Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 226–300

1000 questions total · 14 pages · All types, answers revealed

Page 4 of 14

226 · MCQ · medium

An administrator needs to ensure that a firewall policy applies only during business hours (Monday to Friday, 9:00 AM to 6:00 PM). What object should be configured and applied to the policy?

A. Service group
B. Address group
C. Schedule object
D. Traffic shaper
Answer: C

Schedule objects define when a policy is active.

Why this answer

A schedule object in FortiGate defines time-based conditions (e.g., recurring weekly windows like Monday–Friday 09:00–18:00) that can be applied directly to a firewall policy. When a schedule is attached, the policy is enforced only during the specified time range, making it the correct object for restricting policy activation to business hours.

Exam trap

The trap here is that candidates confuse a schedule object with a service group or traffic shaper, mistakenly thinking time-based access can be achieved via port grouping or QoS policies, whereas FortiGate explicitly requires a schedule object for time-of-day policy enforcement.

How to eliminate wrong answers

Option A is wrong because a service group is used to group multiple protocol/port definitions (e.g., TCP/80, TCP/443) for service matching, not for time-based enforcement. Option B is wrong because an address group aggregates IP addresses or FQDN objects for source/destination matching, not for controlling when a policy is active. Option D is wrong because a traffic shaper controls bandwidth allocation and QoS (e.g., guaranteed/maximum bandwidth), not the temporal activation of a firewall policy.

227 · MCQ · medium

An administrator configures an application control profile to block 'BitTorrent'. Users are still able to download files using BitTorrent. The administrator has enabled deep inspection and the policy is set to proxy-based. What is the most likely reason the application is not being blocked?

A. BitTorrent uses randomized ports that bypass application control
B. The application control profile is not applied to the correct policy
C. The application signatures are out of date
D. The policy is set to flow-based instead of proxy-based
Answer: C

Outdated signatures may not detect newer versions of BitTorrent. The FortiGate must have up-to-date application control signatures to identify the latest applications.

Why this answer

Application control uses application signatures to identify traffic. If the signatures are not up to date, new versions of BitTorrent may not be recognized. Also, if the traffic is encrypted and uses non-standard ports, application control may not detect it if the signatures are not comprehensive.

228 · Multi-Select · hard

A FortiGate is configured in an HA cluster with two units. The cluster is working, but the administrator wants to ensure that configuration changes made on the primary unit are automatically synchronized to the secondary unit. Which two conditions must be met? (Choose TWO.)

Select 2 answers
A. The HA configuration must be properly set with a valid group ID and password
B. Both units must have the same firmware version and license
C. The heartbeat interface must be operational and configured correctly
D. The HA cluster must be configured with a virtual MAC address
E. VDOM mode must be enabled on both units
Answers: A, C

A valid HA configuration is necessary for cluster formation and synchronization.

Why this answer

Option A is correct because the HA group ID and password are essential for the cluster to identify and authenticate members. Without a matching group ID and password, the secondary unit will not accept configuration synchronization from the primary, as these parameters ensure that only authorized units participate in the cluster and receive configuration updates.

Exam trap

The trap here is that candidates often assume firmware and license matching (Option B) is required for config sync, but FortiGate HA only requires the same firmware version for cluster formation, not for the sync process itself, and licenses do not affect synchronization.

229 · MCQ · easy

An administrator wants to allow remote users to access internal resources using a web browser without installing any client software. Which VPN type should be configured on the FortiGate?

A. ZTNA access proxy
B. IPsec VPN with dial-up mode
C. SSL VPN tunnel mode
D. SSL VPN web mode
Answer: D

Web mode allows browser-based access to internal web resources without client software.

Why this answer

SSL VPN web mode allows users to access web-based internal resources through a web portal without any client installation. Tunnel mode requires installation of FortiClient.

230 · MCQ · medium

An administrator configures a Virtual IP (VIP) to map the public IP 203.0.113.10 port 8080 to the internal server 192.168.1.100 port 80. External users report they cannot connect. The firewall policy allows inbound traffic to the VIP. What is the MOST likely missing configuration?

A. The destination in the firewall policy is set to the public IP directly instead of the VIP object
B. The VIP is configured with port forwarding disabled
C. The server's default gateway is not set to the FortiGate
D. The source NAT is not configured
Answer: A

Using the raw public IP bypasses the VIP translation. The policy must reference the VIP object.

Why this answer

When a Virtual IP (VIP) is configured, the firewall policy must reference the VIP object as the destination, not the public IP address directly. If the policy uses the public IP (203.0.113.10) as the destination, the FortiGate will not perform the destination NAT translation to the internal server (192.168.1.100). The VIP object contains the mapping logic, so the policy must point to that object for the translation to occur.

Exam trap

The trap here is that candidates assume the firewall policy should use the public IP as the destination, not realizing that the VIP object must be referenced in the policy for the NAT translation to be applied.

How to eliminate wrong answers

Option B is wrong because port forwarding is implicitly enabled when you define a VIP with a specific port mapping (8080 to 80); there is no separate 'port forwarding disabled' toggle that would block this. Option C is wrong because the server's default gateway does not need to be the FortiGate for inbound connections; return traffic can be routed via the FortiGate if the VIP uses source NAT (central NAT) or if the server's gateway points to the FortiGate, but this is not the most likely missing configuration for inbound connectivity failure. Option D is wrong because source NAT is not required for inbound VIP traffic; the VIP handles destination NAT, and source NAT (e.g., for return traffic) is a separate configuration that is not essential for initial inbound connections.

231 · MCQ · hard

A FortiGate administrator has configured an active-passive HA cluster. After a failover event, the former primary unit comes back online and immediately takes over as primary again, causing another failover. The administrator wants the original primary to stay in standby until the current primary fails. Which setting should be configured?

A. Enable HA override on both units
B. Set the HA mode to active-active
C. Disable HA override on both units
D. Increase the HA priority on the primary unit
Answer: C

Disabling override prevents a unit from preempting the current primary when it comes back online.

Why this answer

HA override (set ha-override enable) causes a device to resume primary role when it becomes available with higher priority. Disabling override prevents this preemptive behavior.

232 · Multi-Select · hard

A FortiGate administrator is troubleshooting an IPsec VPN that fails to establish. The Phase 1 status shows 'init' and then resets. The administrator runs 'diagnose debug application ike -1' and sees the message 'no acceptable proposal'. Which TWO parameters are MOST likely mismatched?

Select 2 answers
A. Pre-shared key
B. Phase 2 local and remote networks
C. IKE version (IKEv1 vs IKEv2)
D. Encryption algorithm (e.g., AES256 vs AES128)
E. Diffie-Hellman group (e.g., group 14 vs group 2)
Answers: D, E

Mismatched encryption algorithms cause proposal mismatch.

Why this answer

The 'no acceptable proposal' error in Phase 1 indicates that the local and remote peers cannot agree on a set of parameters. The encryption algorithm and Diffie-Hellman group are common mismatched parameters.

233 · MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A. The session is fully established and has been active for 3600 seconds.
B. The session is in SYN_SENT state and might be stuck due to no response from the server.
C. The session has been idle for 3599 seconds and will expire soon.
D. The session is in FIN_WAIT state and is being closed.
Answer: B

State 01 means SYN_SENT; a long duration indicates the three-way handshake is not completing.

Why this answer

The session state '01' indicates TCP SYN_SENT, meaning the session is still in the handshake phase. The duration is 3600 seconds, which is unusually long for a TCP handshake, suggesting the session is stuck or the server is not responding.

234 · MCQ · easy

What is the purpose of the 'safe search' option in a FortiGate web filter profile?

A. It enforces Google SafeSearch, Bing SafeSearch, and YouTube Restricted Mode on supported search engines.
B. It logs all search queries made by users.
C. It blocks access to all search engines except Google.
D. It redirects search queries to a secure HTTPS connection.
Answer: A

Safe search forces the search engine to filter explicit content from search results.

Why this answer

Option A is correct. Safe search enforces content filtering on supported search engines like Google, Bing, and YouTube to block explicit results.

235 · Multi-Select · easy

A FortiGate administrator needs to block all traffic from a specific IP address (10.0.0.100) to the internet, but allow all other internal users. The administrator has created a firewall policy with source=10.0.0.100, destination=all, service=all, action=DENY, and placed it at the top of the policy list. Which TWO additional steps should the administrator take to ensure the block is effective? (Choose two.)

Select 2 answers
A. Enable the policy
B. Configure an IP Pool for the deny policy
C. Add a schedule to the policy for business hours
D. Ensure no other policy above this one allows traffic from 10.0.0.100
E. Set the action to ACCEPT
Answers: A, D

Policies are disabled by default; an enabled policy is required for it to take effect.

Why this answer

Option A is correct because a newly created firewall policy in FortiGate is disabled by default. The administrator must explicitly enable the policy for it to be enforced. While it remains disabled, the deny rule will not process traffic, leaving the block ineffective.

Exam trap

The trap here is that candidates often forget that new policies are disabled by default, and they may overlook the importance of policy order when a deny rule is placed at the top but a previous ACCEPT rule exists for the same source.

236 · MCQ · medium

A company uses deep SSL inspection to filter traffic. Users report that some HTTPS sites are not loading. The administrator checks the FortiGate and sees that the certificate for the sites is not trusted on the client machines. What is the most likely cause?

A. The FortiGate's CA certificate is not installed in the Trusted Root Certification Authorities store on the clients.
B. The FortiGate is using a self-signed certificate for the SSL inspection policy.
C. The SSL inspection policy is set to 'no-inspection' for the affected sites.
D. The FortiGate's web filter profile is blocking the certificate.
Answer: A

Without the CA certificate, the browser cannot verify the inspection certificate.

Why this answer

When deep SSL inspection is enabled, the FortiGate acts as a man-in-the-middle by decrypting HTTPS traffic using a local CA certificate. For clients to trust the decrypted connections, the FortiGate's CA certificate must be installed in the Trusted Root Certification Authorities store on each client machine. If it is missing, the browser will display a certificate trust error and may block the site, causing the reported loading failures.

Exam trap

The trap here is that candidates may confuse the FortiGate's self-signed certificate used for its own web interface with the CA certificate required for deep inspection, or assume that 'no-inspection' would cause loading failures rather than bypassing inspection entirely.

How to eliminate wrong answers

Option A is correct because the root cause is the missing CA certificate on clients. Option B is wrong because a self-signed certificate in the SSL inspection policy is used for the FortiGate's own management interface or for certificate re-signing, but the core issue is the CA certificate not being trusted by clients, not the type of certificate used in the policy. Option C is wrong because setting the policy to 'no-inspection' would bypass SSL inspection entirely, allowing HTTPS sites to load normally without certificate errors. Option D is wrong because a web filter profile blocks URLs or categories based on policy, not certificates; certificate trust is handled by the SSL inspection configuration, not the web filter.

237 · MCQ · medium

An administrator has configured an active-passive HA cluster. During a failover test, the standby unit becomes active but existing user sessions are lost, requiring users to re-establish connections. Which configuration change would prevent this behavior?

A. Lower HA priority on the primary
B. Enable session pickup
C. Set HA override to enabled
D. Increase the heartbeat interval
Answer: B

Session pickup is a FortiOS HA feature that synchronizes sessions to the standby unit for stateful failover.

Why this answer

Session synchronization (session sync) replicates active sessions to the standby unit so that sessions survive a failover.

238 · MCQ · easy

Which FortiGate operating mode is used when the device acts as a Layer 2 bridge without performing NAT?

A. HA mode
B. Transparent mode
C. VPN mode
D. NAT/Route mode
Answer: B

Transparent mode acts as a Layer 2 bridge.

Why this answer

Transparent mode (Option B) is correct because in this mode the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses without performing any NAT or routing. The device is invisible to the network, and all interfaces share the same IP subnet, allowing it to inspect and filter traffic at the application layer while remaining transparent to connected devices.

Exam trap

The trap here is that candidates often confuse Transparent mode with NAT/Route mode, assuming that a firewall must always route or perform NAT, when in fact Transparent mode allows Layer 2 inspection without altering the IP path.

How to eliminate wrong answers

Option A is wrong because HA mode (High Availability) is a clustering configuration for redundancy and failover, not an operating mode that determines Layer 2 bridging or NAT behavior. Option C is wrong because VPN mode is not a standard FortiGate operating mode; VPNs are configured as features within either NAT/Route or Transparent mode. Option D is wrong because NAT/Route mode operates at Layer 3, performing routing and NAT by default, which contradicts the requirement of acting as a Layer 2 bridge without NAT.

239 · MCQ · hard

A FortiGate administrator is troubleshooting an issue where users cannot access a legitimate website that is categorized as 'Pornography' by FortiGuard. The web filter profile is configured to block that category. The administrator wants to allow access for a specific user group without modifying the global web filter profile. What is the BEST approach?

A. Change the FortiGuard category rating for the website to 'Unrated'
B. Create a separate firewall policy for that user group with a web filter profile that allows the category
C. Create a URL filter exemption for the website in the same web filter profile
D. Disable web filtering for that website in the global settings
Answer: B

Why this answer

Using a separate firewall policy with a different web filter profile allows granular control for specific user groups. URL filter exemption would apply to all users using that profile, not just the specific group.

240 · MCQ · medium

You run the following CLI commands on a FortiGate:

# diagnose debug flow filter saddr 192.168.1.10
# diagnose debug flow show function enable
# diagnose debug enable

You then initiate a ping from 192.168.1.10 to 8.8.8.8. The output shows 'no matching policy'. What does this indicate?

A. The traffic is being NAT'd but not logged
B. The debug filter is incorrectly configured
C. There is a routing issue preventing the traffic
D. The traffic is dropped by the implicit deny rule
Answer: D

Since no policy matches, the implicit deny at the end drops the traffic.

Why this answer

The 'no matching policy' message indicates that the traffic did not match any firewall policy, likely because there is no policy allowing the traffic from that source to the destination.

241 · MCQ · medium

A FortiGate admin configures a captive portal for guest users on a wireless network. Users can connect to the SSID but cannot access the internet. The admin verifies the firewall policy permits traffic from the captive portal interface to the internet. What is missing?

A. The firewall policy must have 'Enable Captive Portal' selected
B. A DNS server must be configured on the FortiGate
C. The users must be added to the local user database
D. The wireless controller must be configured with a RADIUS server
Answer: A

Without enabling captive portal on the policy, the portal page will not be presented.

Why this answer

Captive portal requires that the firewall policy has authentication enabled or the captive portal feature enabled under the policy's security features. A common issue is that the policy does not have 'Enable Captive Portal' checked.

242 · MCQ · easy

An administrator wants to capture HTTP traffic on port1 for troubleshooting. Which CLI command should be used?

A. diagnose debug flow
B. execute sniffer packet
C. diagnose sys session filter
D. diagnose sniffer packet port1 'tcp port 80'
Answer: D

This is the correct command to capture HTTP traffic on interface port1.

Why this answer

The 'diagnose sniffer packet' command is used to capture packets in FortiGate CLI.

243 · MCQ · hard

You execute 'get firewall policy 5' and see the following output:

policyid=5 name="test" status=enable schedule="always" logtraffic=all

What does 'logtraffic=all' mean?

A. Only the first packet of each session will be logged
B. Only traffic that triggers a security profile will be logged
C. Only traffic that is denied by the policy will be logged
D. All traffic matching the policy will be logged, regardless of action
Answer: D

'logtraffic=all' logs both permitted and denied sessions.

Why this answer

Option D is correct because 'logtraffic=all' in FortiGate firewall policy configuration means that every packet belonging to a session matching this policy will be logged, regardless of whether the action is accept or deny. This is distinct from other log settings like 'logtraffic=utm' or 'logtraffic=disable', and it ensures full audit trail for all traffic handled by the policy.

Exam trap

The trap here is that candidates often confuse 'logtraffic=all' with 'logtraffic=session-start' or think it only logs denied traffic, but FortiGate's granular log options require precise understanding of each keyword's behavior.

How to eliminate wrong answers

Option A is wrong because logging only the first packet of each session is the behavior of 'logtraffic=session-start', not 'logtraffic=all'. Option B is wrong because logging only traffic that triggers a security profile is the behavior of 'logtraffic=utm' (UTM-based logging), not 'logtraffic=all'. Option C is wrong because logging only denied traffic is the behavior of 'logtraffic=deny', not 'logtraffic=all'.

244 · MCQ · hard

An administrator configures a dial-up IPsec VPN using IKEv2 with certificates. Remote users can connect, but traffic is not routed through the tunnel. The Phase 1 status shows 'up', but Phase 2 shows 'down'. What is the most likely issue?

A. The firewall policy for the VPN traffic is missing.
B. The Phase 2 proposals do not match between the FortiGate and the client.
C. The pre-shared key for Phase 2 is incorrect.
D. The remote user's client does not support IKEv2.
Answer: B

IKEv2 Phase 2 requires matching proposals; otherwise, it fails.

Why this answer

IKEv2 requires a valid proposal match for Phase 2. If the Phase 2 parameters (encryption, authentication, etc.) do not match between the peer and the FortiGate, Phase 2 fails. Also, with IKEv2, the tunnel mode and proxy IDs must be correctly configured.

245 · Drag & Drop · medium

Drag and drop the steps to configure SSL VPN on FortiGate into the correct order.


Why this order

SSL VPN requires user group, portal, settings, firewall policy, and enabling the service.

246 · MCQ · hard

Refer to the exhibit. An administrator configures the policies as shown. Traffic from 10.0.0.0/8 to the internet on HTTP is denied. What is the most likely reason?

A. The Allow-HTTP policy uses service HTTP but the traffic uses HTTPS
B. The Deny-All policy is placed above the Allow-HTTP policy
C. The Allow-HTTP policy has the wrong source interface
D. The Allow-HTTP policy is disabled
Answer: B

Policy ID 0 has a lower sequence number and therefore matches first.

Why this answer

In FortiGate firewall policies, the first matching policy is applied to traffic. The Deny-All policy is placed above the Allow-HTTP policy, so traffic from 10.0.0.0/8 to the internet on HTTP matches the Deny-All policy first and is denied before reaching the Allow-HTTP policy. This is a classic policy ordering issue.

Exam trap

The trap here is that candidates often assume policies are evaluated based on a 'most specific match' logic rather than the actual sequential order, leading them to overlook the policy placement as the root cause.

How to eliminate wrong answers

Option A is wrong because the question states traffic uses HTTP, not HTTPS, so the service mismatch is not the reason. Option C is wrong because the source interface is not specified as incorrect in the exhibit; the issue is policy order, not interface mismatch. Option D is wrong because the Allow-HTTP policy is not disabled; it is simply never evaluated due to the higher priority of the Deny-All policy.

247 · MCQ · medium

An administrator configures an antivirus profile in proxy-based inspection mode on a FortiGate. However, SMTP traffic is not being scanned for viruses. The firewall policy includes the antivirus profile and the FortiGate has a valid FortiGuard subscription. What is the most likely cause?

A. Flow-based inspection is required for SMTP scanning
B. The SMTP protocol is not enabled in the proxy options of the security profile
C. The FortiGate does not have a valid SSL certificate for SMTP inspection
D. The antivirus profile is configured to scan only HTTP traffic
Answer: B

Proxy-based inspection requires explicit protocol enablement. If SMTP is not enabled in the proxy options, the traffic is not inspected.

Why this answer

In proxy-based inspection, the FortiGate acts as a proxy for the protocol. If SMTP inspection is not enabled in the proxy options, the traffic bypasses scanning.

248 · MCQ · easy

A network administrator needs to allow SSH access to the FortiGate from a management subnet 10.0.1.0/24. Which configuration step is required on the interface connected to that subnet?

A. Enable HTTPS administrative access only
B. Set the administrative access to 'any'
C. Enable SSH administrative access on the interface
D. Configure a firewall policy allowing SSH from the subnet
Answer: C

SSH must be enabled on the interface for SSH connections to be accepted.

Why this answer

Option C is correct because to allow SSH access to the FortiGate from a specific subnet, you must enable SSH administrative access on the interface connected to that subnet. This setting controls which management protocols are permitted to reach the FortiGate itself at the interface level, independent of firewall policies. Without enabling SSH on the interface, the FortiGate will drop SSH packets at Layer 3 before any policy lookup occurs.

Exam trap

The trap here is that candidates often assume a firewall policy is sufficient to allow management traffic, forgetting that administrative access must be explicitly enabled on the interface for protocols like SSH, HTTPS, or Telnet.

How to eliminate wrong answers

Option A is wrong because enabling only HTTPS administrative access would allow HTTPS but not SSH; SSH requires its own administrative access toggle on the interface. Option B is wrong because there is no 'any' administrative access setting; administrative access is configured per protocol (e.g., HTTPS, SSH, PING) and cannot be set to a wildcard value. Option D is wrong because a firewall policy allowing SSH from the subnet is not sufficient; the interface-level administrative access must first permit SSH management traffic, otherwise the FortiGate discards the packets before they reach the firewall engine.

249 · MCQ · medium

A FortiGate administrator runs the following commands and sees this output:

diagnose sys session filter dport 443
diagnose sys session list
...
proto=6 proto_state=01 duration=3600 expire=3599

What does this output indicate about the session?

A. The session has expired
B. The session is being blocked by a firewall policy
C. The session is an active TCP connection that has been established for 1 hour
D. The session is using UDP
Answer: C

duration=3600 seconds = 1 hour, and expire shows remaining time.

Why this answer

The session is TCP (proto=6); state 01 means TCP SYN sent; duration=3600 seconds indicates it has been up for 1 hour; expire=3599 means it will expire in about 3599 seconds (almost 1 hour from now). Option C is correct.

250 · MCQ · hard

A FortiGate administrator is setting up an HA cluster with two FortiGates. The heartbeat interfaces are connected via a dedicated switch. The administrator wants to ensure that the management IP is always accessible through the active unit. Which configuration is required?

A. Configure 'set management-ip' under the HA interface configuration
B. Configure a virtual IP address for the management interface
C. Set the management IP on each unit separately
D. Use the same IP address on both units
Answer: A

This assigns a floating management IP that follows the active unit.

Why this answer

Option A is correct. In HA, the management interface IP must be configured on the HA interface or as a dedicated management interface. Setting 'set management-ip' on the HA interface ensures the management IP is always on the active unit.

251 · MCQ · easy

A company wants to block all peer-to-peer file sharing applications on the network. Which FortiGate feature should be used to achieve this goal?

A. Application Control
B. Web Filter
C. DNS Filter
D. Intrusion Prevention System (IPS)
Answer: A

Application control identifies and manages application traffic based on signatures.

Why this answer

Application Control is the correct feature because it is specifically designed to identify and block peer-to-peer (P2P) file-sharing applications by inspecting traffic patterns and signatures, regardless of the port or protocol used. Unlike port-based blocking, Application Control uses deep packet inspection (DPI) to recognize P2P protocols such as BitTorrent, eDonkey, and Gnutella, even when they attempt to evade detection by using non-standard ports or encryption.

Exam trap

The trap here is that candidates often confuse Application Control with IPS, assuming that IPS can block any unwanted traffic, but IPS focuses on threats and exploits, not on enforcing acceptable use policies for specific applications like P2P file sharing.

How to eliminate wrong answers

Option B (Web Filter) is wrong because it controls access to URLs and web content categories, not the application-layer protocols used by P2P file-sharing software. Option C (DNS Filter) is wrong because it blocks or redirects DNS queries to specific domains, but P2P applications often use hardcoded IP addresses or peer discovery mechanisms that bypass DNS entirely. Option D (Intrusion Prevention System) is wrong because IPS is designed to detect and block network-based attacks and vulnerabilities, not to enforce application usage policies like blocking P2P file sharing.

252 · MCQ · medium

A FortiGate administrator wants to integrate the FortiGate with a FortiAnalyzer for centralized logging. Which configuration step is required on the FortiGate?

A. Create a firewall policy allowing traffic from FortiAnalyzer to the FortiGate
B. Configure a syslog server pointing to the FortiAnalyzer IP
C. Enable 'Send Logs to FortiAnalyzer' under Log Settings and specify the FortiAnalyzer IP
D. Configure an SNMP community on the FortiAnalyzer
Answer: C

This is the correct method to integrate with FortiAnalyzer.

Why this answer

Option C is correct because FortiGate integrates natively with FortiAnalyzer via the 'Send Logs to FortiAnalyzer' setting under Log Settings. This uses FortiGate's proprietary logging protocol (not syslog) to securely forward logs to the FortiAnalyzer IP, enabling centralized log management and analysis without additional firewall policies for inbound traffic.

Exam trap

The trap here is that candidates confuse native FortiAnalyzer logging with syslog, selecting Option B because they assume all log forwarding uses syslog, but FortiGate uses a proprietary protocol for FortiAnalyzer integration.

How to eliminate wrong answers

Option A is wrong because FortiGate initiates outbound log connections to FortiAnalyzer, so no inbound firewall policy is required; the traffic flows from FortiGate to FortiAnalyzer, not the reverse. Option B is wrong because FortiAnalyzer integration uses FortiGate's native FortiAnalyzer logging protocol, not syslog; configuring a syslog server would send logs in syslog format, which FortiAnalyzer can receive but is not the required step for native integration. Option D is wrong because SNMP is used for monitoring and traps, not for centralized logging; FortiAnalyzer does not require an SNMP community for log reception.

253 · MCQ · hard

During a security audit, an administrator finds that an IPS sensor configured with a 'block' action for a critical vulnerability signature is not blocking the associated traffic. The traffic matches the signature, but the action appears as 'pass' in the logs. The IPS sensor is applied to a firewall policy that also has application control enabled. What is the most likely cause?

A. Application control profile is set to 'allow' for the application associated with the traffic, overriding the IPS block action.
B. The IPS engine is bypassed because the traffic matches a fast-path rule.
C. The IPS sensor is not enabled in the firewall policy.
D. The IPS sensor is configured with 'monitor' action instead of 'block'.
Answer: A

Application control can override IPS if it allows the application, as it is evaluated after IPS in the policy flow.

Why this answer

When an IPS sensor with a 'block' action logs 'pass' for matching traffic, it indicates that another security profile is overriding the IPS action. In FortiOS, if an application control profile is set to 'allow' for the application, it can bypass the IPS block because application control processing occurs before IPS inspection. The traffic is permitted by the application control profile, so the IPS engine does not enforce the block action, resulting in a 'pass' log entry.

Exam trap

The trap here is that candidates assume IPS block actions are absolute and independent of other security profiles, but FortiOS applies profiles in a strict sequence where application control can override IPS actions, causing the 'pass' log entry even when the signature matches.

How to eliminate wrong answers

Option B is wrong because fast-path rules are used for traffic that matches session helpers or specific protocols to accelerate processing, but they do not cause IPS to log 'pass' when a block action is configured; fast-path bypasses inspection entirely, not just the block action. Option C is wrong because if the IPS sensor were not enabled in the firewall policy, the traffic would not be inspected by IPS at all, and the log would not show an IPS action of 'pass'—it would simply not appear in IPS logs. Option D is wrong because if the IPS sensor were configured with 'monitor' action, the logs would show 'monitor' or 'detect', not 'pass'; 'pass' specifically indicates the traffic was allowed through, not that the action was changed to monitoring.

254
Multi-Selectmedium

A FortiGate admin wants to implement ZTNA to secure access to an internal application. Which TWO components are required for a basic ZTNA configuration?

Select 2 answers
A.A FortiClient EMS server
B.An IPsec VPN tunnel to the client
C.A ZTNA rule (policy) that specifies access conditions
D.A ZTNA application gateway
E.A static route to the application server
AnswersC, D

The rule defines who can access the application.

Why this answer

ZTNA requires a ZTNA rule (policy) that defines access criteria and a proxy policy that intercepts and forwards traffic to the internal application.

255
MCQmedium

A FortiGate receives log messages with severity 'warning'. What is the log severity level number for 'warning' according to FortiGate's log severity levels?

A.3
B.6
C.4
D.5
AnswerC

Warning is severity level 4.

Why this answer

FortiGate severity levels: Emergency=0, Alert=1, Critical=2, Error=3, Warning=4, Notification=5, Information=6, Debug=7.

256
Multi-Selectmedium

An administrator needs to block access to a specific website using FQDN address objects. Which TWO steps are necessary?

Select 2 answers
A.Create an FQDN address object for the website
B.Add a firewall policy with destination set to the FQDN object and action DENY
C.Create a wildcard FQDN address object
D.Configure a DNS filter to block the FQDN
E.Create a VIP for the website
AnswersA, B

The FQDN object resolves to IP addresses.

Why this answer

To block by FQDN, you create an address object with the FQDN, then use it in a firewall policy with action DENY.

257
MCQmedium

A FortiGate administrator is setting up a dial-up IPsec VPN for remote employees. Each employee uses a FortiClient. Which authentication method should be used to allow individual user identities?

A.Pre-shared key (PSK) for each user
B.Certificate-based authentication using local or CA-issued certificates
C.IKEv2 with EAP
D.Aggressive mode with PSK
AnswerB

Certificates provide unique identity per user and are scalable.

Why this answer

Dial-up VPNs typically use X.509 certificates for device authentication, but for individual user identity, user-based authentication (like LDAP or RADIUS) is common. However, the question asks for a method that provides individual identities; using a pre-shared key per user is impractical. Certificate authentication is scalable and provides strong identity.

258
MCQeasy

What is the primary purpose of configuring a loopback interface on a FortiGate?

A.To provide a stable IP address for management and routing protocols
B.To aggregate bandwidth from multiple physical interfaces
C.To enable NAT for internal networks
D.To increase the number of available physical ports
AnswerA

Loopback interfaces are always up and provide a consistent IP for management and routing.

Why this answer

A loopback interface on a FortiGate is a virtual interface that is always up, independent of physical link states. It provides a stable and reachable IP address for management access (e.g., HTTPS, SSH) and for routing protocols like OSPF or BGP to use as the router ID or source interface, ensuring consistent connectivity even if physical interfaces fail.

Exam trap

The trap here is that candidates often confuse a loopback interface with a physical interface used for link aggregation or NAT, not realizing its primary role is to provide a stable, always-up logical endpoint for management and routing protocol stability.

How to eliminate wrong answers

Option B is wrong because aggregating bandwidth from multiple physical interfaces is achieved through link aggregation (LACP or static aggregation), not a loopback interface. Option C is wrong because NAT for internal networks is configured using policies and IP pools, not by creating a loopback interface. Option D is wrong because a loopback interface is virtual and does not increase the number of physical ports; it only provides a logical addressing endpoint.

259
MCQmedium

A FortiGate admin creates a new firewall policy with source address object 'Internal_Net' and destination 'All'. After saving, traffic from 'Internal_Net' is not matching the new policy but instead matches an older policy with a broader source. What is the MOST likely cause?

A.The source address object 'Internal_Net' has an incorrect subnet mask
B.The new policy is placed below the older policy in the policy list
C.The new policy is disabled
D.Traffic shaping is applied to the new policy and is interfering
AnswerB

Policy lookup is sequential from top to bottom. If a broader policy is above, traffic matches it first.

Why this answer

FortiGate evaluates policies from top to bottom. The new policy must be placed above the broader policy to be matched first. By default, new policies are added at the bottom.

260
MCQmedium

A FortiGate is configured to use a DNS filter profile to block access to malicious domains. However, users can still reach a known malicious domain. The DNS filter profile is applied to the firewall policy. Which step should the admin take FIRST to troubleshoot?

A.Enable DNS inspection logging to see if the domain is being flagged
B.Check if the FortiGuard DNS filter database is up to date
C.Verify that the domain is in the FortiGuard DNS category list
D.Check if DNS traffic is matching the correct firewall policy
AnswerD

If DNS traffic is going through a different policy without the DNS filter, it won't be filtered.

Why this answer

Option D is correct. The admin should verify that DNS traffic (port 53) is matching the firewall policy with the DNS filter applied. If DNS queries bypass the policy (e.g., they are allowed by a different policy), the DNS filter will not be applied.

261
MCQmedium

A FortiGate administrator wants to synchronize the system time with an external NTP server. Which CLI command should be used to configure the NTP server?

A.execute date
B.diagnose ntp status
C.config system ntp
D.config system global
AnswerC

This enters NTP configuration mode to add servers.

Why this answer

Option C is correct because the `config system ntp` command enters the NTP configuration context in FortiOS, where you can specify NTP servers, authentication, and synchronization settings. This is the standard CLI path for configuring NTP on FortiGate devices, as opposed to other commands that only display status or set the date manually.

Exam trap

The trap here is that candidates confuse `config system ntp` with `config system global` because both are under the `config system` hierarchy, but NTP configuration has its own dedicated subcommand and is not a global setting.

How to eliminate wrong answers

Option A is wrong because `execute date` is used to manually set the system date and time, not to configure an NTP server for automatic synchronization. Option B is wrong because `diagnose ntp status` is a diagnostic command that shows the current NTP synchronization status, not a configuration command. Option D is wrong because `config system global` is used for global system settings like hostname and admin password, not for NTP server configuration.

262
MCQmedium

An administrator configures an LDAP user group for firewall authentication. Users are able to authenticate, but the FortiGate does not retrieve group membership information. What is likely misconfigured?

A.The LDAP server's IP address is incorrect
B.SSL is not enabled for LDAP
C.The LDAP bind account does not have permission to read group attributes
D.The FortiGate is not joined to the domain
AnswerC

Group membership retrieval requires read access to group objects.

Why this answer

The LDAP server must be configured with the correct bind credentials and search filter to retrieve group memberships. The 'cn' or 'member' attribute mapping is also critical.

263
MCQmedium

An administrator configures an SSL VPN portal with web mode and split tunneling enabled. Remote users can access internal web applications but cannot reach the internet through the VPN. What needs to be checked?

A.The remote user's browser does not support SSL VPN.
B.The firewall policy allowing internet traffic from the SSL VPN interface is missing or incorrect.
C.The split tunneling setting is disabled.
D.The SSL VPN portal is configured in web mode only; tunnel mode is required for internet access.
AnswerB

Even with split tunneling, internet traffic goes out through the FortiGate's WAN; a policy must allow this.

Why this answer

Split tunneling allows internet-bound traffic to bypass the VPN. If users cannot reach the internet, it could be because the split tunneling exclusion list includes internet destinations, or the DNS resolution is not working. However, the most common cause is that the firewall policy for internet traffic is missing or blocking.

264
MCQmedium

A FortiGate is configured to integrate with FortiSandbox for advanced threat detection. The antivirus profile is set to send files to FortiSandbox when a virus is detected. What action does FortiGate take on the file while it is being analyzed by FortiSandbox?

A.Quarantines the file on the FortiGate
B.Blocks the file until a verdict is received from FortiSandbox
C.Immediately blocks the file and logs the event
D.Allows the file to pass through and logs the event
AnswerB

When using FortiSandbox integration, the administrator can configure the action to 'block' while the file is being analyzed.

Why this answer

Option D is correct. While FortiSandbox analyzes a file, the default action is to 'monitor' or 'allow' the file to pass through temporarily, but the FortiGate can also be configured to block the file until a verdict is received. Typically, the configuration includes 'quarantine' or 'block' options.

The most common behavior is to allow the file with monitoring, but many administrators block. The question is ambiguous; however, based on standard FortiGate behavior, the action is usually 'monitor' unless specified. But the answer should be 'block until verdict' if configured.

Given the options, D is the most accurate.

265
MCQmedium

An administrator wants to synchronize the FortiGate's time with a reliable NTP server. After configuring the NTP server, they notice the time is still incorrect. What could be the issue?

A.The FortiGate does not have a firewall policy allowing NTP traffic from the FortiGate itself
B.The NTP server is not reachable due to a missing route
C.The FortiGate does not support NTP
D.The NTP server is not configured correctly
AnswerA

Traffic from the FortiGate to the NTP server must be allowed by a policy.

Why this answer

By default, FortiGate does not allow traffic sourced from its own IP addresses, including NTP queries, to pass through its interfaces unless an explicit firewall policy permits it. Even if the NTP server is reachable via routing, the FortiGate's own NTP client traffic is subject to the same policy enforcement as any other traffic. Therefore, a firewall policy must be created with the source set to the FortiGate's interface IP and the destination set to the NTP server to allow NTP (UDP port 123) traffic outbound.

Exam trap

The trap here is that candidates assume NTP traffic is automatically allowed for management purposes, but FortiGate treats all traffic, including its own, as subject to firewall policies, so a missing explicit policy is a common oversight.

How to eliminate wrong answers

Option B is wrong because a missing route would cause the NTP server to be unreachable, but the question states the administrator configured the NTP server and noticed the time is still incorrect, implying the server is reachable at the network layer; the issue is policy-based, not routing. Option C is wrong because FortiGate fully supports NTP (RFC 1305) for time synchronization, and this is a standard feature in FortiOS. Option D is wrong because the NTP server configuration (IP address or hostname) may be correct, but without a firewall policy to permit the outbound NTP traffic from the FortiGate itself, the synchronization will fail regardless of server correctness.

266
MCQhard

A FortiGate in an active-active HA cluster is experiencing asymmetric routing. The administrator runs 'diagnose debug flow' on a packet from a client to a server. The flow trace shows the packet is allowed by policy, but the response is dropped. What is the most likely cause?

A.The TTL of the packet is too low
B.The HA mode should be changed to active-passive
C.The policy on the secondary unit has a different schedule
D.The session synchronization is not enabled between cluster members
AnswerD

Session sync ensures all cluster members share session state, preventing drops due to asymmetric routing.

Why this answer

In active-active HA, asymmetric routing can cause session state issues because each unit may see only one direction of traffic. Without session synchronization and strict session pickup, the unit receiving the response may not have the session and drops it.

267
MCQeasy

An admin wants to block all traffic from the internet to a specific internal server except for the IP address 203.0.113.50. Which firewall policy configuration achieves this using the principle of least privilege?

A.Configure a VIP with restricted source
B.Use a local-in policy to block the server IP
C.Create a deny policy from internet to server with any source, then an allow policy from source 203.0.113.50 to the server above it
D.Create a single allow policy from source 203.0.113.50 to the server and rely on implicit deny for all other traffic
AnswerC

This ensures only the specific IP is allowed, and everything else is denied by the explicit deny policy.

Why this answer

The principle of least privilege dictates blocking all first (implicit deny is last, so explicit deny needed) then allowing only required traffic. Option A does that.

268
MCQmedium

A FortiGate admin configures a VIP to map 203.0.113.10:80 to 10.0.1.10:8080. However, when external users connect to http://203.0.113.10, they receive a connection timeout. The firewall policy allows the traffic. What is the most likely cause?

A.The VIP is configured on the wrong interface
B.The source NAT is not configured
C.The firewall policy's destination is set to the real server IP (10.0.1.10) instead of the VIP object
D.The internal server is not listening on port 8080
AnswerC

The policy must use the VIP as the destination address for the destination NAT to work correctly. If it uses the real server IP, the traffic bypasses the VIP translation.

Why this answer

The most likely cause is that the destination port in the policy is not set to the mapped port (8080) or the VIP is not properly associated. The policy must reference the VIP as the destination address, and if the policy uses the original port 80 instead of the mapped port, it might not match correctly. But the typical issue is that the policy needs to have the VIP as the destination address, not the real server IP.

Alternatively, the VIP configuration might be missing the port mapping. Option A is common: the policy destination is set to the real server IP instead of the VIP object.

269
MCQmedium

An admin runs 'diagnose sys session filter saddr 10.0.1.10' and 'diagnose sys session list' to check sessions from a specific internal host. The output shows multiple sessions with destination IP 203.0.113.50 using source port 12345. The admin then checks the firewall policy and sees that the policy uses an IP pool for source NAT. What does the source port 12345 indicate?

A.The IP pool is configured for one-to-one NAT (no port translation)
B.The IP pool is using port range 12345-12345
C.This is the translated source port after PAT
D.The internal host's original source port is 12345
AnswerC

In PAT, the source port is modified to a unique number to differentiate sessions sharing the same public IP.

Why this answer

When using IP pool with overload (PAT), the FortiGate will perform port translation. The source port in the session list is the translated port (the port number after NAT). The original source port (from the internal host) is not shown in the session list; the output shows the post-NAT source port.

270
Multi-Selectmedium

An administrator is configuring a new FortiGate and wants to ensure it can be managed centrally via FortiManager. Which TWO steps are required?

Select 2 answers
A.Enable HTTPS access on the management interface.
B.Configure SNMP community for FortiManager to poll.
C.Enable FortiManager on the interface used for management.
D.Set the FortiManager IP address under 'config system central-management'.
E.Create a firewall policy allowing FortiManager access from the management subnet.
AnswersC, D

Why this answer

Option C is correct because FortiGate requires the 'FortiManager' feature to be explicitly enabled on the management interface to allow FortiManager to establish a connection. Option D is correct because the FortiManager IP address must be set under 'config system central-management' to define the central management server. Without these two steps, FortiManager cannot discover or manage the FortiGate.

Exam trap

The trap here is that candidates often think a firewall policy is needed for FortiManager traffic, but FortiManager uses an outbound-initiated FGFM tunnel that bypasses normal firewall policies, making option E a common distractor.

271
MCQmedium

A FortiGate is configured as a hub in a hub-and-spoke IPsec VPN. The spokes are remote branches. The hub has a Phase 2 selector set to 0.0.0.0/0 for both local and remote subnets. What is the advantage of this configuration?

A.It reduces the number of IPsec SAs needed
B.It simplifies configuration by not needing specific subnet definitions per spoke
C.It allows direct spoke-to-spoke communication without passing through the hub
D.It enables dynamic routing protocols over the VPN
AnswerB

Using 0.0.0.0/0 in Phase 2 means the hub will accept any subnet from the spoke, eliminating the need to update selectors when spoke subnets change.

Why this answer

Setting Phase 2 selectors to 0.0.0.0/0 allows the hub to accept any subnet from the spokes, simplifying configuration when spokes have different subnets. However, traffic between spokes must route through the hub.

272
MCQhard

A company has two FortiGate 100F units in an active-passive HA cluster with firmware version 7.2.5. The cluster is configured with session pickup and all interfaces are monitored. The network consists of three VLANs: VLAN10 (Users), VLAN20 (Servers), and VLAN30 (DMZ). The cluster is connected to two ISPs: ISP1 (port1) and ISP2 (port2). The internal network uses a single aggregated link (port3 and port4) as a LAG to the core switch. One day, the primary FortiGate experiences a hardware failure and the secondary takes over. After the primary is replaced and rejoins the cluster, the administrator notices that traffic passing through the cluster is intermittently dropping for a few seconds every minute. The administrator checks the cluster status and sees that the new primary (previously secondary) is in 'primary' state and the old primary (newly replaced) is in 'secondary' state. What is the most likely cause of the intermittent traffic drops?

A.The LAG configuration on the new FortiGate does not match the active cluster configuration.
B.Session pickup is not enabled on the new FortiGate.
C.The HA cluster is in split-brain state.
D.The heartbeat interface is configured on the LAG, causing HA instability.
AnswerA

Correct; mismatched LAG configuration can cause interface instability and traffic drops.

Why this answer

The most likely cause is that the LAG configuration on the newly replaced FortiGate does not match the active cluster configuration. In an HA cluster, all LAG member interfaces (port3 and port4) must have identical settings—including LACP mode, speed, duplex, and VLAN membership—on both units. When the secondary FortiGate became primary and the replaced unit rejoined as secondary, any mismatch in the LAG configuration would cause the cluster to continuously renegotiate or flap the aggregated link, leading to intermittent traffic drops every few seconds as the HA cluster attempts to synchronize and stabilize the interface state.

Exam trap

The trap here is that candidates often attribute intermittent traffic drops to session pickup or split-brain issues, but the key clue is the periodic nature of the drops (every minute), which points to a configuration mismatch on the aggregated link rather than a session synchronization or HA state problem.

How to eliminate wrong answers

Option B is wrong because session pickup is a feature that synchronizes existing sessions between HA members to prevent traffic loss during failover; it does not cause intermittent drops after the cluster is stable, and it is already enabled on the cluster per the scenario. Option C is wrong because a split-brain state would cause both units to claim primary status and actively forward traffic, leading to duplicate packets and network loops, not intermittent drops every minute, and the cluster status shows one primary and one secondary. Option D is wrong because the heartbeat interface is typically a dedicated interface (e.g., port5 or a separate management port) and is not configured on the LAG; even if it were, HA instability would manifest as constant failovers or loss of heartbeat, not as periodic traffic drops of a few seconds every minute.

273
MCQmedium

An administrator needs to allow VoIP traffic from a remote branch (192.168.2.0/24) to the main office (10.0.0.0/8) using UDP ports 5060 and 10000-20000. What is the most efficient way to define the service in the firewall policy?

A.Create a service group containing both service objects
B.Use a custom service object with port range 5060-20000
C.Create two separate firewall policies, one for each port range
D.Use the predefined 'VoIP' service object
AnswerA

Why this answer

Option A is correct because creating a service group allows you to combine two separate service objects (one for UDP 5060 and one for UDP 10000-20000) into a single logical group, which can then be applied in one firewall policy. This is the most efficient method as it avoids duplicating policies or using an overly broad port range, and it leverages FortiGate's service group feature for clean, manageable rule sets.

Exam trap

The trap here is that candidates often assume a single port range (5060-20000) is acceptable for efficiency, overlooking the security risk of opening unnecessary ports, or they mistakenly rely on the predefined 'VoIP' service object without verifying its exact port definitions.

How to eliminate wrong answers

Option B is wrong because using a single custom service object with port range 5060-20000 would incorrectly include ports 5061-9999, which are not required for VoIP traffic and could introduce security risks by allowing unintended traffic. Option C is wrong because creating two separate firewall policies for each port range is inefficient and increases administrative overhead; it also violates the principle of least complexity in firewall design. Option D is wrong because the predefined 'VoIP' service object in FortiGate typically includes a broader set of ports and protocols (e.g., SIP over TCP, RTP over UDP) that may not match the exact requirement of UDP ports 5060 and 10000-20000, potentially allowing unwanted traffic or missing necessary ports.

274
MCQeasy

What is the purpose of a 'realm' in FortiGate SSL VPN configuration?

A.To enable two-factor authentication.
B.To specify the authentication server for the VPN.
C.To create distinct portals with separate authentication and access policies.
D.To define the encryption algorithm for SSL VPN.
AnswerC

Realms provide multiple virtual SSL VPN portals.

Why this answer

A realm allows splitting the SSL VPN portal into multiple virtual portals, each with different authentication settings, landing pages, and access rights. This is useful when serving different user groups (e.g., employees vs. partners) on the same FortiGate.

275
Multi-Selectmedium

A FortiGate administrator is configuring a firewall policy to allow inbound HTTPS traffic from the internet to an internal web server. The web server has a private IP address 10.0.0.10. The administrator wants to translate the destination IP to the internal server using a Virtual IP (VIP). Which TWO of the following must be configured for the VIP to work correctly? (Choose two.)

Select 2 answers
A.An IP Pool must be configured for the web server's return traffic
B.The VIP must have port forwarding enabled with the external and internal ports set to 443
C.The VIP must have the external IP set to a public IP address assigned to the FortiGate's WAN interface
D.The firewall policy must use the VIP as the destination address object
E.The firewall policy must have NAT enabled
AnswersC, D

The external IP is the destination IP that inbound traffic hits; it must be an IP on the FortiGate's incoming interface.

Why this answer

A VIP requires mapping an external IP/port to an internal IP/port. The firewall policy must reference the VIP as the destination and use the VIP's mapped port if different from the incoming port. The VIP must have the correct external IP (the FortiGate's public IP) and internal IP (10.0.0.10).

Option C is unnecessary if the external and internal ports are the same (443->443). Option E is for source NAT, not destination NAT.

276
MCQeasy

Refer to the exhibit. A network administrator configured an IPsec VPN between the main office and a branch office. Remote users at the branch office report that they cannot access resources in the main office. The tunnel status shows up on both sides. What is the most likely cause of the connectivity issue?

A.The phase1 keylife is longer than the phase2 keylife, causing rekey issues.
B.The 'set net-device disable' prevents the tunnel from being used for routing.
C.The phase2 configuration does not specify the local and remote subnets to protect.
D.The phase2 proposal does not match the phase1 proposal.
AnswerC

Without 'set src-addr-type' and 'set dst-addr-type', the tunnel does not know which traffic to encrypt.

Why this answer

Option C is correct because the phase2 configuration in an IPsec VPN must explicitly define the local and remote subnets (proxy IDs) that the tunnel is meant to protect. Without these subnets, the IPsec security associations (SAs) cannot be established for the actual traffic, even if the tunnel status shows as up (phase1 is complete). The tunnel status only indicates that IKE phase1 negotiation succeeded, but without phase2 proxy IDs, no traffic will be encrypted or routed through the tunnel, causing connectivity failures.

Exam trap

The trap here is that candidates assume a tunnel status of 'up' means the VPN is fully functional, but in reality, phase1 success alone does not guarantee that phase2 has been negotiated with the correct proxy IDs, and traffic will still fail without proper subnet definitions.

How to eliminate wrong answers

Option A is wrong because phase1 keylife being longer than phase2 keylife is not inherently problematic; phase2 keylife is typically shorter and rekey events are independent, so this does not prevent traffic flow. Option B is wrong because 'set net-device disable' is a FortiGate command that disables the virtual IPsec interface, which would prevent the tunnel from being used for routing, but the exhibit (not shown) does not indicate this command is present, and the tunnel status shows up, which would not be possible if net-device were disabled. Option D is wrong because phase2 proposals do not need to match phase1 proposals; phase1 and phase2 are separate negotiation phases with different parameters (encryption, authentication, DH groups) and mismatches between them do not cause phase2 to fail as long as each phase's proposals are consistent within themselves.

277
MCQeasy

A junior admin is creating firewall policies and wants to ensure that all traffic not explicitly permitted is denied. Which FortiGate mechanism provides this behavior by default?

A.The security profile group
B.The default route
C.The last explicit deny policy in the policy list
D.The implicit deny rule
AnswerD

The implicit deny is automatically applied to all traffic not matching an explicit policy.

Why this answer

The implicit deny rule is a default, hidden policy at the end of the FortiGate firewall policy list that denies all traffic not explicitly permitted by any user-created policy. This behavior is inherent to the FortiGate operating system and ensures a default-deny posture without requiring manual configuration. It is always present and cannot be deleted or moved, providing a safety net that blocks any unmatched traffic.

Exam trap

The trap here is that candidates may think the last explicit deny policy (Option C) is the default mechanism, but FortiGate's implicit deny rule is always present and active by default, whereas an explicit deny policy must be manually added and is not a default behavior.

How to eliminate wrong answers

Option A is wrong because a security profile group is a collection of security profiles (e.g., antivirus, web filter) applied to a firewall policy, not a mechanism that denies traffic by default. Option B is wrong because the default route controls where traffic is forwarded, not whether it is permitted or denied; it does not enforce access control. Option C is wrong because while an explicit deny policy can be added to the policy list, it is not present by default; the implicit deny rule is the built-in mechanism that denies all unmatched traffic without requiring any explicit policy.

278
Multi-Selectmedium

An administrator is configuring a dial-up IPsec VPN for remote users. Which TWO settings are required on the FortiGate for the dial-up server? (Choose two.)

Select 2 answers
A.Set 'mode-cfg' to enable on Phase 1
B.Set 'peer type' to 'any' on Phase 1
C.Set 'aggressive mode' on Phase 1
D.Set 'auto-negotiate' to enable on Phase 2
E.Set 'pfs' to enable on Phase 2
AnswersA, B

Mode-config is used to assign IP addresses to clients.

Why this answer

A dial-up server must have a Phase 1 configuration that allows multiple peers (mode-cfg or aggressive mode) and a Phase 2 that uses 0.0.0.0/0 or dynamic selectors. Additionally, an IP pool is often used to assign addresses.

279
MCQmedium

You run the following CLI commands on a FortiGate:

`diagnose sys session filter dport 443`
`diagnose sys session list`

and you see the output:

`proto=6 proto_state=01 duration=3600 expire=3599`

What does this indicate?

A.The session is a UDP session to port 443
B.The session is in a CLOSE state
C.The session is a TCP connection to port 443 that was just established and will expire in about 1 hour
D.The session has been active for 1 hour and has 1 second remaining before expiry
AnswerC

A duration of 3600 seconds (1 hour) and an expire value of 3599 seconds (almost 1 hour left) indicate a new session.

Why this answer

The command `diagnose sys session filter dport 443` filters sessions to destination port 443, and `diagnose sys session list` displays matching sessions. The output shows `proto=6`, which is the protocol number for TCP, and `expire=3599` seconds, indicating the session will expire in about 1 hour (3600 seconds total). The `proto_state=01` corresponds to TCP state ESTABLISHED, meaning the session is active and just established, not closing.

Therefore, option C is correct.

Exam trap

The trap here is that candidates confuse `duration` (time since session started) with `expire` (time remaining), or misinterpret `proto=6` as UDP because port 443 is commonly associated with HTTPS/TLS, but the protocol field explicitly shows TCP.

How to eliminate wrong answers

Option A is wrong because `proto=6` indicates TCP, not UDP (UDP is protocol 17). Option B is wrong because `proto_state=01` represents TCP ESTABLISHED state, not CLOSE (which would be state 07 or 08). Option D is wrong because `duration=3600` means the session has been active for 1 hour, but `expire=3599` means there are 3599 seconds (about 1 hour) remaining before expiry, not 1 second.

280
MCQmedium

A FortiGate administrator needs to send logs to a FortiAnalyzer device for long-term storage and analysis. Which log configuration must be set up?

A.Configure an IPsec tunnel to FortiAnalyzer
B.Add the FortiAnalyzer as a logging destination in Log Settings
C.Enable disk logging on the FortiGate
D.Configure syslog server pointing to FortiAnalyzer IP
AnswerB

FortiAnalyzer is configured under Log & Report > Log Setting as a logging destination.

Why this answer

Logs are sent to FortiAnalyzer by configuring the Log Settings > Log Forwarding or the Log & Report > Log Setting to send logs to FortiAnalyzer.

281
MCQhard

A FortiGate administrator configures a Central SNAT policy to translate internal IPs to a single public IP for internet access. However, traffic from a specific internal server (10.0.1.100) must use a different public IP. The administrator also creates a policy-based NAT rule in the firewall policy for that server. Which NAT method takes precedence?

A.Central SNAT takes precedence over policy-based NAT
B.Policy-based NAT takes precedence because it is more specific
C.Central SNAT takes precedence because it is evaluated after policy-based NAT
D.The most recently created rule takes precedence
AnswerA

Central SNAT overrides policy-based NAT when both exist.

Why this answer

In FortiGate, when both Central SNAT and policy-based NAT (configured within a firewall policy) are present, Central SNAT takes precedence. This is because Central SNAT is evaluated before policy-based NAT in the NAT processing order, and once a match is found in Central SNAT, the system applies it and does not proceed to policy-based NAT. The specific server's traffic (10.0.1.100) would still be subject to the Central SNAT rule unless a more specific Central SNAT rule is created for that IP.

Exam trap

The trap here is that candidates often assume policy-based NAT is more specific and thus takes precedence, but FortiGate's NAT evaluation order is fixed and Central SNAT always overrides policy-based NAT regardless of specificity.

How to eliminate wrong answers

Option B is wrong because policy-based NAT does not take precedence over Central SNAT; FortiGate evaluates Central SNAT first, and a match there overrides any policy-based NAT configuration. Option C is wrong because Central SNAT is evaluated before policy-based NAT, not after; the order is Central SNAT → policy-based NAT → VIP/load balancing. Option D is wrong because FortiGate does not use a 'most recently created rule' precedence for NAT; it follows a strict evaluation order based on NAT type, not creation time.

282
Multi-Selecthard

An administrator is troubleshooting a FortiGate that is not passing traffic. The policy allows traffic, but the session table shows no sessions. Which THREE steps should the administrator take to diagnose the issue? (Choose three.)

Select 3 answers
A.Verify the interface status and link state.
B.Run 'diagnose npu np6 show' to check offloading.
C.Check the ARP table to ensure the next-hop MAC is resolved.
D.Examine the routing table for the destination network.
E.Disable the firewall policy and check if traffic flows.
AnswersA, C, D

Interface down would stop traffic.

Why this answer

Option A is correct because if the interface is down or has a link issue, the FortiGate cannot send or receive any traffic, resulting in no sessions being created even if the policy allows traffic. Verifying interface status and link state is a fundamental first step in troubleshooting connectivity issues, as it ensures the physical or logical layer is operational before checking higher-layer configurations.

Exam trap

The trap here is that candidates may assume a policy allowing traffic guarantees session creation, but they overlook that the FortiGate must first be able to physically receive and forward the traffic, which depends on interface, ARP, and routing being correctly configured.

283
MCQmedium

You run `diagnose sys session filter dport 443` and see the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate about the session?

A.The session is in the SYN_SENT state, waiting for a SYN-ACK
B.The session is using UDP protocol
C.The session is fully established and actively transferring data
D.The session is being torn down and will expire soon
AnswerA

proto_state=01 corresponds to TCP SYN_SENT (bit 0 set).

Why this answer

The output shows `proto=6` (TCP) and `proto_state=01`, which in Fortinet's session table corresponds to the TCP state `SYN_SENT` (the session has sent a SYN and is awaiting a SYN-ACK). The `duration=3600` and `expire=3599` indicate the session has been alive for 3600 seconds and will expire in 3599 seconds, but the state itself is not established or closing. Option A is correct because `proto_state=01` specifically maps to the TCP SYN_SENT state in FortiOS session diagnostics.

Exam trap

The trap here is that candidates see `duration=3600` and `expire=3599` and mistakenly assume the session is 'about to expire' (option D), when in fact the expire value is still large and the session is in an early handshake state, not a teardown state.

How to eliminate wrong answers

Option B is wrong because `proto=6` explicitly indicates TCP (protocol number 6), not UDP (protocol 17). Option C is wrong because a fully established TCP session would show `proto_state=06` (ESTABLISHED), not `01` (SYN_SENT). Option D is wrong because the session is not being torn down; a session in teardown would show states like FIN_WAIT or TIME_WAIT (e.g., `proto_state=0B` or `0C`), and the expire timer of 3599 seconds is long, not near zero.

284
MCQhard

A FortiGate in HA active-passive cluster is experiencing failover events. The administrator runs 'get system ha status' and sees that the 'sync status' is 'out of sync'. What is the most likely cause?

A.The HA mode is set to active-active.
B.The session synchronization is disabled.
C.The passive unit has a different firmware version.
D.The heartbeat interface is down.
AnswerC

Why this answer

In an HA active-passive cluster, the 'sync status' indicates whether configuration and session data are synchronized between the primary and secondary units. When the passive unit has a different firmware version, the FortiGate cannot synchronize its configuration or sessions because the data structures and features may differ between versions, leading to an 'out of sync' status. This is a common prerequisite: both units must run the exact same firmware image for HA synchronization to function.

Exam trap

The trap here is that candidates often confuse 'session synchronization' with 'configuration synchronization' and assume that disabling session sync (Option B) would cause the 'sync status' to show 'out of sync', but the command output specifically reflects configuration sync status, not session sync.

How to eliminate wrong answers

Option A is wrong because setting the HA mode to active-active does not directly cause an 'out of sync' status; active-active mode still requires synchronization between units, and the sync status would reflect issues like version mismatch or heartbeat failure, not the mode itself. Option B is wrong because disabling session synchronization would only affect session failover capability, not the configuration sync status; the 'sync status' field primarily reflects configuration synchronization, and even with session sync disabled, configuration sync can still be 'in sync'. Option D is wrong because if the heartbeat interface is down, the HA cluster would likely detect a link failure and trigger a failover or show 'heartbeat lost' rather than 'out of sync'; the 'sync status' specifically tracks data synchronization, not heartbeat connectivity.

285
MCQhard

An administrator is troubleshooting a FortiGate that is not sending logs to FortiAnalyzer. The FortiAnalyzer is reachable from the FortiGate. Which command should the administrator use to test the connectivity and log forwarding?

A.execute log send
B.execute log fortianalyzer test
C.ping <FortiAnalyzer IP>
D.diagnose debug application fortianalyzer
AnswerB

This command sends a test log message to FortiAnalyzer and reports success/failure.

Why this answer

Option B is correct. 'execute log fortianalyzer test' sends a test log to FortiAnalyzer to verify connectivity and configuration.

286
MCQmedium

An admin wants to block access to malicious websites using FortiGuard Web Filtering. Which policy configuration is necessary to apply the web filter profile to HTTP/HTTPS traffic?

A.Configure a DNS filter instead of a web filter
B.Create a policy with action DENY and a web filter profile
C.Create an allow policy for HTTP/HTTPS and apply a web filter profile
D.Use an application control profile to block malicious sites
AnswerC

The web filter profile is applied to allowed traffic; the profile will block malicious sites.

Why this answer

Option C is correct because FortiGate requires an explicit allow policy for HTTP/HTTPS traffic to pass through the firewall before a web filter profile can inspect and block malicious URLs. The web filter profile is applied as a security policy feature on an allow policy, not on a deny policy, since deny policies drop traffic before inspection can occur. Without an allow policy, the traffic would be blocked by default, and the web filter would never see the traffic to apply its filtering rules.

Exam trap

The trap here is that candidates often think a deny policy can have a web filter profile applied to block malicious sites, but FortiGate only applies security profiles on allow policies, and deny policies simply drop traffic without inspection.

How to eliminate wrong answers

Option A is wrong because a DNS filter is used to block domains based on DNS queries, not to inspect HTTP/HTTPS content for malicious URLs; FortiGuard Web Filtering requires a web filter profile, not a DNS filter. Option B is wrong because a policy with action DENY drops all traffic before any security profiles, including web filter profiles, can be applied; web filter profiles can only be attached to allow policies where traffic is permitted and then inspected. Option D is wrong because an application control profile is designed to identify and control application traffic (e.g., Facebook, YouTube), not to block malicious websites based on URL categories; that is the function of a web filter profile.

287
Multi-Selecthard

An administrator receives reports that some internal users can access Facebook despite a web filtering profile that blocks the 'Social Networking' category. The policy is configured with deep inspection. Which THREE checks should the administrator perform to troubleshoot this issue?

Select 4 answers
A.Check if the users are using HTTPS and if the SSL inspection profile has an exemption for Facebook
B.Ensure that the antivirus profile is enabled on the policy
C.Check if the users are accessing Facebook via an SSL VPN tunnel that bypasses the policy
D.Verify that the web filtering profile is applied to the correct policy and that the policy order is correct
E.Confirm that the 'Social Networking' category is not set to 'Monitor' instead of 'Block'
AnswersA, C, D, E

If Facebook is exempted from deep inspection, the web filtering may not see the HTTP content.

Why this answer

The issue could be due to policy order, category not being blocked for that specific user, or SSL inspection exemptions.

288
MCQmedium

A FortiGate with antivirus in flow-based inspection mode is not detecting a known virus in HTTP traffic. The same virus is detected when using proxy-based inspection. What is the most likely reason?

A.Flow-based inspection does not reassemble files or unpack archives, so it misses some viruses
B.Flow-based inspection requires FortiSandbox integration to detect viruses
C.The antivirus signature database is outdated for flow-based inspection
D.Flow-based inspection only scans on explicit proxy policies
AnswerA

Proxy-based reassembles and unpacks, providing deeper inspection.

Why this answer

Option A is correct: flow-based inspection uses fewer resources and may not perform the full file reassembly or unpacking that proxy-based inspection does, allowing some viruses to evade detection.

289
MCQeasy

What is the primary purpose of configuring split tunneling on an SSL VPN?

A.To provide two-factor authentication for the VPN connection
B.To encrypt all traffic from the remote client, including Internet traffic
C.To enable the use of client certificates for authentication
D.To allow the remote client to access both the corporate network and the Internet simultaneously without routing all traffic through the VPN
AnswerD

Correct. Split tunneling separates corporate traffic (via VPN) from Internet traffic (direct).

Why this answer

Split tunneling allows the remote client to route only traffic destined for the corporate network through the VPN tunnel, while Internet-bound traffic goes directly to the Internet. This reduces bandwidth load on the VPN and improves performance.

290
MCQmedium

An admin configures a VIP to map public IP 203.0.113.10:80 to internal server 10.0.0.10:8080. Users on the internet can reach the server. However, internal users trying to access the public IP from inside the network fail. What is the MOST likely reason?

A.The VIP is configured with port forwarding only for external interface
B.The firewall policy for internal users does not have NAT disabled
C.The internal server is not configured to respond to requests on port 8080
D.The internal users are using a different DNS server
AnswerB

For internal users accessing the VIP, the source NAT (overload) must be disabled so that the server sees the real client IP; otherwise, FortiGate may attempt to NAT again and break the session. Additionally, a policy from internal to the VIP interface (often a loopback or internal) is needed.

Why this answer

By default, FortiGate does not allow hairpin NAT (internal users accessing the VIP from inside). A policy with source NAT and the VIP as destination is required, and often NAT needs to be disabled on that policy to avoid double NAT. The common solution is to add a policy from internal to internal (or use NAT with source translation) but the core issue is that traffic from internal to VIP is not handled without a specific policy.

291
MCQmedium

An administrator wants to aggregate two physical interfaces (port1 and port2) on a FortiGate to increase bandwidth and provide redundancy. Which interface type should be created?

A.Aggregate interface
B.Loopback interface
C.VLAN interface
D.Software switch interface
AnswerA

Aggregate interfaces (LAG) provide increased bandwidth and redundancy.

Why this answer

An aggregate interface (also known as a Link Aggregation Group or LAG) combines multiple physical interfaces into a single logical link, increasing bandwidth and providing redundancy. This is the correct choice because it directly supports the administrator's goal of aggregating port1 and port2 on a FortiGate, using the IEEE 802.3ad standard (LACP) or static aggregation.

Exam trap

The trap here is that candidates often confuse a software switch interface with link aggregation, but a software switch simply bridges ports at Layer 2 without the load-balancing and failover mechanisms of an aggregate interface.

How to eliminate wrong answers

Option B is wrong because a loopback interface is a virtual interface used for management or routing protocol stability, not for aggregating physical links. Option C is wrong because a VLAN interface is a logical interface for 802.1Q VLAN tagging on a single physical or aggregate interface, not a method to combine multiple physical ports. Option D is wrong because a software switch interface creates a Layer 2 bridge between ports, but it does not provide link aggregation for increased bandwidth or redundancy in the same way as an aggregate interface.

292
MCQeasy

What is the purpose of a ZTNA (Zero Trust Network Access) tag on a FortiGate?

A.To enable SNMP monitoring on the device
B.To assign static IP addresses to clients
C.To mark devices or users with attributes used in security policies
D.To tag firewall policies for logging purposes
AnswerC

ZTNA tags carry attributes like device posture, user identity, etc., used to enforce access.

Why this answer

ZTNA tags are used to identify devices and users based on compliance and trust level, allowing dynamic access control policies beyond traditional IP addresses.

293
MCQmedium

An admin needs to create a firewall policy that matches traffic based on the destination being a specific geographic location (e.g., France). Which address object should be used?

A.A geography object
B.An FQDN object
C.A subnet object
D.A wildcard FQDN object
AnswerA

Geography objects use IP geolocation databases to match traffic from/to a country.

Why this answer

A geography object is specifically designed to match traffic based on geographic location (country, continent, or region) using the GeoIP database integrated into FortiOS. When a firewall policy needs to allow or deny traffic to or from a specific country like France, a geography object is the correct address object type because it dynamically resolves IP ranges assigned to that country by IANA/RIRs.

Exam trap

The trap here is that candidates may confuse geography objects with FQDN or wildcard FQDN objects, mistakenly thinking domain-based objects can represent geographic regions, when in fact only geography objects leverage the GeoIP database for location-based matching.

How to eliminate wrong answers

Option B is wrong because an FQDN object matches traffic based on a fully qualified domain name, not geographic location, and relies on DNS resolution to IP addresses. Option C is wrong because a subnet object defines a specific IP range or network prefix, which cannot represent an entire country's dynamic IP allocations. Option D is wrong because a wildcard FQDN object matches multiple domain names using a wildcard pattern (e.g., *.example.com), which has no relation to geographic location.

294
Multi-Selectmedium

An administrator needs to integrate a FortiGate with FortiManager for centralized management. Which two steps are required? (Choose two.)

Select 2 answers
A.Enable SNMP on the FortiGate to allow FortiManager to monitor.
B.Configure a firewall policy allowing traffic from FortiGate to FortiManager on port 541 (FGFM).
C.Configure a VPN tunnel between FortiGate and FortiManager.
D.Configure the FortiGate to connect to FortiManager using the 'execute fortimanager register' command.
E.Set the FortiGate's operation mode to transparent.
AnswersB, D

FortiGate-FortiManager communication uses port 541 (FGFM) and must be allowed.

Why this answer

Option B is correct because FortiGate and FortiManager communicate using the FortiGate-to-FortiManager (FGFM) protocol over TCP port 541. A firewall policy must be configured on the FortiGate to allow outbound traffic to the FortiManager on this port, enabling registration and ongoing management. Option D is correct because the 'execute fortimanager register' command is the standard CLI method to initiate the registration process, providing the FortiManager IP address and optional registration code.

Exam trap

The trap here is that candidates often confuse SNMP (monitoring) or VPN (tunneling) as requirements for FortiManager integration, when in fact the FGFM protocol on TCP 541 and the registration command are the only mandatory steps.

295
MCQeasy

Which mode of SSL VPN provides full network-layer access to the remote network, allowing any application to function as if the client is directly connected?

A.Tunnel mode
B.Web mode
C.Split tunneling mode
D.Clientless mode
AnswerA

Tunnel mode gives the client a virtual IP and routes all (or split) traffic through the VPN, providing full network access.

Why this answer

Tunnel mode creates a virtual interface on the client that provides full network access, similar to an IPsec VPN. Web mode only provides access to specific web applications through a browser portal.

296
MCQhard

An administrator runs 'diagnose debug application sslvpn -1' on a FortiGate and sees the following output: 'SSLVPN_ERROR:ERR_AUTH_FAIL' for a user. The user is in an LDAP group and has the correct password. What is the MOST likely cause?

A.The SSL VPN certificate is expired
B.The user is not a member of the required LDAP group
C.The LDAP server is unreachable
D.The user account is locked out
AnswerB

Group membership is often checked; if the user is not in the group, authentication fails.

Why this answer

ERR_AUTH_FAIL indicates authentication failure despite correct credentials. The group membership is likely the issue; the user may not be a member of the required group, or the group filter is misconfigured.

297
MCQeasy

A company wants to block all HTTP traffic but allow HTTPS. Which SSL inspection method should be used on the firewall policy?

A.No inspection
B.Deep inspection
C.Full SSL inspection
D.Certificate inspection
AnswerA

No inspection allows HTTPS to pass through without decryption.

Why this answer

To block HTTP (port 80) while allowing HTTPS (port 443), no SSL inspection is needed because the firewall can distinguish traffic by port number alone. SSL inspection is only required when you need to examine the encrypted payload of HTTPS traffic, not to permit or deny it based on the protocol. Therefore, 'No inspection' is correct for this access control requirement.

Exam trap

The trap here is that candidates assume HTTPS traffic must be inspected to be allowed, but the firewall can permit or deny based on the destination port without any SSL inspection at all.

How to eliminate wrong answers

Option B (Deep inspection) is wrong because deep inspection decrypts HTTPS traffic to inspect the payload, which is unnecessary and adds overhead when the goal is simply to allow HTTPS and block HTTP based on port. Option C (Full SSL inspection) is wrong because it also involves decrypting all SSL/TLS traffic, which is not required for port-based allow/deny decisions. Option D (Certificate inspection) is wrong because certificate inspection only validates the server certificate without decrypting the traffic, but it is still an SSL inspection method that is not needed for simple port-based filtering.

298
MCQhard

A FortiGate administrator runs the following command and sees: 'diagnose ips anomaly list' returns no entries, but the IPS sensor is configured with anomaly signatures. What is the MOST likely reason the signatures are not appearing?

A.The IPS sensor is configured in 'passive' mode, which suppresses anomaly detection.
B.The anomaly signatures have not triggered any events yet because traffic thresholds have not been exceeded.
C.Anomaly signatures are not displayed by 'diagnose ips anomaly list'; they require a different command.
D.The IPS sensor is not enabled on any firewall policy.
AnswerB

Anomaly detection is rate-based; signatures only appear when the configured threshold is exceeded. If no traffic has triggered them, the list will be empty.

Why this answer

Option B is correct. Anomaly signatures are dynamic; they only appear in the anomaly list when traffic triggers them. Empty output means no thresholds have been exceeded.

299
Multi-Selecthard

A FortiGate administrator notices that some users can bypass the web filter to access prohibited categories. The web filter profile is applied to the firewall policy. Which TWO actions should the admin take to determine why the filter is being bypassed? (Choose two.)

Select 2 answers
A.Ensure that the FortiGate has connectivity to FortiGuard
B.Check if the firewall policy that the traffic matches has the web filter profile applied
C.Verify that the DNS filter is also applied to the same policy
D.Check if SSL deep inspection is enabled on the policy
E.Examine the client's browser proxy settings
AnswersB, D

If the policy does not have the profile, it will not be filtered.

Why this answer

Options B and D are correct. Verifying that the web filter profile is correctly applied to the policy the traffic actually matches is fundamental. Checking whether HTTPS traffic is being inspected is critical because, without SSL deep inspection, the web filter cannot see the hostnames and URLs inside encrypted traffic.

Options A and C are not directly relevant; option E concerns client-side configuration, not the cause of the bypass.

300
MCQmedium

An administrator configures a FortiGate HA cluster in active-passive mode. After a failover, some UDP-based sessions are lost. What is the MOST likely reason?

A.The heartbeat interface failed
B.UDP session synchronization is not enabled by default
C.The failover triggered a routing table change
D.The HA priority was set too low on the backup unit
AnswerB

In active-passive HA, only TCP sessions are synchronized. UDP sessions are not synced unless 'set session-sync-udp' is configured.

Why this answer

UDP is stateless and not synchronized by default in active-passive HA unless session synchronization is configured. TCP sessions are synchronized by default.
