Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 76150

1000 questions total · 14 pages · All types, answers revealed
76
MCQ · medium

A FortiGate administrator needs to upgrade the firmware from FortiOS 6.4 to 7.0. The administrator downloads the upgrade image but when uploading via the GUI, the FortiGate reboots and comes back with the same firmware version. What is the most likely cause?

A. The firmware image was corrupted during download.
B. The FortiGate does not support firmware upgrade via GUI; CLI must be used.
C. The administrator uploaded the wrong image (e.g., for a different FortiGate model).
D. The administrator must first upgrade to an intermediate version before 7.0.
Answer: C

If the image is for a different platform, FortiGate will reject it and reboot without upgrading.

Why this answer

Option C is correct because uploading a firmware image intended for a different FortiGate model will cause the upgrade to fail silently. The FortiGate validates the image against its hardware platform; if the image does not match, the device rejects it and reboots with the existing firmware. This is a common issue when administrators accidentally download the image for a different series (e.g., FortiGate 100F vs. 200F).

Exam trap

The trap here is that candidates may assume a reboot with unchanged firmware always indicates corruption or a need for intermediate upgrades, overlooking the critical platform validation that rejects mismatched images.

How to eliminate wrong answers

Option A is wrong because a corrupted image would typically cause a checksum error or fail to upload, not result in a reboot with the same firmware version. Option B is wrong because FortiGate fully supports firmware upgrades via the GUI; CLI is an alternative but not a requirement. Option D is wrong because FortiGate 6.4 to 7.0 is a direct upgrade path supported by Fortinet; no intermediate version is required for this jump.

77
MCQ · hard

An administrator runs the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and sees output indicating sessions with proto_state=01 and duration=3600. What does this indicate about the sessions?

A. The sessions are UDP-based and have been active for 3600 seconds.
B. The sessions are TCP connections in SYN state and have a timeout of 3600 seconds.
C. The sessions are TCP connections in established state with a duration of 3600 seconds.
D. The sessions are ICMP packets with a TTL of 3600.
Answer: C

Why this answer

The CLI command 'diagnose sys session filter dport 443' filters sessions with destination port 443, which is the default HTTPS port. The output shows 'proto_state=01' and 'duration=3600'. In FortiGate session diagnostics, 'proto_state=01' indicates a TCP session in the established state (state 1), and 'duration' is the time in seconds since the session was created, so 3600 seconds means the session has been active for one hour.

Option C correctly identifies this.

Exam trap

The trap here is confusing the 'duration' field (elapsed time since session creation) with a timeout or TTL value, and misinterpreting 'proto_state=01' as a generic protocol indicator rather than a TCP state code.

How to eliminate wrong answers

Option A is wrong because 'proto_state=01' is specific to TCP, not UDP; UDP sessions use different state codes (e.g., 00 for no state). Option B is wrong because 'proto_state=01' represents the established state, not the SYN state (which would be state 0x02 or similar), and 'duration' is the elapsed time, not a timeout value. Option D is wrong because ICMP packets do not use TCP port numbers like 443, and 'duration' is not related to TTL (Time To Live).

78
MCQ · medium

A FortiGate administrator has configured an active-passive HA cluster with two units. During a failover test, they notice that existing TCP sessions are dropped and must be re-established. What configuration change should the administrator make to ensure sessions are preserved during failover?

A. Enable session synchronization between the cluster members
B. Configure a dedicated heartbeat interface
C. Enable HA override
D. Increase the HA priority on the primary unit
Answer: A

Session sync ensures session state is shared, preserving TCP sessions during failover.

Why this answer

Session synchronization (session sync) allows the active unit to share session table entries with the passive unit. During failover, the new active unit has the session table pre-populated, so existing sessions continue without interruption.

79
MCQ · hard

An admin configures a central SNAT rule to translate source IP 10.0.0.0/24 to IP pool 203.0.113.1-203.0.113.10 using overload (PAT). A policy-based NAT on a specific policy also translates the same source to the interface IP. Traffic from 10.0.0.0/24 to the internet shows source IP as the interface IP, not from the IP pool. What is the reason?

A. The central SNAT rule is disabled
B. The policy is using fixed port range
C. Policy-based NAT overrides central SNAT rules
D. The IP pool is out of addresses
Answer: C

When both are configured, the per-policy NAT is applied first.

Why this answer

Policy-based NAT takes precedence over central SNAT. Since the policy has NAT enabled (policy-based), it overrides the central SNAT rule.

80
MCQ · medium

A mid-sized company has a FortiGate 100F running FortiOS 7.2. They have two internal networks: Trusted (10.1.1.0/24) for employees and Guest (10.2.2.0/24) for visitors. The Guest network has a firewall policy that allows internet access only, with an application control profile that blocks all peer-to-peer and gaming applications. Recently, users on the Guest network have been able to play online games (e.g., Fortnite) despite the block. The administrator checks the application control profile and confirms that 'Fortnite' is listed as blocked. There are no other policies allowing Guest traffic. The administrator also notices that the Guest policy has 'set utm-status enable' and the application control profile is applied. What is the most likely reason that Fortnite is not being blocked?

A. The firewall policy is missing 'set deep-inspection enable' for application control to work.
B. SSL inspection is required to block encrypted game traffic, and it is not enabled.
C. The application control profile is not applied to the correct policy.
D. The application control signatures are outdated and do not include the latest Fortnite signatures.
Answer: D

Outdated signatures may miss new application traffic.

Why this answer

Option D is correct because if the Application Control signatures are outdated, the FortiGate may not recognize the latest Fortnite traffic patterns or encrypted handshakes, allowing the game to bypass the block. Even though the policy has UTM enabled and the profile is applied, stale signatures cannot match new application variants or updates. Regularly updating the IPS/Application Control database via FortiGuard is essential to maintain effective blocking.

Exam trap

The trap here is that candidates often assume SSL inspection is mandatory for blocking encrypted applications, but the real issue is that outdated signatures fail to recognize the latest application variants, even when the profile is correctly applied and UTM is enabled.

How to eliminate wrong answers

Option A is wrong because 'set deep-inspection enable' is not a valid command for firewall policies; deep inspection is configured via SSL/SSH inspection profiles, not a direct policy flag, and Application Control can work without full SSL inspection if the game uses non-encrypted or partially encrypted traffic. Option B is wrong because while SSL inspection can help identify encrypted game traffic, it is not strictly required for Application Control to block applications; many games use plaintext or proprietary protocols that signatures can match without decryption, and the question states the profile already blocks Fortnite, indicating the issue is signature freshness, not inspection depth. Option C is wrong because the administrator already confirmed the Application Control profile is applied to the Guest policy, and there are no other policies allowing Guest traffic, so the profile is correctly attached.

81
MCQ · hard

An administrator configures an HA cluster of two FortiGates in active-passive mode. The cluster is synchronized, but after a failover, some existing TCP sessions are dropped. What is the most likely cause?

A. The heartbeat interface is configured as a dedicated management interface
B. Session synchronization (session-pickup) is disabled
C. The cluster is operating in NAT mode
D. The cluster is using a virtual MAC address for the HA interface
Answer: B

Session synchronization ensures sessions are replicated to the standby unit; without it, sessions are lost on failover.

Why this answer

Session synchronization (session-pickup) is required for active-passive HA clusters to replicate TCP session state from the primary FortiGate to the secondary. When disabled, the backup unit has no knowledge of existing sessions after a failover, causing those sessions to be dropped because the new primary cannot match incoming packets to any session table entry.

Exam trap

The trap here is that candidates often confuse virtual MAC addressing or heartbeat configuration with session state replication, but the core requirement for session persistence after failover is session-pickup being enabled.

How to eliminate wrong answers

Option A is wrong because a dedicated management heartbeat interface does not affect session synchronization; it only separates management traffic from HA traffic. Option C is wrong because NAT mode does not inherently cause session drops after failover; session-pickup is still required regardless of the operation mode. Option D is wrong because using a virtual MAC address for the HA interface ensures seamless Layer 2 failover but does not impact session state replication; session-pickup is the mechanism that preserves TCP sessions.

82
MCQ · medium

An administrator runs 'diagnose debug flow' and sees the output 'no matching policy'. What does this indicate?

A. The packet is being processed by a policy with the correct source/destination
B. There is no firewall policy that allows the traffic from the source to the destination
C. The packet was dropped due to an antivirus signature match
D. The packet is being routed through a blackhole route
Answer: B

'No matching policy' indicates the packet did not match any configured firewall policy.

Why this answer

The debug flow trace shows packets flowing through the firewall policy evaluation. 'No matching policy' means the packet did not match any firewall policy.

83
Multi-Select · medium

An administrator needs to configure a hub-and-spoke IPsec VPN topology. Which TWO settings must be configured on the hub FortiGate to allow spokes to communicate with each other through the hub?

Select 2 answers
A. Enable NAT on the hub's tunnel interface.
B. Set Phase 2 selectors to 0.0.0.0/0 on the hub's side.
C. Configure the hub as a DNS server for the spokes.
D. Configure IKEv2 instead of IKEv1 on all tunnels.
E. Create firewall policies on the hub that allow traffic between the spoke networks.
Answers: B, E

This allows traffic to any destination, including other spokes.

Why this answer

In hub-and-spoke, to allow spoke-to-spoke traffic via the hub, the hub must have Phase 2 selectors that cover the spoke subnets (0.0.0.0/0.0.0.0 or specific ranges), and the firewall policies must permit traffic between the spoke interfaces. Option B (Phase 2 with 0.0.0.0/0) allows any destination, and Option E (firewall policies allowing inter-spoke traffic) enables forwarding.

84
MCQ · medium

An admin runs 'diagnose sys session filter dport 443' and sees output showing sessions with 'proto=6' and 'expire=3599'. The admin notices that these sessions are not being cleaned up after the firewall policy that allowed them is deleted. What is the reason?

A. The sessions are using UDP protocol, which has a longer timeout
B. The sessions are protected by a different policy that still exists
C. The sessions are in a different VDOM
D. FortiGate does not delete existing sessions when a policy is removed; sessions must be cleared manually
Answer: D

Correct. Policy changes affect new sessions only. Existing sessions continue until they time out.

Why this answer

FortiGate does not automatically tear down existing sessions when a policy is deleted. Sessions continue until they expire naturally or are explicitly cleared. The admin must use 'diagnose sys session clear' to remove them.

85
MCQ · medium

A FortiGate administrator wants to block spam emails destined for internal users. The FortiGate receives SMTP traffic on port 25. What is the most effective way to filter spam using the email filter profile?

A. Enable spam filtering in the antivirus profile
B. Apply an email filter profile to a firewall policy that allows SMTP traffic
C. Use a DNS filter to block spam domains
D. Configure a web filter to block webmail
Answer: B

The email filter profile is designed to be applied to a policy handling email traffic (SMTP, POP3, IMAP). This is the standard method.

Why this answer

The email filter profile is applied to a firewall policy that matches SMTP traffic. It can perform spam filtering based on FortiGuard IP reputation and other heuristics.

86
MCQ · easy

A company has a FortiGate with two ISPs: wan1 (primary) and wan2 (backup). They want all outbound traffic from internal users to use wan1, and if wan1 fails, traffic should automatically fail over to wan2. The administrator configures static routes: default route via wan1 gateway with distance 10 and default route via wan2 gateway with distance 20. They also configure an SD-WAN zone with both interfaces and set a strategy of 'Manual' with 'Best Quality' for wan1. After testing, failover does not occur when wan1 goes down. What is the most likely reason?

A. The SD-WAN zone does not include the backup interface wan2.
B. The SD-WAN strategy is set to Manual, which does not automatically failover; the administrator should use an automatic strategy or configure link health monitoring.
C. The static routes have the same distance, so failover does not occur.
D. The firewall policy does not bind to the SD-WAN zone; it binds to wan1 interface directly.
Answer: B

Manual strategy requires manual intervention or link health monitoring to trigger failover; automatic strategies like Lowest Cost or Best Quality with performance SLA will failover automatically.

Why this answer

Option B is correct because when the SD-WAN strategy is set to 'Manual', the FortiGate does not automatically perform failover based on interface or link health. Manual mode requires explicit administrator action or must be combined with link health monitoring to trigger a switch. Without an automatic strategy or configured health checks, the SD-WAN zone will continue to use wan1 even if it goes down, preventing failover to wan2.

Exam trap

The trap here is that candidates assume static route distance alone handles failover, but when SD-WAN is configured with a Manual strategy, the SD-WAN rule overrides the routing table and prevents automatic failover unless link health monitoring is enabled.

How to eliminate wrong answers

Option A is wrong because the SD-WAN zone includes both wan1 and wan2 as stated in the scenario, so the backup interface is present. Option C is wrong because the static routes have different distances (10 and 20), which is the correct configuration for failover; equal distances would cause ECMP, not prevent failover. Option D is wrong because the firewall policy binding to the SD-WAN zone is not the issue; the policy can bind to the zone, but the failover failure is due to the SD-WAN strategy setting, not the policy binding.

87
Matching · medium

Match each FortiGate firewall policy action to its result.


Concepts
Matches

Allows traffic matching the policy

Blocks traffic and sends a reset or ICMP unreachable

Routes traffic into an IPsec VPN tunnel

Routes traffic into an SSL VPN tunnel

Logs traffic without enforcing action (used for learning)

Why these pairings

Policy actions determine how FortiGate handles matching traffic.

88
Multi-Select · medium

An admin needs to create a firewall policy that allows SMTP traffic (TCP/25) from the internal network (10.0.0.0/24) to a mail server in the DMZ (172.16.1.10). Additionally, the admin wants to ensure that the mail server can only be accessed by the internal network, not from the internet. Which THREE settings must be configured in the firewall policy? (Choose three.)

Select 3 answers
A. Source interface set to 'internal'
B. Set schedule to 'always'
C. Destination interface set to 'dmz'
D. Service set to 'SMTP'
E. Enable NAT to translate source IP
Answers: A, C, D

Defines where traffic originates.

Why this answer

To match the traffic, the policy needs the source interface (internal), the destination interface (dmz), the source address (the internal subnet), the destination address (the mail server), and the service (SMTP). Restricting the mail server to the internal network is achieved by not having any policy that allows traffic from the internet to the DMZ, but the question asks only about the settings in this internal-to-DMZ policy.

The three required settings among the options are the source interface, the destination interface, and the service. Address objects are also required, but the question asks for policy settings, not address objects, and only the interface and service settings appear in the options.

89
MCQ · medium

A company wants to use captive portal authentication on a guest Wi-Fi network. The FortiGate is connected to the switchport of the access point. Which firewall configuration is required to redirect unauthenticated users to the captive portal?

A. Set the 'Guest Management' feature in the FortiGate dashboard.
B. Create a policy with source interface 'guest', destination 'any', and action 'ACCEPT' with 'Authentication' set to 'Captive Portal'.
C. Configure a 'Landing Page' under SSL-VPN settings.
D. Enable 'Captive Portal' on the interface under System > Network > Interface.
Answer: B

This policy catches unauthenticated traffic and redirects to the captive portal.

Why this answer

Captive portal works by configuring a firewall policy that matches the user's traffic with 'Authentication' set to 'Captive Portal' or by enabling it directly on the interface. Typically, a policy with 'Security Mode' 'Captive Portal' forces redirect.

90
MCQ · hard

A FortiGate administrator runs 'diagnose debug flow' and sees the output 'FW-6: packet is allowed by policy' but the packet is still dropped. What additional debug information should the administrator check to determine why the packet is dropped after being allowed?

A. Check the traffic log for the session
B. Enable 'diagnose debug flow show function-name' to see more detailed stages
C. Check the session table for the packet
D. Run 'diagnose sniffer packet' to capture the packet
Answer: B

This shows the internal processing stages, which can reveal where the drop occurs.

Why this answer

After policy lookup, further processing like security profiles, NAT, or routing may drop the packet. The 'function-name' parameter in debug flow shows deeper inspection stages.

91
Multi-Select · medium

An administrator is troubleshooting why traffic from a specific source IP is not being matched by a policy route. Which THREE steps should the administrator take to diagnose the issue?

Select 3 answers
A. Disable all firewall policies to test routing.
B. Change the administrative distance of the default route to 0.
C. Verify the source address object in the policy route matches the traffic's source IP.
D. Check the policy route list order and ensure the matching condition is above the default route.
E. Use the 'diagnose debug flow' command to trace packet flow.
Answers: C, D, E

Why this answer

Option C is correct because the most fundamental step in troubleshooting a policy route mismatch is to verify that the source address object defined in the policy route exactly matches the source IP of the traffic. If the object is misconfigured (e.g., wrong subnet mask, incorrect IP range, or a typo), the traffic will never hit the policy route, regardless of other settings.

Exam trap

The trap here is that candidates often jump to modifying routing or firewall policies (Options A and B) instead of first verifying the policy route's matching criteria and order, which are the most common root causes of policy route mismatches.

92
Multi-Select · hard

A FortiGate administrator is troubleshooting an issue where a user receives a certificate error when accessing a web server. The administrator has configured SSL deep inspection with a custom CA certificate. The error indicates the certificate is not trusted. Which THREE actions could resolve this issue? (Choose three.)

Select 3 answers
A. Install the FortiGate's CA certificate on the client devices.
B. Disable SSL inspection on the firewall policy entirely.
C. Update the FortiGate firmware to the latest version.
D. Change the SSL inspection profile to 'certificate-inspection' instead of 'deep-inspection'.
E. Add the web server to the SSL exemption list in the SSL inspection profile.
Answers: A, D, E

Clients need to trust the CA that signs the re-issued certificate.

Why this answer

The correct answers are A, D, and E. Installing the FortiGate CA certificate on the clients, exempting the server from inspection, or switching the profile to certificate-inspection can all resolve the certificate error.

93
Multi-Select · medium

A FortiGate admin needs to allow inbound HTTPS traffic to a web server while also applying an application control profile to block certain web applications. The web server has a VIP configured. Which TWO components are necessary for this configuration?

Select 2 answers
A. A central SNAT rule to translate the server's response
B. A VIP configured to map the public IP to the web server's private IP
C. A security profile group containing only the antivirus profile
D. A traffic shaping policy to prioritize HTTPS
E. A firewall policy with destination set to the VIP and application control profile applied
Answers: B, E

The VIP is required for destination NAT to reach the internal server.

Why this answer

Option B is correct because a Virtual IP (VIP) is required to map the public IP address to the web server's private IP, allowing inbound traffic to reach the internal server. Option E is correct because a firewall policy must have the destination set to the VIP and must include an application control profile to enforce blocking of specific web applications on the HTTPS traffic.

Exam trap

The trap here is that candidates often think a central SNAT rule is required for return traffic, but FortiGate automatically handles reverse NAT for VIP traffic, making option A a common distractor.

94
MCQ · hard

An organization has two FortiGate units in an HA cluster. They need to perform a firmware upgrade on the primary unit without causing a failover. Which procedure should be followed?

A. Upgrade the primary unit first, then the secondary will automatically synchronize
B. Upgrade both units simultaneously using the GUI
C. Disable HA, upgrade both, then re-enable HA
D. Upgrade the secondary unit first, then perform a graceful failover, then upgrade the original primary
Answer: D

This minimizes downtime as the secondary takes over before the primary is upgraded.

Why this answer

Option D is correct because in an HA cluster, upgrading the secondary unit first ensures that the primary remains active and can take over if the upgrade fails. After the secondary is upgraded and stable, a graceful failover is performed to make it the new primary, allowing the original primary to be upgraded without causing an unplanned failover or service interruption.

Exam trap

The trap here is that candidates assume upgrading the primary first is safe because the secondary will synchronize, but they overlook that the primary reboot triggers an automatic failover, which is not a 'graceful' upgrade path.

How to eliminate wrong answers

Option A is wrong because upgrading the primary first would cause it to reboot, triggering an automatic failover to the secondary, which is not desired. Option B is wrong because upgrading both units simultaneously can lead to a split-brain scenario or both units rebooting at the same time, causing a complete outage. Option C is wrong because disabling HA breaks the cluster state and requires re-synchronization, which is disruptive and not recommended for a controlled upgrade.

95
MCQ · medium

An administrator is configuring email filtering on FortiGate to block spam. Which of the following is required for FortiGate to filter inbound email directly?

A. FortiMail must be deployed as a separate appliance
B. The FortiGate must be configured as an SMTP proxy
C. SSL deep inspection must be enabled for SMTP traffic
D. The email filtering profile must be applied to a policy covering port 110
Answer: B

FortiGate can act as an SMTP proxy to filter email traffic on port 25.

Why this answer

Option B is correct. FortiGate can be configured as an SMTP proxy in the email filter profile to intercept and filter email.

96
MCQ · easy

An administrator is configuring an active-passive HA cluster and wants to ensure that the secondary unit can be monitored and managed directly via HTTPS even when it is not the primary. Which setting must be enabled?

A. Use the same IP address for both units with different ports
B. Enable 'set management-ip' on the HA configuration
C. Configure a virtual IP address for management in the firewall policy
D. Set 'ha-mgmt-status enable' on the interface
Answer: B

The 'set management-ip' command assigns a separate IP address to each unit in the cluster, allowing direct HTTPS access to the secondary unit even when it is not active.

Why this answer

In active-passive HA, the management interface allows individual management of each unit. Enabling 'management interface' on a dedicated interface (or a VLAN) gives each unit its own IP address for out-of-band management, independent of the HA cluster IP.

97
MCQ · easy

Which log severity level indicates that a log message is for informational purposes and does not require immediate action?

A. Notice
B. Debug
C. Information
D. Warning
Answer: C

Information logs are for informational messages that do not require action.

Why this answer

Option C is correct. In FortiGate, log severity levels follow the standard syslog severities: 0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=informational, 7=debug. Informational is level 6.

98
MCQ · medium

An administrator notices that traffic to a particular subnet is being load-balanced across two WAN links, but they want all traffic to that subnet to use a single link. Which feature should be configured?

A. Policy routing
B. ECMP routing
C. Static route with higher distance
D. Route summarization
Answer: A

Policy routing can direct specific traffic to a particular interface.

Why this answer

Policy routing (also called PBR) allows you to override the routing table based on criteria such as source/destination IP, protocol, or port. By configuring a policy route that matches traffic to the specific subnet and sets the output interface to a single WAN link, you can force all that traffic to use one link instead of being load-balanced.

Exam trap

The trap here is that candidates often confuse ECMP load-balancing with the ability to pin traffic to a single link, mistakenly thinking that adjusting ECMP weights or distances will achieve the same result as policy routing.

How to eliminate wrong answers

Option B is wrong because ECMP (Equal-Cost Multi-Path) routing is exactly what causes load-balancing across multiple equal-cost routes; disabling or not using ECMP would not selectively force traffic to a single link without affecting other traffic. Option C is wrong because a static route with a higher distance would only be used as a backup if the primary route fails, but it does not prevent load-balancing when multiple equal-cost routes exist. Option D is wrong because route summarization aggregates multiple subnets into a single prefix to reduce routing table size, but it does not control which link is used for traffic to a specific subnet.

99
MCQ · easy

What is the default action of the implicit deny policy at the end of the firewall policy list?

A. Monitor (log only)
B. Allow
C. Deny
D. Redirect to authentication
Answer: C

The implicit deny policy denies any traffic that does not match an explicit permit policy. It is the default security posture.

Why this answer

In FortiGate firewalls, the implicit deny policy at the end of the firewall policy list has a default action of 'Deny'. This means any traffic that does not match an explicit firewall policy is automatically dropped. This is a fundamental security principle to ensure that only explicitly permitted traffic is allowed through the firewall.

Exam trap

The trap here is that candidates may confuse the implicit deny with the 'deny' action available in explicit policies, or mistakenly think that the implicit deny can be changed to 'allow' or 'monitor' to simplify troubleshooting, but FortiGate's design enforces a strict default-deny stance for unmatched traffic.

How to eliminate wrong answers

Option A is wrong because 'Monitor (log only)' is not a default action for the implicit deny policy; logging is a separate setting that can be enabled on any policy, but the implicit deny itself does not log by default. Option B is wrong because 'Allow' would violate the security model of a firewall, which is designed to block unauthorized traffic by default; allowing all unmatched traffic would create a significant security hole. Option D is wrong because 'Redirect to authentication' is a feature used for captive portal or user authentication policies, not for the implicit deny; the implicit deny simply drops traffic without any redirection.

100
Multi-Select · medium

Which TWO are valid actions for an application control rule?

Select 2 answers
A. quarantine
B. redirect
C. block
D. allow
E. monitor
Answers: C, D

'block' denies the application traffic.

Why this answer

Application control rules in FortiGate use actions to determine how matched traffic is handled. 'Block' is a valid action that drops the application traffic and can optionally send a reset or log the event. 'Allow' is also a valid action that permits the application traffic to pass through the firewall.

Exam trap

The trap here is that candidates often confuse 'quarantine' as an application control action because it appears in other FortiGate security features (like IPS or antivirus), but it is not a valid action for application control rules themselves.

101
MCQ · medium

A FortiGate administrator has configured an Application Control profile to block 'P2P' applications. However, users are still able to use BitTorrent. What is the MOST likely reason?

A. The firewall policy does not have SSL deep inspection enabled, and BitTorrent is using encryption
B. The Application Control profile is configured in 'Monitor' mode instead of 'Block'
C. The BitTorrent signatures are not included in the FortiGate firmware
D. The Application Control profile is applied to the wrong direction
Answer: A

Many P2P applications use encryption. Without deep inspection, App Control cannot see the traffic signatures.

Why this answer

Option A is correct. If the Firewall policy does not have 'Deep Inspection' enabled for HTTPS, encrypted P2P traffic cannot be inspected by Application Control, and the application may not be detected.

102
Multi-Select · hard

An administrator configures an IPS sensor with a signature that is triggered by traffic to a specific server. The signature is set to 'Block' but the traffic is not being blocked. The administrator verifies that the IPS sensor is applied to the correct firewall policy and that the signature is enabled. Which TWO additional checks should the administrator perform? (Choose two.)

Select 2 answers
A.Ensure that the antivirus profile is not interfering with IPS.
B.Verify that the signature's 'Action' is not overridden by a higher-priority rule in the IPS sensor.
C.Check if the firewall policy is using 'flow-based' or 'proxy-based' inspection mode. Some IPS signatures require proxy mode.
D.Check if the destination server is in the 'Local-in' policy, which may bypass IPS.
E.Confirm that the signature has a valid CVE ID.
Answers: B, C

If multiple rules match the same traffic, the highest priority rule's action takes effect. An override with 'Monitor' could prevent blocking.

103
MCQ · hard

A FortiGate administrator runs the command 'diagnose application urlfilter 0 status' and sees 'status: enable' but users report that some malicious URLs are not blocked. The web filter profile uses FortiGuard categories with 'block' action. What should the administrator check next?

A.The antivirus profile is blocking URL filtering
B.The FortiGuard web filter rating service is reachable
C.The DNS filter is overriding the web filter
D.The firewall policy is set to 'accept' without inspection
Answer: B

If the FortiGate cannot reach the FortiGuard rating servers, it may allow all URLs or use local rating only.

Why this answer

Option B is correct. The FortiGate needs connectivity to FortiGuard servers for real-time rating; without it, blocking may fail.

104
MCQ · hard

An admin runs the command 'diagnose firewall iprope list 100000' and sees the following output:

id=2000000000 action=deny flag=0x0 src-interface=any dst-interface=any proto=0 src-addr=0.0.0.0-255.255.255.255 dst-addr=0.0.0.0-255.255.255.255

What does this entry represent?

A.A loopback interface policy
B.The implicit deny policy at the end of the policy list
C.A user-created deny policy that blocks all traffic
D.A NAT policy that translates all addresses
Answer: B

The implicit deny has a fixed ID of 2000000000 and denies all unmatched traffic.

Why this answer

The ID 2000000000 is reserved for the implicit deny policy. It matches all traffic from any interface to any interface and denies it. This is the last rule checked.

105
Multi-Select · hard

An administrator is configuring a FortiGate HA cluster in active-passive mode with two units. Which three conditions must be met for failover to occur? (Choose three.)

Select 3 answers
A.A monitored interface on the primary unit goes down
B.The primary unit loses all heartbeat communication with the secondary unit
C.The secondary unit receives a higher priority configuration
D.The primary unit's CPU usage exceeds 90%
E.The primary unit stops sending session synchronization packets
Answers: A, B, E

Monitored interface failure triggers failover.

Why this answer

Option A is correct because in an active-passive HA cluster, a monitored interface going down on the primary unit triggers a failover. The FortiGate HA daemon detects the link failure and, if the interface is configured as a monitored interface, the primary unit will relinquish its active role, allowing the secondary unit to take over.

Exam trap

The trap here is that candidates often confuse high CPU or memory usage as a failover trigger, but FortiGate HA does not use resource thresholds for failover unless explicitly configured via custom scripts or SNMP traps.

106
MCQ · easy

An administrator has two FortiGate units in an active-passive HA cluster. The cluster is configured to use the heartbeat interface port3. During a failover test, the primary unit fails but the secondary does not take over. What is the most likely cause?

A.The secondary unit has an override enabled.
B.The heartbeat interface (port3) is down on the secondary unit.
C.Session pickup is disabled on the cluster.
D.The HA uptime on the secondary is less than the primary.
Answer: B

Correct; heartbeat loss prevents failover.

Why this answer

In an active-passive HA cluster, the secondary unit monitors the primary's health via the heartbeat interface. If the heartbeat interface (port3) is down on the secondary, it cannot receive or send heartbeat packets, so it will not detect the primary's failure and will not initiate a failover. This is the most direct cause of the secondary not taking over.

Exam trap

The trap here is that candidates often assume session pickup or override settings are responsible for failover behavior, when in fact the heartbeat interface status is the fundamental prerequisite for any failover to occur.

How to eliminate wrong answers

Option A is wrong because override is a feature used in active-active clusters to force a unit to become primary, not a cause for a secondary failing to take over in active-passive. Option C is wrong because session pickup (or session synchronization) affects whether existing sessions are preserved after failover, not whether the failover itself occurs. Option D is wrong because HA uptime comparison is used for tie-breaking when both units have equal priority; if the secondary has lower uptime, it would still take over if the primary fails, as long as heartbeat communication is intact.

107
MCQ · easy

Which security profile type requires a FortiSandbox license to enable advanced detection features?

A.Application Control
B.DNS Filter
C.Antivirus
D.Web Filter
Answer: C

The Antivirus profile can send files to FortiSandbox for advanced malware detection when licensed.

Why this answer

FortiSandbox integration is configured within the Antivirus profile (and optionally with other profiles) to submit suspicious files for behavioral analysis. The license enables the FortiSandbox connection.

108
MCQ · medium

An administrator runs 'diagnose sys session filter dport 443' and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A.The session is experiencing packet loss
B.The session is a UDP connection
C.The session has been active for 3600 seconds and will expire in 3599 seconds
D.The session is blocked by a firewall policy
Answer: C

duration=3600 means 3600 seconds (1 hour) since session start. expire=3599 means the session will be removed in 3599 seconds unless refreshed.

Why this answer

The output shows 'duration=3600' and 'expire=3599', which directly indicate the session has been active for 3600 seconds (1 hour) and will expire in 3599 seconds. The 'proto=6' confirms TCP (protocol 6), and 'proto_state=01' indicates an established TCP session. This is a standard FortiGate session diagnostic display.

Exam trap

The trap here is that candidates may misinterpret 'duration' and 'expire' as packet loss or blocking indicators, or confuse 'proto=6' with UDP, when in fact these fields simply show session age and remaining lifetime for an active TCP session.

How to eliminate wrong answers

Option A is wrong because the output contains no counters or flags indicating packet loss (e.g., no 'drop', 'retransmit', or 'loss' fields). Option B is wrong because 'proto=6' explicitly indicates TCP (protocol 6), not UDP (protocol 17). Option D is wrong because the session is active with a valid state ('proto_state=01') and duration/expire timers, meaning it is passing traffic, not blocked by a firewall policy.

109
MCQ · medium

A FortiGate administrator wants to ensure that in an active-passive HA cluster, a specific unit becomes the primary (active) unit after a reboot. Which configuration parameter should be set to a higher value on that unit?

A.HA session pickup delay
B.HA override
C.HA priority
D.HA group-id
Answer: C

The unit with higher priority becomes active.

Why this answer

The HA priority determines the active unit in active-passive mode; higher priority wins.

110
MCQ · hard

A FortiGate is configured with SSL inspection and web filtering. The administrator notices that some HTTPS traffic is being blocked even though the URL is in an allowed category. What could be the cause?

A.The FortiGate's DNS server is not resolving the domain correctly.
B.The web filter's 'allow' list is misconfigured.
C.The web filter profile has 'safe-search' enabled.
D.The SSL inspection profile has 'certificate-validation-failed' action set to 'block'.
Answer: D

A certificate mismatch triggers validation failure, which can block traffic.

Why this answer

When SSL inspection is enabled, the FortiGate acts as a man-in-the-middle and validates the server's certificate. If the certificate is invalid (e.g., expired, self-signed, or mismatched), the FortiGate can block the session based on the 'certificate-validation-failed' action in the SSL inspection profile. Even if the URL belongs to an allowed web filter category, a failed certificate validation will cause the traffic to be blocked before the web filter policy is applied.

Exam trap

The trap here is that candidates often assume web filtering categories alone control HTTPS traffic, forgetting that SSL inspection's certificate validation can preemptively block sessions even for allowed URLs.

How to eliminate wrong answers

Option A is wrong because DNS resolution issues would prevent the FortiGate from reaching the server at all, but the symptom here is that HTTPS traffic is blocked specifically, not that the domain is unreachable. Option B is wrong because the 'allow' list being misconfigured would affect all traffic, not just HTTPS, and the question states the URL is in an allowed category, so the web filter should permit it. Option C is wrong because 'safe-search' enforces search engine restrictions (e.g., Google SafeSearch) and does not block entire HTTPS sessions; it modifies search queries, not certificate validation.

111
MCQ · easy

What is the purpose of the 'override' setting in FortiGate HA?

A.It enables the higher-priority unit to reclaim the primary role after recovery
B.It allows management access to the cluster via a virtual IP
C.It disables HA failover during maintenance windows
D.It forces the secondary unit to become primary immediately
Answer: A

When override is enabled, a device with higher priority will become primary after it recovers from a failure.

Why this answer

HA override allows a device with higher priority to take over as primary after it recovers from a failure.

112
MCQ · hard

You run the following diagnose commands on a FortiGate and see the output:

diagnose sys session filter dport 443
diagnose sys session list
...
proto=6 proto_state=01 duration=3600 expire=3599
...

What does the 'proto_state=01' indicate?

A.The session is UDP, indicated by proto_state 01
B.The session is in a half-open state (SYN_SENT)
C.The session has been fully established
D.The session is being terminated
Answer: B

Correct. proto_state=01 corresponds to TCP SYN_SENT.

Why this answer

In FortiGate session diagnostics, 'proto_state=01' for a TCP session (proto=6) indicates the session is in a half-open state, specifically SYN_SENT, meaning the initial SYN packet has been sent but the three-way handshake has not yet completed. This is a transient state before the session becomes fully established (proto_state=02).

Exam trap

The trap here is that candidates confuse 'proto_state=01' with a fully established session because they see 'duration' and 'expire' values that look normal, not realizing that a half-open TCP session can still have a duration counter if the initial SYN was sent.

How to eliminate wrong answers

Option A is wrong because proto_state=01 is a TCP state indicator, not UDP; UDP sessions do not use proto_state values in the same way and proto=6 explicitly indicates TCP. Option C is wrong because a fully established TCP session is indicated by proto_state=02 (ESTABLISHED), not 01. Option D is wrong because a session being terminated would show a state like FIN_WAIT or TIME_WAIT, not proto_state=01 which represents an incomplete handshake.

113
MCQ · hard

An administrator configures a Central SNAT policy to translate traffic from the internal network (10.0.0.0/8) to the internet using the IP pool 'pool1'. The administrator also has a firewall policy that uses policy-based NAT with an IP pool 'pool2'. Both policies match the same traffic. Which NAT will be applied?

A.Central SNAT using pool1
B.Both NAT rules are applied in sequence
C.The traffic is dropped due to conflicting NAT configurations
D.Policy-based NAT using pool2
Answer: A

Central SNAT takes precedence over policy-based NAT. The central NAT rule will be applied.

Why this answer

When Central SNAT is enabled, it overrides policy-based NAT for matching traffic. The firewall policies are still used for access control, but the NAT is determined by the central NAT rules. Central NAT has higher precedence than policy-based NAT.

114
MCQ · easy

Which of the following log types on FortiGate records traffic that is denied by a firewall policy?

A.HA logs
B.Event logs
C.Traffic logs
D.Security logs
Answer: C

Traffic logs record all permitted and denied session attempts.

Why this answer

Traffic logs record both allowed and denied traffic based on firewall policies. Security logs record detection events (antivirus, IPS). Event logs record system events.

115
MCQ · hard

An administrator runs 'diagnose sys session filter dport 443' and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A.The session is in established state and has been active for 1 hour
B.The session is in FIN_WAIT state
C.The session is in TIME_WAIT state and will close soon
D.The session is in SYN_SENT state waiting for a SYN-ACK
Answer: A

proto_state=01 means established, duration=3600 seconds = 1 hour.

Why this answer

Option A is correct because the output shows `proto=6` (TCP), `proto_state=01` (ESTABLISHED state per Fortinet's session state encoding), `duration=3600` seconds (1 hour), and `expire=3599` seconds (nearly full lifetime remaining). This indicates the session is actively established and has been ongoing for one hour, matching the description of an established state session.

Exam trap

The trap here is that candidates misinterpret `proto_state=01` as a generic 'active' state without knowing Fortinet's specific numeric encoding, leading them to confuse it with FIN_WAIT or TIME_WAIT states that have different numeric values and shorter expire times.

How to eliminate wrong answers

Option B is wrong because `proto_state=01` corresponds to TCP ESTABLISHED, not FIN_WAIT (which would be state 05 or 06 in Fortinet's session table). Option C is wrong because TIME_WAIT state (state 09) would show a short expire value near zero, not 3599 seconds, and the session is not closing soon. Option D is wrong because SYN_SENT state (state 02) would show `proto_state=02` and a very short duration, not 3600 seconds of activity.

116
MCQ · hard

An administrator configures a Virtual IP (VIP) to map public IP 203.0.113.10 to internal server 10.0.1.10 on port 443. The firewall policy uses the VIP as the destination address. External users report they cannot connect. The administrator checks the policy and sees the destination interface is 'wan1' and source interface is 'wan1'. What is the most likely issue?

A.The destination interface should be the internal interface, not wan1
B.The policy needs NAT enabled
C.The source interface should be the internal interface
D.The VIP is not associated with the policy
Answer: A

After DNAT, the packet is destined to internal server; the outgoing interface should be internal.

Why this answer

For inbound DNAT, the firewall policy must use the incoming (WAN) interface as the source interface and the internal interface as the destination interface. If both are set to wan1, the traffic is not forwarded to the internal network.

117
MCQ · easy

An administrator wants to allow access to an internal web server from the internet using a public IP address 203.0.113.10. The internal server has IP 10.0.0.5. Which FortiGate feature should be configured to translate the destination IP?

A.Virtual IP (VIP)
B.Central SNAT
C.Policy-based routing
D.IP Pool
Answer: A

VIP translates the destination IP from public to private.

Why this answer

Destination NAT (DNAT) is used to translate the destination IP of incoming traffic. Virtual IP (VIP) is the FortiGate object for DNAT. Option A is correct.

118
MCQ · medium

An administrator needs to configure a site-to-site IPsec VPN where both sites have dynamic public IP addresses. Which IKE mode should be used?

A.IKEv2 without mode
B.Dial-up mode
C.Main mode
D.Aggressive mode
Answer: D

Aggressive mode can be used with dynamic IP addresses and uses fewer exchanges.

Why this answer

Aggressive mode is used when one or both peers have dynamic IP addresses because it uses fewer exchanges and can work with dynamic IPs. Main mode requires fixed IPs and is more secure.

119
Multi-Select · hard

A FortiGate administrator is configuring a data leak prevention (DLP) profile to prevent the leakage of social security numbers (SSNs) via email. Which TWO settings must be configured in the DLP profile?

Select 2 answers
A.Set the email filter to quarantine
B.Configure IPS to block SSN patterns
C.Enable SSL deep inspection on the firewall policy
D.Enable FortiSandbox integration
E.Create a DLP sensor that uses a custom pattern for SSNs
Answers: C, E

Why this answer

A DLP sensor with a custom pattern for SSNs is needed to detect the data. SSL deep inspection is required to decrypt email traffic (SMTP over TLS) so DLP can inspect the content. FortiSandbox and IPS do not directly handle DLP.

120
MCQ · hard

A FortiGate has a policy that allows traffic from 10.0.0.0/8 to any destination with NAT enabled using an IP pool 'Pool1' (203.0.113.10-203.0.113.20). The admin notices that internal servers using fixed ports (e.g., SIP) are failing. What is the likely cause?

A.The policy order is incorrect
B.The IP pool is configured with one-to-one NAT
C.The IP pool uses fixed port range, which should work
D.The IP pool is configured with overload (PAT), which changes source ports
Answer: D

Overload modifies source ports; protocols like SIP need consistent ports.

Why this answer

When an IP pool is configured with overload (PAT), the FortiGate translates the source IP address and also changes the source port to a random high port. For protocols like SIP that rely on fixed source ports (e.g., UDP 5060), this port remapping breaks the application because the SIP server expects traffic from a specific port. Option D correctly identifies this as the root cause.

Exam trap

The trap here is that candidates assume any IP pool will preserve source ports, but overload (PAT) mode explicitly changes them, which breaks applications that require fixed source ports like SIP, DNS, or TFTP.

How to eliminate wrong answers

Option A is wrong because policy order is irrelevant here; the traffic is matching the correct policy, but the NAT behavior is causing the issue. Option B is wrong because one-to-one NAT preserves the source port, so fixed-port protocols like SIP would work; the problem is with overload (PAT) changing ports. Option C is wrong because a fixed port range in the IP pool does not prevent PAT from altering source ports; the pool's overload mode overrides any fixed port configuration.

121
MCQ · medium

An administrator configured a DLP profile to detect credit card numbers in outgoing emails. The profile is applied to an outbound SMTP policy. Users report that emails with credit card numbers are still being sent successfully. What is the most likely cause?

A.The DLP profile is set to 'monitor' instead of 'block'
B.The DLP profile is not applied to the correct policy
C.The credit card number pattern is not correctly defined
D.The SMTP traffic is encrypted and deep inspection is not enabled
Answer: D

If SMTP over TLS is used, the FortiGate cannot inspect the email content without SSL deep inspection decrypting the traffic. DLP will not detect the credit card numbers.

Why this answer

DLP scanning requires deep inspection if the traffic is encrypted. If SMTP traffic is encrypted with TLS (SMTPS), the FortiGate needs SSL deep inspection to decrypt and inspect the content. Without it, DLP cannot see the credit card numbers.

122
MCQ · medium

A network administrator notices that users cannot access HTTPS websites after enabling SSL inspection. The firewall policy allows the traffic, and the certificate is trusted on the clients. What is the most likely cause?

A.The CA certificate used for SSL inspection is not trusted by the clients.
B.The client's browser has a proxy configured incorrectly.
C.The firewall policy has SSL inspection disabled.
D.The DNS server is not resolving the domain names.
Answer: A

If the CA certificate is not trusted, clients will block HTTPS connections.

Why this answer

Option A is correct because the most likely cause is that the CA certificate used for SSL inspection is not trusted by the clients. Even though the firewall policy allows the traffic and the server certificate is trusted on the clients, if the CA certificate used to sign the inspection certificate is not trusted, the clients will not trust the certificate presented by the firewall, resulting in HTTPS access failures.

Exam trap

The trap here is that candidates may assume that if the firewall policy allows traffic and the certificate is trusted, SSL inspection should work, but they overlook that the CA certificate used for inspection must be trusted by the clients, not just the server certificate.

How to eliminate wrong answers

Option B is wrong because an incorrectly configured proxy in the client's browser would cause issues with all HTTP/HTTPS traffic, not just HTTPS after enabling SSL inspection, and the scenario specifically states the issue occurs after enabling SSL inspection. Option C is wrong because the firewall policy has SSL inspection enabled (the administrator enabled SSL inspection), and the policy allows the traffic, so disabling SSL inspection would not be the cause. Option D is wrong because DNS resolution issues would prevent access to all websites, not just HTTPS, and the scenario specifically states users cannot access HTTPS websites after enabling SSL inspection.

123
MCQ · medium

A network administrator configured an IPsec VPN between two FortiGates. Phase 1 is up, but Phase 2 fails to establish. The diagnose output shows 'no matching proposal'. What is the MOST likely cause?

A.The firewall policy allowing the VPN traffic is missing
B.The Phase 2 encryption and authentication algorithms do not match between peers
C.The pre-shared keys do not match
D.The remote gateway IP address is incorrect
Answer: B

Phase 2 proposals must match on both sides for the tunnel to establish.

Why this answer

Phase 2 failure with 'no matching proposal' indicates that the Phase 2 parameters (such as encryption, authentication, or PFS) do not match between the two peers.

124
Multi-Select · medium

A FortiGate administrator is troubleshooting why traffic from a specific host (10.0.1.100) to a web server (203.0.113.50) is being denied. The administrator has confirmed that a firewall policy exists that should allow the traffic. Which TWO diagnostic commands would help identify the issue?

Select 2 answers
A.get system performance status
B.diagnose firewall policy list
C.diagnose debug flow
D.execute ping-options source 10.0.1.100
E.diagnose sniffer packet any 'host 203.0.113.50' 4
Answers: B, C

Shows all policies with IDs, allowing verification of policy order and details.

Why this answer

Option B is correct because 'diagnose firewall policy list' displays the effective policy table, including policy IDs, match criteria, and action (accept/deny). This helps verify whether the policy intended for the traffic is actually present and in the correct order. Option C is correct because 'diagnose debug flow' enables real-time packet flow tracing, showing exactly which policy is matched (or not) and why the traffic is denied, such as a policy hit with action 'deny' or a session table lookup failure.

Exam trap

The trap here is that candidates often confuse packet sniffing (which shows raw traffic) with flow debugging (which shows the firewall's internal decision process), leading them to choose 'diagnose sniffer packet' instead of 'diagnose debug flow' for identifying policy-based denials.

125
MCQ · easy

What is the primary advantage of using IKEv2 over IKEv1 for IPsec VPN?

A.IKEv2 requires fewer CPU resources
B.IKEv2 provides built-in NAT traversal
C.IKEv2 supports MOBIKE to handle IP address changes
D.IKEv2 supports only certificate authentication
Answer: C

MOBIKE is unique to IKEv2 and allows the VPN to continue after IP change.

Why this answer

IKEv2 is more resilient to network changes and supports MOBIKE (Mobility and Multihoming), which allows the VPN to survive IP address changes during a session, e.g., when a mobile client switches from Wi-Fi to cellular.

126
MCQ · easy

An administrator wants to send logs from a FortiGate to an external syslog server. Which log forwarding method should they configure?

A.Syslog
B.SMTP
C.NetFlow
D.SNMP
Answer: A

Syslog is the standard protocol for log forwarding.

Why this answer

Option A is correct. FortiGate supports sending logs to an external syslog server via 'config log syslogd setting'.

127
MCQ · easy

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A.The session is in a half-closed state
B.The session is about to expire
C.The session is a UDP session
D.The session is active and established
Answer: D

proto=6 (TCP), proto_state=01 (established), duration shows normal active session.

Why this answer

The output shows `proto=6` (TCP), `proto_state=01` (TCP ESTABLISHED), `duration=3600` seconds, and `expire=3599` seconds remaining. This indicates a fully established TCP session that has been active for one hour and still has nearly a full hour of idle timeout remaining. Therefore, the session is active and established, making option D correct.

Exam trap

The trap here is that candidates misinterpret `expire=3599` as 'about to expire' because they confuse the remaining idle timeout with the total session duration, or they misread `proto=6` as UDP due to common port 443 association with QUIC (UDP).

How to eliminate wrong answers

Option A is wrong because `proto_state=01` corresponds to TCP state ESTABLISHED, not a half-closed state (which would be `proto_state=09` or `0A` for FIN_WAIT or CLOSE_WAIT). Option B is wrong because `expire=3599` means the session still has 3599 seconds left before timeout, so it is not about to expire. Option C is wrong because `proto=6` indicates TCP, not UDP (which would be `proto=17`).

128
Multi-Select · medium

A FortiGate has two firewall policies for HTTP traffic to the internet: Policy A (source: 10.0.1.0/24) and Policy B (source: 10.0.2.0/24). Both policies have the same destination and service. The admin wants to apply a traffic shaper to limit bandwidth for Policy B. Which TWO actions are correct? (Choose two.)

Select 2 answers
A.Apply the shaper to both policies and use a different shaper for Policy B
B.Use a QoS queue on the outgoing interface
C.Create a traffic shaping policy that matches Policy B's source and apply the shaper
D.Enable traffic shaping on the VDOM
E.Configure a traffic shaper and apply it directly to Policy B in the firewall policy settings
Answers: C, E

Traffic shaping policies can also be used.

Why this answer

To apply a traffic shaper to a specific policy, you need to either select the shaper in the policy configuration, or use a traffic shaping policy. Also, ensure that the shaping policy is enabled and applied correctly.

129
MCQ · hard

An administrator configures an aggregate interface (port1 and port2) on a FortiGate. After connecting the switch ports, the aggregate interface shows 'down'. The individual member ports are up. What is the MOST likely cause?

A.The member ports are set to different speeds
B.The switch ports are not configured for LACP or static aggregation
C.The aggregate interface IP address is in the same subnet as the management interface
D.The FortiGate needs a reboot after creating an aggregate interface
Answer: B

The switch must have the corresponding ports in an aggregate group with matching LACP settings; otherwise, the FortiGate will not see the aggregation and the interface stays down.

Why this answer

The aggregate interface remains down because the switch ports are not configured for LACP or static aggregation. For a FortiGate aggregate interface to come up, both the FortiGate member ports and the corresponding switch ports must be configured with the same aggregation protocol (LACP active/passive or static). Without this, the switch treats the ports as individual links, causing a mismatch that keeps the aggregate interface down.

Exam trap

The trap here is that candidates assume the aggregate interface will come up automatically if the member ports are physically up, overlooking the requirement for matching aggregation configuration on the switch side.

How to eliminate wrong answers

Option A is wrong because a speed mismatch between member ports would prevent the aggregate from forming or degrade its performance, but the individual ports would still show as up; a speed mismatch alone does not necessarily show the aggregate interface as 'down', since FortiGate can still form an aggregate with speed differences in some configurations. Option C is wrong because an IP address conflict between the aggregate interface and the management interface would cause routing or connectivity issues, not prevent the aggregate interface from coming up at Layer 1/2. Option D is wrong because a reboot is not required after creating an aggregate interface; the interface state updates dynamically once the configuration and physical connections are correct.

130
MCQ · easy

What is the purpose of enabling 'Safe Search' in a web filter profile on a FortiGate?

A.It blocks all searches containing the word 'safe'.
B.It redirects users to a safe landing page when a blocked site is accessed.
C.It forces search engines to filter explicit content from search results.
D.It encrypts search queries to protect user privacy.
Answer: C

Safe Search enforces strict filtering on supported search engines (Google, Bing, Yahoo) to block adult content from search results.

131
Multi-Select · medium

An administrator is troubleshooting an IPsec VPN between two FortiGates. Phase 1 is up but Phase 2 is down. The admin runs 'diagnose vpn ike log' and sees 'no matching proposal'. To resolve this issue, which TWO settings should be checked on both ends?

Select 2 answers
A.Phase 2 PFS (Perfect Forward Secrecy) group
B.Phase 1 authentication method
C.Phase 2 local and remote subnets
D.Phase 2 encryption algorithm (e.g., AES128, AES256)
E.Phase 1 encryption algorithm
Answers: A, D

PFS group must match; if one peer has PFS disabled and the other has it enabled, Phase 2 will fail.

Why this answer

Phase 2 parameters must match exactly, especially encryption algorithm and PFS settings. The proposal mismatch can also be caused by mismatched selectors (subnets), but the question asks for the two settings most directly related to the 'no matching proposal' error.

132
Multi-Select · easy

Which TWO statements about firewall policy order are true?

Select 2 answers
A.If a packet does not match any policy, it is allowed by default
B.Policies are evaluated in the order they appear (top-down)
C.A more specific policy should be placed below a less specific one to avoid shadowing
D.Once a policy is matched, subsequent policies are still evaluated for logging purposes
E.Policy order can be changed by dragging policies in the GUI or using CLI commands
Answers: B, E

Top-down evaluation is the default behavior.

Why this answer

FortiGate firewalls evaluate policies sequentially from top to bottom. The first policy that matches the packet's source, destination, service, and other attributes is applied, and no further policies are checked. This top-down evaluation is fundamental to policy design and troubleshooting.

Exam trap

The trap here is that candidates often confuse the default action (implicit deny) with an allow-all, or they mistakenly think that logging can be performed by multiple policies after a match, when in reality only the matched policy's logging settings apply.

133
MCQmedium

An administrator is configuring a FortiGate in a transparent mode. Which of the following features is NOT available in transparent mode?

A.Source NAT
B.VLAN tagging
C.Intrusion Prevention System (IPS)
D.Security profiles (AV, web filter)
AnswerA

NAT is not available because transparent mode does not route IP packets.

Why this answer

In transparent mode the FortiGate bridges frames at Layer 2 between interfaces in the same forwarding domain; the interfaces carry no IP addresses (only a single management IP for the unit), so there is no Layer 3 hop at which to rewrite source addresses. Source NAT therefore cannot be enabled on a firewall policy, while inspection features that examine packet and application content still apply to the bridged traffic.

Exam trap

The trap here is that candidates often assume security features like IPS or AV require Layer 3 routing, but they actually operate at higher layers and work in transparent mode, while NAT is the only option that explicitly depends on Layer 3 functionality.

How to eliminate wrong answers

Option B is wrong because VLAN tagging is fully supported in transparent mode; the FortiGate can bridge 802.1Q frames and forward them by VLAN ID as a Layer 2 device. Option C is wrong because IPS inspects the packet and application payload of frames passing through the bridge and does not depend on Layer 3 routing. Option D is wrong because security profiles such as antivirus and web filtering inspect application-layer content and are likewise independent of routing, so they remain available in transparent mode.

134
MCQmedium

An administrator needs to block traffic from a specific geographic region (e.g., country) from reaching the corporate web server. Which type of address object should be used to define the source?

A.Wildcard FQDN object
B.FQDN object
C.Subnet object
D.Geography object
AnswerD

Geography objects allow selection by country/region using GeoIP, enabling policy enforcement based on geographic location.

Why this answer

Option D is correct because a Geography object in FortiGate is specifically designed to represent traffic based on geographic location (e.g., country, continent). When used in a firewall policy's source field, it allows the administrator to block or allow traffic originating from an entire country without needing to manage individual IP addresses or subnets, leveraging FortiGate's GeoIP database.

Exam trap

The trap here is that candidates may confuse Geography objects with FQDN or Subnet objects, mistakenly thinking they can manually define country IP ranges via subnets, but FortiGate's GeoIP feature automates this with a dedicated object type.

How to eliminate wrong answers

Option A is wrong because a Wildcard FQDN object matches hostnames by pattern (e.g., *.example.com) and fills its address list from the DNS responses the FortiGate observes; it represents domain names, not geographic regions. Option B is wrong because an FQDN object resolves to a specific IP address or set of IP addresses via DNS, which cannot represent an entire country's address space. Option C is wrong because a Subnet object defines a specific IP range (e.g., 192.168.1.0/24) and would require manually aggregating and maintaining every range allocated to a country, which is impractical and error-prone.
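Added example, not from the exam page, of the geography object in FortiOS CLI together with the deny policy that uses it as source. The country code (BR is an arbitrary value here), interface names and the 'Web-Server-VIP' object are assumed; the deny policy must sit above the policy that publishes the server.

```fortios
config firewall address
    edit "Geo-Blocked-Region"
        set type geography
        set country "BR"
    next
end

config firewall policy
    edit 5
        set name "Deny-Geo-to-Web"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "Geo-Blocked-Region"
        set dstaddr "Web-Server-VIP"
        set action deny
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

'diagnose firewall ipgeo ip2country <ip>' shows which country the FortiGate's GeoIP database assigns to a given source address, which is the check to run when a client is blocked or allowed unexpectedly; the database itself is updated through FortiGuard.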

135
MCQmedium

An administrator configures a captive portal on the FortiGate to authenticate guest users via a local user database. Users can connect to the SSID, but after entering credentials on the captive portal, they are not redirected to the internet. What is the most likely missing configuration?

A.A firewall policy allowing traffic from the captive portal interface to the internet with the user group
B.The DNS server is not configured on the FortiGate
C.The captive portal timeout is set too low
D.The SSID is not configured with the captive portal security mode
AnswerA

After authentication, traffic must match a policy. If missing, traffic is dropped.

Why this answer

Captive portal requires a firewall policy that permits traffic from the interface where the captive portal is enabled to the destination (internet), with authentication enabled. Option A is correct because without a policy allowing the traffic, the authentication succeeds but traffic is blocked.

136
MCQmedium

A network administrator configures an IPsec VPN between two FortiGate devices. Phase 1 completes successfully, but Phase 2 fails to establish. The administrator runs 'diagnose vpn ike log' and sees the error 'proposal mismatch'. What is the MOST likely cause?

A.The IKE version is mismatched (IKEv1 vs IKEv2)
B.The pre-shared key is incorrect
C.The firewall policies are blocking IKE traffic on UDP port 500
D.The Phase 2 local and remote subnets do not match on both ends
AnswerD

Phase 2 proposal mismatch typically occurs when the subnets defined in the Phase 2 selectors or the encryption/authentication parameters do not match between the peers.

Why this answer

Option D is correct. A proposal mismatch in Phase 2 indicates that the Phase 2 selectors (local/remote subnets, protocol, port) or the SA proposal parameters (encryption, authentication, PFS) do not match between the two peers. Options A, B and C would all prevent Phase 1 from completing, so they are ruled out by the statement that Phase 1 is up.
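Added example, not part of the exam page, showing the Phase 2 settings from questions 131 and 136 on both peers (tunnel names, Phase 1 names and subnets are assumed). Proposal, PFS group and lifetime mirror each other; the only fields that differ are the selectors, which are swapped.

```fortios
# Hub FortiGate, protecting 10.0.1.0/24
config vpn ipsec phase2-interface
    edit "ToBranch-P2"
        set phase1name "ToBranch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end

# Branch FortiGate, protecting 10.0.2.0/24: same proposal and PFS group, selectors swapped
config vpn ipsec phase2-interface
    edit "ToHub-P2"
        set phase1name "ToHub"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.0.2.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.255.0
    next
end
```

'diagnose vpn ike gateway list' confirms Phase 1 is established, and 'diagnose vpn tunnel list name ToBranch' prints the negotiated Phase 2 SA with its proposal and DH group once it is up. Changing 'set pfs enable' to 'set pfs disable' on one side only, or 'dhgrp 14' to 'dhgrp 5', reproduces the 'no matching proposal' failure from question 131 while Phase 1 stays up.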

137
MCQeasy

Which security profile is used to detect and prevent spam email messages?

A.DLP profile
B.Web filter profile
C.Email filter profile
D.Antivirus profile
AnswerC

Email filter is specifically designed for spam and email-specific threats.

Why this answer

Option C is correct: the Email filter profile provides anti-spam inspection of SMTP, POP3 and IMAP using FortiGuard antispam lookups (sender IP and URL reputation, spam signatures) together with local block/allow lists and banned-word rules.

138
Multi-Selecthard

A FortiGate has a policy that matches traffic from LAN to WAN with NAT enabled and an IP pool. The pool contains IPs 203.0.113.1 to 203.0.113.5. The administrator notices that all traffic appears to come from 203.0.113.1. Which THREE reasons could explain this?

Select 3 answers
A.Only one source IP is generating traffic
B.The IP pool is configured with 'type one-to-one'
C.The IP pool is configured with 'type overload' and all source ports are being used
D.The IP pool is configured with 'type fixed port range'
E.The 'set nat' command is missing from the policy
AnswersA, B, D

If only one client, all traffic will use that client's translation.

Why this answer

With a single internal client, all of that client's sessions translate to the same pool address whichever pool type is in use (option A). A one-to-one pool maps each internal address to exactly one external address, so one client occupies one external IP (option B). A fixed port range pool pairs an internal address range with the external range and a fixed block of ports, so a given internal address always translates to the same external address (option D). Option C is wrong because port exhaustion on an overload address does not pin traffic to that address; new sessions that cannot obtain a port simply fail, and it cannot explain why the other four addresses are never used. Option E is wrong because a policy without 'set nat enable' performs no translation at all, so traffic would keep its original source address instead of appearing from the pool.
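Added example in FortiOS CLI, not from the exam page: the three pool types named in the options, defined over the same 203.0.113.1-5 range, and the LAN-to-WAN policy that selects one of them. Interface names, policy ID and the internal range 10.0.1.1-10.0.1.250 are assumed.

```fortios
config firewall ippool
    # Overload (PAT): many internal hosts share the external addresses, ports distinguish sessions
    edit "WAN-Pool-Overload"
        set type overload
        set startip 203.0.113.1
        set endip 203.0.113.5
    next
    # One-to-one: each internal address gets its own external address while it has sessions
    edit "WAN-Pool-1to1"
        set type one-to-one
        set startip 203.0.113.1
        set endip 203.0.113.5
    next
    # Fixed port range: internal range is paired with the external range, same host -> same address
    edit "WAN-Pool-FixedRange"
        set type fixed-port-range
        set startip 203.0.113.1
        set endip 203.0.113.5
        set source-startip 10.0.1.1
        set source-endip 10.0.1.250
    next
end

config firewall policy
    edit 10
        set name "LAN-to-WAN"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "WAN-Pool-Overload"
    next
end
```

To see which address a session was given, filter the session table on the policy ('diagnose sys session filter policyid 10', then 'diagnose sys session list'): the 'hook=post dir=org act=snat' line shows the original source and the translated 203.0.113.x address. Generating traffic from two or more internal hosts and counting the distinct translated addresses separates option A from a pool-type cause.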

139
Multi-Selectmedium

A FortiGate administrator wants to ensure that logs are retained even after a power outage. Which THREE storage options provide persistent log storage? (Choose three.)

Select 3 answers
A.Local disk logs
B.FortiAnalyzer
C.FortiCloud
D.Syslog server
E.Memory buffer logs
AnswersA, B, C

Stored on local hard drive, persistent.

Why this answer

Local disk logs survive a reboot, FortiAnalyzer stores them on an external appliance, and FortiCloud keeps them in Fortinet's cloud service. Memory logs (option E) are discarded on every power cycle. A syslog server (option D) does keep what it receives on its own disk, but delivery over UDP is unacknowledged and retention is managed outside the Fortinet stack, which is why the question does not count it among the FortiGate's persistent log options.

140
Multi-Selectmedium

A FortiGate administrator wants to create a web filter profile that blocks access to social networking sites during work hours but allows them during lunch breaks. Additionally, the administrator wants to ensure that HTTPS social networking sites are blocked. Which TWO configurations are required? (Choose two.)

Select 2 answers
A.Create a web filter profile with a FortiGuard category filter that blocks the 'Social Networking' category and set a time-based schedule.
B.Apply the web filter profile to a firewall policy that uses a schedule for work hours.
C.Enable SSL deep inspection to decrypt HTTPS traffic to social networking sites.
D.Use a URL filter to manually list all social networking sites.
E.Configure DNS filter to block social networking domains.
AnswersA, C

The FortiGuard category filter in the web filter profile supplies the block action; the time-of-day behavior comes from the schedule on the firewall policy that carries the profile, so the working design is one policy with a work-hours schedule and the blocking profile, and a second policy for the lunch break with a permissive profile. Deep inspection is the answer the exam expects for enforcing the block on HTTPS; in practice certificate inspection already lets the FortiGate rate the server name from the TLS handshake and block the category, and decryption is strictly needed only when the full URL or page content must be inspected.

141
MCQmedium

Refer to the exhibit. A FortiGate has this policy configured. Traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP is being logged as allowed. However, users report that they cannot access the web server. What is the most likely issue?

A.NAT is not enabled on the policy
B.The policy is placed below a deny policy
C.The service is set to HTTP but the server uses HTTPS
D.The policy is disabled
AnswerA

Without NAT the server must route its replies to 10.0.1.x itself; if its default gateway is not the FortiGate, or it has no route to that subnet, the replies never come back through the firewall.

Why this answer

The correct answer is A because the policy allows the request from 10.0.1.0/24 to 192.168.1.10 on HTTP, so the session is created and logged as allowed in the forward direction. The reply, however, is addressed to the client's 10.0.1.x address and the web server delivers it according to its own routing table. If the server's default gateway is another router, or it has no route to 10.0.1.0/24, the reply never passes back through the FortiGate, the TCP handshake never completes, and the client sees a timeout. Enabling NAT on the policy rewrites the source to the FortiGate's address on the 192.168.1.0/24 interface, which the server can answer directly on its own subnet, so the return traffic always comes back to the firewall.

Exam trap

The trap here is that candidates see 'allowed' in the logs and assume connectivity is working; an allowed session only proves the first packet matched the policy, and asymmetric return routing still breaks the connection. The session entry from 'diagnose sys session list' makes this visible: its statistics line shows packets counted for org (client to server) but none for reply.

How to eliminate wrong answers

Option B is wrong because if a deny policy existed above this allow policy, the traffic would be denied and logged as blocked, not allowed. Option C is wrong because the policy explicitly matches HTTP (TCP port 80), and if the server uses HTTPS (TCP port 443), the traffic would not match this policy at all and would be handled by a different policy or default deny. Option D is wrong because if the policy were disabled, traffic would not match it and would not be logged as allowed; it would either match another policy or be implicitly denied.

142
MCQmedium

A FortiGate administrator needs to prevent employees from using peer-to-peer file sharing applications such as BitTorrent. The administrator creates an application control profile with a rule to block the 'Peer-to-Peer' application category. After applying the profile to the firewall policy, users can still use BitTorrent. What is the most likely cause?

A.The application control profile is applied to the outbound policy but not to the inbound policy.
B.The application control profile is set to 'Monitor' instead of 'Block' for the Peer-to-Peer category.
C.BitTorrent is not a recognized application in the FortiGuard application control database.
D.The firewall policy has SSL inspection set to certificate inspection, so the FortiGate cannot see the application.
AnswerB

If the action is monitor, traffic is logged but not blocked. The profile must be set to block.

143
MCQmedium

You run 'diagnose debug application sslvpn -1' and see the following output: sslvpn: SSL VPN tunnel mode connection from 10.0.0.5:12345 to 192.168.1.100:443 sslvpn: User 'john' authenticated successfully sslvpn: Error: no matching policy for the request. What does this indicate?

A.There is no SSL VPN policy that allows the user to access the destination IP/port
B.The user's password has expired
C.The SSL VPN interface is administratively down
D.The FortiGate is not licensed for SSL VPN
AnswerA

The error 'no matching policy' indicates missing access policy for the destination.

Why this answer

The user authenticated successfully, but no SSL VPN policy matches the traffic. In SSL VPN, after authentication (tunnel mode), the FortiGate checks SSL VPN policies to allow access to resources. If no policy matches, traffic is dropped.

144
MCQmedium

A network administrator configures a web filtering profile to block access to the 'Social Networking' FortiGuard category. However, users can still access Facebook. The firewall policy has web filtering enabled. What is the MOST likely reason?

A.The Facebook URL is cached in the user's browser
B.The FortiGuard web filter database is outdated
C.The web filter options are not set to use FortiGuard rating lookup
D.The firewall policy does not have SSL deep inspection enabled
AnswerC

Without FortiGuard rating enabled, the filter won't check categories.

Why this answer

Option C is correct because the web filter profile only consults FortiGuard categories when the FortiGuard category based filter is enabled (the ftgd-wf settings in the profile); if the profile relies only on static URL filters or local ratings, a category block on 'Social Networking' is never evaluated and Facebook loads normally. Option D is not the cause here: with the default certificate inspection profile the FortiGate already reads the server name from the TLS handshake (SNI and certificate) and can rate and block the category, so deep inspection is needed for URL-path filtering or content inspection, not for blocking a whole category.

145
MCQmedium

An SD-WAN rule is configured with a 'manual' strategy and multiple members. The engineer wants to ensure that voice traffic always uses the MPLS link as long as it meets the SLA, otherwise use the broadband link. Which configuration is required?

A.Set the strategy to 'volume' and configure MPLS as preferred.
B.Set the manual strategy with MPLS as first member and enable SLA check.
C.Use 'load balancing' strategy and assign MPLS a higher weight.
D.Set the strategy to 'best quality' and set MPLS with highest priority.
AnswerB

Correct: with the members in priority order and an SLA target bound to the rule, traffic uses the first member that meets the SLA and fails over to the next one when it does not.

Why this answer

Option B is correct because ordering the members (MPLS first, broadband second) and binding an SLA target to the rule gives exactly 'MPLS if the SLA is met, otherwise broadband'. In the FortiOS CLI this is the rule mode 'sla' (shown in the GUI as Lowest Cost (SLA)) with 'priority-members' listing MPLS first; a plain 'manual' rule follows member order and link health only and does not consult SLA results. When MPLS falls out of SLA the rule moves to the next member, and traffic returns to MPLS once it meets the SLA again.

Exam trap

The trap here is that candidates often confuse 'manual strategy' with 'best quality' strategy, assuming 'best quality' will always pick MPLS, but 'best quality' dynamically selects the best-performing link at any moment, which may not be MPLS if broadband has better SLA metrics.

How to eliminate wrong answers

Option A is wrong because the 'volume' strategy distributes traffic based on volume ratios, not on SLA compliance or preferred link selection. Option C is wrong because 'load balancing' strategy distributes traffic across members based on weights, not on SLA-based failover; a higher weight does not guarantee exclusive use of MPLS when SLA is met. Option D is wrong because 'best quality' strategy selects the link with the best SLA performance dynamically, but it does not enforce a strict preference for MPLS first; it may choose broadband if it has better metrics at that moment.

146
MCQmedium

A FortiGate administrator is troubleshooting a VPN tunnel that is not establishing. The administrator wants to view the IKE debug output in real time. Which command should they use?

A.diagnose debug application ike -1
B.diagnose debug flow filter dport 500
C.diagnose sniffer packet any "udp port 500"
D.diagnose debug application ipsec -1
AnswerA

This enables IKE debug output at maximum verbosity.

Why this answer

Option A is correct. 'diagnose debug application ike -1' enables IKE debug with verbosity level -1 (all messages). This is the standard command for debugging IPsec IKE negotiations.
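Added example, not from the exam page, of the full debug sequence around that command; the peer address 198.51.100.2 and the tunnel name 'ToBranch' are assumed. The log filter keeps the output to one peer (on FortiOS 7.0 the filter is 'diagnose vpn ike log filter rem-addr4'; on 6.x it is 'diagnose vpn ike log-filter dst-addr4'), and clearing the gateway forces a fresh negotiation so the failure is captured from the first message.

```fortios
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 198.51.100.2
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway clear name "ToBranch"
```

Each IKE message is printed with the peer address and a timestamp; a Phase 2 problem shows up right after the Phase 1 SA completes. When finished, stop the output with 'diagnose debug disable' and clear the filter and debug level with 'diagnose debug reset', since a debug left enabled on a busy unit keeps consuming CPU and console bandwidth.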

147
MCQhard

A FortiGate administrator is configuring ZTNA to secure access to an internal application. The administrator creates a ZTNA access proxy and a ZTNA rule. However, users connecting from the internet receive a 403 Forbidden error. The administrator verifies that the users are authenticated and the application is reachable. What is the MOST likely cause?

A.The firewall policy allowing traffic to the application is placed after a deny-all policy
B.The application's IP address is not included in the ZTNA access proxy's destination
C.The ZTNA access proxy does not have a valid SSL certificate
D.The ZTNA rule requires a specific client posture tag that the users' devices do not have
AnswerD

ZTNA checks client posture via FortiClient. If devices lack required posture tags, access is denied with 403.

Why this answer

Option D is correct. ZTNA rules evaluate the client's posture tags (e.g., antivirus running, OS patch level) supplied through FortiClient EMS. If the client does not carry the required tags, the access proxy denies the connection with a 403 error even though the user authenticated and the application itself is reachable.

148
Multi-Selecteasy

An organization wants to implement ZTNA (Zero Trust Network Access) on their FortiGate. Which TWO components are essential for ZTNA? (Select two.)

Select 2 answers
A.Client certificates for device posture verification
B.Identity Provider (IdP) for user authentication
C.A dedicated VPN tunnel
D.A static IP address for the client
E.A RADIUS server for two-factor authentication
AnswersA, B

Device trust is established via certificates.

Why this answer

ZTNA requires an identity provider (IdP) for user authentication and client certificates for device verification. Access proxy is also needed, but the question asks for two essential components; IdP and client certificates are core.

149
MCQmedium

A network administrator configures a new FortiGate as the default gateway for a subnet. The FortiGate has two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to load-balance outbound traffic across both links. Which configuration method will achieve this goal?

A.Configure a single default gateway and rely on ARP for failover
B.Configure a policy route for each subnet directing traffic to a different ISP
C.Configure two static default routes with different distances
D.Configure two static default routes with the same distance and metric
AnswerD

ECMP uses routes with equal administrative distance and metric to distribute traffic across multiple paths.

Why this answer

Option D is correct because two static default routes with equal distance and equal priority are both installed in the routing table, and the FortiGate performs ECMP across them. Sessions (not individual packets) are distributed between port1 and port2 according to the ECMP mode in 'config system settings': source-ip-based by default, with weight-based, usage-based (spillover) and source-dest-ip-based as alternatives. Priority is the tiebreaker for equal-distance routes, so if the two routes have the same distance but different priority values only the route with the lower value forwards traffic and no load balancing occurs.

Exam trap

The trap here is that candidates often confuse ECMP (same distance/metric) with floating static routes (different distances), mistakenly thinking that multiple default routes with different distances will load-balance, when in fact they only provide failover.

How to eliminate wrong answers

Option A is wrong because relying on a single default gateway with ARP failover does not provide load balancing; it only offers failover if the gateway becomes unreachable, and ARP is not a load-balancing mechanism. Option B is wrong because policy routes direct traffic based on source/destination criteria, not for general load balancing of all outbound traffic; they are used for selective routing, not equal distribution across two default paths. Option C is wrong because configuring two static default routes with different distances creates a primary/backup scenario (floating static route), where only the route with the lower distance is active, and the other is used only if the primary fails—no load balancing occurs.
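Added example, not from the exam page, of the two equal-cost default routes in FortiOS CLI; the ISP gateway addresses are assumed. Distance and priority are set explicitly and identically on both routes so that neither becomes a floating backup, and the ECMP mode is left at the source-ip-based default so that one client's sessions stay on one ISP.

```fortios
config router static
    edit 1
        set gateway 203.0.113.254
        set device "port1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.254
        set device "port2"
        set distance 10
        set priority 1
    next
end

config system settings
    set v4-ecmp-mode source-ip-based
end
```

'get router info routing-table all' should list 0.0.0.0/0 twice with the same [10/0]-style distance and metric, one entry per interface; if only one default route appears, the distances differ, and if both appear but traffic still uses one link, compare the priority values. Both ISPs must also be allowed by firewall policies, and a per-ISP route-map or SD-WAN is the next step when the links need health checks rather than plain hashing.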

150
MCQmedium

A FortiGate admin configures a remote user for SSL VPN tunnel mode. The user can connect but cannot access resources on the internal network. The admin checks the SSL VPN settings: tunnel mode enabled, split tunneling disabled. What is the issue?

A.The user's FortiClient is outdated
B.The SSL certificate is expired
C.The firewall policy from the SSL VPN interface to the internal network is missing or incorrectly configured
D.The user's client software is not configured to route all traffic through the tunnel
AnswerC

Traffic from the tunnel interface must be allowed by a policy to reach internal resources.

Why this answer

When split tunneling is disabled, all traffic goes through the tunnel. The internal resources may not be reachable if the VPN interface's IP pool addresses are not routed correctly or if firewall policies on the FortiGate do not allow traffic from the tunnel interface.
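Added example covering questions 143 and 150, not from the exam page: the SSL VPN settings that hand tunnel-mode users an address from SSLVPN_TUNNEL_ADDR1 and the firewall policy from ssl.root to the LAN that the 'no matching policy' error is complaining about. The user group 'SSL-Users', the address object 'LAN-Servers', the interface names and the policy ID are assumed; the policy must name the group, since a policy whose source interface is ssl.root requires user identity.

```fortios
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL-Users"
            set portal "full-access"
        next
    end
end

config firewall policy
    edit 30
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-Servers"
        set groups "SSL-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

'get vpn ssl monitor' lists the connected users with the tunnel address each received, and 'diagnose debug application sslvpn -1' (after 'diagnose debug enable') shows the policy lookup for each request. With split tunneling disabled, as in question 150, a second policy from ssl.root to the WAN interface with NAT enabled is also needed, otherwise the user's internet traffic is dropped as soon as the tunnel comes up.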
