Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 676-750

1000 questions total · 14 pages · All types, answers revealed

Page 10 of 14

676
MCQ (medium)

An administrator wants to block upload of files containing credit card numbers via web forms. Which security profile should be used?

A. Antivirus profile
B. Web filter profile
C. Application control profile
D. Data leak prevention (DLP) profile
Answer: D

DLP is designed to detect and prevent data loss.

Why this answer

Option D is correct: a DLP (Data Leak Prevention) profile can inspect content for sensitive data patterns such as credit card numbers and block the uploads that contain them.

677
Multi-Select (easy)

A FortiGate admin is creating a firewall policy to allow outbound HTTP and HTTPS traffic from the internal network. The admin wants to ensure that traffic is inspected by security profiles (antivirus, web filter). Which THREE of the following must be configured on the firewall policy to achieve this?

Select 3 answers
A. Set the action to ACCEPT
B. Set the schedule to always
C. Apply an antivirus profile and a web filter profile to the policy
D. Configure the service to include HTTP and HTTPS
E. Enable NAT on the policy
Answers: A, C, D

Action must be ACCEPT to allow traffic; DENY would block it.

Why this answer

To inspect traffic with security profiles, the admin must enable inspection mode (proxy-based or flow-based), select the appropriate security profiles, and ensure that traffic matches the policy (correct source/destination). The service object for HTTP and HTTPS is needed to match the traffic.

678
MCQ (easy)

Which of the following FortiGate features allows users to authenticate using a one-time password generated by a mobile app?

A. FSSO
B. LDAP
C. FortiToken
D. Captive portal
Answer: C

FortiToken generates OTPs for two-factor authentication.

Why this answer

FortiToken Mobile is a two-factor authentication solution that generates one-time passwords (OTP) in a smartphone app. FortiToken is available as either a hardware token or a mobile token.

679
MCQ (easy)

An administrator wants to upgrade the FortiOS firmware on a FortiGate. Which step is critical before starting the upgrade process?

A. Reboot the FortiGate.
B. Clear all sessions.
C. Back up the configuration file.
D. Disable all firewall policies.
Answer: C

Why this answer

Backing up the configuration file is critical before upgrading FortiOS because the upgrade process may fail or corrupt the configuration, and a backup ensures you can restore the FortiGate to its previous operational state. Without a valid backup, a failed upgrade could result in a complete loss of configuration, requiring manual reconfiguration or a factory reset. Fortinet recommends always backing up the configuration before any firmware upgrade to mitigate risks.

Exam trap

The trap here is that candidates may confuse operational steps (like clearing sessions or disabling policies) with the critical prerequisite of configuration backup, assuming the upgrade process will automatically preserve settings without risk.

How to eliminate wrong answers

Option A is wrong because rebooting the FortiGate before an upgrade is unnecessary and may disrupt current operations; the upgrade process itself handles rebooting as needed. Option B is wrong because clearing all sessions is not a prerequisite for upgrading; the FortiGate will terminate sessions during the reboot phase of the upgrade automatically. Option D is wrong because disabling all firewall policies is not required; the upgrade process preserves policy configurations, and disabling them could cause unintended traffic disruptions if the upgrade fails or is rolled back.

680
MCQ (medium)

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A. The FortiGuard antivirus subscription has expired
B. The web server's certificate is self-signed and FortiGate is rejecting the connection
C. SSL/TLS deep inspection is not enabled on the firewall policy
D. The antivirus profile is configured for flow-based inspection instead of proxy-based
Answer: C

HTTPS traffic is encrypted. FortiGate cannot inspect the payload unless SSL deep inspection decrypts the TLS session, so the antivirus profile only sees scannable content once deep inspection is enabled on the policy.

Why this answer

Option C is correct because HTTPS uses TLS encryption. Without SSL deep inspection enabled on the policy, FortiGate cannot decrypt and inspect the content of HTTPS traffic. The antivirus profile will only scan unencrypted traffic or traffic that deep inspection has decrypted first.

681
MCQ (easy)

When configuring SSL inspection, which type of inspection decrypts and inspects all HTTPS traffic including applications using non-standard ports?

A. SSL Offloading
B. Certificate Inspection
C. Full SSL Inspection (Deep Inspection)
D. Flow-based Inspection
Answer: C

Deep inspection decrypts and inspects all traffic.

Why this answer

Full SSL Inspection (Deep Inspection) is the correct answer because it performs a man-in-the-middle decryption and re-encryption of all HTTPS traffic, regardless of the port used. This allows the FortiGate to inspect the payload of encrypted sessions, including those on non-standard ports, for threats and policy violations.

Exam trap

The trap here is confusing the processing mode (Flow-based vs. Proxy-based) with the actual SSL inspection method, leading candidates to incorrectly select Flow-based Inspection as a type of SSL decryption.

How to eliminate wrong answers

Option A is wrong because SSL Offloading only decrypts traffic destined to a protected server to reduce server load, not to inspect all HTTPS traffic including non-standard ports. Option B is wrong because Certificate Inspection only checks the SSL certificate validity and does not decrypt the traffic payload, so it cannot inspect the content of HTTPS sessions. Option D is wrong because Flow-based Inspection is a processing mode (flow vs. proxy) that can be used with SSL inspection, but it is not a type of SSL inspection itself.

682
MCQ (hard)

A FortiGate admin configures an IP pool with type 'Fixed Port Range' to translate source IPs from 192.168.1.0/24 to 203.0.113.0/28 using port range 10000-20000. After applying the IP pool to a policy, some users cannot establish connections while others work. What is the MOST likely cause?

A. The internal subnet is using RFC 1918 addresses that cannot be NATed
B. The IP pool's port range is exhausted because the number of internal hosts exceeds the number of available port ranges
C. The IP pool is configured with overload enabled, causing conflicts
D. The firewall policy has NAT disabled
Answer: B

Fixed port range provides a dedicated port block per host; if there are more hosts than port blocks, some hosts will be denied.

Why this answer

Fixed port range assigns a unique port range per internal IP. If the number of internal hosts exceeds the number of available port ranges, no range will be available for new hosts, causing failures.

683
MCQ (easy)

Which of the following describes the implicit deny action in FortiGate firewall policies?

A. A policy that is automatically created when the first policy is added
B. A policy that denies traffic based on the source IP
C. A policy that denies all traffic and can be moved to any position
D. A default policy that denies all traffic unless explicitly allowed
Answer: D

Correct description.

Why this answer

The implicit deny is a default rule at the end of the policy list that denies all traffic not explicitly allowed. It cannot be moved or deleted.

684
MCQ (medium)

A FortiGate administrator wants to block outgoing DNS requests to known malware domains. Which security profile should be used?

A. Application control
B. Web filter
C. IPS
D. DNS filter
Answer: D

DNS filter can block DNS queries to malicious domains based on FortiGuard or custom categories.

Why this answer

DNS Filter is the correct security profile because it is specifically designed to inspect and block DNS queries based on domain names, IP addresses, or categories. By configuring a DNS filter policy with a custom list of known malware domains, the FortiGate can intercept outgoing DNS requests and drop those matching the malicious entries, preventing the resolution of malware domains.

Exam trap

The trap here is that candidates often confuse DNS Filter with Web Filter, assuming that blocking malicious domains is a web filtering function, but DNS Filter operates at the DNS protocol level and is the correct profile for blocking DNS requests to specific domains.

How to eliminate wrong answers

Option A is wrong because Application Control identifies and controls application traffic (e.g., Skype, BitTorrent) based on signatures, not DNS queries to specific domains. Option B is wrong because Web Filter inspects HTTP/HTTPS traffic to block URLs or categories, but it does not inspect DNS requests themselves. Option C is wrong because IPS (Intrusion Prevention System) detects and blocks network-level attacks and exploits using signatures, not DNS queries to specific domain names.

685
MCQ (easy)

What is the primary function of protocol decoders in the FortiGate IPS engine?

A. They block malicious IP addresses based on reputation.
B. They normalize traffic for specific protocols to enable signature matching.
C. They rate-limit traffic to prevent DoS attacks.
D. They decrypt SSL/TLS traffic for inspection.
Answer: B

Protocol decoders parse and normalize protocol traffic (e.g., HTTP, SMTP) so IPS signatures can match effectively.

Why this answer

Option B is correct. Protocol decoders normalize traffic so that IPS signatures can detect attacks within the protocol context.

686
Multi-Select (medium)

A FortiGate administrator is configuring RADIUS authentication for firewall users. Which THREE steps are required to complete the configuration? (Select THREE.)

Select 3 answers
A. Import the RADIUS server certificate into FortiGate
B. Configure a firewall policy with the user group set in 'users/groups'
C. Define the RADIUS server under 'config user radius'
D. Create a user group that uses the RADIUS server as the authentication source
E. Enable 'set auth-type radius' on the interface
Answers: B, C, D

The firewall policy enforces authentication for traffic.

Why this answer

To configure RADIUS authentication, you must define the RADIUS server, create a user group that references the RADIUS server, and then configure a firewall policy that uses that user group for authentication. The RADIUS server itself needs to be accessible, but the configuration steps on FortiGate are these three.

687
MCQ (medium)

A network admin configures a site-to-site IPsec VPN between two FortiGates using IKEv1 main mode. The tunnel establishes successfully, but no traffic passes. What is the MOST likely cause?

A. Aggressive mode should be used instead of main mode
B. The pre-shared key is incorrect
C. There is no firewall policy allowing traffic through the VPN tunnel
D. The phase2 proposal does not match between peers
Answer: C

A firewall policy must explicitly permit traffic from the source to destination zone using the VPN interface.

Why this answer

Main mode IKEv1 uses IP protocol 50 (ESP) and UDP 500/4500. If there is no firewall policy allowing traffic between the source and destination zones, traffic will be dropped even if the tunnel is up.

688
Multi-Select (hard)

A FortiGate admin is troubleshooting an issue where traffic from VLAN 10 to the internet is not being NATed even though a policy-based NAT rule is configured. The admin verifies that the firewall policy uses the correct IP Pool. Which THREE steps should the admin take to diagnose the problem? (Choose three.)

Select 3 answers
A. Reboot the FortiGate to clear any session table issues
B. Examine the IP Pool configuration for correct interface binding or port exhaustion
C. Verify that the firewall policy is being hit using 'diagnose firewall fwpolicy list' or logs
D. Check the session table using 'diagnose sys session list' to see if NAT is applied
E. Disable all other firewall policies to isolate the issue
Answers: B, C, D

Misconfigured pool (e.g., wrong interface) or port exhaustion can cause NAT failure.

Why this answer

Option B is correct because policy-based NAT requires the IP Pool to be bound to the correct outgoing interface (the one the traffic egresses on). If the interface binding is wrong or the pool has exhausted its port range (e.g., all PAT ports are used), NAT will fail silently. Examining the IP Pool configuration directly reveals these misconfigurations.

Exam trap

The trap here is that candidates often assume a firewall policy with NAT enabled will always work, overlooking that the IP Pool itself must be correctly bound to the egress interface and not exhausted, and that rebooting or disabling policies are not valid diagnostic steps.

689
MCQ (easy)

A FortiGate administrator wants to create a firewall policy that matches traffic based on the destination domain name (e.g., *.example.com). Which type of address object should be used?

A. FQDN object
B. Wildcard FQDN object
C. Subnet object
D. Geography object
Answer: B

Wildcard FQDN supports patterns like *.example.com.

Why this answer

Wildcard FQDN objects allow matching based on domain name patterns like *.example.com. Option B is correct.

690
Multi-Select (hard)

A FortiGate administrator needs to configure a VLAN interface and an aggregate interface. Which THREE statements are correct regarding these interface types?

Select 3 answers
A. Aggregate interfaces require at least one physical member to be up.
B. Aggregate interfaces are only supported in NAT/Route mode.
C. VLAN interfaces cannot be used in transparent mode.
D. VLAN interfaces can be created on aggregate interfaces.
E. VLAN interfaces can have their own IP address and firewall policies.
Answers: A, D, E

Why this answer

Option A is correct because an aggregate interface (LAG) requires at least one physical member port to be administratively and operationally up for the aggregate itself to be considered up. If all member ports are down, the aggregate interface goes down, which is a fundamental behavior of link aggregation groups (LAGs) per IEEE 802.3ad.

Exam trap

The trap here is that candidates often confuse the mode restrictions for VLANs and aggregates, incorrectly assuming VLANs cannot be used in Transparent mode or that aggregates are limited to NAT/Route mode, when in fact both interface types have broader support.

691
MCQ (hard)

A FortiGate has the following policy list: ID 1: allow from trust to untrust, source 10.0.0.0/24, destination all, service HTTP, NAT enabled. ID 2: allow from trust to untrust, source 10.0.1.0/24, destination all, service ALL, NAT enabled. A host 10.0.1.50 sends an HTTP request to 203.0.113.5. Which policy matches?

A. Policy ID 2 because it matches the source and service
B. Both policies, and the traffic is load-balanced
C. No policy matches, traffic is denied by implicit deny
D. Policy ID 1 because it is first in order and matches the service HTTP
Answer: A

Policy ID 2 matches source and service.

Why this answer

FortiGate uses first-match logic. Policy ID 1 matches source 10.0.0.0/24 and service HTTP; Policy ID 2 matches source 10.0.1.0/24 and service ALL.

10.0.0.0/24 covers 10.0.0.0-10.0.0.255, so 10.0.1.50 is not in that range (10.0.1.0/24 is not a subset of 10.0.0.0/24). Policy ID 1 therefore does not match because of the source mismatch, even though it is first in order.

Policy ID 2 matches because source 10.0.1.0/24 includes 10.0.1.50 and service ALL includes HTTP. So the answer is A.

692
MCQ (medium)

A FortiGate admin runs 'diagnose sys session filter dport 443' and then 'diagnose sys session list'. The output shows a session with 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A. The session is in a half-open state, waiting for SYN-ACK
B. The session is closing with a FIN flag
C. The session is fully established and transferring data
D. The session was blocked by a firewall policy
Answer: A

proto_state=01 corresponds to SYN_SENT. This indicates the client sent a SYN but has not received a SYN-ACK, so the session is stuck in a half-open state.

Why this answer

Protocol 6 is TCP, proto_state=01 indicates TCP SYN_SENT state (the first step of the three-way handshake). Duration and expire are in seconds. The session has been open for 3600 seconds (1 hour) and will expire in 3599 seconds, which is unusual for a TCP session that should have completed handshake quickly.

This suggests the session is stuck in SYN_SENT, likely due to no SYN-ACK response.

693
Multi-Select (medium)

A FortiGate admin needs to create a loopback interface for management purposes. Which two statements about loopback interfaces are correct? (Choose two.)

Select 2 answers
A. Loopback interfaces are always up and do not depend on physical links
B. Loopback interfaces can be used to terminate IPSec VPN tunnels
C. Loopback interfaces cannot be assigned an IP address
D. Loopback interfaces are only used for routing protocols
E. Loopback interfaces require a physical port to be up
Answers: A, B

Correct; they are always logically up.

Why this answer

Option A is correct because loopback interfaces are virtual interfaces that are always in an up/up state as long as the FortiGate is operational. They do not depend on any physical link or carrier status, making them ideal for management access and stable routing protocol peering.

Exam trap

The trap here is that candidates often assume loopback interfaces are only for routing protocols or that they cannot have an IP address, but FortiGate loopback interfaces fully support IP addressing and are used for multiple purposes including management and VPN termination.

694
MCQ (medium)

A FortiGate is configured with two equal-cost static routes to the same destination network (0.0.0.0/0) via two different ISPs. The administrator wants to use both links simultaneously for load balancing. What must be enabled?

A. ECMP (Equal Cost Multi-Path) routing
B. SD-WAN
C. Link load balancing
D. Policy routing
Answer: A

ECMP allows the FortiGate to distribute traffic across multiple paths with equal cost.

Why this answer

Equal Cost Multi-Path (ECMP) routing is the correct feature to enable because it allows a FortiGate to load-balance traffic across multiple static routes that have the same metric (distance) to the same destination (0.0.0.0/0). By default, FortiGate uses a single best route; enabling ECMP distributes sessions across both ISP links based on a hash algorithm (e.g., source-destination IP), achieving simultaneous utilization without requiring dynamic routing protocols.

Exam trap

The trap here is that candidates confuse ECMP with SD-WAN, assuming SD-WAN is mandatory for any multi-WAN load balancing, when in fact ECMP alone suffices for equal-cost static routes without application-aware steering or link health monitoring.

How to eliminate wrong answers

Option B (SD-WAN) is wrong because SD-WAN is a broader solution for intelligent path control, application steering, and link quality monitoring, but it is not required solely for basic load balancing across equal-cost static routes—ECMP handles that natively. Option C (Link load balancing) is wrong because it is not a specific FortiGate feature; the term is generic and often refers to external hardware or SD-WAN, whereas ECMP is the precise mechanism for equal-cost route load sharing. Option D (Policy routing) is wrong because policy routing (PBR) overrides the routing table based on user-defined policies (e.g., source IP, protocol), which is used for selective traffic steering, not for automatically load-balancing all traffic across equal-cost static routes.

695
MCQ (easy)

What is the primary purpose of FortiSandbox integration with FortiGate antivirus?

A. To replace the local antivirus scanning engine
B. To perform SSL deep inspection
C. To cache antivirus signatures locally
D. To detect zero-day malware by analyzing file behavior in a sandbox environment
Answer: D

FortiSandbox submits suspicious files for behavioral analysis, catching unknown threats.

Why this answer

Option D is correct. FortiSandbox provides advanced threat detection by executing files in a controlled environment and observing their behavior.

696
MCQ (medium)

A FortiGate administrator is troubleshooting an issue where internal users cannot access a public web server. The administrator runs 'diagnose debug flow' and the output shows 'forward to port2' followed by 'no route to host'. What is the most likely cause?

A. The source IP is not in the routing table
B. The interface port2 is down
C. The FortiGate does not have a route to the destination IP
D. The destination port is blocked by a firewall policy
Answer: C

The debug output clearly shows 'no route to host', meaning the destination is not reachable via any route.

Why this answer

Option C is correct. 'No route to host' indicates that the FortiGate does not have a route to the destination IP in the routing table. The packet is being forwarded toward the expected interface (port2) but cannot be routed further.

697
MCQ (medium)

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

A. The session is a TCP session that has been established for 1 hour and will expire in about 1 hour
B. The session is a UDP session with destination port 443
C. The session will expire in 3600 seconds
D. The session is a TCP session in SYN_SENT state
Answer: A

Correct interpretation.

Why this answer

Option A is correct because the output shows `proto=6`, which indicates TCP (protocol number 6), and `proto_state=01` corresponds to TCP state ESTABLISHED. The `duration=3600` means the session has been active for 3600 seconds (1 hour), and `expire=3599` indicates the session will expire in 3599 seconds (approximately 1 hour). This matches the description of a TCP session established for 1 hour with about 1 hour remaining before expiry.

Exam trap

The trap here is that candidates often confuse `duration` with `expire` or misinterpret `proto=6` as generic 'TCP' without recognizing that `proto_state=01` specifically indicates the ESTABLISHED state, not SYN_SENT or other states.

How to eliminate wrong answers

Option B is wrong because `proto=6` specifies TCP, not UDP (UDP uses protocol number 17). Option C is wrong because `expire=3599` indicates the session will expire in 3599 seconds, not 3600 seconds; the value 3600 is the duration, not the expiry time. Option D is wrong because `proto_state=01` represents the ESTABLISHED state, not SYN_SENT (which would be state 02 in Fortinet's session state encoding).

698
MCQ (hard)

An SSL VPN user connects via web mode but cannot access internal resources. The admin checks the SSL VPN settings: tunnel mode is disabled, split tunneling is enabled, and the user's realm is configured correctly. What is the MOST likely cause?

A. No port forwarding rules are configured in the SSL VPN portal
B. Split tunneling is blocking internal routes
C. The user's browser does not support WebSocket
D. The user's client certificate is expired
Answer: A

Web mode requires port forwarding rules to map internal resources.

Why this answer

In web mode, access to internal resources requires proper port forwarding rules within the SSL VPN portal. Without them, the user can only access resources explicitly listed.

699
MCQ (easy)

Which IPsec VPN mode uses IP addresses and ports to define interesting traffic, and requires a separate security policy for each tunnel?

A. Hub-and-spoke VPN
B. Policy-based VPN
C. Dial-up VPN
D. Route-based VPN
Answer: B

Policy-based VPNs define traffic via firewall policies with action IPsec.

Why this answer

Policy-based VPNs use firewall policies to define traffic that will be encrypted. They require a security policy per tunnel and do not use route-based selectors.

700
MCQ (hard)

A FortiGate administrator receives reports that users cannot access a legitimate website that uses HTTPS. The web filtering profile is configured with strict FortiGuard categories and 'monitor all' for unknown sites. The firewall policy has an SSL/SSH inspection profile set to 'deep-inspection'. What is the most likely cause of the issue?

A. The website uses a self-signed certificate which is not trusted by the FortiGate CA bundle
B. The antivirus profile is blocking a file on the website
C. The DNS filter is blocking the domain
D. The website's FortiGuard category is set to 'block'
Answer: A

Deep inspection requires the FortiGate to trust the server certificate. A self-signed or untrusted CA certificate will cause the connection to fail.

Why this answer

When deep inspection is enabled, the FortiGate decrypts and re-encrypts traffic. If the website's certificate is not trusted by the FortiGate (e.g., self-signed or issuer not in CA bundle), the connection may fail.

701
MCQ (medium)

A FortiGate administrator configures a ZTNA rule to protect an internal web server. The rule uses an access proxy. Which component on the FortiGate terminates the incoming ZTNA connection?

A. ZTNA tag
B. SSL inspection profile
C. ZTNA application
D. ZTNA gateway
Answer: D

The gateway handles termination and proxying.

Why this answer

Option D is correct. The ZTNA gateway is the FortiGate component that terminates the incoming TLS connection from the client and proxies the request to the internal server.

702
Drag & Drop (medium)

Drag and drop the steps to configure a VLAN interface on FortiGate into the correct order.

Why this order

VLAN interfaces require a physical parent, VLAN ID, IP address, and optional administrative access.

703
MCQ (easy)

Which of the following is a benefit of using IKEv2 over IKEv1 for IPsec VPN?

A. IKEv2 supports only main mode
B. IKEv2 requires fewer firewall rules
C. IKEv2 uses a single UDP port 500
D. IKEv2 is more robust to network changes and supports MOBIKE
Answer: D

IKEv2 includes features like MOBIKE for mobility.

Why this answer

IKEv2 is more resilient to network changes and supports MOBIKE, which allows the VPN to survive IP address changes.

704
Multi-Select (hard)

A FortiGate is configured for SSL VPN tunnel mode with split tunneling enabled. The administrator wants to ensure that traffic to the corporate DNS server (10.0.1.10) goes through the tunnel while all other traffic goes directly to the internet. Which THREE configuration steps are required?

Select 3 answers
A. Add the DNS server subnet (10.0.1.0/24) to the split tunneling destinations
B. Disable NAT on the tunnel interface
C. Configure the DNS server IP in the SSL VPN settings as a split tunneling destination
D. Enable split tunneling in the SSL VPN portal configuration
E. Configure a static route on the client for 10.0.1.0/24 via the virtual adapter
Answers: A, C, D

This ensures traffic to that subnet is sent through the tunnel.

Why this answer

For split tunneling with specific destinations routed through the VPN, the administrator must configure the SSL VPN settings to include the DNS server subnet in the split tunneling list, enable split tunneling, and ensure the firewall policy allows the traffic.

705
MCQ (hard)

A FortiGate is configured with SSL deep inspection using a self-signed CA certificate. Users report that they see a certificate warning in their browser when accessing HTTPS sites. The admin wants to eliminate these warnings. What should the admin do?

A. Install the FortiGate's CA certificate on each client device's trusted root certificate store
B. Disable SSL deep inspection and rely on flow-based antivirus
C. Change the SSL inspection mode to certificate inspection only
D. Configure an SSL certificate exemption for all HTTPS traffic
Answer: A

Installing the CA certificate makes the clients trust the certificates issued by FortiGate, eliminating warnings.

Why this answer

The certificate warning appears because the client does not trust the self-signed CA used by FortiGate. To eliminate warnings, the FortiGate's CA certificate must be installed in the trusted root store of each client device.

706
MCQ (medium)

An admin wants to block all traffic from a specific geographic region. Which address object type should be used in the firewall policy source?

A. FQDN
B. Subnet
C. IP range
D. Geography
Answer: D

Geography objects use IP geolocation to match traffic from specific countries.

Why this answer

Option D is correct because FortiGate firewalls include a built-in Geography address object type that allows policies to match traffic based on the source or destination IP address's registered country or region. This object uses GeoIP databases to classify IP addresses, enabling administrators to block or allow traffic from entire geographic areas without needing to manually list individual subnets or ranges.

Exam trap

The trap here is that candidates may confuse Geography with IP range or subnet, thinking they can manually compile a list of all IPs for a region, but FortiGate's Geography object automates this via the GeoIP database and is the correct, scalable approach for geographic blocking.

How to eliminate wrong answers

Option A is wrong because FQDN (Fully Qualified Domain Name) objects resolve to IP addresses via DNS and are used for policies based on domain names, not geographic location. Option B is wrong because a Subnet object defines a contiguous block of IP addresses using a network prefix (e.g., 192.168.1.0/24) and cannot represent an entire geographic region. Option C is wrong because an IP range object specifies a start and end IP address (e.g., 10.0.0.1-10.0.0.255) and is intended for arbitrary address ranges, not for geographic classification.

707
MCQ (medium)

A FortiGate has two firewall policies: Policy 1 (from port1 to port2, source all, destination 10.0.1.0/24, schedule always, action accept) and Policy 2 (from port1 to port2, source all, destination all, schedule 'Business Hours', action accept). A user attempts to connect from port1 to 10.0.1.5 at 8 PM on a Saturday. The traffic is denied. What is the most likely reason?

A. Policy 1 only matches destination 10.0.1.10, and Policy 2's schedule is not active at this time
B. The source address is not included in either policy
C. Policy 1 is placed below Policy 2 in the policy order, so Policy 2 is evaluated first
D. Policy 2 has an implicit deny action
Answer: A

The destination 10.0.1.5 is not matched by Policy 1 (which matches only .10). Policy 2 matches the destination but its schedule restricts it to business hours, so it is not valid at 8 PM Saturday. Thus, no policy matches and traffic is implicitly denied.

Why this answer

Policy 1 matches the destination 10.0.1.0/24, which includes 10.0.1.5, but the answer option incorrectly states it only matches 10.0.1.10. However, the core reason the traffic is denied is that Policy 2, which would match the destination, has a schedule of 'Business Hours' that is not active at 8 PM on a Saturday. Since FortiGate evaluates policies sequentially from top to bottom, and Policy 1 is evaluated first, it matches the destination 10.0.1.5 and has an action of accept, so traffic should be permitted.

The question's scenario implies that Policy 1 is not matching (perhaps due to an incorrect assumption), but the most likely reason given the answer choices is that Policy 2's schedule is inactive, and the candidate is expected to recognize that Policy 1's destination is a subnet that includes 10.0.1.5, so the correct answer is A based on the provided options.

Exam trap

The trap here is that candidates may assume Policy 1 only matches a specific host (10.0.1.10) rather than the entire subnet, or they may overlook that Policy 2's schedule being inactive causes it to be skipped, leading them to incorrectly attribute the denial to policy order or source mismatch.

How to eliminate wrong answers

Option B is wrong because both policies have source set to 'all', so the source address is included in both policies. Option C is wrong because even if Policy 1 is placed below Policy 2, Policy 2 would be evaluated first and would match the destination all, but its schedule is inactive, so traffic would be denied by the implicit deny at the end of the policy list, not because of policy order. Option D is wrong because Policy 2 has an action of accept, not deny; the implicit deny is a default behavior at the end of the policy list, not an action within Policy 2.

708 · MCQ · medium

A FortiGate cluster is configured in active-passive HA. The administrator wants to manage the cluster using a single IP address that always points to the current primary unit. Which configuration should be applied?

A. Configure a virtual IP (VIP) for HTTPS management
B. Set the HA management IP as a dedicated interface IP on each unit
C. Enable 'management IP' under HA configuration with the desired IP
D. Use the same IP address on both units and disable ARP
Answer: C

The HA management IP is a floating IP that follows the primary unit.

Why this answer

The management interface in HA can have a virtual IP that follows the primary unit, accessible via the floating (virtual) management IP.

709 · MCQ · hard

A FortiGate with multiple VDOMs has a policy that allows traffic from VDOM A to VDOM B. The admin notices that traffic from VDOM A to a specific server in VDOM B is being dropped. The session log shows 'deny by forward policy check'. What is the MOST likely cause?

A. The inter-VDOM link is down
B. NAT is required for inter-VDOM traffic
C. The source VDOM has exceeded its session limit
D. The policy in VDOM B to allow traffic from VDOM A is missing or misconfigured
Answer: D

Forward policy check occurs in the destination VDOM.

Why this answer

Inter-VDOM links require policies in both VDOMs: one in VDOM A for outgoing traffic, and one in VDOM B for incoming traffic. The error 'deny by forward policy check' indicates that the policy in the destination VDOM (VDOM B) is missing or denying the traffic.

710 · Multi-Select · medium

An administrator is planning a firmware upgrade from FortiOS 6.0 to 7.2. Which THREE steps should be performed before starting the upgrade process?

Select 3 answers
A. Read the release notes for the target firmware version
B. Remove all static routes to avoid routing issues
C. Verify the upgrade path and ensure intermediate versions are used if needed
D. Perform a full configuration backup
E. Disable all antivirus and IPS sensors
Answers: A, C, D

Release notes contain important upgrade instructions and known issues.

Why this answer

Reading the release notes for the target firmware version (FortiOS 7.2) is essential because they document critical upgrade-specific information, such as deprecated features, changed default behaviors, known issues, and hardware compatibility requirements. Skipping this step can lead to unexpected service disruptions or feature loss after the upgrade, as the release notes often include mandatory pre-upgrade actions like disabling certain features or adjusting configurations.

Exam trap

The trap here is that candidates may think disabling security features (Option E) is a safe precaution, but Fortinet explicitly advises against disabling security profiles unless a specific release note entry warns of a conflict, making it a distractor that wastes time and reduces security posture.

711 · MCQ · medium

A company has a web server in the DMZ that needs to be accessible from the internet on port 443 (HTTPS). The administrator configures a Virtual IP (VIP) mapping the public IP 203.0.113.10 to the private IP 10.0.1.10 port 443. Which firewall policy is required to allow inbound traffic?

A. A policy from WAN to DMZ with source any, destination IP of the server (10.0.1.10), and action ACCEPT
B. A policy from WAN to DMZ with source any, destination VIP, and action ACCEPT
C. No firewall policy is needed; the VIP automatically allows traffic
D. A policy from DMZ to WAN with source VIP, destination any, and action ACCEPT
Answer: B

This policy allows traffic destined to the VIP. The VIP translation occurs before policy lookup, so the policy must allow traffic to the VIP.

Why this answer

Option B is correct because when a Virtual IP (VIP) is configured in FortiGate, the firewall policy must reference the VIP object as the destination, not the actual private IP. The VIP translates the public IP (203.0.113.10) to the private IP (10.0.1.10), and the policy from WAN to DMZ with destination VIP ensures that inbound traffic is matched and permitted before NAT translation occurs. Without this policy, the VIP alone does not allow traffic; it only defines the translation rule.

Exam trap

The trap here is that candidates often assume a VIP automatically permits traffic or that the policy should use the private IP, but FortiGate requires an explicit firewall policy referencing the VIP object to allow inbound traffic through the NAT mapping.

How to eliminate wrong answers

Option A is wrong because the policy must use the VIP object as the destination, not the actual private IP (10.0.1.10); referencing the private IP bypasses the NAT translation and will not match the incoming traffic destined to the public IP. Option C is wrong because a VIP does not automatically allow traffic; it only defines the NAT mapping, and a corresponding firewall policy with action ACCEPT is mandatory to permit the traffic. Option D is wrong because the required policy must be from WAN to DMZ (inbound direction), not from DMZ to WAN; the DMZ-to-WAN policy would control outbound responses, not the initial inbound connection.

712 · MCQ · easy

A FortiGate administrator wants to see real-time debugging output for traffic matching a specific source IP address. Which command sequence would achieve this?

A. diagnose sys session filter src 10.0.1.10 ; diagnose sys session list
B. diagnose debug flow filter src 10.0.1.10 ; diagnose debug flow show function-name ; diagnose debug enable
C. diagnose sniffer packet any 'host 10.0.1.10' 4
D. diagnose debug reset ; diagnose debug enable ; diagnose debug flow show iprope
Answer: B

This sequence sets the filter, enables flow debug, and turns on debugging.

Why this answer

Option B is correct because the 'diagnose debug flow' command sequence is specifically designed for real-time debugging of traffic flows, allowing filtering by source IP with the 'filter src' option. Enabling debug output with 'diagnose debug enable' then shows flow trace information for packets matching the filter, which is the standard method for live traffic debugging on FortiGate.

Exam trap

The trap here is confusing packet sniffing (Option C) with flow debugging (Option B), as both can show traffic for a specific IP, but only debug flow reveals the firewall's internal processing decisions (e.g., policy ID, NAT action) in real time, which is essential for diagnosing policy-related issues.

How to eliminate wrong answers

Option A is wrong because 'diagnose sys session list' shows current session table entries, not real-time debugging output; it provides a static snapshot, not a live trace. Option C is wrong because 'diagnose sniffer packet' captures raw packets but does not provide the flow-level debugging details (e.g., firewall policy decisions, NAT translations) that 'debug flow' offers; it is a packet capture tool, not a flow debugger. Option D is wrong because the command sequence is incomplete and incorrect: 'diagnose debug reset' clears all debug settings, 'diagnose debug enable' enables debug without a filter, and 'diagnose debug flow show iprope' is not a valid command (the correct command is 'diagnose debug flow show function-name' or 'diagnose debug flow show ip-address'); this sequence would either produce no output or show unfiltered debug data.

713 · MCQ · medium

A FortiGate administrator needs to create a firewall policy that allows traffic from the internal network (10.0.0.0/8) to a public web server (203.0.113.10) on port 443. The policy must also perform source NAT using the FortiGate's external IP (198.51.100.1). Which NAT configuration should be applied?

A. Create an IP pool with the external IP and reference it in the firewall policy
B. Enable NAT on the firewall policy without specifying an IP pool
C. Create a VIP for the web server and reference it in the firewall policy
D. Configure Central SNAT and a matching rule
Answer: B

Enabling NAT on the policy uses the egress interface IP (198.51.100.1) as the source IP.

Why this answer

When 'NAT' is enabled on a firewall policy, FortiGate performs source NAT using the egress interface IP by default. Option B correctly states this default behavior for outbound traffic.

714 · Multi-Select · hard

A FortiGate administrator is troubleshooting an issue where users cannot access an internal HTTPS server (10.10.10.10:443) after enabling SSL deep inspection. The administrator sees that the server's certificate is self-signed. Which TWO actions should the administrator take to allow access while maintaining inspection?

Select 2 answers
A. Disable deep inspection on the policy
B. Change the policy action to DENY
C. Disable certificate validation in the SSL/SSH profile
D. Import the server's self-signed certificate into FortiGate's trusted CA list
E. Add the server's IP address to the SSL/SSH profile's exemption list
Answers: D, E

If FortiGate trusts the server's CA (or the certificate itself), it can establish the inspection without certificate errors.

Why this answer

To allow inspection of a server with a self-signed certificate, you need to either add the server to the exemption list in the SSL/SSH profile (so it is not inspected) or import the server's CA certificate and add it as a trusted CA so that deep inspection can validate the certificate.

715 · Multi-Select · hard

Which THREE configuration steps are required to enable transparent proxy mode on a FortiGate?

Select 3 answers
A. Create a firewall policy with explicit proxy enabled
B. Enable web proxy globally under config system settings
C. Disable NAT on the firewall policy
D. Configure a software switch or 802.1Q VLAN trunk to bridge the interfaces
E. Assign an IP address to the proxy interface
Answers: A, C, D

Explicit proxy policies define traffic to be proxied.

Why this answer

Option A is correct because in transparent proxy mode, the FortiGate must intercept web traffic without clients being explicitly configured to use a proxy. Enabling explicit proxy in the firewall policy allows the FortiGate to apply proxy-based security features (like web filtering and antivirus) to traffic that matches the policy, even though the clients are unaware of the proxy. This is a key step to activate transparent proxy inspection on the specified traffic.

Exam trap

The trap here is that candidates often confuse transparent proxy mode with explicit proxy mode, mistakenly thinking that global web proxy settings or proxy interface IPs are required, when in fact transparent mode relies on bridging and policy-level explicit proxy flags without client-side configuration.

716 · MCQ · medium

A FortiGate is configured with an active-passive HA cluster. The admin notices that when the primary unit fails, the secondary takes over, but after the primary recovers, it does not automatically become active again. What is the most likely reason?

A. The primary has a lower priority than the secondary
B. Override is not enabled
C. Session pickup is disabled
D. The heartbeat interface is down
Answer: B

Override must be enabled to allow a higher-priority unit to preempt the current primary.

Why this answer

By default, HA does not preempt. The 'override' setting is disabled. When the primary recovers, it does not force a failback because the cluster is non-preemptive.

The admin must enable override if they want automatic failback.

717 · MCQ · easy

Which of the following best describes the policy lookup order on a FortiGate firewall?

A. Policies are evaluated in the order they appear in the policy list, from top to bottom
B. Policies are evaluated based on the number of hits, least-hit first
C. Policies are evaluated randomly to balance load
D. The policy with the highest priority number is evaluated first
Answer: A

FortiGate iterates through the policy list sequentially and applies the first matching policy.

Why this answer

FortiGate uses a top-down sequential match: the first policy that matches the traffic is executed, and subsequent policies are ignored.

718 · MCQ · hard

An administrator runs 'diagnose vpn ike gateway list' on a FortiGate and sees the following output for a dial-up IPsec VPN:

gateway name: 'dialup'
version: IKEv1
mode: aggressive
local IP: 203.0.113.1
remote IP: 0.0.0.0
state: up
peers: 0

What does 'peers: 0' indicate?

A. The remote IP should be set to a specific address
B. The gateway is in a down state
C. No IPsec clients are currently connected
D. The Phase 2 proposals are mismatched
Answer: C

Peers: 0 indicates zero active connections.

Why this answer

The 'peers' count shows how many clients are currently connected. A value of 0 means no clients have successfully completed Phase 1. The gateway is up (listening) but no peers have connected.

719 · MCQ · hard

After upgrading FortiOS, an IPsec VPN tunnel fails to come up. The diagnose output shows 'negotiation failed: no acceptable proposal'. The remote peer is a third-party device. Which step should you take first?

A. Change the IKE version to IKEv2
B. Disable dead peer detection on the FortiGate
C. Reboot the remote peer
D. Check the phase1 and phase2 proposal settings on both ends to ensure they match
Answer: D

Mismatched parameters like encryption, hash, DH group are common causes.

Why this answer

The log indicates proposal mismatch. Since the remote peer is third-party, the FortiGate should be configured to match the remote peer's proposals. Checking the phase1 and phase2 settings against the remote peer's requirements is the logical first step.

720 · Multi-Select · medium

An administrator wants to allow only HTTPS and SSH administrative access to the FortiGate from a specific management subnet 192.168.100.0/24. Which TWO steps must be taken on the FortiGate?

Select 2 answers
A. Set the trusted host(s) on the administrator account to 192.168.100.0/24
B. Create a local-in policy to allow traffic from 192.168.100.0/24
C. Enable HTTPS and SSH globally under system global
D. Configure a firewall policy to permit HTTPS and SSH from the management subnet to the FortiGate
E. On the interface, set allowaccess to https and ssh
Answers: A, E

This restricts which IPs can access the FortiGate via those protocols.

Why this answer

Option A is correct because setting the trusted host(s) on an administrator account restricts administrative logins to only those originating from the specified subnet (192.168.100.0/24). This is a per-account access control that works in conjunction with interface-level allowaccess settings to enforce administrative source IP restrictions.

Exam trap

The trap here is that candidates often confuse firewall policies (which control forwarded traffic) with local-in policies or interface allowaccess settings (which control traffic destined to the FortiGate itself), leading them to incorrectly select option D.

721 · MCQ · hard

Refer to the exhibit. A FortiGate SSL VPN user is unable to connect. The debug output shows the above error. What is the most likely cause?

A. The SSL VPN certificate has expired.
B. The CA that issued the SSL VPN certificate is not trusted by the client.
C. The user's password is incorrect.
D. The firewall policy is blocking the SSL VPN port.
Answer: B

Unknown CA error indicates trust issue.

Why this answer

The debug output indicates an SSL/TLS handshake failure, specifically that the client does not trust the server's certificate. This occurs when the Certificate Authority (CA) that issued the SSL VPN certificate is not in the client's trusted root store. Option B correctly identifies this as the most likely cause because the error is a certificate trust issue, not an expiration or authentication problem.

Exam trap

The trap here is that candidates confuse certificate trust issues (CA not trusted) with certificate expiration, but the debug output clearly shows a trust chain failure, not a validity date error.

How to eliminate wrong answers

Option A is wrong because a certificate expiration error would typically produce a different debug message (e.g., 'certificate has expired') and would be logged as a validity period failure, not a trust chain issue. Option C is wrong because an incorrect password would result in an authentication failure at the login stage, not an SSL/TLS handshake error during the initial connection setup. Option D is wrong because a firewall policy blocking the SSL VPN port would prevent any TCP connection from being established, resulting in a timeout or 'connection refused' error, not an SSL handshake failure with certificate trust messages.

722 · MCQ · hard

An administrator configures an application control profile to block 'Facebook' and 'Twitter' using application signatures. Users can still access Facebook via HTTPS. The firewall policy has application control enabled and SSL deep inspection is not configured. Why is Facebook not blocked?

A. The application signature for Facebook is not updated
B. The application control profile is configured in monitor-only mode
C. HTTPS traffic is encrypted and cannot be inspected without SSL deep inspection
D. Facebook uses a non-standard port that application control does not monitor
Answer: C

Application signatures rely on payload; encryption hides that.

Why this answer

Option C is correct: without SSL deep inspection, FortiGate cannot see the encrypted application payload to match application signatures for HTTPS traffic. Application control requires decryption for encrypted applications.

723 · MCQ · hard

An administrator runs the command shown in the exhibit and sees anomalies detected from 10.1.1.100 to 10.2.2.200. The IPS sensor's anomaly settings are configured with the default actions. What will be the default action for the ICMP Flood anomaly?

A. Monitor
B. Block
C. Pass
D. Quarantine
Answer: B

Default action for flood anomalies is to block the source.

Why this answer

The correct answer is B because, by default, FortiGate IPS sensors set the action for ICMP Flood anomalies to 'Block'. This default action is defined in the IPS sensor configuration and is applied when the anomaly threshold is exceeded, as indicated by the detected anomalies from 10.1.1.100 to 10.2.2.200.

Exam trap

The trap here is that candidates often confuse the default action for anomaly-based IPS signatures with the default action for signature-based IPS rules, where 'Monitor' is the default, leading them to incorrectly select 'Monitor' for flood anomalies.

How to eliminate wrong answers

Option A is wrong because 'Monitor' is not the default action for ICMP Flood anomalies; it is a user-configurable action that logs the event without blocking traffic. Option C is wrong because 'Pass' would allow the traffic to bypass inspection, which is not the default behavior for detected anomalies. Option D is wrong because 'Quarantine' is an action typically used for compromised hosts in other security contexts, not the default action for ICMP Flood anomalies in an IPS sensor.

724 · Multi-Select · easy

Which THREE of the following are valid address object types in FortiGate? (Choose three.)

Select 3 answers
A. Subnet
B. MAC address
C. Geography
D. FQDN
E. Wildcard
Answers: A, C, D

Standard address object.

Why this answer

A is correct because a Subnet address object in FortiGate defines a range of IP addresses using a network address and subnet mask (e.g., 192.168.1.0/24). This is one of the fundamental object types used in firewall policies to match traffic based on source or destination IP ranges.

Exam trap

The trap here is that candidates often confuse the 'Wildcard' address type with the wildcard subnet mask notation (e.g., 0.0.0.255) used within a Subnet object, leading them to incorrectly select Wildcard as a separate object type.

725 · MCQ · medium

An administrator has configured LDAP authentication on a FortiGate. When testing the LDAP connectivity, the test succeeds. However, users cannot authenticate through the captive portal. What is a possible cause?

A. The captive portal is disabled
B. The user group is not configured to use the LDAP server
C. The LDAP server is not reachable from the captive portal interface
D. The LDAP server's SSL certificate is expired
Answer: B

The user group must include the LDAP server as the authentication source.

Why this answer

Even if LDAP connectivity is successful, the user group must be configured to use the LDAP server. Also, the firewall policy must have the LDAP user group as the allowed user.

726 · MCQ · easy

A FortiGate administrator wants to block access to gambling websites using web filtering. Which FortiGuard category should be blocked?

A. Spam
B. Malware
C. Gambling
D. Pornography
Answer: C

The FortiGuard web filtering category for gambling is named 'Gambling'.

Why this answer

FortiGuard categorizes websites into many categories. Gambling is a specific category, and blocking it prevents access to those sites.

727 · MCQ · medium

A FortiGate admin runs 'diagnose sys session filter src 10.0.0.10' and gets no output. What does this indicate?

A. The session table is full
B. The source IP 10.0.0.10 is not currently active in any session table
C. The firewall policy is blocking traffic from 10.0.0.10
D. The diagnose command syntax is incorrect
Answer: B

No sessions match the filter; the source is either idle or the session expired.

Why this answer

The 'diagnose sys session filter' command in FortiGate is used to filter and display active session entries in the session table. When the command 'diagnose sys session filter src 10.0.0.10' returns no output, it means that no session in the session table matches the source IP address 10.0.0.10, indicating that this IP is not currently involved in any active session. This does not imply the session table is full, a policy block, or a syntax error.

Exam trap

The trap here is that candidates may assume no output means a syntax error or a full session table, but FortiGate clearly indicates syntax errors with an error message, and a full table still shows existing sessions; the correct interpretation is that the source IP has no active sessions.

How to eliminate wrong answers

Option A is wrong because a full session table would still show sessions that match the filter, or the command would return an error or warning about table capacity, not simply no output. Option C is wrong because a firewall policy blocking traffic would prevent sessions from being created, but the command only checks the session table; if no session exists, it returns no output regardless of the policy reason. Option D is wrong because the syntax 'diagnose sys session filter src 10.0.0.10' is correct; if the syntax were incorrect, FortiGate would return a syntax error message, not a blank output.

728 · MCQ · hard

An administrator attempts to configure a policy route to route specific traffic from an internal subnet (10.1.1.0/24) to the internet via a different ISP. The policy route is created but traffic is still using the default route. What is the most likely cause?

A. The outgoing interface in the policy route is down.
B. The policy route is not using the correct source interface.
C. The destination address in the policy route is incorrect.
D. The static default route has a lower administrative distance than the policy route.
Answer: A

If the interface is down, the policy route is invalid.

Why this answer

Policy routes in FortiGate have a higher priority than static routes, but they are only applied if the specified outgoing interface is operationally up. If the outgoing interface is down, the policy route is skipped, and traffic falls back to the default route. This is the most likely cause because the administrator confirmed the policy route was created but traffic still uses the default route.

Exam trap

The trap here is that candidates often assume policy routes always override static routes, but they forget that FortiGate requires the outgoing interface to be up for the policy route to be active, leading them to incorrectly select administrative distance or source interface issues.

How to eliminate wrong answers

Option B is wrong because the source interface in a policy route is optional; if omitted, the policy matches based on source IP alone, so an incorrect source interface would not cause the policy to be ignored entirely. Option C is wrong because an incorrect destination address would cause the policy to not match the traffic, but the question states the policy route was created and traffic is still using the default route, implying the policy exists but is not being applied. Option D is wrong because policy routes have a higher precedence than static routes regardless of administrative distance; administrative distance only applies to static route selection, not to policy route enforcement.

729 · MCQ · hard

An administrator integrates FortiGate with FortiSandbox for advanced threat detection. The FortiGate is configured to send files to FortiSandbox for analysis. Despite correct configuration, files are not being submitted. The administrator runs 'diagnose debug application fortisandbox -1' and sees 'no server configured'. What is the issue?

A. The FortiSandbox license has expired
B. Firewall policies are blocking communication to the FortiSandbox server
C. The FortiSandbox server IP address is not configured on the FortiGate
D. The antivirus profile is not configured to submit files to FortiSandbox
Answer: C

The debug message clearly states 'no server configured', meaning the FortiSandbox server definition is missing.

Why this answer

The debug output indicates that the FortiSandbox server is not configured. Even if the integration settings are present, the FortiGate must have the FortiSandbox server IP and credentials properly configured under Security Fabric > FortiSandbox.

730 · MCQ · hard

A FortiGate has a central SNAT policy that translates internal users to a single IP pool address. The admin wants specific traffic (e.g., from a particular subnet) to use a different IP pool. What is the correct approach?

A. Create a new central SNAT policy with the specific subnet as source and place it above the existing policy
B. Create a policy-based NAT rule with the specific subnet and place it above the central SNAT policy
C. Use VIP to translate the source address
D. Modify the existing central SNAT policy to use a dynamic IP pool
Answer: A

Central SNAT policies are evaluated sequentially. A more specific source policy above will match first.

Why this answer

Central SNAT policies are evaluated in order; they can include source and destination criteria. To override the general policy, a more specific policy must be placed above it. Dynamic IP pools cannot be used in policy-based NAT for central SNAT.

731 · Multi-Select · easy

An administrator needs to configure DNS on a FortiGate so that internal hosts can resolve external domain names. Which two settings are required? (Choose two.)

Select 2 answers
A. Configure DNS servers under System > DNS.
B. Create a firewall policy allowing DNS traffic from internal to external.
C. Enable DNS proxy on the FortiGate.
D. Set the FortiGate's hostname to the domain name.
E. Configure a static route for DNS servers.
Answers: A, C

DNS server addresses must be specified for the FortiGate to perform resolution.

Why this answer

Option A is correct because configuring DNS servers under System > DNS is the fundamental step that tells the FortiGate which external DNS resolvers (e.g., 8.8.8.8) to use for resolving domain names. Without this, the FortiGate cannot forward DNS queries from internal hosts to the internet. Option C is correct because enabling the DNS proxy on the FortiGate allows it to intercept DNS requests from internal clients, cache responses for performance, and forward them to the configured DNS servers, which is essential for internal hosts to resolve external domains through the FortiGate.

Exam trap

The trap here is that candidates often think a firewall policy is required for DNS traffic, but the FortiGate's DNS proxy handles the forwarding internally, making the explicit policy unnecessary unless the proxy is disabled and hosts send queries directly.

732 · MCQ · hard

A FortiGate in an HA active-passive cluster is experiencing frequent failovers. The administrator checks the HA statistics and sees that the primary unit's heartbeat interface has a high error rate. What is the most likely cause?

A. The heartbeat cable is faulty or the interface has a duplex mismatch
B. The heartbeat interface is configured as a single link without redundancy
C. The failover threshold is set too low
D. The HA configuration has mismatched passwords
Answer: A

High error rate suggests physical layer problems, causing heartbeat loss and failovers.

Why this answer

Option A is correct because a high error rate on the heartbeat interface indicates physical-layer issues such as a faulty cable or duplex mismatch. In an HA active-passive cluster, the heartbeat link must be reliable and low-latency; errors cause packet loss, leading the primary unit to appear unresponsive and triggering a failover to the secondary unit.

Exam trap

The trap here is that candidates often attribute frequent failovers to configuration mismatches (like passwords) or threshold settings, overlooking the physical-layer cause indicated by the high error rate on the heartbeat interface.

How to eliminate wrong answers

Option B is wrong because while a single heartbeat link without redundancy increases risk, it does not directly cause a high error rate on the interface; the error rate is a physical-layer symptom. Option C is wrong because a low failover threshold would cause failovers based on monitored metrics (e.g., link status or ping response), not a high error rate on the heartbeat interface itself. Option D is wrong because mismatched HA passwords prevent the cluster from forming or synchronizing, but they do not cause interface-level errors; the heartbeat link would still show no errors if the cable and duplex settings are correct.

733 · MCQ · hard

A company has two remote sites connected via an SD-WAN overlay. The headquarters uses a FortiGate with two WAN links: Fiber (priority 1) and LTE (priority 2). The SD-WAN rule for business-critical traffic uses the 'best quality' strategy with SLA targets for latency and jitter. The fiber link occasionally experiences high jitter but low latency. The engineer notices that traffic is not failing over to LTE even when jitter exceeds the threshold. What is the most likely reason?

A. The performance SLA for jitter is not configured, only latency.
B. The SD-WAN rule has SLA match set to 'either' instead of 'all'.
C. The LTE link has a higher cost and is not considered for failover.
D. The fiber link has a higher interface weight.
Answer: A

Correct; only configured SLA targets are measured for failover.

Why this answer

Option A is correct because the SD-WAN rule uses the 'best quality' strategy, which selects the best link based on configured SLA metrics. If only latency is configured in the performance SLA, jitter exceeding the threshold will not trigger a failover, as the SLA only evaluates the configured metrics. The fiber link may still meet the latency SLA, so traffic remains on it despite high jitter.

Exam trap

The trap here is that candidates assume jitter is automatically monitored in SD-WAN SLA, but FortiGate requires explicit configuration of each metric (latency, jitter, packet loss) in the performance SLA; otherwise, unconfigured metrics are ignored for failover decisions.

How to eliminate wrong answers

Option B is wrong because the 'either' vs 'all' setting in SLA match determines whether any or all configured SLA targets must be met for the link to be considered compliant; it does not prevent failover when jitter exceeds the threshold if jitter is not configured. Option C is wrong because SD-WAN failover decisions are based on SLA compliance and strategy, not link cost; cost influences route selection in routing protocols but not SD-WAN rule failover. Option D is wrong because interface weight affects load-balancing ratios in strategies like 'lowest cost' or 'maximize bandwidth', not failover decisions in 'best quality' strategy.

734
MCQmedium

A company has a FortiGate with multiple VDOMs. An admin creates a firewall policy in the root VDOM to allow traffic from a subnet to the internet. The traffic is not matching the policy. What is the most likely cause?

A.The traffic is in a different VDOM than the policy
B.The internet-facing interface is not part of any VDOM
C.The subnet object is defined in the wrong address group
D.The policy is placed at the bottom of the list
AnswerA

Correct. Each VDOM has its own policy set. If the traffic is in VDOM2, policies in root VDOM do not apply.

Why this answer

Firewall policies belong to the VDOM in which they are created and are evaluated only for traffic entering an interface of that VDOM. Every interface belongs to exactly one VDOM (root by default), so option B cannot occur; if the user subnet's interface has been assigned to another VDOM, the policy must be created there, and traffic that has to cross VDOMs needs an inter-VDOM link with policies on both sides. A policy at the bottom of the list (option D) is still evaluated unless an earlier policy matches first.

735
MCQhard

An administrator configures a FortiGate to use FortiGuard for web filtering. However, some users report that certain categories are not being blocked as configured. The administrator checks the FortiGuard subscription status and it is valid. What is the most likely cause?

A.The users are bypassing the FortiGate
B.The FortiGuard subscription has expired
C.The FortiGate cannot reach the FortiGuard distribution servers
D.The web filter profile is not applied to the firewall policy
AnswerC

If the rating servers cannot be reached, lookups fall back to the local rating cache; stale or missing cache entries then produce filtering that does not match the profile.

Why this answer

Even with a valid subscription, every category lookup has to reach the FortiGuard distribution servers. If that path is broken (routing, an upstream firewall, DNS, or the FortiGuard port being blocked), the FortiGate falls back to whatever is in its local rating cache, and entries that are missing or stale give unexpected results for some sites while others still look fine. Option B is excluded by the valid subscription, and option D would affect every category in the profile rather than only some.
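How to confirm FortiGuard reachability from the CLI before touching the web filter profile, as an added example that is not part of the original page. The output fields named in the comments are the ones to look for, not a captured transcript:

```fortios
# 1. Rating server list with round-trip time and per-server flags.
#    The flag legend is printed at the top of the output; a server carrying
#    the failed flag, or an empty list, means the unit is not talking to
#    FortiGuard at all.
diagnose debug rating

# 2. Live view of a single lookup while a client browses a test site.
#    A category id in the reply proves the round trip; a timeout proves the
#    request never got an answer.
diagnose debug application urlfilter -1
diagnose debug enable
# ... browse from a client, then stop the debug
diagnose debug disable
diagnose debug reset

# 3. Settings that govern the path to FortiGuard (values shown are assumed;
#    current releases use HTTPS/443 to the anycast servers).
config system fortiguard
    set protocol https
    set port 443
    set fortiguard-anycast enable
end
```

If step 1 already shows failures, fix the path (a route or an upstream allow rule for the port in step 3) rather than editing categories.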

736
MCQhard

You run the following CLI command on a FortiGate: 'diagnose vpn ike config list'. The output includes: 'src 10.0.1.0/24:0 dst 192.168.1.0/24:0'. What does this indicate?

A.The firewall policy is allowing traffic from 10.0.1.0/24 to 192.168.1.0/24
B.The Phase 2 configuration is using 10.0.1.0/24 as local subnet and 192.168.1.0/24 as remote subnet
C.The Phase 1 configuration is using 10.0.1.0/24 as local address
D.The tunnel is in dial-up mode with dynamic remote subnet
AnswerB

Phase 2 selectors define the traffic to be encrypted.

Why this answer

'diagnose vpn ike config list' dumps the IKE gateway and Phase 2 (proxy ID) configuration. The 'src' and 'dst' entries are the Phase 2 selectors: the local subnet 10.0.1.0/24 and the remote subnet 192.168.1.0/24 whose traffic will be encrypted; the ':0' suffix means any port. The peer must carry the mirror image of these selectors, or Phase 2 will not negotiate.
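The Phase 2 definition that produces the selectors quoted in the question, as an added example that is not part of the original page. Tunnel name, outgoing interface, peer address and pre-shared key are assumed:

```fortios
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        # documentation address, assumed
        set remote-gw 203.0.113.10
        set psksecret "use-a-long-random-psk"
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        # appears as "src 10.0.1.0/24:0" (0 = any port)
        set src-subnet 10.0.1.0 255.255.255.0
        # appears as "dst 192.168.1.0/24:0"
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# The branch peer needs the mirror image: src 192.168.1.0/24, dst 10.0.1.0/24.
# Selectors only define what gets encrypted; a static route to 192.168.1.0/24
# via "to-branch" and firewall policies in both directions are still required.
diagnose vpn ike config list
```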

737
MCQhard

A FortiGate administrator is troubleshooting a problem where users cannot access the Internet. The FortiGate has a default route pointing to the ISP gateway. The administrator runs 'execute ping 8.8.8.8' from the FortiGate CLI and it succeeds. However, internal users behind NAT are unable to reach external servers. Which is the most likely cause?

A.The default route is incorrectly configured
B.An implicit deny policy is blocking traffic from internal to external
C.No NAT policy is configured for internal users
D.External access profile is set to read-only
AnswerC

Without source NAT the packets leave with private (RFC 1918) source addresses, which the ISP drops or cannot route replies back to.

Why this answer

The administrator confirmed that the FortiGate itself can reach the Internet (ping 8.8.8.8 succeeds), so the default route and basic connectivity are working. However, internal users behind NAT cannot reach external servers, which indicates that traffic from internal users is either not being translated or is being blocked. The most likely cause is that no NAT policy (or firewall policy with NAT enabled) exists to perform source NAT for internal users, so their private IP addresses are not translated to the FortiGate's public IP, and the ISP gateway drops the packets because private addresses are not routable on the Internet.

Exam trap

The trap is treating a successful ping from the CLI as proof of end-to-end connectivity. Self-originated traffic leaves from the FortiGate's own interface address and does not traverse firewall policies or source NAT, so it proves only that the default route and the upstream path work, not that user traffic is being translated.

How to eliminate wrong answers

Option A is wrong because the default route is correct: 'execute ping 8.8.8.8' succeeded, so the route and the ISP path work. Option B is wrong because the implicit deny is a permanent last entry that drops only traffic matching no explicit accept policy; the scenario describes users 'behind NAT', so an accept policy exists and the problem is that it does not translate. Note that the CLI ping says nothing about policies either way, because self-originated traffic is not subject to firewall policies. Option D is wrong because an administrator access profile controls what administrators may view or change in the GUI and CLI, not data-plane forwarding or NAT.
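An outbound policy with source NAT enabled, plus the capture that proves the translation, as an added example that is not part of the original page. Interface names, the address object and the probe target are assumed:

```fortios
# Without 'set nat enable' this policy still accepts the traffic, but packets
# leave wan1 carrying their 10.0.1.x source address.
config firewall policy
    edit 0
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        # address object for the user subnet (assumed)
        set srcaddr "LAN_10.0.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # source NAT to the wan1 interface address
        set nat enable
        set logtraffic all
    next
end
# Prove the translation instead of inferring it from a CLI ping. With NAT
# working, the outgoing packets on wan1 carry wan1's own address as source;
# a 10.0.1.x source seen on wan1 confirms the missing or disabled NAT.
diagnose sniffer packet wan1 'host 8.8.8.8 and icmp' 4 10
```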

738
MCQeasy

An administrator wants to view real-time debug output for traffic flowing through a FortiGate. Which command should they use to enable flow tracing with a specific source IP filter?

A.diagnose debug enable
B.diagnose debug flow filter src
C.diagnose sys session filter src
D.diagnose sniffer packet filter src
AnswerB

This sets a source IP filter for debug flow tracing.

Why this answer

Option B is correct. 'diagnose debug flow filter' restricts the trace to matching packets; in current FortiOS releases the source-address keyword is saddr (diagnose debug flow filter saddr <ip>). 'diagnose debug enable' only switches debug output on, 'diagnose sys session filter' filters the session table, and 'diagnose sniffer packet' is a packet capture, not a flow trace.
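A complete flow trace for one client, scoped so the console is not flooded, as an added example that is not part of the original page; the client address is assumed:

```fortios
diagnose debug reset
# source-address filter: the keyword is 'saddr', not 'src'
diagnose debug flow filter saddr 10.0.1.10
# optional: narrow further to HTTPS
diagnose debug flow filter dport 443
# print the kernel function for each step, and timestamp every line
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
# stop automatically after 50 traced packets
diagnose debug flow trace start 50
diagnose debug enable
# ... reproduce the problem from 10.0.1.10, then read the trace. Lines to look for:
#   "allocate a new session-..."                 new session created
#   "find a route: ... gw-... via wan1"          routing decision and egress interface
#   "Allowed by Policy-<id>: SNAT"               policy match; SNAT is printed when NAT is on
#   "Denied by forward policy check (policy 0)"  no explicit policy matched: implicit deny
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

Always end with the filter cleared and debug reset; a forgotten flow trace keeps writing to the console long after the troubleshooting session.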

739
MCQmedium

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A.The session is a TCP session that has been active for 3600 seconds and will expire in 3599 seconds
B.The session is a UDP session for DNS
C.The session is an ICMP echo request
D.The session is blocked by a firewall policy
AnswerA

Correct, with one nuance: expire is the remaining idle timeout, not a sign that the session is about to end.

Why this answer

proto=6 is TCP. proto_state is a two-digit code; for TCP, 01 means ESTABLISHED (02 is SYN_SENT and 05 TIME_WAIT, for example). duration=3600 means the session has existed for an hour. expire=3599 is the number of seconds left before the idle timeout removes the session; it is reset by every packet, so with a default TCP established timeout of 3600 seconds this session was refreshed a second ago and is nowhere near expiring. Note that the filter command only sets the filter; the output itself comes from 'diagnose sys session list'.

740
MCQhard

An administrator is troubleshooting a slow web application. The admin suspects that the FortiGate's session table might be full, causing new sessions to be dropped. Which command should the admin use to check the current session table utilization?

A.get system performance status
B.diagnose sys session list
C.diagnose sys session stat
D.diagnose sys session filter
AnswerC

This shows session-table statistics: current session count, setup rate, expired-session count and drop counters.

Why this answer

The 'diagnose sys session stat' command prints session-table statistics such as session_count, setup_rate and exp_count together with error counters, including memory_tension_drop, which increments when sessions are dropped under memory pressure. Compare session_count with the model's maximum session capacity; 'get system performance status' gives the CPU, memory and session-rate view but not the table detail, and 'diagnose sys session list' dumps every session and is far too verbose for a capacity check.
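Inspecting one suspicious session and then the table as a whole, covering questions 739 and 740, as an added example that is not part of the original page. Addresses and the counter values shown in comments are constructed, not captured:

```fortios
# 1. Set filters, then list: the filter commands alone print nothing.
diagnose sys session filter clear
diagnose sys session filter dport 443
diagnose sys session filter src 10.0.1.10
diagnose sys session list
#   session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 ...
#     proto=6        TCP
#     proto_state=01 ESTABLISHED
#     duration=3600  age of the session in seconds
#     expire=3599    seconds left before idle timeout; reset on every packet
#   hook=post dir=org act=snat 10.0.1.10:51234->93.184.216.34:443(203.0.113.2:51234)
#     act=snat and the address in parentheses prove source NAT is applied

# 2. Table-wide statistics.
#   misc info: session_count=... setup_rate=... exp_count=... memory_tension_drop=...
#   A rising memory_tension_drop, or session_count close to the platform limit,
#   means new sessions are being refused and the slowness is real.
diagnose sys session stat

# 3. Remove the filter when done, or the next 'list' will silently stay scoped.
diagnose sys session filter clear
```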

741
MCQeasy

A FortiGate admin wants to authenticate VPN users against an existing Microsoft Active Directory. Which authentication method should be configured on the FortiGate?

A.LDAP
B.RADIUS
C.FSSO
D.TACACS+
AnswerA

LDAP is designed for directory services like Active Directory.

Why this answer

LDAP is the standard protocol for querying Active Directory to verify a user's credentials and read group membership. RADIUS would need a separate RADIUS server (such as NPS) in front of AD, FSSO only learns who is already logged on (identification, not credential checking), and TACACS+ is used for device administration.
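An LDAP server object bound to Active Directory over LDAPS, a group that maps an AD group, and the authentication test to run before touching the VPN configuration, as an added example that is not part of the original page. Server address, base DN, bind account, CA certificate name, group names and the test user are assumed:

```fortios
config user ldap
    edit "AD-DC1"
        set server "10.0.0.5"
        # attribute that holds the logon name
        set cnid "sAMAccountName"
        # search base
        set dn "dc=company,dc=local"
        # bind with a low-privilege service account, then search for the user
        set type regular
        set username "cn=svc-fortigate,ou=Service Accounts,dc=company,dc=local"
        set password "service-account-password"
        # never send bind credentials in clear text; verify the DC certificate
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
end
config user group
    edit "VPN-Users"
        set member "AD-DC1"
        config match
            edit 1
                set server-name "AD-DC1"
                set group-name "cn=VPN Users,ou=Groups,dc=company,dc=local"
            next
        end
    next
end
# Test the bind and a user lookup from the CLI. A working setup prints
# "authenticate 'jdoe' against 'AD-DC1' succeeded" followed by the group
# memberships that will be matched against 'VPN-Users'.
diagnose test authserver ldap AD-DC1 jdoe "user-password"
```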

742
MCQmedium

A FortiGate administrator wants to ensure that all DNS queries to known malware domains are blocked. The firewall policy allows DNS traffic. Which security profile must be applied?

A.Web filter profile
B.DNS filter profile
C.Antivirus profile
D.Application control profile
AnswerB

DNS filter blocks malicious domains at DNS level.

Why this answer

Option B is correct: DNS filter is specifically designed to inspect DNS queries and block based on FortiGuard categories or custom lists.

743
MCQeasy

A FortiGate administrator is setting up a new FortiGate in a network that requires the firewall to bridge traffic between two subnets without routing. Which operating mode should the administrator select?

A.Transparent mode
B.NAT/Route mode
C.HA mode
D.VLAN mode
AnswerA

Transparent mode operates at Layer 2, bridging traffic between interfaces.

Why this answer

Transparent mode makes the FortiGate (or a VDOM) a Layer 2 bridge: it forwards frames between its interfaces using a MAC table and performs no routing or NAT, so hosts on either side keep their existing IP addressing and default gateway. Firewall policies and security profiles still apply and still match on the IP addresses, services and application content inside the frames, so the device is a fully inspecting 'bump in the wire'; only a management IP is assigned to the unit itself. This is ideal for inserting a FortiGate into an existing network without altering the IP topology.

Exam trap

The trap here is that candidates often confuse transparent mode with VLAN mode, thinking VLANs are a separate operating mode, or they assume NAT/Route mode can bridge traffic by disabling NAT, but it still performs routing at Layer 3.

How to eliminate wrong answers

Option B (NAT/Route mode) is wrong because it operates at Layer 3, performing routing and NAT, which changes the IP topology and is not suitable for bridging traffic without routing. Option C (HA mode) is wrong because it is a high-availability configuration for redundancy, not an operating mode for traffic forwarding; it can be used in either transparent or NAT/Route mode. Option D (VLAN mode) is wrong because it is not a standard operating mode on FortiGate; VLANs are configured as interfaces within transparent or NAT/Route mode, not as a separate mode.
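Switching to transparent mode and writing a policy on the bridge, as an added example that is not part of the original page. Addresses, port names and profile names are assumed:

```fortios
# Changing opmode clears the interface IP configuration, so do this from the
# console or through the management address that will survive.
config system settings
    set opmode transparent
    # management address of the bridge itself and its next hop
    set manageip 192.168.1.254/24
    set gateway 192.168.1.1
end
# Policies still reference IP addresses and services even though forwarding
# is Layer 2; hosts on port1 and port2 share the same subnet.
config firewall policy
    edit 0
        set name "Inside-to-Outside"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
```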

744
MCQeasy

Which of the following statements about firewall policy ordering in FortiGate is correct?

A.Policies are evaluated from bottom to top
B.The most specific policy always takes precedence regardless of order
C.Policies are evaluated from top to bottom, and the first match is applied
D.The implicit permit rule at the end allows all traffic not explicitly denied
AnswerC

This is the correct behavior of FortiGate's policy engine.

Why this answer

FortiGate firewall policies are evaluated sequentially from top to bottom in the policy list. The first policy that matches the source, destination, service, and other criteria is applied, and no further policies are evaluated. This is the fundamental 'first-match' behavior that governs traffic processing in FortiGate.

Exam trap

The trap here is that candidates often confuse FortiGate's top-down first-match logic with other firewall platforms that use bottom-up evaluation or automatic specificity-based precedence, leading them to select option A or B.

How to eliminate wrong answers

Option A is wrong because FortiGate evaluates policies from top to bottom, not bottom to top; bottom-to-top evaluation is a common misconception from other firewall platforms. Option B is wrong because FortiGate does not automatically prioritize the most specific policy; order in the policy list determines precedence, and a more specific policy placed lower will never be reached if a less specific policy above matches first. Option D is wrong because the implicit deny rule at the end of the policy list silently drops all traffic that does not match any explicit policy; there is no implicit permit rule in FortiGate.
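The same two policies in the two possible orders, as an added example that is not part of the original page. Policy names, interface names and the address object are assumed:

```fortios
# FortiGate evaluates the list top-down and stops at the first match; the
# implicit deny (policy ID 0) catches everything that falls through.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "Block-Quarantined-Host"
        set srcintf "internal"
        set dstintf "wan1"
        # a single /32 address object (assumed)
        set srcaddr "Quarantined_Host"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# As listed, policy 2 is dead: policy 1 matches the quarantined host first and
# accepts it. Policy IDs do not define the order; the position in the list does.
# Move the specific deny above the broad accept:
config firewall policy
    move 2 before 1
end
# Confirm the order the engine will use:
show firewall policy
# A flow trace reports "Allowed by Policy-1" or "Denied by forward policy
# check (policy 2)" and is the quickest way to see which entry really matched.
```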

745
Multi-Selectmedium

A network administrator wants to ensure that all users are blocked from accessing websites categorized as 'Pornography' and 'Hacking' on a FortiGate. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A.Create a URL filter to block all URLs containing 'pornography' and 'hacking'
B.Enable DNS filter and block the categories there
C.Apply the web filter profile to the firewall policy that governs outbound internet traffic
D.Enable SSL deep inspection to ensure the categories can be identified
E.Create a web filter profile and set the categories 'Pornography' and 'Hacking' to 'block'
AnswersC, E

The profile must be applied to the relevant policy to take effect.

Why this answer

To block categories, the administrator must create a web filter profile that sets the desired FortiGuard categories to block and apply that profile to the firewall policy handling internet traffic, with security profiles enabled on that policy. Option D is unnecessary: for HTTPS, the category lookup uses the server name from the TLS ClientHello (SNI) or the certificate, so certificate inspection is enough to rate the site; deep inspection is needed only to see full URLs and page content. Option A would also match any URL that happens to contain those words, and option B is a separate, DNS-level control.
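The FortiGuard category blocks and the policy that applies them, as an added example that is not part of the original page. Profile, interface and policy names are assumed, and the category IDs are assumed too: confirm them on your own unit with 'get webfilter categories':

```fortios
config webfilter profile
    edit "Corp-Web"
        config ftgd-wf
            config filters
                edit 1
                    # Pornography (assumed ID)
                    set category 14
                    set action block
                next
                edit 2
                    # Hacking (assumed ID)
                    set category 3
                    set action block
                next
            end
        end
    next
end
config firewall policy
    edit 0
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        # security profiles are ignored unless utm-status is enabled
        set utm-status enable
        set webfilter-profile "Corp-Web"
        # enough for category rating of HTTPS via SNI/certificate
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```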

746
MCQmedium

A FortiGate administrator is configuring an SSL VPN web mode portal. The administrator wants users to access only a specific internal web application (https://internal-app.company.local) and nothing else. Which SSL VPN setting should be configured to achieve this?

A.In the SSL VPN portal, set the default bookmark to the application URL
B.Configure a firewall policy that allows traffic only to the application's IP address
C.Enable split tunneling under the SSL VPN settings
D.Under the SSL VPN portal, configure 'URL Access' to allow only https://internal-app.company.local
AnswerD

URL Access in the SSL VPN portal restricts which web addresses users can browse. Only the specified URLs are accessible.

Why this answer

Option D is correct. In web mode, 'URL Access' allows the administrator to specify which URLs users can access. By adding only the desired application URL, the administrator restricts access to that application only.

747
Multi-Selectmedium

An administrator is troubleshooting an IPsec VPN that is not passing traffic. The Phase 1 and Phase 2 are both up. Which TWO CLI commands can be used to verify the VPN tunnel status and traffic flow? (Choose two.)

Select 2 answers
A.diagnose vpn tunnel list
B.execute ping-options source
C.diagnose vpn ike config
D.diagnose netlink interface list
E.diagnose sys session list
AnswersA, E

Shows the status of IPsec tunnels.

Why this answer

'diagnose vpn tunnel list' shows, per tunnel, the negotiated SAs and the enc/dec packet counters, which tell you whether traffic is entering the tunnel (enc increasing) and being received from the peer (dec increasing). 'diagnose sys session list', with a filter, shows whether sessions for the protected subnets exist and which interface they leave on; traffic exiting wan1 instead of the tunnel interface points to a missing route or a policy/NAT problem. 'diagnose vpn ike config' prints configuration, not state, and the ping-options and netlink commands do not report tunnel status at all.
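Checking a tunnel that is up but carries no traffic, as an added example that is not part of the original page. Tunnel name, subnets and the target host are assumed, and the counter values in the comments are illustrative:

```fortios
# IKE SA: confirms Phase 1 is established
diagnose vpn ike gateway list name "to-branch"
# Phase 2 SAs and counters for this tunnel only
diagnose vpn tunnel list name "to-branch"
#   proxyid=to-branch-p2 proto=0 sa=1 ...  src: 0:10.0.1.0/24:0  dst: 0:192.168.1.0/24:0
#   ... dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
#   sa=1  Phase 2 SA present; sa=0 means it is down
#   enc stays at 0 while a host pings: traffic never reaches the tunnel
#     (check the static route to 192.168.1.0/24 via "to-branch" and the policy)
#   enc rises, dec stays at 0: packets are sent but nothing comes back
#     (remote route/policy, or the peer's selectors do not mirror ours)

# Are the sessions leaving on the tunnel interface? dstintf must be "to-branch", not wan1.
diagnose sys session filter clear
diagnose sys session filter dst 192.168.1.10
diagnose sys session list

# Capture on the tunnel interface itself to see cleartext packets entering it.
diagnose sniffer packet "to-branch" 'icmp' 4 10

# If selectors were changed on either side, clear the stale SAs and renegotiate.
diagnose vpn tunnel flush "to-branch"
```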

748
MCQeasy

Which type of address object allows a FortiGate to perform DNS resolution to match traffic based on a domain name?

A.Wildcard FQDN
B.Subnet
C.FQDN
D.Geography
AnswerC

FQDN address objects resolve domain names to IPs via DNS.

Why this answer

Option C is correct because an FQDN (Fully Qualified Domain Name) address object in FortiGate allows the firewall to perform DNS resolution to match traffic based on a domain name. When a policy uses an FQDN object, FortiGate resolves the domain name to IP addresses via DNS and updates the policy dynamically as the DNS record changes, enabling traffic matching by domain rather than static IP.

Exam trap

The trap is confusing FQDN with Wildcard FQDN. A standard FQDN object is resolved by the FortiGate itself, using its configured DNS servers, and re-resolved as the record's TTL expires. A Wildcard FQDN (*.example.com) cannot be looked up with a DNS query, so the FortiGate populates it passively from DNS responses that pass through it; if client DNS traffic does not traverse the FortiGate, a wildcard object stays empty. The question asks for the object that performs DNS resolution, which is the standard FQDN.

How to eliminate wrong answers

Option A is wrong because a Wildcard FQDN (e.g., *.example.com) matches any host under the domain but is not actively resolved; the FortiGate fills it in from DNS responses it observes in transit, so it is a variant for broad matching rather than the object that performs DNS resolution. Option B is wrong because a Subnet object defines a range of IP addresses (e.g., 192.168.1.0/24) and involves no DNS resolution or domain name matching at all. Option D is wrong because a Geography object matches traffic by country or region using the IP geolocation database, not by domain name.
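A standard FQDN object, a wildcard FQDN object, a policy that uses one, and the command that shows what each currently resolves to, as an added example that is not part of the original page. Object, interface and domain names are assumed:

```fortios
config firewall address
    edit "crm-saas"
        set type fqdn
        # resolved by the FortiGate through its own DNS servers
        set fqdn "crm.example.com"
        # optional: minimum seconds to keep a resolution before re-querying
        set cache-ttl 300
    next
    edit "all-example"
        set type fqdn
        # wildcard: learned from DNS replies that transit the unit, never queried
        set fqdn "*.example.com"
    next
end
# The objects are used in a policy like any other address.
config firewall policy
    edit 0
        set name "Allow-CRM"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "crm-saas"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
# Current IP set behind each object. An empty list for the wildcard means no
# matching DNS response has passed through the FortiGate yet.
diagnose firewall fqdn list
```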

749
MCQmedium

A FortiGate administrator needs to ensure that all outbound DNS queries from internal clients are inspected for malicious domains. The administrator has a DNS filter profile configured. What additional configuration is required on the firewall policy to make the DNS filter effective?

A.Enable SSL deep inspection on the policy
B.Configure FortiGuard DNS filtering service on the FortiGate
C.Set the inspection mode to proxy-based
D.Apply the DNS filter profile to a firewall policy that matches DNS traffic (UDP/TCP port 53)
AnswerD

The DNS filter profile must be attached to a policy that handles DNS traffic; otherwise it is not applied.

Why this answer

Option D is correct. A DNS filter profile acts only on DNS traffic that matches a policy it is attached to (with security profiles enabled), so it must be on the policy that the clients' port 53 queries hit. Option A is irrelevant because plain DNS is cleartext; deep inspection would matter only for DNS over HTTPS, which a DNS filter profile does not see at all, so clients that use DoH bypass this control. Option B is not an extra step, because FortiGuard category lookups are part of the DNS filter feature. Option C is wrong because DNS filtering does not require proxy-based inspection; it works in the default flow-based mode.
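A DNS filter profile that blocks FortiGuard malicious-domain categories, applied to the policy that carries the clients' DNS queries, serving both question 742 and question 749, as an added example that is not part of the original page. Profile, interface and policy names are assumed, and so are the category IDs; confirm them with 'get webfilter categories':

```fortios
config dnsfilter profile
    edit "Block-Malware-DNS"
        config ftgd-dns
            config filters
                edit 1
                    # Malicious Websites (assumed ID)
                    set category 26
                    set action block
                next
                edit 2
                    # Phishing (assumed ID)
                    set category 61
                    set action block
                next
            end
        end
        # also drop lookups for known botnet command-and-control domains
        set block-botnet enable
        set log-all-domain enable
    next
end
config firewall policy
    edit 0
        set name "LAN-DNS-Out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # UDP/TCP 53: the profile only ever sees traffic matching this policy
        set service "DNS"
        set nat enable
        set utm-status enable
        set dnsfilter-profile "Block-Malware-DNS"
        set logtraffic all
    next
end
# A blocked query is answered with the block-portal address instead of the
# real record, so the client fails fast and the event is logged.
```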

750
MCQeasy

What is the purpose of configuring an aggregate interface on a FortiGate?

A.To enable VLAN tagging on a physical interface
B.To combine multiple physical interfaces into one logical interface for increased throughput and redundancy
C.To separate management traffic from data traffic
D.To connect two different network segments with a firewall in between
AnswerB

This is the definition of link aggregation.

Why this answer

An aggregate interface (also known as a Link Aggregation Group or LAG) combines multiple physical FortiGate interfaces into a single logical interface. This increases throughput by load-balancing traffic across the member links and provides redundancy: if one physical link fails, traffic continues over the remaining links. FortiGate supports both static aggregation and LACP (IEEE 802.3ad) for dynamic negotiation.

Exam trap

The trap here is that candidates confuse link aggregation with VLAN trunking or interface redundancy protocols like VRRP, but aggregate interfaces specifically combine bandwidth and provide link-level redundancy, not IP-level failover or VLAN separation.

How to eliminate wrong answers

Option A is wrong because VLAN tagging is configured on a physical or aggregate interface via subinterfaces, not by creating an aggregate interface itself. Option C is wrong because separating management traffic from data traffic is achieved through dedicated management interfaces, administrative access controls, or VDOMs, not by link aggregation. Option D is wrong because connecting two different network segments with a firewall in between describes the fundamental role of a firewall (routing/security), not the purpose of an aggregate interface.
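Two ports bonded with LACP, followed by the status check, as an added example that is not part of the original page. Port names, VDOM and addressing are assumed, and the switch side must be configured to match:

```fortios
# Both members must be free of other uses (no IP address, not part of a
# software switch or VLAN) before they can be added.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        # actively negotiate 802.3ad with the switch
        set lacp-mode active
        # one-second LACPDUs for faster failure detection
        set lacp-speed fast
        # hash on L3 and L4 fields so flows spread across the members
        set algorithm L4
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
# Negotiation result and per-member state. Expect the bundle up with both
# members in Collecting and Distributing; a member whose partner shows
# defaulted state is not receiving LACPDUs on that port.
diagnose netlink aggregate name agg1
```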
