Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 826-900

1000 questions total · 14 pages · All types, answers revealed

Page 12 of 14
826 · MCQ · hard

A FortiGate is configured with two WAN interfaces in an SD-WAN zone. The administrator wants to ensure voice traffic uses the interface with the lowest latency. Which SD-WAN configuration should be used?

A. Set the strategy to 'Manual'
B. Set the strategy to 'Load Balance'
C. Configure an SD-WAN rule with a performance SLA that monitors latency and set strategy to 'Best Quality'
D. Use policy-based routing with a higher priority for voice traffic
Answer: C

Best Quality selects the best performing interface based on SLA metrics.

Why this answer

Option C is correct because SD-WAN rules with a performance SLA allow the FortiGate to monitor real-time latency on each WAN interface and dynamically route voice traffic to the interface with the lowest latency. The 'Best Quality' strategy selects the best-performing interface based on the SLA metrics, ensuring optimal voice quality.

Exam trap

The trap here is that candidates often confuse policy-based routing (PBR) with SD-WAN rules, not realizing that PBR lacks dynamic SLA-based path selection and cannot automatically adapt to changing network conditions.

How to eliminate wrong answers

Option A is wrong because setting the strategy to 'Manual' requires the administrator to statically assign traffic to a specific interface, which cannot adapt to changing latency conditions. Option B is wrong because 'Load Balance' distributes traffic across interfaces based on load, not latency, and does not guarantee the lowest-latency path for voice traffic. Option D is wrong because policy-based routing (PBR) uses static routing rules that do not dynamically adjust based on real-time latency measurements, unlike SD-WAN rules with performance SLAs.

827 · MCQ · easy

A FortiGate has been configured with two WAN interfaces (wan1, wan2) in an SD-WAN zone. The administrator wants to ensure that traffic for a specific internal server uses only wan1. What is the most appropriate method?

A. Disable wan2 in the SD-WAN zone
B. Use policy routing with a higher priority for wan1
C. Configure a static route with a higher distance for wan2
D. Create an SD-WAN rule to match the server's traffic and set the preferred member to wan1
Answer: D

SD-WAN rules provide application-aware steering and can force specific traffic to use wan1.

Why this answer

Option D is correct because SD-WAN rules allow granular traffic steering based on application, source, or destination. By creating an SD-WAN rule that matches the traffic destined for the internal server and setting the preferred member to wan1, the FortiGate will use SD-WAN's policy-based routing to ensure that traffic egresses exclusively via wan1, while other traffic can still use both WAN interfaces as per other rules.

Exam trap

The trap here is that candidates often confuse policy routing (Option B) with SD-WAN rules, not realizing that SD-WAN rules are the proper mechanism for per-traffic member selection within an SD-WAN zone, and that policy routing operates at a different layer and can override SD-WAN behavior if not carefully managed.

How to eliminate wrong answers

Option A is wrong because disabling wan2 in the SD-WAN zone removes it from all load-balancing and failover, which is overly broad and not a targeted solution for a single server's traffic. Option B is wrong because policy routing (PBR) operates independently of SD-WAN and can create conflicts; SD-WAN rules are the intended method for per-traffic member selection within an SD-WAN zone. Option C is wrong because configuring a static route with a higher distance for wan2 affects all traffic using that route, not just the specific server's traffic, and static routes do not integrate with SD-WAN's application-aware steering.

828 · MCQ · medium

A FortiGate administrator receives reports that some users are receiving spam emails despite an email filter profile being applied to the SMTP traffic. The email filter profile has 'spam' action set to 'discard'. What is the most likely reason spam is still reaching users?

A. The internal email server receives email directly from the internet without passing through the FortiGate
B. The spam dictionary is not updated with latest spam signatures
C. The email filter profile is not configured to scan outbound emails
D. The email filter profile is applied to the wrong policy direction (inbound vs outbound)
Answer: A

If the mail server is accessible directly from the internet, the FortiGate cannot inspect the SMTP traffic. The email filter only works on traffic that flows through the FortiGate.

Why this answer

Email filter profiles scan email traffic that passes through the FortiGate. If users are receiving spam from external mail servers that connect directly to the internal mail server without passing through the FortiGate, the email filter will not inspect that traffic.

829 · MCQ · easy

Which of the following security profiles is used to prevent malicious files from being downloaded via HTTP, FTP, or email by inspecting the content of the traffic?

A. Antivirus
B. Application Control
C. Web Filter
D. Intrusion Prevention System (IPS)
Answer: A

Why this answer

Antivirus profiles scan files transferred over HTTP, FTP, and email for malware. Web filter controls URL access, application control identifies applications, and IPS detects network-based attacks.

830 · MCQ · medium

You run the following commands on a FortiGate:

```
diagnose sys session filter dport 443
diagnose sys session list
```

The output shows:

```
proto=6 proto_state=01 duration=3600 expire=3599
```

What does this indicate?

A. The session has been established for 3600 seconds and has 3599 seconds remaining before timeout.
B. The session is using TCP state 01 (SYN_SENT) and is still in the process of establishing.
C. The session has been idle for 3600 seconds and will expire in 3599 seconds.
D. The session is using UDP protocol and will expire in 3599 seconds.
Answer: A

Duration shows seconds since session started, expire shows seconds until timeout.

Why this answer

Option A is correct because the output shows `duration=3600` and `expire=3599`, which indicate the session has been active for 3600 seconds and has 3599 seconds remaining before timeout. The `proto=6` confirms TCP (protocol 6), and `proto_state=01` represents the TCP state for an established connection (ESTABLISHED), not a handshake state.

Exam trap

The trap here is confusing `duration` (time since session creation) with idle time, and misinterpreting `proto_state=01` as a handshake state (SYN_SENT) instead of the correct ESTABLISHED state.

How to eliminate wrong answers

Option B is wrong because `proto_state=01` in FortiGate's session table represents TCP state ESTABLISHED (not SYN_SENT); SYN_SENT would be state 02. Option C is wrong because `duration` measures the total time since the session was created, not idle time; idle time is tracked separately via the `idle` field in the session list. Option D is wrong because `proto=6` explicitly indicates TCP, not UDP (which would be proto=17).

831 · MCQ · medium

An administrator configures a FortiGate to use NTP for time synchronization. After configuration, the FortiGate still shows the wrong time. Which command should the administrator run to verify NTP status?

A. show system ntp
B. execute ntp status
C. diagnose sys time status
D. diagnose sys ntp status
Answer: D

This command displays NTP synchronization status.

Why this answer

Option D is correct because 'diagnose sys ntp status' is the FortiGate CLI command that provides detailed NTP synchronization status, including whether the FortiGate is synchronized to an NTP server, the stratum level, and the last sync time. This command is specifically designed for troubleshooting NTP issues, unlike the other options which either show configuration or are invalid.

Exam trap

The trap here is that candidates confuse configuration commands (show system ntp) with diagnostic commands, or they assume a generic 'ntp status' command exists, when Fortinet specifically uses 'diagnose sys ntp status' for operational verification.

How to eliminate wrong answers

Option A is wrong because 'show system ntp' displays the NTP configuration (e.g., server addresses, authentication settings), not the operational status or synchronization state. Option B is wrong because 'execute ntp status' is not a valid FortiGate command; the correct execute command for NTP is 'execute ntp sync' to force synchronization. Option C is wrong because 'diagnose sys time status' shows the system time and time source (e.g., NTP, manual), but it does not provide detailed NTP peer status, offset, or jitter information.

832 · MCQ · easy

A FortiGate administrator needs to ensure that all internal users (10.0.0.0/8) accessing the internet use a single public IP address 203.0.113.10 for source NAT. Which NAT configuration should be used?

A. Create a Central SNAT rule with a Dynamic IP Pool using overload
B. Enable NAT on the outgoing interface policy without an IP pool
C. Create a policy-based NAT rule with fixed port range
D. Configure a VIP with port forwarding
Answer: A

Overload allows many internal users to share one public IP via port address translation.

Why this answer

Option A is correct because Central SNAT with a Dynamic IP Pool using overload (Port Address Translation) allows all internal users in 10.0.0.0/8 to share a single public IP (203.0.113.10) by dynamically mapping multiple private source IPs and ports to unique source ports on the public IP. This is the standard method for many-to-one NAT, ensuring all outbound internet traffic appears from the same public address.

Exam trap

The trap here is that candidates often confuse enabling NAT on the interface policy (Option B) with using a specific IP pool, not realizing that interface NAT uses the interface's own IP and cannot force a different public address without an explicit IP pool.

How to eliminate wrong answers

Option B is wrong because enabling NAT on the outgoing interface policy without an IP pool uses the interface's own IP address (typically the WAN IP) for source NAT, not a specific public IP like 203.0.113.10, and may not guarantee a single IP if the interface has multiple addresses. Option C is wrong because a policy-based NAT rule with fixed port range would restrict the number of concurrent sessions to the size of the port range, causing connection failures under load, and is not designed for many-to-one overload NAT. Option D is wrong because a VIP with port forwarding is used for inbound destination NAT (port mapping to internal servers), not for outbound source NAT from internal users to the internet.

833 · MCQ · medium

A network administrator configures a firewall policy allowing HTTP traffic from the internal network (10.0.0.0/8) to the internet. After applying the policy, users report they can browse the web, but the FortiGate logs show that all sessions are using the 'implicit deny' policy ID 0. What is the most likely cause?

A. The source interface on the policy is set to the WAN interface instead of the internal interface
B. Central NAT is enabled and overriding the policy-based NAT
C. The policy has a schedule applied that is currently inactive
D. The policy is placed after the implicit deny rule
Answer: A

If the source interface is wrong, the traffic will not match this policy. The administrator may have a different policy (or the implicit allow) allowing the traffic, but the logs show the implicit deny is being hit because the correct policy is not matched.

Why this answer

Option A is correct because if the source interface on the firewall policy is set to the WAN interface instead of the internal interface, traffic arriving from the internal network (10.0.0.0/8) on the internal interface will not match that policy. The FortiGate then falls through to the implicit deny policy (ID 0), which logs and drops the session. Since HTTP traffic is still reaching the internet, it suggests that another mechanism (such as a default route or NAT) is allowing the traffic, but the policy matching fails due to the interface mismatch.

Exam trap

The trap here is that candidates assume a policy with correct source/destination addresses will match regardless of the interface setting, but FortiOS strictly enforces interface matching, and a mismatch causes the policy to be ignored, leading to the implicit deny being hit.

How to eliminate wrong answers

Option B is wrong because Central NAT (centralized NAT policies) does not cause the implicit deny policy to be used; it only affects how NAT is applied, not the firewall policy matching itself. Option C is wrong because an inactive schedule would cause the policy to not match, but the logs would show the policy ID of the scheduled policy (not ID 0) if it were present, and the traffic would still be denied by the implicit deny; however, the question states users can browse the web, which would not happen if the only applicable policy had an inactive schedule. Option D is wrong because the implicit deny rule is always the last rule in the policy list; a policy placed after it is impossible in FortiOS, as the implicit deny is a built-in rule that cannot be reordered.

834 · MCQ · hard

A FortiGate administrator runs 'diagnose debug flow' with a filter for a specific source IP. The output shows 'no policy matched' for the traffic. The administrator verifies that a firewall policy exists with that source IP. What is the most likely reason for the 'no policy matched' message?

A. The firewall policy is disabled
B. The debug flow filter is not configured correctly
C. The source IP is not in the routing table
D. The traffic is being blocked by an implicit deny or a different policy before reaching the expected policy
Answer: D

In FortiGate, the first matching policy is applied. If an earlier policy denies the traffic, debug flow shows 'no policy matched' from the perspective of the correct policy, but actually a preceding policy matched.

Why this answer

Option D is correct. Debug flow may show 'no policy matched' when traffic hits an implicit deny before reaching the explicit policy, e.g., due to inter-VDOM routing or policy order where an earlier policy with a broader match blocks it.

835 · MCQ · medium

An administrator configures a FortiGate in transparent mode. Which of the following is correct regarding transparent mode operation?

A. The FortiGate performs NAT between its interfaces.
B. The FortiGate interfaces can be on different subnets.
C. The FortiGate requires a management IP on each interface.
D. The FortiGate is invisible to end devices and does not modify IP addresses.
Answer: D

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses without performing any IP-level modifications. This means it does not perform NAT, and end devices are unaware of its presence, making option D correct.

Exam trap

The trap here is that candidates confuse transparent mode with NAT/Route mode, assuming that all FortiGate modes perform NAT or require IP addresses on each interface, when in fact transparent mode is purely Layer 2 and does not modify IP headers.

How to eliminate wrong answers

Option A is wrong because transparent mode does not perform NAT; NAT is a Layer 3 function used in NAT/Route mode. Option B is wrong because all interfaces in transparent mode must belong to the same subnet to maintain Layer 2 bridging. Option C is wrong because transparent mode requires only a single management IP (typically on the management interface or a dedicated VLAN), not an IP on each interface.

836 · MCQ · medium

A FortiGate is set to NAT/Route mode. The admin wants traffic from internal users to the internet to use an IP address on the WAN interface for source NAT. Which configuration is required?

A. Set the FortiGate to transparent mode
B. Configure a policy route to force traffic through a specific interface
C. Configure a virtual IP mapping internal IPs to the WAN IP
D. Enable NAT on the policy from internal to WAN and set the outgoing interface to the WAN interface
Answer: D

This performs source NAT to the WAN IP.

Why this answer

In NAT/Route mode, source NAT (SNAT) is configured by enabling NAT on the firewall policy that governs traffic from the internal network to the WAN interface. When NAT is enabled on the policy and the outgoing interface is set to the WAN interface, FortiGate automatically translates the source IP of internal users to the primary IP address of that WAN interface (or a configured IP pool). This is the standard method for allowing internal users to access the internet with a public IP address.

Exam trap

The trap here is that candidates often confuse virtual IP (VIP) for source NAT, but VIP is strictly for destination NAT (inbound traffic), whereas source NAT for outbound traffic requires enabling NAT on the firewall policy.

How to eliminate wrong answers

Option A is wrong because transparent mode operates at Layer 2 without routing or NAT capabilities, which would prevent the required source NAT for internet access. Option B is wrong because policy routes control the path traffic takes based on routing criteria, not source NAT; they do not perform IP address translation. Option C is wrong because a virtual IP (VIP) is used for destination NAT (port forwarding), mapping an external IP/port to an internal server, not for source NAT of outbound traffic.

837 · MCQ · easy

What is the purpose of the 'safe search' option in a FortiGate web filter profile?

A. It enforces the use of HTTPS for search engines
B. It allows users to bypass URL filters during safe search
C. It filters explicit content from search engine results
D. It blocks all search engine traffic
Answer: C

Safe search activates the safe search mode of search engines (e.g., Google SafeSearch) to filter adult content.

Why this answer

Safe search enforces strict filtering on search engines to block explicit content in search results. It works by redirecting search queries to the safe search versions of supported search engines (Google, Bing, YouTube, etc.) when enabled.

838 · MCQ · medium

An organization uses Application Control to allow only business-critical applications and block social media. The administrator has configured the profile to block Facebook and Twitter, but users can still access Facebook. The firewall policy applies the profile correctly. What is the most likely cause?

A. The application control profile is applied to the wrong direction.
B. Facebook is not included in the default application signatures.
C. SSL inspection is not enabled on the firewall policy.
D. The FortiGate is in flow-based inspection mode.
Answer: C

Without SSL inspection, HTTPS traffic cannot be decrypted and inspected.

Why this answer

Application Control relies on SSL inspection to identify applications like Facebook that use HTTPS. Without SSL inspection enabled on the firewall policy, FortiGate can only see encrypted traffic as generic SSL/TLS flows and cannot match the application signatures for Facebook. Enabling SSL inspection (deep inspection or certificate-based inspection) allows the FortiGate to decrypt the traffic and apply the application control profile correctly.

Exam trap

The trap here is that candidates assume application control works on encrypted traffic by default, but FortiGate requires explicit SSL inspection to decrypt and identify HTTPS applications like Facebook.

How to eliminate wrong answers

Option A is wrong because the application control profile is applied to the firewall policy, which is bidirectional by default; the direction is not the issue since the policy is correctly applied and the traffic is passing through it. Option B is wrong because Facebook is included in the default application signatures provided by FortiGuard; the administrator would not need to add it manually. Option D is wrong because flow-based inspection mode does not prevent application control from working; it actually supports application control and can still identify applications, but without SSL inspection, encrypted traffic remains opaque regardless of inspection mode.

839 · MCQ · easy

A FortiGate administrator needs to allow all internal users (10.0.0.0/8) to access a web server in the DMZ (192.168.1.100) using HTTPS. The administrator wants to apply a web filter profile to block malicious URLs while allowing legitimate traffic. Which of the following is the correct policy configuration?

A. Policy: source=internal, destination=DMZ, service=ALL, action=ACCEPT, web filter profile=default
B. Policy: source=internal, destination=DMZ, service=HTTP, action=ACCEPT, web filter profile=default
C. Policy: source=internal, destination=DMZ, service=HTTPS, action=ACCEPT, web filter profile=default
D. Policy: source=internal, destination=DMZ, service=HTTPS, action=DENY, web filter profile=default
Answer: C

This correctly allows HTTPS traffic and applies web filtering.

Why this answer

To allow HTTPS traffic from internal to DMZ with web filtering, the policy must have source=internal_network, destination=DMZ_server, service=HTTPS, action=ACCEPT, and the web filter profile applied. The other options either block the traffic, use the wrong service, or misapply the profile.

840 · Multi-Select · easy

Which TWO of the following are valid methods to view real-time debug output on a FortiGate? (Choose two.)

Select 2 answers
A. diagnose sniffer packet
B. diagnose debug enable
C. diagnose sys session list
D. execute tail log
E. diagnose debug flow
Answers: A, E

Captures packets in real-time.

Why this answer

Diagnose debug flow and diagnose sniffer packet are real-time debug commands. Execute tail log is not a standard command.

841 · MCQ · hard

A FortiGate with multiple WAN interfaces uses policy-based routing (PBR) to route traffic from a specific subnet out of a particular interface. The admin also has a firewall policy allowing that subnet to the internet. However, the traffic is not being routed as expected. What could be the issue?

A. The firewall policy is placed above the PBR rule
B. The PBR rule does not have a matching protocol or service defined
C. The PBR rule uses an incorrect source or destination address
D. The FortiGate is in transparent mode
Answer: C

If the PBR rule does not match the traffic (e.g., wrong subnet), traffic follows the routing table instead.

Why this answer

Policy-based routing is evaluated after the routing table lookup but before firewall policy matching. If the PBR rule is incorrectly configured (e.g., wrong source/destination), traffic may take a different path. Another common issue is that PBR might conflict with the default route.

The question asks for the most likely issue — often it's that the PBR rule is not matching the traffic.

842 · MCQ · medium

An administrator configures an email filter profile to block spam. Users complain that legitimate emails from a specific partner are being blocked. The admin wants to allow emails from that partner's domain without disabling spam filtering for other domains. What is the BEST approach?

A. Add the partner's domain to the IP allowlist in the email filter profile
B. Increase the spam threshold until the emails pass
C. Disable spam filtering for the entire firewall policy
D. Create a separate firewall policy for the partner's traffic without email filtering
Answer: A

This ensures emails from that domain are not scanned for spam, while others are.

Why this answer

Option A is correct. An IP allowlist or domain whitelist in the email filter profile can be used to bypass spam filtering for specific senders, while still filtering other emails.

843 · Multi-Select · medium

A FortiGate administrator is investigating a performance issue and suspects that a large number of incomplete TCP connections are consuming session table resources. Which TWO commands would help identify such sessions? (Choose two.)

Select 2 answers
A. diagnose debug flow filter dport 80 ; diagnose debug enable
B. diagnose sys session stat
C. diagnose sniffer packet any 'tcp' 4
D. diagnose sys session filter state syn-sent ; diagnose sys session list
E. diagnose sys session filter proto 6 ; diagnose sys session list
Answers: B, D

Shows counts of sessions by state, including incomplete states.

Why this answer

Diagnose sys session list with filter can show sessions by state. Diagnose sys session stat shows counts by state. The sniffer shows packets, not session state; debug flow is for tracing specific streams.

844 · MCQ · hard

During a firmware upgrade, the admin uploads the image via the GUI and clicks 'Upgrade'. The FortiGate reboots but comes up with the old firmware. What is the MOST likely cause?

A. The firmware image file is corrupted or not compatible with the platform
B. The FortiGate was in HA mode and the peer did not upgrade
C. The admin did not reboot after the upgrade
D. The admin forgot to save the configuration before upgrading
Answer: A

Corrupted or incompatible images cause upgrade failure; the FortiGate reverts to previous firmware.

Why this answer

When a FortiGate reboots after an upgrade but loads the old firmware, the most likely cause is that the uploaded firmware image was corrupted or incompatible with the platform. The FortiGate verifies the image integrity (e.g., checksum) during the upgrade process; if the image fails validation, the system will not commit the new firmware and will fall back to the previous version stored in the secondary boot partition. This ensures the device remains operational even if the upgrade image is invalid.

Exam trap

The trap here is that candidates often assume a failed upgrade is due to a missing reboot or HA misconfiguration, but Fortinet specifically designs the upgrade process to automatically reboot and validate the image, making image corruption or incompatibility the primary cause when the old firmware reappears.

How to eliminate wrong answers

Option B is wrong because in an HA cluster, the upgrade process is coordinated; if the peer does not upgrade, the primary would either fail to upgrade or the cluster would split, but the FortiGate would not reboot to the old firmware on its own—it would typically remain on the new firmware or fail to complete the upgrade. Option C is wrong because the admin explicitly clicked 'Upgrade', which triggers an automatic reboot; no separate manual reboot is required, and the issue is that the device came up with old firmware, not that it didn't reboot. Option D is wrong because configuration is stored separately from firmware; forgetting to save the config does not affect which firmware version loads after reboot—the config is saved automatically before upgrade or can be restored, but it does not cause the old firmware to load.

845 · MCQ · hard

An administrator notices that a specific application (e.g., Skype) is not being detected by the application control profile. The profile includes the 'Skype' application signature but traffic is passing through without being logged as Skype. What is the most likely reason?

A. The application control profile is set to 'Monitor' mode
B. The traffic is using a non-standard port
C. The application signature is outdated
D. SSL deep inspection is not enabled on the firewall policy
Answer: D

Skype uses encryption. Without deep inspection, FortiGate cannot decrypt the traffic to inspect the application layer.

Why this answer

Application control requires deep inspection for encrypted traffic because it needs to see into the TLS session to match application signatures. If the policy does not have SSL deep inspection, the traffic appears as generic HTTPS and cannot be identified as Skype.

846 · MCQ · medium

A FortiGate administrator has configured a route-based IPsec VPN. After Phase 2 is up, traffic is not passing. The administrator verifies that the firewall policy allows traffic and the routes are correct. What should the administrator check next?

A. The static route uses the VPN interface as the outgoing interface
B. The remote gateway's IP address is reachable
C. The pre-shared key is correct
D. The Phase 2 proposal includes the correct local and remote subnets
Answer: A

For route-based VPN, a static route must point to the virtual IPsec interface for the remote subnet.

Why this answer

In route-based VPN, the VPN interface must have the correct remote IP address or the route must be via the VPN interface. A common issue is that the remote subnet is not correctly learned, or that the static route does not point to the virtual IPsec interface.

847 · MCQ · easy

A FortiGate is deployed in NAT/Route mode. The administrator wants to create a policy that allows internal users to access the internet and also translates their private IP addresses to the public IP of the FortiGate's WAN interface. Which policy configuration is required?

A. Configure a virtual IP (VIP) for the WAN interface
B. Set the policy action to ACCEPT and enable SNAT in the policy advanced options
C. Add a static route with NAT enabled
D. Enable NAT on the firewall policy
Answer: D

Enabling NAT on the policy performs source NAT to the outgoing interface IP.

Why this answer

Option D is correct because in NAT/Route mode, enabling NAT on the firewall policy performs source NAT (SNAT) by default, translating the private source IP addresses of internal users to the public IP address of the FortiGate's WAN interface. This is the standard method for allowing internal users to access the internet while hiding their private addresses behind a single public IP.

Exam trap

The trap here is that candidates may confuse source NAT (enabled on the firewall policy) with destination NAT (configured via VIPs) or mistakenly think NAT is a routing feature, leading them to select options like static route with NAT or VIP configuration.

How to eliminate wrong answers

Option A is wrong because a virtual IP (VIP) is used for destination NAT (DNAT), translating incoming traffic's destination IP to an internal server, not for translating source IPs of outbound traffic. Option B is wrong because while setting the policy action to ACCEPT is necessary, SNAT is not a separate toggle in advanced options; NAT is enabled directly on the firewall policy, and there is no 'SNAT' checkbox distinct from the NAT option. Option C is wrong because static routes do not have a NAT feature; NAT is configured at the firewall policy level, not on routing entries.

848 · MCQ · medium

An administrator is troubleshooting a firewall policy that should apply application control. The application control profile is configured but traffic is not being inspected. The administrator runs 'diagnose debug flow' and sees that the traffic is hitting the correct policy. What could be the issue?

A. The FortiGate has not downloaded the latest application signatures
B. The firewall policy inspection mode is set to proxy-based
C. The traffic is using encryption that prevents inspection
D. The application control profile is not enabled on the policy
Answer: B

Application control requires flow-based inspection mode.

Why this answer

Application control requires flow-based inspection; if the policy is set to proxy-based, application control may not work.

849 · Multi-Select · hard

An admin needs to configure NAT for internal users accessing the internet. The requirements are: 1) All internal users must be translated to a single public IP. 2) The translation should use port address translation (PAT). 3) The configuration must allow tracking of which internal user initiated a connection. Which THREE settings must be configured? (Choose three.)

Select 3 answers
A. Set the policy's NAT to use the egress interface IP
B. Configure a central SNAT policy with the same pool
C. Enable NAT on the firewall policy and select the IP pool
D. Enable logging on the firewall policy to record user activity
E. Create an IP pool with the public IP address and set type to Overload
Answers: C, D, E

The policy must use NAT and reference the IP pool for translation.

Why this answer

To translate to a single public IP with PAT, the admin should use an IP pool configured as overload (PAT). Additionally, to track users, the policy must have logging enabled for user activity, and optionally, identity-based policy or authentication can be used. The pool itself does not track users; logging does.

850
MCQ (easy)

Which security profile is used to detect and prevent network-based attacks by analyzing traffic patterns and comparing them against known attack signatures?

A.DLP profile
B.IPS profile
C.Web filter profile
D.Antivirus profile
Answer: B

IPS uses signatures to detect and prevent network attacks.

Why this answer

Option B is correct. Intrusion Prevention System (IPS) profiles analyze traffic for malicious patterns and can block attacks in real time.

851
Multi-Select (hard)

A FortiGate administrator is setting up a new FortiGate and needs to integrate it with FortiAnalyzer and FortiManager. Which THREE statements are correct regarding this integration?

Select 3 answers
A.FortiAnalyzer can generate reports based on the logs received from FortiGate.
B.FortiManager can be used to manage multiple FortiGate devices from a central console.
C.FortiAnalyzer can push configuration changes to the FortiGate.
D.FortiGate uses the FGFM protocol to communicate with FortiAnalyzer.
E.FortiAnalyzer can receive logs from the FortiGate for centralized logging and analysis.
Answers: A, B, E

FortiAnalyzer provides reporting capabilities.

Why this answer

Option A is correct because FortiAnalyzer is designed to receive logs from FortiGate devices and use them to generate comprehensive reports. The FortiGate sends logs via syslog or the FGFM protocol, and FortiAnalyzer stores them in its SQL database, allowing administrators to create scheduled or on-demand reports for compliance, traffic analysis, and security events.

Exam trap

The trap here is that candidates often confuse the roles of FortiAnalyzer and FortiManager, assuming FortiAnalyzer can manage configurations or that FGFM is used for both, when in fact FGFM is the FortiGate-FortiManager protocol, while FortiAnalyzer uses syslog or FGFM only for log forwarding.

852
MCQ (medium)

A FortiGate administrator configures a captive portal on a VDOM to authenticate users connecting to a guest SSID. The authentication method is set to LDAP. Users can reach the captive portal login page, but after entering valid credentials, they receive an authentication failure. The LDAP server is reachable from the FortiGate. What is the MOST likely cause?

A.The user is not a member of the configured user group
B.The captive portal is using HTTP instead of HTTPS
C.The captive portal interface is not in the same VDOM as the LDAP server
D.The LDAP server requires TLS and FortiGate is using plain LDAP
Answer: A

FortiGate checks membership in the group referenced in the policy. If the user is not in that group, authentication fails.

Why this answer

Captive portal authentication requires the user to be a member of a user group that is referenced in the firewall policy. If the LDAP user is not in the configured group (or the group is not properly mapped to an LDAP query), authentication will fail.

853
MCQ (easy)

An administrator needs to send logs from a FortiGate to a remote FortiAnalyzer for centralized log storage and analysis. Which configuration step is required on the FortiGate?

A.Configure a firewall policy allowing traffic from FortiGate to FortiAnalyzer on port 514
B.Set the FortiAnalyzer as the log destination in Log Settings
C.Create a log forwarding rule to forward all logs to the FortiAnalyzer
D.Install a FortiGate connector on the FortiAnalyzer
Answer: B

The administrator must enter the FortiAnalyzer IP address and enable logging to FortiAnalyzer under System > Settings or via CLI.

Why this answer

To send logs to FortiAnalyzer, the administrator must configure the FortiAnalyzer as a remote log destination under Log Settings. This is done via 'config log fortianalyzer setting' and specifying the server IP and other parameters.

854
MCQ (medium)

An administrator creates a firewall policy to allow internal users to access the internet. The source interface is 'internal', destination interface is 'wan1', and NAT is enabled. Users complain that they cannot access external resources. The administrator verifies that the default route points to the ISP gateway. What is the most likely missing configuration?

A.The DNS server is not configured on the FortiGate
B.The FortiGate is in transparent mode
C.The policy action is set to DENY
D.The session helper for FTP is disabled
Answer: C

If the policy action is DENY, traffic is blocked despite other correct settings.

Why this answer

The most likely missing configuration is that the firewall policy action is set to DENY. Even with correct NAT, routing, and DNS settings, if the policy action is DENY, traffic from the internal interface to the wan1 interface will be dropped. The administrator must ensure the policy action is ACCEPT to permit outbound traffic.

Exam trap

The trap here is that candidates often overlook the policy action and instead focus on routing or NAT issues, assuming that if the default route and NAT are configured, traffic must flow, but the policy action is the gatekeeper that must be set to ACCEPT.

How to eliminate wrong answers

Option A is wrong because DNS server configuration is not required for basic internet access; users can use external DNS servers or IP addresses directly. Option B is wrong because transparent mode operates at Layer 2 and does not use NAT or routing in the same way; the scenario describes NAT enabled and a default route, which implies the FortiGate is in NAT/route mode. Option D is wrong because the session helper for FTP is only relevant for FTP traffic, not general internet access, and its disabling would not block all external resources.

855
MCQ (easy)

What is the difference between 'certificate inspection' and 'full SSL deep inspection' on a FortiGate?

A.Certificate inspection decrypts the traffic but does not check the certificate.
B.Deep inspection is less secure than certificate inspection.
C.Certificate inspection only validates the server certificate, while deep inspection decrypts and inspects the entire TLS session content.
D.Both methods provide the same level of inspection.
Answer: C

Certificate inspection checks the certificate chain and validity but does not decrypt traffic. Deep inspection decrypts the session, inspects the payload, then re-encrypts.

856
Multi-Select (medium)

An administrator wants to ensure that all DNS traffic from internal users is filtered by the FortiGate to block malicious domains. Which TWO configurations are necessary? (Choose two.)

Select 2 answers
A.Set DNS server to FortiGate's IP
B.Apply the DNS filter profile to a firewall policy that matches DNS traffic
C.Create a DNS filter profile and set action for malicious domains to 'block'
D.Enable sinkhole on the DNS filter profile
E.Configure SSL deep inspection for DNS over HTTPS
Answers: B, C

The profile must be applied to a policy that intercepts DNS queries (typically port 53).

Why this answer

Options B and C are correct. Both the DNS filter profile and its application to a firewall policy that matches DNS traffic are necessary.

857
MCQ (hard)

An administrator executes 'diagnose debug flow' for a specific session and sees the output: 'id=20085 trace_id=10 func=print_pkt_detail line=5567 msg="vd-root:0 received packet via port1".' Later, the trace shows 'msg="Deny by policy"'. What is the most likely next step the administrator should take?

A.Check the routing table for the destination
B.Review the firewall policies that apply to the traffic and modify as needed
C.Restart the FortiGate to clear session table
D.Enable session helper for the protocol
Answer: B

The debug clearly states 'Deny by policy', so the solution is to adjust policy.

Why this answer

The debug flow indicates the packet is denied by a firewall policy. The admin should identify which policy is blocking it and adjust accordingly.

858
MCQ (easy)

A FortiGate administrator receives an alert that the FortiGuard antivirus database on the firewall is outdated. Which subscription service must be active to update the antivirus signatures?

A.FortiGuard IPS Service
B.FortiGuard Application Control Service
C.FortiGuard Antivirus Service
D.FortiGuard Web Filtering Service
Answer: C

This service provides antivirus signature updates.

Why this answer

Option C is correct. The FortiGuard Antivirus Service (AV) provides signature updates for antivirus scanning. Without a valid subscription, updates fail.

859
MCQ (easy)

A network administrator needs to configure a FortiGate to participate in SNMP monitoring. Which CLI command enables SNMP agent on the FortiGate?

A.config system snmp set status enable
B.set system snmp enable
C.set snmp agent enable
D.enable snmp service
Answer: A

This is the correct command sequence to enable SNMP.

Why this answer

The correct command to enable the SNMP agent on a FortiGate is 'config system snmp' followed by 'set status enable'. This enters the SNMP configuration context and activates the SNMP agent, which is required for the FortiGate to respond to SNMP queries from management systems. Without this command, the SNMP service remains disabled regardless of other SNMP settings.

Exam trap

The trap here is that candidates often confuse the FortiGate CLI syntax with Cisco IOS commands, where 'snmp-server enable' or 'snmp-server community' are used, leading them to select a similarly phrased but incorrect option like 'enable snmp service'.

How to eliminate wrong answers

Option B is wrong because 'set system snmp enable' is not a valid FortiGate CLI command; the correct syntax requires entering the 'config system snmp' context first. Option C is wrong because 'set snmp agent enable' does not exist in FortiGate CLI; the agent is controlled via the 'status' parameter under 'config system snmp'. Option D is wrong because 'enable snmp service' is not a valid FortiGate command; SNMP is managed through the 'config system snmp' hierarchy, not a simple service enable command.

860
MCQ (medium)

A FortiGate is configured with two ISPs (WAN1 and WAN2) and uses SD-WAN for load balancing. The administrator notices that traffic to a critical SaaS application is being sent over the slower link. What should the administrator do to ensure this traffic uses the faster link?

A.Create an SD-WAN rule to match the SaaS application's destination and set preferred member to the faster link.
B.Remove the slower link from the SD-WAN interface.
C.Increase the bandwidth on the slower link.
D.Configure policy-based routing for the SaaS application.
Answer: A

SD-WAN rules allow traffic steering based on application.

Why this answer

Option A is correct because SD-WAN rules allow you to define traffic steering policies based on application or destination, and setting a preferred member explicitly directs matching traffic to the faster link. This overrides the default load-balancing algorithm, ensuring critical SaaS traffic uses the optimal path without affecting other traffic.

Exam trap

The trap here is that candidates often confuse SD-WAN rules with policy-based routing, thinking PBR can achieve the same result, but PBR lacks SD-WAN's application awareness, SLA monitoring, and seamless failover integration.

How to eliminate wrong answers

Option B is wrong because removing the slower link from the SD-WAN interface would eliminate redundancy and failover capability, not solve the traffic steering issue. Option C is wrong because increasing bandwidth on the slower link does not change the SD-WAN load-balancing decision; the traffic would still be sent to that link based on the current algorithm. Option D is wrong because policy-based routing (PBR) is a static routing mechanism that does not integrate with SD-WAN's dynamic path selection, performance SLA monitoring, or application-based steering, and it can conflict with SD-WAN rules.

861
Multi-Select (hard)

A company has multiple branch offices connected via IPsec VPN in a hub-and-spoke topology. They want to enable direct communication between branch offices without routing traffic through the hub. Which THREE configurations are required on the hub FortiGate? (Choose three.)

Select 3 answers
A.Enable 'forward traffic' in Phase 1 settings
B.Static routes for each branch's subnet pointing to the respective VPN interface
C.Phase 2 selectors that include both branch subnets in one proposal
D.Disable anti-replay on all tunnels
E.A firewall policy allowing traffic between the VPN interfaces
Answers: B, C, E

The hub needs routes to forward traffic between spokes.

Why this answer

To allow spoke-to-spoke communication without traversing the hub, the hub must have routes to both spokes, Phase 2 selectors that cover traffic between the spokes, and a firewall policy permitting inter-spoke traffic.

862
MCQ (medium)

A FortiGate administrator needs to forward logs to a FortiAnalyzer for centralized management. The FortiAnalyzer is reachable at 10.0.1.100. Which configuration step is required on the FortiGate to send logs to this FortiAnalyzer?

A.Configure a syslog server under Log Setting
B.Add a firewall policy allowing traffic from FortiGate to FortiAnalyzer
C.Configure the FortiAnalyzer in System > FortiAnalyzer
D.Enable logging to FortiCloud instead
Answer: C

The FortiAnalyzer must be configured under System > FortiAnalyzer or via CLI under 'config log fortianalyzer setting'.

Why this answer

To send logs to FortiAnalyzer, the administrator must configure the FortiAnalyzer server under System > FortiAnalyzer or via CLI using 'config log fortianalyzer setting set server 10.0.1.100'. The log forwarding policy is not used for FortiAnalyzer.

863
Multi-Select (medium)

An administrator is configuring a FortiGate to send logs to a FortiAnalyzer. Which TWO of the following are required? (Choose two.)

Select 2 answers
A.Enable local logging on the FortiAnalyzer
B.Create a firewall policy on the FortiGate to allow log traffic
C.Ensure network connectivity between FortiGate and FortiAnalyzer
D.Disable local logging on the FortiGate
E.Configure the FortiGate to send logs to the FortiAnalyzer
Answers: C, E

Essential for log transmission.

Why this answer

Option C is correct because the FortiGate must have IP reachability to the FortiAnalyzer to send logs over the network, typically using TCP port 514 (syslog) or FortiGate's proprietary log forwarding protocol. Without network connectivity, log transmission will fail regardless of configuration.

Exam trap

The trap here is that candidates often think a firewall policy is needed to allow log traffic, but FortiGate's own traffic (including logs) is not subject to firewall policies; only transit traffic requires policies.

864
MCQ (hard)

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A.The session is using UDP protocol
B.The session has expired and is being removed
C.The session is in the TCP SYN sent state, not yet fully established
D.The session has completed the three-way handshake and is established
Answer: C

Proto=6 is TCP, proto_state=01 indicates TCP state SYN_SENT. The session is still trying to establish.

Why this answer

The output shows a TCP session (proto=6) in state 01 (TCP SYN sent), duration 3600 seconds, and expire 3599 seconds. This indicates the session is in the initial SYN state and has not completed the three-way handshake.

865
MCQ (hard)

A FortiGate HA cluster is experiencing frequent failovers. The administrator checks the HA event log and sees repeated 'Heartbeat loss' messages. The heartbeat interfaces are connected directly via a crossover cable. What is the MOST likely cause?

A.The session pickup option is enabled
B.The HA uptime monitor is enabled and tracking a failed interface
C.The HA override setting is disabled
D.The heartbeat interface has a duplex mismatch
Answer: D

A duplex mismatch can cause packet loss on the heartbeat link, leading to intermittent heartbeat loss and frequent failovers.

Why this answer

If the heartbeat interfaces are directly connected, the link is expected to be stable. Frequent heartbeat loss suggests that the heartbeat interval or failover threshold is misconfigured, or that there is a duplex mismatch on the link.

866
MCQ (medium)

An administrator needs to configure two-factor authentication for SSL VPN users using FortiToken. Which configuration is required on the FortiGate?

A.Enable two-factor authentication globally on the FortiGate
B.Enable FortiToken on the user account and configure the authentication scheme to require token
C.Install the FortiToken mobile app on the FortiGate
D.Create a separate firewall policy for token-based authentication
Answer: B

The user must be assigned a token, and the authentication method must enforce two-factor.

Why this answer

FortiToken two-factor authentication requires the user account to have a FortiToken assigned. The user can then be required to enter a token code during authentication. The firewall policy itself must use an authentication scheme that enforces two-factor.

867
MCQ (hard)

An administrator needs to implement two-factor authentication for SSL VPN access using FortiToken. Which configuration steps are required?

A.Assign a FortiToken to the user and set the user's authentication method to two-factor
B.Configure the RADIUS server to send FortiToken challenges
C.Enable FortiToken on the firewall policy
D.Enable two-factor authentication on the SSL VPN portal settings
Answer: A

This is the correct method: user object has two-factor enabled and a token assigned.

Why this answer

FortiToken two-factor requires enabling two-factor authentication on the user object, associating one or more FortiToken tokens with the user, and ensuring the SSL VPN authentication method uses that user group.

868
MCQ (medium)

A network administrator needs to configure a FortiGate to allow administrative access from a specific management subnet only. Which configuration step should be taken?

A.Create a local-in policy to permit traffic from the management subnet.
B.Disable administrative access on all interfaces except the management interface.
C.Configure an inbound firewall policy allowing HTTPS from the management subnet to the FortiGate's interface IP.
D.Under system > admin > settings, restrict administrative access to trusted hosts.
Answer: D

Why this answer

Option D is correct because the 'Trusted Hosts' feature under System > Admin > Settings allows you to restrict administrative access (HTTPS, SSH, Telnet, etc.) to specific source IP addresses or subnets. This is the intended method for limiting management access to a management subnet without affecting other traffic or interface configurations.

Exam trap

The trap here is that candidates often confuse local-in policies with trusted hosts, thinking that a local-in policy is the primary method for restricting management access, when in fact trusted hosts is the simpler and correct approach for source-based restriction.

How to eliminate wrong answers

Option A is wrong because a local-in policy filters traffic destined to the FortiGate itself, but it is typically used for advanced traffic shaping or rate limiting, not for restricting administrative access based on source subnet; using it for this purpose would be overly complex and not the standard practice. Option B is wrong because disabling administrative access on all interfaces except the management interface does not restrict access by source IP; it only limits which interfaces can be used for management, but any host on the management subnet could still access the FortiGate from that interface. Option C is wrong because an inbound firewall policy controls traffic passing through the FortiGate (forward traffic), not traffic destined to the FortiGate itself (local-in traffic); administrative access is governed by local-in policies or trusted hosts, not by standard firewall policies.

869
MCQ (medium)

During an IPsec VPN troubleshooting, you run 'diagnose vpn ike config' and see the output includes 'peer-id: any'. What does this mean?

A.The FortiGate will accept connections from any remote IP address.
B.The FortiGate will use aggressive mode for IKE negotiation.
C.The Phase 2 selectors are configured for any protocol.
D.The FortiGate will accept any peer identity during IKE authentication.
Answer: D

Peer-id 'any' means identity validation is not enforced.

Why this answer

The peer-id field in the IKE config shows the expected identity of the remote peer. If it's 'any', the FortiGate will accept any peer ID during Phase 1 authentication, which is typically used when the remote peer's IP is dynamic or when using certificates with subject matching disabled.

870
MCQ (medium)

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A.The FortiGuard antivirus subscription has expired
B.The web server's certificate is self-signed and FortiGate is rejecting the connection
C.SSL/TLS deep inspection is not enabled on the firewall policy
D.The antivirus profile is configured for flow-based inspection instead of proxy-based
Answer: C

HTTPS traffic is encrypted. Without SSL deep inspection, FortiGate cannot decrypt the TLS session to inspect the payload. The antivirus profile requires the traffic to be decrypted first.

Why this answer

Option C is correct because HTTPS uses TLS encryption. Without SSL deep inspection enabled on the policy, FortiGate cannot decrypt and inspect the content of HTTPS traffic. The antivirus profile will only scan unencrypted traffic or traffic that deep inspection has decrypted first.

871
MCQ (hard)

A FortiGate admin configures a firewall policy to allow outbound HTTP traffic and applies a web filter profile. The admin notices that some users can access a known malicious URL while others are blocked. All users are in the same source subnet (10.0.1.0/24). What is the MOST likely cause of this inconsistent behavior?

A.The FortiGate is using a proxy server that caches different results for different users
B.The web filter profile is configured to 'allow' but the FortiGuard rating is inconsistent
C.The firewall policy has an FQDN destination that resolves to different IPs for different users due to DNS load balancing
D.Some users have a different web filter profile applied due to a policy ordering issue where a higher-priority policy matches their traffic
Answer: D

If a policy with a lower policy ID does not have the web filter profile, traffic matching that policy will bypass the intended filtering.

Why this answer

Option D is correct because when multiple firewall policies match traffic from the same source subnet, FortiGate uses the first matching policy in order (lowest policy ID). If a higher-priority policy with a different web filter profile matches some users' traffic (e.g., based on source port or application), those users will have different filtering behavior. This is a classic policy ordering issue where the intended web filter profile is not applied consistently to all users in the same subnet.

Exam trap

The trap here is that candidates assume all traffic from the same subnet is treated identically, overlooking that FortiGate policy matching is first-match and can differentiate based on other attributes like source port or user identity, leading to inconsistent profile application.

How to eliminate wrong answers

Option A is wrong because FortiGate does not use an external proxy server for web filtering by default; it uses local proxy-based inspection or flow-based inspection, and caching is not a factor in inconsistent web filter results. Option B is wrong because FortiGuard ratings are consistent per URL and do not vary per user; if the rating is inconsistent, it would affect all users equally, not selectively. Option C is wrong because FQDN resolution in firewall policies is performed by the FortiGate itself, not per user; DNS load balancing would return different IPs to the FortiGate, but the FortiGate resolves the FQDN once and uses that single IP for policy matching, so it cannot cause per-user differences.

872
MCQ (medium)

An administrator configures a web filter profile with FortiGuard category blocking and URL filter to allow example.com. Users report that example.com is still blocked. What is the most likely cause?

A.The URL filter requires deep inspection to be enabled
B.The URL filter entry is placed after the FortiGuard category in the policy
C.The DNS filter is blocking example.com before the web filter is evaluated
D.The FortiGuard category action is set to 'block' and takes precedence over the URL filter allow rule
Answer: D

In FortiOS, when a category is set to block, it blocks all URLs in that category regardless of individual URL filter entries unless the URL filter uses an allow action and is configured to override categories.

Why this answer

In FortiOS, the FortiGuard category action takes precedence over URL filter exceptions unless the URL filter is configured with an action of 'allow' and a higher priority order. By default, category blocking overrides individual URL allow rules.

873
MCQ (medium)

A network administrator notices that an IPS sensor is generating excessive false positives for a specific signature. The administrator wants to exclude traffic from a trusted internal server (IP 10.1.1.100) from inspection for that signature only, while keeping other signatures active. Which configuration change should the administrator apply?

A.Set the signature action to 'pass' and use an application control profile to bypass the server.
B.Disable the signature in the IPS sensor configuration.
C.Add the server's IP to the exempt list in the IPS sensor.
D.Create an IPS filter that excludes the server's source IP address from the signature.
Answer: D

An IPS filter with a source address exception allows selective exclusion for a specific signature.

Why this answer

Option D is correct because an IPS filter allows the administrator to define a rule that excludes traffic from a specific source IP address (10.1.1.100) from inspection for a particular signature, while leaving all other signatures active. This granular approach ensures that false positives for that signature are reduced without disabling the signature entirely or affecting other traffic.

Exam trap

The trap here is that candidates often confuse the 'exempt list' (which bypasses all IPS inspection for a host) with an 'IPS filter' (which can exclude traffic from a specific signature only), leading them to choose option C incorrectly.

How to eliminate wrong answers

Option A is wrong because setting the signature action to 'pass' would bypass inspection for that signature globally, not just for the trusted server, and using an application control profile does not apply to IPS signatures. Option B is wrong because disabling the signature entirely would stop all inspection for that signature across all traffic, which is too broad and would miss real threats from other sources. Option C is wrong because the exempt list in an IPS sensor typically excludes traffic from all inspection, not just for a specific signature, which would bypass all IPS signatures for that server.

874
MCQ (medium)

A FortiGate HA cluster is configured in active-passive mode with two units. The primary unit fails. The secondary unit takes over, but some established TCP sessions are dropped. What is the most likely cause?

A.Session synchronization is not enabled
B.The HA failover threshold is set too high
C.The HA mode is active-passive
D.The heartbeat interface is down
Answer: A

Without session sync, the backup unit has no session table, so TCP sessions are lost on failover.

Why this answer

Option A is correct because session synchronization must be enabled for sessions to be preserved during failover. Without session sync, the backup unit has no knowledge of existing sessions and drops them.

875
MCQ (easy)

A FortiGate needs to resolve DNS names for outbound traffic. The administrator configures DNS servers under System > DNS. However, internal DNS queries for private domains fail. What additional configuration is required?

A.Create a DNS database entry for the private domain.
B.Add a static route for DNS traffic.
C.Configure a DNS server on the WAN interface.
D.Enable DNS proxy on the FortiGate.
Answer: A

Why this answer

When a FortiGate is configured with DNS servers under System > DNS, it can resolve public DNS names for outbound traffic. However, for private domains (e.g., internal.company.local), the FortiGate cannot resolve these because they are not registered in public DNS. Creating a DNS database entry for the private domain allows the FortiGate to act as an authoritative DNS server for that domain, providing local resolution for internal queries.

Exam trap

The trap here is that candidates often confuse the DNS proxy (which forwards queries) with the DNS database (which provides authoritative answers), leading them to select option D instead of A.

How to eliminate wrong answers

Option B is wrong because static routes are used for network-layer reachability, not for DNS resolution; DNS traffic will already follow the default route if the DNS server is reachable via the WAN. Option C is wrong because configuring a DNS server on the WAN interface is not a standard FortiGate feature; DNS servers are configured globally under System > DNS, and adding a DNS server on the WAN interface does not enable local domain resolution. Option D is wrong because enabling DNS proxy on the FortiGate only forwards DNS queries to configured DNS servers and does not provide local resolution for private domains; it is used for caching or filtering, not for authoritative responses.

876
Multi-Select (medium)

A FortiGate administrator needs to configure NTP to ensure accurate time on the device. Which two steps are required? (Choose two.)

Select 2 answers
A.Enable the 'Sync on Save' option
B.Specify at least one NTP server address
C.Enable NTP under System > Settings
D.Configure a firewall policy to allow NTP traffic (UDP 123)
E.Set the time zone to the local time zone
Answers: B, C

At least one server is required for synchronization.

Why this answer

NTP requires both enabling the NTP service on the FortiGate (System > Settings) and specifying at least one NTP server address so the device can synchronize its clock. Without a server address, the NTP client has no source to query, and without enabling the service, the NTP client process will not run.

Exam trap

The trap here is that candidates often think a firewall policy is required for NTP traffic, but FortiGate's own NTP client uses the management interface and does not need a policy, unlike user traffic destined for NTP servers.

877
MCQ (hard)

An administrator wants to inspect SSL traffic to a specific finance application that uses a custom port (9443) and a self-signed certificate. Which configuration is required?

A.Configure certificate inspection on the policy.
B.Disable SSL inspection for that application.
C.Use deep inspection and add the application's self-signed certificate to the FortiGate's trusted CA list.
D.Use flow-based inspection with certificate inspection.
Answer: C

Deep inspection decrypts and re-encrypts; trusted CA list allows self-signed certs.

Why this answer

Option C is correct because deep inspection is required to decrypt and inspect SSL traffic using a self-signed certificate on a non-standard port. The FortiGate must trust the application's self-signed certificate by adding it to the trusted CA list; otherwise, the deep inspection proxy will fail to validate the certificate and drop the connection. Certificate inspection (Option A) only checks the certificate metadata without decrypting the payload, so it cannot inspect the actual application traffic.

Exam trap

The trap here is that candidates often confuse certificate inspection with deep inspection, assuming certificate inspection can decrypt traffic, when in fact only deep inspection performs full decryption and is required for self-signed certificates on non-standard ports.

How to eliminate wrong answers

Option A is wrong because certificate inspection only validates the certificate chain and does not decrypt the SSL payload, so it cannot inspect the content of the finance application traffic. Option B is wrong because disabling SSL inspection would allow unencrypted traffic to pass without any inspection, defeating the administrator's goal of inspecting SSL traffic. Option D is wrong because flow-based inspection with certificate inspection still does not decrypt the traffic; deep inspection (proxy-based) is required to decrypt and inspect traffic with a self-signed certificate.

878
Multi-Select · medium

An organization wants to implement data leak prevention (DLP) to detect when credit card numbers are sent via email (SMTP) and webmail (HTTPS). The FortiGate is using proxy-based inspection. Which THREE configurations are necessary? (Choose three.)

Select 3 answers
A. Set the inspection mode to flow-based for better performance.
B. Configure the antivirus profile to scan email attachments.
C. Create a DLP sensor with a rule to match credit card patterns.
D. Apply the DLP sensor to a firewall policy that handles SMTP and HTTPS traffic.
E. Enable SSL/TLS deep inspection on the firewall policy to inspect HTTPS.
Answers: C, D, E

The DLP sensor defines what to detect.

Why this answer

The correct answers are C, D, and E: the DLP sensor that defines the credit card pattern, SSL deep inspection so the HTTPS payload can be read, and applying the sensor to the policy that carries the SMTP and HTTPS traffic are all required.

879
MCQ · medium

Which type of log records information about firewall policy matches, such as allowed or denied traffic?

A. Security logs
B. Event logs
C. Traffic logs
D. Audit logs
Answer: C

Traffic logs show policy hits and traffic statistics.

Why this answer

Traffic logs record information about sessions matching firewall policies.

880
MCQ · medium

An administrator configures a firewall policy with source address 'internal_net' (10.0.0.0/16) and destination address 'server_farm' (10.10.10.0/24). The action is set to ACCEPT with NAT enabled. However, traffic from 10.0.1.100 to 10.10.10.50 is being denied. What is the most likely cause?

A. The destination address 'server_farm' does not include 10.10.10.50
B. There is a deny policy above this policy that matches the traffic
C. The NAT translation is causing the traffic to be dropped
D. The source address 'internal_net' does not include 10.0.1.100
Answer: B

A higher priority deny policy would block traffic before reaching this allow policy.

Why this answer

Policy order must be checked; another policy higher in the list with a DENY action might match before this policy. Also, the source/destination must match exactly.

881
Multi-Select · hard

An administrator has configured an IPS profile to detect SQL injection attacks. However, some SQL injection attempts are still reaching the web server. Which TWO actions should the administrator take to improve detection?

Select 2 answers
A. Configure anomaly detection for SQL traffic
B. Update the IPS signature database
C. Disable flow-based inspection and use proxy-based only
D. Enable protocol decoders for HTTP and SQL
E. Enable SSL deep inspection on the policy
Answers: B, D

Updated signatures include the latest SQL injection patterns.

Why this answer

Options B and D are correct. Protocol decoders allow the IPS to parse the HTTP and database protocols so that injection patterns can be matched in context, and updating the signature database ensures the latest attack patterns are detected.

882
MCQ · hard

A FortiGate is configured with SSL deep inspection using a locally generated CA certificate. A user reports that they cannot access https://www.example.com and receive a certificate error. The administrator checks the firewall policy and sees that the SSL inspection profile is set to 'certificate-inspection' instead of 'deep-inspection'. What is the MOST likely effect?

A. The FortiGate decrypts the traffic but does not re-sign, causing mismatch errors.
B. The FortiGate does not decrypt the traffic, so the original server certificate is presented to the client, which may be valid; the error is unrelated.
C. The FortiGate blocks the connection because certificate-inspection cannot handle deep inspection profiles.
D. The user will see a warning about the certificate but will be able to proceed after accepting it.
Answer: B

Certificate-inspection mode only checks the certificate chain; it does not re-sign. The client sees the original server certificate. If that certificate is valid, there should be no error. The issue likely stems from a different problem.

Why this answer

Option B is correct. Certificate-inspection does not decrypt; it only validates. Therefore, the user sees the original server certificate, and if there is an error, it is likely due to something else.

883
MCQ · medium

A FortiGate administrator wants to configure Zero Trust Network Access (ZTNA) to secure access to an internal application. What is required on the FortiGate?

A. A FortiClient EMS subscription
B. A VPN tunnel to the application
C. A ZTNA server and a ZTNA rule
D. A firewall policy with SSL inspection enabled
Answer: C

ZTNA requires configuration of a ZTNA server (application) and a ZTNA rule (access proxy).

Why this answer

ZTNA requires a ZTNA gateway on the FortiGate to proxy and verify access.

884
MCQ · medium

A FortiGate administrator wants to block all traffic to a known malicious IP address range using the Intrusion Prevention System (IPS). Which IPS configuration method is most appropriate?

A. Use a predefined IPS signature for known malicious IPs
B. Create a custom IPS signature that matches the IP range
C. Configure an IPS anomaly detection rule to block the IP range
D. Use a local IPS signature database
Answer: B

Custom IPS signatures can match any pattern, including IP addresses. This is a valid method.

Why this answer

Option B is correct. IPS signatures are designed to detect and block specific attack patterns, including traffic to known malicious IPs. The 'IPS sensor' can include signatures that match traffic to specific IP addresses.

Alternatively, a firewall policy with a destination address object is simpler, but the question specifies using IPS.

885
MCQ · easy

Which of the following statements about FortiGate policy lookup order is correct?

A. Policies are evaluated from top to bottom, and the first matching policy is used
B. Policies are evaluated based on a priority number assigned to each policy
C. Policies are evaluated from bottom to top, and the last matching policy is used
D. Policies are evaluated randomly to balance load
Answer: A

FortiGate processes policies sequentially from the top of the list. Once a match is found, that policy is applied.

Why this answer

FortiGate uses a top-down sequential search for policy matching. When a packet arrives, the firewall starts at the top of the policy list and evaluates each policy in order until it finds one where all configured criteria (source, destination, service, schedule, etc.) match. The first matching policy is then applied, and no further policies are checked.

This is the fundamental behavior of FortiGate's firewall policy lookup.

Exam trap

The trap here is that candidates often confuse FortiGate's sequential top-down evaluation with other firewall platforms (like Cisco ASA) that use a priority-based or implicit-rule model, leading them to incorrectly select Option B or C.

How to eliminate wrong answers

Option B is wrong because FortiGate does not assign a numeric priority to each policy; the order in the policy list (sequence number) determines the evaluation order, not a separate priority field. Option C is wrong because FortiGate evaluates policies from top to bottom, not bottom to top; the last matching policy would never be used unless it is the first match from the top. Option D is wrong because FortiGate does not use random selection for policy matching; it strictly follows the sequential top-down order to ensure deterministic and predictable traffic handling.

886
MCQ · hard

Refer to the exhibit. An administrator has configured HA on two FortiGate units. During a failover test, the secondary unit does not take over when the primary fails. What is the most likely cause?

A. Session pickup is enabled but session-pickup-connectionless is also enabled, causing conflict.
B. Override is disabled, so the secondary cannot become primary.
C. The priority on the secondary is set to a higher value than the primary.
D. The heartbeat interface (port3) is down on the secondary unit.
Answer: D

The heartbeat interface must be up for cluster communication.

Why this answer

In an HA cluster, the heartbeat interface is critical for communication between primary and secondary units. If the heartbeat interface (port3) is down on the secondary unit, it cannot receive or send HA heartbeat packets, so the secondary will not detect the primary's failure or negotiate a takeover. This directly prevents the secondary from assuming the primary role, making D the correct answer.

Exam trap

The trap here is that candidates often focus on priority or override settings as the cause of failover failure, but the real issue is usually a broken heartbeat link, which is a fundamental prerequisite for HA operation.

How to eliminate wrong answers

Option A is wrong because session pickup and session-pickup-connectionless are complementary features; enabling both does not cause a conflict that would prevent failover—session pickup is for TCP sessions, and session-pickup-connectionless extends it to UDP/other protocols. Option B is wrong because override controls whether a higher-priority unit can preempt the current primary; it does not affect the ability of a secondary to take over during a failover when the primary fails. Option C is wrong because a higher priority value on the secondary (e.g., 200 vs. 100) actually makes it more likely to become primary, not less; the issue is that the secondary cannot take over at all, which points to a connectivity or configuration problem, not priority.

887
MCQ · medium

An administrator runs the CLI command 'diagnose debug rating' and sees that all FortiGuard web filter requests are timing out. What is the most likely cause?

A. The web filter profile has an incorrect action configured
B. The web filter is set to 'monitor all' which causes all requests to timeout
C. The FortiGuard web filtering license has expired
D. The DNS server configured on the FortiGate is not resolving the FortiGuard FQDN
Answer: D

If DNS fails, the FortiGate cannot resolve the FortiGuard server IP, leading to connection timeouts.

Why this answer

If FortiGuard requests time out, the FortiGate cannot reach the FortiGuard servers. This can be caused by a network connectivity problem, a DNS resolution failure, or a proxy configuration problem; of the listed options, only a DNS failure (Option D) explains why every rating request times out, because the FortiGate never learns the FortiGuard server's IP address and so never completes a connection.

888
MCQ · easy

A FortiGate administrator needs to backup the configuration to a remote TFTP server. Which CLI command should be used?

A. copy config tftp <filename> <tftp_server_ip>
B. execute restore config tftp <filename> <tftp_server_ip>
C. execute backup config tftp <filename> <tftp_server_ip>
D. backup configuration to tftp <tftp_server_ip>
Answer: C

Why this answer

Option C is correct because the 'execute backup config tftp' command is the proper CLI syntax in FortiOS for backing up the current configuration to a remote TFTP server. This command triggers an immediate backup operation, and the filename and TFTP server IP are required parameters to specify the destination.

Exam trap

The trap here is that candidates familiar with Cisco IOS may mistakenly choose 'copy config tftp' (Option A) or 'backup configuration to tftp' (Option D), but FortiOS uses the 'execute' command structure and specific syntax 'backup config tftp' for this operation.

How to eliminate wrong answers

Option A is wrong because 'copy config tftp' is not a valid FortiOS command; Fortinet uses the 'execute' prefix for operational commands, and 'copy' is used in Cisco IOS, not FortiOS. Option B is wrong because 'execute restore config tftp' is used to restore a configuration from a TFTP server, not to back up; the keyword 'restore' indicates the opposite direction of data flow. Option D is wrong because 'backup configuration to tftp' is not a valid CLI command in FortiOS; the correct syntax requires the 'execute' keyword and the order 'backup config tftp'.

889
MCQ · medium

A FortiGate administrator needs to ensure that traffic from the LAN (192.168.1.0/24) to the DMZ (10.0.0.0/24) uses a specific outbound interface (port3) instead of the default route. Which feature should be configured to achieve this?

A. Static route with a higher distance
B. Virtual IP (VIP) with port forwarding
C. Policy-based routing (PBR) in the firewall policy
D. SD-WAN rule to force traffic to port3
Answer: C

Why this answer

Policy-based routing (PBR) allows the FortiGate to override the routing table for specific traffic based on criteria defined in a firewall policy, such as source and destination addresses. By configuring a PBR rule that matches traffic from 192.168.1.0/24 to 10.0.0.0/24 and setting the outbound interface to port3, the administrator can force this traffic to use port3 instead of the default route. This is the correct feature for interface-based path selection that is not based on destination prefix alone.

Exam trap

The trap here is that candidates often confuse policy-based routing (PBR) with static routes or SD-WAN, assuming that a static route with a higher administrative distance can override the default route for specific source-destination pairs, but static routes are destination-based and cannot match on source IP or other L4 criteria without PBR.

How to eliminate wrong answers

Option A is wrong because a static route with a higher distance would be less preferred than the default route (which typically has a lower distance), so it would not override the default route for the specified traffic. Option B is wrong because a Virtual IP (VIP) with port forwarding is used for destination NAT (port forwarding) to translate public IP addresses to private ones, not to influence routing decisions or outbound interface selection. Option D is wrong because an SD-WAN rule can steer traffic to a specific interface, but SD-WAN requires the interfaces to be members of an SD-WAN zone and is designed for WAN link load balancing, not for simple interface override in a LAN-to-DMZ scenario without SD-WAN being enabled.

890
MCQ · hard

A FortiGate configured in NAT/Route mode is connected to the internet via port1 with an IP 10.0.0.1/24. The internal network uses 192.168.1.0/24. Users can browse the internet but cannot reach a public server at 203.0.113.5. A static default route exists. What is the most likely cause?

A. The static default route points to the wrong gateway
B. The public server is down
C. The firewall policy for outbound traffic does not have NAT enabled
D. The DNS server is not configured
Answer: C

Without NAT, internal private IPs are sent untranslated and cannot reach the internet.

Why this answer

Option C is correct because in NAT/Route mode, outbound traffic from a private IP (192.168.1.0/24) to a public internet destination requires source NAT (masquerading) to translate the private source IP to the interface IP (10.0.0.1). Without NAT enabled on the firewall policy, the FortiGate forwards the packet with the original private source IP, which is not routable on the public internet, so the return traffic cannot reach the internal host. The static default route exists and users can browse other sites, indicating routing is functional, but the specific public server is unreachable due to missing NAT.

Exam trap

The trap here is that candidates assume a working internet connection implies all outbound policies are correct, but FortiGate requires NAT to be explicitly enabled per policy, and missing NAT can cause selective unreachability while other traffic (e.g., to servers with public IPs that accept private source IPs) might still work.

How to eliminate wrong answers

Option A is wrong because the static default route points to the correct gateway (likely the ISP next-hop) since users can browse the internet successfully; a wrong gateway would break all outbound traffic. Option B is wrong because the public server being down would affect all users trying to reach it, but the question states users can browse the internet, implying other external destinations are reachable, so the server is likely up but unreachable due to a configuration issue. Option D is wrong because DNS is used for name resolution, not for IP connectivity; if DNS were misconfigured, users would fail to resolve domain names but could still reach the server by its IP address (203.0.113.5), and the question does not mention DNS failures.

891
MCQ · hard

A FortiGate is configured with multiple VDOMs. The administrator creates a firewall policy in VDOM A that allows traffic from VDOM A to VDOM B using inter-VDOM links. Users in VDOM A can initiate traffic, but return traffic from VDOM B is not reaching them. What is the MOST likely cause?

A. The inter-VDOM link is down
B. The session helper is not configured for the application
C. The reverse path forwarding (RPF) check is blocking return traffic
D. A firewall policy is missing in VDOM B to allow return traffic
Answer: D

Inter-VDOM communication requires policies in both VDOMs: one for forward traffic and one for return traffic. Without a policy in VDOM B, return packets are dropped.

Why this answer

In a multi-VDOM FortiGate, inter-VDOM links require firewall policies in both VDOMs to allow bidirectional traffic. The policy in VDOM A permits the outbound session, but return traffic from VDOM B is implicitly denied unless a corresponding policy exists in VDOM B. Without that policy, the FortiGate drops the return packets, preventing communication.

Exam trap

The trap here is that candidates assume a single policy on the initiating VDOM is sufficient for bidirectional traffic, forgetting that inter-VDOM links require explicit policies in both VDOMs to allow return traffic.

How to eliminate wrong answers

Option A is wrong because if the inter-VDOM link were down, no traffic (including the initial outbound traffic) would pass, but the issue is specifically with return traffic. Option B is wrong because session helpers are used for application-layer protocols (e.g., FTP, SIP) to manage dynamic ports; they are not required for basic TCP/UDP return traffic and would not cause a complete lack of return packets. Option C is wrong because reverse path forwarding (RPF) checks are applied to incoming interfaces to verify the source IP route; in inter-VDOM scenarios, the FortiGate does not perform RPF on inter-VDOM links as they are internal virtual interfaces, and the problem is policy-based, not routing-based.

892
MCQ · medium

A network admin needs to log all traffic from the sales VLAN to the internet. The firewall policy is configured with logging enabled. However, the admin notices that only session start logs are generated, not detailed traffic logs. What setting must be enabled to capture per-packet or per-session details?

A. Enable 'Log Memory' on the policy
B. Enable security profiles
C. Set the log generation to 'All sessions' in the policy
D. Configure a traffic shaper
Answer: C

This ensures that every session generates log entries, including per-session details.

Why this answer

Option C is correct because in FortiGate, the 'Log Generation' setting on a firewall policy controls whether logs are generated for session start only or for all sessions. By default, a policy may log only session start events; setting it to 'All sessions' ensures that per-session details (including traffic volume, duration, and packet counts) are recorded. This is distinct from enabling security profiles, which inspect traffic but do not change the logging verbosity.

Exam trap

The trap here is that candidates often confuse enabling security profiles (like UTM features) with increasing log verbosity, but security profiles only inspect content and do not change the policy's log generation setting from 'Session start' to 'All sessions'.

How to eliminate wrong answers

Option A is wrong because 'Log Memory' is not a valid setting on a FortiGate firewall policy; memory logging is a global setting for storing logs locally, not a per-policy toggle for detailed logs. Option B is wrong because enabling security profiles (e.g., antivirus, web filter) adds inspection but does not alter the log generation mode from session-start to all-sessions; detailed traffic logs require the policy's log generation setting to be changed. Option D is wrong because a traffic shaper controls bandwidth allocation and QoS, not logging verbosity; it has no effect on whether per-packet or per-session details are captured.

893
MCQ · hard

A FortiGate receives a file via SMTP that contains a virus. The antivirus profile is set to 'Block' for viruses and the action is set to 'Quarantine'. However, the email is delivered to the user with the infected attachment. What could be the reason?

A. The email filter profile is overriding the antivirus action
B. The antivirus profile is using flow-based inspection and the SMTP scan is not enabled
C. The antivirus signatures are outdated
D. The file is larger than the FortiGate's virus database can handle
Answer: B

Flow-based inspection requires explicit configuration for SMTP; proxy-based inspects all protocols by default.

Why this answer

Option B is correct. If the antivirus profile is configured for flow-based inspection, some email protocols may not be fully inspected unless explicitly configured. Flow-based inspection may skip SMTP depending on the configuration.

894
MCQ · medium

A FortiGate admin wants to create a firewall policy that allows traffic from the internal network to the internet. The source is a subnet 192.168.1.0/24, and the destination is 'all'. The admin wants to apply NAT to hide internal IPs. Which NAT configuration is BEST suited for this scenario?

A. Configure a VIP for source NAT
B. Use policy-based routing to send traffic through a NAT device
C. Enable 'NAT' on the firewall policy and use the outgoing interface address
D. Create a one-to-one IP pool and apply it to the policy
Answer: C

Enabling NAT on the policy (policy-based NAT) with interface address is the simplest way to hide internal IPs.

Why this answer

Option C is correct because enabling NAT on the firewall policy with the outgoing interface address is the standard method for source NAT (masquerading) in FortiGate. This configuration translates all internal source IPs (192.168.1.0/24) to the single IP address of the egress interface, hiding the internal subnet from the internet. It is the simplest and most efficient approach for typical internet-bound traffic, requiring no additional objects like IP pools or VIPs.

Exam trap

The trap here is that candidates often confuse VIPs (destination NAT) with source NAT, or assume that a one-to-one IP pool is required for hiding internal IPs, when in fact interface NAT with PAT is the default and best practice for internet-bound traffic in FortiGate.

How to eliminate wrong answers

Option A is wrong because a Virtual IP (VIP) is used for destination NAT (port forwarding), not source NAT; applying a VIP to hide internal IPs would incorrectly translate destination addresses instead of source addresses. Option B is wrong because policy-based routing (PBR) controls the path traffic takes based on routing policies, not NAT; it does not perform address translation and would require a separate NAT device, which is unnecessary in FortiGate. Option D is wrong because a one-to-one IP pool maps each internal IP to a unique external IP, which is overkill and wasteful for hiding a subnet behind a single public IP; dynamic IP pools (overload) or interface NAT are more appropriate for many-to-one masquerading.

895
MCQ · easy

Which of the following best describes a Virtual IP (VIP) in FortiGate?

A. A method to translate a public IP/port to a private IP/port for inbound traffic
B. A method to translate private source IPs to a public IP for outbound traffic
C. A method to group multiple firewall policies
D. A method to load balance traffic across multiple WAN interfaces
Answer: A

VIP maps external (public) addresses to internal (private) destinations, enabling inbound access.

Why this answer

A Virtual IP (VIP) in FortiGate is used for Destination NAT (DNAT), translating an incoming public IP address and port to a private IP address and port. This allows external hosts to access internal servers (e.g., web servers) using a public IP, while the server remains on a private RFC 1918 address. The VIP object is referenced in a firewall policy to permit the inbound traffic and perform the translation.

Exam trap

The trap here is confusing Virtual IP (Destination NAT) with IP Pool (Source NAT), as both involve address translation but serve opposite traffic directions; candidates often pick Option B thinking VIP is for outbound translation.

How to eliminate wrong answers

Option B is wrong because it describes Source NAT (SNAT) or IP Pool, not a Virtual IP; SNAT translates private source IPs to a public IP for outbound traffic. Option C is wrong because grouping multiple firewall policies is done using policy packages or policy groups, not a Virtual IP. Option D is wrong because load balancing traffic across multiple WAN interfaces is achieved using SD-WAN or ECMP routing, not a Virtual IP; VIPs can be used for server load balancing (SLB) but not for balancing across WAN interfaces.

896
MCQ · easy

What is the difference between certificate inspection and full SSL deep inspection on a FortiGate?

A. Certificate inspection decrypts traffic; deep inspection does not
B. Certificate inspection only validates the server certificate; deep inspection decrypts and inspects the content
C. Deep inspection is faster than certificate inspection
D. Both provide the same level of security
Answer: B

Certificate inspection examines the certificate for validity, while deep inspection performs a man-in-the-middle decryption.

Why this answer

Option B is correct. Certificate inspection checks the server certificate, while deep inspection decrypts and inspects the entire session.

897
MCQ · hard

A FortiGate has two WAN interfaces (wan1, wan2) configured with ECMP routes to the same destination. The administrator notices that traffic for a single session is being load-balanced across both links, causing performance issues. What should be configured to ensure sessions stick to one link?

A. Set policy routing to use source-based routing.
B. Change ECMP load balancing method to 'source-ip-based' or 'source-dst-ip-based'.
C. Configure SD-WAN rules to enforce per-session stickiness.
D. Disable ECMP and use a single default route.
Answer: B

Why this answer

Option B is correct because changing the ECMP load balancing method to 'source-ip-based' or 'source-dst-ip-based' ensures that all packets belonging to the same session (identified by source IP or source-destination IP pair) are hashed to the same egress interface. This prevents a single session from being split across multiple WAN links, which can cause out-of-order packets and performance degradation. FortiGate’s ECMP hash algorithm uses the configured method to compute a hash value that deterministically selects the outgoing interface for each flow.

Exam trap

The trap here is that candidates often confuse ECMP load balancing methods with SD-WAN stickiness features, assuming SD-WAN is required for session persistence, when in fact ECMP’s hash algorithm can be tuned directly to achieve per-session stickiness.

How to eliminate wrong answers

Option A is wrong because policy routing (PBR) is used to override the routing table based on criteria like source/destination IP or port, but it does not inherently provide per-session stickiness; without careful configuration, PBR can still lead to asymmetric routing or session splitting. Option C is wrong because SD-WAN rules can enforce stickiness via session-based load balancing (e.g., 'source-ip-based' or 'session-based'), but the question specifically asks about ECMP routes, and SD-WAN is a separate feature that requires additional configuration and is not the direct fix for ECMP load balancing. Option D is wrong because disabling ECMP and using a single default route eliminates load balancing entirely, which is an overreaction and does not address the requirement to keep sessions on one link while still allowing load balancing across different sessions.

898
Multi-Select · medium

An administrator needs to deploy two-factor authentication for SSL VPN users. The company uses FortiTokens. Which two steps are required to enable FortiToken for SSL VPN users? (Choose two.)

Select 2 answers
A. Install the FortiToken mobile app on the administrator's phone
B. Change the SSL VPN authentication scheme to RADIUS
C. Configure two-factor authentication on the SSL VPN portal to require token code
D. Assign the FortiToken to each user in the user database
Answers: C, D

The portal must be set to require token authentication.

Why this answer

FortiToken requires the user account to be associated with a FortiToken serial number, and the authentication method must be set to require token code along with password.

899
MCQ · hard

An administrator wants to block users from uploading files to cloud storage services like Google Drive via HTTPS. Which security profile combination is required?

A. Application control profile to block cloud storage applications, with deep inspection enabled
B. IPS profile to block file uploads to cloud services
C. DNS filter to block Google Drive domain
D. Web filter profile with URL filter to block Google Drive
Answer: A

Application control can identify and block Google Drive traffic even over HTTPS, but only if deep inspection decrypts the traffic to read application signatures.

Why this answer

To block file uploads to HTTPS sites, deep inspection must be enabled so the FortiGate can decrypt the traffic. Application control can then identify the cloud storage application and block it entirely, which is the combination described in Option A. A DLP or file filter, or an antivirus profile with file pattern blocking, could block the uploads more selectively, but each of those likewise depends on deep inspection to see the HTTPS payload.

900
MCQ · medium

Refer to the exhibit. The policy applies deep inspection, but users cannot access any HTTPS websites. The FortiGate CA certificate is installed on clients. What is the most likely cause?

A. The deep inspection profile is misconfigured.
B. The antivirus profile is blocking the traffic.
C. The web filter profile 'strict' is blocking all sites.
D. The service 'HTTPS' only allows TCP 443, but some websites use other ports.
Answer: D

If a website listens on a non-standard port, the 'HTTPS' service object does not match it, so the policy does not allow that traffic.

Why this answer

Option D is correct because the policy uses the service 'HTTPS', which by default only matches TCP port 443. If any HTTPS websites are hosted on non-standard ports (e.g., 8443, 9443), the FortiGate will not apply deep inspection to that traffic, causing the connection to fail when deep inspection is required. The FortiGate CA certificate being installed on clients ensures trust, but the service definition must match the actual destination port for inspection to occur.

Exam trap

The trap here is that candidates assume 'HTTPS' covers all secure web traffic, but FortiGate service objects are port-specific, and deep inspection requires the policy to match the exact destination port used by the website.

How to eliminate wrong answers

Option A is wrong because the deep inspection profile being misconfigured would typically cause certificate errors or decryption failures, not a complete inability to access all HTTPS websites; the question states the CA is installed, so profile misconfiguration is less likely. Option B is wrong because the antivirus profile blocking traffic would affect specific files or patterns, not all HTTPS websites, and would generate logs indicating virus detection. Option C is wrong because the web filter profile 'strict' blocking all sites would prevent HTTP as well, and the issue is specific to HTTPS; moreover, web filter profiles do not block at the transport layer but at the URL/content level.
