Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 751825

1000 questions total · 14 pages · All types, answers revealed

Page 11 of 14

751
Multi-Select · hard

An admin needs to configure a FortiGate to allow multiple internal servers to be accessible from the internet using the same public IP but different ports. For example, internal server A (192.168.1.10:80) should be reachable via 203.0.113.10:8080, and internal server B (192.168.1.20:443) via 203.0.113.10:8443. Which TWO configuration steps are required?

Select 2 answers
A. Create two separate VIPs, one for each server, and add them to a VIP group
B. Disable NAT on the policy to preserve the source IP
C. Configure a firewall policy with destination set to the VIP group and action set to allow
D. Configure Central SNAT to translate the source IP
E. Create a single VIP with port forwarding that maps multiple ports
Answers: A, C

VIP groups allow combining multiple VIPs under one destination object.

Why this answer

Option A is correct because each internal server requires a unique Virtual IP (VIP) to map a specific external port to a specific internal IP and port. Adding these VIPs to a VIP group allows a single firewall policy to reference all of them, enabling the FortiGate to differentiate traffic based on the destination port and forward it to the correct internal server.

Exam trap

The trap is assuming that a single VIP with port forwarding can serve two internal hosts. A port-forwarding VIP maps an external port (or a contiguous port range) to one mapped IP (or a same-sized range); servers at different internal addresses therefore each need their own VIP. Putting both VIPs in a VIP group lets a single policy reference them as one destination object; without the group you would have to list each VIP in the policy's destination.

752
MCQ · easy

Which of the following is a valid address object type in FortiGate that can be used to match traffic based on the domain name of the destination?

A. Wildcard FQDN
B. Subnet
C. FQDN
D. Geography
Answer: C

FQDN address objects match traffic to a specific domain name, resolving to IP.

Why this answer

FQDN address objects match traffic by a fully qualified domain name that the FortiGate resolves to IP addresses itself, refreshing the addresses as the DNS TTL expires. Wildcard FQDN (A) also matches by name, but a pattern such as *.example.com is populated only from DNS responses that pass through the FortiGate, so it is not the plain resolved-name object the question describes; Subnet (B) and Geography (D) match on address prefix and on country, not on a name.

753
MCQ · easy

Which IPS detection method analyzes traffic patterns over time to identify attacks that are characterized by a threshold of events?

A. Protocol decoder-based detection
B. Rate-based detection
C. Signature-based detection
D. Anomaly-based detection
Answer: B

Rate-based detection uses thresholds to detect events like port scans or DoS attacks.

Why this answer

Rate-based detection monitors the rate of events (e.g., connections per second) and triggers when a threshold is exceeded. Anomaly detection looks for deviations from a baseline, not specifically thresholds.

754
MCQ · easy

What is the primary function of Fortinet Single Sign-On (FSSO) in a FortiGate deployment?

A. To provide two-factor authentication using FortiToken
B. To sync FortiGate configuration with Active Directory
C. To authenticate users against a RADIUS server
D. To collect user login events from Active Directory for user-based policies
Answer: D

FSSO polls AD for logon events to map usernames to IPs.

Why this answer

FSSO collects user login information from Active Directory to dynamically associate IP addresses with usernames, enabling user-aware firewall policies without requiring explicit user authentication on the FortiGate.

755
MCQ · medium

An admin configures two static routes to the same destination with different distances. The route with distance 10 points to ISP1, and the route with distance 20 points to ISP2. The admin wants to use ISP2 only if ISP1 fails. What is the expected behavior?

A. Traffic will load-balance between ISP1 and ISP2
B. Traffic will use ISP1 until its route is removed, then use ISP2
C. The route with distance 20 will be ignored entirely
D. Both routes will be active simultaneously, and the FortiGate will choose based on source IP
Answer: B

The lower distance route is preferred; higher distance becomes backup.

Why this answer

When two static routes to the same destination have different administrative distances, only the route with the lower distance (10, via ISP1) is installed in the active routing table; the distance-20 route is kept in the routing database as an inactive candidate. If the ISP1 route is withdrawn, the ISP2 route is installed automatically. Note that FortiGate withdraws a static route only when its outgoing interface goes down (or when a link monitor with `update-static-route` removes it); a dead gateway behind an interface that is still up does not, by itself, withdraw the route, so a real ISP failover normally needs a link monitor as well.

This behavior is fundamental to how FortiGate (and most routers) handle static routes with unequal distances.

Exam trap

The trap here is that candidates often think both routes are active and load-balancing occurs, but FortiGate only uses the route with the lowest administrative distance unless equal-cost load balancing is explicitly configured.

How to eliminate wrong answers

Option A is wrong because load-balancing requires equal-cost routes (same distance and priority), but here the distances differ (10 vs 20), so only the best route is used. Option C is wrong because the route with distance 20 is not ignored; it stays in the routing database as an inactive backup and is installed if the primary route is removed. Option D is wrong because both routes are not active simultaneously; only the route with the lowest distance is installed, and source IP plays no part in static route selection (that would be policy routing).

756
MCQ · medium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A. The web server's certificate is self-signed and FortiGate is rejecting the connection
B. The FortiGuard antivirus subscription has expired
C. The antivirus profile is configured for flow-based inspection instead of proxy-based
D. SSL/TLS deep inspection is not enabled on the firewall policy
Answer: D

HTTPS payloads are encrypted. The antivirus engine can only scan the HTTP body after an SSL/SSH inspection profile in deep-inspection mode has decrypted the session; the default certificate-inspection profile only reads the TLS handshake and leaves the payload opaque.

Why this answer

Option D is correct because HTTPS uses TLS encryption. Without a deep-inspection SSL/SSH profile selected on the policy, the FortiGate cannot decrypt and inspect HTTPS content, so the antivirus profile only scans cleartext traffic or traffic that deep inspection has decrypted first. Option C is a distractor: both flow-based and proxy-based antivirus can scan decrypted HTTPS, and neither can scan ciphertext.

757
MCQ · medium

An administrator wants to ensure that traffic from the engineering department (subnet 192.168.10.0/24) to the internet uses a specific public IP address for source NAT. Additionally, traffic from the marketing department (192.168.20.0/24) should use a different public IP. Which method should be used?

A. Configure a single Central SNAT rule with multiple source subnets and a single IP pool
B. Create two firewall policies, each with its own IP pool, for the respective subnets
C. Use VIP for source NAT
D. Use a single policy with a dynamic IP pool that randomly assigns IPs
Answer: B

This allows granular control over which IP is used for each subnet.

Why this answer

Option B is correct because the requirement is to map specific source subnets to different public IP addresses. In FortiGate, this is achieved by creating separate firewall policies for each subnet, each with its own IP pool configured for source NAT. A single Central SNAT rule with one IP pool cannot differentiate between subnets to assign different public IPs.

Exam trap

The trap here is that candidates often confuse IP pools (used for source NAT) with Virtual IPs (used for destination NAT), leading them to incorrectly select VIP for source NAT.

How to eliminate wrong answers

Option A is wrong because a single Central SNAT rule with one IP pool would apply the same public IP to all traffic matching the rule, regardless of source subnet, failing to meet the requirement for different public IPs per department. Option C is wrong because Virtual IP (VIP) is used for destination NAT (port forwarding), not source NAT; it translates incoming traffic's destination, not outgoing traffic's source. Option D is wrong because a dynamic IP pool randomly assigns IPs from a range, which does not guarantee that traffic from engineering always uses one specific public IP and marketing uses another; it would mix them.
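As an added worked example (not from the original page), the per-policy IP pool configuration that the keyed answer describes. The pool addresses 203.0.113.11 and 203.0.113.12 and the interface names `internal` and `wan1` are assumptions; the two department subnets come from the question. Each pool is a one-address Overload pool, so every department always leaves with its own public address and PAT handles the port multiplexing:

```text
config firewall ippool
    edit "pool-eng"
        set type overload
        set startip 203.0.113.11
        set endip 203.0.113.11
    next
    edit "pool-mkt"
        set type overload
        set startip 203.0.113.12
        set endip 203.0.113.12
    next
end
config firewall address
    edit "net-engineering"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "net-marketing"
        set subnet 192.168.20.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "eng-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "net-engineering"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-eng"
        set logtraffic all
    next
    edit 0
        set name "mkt-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "net-marketing"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-mkt"
        set logtraffic all
    next
end
```

Two operational checks: the pool addresses must either sit in the `wan1` subnet (the FortiGate answers ARP for them, `arp-reply` is enabled by default on the pool) or be routed to the FortiGate by the ISP, and `set ippool enable` must accompany `set nat enable`, otherwise the policy silently falls back to the `wan1` interface address. If central NAT is enabled on the VDOM, the same split is done with two Central SNAT rules instead, each selecting one pool.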

758
MCQ · medium

A remote user connects via SSL VPN web mode but cannot access internal resources. The SSL VPN portal is configured with the default settings. What is the most likely reason?

A. The user must be authenticated via LDAP
B. The user has not installed the FortiClient VPN plugin
C. Web mode only allows access to specific bookmarks configured in the portal
D. The SSL VPN policy is missing a security profile
Answer: C

Web mode is clientless and limited to pre-configured bookmarks. Without bookmarks, no access is granted.

Why this answer

Web mode provides clientless access only to bookmarked web applications. To access other internal resources, tunnel mode (with a virtual adapter) is required.

759
MCQ · hard

An admin has configured an application control profile to block 'Facebook' and 'Twitter' using application signatures. Users can still access these sites via HTTPS. The firewall policy has SSL deep inspection enabled and the application control profile is applied. What is the MOST likely cause?

A. The application control profile does not have deep inspection enabled for HTTPS traffic
B. Users are accessing the sites via IP address instead of domain name
C. The firewall policy is using a proxy policy instead of an explicit policy
D. The application signatures for Facebook and Twitter are outdated
Answer: A

Application control identifies web applications from the hostname (SNI, server certificate or HTTP Host header) and, for finer-grained signatures, from the decrypted URL. Without deep inspection of the HTTPS session the traffic is frequently classified only as generic SSL and the Facebook/Twitter signatures never fire.

Why this answer

Option A is the keyed answer: application control needs the decrypted HTTPS session to match these signatures. In FortiOS, deep inspection is not a setting inside the application control profile but the SSL/SSH inspection profile selected on the firewall policy, so the practical check is that the policy really uses a deep-inspection profile rather than the default certificate-inspection profile, which is easy to mistake for "deep inspection enabled" in the GUI.

Two further checks with the same symptom: confirm that the Facebook and Twitter entries are set to Block rather than Monitor (a more specific application entry wins over its category's action), and read the application control log to see what the sessions are actually being classified as.

760
Multi-Select · hard

A FortiGate is configured with FSSO and Active Directory polling. Users report that they are frequently prompted for authentication even though they are logged into the domain. Which THREE possible causes should the administrator investigate?

Select 3 answers
A. The user's IP address has changed and the FortiGate still has a stale mapping
B. The FortiToken server is overloaded
C. The user's workstation is not sending logon events to the domain controller
D. The captive portal is enabled on the policy
E. The FortiGate is not polling the domain controllers correctly
Answers: A, C, E

IP changes can cause loss of FSSO session.

Why this answer

A stale IP-to-user mapping after an address change (A), logon events that never reach the domain controller the FortiGate polls (C), and broken polling of the domain controllers (E) are the common causes; each leaves the FortiGate without a current user-to-IP binding, so the policy falls back to prompting. Option B is about FortiToken, which plays no part in FSSO. Option D describes captive portal, which is the fallback prompt the users see, not the reason the FSSO session was lost.

761
MCQ · hard

Refer to the exhibit. An administrator wants to enable SNMP access on the wan1 interface. Which of the following is the most efficient method?

A. Execute 'config system interface' and edit wan1, then set allowaccess ping https ssh snmp.
B. Change the interface type to 'management' to allow SNMP.
C. Execute 'config system interface' and edit wan1, then set snmp-index 1.
D. Configure an SNMP community under 'config system snmp community'.
Answer: A

Adding 'snmp' to allowaccess enables SNMP on that interface.

Why this answer

Option A is correct because the 'allowaccess' parameter under 'config system interface' controls which management protocols (ping, https, ssh, snmp, etc.) are permitted on a given interface. By adding 'snmp' to the allowaccess list for wan1, the administrator enables SNMP access on that interface without changing its role or type.

Exam trap

The trap here is that candidates often confuse configuring an SNMP community (which defines who can query) with enabling SNMP access on an interface (which allows the SNMP agent to listen on that interface); both are required, but the question asks for the most efficient method to enable SNMP access on wan1, which is setting 'allowaccess snmp' on that interface.

How to eliminate wrong answers

Option B is wrong because changing the interface type to 'management' is not required; the 'management' type is used for dedicated management interfaces (e.g., FortiGate models with a separate MGMT port) and does not apply to a standard data interface like wan1. Option C is wrong because 'snmp-index' is used to assign an OID index for SNMP monitoring of the interface, not to enable SNMP access on the interface. Option D is wrong because configuring an SNMP community defines the community strings and hosts allowed to query the FortiGate, but it does not enable SNMP access on a specific interface; the interface-level 'allowaccess' must still be set.
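Both halves that the exam trap mentions, as an added configuration example (not from the original page): the interface-level `allowaccess` that lets the agent listen on `wan1`, and the SNMP agent settings that define who may query it. The community name, the manager address 198.51.100.20 and the sysinfo strings are assumptions:

```text
config system interface
    edit "wan1"
        set allowaccess ping https ssh snmp
    next
end
config system snmp sysinfo
    set status enable
    set description "edge-fortigate"
    set contact-info "noc@example.org"
    set location "DC1"
end
config system snmp community
    edit 1
        set name "CHANGE-ME-not-public"
        config hosts
            edit 1
                set ip 198.51.100.20 255.255.255.255
            next
        end
        set query-v1-status disable
        set trap-v1-status disable
    next
end
```

Because `wan1` faces the internet, the `hosts` list is what keeps the agent from answering every source on that interface; leave it empty and the community is queryable from anywhere that reaches wan1. SNMPv1 is disabled above since it has no reason to exist on a new deployment, and where the monitoring system supports it, an SNMPv3 user under `config system snmp user` with authentication and privacy is the better choice than a v2c community string.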

762
MCQ · medium

In an active-passive HA cluster, the administrator wants to ensure that new connections are load-balanced across both units only for specific services while maintaining failover capability. Which configuration should be applied?

A. Set 'set ha-priority' to 100 on both units
B. Change HA mode to active-active
C. Configure virtual IPs for each service
D. Enable 'set load-balance-schedule' on the HA interface
Answer: B

Session distribution across cluster members is an active-active feature; an active-passive cluster forwards all traffic on the primary unit and the secondary only waits to take over.

Why this answer

Option B is correct. In active-passive mode only the primary unit processes traffic, so no setting can spread new sessions to the secondary. Switching the cluster to active-active keeps failover (the primary still owns the cluster virtual MAC addresses and another member takes over if it fails) and lets the primary distribute sessions to the other members. Which sessions are distributed is then tuned cluster-wide under `config system ha`: by default only sessions that need proxy-based security inspection are load balanced, `set load-balance-all enable` extends this to all TCP sessions, `set load-balance-udp enable` adds UDP, and `set schedule` selects the distribution algorithm.

Option A is wrong because priority only influences which unit becomes primary; it does not distribute sessions. Option C is wrong because a Virtual IP is destination NAT, not HA load balancing. Option D is wrong because there is no `load-balance-schedule` option on an HA interface; the schedule is a cluster-wide setting that only takes effect in active-active mode.

763
MCQ · hard

Refer to the exhibit. The FortiGate has two default routes. The administrator attempts to ping 8.8.8.8 from the CLI and receives no response. What is the most likely reason?

A. The second route is overwriting the first route
B. Both routes are equal-cost and load-balancing is not working
C. The configuration is invalid because duplicate default routes are not allowed
D. The gateway 203.0.113.1 (port1) is unreachable
Answer: D

The first route is preferred (distance 10), so if its gateway is unreachable, traffic fails.

Why this answer

When a FortiGate has two default routes with different distances, only the one with the lower distance (10, via 203.0.113.1 on port1) is installed in the routing table; the distance-20 route stays in the routing database as an inactive candidate. If the port1 gateway is down while port1 itself is still up, the FortiGate keeps forwarding to 203.0.113.1: it cannot resolve the gateway's MAC address, the packets are dropped, and the ping to 8.8.8.8 times out. The secondary route is never consulted because the primary route is still installed.

Exam trap

The trap is assuming either that both default routes are active and load-balanced, or that a dead gateway automatically invalidates its route. FortiGate selects a single active route by distance (then priority), and a static route is withdrawn only when its interface goes down or a link monitor with `update-static-route` removes it; without a link monitor a dead ISP1 gateway blackholes traffic instead of failing over to ISP2.

How to eliminate wrong answers

Option A is wrong because a second default route does not 'overwrite' the first; FortiGate supports multiple default routes and selects the best one by distance, then priority. Option B is wrong because the routes are not equal-cost (distances 10 and 20), so ECMP does not apply; FortiGate installs the route with the lowest distance. Option C is wrong because multiple default routes are valid: with different distances they provide backup, and with equal distance and priority they load-balance.

764
MCQ · hard

An administrator configures a dial-up IPsec VPN with IKEv2 to allow remote users to connect. The Phase 1 is set to use certificate-based authentication (PKI). Users can establish Phase 1, but Phase 2 fails with 'no proposal chosen'. The administrator checks the Phase 2 proposal: AES256-SHA256, and the remote network is 10.0.0.0/8 (the corporate LAN). What is the MOST likely cause?

A. The remote network in Phase 2 is set to 10.0.0.0/8
B. The remote network in Phase 2 is set to 0.0.0.0/0
C. The Phase 1 encryption algorithm is mismatched
D. The authentication type requires EAP instead of certificate
Answer: A

In a dial-up tunnel the FortiGate's Phase 2 remote selector describes the client side, whose address is not known in advance, so it is normally 0.0.0.0/0 (or the address pool assigned to clients); the corporate LAN 10.0.0.0/8 belongs in the local selector. Setting the remote selector to the LAN inverts the selectors relative to what the client proposes, so no Phase 2 selector pair can be agreed.

Why this answer

Option A is correct: the remote network of a dial-up Phase 2 must cover the client's address (0.0.0.0/0 or the assigned pool), and with it set to 10.0.0.0/8 the selectors never match the client's proposal. Options C and D are wrong because Phase 1 completes, which rules out Phase 1 algorithm and authentication mismatches. When troubleshooting, `diagnose debug application ike -1` shows the selectors each side proposes; the IKEv2 notification for a selector mismatch is TS_UNACCEPTABLE, so seeing it in the debug output confirms this cause rather than an encryption proposal mismatch.

765
MCQ · medium

A FortiGate HA cluster is operating in active-passive mode. The active unit fails over to the passive unit. After the failover, some existing TCP sessions are dropped. What is the MOST likely cause?

A. The HA heartbeat interface has a high latency
B. The failover time is too slow, causing TCP timeouts
C. Session synchronization is not enabled or not working properly
D. The TCP sessions are using NAT, which cannot be synchronized
Answer: C

Active-passive HA keeps TCP sessions across a failover only when session pickup is enabled, so that the primary unit synchronizes its session table to the secondary; without it the new primary has no record of the existing sessions and drops them.

Why this answer

Session synchronization (`set session-pickup enable` under `config system ha`) is disabled by default; without it, or if the heartbeat link that carries the synchronization is failing, existing TCP sessions are lost at failover. UDP and ICMP sessions additionally need `session-pickup-connectionless`, and sessions handled by proxy-based inspection are not synchronized at all, so some drops are expected even with pickup enabled. Option A would at worst delay synchronization, option B would not drop sessions that the new primary already knows about, and option D is wrong because NATed sessions are synchronized like any other.
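One `config system ha` stanza that covers both question 762 (active-active with session distribution) and question 765 (session pickup), added here as an example and not taken from the original page. The group name, the heartbeat interfaces `ha1`/`ha2`, the monitored interfaces and the password are assumptions; for the active-passive case in question 765 the only change is `set mode a-p`, in which case the `schedule` and `load-balance-all` lines have no effect:

```text
config system ha
    set group-name "edge-cluster"
    set mode a-a
    set password "CHANGE-ME"
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set override disable
    set priority 200
    set schedule round-robin
    set load-balance-all enable
    set monitor "wan1" "internal"
end
```

`session-pickup` is what question 765 is about and it is off by default; `session-pickup-connectionless` adds UDP and ICMP. `load-balance-all` widens active-active distribution from proxy-inspected sessions only to all TCP sessions. Two dedicated heartbeat interfaces are used because the heartbeat link also carries the session table, so a single flapping heartbeat port loses both failover detection and synchronization. `get system ha status` on either unit shows the cluster members, their roles and whether the configurations are in sync.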

766
MCQ · medium

An administrator wants to prevent employees from uploading sensitive credit card numbers via web forms. Which security profile feature is MOST appropriate to achieve this?

A. Antivirus with FortiSandbox integration
B. Data Leak Prevention (DLP) with a credit card number sensor
C. Web Filter to block all upload sites
D. Application Control to block web forms
Answer: B

Why this answer

DLP can inspect traffic content for patterns like credit card numbers and block or log the transmission. Antivirus handles malware, application control identifies apps, and web filter blocks URLs.

767
MCQ · easy

Which of the following FortiGate operating modes allows the firewall to act as a Layer 3 device, performing NAT and routing between interfaces?

A. Flow-based inspection mode
B. NAT/Route mode
C. VLAN mode
D. Transparent mode
Answer: B

Correct. NAT/Route mode enables routing and NAT.

Why this answer

NAT/Route mode (option B) is correct because it configures the FortiGate as a Layer 3 device with distinct interfaces in different subnets, enabling it to perform routing (forwarding packets based on routing table entries) and Network Address Translation (NAT) to translate private IP addresses to public IP addresses. This mode is the default and most common operational mode for perimeter firewalls, allowing policy-based routing and NAT rules to be applied between zones.

Exam trap

The trap here is confusing operational modes (NAT/Route vs. Transparent) with inspection modes (Flow-based vs. Proxy-based), leading candidates to incorrectly select Flow-based inspection mode as the answer for Layer 3 routing and NAT capabilities.

How to eliminate wrong answers

Option A is wrong because Flow-based inspection mode is a processing mode (not an operational mode) that inspects packets in a single pass using pattern matching and heuristics, but it does not define the firewall's Layer 3 routing or NAT capabilities. Option C is wrong because VLAN mode is not a standard FortiGate operational mode; VLANs are configured as sub-interfaces within NAT/Route or Transparent modes to segment traffic, but they do not independently enable Layer 3 routing or NAT. Option D is wrong because Transparent mode operates as a Layer 2 bridge (similar to a switch) without IP addresses on its interfaces, meaning it cannot perform NAT or routing between interfaces—it forwards traffic based on MAC addresses.

768
MCQ · easy

An administrator needs to ensure that IPS signatures are updated automatically on the FortiGate. Which configuration should be verified?

A. The IPS engine is upgraded to the latest version.
B. The intrusion prevention profile is applied to the firewall policy.
C. The application control profile is set to 'monitor' for all applications.
D. The FortiGuard service is enabled and the signature update schedule is configured.
Answer: D

Automatic updates require FortiGuard service enabled and schedule set.

Why this answer

Option D is correct because automatic IPS signature updates require the FortiGuard service to be enabled and a signature update schedule to be configured. Without a schedule, updates occur only manually; without the service enabled, the FortiGate cannot connect to FortiGuard distribution servers to retrieve new signatures.

Exam trap

The trap here is confusing IPS signature updates with IPS engine updates or profile application, leading candidates to select options that affect detection or inspection rather than the update mechanism itself.

How to eliminate wrong answers

Option A is wrong because upgrading the IPS engine version improves detection capabilities but does not enable automatic signature updates; signature updates and engine updates are separate processes. Option B is wrong because applying an intrusion prevention profile to a firewall policy enables IPS inspection on traffic but does not control how signatures are updated. Option C is wrong because setting the application control profile to 'monitor' for all applications configures application visibility, not IPS signature updates.
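The update schedule itself, as an added example (not from the original page). The 03:00 time is an assumption; the push-update block lets FortiGuard notify the unit when a new package is released so the device does not wait for the next scheduled window:

```text
config system autoupdate schedule
    set status enable
    set frequency daily
    set time 03:00
end
config system autoupdate push-update
    set status enable
end
```

`diagnose autoupdate versions` shows the installed IPS definition and engine versions together with the timestamp of the last update, which is the quickest way to confirm the schedule is actually working; `execute update-now` forces an immediate pull. If the versions never change, the usual cause is that the FortiGate cannot reach the FortiGuard distribution servers (DNS or outbound HTTPS blocked) or the IPS contract has lapsed.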

769
Multi-Select · medium

A FortiGate admin is troubleshooting an issue where traffic from a specific internal host (10.0.1.50) to the internet is not being NATed as expected. The firewall policy has NAT enabled with an IP pool of type Overload. Which TWO conditions could cause the traffic to bypass the IP pool?

Select 2 answers
A. The firewall policy's NAT setting is set to 'disable'
B. The IP pool is configured for one-to-one NAT
C. The internal host is using a non-standard source port
D. A policy with a lower policy ID matches the traffic and has NAT enabled with a different IP pool or no pool
E. The IP pool is configured with a source filter that does not include 10.0.1.50
Answers: D, E

Policy matching is first-match, top-down in the order the policies are listed (not by numeric ID, since policies can be moved); if another policy higher in the list matches the traffic, the intended policy is never evaluated.

Why this answer

Traffic can bypass the intended pool either because a policy earlier in the policy order matches first (option D, with the caveat that position in the list, not the ID number, decides) or because the pool configuration excludes the host (option E). Note that an Overload pool has no source range of its own; a source address range exists only on Fixed Port Range pools, so if the pool really is Overload the thing to check is that the policy has both NAT and IP pool enabled with the right pool name. Verify with Policy Lookup in the GUI and by inspecting the live session (`diagnose sys session list` shows the NAT translation that was applied).

770
MCQ · medium

An administrator wants to enable two-factor authentication for SSL VPN users using FortiToken. Which configuration is required on the FortiGate?

A. Create a RADIUS server pointing to FortiAuthenticator
B. Set the authentication timeout to 60 seconds
C. Configure SSL VPN to use certificate authentication
D. Add the FortiToken to the user's account and enable 'fortitoken' in the user group
Answer: D

The token is bound to the user object, and the group that contains the user is the one referenced by the SSL VPN settings and policy.

Why this answer

Option D is the keyed answer. Strictly, two-factor authentication is a property of the user, not the group: the FortiToken is assigned to the user and `two-factor fortitoken` is enabled on that user, after which any group containing the user enforces the token whenever that group is used for SSL VPN authentication. Options A and C describe alternative authentication sources and methods rather than how FortiToken two-factor is switched on, and option B only changes a timeout.

771
MCQ · easy

Which CLI command is used to configure NTP on a FortiGate?

A. config system ntp-server
B. config system time
C. execute ntp sync
D. config system ntp
Answer: D

This is the correct command to configure NTP settings.

Why this answer

The correct command is `config system ntp`, which enters the NTP configuration context: `set ntpsync enable` turns on synchronization, `set type custom` switches from the FortiGuard NTP servers to your own, `set syncinterval` sets the poll interval, and the servers themselves are listed in the `config ntpserver` sub-table, where each entry takes `set server` and optional NTP authentication. This is the top-level context for NTP settings in the FortiOS CLI, as documented in the FortiGate Administration Guide.

Exam trap

The trap is that candidates pick `config system ntp-server` (which does not exist) or assume `execute ntp sync` is a valid command; FortiOS has no such command, and synchronization state is checked with `diagnose sys ntp status`.

How to eliminate wrong answers

Option A is wrong because `config system ntp-server` is not a valid FortiOS command; servers are added under `config system ntp` in the `config ntpserver` sub-table. Option B is wrong because `config system time` is not where NTP is configured; the time zone lives under `config system global` and the clock is set by hand with `execute date` and `execute time`. Option C is wrong because `execute ntp sync` is not a valid FortiOS command.
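The full context as an added example (not from the original page). The server names and the key are assumptions; `set type custom` is required, since with the default `fortiguard` type the `ntpserver` entries are ignored, and `server-mode` is left off so the FortiGate does not itself answer NTP queries on any interface:

```text
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    set server-mode disable
    config ntpserver
        edit 1
            set server "ntp1.example.org"
        next
        edit 2
            set server "ntp2.example.org"
            set authentication enable
            set key-id 1
            set key "CHANGE-ME"
        next
    end
end
```

`diagnose sys ntp status` lists each configured server with its reachability and stratum, which is the check to run after applying this. Accurate time matters beyond logs: certificate validation, FortiToken OTP windows and FortiGuard contract checks all fail when the clock drifts, so two servers and an authenticated entry are worth the extra lines.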

772
MCQ · easy

An administrator is configuring a VLAN interface on a FortiGate. The physical interface is port2 and the VLAN ID is 100. Which of the following correctly creates the VLAN interface?

A. config system interface edit port2.100 set vlanid 100 set type vlan next end
B. config system interface edit port2 set vlanid 100 next end
C. config system interface edit port2.100 set type vlan next end
D. config system vlan edit port2.100 set vlanid 100 next end
Answer: A

This is the accepted syntax in the exam: a VLAN is a separate interface object under `config system interface`, carrying its own VLAN ID and type.

Why this answer

Option A is correct because it creates a separate VLAN interface under `config system interface`: `edit port2.100` creates the interface (the name is a convention; FortiOS accepts any name), `set vlanid 100` assigns the 802.1Q tag, and `set type vlan` marks it as a VLAN interface. On a real FortiGate the command set shown is incomplete: the binding to the parent port is made with `set interface port2`, and the interface must also be placed in a VDOM with `set vdom`; the name does not tie the VLAN to port2 by itself.

Exam trap

The trap is that candidates carry over Cisco IOS habits, where `interface port2.100` with `encapsulation dot1Q 100` is enough, and either try to set the VLAN ID on the physical interface (B) or omit `set vlanid` (C).

How to eliminate wrong answers

Option B is wrong because it tries to set a VLAN ID on the physical interface `port2` instead of creating a separate VLAN interface; FortiGate does not allow a VLAN ID on a physical interface. Option C is wrong because it omits `set vlanid 100`, which is mandatory for an 802.1Q interface. Option D is wrong because `config system vlan` is not a FortiOS context; VLAN interfaces are always configured under `config system interface`.
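The same VLAN as it is actually created on a FortiGate, added here as an example rather than taken from the question. The address 10.100.0.1/24, the `root` VDOM and the `lan` role are assumptions; the two lines the exam answer leaves out are `set vdom` and `set interface`:

```text
config system interface
    edit "port2.100"
        set vdom "root"
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 100
        set role lan
    next
end
```

`allowaccess` is deliberately limited to ping: a VLAN on a user-facing port does not need HTTPS or SSH management enabled, and every protocol added here is reachable from that segment. `show system interface port2.100` echoes the result and is the quick check that the parent interface and tag were applied.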

773
Drag & Drop · medium

Drag and drop the steps to configure a static route on a FortiGate firewall into the correct order.


Why this order

Static routes on FortiGate are configured in the router static configuration context, requiring a sequence number, destination, device, and gateway.
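As an added example (not from the original page) that serves questions 755, 763 and this drag-and-drop item: the two default routes with unequal distances, followed by the link monitor that questions 755 and 763 both implicitly need. The port1 gateway 203.0.113.1 comes from question 763; the port2 gateway 198.51.100.1 and the probe target 8.8.8.8 are assumptions:

```text
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "port2"
        set distance 20
    next
end
config system link-monitor
    edit "ISP1-probe"
        set srcintf "port1"
        set server "8.8.8.8"
        set gateway-ip 203.0.113.1
        set protocol ping
        set update-static-route enable
    next
end
```

Without the link monitor, the distance-10 route stays installed as long as port1 is physically up, which is exactly the blackhole in question 763: a dead 203.0.113.1 is never detected and the distance-20 route never becomes active. With `update-static-route` the monitor withdraws the port1 static routes when the probes fail and restores them when they recover. `get router info routing-table all` shows only the installed route; `get router info routing-table database` shows both candidates, with the inactive one marked as such, which is the view to use when checking that the backup really exists.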

774
MCQ · easy

A FortiGate admin wants to ensure that traffic destined to a specific web server is inspected by an IPS profile. Which configuration is necessary?

A. Enable IPS on the firewall policy directly
B. Set the policy's action to 'IPS'
C. Create a security profile group containing the IPS profile and apply it to the policy
D. Configure a VIP for the web server
Answer: A

Security profiles, including the IPS sensor, are selected on the firewall policy itself (the Security Profiles section of the policy in the GUI; `set utm-status enable` plus `set ips-sensor` in the CLI).

Why this answer

Option A is correct because an IPS sensor is applied by enabling it on the ACCEPT policy that carries the traffic and choosing the sensor there; nothing else is needed for the sensor to inspect sessions matching that policy. Option C describes a valid alternative, not a requirement: a profile group bundles several profiles so that many policies can reference one object (`set profile-type group` and `set profile-group` on the policy), but a single policy can reference the IPS sensor directly.

Exam trap

The trap is reading option A as "a special IPS action on the policy" (that is option B, which does not exist) or assuming that profile groups are the only way to attach profiles; the policy action stays ACCEPT and the sensor is selected as a security profile on that policy.

How to eliminate wrong answers

Option B is wrong because the policy action is ACCEPT, DENY or IPsec; there is no IPS action, and inspection happens only on accepted traffic. Option C is wrong as the necessary step because a profile group is optional; it is convenient for reuse, but the sensor can be attached directly. Option D is wrong because a Virtual IP provides destination NAT and port forwarding; it may be needed to publish the server, but it does not apply IPS inspection.

775
Multi-Select · hard

An administrator is configuring an IPS profile on FortiGate to detect and block SQL injection attacks. The profile must be applied to inbound traffic to a web server. Which TWO settings should the administrator enable to achieve this goal? (Choose two.)

Select 2 answers
A. Add the 'SQL.Injection' signature to the IPS sensor and set action to 'block'.
B. Create a DoS policy to limit the number of connections per second.
C. Enable the HTTP protocol decoder in the application control profile.
D. Configure the IPS sensor to bypass traffic from trusted IP addresses.
E. Enable the IPS sensor in the firewall policy.
Answers: A, E

The specific signature for SQL injection must be included and configured to block.

Why this answer

Option A is correct because SQL injection attacks are identified by specific IPS signatures, and adding 'SQL.Injection' to an IPS sensor with the action set to 'block' directly instructs FortiGate to detect and block those attacks. Option E is correct because an IPS sensor must be enabled within a firewall policy to apply its inspection to the traffic passing through that policy, ensuring the profile is active on inbound traffic to the web server.

Exam trap

The trap here is that candidates often confuse DoS policies (rate limiting) with IPS (signature-based detection), or mistakenly think application control profiles handle IPS signatures, when in fact IPS sensors are separate and must be explicitly enabled in a firewall policy.

776
MCQ · hard

During a security audit, the administrator runs the command 'diagnose firewall policy list' and sees the following output: policy id=1: allow from port1 to port2, src=10.0.0.0/8, dst=any, action=accept policy id=2: deny from port1 to port2, src=10.0.0.0/8, dst=172.16.0.0/12, action=deny policy id=3: allow from port1 to port2, src=any, dst=any, action=accept A host with IP 10.0.1.5 sends traffic to 172.16.0.1. Which policy will match?

A. Policy 3
B. Policy 1
C. Implicit deny
D. Policy 2
Answer: B

The traffic matches policy 1 because 10.0.1.5 is within 10.0.0.0/8 and the destination is any. Policy 2 is more specific but sits below policy 1 in the list, and FortiGate stops at the first match.

Why this answer

Policies are evaluated top-down in the order they appear in the policy list (here 1, 2, 3), and the first policy whose interfaces, addresses, service and schedule all match is applied. Policy 1 matches source 10.0.1.5 (inside 10.0.0.0/8) and any destination, so the session is accepted by policy 1 and policy 2 is never consulted, even though 172.16.0.1 is inside its 172.16.0.0/12 destination. To get the intended deny, policy 2 has to be moved above policy 1.

Exam trap

The trap is assuming that a deny rule with a more specific destination overrides a broader allow rule. FortiGate uses first-match in list order, not longest-prefix or most-specific matching; the policy ID is only an identifier, and policies can be moved so that the order no longer follows the IDs.

How to eliminate wrong answers

Option A is wrong because policy 3 is a catch-all listed after policies 1 and 2; since policy 1 matches, policy 3 is never reached. Option C is wrong because the implicit deny applies only when no explicit policy matches. Option D is wrong because, although policy 2's destination 172.16.0.0/12 includes 172.16.0.1, policy 1 is listed first and matches, so policy 2 is not evaluated for this traffic.
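The three policies from the question as they would be built in the CLI, with the reorder that fixes the audit finding, added here as an example (not from the original page). The address object names are assumptions; the interfaces and prefixes are the ones shown in the question:

```text
config firewall address
    edit "net-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "net-172-16"
        set subnet 172.16.0.0 255.240.0.0
    next
end
config firewall policy
    edit 1
        set name "allow-10-to-any"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "net-10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "deny-10-to-172-16"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "net-10"
        set dstaddr "net-172-16"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "allow-any"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    move 2 before 1
end
```

Before the `move`, 10.0.1.5 to 172.16.0.1 is accepted by policy 1; after it the deny is evaluated first and the same session is dropped and logged, while policy 1 still carries 10.0.0.0/8 traffic to every other destination. Note that `move` changes only the position: the IDs stay 1, 2, 3, so a `show firewall policy` listing now reads 2, 1, 3, which is the order that counts. The Policy Lookup tool in the GUI evaluates a synthetic session against the current order and is the fastest way to confirm the change.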

777
Multi-Selectmedium

Which TWO web filtering features can be used to block access to malicious websites? (Choose two.)

Select 2 answers
A.Static URL filtering
B.Application control
C.FortiGuard category-based filtering
D.Web rating override
E.DNS filter
AnswersC, D

Blocks categories like 'Malicious'.

Why this answer

FortiGuard category-based filtering (C) is correct because it leverages FortiGuard's cloud-based web rating database to categorize URLs and block access to known malicious sites, such as those hosting malware or phishing. Web rating override (D) is correct because it allows administrators to manually override the FortiGuard rating for specific URLs, enabling them to block a site that may not yet be categorized as malicious by FortiGuard. Both features directly control access to malicious websites based on URL reputation.

Exam trap

The trap here is that candidates often confuse DNS filter with web filtering, but DNS filter is a separate security feature (under DNS Filter profile) and is not considered a web filtering feature in the NSE4 exam; the question explicitly asks for 'web filtering features' as defined in the FortiGate Web Filter profile.

778
MCQeasy

Which FortiGuard subscription service is required for URL filtering and web categorization?

A.FortiGuard IPS
B.FortiGuard Application Control
C.FortiGuard Web Filtering
D.FortiGuard Antivirus
AnswerC

Web Filtering provides URL categorization.

Why this answer

FortiGuard Web Filtering provides URL categorization and filtering capabilities.

779
MCQmedium

A company wants to allow FTP (TCP ports 20-21) from their internal network (192.168.1.0/24) to a specific external server (203.0.113.50). They also need to inspect FTP traffic for viruses. What should the admin configure?

A.Create a policy from internal to external with service FTP and enable antivirus
B.Configure an explicit proxy policy for FTP and apply antivirus
C.Enable NAT on the policy and use a custom service for FTP
D.Use a policy with service ALL and rely on the antivirus profile
AnswerA

A standard policy with FTP service and antivirus profile will inspect FTP traffic.

Why this answer

FTP inspection requires either an explicit proxy policy for FTP or enabling FTP inspection in the security profile. The simplest approach is to create a policy allowing the FTP service and apply an antivirus profile to it.

780
Multi-Selecthard

Which THREE of the following are valid methods to exclude certain HTTPS traffic from SSL inspection on a FortiGate?

Select 3 answers
A.Adding the domain to the 'SSL Exempt Domains' list in the SSL/SSH inspection profile.
B.Setting the firewall policy action to 'accept' with no inspection.
C.Using a certificate category exemption (e.g., exempting 'Fortinet Trusted Certificate').
D.Using a web filter category exemption.
E.Adding the destination IP address to the 'SSL Exempt IPs' list in the SSL/SSH inspection profile.
AnswersA, C, E

Domain-based exemption is a supported method.

Why this answer

Option A is correct because the 'SSL Exempt Domains' list in the SSL/SSH inspection profile allows you to specify domain names (e.g., *.example.com) that will bypass SSL inspection entirely. When FortiGate matches the SNI field in the ClientHello or the certificate CN/SAN against this list, it skips decryption and passes the traffic through without inspection, reducing overhead for trusted or non-critical domains.

Exam trap

The trap here is that candidates often confuse web filter category exemptions with SSL inspection exemptions, but web filter exemptions only affect URL filtering decisions, not the decryption process itself.

781
MCQmedium

An admin creates a firewall policy allowing HTTP traffic from internal users to the internet. Users complain that they cannot access HTTPS websites. The admin checks and sees that the policy only has HTTP service. What is the BEST course of action to allow HTTPS while maintaining security?

A.Create a new policy above the existing one with HTTPS service
B.Add the HTTPS service to the existing policy
C.Use a security policy that automatically adds HTTPS
D.Change the HTTP service to ALL services
AnswerB

This allows HTTPS traffic without changing the HTTP rule, maintaining least privilege.

Why this answer

The simplest and most secure approach is to add the HTTPS service to the existing policy, as it is a common web protocol.

782
Multi-Selectmedium

An administrator wants to configure traffic shaping to limit bandwidth for YouTube video streaming. Which THREE objects or settings must be configured on the FortiGate to apply traffic shaping?

Select 3 answers
A.Traffic shaper (e.g., shared or per-IP shaper)
B.Application control profile to identify YouTube traffic
C.A DNS filter to block YouTube
D.A firewall policy that applies the traffic shaper and the application control profile
E.A static route for YouTube's IP range
AnswersA, B, D

Defines the bandwidth limits.

Why this answer

To apply traffic shaping, you need a traffic shaper (defining bandwidth limits), an application control profile to identify YouTube traffic, and a firewall policy that applies both the shaper and the profile.

783
MCQmedium

A FortiGate administrator is configuring a hub-and-spoke IPsec VPN. The hub has multiple Phase 2 selectors for each spoke. What is the recommended way to simplify configuration on the hub when adding new spokes?

A.Use a single Phase 2 selector with 0.0.0.0/0.0.0.0 for both local and remote
B.Configure each spoke in a separate VDOM
C.Use aggressive mode for Phase 1
D.Use policy-based VPN instead of route-based
AnswerA

This accepts any subnet, simplifying configuration.

Why this answer

Using a single Phase 2 selector with 0.0.0.0/0 as both the local and remote subnet allows the hub to accept traffic from any spoke without needing per-spoke Phase 2 selectors. Security-conscious administrators often still use specific selectors, but the question asks for simplification; dynamic routing (BGP) simplifies this even further.

784
Multi-Selecthard

A FortiGate admin is troubleshooting an IPsec VPN that fails to establish. The output of 'diagnose debug application ike -1' shows: 'IKE: No proposal chosen from x.x.x.x'. The admin checks the Phase1 configuration. Which of the following mismatches could cause this error? (Choose three.)

Select 3 answers
A.Diffie-Hellman group mismatch (e.g., group 2 vs group 14)
B.Pre-shared key mismatch
C.Lifetime mismatch (e.g., 86400 vs 3600)
D.Authentication method mismatch (e.g., SHA1 vs SHA256)
E.Encryption algorithm mismatch (e.g., AES128 vs AES256)
AnswersA, D, E

DH group is also part of the proposal.

Why this answer

The error 'no proposal chosen' indicates that the local and remote IKE peers have no common Phase1 proposal. This can be caused by mismatched encryption, authentication, or Diffie-Hellman group. Lifetime mismatch usually results in a different error.

785
MCQeasy

A FortiGate is configured with two WAN interfaces (port1 and port2) connected to different ISPs. The administrator wants to load-balance outbound traffic across both links using equal-cost routes. Which routing configuration should be applied?

A.Configure policy routes to direct traffic based on source IP.
B.Enable BGP to dynamically learn routes from both ISPs.
C.Configure static routes with equal distance and enable ECMP.
D.Configure static routes with different distances (e.g., 10 and 20) to the same destination.
AnswerC

Why this answer

Option C is correct because ECMP (Equal-Cost Multi-Path) routing allows a FortiGate to load-balance outbound traffic across multiple interfaces when static routes have the same distance (administrative distance) and destination. By configuring two static routes with equal distance (e.g., 10) to 0.0.0.0/0 via port1 and port2, the FortiGate automatically distributes sessions across both links using a hash-based algorithm (e.g., source-destination IP), achieving the desired load balancing without dynamic routing protocols.

Exam trap

The trap here is that candidates confuse 'different distances' (which creates failover) with 'equal distances' (which enables load balancing), often selecting option D because they think varying metrics distributes traffic, but in reality, only equal administrative distances trigger ECMP load sharing.

How to eliminate wrong answers

Option A is wrong because policy routes are used for policy-based routing (PBR) based on criteria like source IP, not for simple load balancing across equal-cost links; they override the routing table and do not inherently provide ECMP load sharing. Option B is wrong because BGP is a dynamic routing protocol that can learn routes from ISPs, but it requires ISP cooperation and is unnecessary for simple outbound load balancing; ECMP with static routes is simpler and sufficient. Option D is wrong because configuring static routes with different distances (e.g., 10 and 20) creates a primary/backup (failover) scenario, not load balancing; the route with the lower distance is always preferred, and traffic never uses the higher-distance route unless the primary fails.

786
MCQmedium

A network administrator notices that users can access websites categorized as 'Pornography' despite a web filter profile blocking that category. The firewall policy uses the web filter profile and is applied to the users' traffic. What is the MOST likely cause?

A.The FortiGate cannot reach the FortiGuard servers
B.The web filter profile is applied to the wrong policy
C.The users are bypassing the FortiGate using a proxy
D.The web filter profile has the 'Override' feature enabled
AnswerA

Without FortiGuard connectivity, web filtering fails open, allowing all categories. This is a common issue.

Why this answer

Option A is correct because if the FortiGate cannot reach the FortiGuard servers, web filtering will fail open by default, allowing all web traffic. The administrator should verify FortiGuard connectivity.

787
MCQhard

A large enterprise uses a FortiGate 600E in NAT mode to protect its internal network. The security team has implemented an Application Control profile that categorizes applications and allows only 'Business' and 'General-Interest' categories. They have also applied an IPS sensor with default settings and enabled SSL inspection for outbound traffic. Recently, the helpdesk has received reports that some users cannot access a critical cloud-based CRM application, while others can. The CRM uses HTTPS on port 443. The Application Control profile is applied to the firewall policy for outbound traffic. The IPS sensor is also applied. The FortiGate is not configured for load balancing. Which of the following is the most likely cause of the issue?

A.The IPS sensor is detecting and blocking the CRM traffic as an attack.
B.The CRM application is not categorized in the Application Control database.
C.The FortiGate is performing load balancing and some users are directed to a different path.
D.SSL inspection is blocking the CRM traffic due to certificate validation failure.
AnswerB

If uncategorized, it may be blocked by default; some users might be using different IPs that match a different policy.

Why this answer

The correct answer is B because the Application Control profile is configured to allow only 'Business' and 'General-Interest' categories. If the CRM application is not categorized in FortiGuard's Application Control database, or if it falls under a different category (e.g., 'Uncategorized' or 'Unknown'), the FortiGate will block the traffic by default. This explains why some users can access the CRM (if they are using a different path or the application is categorized differently) while others cannot, as the FortiGate enforces the profile based on the application signature match.

Exam trap

The trap here is that candidates often assume IPS or SSL inspection is the culprit for selective access issues, but the key clue is that the problem affects only some users, pointing to a categorization mismatch in Application Control rather than a global block.

How to eliminate wrong answers

Option A is wrong because the IPS sensor with default settings is unlikely to block legitimate CRM HTTPS traffic on port 443 unless it matches a known attack signature, and the issue is user-specific, not global. Option C is wrong because the FortiGate 600E is explicitly stated as not configured for load balancing, so this cannot be the cause. Option D is wrong because SSL inspection certificate validation failure would affect all users equally, not just some, and the issue is isolated to a specific application, not all HTTPS traffic.

788
MCQhard

A FortiGate is configured with multiple policies. The first policy allows traffic from 10.0.0.0/8 to any destination. The second policy denies traffic from 10.0.1.0/24 to any destination. What happens when a packet from 10.0.1.5 to 8.8.8.8 arrives?

A.The packet is denied by implicit deny
B.The packet is allowed by the first policy
C.The packet matches both policies and is allowed
D.The packet is denied by the second policy
AnswerB

The source 10.0.1.5 is within 10.0.0.0/8, so the first policy matches and allows the traffic.

Why this answer

FortiGate firewall policies are evaluated in sequential order from top to bottom. The first policy matches source 10.0.0.0/8, which includes 10.0.1.5, and allows the traffic to any destination. Since the packet matches this policy first, it is accepted and the second policy is never evaluated.

Therefore, the packet is allowed by the first policy.

Exam trap

The trap here is that candidates often assume FortiGate uses a longest-prefix match or that a more specific deny policy will override a broader allow policy, but FortiGate strictly follows first-match order, not prefix length.

How to eliminate wrong answers

Option A is wrong because the packet matches an explicit allow policy (the first policy) before any implicit deny rule can apply; implicit deny only triggers when no explicit policy matches. Option C is wrong because FortiGate uses first-match logic, not a longest-prefix or combined-match approach; once a packet matches the first policy, subsequent policies are not checked. Option D is wrong because the second policy is never reached; the packet is evaluated against the first policy, which matches and allows it, so the deny policy is ignored.

789
Multi-Selecthard

Which TWO of the following are best practices when configuring IPS on a FortiGate in a high-throughput environment?

Select 2 answers
A.Set all signatures to block action to maximize security.
B.Set the IPS severity filter to high and above only.
C.Disable all custom signatures to simplify management.
D.Enable only relevant signatures based on the network environment.
E.Use flow-based inspection for better performance.
AnswersD, E

Enabling only necessary signatures reduces overhead and false positives.

Why this answer

Option D is correct because enabling only relevant signatures based on the network environment reduces false positives and unnecessary processing overhead, ensuring that IPS resources are focused on threats that actually apply to the traffic traversing the FortiGate. Option E is correct because flow-based inspection uses a single-pass, pattern-matching engine that offers higher throughput and lower latency compared to proxy-based inspection, making it ideal for high-throughput environments.

Exam trap

The trap here is that candidates often assume 'maximum security' means enabling all signatures or using the strictest action, but the NSE4 exam emphasizes that effective IPS in high-throughput environments requires balancing security with performance by selectively enabling relevant signatures and using flow-based inspection.

790
MCQhard

You are troubleshooting an SSL VPN connection. The user can reach the SSL VPN portal but cannot ping or access any internal resources. The portal shows the user as authenticated. Which configuration is MOST likely missing?

A.There is no firewall policy allowing traffic from ssl.root to the internal network
B.Client certificate authentication is required but not provided
C.Split tunneling is disabled
D.The SSL VPN realm is not configured correctly
AnswerA

A firewall policy is required to permit traffic from the SSL VPN interface to destination zones.

Why this answer

Even if authentication succeeds, SSL VPN tunnel mode requires a firewall policy to allow traffic from the SSL VPN interface to internal networks. Without it, traffic is dropped.

791
Multi-Selecteasy

Which TWO of the following are prerequisites for configuring a high availability (HA) cluster on FortiGate? (Choose two.)

Select 2 answers
A.An HA heartbeat interface must be a dedicated interface.
B.All interfaces must be configured with static IP addresses.
C.The FortiGate units must be running the same firmware version.
D.The configuration must be identical on both units.
E.The FortiGate units must be the same model.
AnswersC, E

Firmware must match for HA.

Why this answer

Option C is correct because FortiGate HA requires all cluster members to run the same firmware version to ensure configuration compatibility and consistent behavior. Mismatched firmware can lead to synchronization failures or unpredictable failover events, as the HA heartbeat and session synchronization protocols depend on identical code bases.

Exam trap

The trap here is that candidates often assume identical configuration is required before forming the cluster, but FortiGate automatically synchronizes the primary's configuration to the secondary, making pre-existing identical configs unnecessary.

792
MCQmedium

A FortiGate has multiple WAN interfaces (port1, port2) connected to different ISPs. The administrator wants traffic from the internal network to use port1 for general internet access but use port2 for traffic to a specific cloud service (203.0.113.0/24). Which feature should be used to achieve this?

A.Create a VIP for the cloud service
B.Configure static routes with different distances
C.Use SD-WAN rules to load balance
D.Use policy-based routing (PBR) to route traffic based on destination
AnswerD

PBR can match specific traffic and route it out a specific interface.

Why this answer

Policy-based routing (PBR) allows you to override the default routing table based on criteria such as source/destination IP, protocol, or port. In this scenario, PBR can match traffic destined to 203.0.113.0/24 and force it out through port2, while all other internet traffic follows the default route via port1. This provides granular control without affecting the general routing behavior.

Exam trap

The trap here is that candidates often confuse SD-WAN load balancing with policy-based routing, assuming that SD-WAN rules can enforce a strict 'always use this interface for this destination' policy, when in fact SD-WAN is primarily for dynamic load balancing and failover, not for static, deterministic path selection based solely on destination.

How to eliminate wrong answers

Option A is wrong because a Virtual IP (VIP) is used for destination NAT (port forwarding) to map a public IP to an internal server, not to control outbound path selection. Option B is wrong because static routes with different distances influence the routing table based on administrative distance, but they cannot selectively route traffic based on destination subnet when both interfaces have a default route; they would simply prefer one default route over the other for all traffic. Option C is wrong because SD-WAN rules load-balance or failover traffic across multiple links based on performance metrics or volume, but they do not provide the deterministic, policy-based path selection required to send specific traffic to a specific interface while using another for general internet access.

793
MCQhard

After upgrading FortiGate firmware, the administrator notices that the 'config router static' command now shows a new keyword 'distance' instead of 'weight'. The upgrade also changed the ECMP load-balancing behavior. What was the likely change in the ECMP algorithm?

A.The ECMP algorithm changed from source-IP-based to weighted (hash-based)
B.The ECMP algorithm changed from weighted to source-dest-IP
C.The ECMP algorithm is now configurable via 'config system ecmp'
D.The ECMP algorithm changed from source-dest-IP to round-robin
AnswerA

In older versions, ECMP by default used source-IP; newer versions use a hash of src-dst IP/port.

Why this answer

The correct answer is A because the upgrade replaced the 'weight' keyword with 'distance' in static routes, indicating a shift from a weighted ECMP algorithm (where routes with lower weight were preferred) to a hash-based algorithm (using source IP by default). This change aligns with FortiOS moving to a more deterministic ECMP load-balancing method, where the 'distance' parameter now influences route selection but ECMP hashing distributes traffic across equal-cost paths based on packet attributes.

Exam trap

The trap here is that candidates confuse the 'distance' keyword with administrative distance or assume the ECMP algorithm change is configurable via a dedicated 'ecmp' command, when in fact it is set under 'config system settings' and the default changed from weighted to source-IP-based hashing.

How to eliminate wrong answers

Option B is wrong because the change is from weighted to source-IP-based hashing, not from weighted to source-dest-IP; source-dest-IP is a separate hash algorithm that can be configured but is not the default after the upgrade. Option C is wrong because ECMP load-balancing is configured via 'config system settings' with the 'ecmp-algorithm' command, not via 'config system ecmp', which does not exist in FortiOS. Option D is wrong because the algorithm changed from weighted to source-IP-based hashing, not from source-dest-IP to round-robin; round-robin is not a supported ECMP algorithm in FortiOS.

794
MCQmedium

An administrator wants to use Fortinet Single Sign-On (FSSO) with Active Directory to transparently authenticate users. Which component is responsible for polling Active Directory for user logon events?

A.Active Directory Domain Controller
B.FortiGate directly with NTLM authentication
C.FortiAuthenticator
D.FSSO Collector Agent
AnswerD

The Collector Agent polls AD security logs.

Why this answer

The FSSO Collector Agent (or the FortiGate itself with embedded agent) polls AD for logon events.

795
MCQmedium

A network administrator configures an application control profile to block social media applications. Users can still access Facebook through a web browser. What is the MOST likely reason?

A.The application signatures are outdated
B.Application control is not enabled for HTTPS traffic without deep inspection
C.The firewall policy is in proxy-based mode
D.The application control profile is not applied to the correct policy
AnswerB

Facebook uses HTTPS. Without SSL deep inspection, application control cannot identify the application within encrypted traffic.

Why this answer

Option B is correct. Application control requires deep inspection to identify applications in encrypted traffic.

796
MCQeasy

An administrator wants to block the use of social media applications like Facebook and Twitter on the company network. Which security profile should be used?

A.DNS Filter profile
B.Web Filter profile
C.Application Control profile
D.IPS profile
AnswerC

Application control can block the Facebook and Twitter applications regardless of the URL used.

Why this answer

Option C is correct. Application control can identify and block specific applications based on signatures, including social media apps.

797
Multi-Selecteasy

An administrator wants to integrate FortiGate with FortiAnalyzer for logging. Which TWO steps are necessary?

Select 2 answers
A.Set the FortiAnalyzer IP under 'config system log-fortianalyzer set status enable set server <ip>'.
B.Enable logging to FortiAnalyzer under the log settings.
C.Create a firewall policy allowing traffic from FortiGate to FortiAnalyzer on port 514.
D.Configure SNMP traps to send logs to FortiAnalyzer.
E.Install a FortiAnalyzer license on FortiGate.
AnswersA, B

Why this answer

Option A is correct because the command 'config system log-fortianalyzer set status enable set server <ip>' directly configures FortiGate to send logs to a specific FortiAnalyzer server. Option B is correct because enabling logging to FortiAnalyzer under the log settings activates the log forwarding mechanism, which is a necessary step to ensure logs are actually transmitted after the server IP is configured.

Exam trap

The trap here is that candidates often assume a firewall policy is needed to allow outbound syslog traffic, but FortiGate's own traffic is not subject to its firewall policies unless explicitly restricted, making option C a common distractor.

798
Multi-Selectmedium

A FortiGate administrator is configuring intrusion prevention (IPS) for a web server. The administrator wants to both block known exploits and detect anomalous traffic patterns. Which TWO features should be enabled? (Choose two.)

Select 2 answers
A.IPS signatures
B.Web filter
C.Antivirus
D.Anomaly detection
E.Application control
AnswersA, D

IPS signatures detect and block known exploits based on pattern matching.

799
MCQmedium

An administrator wants to configure SNMP on a FortiGate to allow a monitoring server 192.168.1.100 to poll read-only information. Which set of commands is correct?

A.config system snmp sysinfo set status enable set community public set trap-receiver 192.168.1.100 end
B.config system snmp community edit 1 set name public set query enable set query-port 161 set hosts 192.168.1.100 end
C.config system snmp set enable set community public set host 192.168.1.100 end
D.config system interface edit port1 set snmp-index 1 set allowaccess snmp end
AnswerB

Why this answer

Option B is correct because SNMP read-only polling on FortiGate is configured under the `config system snmp community` hierarchy. The `set query enable` command allows SNMP GET requests, `set query-port 161` specifies the standard SNMP port, and `set hosts 192.168.1.100` restricts polling to that specific monitoring server. This matches the requirement for read-only access without configuring traps or enabling SNMP globally via the sysinfo context.

Exam trap

The trap here is that candidates often confuse the `config system snmp sysinfo` context (for system contact/location) with the community configuration context, or mistakenly think SNMP is enabled globally via a simple `set enable` command, when in fact the community must be explicitly created and enabled with `set query enable`.

How to eliminate wrong answers

Option A is wrong because `config system snmp sysinfo` is used to set system contact and location information, not to enable SNMP polling or define communities; `set community public` is invalid in that context, and `set trap-receiver` configures trap destinations, not polling hosts. Option C is wrong because `config system snmp` is not a valid configuration path on FortiGate; SNMP is configured under `config system snmp community` and `config system snmp sysinfo`, and `set enable` and `set community` are not valid commands at that level. Option D is wrong because `config system interface` with `set allowaccess snmp` only enables SNMP access on a specific interface, but it does not configure the SNMP community, query settings, or allowed hosts, which are required for the monitoring server to poll.

800
MCQeasy

An administrator wants to authenticate VPN users against an external LDAP server. Which authentication method should be configured in the user group for the SSL VPN portal?

A.RADIUS
B.FSSO
C.Local
D.LDAP
AnswerD

LDAP authentication allows FortiGate to query the LDAP server for user credentials and group membership.

Why this answer

To authenticate users against an LDAP server, the administrator must create an LDAP server object and then create a user group that references that LDAP server. The group membership is typically based on LDAP group membership.

801
Multi-Selectmedium

A FortiGate admin needs to block all traffic from the 'Guest' VLAN (192.168.100.0/24) to the internal network (10.0.0.0/8) except for DNS traffic (UDP 53) to the internal DNS server at 10.0.0.10. Which TWO firewall policy configuration elements are required to achieve this? (Choose two.)

Select 2 answers
A.An address group for the internal DNS server
B.A firewall policy with source 'Guest' VLAN, destination 'Internal network', service 'ALL', action 'deny'
C.A firewall policy with source 'Guest' VLAN, destination 'Internal DNS server', service 'DNS', action 'accept'
D.A traffic shaper to limit DNS traffic
E.A schedule object to apply the policies only during business hours
AnswersB, C

This policy will block all other traffic from Guest to internal.

Why this answer

Option B is correct because a deny policy with source 'Guest' VLAN (192.168.100.0/24), destination 'Internal network' (10.0.0.0/8), and service 'ALL' will block all traffic from the Guest VLAN to the internal network. Option C is correct because an explicit accept policy for DNS (UDP 53) to the internal DNS server (10.0.0.10) must be placed before the deny policy, as FortiGate firewall policies are evaluated in order from top to bottom, and the first matching policy determines the action.

Exam trap

The trap here is that candidates often think an address group (Option A) is necessary for the DNS server, but a single address object works just as well, and the real key is the policy ordering between the explicit accept and the explicit deny.

802
Matchingmedium

Match each FortiGate routing concept to its definition.


Concepts
Matches

Manually configured path to a destination network

Link-state routing protocol for internal networks

Path-vector routing protocol for internet and WAN

Routes traffic based on source/destination or service

Load-balances traffic across multiple routes with same cost

Why these pairings

Routing methods used in FortiGate.

803
MCQeasy

Which FortiGate feature allows the administrator to scan SMTP, IMAP, and POP3 traffic for spam and apply actions such as tagging or discarding?

A.Email filter profile
B.Application control profile
C.Antivirus profile
D.Web filter profile
AnswerA

Email filter inspects email traffic (SMTP, IMAP, POP3) for spam and other threats.

Why this answer

Option A is correct. The email filter profile is designed to scan email traffic for spam and can apply actions like tag, discard, or quarantine.

804
Multi-Selecthard

A FortiGate administrator is planning an upgrade from FortiOS 6.4 to 7.2. Which THREE steps should be performed before the upgrade? (Choose three.)

Select 3 answers
A.Verify hardware compatibility with the target firmware
B.Check the upgrade path and required intermediate versions
C.Back up the current configuration
D.Remove all firewall policies
E.Enable automatic firmware checks
AnswersA, B, C

Some models may not support newer versions.

Why this answer

Verifying hardware compatibility with the target firmware is essential because FortiGate models have specific hardware limitations (e.g., CPU, RAM, storage) that may not support newer FortiOS versions. For example, older models like the FortiGate 100D cannot upgrade beyond FortiOS 6.0, and attempting to install 7.2 could result in a failed boot or bricked device. This step ensures the hardware meets the minimum requirements for the target firmware.

Exam trap

The trap here is that candidates may think removing firewall policies is necessary to avoid compatibility issues during the upgrade, but FortiOS automatically handles policy migration, and deleting them only adds unnecessary risk and downtime.

805
MCQ (hard)

An administrator configures a web filter profile to block the URL category 'Pornography'. The profile is applied to a policy for the sales department. Users report they can still access some sites that should be blocked. The administrator verifies that the FortiGuard web filter service is licensed and the FortiGate has internet connectivity. What should the administrator check next?

A. Verify that the antivirus profile is not interfering with web filtering.
B. Ensure the web filter profile has 'FortiGuard category based filter' enabled and the action for 'Pornography' is set to 'Block'.
C. Check if the sales department policy is using NAT that might bypass the FortiGate.
D. Confirm that the FortiGate has a static route to the FortiGuard servers.
Answer: B

If the category action is not set to block, or if the profile has other allow rules that override, the blocking may not occur. Also check for URL exemptions or override rules.

806
Multi-Select (medium)

A network admin needs to configure a FortiGate to allow remote VPN users (IPsec VPN) to access a web server in the DMZ. The VPN users are assigned IPs from 10.10.10.0/24. The web server is at 192.168.2.10:80. Which TWO objects must be created to define the traffic for the firewall policy? (Choose two.)

Select 2 answers
A. A service object for HTTP (TCP/80)
B. An address object for the web server 192.168.2.10
C. An address object for the VPN user subnet 10.10.10.0/24
D. A user group object for VPN authentication
E. A schedule object for business hours
Answers: B, C

Destination address object.

Why this answer

The firewall policy needs to identify the source (VPN users) and destination (web server). Address objects for the VPN subnet and the web server IP are required.

807
MCQ (medium)

A FortiGate administrator configures an SSL VPN web mode portal. Users can access internal web applications but cannot access internal file shares via SMB. What is the most likely reason?

A. The SSL VPN policy does not allow SMB traffic
B. The fileserver requires client certificates for authentication
C. The firewall policy for SSL VPN is configured with the wrong interface
D. Web mode does not support the SMB protocol; users must use tunnel mode to access fileshares
Answer: D

Correct. Web mode only supports web-based applications via a browser. SMB requires tunnel mode.

Why this answer

Web mode provides clientless access via a web browser, supporting HTTP/HTTPS, but does not support native protocols like SMB (port 445). To access SMB shares, users need tunnel mode with a VPN client that can route all traffic.

808
Multi-Select (medium)

A FortiGate administrator needs to prevent data leakage by blocking the upload of files containing credit card numbers via web traffic. Which THREE components must be configured? (Choose three.)

Select 3 answers
A. Application control profile to block file upload applications
B. DLP profile with a rule to detect credit card numbers
C. Firewall policy that applies the DLP profile and SSL inspection to the traffic
D. Antivirus profile to scan the files for malware
E. SSL deep inspection to decrypt HTTPS traffic
Answers: B, C, E

A DLP (Data Leak Prevention) profile can use predefined or custom patterns to detect sensitive data like credit card numbers.

809
MCQ (medium)

A FortiGate admin has configured FSSO (Fortinet Single Sign-On) using Active Directory polling. Users authenticate to the domain but when accessing the internet through the FortiGate, they are still prompted for credentials. What is the MOST likely cause?

A. The FortiGate is not polling the AD domain controllers
B. The users are using non-Windows machines
C. The firewall policy does not have FSSO authentication enabled
D. The FortiGate is not joined to the domain
Answer: A

Without polling, FSSO cannot map user logins to IP addresses.

Why this answer

FSSO polling requires the FortiGate to monitor domain controller logs. If polling is not working, users won't be detected and will be prompted.

810
MCQ (medium)

An administrator notices that traffic matching a firewall policy is not being logged. The policy has logging enabled. The FortiGate has local disk storage. What should the administrator check first?

A. Whether the FortiGate has a valid FortiAnalyzer subscription
B. Whether FortiCloud logging is enabled
C. The disk health and available space using 'diagnose sys disk' commands
D. The log severity level on the policy
Answer: C

Disk issues can prevent logging; checking disk status is the first step.

Why this answer

Logging to disk requires the disk to be operational; if it's full or faulty, logs may not be written.

811
MCQ (medium)

A FortiGate administrator wants to configure a dial-up IPsec VPN where remote users connect using VPN clients with pre-shared key authentication. The company has recently experienced a data breach where the PSK was compromised. What is the best method to improve security without changing all clients immediately?

A. Switch to aggressive mode with a complex PSK
B. Enable XAuth with a second authentication factor using FortiToken
C. Increase the PSK length to 64 characters
D. Migrate to certificate-based authentication for Phase 1
Answer: D

Certificates provide per-peer authentication. Even if one certificate is compromised, others are not affected. This is the best improvement.

Why this answer

Using certificate-based authentication (IKE with certificates) replaces the static PSK with dynamic per-device certificates. This provides stronger authentication and allows revocation of compromised certificates without affecting other clients. PSK is shared, so if compromised, all clients are vulnerable.

812
MCQ (hard)

A FortiGate has a firewall policy with NAT enabled using an IP pool of type 'Fixed Port Range'. The pool range is 203.0.113.10-203.0.113.20 with port range 10000-20000. A user initiates a connection to an external server. Which of the following describes how the FortiGate will assign the source address and port?

A. The FortiGate uses the pool IPs in round-robin and assigns the same port number as the original source port
B. The FortiGate assigns a fixed IP and port mapping based on the original source IP and port, so the same internal host always gets the same public IP and port range
C. The FortiGate randomly selects an IP from the pool and a random port from 10000-20000 for each session
D. The FortiGate uses the first available IP in the pool and assigns a port sequentially from 10000 upward
Answer: B

Fixed Port Range maps the internal IP/port to a consistent public IP and port range, ensuring that the same internal host uses the same public IP (if possible) and port range.

Why this answer

Fixed Port Range NAT (also known as NAT with fixed port range) creates a deterministic mapping between an internal host's source IP and port and a specific public IP and port range from the pool. This ensures that the same internal host always receives the same public IP and a dedicated port range (10000-20000 in this case), which is essential for protocols that require consistent source addressing, such as SIP or H.323. The FortiGate does not round-robin, randomly assign, or sequentially assign ports; it uses a hash of the original source IP to select the fixed public IP and port range.

Exam trap

The trap here is that candidates often confuse 'Fixed Port Range' with 'Port Block Allocation' or assume it behaves like standard dynamic PAT (Port Address Translation), where each session gets a random or sequential port, but Fixed Port Range is specifically designed for deterministic mapping per internal host.

How to eliminate wrong answers

Option A is wrong because Fixed Port Range NAT does not use round-robin IP assignment; it uses a deterministic mapping based on the original source IP, and it does not preserve the original source port number. Option C is wrong because the IP and port assignment is not random; it is fixed per internal host to maintain session consistency for protocols like SIP. Option D is wrong because the FortiGate does not use the first available IP or assign ports sequentially; it uses a hash-based algorithm to allocate a specific public IP and a dedicated port range for each internal host.

813
Drag & Drop (medium)

Drag and drop the steps to create a firewall policy allowing HTTP traffic from internal to DMZ into the correct order.


Why this order

Firewall policies require defining interfaces, source/destination addresses, and services before enabling.

814
MCQ (medium)

An administrator is troubleshooting a policy that should allow HTTP traffic but it is being blocked. They run 'diagnose debug flow' and see the output ends with 'msg=deny by forward policy check'. What is the most likely cause?

A. The policy is configured with action DENY
B. The routing table is missing a default route
C. The session table is full
D. The HTTP traffic is not matching any policy
Answer: A

The debug flow output clearly states the packet was denied by a forward policy check, meaning a policy matched and denied it.

Why this answer

The message indicates the packet was denied by a firewall policy, meaning there is no matching policy or the matching policy has action DENY.

815
MCQ (easy)

Which statement best describes the implicit deny policy at the end of a FortiGate policy list?

A. It denies all traffic that does not match any explicit policy, and it logs the denied traffic
B. It can be moved to a different position in the policy list
C. It can be disabled or deleted by the admin
D. It is always present and denies any traffic that does not match an explicit allow policy
Answer: D

Correct. The implicit deny is always at the end of the policy list and blocks all traffic that does not match a preceding explicit policy.

Why this answer

The implicit deny policy is a built-in rule that denies all traffic not matching any explicit policy. It cannot be moved, modified, or deleted. Logging of traffic that hits the implicit deny is not enabled by default, so option A is wrong.

The correct answer is that it is always present and denies all unmatched traffic.

816
Multi-Select (medium)

A FortiGate administrator wants to prevent users from downloading executable files via HTTP from the internet. Which TWO security profile features can be used together to achieve this? (Choose two.)

Select 2 answers
A. Antivirus profile with a file filter to block 'exe' files
B. Web filter profile with a URL filter to block '*.exe' URLs
C. DNS filter to block domains that host executable files
D. Application control profile to block HTTP file transfer applications
E. SSL deep inspection to allow inspection of encrypted traffic
Answers: A, B

The file filter in antivirus can block specific file types.

Why this answer

Antivirus can block file types by signature (e.g., exe), and application control can block file transfer applications or protocols. Web filter can also block specific file extensions through a URL filter. The most straightforward combination for this requirement is the antivirus profile's file filter together with the web filter URL filter.

817
MCQ (hard)

An administrator configures SSL deep inspection with a CA certificate. Users accessing an internal site (internal.company.com) receive a certificate error. The administrator wants to avoid the error without disabling deep inspection. What should be done?

A. Replace the CA certificate with a self-signed one
B. Use certificate inspection instead of deep inspection
C. Disable certificate validation in the deep inspection profile
D. Add internal.company.com to the SSL/SSH inspection exemption list
Answer: D

Exempting the domain from deep inspection will allow traffic without decryption, avoiding certificate errors.

Why this answer

Option D is correct. The exemption list allows certain domains to bypass deep inspection, preserving trust.

818
MCQ (medium)

An administrator has configured the policy shown in the exhibit. Traffic to the web server at 10.0.1.10 over HTTPS is allowed, but users complain that they cannot access the web server's login page. The IPS sensor 'High_Security_Sensor' has a signature that blocks SQL injection attempts. The application list 'Block_Social_Media' blocks Facebook and Twitter. What is the most likely cause of the issue?

A. The IPS sensor is blocking the login page due to a false positive.
B. The firewall policy action is set to 'deny' but the exhibit shows 'accept'.
C. The HTTPS service is not correctly defined and blocking the traffic.
D. The application control profile is blocking the web application.
Answer: D

Application control may block the web application if it is misclassified.

Why this answer

The policy explicitly allows HTTPS traffic to 10.0.1.10, but the application control profile 'Block_Social_Media' is applied. This profile blocks Facebook and Twitter, which are web-based applications. If the web server's login page is served over HTTPS and is incorrectly classified by the FortiGate as a social media application (e.g., due to shared CDN or similar traffic patterns), the application control profile will block it, preventing user access despite the firewall policy allowing the service.

Exam trap

The trap here is that candidates assume the IPS sensor is the cause of the block, but the question specifies the IPS sensor only blocks SQL injection attempts, not login pages, while the application control profile explicitly blocks social media applications that could be misclassifying the web server's traffic.

How to eliminate wrong answers

Option A is wrong because the IPS sensor 'High_Security_Sensor' has a signature that blocks SQL injection attempts, not login pages; a false positive for SQL injection would block specific HTTP requests containing malicious patterns, not the entire login page. Option B is wrong because the exhibit shows the policy action as 'accept', and the question states traffic is allowed; a 'deny' action would block all traffic, not just the login page. Option C is wrong because HTTPS is a well-defined service (TCP/443) and the policy explicitly allows it; if the service were misdefined, all HTTPS traffic would be blocked, not just the login page.

819
Multi-Select (medium)

A FortiGate HA cluster in active-passive mode is experiencing unexpected failovers. The administrator suspects the heartbeat link is unreliable. Which TWO actions would help diagnose the heartbeat link issue? (Select two.)

Select 2 answers
A. Disable session synchronization
B. Configure a dedicated heartbeat interface
C. Increase the HA hello timer
D. Ping the heartbeat interface IP from the peer unit
E. Enable 'diagnose debug ha heartbeat'
Answers: D, E

This tests basic connectivity.

Why this answer

Pinging the heartbeat interface IP checks connectivity; enabling debug HA heartbeat provides detailed heartbeat status.

820
MCQ (medium)

A FortiGate admin is troubleshooting an IPsec VPN tunnel that fails to establish. The remote site uses aggressive mode. The local FortiGate is configured for main mode. The admin sees 'no proposal chosen' in the IKE debug. What is the MOST likely cause?

A. The pre-shared key is incorrect
B. The IKE mode (main vs aggressive) does not match between peers
C. The local firewall is blocking UDP port 500
D. The Phase 2 encryption algorithm is not supported
Answer: B

Main mode and aggressive mode use different packet formats. A mismatch causes the peers to reject each other's proposals.

Why this answer

Option B is correct. IKE mode (main vs aggressive) must match between peers. If one side uses main mode and the other aggressive mode, Phase 1 will fail with 'no proposal chosen' because the IKE exchange format differs.

821
Multi-Select (medium)

A FortiGate admin is troubleshooting a policy that should allow VoIP traffic. The admin suspects that the SIP ALG is interfering. Which TWO actions should the admin take to verify or resolve the issue?

Select 2 answers
A. Disable the SIP ALG on the firewall policy
B. Enable 'set sip-nat-trace' on the policy
C. Enable 'set ssl-ssh-profile' on the policy
D. Increase the session TTL for SIP
E. Create a service object for SIP and set 'alg-mode' to 'disable'
Answers: A, E

Disabling the ALG for the policy prevents ALG from modifying packets.

Why this answer

Option A is correct because disabling the SIP ALG on the firewall policy stops the FortiGate from inspecting and modifying SIP traffic at the application layer. This is a common troubleshooting step when the SIP ALG interferes with VoIP traffic, as it can alter SIP headers or signaling in ways that break compatibility with certain VoIP providers or endpoints.

Exam trap

The trap here is that candidates may confuse 'sip-nat-trace' (a diagnostic tool) with a fix for ALG interference, or think increasing session TTL addresses the problem, when the real solution is to disable the ALG's application-layer processing.

822
MCQ (medium)

An administrator wants to use ZTNA (Zero Trust Network Access) to secure access to an internal application. Which component is required on the client device to enforce ZTNA policies?

A. FortiManager
B. FortiToken
C. FortiClient
D. FortiAnalyzer
Answer: C

FortiClient provides endpoint compliance and is the agent for ZTNA.

Why this answer

FortiClient is required on the client device to collect endpoint posture information (e.g., antivirus status, OS patches) and enforce ZTNA rules. The FortiGate uses FortiClient telemetry to make access decisions.

823
MCQ (medium)

A network administrator notices that traffic from a specific internal host is not being inspected by the application control profile applied to the firewall policy. The policy is configured with proxy-based inspection and the application control profile includes a rule to block 'Facebook'. The administrator confirms the host can still access Facebook. What is the MOST likely cause?

A. The host is accessing Facebook over HTTPS and the policy does not have SSL/TLS deep inspection enabled.
B. The firewall policy is using flow-based inspection instead of proxy-based.
C. The application control profile is configured with 'deep inspection' disabled.
D. The application control profile is applied only to outgoing traffic, but the host is using a proxy.
Answer: A

Application control cannot inspect encrypted application signatures without SSL deep inspection to decrypt the traffic.

Why this answer

Option A is correct because Facebook uses HTTPS. Without SSL deep inspection, the FortiGate cannot see the application layer inside the encrypted tunnel, so application control cannot block Facebook.

824
MCQ (easy)

An administrator needs to configure a FortiGate to allow web traffic from the internal network to the Internet. The internal network is 192.168.1.0/24 and the WAN interface is port1 with IP 203.0.113.1. Which firewall policy is correct?

A. Source: internal, Destination: port1, Service: HTTP/HTTPS, Action: ACCEPT
B. Source: port1, Destination: internal, Service: HTTP/HTTPS, Action: ACCEPT
C. Source: external, Destination: internal, Service: HTTP/HTTPS, Action: ACCEPT
D. Source: internal, Destination: port1, Service: ALL, Action: ACCEPT
Answer: A

This policy allows internal users to access web services on the Internet.

Why this answer

Option A is correct because the firewall policy must match traffic originating from the internal network (source: internal) destined for the Internet via the WAN interface (destination: port1), and the service must be restricted to HTTP/HTTPS to allow web traffic only. The action ACCEPT permits the traffic. This aligns with the standard stateful inspection flow where source and destination interfaces are defined based on traffic direction.

Exam trap

The trap here is that candidates often confuse the source and destination interfaces in a policy, thinking the destination should be the internal network instead of the WAN interface for outbound traffic, or they select Service: ALL to avoid missing any protocol, ignoring the requirement for web traffic only.

How to eliminate wrong answers

Option B is wrong because it reverses the source and destination interfaces: traffic from port1 (WAN) to internal would be inbound, not outbound web traffic from internal to the Internet. Option C is wrong because 'external' is not a valid source interface in this context; the source must be the internal network interface, and the destination interface must be port1 for outbound traffic. Option D is wrong because it uses Service: ALL, which would allow all protocols (e.g., SSH, SMTP) instead of restricting to HTTP/HTTPS as required for web traffic only, violating the principle of least privilege.

825
MCQ (easy)

An administrator wants to ensure that traffic to a specific web server always exits through a particular ISP link, regardless of route changes. Which feature should be configured?

A. Equal-cost multi-path (ECMP) routing
B. Policy-based routing (PBR)
C. Static route with higher distance
D. SD-WAN with load balancing
Answer: B

Policy routes allow forwarding decisions based on source/destination, overriding the routing table.

Why this answer

Policy-based routing (PBR) allows you to override the routing table by applying a route map to match traffic (e.g., source/destination IP, port) and explicitly set the next-hop interface or ISP link. This ensures traffic to the specific web server always exits through the designated ISP, regardless of dynamic route changes or the routing table's default behavior.

Exam trap

The trap here is that candidates confuse PBR with static routing or SD-WAN load balancing, thinking that a static route with a higher distance or SD-WAN can force traffic to a specific link, but only PBR provides the granular match-and-set logic to override the routing table for specific traffic flows regardless of route changes.

How to eliminate wrong answers

Option A is wrong because ECMP distributes traffic across multiple equal-cost paths for load balancing, not for pinning traffic to a specific link. Option C is wrong because a static route with a higher distance (administrative distance) acts as a backup route and only takes effect when the primary route is unavailable, not for forcing traffic to a particular link when the primary route is active. Option D is wrong because SD-WAN with load balancing distributes traffic across multiple WAN links based on policies or performance metrics, which does not guarantee that all traffic to a specific web server always uses the same ISP link.
