Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 151–225

1000 questions total · 14 pages · All types, answers revealed

Page 3 of 14
151
MCQ · hard

An administrator is configuring ZTNA on a FortiGate. The goal is to allow access to an internal web server only if the client device has a specific security posture (e.g., antivirus running). Which ZTNA component is responsible for verifying the client's security posture?

A. ZTNA access proxy
B. IPsec VPN interface
C. SSL VPN portal
D. FortiClient EMS
Answer: D

EMS collects and reports endpoint posture to the FortiGate.

Why this answer

ZTNA uses an EMS (Endpoint Management Server) to collect endpoint posture information. The FortiGate queries the EMS for the client's compliance status before granting access.

152
MCQ · medium

A company wants to ensure that administrative access to FortiGate is only allowed from the internal trusted network (192.168.1.0/24) and that all other access attempts are blocked. Which CLI command should the administrator configure first?

A. config system admin; edit admin; set trusthost 192.168.1.0 255.255.255.0; end
B. config system interface; edit port1; set allowaccess ping https ssh; end
C. config system global; set admin-http-redirect enable; end
D. set admin-sport 443
Answer: A

Trusted hosts restrict administrative access to specified source IPs.

Why this answer

Option A is correct because the `config system admin` command with `set trusthost` restricts administrative login attempts to only the specified source IP address or subnet. By setting `trusthost 192.168.1.0 255.255.255.0`, the FortiGate will only allow admin access from the 192.168.1.0/24 network, blocking all other sources. This is the foundational step to enforce source-based access control for administrative interfaces.

Exam trap

The trap here is that candidates often confuse `set allowaccess` (which enables protocols on an interface) with `set trusthost` (which restricts source IPs for admin login), leading them to select Option B thinking it controls who can access the device.

How to eliminate wrong answers

Option B is wrong because `config system interface` with `set allowaccess` controls which administrative protocols (e.g., HTTPS, SSH, PING) are enabled on a specific interface, not the source IP addresses allowed to connect. Option C is wrong because `config system global` with `set admin-http-redirect enable` only redirects HTTP admin traffic to HTTPS for encryption; it does not restrict the source network of admin access. Option D is wrong because `set admin-sport 443` changes the administrative HTTPS port to 443 (or another port), but it does not filter which source IPs can reach that port.

153
MCQ · hard

An administrator is configuring HA on two FortiGates. Both units have the same model and firmware. When they are connected, neither unit becomes active. The admin checks the HA status and sees that the cluster is not formed. What is the MOST likely cause?

A. The heartbeat interface is not configured
B. The management interface is used as a heartbeat
C. The HA password is incorrect
D. The HA group-id does not match
Answer: A

Heartbeat interfaces are mandatory for HA cluster formation.

Why this answer

HA requires at least one heartbeat interface configured on both units. Without it, they cannot communicate.

154
Multi-Select · medium

An administrator is configuring web filtering on a FortiGate. Which TWO statements about web filtering profiles are correct?

Select 2 answers
A. Web filtering profiles can be used together with application control profiles.
B. Web filtering profiles can only be applied to users who are authenticated.
C. Web filtering profiles can block access to websites based on URL categories and ratings.
D. Web filtering profiles are applied globally by default.
E. Web filtering profiles are used to configure SSL certificate inspection.
Answers: A, C

Correct; they can be applied to the same firewall policy.

Why this answer

Option A is correct because web filtering profiles and application control profiles operate independently at different layers of the FortiGate security fabric. Web filtering inspects HTTP/HTTPS traffic against URL categories and ratings, while application control identifies and controls application-level traffic (e.g., Facebook, Skype) using deep packet inspection. They can be applied together in a single security policy to provide layered protection without conflict.

Exam trap

The trap here is that candidates often confuse the scope of web filtering profiles, assuming they require authentication (B) or are global by default (D), or they mistakenly think SSL inspection is configured within the web filtering profile (E) instead of as a separate inspection profile.

155
MCQ · hard

A FortiGate administrator is diagnosing a performance issue. They notice that the CPU usage is consistently high. Which command can provide a real-time view of the processes consuming CPU?

A. get system performance status
B. diagnose sys session stat
C. diagnose debug flow
D. diagnose sys top
Answer: D

This command displays a real-time process list with CPU/memory consumption.

Why this answer

Option D is correct. 'diagnose sys top' provides a real-time top-like view of processes and their CPU/memory usage, helpful for identifying resource hogs.

156
MCQ · easy

Refer to the exhibit. An administrator has configured the SSL/SSH profile shown. However, users are unable to access HTTPS websites. What is the most likely cause?

A. The 'untrusted-caname' should be set to a trusted CA certificate to handle untrusted server certificates.
B. The port is set to 443, but HTTPS also uses port 8443.
C. The 'caname' is set to 'Fortinet_CA_SSL', which is not a valid certificate name.
D. The 'whitelist-mode' is disabled, which prevents inspection.
Answer: A

Without a trusted CA for untrusted certificates, clients will see certificate warnings.

Why this answer

Option A is correct because when the SSL/SSH profile has 'untrusted-caname' set to 'Fortinet_CA_SSL' (an untrusted CA), the FortiGate cannot re-sign certificates from untrusted servers with a trusted CA. This causes HTTPS websites to fail as the client receives an untrusted certificate warning or connection error. Setting 'untrusted-caname' to a trusted CA certificate ensures that even untrusted server certificates are re-signed with a certificate the client trusts.

Exam trap

The trap here is that candidates confuse the 'caname' and 'untrusted-caname' fields, assuming any CA name is sufficient, without understanding that the CA must be trusted by the client for the re-signed certificate to be accepted.

How to eliminate wrong answers

Option B is wrong because HTTPS uses port 443 by default, and the profile is configured for port 443; port 8443 is an alternative HTTPS port but not required for standard HTTPS access. Option C is wrong because 'Fortinet_CA_SSL' is a valid default certificate name used by FortiGate for SSL inspection; the issue is not the name but its trust status. Option D is wrong because 'whitelist-mode' being disabled is the default and does not prevent inspection; it simply means all traffic is inspected unless explicitly whitelisted.

157
MCQ · hard

An administrator configures Central SNAT for traffic going from internal network (10.0.0.0/8) to the internet. The rule uses an IP Pool with overload (PAT) and the pool address is 203.0.113.10. However, traffic from 10.0.0.10 to a public server is not being NATed; the source IP remains 10.0.0.10. The firewall policy allows the traffic. What is the most likely cause?

A. The firewall policy does not have NAT enabled
B. The IP Pool is configured for one-to-one NAT instead of overload
C. The Central SNAT rule's source interface is set to 'wan1' instead of 'internal'
D. The IP Pool is configured with 'Fixed Port Range' which conflicts with overload
Answer: A

If Central SNAT fails to match, the policy must have NAT enabled for policy-based NAT to apply. Without it, no translation occurs.

Why this answer

Central SNAT rules are evaluated before policy-based NAT. If a Central SNAT rule exists but does not match the traffic (e.g., wrong source interface, destination, or pool), FortiGate falls back to policy-based NAT. If the firewall policy has no NAT enabled, the traffic is not translated.

The admin likely has Central SNAT configured incorrectly or the policy has NAT disabled.

158
MCQ · medium

A network administrator is troubleshooting why certain web-based applications are not being identified by application control. The applications are accessed over HTTPS. What is the most likely missing configuration?

A. Web filter profile is not applied to the firewall policy.
B. SSL inspection is not configured and applied to the firewall policy.
C. Deep packet inspection is not enabled on the firewall policy.
D. IPS is not enabled on the firewall policy.
Answer: B

SSL inspection is required to decrypt HTTPS for application control to work.

Why this answer

Application control relies on inspecting the content of traffic to identify applications. When traffic is encrypted with HTTPS, the firewall cannot inspect the payload without decrypting it first. Therefore, SSL inspection must be configured and applied to the firewall policy to allow the FortiGate to decrypt the traffic and match it against application control signatures.

Exam trap

The trap here is that candidates confuse 'deep packet inspection' with 'SSL inspection,' but DPI is a broader concept that includes many inspection types, and the specific missing piece for HTTPS application identification is SSL inspection, not DPI as a whole.

How to eliminate wrong answers

Option A is wrong because a web filter profile controls access to URLs and categories, not the identification of applications; application control is a separate feature. Option C is wrong because deep packet inspection (DPI) is a general term that includes SSL inspection, but the specific missing configuration for encrypted traffic is SSL inspection, not DPI in general. Option D is wrong because IPS is an intrusion prevention system that detects and blocks threats, not a mechanism for identifying applications; it does not decrypt HTTPS traffic.

159
MCQ · easy

A FortiGate administrator wants to allow traffic from the internal network to a specific external server using its fully qualified domain name (FQDN) rather than an IP address, because the server's IP changes frequently. Which type of address object should the administrator create for the destination?

A. Subnet object
B. Wildcard FQDN object
C. Geography object
D. FQDN object
Answer: D

An FQDN object resolves a single domain name to its IP address.

Why this answer

The correct answer is D, FQDN object. FortiGate FQDN objects resolve domain names to IP addresses dynamically, allowing the firewall to update the destination IP automatically when the server's IP changes. This is ideal for scenarios where the external server uses a fully qualified domain name and its IP address is not static.

Exam trap

The trap here is that candidates may confuse Wildcard FQDN objects (used for domain pattern matching) with standard FQDN objects (used for DNS resolution to a single IP), leading them to select Option B incorrectly.

How to eliminate wrong answers

Option A is wrong because a Subnet object defines a range of IP addresses using a network prefix (e.g., 10.0.0.0/24), which cannot accommodate a dynamically changing IP address tied to an FQDN. Option B is wrong because a Wildcard FQDN object is used for matching multiple subdomains (e.g., *.example.com) in firewall policies, not for resolving a single FQDN to its current IP address. Option C is wrong because a Geography object identifies traffic based on geographic location (country or region) using IP geolocation databases, not by domain name resolution.

160
MCQ · hard

A FortiGate administrator has configured a hub-and-spoke IPsec VPN. The hub FortiGate has two Phase 2 selectors with spokes, but traffic between spokes is not routed via the hub. What must be configured on the hub to allow spoke-to-spoke communication?

A. Set the hub as the default gateway on each spoke
B. Use policy-based VPN instead of route-based
C. Configure NAT on the hub
D. Enable 'add-route' on the hub Phase 2
Answer: D

When 'add-route' is enabled, the hub automatically installs routes for the remote subnets, allowing spoke-to-spoke traffic to be routed via the hub.

Why this answer

In hub-and-spoke, the hub needs Phase 2 selectors that cover the spoke subnets, and the spokes need static routes pointing to the hub for other spoke subnets. Additionally, enabling 'add-route' on the hub can help, but the key is proper Phase 2 configuration.

161
Multi-Select · medium

Which TWO of the following are valid methods to upgrade the FortiGate firmware? (Choose two.)

Select 2 answers
A. Use the GUI under System > Firmware.
B. Use the command 'execute upgrade image tftp <ip> <filename>'.
C. Use the command 'execute backup config tftp'.
D. Use the command 'execute reboot'.
E. Use the command 'execute restore config tftp'.
Answers: A, B

GUI provides a firmware upgrade option.

Why this answer

Option A is correct because the FortiGate GUI provides a dedicated interface under System > Firmware to upload and install firmware images, which is a standard and supported upgrade method. This method allows administrators to select a local or remote firmware file and apply it with minimal disruption when proper procedures are followed.

Exam trap

The trap here is that candidates may confuse backup/restore or reboot commands with firmware upgrade commands, or incorrectly assume that only GUI-based methods are valid, while the TFTP upgrade command is also a legitimate and commonly tested method.

162
MCQ · hard

A FortiGate has a policy that enables NAT with an IP pool that uses overload (port address translation). The administrator notices that some applications are failing because they require a fixed source port range. What should the administrator do to resolve this?

A. Change the IP pool type to 'Fixed Port Range'
B. Disable NAT and use policy-based routing
C. Use Central SNAT instead of policy-based NAT
D. Enable 'Preserve Source Port' in the firewall policy
Answer: A

Fixed Port Range assigns a fixed port range, meeting the application requirement.

Why this answer

The IP pool overload mode uses dynamic port allocation, which can break applications needing a consistent port range. The 'Fixed Port Range' option in the IP pool configuration assigns a fixed port range to each session, preserving the original source port or a fixed range. Option A is correct.

163
MCQ · medium

An administrator needs to integrate a FortiGate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection refused' for FortiAnalyzer. What is the most likely cause?

A. The FortiAnalyzer is not registered with the FortiGate.
B. The FortiGate is not generating any logs.
C. The FortiAnalyzer SNMP community string is incorrect.
D. A firewall is blocking the required ports between FortiGate and FortiAnalyzer.
Answer: D

Ports 514/443 must be open.

Why this answer

The 'connection refused' error indicates that the FortiGate is attempting to establish a TCP connection to the FortiAnalyzer, but the FortiAnalyzer is actively rejecting the connection attempt. This is most commonly caused by a firewall (either on the network path or on the FortiAnalyzer itself) blocking the required ports, such as TCP 514 (syslog) or TCP 443/8443 (FortiGate-FortiAnalyzer protocol). Without proper port access, the TCP handshake fails, resulting in a connection refused message.

Exam trap

The trap here is that candidates often confuse 'connection refused' with 'no route to host' or 'timeout', and may incorrectly attribute the issue to registration or log generation rather than recognizing that a TCP-level rejection points to a firewall or port blocking issue.

How to eliminate wrong answers

Option A is wrong because the FortiAnalyzer does not need to be registered with the FortiGate; registration is the opposite direction (FortiGate registers with FortiAnalyzer) and a missing registration would cause an authentication or authorization failure, not a TCP-level 'connection refused'. Option B is wrong because the FortiGate not generating logs would not cause a connection refused error; the error occurs during the initial connection setup, before any log data is transmitted. Option C is wrong because SNMP community strings are used for SNMP-based monitoring, not for FortiGate-FortiAnalyzer logging communication, which uses TCP-based protocols like syslog or FortiGate-FortiAnalyzer proprietary protocol.

164
MCQ · hard

A FortiGate is configured in an HA active-passive cluster. The primary unit fails. After the secondary takes over, a policy route configured on the primary is not working. What is the MOST likely reason?

A. The secondary unit does not support policy routes
B. The policy route configuration is not synchronized in HA
C. The HA cluster requires a reboot after failover
D. The policy route references an interface that does not exist on the new primary
Answer: D

If the secondary has different interface names or the policy route uses a specific interface index, it may not be valid.

Why this answer

When a FortiGate HA cluster fails over, the new primary unit assumes the configuration synchronized from the original primary. However, if a policy route references a specific interface (e.g., port1 or a VLAN subinterface) that is physically present on the failed unit but not on the new primary (or has a different name/index), the policy route will fail because the kernel cannot resolve the egress interface. FortiGate HA synchronizes the configuration, but interface mappings must match across cluster members for policy routes to work after failover.

Exam trap

The trap here is that candidates assume HA synchronizes everything perfectly, but they overlook that interface-dependent objects like policy routes can break if the physical interface mapping differs between cluster members.

How to eliminate wrong answers

Option A is wrong because FortiGate secondary units in an active-passive HA cluster fully support policy routes; there is no feature restriction based on role. Option B is wrong because HA synchronization includes policy route configuration by default (via the HA configuration synchronization mechanism), so the configuration is present on the secondary. Option C is wrong because HA failover does not require a reboot; the secondary takes over seamlessly without a reboot, and a reboot would only be needed if the cluster is recovering from a split-brain or other severe error.

165
MCQ · medium

An administrator configures an application control profile to block 'Facebook' and 'Twitter' using application signatures. Users can still access Facebook via HTTPS. The administrator has enabled deep inspection. What is missing?

A. The application control profile must be applied to both ingress and egress policies
B. The firewall policy must have inspection mode set to 'proxy-based' for application control to work with HTTPS
C. The application signatures need to be updated to the latest version
D. The web filter profile must be set to 'authenticate' for the connection
Answer: B

Application control for HTTPS requires proxy-based inspection mode because it needs to reassemble the SSL stream. Flow-based mode may not apply application control to encrypted traffic.

Why this answer

Application control requires the firewall policy to be set to 'proxy-based inspection' for HTTPS traffic. Even with deep inspection enabled, if the policy is flow-based, application control may not inspect HTTPS traffic correctly.

166
MCQ · medium

An administrator needs to configure a firewall policy that allows internal users to access a specific web server on the internet using its domain name. The web server's IP address may change. Which type of address object should be used as the destination in the policy?

A. IP Range object that covers the entire public IP space
B. Subnet object with the current IP address
C. FQDN address object
D. Geography object
Answer: C

FQDN objects allow DNS resolution to be used, so the policy works even if the IP changes.

Why this answer

An FQDN address object resolves the domain name to IP addresses dynamically. This allows the policy to adapt to IP changes, unlike a subnet object.

167
MCQ · easy

A network administrator wants to authenticate VPN users against an existing LDAP server. Which authentication method should be configured on the FortiGate?

A. FSSO
B. LDAP
C. RADIUS
D. Local
Answer: B

LDAP authentication queries the LDAP server for user credentials.

Why this answer

LDAP is the correct protocol for authenticating against an LDAP server. Local is for local users, RADIUS for RADIUS servers, and FSSO for SSO with Active Directory.

168
Multi-Select · medium

A security administrator wants to ensure that all DNS queries from internal users are filtered to block access to known malicious domains. Which TWO configurations must be applied?

Select 2 answers
A. Enable deep inspection on the firewall policy
B. Apply the DNS Filter profile to the firewall policy that allows DNS traffic
C. Enable DNS inspection on the SSL/SSH inspection profile
D. Create a DNS Filter profile to block malicious domains
E. Configure a DNS server on the FortiGate
Answers: B, D

The profile must be attached to the policy to be enforced.

Why this answer

Options A and C are correct. A DNS filter profile must be created with categories, and the firewall policy for DNS traffic must reference that profile.

169
MCQ · medium

A FortiGate is configured with an IPS profile to protect a web server. The administrator notices that some attacks are not being detected. The IPS signature database is up to date. What should the administrator check first?

A. Increase the severity level of the IPS sensor.
B. Ensure the IPS profile is applied to the firewall policy that handles traffic to the web server.
C. Disable flow-based inspection and enable proxy-based inspection.
D. Change the IPS signature action from 'default' to 'block'.
Answer: B

If the IPS profile is not applied to the correct policy, traffic will not be inspected. This is a common misconfiguration.

170
Multi-Select · medium

An administrator is configuring policy-based routing (PBR) on a FortiGate to route traffic from a specific subnet (172.16.1.0/24) through a different internet connection (wan2) instead of the default route via wan1. The administrator has created a PBR rule matching source 172.16.1.0/24 and set the gateway to the next-hop IP on wan2. The traffic is still using wan1. Which THREE of the following could be causing the issue? (Choose three.)

Select 3 answers
A. The PBR rule's gateway is not reachable from the FortiGate
B. The PBR rule's priority is set too high (e.g., 100) and a static route with lower priority is used instead
C. The PBR rule is applied to the wrong incoming interface
D. The PBR rule is disabled
E. The PBR rule's destination is set to 'all' but the traffic's destination is not covered
Answers: A, C, D

If the next-hop is unreachable, the rule is not used and traffic falls back to the routing table.

Why this answer

PBR requires the rule to be enabled, the gateway to be reachable, and the rule's priority to be higher (lower number) than other routes. Also, the PBR must be applied to the correct incoming interface. If the interface is wrong, or the gateway is unreachable, or the rule is disabled, PBR will not work.

171
MCQ · medium

A FortiGate administrator needs to integrate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection status: disconnected'. What is the most likely cause?

A. The FortiGate is in transparent mode.
B. The FortiAnalyzer firmware version is newer than the FortiGate's.
C. The administrator forgot to enable HTTPS for log upload.
D. The FortiGate does not have a route to the FortiAnalyzer.
Answer: D

Why this answer

The most likely cause is that the FortiGate does not have a route to the FortiAnalyzer. Even with the correct IP and logging enabled, the FortiGate must be able to reach the FortiAnalyzer over the network; without a valid route, the TCP connection (typically on port 514 for syslog or port 443/541 for FortiGate-FortiAnalyzer protocol) will fail, resulting in a 'disconnected' status.

Exam trap

The trap here is that candidates often assume a configuration or protocol mismatch (like HTTPS or firmware version) is the cause, when the fundamental issue is simple network reachability—FortiGate cannot connect to FortiAnalyzer without a valid route.

How to eliminate wrong answers

Option A is wrong because transparent mode does not inherently prevent connectivity to FortiAnalyzer; the FortiGate can still send logs as long as it has a management IP and a route. Option B is wrong because firmware version differences do not cause a 'disconnected' status; FortiAnalyzer and FortiGate can interoperate across versions, though some features may be limited. Option C is wrong because HTTPS is not required for log upload; FortiGate typically uses syslog (UDP/TCP 514) or the FortiGate-FortiAnalyzer protocol (TCP 541) for logging, and HTTPS is used for web management, not log transport.

172
MCQ · medium

An administrator runs 'diagnose sys session filter dport 443' and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A. The session is in the process of being established and has not completed the TCP three-way handshake
B. The session is a UDP session because the proto_state is 01
C. The session has been closed and is being removed from the session table
D. The session is fully established and has been active for 3600 seconds
Answer: A

proto_state=01 means the first SYN has been sent but no SYN-ACK received, indicating the handshake is incomplete.

Why this answer

The output shows `proto=6` (TCP), `proto_state=01`, `duration=3600`, and `expire=3599`. In FortiGate session diagnostics, `proto_state=01` for TCP indicates the session is in the SYN-SENT state, meaning the initial SYN packet has been sent but the three-way handshake (SYN-ACK) has not yet been received. The session has been active for 3600 seconds but has not yet completed establishment, which is why the correct answer is A.

Exam trap

The trap here is that candidates see `duration=3600` and assume the session is fully established and active, but they overlook that `proto_state=01` indicates the TCP handshake is incomplete, not an established connection.

How to eliminate wrong answers

Option B is wrong because `proto=6` explicitly indicates TCP, not UDP (UDP uses protocol 17), and `proto_state=01` is a TCP state indicator, not a UDP one. Option C is wrong because a closed session being removed would show a `proto_state` of 06 (TIME_WAIT) or 07 (CLOSE_WAIT), and the expire timer would be very low or zero, not 3599 seconds. Option D is wrong because a fully established TCP session would show `proto_state=02` (ESTABLISHED), not `01` (SYN-SENT); the duration of 3600 seconds with an expire of 3599 suggests the session has been waiting for handshake completion for that entire time, which is abnormal.

173
MCQ · easy

A FortiGate is configured in transparent mode. Which of the following statements is true?

A. The FortiGate can have multiple routing tables
B. The FortiGate supports VLAN sub-interfaces
C. The FortiGate acts as a router and performs NAT
D. The FortiGate interfaces have IP addresses for management only
Answer: D

Interfaces are in bridge mode; a management IP is assigned to the bridge.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses rather than IP addresses. Interfaces do not require IP addresses for data forwarding; they only need IP addresses for management access (e.g., HTTPS, SSH, or SNMP). This makes option D correct.

Exam trap

The trap here is that candidates often assume transparent mode still supports routing or NAT because they confuse it with NAT/route mode, but transparent mode explicitly disables routing and NAT, focusing solely on Layer 2 bridging and firewall inspection.

How to eliminate wrong answers

Option A is wrong because transparent mode uses a single routing table (the management VDOM's routing table) and does not support multiple routing tables, which are a feature of NAT/route mode. Option B is wrong because VLAN sub-interfaces are not supported in transparent mode; the FortiGate treats VLANs as separate interfaces but cannot create sub-interfaces on physical ports. Option C is wrong because transparent mode does not perform routing or NAT; it acts as a transparent bridge, forwarding frames without modifying IP headers.

174
MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A. The session is using UDP protocol
B. The session is blocked by the firewall policy
C. The session is in SYN-SENT state
D. The session has been established for 3600 seconds and will expire in 3599 seconds
Answer: D

Duration and expire fields show ages.

Why this answer

Option C is correct: The session has been active for 3600 seconds and will expire in 3599 seconds (almost fresh start). 'proto_state=01' indicates TCP three-way handshake completion.

175
MCQ · hard

An admin is configuring a policy-based NAT rule (central NAT) to translate internal users' source IPs to the external IP of the FortiGate interface. However, users complain that some applications fail. The admin notices that the NAT rule is using 'dynamic IP pool' with overload. What is the MOST likely cause of the application failures?

A. The IP pool is exhausted and no more translations are available
B. The route to the destination is missing
C. The applications are sensitive to NAT and require a fixed port range
D. The firewall policy does not have NAT enabled
Answer: C

Some applications (e.g., SIP, FTP) need predictable port mappings; overload can break them.

Why this answer

Applications sensitive to NAT, such as SIP, H.323, or FTP, often require a fixed port range or an explicit NAT rule that preserves the original source port. When a dynamic IP pool with overload (PAT) is used, the FortiGate may change the source port, breaking protocols that embed IP addresses or port information in the payload. This is the most likely cause of application failures in this scenario.

Exam trap

The trap here is that candidates often assume IP pool exhaustion (Option A) is the cause, but the question specifies 'some applications fail' rather than all traffic failing, pointing to application-layer NAT sensitivity rather than resource exhaustion.

How to eliminate wrong answers

Option A is wrong because an exhausted IP pool would cause new sessions to fail, but existing sessions would continue; the complaint is about application failures, not a complete inability to connect. Option B is wrong because a missing route would prevent all traffic to the destination, not just specific applications. Option D is wrong because the question states a policy-based NAT rule is configured, which inherently enables NAT; the firewall policy does not need a separate NAT enable checkbox when central NAT is used.

176
MCQ · easy

A FortiGate administrator needs to authenticate VPN users against an LDAP server. What is the primary purpose of the 'CN=,OU=,DC=' distinguished name (DN) configured in the LDAP server settings?

A. It is used to encrypt LDAP communication
B. It defines the IP address of the LDAP server
C. It specifies the base DN for searching users
D. It specifies the bind user credentials to connect to the LDAP server
Answer: D

The DN and password are used to authenticate the FortiGate to the LDAP server.

Why this answer

The DN is used to bind to the LDAP server for user authentication and to search for users. It identifies the user object that FortiGate uses to authenticate.

177
MCQmedium

An administrator is configuring a site-to-site IPsec VPN between two FortiGates. After applying the configuration, the VPN status shows 'down'. Phase 1 parameters are identical on both sides. What is the most likely cause of the failure?

A.The Phase 2 selectors (local and remote subnets) are mismatched.
B.The pre-shared keys do not match.
C.The firewall policies are not configured.
D.NAT traversal is disabled but both FortiGates are behind NAT.
AnswerA

Phase 2 requires matching proxy IDs.

Why this answer

When Phase 1 parameters are identical and the VPN is down, the most common cause is a mismatch in Phase 2 selectors (local and remote subnets). Phase 2 uses these selectors to negotiate the IPsec security associations (SAs); if they do not match exactly on both sides, the IKEv1/v2 Quick Mode or Child SA exchange will fail, leaving the tunnel in a 'down' state even though Phase 1 (IKE SA) may be up.

Exam trap

The trap here is that candidates often assume a Phase 1 mismatch (like pre-shared keys) is the cause when the VPN is down, but the question explicitly states Phase 1 parameters are identical, forcing the focus to Phase 2 selector mismatches, which is a classic NSE4 exam trick.

How to eliminate wrong answers

Option B is wrong because if the pre-shared keys did not match, Phase 1 authentication would fail, and the VPN status would show 'down' with a Phase 1 error, but the question states Phase 1 parameters are identical, implying the pre-shared keys match. Option C is wrong because firewall policies are required to permit traffic through the tunnel, but their absence does not cause the VPN tunnel itself to be 'down'; the tunnel can be up even without policies, but traffic will not pass. Option D is wrong because NAT traversal (NAT-T) being disabled while both FortiGates are behind NAT would cause Phase 1 to fail due to encapsulation issues, but the question states Phase 1 parameters are identical and does not indicate a Phase 1 failure; NAT-T mismatch typically manifests in Phase 1, not Phase 2.

178
MCQmedium

A FortiGate administrator has configured a firewall policy with SSL deep inspection using a forward trust CA certificate. When users access an HTTPS website with a valid certificate, they still receive a certificate warning. What is the MOST likely reason?

A.The website certificate is expired
B.The forward trust CA certificate is not installed on the users' devices
C.The firewall policy is set to certificate inspection instead of deep inspection
D.The FortiGate's CA certificate is not trusted by the browser
AnswerB

Why this answer

For deep inspection, the FortiGate's CA certificate must be installed and trusted on client devices. Otherwise, browsers will show a warning that the connection is not private because the certificate is issued by an untrusted authority.

179
MCQeasy

A remote user reports that they can connect to the FortiGate SSL VPN portal but cannot access internal resources. The administrator checks the SSL VPN settings and sees that the tunnel mode is enabled with split tunneling. What is the most likely cause?

A.The IP pool is exhausted and no IP address was assigned.
B.The firewall policy allowing SSL VPN traffic to internal resources is missing.
C.The routing table on the client is missing the internal network routes.
D.The SSL VPN authentication timeout is too short.
AnswerC

Split tunneling requires proper routes to internal networks.

Why this answer

With split tunneling enabled, the FortiGate SSL VPN portal connection succeeds, but the client's routing table does not automatically include routes for the internal network. Without those routes, traffic to internal resources is sent to the default gateway instead of through the VPN tunnel, causing access failure. This is the most likely cause because the user can authenticate and establish the tunnel but cannot reach internal subnets.

Exam trap

The trap here is that candidates assume split tunneling automatically includes all internal routes, but in FortiGate SSL VPN, split tunneling requires explicit route configuration to direct internal traffic through the tunnel.

How to eliminate wrong answers

Option A is wrong because an exhausted IP pool would prevent the tunnel from establishing entirely, not just block resource access while the portal connects. Option B is wrong because a missing firewall policy would block all SSL VPN traffic, including portal access, not just internal resource access. Option D is wrong because an authentication timeout would cause disconnection or reauthentication prompts, not a persistent inability to access internal resources while remaining connected.

180
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?

A.The session has expired and will be removed in 1 second
B.The session is closing and has 3599 seconds until the entry is removed
C.The session is initiating a TCP connection and has not yet completed the handshake
D.The session is fully established and has been active for 3600 seconds
AnswerC

proto_state=01 indicates SYN_SENT, meaning the session is still in the handshake phase.

Why this answer

proto_state=01 means TCP SYN_SENT state, meaning the three-way handshake is incomplete. The session is still establishing.

181
MCQhard

A FortiGate administrator notices that the IPsec VPN tunnel is established but traffic is not passing. The firewall policy allowing traffic from the remote subnet to the local subnet is in place. What is the MOST likely cause?

A.The VPN tunnel is a policy-based VPN and the policy is incorrectly configured
B.The Phase 2 proposal includes PFS, but the remote side does not
C.The local firewall is blocking ICMP
D.There is no static route on the FortiGate for the remote subnet pointing to the tunnel interface
AnswerD

Without a route, the FortiGate does not know how to forward traffic to the remote subnet even if the tunnel is up.

Why this answer

If the tunnel is up but no traffic passes, it could be due to routing misconfiguration, such as missing static routes for the remote subnet pointing to the VPN tunnel interface.

182
MCQmedium

An administrator needs to configure a FortiGate to send logs to an external FortiAnalyzer. Which setting is required?

A.Setting the log disk quota
B.Configuring syslog server
C.Enabling FortiCloud logging
D.Configuring FortiAnalyzer under Log Settings
AnswerD

Under Log & Report > Log Config, you can add a FortiAnalyzer device.

Why this answer

FortiGate uses the 'Log Device' or 'FortiAnalyzer' configuration to send logs to an external FortiAnalyzer.

183
MCQhard

You run the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and see this output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate?

A.The session is a TCP connection that has been active for 1 hour and will expire in 3599 seconds
B.The session is using TCP and has been open for 3600 seconds with a remaining lifetime of 3599 seconds, indicating it is a long-lived session
C.The session is UDP and the output indicates an ICMP error
D.There is a problem because the session duration equals the expire time, meaning it will be removed immediately
AnswerB

The output shows duration 3600 (seconds since session created) and expire 3599 (seconds until session removal). This is normal for a persistent HTTPS session.

Why this answer

Option B is correct because the output shows a TCP session (proto=6) with a duration of 3600 seconds (1 hour) and an expire value of 3599 seconds, meaning the session has been active for 3600 seconds and will be removed in 3599 seconds if no further traffic is seen. This indicates a long-lived session, typical for persistent connections like HTTPS, where the session timer resets with each packet.

Exam trap

The trap here is that candidates misinterpret 'duration' and 'expire' as being equal or see the large numbers and assume a problem, when in fact the values indicate a normal long-lived session with the TCP timeout nearly reached but not expired.

How to eliminate wrong answers

Option A is wrong because it states the session has been active for 1 hour and will expire in 3599 seconds, which is factually correct but does not address the key implication that this is a long-lived session, making it incomplete rather than technically incorrect; however, the question asks what the output indicates, and B provides the full interpretation. Option C is wrong because proto=6 is TCP (not UDP), and the output shows a TCP state (proto_state=01, which is TCP_ESTABLISHED), not an ICMP error. Option D is wrong because the duration (3600) and expire (3599) are not equal; they differ by 1 second, and the session is not being removed immediately—expire indicates remaining lifetime, not a problem.

184
MCQeasy

Which authentication method allows a FortiGate to transparently authenticate users based on their Active Directory login events without prompting for credentials?

A.RADIUS authentication
B.FSSO (Fortinet Single Sign-On)
C.Local database authentication
D.LDAP authentication
AnswerB

FSSO uses Active Directory login events to automatically authenticate users without prompting.

Why this answer

Option B is correct. Fortinet Single Sign-On (FSSO) captures AD login events (via polling or agent) and maps them to users on the FortiGate, enabling transparent authentication for firewall policies.

185
Multi-Selectmedium

An administrator configures a DLP profile to detect Social Security numbers in outbound traffic. The profile is applied to an outbound HTTP policy. Which TWO additional configurations are necessary for the DLP to inspect HTTPS traffic?

Select 2 answers
A.Set the firewall policy inspection mode to proxy-based
B.Add an SSL exemption for the destination servers
C.Enable SSL/TLS deep inspection on the firewall policy
D.Create a DLP sensor with the correct pattern and apply it to the policy
E.Configure a web filter profile to allow the traffic
AnswersC, D

Without deep inspection, the DLP engine cannot see the content of HTTPS traffic.

Why this answer

DLP scanning of HTTPS traffic requires SSL deep inspection to decrypt the traffic. Additionally, the firewall policy must have deep inspection enabled and the DLP profile must be applied. The inspection mode (flow vs proxy) may affect performance but both can work.

186
MCQhard

A FortiGate admin is troubleshooting intermittent VPN disconnections. The admin enables debug flow with 'diagnose debug flow filter daddr 10.0.0.1' and 'diagnose debug flow trace start 10'. The output shows 'msg: send to x.x.x.x via intf port1' but then immediately 'msg: no matching policy'. However, the firewall policy list shows a policy that should match. What is the most likely cause?

A.The policy's source interface is not the incoming interface
B.The firewall policy is disabled
C.The VPN tunnel is down
D.A static route is missing or incorrect, causing the traffic to exit the wrong interface
AnswerD

The traffic should be routed into the VPN tunnel (e.g., interface ssl.root or vpn-interface). Instead, it is routed out port1 (the internet interface). This is a routing problem. The policy lookup then fails because there is no policy on port1 for that destination (or the policy on port1 has different source/destination).

Why this answer

The 'no matching policy' message indicates that the traffic did not match any policy. The debug shows the traffic going out via port1, but the policy might be configured on a different interface (e.g., the VPN interface). In a VPN scenario, traffic destined for the remote subnet must match a policy from the VPN tunnel interface to the destination.

If the traffic is being routed out port1 (the physical WAN) instead of through the VPN tunnel, the policy check fails. This is often due to missing or incorrect routing. Alternatively, the policy might be correctly configured but the traffic is being processed on the wrong VDOM, but the routing issue is more common.

187
MCQeasy

An administrator wants to troubleshoot a traffic flow issue on a FortiGate. They suspect packets are being dropped. Which command should they use to perform a real-time packet capture on an interface?

A.diagnose sniffer packet
B.get system performance status
C.diagnose sys session list
D.diagnose debug flow
AnswerA

This is the standard command for packet capture on FortiGate.

Why this answer

Option A is correct. The 'diagnose sniffer packet' command is used to capture packets in real time on FortiGate interfaces.

188
Matchingmedium

Match each Fortinet security feature to its primary function.

Concepts
Matches

Detects and prevents network intrusions

Identifies and controls application traffic

Blocks access to malicious or unauthorized websites

Scans and removes malware from traffic

Decrypts and inspects encrypted traffic

Why these pairings

These are core UTM features of FortiGate.

189
Drag & Dropmedium

Drag and drop the steps to configure IPsec VPN phase 1 settings on FortiGate into the correct order.


Why this order

Phase 1 establishes the secure channel; key parameters include remote gateway, PSK, IKE version, and encryption.

190
MCQmedium

A network administrator has configured a static route on a FortiGate with a distance of 10 and a priority of 0. Later, they add another static route to the same destination with a distance of 15 and priority of 0. Which route will be used for traffic forwarding?

A.The route with distance 15 because it has a higher priority
B.Both routes will be used for ECMP load balancing
C.The route with distance 15 will be used because it was added last
D.The route with distance 10 because it has a lower administrative distance
AnswerD

Correct. FortiGate selects the route with the lowest administrative distance. If distances are equal, then priority is used as a tiebreaker.

Why this answer

The correct answer is D because the FortiGate uses administrative distance as the primary metric for route selection when multiple static routes exist to the same destination. A lower administrative distance (10) is preferred over a higher one (15), regardless of the order in which the routes were added. Priority (0 in both cases) is a tie-breaker only when distances are equal, so it does not affect this decision.

Exam trap

The trap here is that candidates often confuse administrative distance with priority or assume that the most recently added route takes precedence, but FortiGate strictly follows the lower administrative distance rule for route selection.

How to eliminate wrong answers

Option A is wrong because a higher distance value indicates lower preference, not higher priority; administrative distance is the primary metric, and lower is better. Option B is wrong because ECMP (Equal-Cost Multi-Path) requires routes to have the same administrative distance and metric; here distances differ (10 vs 15), so ECMP does not apply. Option C is wrong because the FortiGate does not use the order of addition as a routing decision factor; the route with the lower administrative distance is always preferred, regardless of which was added last.

191
Multi-Selectmedium

An admin needs to configure NAT so that internal users (10.0.0.0/24) accessing the internet (any destination) are translated using an IP pool (203.0.113.10-203.0.113.20) with overload. The admin also needs to ensure that traffic from a specific server (10.0.0.100) always uses a fixed source port range (10000-20000) when translated. Which TWO configuration steps are required? (Choose two.)

Select 2 answers
A.Configure the IP pool with one-to-one NAT
B.Create a central SNAT rule for 10.0.0.0/24 using the IP pool with overload enabled
C.Use policy-based NAT instead of central SNAT
D.Disable NAT on the firewall policy for the server
E.Create a central SNAT rule for 10.0.0.100 using the IP pool with fixed port range enabled
AnswersB, E

This translates the subnet with PAT.

Why this answer

To achieve this, the admin must configure a central SNAT rule for the subnet with overload, and a separate central SNAT rule (or fixed port range) for the server using fixed port range. Alternatively, the server could have a policy-based NAT with fixed port range, but central SNAT is specified. The question implies using central SNAT for both.

192
MCQhard

An admin runs the following command on a FortiGate: 'diagnose sys session filter dport 443' and sees output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate?

A.The session is stuck in a half-open state due to a firewall policy misconfiguration
B.The session is in the SYN_SENT state and is not yet fully established
C.The session is fully established and has been active for 3600 seconds
D.The session is using UDP protocol
AnswerB

proto_state=01 corresponds to TCP SYN_SENT, meaning the three-way handshake is not complete.

Why this answer

Option B is correct. The session state '01' indicates a TCP session in the SYN_SENT state, meaning the session is still in the process of being established. The short duration and expire time suggest it is a new session.

193
MCQeasy

Which log severity level indicates a failure that requires immediate attention?

A.Debug
B.Emergency
C.Warning
D.Information
AnswerB

Emergency indicates a system-level failure requiring immediate action.

Why this answer

In Fortinet's FortiOS, log severity levels follow the standard syslog protocol (RFC 5424). The 'Emergency' level (severity 0) indicates a system is unusable or has experienced a critical failure that requires immediate administrator intervention, such as a hardware failure or a security breach. This is the highest severity level, designed to alert for urgent action.

Exam trap

The trap here is that candidates often confuse 'Warning' with a critical failure, but 'Warning' only indicates a potential problem, while 'Emergency' is the only level that signifies a system-wide failure requiring immediate attention.

How to eliminate wrong answers

Option A is wrong because 'Debug' (severity 7) is the lowest severity level, used for detailed troubleshooting information and does not indicate any failure. Option C is wrong because 'Warning' (severity 4) indicates a potential issue that might require attention but does not denote an immediate failure requiring urgent action. Option D is wrong because 'Information' (severity 6) is a normal operational message, such as a successful login or configuration change, and does not represent any failure.

194
MCQmedium

A FortiGate is configured with two WAN interfaces in an active-passive HA cluster. The administrator notices that the passive unit is not synchronizing configuration changes from the active unit. What is the MOST likely cause?

A.The HA heartbeat interface is not configured or is down.
B.The passive unit has a different firmware version.
C.The HA mode is set to active-active instead of active-passive.
D.The administrator must manually trigger a sync from the active unit.
AnswerA

Configuration synchronization occurs over the heartbeat link. If it's not working, sync fails.

Why this answer

In an HA cluster, the heartbeat interface is responsible for synchronizing configuration changes and monitoring peer status between the active and passive units. If the heartbeat interface is not configured or is down, the passive unit cannot receive configuration updates from the active unit, leading to a synchronization failure. This is the most likely cause because without a functional heartbeat link, the cluster cannot maintain state or configuration consistency.

Exam trap

The trap here is that candidates often assume synchronization is triggered manually or that HA mode affects sync behavior, but FortiGate HA relies entirely on a functional heartbeat link for automatic configuration replication, regardless of the active-passive or active-active mode.

How to eliminate wrong answers

Option B is wrong because while different firmware versions can cause compatibility issues, the HA cluster typically prevents formation or logs a version mismatch error, but the passive unit would not even join the cluster; the question states the passive unit is present but not synchronizing, so a missing or down heartbeat is more likely. Option C is wrong because the HA mode (active-active vs. active-passive) affects failover behavior and load sharing, not the synchronization mechanism itself; both modes use the heartbeat interface for sync, so changing the mode would not prevent sync if the heartbeat is functional. Option D is wrong because configuration synchronization in FortiGate HA is automatic and continuous via the heartbeat link; there is no manual trigger required from the active unit—if the heartbeat is up, sync happens automatically.

195
MCQhard

A FortiGate is configured with two equal-cost default routes to different ISPs. The administrator notices that traffic for a specific destination is load-balanced across both links as expected. However, they want all traffic from a specific source IP to use only ISP1, while other traffic remains load-balanced. Which configuration should be applied?

A.Increase the administrative distance of the ISP2 default route to 20
B.Create a policy route with source address set to the specific IP and set the gateway to ISP1
C.Configure SD-WAN rules to steer the traffic
D.Add a static host route for the specific source IP via ISP1
AnswerB

Policy routes match before the routing table and can steer traffic to a specific gateway.

Why this answer

Policy routing allows you to override the routing table for specific traffic based on criteria such as source IP. By creating a policy route that matches the specific source IP and sets the next-hop gateway to ISP1, you ensure that traffic from that source always uses ISP1, while all other traffic continues to be load-balanced across both equal-cost default routes. This is the most direct and flexible method for source-based path selection without altering the global routing behavior.

Exam trap

The trap here is that candidates often confuse policy routing with static routing or administrative distance changes, mistakenly thinking that modifying route preference or adding a host route for the source IP will achieve source-based forwarding, when in fact policy routing is the only method that allows traffic selection based on source IP without affecting other traffic.

How to eliminate wrong answers

Option A is wrong because increasing the administrative distance of the ISP2 default route to 20 would make it less preferred than the ISP1 route (default AD 10), causing all traffic to use ISP1 only, not just traffic from the specific source IP. Option C is wrong because SD-WAN rules are designed for advanced traffic steering and load balancing across multiple WAN links, but they require SD-WAN to be enabled and configured, which is an unnecessary complexity for this simple source-based policy requirement; a policy route is the standard and simpler solution. Option D is wrong because a static host route is used for a specific destination IP, not a source IP; adding a static host route for the source IP would be syntactically incorrect and would not achieve the desired behavior.

196
Multi-Selecthard

A FortiGate administrator is troubleshooting an IPsec VPN that is dropping traffic intermittently. The administrator runs 'diagnose vpn ike log' and sees many 'DPD' messages. Which THREE conditions could cause frequent DPD (Dead Peer Detection) retransmissions? (Choose three.)

Select 3 answers
A.High network latency causing DPD timeouts
B.The remote peer is rebooting or unstable
C.Mismatched IKE version
D.Incorrect Phase 2 proxy IDs
E.A firewall between the peers dropping UDP port 500 packets
AnswersA, B, E

Latency can cause DPD to time out.

Why this answer

DPD failures indicate the remote peer is not responding. Common causes: network congestion, a firewall blocking IKE packets, or the remote peer going down.

197
MCQeasy

In an active-active HA cluster, which of the following must be identical on both FortiGate units?

A.HA priority
B.Management IP address
C.Virtual cluster ID
D.Hostname
AnswerC

Correct; virtual cluster ID must match.

Why this answer

In an active-active HA cluster, the virtual cluster ID must be identical on both FortiGate units because it defines the cluster group and ensures that only units with the same ID can form an HA cluster. This ID is used in heartbeat packets to verify cluster membership and prevent accidental merging of separate clusters. Without a matching virtual cluster ID, the units will not recognize each other as part of the same HA group.

Exam trap

The trap here is that candidates often confuse 'must be identical' with configuration values that are typically synchronized (like priority or hostname), but the virtual cluster ID is the only parameter that must match before cluster formation can occur, while others can differ or are overwritten during synchronization.

How to eliminate wrong answers

Option A is wrong because HA priority determines the role (primary or secondary) within the cluster and can differ between units to establish a preferred leader; it does not need to be identical. Option B is wrong because the management IP address is a unique per-unit setting used for individual administrative access, and in an HA cluster, a separate virtual management IP (or floating IP) is used for cluster management, not the individual unit's management IP. Option D is wrong because the hostname is a local identifier for each FortiGate and can be different; it does not affect HA cluster formation or operation.

198
Multi-Selectmedium

An administrator wants to apply policy-based routing (PBR) to route traffic from a specific subnet through a different ISP. Which TWO elements must be configured?

Select 2 answers
A.A policy route object with source subnet and gateway
B.A static route with a higher distance
C.A firewall policy that matches the same traffic and allows it
D.An SD-WAN rule
E.A VIP to change the destination
AnswersA, C

The policy route defines the routing decision.

Why this answer

PBR uses policy routes that define a source and destination, and a gateway/interface. A policy route is created, and the traffic must be allowed by a firewall policy (maybe using the same criteria).

199
MCQmedium

An admin configures a firewall policy with a schedule object that restricts access to Monday to Friday from 9:00 to 17:00. A user attempts to connect on Saturday at 10:00. Which of the following best describes what happens?

A.The traffic is allowed because the schedule is only used for logging
B.The traffic is allowed because the schedule is optional
C.The FortiGate skips this policy and tries the next policy; if no match, implicit deny blocks the traffic
D.The traffic is denied because the schedule is not valid
AnswerC

Policy evaluation continues; if no policy matches, traffic is dropped by implicit deny.

Why this answer

If the schedule does not match the current time, the firewall policy is not evaluated for that traffic. The FortiGate continues to check subsequent policies. If no other policy matches, the implicit deny rule blocks the traffic.

200
MCQmedium

A FortiGate administrator observes that traffic from a specific subnet is being denied even though there is an allow policy for that subnet. The administrator checks the policy list and sees an explicit deny policy above the allow policy. What should the administrator do to allow the traffic?

A.Add a new policy with a higher ID
B.Move the allow policy above the deny policy
C.Disable the deny policy
D.Delete the deny policy
AnswerB

Changing order ensures the allow policy matches first.

Why this answer

Since policies are evaluated top-down, the deny policy above the allow policy will match first. The administrator should move the allow policy above the deny policy (or adjust the deny policy to exclude the subnet).

201
MCQmedium

An admin needs to allow traffic from a specific IP to a web server on port 8080. The web server is behind a VIP that forwards port 80 to port 8080. When configuring the security policy, which destination should be used?

A.The virtual IP address of the FortiGate
B.The real server IP address
C.The VIP object
D.Any destination, because the VIP translates automatically
AnswerC

Correct. The VIP object is the destination in the policy, and FortiGate will translate to the real server.

Why this answer

When using VIP, the security policy destination should reference the VIP object, not the real server IP. The VIP handles the translation of destination IP and port.

202
MCQeasy

What is the purpose of the heartbeat interface in a FortiGate HA cluster?

A.To exchange HA heartbeat messages for health monitoring
B.To synchronize session tables and configuration
C.To provide out-of-band management access
D.To forward user traffic between cluster members
AnswerA

Heartbeat interfaces detect peer status; loss of heartbeat triggers failover.

Why this answer

The heartbeat interface in a FortiGate HA cluster is dedicated to exchanging HA heartbeat messages between cluster members. These messages are used to monitor the health and availability of each unit, enabling failover detection and ensuring cluster stability. It does not handle session synchronization, management access, or user traffic forwarding.

Exam trap

The trap here is that candidates often confuse the heartbeat interface with the HA sync interface, assuming it handles session synchronization or configuration replication, when in fact it only performs health monitoring.

How to eliminate wrong answers

Option B is wrong because session table and configuration synchronization is performed over the dedicated HA sync interface, not the heartbeat interface. Option C is wrong because out-of-band management access is typically provided by a dedicated management interface or VLAN, not the heartbeat interface. Option D is wrong because forwarding user traffic between cluster members is the role of the cluster link or inter-chassis links, while the heartbeat interface only carries health-check messages.

203
MCQmedium

A FortiGate has multiple VDOMs. The administrator needs to allow traffic from VDOM A (port1) to VDOM B (port2). What type of firewall policy is required?

A.An inter-VDOM policy on the inter-VDOM link interface
B.A policy using a virtual wire pair
C.A regular intra-VDOM policy on VDOM A with destination interface port2
D.A policy on each VDOM with the same source/destination
AnswerA

Inter-VDOM link policies allow traffic between VDOMs.

Why this answer

An inter-VDOM link policy (or simply a policy between VDOMs) must be configured, often using a physical or logical inter-VDOM link. Option A correctly identifies the need for an inter-VDOM policy.

204
MCQhard

An administrator runs 'diagnose debug flow' for a specific policy and sees the following output:
id=20085 trace_id=10 func=vf_ip_route_in msg='No matching interface to route packet'
What does this indicate?

A.The packet is being blocked by a firewall policy
B.The source interface is down
C.The destination IP address has no matching route in the routing table
D.The session table is full
AnswerC

The message clearly states no matching interface to route the packet.

Why this answer

The trace indicates that FortiGate cannot find a route to forward the packet, meaning the destination is unreachable.

205
MCQhard

An administrator runs 'diagnose debug application ike -1' and sees the following output:
ike 0:come to x.x.x.x:500, IKEv1, cookie 123456789abcdef0
ike 0:incoming IKE packet: src y.y.y.y:500, dst x.x.x.x:500, len 456
ike 0:send IKE packet: src x.x.x.x:500, dst y.y.y.y:500, len 456
ike 0:phase 1 negotiation failed due to time out.
What is the likely cause?

A.The remote FortiGate's Phase 1 proposal does not match
B.A firewall rule is blocking UDP 500/4500 between the peers
C.The pre-shared key is incorrect
D.The local FortiGate's external interface is down
AnswerB

Timeout indicates no response from the remote peer, typical of a firewall blocking the IKE traffic.

Why this answer

The debug shows Phase 1 negotiation failing due to timeout. This typically indicates that the remote peer is not responding. The most common reason is that the remote firewall is not reachable due to a firewall rule blocking UDP 500 or 4500, or the remote peer is not configured.

206
MCQhard

An admin configures an IP Pool with type 'Overload' for outbound traffic from the 192.168.1.0/24 subnet. The pool uses a single public IP 203.0.113.10. After a few hours, users are unable to access external websites. The admin checks the session table and sees many sessions with the same public IP and different source ports. What is the most likely issue?

A.The session helper is misconfigured
B.The IP Pool has run out of available source ports
C.The IP Pool's public IP has been blacklisted by external websites
D.The firewall policy is not referencing the IP Pool
AnswerB

With overload NAT, a single IP can only support a limited number of simultaneous sessions due to port number exhaustion.

Why this answer

The IP Pool is configured with type 'Overload' (Port Address Translation), which maps multiple internal hosts to a single public IP by using unique source ports. With a single public IP (203.0.113.10), the maximum number of concurrent sessions is limited by the available source ports (approximately 65,535 per IP, minus reserved ports). Once all source ports are consumed, new outbound sessions cannot be established, causing users to lose access to external websites.

Exam trap

The trap here is that candidates may confuse 'Overload' with 'Static NAT' or think the issue is policy-related, but the key clue is the session table showing many sessions with the same public IP and different source ports, which directly points to source port exhaustion under PAT.

How to eliminate wrong answers

Option A is wrong because a misconfigured session helper would affect specific application-layer protocols (e.g., FTP, SIP) by failing to translate embedded IP addresses or ports, not cause a complete exhaustion of source ports for all outbound traffic. Option C is wrong because blacklisting by external websites would block traffic to specific destinations, not prevent new sessions from being created due to port exhaustion; the session table would still show active sessions with the same public IP. Option D is wrong because if the firewall policy were not referencing the IP Pool, no NAT would be applied, and sessions would use the egress interface's IP directly, not the pool's IP; the symptom of many sessions with the same public IP and different source ports indicates that the IP Pool is indeed being used.

207
MCQhard

An administrator configures a policy-based NAT rule to translate traffic from 10.0.0.0/8 to 203.0.113.1 using an IP Pool with overload. Later, they also enable Central SNAT for the same traffic. The traffic is not being NAT'd as expected. What is the MOST likely reason?

A.Both NAT methods are applied, causing double NAT
B.Central SNAT overrides policy-based NAT
C.The IP Pool used in policy-based NAT is also used in Central SNAT, causing a conflict
D.Policy-based NAT always overrides Central SNAT
AnswerB

When Central NAT is enabled, policy-based NAT rules are ignored for the matching traffic.

Why this answer

Central SNAT takes precedence over policy-based NAT when both are configured: once central NAT is enabled, the NAT settings inside the firewall policy are no longer applied. If the central SNAT rule is missing or incorrect, the traffic will not be translated as expected.

208
Multi-Selectmedium

An administrator needs to block users from uploading files containing credit card numbers to external websites. Which TWO actions must be configured? (Choose two.)

Select 2 answers
A.Apply an antivirus profile to the policy
B.Enable SSL deep inspection on the firewall policy
C.Create a DLP profile with a credit card number sensor set to block
D.Configure application control to block file transfer applications
E.Use a web filter to block all upload websites
AnswersB, C

To inspect HTTPS uploads, SSL deep inspection is required to decrypt traffic.

Why this answer

Option B is correct because SSL deep inspection is required to decrypt HTTPS traffic so the firewall can inspect the content of encrypted uploads for sensitive data like credit card numbers. Without decryption, the DLP profile cannot see the payload of encrypted sessions, rendering the DLP sensor ineffective. Option C is correct because the DLP profile with a credit card number sensor set to block is what actually detects the pattern in the upload and stops it; deep inspection only makes the payload visible.

Exam trap

The trap here is that candidates often forget that DLP requires SSL inspection to see the content of encrypted traffic, and mistakenly think a DLP profile alone is sufficient to block credit card numbers in HTTPS uploads.

209
Multi-Selectmedium

An administrator is configuring an active-passive HA pair. Which THREE of the following must be identical on both units for the cluster to form? (Choose three.)

Select 3 answers
A.HA priority
B.Hostname
C.HA password
D.Firmware version
E.Operation mode (NAT/Transparent)
AnswersC, D, E

Firmware version and operation mode must match, and so must the HA password if one is configured.

Why this answer

Operation mode, firmware version, and HA password (if set) must match. Priority can differ. Hostname is not required to match.

210
MCQmedium

A FortiGate has two policies for traffic from port1 to port3: Policy 1 (destination 10.0.1.0/24, schedule always, action accept) and Policy 2 (destination 10.0.2.0/24, schedule 'Weekdays', action accept). A packet destined to 10.0.2.10 arrives on Wednesday at 2 PM. Which policy is applied?

A.Policy 2 because it matches the destination and the schedule is active
B.Both policies are applied sequentially
C.Neither; the implicit deny applies
D.Policy 1 because it is listed first
AnswerA

Policy 2 matches all criteria and the schedule is valid, so it is the first (and only) match.

Why this answer

Policy 2 is applied because it matches the destination IP (10.0.2.10) and the schedule 'Weekdays' is active on Wednesday at 2 PM. FortiGate uses a first-match approach only when multiple policies have the same priority; here, Policy 1 does not match the destination, so Policy 2 is the only matching policy. Since the schedule is valid, the action 'accept' is executed.

Exam trap

The trap here is that candidates assume policy order alone determines matching (Option D), but they overlook that the destination must match first, and schedules must be active for the policy to be considered.

How to eliminate wrong answers

Option B is wrong because FortiGate does not apply multiple policies sequentially to a single session; it uses a first-match model where only the first matching policy is applied. Option C is wrong because the implicit deny only applies when no explicit policy matches the traffic, but Policy 2 matches and is active. Option D is wrong because Policy 1 does not match the destination (10.0.2.10 is not in 10.0.1.0/24), so it is not considered regardless of its order.

211
Multi-Selecthard

An administrator is configuring a FortiGate in transparent mode and needs to forward traffic between two VLANs. Which three configurations are required? (Choose three.)

Select 3 answers
A.Enable NAT on the policies to translate addresses between VLANs
B.Assign an IP address to each VLAN subinterface for management
C.Create VLAN subinterfaces on the physical interface for each VLAN
D.Create firewall policies to allow traffic between the VLANs
E.Configure static routes to route between VLANs
AnswersB, C, D

In transparent mode the FortiGate bridges traffic at Layer 2, so it must have a VLAN subinterface in each VLAN it forwards between, firewall policies between those subinterfaces, and IP addresses on the subinterfaces for management access and any Layer 3 inspection. NAT and static routes are not required, because forwarding between the VLANs happens at Layer 2.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge, so VLAN subinterfaces must be created on the physical interface to tag and separate traffic for each VLAN (Option C). An IP address must be assigned to each VLAN subinterface for management access (Option B), as the FortiGate does not route between VLANs at Layer 3 but still needs an IP to be reachable for administration. Firewall policies are required to control and allow traffic between VLANs (Option D), even in transparent mode, because the FortiGate applies security rules to Layer 2 forwarded frames.

Exam trap

The trap here is that candidates assume transparent mode requires routing or NAT for inter-VLAN communication, but FortiGate in transparent mode bridges VLANs at Layer 2, relying on an external router for Layer 3 forwarding.

212
MCQhard

A FortiGate in a hub-and-spoke VPN topology is configured with a single IPsec tunnel to each spoke. The hub has a route-based VPN with a tunnel interface for each spoke. After a reboot, traffic between spoke A and spoke B fails, although each spoke can reach the hub. What is the likely cause?

A.The hub is missing static routes to the spoke networks via the respective tunnel interfaces
B.The firewall policies on the hub do not allow traffic between the spoke networks
C.The spokes have mismatched IKE versions
D.The hub's IPsec Phase1 is not configured for DPD
AnswerA

Route-based VPNs require explicit routes; without them, traffic cannot be forwarded between spokes.

Why this answer

In route-based VPNs, routes determine traffic flow. After a reboot, the hub may lose routes to the remote spoke networks unless they are statically configured or learned via dynamic routing. Option A is correct because static routes are needed on the hub to direct inter-spoke traffic through the appropriate tunnel interfaces.

213
MCQhard

A security engineer is designing an application control policy for a corporate network. The goal is to allow Microsoft Teams for business use but block personal use of other collaboration apps like Zoom and Slack. The engineer configures an application control profile with a rule to 'monitor' Microsoft Teams and 'block' Zoom and Slack. However, users report that Zoom is still working. What is the most likely reason?

A.Application control profiles can only have one rule.
B.There is an implicit allow rule or a higher-priority rule that allows Zoom before the block rule is evaluated.
C.The 'monitor' rule for Teams overrides the 'block' rule for Zoom.
D.Application control uses port-based inspection and Zoom uses a non-standard port.
AnswerB

If a rule allows all traffic or a broad category, it may match Zoom before the specific block rule.

Why this answer

Option B is correct because FortiGate application control policies are evaluated in order, and the first matching rule is applied. If a higher-priority rule (or an implicit allow rule) permits Zoom traffic before the block rule is reached, Zoom will be allowed. The engineer likely placed the block rule after an allow rule or the default implicit allow policy is permitting Zoom traffic.

Exam trap

The trap here is that candidates often assume a block rule will always take effect regardless of rule order, forgetting that FortiGate processes policies sequentially and a preceding allow rule will override a later block rule.

How to eliminate wrong answers

Option A is wrong because application control profiles can contain multiple rules, each with different actions and conditions. Option C is wrong because a 'monitor' rule for Teams does not override a 'block' rule for Zoom; each application is evaluated independently based on its own rule. Option D is wrong because application control uses signature-based inspection (not port-based) to identify applications, and Zoom uses standard HTTPS ports (443) which are still subject to application-level inspection.

214
MCQmedium

A FortiGate administrator wants to send logs to a FortiAnalyzer. The FortiAnalyzer IP is 192.168.1.100, and logging is configured under Log & Report. However, no logs are being received. Which command should the administrator use on the FortiGate to verify connectivity to the FortiAnalyzer?

A.diagnose log device status
B.execute ping 192.168.1.100
C.show full-configuration log fortianalyzer
D.get system ha status
AnswerA

This command shows the status of log devices, including connection state and last log time.

Why this answer

Option A is correct because the 'diagnose log device status' command specifically checks the connectivity status and last-acknowledged sequence number between the FortiGate and the configured FortiAnalyzer. This command verifies whether the FortiGate can reach the FortiAnalyzer at the logging protocol level (FGFM), which is essential for log transmission, unlike a basic ICMP ping that only tests network-layer reachability.

Exam trap

The trap here is that candidates assume a successful ping (Option B) proves log connectivity, but the NSE4 exam tests the distinction between network-layer reachability and application-layer log protocol status, making the diagnostic command the only correct verification method.

How to eliminate wrong answers

Option B is wrong because 'execute ping 192.168.1.100' only tests basic ICMP reachability at the network layer; it does not verify that the FortiAnalyzer is accepting logs or that the FGFM (FortiGate-to-FortiAnalyzer) tunnel is established. Option C is wrong because 'show full-configuration log fortianalyzer' displays the current logging configuration (e.g., IP, encryption settings) but does not test live connectivity or the status of the log transmission channel. Option D is wrong because 'get system ha status' shows High Availability cluster state and has no relevance to FortiAnalyzer connectivity or log forwarding.

215
Multi-Selectmedium

Which TWO actions can cause SSL inspection to fail with certificate errors on client browsers? (Choose two.)

Select 2 answers
A.The FortiGate's CA certificate has expired.
B.The firewall policy allows the traffic.
C.The web server's certificate is signed by a public CA.
D.The client browser has the FortiGate CA certificate installed.
E.The FortiGate's generated server certificate does not match the requested domain name.
AnswersA, E

Expired CA certs cause trust errors.

Why this answer

Option A is correct because the FortiGate acts as a certificate authority (CA) for SSL inspection. If the FortiGate's CA certificate has expired, any server certificate it generates and signs for intercepted HTTPS sessions will be considered invalid by client browsers. Browsers will display a certificate error because the signing CA (the FortiGate) is no longer trusted due to expiration, even if the client has the CA certificate installed. Option E is correct because a browser checks that the presented certificate's subject or subject alternative name matches the hostname it requested; a generated certificate that does not match is rejected with a name-mismatch error regardless of which CA signed it.

Exam trap

The trap here is that candidates often assume a public CA-signed server certificate is always trusted during inspection, forgetting that the FortiGate re-signs the certificate with its own CA, so the browser only sees the FortiGate's CA certificate and the generated server certificate, not the original public CA certificate.

216
MCQhard

An administrator needs to configure a FortiGate to send logs to two different syslog servers for redundancy. Which configuration method should be used?

A.Under 'config log syslogd setting', set 'status enable' and then add multiple servers using 'set server <ip1> <ip2>'.
B.Configure two separate log settings for each server.
C.Configure one syslog server and use a load balancer.
D.Use a FortiAnalyzer to forward logs to syslog servers.
AnswerA

Multiple servers can be added in a space-separated list.

Why this answer

Option A is correct because FortiGate's syslog configuration allows you to specify multiple syslog servers in a single 'config log syslogd setting' block by using the 'set server' command with a space-separated list of IP addresses. This enables redundant log delivery without requiring separate configuration blocks or external devices. The FortiGate will attempt to send logs to the first server; if it fails, it automatically fails over to the next server in the list.

Exam trap

The trap here is that candidates mistakenly think they need to create separate syslog configuration blocks (Option B) or use external devices (Option C), when FortiGate's native 'set server' command with multiple IPs provides built-in redundancy without additional configuration complexity.

How to eliminate wrong answers

Option B is wrong because FortiGate does not support configuring two separate 'log syslogd setting' blocks; you can only have one syslogd setting per VDOM, and attempting to create a second would overwrite the first. Option C is wrong because using an external load balancer introduces unnecessary complexity and a single point of failure, whereas FortiGate natively supports multiple syslog servers for redundancy without additional hardware. Option D is wrong because FortiAnalyzer is a log management and analysis tool, not a syslog forwarder; while it can forward logs to syslog servers, this adds an extra hop and is not the direct, native method for sending logs to two syslog servers from the FortiGate itself.

217
MCQmedium

After enabling SSL inspection, a user receives a warning 'The certificate is not trusted' in the browser. The administrator has installed the CA certificate on the client. What else could be the cause?

A.The firewall policy denies the traffic.
B.The CA certificate is not added to the browser's trusted root store.
C.The FortiGate is not decrypting the traffic.
D.The web server's certificate has expired.
AnswerB

The CA must be trusted by the browser.

Why this answer

Even though the administrator installed the CA certificate on the client, the browser uses its own trusted root store, which is separate from the operating system's certificate store. If the CA certificate is not specifically added to the browser's trusted root store (e.g., Chrome uses the system store but Firefox maintains its own), the browser will still flag the certificate as untrusted. This is a common misconfiguration when deploying SSL inspection with FortiGate.

Exam trap

The trap here is that candidates assume installing the CA certificate on the client OS is sufficient for all browsers, but browsers like Firefox maintain their own certificate trust store, and even Chrome on some platforms may require the certificate to be in the correct store (e.g., the 'Trusted Root Certification Authorities' store) for the warning to disappear.

How to eliminate wrong answers

Option A is wrong because a firewall policy denying traffic would block the connection entirely, not generate a certificate trust warning in the browser. Option C is wrong because if FortiGate were not decrypting the traffic, the browser would receive the original web server certificate, which would be trusted (assuming it is a valid public CA), so no untrusted warning would appear. Option D is wrong because an expired web server certificate would cause a different error (e.g., 'expired certificate'), not specifically 'The certificate is not trusted' — and the FortiGate's re-signed certificate would be the one presented to the client, not the original server certificate.

218
MCQhard

An organization wants to authenticate VPN users using an LDAP server. They configure an LDAP server object and a user group. However, users are unable to authenticate. The administrator checks the logs and sees 'authentication failed' errors. What is the most common misconfiguration?

A.The user group is not configured with the correct members
B.The LDAP server uses SSL/TLS but the FortiGate is not configured for it
C.The LDAP server bind DN or password is incorrect
D.The LDAP server is not reachable from the FortiGate
AnswerC

Incorrect bind credentials prevent the FortiGate from querying the directory.

Why this answer

The most common misconfiguration when LDAP authentication fails is an incorrect bind DN or password. The FortiGate uses the bind DN to authenticate to the LDAP server before it can search for users; if these credentials are wrong, the LDAP server rejects the bind request, resulting in an 'authentication failed' log entry. This error occurs even before user credentials are checked, making it a frequent root cause.

Exam trap

The trap here is that candidates assume 'authentication failed' refers to the VPN user's credentials, but it actually indicates the LDAP server rejected the FortiGate's bind request due to incorrect bind DN or password.

How to eliminate wrong answers

Option A is wrong because the user group membership affects authorization (which users are allowed), not the initial LDAP bind authentication; the 'authentication failed' error occurs at the bind stage, not after a successful user lookup. Option B is wrong because if the LDAP server uses SSL/TLS but FortiGate is not configured for it, the error would typically be a connection timeout or TLS handshake failure, not a generic 'authentication failed' message. Option D is wrong because if the LDAP server were unreachable, the log would show a connection error or timeout, not an 'authentication failed' error, which indicates the server was reached but rejected the bind.

219
Multi-Selectmedium

An organization uses LDAP authentication for firewall policies. Users complain that they are frequently prompted for credentials. Which TWO settings can reduce the frequency of authentication prompts?

Select 2 answers
A.Increase the authentication timeout on the firewall policy.
B.Increase the idle timeout on the LDAP server.
C.Enable single sign-on (SSO) authentication method.
D.Disable captive portal on the interface.
E.Use a longer password for LDAP accounts.
AnswersA, C

This extends how long a user's authentication is valid.

Why this answer

To reduce re-authentication prompts, increase the authentication timeout (Option A) so that users remain authenticated longer, and enable single sign-on (SSO) (Option C) so that once authenticated, they are not prompted again for other services.

220
Multi-Selectmedium

An administrator is troubleshooting an IPsec VPN tunnel that is not establishing. The Phase 1 status shows 'down'. Which TWO commands can help diagnose the issue? (Choose TWO.)

Select 2 answers
A.diagnose npu np6 ipsec-sa list
B.diagnose sys session clear
C.diagnose debug application ike -1
D.diagnose vpn tunnel list
E.diagnose vpn ike log-filter
AnswersC, E

Enables IKE debugging at the highest level.

Why this answer

The command 'diagnose vpn ike log-filter' restricts IKE debug output to a specific peer, and 'diagnose debug application ike -1' enables detailed IKE debug output. Together they are the standard first step for troubleshooting IPsec Phase 1 failures.

221
MCQmedium

A FortiGate administrator needs to send logs to an external FortiAnalyzer for centralized monitoring. Which log configuration step is required?

A.Configure syslog server
B.Add the FortiAnalyzer as a logging device in System > FortiAnalyzer
C.Enable FortiCloud logging
D.Enable disk logging on the FortiGate
AnswerB

FortiAnalyzer is configured under System > FortiAnalyzer to enable log forwarding.

Why this answer

To send logs from a FortiGate to an external FortiAnalyzer for centralized monitoring, the administrator must add the FortiAnalyzer as a logging device under System > FortiAnalyzer. This step establishes the secure, authenticated connection (typically using FortiGate's proprietary protocol over TCP/514 or TCP/3000) and enables log forwarding to the FortiAnalyzer. Without this configuration, the FortiGate will not send logs to the FortiAnalyzer, even if other logging methods are enabled.

Exam trap

The trap here is that candidates often confuse the FortiAnalyzer configuration with a generic syslog server setup, assuming any external logging destination works the same way, but FortiAnalyzer requires a specific device registration and protocol that differs from standard syslog.

How to eliminate wrong answers

Option A is wrong because configuring a syslog server sends logs in standard syslog format (RFC 3164/5424) to a generic syslog collector, not to a FortiAnalyzer, which uses a proprietary protocol for enhanced features like log correlation and reporting. Option C is wrong because enabling FortiCloud logging sends logs to FortiGate Cloud, not to an on-premises FortiAnalyzer, and is a separate service requiring a different subscription. Option D is wrong because enabling disk logging on the FortiGate stores logs locally on the FortiGate's hard disk or SSD, which does not forward logs to an external FortiAnalyzer; it only retains logs for local viewing and troubleshooting.

222
MCQeasy

An administrator is creating firewall policies for a FortiGate that separates the internal network (10.0.1.0/24) from a DMZ (192.168.1.0/24). The goal is to allow HTTP traffic from the internal network to the DMZ web server (192.168.1.10) but deny all other traffic. What is the recommended security posture for the implicit deny policy?

A.Set the allow policy to also deny all other traffic using security profiles
B.Disable the implicit deny policy and create a catch-all deny policy
C.Create an explicit deny policy with logging enabled before the allow policy
D.Rely on the implicit deny policy at the end of the policy list, which will block all traffic not explicitly allowed
AnswerD

Implicit deny provides a default-deny posture, which aligns with least privilege.

Why this answer

The implicit deny policy is a default, hidden policy at the end of the FortiGate policy list that denies all traffic not explicitly allowed by preceding policies. Since the administrator wants to allow only HTTP traffic from internal to the DMZ web server and deny all other traffic, relying on the implicit deny is the correct and recommended security posture. It automatically blocks everything else without requiring manual configuration, ensuring no unintended traffic is permitted.

Exam trap

The trap here is that candidates may think they need to create an explicit deny policy with logging to block unwanted traffic, not realizing that the implicit deny already performs this function and that placing a deny policy before the allow policy would break the intended traffic flow.

How to eliminate wrong answers

Option A is wrong because setting the allow policy to also deny all other traffic using security profiles is not a valid approach; security profiles inspect allowed traffic but do not deny traffic that is not explicitly permitted. Option B is wrong because disabling the implicit deny policy and creating a catch-all deny policy is unnecessary and introduces risk; the implicit deny already provides the same functionality without manual intervention. Option C is wrong because creating an explicit deny policy with logging enabled before the allow policy would block all traffic, including the desired HTTP traffic, since FortiGate processes policies in sequential order from top to bottom.

223
MCQhard

An administrator configured SSL inspection with 'deep-inspection' profile. Users report that some websites fail to load with certificate errors. The firewall policy is correct. What is the most likely reason?

A.The CA certificate has expired.
B.The web server uses a cipher that the FortiGate cannot re-encrypt.
C.The user's browser is outdated.
D.The firewall needs a policy to allow DNS traffic.
AnswerB

Some ciphers may not be supported for re-encryption, causing errors.

Why this answer

When deep-inspection is used, the FortiGate decrypts the client-to-server traffic, inspects the content, and then re-encrypts it before forwarding to the client. If the web server uses a cipher suite that the FortiGate does not support for re-encryption (e.g., an obsolete or non-standard cipher), the FortiGate cannot complete the SSL handshake with the client, causing certificate errors or connection failures. This is the most likely reason because the firewall policy is correct and the CA certificate is valid.

Exam trap

The trap here is that candidates often assume certificate errors are always due to an expired CA certificate, but the question specifies that only some websites fail, which points to a cipher mismatch during re-encryption rather than a global CA issue.

How to eliminate wrong answers

Option A is wrong because if the CA certificate had expired, the FortiGate would not be able to generate valid signed certificates for any inspected site, causing all deep-inspection sessions to fail, not just some websites. Option C is wrong because an outdated browser might cause compatibility issues with modern ciphers, but the error described is a certificate error specifically from the FortiGate's re-encryption process, not a browser-side cipher mismatch. Option D is wrong because DNS traffic is typically allowed by default in the implicit allow policy or a separate DNS policy; a missing DNS policy would prevent name resolution entirely, not cause certificate errors on specific websites.

224
MCQeasy

Which command is used to display the current FortiGate firmware version?

A.get system statistics
B.get hardware status
C.get system status
D.get system performance status
AnswerC

Displays firmware version and other system info.

Why this answer

The 'get system status' command is the correct way to display the current FortiGate firmware version. This command outputs a comprehensive summary of the system state, including the firmware version (e.g., FortiOS v7.4.0), the system uptime, serial number, and HA status. It is the standard CLI command for verifying the exact build and patch level of the FortiGate.

Exam trap

The trap here is that candidates often confuse 'get system status' with 'get system statistics' because both commands start with 'get system', but only 'get system status' provides the firmware version, while 'get system statistics' focuses on performance counters.

How to eliminate wrong answers

Option A is wrong because 'get system statistics' displays real-time traffic statistics such as CPU and memory usage, session counts, and packet rates, not the firmware version. Option B is wrong because 'get hardware status' shows hardware-related information like chassis temperature, fan speed, and power supply status, not the firmware version. Option D is wrong because 'get system performance status' provides a snapshot of system performance metrics (e.g., CPU load, memory utilization, disk usage) but does not include the firmware version.

225
MCQmedium

An administrator configures a firewall policy allowing traffic from the internal network to the internet with NAT enabled. Users report that some outbound connections fail intermittently. The administrator runs 'diagnose sys session list' and sees many sessions in 'proto_state=01' with a short TTL. What is the most likely cause?

A.The firewall policy has the wrong source interface
B.The destination port is blocked by an implicit deny rule
C.The antivirus profile is blocking the connections
D.The IP pool used for SNAT has exhausted its address range
AnswerD

Why this answer

The 'diagnose sys session list' output showing many sessions in 'proto_state=01' with a short TTL indicates that sessions are failing to establish properly. When the IP pool used for Source NAT (SNAT) exhausts its address range, new outbound connections cannot obtain a translated source IP, causing them to fail intermittently. This matches the symptom of intermittent failures as the pool becomes temporarily depleted.

Exam trap

The trap here is that candidates may misinterpret 'proto_state=01' as a protocol or state machine error, rather than recognizing it as a symptom of NAT resource exhaustion, leading them to incorrectly select options related to policy misconfiguration or security profiles.

How to eliminate wrong answers

Option A is wrong because a wrong source interface would cause all traffic to fail consistently, not intermittently, and the session list would show no matching policy hits rather than specific proto_state values. Option B is wrong because an implicit deny rule would block traffic entirely, not intermittently, and would not produce sessions with a short TTL in the session table. Option C is wrong because an antivirus profile blocking connections would typically show specific virus detection logs or content inspection failures, not a proto_state=01 indicating a NAT resource exhaustion issue.
