Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 301–375

1000 questions total · 14 pages · All types, answers revealed

Page 5 of 14

301
MCQ · medium

You are configuring a route-based IPsec VPN with BGP over the tunnel. After Phase 2 is up, the BGP session does not establish. You run 'diagnose debug ipsec' and see no errors. What should you check next?

A. Disable anti-replay on the tunnel
B. Enable NAT traversal
C. Ensure the tunnel interface is added to the BGP neighbor configuration
D. Check the Phase 1 proposal
Answer: C

BGP needs the interface to form the session; often the tunnel interface must be specified as the update source.

Why this answer

In route-based VPN, the tunnel interface must be included in the BGP configuration as a neighbor update source or the BGP update must be allowed in the firewall policy.

302
MCQ · hard

A FortiGate admin wants to inspect SSL-encrypted traffic for threats using IPS. The admin creates an SSL inspection profile with 'full SSL inspection' and applies it to the policy. What additional configuration is necessary for the IPS engine to process the decrypted traffic?

A. Enable 'set ssl-ssh-profile' under the IPS sensor
B. Enable 'IPS' under the SSL inspection profile
C. Configure the FortiGate's CA certificate on clients
D. Apply an IPS sensor to the same firewall policy
Answer: D

The IPS sensor is a separate security profile that must be added to the policy to scan decrypted traffic.

Why this answer

IPS inspection requires that the security profile (IPS sensor) is also applied to the same firewall policy. SSL inspection alone only decrypts; the IPS profile inspects the decrypted traffic.

303
MCQ · easy

What is the default administrative account on a FortiGate?

A. master
B. root
C. guest
D. admin
Answer: D

Default admin account.

Why this answer

The default administrative account on a FortiGate is 'admin'. This account is created automatically during the initial boot process and has full super-admin privileges, allowing complete access to the device's configuration and management interfaces. It is the only default account with administrative rights, and its password must be set during initial setup.

Exam trap

The trap here is that candidates may confuse the FortiGate default admin account with the default accounts of other operating systems or network devices, such as 'root' on Linux or 'master' on Cisco, leading them to select the wrong option.

How to eliminate wrong answers

Option A is wrong because 'master' is not a default account on FortiGate; it is a common default account on some other network devices like Cisco switches. Option B is wrong because 'root' is the default administrative account on Unix/Linux systems, not on FortiGate, which runs a proprietary FortiOS. Option C is wrong because 'guest' is a default read-only account on FortiGate, not an administrative account; it is intended for limited monitoring access without configuration privileges.

304
MCQ · medium

An administrator is troubleshooting a connectivity issue. A ping from the FortiGate to 8.8.8.8 succeeds, but traffic from internal hosts to the internet is failing. The firewall policy allows the traffic. What is the most likely cause?

A. The default route on the FortiGate is missing
B. The internal hosts have the wrong default gateway configured
C. DNS resolution is failing
D. The FortiGate's interface to the internal network is down
Answer: B

If hosts point to a wrong gateway, traffic won't reach the FortiGate.

Why this answer

Since the FortiGate can ping 8.8.8.8, its default route and internet connectivity are working. The issue is that internal hosts cannot reach the internet, which points to a Layer 3 forwarding problem at the host level. The most likely cause is that the internal hosts have the wrong default gateway configured, so their traffic is not being sent to the FortiGate for routing.

Exam trap

The trap here is that candidates assume a successful ping from the FortiGate implies end-to-end connectivity, overlooking that the internal hosts' default gateway configuration is independent of the FortiGate's own routing table.

How to eliminate wrong answers

Option A is wrong because if the default route on the FortiGate were missing, the FortiGate itself would not be able to ping 8.8.8.8, but the ping succeeded. Option C is wrong because DNS resolution failure would prevent name resolution, but the question describes a connectivity issue where traffic to the internet is failing, and the ping to 8.8.8.8 uses an IP address, not a hostname, so DNS is not the bottleneck. Option D is wrong because if the FortiGate's interface to the internal network were down, the FortiGate would not be able to communicate with internal hosts at all, but the firewall policy allows the traffic and the FortiGate can still ping external IPs, indicating the internal interface is operational.

305
MCQ · medium

An administrator runs 'diagnose debug application fnbamd -1' on a FortiGate to troubleshoot authentication issues. The output shows that the FortiGate successfully contacts the LDAP server but the user authentication fails. What does this indicate?

A. The user's password is incorrect or the user account is locked
B. The LDAP server is unreachable
C. The LDAP bind user password is incorrect
D. The LDAP schema does not match what FortiGate expects
Answer: A

Successful contact but failed authentication for the user indicates the user's credentials are wrong or the account is disabled/locked.

Why this answer

Option A is correct. The debug output shows successful communication with the LDAP server, meaning the bind user has proper privileges. The authentication failure indicates that the user's credentials are incorrect or the user does not exist in the LDAP database.

306
MCQ · easy

Which of the following statements about FortiGate backup is true?

A. The backup includes all current sessions and logs
B. The backup file contains the full configuration and can be encrypted with a password
C. A backup can be restored only on the same hardware model
D. Backup files are saved in plain text format
Answer: B

Backups are encrypted and can have a password for extra security.

Why this answer

Option B is correct because FortiGate backup files contain the full device configuration, including all settings and policies, and can be encrypted with a password using the 'execute backup config' command with the 'password' option. This ensures confidentiality during storage or transfer, as the backup is stored in a binary format that requires the password for decryption during restoration.

Exam trap

The trap here is that candidates often assume backups include all runtime data like sessions and logs, or that backups are model-specific, but FortiGate explicitly separates configuration from volatile state data, and restoration is firmware-version dependent, not hardware-model dependent.

How to eliminate wrong answers

Option A is wrong because FortiGate backups do not include current sessions or logs; sessions are volatile and stored in memory, while logs are typically stored separately on local disk or external storage, and only the configuration is backed up. Option C is wrong because a backup can be restored on any FortiGate model that supports the same firmware version, not just the same hardware model, though some model-specific features may require manual adjustment. Option D is wrong because backup files are saved in a binary, encrypted format (not plain text) when a password is set, and even without a password, the file is not plain text but a proprietary format that cannot be easily read.

307
MCQ · medium

A network administrator wants to allow employees to access a specific web application but block all other application traffic. The administrator creates a firewall policy with an application control profile that allows the desired application. However, employees can still access other applications. What is the MOST likely reason?

A. The application control profile is applied to the wrong firewall policy
B. The firewall policy has SSL inspection disabled
C. The application signatures are outdated
D. The application control profile is set to 'Monitor All' rather than 'Block All'
Answer: D

Why this answer

If the application control profile is set to 'Monitor All', it will only log but not block unlisted applications. To block all except allowed, the profile should be set to 'Block All' with exceptions for allowed applications.

308
MCQ · medium

An administrator needs to configure a loopback interface on a FortiGate for management purposes. Which of the following is true regarding loopback interfaces?

A. Loopback interfaces are virtual and can be used as source IP for management traffic.
B. Loopback interfaces require a physical port to be associated.
C. Loopback interfaces cannot be used in firewall policies.
D. Loopback interfaces are only available in transparent mode.
Answer: A

Why this answer

Loopback interfaces are virtual interfaces that are always up and do not depend on the physical link state. They can be assigned an IP address and used as the source IP for management traffic (e.g., SNMP, syslog, NTP, or administrative access), ensuring consistent reachability even if physical interfaces fail. This makes option A correct.

Exam trap

The trap here is that candidates often assume loopback interfaces are only for routing protocols or require a physical link, but FortiGate allows them to serve as stable management endpoints independent of physical interface status.

How to eliminate wrong answers

Option B is wrong because loopback interfaces are purely virtual and do not require any physical port association; they exist independently of hardware interfaces. Option C is wrong because loopback interfaces can be used in firewall policies just like any other interface, allowing traffic to be inspected or routed to/from the FortiGate itself. Option D is wrong because loopback interfaces are available in both NAT/Route mode and transparent mode, not exclusively in transparent mode.

309
Multi-Select · easy

An admin is configuring ECMP (Equal Cost Multi-Path) on a FortiGate with two ISPs. Which TWO conditions must be met for ECMP to load balance traffic across both links? (Choose two.)

Select 2 answers
A. The routes must be configured with the same metric
B. The routes must have the same priority
C. The FortiGate must be in transparent mode
D. The routes must have the same administrative distance
E. The routes must point to different next-hop IP addresses
Answers: B, D

Equal priority ensures both routes are considered.

Why this answer

ECMP requires that multiple routes to the same destination have equal cost. On FortiGate, the cost is determined by administrative distance (AD) and priority (which is the route metric). Both routes must have the same AD and the same priority to be considered equal-cost and eligible for load balancing.

If either value differs, one route will be preferred over the other, and ECMP will not activate.

Exam trap

The trap here is that candidates confuse 'metric' (which is the priority value on FortiGate) with 'administrative distance', or assume ECMP requires different next-hop IPs, when in fact the key condition is equal cost (same AD and same priority).

310
MCQ · medium

A FortiGate administrator configures SNMPv2c on the FortiGate to send traps to a monitoring server. However, no traps are received. The monitoring server can ping the FortiGate. What is the MOST likely cause?

A. SNMPv2c is not supported on FortiGate; only v3 is supported.
B. The FortiGate's firewall policy blocks SNMP traffic from the monitoring server.
C. The SNMP community string does not match between FortiGate and server.
D. The monitoring server's IP is not in the SNMP trap receiver list on FortiGate.
Answer: C

SNMPv2c uses community strings; if they differ, the server will reject traps.

Why this answer

SNMPv2c uses community strings as a form of authentication. If the community string configured on the FortiGate does not match the one configured on the monitoring server, the server will reject the trap. Since the server can ping the FortiGate, network connectivity is fine, and the issue is most likely an authentication mismatch.

Exam trap

The trap here is that candidates assume SNMP traps are blocked by a firewall policy, but since traps are initiated by the FortiGate (outbound), the server's ability to ping the FortiGate confirms Layer 3 reachability, shifting the focus to authentication or receiver configuration.

How to eliminate wrong answers

Option A is wrong because FortiGate fully supports SNMPv2c, not just v3. Option B is wrong because SNMP traps are sent from the FortiGate to the server, not initiated by the server, so a firewall policy blocking inbound SNMP from the server would not prevent outbound traps. Option D is wrong because the trap receiver list specifies where traps are sent, not which IPs are allowed to receive them; if the server's IP were missing from the list, the FortiGate would not send traps to it, but the question states the administrator configured traps to be sent to the server, so this is less likely than a community string mismatch.

311
MCQ · medium

A company is deploying FortiGate for outbound web filtering. They want to block users from accessing social media sites during business hours, but still allow access to cloud-based productivity tools like Office 365. Which approach should the administrator use to meet this requirement?

A. Create a firewall policy to block all traffic to ports commonly used by social media (e.g., TCP 443).
B. Use a web filter profile to block URLs containing 'facebook' or 'twitter'.
C. Configure an application control profile with rules to block social media applications and allow Office 365 applications.
D. Implement a DNS filter to block DNS queries for social media domains.
Answer: C

Application control profiles can precisely allow or block applications regardless of port/protocol, meeting the requirement exactly.

Why this answer

Application control is the correct approach because it can identify and control applications like social media and Office 365 based on their unique signatures, regardless of the ports or protocols they use. Unlike URL filtering or port blocking, application control can differentiate between Office 365 traffic and social media traffic even when both use HTTPS on TCP 443, allowing the administrator to block social media while permitting cloud productivity tools.

Exam trap

The trap here is that candidates often assume URL filtering or port blocking is sufficient, but the NSE4 exam tests the understanding that application control is required when applications share the same port (e.g., TCP 443) and need to be differentiated based on their behavior, not just their domain or port.

How to eliminate wrong answers

Option A is wrong because blocking TCP 443 would block all HTTPS traffic, including Office 365 and other legitimate web services, not just social media. Option B is wrong because URL filtering based on keywords like 'facebook' or 'twitter' is unreliable—social media sites often use dynamic URLs, CDNs, or IP addresses that do not contain those keywords, and users can bypass it via direct IP access or HTTPS encryption. Option D is wrong because DNS filtering only blocks domain resolution; users could still access social media by using direct IP addresses, cached DNS entries, or alternative DNS servers, making it an incomplete solution.

312
MCQ · easy

An administrator wants to allow SSH access from the internet to a server inside the network at 192.168.1.10. Which NAT configuration is needed?

A. Use policy-based routing to forward SSH traffic
B. Create a VIP mapping public IP:22 to private IP:22 and an allow policy from WAN to DMZ
C. Configure source NAT on the outbound policy from DMZ to WAN
D. Enable NAT on the WAN interface
Answer: B

VIP translates the destination address; the policy allows the traffic after translation.

Why this answer

Option B is correct because to allow inbound SSH access from the internet to an internal server, you need a Virtual IP (VIP) that maps a public IP and port (e.g., 203.0.113.5:22) to the private IP and port (192.168.1.10:22), combined with a firewall policy from the WAN zone to the DMZ zone that permits SSH traffic. This is Destination NAT (DNAT), which translates the destination address of incoming packets so they are routed to the internal server.

Exam trap

The trap here is that candidates often confuse source NAT (SNAT) with destination NAT (DNAT), thinking that enabling NAT on the WAN interface alone is sufficient for inbound access, when in fact a VIP (DNAT) and an allow policy are required to translate and permit the traffic.

How to eliminate wrong answers

Option A is wrong because policy-based routing (PBR) controls the path packets take based on criteria like source/destination, but it does not perform address translation; it cannot map a public IP to a private IP for inbound access. Option C is wrong because source NAT (SNAT) translates the source IP of outbound traffic, which is used for internal hosts to access the internet, not for allowing inbound SSH from the internet to an internal server. Option D is wrong because simply enabling NAT on the WAN interface without a specific VIP or DNAT rule does not create a mapping for inbound traffic; it typically applies to outbound traffic (masquerading) or requires additional configuration to handle inbound connections.

313
MCQ · medium

The output of 'diagnose debug application ike -1' shows 'no proposal chosen' for a Phase1 negotiation. Which action should the administrator take to resolve this?

A. Increase the Phase1 lifetime on both sides
B. Verify the pre-shared key is correct
C. Check and align the Phase1 encryption, authentication, and DH group settings
D. Change the IKE version from v1 to v2
Answer: C

The negotiation fails because no common proposal exists; matching these parameters is required.

Why this answer

The error 'no proposal chosen' indicates that the local and remote gateways have no common Phase1 parameters (encryption, authentication, DH group, etc.). The administrator must review and match the Phase1 proposal settings.

314
MCQ · medium

An administrator wants to back up the FortiGate configuration to a TFTP server at 10.10.10.10. Which CLI command should be used?

A. execute backup config tftp 10.10.10.10
B. backup config tftp 10.10.10.10
C. copy config tftp 10.10.10.10
D. execute save config tftp 10.10.10.10
Answer: A

Why this answer

The correct command to back up a FortiGate configuration to a TFTP server is 'execute backup config tftp <server-ip>'. This is because 'execute' is the FortiOS CLI keyword for initiating operational commands, and 'backup config tftp' specifies the action and protocol. The syntax is case-sensitive and must include the 'execute' prefix to be recognized by the FortiGate CLI.

Exam trap

The trap here is that candidates may forget the 'execute' keyword, which is mandatory for all operational commands in FortiOS, and mistakenly choose a command that looks correct but lacks it, such as 'backup config tftp'.

How to eliminate wrong answers

Option B is wrong because it omits the required 'execute' keyword; FortiOS CLI commands for operational tasks like backup must start with 'execute'. Option C is wrong because 'copy config tftp' is not a valid FortiOS command; the correct verb is 'backup', not 'copy'. Option D is wrong because 'execute save config tftp' uses 'save' instead of 'backup', and 'save config' is used for saving the running configuration to flash memory, not for exporting to a TFTP server.

315
MCQ · easy

What is the primary difference between route-based and policy-based IPsec VPNs on a FortiGate?

A. Route-based requires a static route, policy-based uses dynamic routing.
B. Route-based encrypts all traffic, policy-based encrypts only specified services.
C. Route-based supports only IKEv2, policy-based supports both IKEv1 and IKEv2.
D. Route-based uses a tunnel interface, policy-based uses firewall policies to define traffic selectors.
Answer: D

Correct: route-based has a tunnel interface; policy-based defines selectors in Phase 2.

Why this answer

Route-based VPNs create a virtual interface (e.g., 'tunnel') that is used in routing and firewall policies, while policy-based VPNs define the traffic selectors within the Phase 2 configuration itself, without a separate interface.

316
Multi-Select · hard

A FortiGate administrator is designing an SSL VPN solution for 500 remote users. The users need full network access. Which two design considerations are most important?

Select 2 answers
A. Ensure the SSL VPN IP pool has enough addresses for concurrent users.
B. Create firewall policies that allow traffic from the SSL VPN interface to internal networks.
C. Configure split tunneling to reduce load on the FortiGate.
D. Use certificate-based authentication for all users.
E. Enable port forwarding for RDP and SSH.
Answers: A, B

Sufficient IP pool is critical for scalability.

Why this answer

Option A is correct because the SSL VPN IP pool must have enough addresses to assign to all concurrent users. Without a sufficient pool, users will fail to obtain an IP address and cannot access the network. Option B is correct because firewall policies are required to permit traffic from the SSL VPN interface (e.g., ssl.root) to internal networks; without them, traffic is dropped even if the tunnel is established.

Exam trap

The trap here is that candidates often confuse optional features (like split tunneling or certificate authentication) with mandatory design requirements, overlooking the fundamental need for IP pool sizing and firewall policies to enable basic connectivity.

317
Multi-Select · medium

A FortiGate administrator needs to configure source NAT for a group of internal servers (10.0.1.100-10.0.1.110) so that each server uses a unique public IP from the range 203.0.113.20-203.0.113.30. The requirement is that each internal IP maps to a fixed external IP (one-to-one mapping) and not port overload. Which TWO settings should be configured in the IP Pool? (Choose two.)

Select 2 answers
A. Type: Overload
B. Enable 'Fixed Port Range'
C. External IP Range: 203.0.113.20-203.0.113.30
D. Type: One-to-One
E. Use Central SNAT instead of IP Pool
Answers: C, D

Provides 11 IPs for 11 internal servers.

Why this answer

Option C is correct because the External IP Range must be set to 203.0.113.20-203.0.113.30 to define the pool of public IPs that will be mapped one-to-one to the internal servers. Option D is correct because Type: One-to-One ensures each internal IP is permanently mapped to a unique external IP, without port address translation (PAT), meeting the requirement of fixed one-to-one mapping.

Exam trap

The trap here is that candidates often confuse 'One-to-One' with 'Overload' and select 'Type: Overload' thinking it still provides unique IPs, but Overload always uses PAT and cannot guarantee a fixed external IP per internal host.

318
MCQ · easy

Which web filtering feature allows an administrator to force web search engines to filter explicit content in search results, regardless of the user's browser settings?

A. DNS filter
B. URL filter
C. Application control
D. Safe search
Answer: D

Safe search enforces filtering at the search engine level.

Why this answer

Option D is correct. Safe search is a web filtering feature that redirects search engine queries to use safe search mode, blocking explicit content. It can be enforced through FortiGate.

319
MCQ · easy

A FortiGate administrator wants to ensure that all firewall policies are backed up before performing a firmware upgrade. Which backup method preserves the configuration in a format that can be restored to the same or different FortiGate model?

A. Use 'execute backup full-config tftp'
B. Copy the configuration from the system config script
C. Backup the configuration via CLI using 'execute backup config tftp'
D. Save the running config from the GUI Dashboard
Answer: C

This backs up the full configuration in text format, which can be restored to any FortiGate.

Why this answer

Option C is correct because 'execute backup config tftp' saves the FortiGate configuration in a plain-text, human-readable format that can be restored to the same or a different FortiGate model. This command backs up only the configuration (not firmware or logs) and is model-agnostic, allowing restoration across different hardware platforms as long as the firmware version is compatible.

Exam trap

The trap here is confusing 'execute backup config tftp' with 'execute backup full-config tftp', where candidates mistakenly think a full backup is safer, not realizing it is model-specific and cannot be restored to a different FortiGate model.

How to eliminate wrong answers

Option A is wrong because 'execute backup full-config tftp' backs up the entire system image including firmware, which is model-specific and cannot be restored to a different FortiGate model. Option B is wrong because copying the configuration from the system config script only provides a read-only view of the current configuration; it does not create a backup file that can be restored via CLI or TFTP. Option D is wrong because saving the running config from the GUI Dashboard exports the configuration in a binary or proprietary format that may not be compatible with different models or CLI restoration methods.

320
MCQ · medium

An administrator wants to allow management access to a FortiGate from a specific subnet 10.10.10.0/24 via HTTPS. Which configuration achieves this?

A. config system global set admin-sport 443 set allowaccess https 10.10.10.0/24 end
B. config router policy edit 1 set src 10.10.10.0/24 set dst 10.0.0.0/8 set action accept set protocol https end
C. config system admin edit admin set trustedhost 10.10.10.0/24 set allowaccess https end
D. config system interface edit port1 set allowaccess https set trustedhosts 10.10.10.0 255.255.255.0 end
Answer: D

Why this answer

Option D is correct because management access to a FortiGate interface is controlled via the `config system interface` context, where `set allowaccess https` enables HTTPS management on that interface, and `set trustedhosts` restricts access to the specified subnet 10.10.10.0/24. This configuration ensures only hosts from that subnet can reach the FortiGate's HTTPS management interface on the given port.

Exam trap

The trap here is that candidates often confuse the `config system admin` context (which only controls per-admin trusted hosts for authentication) with the interface-level `trustedhosts` setting, or mistakenly think global settings like `admin-sport` also control access restrictions.

How to eliminate wrong answers

Option A is wrong because `config system global` does not contain `set allowaccess` or `set trustedhosts`; the `set admin-sport` command changes the HTTPS port globally but access control is not configured in system global. Option B is wrong because `config router policy` is used for routing policy-based routing, not for management access control; it does not restrict HTTPS management access to the FortiGate itself. Option C is wrong because while `config system admin` allows setting `trustedhost` per administrator, the `set allowaccess https` command is invalid in that context; `allowaccess` is an interface-level parameter, not an admin-level parameter.

321
MCQ · easy

Which SSL/TLS inspection mode only validates the server certificate without decrypting the traffic?

A. Deep inspection
B. Flow-based inspection
C. Certificate inspection
D. Proxy-based inspection
Answer: C

Certificate inspection validates the certificate without decryption.

Why this answer

Certificate inspection checks the certificate chain but does not decrypt the content.

322
MCQ · hard

An administrator runs 'diagnose sys session list' and sees a session with 'expire=0'. What does this indicate?

A. The session has expired and will be removed soon
B. The session is a long-lived session that does not expire
C. The session has been idle for 0 seconds
D. The session is permanently established and will not expire
Answer: A

expire=0 indicates the session lifetime has ended and it will be cleaned up.

Why this answer

expire=0 means the session TTL has reached zero and the session is eligible for removal in the next cleanup cycle.

323
MCQ · medium

An organization has multiple remote sites connected via IPsec VPN. The administrator needs to ensure that traffic from the internal network (10.0.0.0/8) to the VPN destination (10.10.0.0/16) uses a specific interface (port2) instead of the default route. Which feature should be configured?

A. Central NAT
B. Static route with higher distance
C. Policy-based routing
D. Traffic shaping
Answer: C

PBR allows forwarding traffic based on policy criteria, overriding the routing table.

Why this answer

Policy-based routing (PBR) allows you to override the default routing table by matching traffic based on source/destination addresses and directing it to a specific egress interface (port2). This is the correct feature because the requirement is to force traffic from 10.0.0.0/8 to 10.10.0.0/16 out port2, bypassing the default route.

Exam trap

The trap here is confusing policy-based routing with static route manipulation; candidates often think a static route with a higher distance can override the default route, but distance only affects route preference, not the ability to force traffic out a specific interface when a default route with lower distance exists.

How to eliminate wrong answers

Option A is wrong because Central NAT is used for centralized NAT policy management in SD-WAN or hub-and-spoke topologies, not for overriding routing decisions. Option B is wrong because a static route with a higher distance (administrative distance) would only be used as a backup if the primary route fails; it cannot force traffic out a specific interface when a lower-distance default route exists. Option D is wrong because traffic shaping controls bandwidth allocation and QoS, not the path or interface selection for traffic.

324
MCQ · medium

An administrator is troubleshooting a loss of connectivity between two sites connected via a VPN tunnel. The FortiGate logs show 'Tunnel: phase 1 negotiation failed'. Which two parameters MUST match on both peers for phase 1 to succeed? (Select two. Not all options are used.)

A. IPsec proposal (encryption and authentication)
B. Pre-shared key
C. IKE version (v1 or v2)
D. Local ID
E. Local and remote IP addresses
Answer: B, C

The PSK must match on both ends.

Why this answer

The pre-shared key (PSK) is a mandatory authentication method for IKE phase 1. Both peers must use an identical PSK string; a mismatch causes the 'phase 1 negotiation failed' error because the IKE SA cannot be authenticated. FortiGate logs this failure when the calculated hash of the PSK does not match between the two endpoints.

Exam trap

The trap here is that candidates often confuse phase 1 and phase 2 parameters, incorrectly selecting the IPsec proposal (which is a phase 2 parameter) instead of the IKE version, which is a critical phase 1 matching requirement.

How to eliminate wrong answers

Option A is wrong because the IPsec proposal (encryption and authentication) is negotiated during phase 2, not phase 1; phase 1 uses its own set of proposals (e.g., encryption, hash, DH group) which are not listed here. Option D is wrong because the Local ID is optional and used for identification purposes (e.g., when using certificates or aggressive mode), but it is not a mandatory parameter that must match for phase 1 success; mismatched Local IDs can still allow phase 1 if the PSK and other core parameters match. Option E is wrong because local and remote IP addresses are the endpoints of the tunnel and must be correctly configured, but they are not 'parameters that must match on both peers' — each peer has its own local and remote IP, and they are complementary, not identical.

325
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A.The session is in an error state
B.The session has been idle for 3600 seconds
C.The session is to port 3600
D.The session is about to expire in 3599 seconds
AnswerD

expire=3599 shows remaining session lifetime.

Why this answer

The 'expire=3599' field is the remaining time-to-live of the session entry: unless another packet refreshes it, the session is removed from the session table in 3599 seconds. Every packet that matches the session resets 'expire' to the session TTL (3600 seconds by default for established TCP, from 'config system session-ttl'), so 'expire=3599' also tells you the last packet was seen about one second ago. 'duration=3600' is the age of the session since it was created; it is not idle time, and adding it to 'expire' does not give a total lifetime. 'proto=6' is TCP, and for TCP the trailing digit of 'proto_state' is the connection state: 01 is ESTABLISHED, so this is a healthy, active session, not an error or idle condition. (Note that 'diagnose sys session filter' only sets the filter; the entries themselves are printed by 'diagnose sys session list'.)

Exam trap

The trap here is confusing 'duration' (time since session started) with 'expire' (time until session ends), leading candidates to incorrectly interpret the 3600 value as idle time or a port number.

How to eliminate wrong answers

Option A is wrong because 'proto_state=01' is the ESTABLISHED state for TCP; other values such as 02 (SYN_SENT), 03 (SYN and SYN/ACK), 05 (TIME_WAIT) or 06 (CLOSE) describe handshake or teardown stages, and none of them is an 'error state' as such. Option B is wrong because 'duration=3600' is the age of the session, not idle time; idle time is the difference between the session TTL and the current 'expire' value, which here is about one second. Option C is wrong because the destination port is the 443 given in the filter; 'duration=3600' is a time in seconds, not a port number.
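The fields discussed above are easy to misread in a long session list. The following parser is an added example (it is not Fortinet code) that decodes the timer and state fields of 'diagnose sys session list' entries; the two session entries embedded in it are constructed to mimic the output quoted in the question, and the default TCP TTL of 3600 seconds is assumed for entries that print no 'timeout=' field.

```python
"""Decode FortiGate `diagnose sys session list` entries (added example)."""
import re

# FortiOS default TTL for established TCP sessions, assumed when an
# entry carries no explicit `timeout=` field.
DEFAULT_TCP_TTL = 3600

# TCP connection state carried in the trailing digit of `proto_state`.
TCP_STATES = {
    "0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_SYNACK",
    "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
    "8": "LAST_ACK", "9": "LISTEN",
}

# Constructed sample output (two sessions); not captured from a device.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.1.20:51234->203.0.113.10:443(198.51.100.1:51234)
session info: proto=6 proto_state=05 duration=42 expire=115 timeout=120 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.1.21:51300->203.0.113.10:443(198.51.100.1:51300)
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TUPLE_RE = re.compile(r"(\S+?):(\d+)->(\S+?):(\d+)")


def parse_sessions(text):
    """Split raw output into one dict of key/value fields per session."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("session info:"):
            sessions.append(dict(FIELD_RE.findall(line)))
        elif sessions and "->" in line:
            # The hook line carries the 5-tuple of the original direction.
            m = TUPLE_RE.search(line)
            if m:
                s = sessions[-1]
                s["src"], s["sport"], s["dst"], s["dport"] = m.groups()
    return sessions


def describe(session):
    """Translate timer and state fields into what they actually mean."""
    proto = session["proto"]
    state = session["proto_state"]
    duration = int(session["duration"])
    expire = int(session["expire"])
    ttl = int(session.get("timeout", DEFAULT_TCP_TTL))
    return {
        "protocol": {"6": "TCP", "17": "UDP", "1": "ICMP"}.get(proto, proto),
        # Only TCP encodes a connection state; other protocols just age out.
        "state": TCP_STATES.get(state[-1], "UNKNOWN") if proto == "6" else state,
        "age_seconds": duration,               # time since the session was created
        "expires_in_seconds": expire,          # countdown until removal
        "idle_seconds": max(ttl - expire, 0),  # time since the last matching packet
        "dport": int(session.get("dport", 0)),
    }


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(describe(s))
```

Run it against a saved 'diagnose sys session list' dump instead of SAMPLE to spot sessions that are old but still busy (large age, tiny idle) versus sessions that are simply waiting to be expired.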

326
MCQmedium

An administrator needs to store logs for compliance purposes and wants them to be retained even if the FortiGate is reset. Which log storage option should they use?

A.FortiAnalyzer
B.FortiCloud logs
C.Syslog server
D.Local disk logs
AnswerA

FortiAnalyzer is dedicated log storage that can be configured for long-term retention and is independent of FortiGate resets.

Why this answer

Option A is correct. FortiAnalyzer provides centralized log storage that is separate from the FortiGate, ensuring logs are retained even if the FortiGate is reset, and it adds retention policies and reporting that a plain syslog server does not offer.

327
MCQmedium

A FortiGate cluster in active-passive HA is configured with two heartbeat interfaces. The primary unit fails completely. The secondary unit detects the failure and becomes primary. After the original primary recovers, it remains in passive mode. What is the most likely reason for this behavior?

A.The heartbeat interfaces are not properly configured
B.The HA override setting is disabled
C.The priority of the original primary is lower than the current primary
D.The HA override setting is enabled
AnswerB

With override disabled, the recovered unit does not preempt the current primary.

Why this answer

When override is disabled (the default), the recovered unit will not preempt the current primary. The cluster stays with the current primary until it fails. This is the expected behavior for graceful recovery.

328
MCQeasy

Which security profile type is used to prevent sensitive data such as credit card numbers from being sent out of the network via email or web traffic?

A.Email filter profile
B.Antivirus profile
C.Web filter profile
D.DLP profile
AnswerD

DLP profiles specifically prevent data leakage.

Why this answer

Option D is correct. Data Leak Prevention (DLP) profiles are designed to detect and block transmission of sensitive data based on patterns or predefined data types.

329
Multi-Selectmedium

An active-passive HA cluster is experiencing frequent failovers. Which TWO factors could cause unnecessary failovers? (Choose two.)

Select 2 answers
A.Using a data interface as the heartbeat interface
B.An unstable network link for the heartbeat
C.Different firmware versions on cluster members
D.Mismatched HA passwords between cluster members
E.Mismatched HA priority values
AnswersA, B

Data interfaces may have fluctuating link status, triggering failover.

Why this answer

Incorrect heartbeat interface configuration (e.g., using a busy data port) can cause false positives. A mismatched HA password prevents proper communication, but may not cause failover; mismatched priority affects role selection, not failover frequency. Unstable heartbeat links cause failover.

330
MCQeasy

Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?

A.The policy is missing the 'set inspection-mode proxy' command.
B.The ssl-ssh-profile is set to 'deep-inspection' but the policy is using flow-based inspection.
C.The source interface is 'wan1' but the traffic is coming from 'internal'.
D.The policy has 'set action deny' instead of 'set action accept'.
AnswerA

Deep inspection requires proxy-based inspection mode.

Why this answer

Option A is the keyed answer: the policy lacks 'set inspection-mode proxy', so it runs in the default flow-based mode, and the question treats proxy mode as the prerequisite for full SSL/TLS interception with the deep-inspection profile. Two caveats for practice: on current FortiOS releases a flow-based policy can also perform deep inspection (a few profile features remain proxy-only), so check the release notes for your version rather than assuming flow mode cannot decrypt; and whichever mode is used, deep inspection still needs the FortiGate CA certificate trusted on the clients, or browsers will reject the re-signed certificates.

Exam trap

The trap here is that candidates assume setting the ssl-ssh-profile to 'deep-inspection' alone is sufficient, overlooking the mandatory 'set inspection-mode proxy' command required for SSL decryption to function.

How to eliminate wrong answers

Option B is wrong because the ssl-ssh-profile set to 'deep-inspection' is the correct profile for SSL inspection; the issue is the inspection mode, not the profile. Option C is wrong because, if the policy's source interface were 'wan1' while the traffic arrived on 'internal', the policy would not match the traffic at all; the question states this is the only policy matching the traffic, so an interface mismatch cannot be the cause. Option D is wrong because 'set action deny' would block the traffic entirely rather than merely skip SSL inspection; since the policy is matching and passing traffic, its action must be accept.

331
Multi-Selectmedium

A FortiGate administrator is troubleshooting why antivirus scanning is not working for HTTPS traffic. Which TWO steps should be verified?

Select 2 answers
A.Ensure the antivirus profile is set to proxy-based inspection
B.Ensure the firewall policy has SSL/TLS deep inspection enabled
C.Confirm that the web filter profile is also applied
D.Verify that the antivirus profile is applied to the policy
E.Check that the FortiSandbox is online for advanced scanning
AnswersB, D

Without deep inspection, HTTPS traffic is encrypted and antivirus cannot see the payload.

Why this answer

For antivirus to scan HTTPS traffic, the firewall policy must use an SSL/SSH inspection profile with deep inspection enabled, so the payload is decrypted, and the antivirus profile must be applied to that same policy. Both are required. A web filter profile (C) or a FortiSandbox (E) are optional additions, and the antivirus profile's inspection mode (A) only has to be consistent with the policy, not specifically proxy-based.

332
MCQeasy

A FortiGate has two firewall policies: Policy 1 (ID 1) allows HTTP from any to 10.0.0.0/8, and Policy 2 (ID 2) denies all traffic from 192.168.1.0/24 to any. Traffic from 192.168.1.10 to 10.0.0.5 on port 80 is received. Which policy will match first?

A.Policy 1 (ID 1) will match and accept the traffic
B.Both policies will match, and the traffic will be denied
C.Policy 2 (ID 2) will match and deny the traffic
D.Neither policy matches, so the traffic is dropped by default deny
AnswerA

Why this answer

Policy 1 (ID 1) matches first because FortiGate evaluates firewall policies sequentially from the top of the policy list until the first match is found. The policy ID is an identifier assigned at creation time; what determines precedence is the policy's position in the list, which in this question corresponds to ID order. The source IP 192.168.1.10 falls within the 'any' source of Policy 1, the destination 10.0.0.5 is within 10.0.0.0/8, and HTTP (port 80) matches the service. Since Policy 1 matches, it is applied and the traffic is accepted, even though Policy 2 would also match if it were reached.

Exam trap

The trap here is that candidates assume a more specific source (192.168.1.0/24) will override a broader source (any) due to specificity, but FortiGate uses sequential order, not longest-prefix matching, for policy selection.

How to eliminate wrong answers

Option B is wrong because FortiGate stops at the first matching policy; it does not evaluate or combine multiple policies for the same traffic. Option C is wrong because Policy 2 sits below Policy 1 in the list (here the second position, matching its ID), so it is evaluated after Policy 1, which already matches and accepts the traffic. Option D is wrong because Policy 1 explicitly matches the traffic, so the implicit default deny is never reached.

333
MCQmedium

A network administrator notices that traffic from the internal network (10.0.1.0/24) to the internet is not being matched by the intended firewall policy (ID 10). The policy uses source address 'internal_subnet' (10.0.1.0/24) and destination address 'all'. There is another policy (ID 5) with source 'all' and destination 'all' that also matches this traffic. What is the most likely reason policy 10 is not being matched?

A.Policy 5 has a higher priority because it is above policy 10 in the policy list
B.Policy 10 is configured with an expired security certificate
C.The source address object 'internal_subnet' is incorrectly configured
D.Policy 10 has a schedule that is not active
AnswerA

Policy order determines matching; first match is used.

Why this answer

FortiGate matches firewall policies from top to bottom. Policy 5 is higher in the policy list order than policy 10, so traffic matches policy 5 first and never reaches policy 10.

334
Matchingmedium

Match each FortiGate NAT type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Translates private source IP to public IP for outbound traffic

Translates public destination IP to private IP for inbound traffic

Assigns a range of ports to a private IP for NAT

Translates IPv6 traffic to IPv4 and vice versa

Translates IPv4 traffic to IPv6

Why these pairings

NAT methods used in FortiGate for address translation: source NAT (using the outgoing interface IP or an IP pool) translates the private source IP of outbound traffic; destination NAT, configured with a virtual IP (VIP), maps a public destination IP to the internal server; an IP pool in port block allocation (or fixed port range) mode assigns a block of ports to each private IP; NAT64 translates IPv6 clients to IPv4 servers, and NAT46 translates IPv4 to IPv6.

335
MCQmedium

An administrator configures an IPsec VPN with IKEv1 main mode. The remote peer reports that Phase 1 fails with a 'no proposal chosen' error. The local Phase 1 settings include: encryption AES128, authentication SHA1, DH group 2, lifetime 86400. Which remote peer setting is MOST likely causing the mismatch?

A.Remote peer uses aggressive mode
B.Remote peer uses AES256 instead of AES128
C.Remote peer uses DH group 5 instead of group 2
D.Remote peer uses SHA256 instead of SHA1
AnswerB

AES128 vs AES256 is a common mismatch. Both are valid but different.

Why this answer

Main mode requires both sides to have matching parameters. A mismatch in any parameter causes 'no proposal chosen' error. The remote peer likely has AES256 instead of AES128.
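Questions 324 and 335 both turn on which phase 1 settings must agree and in what order a mismatch shows up. The following is an added example, not FortiOS code: it models two peers with simplified settings and reproduces the sequence of checks (IKE version, exchange mode, proposal selection, then pre-shared key authentication) so that a 'no proposal chosen' result can be explained attribute by attribute. The class and function names, and the peer configurations, are this example's own constructions.

```python
"""Reproduce the IKE phase 1 checks behind 'no proposal chosen' (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

Proposal = Tuple[str, str, int]   # (encryption, hash, dh_group)


@dataclass
class PeerConfig:
    ike_version: int
    mode: str                      # "main" or "aggressive" (IKEv1 only)
    psk: str
    proposals: List[Proposal]
    lifetime: int = 86400          # negotiated, not required to match


def proposal_diff(local, remote):
    """Name each attribute for which the peers share no value at all."""
    names = ("encryption", "hash", "dh_group")
    diffs = []
    for i, name in enumerate(names):
        local_vals = {p[i] for p in local}
        remote_vals = {p[i] for p in remote}
        if not local_vals & remote_vals:
            diffs.append("%s: local %s vs remote %s"
                         % (name, sorted(local_vals), sorted(remote_vals)))
    return diffs


def phase1_check(local: PeerConfig, remote: PeerConfig) -> dict:
    """Outcome of phase 1 in the order failures surface on the wire."""
    if local.ike_version != remote.ike_version:
        return {"ok": False, "reason": "IKE version mismatch: local v%d, remote v%d"
                % (local.ike_version, remote.ike_version)}
    if local.ike_version == 1 and local.mode != remote.mode:
        return {"ok": False, "reason": "exchange mode mismatch: local %s, remote %s"
                % (local.mode, remote.mode)}
    # The initiator offers its proposals in order; the responder picks the
    # first one it also supports, otherwise it answers NO_PROPOSAL_CHOSEN.
    common = [p for p in local.proposals if p in remote.proposals]
    if not common:
        return {"ok": False, "reason": "no proposal chosen",
                "diff": proposal_diff(local.proposals, remote.proposals)}
    # Lifetime differences do not abort the exchange; the shorter value wins.
    if local.psk != remote.psk:
        return {"ok": False, "chosen": common[0],
                "reason": "authentication failed (probable pre-shared key mismatch)"}
    return {"ok": True, "chosen": common[0],
            "lifetime": min(local.lifetime, remote.lifetime)}


# Constructed peers: the local settings from question 335 and three remotes.
SITE_A = PeerConfig(1, "main", "s3cret", [("AES128", "SHA1", 2)], 86400)
REMOTE_AES256 = PeerConfig(1, "main", "s3cret", [("AES256", "SHA1", 2)], 86400)
REMOTE_GOOD = PeerConfig(1, "main", "s3cret", [("AES128", "SHA1", 2)], 28800)
REMOTE_BAD_PSK = PeerConfig(1, "main", "wr0ng", [("AES128", "SHA1", 2)], 86400)
REMOTE_IKEV2 = PeerConfig(2, "main", "s3cret", [("AES128", "SHA1", 2)], 86400)

if __name__ == "__main__":
    for peer in (REMOTE_AES256, REMOTE_GOOD, REMOTE_BAD_PSK, REMOTE_IKEV2):
        print(phase1_check(SITE_A, peer))
```

The ordering matters when reading logs: a PSK mismatch only appears after a proposal has been agreed, so 'no proposal chosen' rules the key out and points you at encryption, hash, DH group or, for IKEv1, the exchange mode.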

336
MCQeasy

A FortiGate administrator wants to block all traffic to websites that are categorized as 'Malware' and 'Phishing'. Which security profile should be configured to achieve this goal?

A.DNS Filter profile
B.Web Filter profile
C.IPS profile
D.Application Control profile
AnswerB

Web filtering can block categories such as Malware and Phishing.

Why this answer

Option B is correct. Web filtering profiles use FortiGuard categories to block access to malicious websites such as malware and phishing sites.

337
MCQmedium

A FortiGate administrator wants to configure ZTNA to secure access to an internal application. Which of the following components is essential for ZTNA to function?

A.FortiCloud
B.FortiClient EMS
C.FortiAnalyzer
D.A VPN tunnel to the client
AnswerB

FortiClient EMS provides endpoint compliance and identity information required for ZTNA.

Why this answer

ZTNA requires FortiGate to verify the user's identity and device posture. The FortiClient EMS provides device posture information and client certificates, which are essential for ZTNA access control.

338
MCQeasy

What is the purpose of the DNS filter security profile on a FortiGate?

A.To block DNS queries to known malicious domains
B.To inspect DNS traffic for virus signatures
C.To filter spam emails based on DNS blacklists
D.To prevent DNS tunneling attacks
AnswerA

DNS filter uses FortiGuard DNS categories and custom domain lists to block malicious DNS queries.

Why this answer

DNS filter inspects DNS queries to block access to malicious or unwanted domains.

339
MCQmedium

A FortiGate admin has configured a firewall policy allowing traffic from the internal network (10.0.1.0/24) to the internet (any). Users report that they cannot access a specific website (203.0.113.5). The admin runs 'diagnose firewall fqdn list' and sees that the FQDN object used in a policy above the allow policy resolves to an IP that includes 203.0.113.5. What is the MOST likely cause?

A.The destination NAT on the allow policy is misconfigured
B.The FortiGate's DNS server is not resolving the FQDN correctly
C.The antivirus profile on the allow policy is blocking the website
D.The FQDN object resolved to the IP after the policy was created, but the policy lookup uses the cached IP and matches before the allow policy
AnswerD

Policy lookup matches the first policy where source/destination conditions are met. Since the FQDN object resolved to the destination IP, a higher-priority policy matches and the intended allow policy is never evaluated.

Why this answer

Firewall policies are matched from top to bottom. If a policy higher in the list matches the traffic and denies it or applies a different NAT, it is processed before the intended allow policy. In this case, an FQDN-based policy above the allow policy matches the destination IP, because 203.0.113.5 is among the addresses the FQDN object currently resolves to (which is exactly what 'diagnose firewall fqdn list' shows), so the traffic is handled by that policy instead. The FortiGate resolves FQDN objects itself and refreshes them when the DNS TTL expires, so the set of IPs a policy matches can change over time without any policy edit.
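Questions 332, 333 and 339 all hinge on the same mechanism: top-down first match, with ordering decided by list position rather than policy ID, and with FQDN objects matching whatever the FortiGate currently resolves them to. The following evaluator is an added example, not FortiOS code, that reproduces that lookup. The address objects, policy list and FQDN cache are constructed for the example (the cache stands in for what 'diagnose firewall fqdn list' would display), and the object name 'internal_subnet' is the one the questions use.

```python
"""First-match firewall policy lookup with FQDN objects (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed stand-in for the FortiGate's FQDN cache: the addresses a
# policy using the FQDN object will match until the DNS TTL expires.
FQDN_CACHE = {"cdn.example.com": {"203.0.113.5", "203.0.113.6"}}

# Constructed address objects; "fqdn:" entries are resolved via the cache.
ADDRESSES = {
    "all": ["0.0.0.0/0"],
    "internal_subnet": ["10.0.1.0/24"],
    "blocked_cdn": ["fqdn:cdn.example.com"],
}


def expand(name):
    """Resolve an address object name to the networks it covers right now."""
    nets = []
    for entry in ADDRESSES[name]:
        if entry.startswith("fqdn:"):
            for ip in FQDN_CACHE.get(entry[5:], ()):
                nets.append(ipaddress.ip_network(ip))
        else:
            nets.append(ipaddress.ip_network(entry))
    return nets


def contains(name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expand(name))


@dataclass
class Policy:
    policy_id: int
    srcaddr: str
    dstaddr: str
    service: Set     # destination ports, or {"ALL"}
    action: str      # "accept" or "deny"


def lookup(policy_list: List[Policy], src_ip, dst_ip, dport) -> Optional[Policy]:
    """Walk the policies in display order and return the first match.

    The list order is what counts; policy_id is only a label, so the same
    policies in a different order can give a different result.
    """
    for pol in policy_list:
        if (contains(pol.srcaddr, src_ip) and contains(pol.dstaddr, dst_ip)
                and ("ALL" in pol.service or dport in pol.service)):
            return pol
    return None   # implicit deny at the bottom of the list


# Question 333: policy 5 (all -> all) sits above policy 10 (internal -> all).
ALLOW_ALL = Policy(5, "all", "all", {"ALL"}, "accept")
INTERNAL_OUT = Policy(10, "internal_subnet", "all", {"ALL"}, "accept")

# Question 339: a deny policy using an FQDN object sits above the allow policy.
DENY_CDN = Policy(7, "internal_subnet", "blocked_cdn", {"ALL"}, "deny")

if __name__ == "__main__":
    print(lookup([ALLOW_ALL, INTERNAL_OUT], "10.0.1.50", "8.8.8.8", 53))
    print(lookup([INTERNAL_OUT, ALLOW_ALL], "10.0.1.50", "8.8.8.8", 53))
    print(lookup([DENY_CDN, INTERNAL_OUT], "10.0.1.50", "203.0.113.5", 443))
```

To see the question 339 effect, change FQDN_CACHE so that the name no longer resolves to 203.0.113.5 and the same lookup falls through to the allow policy; that is the behaviour a refreshed DNS answer produces on the device.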

340
Multi-Selectmedium

A FortiGate administrator is troubleshooting an issue where HTTPS traffic is not being properly inspected by the web filter. The policy has SSL inspection enabled. Which TWO commands would provide the most useful real-time debugging information? (Choose two.)

Select 2 answers
A.diagnose test application ips 1
B.diagnose debug flow filter dport 443 ; diagnose debug flow show function-name ; diagnose debug enable
C.diagnose sys session filter dport 443 ; diagnose sys session list
D.execute log display
E.diagnose sniffer packet any 'port 443' 4
AnswersB, E

This enables flow debugging for HTTPS traffic, showing the inspection stages.

Why this answer

Diagnose debug flow traces the packet through the firewall pipeline, showing each stage, including which policy and SSL/SSH inspection profile the session hits. In practice the command set in option B also needs 'diagnose debug flow trace start <count>' to begin producing output, and 'diagnose debug disable' afterwards. Diagnose sniffer packet captures the actual packets, which is useful for seeing the TLS handshake; verbosity level 4 prints packet headers with the interface names. The other options are not real-time for this issue.

341
MCQeasy

Which FortiGate security profile is BEST suited for blocking DNS queries to known malicious domains?

A.Web Filter profile
B.IPS profile
C.Application Control profile
D.DNS Filter profile
AnswerD

DNS filter specifically handles DNS query filtering.

Why this answer

Option D is correct. DNS Filter profile can block DNS queries based on FortiGuard categories or custom domain lists, preventing users from resolving malicious domains.

342
MCQmedium

A FortiGate HA cluster is running in active-passive mode with two units. The administrator notices that the primary unit fails over to the secondary unit every few minutes, causing service disruption. The heartbeat interfaces are configured on port1 and port2. What is the MOST likely cause of the frequent failovers?

A.Session synchronization is consuming too much bandwidth
B.The HA priority is set to 0 on the primary unit
C.The heartbeat interfaces are experiencing high packet loss
D.The HA override setting is enabled, causing the secondary to take over
AnswerC

Unreliable heartbeat links (high packet loss/jitter) cause false failure detection, leading to frequent failovers.

Why this answer

High packet loss or jitter on the heartbeat link can cause the secondary unit to believe the primary is down, triggering unnecessary failovers. Heartbeat interfaces must be reliable.

343
MCQmedium

An administrator configures two FortiGate units in an active-passive HA cluster. After a failover, some existing TCP sessions are dropped. What is the most likely reason for this behavior?

A.Session synchronization is not enabled
B.The failover time is too slow
C.The FortiGate units are running different firmware versions
D.The HA cluster is using a virtual MAC address
AnswerA

Session synchronization must be enabled to maintain TCP sessions across failover.

Why this answer

In an active-passive HA cluster, session synchronization must be explicitly enabled to replicate TCP session state from the primary unit to the backup unit. Without session sync, the backup unit has no knowledge of existing TCP sessions after a failover, causing those sessions to be dropped because the new primary cannot match incoming packets to any session table entry.

Exam trap

The trap here is that candidates often assume HA automatically synchronizes all state information, but FortiGate requires explicit configuration of session synchronization (via 'set session-pickup enable' in the HA settings) to preserve existing TCP sessions after a failover.

How to eliminate wrong answers

Option B is wrong because failover time affects the duration of traffic interruption but does not cause session drops if sessions are synchronized; even a fast failover will drop unsynchronized sessions. Option C is wrong because running different firmware versions is not supported in an HA cluster and would prevent the cluster from forming or operating correctly, but the question states the cluster is configured and failover occurs, so firmware mismatch is not the cause of session drops. Option D is wrong because using a virtual MAC address actually helps maintain session continuity by ensuring the same MAC address is used after failover, preventing ARP cache issues; it does not cause session drops.

344
MCQmedium

An admin configures an aggregate interface on a FortiGate using two physical ports. After configuration, the admin notices that traffic is not load-balancing evenly. What is the MOST likely cause?

A.The aggregate interface is set to active-passive mode
B.The aggregate interface is using the default load-balancing algorithm
C.The physical ports are connected to different switches
D.The MTU size is mismatched on the physical ports
AnswerB

The hash algorithm that selects the member link (set with 'set algorithm {L2 | L3 | L4}' on the aggregate interface) concentrates traffic on one link when the flows share the same hash inputs.

Why this answer

An aggregate interface (LAG) on FortiGate picks the egress member link by hashing packet fields: L2 uses the source and destination MAC addresses, L3 uses the source and destination IP addresses, and L4 adds the layer 4 ports. If the configured algorithm hashes on fields that barely vary in the real traffic, for example L2 hashing when everything goes between the FortiGate and a single upstream router (one MAC pair), most or all flows land on the same member. Changing the algorithm to one whose inputs differ across the flows, typically L4, distributes the sessions more evenly. The switch at the other end hashes the return direction independently and has to be tuned there as well.

Exam trap

The trap here is that candidates often assume uneven load balancing is caused by a hardware issue or physical misconfiguration, when a hash algorithm that does not suit the traffic pattern is the usual root cause.

How to eliminate wrong answers

Option A is wrong because active-passive mode does not cause uneven load balancing; it intentionally uses only one active link, so traffic is not load-balanced at all, but the question states that traffic is load-balancing (just not evenly). Option C is wrong because connecting the member ports to different switches is a valid configuration for an aggregate interface as long as the switches present a single logical LACP partner (MLAG, vPC or a stacked or virtual chassis); it may affect failover behaviour but does not by itself change the hash distribution. Option D is wrong because an MTU mismatch on the physical ports would cause packet fragmentation or drops, not uneven load balancing; the aggregate interface would fail to pass some traffic correctly rather than distribute it unevenly.

345
Multi-Selectmedium

An administrator is setting up SNMP monitoring on a FortiGate. Which two configurations are necessary for a basic SNMP setup? (Choose two.)

Select 2 answers
A.Create a firewall policy to allow SNMP traffic from the monitoring server
B.Configure an SNMP community with read-only access
C.Enable the SNMP agent under System > SNMP
D.Set the SNMP trap destination IP
E.Configure a user for SNMPv3
AnswersB, C

A community is required for authentication (v2c) and to define access.

Why this answer

Option B is correct because an SNMP community with read-only access defines the basic authentication and access control for SNMPv1/v2c queries, which is essential for monitoring. Option C is correct because the SNMP agent must be enabled on the FortiGate to process SNMP requests from the monitoring server. In practice two more things are usually needed before polls succeed: the interface that receives the polls must permit SNMP in its administrative access ('set allowaccess ... snmp' on the interface), and the community's host list should be limited to the monitoring server's address so that arbitrary hosts cannot query it. Traffic destined to the FortiGate itself is not matched by regular firewall policies, so option A is not the fix.

Exam trap

The trap here is that candidates often confuse optional features like trap destinations or SNMPv3 authentication as mandatory for basic monitoring, when only the agent enablement and a community string are required.

346
Multi-Selecthard

An administrator configures a VLAN interface on a FortiGate trunk port. The VLAN is allowed on the trunk, but the FortiGate cannot ping the default gateway of that VLAN. Which three items must be verified? (Choose three.)

Select 3 answers
A.The VLAN interface has an IP address in the correct subnet.
B.A firewall policy allows ICMP from the FortiGate to the gateway.
C.The VLAN interface is administratively up.
D.The trunk port is set to access mode.
E.The VLAN ID matches the switch configuration.
AnswersA, C, E

The IP must match the VLAN's subnet for communication.

Why this answer

Option A is correct because the VLAN interface must have an IP address in the correct subnet to communicate with the default gateway; without a matching subnet the FortiGate has no connected route to the gateway, even if the VLAN is allowed on the trunk. Option C is correct because an administratively down VLAN interface neither sends nor receives frames. Option E is correct because the VLAN ID configured on the FortiGate VLAN interface is the 802.1Q tag it uses, and it must equal the VLAN ID the switch carries on the trunk; frames with a mismatched tag are silently dropped by the switch. Option D is wrong because an access port strips tags; the port must remain in trunk mode for tagged VLAN traffic.

Exam trap

The trap here is that candidates often assume a firewall policy is needed for FortiGate-originated traffic, but local-in policies (not regular policies) control such traffic, and ICMP to the gateway is typically allowed by default unless explicitly blocked.

347
Multi-Selecthard

An administrator needs to ensure that all HTTPS traffic to a critical server is inspected by the IPS. The server uses a valid certificate from a public CA. Which THREE steps are required to achieve this?

Select 3 answers
A.Apply an IPS profile to the same firewall policy
B.Set the Antivirus profile to 'Deep Inspection'
C.Install the FortiGate's CA certificate on client browsers
D.Enable SSL deep inspection on the firewall policy
E.Upload the server's certificate to the FortiGate
AnswersA, C, D

IPS profile must be applied to the policy to inspect decrypted traffic.

Why this answer

Options A, C, and D are correct. SSL deep inspection must be enabled on the firewall policy (D) so the traffic is decrypted, the IPS profile must be applied to the same policy (A) to inspect the decrypted payload, and the FortiGate's CA certificate must be installed on the clients (C) so they trust the re-signed server certificates. Option B is wrong because 'Deep Inspection' is a setting of the SSL/SSH inspection profile, not of the antivirus profile. Option E, uploading the server's certificate, is not needed when clients reach the server through outbound inspection; it is the approach for the other direction, protecting an SSL server behind the FortiGate, where the SSL/SSH inspection profile is set to protect the server using its own certificate and private key, and clients then need no FortiGate CA.

348
MCQhard

An administrator plans to upgrade FortiGate firmware from version 6.0 to 7.2. The current version is 6.0.10. Which upgrade path is correct?

A.Upgrade to 6.4 first, then to 7.2
B.It is not possible to upgrade from 6.0 to 7.2
C.Direct upgrade from 6.0.10 to 7.2.0 is supported
D.Upgrade to 6.2, then 6.4, then 7.0, then 7.2
AnswerD

This is the correct sequential upgrade path.

Why this answer

FortiGate firmware upgrades must follow a supported path that does not skip major versions. Upgrading from 6.0.10 to 7.2.0 requires stepping through 6.2, 6.4, and 7.0 because Fortinet only supports upgrades from one major version to the next major version (e.g., 6.0→6.2→6.4→7.0→7.2). Option D correctly lists this sequential path. Before each step, confirm the exact build-to-build path with Fortinet's upgrade path tool on the support portal, because the supported intermediate builds differ between releases, and back up the configuration at every stage.

Exam trap

The trap here is that candidates assume a direct upgrade is possible because both versions are relatively recent, but Fortinet strictly enforces sequential major version upgrades to prevent configuration and system incompatibilities.

How to eliminate wrong answers

Option A is wrong because upgrading directly from 6.0 to 6.4 skips version 6.2, which is not supported by Fortinet's upgrade path requirements. Option B is wrong because upgrading from 6.0 to 7.2 is possible, but only by following the correct multi-step path through intermediate versions. Option C is wrong because a direct upgrade from 6.0.10 to 7.2.0 is not supported; Fortinet requires upgrading through each major version in sequence.

349
Multi-Selecthard

An organization is implementing two-factor authentication for SSL VPN access using FortiToken. Which THREE components are necessary for this setup?

Select 3 answers
A.An LDAP server for user synchronization
B.A firewall policy that requires authentication and references the user group
C.A FortiToken assigned to the user
D.A user group with two-factor authentication enabled
E.A RADIUS server for token validation
AnswersB, C, D

The policy triggers the authentication process.

Why this answer

FortiToken two-factor requires the FortiToken itself, a user group with two-factor authentication enabled, and a firewall policy that references that user group and requires authentication.

350
MCQeasy

A FortiGate administrator needs to capture packets on the DMZ interface to troubleshoot a connectivity issue. Which CLI command should be used to start a packet capture?

A.diagnose sniffer packet
B.diagnose debug flow
C.diagnose sys session list
D.execute packet-capture start
AnswerA

This is the correct command to capture packets on an interface.

Why this answer

The command 'diagnose sniffer packet' is used for packet capture on FortiGate interfaces.

351
MCQeasy

Which address object type can be used to match traffic based on the source country?

A.Wildcard FQDN
B.FQDN
C.Geography
D.Subnet
AnswerC

Geography objects use country codes to match IP addresses from that country.

Why this answer

Geography address objects allow matching based on country (or region) using the IP geolocation database. This is useful for geo-blocking.

352
MCQmedium

A network administrator notices that some users can access blocked web categories despite a web filter profile applied to the policy. The admin runs 'diagnose debug rating' and sees 'rating not allow' for the category. What is the MOST likely cause?

A.The web filter profile has an 'override' configured for those users
B.The policy is not using the correct web filter profile
C.DNS filter is allowing the domain
D.The FortiGuard web filter database is outdated
AnswerA

An override allows users to bypass the web filter rating. Even if the rating is 'block', the override permits access.

Why this answer

Option A is correct because the override feature can be used to grant users temporary access to blocked categories, bypassing the web filter rating.

353
Multi-Selecthard

An administrator is configuring traffic shaping on a firewall policy to limit bandwidth for YouTube. Which THREE components are required?

Select 3 answers
A.A traffic shaper object that defines bandwidth limits
B.A firewall policy that matches YouTube traffic
C.A static route for the YouTube subnet
D.A schedule object to apply the shaper only during business hours
E.Enable traffic shaping on the firewall policy and assign the traffic shaper
AnswersA, B, E

The shaper specifies max bandwidth, priority, etc.

Why this answer

Traffic shaping needs a traffic shaper object that defines the bandwidth limits (A), a firewall policy that matches the YouTube traffic, identified through an application control profile (B), and traffic shaping enabled on that policy with the shaper assigned (E). On current FortiOS releases the shaper is attached through a traffic shaping policy that references the firewall policy; a per-IP shaper can optionally be added for per-user limiting. A static route (C) is irrelevant to shaping, and a schedule (D) is optional.

354
Matchingmedium

Match each FortiGate security profile component to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Scans files for malware

Controls access to URLs and web categories

Identifies and allows/denies application traffic

Detects and blocks network attacks

Decrypts encrypted traffic for inspection

Why these pairings

Antivirus scans files for malware, Web Filter controls access to URLs and FortiGuard web categories, Application Control identifies applications and allows or denies their traffic, IPS detects and blocks network attacks, and SSL/SSH Inspection decrypts encrypted traffic so the other profiles can inspect it. All of them are applied to firewall policies for UTM inspection.

355
MCQeasy

What is the purpose of a schedule object in a firewall policy?

A.To specify the time of day when the policy is effective
B.To set the bandwidth limit for the policy
C.To prioritize traffic based on application
D.To limit the number of concurrent sessions
AnswerA

Schedule objects define when a policy can match traffic.

Why this answer

Schedule objects define time ranges during which the policy is active. This allows time-based access control.

356
MCQmedium

A FortiGate is configured with an aggregate interface (link aggregation group) consisting of two physical ports. The administrator notices that traffic is not being distributed evenly across the two links. Which configuration setting should be verified to improve load balancing?

A.Check the LACP mode (active vs passive)
B.Increase the MTU on the aggregate interface
C.Verify the load-balancing algorithm for the aggregate interface
D.Ensure the physical ports are in the same VDOM
AnswerC

The algorithm determines how traffic is hashed to links; changing it can improve distribution.

Why this answer

The aggregate interface uses a load-balancing algorithm to distribute traffic across member links. If traffic is uneven, the algorithm (e.g., source-destination IP, source-destination MAC, or layer 4 port) may not match the traffic pattern, causing hash polarization. Verifying and adjusting this algorithm is the correct step to improve distribution.

Exam trap

The trap here is confusing LACP negotiation settings (active/passive) with the actual traffic distribution mechanism, leading candidates to incorrectly select option A instead of recognizing that the load-balancing algorithm directly controls link utilization.

How to eliminate wrong answers

Option A is wrong because LACP mode (active vs passive) controls link negotiation and aggregation establishment, not traffic distribution across already-aggregated links. Option B is wrong because increasing MTU affects maximum packet size but has no impact on how traffic is hashed or distributed among aggregate members. Option D is wrong because VDOM membership ensures logical separation but does not influence the load-balancing algorithm or per-packet distribution across physical ports in an aggregate.
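Questions 344 and 356 both come down to how the hash inputs interact with the traffic mix. The following simulation is an added example, not FortiOS code: it models the three input sets a FortiGate aggregate interface can hash on ('set algorithm L2 | L3 | L4') with a SHA-256 based hash over the selected fields, so the real hardware hash differs, but the effect of the chosen inputs is the same. The flows are constructed: 1000 client sessions from 50 hosts to one server, all leaving through the same next-hop router, which is the single MAC pair that defeats L2 hashing.

```python
"""Why a LAG hash can polarise traffic onto one member link (added example)."""
import hashlib
from collections import Counter

ROUTER_MAC = "00:11:22:33:44:55"   # constructed next-hop MAC
FGT_MAC = "00:aa:bb:cc:dd:ee"      # constructed FortiGate MAC

# Fields each algorithm feeds into the hash.
KEY_FIELDS = {
    "L2": ("src_mac", "dst_mac"),
    "L3": ("src_ip", "dst_ip"),
    "L4": ("src_ip", "dst_ip", "sport", "dport"),
}


def build_flows(n=1000):
    """Constructed traffic: 50 clients, one server, one next-hop MAC pair."""
    flows = []
    for i in range(n):
        flows.append({
            "src_mac": FGT_MAC, "dst_mac": ROUTER_MAC,     # never varies
            "src_ip": "10.0.1.%d" % (1 + i % 50),          # 50 client hosts
            "dst_ip": "203.0.113.10",                      # one server
            "sport": 20000 + i, "dport": 443,              # unique source port
        })
    return flows


def member_link(flow, algorithm, links=2):
    """Pick the egress member from a hash of the selected fields."""
    key = "|".join(str(flow[f]) for f in KEY_FIELDS[algorithm])
    digest = hashlib.sha256(key.encode()).digest()
    return digest[0] % links


def distribution(flows, algorithm, links=2):
    """Count how many flows each member link receives."""
    counts = Counter(member_link(f, algorithm, links) for f in flows)
    return {link: counts.get(link, 0) for link in range(links)}


def imbalance(dist):
    """Share of flows on the busiest link (0.5 is perfect for two links)."""
    total = sum(dist.values())
    return max(dist.values()) / total if total else 0.0


if __name__ == "__main__":
    flows = build_flows()
    for algo in ("L2", "L3", "L4"):
        d = distribution(flows, algo)
        print(algo, d, "busiest link share %.2f" % imbalance(d))
```

With one MAC pair, L2 puts every flow on the same member; L3 spreads 50 host addresses, which can still be lumpy; L4 spreads individual sessions. Remember that the link aggregation partner hashes the return direction with its own algorithm, so the switch needs the same review.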

357
MCQmedium

A company policy requires that all web searches by employees use safe search. Which setting should be configured in the web filtering profile?

A.Enable 'Restrict YouTube Access'
B.Create a URL filter to block URLs with 'safe search'
C.Enable 'Enforce 'Safe Search' on Google, Bing, and Yahoo'
D.Set the 'Action' for FortiGuard categories to 'Warning'
AnswerC

This setting forces safe search for the listed search engines.

Why this answer

Option C is correct because the 'Enforce Safe Search' setting in a FortiGate web filtering profile forces Google, Bing, and Yahoo to use their built-in safe search parameters (e.g., &safe=active for Google). This ensures that all web searches from the network comply with the company policy by appending the required query strings to search URLs, blocking explicit content at the search engine level. Because these search engines serve everything over HTTPS, the FortiGate can only inspect and rewrite the search URL when the policy applies SSL deep inspection; with certificate inspection alone this setting cannot take effect, and the alternative is safe search enforcement in the DNS filter profile, which steers the search engine's hostname to its safe-search address.

Exam trap

The trap here is that candidates often confuse 'Enforce Safe Search' with URL filtering or category blocking, assuming that blocking or warning on categories like 'Search Engines' would achieve the same result, but safe search enforcement is a specific feature that modifies search queries rather than blocking access.

How to eliminate wrong answers

Option A is wrong because 'Restrict YouTube Access' only controls YouTube content (e.g., enforcing strict or moderate mode), not general web search safe search. Option B is wrong because creating a URL filter to block URLs containing 'safe search' would block access to safe search configuration pages, not enforce safe search on search engines. Option D is wrong because setting the 'Action' for FortiGuard categories to 'Warning' only displays a warning page for categorized sites, it does not modify search engine behavior to enforce safe search.

358
MCQeasy

An administrator needs to allow outbound DNS traffic (UDP port 53) from multiple internal subnets to the internet. Which object type should be used to group the subnets into a single source in the firewall policy?

A. VIP group
B. Schedule group
C. Address group
D. Service group
Answer: C

Address groups combine multiple address objects (subnets, IP ranges, FQDNs) into one object, which can be used as source or destination in a policy.

Why this answer

An address group is the correct object type to group multiple internal subnets into a single source in a firewall policy. In FortiGate, address groups allow you to combine multiple IP addresses or subnets (IPv4 or IPv6) into a logical group, which can then be referenced as the source in a single firewall policy. This simplifies administration by reducing the number of policies needed to allow outbound DNS traffic from multiple subnets.

Exam trap

The trap here is that candidates often confuse address groups with service groups, mistakenly thinking that grouping subnets is done via service objects, but service groups only define protocols and ports, not IP addresses.

How to eliminate wrong answers

Option A is wrong because a VIP group is used to group multiple virtual IP (VIP) objects for destination NAT (port forwarding) or load balancing, not for grouping source subnets. Option B is wrong because a schedule group is used to group time-based schedules (e.g., daily, weekly) to control when a policy is active, not to define source addresses. Option D is wrong because a service group is used to group multiple service definitions (e.g., DNS, HTTP, HTTPS) by protocol/port, not to group source IP subnets.

359
MCQ, medium

An administrator needs to ensure that all traffic from the internal network to the internet goes through a web proxy for content filtering. Which configuration is required on the FortiGate?

A. Enable the proxy feature and set the web proxy port to 80.
B. Enable web proxy in the firewall policy and set action to accept.
C. Configure an explicit web proxy and create a proxy policy.
D. Configure a transparent proxy by using an SSL inspection profile.
Answer: C

Why this answer

Option C is correct because to enforce web proxy-based content filtering for all internal-to-internet traffic, the FortiGate must be configured with an explicit web proxy (which listens on a specific IP and port, typically 8080) and a corresponding proxy policy that defines the traffic matching criteria and action. This setup ensures that client browsers are configured to send requests to the proxy, and the proxy policy applies content filtering rules.

Exam trap

The trap here is that candidates often confuse enabling the web proxy feature in a firewall policy (transparent proxy) with the explicit proxy configuration that requires a separate proxy policy, leading them to select option B.

How to eliminate wrong answers

Option A is wrong because simply enabling the proxy feature and setting the web proxy port to 80 does not create a functional proxy policy; without a proxy policy, no traffic is actually processed through the proxy for content filtering. Option B is wrong because enabling web proxy in a firewall policy with action set to accept does not redirect traffic through the proxy; it only allows the traffic to pass without proxy inspection. Option D is wrong because a transparent proxy uses an SSL inspection profile to intercept traffic transparently, but it does not require an explicit proxy configuration or a proxy policy; instead, it relies on firewall policies with web proxy enabled, which is not the same as the explicit proxy approach needed for the described requirement.

360
MCQ, medium

An administrator is reviewing log files on a FortiGate and needs to identify events related to a specific user authentication failure. The FortiGate has local disk logging enabled. Which command would the administrator use to search the logs for this event?

A. diagnose debug authd fsrv record
B. show log traffic-log
C. execute log filter
D. get log traffic
Answer: C

This command sets filters for log display; used with 'execute log display' to search logs.

Why this answer

Option C is correct. The 'execute log filter' command allows filtering logs by various criteria (user, type, etc.) before displaying them with 'execute log display'.

361
Multi-Select, medium

An administrator wants to block all peer-to-peer (P2P) file sharing applications such as BitTorrent and eMule on the network. Which THREE steps should the administrator take?

Select 3 answers
A. Configure a web filter profile to block P2P websites
B. Enable deep inspection on the firewall policy to detect encrypted P2P traffic
C. Create an application control profile with the P2P category blocked
D. Apply the application control profile to a firewall policy allowing internet access
E. Enable antivirus to block P2P protocols
Answers: B, C, D

Why this answer

Blocking P2P requires application control with the P2P category blocked, deep inspection to detect encrypted P2P traffic, and applying the profile to the firewall policy. Web filter only blocks URLs, not the application traffic itself. Antivirus does not block protocols.

362
Multi-Select, hard

A FortiGate configured in transparent mode needs to allow HTTP traffic between two VLANs. The administrator has created a firewall policy. However, traffic is still blocked. Which TWO additional configurations are necessary for transparent mode operation?

Select 2 answers
A. Enable VLAN forwarding on the bridge
B. Configure a management IP address on the FortiGate
C. Create static routes for each VLAN subnet
D. Disable antivirus inspection on the policy
E. Assign IP addresses to the internal interfaces
Answers: A, B

The bridge must be configured to forward VLAN-tagged traffic.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge, so VLAN tags must be preserved and forwarded across the bridge. Enabling VLAN forwarding on the bridge (option A) allows the FortiGate to pass 802.1Q-tagged frames between VLANs, which is essential for inter-VLAN HTTP traffic. Without this, the bridge will drop VLAN-tagged frames, blocking the traffic even if a firewall policy exists.

Exam trap

The trap here is that candidates often assume transparent mode requires IP addresses on interfaces (like NAT/route mode) or that static routes are needed for inter-VLAN traffic, but the key is understanding that transparent mode is Layer 2 and requires VLAN forwarding and a management IP for policy enforcement.

363
MCQ, easy

An administrator needs to back up the full configuration of a FortiGate, including all system settings, policies, and objects. Which CLI command should be used?

A. diagnose debug config-error-log read
B. execute backup config tftp <filename> <server>
C. show full-configuration
D. execute restore config tftp <filename> <server>
Answer: B

This backs up the configuration to a TFTP server.

Why this answer

The correct command is 'execute backup config tftp <filename> <server>' because it explicitly triggers a full configuration backup (including system settings, policies, and objects) to a TFTP server. This is the standard FortiGate CLI command for exporting the entire running configuration to an external TFTP server, ensuring all configuration elements are captured.

Exam trap

The trap here is confusing the 'backup' and 'restore' commands (options B and D) or mistaking a display-only command like 'show full-configuration' for an actual backup operation.

How to eliminate wrong answers

Option A is wrong because 'diagnose debug config-error-log read' is a diagnostic command used to view configuration error logs, not to perform a backup. Option C is wrong because 'show full-configuration' displays the entire configuration on the console but does not save or transfer it to a backup file or server. Option D is wrong because 'execute restore config tftp <filename> <server>' is used to restore a configuration from a TFTP server, not to back it up.

364
MCQ, hard

You run the following command on a FortiGate: 'diagnose sys session filter dport 443' and see the output `proto=6 proto_state=01 duration=3600 expire=3599`. What does this output indicate?

A. The session is in SYN_SENT state and the three-way handshake is not yet complete
B. The session is using UDP and the duration is 3600 seconds
C. The session is being torn down and will expire in 3599 seconds
D. The session is fully established and has been active for 3600 seconds
Answer: A

proto_state=01 for TCP indicates SYN_SENT. The handshake is incomplete.

Why this answer

The output shows `proto=6`, which indicates TCP, and `proto_state=01`, which corresponds to the TCP state SYN_SENT (0x01). This means the session has sent a SYN but has not yet received a SYN-ACK, so the three-way handshake is incomplete. The `duration=3600` and `expire=3599` indicate the session has been tracked for 3600 seconds and will expire in 3599 seconds, but the state confirms it is not yet established.

Exam trap

The trap here is that candidates see `duration=3600` and `expire=3599` and assume the session is established and about to expire, but the `proto_state=01` (SYN_SENT) clearly indicates the handshake is incomplete, not that the session is active or being torn down.

How to eliminate wrong answers

Option B is wrong because `proto=6` indicates TCP, not UDP (UDP is protocol 17). Option C is wrong because the session is in SYN_SENT state (0x01), not being torn down; a teardown would show states like FIN_WAIT or TIME_WAIT. Option D is wrong because a fully established TCP session would show `proto_state=02` (ESTABLISHED), not `01` (SYN_SENT).

365
Multi-Select, hard

A FortiGate admin is troubleshooting an issue where internal users cannot access a specific external service over TCP/443. The admin confirms that the firewall policy allows HTTP/HTTPS. Which TWO CLI commands should the admin use to diagnose? (Choose two.)

Select 2 answers
A. diagnose firewall iprope list
B. diagnose debug flow
C. diagnose sys session filter dport 443
D. get system performance status
E. execute ping 8.8.8.8
Answers: A, B

This shows the policy list and order; useful to verify if the allow policy is before any deny.

Why this answer

Option A is correct because 'diagnose firewall iprope list' displays the kernel's internal firewall rule chains, allowing the admin to verify whether the policy lookup is matching the expected rule for TCP/443 traffic. This command helps confirm that the policy is installed and active in the kernel, which is essential for troubleshooting policy-based access issues.

Exam trap

The trap here is that candidates often choose 'diagnose sys session filter dport 443' thinking it directly shows sessions, but they forget that it only sets a filter and requires an additional command to display results, making it incomplete for immediate diagnosis.

366
MCQ, medium

An administrator configures a FortiGate HA cluster in active-active mode. After enabling session synchronization, they notice that new sessions are not being synced to the secondary unit. The cluster is using a dedicated heartbeat interface. What could be the reason?

A. The HA mode is set to active-passive
B. The firewall policy does not have session sync enabled
C. The session TTL is too short
D. The heartbeat interface is not configured with an IP address
Answer: B

For active-active HA, session sync must be enabled per-policy; otherwise sessions are not synced.

Why this answer

In active-active HA, session synchronization requires that the session sync flag is enabled on the firewall policy. Without it, sessions are not synced.

367
Drag & Drop, medium

Drag and drop the steps to capture traffic on a FortiGate interface using the CLI into the correct order.


Why this order

The sniffer command syntax is diagnose sniffer packet <interface> <filter> <verbose> <count>.

368
MCQ, medium

A FortiGate administrator needs to allow remote management from the internet only from a specific IP address. Which configuration achieves this?

A. Create a local-in policy to allow management access only from the trusted host
B. Change the admin port to a non-standard port
C. Enable HTTPS and restrict admin access via admin host
D. Use a firewall policy with source address restriction
Answer: A

Local-in policies control traffic destined to the FortiGate itself, allowing source IP restriction.

Why this answer

A local-in policy is the correct method to restrict remote management access to a FortiGate from the internet because it operates at the control plane level, filtering traffic destined to the FortiGate itself before it reaches the management daemons. By specifying a source IP address in a local-in policy, you can explicitly allow HTTPS or SSH management only from that trusted host, while implicitly denying all other sources. This is more secure than relying on firewall policies, which apply to traffic passing through the FortiGate, not to traffic destined to the FortiGate's own IP addresses.

Exam trap

The trap here is that candidates often confuse firewall policies (which control traffic passing through the FortiGate) with local-in policies (which control traffic destined to the FortiGate), leading them to incorrectly select option D, thinking a standard firewall policy can restrict management access from the internet.

How to eliminate wrong answers

Option B is wrong because changing the admin port to a non-standard port is a form of security through obscurity and does not restrict access to a specific IP address; it only changes the port number, which can still be scanned and accessed from any source. Option C is wrong because enabling HTTPS and restricting admin access via admin host (the 'admin host' setting) is a legacy method that only works for GUI access and does not apply to SSH or other management protocols; it also does not provide the granularity of a local-in policy. Option D is wrong because a firewall policy with source address restriction applies to traffic transiting through the FortiGate (forwarding plane), not to traffic destined to the FortiGate itself (control plane); management traffic is handled by the control plane and must be filtered using local-in policies or the 'trusted host' feature.

369
MCQ, medium

A network administrator is troubleshooting a FortiGate HA cluster that is not failing over as expected. The cluster consists of two units in active-passive mode. The administrator issues the command 'diagnose sys ha status' and sees that both units have the same priority. What is the most likely cause of the failover issue?

A. The HA override setting is disabled
B. The HA mode is set to active-active instead of active-passive
C. The session pickup feature is enabled
D. The HA heartbeat interfaces are not properly connected
Answer: A

With override disabled, a secondary unit with lower priority cannot preempt the primary after a failback. The primary must fail completely for a failover to occur.

Why this answer

In active-passive HA, the unit with the higher priority (lower number) becomes primary. If priorities are equal, the primary is determined by serial number. Equal priorities do not prevent failover; the issue is likely that the override setting is disabled, so a lower-priority unit cannot take over even if the primary fails unless override is enabled.

370
MCQ, medium

An administrator wants to configure SNMPv3 on a FortiGate for secure monitoring. Which configuration is required?

A. Create an SNMPv3 user with authentication and privacy protocols.
B. Enable SNMP agent on the WAN interface only.
C. Configure an access control list for SNMP.
D. Set SNMP community string to 'public' and enable SNMPv1/v2c.
Answer: A

Why this answer

SNMPv3 requires a user-based security model (USM) with authentication (e.g., SHA) and privacy (e.g., AES) protocols to provide integrity, authentication, and encryption. Without these, SNMPv3 cannot secure monitoring traffic, making option A the mandatory configuration.

Exam trap

The trap here is that candidates often think enabling SNMP on a specific interface or using ACLs is the primary security requirement, but SNMPv3's security is entirely user-based and requires explicit authentication and privacy protocols.

How to eliminate wrong answers

Option B is wrong because SNMP agent can be enabled on any interface, not only WAN, and the interface selection does not enforce security; SNMPv3 security is user-based, not interface-based. Option C is wrong because while access control lists can restrict SNMP access, they are not required for SNMPv3; the core requirement is the user with authentication and privacy. Option D is wrong because setting the community string to 'public' and enabling SNMPv1/v2c bypasses SNMPv3's security entirely, leaving monitoring unencrypted and unauthenticated.

371
Multi-Select, easy

An administrator is configuring a dialup IPsec VPN for remote users. Which two settings must be configured on the FortiGate to allow clients to connect?

Select 2 answers
A. Enable XAuth for user authentication.
B. Enable Dead Peer Detection.
C. Enable mode-cfg on the Phase 1 interface.
D. Enable NAT traversal.
E. Create an IP pool for the remote clients.
Answers: C, E

Mode-cfg provides client configuration.

Why this answer

Option C is correct because mode-config (mode-cfg) on the Phase 1 interface is required to push network configuration parameters (such as DNS, WINS, and the virtual IP address) to remote IPsec VPN clients. This setting enables the FortiGate to act as a server in a dialup VPN scenario, dynamically assigning IP addresses and other settings to clients without requiring static configuration on each client.

Exam trap

The trap here is that candidates often assume XAuth or NAT traversal are mandatory for dialup IPsec, but the FortiGate specifically requires mode-cfg and an IP pool to dynamically assign client addresses and complete the tunnel setup.

372
MCQ, medium

A school uses FortiGate for web filtering. They want to block social media sites for students during class hours (8 AM to 3 PM) but allow access for teachers at all times. The network has a single internet connection and all users are in the same subnet. The administrator created a firewall policy for students (source IP range 192.168.1.100-200) and another for teachers (source IP range 192.168.1.10-50). The student policy has a web filter profile that blocks social media. However, teachers are also being blocked from social media during class hours. What is the most likely cause?

A. The web filter profile is applied globally.
B. The student policy is placed before the teacher policy in the policy list.
C. The teacher policy has a schedule that restricts access.
D. The student policy is placed after the teacher policy.
Answer: B

Policies are checked in order; first match applies.

Why this answer

FortiGate processes firewall policies in sequential order from top to bottom, and the first matching policy is applied. Since the student policy (source IP range 192.168.1.100-200) is placed before the teacher policy (source IP range 192.168.1.10-50), traffic from teachers whose source IP falls within the student range (e.g., 192.168.1.50) will match the student policy first, causing them to be subject to the web filter profile that blocks social media. This is the most likely cause of teachers being blocked during class hours.

Exam trap

The trap here is that candidates often assume policy order does not matter or that FortiGate evaluates policies based on best match rather than sequential order, leading them to overlook the critical placement of the student policy before the teacher policy.

How to eliminate wrong answers

Option A is wrong because a web filter profile applied globally would affect all traffic regardless of policy order, but the scenario describes separate policies for students and teachers, and the issue is specific to policy matching order, not a global setting. Option C is wrong because the question states that teachers should have access at all times, and a schedule restricting access on the teacher policy would contradict this requirement; the problem is that teachers are being blocked, not that their policy has a restrictive schedule. Option D is wrong because if the student policy were placed after the teacher policy, teachers would match their policy first and not be blocked; the issue is that the student policy is before the teacher policy, not after.

373
MCQ, hard

You run 'diagnose sys session filter dport 443' and see the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?

A. The session has been active for 1 hour and will expire in about 1 hour
B. The session is blocked by the firewall
C. The session is using UDP protocol
D. The session is in a half-open state
Answer: A

duration=3600 seconds = 1 hour, expire=3599 seconds ≈ 1 hour. This is a normal established session.

Why this answer

Option A is correct. The output shows a TCP session (proto=6) on port 443 with state 01 (established), duration 3600 seconds, and expire 3599 seconds. This indicates the session has been up for 1 hour and will expire in ~1 hour.

374
MCQ, medium

A FortiGate admin is configuring a hub-and-spoke IPsec VPN. The hub has multiple phase 2 configurations for each spoke. The spokes can communicate with the hub but not with each other. The admin wants to allow spoke-to-spoke traffic through the hub. Which configuration change is required on the hub?

A. Change the IPsec mode from policy-based to route-based
B. Modify the Phase 2 selectors on the hub to include both spoke subnets and add firewall policies allowing traffic between the spoke networks
C. Enable 'add-route' on the hub's Phase 1 settings
D. Configure a static route on each spoke pointing to the other spoke's subnet via the tunnel
Answer: B

The hub's Phase 2 selectors must match the traffic it needs to forward between spokes. Additionally, firewall policies must permit the traffic.

Why this answer

Option B is correct. For spoke-to-spoke traffic to pass through the hub, the hub must have firewall policies allowing traffic between the spoke networks, and the Phase 2 selectors on the hub must include both spoke subnets (or use 0.0.0.0/0 to allow all traffic).

375
MCQ, medium

A network administrator notices that HTTP traffic is being scanned by the antivirus profile, but HTTPS traffic to the same web server is not being scanned. The firewall policy has the antivirus profile applied and SSL inspection is set to 'certificate-inspection'. What is the most likely reason HTTPS traffic is not being scanned?

A. Certificate inspection does not decrypt the traffic, so the antivirus scanner cannot inspect the payload.
B. The antivirus profile is configured in flow mode, which does not support scanning HTTPS traffic.
C. The web server is not using a cipher supported by the FortiGate.
D. The FortiGate is using proxy-based inspection, which does not support HTTPS scanning.
Answer: A

Certificate inspection only verifies the server certificate; it does not decrypt the TLS session. Without decryption, the antivirus profile cannot scan the encrypted content.
