BGP needs the interface to form the session; often the tunnel interface must be specified as the update source.
The IPS sensor is a separate security profile that must be added to the policy to scan decrypted traffic.
What is the default administrative account on a FortiGate?
Default admin account.
Why this answer
The default administrative account on a FortiGate is 'admin'. This account is created automatically during the initial boot process and has full super-admin privileges, allowing complete access to the device's configuration and management interfaces. It is the only default account with administrative rights, and its password must be set during initial setup.
Exam trap
The trap here is that candidates may confuse the FortiGate default admin account with the default accounts of other operating systems or network devices, such as 'root' on Linux or 'master' on Cisco, leading them to select the wrong option.
How to eliminate wrong answers
Option A is wrong because 'master' is not a default account on FortiGate; it is a common default account on some other network devices like Cisco switches. Option B is wrong because 'root' is the default administrative account on Unix/Linux systems, not on FortiGate, which runs a proprietary FortiOS. Option C is wrong because 'guest' is a default read-only account on FortiGate, not an administrative account; it is intended for limited monitoring access without configuration privileges.
An administrator is troubleshooting a connectivity issue. A ping from the FortiGate to 8.8.8.8 succeeds, but traffic from internal hosts to the internet is failing. The firewall policy allows the traffic. What is the most likely cause?
If hosts point to a wrong gateway, traffic won't reach the FortiGate.
Why this answer
Since the FortiGate can ping 8.8.8.8, its default route and internet connectivity are working. The issue is that internal hosts cannot reach the internet, which points to a Layer 3 forwarding problem at the host level. The most likely cause is that the internal hosts have the wrong default gateway configured, so their traffic is not being sent to the FortiGate for routing.
Exam trap
The trap here is that candidates assume a successful ping from the FortiGate implies end-to-end connectivity, overlooking that the internal hosts' default gateway configuration is independent of the FortiGate's own routing table.
How to eliminate wrong answers
Option A is wrong because if the default route on the FortiGate were missing, the FortiGate itself would not be able to ping 8.8.8.8, but the ping succeeded. Option C is wrong because DNS resolution failure would prevent name resolution, but the question describes a connectivity issue where traffic to the internet is failing, and the ping to 8.8.8.8 uses an IP address, not a hostname, so DNS is not the bottleneck. Option D is wrong because if the FortiGate's interface to the internal network were down, the FortiGate would not be able to communicate with internal hosts at all, but the firewall policy allows the traffic and the FortiGate can still ping external IPs, indicating the internal interface is operational.
An administrator runs 'diagnose debug application fnbamd -1' on a FortiGate to troubleshoot authentication issues. The output shows that the FortiGate successfully contacts the LDAP server but the user authentication fails. What does this indicate?
Successful contact but failed authentication for the user indicates the user's credentials are wrong or the account is disabled/locked.
Why this answer
Option D is correct. The debug output shows successful communication with the LDAP server, meaning the bind user has proper privileges. The authentication failure indicates that the user's credentials are incorrect or the user does not exist in the LDAP database.
Which of the following statements about FortiGate backup is true?
Backups are encrypted and can have a password for extra security.
Why this answer
Option B is correct because FortiGate backup files contain the full device configuration, including all settings and policies, and can be encrypted with a password using the 'execute backup config' command with the 'password' option. This ensures confidentiality during storage or transfer, as the backup is stored in a binary format that requires the password for decryption during restoration.
Exam trap
The trap here is that candidates often assume backups include all runtime data like sessions and logs, or that backups are model-specific, but FortiGate explicitly separates configuration from volatile state data, and restoration is firmware-version dependent, not hardware-model dependent.
How to eliminate wrong answers
Option A is wrong because FortiGate backups do not include current sessions or logs; sessions are volatile and stored in memory, while logs are typically stored separately on local disk or external storage, and only the configuration is backed up. Option C is wrong because a backup can be restored on any FortiGate model that supports the same firmware version, not just the same hardware model, though some model-specific features may require manual adjustment. Option D is wrong because backup files are saved in a binary, encrypted format (not plain text) when a password is set, and even without a password, the file is not plain text but a proprietary format that cannot be easily read.
A network administrator wants to allow employees to access a specific web application but block all other application traffic. The administrator creates a firewall policy with an application control profile that allows the desired application. However, employees can still access other applications. What is the MOST likely reason?
Why this answer
If the application control profile is set to 'Monitor All', it will only log but not block unlisted applications. To block all except allowed, the profile should be set to 'Block All' with exceptions for allowed applications.
An administrator needs to configure a loopback interface on a FortiGate for management purposes. Which of the following is true regarding loopback interfaces?
Why this answer
Loopback interfaces are virtual interfaces that are always up and do not depend on the physical link state. They can be assigned an IP address and used as the source IP for management traffic (e.g., SNMP, syslog, NTP, or administrative access), ensuring consistent reachability even if physical interfaces fail. This makes option A correct.
Exam trap
The trap here is that candidates often assume loopback interfaces are only for routing protocols or require a physical link, but FortiGate allows them to serve as stable management endpoints independent of physical interface status.
How to eliminate wrong answers
Option B is wrong because loopback interfaces are purely virtual and do not require any physical port association; they exist independently of hardware interfaces. Option C is wrong because loopback interfaces can be used in firewall policies just like any other interface, allowing traffic to be inspected or routed to/from the FortiGate itself. Option D is wrong because loopback interfaces are available in both NAT/Route mode and transparent mode, not exclusively in transparent mode.
An admin is configuring ECMP (Equal Cost Multi-Path) on a FortiGate with two ISPs. Which TWO conditions must be met for ECMP to load balance traffic across both links? (Choose two.)
Equal priority ensures both routes are considered.
Why this answer
ECMP requires that multiple routes to the same destination have equal cost. On FortiGate, the cost is determined by administrative distance (AD) and priority (which is the route metric). Both routes must have the same AD and the same priority to be considered equal-cost and eligible for load balancing. If either value differs, one route will be preferred over the other, and ECMP will not activate.
Exam trap
The trap here is that candidates confuse 'metric' (which is the priority value on FortiGate) with 'administrative distance', or assume ECMP requires different next-hop IPs, when in fact the key condition is equal cost (same AD and same priority).
A FortiGate administrator configures SNMPv2c on the FortiGate to send traps to a monitoring server. However, no traps are received. The monitoring server can ping the FortiGate. What is the MOST likely cause?
SNMPv2c uses community strings; if they differ, the server will reject traps.
Why this answer
SNMPv2c uses community strings as a form of authentication. If the community string configured on the FortiGate does not match the one configured on the monitoring server, the server will reject the trap. Since the server can ping the FortiGate, network connectivity is fine, and the issue is most likely an authentication mismatch.
How to eliminate wrong answers
Option A is wrong because FortiGate fully supports SNMPv2c, not just v3. Option B is wrong because SNMP traps are sent from the FortiGate to the server, not initiated by the server, so a firewall policy blocking inbound SNMP from the server would not prevent outbound traps. Option D is wrong because the trap receiver list specifies where traps are sent, not which IPs are allowed to receive them; if the server's IP were missing from the list, the FortiGate would not send traps to it, but the question states the administrator configured traps to be sent to the server, so this is less likely than a community string mismatch.
A company is deploying FortiGate for outbound web filtering. They want to block users from accessing social media sites during business hours, but still allow access to cloud-based productivity tools like Office 365. Which approach should the administrator use to meet this requirement?
Application control profiles can precisely allow or block applications regardless of port/protocol, meeting the requirement exactly.
Why this answer
Application control is the correct approach because it can identify and control applications like social media and Office 365 based on their unique signatures, regardless of the ports or protocols they use. Unlike URL filtering or port blocking, application control can differentiate between Office 365 traffic and social media traffic even when both use HTTPS on TCP 443, allowing the administrator to block social media while permitting cloud productivity tools.
Exam trap
The trap here is that candidates often assume URL filtering or port blocking is sufficient, but the NSE4 exam tests the understanding that application control is required when applications share the same port (e.g., TCP 443) and need to be differentiated based on their behavior, not just their domain or port.
How to eliminate wrong answers
Option A is wrong because blocking TCP 443 would block all HTTPS traffic, including Office 365 and other legitimate web services, not just social media. Option B is wrong because URL filtering based on keywords like 'facebook' or 'twitter' is unreliable—social media sites often use dynamic URLs, CDNs, or IP addresses that do not contain those keywords, and users can bypass it via direct IP access or HTTPS encryption. Option D is wrong because DNS filtering only blocks domain resolution; users could still access social media by using direct IP addresses, cached DNS entries, or alternative DNS servers, making it an incomplete solution.
VIP translates the destination address; the policy allows the traffic after translation.
Why this answer
Option B is correct because to allow inbound SSH access from the internet to an internal server, you need a Virtual IP (VIP) that maps a public IP and port (e.g., 203.0.113.5:22) to the private IP and port (192.168.1.10:22), combined with a firewall policy from the WAN zone to the DMZ zone that permits SSH traffic. This is Destination NAT (DNAT), which translates the destination address of incoming packets so they are routed to the internal server.
Exam trap
The trap here is that candidates often confuse source NAT (SNAT) with destination NAT (DNAT), thinking that enabling NAT on the WAN interface alone is sufficient for inbound access, when in fact a VIP (DNAT) and an allow policy are required to translate and permit the traffic.
How to eliminate wrong answers
Option A is wrong because policy-based routing (PBR) controls the path packets take based on criteria like source/destination, but it does not perform address translation; it cannot map a public IP to a private IP for inbound access. Option C is wrong because source NAT (SNAT) translates the source IP of outbound traffic, which is used for internal hosts to access the internet, not for allowing inbound SSH from the internet to an internal server. Option D is wrong because simply enabling NAT on the WAN interface without a specific VIP or DNAT rule does not create a mapping for inbound traffic; it typically applies to outbound traffic (masquerading) or requires additional configuration to handle inbound connections.
The output of 'diagnose debug application ike -1' shows 'no proposal chosen' for a Phase1 negotiation. Which action should the administrator take to resolve this?
The negotiation fails because no common proposal exists; matching these parameters is required.
Why this answer
The error 'no proposal chosen' indicates that the local and remote gateways have no common Phase1 parameters (encryption, authentication, DH group, etc.). The administrator must review and match the Phase1 proposal settings.
An administrator wants to back up the FortiGate configuration to a TFTP server at 10.10.10.10. Which CLI command should be used?
Why this answer
The correct command to back up a FortiGate configuration to a TFTP server is 'execute backup config tftp <server-ip>'. This is because 'execute' is the FortiOS CLI keyword for initiating operational commands, and 'backup config tftp' specifies the action and protocol. The syntax is case-sensitive and must include the 'execute' prefix to be recognized by the FortiGate CLI.
Exam trap
The trap here is that candidates may forget the 'execute' keyword, which is mandatory for all operational commands in FortiOS, and mistakenly choose a command that looks correct but lacks it, such as 'backup config tftp'.
How to eliminate wrong answers
Option B is wrong because it omits the required 'execute' keyword; FortiOS CLI commands for operational tasks like backup must start with 'execute'. Option C is wrong because 'copy config tftp' is not a valid FortiOS command; the correct verb is 'backup', not 'copy'. Option D is wrong because 'execute save config tftp' uses 'save' instead of 'backup', and 'save config' is used for saving the running configuration to flash memory, not for exporting to a TFTP server.
What is the primary difference between route-based and policy-based IPsec VPNs on a FortiGate?
Correct: route-based has a tunnel interface; policy-based defines selectors in Phase 2.
Why this answer
Route-based VPNs create a virtual interface (e.g., 'tunnel') that is used in routing and firewall policies, while policy-based VPNs define the traffic selectors within the Phase 2 configuration itself, without a separate interface.
Sufficient IP pool is critical for scalability.
Why this answer
Option A is correct because the SSL VPN IP pool must have enough addresses to assign to all concurrent users. Without a sufficient pool, users will fail to obtain an IP address and cannot access the network. Option B is correct because firewall policies are required to permit traffic from the SSL VPN interface (e.g., ssl.root) to internal networks; without them, traffic is dropped even if the tunnel is established.
Exam trap
The trap here is that candidates often confuse optional features (like split tunneling or certificate authentication) with mandatory design requirements, overlooking the fundamental need for IP pool sizing and firewall policies to enable basic connectivity.
A FortiGate administrator needs to configure source NAT for a group of internal servers (10.0.1.100-10.0.1.110) so that each server uses a unique public IP from the range 203.0.113.20-203.0.113.30. The requirement is that each internal IP maps to a fixed external IP (one-to-one mapping) and not port overload. Which TWO settings should be configured in the IP Pool? (Choose two.)
Provides 11 IPs for 11 internal servers.
Why this answer
Option C is correct because the External IP Range must be set to 203.0.113.20-203.0.113.30 to define the pool of public IPs that will be mapped one-to-one to the internal servers. Option D is correct because Type: One-to-One ensures each internal IP is permanently mapped to a unique external IP, without port address translation (PAT), meeting the requirement of fixed one-to-one mapping.
Which web filtering feature allows an administrator to force web search engines to filter explicit content in search results, regardless of the user's browser settings?
Safe search enforces filtering at the search engine level.
Why this answer
Option A is correct. Safe search is a web filtering feature that redirects search engine queries to use safe search mode, blocking explicit content. It can be enforced through FortiGate.
A FortiGate administrator wants to ensure that all firewall policies are backed up before performing a firmware upgrade. Which backup method preserves the configuration in a format that can be restored to the same or different FortiGate model?
This backs up the full configuration in text format, which can be restored to any FortiGate.
Why this answer
Option C is correct because 'execute backup config tftp' saves the FortiGate configuration in a plain-text, human-readable format that can be restored to the same or a different FortiGate model. This command backs up only the configuration (not firmware or logs) and is model-agnostic, allowing restoration across different hardware platforms as long as the firmware version is compatible.
Exam trap
The trap here is confusing 'execute backup config tftp' with 'execute backup full-config tftp', where candidates mistakenly think a full backup is safer, not realizing it is model-specific and cannot be restored to a different FortiGate model.
How to eliminate wrong answers
Option A is wrong because 'execute backup full-config tftp' backs up the entire system image including firmware, which is model-specific and cannot be restored to a different FortiGate model. Option B is wrong because copying the configuration from the system config script only provides a read-only view of the current configuration; it does not create a backup file that can be restored via CLI or TFTP. Option D is wrong because saving the running config from the GUI Dashboard exports the configuration in a binary or proprietary format that may not be compatible with different models or CLI restoration methods.
An administrator wants to allow management access to a FortiGate from a specific subnet 10.10.10.0/24 via HTTPS. Which configuration achieves this?
Why this answer
Option D is correct because management access to a FortiGate interface is controlled via the `config system interface` context, where `set allowaccess https` enables HTTPS management on that interface, and `set trustedhosts` restricts access to the specified subnet 10.10.10.0/24. This configuration ensures only hosts from that subnet can reach the FortiGate's HTTPS management interface on the given port.
Exam trap
The trap here is that candidates often confuse the `config system admin` context (which only controls per-admin trusted hosts for authentication) with the interface-level `trustedhosts` setting, or mistakenly think global settings like `admin-sport` also control access restrictions.
How to eliminate wrong answers
Option A is wrong because `config system global` does not contain `set allowaccess` or `set trustedhosts`; the `set admin-sport` command changes the HTTPS port globally, but access control is not configured in system global. Option B is wrong because `config router policy` is used for policy-based routing, not for management access control; it does not restrict HTTPS management access to the FortiGate itself. Option C is wrong because while `config system admin` allows setting `trustedhost` per administrator, the `set allowaccess https` command is invalid in that context; `allowaccess` is an interface-level parameter, not an admin-level parameter.
Which SSL/TLS inspection mode only validates the server certificate without decrypting the traffic?
Certificate inspection validates the certificate without decryption.
Why this answer
Certificate inspection checks the certificate chain but does not decrypt the content.
An administrator runs 'diagnose sys session list' and sees a session with 'expire=0'. What does this indicate?
expire=0 indicates the session lifetime has ended and it will be cleaned up.
Why this answer
expire=0 means the session TTL has reached zero and the session is eligible for removal in the next cleanup cycle.
An organization has multiple remote sites connected via IPsec VPN. The administrator needs to ensure that traffic from the internal network (10.0.0.0/8) to the VPN destination (10.10.0.0/16) uses a specific interface (port2) instead of the default route. Which feature should be configured?
PBR allows forwarding traffic based on policy criteria, overriding the routing table.
Why this answer
Policy-based routing (PBR) allows you to override the default routing table by matching traffic based on source/destination addresses and directing it to a specific egress interface (port2). This is the correct feature because the requirement is to force traffic from 10.0.0.0/8 to 10.10.0.0/16 out port2, bypassing the default route.
Exam trap
The trap here is confusing policy-based routing with static route manipulation; candidates often think a static route with a higher distance can override the default route, but distance only affects route preference, not the ability to force traffic out a specific interface when a default route with lower distance exists.
How to eliminate wrong answers
Option A is wrong because Central NAT is used for centralized NAT policy management in SD-WAN or hub-and-spoke topologies, not for overriding routing decisions. Option B is wrong because a static route with a higher distance (administrative distance) would only be used as a backup if the primary route fails; it cannot force traffic out a specific interface when a lower-distance default route exists. Option D is wrong because traffic shaping controls bandwidth allocation and QoS, not the path or interface selection for traffic.
An administrator is troubleshooting a loss of connectivity between two sites connected via a VPN tunnel. The FortiGate logs show 'Tunnel: phase 1 negotiation failed'. Which two parameters MUST match on both peers for phase 1 to succeed? (Select two. Not all options are used.)
The PSK must match on both ends.
Why this answer
The pre-shared key (PSK) is a mandatory authentication method for IKE phase 1. Both peers must use an identical PSK string; a mismatch causes the 'phase 1 negotiation failed' error because the IKE SA cannot be authenticated. FortiGate logs this failure when the calculated hash of the PSK does not match between the two endpoints.
Exam trap
The trap here is that candidates often confuse phase 1 and phase 2 parameters, incorrectly selecting the IPsec proposal (which is a phase 2 parameter) instead of the IKE version, which is a critical phase 1 matching requirement.
How to eliminate wrong answers
Option A is wrong because the IPsec proposal (encryption and authentication) is negotiated during phase 2, not phase 1; phase 1 uses its own set of proposals (e.g., encryption, hash, DH group) which are not listed here. Option D is wrong because the Local ID is optional and used for identification purposes (e.g., when using certificates or aggressive mode), but it is not a mandatory parameter that must match for phase 1 success; mismatched Local IDs can still allow phase 1 if the PSK and other core parameters match. Option E is wrong because local and remote IP addresses are the endpoints of the tunnel and must be correctly configured, but they are not 'parameters that must match on both peers' — each peer has its own local and remote IP, and they are complementary, not identical.
You run 'diagnose sys session filter dport 443' and see the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate?
expire=3599 shows remaining session lifetime.
Why this answer
The 'expire=3599' field indicates the session will be removed from the session table in 3599 seconds. The 'duration=3600' shows the session has been active for 3600 seconds, so the total session lifetime is 7200 seconds (3600 + 3599). This is a normal TCP session (proto=6) in state 01 (SYN_SENT), not an error or idle condition.
Exam trap
The trap here is confusing 'duration' (time since session started) with 'expire' (time until session ends), leading candidates to incorrectly interpret the 3600 value as idle time or a port number.
How to eliminate wrong answers
Option A is wrong because 'proto_state=01' indicates a normal TCP SYN_SENT state, not an error state; error states would show different values like 11 (TIME_WAIT) or 0 (CLOSE). Option B is wrong because 'duration=3600' shows the session has been active for 3600 seconds, not idle; idle time is tracked separately via 'idle' field, which is not present here. Option C is wrong because 'dport=443' is the destination port, and 'duration=3600' is the session age in seconds, not a port number.
An administrator needs to store logs for compliance purposes and wants them to be retained even if the FortiGate is reset. Which log storage option should they use?
FortiAnalyzer is dedicated log storage that can be configured for long-term retention and is independent of FortiGate resets.
Why this answer
Option C is correct. FortiAnalyzer provides centralized log storage that is separate from the FortiGate, ensuring logs are retained even if the FortiGate is reset.
A FortiGate cluster in active-passive HA is configured with two heartbeat interfaces. The primary unit fails completely. The secondary unit detects the failure and becomes primary. After the original primary recovers, it remains in passive mode. What is the most likely reason for this behavior?
With override disabled, the recovered unit does not preempt the current primary.
Why this answer
When override is disabled (the default), the recovered unit will not preempt the current primary. The cluster stays with the current primary until it fails. This is the expected behavior for graceful recovery.
Which security profile type is used to prevent sensitive data such as credit card numbers from being sent out of the network via email or web traffic?
DLP profiles specifically prevent data leakage.
Why this answer
Option D is correct. Data Leak Prevention (DLP) profiles are designed to detect and block transmission of sensitive data based on patterns or predefined data types.
An active-passive HA cluster is experiencing frequent failovers. Which TWO factors could cause unnecessary failovers? (Choose two.)
Data interfaces may have fluctuating link status, triggering failover.
Why this answer
Incorrect heartbeat interface configuration (e.g., using a busy data port) can cause false positives. A mismatched HA password prevents proper communication, but may not cause failover; mismatched priority affects role selection, not failover frequency. Unstable heartbeat links cause failover.
Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?
Deep inspection requires proxy-based inspection mode.
Why this answer
Option A is correct because the policy is missing the 'set inspection-mode proxy' command. FortiGate requires proxy-based inspection mode to perform SSL/TLS interception; flow-based inspection cannot decrypt or re-encrypt HTTPS traffic. Without this command, the policy defaults to flow-based mode, causing SSL inspection to fail even if the ssl-ssh-profile is set to deep-inspection.
How to eliminate wrong answers
Option B is wrong because the ssl-ssh-profile set to 'deep-inspection' is actually correct for SSL inspection; the issue is the inspection mode, not the profile. Option C is wrong because the source interface is 'wan1' and the traffic is coming from 'internal' — this mismatch would cause the policy not to match at all, not just SSL inspection to fail. Option D is wrong because the policy has 'set action deny' which would block all traffic, not specifically cause SSL inspection to fail; the exhibit shows the policy is matching traffic, so action must be accept.
A FortiGate administrator is troubleshooting why antivirus scanning is not working for HTTPS traffic. Which TWO steps should be verified?
Without deep inspection, HTTPS traffic is encrypted and antivirus cannot see the payload.
Why this answer
Policy 1 (ID 1) matches first because FortiGate evaluates firewall policies in sequential order from top to bottom (lowest ID to highest ID) until a match is found. The source IP 192.168.1.10 falls within the 'any' source of Policy 1, and the destination 10.0.0.5 is within 10.0.0.0/8, with HTTP (port 80) matching the service. Since Policy 1 matches, it is applied and the traffic is accepted, even though Policy 2 would also match if reached.
Exam trap
The trap here is that candidates assume a more specific source (192.168.1.0/24) will override a broader source (any) due to specificity, but FortiGate uses sequential order, not longest-prefix matching, for policy selection.
How to eliminate wrong answers
Option B is wrong because FortiGate stops at the first matching policy; it does not evaluate or combine multiple policies for the same traffic. Option C is wrong because Policy 2 has a higher ID (2) than Policy 1 (1), so it is evaluated after Policy 1, which already matches and accepts the traffic. Option D is wrong because Policy 1 explicitly matches the traffic, so the implicit default deny is never reached.
A network administrator notices that traffic from the internal network (10.0.1.0/24) to the internet is not being matched by the intended firewall policy (ID 10). The policy uses source address 'internal_subnet' (10.0.1.0/24) and destination address 'all'. There is another policy (ID 5) with source 'all' and destination 'all' that also matches this traffic. What is the most likely reason policy 10 is not being matched?
Policy order determines matching; first match is used.
Why this answer
FortiGate matches firewall policies from top to bottom. Policy 5 is higher in the policy list order than policy 10, so traffic matches policy 5 first and never reaches policy 10.
Match each FortiGate NAT type to its description.
Translates private source IP to public IP for outbound traffic
Translates public destination IP to private IP for inbound traffic
Assigns a range of ports to a private IP for NAT
Translates IPv6 traffic to IPv4 and vice versa
Translates IPv4 traffic to IPv6
Why these pairings
NAT methods used in FortiGate for address translation.
An administrator configures an IPsec VPN with IKEv1 main mode. The remote peer reports that Phase 1 fails with a 'no proposal chosen' error. The local Phase 1 settings include: encryption AES128, authentication SHA1, DH group 2, lifetime 86400. Which remote peer setting is MOST likely causing the mismatch?
AES128 vs AES256 is a common mismatch. Both are valid but different.
Why this answer
Main mode requires both sides to have matching parameters. A mismatch in any parameter causes a 'no proposal chosen' error. The remote peer likely has AES256 instead of AES128.
A FortiGate administrator wants to block all traffic to websites that are categorized as 'Malware' and 'Phishing'. Which security profile should be configured to achieve this goal?
Web filtering can block categories such as Malware and Phishing.
Why this answer
Option A is correct. Web filtering profiles use FortiGuard categories to block access to malicious websites like malware and phishing sites.
A FortiGate administrator wants to configure ZTNA to secure access to an internal application. Which of the following components is essential for ZTNA to function?
FortiClient EMS provides endpoint compliance and identity information required for ZTNA.
Why this answer
ZTNA requires FortiGate to verify the user's identity and device posture. The FortiClient EMS provides device posture information and client certificates, which are essential for ZTNA access control.
What is the purpose of the DNS filter security profile on a FortiGate?
DNS filter uses FortiGuard DNS categories and custom domain lists to block malicious DNS queries.
Why this answer
DNS filter inspects DNS queries to block access to malicious or unwanted domains.
A FortiGate admin has configured a firewall policy allowing traffic from the internal network (10.0.1.0/24) to the internet (any). Users report that they cannot access a specific website (203.0.113.5). The admin runs 'diagnose firewall fqdn list' and sees that the FQDN object used in a policy above the allow policy resolves to an IP that includes 203.0.113.5. What is the MOST likely cause?
Policy lookup matches the first policy where source/destination conditions are met. Since the FQDN object resolved to the destination IP, a higher-priority policy matches and the intended allow policy is never evaluated.
Why this answer
Firewall policies are matched from top to bottom. If a higher-priority policy (with a lower policy ID) matches the traffic and denies or applies different NAT, it will be processed before the intended allow policy. In this case, an FQDN-based policy above the allow policy matches the destination IP, causing the traffic to be handled by that policy instead.
This enables flow debugging for HTTPS traffic, showing the inspection stages.
Which FortiGate security profile is BEST suited for blocking DNS queries to known malicious domains?
DNS filter specifically handles DNS query filtering.
Why this answer
Option D is correct. DNS Filter profile can block DNS queries based on FortiGuard categories or custom domain lists, preventing users from resolving malicious domains.
A FortiGate HA cluster is running in active-passive mode with two units. The administrator notices that the primary unit fails over to the secondary unit every few minutes, causing service disruption. The heartbeat interfaces are configured on port1 and port2. What is the MOST likely cause of the frequent failovers?
Unreliable heartbeat links (high packet loss/jitter) cause false failure detection, leading to frequent failovers.
Why this answer
High packet loss or jitter on the heartbeat link can cause the secondary unit to believe the primary is down, triggering unnecessary failovers. Heartbeat interfaces must be reliable.
An administrator configures two FortiGate units in an active-passive HA cluster. After a failover, some existing TCP sessions are dropped. What is the most likely reason for this behavior?
Session synchronization must be enabled to maintain TCP sessions across failover.
Why this answer
In an active-passive HA cluster, session synchronization must be explicitly enabled to replicate TCP session state from the primary unit to the backup unit. Without session sync, the backup unit has no knowledge of existing TCP sessions after a failover, causing those sessions to be dropped because the new primary cannot match incoming packets to any session table entry.
Exam trap
The trap here is that candidates often assume HA automatically synchronizes all state information, but FortiGate requires explicit configuration of session synchronization (via 'set session-pickup enable' in the HA settings) to preserve existing TCP sessions after a failover.
How to eliminate wrong answers
Option B is wrong because failover time affects the duration of traffic interruption but does not cause session drops if sessions are synchronized; even a fast failover will drop unsynchronized sessions. Option C is wrong because running different firmware versions is not supported in an HA cluster and would prevent the cluster from forming or operating correctly, but the question states the cluster is configured and failover occurs, so firmware mismatch is not the cause of session drops. Option D is wrong because using a virtual MAC address actually helps maintain session continuity by ensuring the same MAC address is used after failover, preventing ARP cache issues; it does not cause session drops.
An admin configures an aggregate interface on a FortiGate using two physical ports. After configuration, the admin notices that traffic is not load-balancing evenly. What is the MOST likely cause?
The default hash algorithm (e.g., source-dest-ip) can cause uneven distribution if many sessions share the same source-dest pair.
Why this answer
The default load-balancing algorithm for an aggregate interface (LAG) on FortiGate is based on the source and destination MAC addresses. This algorithm often results in uneven traffic distribution, especially when traffic flows are limited to a small number of MAC pairs. To achieve more even load balancing, the algorithm should be changed to one that considers IP addresses or Layer 4 ports, such as 'src-dst-ip' or 'src-dst-ip-port'.
Exam trap
The trap here is that candidates often assume uneven load balancing is caused by a hardware issue or physical misconfiguration, when in fact the default MAC-based hash algorithm is the root cause in most scenarios.
How to eliminate wrong answers
Option A is wrong because active-passive mode does not cause uneven load balancing; it intentionally uses only one active link, so traffic is not load-balanced at all, but the question states that traffic is load-balancing (just not evenly). Option C is wrong because connecting physical ports to different switches is a valid configuration for an aggregate interface (cross-switch LAG) and does not inherently cause uneven load balancing; it may affect failover behavior but not the distribution algorithm. Option D is wrong because an MTU mismatch on the physical ports would cause packet fragmentation or drops, not uneven load balancing; the aggregate interface would likely fail to pass traffic correctly rather than distribute it unevenly.
An administrator is setting up SNMP monitoring on a FortiGate. Which two configurations are necessary for a basic SNMP setup? (Choose two.)
A community is required for authentication (v2c) and to define access.
Why this answer
Option B is correct because an SNMP community with read-only access defines the basic authentication and access control for SNMPv1/v2c queries, which is essential for monitoring. Option C is correct because the SNMP agent must be enabled on the FortiGate to process SNMP requests from the monitoring server.
Exam trap
The trap here is that candidates often mistake optional features like trap destinations or SNMPv3 authentication for mandatory requirements of basic monitoring, when only the agent enablement and a community string are required.
An administrator configures a VLAN interface on a FortiGate trunk port. The VLAN is allowed on the trunk, but the FortiGate cannot ping the default gateway of that VLAN. Which two items must be verified? (Choose two.)
The IP must match the VLAN's subnet for communication.
Why this answer
Option A is correct because the VLAN interface must have an IP address in the correct subnet to communicate with the default gateway. Without a matching subnet, the FortiGate cannot route ICMP packets to the gateway, even if the VLAN is allowed on the trunk.
IPS profile must be applied to the policy to inspect decrypted traffic.
An administrator plans to upgrade FortiGate firmware from version 6.0 to 7.2. The current version is 6.0.10. Which upgrade path is correct?
This is the correct sequential upgrade path.
Why this answer
FortiGate firmware upgrades must follow a supported path that does not skip major versions. Upgrading from 6.0.10 to 7.2.0 requires stepping through 6.2, 6.4, and 7.0 because Fortinet only supports upgrades from one major version to the next major version (e.g., 6.0→6.2→6.4→7.0→7.2). Option D correctly lists this sequential path.
Exam trap
The trap here is that candidates assume a direct upgrade is possible because both versions are relatively recent, but Fortinet strictly enforces sequential major version upgrades to prevent configuration and system incompatibilities.
How to eliminate wrong answers
Option A is wrong because upgrading directly from 6.0 to 6.4 skips version 6.2, which is not supported by Fortinet's upgrade path requirements. Option B is wrong because upgrading from 6.0 to 7.2 is possible, but only by following the correct multi-step path through intermediate versions. Option C is wrong because a direct upgrade from 6.0.10 to 7.2.0 is not supported; Fortinet requires upgrading through each major version in sequence.
An organization is implementing two-factor authentication for SSL VPN access using FortiToken. Which THREE components are necessary for this setup?
The policy triggers the authentication process.
Why this answer
FortiToken two-factor requires the FortiToken itself, a user group with two-factor authentication enabled, and a firewall policy that references that user group and requires authentication.
A FortiGate administrator needs to capture packets on the DMZ interface to troubleshoot a connectivity issue. Which CLI command should be used to start a packet capture?
This is the correct command to capture packets on an interface.
Why this answer
The command 'diagnose sniffer packet' is used for packet capture on FortiGate interfaces.
Which address object type can be used to match traffic based on the source country?
Geography objects use country codes to match IP addresses from that country.
Why this answer
Geography address objects allow matching based on country (or region) using the IP geolocation database. This is useful for geo-blocking.
A network administrator notices that some users can access blocked web categories despite a web filter profile applied to the policy. The admin runs 'diagnose debug rating' and sees 'rating not allow' for the category. What is the MOST likely cause?
An override allows users to bypass the web filter rating. Even if the rating is 'block', the override permits access.
Why this answer
Option B is correct because the override feature can be used to grant users temporary access to blocked categories, bypassing the web filter rating.
An administrator is configuring traffic shaping on a firewall policy to limit bandwidth for YouTube. Which THREE components are required?
The shaper specifies max bandwidth, priority, etc.
Why this answer
Traffic shaping requires a shaping policy (or shaping rule) that matches the traffic, a traffic shaper that defines bandwidth limits, and optionally a per-IP shaper for per-user limiting.
Match each FortiGate security profile component to its purpose.
Scans files for malware
Controls access to URLs and web categories
Identifies and allows/denies application traffic
Detects and blocks network attacks
Decrypts encrypted traffic for inspection
Why these pairings
These profiles are applied to firewall policies for UTM inspection.
What is the purpose of a schedule object in a firewall policy?
Correct.
Why this answer
Schedule objects define time ranges during which the policy is active. This allows time-based access control.
A FortiGate is configured with an aggregate interface (link aggregation group) consisting of two physical ports. The administrator notices that traffic is not being distributed evenly across the two links. Which configuration setting should be verified to improve load balancing?
The algorithm determines how traffic is hashed to links; changing it can improve distribution.
Why this answer
The aggregate interface uses a load-balancing algorithm to distribute traffic across member links. If traffic is uneven, the algorithm (e.g., source-destination IP, source-destination MAC, or layer 4 port) may not match the traffic pattern, causing hash polarization. Verifying and adjusting this algorithm is the correct step to improve distribution.
Exam trap
The trap here is confusing LACP negotiation settings (active/passive) with the actual traffic distribution mechanism, leading candidates to incorrectly select option A instead of recognizing that the load-balancing algorithm directly controls link utilization.
How to eliminate wrong answers
Option A is wrong because LACP mode (active vs passive) controls link negotiation and aggregation establishment, not traffic distribution across already-aggregated links. Option B is wrong because increasing MTU affects maximum packet size but has no impact on how traffic is hashed or distributed among aggregate members. Option D is wrong because VDOM membership ensures logical separation but does not influence the load-balancing algorithm or per-packet distribution across physical ports in an aggregate.
A company policy requires that all web searches by employees use safe search. Which setting should be configured in the web filtering profile?
This setting forces safe search for the listed search engines.
Why this answer
Option C is correct because the 'Enforce Safe Search' setting in a FortiGate web filtering profile forces Google, Bing, and Yahoo to use their built-in safe search parameters (e.g., &safe=active for Google). This ensures that all web searches from the network comply with the company policy by appending the required query strings to search URLs, blocking explicit content at the search engine level.
Exam trap
The trap here is that candidates often confuse 'Enforce Safe Search' with URL filtering or category blocking, assuming that blocking or warning on categories like 'Search Engines' would achieve the same result, but safe search enforcement is a specific feature that modifies search queries rather than blocking access.
How to eliminate wrong answers
Option A is wrong because 'Restrict YouTube Access' only controls YouTube content (e.g., enforcing strict or moderate mode), not general web search safe search. Option B is wrong because creating a URL filter to block URLs containing 'safe search' would block access to safe search configuration pages, not enforce safe search on search engines. Option D is wrong because setting the 'Action' for FortiGuard categories to 'Warning' only displays a warning page for categorized sites; it does not modify search engine behavior to enforce safe search.
Address groups combine multiple address objects (subnets, IP ranges, FQDNs) into one object, which can be used as source or destination in a policy.
Why this answer
An address group is the correct object type to group multiple internal subnets into a single source in a firewall policy. In FortiGate, address groups allow you to combine multiple IP addresses or subnets (IPv4 or IPv6) into a logical group, which can then be referenced as the source in a single firewall policy. This simplifies administration by reducing the number of policies needed to allow outbound DNS traffic from multiple subnets.
Exam trap
The trap here is that candidates often confuse address groups with service groups, mistakenly thinking that grouping subnets is done via service objects, but service groups only define protocols and ports, not IP addresses.
How to eliminate wrong answers
Option A is wrong because a VIP group is used to group multiple virtual IP (VIP) objects for destination NAT (port forwarding) or load balancing, not for grouping source subnets. Option B is wrong because a schedule group is used to group time-based schedules (e.g., daily, weekly) to control when a policy is active, not to define source addresses. Option D is wrong because a service group is used to group multiple service definitions (e.g., DNS, HTTP, HTTPS) by protocol/port, not to group source IP subnets.
An administrator needs to ensure that all traffic from the internal network to the internet goes through a web proxy for content filtering. Which configuration is required on the FortiGate?
Why this answer
Option C is correct because to enforce web proxy-based content filtering for all internal-to-internet traffic, the FortiGate must be configured with an explicit web proxy (which listens on a specific IP and port, typically 8080) and a corresponding proxy policy that defines the traffic matching criteria and action. This setup ensures that client browsers are configured to send requests to the proxy, and the proxy policy applies content filtering rules.
Exam trap
The trap here is that candidates often confuse enabling the web proxy feature in a firewall policy (transparent proxy) with the explicit proxy configuration that requires a separate proxy policy, leading them to select option B.
How to eliminate wrong answers
Option A is wrong because simply enabling the proxy feature and setting the web proxy port to 80 does not create a functional proxy policy; without a proxy policy, no traffic is actually processed through the proxy for content filtering. Option B is wrong because enabling web proxy in a firewall policy with action set to accept does not redirect traffic through the proxy; it only allows the traffic to pass without proxy inspection. Option D is wrong because a transparent proxy uses an SSL inspection profile to intercept traffic transparently, but it does not require an explicit proxy configuration or a proxy policy; instead, it relies on firewall policies with web proxy enabled, which is not the same as the explicit proxy approach needed for the described requirement.
An administrator is reviewing log files on a FortiGate and needs to identify events related to a specific user authentication failure. The FortiGate has local disk logging enabled. Which command would the administrator use to search the logs for this event?
This command sets filters for log display; used with 'execute log display' to search logs.
Why this answer
Option D is correct. The 'execute log filter' command allows filtering logs by various criteria (user, type, etc.) before displaying them with 'execute log display'.
An administrator wants to block all peer-to-peer (P2P) file sharing applications such as BitTorrent and eMule on the network. Which THREE steps should the administrator take?
Why this answer
Blocking P2P requires application control with the P2P category blocked, deep inspection to detect encrypted P2P traffic, and applying the profile to the firewall policy. Web filter only blocks URLs, not the application traffic itself. Antivirus does not block protocols.
The bridge must be configured to forward VLAN-tagged traffic.
Why this answer
In transparent mode, the FortiGate acts as a Layer 2 bridge, so VLAN tags must be preserved and forwarded across the bridge. Enabling VLAN forwarding on the bridge (option A) allows the FortiGate to pass 802.1Q-tagged frames between VLANs, which is essential for inter-VLAN HTTP traffic. Without this, the bridge will drop VLAN-tagged frames, blocking the traffic even if a firewall policy exists.
Exam trap
The trap here is that candidates often assume transparent mode requires IP addresses on interfaces (like NAT/route mode) or that static routes are needed for inter-VLAN traffic, but the key is understanding that transparent mode is Layer 2 and requires VLAN forwarding and a management IP for policy enforcement.
An administrator needs to back up the full configuration of a FortiGate, including all system settings, policies, and objects. Which CLI command should be used?
This backs up the configuration to a TFTP server.
Why this answer
The correct command is 'execute backup config tftp <filename> <server>' because it explicitly triggers a full configuration backup (including system settings, policies, and objects) to a TFTP server. This is the standard FortiGate CLI command for exporting the entire running configuration to an external TFTP server, ensuring all configuration elements are captured.
Exam trap
The trap here is confusing the 'backup' and 'restore' commands (options B and D) or mistaking a display-only command like 'show full-configuration' for an actual backup operation.
How to eliminate wrong answers
Option A is wrong because 'diagnose debug config-error-log read' is a diagnostic command used to view configuration error logs, not to perform a backup. Option C is wrong because 'show full-configuration' displays the entire configuration on the console but does not save or transfer it to a backup file or server. Option D is wrong because 'execute restore config tftp <filename> <server>' is used to restore a configuration from a TFTP server, not to back it up.
You run the following command on a FortiGate: 'diagnose sys session filter dport 443' and see the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this output indicate?
proto_state=01 for TCP indicates SYN_SENT. The handshake is incomplete.
Why this answer
The output shows `proto=6`, which indicates TCP, and `proto_state=01`, which corresponds to the TCP state SYN_SENT (0x01). This means the session has sent a SYN but has not yet received a SYN-ACK, so the three-way handshake is incomplete. The `duration=3600` and `expire=3599` indicate the session has been tracked for 3600 seconds and will expire in 3599 seconds, but the state confirms it is not yet established.
Exam trap
The trap here is that candidates see `duration=3600` and `expire=3599` and assume the session is established and about to expire, but the `proto_state=01` (SYN_SENT) clearly indicates the handshake is incomplete, not that the session is active or being torn down.
How to eliminate wrong answers
Option B is wrong because `proto=6` indicates TCP, not UDP (UDP is protocol 17). Option C is wrong because the session is in SYN_SENT state (0x01), not being torn down; a teardown would show states like FIN_WAIT or TIME_WAIT. Option D is wrong because a fully established TCP session would show `proto_state=02` (ESTABLISHED), not `01` (SYN_SENT).
This shows the policy list and order; useful to verify if the allow policy is before any deny.
Why this answer
Option A is correct because 'diagnose firewall iprope list' displays the kernel's internal firewall rule chains, allowing the admin to verify whether the policy lookup is matching the expected rule for TCP/443 traffic. This command helps confirm that the policy is installed and active in the kernel, which is essential for troubleshooting policy-based access issues.
Exam trap
The trap here is that candidates often choose 'diagnose sys session filter dport 443' thinking it directly shows sessions, but they forget that it only sets a filter and requires an additional command to display results, making it incomplete for immediate diagnosis.
An administrator configures a FortiGate HA cluster in active-active mode. After enabling session synchronization, they notice that new sessions are not being synced to the secondary unit. The cluster is using a dedicated heartbeat interface. What could be the reason?
For active-active HA, session sync must be enabled per-policy; otherwise sessions are not synced.
Why this answer
In active-active HA, session synchronization requires that the session sync flag is enabled on the firewall policy. Without it, sessions are not synced.
Drag and drop the steps to capture traffic on a FortiGate interface using the CLI into the correct order.
Why this order
The sniffer command syntax is 'diagnose sniffer packet <interface> <filter> <verbose> <count>'.
A FortiGate administrator needs to allow remote management from the internet only from a specific IP address. Which configuration achieves this?
Local-in policies control traffic destined to the FortiGate itself, allowing source IP restriction.
Why this answer
A local-in policy is the correct method to restrict remote management access to a FortiGate from the internet because it operates at the control plane level, filtering traffic destined to the FortiGate itself before it reaches the management daemons. By specifying a source IP address in a local-in policy, you can explicitly allow HTTPS or SSH management only from that trusted host, while implicitly denying all other sources. This is more secure than relying on firewall policies, which apply to traffic passing through the FortiGate, not to traffic destined to the FortiGate's own IP addresses.
Exam trap
The trap here is that candidates often confuse firewall policies (which control traffic passing through the FortiGate) with local-in policies (which control traffic destined to the FortiGate), leading them to incorrectly select option D, thinking a standard firewall policy can restrict management access from the internet.
How to eliminate wrong answers
Option B is wrong because changing the admin port to a non-standard port is a form of security through obscurity and does not restrict access to a specific IP address; it only changes the port number, which can still be scanned and accessed from any source. Option C is wrong because enabling HTTPS and restricting admin access via admin host (the 'admin host' setting) is a legacy method that only works for GUI access and does not apply to SSH or other management protocols; it also does not provide the granularity of a local-in policy. Option D is wrong because a firewall policy with source address restriction applies to traffic transiting through the FortiGate (forwarding plane), not to traffic destined to the FortiGate itself (control plane); management traffic is handled by the control plane and must be filtered using local-in policies or the 'trusted host' feature.
A network administrator is troubleshooting a FortiGate HA cluster that is not failing over as expected. The cluster consists of two units in active-passive mode. The administrator issues the command 'diagnose sys ha status' and sees that both units have the same priority. What is the most likely cause of the failover issue?
With override disabled, a secondary unit with lower priority cannot preempt the primary after a failback. The primary must fail completely for a failover to occur.
Why this answer
In active-passive HA, the unit with the higher priority (lower number) becomes primary. If priorities are equal, the primary is determined by serial number. Equal priorities do not prevent failover; the issue is likely that the override setting is disabled, so a lower-priority unit cannot take over even if the primary fails unless override is enabled.
An administrator wants to configure SNMPv3 on a FortiGate for secure monitoring. Which configuration is required?
Why this answer
SNMPv3 requires a user-based security model (USM) with authentication (e.g., SHA) and privacy (e.g., AES) protocols to provide integrity, authentication, and encryption. Without these, SNMPv3 cannot secure monitoring traffic, making option A the mandatory configuration.
Exam trap
The trap here is that candidates often think enabling SNMP on a specific interface or using ACLs is the primary security requirement, but SNMPv3's security is entirely user-based and requires explicit authentication and privacy protocols.
How to eliminate wrong answers
Option B is wrong because the SNMP agent can be enabled on any interface, not only WAN, and the interface selection does not enforce security; SNMPv3 security is user-based, not interface-based. Option C is wrong because while access control lists can restrict SNMP access, they are not required for SNMPv3; the core requirement is the user with authentication and privacy. Option D is wrong because setting the community string to 'public' and enabling SNMPv1/v2c bypasses SNMPv3's security entirely, leaving monitoring unencrypted and unauthenticated.
Mode-cfg provides client configuration.
Why this answer
Option C is correct because mode-config (mode-cfg) on the Phase 1 interface is required to push network configuration parameters (such as DNS, WINS, and the virtual IP address) to remote IPsec VPN clients. This setting enables the FortiGate to act as a server in a dialup VPN scenario, dynamically assigning IP addresses and other settings to clients without requiring static configuration on each client.
A school uses FortiGate for web filtering. They want to block social media sites for students during class hours (8 AM to 3 PM) but allow access for teachers at all times. The network has a single internet connection and all users are in the same subnet. The administrator created a firewall policy for students (source IP range 192.168.1.100-200) and another for teachers (source IP range 192.168.1.10-50). The student policy has a web filter profile that blocks social media. However, teachers are also being blocked from social media during class hours. What is the most likely cause?
Policies are checked in order; first match applies.
Why this answer
FortiGate processes firewall policies in sequential order from top to bottom, and the first matching policy is applied. Since the student policy (source IP range 192.168.1.100-200) is placed before the teacher policy (source IP range 192.168.1.10-50), traffic from teachers whose source IP falls within the student range (e.g., 192.168.1.50) will match the student policy first, causing them to be subject to the web filter profile that blocks social media. This is the most likely cause of teachers being blocked during class hours.
Exam trap
The trap here is that candidates often assume policy order does not matter or that FortiGate evaluates policies based on best match rather than sequential order, leading them to overlook the critical placement of the student policy before the teacher policy.
How to eliminate wrong answers
Option A is wrong because a web filter profile applied globally would affect all traffic regardless of policy order, but the scenario describes separate policies for students and teachers, and the issue is specific to policy matching order, not a global setting. Option C is wrong because the question states that teachers should have access at all times, and a schedule restricting access on the teacher policy would contradict this requirement; the problem is that teachers are being blocked, not that their policy has a restrictive schedule. Option D is wrong because if the student policy were placed after the teacher policy, teachers would match their policy first and not be blocked; the issue is that the student policy is before the teacher policy, not after.
You run 'diagnose sys session filter dport 443' and see the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?
duration=3600 seconds = 1 hour, expire=3599 seconds ≈ 1 hour. This is a normal established session.
Why this answer
Option D is correct. The output shows a TCP session (proto=6) on port 443 with state 01 (established), duration 3600 seconds, and expire 3599 seconds. This indicates the session has been up for 1 hour and will expire in ~1 hour.
A FortiGate admin is configuring a hub-and-spoke IPsec VPN. The hub has multiple phase 2 configurations for each spoke. The spokes can communicate with the hub but not with each other. The admin wants to allow spoke-to-spoke traffic through the hub. Which configuration change is required on the hub?
The hub's Phase 2 selectors must match the traffic it needs to forward between spokes. Additionally, firewall policies must permit the traffic.
Why this answer
Option C is correct. For spoke-to-spoke traffic to pass through the hub, the hub must have firewall policies allowing traffic between the spoke networks, and the Phase 2 selectors on the hub must include both spoke subnets (or use 0.0.0.0/0 to allow all traffic).
A network administrator notices that HTTP traffic is being scanned by the antivirus profile, but HTTPS traffic to the same web server is not being scanned. The firewall policy has the antivirus profile applied and SSL inspection is set to 'certificate-inspection'. What is the most likely reason HTTPS traffic is not being scanned?
Certificate inspection only verifies the server certificate; it does not decrypt the TLS session. Without decryption, the antivirus profile cannot scan the encrypted content.