (1 to 6; 4 prints headers with the interface name, 6 adds the full payload with interface names), a packet count and an optional timestamp format (a for absolute, l for local time), for example: diagnose sniffer packet any 'host 10.0.0.1 and port 443' 4 10 l. Option B is the flow trace, which reports the decisions the FortiGate makes for a packet (route, policy, NAT) rather than the packets themselves; the two are complementary when troubleshooting. Option C lists existing sessions, and option D is not a FortiOS command.
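A capture of one flow followed by a flow trace of the same flow, added as an example (not part of the question bank). The host 10.0.1.10 and port 443 are assumptions.

```fortios
# Added example, not from the question bank: capturing a flow and then tracing
# the FortiGate's decisions for it. Host 10.0.1.10 and port 443 are assumptions.

# 1. Packet capture on any interface: headers with interface names (verbosity 4),
#    stop after 20 packets, local timestamps.
diagnose sniffer packet any 'host 10.0.1.10 and port 443' 4 20 l

# 2. Flow trace: start clean, filter to the same flow, show the kernel function
#    names, trace 10 packets, then switch the debug output on.
diagnose debug reset
diagnose debug flow filter addr 10.0.1.10
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
#    Generate the traffic now. The trace prints lines such as "find a route",
#    "Allowed by Policy-<id>" or "Denied by forward policy check (policy 0)",
#    plus any DNAT or SNAT applied to the session.

# 3. Always switch debugging off and clear the filters when finished.
diagnose debug disable
diagnose debug reset
```

Use the sniffer to answer "did the packet arrive and did it leave, and on which interface", and the flow trace to answer "what did the FortiGate decide to do with it"; a packet visible on the ingress interface but absent from the egress interface is the cue to read the trace.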

14 · MCQ · hard

A FortiGate is configured in an HA active-passive cluster. When the active unit fails, the passive unit takes over, but IPsec VPN tunnels fail to re-establish. The configuration is synchronized. What is the most likely cause?

A.The pre-shared key is different on the two units.
B.The firewall policies for VPN traffic are not synchronized.
C.The HA heartbeat interface is down.
D.The IPsec VPN is using the physical interface IP instead of a virtual IP (VIP) or floating IP.
Answer: D

The tunnel must terminate on an address that moves with the primary unit. If it is bound to an address that belongs to one unit only, the peer loses its gateway at failover.

Why this answer

In an FGCP cluster the configuration, including the interface addresses, is synchronised; the primary answers on the cluster's interface IPs and virtual MACs, and the IKE and IPsec SAs are synchronised to the secondary. A tunnel terminated on a normal cluster interface therefore survives a failover, or at worst re-keys, and the peer never sees a new address. What breaks the tunnel is terminating it on an address unique to one member rather than owned by the cluster: for example an interface reserved for HA management (each unit keeps its own address there and it is not synchronised), or a design such as FGSP or VRRP in which each unit has its own WAN address and nothing moves the peer's gateway address to the survivor. After the failover the remote peer keeps sending IKE to an address that no longer answers, so the tunnel never re-establishes.

Use an address the cluster owns (a shared cluster interface address, or the floating/virtual address in designs where the units keep distinct addresses) as the VPN endpoint. Verify with 'get system ha status' that both units are in sync, and with 'diagnose vpn ike gateway list' on the new primary which local address the gateway is using.

15 · Multi-Select · easy

A FortiGate admin wants to enforce safe search on Google and Bing for all users. The firewall policy has web filtering enabled. Which TWO configurations are required?

Select 2 answers
A.Install a custom CA certificate on client browsers
B.Use an application control profile to block non-safe search applications
C.Enable SSL deep inspection
D.Configure a URL filter to rewrite search URLs to include safe search parameters
E.Enable 'Safe Search' in the web filter profile's FortiGuard settings
Answers: C, E

Safe Search is a web filter profile setting, and because the search engines are HTTPS-only it needs SSL deep inspection to act.

Why this answer

Options C and E are correct. Safe Search is enabled per web filter profile under the search engine options ('Enforce Safe Search on Google, Bing, YouTube' in the GUI). The FortiGate enforces it by rewriting the search request to add the provider's safe-search parameter, which it can only do when it can read the request, so the policy that carries the web filter must use an SSL inspection profile in deep inspection mode. Installing the FortiGate's CA on the clients (Option A) follows from deep inspection, but it is a client-side step rather than a FortiGate configuration. There is no URL filter action that rewrites URLs (Option D), and application control (Option B) can block search engines but cannot change the results they return. The alternative that avoids deep inspection is the DNS filter profile's Safe Search option, which answers queries for the search engines with the providers' safe-search addresses instead.

16 · Multi-Select · hard

A company wants to implement SSL VPN split tunneling to allow remote users to access both internal resources and the internet directly. Which three configurations are required on the FortiGate?

Select 3 answers
A.Assign a public IP address to the SSL VPN interface
B.Configure a firewall policy allowing the SSL VPN interface to the internet interface with NAT enabled
C.Create a routing policy on the SSL VPN settings to define which subnets are tunneled
D.Configure a static route on the FortiGate to send all traffic through the SSL VPN tunnel
E.Set the SSL VPN tunnel mode client configuration to enable split tunneling
Answers: B, C, E

With split tunneling only the routes pushed to the client are tunnelled; everything else, including internet traffic, leaves the client directly.

Why this answer

Split tunneling is a property of the SSL VPN portal assigned to the user group: enable it on the tunnel-mode portal (E) and list the destination subnets to be tunnelled as the portal's split-tunneling routing address (C). The client installs routes only for those destinations, so internet-bound traffic uses the client's own connection. A firewall policy from the SSL VPN interface (ssl.root) is still required for the tunnelled traffic to be accepted (B); note that in a split-tunnel design that policy points at the internal interfaces, and a policy from ssl.root to the WAN interface with NAT is only exercised if internet destinations are among the tunnelled routes (a full-tunnel design, or a negated split-tunnel list that tunnels everything except the listed subnets). A static default route into the tunnel (D) would defeat what split tunneling is meant to achieve, and the SSL VPN listens on an existing interface address (A), not on an address of its own.
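A split-tunnel portal that tunnels only one internal subnet, together with the policy that accepts the tunnelled traffic, added as an example (not part of the question bank). Interface names (port1 = WAN, port2 = LAN), the group "sslvpn-users", the pool 10.212.134.200-210 and the object names are assumptions.

```fortios
# Added example, not from the question bank: a split-tunnel SSL VPN portal that
# tunnels only 10.0.1.0/24. Interface names (port1 = WAN, port2 = LAN), the
# group "sslvpn-users", the pool range and the object names are assumptions.
config firewall address
    edit "LAN_10.0.1.0"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL"
        # Only these destinations are pushed to the client as tunnel routes;
        # everything else, including the internet, leaves the client directly.
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_10.0.1.0"
    next
end
config vpn ssl settings
    set source-interface "port1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_POOL"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "split-portal"
        next
    end
end
# The policy that accepts the tunnelled traffic. No ssl.root -> port1 policy is
# created, so VPN clients cannot use the office link as an internet exit.
config firewall policy
    edit 0
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "LAN_10.0.1.0"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Keep the routing address list as small as the business need allows: every subnet listed there is reachable from whatever network the remote client is sitting on, so split tunneling is also the place to limit what a compromised home network can reach.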

17 · MCQ · medium

You run the following command on a FortiGate: diagnose vpn ike gateway list. The output shows a gateway with state=DOWN. What is the most likely cause?

A.The remote peer is not reachable or is blocking IKE traffic
B.The pre-shared key is correct but expired
C.The IPsec Phase 2 parameters are mismatched
D.The local certificate is not trusted by the remote peer
Answer: A

If the remote peer is unreachable there is nothing to negotiate with. Check routing to the peer and that UDP 500 and 4500 are allowed along the path.

Why this answer

state=DOWN in the gateway list means no IKE SA exists. Parameter problems (PSK, proposals, certificates) can only be detected once the two peers exchange packets, so the first thing to establish is whether the peer answers at all: routing to it, UDP 500 and 4500 permitted on the path and on the peer, and, for a dialup peer, that the correct side is initiating. 'diagnose debug application ike -1' makes the difference obvious: an unreachable peer shows repeated IKE_SA_INIT (or main mode) retransmissions with no reply, while a PSK or proposal problem shows the peer replying with an error notification. A Phase 2 mismatch (option C) would leave Phase 1 established and the gateway up.

18 · MCQ · medium

A FortiGate administrator notices that after upgrading the firmware, the HA cluster fails to form. Both units show the correct HA configuration. What is the most likely cause?

A.The HA heartbeat interfaces are not connected
B.The HA mode is set to active-active on one unit and active-passive on the other
C.The firmware versions are different on the two units
D.The HA priority values are identical
Answer: C

A firmware mismatch is the usual cause after upgrading only one unit.

Why this answer

FGCP requires every member to run the same firmware build (and the same model, HA group name and password) before it will join the cluster. After upgrading one unit in place, the units no longer match and the cluster does not form until the second unit is brought to the same version. 'get system ha status' on each unit shows the version and why a peer is not joining. The other options describe conditions that exist regardless of an upgrade; heartbeat cabling, HA mode and priorities do not change when the firmware does.

19 · MCQ · hard

You set a session filter with 'diagnose sys session filter dport 443' and then run 'diagnose sys session list'. One entry contains: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A.The session is a TCP session that has been active for 1 hour and will expire in about 1 hour
B.The session is a TCP session that has been active for 1 hour and will expire immediately
C.The session is a UDP session that has been idle for 3600 seconds
D.The session is an ICMP session with a short timeout
Answer: A

proto=6 is TCP, duration=3600 is the session's age in seconds (1 hour), and expire=3599 is the time left before the session is removed if no further packets arrive, here about 1 hour.

Why this answer

proto=6 is the IP protocol number for TCP (17 would be UDP, 1 ICMP). For TCP sessions the two digits of proto_state encode the state seen on each side of the connection, and 01 is an established connection. duration counts up from session creation; expire counts down from the session TTL (3600 seconds by default for established TCP) and is reset by every packet, so a value just under 3600 means traffic passed through the session a moment ago. Option B confuses expire with a remaining time of zero, and options C and D pick the wrong protocol number.

20 · MCQ · medium

You run 'get system performance status' and see CPU usage at 95% with high context switch rate. The FortiGate is not passing any traffic. What is the most likely cause?

A.A routing loop is causing continuous packet processing
B.The FortiGate is under a DDoS attack
C.The antivirus engine is updating signatures
D.The FortiGate is in transparent mode
Answer: A

Even with no traffic, a misconfigured route can cause kernel loops that consume CPU.

Why this answer

A routing loop causes the FortiGate to continuously process and re-process packets as they are forwarded in a cycle between routers, leading to high CPU usage and context switch rates. The loop prevents traffic from being successfully delivered, resulting in zero traffic passing through the FortiGate. This matches the observed symptoms of 95% CPU usage and high context switching.

Exam trap

The trap here is that candidates often associate high CPU usage with a DDoS attack, but the key clue is the high context switch rate combined with zero traffic passing, which points to a routing loop rather than a flood of traffic.

How to eliminate wrong answers

Option B is wrong because a DDoS attack would typically cause high CPU usage and packet drops, but the FortiGate would still pass some legitimate traffic or at least process packets; the complete inability to pass traffic is more characteristic of a routing loop. Option C is wrong because antivirus signature updates are a background process that may cause a temporary CPU spike but not sustained 95% usage with high context switching, and they do not prevent all traffic from passing. Option D is wrong because transparent mode does not inherently cause high CPU usage or context switching; it is a Layer 2 forwarding mode that should not impact performance in this way.

21 · MCQ · medium

A company has a FortiGate 200F with FortiOS 7.2 and two ISPs (WAN1: 100 Mbps, WAN2: 50 Mbps). The company uses SD-WAN to load balance outbound internet traffic. Recently, the company added a new VoIP application that requires low latency and jitter. The administrator configured an SD-WAN rule to match the VoIP traffic and set the strategy to 'best quality' with a performance SLA measuring latency and jitter. However, after testing, the VoIP traffic is still using WAN2 (the slower link) even when WAN1 has lower latency. The performance SLA shows both links meeting the SLA thresholds. What is the most likely reason?

A.The 'best quality' strategy uses bandwidth as a tiebreaker when SLA is met.
B.The VoIP traffic is being offloaded by NPU bypassing SD-WAN.
C.The administrator needs to enable 'set internet-service enable' on the rule.
D.The SD-WAN rule is not matching the VoIP traffic correctly.
Answer: A

Fortinet's best-quality strategy does not move traffic to the link with the lowest latency on every measurement; members whose cost differs by less than the link-cost-threshold are treated as equal, and the rule stays on the member it is using.

Why this answer

Option A is the answer this question bank expects. In the 'best quality' (priority) strategy the SLA thresholds play no part in member selection; they are used by the 'lowest cost (SLA)' strategy. Instead the rule ranks the members on a single link-cost-factor (latency, jitter, packet loss, available bandwidth or a custom profile). Members whose measurements differ by less than the rule's link-cost-threshold (10% by default) are treated as equal, and among equal members the rule keeps the member it is already using rather than flapping to a marginally better one. So VoIP staying on WAN2 while WAN1 reports slightly lower latency is expected when the difference is inside the threshold. To let latency decide, lower the threshold on the rule ('set link-cost-threshold') or place WAN1 first in the member list so it is preferred when the members are equal; 'diagnose sys sdwan service' shows the member each rule is currently using and its measured cost.

Exam trap

The trap is assuming 'best quality' always moves traffic to the link with the best metric. The strategy deliberately ignores small differences and sticks with its current member, and the SLA thresholds the administrator checked are not part of this decision.

How to eliminate wrong answers

Option B is wrong because NPU offload takes effect after the SD-WAN rule has chosen the egress member; it accelerates the forwarding decision, it does not bypass it. Option C is wrong because internet-service matching is one way of identifying traffic in a rule, not something that changes how members are chosen; the question says the VoIP traffic is already matched. Option D is wrong because the question states the rule matches the traffic and the health check reports both members; the issue is member selection, not matching.

22 · MCQ · hard

A company has a FortiGate at headquarters running FortiOS 7.2 and a remote office with a FortiGate 60F running FortiOS 7.0. They have an IPsec VPN tunnel between them for site-to-site connectivity. Recently, the remote office upgraded their FortiGate from 6.4 to 7.0. After the upgrade, the VPN tunnel is down. The Phase 1 status shows 'negotiating' but never completes. The administrator has verified that the pre-shared key, IKE version (IKEv2), and authentication method are the same on both sides. The Phase 1 proposal on the headquarters is: encryption: AES256, SHA256, DH group 14, lifetime 86400. The remote office uses: encryption: AES256, SHA1, DH group 14, lifetime 86400. What is the most likely cause of the failure?

A.The DH group is different; headquarters uses group 14, remote uses group 5.
B.The Phase 1 hash algorithm differs; headquarters uses SHA256, remote uses SHA1.
C.The IKE version is mismatched; headquarters uses IKEv2 and remote uses IKEv1.
D.The pre-shared key is incorrect after the upgrade.
Answer: B

The IKEv2 proposals must share at least one complete transform set; here the integrity/PRF algorithm differs.

Why this answer

In IKEv2 the IKE_SA_INIT request carries the initiator's proposal list (encryption, integrity, PRF and DH group), and the responder must select one complete transform set from it. Headquarters offers AES256 with SHA256; the remote offers AES256 with SHA1. With no common set the responder answers NO_PROPOSAL_CHOSEN and the initiator keeps retrying, which is why the gateway sits in 'negotiating' instead of coming up. The upgrade to 7.0 is the likely moment the remote's proposal list changed. The fix is to make the lists overlap: add aes256-sha256 on the remote (in front of the SHA1 entry, and drop SHA1 once both sides support SHA256) rather than weakening headquarters to SHA1. 'diagnose debug application ike -1' on either side shows the proposal lists exchanged and the NO_PROPOSAL_CHOSEN reply.

Exam trap

The trap is stopping the comparison once the PSK, IKE version and authentication method match. A Phase 1 proposal is the full tuple of encryption, hash/integrity, DH group (and in IKEv2 the PRF); any element without a match on the other side blocks the IKE SA.

How to eliminate wrong answers

Option A is wrong because the question states DH group 14 on both sides. Option C is wrong because IKEv2 was verified on both sides. Option D is wrong because the PSK was verified and, in IKEv2, a wrong PSK only fails later, in the IKE_AUTH exchange with an AUTHENTICATION_FAILED notification, after IKE_SA_INIT has already succeeded; a proposal mismatch fails before that point.
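The headquarters phase 1 and a corrected remote phase 1 whose proposal list overlaps it, added as an example (not part of the question bank). The tunnel names, interface names (port1 at headquarters, wan1 at the remote office), the peer addresses 203.0.113.2 and 198.51.100.1 and the placeholder PSK are assumptions.

```fortios
# Added example, not from the question bank: the headquarters phase 1 and the
# remote phase 1 before and after the fix. Tunnel names, interfaces, the peer
# addresses 203.0.113.2 / 198.51.100.1 and the PSK value are assumptions.

# Headquarters (FortiOS 7.2): AES256 with SHA256, DH group 14, IKEv2.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.2
        set psksecret "replace-with-a-long-random-secret"
    next
end

# Remote office (FortiOS 7.0) before the fix: "set proposal aes256-sha1" leaves
# no transform set in common, IKE_SA_INIT is answered with NO_PROPOSAL_CHOSEN
# and the gateway stays in negotiation.
# After the fix: add the stronger transform in front instead of downgrading
# headquarters to SHA1; the SHA1 entry can be removed once nothing needs it.
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256 aes256-sha1
        set dhgrp 14
        set remote-gw 198.51.100.1
        set psksecret "replace-with-a-long-random-secret"
    next
end

# Check from either side: gateway state, then the IKE debug for the exchange.
diagnose vpn ike gateway list name to-hq
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
```

Keep the order of the proposal list deliberate: the responder picks from the initiator's list, so putting the preferred transform first is what makes both peers settle on SHA256 even while SHA1 is still present for compatibility.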

23 · MCQ · medium

An administrator wants to block all traffic to websites in the 'Pornography' category but allow an exception for a specific research site that falls under that category. The FortiGuard category is set to block. How should the administrator configure the exception?

A.Set the FortiGuard category to 'Monitor' and create a URL filter to block all other sites
B.Add a URL filter entry with the site's domain set to 'Allow'
C.Use the DNS filter to allow the site's FQDN
D.Add the site to the FortiGuard category override list with action 'Allow'
Answer: B

Static URL filter entries are evaluated before the FortiGuard category rating, so an entry for the research site takes effect before the category block is considered.

Why this answer

Within a web filter profile the static URL filter is checked first, then the FortiGuard category rating. Adding the site to the URL filter with a permissive action therefore lets it through although its category is blocked. One caveat from Fortinet's own description of the actions: 'Allow' passes the request on to the remaining web filter checks, whereas 'Exempt' bypasses the FortiGuard rating (and the remaining web filter, antivirus and DLP proxy checks) altogether. If an Allow entry does not clear the block in your environment, change it to Exempt. Option D describes a rating override, which assigns the URL a different category rather than exempting it; Option C moves the decision to a DNS filter profile, which only acts on DNS lookups; Option A inverts the whole design.

24 · MCQ · easy

Which command is used to back up the FortiGate configuration to a TFTP server?

A.save config tftp <filename> <server_ip>
B.backup tftp config <filename> <server_ip>
C.execute backup config tftp <filename> <server_ip>
D.copy config tftp <filename> <server_ip>
Answer: C

Correct CLI syntax.

Why this answer

The command is 'execute backup config tftp <filename> <server_ip> [<password>]'. FortiOS uses the 'execute' branch for operational tasks (backups, restores, reboots, pings), and 'backup config tftp' exports the configuration to the named TFTP server. The optional password encrypts the file, which is worth using because the configuration contains administrator credentials, pre-shared keys and private keys; 'execute backup full-config tftp ...' exports the full configuration including default values. TFTP itself is cleartext and unauthenticated, so use it only over an isolated management network, or back up via SFTP/SCP or FortiManager instead. The other options use syntax the FortiGate CLI does not recognise.

Exam trap

The trap here is that candidates familiar with Cisco IOS may mistakenly choose 'copy config tftp' (Option D), which is valid for Cisco but not for FortiGate, where the correct syntax requires 'execute backup config tftp'.

How to eliminate wrong answers

Option A is wrong because 'save config tftp' is not a valid FortiGate command; the correct syntax uses 'execute backup' rather than 'save'. Option B is wrong because 'backup tftp config' reverses the order of keywords and omits 'execute', which is required for operational commands in FortiGate. Option D is wrong because 'copy config tftp' is a Cisco IOS command, not a FortiGate command; FortiGate uses 'execute backup config tftp' for this purpose.

25 · MCQ · medium

An administrator configures an IPS profile with a signature that has a 'block' action. However, traffic matching the signature is only being logged and not blocked. What is the most likely reason?

A.The IPS profile is applied to the inbound policy only
B.The firewall policy is set to 'accept' but logging is disabled
C.The FortiGate is operating in flow-based inspection mode
D.The signature's action is set to 'monitor' in the IPS sensor
Answer: D

If the signature's entry in the IPS sensor is set to 'monitor', the engine only logs matches, whatever the signature's default action says.

Why this answer

Each entry in an IPS sensor carries its own action: 'default' (use the signature's built-in action), 'pass', 'block', 'reset', 'quarantine', or 'monitor' in the GUI (pass with logging). A sensor entry set to 'monitor' overrides the signature's block action and produces log entries only, which is exactly the symptom. When checking, also confirm that the sensor in question is the one attached to the policy the traffic actually hits, and that no other entry in the same sensor (for example a broad filter on severity or target) also covers the signature with a monitor action. Option C is wrong because IPS is fully supported in flow-based inspection; options A and B do not produce a log-only outcome.

26 · Multi-Select · medium

A FortiGate administrator is configuring IPS to protect against a known exploit targeting a web server. The administrator wants to ensure that the IPS engine can decode the HTTP protocol. Which TWO actions are necessary?

Select 2 answers
A.Enable the HTTP protocol decoder in the IPS sensor
B.Configure an IP pool for the web server
C.Enable SSL deep inspection on the firewall policy
D.Set the IPS action to 'block'
E.Disable the FTP protocol decoder
Answers: A, C

The engine must be able to parse the HTTP exchange: that means the HTTP decoder and, for HTTPS, decrypted traffic to feed it.

Why this answer

IPS signatures for web server exploits are written against decoded HTTP fields (method, URI, headers, body), so the HTTP protocol decoder has to be active for them to fire (A). In current FortiOS the protocol decoders are applied automatically by the IPS engine rather than toggled per sensor, so option A is satisfied by default; in older releases they were listed in the sensor. What the administrator must actually configure is option C: if the web server is reached over HTTPS, the policy needs SSL deep inspection so the decoder sees plaintext, and for an inbound policy protecting your own server that means an SSL inspection profile in 'protecting SSL server' mode with the server's certificate and key loaded (certificate inspection is not enough). Options B and E are unrelated, and option D sets what happens after a match, not whether the traffic can be parsed.

27 · MCQ · hard

A FortiGate configured with IPS anomaly detection is generating false positives for the 'tcp_syn_flood' anomaly. The administrator wants to reduce the false positives without completely disabling the detection. Which action should the administrator take?

A.Disable the anomaly and use a custom IPS signature
B.Decrease the threshold value
C.Set the action to 'pass'
D.Increase the threshold value
AnswerD

A higher threshold means more SYN packets per second are needed to trigger the anomaly, thus reducing false positives.

Why this answer

The threshold determines the number of SYN packets per second that trigger an alarm. Increasing the threshold will require more SYN packets to trigger, reducing false positives while still detecting heavy floods.

28
MCQeasy

Which inspection mode allows FortiGate to perform virus scanning by reassembling the entire file in memory before scanning, providing better detection but potentially higher latency?

A.Fast-path inspection
B.Deep inspection
C.Proxy-based inspection
D.Flow-based inspection
AnswerC

Proxy-based inspection buffers the entire file before scanning, which improves detection but adds latency.

Why this answer

Option C is correct. Proxy-based inspection reassembles the entire file in memory before scanning, which can detect threats that flow-based inspection might miss, but at the cost of higher latency.

29
Multi-Selecthard

A FortiGate is configured with policy-based NAT and multiple IP pools. The administrator wants traffic from the 192.168.1.0/24 subnet to use IP pool 'POOL1' (203.0.113.1-203.0.113.10) and traffic from 192.168.2.0/24 to use IP pool 'POOL2' (203.0.113.11-203.0.113.20). Which THREE steps are necessary?

Select 3 answers
A.Create two firewall policies, one for each subnet
B.In each policy, enable NAT and select the corresponding IP pool
C.Configure a single firewall policy with both subnets in the source address group
D.Create two IP pool objects, POOL1 and POOL2
E.Enable Central NAT and define two NAT policies
AnswersA, B, D

Each policy will define its source subnet and NAT with the appropriate IP pool.

Why this answer

Option A is correct because policy-based NAT requires separate firewall policies to apply different IP pools to different source subnets. Each firewall policy can have its own NAT settings, including a specific IP pool, allowing traffic from 192.168.1.0/24 to use POOL1 and traffic from 192.168.2.0/24 to use POOL2.

Exam trap

The trap here is that candidates may think a single policy with multiple source addresses can apply different NAT pools, but FortiGate policy-based NAT requires separate policies for distinct NAT configurations.

30
MCQhard

You run the following CLI commands on a FortiGate:

diagnose sys session filter dport 443
diagnose sys session list

The output shows many sessions with 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the traffic?

A.The sessions are fully established and idle
B.The sessions are for UDP traffic
C.The sessions are being inspected by SSL deep inspection
D.The sessions are in the SYN_SENT state and have not completed the three-way handshake
AnswerD

proto=6 identifies TCP, and proto_state=01 combined with the long duration points to sessions that never completed the handshake.

Why this answer

Option D is correct. The proto=6 indicates TCP, and proto_state=01 indicates a TCP session in the SYN_SENT state (i.e., the three-way handshake is not complete). The long duration suggests these are half-open sessions, possibly indicating a SYN flood attack.

31
MCQmedium

A company uses Active Directory for user authentication. They want users to automatically authenticate to the FortiGate without entering credentials when accessing the internet. Which authentication method should the administrator configure?

A.LDAP authentication with captive portal
B.RADIUS authentication with PAP
C.Local user authentication
D.FSSO with Active Directory polling
AnswerD

FSSO polls AD to get user logon events and provides transparent authentication.

Why this answer

FSSO (Fortinet Single Sign-On) polls Active Directory for user logon events and maps users to IP addresses, allowing transparent authentication without prompting for credentials.

32
MCQmedium

A company is deploying a FortiGate HA cluster in active-passive mode across two data centers. The network team reports that after a failover, some existing TCP sessions are dropped. Which configuration change should be applied to maintain session persistence during failover?

A.Enable session synchronization between cluster members
B.Disable NAT inspection on the firewall policy
C.Configure gratuitous ARP on the virtual IP
D.Increase the heartbeat interval to 2 seconds
AnswerA

Session sync shares session state between primary and secondary, maintaining sessions during failover.

Why this answer

In an active-passive HA cluster, session synchronization (session pickup, enabled under config system ha with set session-pickup enable) ensures that TCP session state information is replicated from the active unit to the passive unit. Without this, the passive unit has no knowledge of existing sessions after a failover, causing them to be dropped. Enabling session synchronization allows the new active unit to continue forwarding traffic for established sessions seamlessly.

Exam trap

The trap here is that candidates often confuse gratuitous ARP (which handles Layer 2 updates) with session persistence, assuming that updating MAC tables is sufficient to maintain TCP sessions, but session state must be replicated at Layer 4.

How to eliminate wrong answers

Option B is wrong because disabling NAT inspection does not affect session persistence during failover; NAT is a separate function and does not control session state replication. Option C is wrong because gratuitous ARP is used to update the network with the new MAC address of the virtual IP after failover, but it does not preserve existing TCP sessions; it only ensures Layer 2 reachability. Option D is wrong because increasing the heartbeat interval to 2 seconds would actually slow down failure detection, potentially increasing session loss, and has no impact on session synchronization.

33
Multi-Selectmedium

An administrator is setting up an active-passive HA pair and wants to ensure that the cluster can properly monitor each unit's health. Which TWO interfaces must be configured as HA heartbeat interfaces? (Choose two.)

Select 2 answers
A.The internal switch interface (e.g., port3)
B.A VLAN interface on a dedicated trunk that is only used for HA
C.A dedicated physical interface that is not used for data traffic
D.The WAN interface (port1)
E.The management interface
AnswersB, C

Using a dedicated VLAN on a trunk also works, as long as it is not shared with data traffic.

Why this answer

Heartbeat interfaces are used for cluster communication and health monitoring. FortiGate requires at least one dedicated heartbeat interface, but best practice is to have two for redundancy. The heartbeat interfaces can be physical interfaces or VLANs.

They should be dedicated to HA traffic and not carry regular data traffic. Options B and C are correct because a heartbeat interface can be any unused physical or VLAN interface designated for heartbeat traffic, and it should not carry data traffic.

Option A is wrong because the internal switch interface is usually used for LAN traffic. Option D is wrong because the WAN interface is typically used for data. Option E is wrong because the management interface is kept separate from HA heartbeat traffic.

34
Multi-Selecthard

An administrator wants to block all traffic from the 'P2P' application category but allow traffic from 'File Sharing' applications like Dropbox. Which THREE configurations are required to achieve this?

Select 3 answers
A.Create an application control profile that sets 'P2P' category to 'block' and 'File Sharing' category to 'allow'
B.Set the firewall policy inspection mode to proxy-based
C.Enable SSL/TLS deep inspection on the firewall policy
D.Ensure that the application control signatures are up to date
E.Apply a web filter profile to override the application control
AnswersA, C, D

This is the core configuration to differentiate between the two categories.

Why this answer

To block P2P and allow File Sharing, the administrator needs to create an application control profile that blocks P2P category and allows File Sharing category. This profile must be applied to a firewall policy that has deep inspection enabled for encrypted traffic. Proxy-based inspection might be needed for granular control, but flow-based also works with deep inspection.

35
Multi-Selecthard

An administrator is troubleshooting a FortiGate that is not sending logs to FortiCloud. The FortiGate has internet connectivity and a valid FortiCloud subscription. Which THREE steps should the administrator take to resolve this issue? (Select three.)

Select 3 answers
A.Ensure that the log types (traffic, event, security) are enabled for FortiCloud
B.Verify the FortiCloud status in the dashboard
C.Check if the FortiGate can resolve FortiCloud's FQDN
D.Increase the log buffer size
E.Disable the antivirus profile temporarily
AnswersA, B, C

Log forwarding must have the appropriate log types selected.

Why this answer

The three correct steps are: verify FortiCloud status to ensure registration, check allowed log types, and verify DNS resolution (FortiCloud uses FQDN).

36
MCQhard

An organization has a FortiGate with two internet connections (WAN1 and WAN2). They want traffic to a specific web service (203.0.113.50 port 443) to always exit via WAN2. All other internet traffic should use WAN1. Which feature should be used to achieve this?

A.Central NAT policy to force the traffic out of WAN2
B.Static route with a higher priority for WAN2 to 203.0.113.0/24
C.SD-WAN with a strategy of 'Best Quality'
D.Policy-based routing (PBR) configured with a policy matching the destination and service
AnswerD

PBR allows routing decisions based on firewall policy criteria.

Why this answer

Policy-based routing (PBR) allows traffic matching a policy to be routed to a specific next-hop or interface, overriding the regular routing table. This is the correct approach for selective routing.

37
MCQeasy

Which authentication server type can be used with FortiGate to authenticate remote VPN users with two-factor authentication using FortiTokens?

A.POP3
B.LDAP
C.RADIUS
D.TACACS+
AnswerC

FortiGate can be configured to authenticate users via RADIUS and use FortiToken as the two-factor method.

Why this answer

FortiToken two-factor authentication can be used with local users or with remote authentication servers like RADIUS. However, FortiToken is natively supported by FortiGate local users and can also be used with RADIUS if the FortiGate acts as the RADIUS client forwarding tokens.

38
MCQeasy

A FortiGate administrator wants to restrict access to a sensitive server (10.0.0.100) such that only users who authenticate via LDAP can access it. Which firewall policy configuration is required?

A.Policy: source any, destination 10.0.0.100, service any, action accept
B.Policy: source any, destination 10.0.0.100, service any, action accept, enable authentication, set auth-type LDAP
C.Policy: source any, destination 10.0.0.100, service any, action accept, enable authentication, set auth-type LDAP, set groups "LDAP-Users"
D.Policy: source any, destination 10.0.0.100, service any, action accept, enable FSSO authentication
AnswerC

This configures authentication with LDAP and specifies the group.

Why this answer

Option C is correct because it combines the required firewall policy elements: enabling authentication, setting the authentication type to LDAP, and restricting access to members of the LDAP group 'LDAP-Users'. This ensures that only users who successfully authenticate via LDAP and belong to the specified group can reach the sensitive server at 10.0.0.100. Without the group restriction, any authenticated LDAP user could access the server, which does not limit access to the intended group of authenticated users.

Exam trap

The trap here is that candidates often think enabling authentication alone is sufficient, but they overlook the critical need to specify a group to restrict access to only the intended subset of authenticated users.

How to eliminate wrong answers

Option A is wrong because it allows all traffic without any authentication, completely bypassing the requirement to restrict access to authenticated users. Option B is wrong because while it enables authentication and sets the auth-type to LDAP, it does not specify a group; this would allow any user who can authenticate via LDAP to access the server, which is too permissive and does not enforce the intended restriction. Option D is wrong because FSSO (Fortinet Single Sign-On) authentication is used for transparent authentication based on Windows domain logins and is not the same as requiring explicit LDAP authentication; it does not meet the requirement for users to authenticate via LDAP.

39
MCQmedium

A FortiGate administrator needs to ensure that traffic logs are sent to a FortiAnalyzer even when the FortiGate's local disk is full. What configuration is required?

A.Enable 'disk logging' with rollover policy
B.Increase the log severity to 'emergency' only
C.Enable 'remote log' under Log Settings and specify the FortiAnalyzer IP
D.Configure a log filter to send only security logs
AnswerC

This directly sends logs to FortiAnalyzer, independent of local disk.

Why this answer

Configuring the FortiAnalyzer as a log destination ensures logs are sent immediately. The local disk issue does not affect remote logging. Optionally, the admin can set logging to 'fallback' or 'any', but the direct method is to configure the remote syslog/FortiAnalyzer.

40
MCQmedium

A school district uses a FortiGate to filter web traffic for students. The administrator wants to enforce that Google searches are filtered for explicit content. Which configuration should be applied?

A.Enable 'Google Safe Search' in the web filter profile under 'FortiGuard Categories' -> 'Safe Search'.
B.Use an application control profile to block the 'Google Search' application.
C.Create a URL filter to block URLs containing 'porn' or 'adult'.
D.Block the URL category 'Search Engines' and allow only approved search engines.
AnswerA

Safe Search enforces strict filtering on Google (and other search engines) to block explicit content in search results.

41
MCQhard

A medium-sized enterprise has a FortiGate 100F in NAT/Route mode with three interfaces: port1 (WAN, 203.0.113.1/24, gateway 203.0.113.254), port2 (internal, 192.168.1.1/24), and port3 (DMZ, 10.0.0.1/24). The internal network hosts a web server at 192.168.1.10 and a mail server at 192.168.1.20. The DMZ hosts a public web server at 10.0.0.10 and a public DNS server at 10.0.0.20. The company has a single public IP 203.0.113.1. The administrator has configured the following:

- Port forwarding: external HTTP to DMZ web server (10.0.0.10:80) and external DNS to DMZ DNS server (10.0.0.20:53).
- Outbound NAT (IP Pool) for internal users to 203.0.113.1.
- Firewall policies allowing internal to external, DMZ to external, and external to DMZ (for forwarded services).

Users report that they can access the Internet but cannot reach the internal web server (192.168.1.10) via its public IP (203.0.113.1:80). The DMZ web server is accessible from the Internet. What is the most likely cause?

A.The firewall policy from internal to DMZ is blocking traffic
B.Hairpin NAT is not enabled on the FortiGate
C.The port forwarding rule maps the public IP to the DMZ server, not the internal server
D.The IP Pool for outbound NAT is misconfigured
AnswerC

The port forwarding is set to DMZ server (10.0.0.10), so internal users cannot reach the internal server via the public IP.

Why this answer

The port forwarding rule explicitly maps external HTTP (port 80) to the DMZ web server at 10.0.0.10. Since the internal web server at 192.168.1.10 is not referenced in any port forwarding rule, traffic destined to the public IP 203.0.113.1:80 from the internal network will not be redirected to 192.168.1.10. This is the root cause of the issue, not a missing hairpin NAT or misconfigured outbound NAT.

Exam trap

The trap here is that candidates often assume hairpin NAT is the universal fix for internal access to public IPs, but they overlook that the port forwarding rule must first exist for the target internal server; without that rule, hairpin NAT has no effect.

How to eliminate wrong answers

Option A is wrong because the problem is about accessing the internal web server via its public IP, not about traffic between internal and DMZ zones; the firewall policy from internal to DMZ is irrelevant here. Option B is wrong because hairpin NAT (also called NAT reflection) is only needed when a device on the internal network tries to reach another internal device via the public IP, but in this scenario, the port forwarding rule does not even point to the internal server, so enabling hairpin NAT would not fix the issue. Option D is wrong because the IP Pool for outbound NAT is correctly configured to translate internal users' source IPs to 203.0.113.1 for Internet access, and users can already access the Internet, indicating outbound NAT is functioning properly.

42
MCQmedium

You have a hub-and-spoke IPsec VPN with 10 spokes. The central FortiGate (hub) has 10 phase2 selectors, one for each spoke. You need to add a new spoke. What is the MOST efficient way to configure the hub?

A.Configure a route-based VPN and use dynamic routing protocols to advertise routes
B.Add another phase2 selector for the new spoke
C.Replace all phase2 selectors with a single policy-based VPN
D.Use a single phase2 selector with 0.0.0.0/0.0.0.0 for all spokes
AnswerA

Route-based VPN with dynamic routing scales automatically as new spokes are added.

Why this answer

Using a route-based VPN with dynamic routing (e.g., BGP or OSPF) eliminates the need to maintain a separate phase2 selector for every spoke. The hub can use a single wildcard phase2 selector instead of one per spoke, and the routes for a new spoke are learned through the routing protocol. Route-based VPN is more scalable.

43
MCQeasy

Which of the following is required to allow a FortiGate to synchronize its clock with an NTP server?

A.Firewall policy allowing NTP traffic (UDP 123) from the FortiGate to the NTP server
B.Enable NTP in the admin settings
C.Set the timezone using config system global
D.Disable daylight saving time
AnswerA

If the NTP server is on a different network, NTP traffic must be permitted.

Why this answer

A FortiGate synchronizes its clock with an NTP server using NTP traffic, which relies on UDP port 123. Without a firewall policy that explicitly permits outbound UDP 123 traffic from the FortiGate to the NTP server, the NTP packets are dropped by the FortiGate's own firewall engine, preventing clock synchronization. This policy is required even for traffic originating from the FortiGate itself, as the FortiGate applies firewall rules to all traffic, including management traffic.

Exam trap

The trap here is that candidates assume management traffic (like NTP) is exempt from firewall policies, but FortiGate treats all traffic—including its own—as subject to policy enforcement, so a specific firewall policy for UDP 123 is mandatory for NTP synchronization to succeed.

How to eliminate wrong answers

Option B is wrong because enabling NTP in the admin settings (via 'config system ntp') is necessary to configure NTP servers and enable the NTP client, but it does not bypass the need for a firewall policy to allow the actual UDP 123 traffic. Option C is wrong because setting the timezone using 'config system global' is a separate configuration that affects how the local time is displayed, but it does not enable or facilitate NTP synchronization with an external server. Option D is wrong because disabling daylight saving time is a timezone-related setting that does not impact the ability to send or receive NTP packets; NTP synchronization works independently of DST settings.

44
Matchingmedium

Match each FortiGate CLI command to its function.


Displays current system resource usage

Tests network connectivity to a host

Traces packet flow through the firewall

Displays the entire running configuration

Resets the device to factory defaults

Why these pairings

Common CLI commands used for troubleshooting and management.

45
Multi-Selecthard

A FortiGate administrator is configuring an active-passive HA cluster and needs to ensure that management access is available via a dedicated management IP address that does not fail over. Which three steps should the administrator take? (Choose three.)

Select 3 answers
A.Assign an IP address to the management interface
B.Enable 'set ha-mgmt-interface' on the management interface
C.Set the management interface to be part of the HA cluster management IP
D.Ensure the management interface is not configured as a heartbeat interface
E.Configure a dedicated management interface (e.g., port3)
AnswersA, D, E

The IP must be configured on the interface for management access.

Why this answer

To have a dedicated management IP that does not fail over, the administrator should configure a dedicated management interface (separate from HA heartbeat), assign an IP to it, and ensure the management access is configured on that interface. The management interface can be in a separate VDOM if desired.

46
MCQeasy

An administrator wants to block access to websites that host malware. Which FortiGate feature should be configured to achieve this goal?

A.IPS profile
B.DNS Filter profile
C.Application Control profile
D.Web Filtering profile with FortiGuard categories
AnswerD

Web filtering allows blocking based on URL categories such as 'Malicious Web Sites'.

Why this answer

FortiGate's Web Filtering profile with FortiGuard categories is the correct feature because it allows administrators to block access to websites based on URL categories, including those known to host malware. FortiGuard maintains a continuously updated database of malicious URLs, and applying a web filtering profile that blocks the 'Malicious Websites' category directly prevents users from accessing such sites. This is the most straightforward and effective method for blocking malware-hosting websites at the proxy or flow-based inspection level.

Exam trap

The trap here is that candidates often confuse DNS Filtering (which blocks domains at the DNS level) with Web Filtering (which blocks URLs at the HTTP/HTTPS level), but DNS Filtering cannot block specific URL paths or subdirectories, making it insufficient for blocking malware-hosting websites that may share a domain with legitimate content.

How to eliminate wrong answers

Option A is wrong because an IPS profile is designed to detect and prevent network-based attacks by inspecting traffic for exploit signatures, not to block access to specific websites or URL categories. Option B is wrong because a DNS Filter profile controls access based on domain name resolution, blocking or redirecting DNS queries to known malicious domains, but it does not inspect the full URL path or HTTP content, and it is not the primary feature for blocking malware-hosting websites. Option C is wrong because an Application Control profile identifies and controls applications (e.g., social media, file sharing) based on signatures, not URLs or web categories, so it cannot block specific websites hosting malware.

47
MCQhard

An admin notices that a firewall policy allowing inbound HTTPS to a server is not matching traffic. The policy has source set to 'all', destination to the server's IP, and service to HTTPS. The admin checks the policy list and sees that policy ID 1 matches the traffic. What is the MOST likely reason the intended policy (ID 10) is not matching?

A.Policy ID 1 has a higher priority and matches before policy ID 10
B.The firewall policy is disabled
C.The service object for HTTPS is misconfigured in policy ID 10
D.The destination address is incorrect in policy ID 10
AnswerA

Policies are evaluated in order; the first matching policy is applied. Policy ID 1 is before ID 10 and matches the traffic.

Why this answer

Policy ID 1 has a higher priority because FortiGate evaluates firewall policies in sequential order from top to bottom. When policy ID 1 matches the traffic (e.g., it also allows HTTPS to the same destination), the traffic is processed by policy ID 1 and never reaches policy ID 10. This is the most likely reason the intended policy is not matching.

Exam trap

The trap here is that candidates may think policy ID numbers determine priority, but FortiGate uses the sequential order in the policy list, not the ID number, and policy ID 1 is often an 'allow all' or 'deny all' rule that sits at the top and matches before any policy listed below it.

How to eliminate wrong answers

Option B is wrong because if the firewall policy were disabled, it would simply not match traffic, but the admin would see no match for policy ID 10, not a match on policy ID 1. Option C is wrong because a misconfigured service object for HTTPS in policy ID 10 would cause the policy to not match HTTPS traffic, but it would not explain why policy ID 1 matches the traffic. Option D is wrong because an incorrect destination address in policy ID 10 would prevent matching, but again, it does not account for policy ID 1 matching the traffic.

48
MCQmedium

An administrator wants to prevent data leakage by blocking outbound emails that contain credit card numbers. Which security profile should be configured?

A.Email Filter profile
B.Web Filter profile
C.Antivirus profile
D.DLP profile
AnswerD

DLP profiles can use predefined or custom data patterns to detect sensitive information.

Why this answer

Option D is correct. DLP (Data Leak Prevention) profiles can inspect content for sensitive data patterns like credit card numbers and block or quarantine the traffic.

49
Multi-Selectmedium

A network admin is configuring a hub-and-spoke VPN with three spokes. Which TWO statements are correct about route-based VPN in this topology?

Select 2 answers
A.Each spoke must have a route-based VPN interface configured to the hub
B.A single firewall policy can control traffic to all spokes
C.BGP can be used to exchange routes between the hub and spokes
D.Aggressive mode must be enabled for the hub to accept multiple spokes
E.All spokes can share the same Phase 1 configuration
AnswersA, C

Route-based VPN uses tunnel interfaces.

Why this answer

Option A is correct: each spoke needs a route-based tunnel to the hub. Option C is correct: BGP can be used for dynamic routing. Option D is wrong because aggressive mode is not required.

Option B is wrong because route-based VPN uses tunnel interfaces, so firewall policies are written per tunnel interface rather than one policy for all spokes. Option E is wrong because each spoke needs a separate tunnel.

50
MCQeasy

An admin needs to allow outbound HTTP and HTTPS traffic from the internal network to the internet. Which two built-in service objects can be used in a single firewall policy to achieve this?

A.WEB and SSL
B.ANY and HTTPS
C.ALL_TCP and ALL_UDP
D.HTTP and HTTPS
AnswerD

Correct. HTTP and HTTPS are built-in service objects for TCP 80 and 443.

Why this answer

FortiGate provides predefined service objects for common protocols. HTTP (TCP/80) and HTTPS (TCP/443) are separate objects. To allow both, you can either create a service group containing both or add both individually.

The question asks for two built-in service objects that together cover both protocols.

51
MCQhard

A FortiGate is configured with an SSL deep inspection profile that uses 'Certificate Inspection' (not 'Full SSL Inspection'). Which of the following is TRUE about this configuration?

A.Deep inspection can still see client certificates
B.The antivirus profile can scan the HTTPS payload
C.The FortiGate can block HTTPS connections based on the certificate's CN
D.IPS can still inspect the application layer of HTTPS traffic
AnswerC

Certificate inspection allows blocking based on certificate CN as part of web filtering.

Why this answer

Option C is correct. Certificate inspection only validates the server certificate's Common Name (CN) and expiration; it does not decrypt the traffic payload, so the antivirus and IPS cannot inspect encrypted content.

52
MCQhard

A company with multiple remote sites uses IPsec VPNs. One site reports intermittent connectivity. The administrator checks the logs and sees 'IPsec phase 2 negotiation failed' messages. Which configuration change is most likely to resolve the issue?

A.Enable Dead Peer Detection (DPD) on the Phase 1 interface.
B.Change the encryption algorithm from AES256 to 3DES.
C.Increase the Phase 2 lifetime.
D.Enable NAT traversal.
AnswerA

DPD detects peer failure and triggers renegotiation.

Why this answer

Intermittent IPsec phase 2 negotiation failures often occur when one peer's Phase 2 security association (SA) expires while the other peer still considers it valid, causing a mismatch. Enabling Dead Peer Detection (DPD) on the Phase 1 interface allows the FortiGate to actively probe the peer's liveness and renegotiate Phase 1 and Phase 2 SAs before they expire, preventing the state mismatch that leads to intermittent failures.

Exam trap

The trap here is that candidates often mistake intermittent phase 2 failures for a cryptographic or NAT issue, but the real cause is typically a mismatch in SA state between peers, which DPD is specifically designed to detect and recover from.

How to eliminate wrong answers

Option B is wrong because changing the encryption algorithm from AES256 to 3DES would weaken security and does not address the root cause of intermittent phase 2 negotiation failures; the issue is not about algorithm strength or compatibility. Option C is wrong because increasing the Phase 2 lifetime would only delay the SA expiration, not prevent the mismatch that occurs when one peer's SA expires before the other's; it may even mask the problem temporarily. Option D is wrong because NAT traversal is used to allow IPsec traffic to pass through NAT devices, and the problem described is intermittent connectivity due to SA state mismatch, not NAT-related packet drops.

53
MCQmedium

A FortiGate administrator configures an email filter profile to block spam. Users report that some legitimate emails are being blocked. The administrator wants to reduce false positives while still blocking spam. What should the administrator do?

A.Disable the email filter profile
B.Increase the spam threshold score
C.Decrease the spam threshold score
D.Enable the FortiGuard spam filter only
AnswerB

A higher threshold means emails need a higher spam score to be blocked, reducing false positives.

Why this answer

Spam filtering often uses a heuristic score. Lowering the spam threshold makes the filter more aggressive (more false positives). Increasing the threshold reduces false positives but may let some spam through.

The best approach is to whitelist known good senders or adjust the threshold appropriately.

54
MCQmedium

An administrator has configured a firewall policy that allows outbound traffic from a subnet to the internet, with NAT enabled. The external IP is 203.0.113.1. However, the administrator wants all traffic from a specific internal server (10.0.0.10) to appear with source IP 203.0.113.2. What should the administrator do?

A.Create a VIP with the external IP and apply it to the policy
B.Create an IP Pool with 203.0.113.2 and reference it in the policy
C.Configure route-based NAT
D.Set the NAT to 'Use Outgoing Interface Address'
AnswerB

An IP Pool allows selecting a different source NAT IP.

Why this answer

To use a specific source IP for NAT, an IP Pool object must be created with the desired IP (203.0.113.2) and then referenced in the firewall policy. Option B is correct.

55
MCQhard

A FortiGate is configured in transparent mode. The administrator notices that traffic passing through the FortiGate is not being logged, even though log all sessions is enabled on the policy. What is the most likely reason?

A.Traffic is being bridged without session creation because the policy is set to 'accept' without logging enabled.
B.The FortiGate is not operating in a VDOM.
C.The FortiGate is in transparent mode and cannot log traffic.
D.The log memory buffer is full and not sending to syslog.
AnswerA

In transparent mode, traffic might not create sessions unless logging is explicitly enabled.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge and does not create sessions for traffic that is simply bridged between interfaces. Even with 'log all sessions' enabled on the policy, if the policy action is 'accept' without explicit logging enabled (i.e., the 'Logging' option is not set to 'All Sessions' or 'Security Events'), the traffic is forwarded without session logging. This is because transparent mode policies require separate logging configuration to generate logs, and the default 'accept' action does not log unless specifically configured.

Exam trap

The trap here is that candidates assume 'log all sessions' on the policy automatically logs all traffic, but in transparent mode, the policy must also have logging explicitly enabled (e.g., set to 'All Sessions') for logs to be generated, as the default 'accept' action does not log.

How to eliminate wrong answers

Option B is wrong because VDOM operation is not required for logging in transparent mode; logging functionality is independent of VDOMs. Option C is wrong because transparent mode can log traffic when logging is properly configured on the policy; it is not a limitation of the mode itself. Option D is wrong because a full log memory buffer would cause logs to be dropped or overwritten, but it would not prevent the FortiGate from attempting to log traffic; the issue here is that no log entries are generated at all, which points to a configuration problem, not a buffer issue.

56
MCQhard

A FortiGate is configured with flow-based inspection and an IPS profile. The administrator runs 'diagnose ips session list' and sees many sessions with 'state=bypass'. What does this indicate?

A.The IPS profile is configured with 'pass' action for all signatures
B.The IPS signatures have expired and are not being applied
C.The FortiGate is under DoS attack and is dropping sessions
D.The sessions are being offloaded to the NPU and are not inspected by IPS
AnswerD

In flow-based mode, many sessions are offloaded to NPU. The IPS engine marks them as 'bypass' because they are not sent to the CPU for inspection. This is expected behavior.

Why this answer

In flow-based IPS, sessions can be bypassed when the IPS engine determines that further inspection is unnecessary, for example, if the session is considered low-risk or to reduce CPU load. This is normal behavior in flow-based mode.

57
MCQmedium

A FortiGate administrator is configuring a Virtual IP (VIP) to allow external users to access an internal web server (192.168.1.10) using the public IP 203.0.113.10 on port 80. The admin creates a VIP with mapped IP 192.168.1.10 and port 80. A firewall policy is created from WAN to DMZ with destination set to the VIP. External users report that they can access the web server. What additional step is needed to allow the internal server to respond correctly?

A.No additional step is needed; the FortiGate automatically performs reverse NAT for established sessions
B.Create a second VIP for the return traffic
C.Add a policy from DMZ to WAN allowing the internal server to reply
D.Configure static routing on the internal server to route through the FortiGate
AnswerA

FortiGate tracks the session and translates the response packets back to the VIP address.

Why this answer

When traffic arrives at the VIP, the destination is translated to the internal server IP. The internal server sends its response with source IP 192.168.1.10, which the FortiGate must translate back to the VIP IP (203.0.113.10) before sending to the external user. This reverse translation happens automatically if the policy is correctly configured.

However, if the internal server needs to initiate outbound connections (not just respond), additional policies may be needed. The question asks about the response: no additional step is needed because the FortiGate automatically performs reverse NAT for sessions initiated through the VIP.

58
Multi-Selectmedium

An administrator wants to use FortiManager to manage multiple FortiGates. Which three steps must be performed to establish communication between a FortiGate and FortiManager? (Choose THREE.)

Select 3 answers
A.Place the FortiGate in transparent mode
B.Ensure network connectivity between the FortiGate and FortiManager
C.Configure the FortiGate's management interface with an IP address
D.Enable FortiManager registration and provide a registration password
E.Set the FortiManager IP address on the FortiGate under System > FortiManager
AnswersB, D, E

Without connectivity, registration will fail.

Why this answer

Option B is correct because FortiManager communicates with managed FortiGates over TCP/541 (FGFM protocol). Without IP-level connectivity between the two devices, the registration and management tunnel cannot be established. This is a prerequisite before any configuration steps can succeed.

Exam trap

The trap here is that candidates often confuse general FortiGate interface configuration (Option C) with the specific FortiManager registration steps, or incorrectly assume transparent mode (Option A) is required for management, when in fact the three required steps are ensuring connectivity, enabling registration with a password, and setting the FortiManager IP address on the FortiGate.

59
MCQhard

A FortiGate in NAT/Route mode has a policy with NAT enabled. The admin needs the source IP of traffic from internal users (192.168.1.0/24) to be translated to the interface IP of port1 (203.0.113.1) when accessing the internet. Which configuration is necessary?

A.Add a static route for 192.168.1.0/24 with next-hop 203.0.113.1
B.Set the administrative access to HTTPS on port1
C.Create a central NAT rule with source 192.168.1.0/24 and IP pool 203.0.113.2-203.0.113.10
D.Configure a firewall policy with NAT enabled and the outbound interface set to port1
AnswerD

By default, NAT on a policy uses the egress interface IP as the translated source.

Why this answer

Option D is correct because in NAT/Route mode, enabling NAT on a firewall policy with the outbound interface set to port1 causes the FortiGate to translate the source IP of traffic from the internal network (192.168.1.0/24) to the IP address of that interface (203.0.113.1) by default. This is the standard method for source NAT (SNAT) in a policy-based configuration, requiring no additional IP pool or static route for the translation itself.

Exam trap

The trap here is that candidates may confuse the need for an IP pool or static route with the simple policy-based NAT, assuming that translating to the interface IP requires additional configuration beyond enabling NAT on the policy.

How to eliminate wrong answers

Option A is wrong because a static route for 192.168.1.0/24 with next-hop 203.0.113.1 is unnecessary and incorrect; the internal subnet is directly connected, and the next-hop for internet-bound traffic should be the default gateway, not the interface IP. Option B is wrong because setting administrative access to HTTPS on port1 only enables management access to the interface, not source NAT translation. Option C is wrong because creating a central NAT rule with an IP pool of 203.0.113.2-203.0.113.10 would translate the source IP to a range of addresses, not the single interface IP (203.0.113.1), which does not match the requirement.

60
MCQeasy

Which two inspection modes are available for antivirus scanning on a FortiGate?

A.Stateful and stateless
B.Flow-based and proxy-based
C.Inline and passive
D.Kernel-based and user-based
AnswerB

These are the two standard inspection modes for security profiles on FortiGate.

Why this answer

FortiGate supports two inspection modes: flow-based and proxy-based. Flow-based is more efficient with lower latency, while proxy-based offers deeper inspection and more features like content archiving.

61
Multi-Selectmedium

A FortiGate administrator is configuring logging to meet a compliance requirement that all security events must be stored for at least one year. The FortiGate has limited local disk space. Which THREE actions should the administrator take to meet this requirement? (Choose three.)

Select 3 answers
A.Set the log severity filter to only log 'emergency' events to reduce volume
B.Configure log rolling and retention policies to automatically delete older logs from the local disk after a set period
C.Disable local disk logging to save space
D.Configure the FortiGate to send logs to a FortiAnalyzer device
E.Enable logging to FortiCloud for cloud-based log storage
AnswersB, D, E

This manages local disk space by rotating logs, while external storage retains them long-term.

Why this answer

To store logs for a year with limited local disk space, the administrator needs to offload logs to an external storage solution such as FortiAnalyzer or FortiCloud, and also set appropriate log retention policies. The correct actions are: configure log rolling and retention to automatically delete old logs from the local disk (B), send logs to a FortiAnalyzer device (D), and enable logging to FortiCloud (E). Option A is wrong because logging only 'emergency' events would lose most security events.

Option C is wrong because disabling disk logging would save local space, but without external logging the logs would be lost.

62
Multi-Selecthard

Which TWO statements about IPS in FortiGate are true?

Select 2 answers
A.IPS can be applied to individual firewall policies via IPS sensors.
B.An IPS sensor can only be applied to one firewall policy.
C.IPS is not supported in transparent mode.
D.IPS only works in flow-based inspection mode.
E.IPS signatures can have their actions overridden in an IPS filter.
AnswersA, E

IPS sensors are attached to firewall policies to enable IPS on selected traffic.

Why this answer

Option A is correct because IPS sensors are applied directly to individual firewall policies, allowing granular control over which traffic is inspected for intrusions. This enables administrators to enforce different IPS profiles for different traffic flows, such as applying a stricter sensor to internet-bound traffic and a lighter one to internal traffic.

Exam trap

The trap here is that candidates often assume IPS requires routed mode or flow-based inspection only, but FortiGate supports IPS in transparent mode and in both inspection modes, and sensors are reusable across multiple policies.

63
Matchingmedium

Match each Fortinet HA mode to its description.

Matches

One unit handles traffic; standby unit takes over on failure

Both units handle traffic simultaneously for load balancing

Multiple units act as a single logical firewall

Ensures active sessions are preserved after failover

FortiGate Clustering Protocol used for HA synchronization

Why these pairings

High Availability modes and features in FortiGate.

64
MCQmedium

An admin configures a VIP to map public IP 203.0.113.10 to internal server 10.0.1.100 on port 80. External users can reach the server via the public IP. However, internal users cannot access the server using the public IP. What is the MOST likely cause?

A.The VIP does not have NAT reflection enabled
B.The server is not responding to internal requests
C.The firewall policy for internal to VIP is missing
D.The VIP is configured on a different interface
AnswerA

NAT reflection allows internal users to access the VIP from inside the network.

Why this answer

Without NAT reflection (also called hairpin NAT), traffic from internal users to the public IP goes out then comes back, but the firewall may not translate it correctly. The solution is to enable NAT reflection on the VIP.

65
MCQhard

An administrator needs to allow traffic from a guest network (192.168.100.0/24) to the internet only during business hours (Mon-Fri, 08:00-18:00). The administrator creates a schedule object and applies it to the firewall policy. However, guests can still access the internet outside of the schedule. What is the most likely cause?

A.The guest network is also allowed by another policy without a schedule
B.The schedule is not selected in the firewall policy
C.The schedule object is configured as a group but not applied
D.The FortiGate clock is not synchronized with an NTP server
AnswerB

Why this answer

Option B is correct. If the schedule is not associated with the firewall policy, it will not be enforced. Common mistakes include not selecting the schedule in the policy configuration or selecting the wrong schedule.

Option D would affect all schedule-based policies, not just this one. Option A is less likely than a missing schedule reference on the policy. Option C is incorrect; a schedule is a dedicated object, not part of an address.

66
Multi-Selectmedium

An administrator is configuring a FortiGate HA cluster in active-passive mode. Which two statements are correct about this configuration?

Select 2 answers
A.The cluster IP address is assigned to both units simultaneously.
B.One unit is active and forwards traffic, while the other is passive and does not forward traffic unless a failover occurs.
C.Both units can forward traffic simultaneously.
D.Heartbeat interfaces are optional.
E.Session synchronization is configured to maintain stateful failover.
AnswersB, E

This defines active-passive HA.

Why this answer

In an active-passive HA cluster, only the active unit processes and forwards traffic, while the passive unit remains in standby mode and does not forward traffic unless a failover occurs. This ensures high availability without load sharing. Additionally, session synchronization is configured to replicate stateful session information from the active to the passive unit, enabling seamless failover without disrupting established sessions.

Exam trap

The trap here is that candidates often confuse active-passive with active-active mode, mistakenly thinking both units can forward traffic simultaneously, or they assume the cluster IP is shared by both units at all times.

67
MCQhard

An administrator configures HA override on a cluster with priority 200 on the primary and 100 on the secondary. The primary fails and the secondary takes over. When the primary recovers, what happens?

A.Both units become active, causing a conflict
B.Secondary remains active until next failover
C.The administrator must manually trigger failback
D.Primary immediately takes over as active
AnswerD

Override enables preemption: when the higher priority unit recovers, it becomes active.

Why this answer

With HA override enabled, the higher-priority unit (the primary, priority 200) preempts the secondary (priority 100) as soon as it recovers.

68
MCQhard

During an SSL VPN tunnel mode connection, the client reports that they cannot access any internal resources, but the VPN connection is established. The FortiGate debug shows 'no matching policy'. The administrator has configured a policy allowing the SSL VPN interface to internal. What else must be configured?

A.Ensure the incoming interface of the policy is set to 'ssl.root' (or the SSL VPN interface)
B.Add the client's assigned IP to a local user group
C.Configure a static route on the FortiGate for the client's tunnel IP
D.Enable split tunneling on the SSL VPN portal
AnswerA

The policy must have the correct source interface to match traffic from the SSL VPN.

Why this answer

For SSL VPN tunnel mode, the FortiGate assigns an IP to the client from a tunnel IP pool. The policy must use the SSL VPN interface (e.g., ssl.root) as the source interface. If the policy uses a different interface, traffic will not match.

Option A is correct.

69
MCQhard

A FortiGate is configured with two policies: Policy A allows traffic from trust to untrust with schedule 'WorkHours' (Mon-Fri 9-17). Policy B allows traffic from trust to untrust with schedule 'Always'. A user sends traffic at 8:00 AM on Saturday. Which policy matches?

A.Policy B because Policy A's schedule is not active
B.Policy A because schedules are evaluated after policy order
C.Both policies match and the first one in order is used
D.No policy matches because Policy A is first but schedule inactive
AnswerA

Policy A's schedule is inactive at that time, so it is skipped.

Why this answer

Policy A's schedule 'WorkHours' is not active (Saturday 8 AM is outside Mon-Fri 9-17). Policy B's schedule 'Always' is always active. Since Policy A does not match due to schedule, Policy B matches and allows the traffic.

Option A is correct.

70
Multi-Selecteasy

Which TWO are valid types of SSL/TLS inspection available on FortiGate?

Select 2 answers
A.Off-box SSL Inspection
B.Proxy SSL Inspection
C.Full SSL Deep Inspection
D.Passive SSL Inspection
E.Certificate Inspection
AnswersC, E

Full SSL deep inspection decrypts the traffic to inspect the content.

Why this answer

Options C and E are correct. FortiGate supports certificate inspection (examining certificates) and full deep inspection (decrypting and scanning content).

71
MCQeasy

An admin needs to authenticate remote users connecting via SSL VPN. The users are in an Active Directory domain. Which authentication method should be configured on the FortiGate to allow users to log in with their domain credentials?

A.LDAP server
B.Local user database
C.RADIUS server
D.FSSO
AnswerA

LDAP is the standard protocol for authenticating against an AD domain.

Why this answer

LDAP is the protocol used to authenticate against Active Directory. FortiGate can query AD via LDAP to validate user credentials.

72
Multi-Selectmedium

A FortiGate administrator needs to configure a backup and restore strategy for the FortiGate configuration. Which TWO statements are correct regarding configuration backup and restore?

Select 2 answers
A.When restoring a configuration to a different FortiGate model, the interface names may cause the restore to fail.
B.The encrypted backup can only be restored on a FortiGate running the same firmware version.
C.It is not possible to restore only a specific section of the configuration (e.g., only firewall policies).
D.The backup file is encrypted by default to protect sensitive information.
E.The backup file contains all system settings, including firmware version information.
AnswersA, E

Interface names differ between models; restoring a configuration with mismatched interface names will fail.

Why this answer

Option A is correct because FortiGate configurations include interface-specific names (e.g., port1, port2, wan1) that may not exist on a different model. If the target FortiGate lacks those exact interface names, the restore process will fail due to mismatched interface references, preventing the configuration from being applied.

Exam trap

The trap here is that candidates assume encrypted backups are firmware-version locked (Option B) or that partial restore is impossible (Option C), when in fact FortiGate supports both cross-version encrypted restores and partial configuration restoration.

73
MCQmedium

An administrator notices that the FortiGate is not receiving updates from FortiGuard. The DNS settings are correct and the FortiGate can ping update.fortiguard.net. What is the MOST likely cause?

A.The firewall policy blocks outbound HTTPS
B.The antivirus profile is blocking the update traffic
C.The FortiGuard subscription has expired
D.The update server IP address changed
AnswerC

An expired subscription prevents update downloads, even if connectivity is present.

Why this answer

If DNS and connectivity are fine, the issue is often that the FortiGate's FortiGuard subscription has expired or the contract is not properly registered.

74
MCQeasy

Which authentication method allows FortiGate to authenticate users against an Active Directory domain without storing domain credentials locally?

A.FSSO polling
B.RADIUS authentication
C.LDAP authentication
D.Local user database
AnswerC

LDAP allows FortiGate to query the AD server for authentication without local storage.

Why this answer

LDAP authentication requires the FortiGate to contact the domain controller using the LDAP protocol, verifying credentials without storing them locally. Local users store credentials on the FortiGate itself.

75
MCQhard

A FortiGate is configured with FSSO using a DC agent. Users authenticate to the domain, but the firewall policy using FSSO groups is not matching traffic. The admin runs 'diagnose debug authd fsso list' and sees user entries. However, the traffic is being denied by the default deny policy. What is the most likely issue?

A.The FSSO session timeout is too short
B.The session was established before the user logged in and is not updated with the user identity
C.The firewall policy has the wrong schedule applied
D.The user is not a member of the correct FSSO group in Active Directory
AnswerB

FSSO only applies to new sessions after the user is identified. Existing sessions do not acquire the user identity unless re-matched or the session table is cleared.

Why this answer

FSSO collects user login events but does not automatically update existing sessions. If a session was established before the user logged in (or before FSSO learned the user), the session will not be associated with the user until the session is refreshed or re-established. The default deny policy catches unmatched traffic.
