Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 376–450

1000 questions total · 14 pages · All types, answers revealed


Page 6 of 14

376
MCQ · medium

A company has two FortiGate units in an active-active HA cluster. They want to ensure that sessions initiated from the internet through a virtual IP are synchronized to the peer unit in case of failover. Which HA setting is required?

A. Enable 'set ha-mgmt-status enable' on the WAN interface
B. Set 'set schedule' to 'round-robin' for the VIP
C. Configure the same virtual IP on both units
D. Enable 'session-pickup' under config system ha
Answer: D

Session pickup enables synchronization of all sessions, including those from VIPs, to the standby unit. Without it, sessions are not synced.

Why this answer

In active-active HA, session synchronization is enabled by default for TCP sessions, but for UDP and other protocols, session sync needs to be explicitly enabled. However, the question is about ensuring sessions are synchronized. The key setting is 'session-pickup' which enables session synchronization for all protocols.

Also, for active-active, 'session-pickup-connectionless' should be enabled for UDP and ICMP. But the most direct answer is to enable session-pickup globally.

377
MCQ · medium

A FortiGate administrator needs to upgrade the firmware from 7.0.5 to 7.2.0. The current firmware is 7.0.5. What is the recommended upgrade path?

A. Upgrade to 7.0.6 first, then to 7.2.0
B. Upgrade to 7.2.0 directly after downgrading to 7.0.0
C. Upgrade to 7.4.0 first, then downgrade to 7.2.0
D. Upgrade directly from 7.0.5 to 7.2.0
Answer: A

First upgrade to the latest 7.0.x, then to 7.2.0.

Why this answer

Fortinet firmware upgrades must follow a supported upgrade path to avoid configuration incompatibility or system instability. The recommended path from 7.0.5 to 7.2.0 is to first upgrade to the latest 7.0.x release (7.0.6) and then to 7.2.0, as direct jumps across major versions (e.g., 7.0.x to 7.2.0) are not supported and may cause upgrade failures or data loss.

Exam trap

The trap here is that candidates assume any direct upgrade between consecutive major versions is allowed, but Fortinet enforces a strict path that requires upgrading to the latest patch of the current major branch first.

How to eliminate wrong answers

Option B is wrong because downgrading to 7.0.0 before upgrading to 7.2.0 is unnecessary and introduces risk; the correct path is to upgrade within the 7.0.x branch first. Option C is wrong because upgrading to 7.4.0 (a later major version) and then downgrading to 7.2.0 is not a supported upgrade path and may cause configuration corruption or boot issues. Option D is wrong because directly upgrading from 7.0.5 to 7.2.0 is not supported; Fortinet requires an intermediate upgrade to the latest 7.0.x release to ensure compatibility of the firmware image and configuration database.

378
MCQ · hard

During a failover in an active-passive HA cluster, the newly active unit does not have the same session table as the previous primary, causing all existing sessions to drop. Which setting should the administrator verify?

A. HA override is enabled on both units
B. The heartbeat interface is configured as a dedicated management interface
C. The session pickup setting is enabled
D. The cluster is operating in active-active mode
Answer: C

Session pickup synchronizes session tables; if disabled, sessions are lost on failover.

Why this answer

Session synchronization must be enabled and properly configured to replicate sessions to the standby unit.

379
MCQ · easy

What is the primary purpose of the captive portal feature on a FortiGate?

A. To monitor bandwidth usage per user
B. To block all traffic from unknown IP addresses
C. To enable SSL VPN connections
D. To provide a web-based authentication interface for users connecting through a firewall policy
Answer: D

Captive portal redirects unauthenticated users to a login page.

Why this answer

Captive portal is used to authenticate users before allowing network access. It presents a login page to users who are not yet authenticated.

380
MCQ · medium

A FortiGate admin configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to the internet. Users report that they cannot access web pages. The admin runs 'diagnose debug flow' and sees packets hitting the policy but being dropped. What is the MOST likely cause?

A. The interface is not configured as a WAN interface
B. The policy is disabled
C. The firewall policy action is set to DENY
D. The traffic is being processed by a higher priority deny policy
Answer: C

If the policy action is set to DENY, even though the traffic matches the source/destination/service, it will be dropped. This is a common misconfiguration.

Why this answer

The implicit deny policy at the end of the policy list drops traffic that does not match any explicit policy. If a deny policy sits above the intended policy, traffic can be denied before it ever reaches the allow policy; the most common ordering mistake is exactly that, a deny policy higher in the list matching first.

However, the stem says the packets hit the policy and are then dropped. That usually means the policy matched but something else dropped the traffic, such as a security profile action, or the policy's own action was set to DENY by mistake. Given the options, the admin most likely set the policy action to DENY.

381
MCQ · easy

A FortiGate is configured in NAT/Route mode. Which statement is correct about this mode?

A. Only one interface can be used for traffic.
B. The FortiGate routes traffic between different subnets and can perform NAT.
C. VLAN interfaces are not supported in this mode.
D. The FortiGate acts as a Layer 2 bridge.
Answer: B

NAT/Route mode is the default, routing Layer 3 traffic.

Why this answer

In NAT/Route mode, the FortiGate operates as a Layer 3 router, forwarding traffic between different subnets while also performing Network Address Translation (NAT) when configured. This is the default operational mode for most FortiGate deployments, enabling both routing and NAT capabilities on the same device.

Exam trap

The trap here is that candidates often confuse NAT/Route mode with Transparent mode, assuming that NAT implies bridging or that only one interface can be used, but FortiGate explicitly supports multiple routed interfaces and VLANs in this mode.

How to eliminate wrong answers

Option A is wrong because NAT/Route mode supports multiple interfaces for traffic forwarding, not just one; each interface can belong to a different subnet. Option C is wrong because VLAN interfaces are fully supported in NAT/Route mode, allowing segmentation of traffic on the same physical port. Option D is wrong because the FortiGate acts as a Layer 3 router in this mode, not a Layer 2 bridge; Layer 2 bridging is associated with Transparent mode.

382
MCQ · easy

Which inspection mode in the antivirus profile processes traffic by buffering the entire file before scanning, allowing more thorough detection but potentially increasing latency?

A. Proxy-based inspection
B. Deep inspection
C. DNS inspection
D. Flow-based inspection
Answer: A

Proxy-based inspection buffers the entire file before scanning, enabling thorough analysis.

Why this answer

Option A is correct. Proxy-based inspection buffers the entire file for scanning, which can detect threats more accurately but introduces latency. Flow-based inspection scans packets as they pass through without full buffering.

383
Multi-Select · medium

A FortiGate administrator wants to block access to Facebook for all internal users. However, the administrator must ensure that the CEO's computer (IP 10.0.0.100) is exempted. Which TWO steps should the administrator take? (Choose two.)

Select 2 answers
A. Add the CEO's IP to the application control profile's 'exempt IP' list.
B. Configure an IP exemption in the application control profile.
C. Create an application control profile with a rule to block 'Facebook' and apply it to the firewall policy for all users.
D. Create a firewall policy above the blocking policy that allows traffic from the CEO's IP to Facebook, with no application control profile.
E. Use a web filter profile with a URL block for 'facebook.com' instead of application control.
Answers: C, D

This blocks Facebook for general users.

Why this answer

The correct answers are C and D. Create a blocking profile and apply it to a policy for general users, then create a higher-priority policy that allows the CEO's traffic without the blocking profile.

384
Multi-Select · medium

An administrator wants to detect and prevent malware outbreaks. The FortiGate is integrated with FortiSandbox. Which TWO actions should be taken to ensure files are sent to FortiSandbox for analysis?

Select 2 answers
A. Set the firewall policy inspection mode to flow-based
B. Enable FortiSandbox in the antivirus profile settings
C. Enable deep inspection for HTTPS traffic
D. Disable the antivirus profile on the policy
E. Configure the firewall policy inspection mode to proxy-based
Answers: B, E

The antivirus profile has an option to send files to FortiSandbox.

Why this answer

To leverage FortiSandbox, the antivirus profile must be configured to send files to FortiSandbox, and the inspection mode must be proxy-based for file submission.

385
MCQ · medium

A company wants to block all peer-to-peer (P2P) traffic using Application Control on their FortiGate. They have enabled the application control profile, but users can still download files via BitTorrent. What is the most likely reason?

A. The application control profile does not have SSL inspection enabled.
B. The FortiGate is operating in Transparent mode.
C. The application control profile is applied to the outgoing policy, but BitTorrent traffic is incoming.
D. The default application signatures do not include BitTorrent.
Answer: A

Without SSL inspection, encrypted BitTorrent traffic cannot be inspected and matched.

Why this answer

BitTorrent traffic is often encrypted, so without SSL inspection, the FortiGate cannot inspect the payload of the encrypted sessions to identify the application. Application Control relies on deep packet inspection (DPI) to match traffic against application signatures; if SSL inspection is not enabled, the FortiGate only sees encrypted packets and cannot detect BitTorrent, allowing the traffic to pass unchecked.

Exam trap

The trap here is that candidates often assume application control works on all traffic regardless of encryption, but FortiGate requires SSL inspection to identify applications that use encryption, such as BitTorrent.

How to eliminate wrong answers

Option B is wrong because Transparent mode does not affect the ability to perform application control; the FortiGate can still inspect traffic and apply profiles in Transparent mode. Option C is wrong because BitTorrent traffic can be both incoming and outgoing; application control policies apply to the direction specified, and blocking outgoing P2P traffic is standard, so the direction is not the issue. Option D is wrong because FortiGate's default application signatures do include BitTorrent; the problem is that the signatures cannot match encrypted traffic without SSL inspection.

386
MCQ · medium

A FortiGate administrator is configuring SSL deep inspection for a firewall policy that handles traffic to multiple internal servers. Some servers have self-signed certificates. The administrator wants to avoid certificate errors for users. What configuration is recommended?

A. Configure the firewall policy to accept invalid certificates
B. Use certificate inspection instead of deep inspection
C. Add the server certificates to the FortiGate's trusted CA store
D. Disable deep inspection for those servers
Answer: C

Why this answer

Adding the self-signed server certificates to the FortiGate's trusted CA store allows the FortiGate to trust them during deep inspection, preventing certificate errors for users. Disabling deep inspection or using certificate inspection would not inspect payloads.

387
Multi-Select · easy

An administrator needs to authenticate users on a FortiGate using RADIUS. Which TWO of the following are required to configure RADIUS authentication?

Select 2 answers
A. A PKI certificate for the RADIUS server
B. A RADIUS server object with IP address and shared secret
C. An FSSO connector
D. A user group that references the RADIUS server
E. A local user account for each RADIUS user
Answers: B, D

This defines the connection to the RADIUS server.

Why this answer

To use RADIUS, the FortiGate must define the RADIUS server with its IP and secret, and then create a user group that references that RADIUS server.

388
Multi-Select · medium

An administrator needs to allow inbound SSH access from the internet to a specific internal server (10.0.1.10) on port 22. The WAN IP is 203.0.113.10. Which THREE configuration steps are required?

Select 3 answers
A. Ensure the firewall policy allows the SSH service (port 22)
B. Create a firewall policy from WAN to internal interface with destination set to the VIP
C. Configure a source NAT IP pool for outbound traffic
D. Create a Virtual IP (VIP) mapping 203.0.113.10:22 to 10.0.1.10:22
E. Enable SSL inspection on the policy
Answers: A, B, D

The policy must explicitly permit the service (SSH) to match the traffic.

Why this answer

Option A is correct because the firewall policy must explicitly permit the SSH service (TCP port 22) from the WAN to the internal server. Without a policy allowing the traffic, the FortiGate will drop the packets even if the VIP is configured correctly. The policy acts as the security gatekeeper, and the service object for SSH ensures only port 22 traffic is allowed.

Exam trap

The trap here is that candidates often assume configuring a VIP alone is sufficient, forgetting that a firewall policy must also be created to permit the translated traffic, and they may confuse source NAT (Option C) with destination NAT required for inbound access.

389
MCQ · hard

An administrator has configured DLP sensors to detect credit card numbers in outgoing traffic. However, the administrator notices that traffic containing credit card numbers is still passing through undetected. The firewall policy uses flow-based inspection. What is the MOST likely reason DLP is not detecting the data?

A. DLP requires proxy-based inspection to perform data leakage detection.
B. The DLP sensor is not applied to the correct firewall policy.
C. The DLP sensor is configured with the wrong regular expression.
D. The credit card numbers are encrypted by SSL and deep inspection is not enabled.
Answer: A

DLP scanning requires proxy-based inspection because it needs to buffer the content for pattern matching.

Why this answer

Option A is correct. DLP requires proxy-based inspection to buffer and analyze the content. Flow-based inspection does not support DLP.

390
MCQ · medium

A FortiGate administrator needs to configure a policy route to send all traffic destined to 10.10.10.0/24 out through interface port3 instead of the default route. Which configuration steps are necessary?

A. Add a firewall policy with source interface any, destination 10.10.10.0/24, and set the egress interface to port3
B. Create a static route for 10.10.10.0/24 with a lower distance pointing to port3
C. Set the default gateway to port3 and remove the existing default route
D. Configure a policy route under 'config router policy' with destination 10.10.10.0/24 and output interface port3
Answer: D

Policy routes are configured under 'config router policy' and allow routing decisions based on source/destination.

Why this answer

Policy routes override the routing table for specific traffic based on criteria like source, destination, or protocol. Option D correctly configures a policy route under 'config router policy' to match destination 10.10.10.0/24 and set the output interface to port3, ensuring that traffic is forwarded out port3 regardless of the default route.

Exam trap

The trap here is confusing firewall policies (which control access and NAT) with policy routes (which control forwarding decisions), leading candidates to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because firewall policies control access and NAT, not routing; they cannot override the routing table to force traffic out a specific interface. Option B is wrong because a static route for 10.10.10.0/24 with a lower distance would still be subject to the routing table's longest-match rule and could be overridden by a more specific route or dynamic routing, whereas a policy route takes precedence over the routing table. Option C is wrong because changing the default gateway to port3 would affect all traffic, not just traffic to 10.10.10.0/24, and removing the existing default route would break connectivity for other destinations.

391
MCQ · easy

An administrator needs to back up the FortiGate configuration to a remote server using SCP. Which command is correct?

A. execute backup config copy <server> <filename>
B. execute backup config scp <server> <filename>
C. execute backup config tftp <server> <filename>
D. execute backup config ftp <server> <filename>
Answer: B

SCP is used for secure copy.

Why this answer

The correct command is 'execute backup config scp <server> <filename>' because SCP (Secure Copy Protocol) is the only option listed that provides encrypted file transfer over SSH, which is required for securely backing up the FortiGate configuration to a remote server. FortiGate uses this CLI command to initiate an SCP session to the specified server and save the configuration file with the given filename.

Exam trap

The trap here is that candidates often confuse 'scp' with 'ftp' or 'tftp' because they all transfer files, but only SCP provides encryption, which is the key requirement for a secure remote backup.

How to eliminate wrong answers

Option A is wrong because 'execute backup config copy' is not a valid FortiGate command; the syntax uses 'copy' incorrectly, and there is no such subcommand for backup operations. Option C is wrong because 'execute backup config tftp' uses TFTP (Trivial File Transfer Protocol), which is unencrypted and lacks authentication, making it unsuitable for secure backups to a remote server. Option D is wrong because 'execute backup config ftp' uses FTP (File Transfer Protocol), which transmits data in cleartext including credentials, and is not the secure method specified in the question (SCP).

392
MCQ · medium

A company with 500 users has a FortiGate 1000D running FortiOS 7.2. They have configured full SSL inspection and web filtering to block malware and phishing sites. The administrator receives complaints that some users cannot access a legitimate business website (https://vendor.example.com). The administrator checks the FortiGate logs and sees that the connection is allowed by the firewall policy and web filter. However, the user's browser shows 'ERR_CERT_AUTHORITY_INVALID'. The administrator verifies that the FortiGate's CA certificate is installed on all client machines. Further investigation reveals that the vendor's website uses a certificate signed by a private CA that is not trusted by the FortiGate. The administrator wants to resolve the issue without disabling SSL inspection for the whole website or compromising security. What should the administrator do?

A. Create an SSL exemption for the vendor's domain in the SSL inspection profile.
B. Import the vendor's private CA certificate into the FortiGate's trusted root CA store.
C. Change the SSL inspection profile to certificate inspection only.
D. Install the vendor's CA certificate on the client machines.
Answer: B

This allows the FortiGate to validate the vendor's certificate and issue a trusted session certificate.

Why this answer

The FortiGate cannot validate the vendor's certificate because its private CA is not in the FortiGate's trusted root store. By importing that CA certificate into the FortiGate's trusted root CA store, the FortiGate will trust the vendor's certificate chain, allowing full SSL inspection to proceed without errors. This resolves the ERR_CERT_AUTHORITY_INVALID error while maintaining security inspection for the domain.

Exam trap

The trap here is that candidates often assume the client-side CA certificate installation is sufficient, but the FortiGate itself must also trust the server's issuing CA to perform full SSL inspection without errors.

How to eliminate wrong answers

Option A is wrong because creating an SSL exemption bypasses inspection entirely for the domain, which compromises security by allowing encrypted traffic to pass without inspection. Option C is wrong because changing to certificate inspection only would disable deep packet inspection for all traffic, reducing security posture and not specifically addressing the untrusted CA issue. Option D is wrong because the client machines already have the FortiGate's CA certificate installed; the issue is that the FortiGate itself does not trust the vendor's private CA, so installing it on clients does not fix the server-side validation failure.

393
MCQ · easy

A FortiGate administrator wants to ensure that traffic from the internal network to the internet is translated to a single public IP address. Which NAT method should be used?

A. Central SNAT
B. One-to-one NAT
C. Fixed port range NAT
D. Overload NAT
Answer: D

Overload NAT uses PAT to allow many-to-one translation.

Why this answer

Overload NAT (Port Address Translation) allows many internal IPs to share one public IP by using unique source ports.

394
MCQ · medium

An administrator wants to limit the bandwidth for a specific application (e.g., YouTube) across all users. The administrator creates a traffic shaper and applies it to the firewall policy. What additional configuration is needed to identify YouTube traffic?

A. Enable deep inspection and create a URL filter
B. Create a custom service object for YouTube
C. Use a geography object to block non-local traffic
D. Apply an Application Control profile to the policy
Answer: D

Application Control identifies applications and allows traffic shaping.

Why this answer

Application control profiles identify applications by signature. After identification, traffic shapers can be applied to limit bandwidth.

395
MCQ · hard

In an active-active HA cluster, what is the purpose of the 'session sync' configuration?

A. To synchronize configuration changes between cluster members
B. To balance the number of sessions across cluster members
C. To replicate session state so that if one unit fails, another can take over without interruption
D. To synchronize the time between cluster members
Answer: C

Session sync maintains state for seamless failover.

Why this answer

Session sync ensures that sessions are shared between cluster units so that any unit can handle traffic for a given session.

396
Multi-Select · easy

An administrator wants to configure two-factor authentication for SSL VPN users. Which TWO components must be configured? (Choose two.)

Select 2 answers
A. SSL VPN portal configured with 'require two-factor authentication'
B. Captive portal enabled
C. FortiToken assigned to the user
D. RADIUS server configured for one-time passwords
E. IPsec Phase 1 authentication set to 'signature'
Answers: A, C

The SSL VPN settings must require two-factor authentication.

Why this answer

FortiToken must be assigned to the user, and the user group must require two-factor authentication. The authentication server (LDAP/RADIUS) handles the first factor, FortiToken the second.

397
MCQ · hard

A FortiGate in a hub-and-spoke VPN topology has multiple spoke sites connecting via IPsec. The hub administrator wants to enable direct spoke-to-spoke communication without routing traffic through the hub. What technology should be used?

A. ADVPN (Auto-Discovery VPN)
B. Site-to-site VPN between each spoke pair manually
C. Policy-based VPN with multiple Phase 2 selectors
D. SSL VPN tunnel mode
Answer: A

ADVPN enables dynamic direct tunnels between spokes.

Why this answer

ADVPN (Auto-Discovery VPN) allows spokes to dynamically establish direct tunnels between each other, reducing hub load and latency.

398
MCQ · medium

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

A. The TCP handshake is incomplete; the SYN-ACK has not been received
B. The session is a UDP session
C. The session has been idle for 3600 seconds
D. The session is fully established and will expire in 3599 seconds
Answer: A

State 01 is SYN_SENT, meaning the SYN has been sent but no SYN-ACK received yet.

Why this answer

The output shows a TCP session (proto=6) with proto_state=01, which in Fortinet's session table indicates the session is in the SYN-SENT state (TCP state 1). This means the initial SYN has been sent but the SYN-ACK has not yet been received, so the TCP three-way handshake is incomplete. The duration and expire values reflect the session's age and remaining lifetime, not its establishment status.

Exam trap

The trap here is that candidates see 'expire=3599' and assume the session is established and about to expire, but Fortinet's proto_state field directly reveals the TCP handshake phase, and state 01 specifically means the handshake is incomplete.

How to eliminate wrong answers

Option B is wrong because proto=6 explicitly indicates TCP (not UDP, which would be proto=17). Option C is wrong because duration=3600 shows the session has been active for 3600 seconds, not idle; idle time is tracked separately in the session table. Option D is wrong because proto_state=01 (SYN-SENT) means the session is not fully established; a fully established TCP session would show proto_state=02 (ESTABLISHED) or higher.

399
MCQ · medium

A FortiGate administrator configures an IPS sensor with a signature that has a 'pass' action. The sensor is applied to a firewall policy. When traffic matches this signature, what will happen?

A. The traffic is allowed without any logging.
B. The traffic is reset and a log is generated.
C. The traffic is allowed but a log message is generated.
D. The traffic is blocked and logged.
Answer: C

Pass action allows the traffic and logs the event.

Why this answer

Option C is correct. The 'pass' action in IPS means the traffic is allowed to pass, but an event is logged.

400
MCQ · hard

An administrator runs 'diagnose sys session filter dport 443' and then 'diagnose sys session list'. The output shows many sessions with 'proto_state=01' and 'expire=3599'. What does 'expire=3599' indicate?

A. The session has 3599 packets
B. The session has been alive for 3599 seconds
C. The session has 3599 bytes of data transferred
D. The session will timeout in 3599 seconds
Answer: D

Expire shows remaining time before the session is removed due to inactivity.

Why this answer

In FortiGate diagnostics, the 'expire' field in the session list output indicates the remaining time in seconds before the session times out. A value of 3599 seconds means the session will be removed from the session table after that many seconds of inactivity, assuming no further traffic matches the session. This is a key metric for understanding session lifecycle and timeout behavior.

Exam trap

The trap here is confusing 'expire' (remaining time until timeout) with 'duration' (time since session creation), leading candidates to incorrectly select option B.

How to eliminate wrong answers

Option A is wrong because 'expire' does not represent a packet count; packet counts are shown in separate fields like 'packets' or 'pkt_in/pkt_out'. Option B is wrong because 'expire' is the remaining time until timeout, not the elapsed time since the session was created; the 'duration' field tracks how long the session has been alive. Option C is wrong because 'expire' is unrelated to data transfer size; byte counts are displayed in fields such as 'bytes' or 'total_bytes'.

401
MCQ · hard

An administrator sees the following CLI output when checking an IPS sensor: 'config ips sensor edit test config entries edit 1 set severity medium set action block set target default end'. However, attacks with severity medium are still passing. The IPS sensor is applied to a policy with flow-based inspection. What is the likely issue?

A. The IPS sensor is not enabled in the policy
B. The IPS sensor rule has 'target' set to 'default' which may not apply to the traffic direction
C. The FortiGate needs a FortiSandbox for IPS to work
D. The severity level is set too high
Answer: B

For flow-based inspection, target must be 'client' or 'server' to match direction. 'default' may not work as expected.

Why this answer

In flow-based inspection, the IPS sensor rules may require that the protocol decoder be enabled or that the traffic matches the rule's target (client, server, default). The output shows 'target default' which might not match the traffic flow.

402
MCQ · medium

A company wants to block downloads of executable files via HTTP and HTTPS while allowing other content. Which combination of security profiles should be applied to the firewall policy?

A. Web Filtering and Antivirus
B. Application Control and Antivirus
C. Web Filtering and IPS
D. DNS Filtering and Web Filtering
Answer: A

Web filtering blocks file types, antivirus scans for malware.

Why this answer

To block executable file downloads over HTTP and HTTPS while allowing other content, a Web Filtering profile is required to filter based on URL category or content type, and an Antivirus profile is needed to scan and block files (such as .exe) within the HTTP/HTTPS stream. The Antivirus profile can detect and block executable files by file signature or MIME type, while Web Filtering controls access to download sites or file types. Together, they provide layered defense against malicious executable downloads without affecting other web content.

Exam trap

The trap here is that candidates often think Application Control can block file downloads, but Application Control only identifies applications, not file types within allowed protocols, while Antivirus is required for file-level blocking.

How to eliminate wrong answers

Option B is wrong because Application Control identifies and controls applications (e.g., Skype, Dropbox) but does not filter file types within HTTP/HTTPS traffic; it cannot block .exe downloads specifically. Option C is wrong because IPS (Intrusion Prevention System) detects and blocks network-based attacks and exploits, not file-type filtering; it cannot prevent executable downloads unless they contain a known exploit signature. Option D is wrong because DNS Filtering blocks access to domains based on DNS queries, but it does not inspect or block specific file types within allowed HTTP/HTTPS traffic; it only prevents resolution of malicious domains.

403
MCQ · easy

An administrator wants to configure SSL VPN web mode to allow remote users to access a specific internal web application without installing any client software. Which authentication method is required?

A. Certificate-based authentication only
B. No authentication is required for web mode
C. Two-factor authentication with FortiToken is mandatory
D. Any supported authentication method (local, LDAP, RADIUS, certificates)
Answer: D

FortiGate supports multiple authentication methods for SSL VPN web mode.

Why this answer

SSL VPN web mode requires user authentication to grant access. The local database or remote authentication server (LDAP, RADIUS) must be used to authenticate users before they can access the web portal.

404
MCQ · hard

A FortiGate administrator is configuring a route-based IPsec VPN between two FortiGate devices. After setting up the tunnel and firewall policies, traffic does not flow. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. 'get router info routing-table all' shows routes on both sides. However, pings from the local network to the remote network fail. What is the MOST likely cause?

A. The pre-shared key is incorrect
B. The firewall policy allowing traffic to the remote subnet has the source and destination interfaces reversed
C. The remote FortiGate's static route points to the wrong local subnet
D. The Phase 2 proposal uses different encryption algorithms on each side
Answer: B

In a route-based VPN, the policy must be configured with the VPN interface as the destination interface (if traffic flows from internal to VPN) or source interface (if from VPN to internal). Misconfiguration here causes traffic to be dropped.

Why this answer

Option B is correct. For a route-based VPN, traffic from the internal network to the remote site must be allowed by a policy that has the VPN interface as the destination interface. If the policy's source and destination interfaces are reversed (e.g., source VPN, destination internal instead of source internal, destination VPN), the outbound traffic matches no policy and is dropped.

405
MCQ (hard)

An administrator enables deep inspection for HTTPS traffic. Users report that they cannot access some websites because of certificate errors. The administrator wants to override these errors and allow access. What should be configured?

A. Disable certificate verification in the deep inspection profile
B. Add the websites to the 'FortiGuard category' allow list
C. Configure the web filter to allow these websites
D. Add the websites to the 'SSL/SSH exemption' list in the deep inspection profile
Answer: D

The SSL/SSH exemption list allows specific domains to bypass deep inspection, thus avoiding certificate errors while still protecting other traffic.

Why this answer

In FortiOS, deep inspection can generate certificate errors for sites with self-signed or mismatched certificates. To allow access despite errors, the administrator can add the affected domains to the 'SSL/SSH exemption' list in the deep inspection profile. This exempts those sites from deep inspection, avoiding the certificate error.

406
MCQ (easy)

Which of the following is the correct way to upgrade the firmware on a FortiGate from the CLI?

A. execute upgrade tftp
B. execute update firmware tftp
C. config system firmware upgrade tftp
D. execute firmware upgrade tftp
Answer: A

Why this answer

The correct CLI command to upgrade firmware on a FortiGate is 'execute upgrade tftp'. This command triggers the TFTP-based firmware upgrade process, where the FortiGate acts as a TFTP client to download the firmware image from a TFTP server. The 'execute' keyword is used for operational commands in FortiOS, and 'upgrade' is the specific action for firmware updates, with 'tftp' specifying the transfer protocol.

Exam trap

The trap here is that candidates confuse the 'execute upgrade tftp' command with similar-sounding but incorrect variations like 'execute update firmware tftp' or 'execute firmware upgrade tftp', often misremembering the verb-noun order or mixing up firmware updates with FortiGuard updates.

How to eliminate wrong answers

Option B is wrong because 'execute update firmware tftp' uses 'update' instead of 'upgrade'; 'update' is used for FortiGuard services (e.g., antivirus signatures), not firmware. Option C is wrong because 'config system firmware upgrade tftp' incorrectly uses 'config' mode; firmware upgrades are operational commands, not configuration commands, and must be run from the root CLI prompt. Option D is wrong because 'execute firmware upgrade tftp' reverses the verb and noun order; the correct syntax is 'execute upgrade tftp', where 'upgrade' is the action and 'tftp' is the protocol.

407
MCQ (medium)

A company has a FortiGate with two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to ensure that traffic from a specific internal server (10.0.1.100) destined to the internet always exits via port2, while all other traffic uses port1. Which feature should the admin configure on the firewall policy for that server?

A. Create a VIP to redirect the traffic to port2
B. Enable policy-based routing on the policy and specify port2 as the egress interface
C. Configure a static route with a higher distance for port2
D. Set the outgoing interface to port2 in the firewall policy
Answer: B

Policy-based routing overrides the routing table for traffic matching that policy.

Why this answer

Policy-based routing (PBR) allows you to override the routing table for specific traffic based on criteria such as source IP, destination, or application. By enabling PBR on the firewall policy for server 10.0.1.100 and specifying port2 as the egress interface, the admin ensures that all traffic from that server exits via port2, while the routing table continues to direct all other traffic via port1. This is the correct approach because PBR operates at the policy level, not the routing table level, giving granular control over traffic path selection.

Exam trap

The trap here is that candidates often treat the 'outgoing interface' field in a firewall policy as a freely configurable option, when in fact it is derived from the routing table unless policy-based routing is explicitly enabled.

How to eliminate wrong answers

Option A is wrong because a Virtual IP (VIP) is used for destination NAT (port forwarding) to map external IPs to internal servers, not to control egress interface selection; it does not influence which WAN port traffic leaves from. Option C is wrong because configuring a static route with a higher distance for port2 would make port2 a less preferred route, so traffic would still use port1 unless the primary route fails; this does not force server traffic out port2 while keeping other traffic on port1. Option D is wrong because the outgoing interface in a firewall policy is a read-only field that displays the interface determined by the routing table; you cannot directly set it to port2 in the policy without PBR or a matching route.

408
MCQ (easy)

A FortiGate administrator wants to authenticate VPN users against an existing Active Directory server. The administrator creates a user group referencing a remote LDAP server and configures the firewall policy to authenticate using that group. However, users report authentication failures. What is the FIRST step to troubleshoot?

A. Run 'diag test authserver ldap <server> <username> <password>'
B. Verify the user group configuration
C. Restart the FortiGate
D. Check the LDAP server's firewall rules
Answer: A

This command tests LDAP authentication directly. It isolates the issue quickly.

Why this answer

The LDAP connectivity must be verified before any user authentication can work. The diagnose test command is the quickest way to validate the LDAP server connection.

409
MCQ (medium)

A client connects to a FortiGate SSL VPN in web mode. The user can access internal web applications but cannot ping or RDP to servers. The administrator wants to allow these services. What must be changed?

A. Enable split tunneling on the SSL VPN portal
B. Change the SSL VPN type from web mode to tunnel mode
C. Add the server IP addresses to the portal's bookmarks
D. Configure a firewall policy allowing the client's IP to the servers
Answer: B

Tunnel mode supports all IP traffic, not just web, by creating a virtual network interface.

Why this answer

Web mode only provides access to web-based applications through a portal. To allow non-web traffic like ping or RDP, the VPN type must be changed to tunnel mode, which creates a virtual interface and routes all traffic.

410
MCQ (easy)

What is the purpose of enabling 'DNS filter' in a security profile?

A. To cache DNS responses for faster browsing
B. To prevent DNS tunneling attacks
C. To enforce safe search on search engines
D. To block DNS queries to known malicious domains
Answer: D

DNS filter inspects DNS traffic and blocks resolution of malicious domains.

Why this answer

Option D is correct: DNS filter blocks malicious domains based on FortiGuard category or custom lists by inspecting DNS queries and responses.

411
MCQ (easy)

Which IPsec VPN mode is typically used for site-to-site VPNs and is more secure because it negotiates Phase 1 in six messages?

A. Quick mode
B. Aggressive mode
C. IKEv2
D. Main mode
Answer: D

Main mode is the default and more secure for site-to-site VPNs.

Why this answer

Main mode uses six messages to negotiate IKE Phase 1, providing identity protection and higher security.

412
MCQ (hard)

An admin configures a Central SNAT rule to translate internal 192.168.1.0/24 to 203.0.113.10 when accessing the internet. However, traffic from 192.168.1.100 to 8.8.8.8 shows source IP 192.168.1.100 in logs. What is the MOST likely cause?

A. The Central SNAT rule is disabled
B. The Central SNAT rule is applied to the wrong outgoing interface
C. The firewall policy has an IP pool configured, overriding Central SNAT
D. The destination address in the Central SNAT rule is incorrect
Answer: C

Policy-based NAT (IP pool attached to policy) takes precedence over Central SNAT rules.

Why this answer

Central SNAT rules are only used when the firewall policy has NAT enabled but no specific IP pool configured. If the policy uses policy-based NAT (i.e., an IP pool is attached to the policy), that policy-based NAT takes precedence and the Central SNAT rule is bypassed, so the source address is not translated to 203.0.113.10.

413
MCQ (medium)

A company has a web server in the DMZ that must be accessible from the internet on both HTTP and HTTPS. The admin configures a VIP to map the public IP to the server's private IP. However, external users can only reach HTTP. What is the MOST likely cause?

A. The VIP is configured for port forwarding only for HTTP (port 80)
B. The web server is not listening on HTTPS
C. The VIP is using overload mode instead of one-to-one
D. The firewall policy allowing traffic to the VIP only permits HTTP
Answer: A

VIP port forwarding must specify each port; HTTPS (443) is not included.

Why this answer

The VIP (Virtual IP) configuration on a FortiGate maps a public IP and port to a private IP and port. If the VIP is configured only for port forwarding on TCP 80 (HTTP), it will not translate traffic for TCP 443 (HTTPS). This is the most likely cause because external users can reach HTTP but not HTTPS, indicating the VIP itself is not handling HTTPS traffic.

Exam trap

The trap here is that candidates often assume the firewall policy is the issue, but the VIP itself must be configured to forward the specific ports; a policy allowing all traffic is useless if the VIP does not translate the destination port for HTTPS.

How to eliminate wrong answers

Option B is wrong because if the web server were not listening on HTTPS, the connection would still reach the server and fail there, but the symptom is that external users cannot reach HTTPS at all, which points to a VIP or policy issue, not server configuration. Option C is wrong because overload mode (PAT) and one-to-one mode (DNAT) can both handle multiple ports; the mode does not restrict which ports are forwarded. Option D is wrong because, although a firewall policy that only permits HTTP would also block HTTPS, the question states the VIP is configured for port forwarding only for HTTP, making the VIP itself the root cause; a policy issue would be secondary and less likely given the VIP configuration.

414
MCQ (medium)

A FortiGate administrator runs 'diagnose sys session filter dport 443' and then 'diagnose sys session list'. The output shows many sessions with 'proto_state=01' and 'expire=0'. What does this indicate about these sessions?

A. The sessions are for UDP traffic
B. The sessions are in the process of being established
C. The sessions are fully established and active
D. The sessions have expired and are being removed from the session table
Answer: D

expire=0 means the session timer has expired, and the session is being cleaned up.

Why this answer

In the FortiGate session table, 'expire=0' means the session has expired (or is being cleaned up). 'proto_state=01' often indicates the TCP SYN-sent state. Sessions with expire=0 are not fully established or are closing.

415
Multi-Select (hard)

Which TWO are best practices for configuring IPsec VPN on FortiGate to ensure high availability and security?

Select 2 answers
A. Disable DPD on the phase1 interface to reduce overhead.
B. Enable perfect forward secrecy (PFS) for phase2 to ensure session keys are not compromised if a private key is stolen.
C. Use aggressive mode for faster IKE negotiation.
D. Configure a dead peer detection (DPD) interval to detect tunnel failures.
E. Disable PFS to reduce CPU load on the firewall.
Answers: B, D

PFS ensures that compromise of one key does not affect others.

Why this answer

Perfect Forward Secrecy (PFS) ensures that if an attacker compromises the private key used during IKE phase1, they cannot derive the session keys used in phase2. By requiring a new Diffie-Hellman exchange for each phase2 rekey, PFS isolates the compromise to only the current session, protecting past and future encrypted traffic. This is a critical security best practice for IPsec VPNs on FortiGate.

Exam trap

The trap here is that candidates often confuse DPD with a performance overhead feature and disable it, or they mistakenly believe aggressive mode is faster and therefore better, overlooking the severe security implications of sending identities in cleartext.

416
MCQ (easy)

Which FortiGate log type records information about firewall policy matches and traffic statistics?

A. Event logs
B. Traffic logs
C. Audit logs
D. Security logs
Answer: B

Traffic logs are generated when traffic matches a firewall policy and record session details.

Why this answer

Traffic logs record information about every session that matches a firewall policy, including source/destination, ports, bytes, and duration. Security logs record IPS, antivirus, web filtering events. Event logs record system events.

417
Multi-Select (medium)

A FortiGate administrator needs to allow inbound HTTPS traffic to a web server located at 192.168.1.10. The public IP is 203.0.113.5. The administrator wants to translate the destination to the internal server and also translate the source port to a fixed range for logging purposes. Which TWO configuration elements are required?

Select 2 answers
A. Create a Virtual IP (VIP) mapping 203.0.113.5 to 192.168.1.10
B. Create a firewall policy from WAN to DMZ allowing HTTPS and referencing the VIP as destination
C. Configure Central SNAT to translate the server's source IP for return traffic
D. Create an IP pool with fixed port range for source translation
E. Enable 'allow source port translation' on the VIP
Answers: A, B

A VIP is necessary for destination NAT (DNAT) to forward public IP to internal server.

Why this answer

A Virtual IP (VIP) is required to map the public IP (203.0.113.5) to the internal server IP (192.168.1.10) for destination NAT. This allows inbound HTTPS traffic to be translated to the private server. Additionally, a firewall policy from WAN to DMZ must reference the VIP as the destination and allow HTTPS to permit the traffic and apply the NAT translation.

Exam trap

The trap here is that candidates often confuse VIPs (destination NAT) with IP pools (source NAT) or Central SNAT, mistakenly thinking source translation is needed for inbound traffic, when the question specifically requires destination translation and fixed port mapping for logging.

418
MCQ (hard)

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

A. The session is a UDP connection to port 443
B. The session will expire in 3600 seconds
C. The session has been established for 3600 seconds
D. The TCP three-way handshake is incomplete; only SYN was sent
Answer: D

TCP state SYN_SENT (01) indicates the initial SYN was sent but no SYN-ACK received yet.

Why this answer

Protocol 6 is TCP. 'proto_state=01' means TCP SYN_SENT. The session has existed for 3600 seconds (duration) and has 3599 seconds left before it expires (expire).

419
MCQ (medium)

An administrator wants to allow access to a specific website that is blocked by the FortiGuard web filter category 'Social Networking'. The administrator creates a URL filter override to allow the site. After applying, the site is still blocked. What should the administrator check?

A. Ensure the URL filter rule is placed above the FortiGuard category block in the web filter profile
B. Disable the FortiGuard category rating for Social Networking
C. Ensure the URL filter rule is set to 'exempt' instead of 'allow'
D. Set the web filter profile to use 'monitor' for the Social Networking category
Answer: A

URL filter rules are processed in order. If a later rule (e.g., FortiGuard category) blocks, the earlier allow may not take effect unless it's an 'exempt' action.

Why this answer

URL filter overrides take precedence over FortiGuard categories only if the URL filter action is set appropriately and the override is applied before the FortiGuard check. Additionally, the order of rules matters: URL filter rules are evaluated before FortiGuard categories, but the action must be 'allow' and the override must be enabled.

420
MCQ (medium)

An administrator configures a data leak prevention (DLP) profile to detect credit card numbers in outgoing emails. However, no violations are logged. The email filter profile is applied with the DLP profile on the same policy. What is the most likely cause?

A. The credit card numbers are being sent in PDF attachments, which are not scanned
B. The DLP profile is not applied to SMTP traffic
C. The FortiGate needs a FortiSandbox license for DLP to work
D. The SSL inspection profile on the policy is set to 'certificate-inspection' only
Answer: D

Email traffic may be encrypted via TLS. Certificate inspection does not decrypt traffic, so DLP cannot scan the content.

Why this answer

DLP scanning requires that the traffic be inspected. If the traffic is encrypted and not decrypted, DLP cannot see the content.

421
MCQ (hard)

An administrator has configured an SSL VPN with tunnel mode and split tunneling enabled. However, remote users report that all internet traffic is going through the VPN tunnel. What is the MOST likely cause?

A. The firewall policy allows traffic to the internet
B. The SSL VPN portal has 'split tunneling' disabled
C. The client's routing table is set to route all traffic through the VPN
D. The user has installed a root certificate
Answer: C

Even with split tunneling enabled on the portal, if the client pushes a route for 0.0.0.0/0, all traffic goes through the tunnel.

Why this answer

Split tunneling routes only specific subnets through the tunnel and other traffic directly. If the routing table is set to route all traffic (0.0.0.0/0) via the SSL VPN interface, split tunneling is effectively disabled.

422
Multi-Select (medium)

An admin is configuring a firewall policy to allow FTP traffic from a client to a server. The server is behind a VIP that translates public IP 203.0.113.10 port 21 to private IP 10.0.0.10 port 21. The admin wants to ensure the FTP data channel works correctly. Which TWO additional configurations are required? (Choose two.)

Select 2 answers
A. Enable FTP ALG on the firewall policy
B. Enable NAT on the policy for return traffic
C. Create a separate policy for the data channel
D. Configure a service object for FTP data port (TCP 20)
E. Ensure the policy allows both control and data connections by using the predefined FTP service
Answers: A, E

FTP ALG inspects FTP traffic and manages data connections.

Why this answer

FTP uses separate control and data connections. FortiGate's FTP ALG (application layer gateway) or session helper is needed to inspect FTP traffic and handle dynamic data ports. Additionally, for VIP, the policy must allow the appropriate services, and the ALG must be enabled.

423
MCQ (medium)

An administrator needs to ensure that in an active-passive HA cluster, the primary unit always remains the preferred master unless it fails, regardless of other factors. The administrator sets the primary's HA priority to 200 and the secondary to 100. However, after a reboot of the primary, the secondary becomes the primary. What additional step is required?

A. Set 'set ha-mgmt-status enable' on the primary
B. Reduce the secondary priority to 0
C. Increase the primary priority to 255
D. Set 'set override enable' under config system ha
Answer: D

Enabling override tells HA to actively switch back to the highest priority unit when it recovers. Without override, the cluster does not preempt.

Why this answer

In HA, the 'override' setting (or 'set override enable') ensures that when the primary recovers, it will preempt the current primary and become active again. Without override, the cluster uses a non-preemptive mode: once a unit becomes primary, it stays primary even if a higher-priority unit comes back online.

424
MCQ (medium)

A network admin has configured a firewall policy allowing traffic from the 'internal' zone to the 'external' zone. The policy uses a service object 'HTTP' (TCP/80). Users report they can access HTTP websites but not HTTPS. The admin confirms no other policies block HTTPS. What is the most likely cause?

A. The FortiGate needs to perform SSL inspection on HTTPS traffic
B. There is a policy ordering issue; a later policy might block HTTPS
C. HTTPS traffic is being dropped by implicit deny because no policy matches it
D. The service object 'HTTP' also includes TCP/443 by default
Answer: C

Since the policy only allows HTTP, HTTPS falls through to the implicit deny rule and is dropped.

Why this answer

The policy only permits HTTP (TCP/80). HTTPS uses TCP/443, which is not allowed unless a separate service is defined.

425
MCQ (easy)

What is the purpose of the 'DNS Filter' feature on a FortiGate?

A. To block DNS queries to malicious domains based on FortiGuard category and allow/block lists.
B. To cache DNS queries for faster resolution.
C. To encrypt DNS traffic to prevent eavesdropping.
D. To filter the content of DNS responses from legitimate servers.
Answer: A

DNS Filter inspects DNS queries and can block those to malicious or unwanted domains, preventing users from reaching those sites even if the IP is known.

426
MCQ (easy)

What is the purpose of configuring a loopback interface on a FortiGate?

A. To create a logical interface that remains up regardless of physical link status
B. To provide a virtual IP address for NAT
C. To connect to a VLAN
D. To aggregate multiple physical interfaces for increased bandwidth
Answer: A

A loopback is always up unless administratively shut down, making it ideal for management and routing.

Why this answer

A loopback interface is a logical interface that is not tied to any physical port, so it remains operational (up/up) as long as the FortiGate itself is running. This makes it ideal for management access, BGP peering, and other services that require a stable IP address independent of physical link failures.

Exam trap

The trap here is that candidates confuse a loopback interface with a virtual IP (VIP) for NAT or with a VLAN sub-interface, because both are 'virtual' constructs, but they serve entirely different purposes in the FortiGate architecture.

How to eliminate wrong answers

Option B is wrong because a loopback interface is not used for NAT; virtual IPs (VIPs) or IP pools are used for NAT purposes. Option C is wrong because VLANs are created as sub-interfaces on physical or aggregate interfaces, not on a loopback interface. Option D is wrong because aggregating multiple physical interfaces for increased bandwidth is achieved via Link Aggregation (LAG) or 802.3ad, not a loopback interface.

427
MCQ (hard)

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A. The session is an ICMP session with state 01 and expires in 1 second.
B. The session is a UDP session to port 443 and has been active for 3600 seconds.
C. The session is a TCP session to port 443 that has been active for 3600 seconds and will expire in 3599 seconds.
D. The session is a TCP session that has timed out and will be removed in 3599 seconds.
Answer: C

Why this answer

Option C is correct because the output shows 'proto=6', which is the protocol number for TCP, and 'dport=443' indicates the destination port is HTTPS. The 'duration=3600' means the session has been active for 3600 seconds, and 'expire=3599' means it will expire in 3599 seconds. The 'proto_state=01' is a TCP state code, confirming this is a TCP session.

Exam trap

The trap here is that candidates often confuse protocol numbers (e.g., thinking '6' is UDP or ICMP) or misinterpret 'expire' as the time since expiration rather than the remaining time until expiration.

How to eliminate wrong answers

Option A is wrong because 'proto=6' is TCP, not ICMP (which uses protocol number 1), and 'dport=443' specifies a port, which is not applicable to ICMP. Option B is wrong because 'proto=6' is TCP, not UDP (which uses protocol number 17), and the session is to port 443, not from it. Option D is wrong because the session has not timed out; 'expire=3599' indicates it is still active and will expire in 3599 seconds, not that it has already timed out.

428
MCQ (easy)

What is the PRIMARY purpose of enabling 'Safe Search' in a web filter profile?

A. To block all search engines
B. To prevent users from using HTTPS search engines
C. To enforce safe search settings on supported search engines like Google and Bing
D. To log all search queries
Answer: C

Why this answer

Safe Search enforces the safe search feature of popular search engines (e.g., Google, Bing) to filter explicit content from search results. It does not block search engines or HTTPS.

429
MCQ (medium)

An admin wants to apply different QoS markings to traffic from two different departments. The admin creates two firewall policies: one for Sales (policy ID 1) and one for Engineering (policy ID 2). Both policies have traffic shaping enabled. However, traffic from both departments receives the same QoS marking. What is the MOST likely mistake?

A. The policies are in the wrong order
B. QoS marking is only applied at the interface level
C. The traffic shaping policy is applied globally
D. The admin applied the same traffic shaper to both policies
Answer: D

To differentiate, different shapers must be used.

Why this answer

The traffic shaping policy must be associated with the firewall policy. If the same traffic shaper is applied to both policies, they will get the same markings. The question implies different markings are desired, so the admin likely used the same shaper.

430
MCQ (medium)

A network admin configures a firewall policy allowing HTTP traffic from internal users to an external web server. The policy uses a service object 'HTTP' defined as TCP/80. However, users cannot reach the server. What is the MOST likely cause?

A. The external web server is using HTTPS (TCP/443) instead of HTTP
B. The source address object does not include the users' subnet
C. The policy order is wrong; the policy is placed after a deny-all policy
D. The interface is set to the wrong zone
Answer: A

The service object allows only TCP/80; if the server expects TCP/443, the traffic is blocked by implicit deny.

Why this answer

The service object 'HTTP' is defined as TCP/80, but HTTPS uses TCP/443. The web server is likely expecting HTTPS on TCP/443. The policy should allow TCP/443.

431
Multi-Select (medium)

A FortiGate administrator needs to ensure that a specific traffic flow is fully inspected by the antivirus and IPS profiles. The traffic is HTTPS. Which THREE configuration items are required? (Select three.)

Select 3 answers
A. Enable flow-based inspection mode globally
B. Apply an IPS profile to the firewall policy
C. Apply an antivirus profile to the firewall policy
D. Enable SSL/TLS deep inspection on the firewall policy
E. Configure a DNS filter profile
Answers: B, C, D

An IPS profile is needed to detect and prevent intrusions.

Why this answer

SSL inspection is required to decrypt HTTPS; then antivirus and IPS profiles can inspect the decrypted traffic. The firewall policy must include these profiles.

432
MCQ (medium)

An admin wants to monitor CPU and memory usage on a FortiGate using SNMP. Which configuration is required?

A. Configure a performance SLA monitor
B. Enable SNMP agent and configure an SNMP community
C. Enable SNMP on the interface and set administrative access to SNMP
D. Configure an SNMP v3 user and enable SNMP traps
Answer: B

Enabling SNMP agent and a community allows SNMP managers to poll OIDs for CPU/memory.

Why this answer

To monitor CPU and memory usage via SNMP, the FortiGate must first have the SNMP agent enabled and an SNMP community configured. The community string acts as a password for SNMPv1/v2c queries, allowing an NMS to poll the device for OIDs like CPU usage (1.3.6.1.4.1.12356.101.4.1.1) and memory usage (1.3.6.1.4.1.12356.101.4.1.4). Without enabling the agent and defining a community, the FortiGate will not respond to SNMP GET requests.

Exam trap

The trap here is that candidates confuse enabling SNMP on an interface (administrative access) with enabling the SNMP agent itself, leading them to select option C, which only allows SNMP traffic to reach the FortiGate but does not activate the SNMP service or community required for polling.

How to eliminate wrong answers

Option A is wrong because a performance SLA monitor is used for link health checks and failover decisions (e.g., SD-WAN), not for exposing CPU/memory metrics via SNMP. Option C is wrong because enabling SNMP on an interface and setting administrative access to SNMP only allows SNMP traffic to reach the FortiGate through that interface; it does not enable the SNMP agent itself or define a community for authentication. Option D is wrong because configuring an SNMP v3 user and enabling traps is for sending unsolicited notifications (traps) to an NMS, not for responding to polled queries for CPU and memory usage; polling requires the SNMP agent and community (or user for v3) to be active.

433
MCQ (hard)

An admin configures a one-to-one IP Pool to map 10.0.1.0/28 to 203.0.113.16/28. A host with IP 10.0.1.5 initiates a connection to the internet. Which source IP will be used for the translated packet?

A. 203.0.113.20
B. 203.0.113.21
C. 203.0.113.5
D. 203.0.113.16
Answer: B

The internal .5 maps to external .21 (16+5).

Why this answer

In a one-to-one IP Pool NAT configuration, the mapping is based on the subnet offset. The internal subnet 10.0.1.0/28 has 16 addresses (10.0.1.0–10.0.1.15), and the external pool 203.0.113.16/28 also has 16 addresses (203.0.113.16–203.0.113.31). The host 10.0.1.5 is the 6th usable IP (offset 5 from the network address), so it maps to the 6th IP in the external pool: 203.0.113.16 + 5 = 203.0.113.21.

Exam trap

The trap here is that candidates often mistakenly add the host portion of the internal IP (e.g., .5) directly to the external network address (e.g., 203.0.113.16 + .5 = 203.0.113.21) but then incorrectly select 203.0.113.20 due to off-by-one errors, or they confuse the mapping with dynamic PAT where the source port is translated instead of the IP.

How to eliminate wrong answers

Option A (203.0.113.20) is wrong because it corresponds to offset 4 (10.0.1.4), not offset 5. Option C (203.0.113.5) is wrong because it incorrectly uses the host portion of the internal IP as the last octet of the external IP, ignoring the pool base address. Option D (203.0.113.16) is wrong because it is the first address in the pool (network address), which is typically reserved and not assigned to hosts; the mapping starts from the first usable IP, which is 203.0.113.17 for 10.0.1.1.

434
Multi-Select (medium)

A FortiGate admin needs to configure source NAT for traffic from the internal network (10.0.0.0/8) to the internet. The requirement is to translate all internal IPs to a range of public IPs (203.0.113.1-203.0.113.10) while preserving the source port for specific applications. Which TWO configurations can achieve this? (Choose two.)

Select 2 answers
A. Use a One-to-One IP Pool
B. Use a Dynamic IP Pool with Overload
C. Enable NAT on the policy without an IP pool
D. Configure Central SNAT with Overload
E. Use a Fixed Port Range IP Pool
Answers: A, E

One-to-one maps each internal IP to a unique public IP, preserving ports.

Why this answer

Option A is correct because a One-to-One IP Pool maps each internal IP to a unique public IP from the range 203.0.113.1-203.0.113.10, preserving the original source port for each session. This meets the requirement to translate all internal IPs while keeping the source port unchanged for specific applications. The pool size (10 IPs) must be sufficient for the number of concurrent internal hosts.

Exam trap

The trap here is that candidates often confuse 'preserving the source port' with PAT (overload) behavior, assuming any dynamic pool will work, but only One-to-One and Fixed Port Range pools avoid port translation and keep the original port intact.

435
MCQ (easy)

A company uses Fortinet Single Sign-On (FSSO) to authenticate users for firewall policies. The FSSO collector agent is installed on a Windows server and configured with Active Directory polling. What does the collector agent do?

A. It acts as a RADIUS proxy between FortiGate and AD
B. It monitors AD logon events and sends user-IP mappings to the FortiGate
C. It polls the FortiGate for user information
D. It directly authenticates users to the FortiGate
Answer: B

This is the core function of the FSSO collector agent.

Why this answer

The FSSO collector agent monitors Active Directory for user logon events (via NetAPI or security event logs) and sends this information to the FortiGate, allowing it to map users to IP addresses.

436
MCQ (easy)

What is the purpose of configuring an NTP server on a FortiGate?

A. To enable time-based firewall policies.
B. To synchronize the FortiGate's system clock with a reliable time source.
C. To allow the FortiGate to act as an NTP server for the network.
D. To authenticate with FortiGuard services.
Answer: B

Why this answer

Configuring an NTP server on a FortiGate synchronizes the system clock with a reliable time source, which is essential for accurate logging, certificate validation, and time-based operations. While time-based firewall policies depend on an accurate clock, NTP itself is the mechanism to achieve that accuracy, not the policy feature itself.

Exam trap

The trap here is that candidates confuse the purpose of NTP (time synchronization) with the features that depend on accurate time, such as time-based policies or FortiGuard authentication, leading them to select those as the primary purpose.

How to eliminate wrong answers

Option A is wrong because time-based firewall policies are a feature that uses the system clock, but the purpose of NTP configuration is to synchronize that clock, not to directly enable the policies. Option C is wrong because while a FortiGate can be configured as an NTP server for the network, that is an optional role, not the primary purpose of configuring an NTP server on the device. Option D is wrong because FortiGuard services use the system clock for authentication and license validation, but NTP configuration is not a direct authentication method; it merely ensures the clock is accurate for those services.

437
MCQ (medium)

An administrator needs to upgrade the firmware on a FortiGate from version 6.4.10 to 7.0.1. The device currently runs FortiOS 6.4.10. Which upgrade path should be followed?

A. Downgrade to 6.2.0 then upgrade to 7.0.1
B. Upgrade to 7.0.0 first, then to 7.0.1
C. Upgrade directly from 6.4.10 to 7.0.1 via the GUI
D. Upgrade to 6.4.99 (if exists) then to 7.0.1
Answer: B

Upgrade to the first release of the next major branch, then to the target patch.

Why this answer

Fortinet requires a sequential upgrade path for major version jumps. FortiOS 6.4.10 can upgrade directly to 7.0.0, and then to 7.0.1, because 7.0.0 is the first release in the 7.0 branch. Upgrading directly from 6.4.10 to 7.0.1 is not supported as it skips the required intermediate version.

Exam trap

The trap here is that candidates assume GUI or direct upgrades are always safe, but Fortinet strictly enforces sequential version upgrades to prevent configuration and system incompatibilities.

How to eliminate wrong answers

Option A is wrong because downgrading to 6.2.0 is unnecessary and not a valid upgrade path; Fortinet does not support downgrading as a step to upgrade. Option C is wrong because upgrading directly from 6.4.10 to 7.0.1 via the GUI is not supported; the upgrade must go through 7.0.0 first. Option D is wrong because 6.4.99 does not exist as a release; Fortinet uses specific build numbers, not arbitrary patch versions, and the correct intermediate is 7.0.0.

438
Multi-Select (medium)

A FortiGate administrator is troubleshooting a traffic issue where users cannot access a specific website. The administrator runs 'diagnose debug flow' and sees the output indicating that traffic is being denied by a firewall policy. Which two actions should the administrator take to identify the specific policy denying the traffic? (Choose two.)

Select 2 answers
A. Run 'diagnose debug enable' and then reproduce the issue
B. Use 'diagnose sys session list' to find the policy ID
C. Review the policy list and look for the policy ID shown in the debug output
D. Check the traffic log for the session to see the policy ID
E. Disable all firewall policies temporarily
Answers: C, D

The debug flow output typically includes the policy ID that applied. The admin can then review that specific policy.

Why this answer

The debug flow output includes the policy ID that denied the traffic. The administrator can check the policy details using 'show firewall policy <id>' or check the traffic log for the session to see which policy was matched.

439
MCQ (medium)

An administrator wants to send FortiGate logs to a FortiAnalyzer for centralized logging and reporting. Which configuration step is required on the FortiGate?

A. Enable SNMP traps to the FortiAnalyzer
B. Create a firewall policy to allow traffic to the FortiAnalyzer
C. Under Log & Report, configure the FortiAnalyzer settings and set the log forwarding
D. Configure a syslog server under System > Settings
Answer: C

FortiGate has dedicated FortiAnalyzer settings under Log & Report.

Why this answer

Option C is correct because FortiGate uses the Log & Report section to configure FortiAnalyzer settings, specifically under 'Log Settings' or 'Log Forwarding'. This enables the FortiGate to forward logs to a FortiAnalyzer device for centralized logging and reporting, using the FortiGate-FortiAnalyzer protocol (based on syslog over TCP with Fortinet extensions).

Exam trap

The trap here is that candidates often confuse the generic syslog server configuration (Option D) with the FortiAnalyzer-specific log forwarding setup, or they mistakenly think a firewall policy (Option B) is the primary step rather than the log forwarding configuration itself.

How to eliminate wrong answers

Option A is wrong because SNMP traps are used for sending network management alerts (e.g., interface down) to an SNMP manager, not for forwarding logs to FortiAnalyzer. Option B is wrong because while a firewall policy may be needed to allow outbound traffic to the FortiAnalyzer IP, it is not the primary configuration step for log forwarding; the log forwarding settings themselves are configured under Log & Report. Option D is wrong because configuring a syslog server under System > Settings is for sending logs to a generic syslog server, not for the FortiAnalyzer-specific integration which requires the dedicated FortiAnalyzer configuration under Log & Report.

440
Multi-Select (medium)

An administrator is configuring a FortiGate to use FortiManager for centralized management. Which three steps are required?

Select 3 answers
A. Enable VDOMs on the FortiGate.
B. Authorize the FortiGate in the FortiManager GUI.
C. Register the FortiGate to the FortiManager using the registration code.
D. Create a local admin account on the FortiGate for FortiManager to use.
E. Ensure network connectivity between FortiGate and FortiManager on TCP port 541.
Answers: B, C, E

Authorization is needed to accept management.

Why this answer

Option B is correct because after the FortiGate is discovered by FortiManager (via FGFM protocol), the administrator must explicitly authorize the device in the FortiManager GUI under 'Device Manager > Unregistered Devices'. This step is mandatory to establish a trusted management relationship; without authorization, the FortiGate remains in an unmanaged state and cannot receive configuration or policy updates.

Exam trap

The trap here is that candidates often confuse 'registration' (step C) with 'authorization' (step B), thinking one step suffices, when in fact both are required sequentially, and they may also incorrectly assume a local admin account (step D) is needed for authentication.

441
MCQ (medium)

An administrator creates a firewall policy to allow outbound HTTP and HTTPS traffic from the internal network to the internet. The policy uses a dynamic IP pool for SNAT. Users report that some websites load slowly or fail to load intermittently. The administrator checks the firewall logs and sees 'session helper' warnings. What is the most likely cause?

A. The policy has traffic shaping enabled that is throttling the bandwidth
B. The firewall policy is configured for proxy-based inspection, causing high latency
C. The IP pool is configured with fixed port range, limiting the number of available ports
D. The DNS server on the internal network is misconfigured
Answer: C

Fixed port range restricts the port range used for NAT, causing quicker port exhaustion and intermittent failures for many connections.

Why this answer

The 'session helper' warnings indicate that the firewall is struggling to allocate NAT sessions for the dynamic IP pool. When the IP pool uses a fixed port range, the number of available source ports per IP is limited, leading to port exhaustion under heavy HTTP/HTTPS traffic. This causes intermittent failures and slow loads as new connections are dropped or queued.

Exam trap

The trap here is that candidates confuse 'session helper' warnings with application-layer issues (like proxy latency or DNS) instead of recognizing it as a NAT resource exhaustion symptom tied to port range limitations in the IP pool configuration.

How to eliminate wrong answers

Option A is wrong because traffic shaping throttles bandwidth but does not generate 'session helper' warnings; those are related to NAT resource exhaustion, not rate limiting. Option B is wrong because proxy-based inspection can add latency but would not cause intermittent failures tied to port availability; 'session helper' warnings are specific to NAT session allocation, not inspection mode. Option D is wrong because a misconfigured DNS server would cause consistent name resolution failures, not intermittent loading issues with 'session helper' warnings in the firewall logs.

442
MCQ (medium)

An administrator notices that the FortiGate HA cluster has two units, but only one is shown as 'primary' and the other as 'standby'. The administrator did not configure any load balancing. Which HA mode is in use?

A. Active-passive
B. Load-balanced cluster
C. Standalone
D. Active-active
Answer: A

Active-passive uses primary/standby roles.

Why this answer

In active-passive HA, one unit is primary (active) and the other is standby (passive).

443
Multi-Select (medium)

An administrator is configuring Active Directory polling for FSSO. Which two components must be set up correctly for FSSO to work?

Select 2 answers
A. A RADIUS server configured for user authentication
B. An IPsec tunnel between FortiGate and the domain controller
C. FortiToken license for each user
D. A firewall policy that allows LDAP traffic from FortiGate to the domain controller
E. An FSSO collector agent installed on a Windows server in the domain
Answers: D, E

FortiGate uses LDAP to query group membership information.

Why this answer

FSSO requires an FSSO collector agent that polls the domain controllers for logon events, with polling enabled, and the FortiGate must have LDAP configured so it can resolve usernames to their group memberships.

444
Multi-Select (medium)

A network administrator is configuring SNMP on a FortiGate for monitoring. Which three pieces of information are required to complete the SNMPv2c configuration? (Choose THREE.)

Select 3 answers
A. SNMPv3 authentication protocol (MD5/SHA)
B. SNMP manager IP address (allowed hosts)
C. SNMP trap receiver IP and community
D. SNMP community string
E. SNMP interface (the interface that will respond to SNMP queries)
Answers: B, D, E

The allowed-hosts list restricts which management stations can query the device.

Why this answer

SNMPv2c uses community-based security, so the SNMP community string (Option D) is required for authentication. The SNMP manager IP address (Option B) is needed to define which hosts are allowed to query the FortiGate. The SNMP interface (Option E) specifies which network interface will listen for and respond to SNMP queries.

These three pieces are mandatory for SNMPv2c configuration on a FortiGate.

Exam trap

The trap here is that candidates often confuse SNMPv2c requirements with SNMPv3 requirements, selecting authentication protocols (Option A) which are irrelevant for v2c, or they assume trap configuration is mandatory for basic monitoring, when it is actually optional.

445
MCQ (easy)

Which IPS detection method uses a baseline of normal traffic and alerts when deviations exceed a threshold?

A. Anomaly detection
B. Rate-based detection
C. Signature-based detection
D. Protocol decode-based detection
Answer: A

Anomaly detection establishes a baseline and flags abnormal traffic.

Why this answer

Anomaly detection learns normal traffic patterns and triggers when traffic deviates significantly.

446
MCQ (medium)

A FortiGate HA cluster is set to active-active mode. The administrator notices that session synchronization is enabled but some sessions are not being synced between cluster units. Which of the following is a likely cause for incomplete session synchronization in active-active mode?

A. The cluster is using unicast heartbeat
B. The 'set session-sync-id' is not configured or mismatched between cluster units
C. The heartbeat interface speed is set to 1 Gbps
D. The HA override is enabled
Answer: B

Active-active requires a session synchronization ID to be set; if it's missing or mismatched, sessions are not synced properly.

Why this answer

Option B is correct. In active-active HA, session synchronization must be set to 'all' or 'group' to sync sessions; the default may only sync specific sessions. The 'session-sync-id' must match on all units.

447
MCQ (medium)

An administrator wants to upgrade the FortiGate firmware from version 6.4.9 to 7.0.1. What is the most important consideration before proceeding?

A. Verify the upgrade path and check for any required intermediate versions
B. Upgrade to the latest 7.0.x directly without intermediate steps
C. Disable all firewall policies before upgrading
D. Ensure the configuration is backed up
Answer: A

Fortinet recommends following the upgrade path to avoid incompatibilities.

Why this answer

FortiGate firmware upgrades must follow a validated upgrade path to avoid configuration incompatibilities or boot failures. Version 6.4.9 to 7.0.1 requires an intermediate upgrade to 7.0.0 first, as direct jumps across major versions or skipping required intermediate releases can corrupt the firmware image or render the device unbootable. Fortinet publishes explicit upgrade paths in the release notes, and ignoring them is the most common cause of failed upgrades.

Exam trap

The trap here is that candidates assume a configuration backup is the most critical step, but Fortinet specifically tests that verifying the upgrade path is the primary consideration to prevent a non-bootable device.

How to eliminate wrong answers

Option B is wrong because upgrading directly to the latest 7.0.x without intermediate steps violates Fortinet's required upgrade path; 6.4.9 must first go to 7.0.0 before reaching 7.0.1. Option C is wrong because disabling firewall policies is not a prerequisite for firmware upgrades; the upgrade process preserves the configuration, and policies remain intact. Option D is wrong because while backing up the configuration is a best practice, it is not the most important consideration; the upgrade path is critical to avoid a bricked device, whereas a backup only protects against data loss after a failure.

448
MCQ (easy)

Which of the following best describes the function of FortiGuard web filtering categories?

A. They are used to quarantine infected files
B. They block specific IP addresses known for hosting malware
C. They provide a list of allowed websites only
D. They categorize websites to allow granular control over access based on content type
Answer: D

This is the primary purpose: to enable policy-based control by website category.

Why this answer

FortiGuard categories classify websites into groups (e.g., Social Networking, Pornography) so administrators can define actions (allow, block, monitor) for each group in the web filter profile.

449
Matching (medium)

Match each Fortinet product to its primary role.

Matches

Next-generation firewall

Security information and event management

Centralized logging and analytics

Centralized management and policy orchestration

Advanced threat detection and analysis

Why these pairings

These products are part of the Fortinet Security Fabric.

450
MCQ (hard)

An administrator runs 'diagnose vpn ssl stat' and sees 'tun-num: 5, clients: 0'. Users are unable to connect to the SSL VPN. The SSL VPN settings are correct and the certificate is valid. What could be the cause?

A. The FortiGate has reached the maximum number of SSL VPN users allowed by the license
B. The SSL VPN is listening on a non-default port and users are connecting to the default port
C. The SSL VPN certificate is not trusted by the client browsers
D. The SSL VPN portal is configured with 'limit-scan' scanning
Answer: B

If the listening port (e.g., 10443) is different, users connecting to 443 will fail.

Why this answer

The command shows that tunnel interfaces exist but no clients are connected, so the failure occurs before any client session is established. A restricted user group or a 'limit-scan' setting on the portal (Option D) could deny users, and in practice a missing or misconfigured SSL VPN firewall policy is the most common cause of users being unable to pass traffic, but that is not among the options.

Because the output shows zero clients, the problem is at the authentication or network layer. Option B is plausible: if the listening port has been changed, users connecting to the default port never reach the SSL VPN service. Option C is also plausible but less typical.

The question is tricky, since a missing or misconfigured policy is the most common real-world cause, but Option B is the choice that most directly explains a client count of zero.
