Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 976-1000

1000 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976
Multi-Select · hard

Which THREE statements about SD-WAN rules are correct?

Select 3 answers
A. SD-WAN rules are evaluated in order of priority.
B. SD-WAN rules must use a 'load balancing' strategy.
C. SD-WAN rules can match based on application, destination, or source.
D. Each SD-WAN rule can only contain one member.
E. If no SD-WAN rule matches, the traffic is processed by the implicit rule.
Answers: A, C, E

Correct; rules have priority and are evaluated top-down.

Why this answer

SD-WAN rules are evaluated top-down in the order they appear in the rule list, and the first rule whose criteria match the traffic is applied; the rule order is the priority. This makes steering deterministic as long as the administrator places the most specific rules first. Traffic that matches no rule falls through to the implicit rule, which distributes it according to the SD-WAN default load-balancing setting.

Exam trap

The trap here is that candidates often assume SD-WAN rules must use load balancing, but FortiOS offers several strategies (manual, best quality, lowest cost (SLA) and maximize bandwidth (SLA)), and they also mistakenly think each rule can only have one member, whereas a rule can list several members in preference order for redundancy and load distribution.

977
MCQ · hard

An administrator configures a VLAN interface on a FortiGate's physical port with the IP 192.168.10.1/24. The VLAN ID is 10. The administrator connects a switch port configured as an access port (untagged) in VLAN 10. The devices on the switch cannot ping the FortiGate's VLAN interface. What is the most likely cause?

A. The switch port should be configured as a trunk port allowing VLAN 10
B. The FortiGate's physical port is not set to the same VLAN ID
C. The FortiGate's administrative access is not enabled on the VLAN interface
D. The FortiGate's VLAN interface is not assigned to any VDOM
Answer: A

The switch port must send tagged frames (trunk) for the FortiGate VLAN interface to recognize them.

Why this answer

The switch port is configured as an access port, which sends frames untagged. However, the FortiGate's VLAN interface expects to receive 802.1Q-tagged frames because the VLAN is defined as a subinterface on the physical port. For the FortiGate to process traffic for VLAN 10, the switch port must be configured as a trunk (or tagged) port that sends frames with the VLAN 10 tag.

An access port strips the tag, so the FortiGate never sees the VLAN 10 traffic.

Exam trap

The trap here is that candidates often confuse access/trunk port behavior with VLAN interface configuration on firewalls, mistakenly thinking an access port is sufficient because the VLAN ID matches, when in fact the FortiGate requires tagged frames for subinterfaces.

How to eliminate wrong answers

Option B is wrong because the FortiGate's physical port does not have a VLAN ID setting; VLANs are defined as subinterfaces, and the VLAN ID is set on the VLAN interface itself, not on the physical port. Option C is wrong because administrative access (e.g., HTTPS, SSH, ping) is a separate setting that controls management protocols, not basic IP connectivity; the devices cannot ping due to a Layer 2 tagging mismatch, not because ping is disabled. Option D is wrong because VDOM assignment is only relevant in multi-tenant or virtualized FortiGate configurations; by default, all interfaces belong to the root VDOM, and the VLAN interface would still be reachable if the tagging were correct.
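Worked configuration for this scenario, added here as an example and not part of the original question set: it assumes the VLAN subinterface sits on physical port port2 in the root VDOM and that 192.168.10.50 is a test host on the switch (both are assumed names). The sniffer check is how you tell tagged arrivals from untagged ones on a live unit.

```text
# Added example (not from the original page). "port2", "vlan10" and the test
# host 192.168.10.50 are assumptions.
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
        set interface "port2"
        set vlanid 10
    next
end

# Check: which interface do the client's pings arrive on? With verbosity 4
# the FortiGate sniffer prints the receiving interface for every packet.
diagnose sniffer packet any 'host 192.168.10.50 and icmp' 4
# Packets listed against "vlan10" arrived carrying 802.1Q tag 10: correct.
# Packets listed against "port2" arrived untagged (access port): the switch
# port must be changed to a tagged/trunk port that carries VLAN 10.
```

If the sniffer shows nothing at all, the frames are not reaching the FortiGate (wrong switch port or VLAN on the switch side) rather than being mis-tagged; the VLAN interface configuration itself is not the first thing to revisit.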

978
MCQ · medium

A FortiGate administrator needs to block a specific application using the FortiGuard Application Control service. Which two objects must be correctly configured in the firewall policy to achieve this? (Choose the best single answer describing the required object types.)

A. An antivirus profile and a routing policy
B. An application control profile and a firewall policy
C. A URL filter profile and a NAT policy
D. A web filter profile and an SSL inspection profile
Answer: B

The profile defines which applications to block; the policy applies the profile to traffic.

Why this answer

Application Control requires a security profile and a firewall policy that references it.

979
MCQ · medium

You are troubleshooting an IPsec VPN between two FortiGates. The Phase 1 is up, but Phase 2 is not coming up. You check the Phase 2 configuration on both sides. What is a common cause of this issue?

A. Mismatch in Phase 2 settings such as encryption algorithm, authentication algorithm, or PFS group
B. Firewall policy not allowing ESP traffic
C. Incorrect local or remote gateway IP
D. Mismatch in Phase 1 pre-shared key
Answer: A

Phase 2 requires identical proposals on both sides.

Why this answer

Phase 2 parameters must match exactly. If there is a mismatch in encryption, authentication, or PFS settings, Phase 2 will fail. Option A is the most common cause.

980
MCQ · medium

An administrator wants to log all traffic that is denied by the implicit deny rule. How can this be achieved?

A. Configure a firewall policy with action ACCEPT and enable logging
B. Enable logging on the implicit deny rule
C. Create a firewall policy with action DENY and enable logging, placed above the implicit deny
D. Use the 'diagnose debug flow' command to capture all traffic
Answer: C

Why this answer

An explicit DENY policy with logging enabled, placed at the bottom of the sequence directly above the implicit deny, matches exactly the traffic the implicit deny would otherwise drop; because it is an ordinary policy it can also carry a name and comments and can be scoped by interface or address, which is what the exam expects. Note that FortiOS also lets you turn on violation-traffic logging for the implicit deny itself (edit the Implicit Deny row in the GUI and enable Log Violation Traffic; in the CLI this is `set fwpolicy-implicit-log enable` under `config log setting`), so option B is not impossible on a real unit. The exam answer is C because the explicit policy is the configurable, general method.

Exam trap

The trap here is that candidates assume the implicit deny rule behaves like any other policy, but it is a built-in policy (ID 0) that cannot be moved, disabled, deleted or given match criteria; apart from its violation-traffic logging switch it is not configurable, so the general-purpose answer is an explicit deny policy placed above it.

How to eliminate wrong answers

Option A is wrong because an ACCEPT action would allow the traffic, not deny it, and logging would only show allowed traffic, not the denied traffic you want to capture. Option B is the answer the exam rejects: the implicit deny is a built-in policy that is not configurable apart from its violation-traffic logging switch, so it cannot be named, scoped or combined with other policy settings the way an explicit deny can. Option D is wrong because 'diagnose debug flow' is a real-time troubleshooting tool that traces packet handling for matching sessions only while the trace is running, not a method to log all denied traffic persistently.
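Added example (not part of the original page) of the explicit deny policy the answer describes, followed by the log check; the policy name is an assumption. `edit 0` lets FortiOS assign the next free policy ID, and a new policy is appended at the bottom of the sequence, which is exactly where a catch-all deny belongs.

```text
# Added example (not from the original page). The policy name is an assumption.
config firewall policy
    edit 0
        set name "deny-all-logged"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Confirm the new policy is last in the sequence (directly above implicit deny):
show firewall policy

# Confirm denied sessions now show up in the forward traffic log:
execute log filter category traffic
execute log filter field action deny
execute log display
```

Keep this policy last: anything placed below it can never match. If you only need the implicit deny's own log, the GUI's Log Violation Traffic switch on the Implicit Deny row (or `set fwpolicy-implicit-log enable` under `config log setting`) achieves that without adding a policy, but it cannot be scoped.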

981
MCQ · easy

What is the primary advantage of using route-based IPsec VPN over policy-based IPsec VPN?

A. Route-based VPN allows the use of dynamic routing protocols over the tunnel
B. Route-based VPN requires fewer firewall policies
C. Route-based VPN is easier to configure for hub-and-spoke
D. Route-based VPN supports higher encryption algorithms
Answer: A

Correct. The IPsec interface can participate in OSPF, BGP, etc.

Why this answer

Route-based VPN uses a virtual IPsec interface, allowing dynamic routing protocols to be used. This simplifies configuration and management of complex topologies, whereas policy-based VPN requires static policies for each subnet pair.

982
MCQ · hard

A FortiGate administrator configures a policy-based NAT using an IP pool with type 'Fixed Port Range' for internal users accessing a specific external server. Users report that after some time, they cannot establish new connections to the server. 'diagnose ip pool list' shows many entries with 'used_port=65535'. What is the MOST likely cause?

A. The external server is rate-limiting connections
B. The firewall policy has a timeout setting that is too low
C. The IP pool has run out of IP addresses
D. The fixed port range is too small, causing port exhaustion
Answer: D

A 'Fixed Port Range' IP pool maps a range of internal addresses to a range of external addresses and gives each internal host a fixed block of ports on its external address. When a host's block is used up it cannot open new sessions, even though other addresses and blocks in the pool may still be free. The 'used_port=65535' entries show port blocks that are fully consumed.

Why this answer

The 'Fixed Port Range' IP pool type allocates a specific range of ports per IP address for NAT translations. When all ports in the range are exhausted (indicated by 'used_port=65535'), no new connections can be established, causing the reported issue. This is classic port exhaustion, making D correct.

Exam trap

The trap here is that candidates may confuse IP address exhaustion (Option C) with port exhaustion, but the diagnostic output clearly shows IP addresses are still available while ports are maxed out, pointing directly to the fixed port range being too small.

How to eliminate wrong answers

Option A is wrong because the external server rate-limiting would affect all users equally and would not cause the specific symptom of 'used_port=65535' entries in the IP pool list. Option B is wrong because a low firewall policy timeout would cause connections to be dropped prematurely, not prevent new connections from being established due to port exhaustion. Option C is wrong because the 'diagnose ip pool list' output shows many entries with 'used_port=65535', indicating that IP addresses are still available but all ports within the fixed range are in use, not that IP addresses have run out.

983
MCQ · easy

A FortiGate administrator needs to block all traffic from a specific geographic region (country) from accessing the internal network. Which type of address object should be used in the firewall policy?

A. Geography object
B. FQDN object
C. Wildcard FQDN object
D. Subnet object
Answer: A

Geography objects use GeoIP database to match countries.

Why this answer

Geography-based address objects allow matching traffic based on the source IP's country, as resolved by the FortiGuard GeoIP database. Option A is correct.

984
Multi-Select · hard

A FortiGate admin is troubleshooting email filtering. Legitimate emails from a specific external domain are being marked as spam. Which THREE steps should the admin take to resolve this?

Select 3 answers
A. Check the spam filter logs to see why the email was flagged
B. Disable the spam filter entirely
C. Add the sender domain to the email filter allowlist
D. Enable deep inspection for SMTP traffic
E. Verify the sender's domain reputation on FortiGuard
Answers: A, C, E

Logs provide details on the filtering decision.

Why this answer

Options A, C, and E are correct. Checking the spam filter logs shows which check flagged the message, adding the domain to the allowlist stops the false positive, and verifying the FortiGuard reputation tells you whether the sender is listed upstream. Option B removes protection for all mail rather than fixing one false positive, and option D (deep inspection) is about decrypting TLS so content can be scanned; it does not change why a message was classified as spam.

985
MCQ · hard

You are troubleshooting a FortiGate HA cluster (active-passive) and notice that after a failover, some existing TCP sessions are not being maintained. The hbdev heartbeat interfaces are configured correctly, and session synchronization is enabled. What is the MOST likely cause?

A. The secondary unit is in maintenance mode
B. NPU offloading is enabled on the primary FortiGate
C. The HA uptime monitor is not configured
D. Session pickup is not enabled in the HA configuration
Answer: B

NPU offloading can cause sessions to be offloaded to hardware and not fully synced to the backup unit. Disabling NPU offloading ensures all sessions are synced.

Why this answer

In FortiGate HA, session pickup synchronizes sessions handled by the CPU; sessions that have been offloaded to the NPU are processed in hardware and may not be fully synchronized to the secondary unit, so they are lost on failover even though session synchronization is enabled. Disabling NPU offloading on the primary forces those sessions through the CPU path, where they are synchronized.

986
MCQ · medium

When creating a firewall policy, an admin wants to ensure that traffic from a specific user group is allowed only during business hours (Monday to Friday, 09:00-18:00). Which object type must be configured and applied to the policy?

A. A security profile with time-based filtering
B. A schedule object with a recurring schedule
C. A user group object with time restrictions
D. A traffic shaping policy with a time-based rule
Answer: B

Recurring schedules allow setting days of week and time ranges, which matches the requirement.

Why this answer

Schedule objects define time-based conditions. A recurring schedule can be set for weekdays and specific hours.

987
MCQ · hard

An administrator is configuring a VIP to map a public IP to an internal server. The server hosts both HTTP and HTTPS services. The admin creates a VIP with port forwarding for port 80 to internal port 80, and another VIP for port 443 to internal port 443. Both VIPs use the same public IP. Users can access HTTP but not HTTPS. What is the most likely issue?

A. The firewall policy for HTTPS traffic is missing or has incorrect destination
B. The server's HTTPS service is not running
C. VIPs cannot share the same public IP address
D. The HTTPS VIP is configured with the wrong internal port
Answer: A

A firewall policy must allow traffic to the VIP. If only HTTP is allowed, HTTPS fails.

Why this answer

Two VIPs may share an external IP as long as port forwarding distinguishes them by external port, so the VIP design itself is fine. What the FortiGate still needs is a firewall policy whose destination includes the HTTPS VIP (or both VIPs); if the only policy lists the HTTP VIP, port 80 is accepted and port 443 falls through to the implicit deny.

988
MCQ · medium

An admin wants users to authenticate once via AD and have their network access controlled without repeated logins. Which feature should be used?

A. Local user authentication
B. FSSO with Active Directory polling
C. Captive portal with LDAP
D. SSL VPN with certificate authentication
Answer: B

FSSO provides single sign-on by polling AD for logon events.

Why this answer

FSSO (Fortinet Single Sign-On) captures AD logon events and maps user IP addresses to user identities, allowing transparent authentication without repeated logins.

989
MCQ · medium

A FortiGate is configured with an IPsec VPN to a remote site using IKEv1. The VPN tunnel goes down intermittently. The admin runs 'diagnose vpn ike gateway list' and sees 'state=UP' but no Phase2 selectors. What is the most likely cause?

A. The firewall policy allowing IPsec traffic is misconfigured
B. The remote gateway has a different PSK
C. Mismatched Phase2 parameters between the local and remote gateways
D. Dead Peer Detection (DPD) is disabled
Answer: C

Phase2 requires matching proposals; a mismatch prevents establishment.

Why this answer

The command shows the IKE gateway is up (Phase 1 complete) but no Phase 2 selectors, meaning Phase 2 has not been established or has failed. Option C is correct because mismatched Phase 2 parameters (encryption, hash, PFS group or proxy IDs/selectors) are the most common cause of Phase 2 failure; Phase 1 would not reach state UP with a wrong PSK, which rules out B.

990
Multi-Select · medium

An administrator needs to configure a FortiGate to send logs to a FortiAnalyzer. Which two configurations are required? (Choose two.)

Select 2 answers
A. Configure FortiAnalyzer IP under config system central-management
B. Set log-fortianalyzer to enable under config log setting
C. Enable log transfer under config log fortianalyzer setting
D. Configure a firewall policy to allow logs to leave
E. Create a log filter to send all logs
Answers: A, B

This sets the FortiAnalyzer server address.

Why this answer

Option A is correct because the FortiGate must know the FortiAnalyzer's IP address, and option B because log transmission to the configured FortiAnalyzer must be switched on; without both, no logs are sent. A practitioner's caveat: on FortiOS as shipped, both settings live under `config log fortianalyzer setting` (`set status enable` and `set server <ip>`), while `config system central-management` is the FortiManager registration block and `config log setting` has no `log-fortianalyzer` option. Treat the option wording as exam shorthand for 'set the server address' and 'enable sending', and know the real CLI path.

Exam trap

The trap here is that candidates mistakenly think a firewall policy is required to allow log traffic out, but logs to FortiAnalyzer are self-originated traffic from the FortiGate (sent from the management VDOM), and self-originated traffic is not subject to firewall policies.
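Added example, not from the original page: the FortiOS CLI a practitioner actually uses for the two things the question asks for (server address and enabling transmission), plus the connectivity check. 192.0.2.50 is an assumed FortiAnalyzer address.

```text
# Added example (not from the original page). 192.0.2.50 is an assumed
# FortiAnalyzer address.
config log fortianalyzer setting
    set status enable
    set server "192.0.2.50"
    set upload-option realtime
    set reliable enable
end

# Choose what is sent; without forward-traffic enabled, the policy logs
# from the earlier questions never leave the FortiGate.
config log fortianalyzer filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
end

# Check: reachability and registration state with the FortiAnalyzer.
execute log fortianalyzer test-connectivity
```

`set reliable enable` makes the FortiGate use the TCP-based OFTP transfer so that logs are not silently lost on a congested link; the FortiAnalyzer must still authorize the device before logs are accepted, which the test-connectivity output reports.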

991
MCQ · medium

An administrator runs 'diagnose sniffer packet any "host 10.0.1.100" 4' and sees packets being sent but no response. The FortiGate has a static route for 10.0.1.0/24 via 192.168.1.1. The administrator checks the routing table and sees the route is present. What is the most likely cause of no response?

A. The outgoing interface in the static route is incorrect or down.
B. The FortiGate has a policy route overriding the static route.
C. The destination host has a firewall blocking ICMP.
D. The static route has a higher administrative distance than a dynamic route.
Answer: A

An incorrect interface would cause packets to be sent out the wrong port, not reaching the destination.

Why this answer

Option A is correct: the route is in the table, but if the device (outgoing interface) set on the static route is wrong or down, the FortiGate sends the packets out an interface that cannot reach the next hop, so nothing comes back. The sniffer output rules out a missing route, because with no matching route 'diagnose debug flow' would report no route and the packets would not leave at all. Verbosity 4 prints the interface name for each packet, so compare it with the interface you expect to reach 192.168.1.1.

Options C and D are less likely given the symptom.

992
MCQ · medium

An admin is configuring a dial-up IPsec VPN for remote users. The users will connect from various public IP addresses. Which Phase 1 configuration is required for the FortiGate to accept connections from unknown remote gateways?

A. Enable aggressive mode
B. Set the remote gateway to 0.0.0.0
C. Configure a static route to the remote users' subnet
D. Set the remote gateway to a specific IP address
Answer: B

0.0.0.0 means any remote gateway is accepted.

Why this answer

The remote gateway must be set to 0.0.0.0 (the 'Dialup User' remote gateway type, `set type dynamic` in the CLI) so that the FortiGate accepts IKE from any source address, which is what a dial-up VPN needs. Aggressive mode (A) is a legacy IKEv1 option some dial-up deployments use to send a peer ID in the first exchange, but it is not what makes unknown peers acceptable, and a static route to the users' subnet (C) is not needed for dial-up clients.
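Added example (not from the original page) of the dial-up Phase 1 and Phase 2 as a practitioner would write them in the FortiOS CLI. The tunnel names, interface wan1, the proposals and the placeholder PSK are assumptions.

```text
# Added example (not from the original page). Names, "wan1", proposals and
# the placeholder PSK are assumptions.
config vpn ipsec phase1-interface
    edit "dialup-users"
        set type dynamic          # remote gateway "Dialup User" (0.0.0.0)
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-a-long-random-psk"
    next
end
config vpn ipsec phase2-interface
    edit "dialup-users-p2"
        set phase1name "dialup-users"
        set proposal aes256gcm
        set dhgrp 14
    next
end

# Check: a dynamic gateway has no fixed peer address; each connected client
# appears as its own gateway entry with the client's public IP.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

Because the peer is dynamic, the FortiGate never initiates this tunnel; the client must. If clients need addresses pushed to them, add `set mode-cfg enable` with an address range in the Phase 1, and remember that firewall policies from the tunnel interface are still required for the clients' traffic.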

993
MCQ · medium

After upgrading FortiGate firmware from 6.0 to 7.2, an administrator notices that a static route pointing to a next-hop IP 10.0.0.1 is no longer working. The route is present in the configuration but the FortiGate shows it as 'not active'. What is the MOST likely cause?

A. FortiGate now requires a default administrative distance of 10 for static routes
B. The route was deleted during the upgrade and needs to be re-added
C. The next-hop IP is not directly connected to any FortiGate interface
D. The remote gateway is down
Answer: C

FortiGate requires static route next-hop to be directly connected. If the next-hop is not on a directly connected subnet, the route will be inactive.

Why this answer

In FortiOS a static route is active only if its next hop is on the subnet of a directly connected interface (the device named in the route). If 10.0.0.1 is not on a connected subnet, the route stays in the configuration but is not installed in the routing table and shows as inactive. This is a fundamental routing principle: the router must be able to resolve the next hop's MAC address on a connected network (via ARP) in order to forward to it.

Exam trap

The trap here is that candidates often assume a static route will be active as long as the configuration is present and the remote gateway is reachable, but FortiGate (and most routers) require the next-hop IP to be directly connected for the route to be installed in the routing table.

How to eliminate wrong answers

Option A is wrong because the default administrative distance for static routes in FortiOS remains 10 (unchanged from 6.0 to 7.2), and administrative distance does not affect whether a route is 'active'—it only influences route selection among multiple routes to the same destination. Option B is wrong because the route is still present in the configuration, so it was not deleted during the upgrade; the issue is that it is not active, not that it is missing. Option D is wrong because the remote gateway being down would cause the route to be present but possibly inactive only if the next hop is directly connected; if the next hop is not directly connected, the route would be inactive regardless of the remote gateway's state.
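Added example (not from the original page) that covers both the inactive-route case in this question and the wrong-interface case in Q991: a static route with its device set, and the two FortiOS views that show whether the route is installed and which interface traffic actually uses. port3 with 10.0.0.2/24, the 10.1.1.0/24 destination and the test host 10.1.1.10 are assumptions.

```text
# Added example (not from the original page). "port3", 10.0.0.2/24,
# 10.1.1.0/24 and the host 10.1.1.10 are assumptions.
config system interface
    edit "port3"
        set ip 10.0.0.2 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.1.1.0 255.255.255.0
        set gateway 10.0.0.1      # must lie inside port3's subnet
        set device "port3"
    next
end

# Routing table: only installed (active) routes appear here.
get router info routing-table all

# Routing database: every configured route, active or not. An active static
# route is marked "*>"; a route whose gateway is not on the subnet of its
# device (Q993) is listed without that marker and never reaches the table.
get router info routing-table database

# Q991 check: verbosity 4 prints the interface each packet leaves on. If the
# interface shown is not the one that reaches the gateway, the "device" in
# the static route is wrong, or that interface is down.
diagnose sniffer packet any 'host 10.1.1.10 and icmp' 4
```

After correcting the gateway or device, re-run the database command: the route should now carry the `*>` marker and appear in the routing table without any other change.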

994
MCQ · medium

A network engineer is configuring SD-WAN on a FortiGate with two WAN links: MPLS (port1) and Internet (port2). The MPLS link has lower latency and jitter. The engineer wants to route all VoIP traffic (SIP and RTP) over the MPLS link unless it is unavailable. Which SD-WAN rule configuration should be used?

A. Create an SD-WAN rule for VoIP traffic with strategy 'best quality' and set the SLA target for latency to 10ms on the MPLS link.
B. Create an SD-WAN rule for VoIP traffic with strategy 'load balancing' and assign equal weight to both links.
C. Create an SD-WAN rule for VoIP traffic with strategy 'manual' or 'prefer' and select MPLS as the preferred member, with Internet as backup.
D. Create an SD-WAN rule for VoIP traffic with strategy 'best quality' and set the SLA target to prefer the Internet link.
Answer: C

This ensures MPLS is used primarily and Internet only if MPLS is down.

Why this answer

Option C is correct because the engineer requires a deterministic routing policy where VoIP traffic always uses the MPLS link unless it fails. The 'manual' (or 'prefer') strategy in SD-WAN rules allows you to explicitly set a preferred member (MPLS) and designate the other link (Internet) as a backup, ensuring failover only when the preferred link is unavailable. This matches the requirement of routing all VoIP traffic over MPLS unless it is unavailable, without relying on SLA performance metrics.

Exam trap

The trap here is that candidates often confuse 'best quality' with a manual preference, assuming that setting a low latency SLA target on MPLS will force all traffic to that link, but 'best quality' can still switch to another link if SLA thresholds are not met, even if the preferred link is operational.

How to eliminate wrong answers

Option A is wrong because the 'best quality' strategy dynamically selects the link based on real-time SLA performance metrics (e.g., latency, jitter), not a fixed preference; even if MPLS meets the 10ms latency target, the rule could still switch to the Internet link if MPLS momentarily degrades, violating the requirement to use MPLS unless it is completely unavailable. Option B is wrong because 'load balancing' distributes traffic across both links based on weights or volume, which would send VoIP traffic over the Internet link even when MPLS is healthy, contradicting the requirement to use MPLS exclusively. Option D is wrong because setting the SLA target to prefer the Internet link would actively steer VoIP traffic away from the lower-latency MPLS link, which is the opposite of the desired behavior.
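Added example (not from the original page) of the manual-mode rule the answer describes, in the FortiOS CLI. Member IDs, gateways, the health-check target 198.51.100.10 and the RTP port range 16384-32767 are assumptions for illustration; the health check is what lets manual mode detect that MPLS is unavailable.

```text
# Added example (not from the original page). Member IDs, gateways, the
# health-check target and the RTP port range are assumptions.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"         # MPLS
            set zone "virtual-wan-link"
            set gateway 10.0.0.1
        next
        edit 2
            set interface "port2"         # Internet
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
    end
    config health-check
        edit "voip-hc"
            set server "198.51.100.10"
            set protocol ping
            set members 1 2
        next
    end
    config service
        edit 1
            set name "sip-to-mpls"
            set mode manual
            set src "all"
            set dst "all"
            set protocol 17
            set start-port 5060
            set end-port 5060
            set priority-members 1 2      # MPLS first, Internet only as backup
        next
        edit 2
            set name "rtp-to-mpls"
            set mode manual
            set src "all"
            set dst "all"
            set protocol 17
            set start-port 16384
            set end-port 32767
            set priority-members 1 2
        next
    end
end

# Checks: rule mode and member order, then which members are alive.
diagnose sys sdwan service
diagnose sys sdwan health-check
```

In manual mode the first listed member is used for as long as it is alive; only when the health check marks port1 dead (or the link goes down) does the rule fall through to port2, which is the deterministic behaviour the question asks for. Contrast this with `set mode priority` plus an SLA target, which would also move traffic when MPLS is merely degraded.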

995
Multi-Select · hard

Which THREE conditions must be met for a firewall policy with FSSO authentication to work correctly?

Select 3 answers
A. The FortiGate must be able to communicate with the domain controller
B. The user's IP address must be in the destination address range of the policy
C. The user must be a member of a group that is referenced in the firewall policy
D. The FSSO collector agent must be running and properly configured
E. The user must be authenticated to the FortiGate locally
Answers: A, C, D

FSSO requires communication with the DC to receive login events.

Why this answer

Option A is correct because FSSO relies on learning domain logon events from the domain controllers (through the collector agent's DC agent or polling modes such as NetAPI, WinSecLog or WMI) so that the FortiGate can map user identities to IP addresses. Option D is correct because it is the collector agent (or the FortiGate's own DC polling in agentless mode) that gathers those events and pushes the user-to-IP mappings to the FortiGate. Option C is correct because a firewall policy grants access to FSSO user groups, so the user must belong to a group that the policy references.

Exam trap

The trap here is that candidates often confuse source and destination address fields in the policy, mistakenly thinking the user's IP must be in the destination range, or assume FSSO requires local FortiGate authentication, when in fact it relies on domain authentication and the collector agent.

996
MCQ · easy

A FortiGate administrator needs to allow SMTP traffic from the internal network to an external mail server. The internal network uses source NAT to the external interface IP. Which firewall policy configuration is correct?

A. Policy: source internal, destination external, service SMTP, enable NAT
B. Policy: source internal, destination external, service SMTP, disable NAT
C. Policy: source internal, destination external, service SMTP (port 587), enable NAT
D. Policy: source internal, destination external, service SMTP (UDP), enable NAT
Answer: A

SMTP uses TCP port 25 and NAT is needed for outbound traffic.

Why this answer

Option A is correct because SMTP traffic from the internal network to an external mail server requires source NAT (masquerading) to translate private source IPs to the FortiGate's external interface IP. This ensures return traffic is routed back correctly. The default SMTP service uses TCP port 25, and enabling NAT on the policy is the standard configuration for outbound traffic to the internet.

Exam trap

The trap here is that candidates may confuse SMTP ports (25 vs 587) or assume SMTP can use UDP, but the exam tests the fundamental requirement that outbound internet traffic must have NAT enabled and that SMTP is TCP-based.

How to eliminate wrong answers

Option B is wrong because disabling NAT would send packets with private source IPs, which are not routable on the internet, causing the external mail server to drop replies or the packets to be discarded by intermediate routers. Option C is wrong because SMTP typically uses TCP port 25, not port 587 (which is SMTP submission, often used for authenticated client-to-server submission); the question specifies SMTP traffic, not SMTP submission, and the service should match the standard SMTP port. Option D is wrong because SMTP uses TCP, not UDP; SMTP relies on reliable, connection-oriented transport, and UDP would break the protocol's delivery guarantees.

997
MCQ · hard

An admin configures a VIP to map a public IP to an internal server. The firewall policy uses the VIP as the destination. External users can access the server, but the server's logs show the source IP as the FortiGate's internal interface IP instead of the original client IP. Why is this happening?

A. The VIP is configured with port forwarding and the server is expecting a different port
B. The VIP is using a different public IP than expected
C. The firewall policy has NAT enabled, which changes the source IP to the FortiGate's egress interface IP
D. The server's routing is misconfigured and traffic is returning via a different path
Answer: C

Correct. If NAT is enabled on the policy, FortiGate performs SNAT, hiding the original source.

Why this answer

A VIP performs destination NAT only. Source NAT is applied only when NAT is enabled on the firewall policy that references the VIP; the FortiGate then rewrites the source to the address of the egress (internal) interface, so the server logs the FortiGate instead of the client. To preserve the original client IP, disable NAT on the inbound policy; the server must then route return traffic back through the FortiGate (its default gateway should be the FortiGate), otherwise replies take a different path and the sessions break.
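Added example (not from the original page) that serves both Q987 and this question: two port-forwarding VIPs sharing one public IP, a single inbound policy that references both of them, and the session check that shows whether source NAT is being applied. The public IP 203.0.113.10, server 10.0.20.5, interfaces wan1/dmz and the object names are assumptions.

```text
# Added example (not from the original page). 203.0.113.10, 10.0.20.5,
# "wan1", "dmz" and the object names are assumptions.
config firewall vip
    edit "web-80"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.20.5"
        set extport 80
        set mappedport 80
    next
    edit "web-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.20.5"
        set extport 443
        set mappedport 443
    next
end

# One policy references both VIPs, so HTTP and HTTPS are both accepted.
# A policy that lists only "web-80" is the Q987 failure: 443 hits implicit deny.
config firewall policy
    edit 0
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-80" "web-443"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable        # Q997: keep the real client address visible
        set logtraffic all
    next
end

# Check what translation a live session actually received.
diagnose sys session filter dport 443
diagnose sys session list
# "hook=pre dir=org act=dnat" is the VIP's destination NAT and is expected.
# An additional "hook=post dir=org act=snat" line means NAT is enabled on the
# policy and the server will log the dmz interface address instead of the client.
```

Disabling NAT on an inbound VIP policy only works when the server's route back to the Internet goes through this FortiGate; if the server has a different default gateway, replies bypass the session and the connection stalls, which is the situation option D in Q997 describes.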

998
MCQ · easy

What is the purpose of policy-based routing (PBR) in FortiGate?

A. To load balance traffic across multiple WAN links
B. To filter traffic based on application signatures
C. To route traffic based on source address, destination, or other attributes instead of the routing table
D. To authenticate users before allowing traffic
Answer: C

PBR matches traffic using firewall-like criteria and sends it to a specified gateway or interface, independent of the routing table.

Why this answer

Policy-based routing (PBR) in FortiGate lets you override the routing table lookup by forwarding traffic based on criteria such as incoming interface, source and destination address, protocol, ports and type of service. It is configured under 'policy route' and is evaluated before the routing table, giving granular control over paths that static or dynamic routes cannot provide.

Exam trap

The trap here is that candidates often confuse PBR with SD-WAN or load balancing, but PBR is strictly about overriding routing decisions based on packet attributes, not about distributing traffic across multiple links for bandwidth or redundancy.

How to eliminate wrong answers

Option A is wrong because load balancing across multiple WAN links is achieved using ECMP (Equal-Cost Multi-Path) routing or SD-WAN rules, not PBR. Option B is wrong because filtering traffic based on application signatures is the function of Application Control, a feature within firewall policies, not PBR. Option D is wrong because authenticating users before allowing traffic is handled by firewall authentication (e.g., FSSO, LDAP) or captive portal, not by PBR.

999
MCQ · hard

A company uses FortiGate with firewall policies to control access between internal VLANs. Users in VLAN 10 report they can access internet but cannot reach a server in VLAN 20 on port 443. The server is reachable from other VLANs. The administrator checks the firewall policy configuration: there is a policy from VLAN10 to VLAN20 allowing HTTPS, with NAT disabled and logging enabled. The policy has a schedule set to 'Always'. The administrator also checks that there are no overlapping policies. What is the most likely cause?

A. NAT is disabled, so the server cannot send replies back.
B. The policy order is incorrect; a deny policy above is blocking traffic.
C. A security profile applied to the policy is blocking the HTTPS traffic.
D. The schedule is configured incorrectly and the policy is inactive during the current time.
Answer: C

Security profiles such as SSL inspection or application control can block or interfere with HTTPS traffic, especially if the server certificate is not trusted.

Why this answer

The correct answer is C because security profiles (such as web filtering, application control, or SSL inspection) applied to a firewall policy can inspect and block HTTPS traffic even when the policy itself allows the service. Since the server is reachable from other VLANs and the policy explicitly permits HTTPS with NAT disabled and logging enabled, the most likely cause is that a security profile is dropping or denying the traffic.

Exam trap

The trap here is that candidates often assume a policy allowing a service with NAT disabled is sufficient for reachability, overlooking that security profiles can independently block traffic at a higher layer, especially for HTTPS where inspection is required.

How to eliminate wrong answers

Option A is wrong because NAT is not required for reachability between internal VLANs; the server can send replies directly to the client's private IP address without NAT. Option B is wrong because the administrator has already confirmed there are no overlapping policies, so a deny policy above cannot be blocking traffic. Option D is wrong because the schedule is set to 'Always', meaning the policy is active at all times, and the users can access the internet, confirming the policy is not inactive.

1000
MCQ · easy

Which protocol does FortiGate use to synchronize sessions between HA cluster members?

A. HSRP
B. OSPF
C. VRRP
D. FGCP
Answer: D

FGCP is FortiGate's proprietary HA protocol.

Why this answer

FortiGate uses the FortiGate Cluster Protocol (FGCP) to synchronize session tables, configuration, and state information between HA cluster members. FGCP is a proprietary protocol that ensures seamless failover by replicating session data in real time, allowing the backup unit to take over active sessions without interruption.

Exam trap

The trap here is that candidates familiar with Cisco or open-standard redundancy protocols (HSRP, VRRP) may assume FortiGate uses one of those, but FortiGate relies on its proprietary FGCP for HA session synchronization.

How to eliminate wrong answers

Option A is wrong because HSRP (Hot Standby Router Protocol) is a Cisco-proprietary protocol for router redundancy, not used by FortiGate for session synchronization. Option B is wrong because OSPF (Open Shortest Path First) is a dynamic routing protocol for exchanging routing information, not for synchronizing sessions in an HA cluster. Option C is wrong because VRRP (Virtual Router Redundancy Protocol) is an open-standard protocol for default gateway redundancy, but FortiGate does not use it for session synchronization; FGCP is the dedicated HA protocol.
