Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 451–525

1000 questions total · 14 pages · All types, answers revealed


Page 7 of 14

451
Multi-Select · medium

An administrator wants to implement ZTNA (Zero Trust Network Access) on a FortiGate to secure access to an internal application. Which TWO components are essential for a ZTNA configuration?

Select 2 answers
A. A firewall policy using IPsec VPN
B. A FortiGate in transparent mode
C. A policy-based IPsec tunnel
D. A proxy-based firewall policy
E. A ZTNA rule that verifies endpoint identity and posture
Answers: D, E

ZTNA uses proxy-based inspection to apply access rules.

Why this answer

ZTNA requires a proxy-based policy that inspects traffic, and a ZTNA rule that defines the access conditions (tags, endpoint compliance, etc.).

452
Multi-Select · hard

An administrator is troubleshooting a VPN tunnel that fails to establish. Which TWO CLI commands would provide the most relevant diagnostic information? (Choose two.)

Select 2 answers
A. show full-configuration vpn ipsec
B. execute ping-options source
C. diagnose debug application ike -1
D. get system performance status
E. diagnose vpn ike log
Answers: C, E

Enables real-time IKE debugging output.

Why this answer

'diagnose vpn ike log' provides detailed IKE negotiation logs; 'diagnose debug application ike -1' enables real-time IKE debugging. Both are essential for VPN troubleshooting.

453
Multi-Select · hard

An administrator receives alerts about a possible data breach. Sensitive data (credit card numbers) might be leaving the network via email. The admin wants to detect and block such emails. Which THREE security profiles should be combined?

Select 3 answers
A. Web filter profile
B. SSL deep inspection profile
C. Email filter profile
D. Data leak prevention (DLP) profile
E. Antivirus profile
Answers: B, C, D

Needed to inspect encrypted email connections.

Why this answer

Options B, C, and D are correct: DLP detects credit card numbers in content; the email filter processes SMTP traffic; SSL deep inspection is needed if the email session uses TLS.

454
MCQ · medium

An administrator wants to block users from uploading sensitive documents through webmail. Which security profile should be configured on the FortiGate to achieve this goal?

A. Data Leak Prevention (DLP)
B. Antivirus
C. Application control
D. Web filter
Answer: A

DLP can inspect file content and block uploads containing sensitive data patterns, such as credit card numbers or confidential labels.

Why this answer

Option A is correct because DLP profiles can block data based on content inspection, including file uploads to webmail.

455
MCQ · medium

Refer to the exhibit. An SD-WAN rule for voice traffic uses the SLA strategy with sla-match-mode 'any'. SLA 'sla1' measures ping to 8.8.8.8. If wan1 has latency 90 ms and jitter 10 ms, and wan2 has latency 110 ms and jitter 5 ms, which link will be selected for voice traffic?

A. Neither link, because both fail jitter.
B. wan1, because it meets the SLA thresholds.
C. Both links, because sla-match-mode 'any' allows any link that meets SLA.
D. wan2, because it has lower jitter.
Answer: B

Correct; wan1 meets both latency and jitter thresholds.

Why this answer

With sla-match-mode 'any', the SD-WAN rule selects the first link that meets any of the configured SLA thresholds. The SLA for voice traffic measures ping to 8.8.8.8 with thresholds for latency and jitter. wan1 has latency 90 ms and jitter 10 ms, which both fall within typical SLA thresholds (e.g., latency < 150 ms, jitter < 20 ms), so it meets the SLA. wan2 has latency 110 ms, which also meets the latency threshold, but since 'any' mode selects the first qualifying link, wan1 is chosen. Option B is correct because wan1 satisfies the SLA and is selected first.

Exam trap

The trap here is that candidates often assume sla-match-mode 'any' selects all links that meet any SLA, but it actually selects only the first qualifying link in the order, leading to confusion with 'all' mode or load-balancing behavior.

How to eliminate wrong answers

Option A is wrong because both links do not fail jitter; wan1 has jitter 10 ms and wan2 has jitter 5 ms, both within typical thresholds, and the SLA is met by at least one link. Option C is wrong because sla-match-mode 'any' does not select all links that meet SLA; it selects the first link that meets any SLA threshold, not all links. Option D is wrong because the selection is not based on lower jitter; it is based on the first link meeting the SLA thresholds, and wan1 is evaluated first.

456
Multi-Select · hard

An admin wants to ensure that traffic between two internal subnets (10.0.1.0/24 and 10.0.2.0/24) is inspected by the FortiGate but does not have its source IP translated. Which THREE configuration elements are required? (Choose three.)

Select 3 answers
A. NAT disabled on that policy
B. A static route for each subnet on the FortiGate
C. An IP pool for source NAT
D. A firewall policy allowing traffic between the two subnets
E. Security profiles (e.g., antivirus, IPS) applied to the policy
Answers: A, D, E

To avoid source IP translation, NAT must be disabled.

Why this answer

Option A is correct because when traffic between two internal subnets does not require source IP translation, NAT must be explicitly disabled on the firewall policy. By default, FortiGate policies may have NAT enabled (especially on outbound interfaces), so disabling NAT ensures the original source IP (10.0.1.x) is preserved when communicating with 10.0.2.x. This is configured with 'set nat disable' in the policy on the CLI, or by unchecking NAT in the GUI.

Exam trap

The trap here is that candidates often assume static routes are always needed for inter-subnet routing, but FortiGate automatically creates connected routes for directly attached subnets, making static routes unnecessary in this scenario.

457
MCQ · easy

Which address object type allows you to match traffic based on the domain name in the HTTPS SNI field?

A. Geography
B. Wildcard FQDN
C. Subnet
D. FQDN
Answer: B

Wildcard FQDN objects match domain names and can be used with SNI.

Why this answer

Wildcard FQDN objects can match domain names (fully qualified domain names) even with wildcards, and FortiGate can use SNI to match HTTPS traffic.

458
MCQ · hard

Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?

A. The authentication session will remain active because the firewall session is still valid
B. The user will be automatically re-authenticated without prompting
C. The firewall session will be torn down immediately
D. The authentication session will expire, and the user must re-authenticate for new traffic
Answer: D

The user will be prompted for credentials again after idle timeout.

Why this answer

Option D is correct because the authentication idle timeout of 30 minutes governs the authentication session, not the firewall session. Once the user 'jsmith' has been idle for 30 minutes, the authentication session expires. Any new HTTP traffic from 10.0.0.0/24 to 192.168.1.10 will then require re-authentication, as the firewall policy enforces authentication for that traffic.

The existing firewall session may persist briefly, but it will not allow new traffic without a valid authentication entry.

Exam trap

The trap here is that candidates confuse the firewall session timeout with the authentication idle timeout, assuming that an active firewall session keeps the authentication session alive, when in fact they are independent timers.

How to eliminate wrong answers

Option A is wrong because the authentication session is independent of the firewall session; the firewall session may remain valid for its own timeout, but the authentication session will expire after the idle timeout, requiring re-authentication for new traffic. Option B is wrong because automatic re-authentication without prompting is not a feature of FortiGate authentication; the user must be prompted or use a pre-authentication method. Option C is wrong because the firewall session is not torn down immediately; it will continue until its own session timeout or until traffic stops, but new traffic will be blocked until re-authentication occurs.

459
MCQ · easy

What is the order of evaluation for firewall policies on a FortiGate?

A. Random order
B. From bottom to top
C. From top to bottom, first match
D. By policy ID in ascending order
Answer: C

Correct.

Why this answer

FortiGate evaluates policies from top to bottom in the policy list, and the first match is applied.

460
MCQ · easy

A FortiGate policy allows traffic from the internal network to a DMZ server. The admin wants to limit access to only specific hours. Which object type should be used in the policy?

A. Address group
B. Schedule
C. Service group
D. Traffic shaper
Answer: B

Correct. Schedule objects are used to restrict policy to certain times.

Why this answer

Schedule objects define time ranges (recurring or one-time) during which a policy is effective. They are applied directly in the firewall policy.

461
MCQ · easy

Which of the following best describes the purpose of a captive portal on a FortiGate?

A. To provide secure remote access to internal resources
B. To authenticate users before granting network access
C. To encrypt traffic between sites
D. To block malware from entering the network
Answer: B

Captive portal intercepts HTTP traffic and redirects to a login page.

Why this answer

A captive portal forces unauthenticated users to authenticate before accessing the network.

462
MCQ · medium

A FortiGate administrator notices that the device's disk usage is critically high, causing logging failures. The administrator wants to free up space without losing important logs. Which action should be taken first?

A. Delete all existing log files
B. Configure log compression
C. Disable logging to the local disk
D. Increase the disk retention period
Answer: B

Compression reduces file size without deleting logs.

Why this answer

Log compression reduces the size of existing log files on the disk without deleting any data, directly addressing the critically high disk usage while preserving all important logs. This is the safest first step because it reclaims space immediately without risking data loss or altering logging behavior.

Exam trap

The trap here is that candidates may confuse 'increasing retention period' (which makes the problem worse) with 'decreasing retention period' (which would free space but delete logs), or they may think disabling logging is a quick fix without realizing it stops all logging activity.

How to eliminate wrong answers

Option A is wrong because deleting all existing log files would permanently remove important logs, which contradicts the requirement to not lose them. Option C is wrong because disabling logging to the local disk would stop all future logging to the device, potentially losing critical security events, and does not free up space already used. Option D is wrong because increasing the disk retention period would actually cause logs to be kept longer, worsening the disk usage problem rather than solving it.

463
MCQ · easy

Refer to the exhibit. An administrator has created an IPS sensor with two entries. The first entry sets severity 'medium' and action 'block'. The second entry sets severity 'critical' and action 'block'. What will happen when a packet triggers an IPS signature with severity 'low'?

A. The packet will be allowed (pass).
B. The packet will be logged and a session will be created.
C. The packet will be blocked if the signature severity is 'low' or 'high'.
D. The packet will be blocked because the sensor is enabled.
Answer: A

Signatures not matching any entry use the default action 'pass'.

Why this answer

The IPS sensor in the exhibit defines rules only for severity 'medium' and 'critical', both with action 'block'. When a packet triggers a signature with severity 'low', it does not match any entry in the sensor. Therefore, the default action for unmatched signatures is to allow (pass) the traffic.

FortiGate IPS sensors apply actions only to explicitly configured severity levels; unlisted severities are not affected.

Exam trap

The trap here is that candidates assume an enabled IPS sensor blocks all traffic by default, but FortiGate IPS sensors only apply actions to signatures whose severity is explicitly listed in the sensor entries.

How to eliminate wrong answers

Option B is wrong because logging and session creation are not automatic for unmatched severity levels; they only occur if the sensor entry specifies 'log' or if the signature action is triggered. Option C is wrong because the sensor does not block 'low' severity signatures, and 'high' severity is not even listed in the sensor entries. Option D is wrong because simply enabling the sensor does not block all traffic; blocking only happens for signatures that match an entry with a 'block' action.

464
MCQ · hard

A FortiGate is configured with an IPS profile that includes a signature with a 'Pass' action. The firewall policy uses this IPS profile. What will happen when traffic matching that signature is detected?

A. The traffic is allowed, but the session is reset
B. The traffic is allowed without logging
C. The traffic is blocked and logged
D. The traffic is blocked and the session is reset
Answer: B

Pass action permits traffic and by default does not generate a log (unless logging is separately enabled).

Why this answer

Option B is correct. A 'Pass' action means the traffic is allowed and not logged (unlike 'Allow', which logs). The signature match generates an event but does not drop or reset the session.

465
MCQ · hard

An administrator configures a FortiGate in transparent mode to be deployed between a router and a switch. After installation, traffic passes through but the administrator cannot access the FortiGate's management IP from the management network. What is the MOST likely reason?

A. The management IP is not in the same subnet as the management network.
B. Transparent mode does not support management access; only NAT/Route mode does.
C. The FortiGate's firewall policy blocks management traffic even in transparent mode.
D. The administrator must configure a management VLAN interface to access the FortiGate.
Answer: A

In transparent mode, the management IP must be in the same subnet as the management network to be reachable; otherwise, the FortiGate will not respond to management traffic.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge, and its management IP must belong to the same subnet as the management network to be reachable. If the management IP is on a different subnet, the FortiGate will not respond to management traffic because it does not route between subnets in transparent mode; it only forwards traffic at Layer 2.

Exam trap

The trap here is that candidates often assume transparent mode disables all management access or requires special VLANs, when the real issue is simply a subnet mismatch between the management IP and the management network.

How to eliminate wrong answers

Option B is wrong because transparent mode fully supports management access via a dedicated management IP, just like NAT/Route mode, though the IP is used for management only and not for routing. Option C is wrong because by default in transparent mode, there is no firewall policy blocking management traffic; management access is controlled by administrative access settings (e.g., HTTPS, SSH) on the management interface, not by firewall policies. Option D is wrong because a management VLAN interface is not required; the administrator can assign a management IP directly to the FortiGate's management interface (e.g., the internal interface) as long as it is on the same subnet as the management network.

466
MCQ · medium

A company uses FSSO (Fortinet Single Sign-On) with a domain controller. Users authenticate to the domain, and the FortiGate retrieves the login events. The firewall policy uses the FSSO group. Some users report that after logging in, they cannot access resources that require authentication. The administrator checks the FSSO status and sees that the FortiGate is receiving login events. What is the most likely cause?

A. The user is not a member of the FSSO group
B. The FSSO collector agent is not running
C. The user's IP address is not in the source address range of the policy
D. The FortiGate is not polling the domain controller
Answer: C

FSSO authenticates the user, but the policy's source address must match the user's IP.

Why this answer

Option C is correct because even though the FortiGate is receiving FSSO login events, the firewall policy also includes a source address restriction. If the user's IP address falls outside the defined source address range, the policy will not match, and the user will be denied access despite being authenticated via FSSO. The FSSO group membership is only one condition; the source IP must also satisfy the policy's source address criteria.

Exam trap

The trap here is that candidates assume receiving FSSO login events guarantees policy match, ignoring that the source address condition in the firewall policy is a separate, independent requirement that must also be satisfied.

How to eliminate wrong answers

Option A is wrong because if the user were not a member of the FSSO group, the FortiGate would not show the user as authenticated, and the administrator would not see the user's login events in the FSSO status. Option B is wrong because the FSSO collector agent is confirmed to be running since the FortiGate is receiving login events; a stopped collector agent would prevent event reception. Option D is wrong because the FortiGate is already receiving login events, which proves it is successfully polling or receiving data from the domain controller; if polling were failing, no events would appear.

467
Multi-Select · hard

A FortiGate administrator is configuring a policy-based routing (PBR) rule to send all traffic from the 'Engineering' VLAN (10.1.0.0/16) to a dedicated internet link through gateway 203.0.113.1. The administrator also wants to apply a traffic shaper to limit bandwidth. Which THREE configuration tasks must be performed?

Select 3 answers
A. Define a traffic shaper object with the desired bandwidth limits
B. Enable SD-WAN on the FortiGate
C. Configure Central NAT to translate the source IP
D. Create a policy-based route with source 10.1.0.0/16 and gateway 203.0.113.1
E. Create a firewall policy allowing traffic from Engineering VLAN to internet and apply the traffic shaper
Answers: A, D, E

The shaper must exist before it can be applied in a firewall policy.

Why this answer

Option A is correct because a traffic shaper object must first be defined with the desired bandwidth limits (e.g., maximum rate, burst size) before it can be applied to a firewall policy. Without this object, the shaper cannot be referenced or enforced.

Exam trap

The trap here is that candidates often think SD-WAN is required for PBR or that Central NAT is mandatory, when in fact PBR and traffic shaping are independent features that can be configured without SD-WAN or Central NAT.

468
MCQ · medium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A. SSL/TLS deep inspection is not enabled on the firewall policy
B. The antivirus profile is configured for flow-based inspection instead of proxy-based
C. The web server's certificate is self-signed and FortiGate is rejecting the connection
D. The FortiGuard antivirus subscription has expired
Answer: A

HTTPS traffic is encrypted. FortiGate cannot inspect the payload without SSL deep inspection decrypting the TLS session. The antivirus profile requires inspection mode to be enabled.

Why this answer

Option A is correct because HTTPS uses TLS encryption. Without SSL deep inspection enabled on the policy, FortiGate cannot decrypt and inspect the content of HTTPS traffic. The antivirus profile will only scan unencrypted traffic or traffic that deep inspection has decrypted first.

469
MCQ · hard

You receive an alert that a user's FortiToken synchronization is off. You need to resynchronize the token. Which CLI command achieves this?

A. diagnose user fortitoken resync <token-serial>
B. config user fortitoken edit <token-serial> set status activate
C. execute fortitoken-update <token-serial>
D. execute fortitoken-resync <token-serial>
Answer: D

Correct. This triggers a resynchronization of the token's OTP sequence.

Why this answer

The command 'execute fortitoken-resync <token-serial>' is used to resynchronize a FortiToken with the FortiGate. This updates the token's seed and counter.

470
MCQ · medium

An administrator wants to integrate FortiSandbox with a FortiGate to analyze suspicious files. Which security profile must be configured to send files to FortiSandbox?

A. Application Control profile with FortiSandbox enabled
B. Antivirus profile with FortiSandbox enabled
C. IPS profile with FortiSandbox enabled
D. Web Filter profile with FortiSandbox enabled
Answer: B

Why this answer

FortiSandbox integration is configured within the antivirus profile. When enabled, files that trigger certain conditions are sent to FortiSandbox for advanced analysis. Other profiles do not directly support FortiSandbox submission.

471
MCQ · medium

A FortiGate has multiple firewall policies. Policy ID 1 allows HTTP from LAN to WAN. Policy ID 2 allows all traffic from DMZ to WAN. A packet arrives from the DMZ interface destined to a web server on the internet using HTTPS. Which policy is matched?

A. Policy ID 1, because it is first in order
B. Policy ID 2, but only if it has a service allowing HTTPS
C. Implicit deny, because no policy matches HTTPS traffic
D. Policy ID 2, because it matches the source interface and destination
Answer: D

Policy 2 allows all traffic from DMZ to WAN, including HTTPS.

Why this answer

Policy lookup is performed top-down. The first matching policy is used. Policy 1 matches only LAN traffic, not DMZ.

Policy 2 matches all traffic from DMZ to WAN, so it matches the packet.

472
Multi-Select · hard

An administrator notices that VoIP traffic (SIP) is not being inspected by the IPS profile applied to the firewall policy. The administrator suspects the traffic is being accelerated by NPU offloading. Which TWO actions can prevent NPU offloading for SIP traffic to ensure IPS inspection? (Choose two.)

Select 2 answers
A. Change the policy inspection mode to 'Proxy-Based'
B. Disable 'Allow Offload' in the policy advanced options
C. Enable 'Set SNAT' on the policy
D. Enable 'Deep Inspection' on the policy
E. Create a separate VIP for SIP
Answers: A, B

Proxy-based inspection cannot be offloaded.

Why this answer

Disabling NPU offloading per policy can be done by configuring the policy to use 'Proxy-Based' inspection or by disabling 'capwap' and 'offload' options in the firewall policy advanced settings. Also, enabling SSL inspection forces software processing.

473
Multi-Select · hard

An administrator needs to configure destination NAT for multiple internal servers using a single public IP address by differentiating based on destination port. The public IP 203.0.113.10 should map to: (1) 10.0.0.1:80 for HTTP, (2) 10.0.0.2:443 for HTTPS. Which TWO configuration steps are required? (Choose two.)

Select 2 answers
A. Create a VIP for HTTP mapping port 80 to 10.0.0.1
B. Create an IP pool for the public IP
C. Create a VIP for HTTPS mapping port 443 to 10.0.0.2
D. Configure policy-based routing for each server
E. Use Central SNAT with port forwarding
Answers: A, C

VIP defines the mapping.

Why this answer

A VIP group containing multiple VIPs, each with a different port mapping, allows this. Alternatively, separate VIPs with different public ports can be used. Options A and C are correct.

474
MCQ · medium

An administrator is configuring a FortiGate HA cluster and wants to ensure that the primary unit is always preferred based on its configuration priority. Which setting should be enabled to allow the primary unit to resume its role after a failover if it regains connectivity?

A. set ha-inherit-priority enable
B. set override enable
C. set session-pickup enable
D. set ha-priority 255
Answer: B

Override enables a higher-priority unit to reclaim the primary role.

Why this answer

Option B is correct. The HA override setting allows a higher-priority unit to take over the primary role when it rejoins the cluster after a failure, even if it was previously secondary.

475
Multi-Select · medium

A FortiGate admin is troubleshooting an IPsec VPN where Phase 1 is up but Phase 2 fails to establish. Which TWO diagnostic commands would provide the most relevant information?

Select 2 answers
A. diagnose debug application ike -1
B. diagnose vpn tunnel list
C. diagnose netlink interface list
D. diagnose sys session list
E. diagnose vpn ike log
Answers: B, E

This lists all VPN tunnels and their status.

Why this answer

'diagnose vpn ike log' shows IKE negotiation details including Phase 2, and 'diagnose vpn tunnel list' shows tunnel status and configuration.

476
Multi-Select · hard

A FortiGate administrator is troubleshooting a VPN tunnel that is not coming up. The phase 1 parameters match on both sides. Which three configuration items should the administrator verify?

Select 3 answers
A. NAT traversal is enabled on both sides.
B. The phase 2 proposal matches the remote device.
C. The local and remote interface IP addresses are correctly configured.
D. The pre-shared key is identical on both sides.
E. Firewall policies permit the VPN traffic (UDP 500, 4500).
Answers: C, D, E

Incorrect IPs prevent IKE negotiation.

Why this answer

Option C is correct because the local and remote interface IP addresses define the tunnel endpoints. If these are misconfigured, the VPN cannot establish a secure connection even if all other parameters match. The FortiGate uses these addresses to route IKE traffic to the correct peer.

Exam trap

The trap here is that candidates often focus only on phase 1 parameters like encryption and authentication, forgetting that basic connectivity items like interface IPs, pre-shared keys, and firewall rules are equally critical for the tunnel to come up.

477
MCQ · medium

An administrator configures a policy route to direct traffic from subnet 10.1.1.0/24 to the internet via ISP1 with a gateway of 203.0.113.1. However, traffic from that subnet is still using the default route via ISP2. What is the MOST likely cause?

A. The source interface is not specified in the policy route
B. The default route has a lower administrative distance
C. The policy route's destination is set to 'all' which conflicts with the default route
D. The policy route is configured after the default route in the routing table
Answer: A

Policy routes require a source interface to match. If not set, the policy route may not apply.

Why this answer

Policy routes in FortiGate are evaluated based on the source interface and source address. If the source interface is not specified, the policy route may not match the incoming traffic because the firewall does not know which interface the traffic is arriving on. Without a matching source interface, the policy route is skipped, and the default route (via ISP2) is used instead.

Exam trap

The trap here is that candidates assume policy routes are evaluated after the routing table or that administrative distance affects policy route matching, when in fact policy routes are processed first and require explicit source interface matching.

How to eliminate wrong answers

Option B is wrong because administrative distance is a property of static routes, not policy routes; policy routes are evaluated before the routing table lookup, so a lower administrative distance on the default route does not override a matching policy route. Option C is wrong because setting the destination to 'all' in a policy route means it matches any destination, which does not conflict with the default route; the issue is the missing source interface, not the destination. Option D is wrong because policy routes are not ordered in the routing table; they are evaluated in the order they appear in the policy route list, and the default route is only consulted if no policy route matches.

478
MCQ · medium

An admin is troubleshooting why a user's traffic is not being logged. The firewall policy has logging enabled at 'All Sessions'. The admin checks the traffic log and sees no entries for that user. The admin runs 'diagnose debug flow' and sees the traffic is matching the policy. What could be the issue?

A. The user's traffic is not traversing the FortiGate
B. The log queue is overflowing and logs are being dropped
C. The logging filter is set to only log 'emergency' severity
D. The log disk is full and cannot accept new logs
Answer: B

If the log rate exceeds the ability to write to disk, logs can be dropped. The admin should check 'diagnose log device status' and 'diagnose log test'.

Why this answer

If the traffic is matching the policy but not appearing in logs, the most common reason is that the log buffer is full or logs are being dropped due to high rate. Alternatively, the log device (e.g., disk) might be full or the log queue is overflowing. Another possibility is that the log severity filter is too restrictive, but by default traffic logs are logged at 'information' severity.

The scenario says logging is enabled, so the issue is most likely a log queue overflow (or a full disk). Option B, the log queue overflowing and logs being dropped, is the answer.

479
MCQ · easy

When configuring a route-based IPsec VPN, which of the following must be created to allow traffic to flow through the tunnel?

A. A static route to the remote subnet via the IPsec interface
B. A firewall policy with the VPN interface as source
C. A NAT rule to translate the private IPs
D. A security profile for VPN traffic
Answer: A

The route tells the FortiGate how to reach the remote subnet.

Why this answer

A route-based VPN uses a virtual IPsec interface; a static route must point to that interface for the remote subnet.

480
MCQ · hard

A company with 500 employees uses FortiGate as their internet gateway. They recently enabled SSL deep inspection using the built-in CA certificate. After deployment, many users report that they cannot access their online banking websites. The error message in the browser says 'The certificate is not trusted'. The administrator has already pushed the FortiGate CA certificate to all domain-joined computers via Group Policy. However, the problem persists for banking sites. The administrator also notices that banking sites load fine on mobile devices that do not have the CA certificate installed. What is the most likely cause and solution?

A. Disable SSL inspection entirely to avoid certificate issues.
B. The CA certificate is not properly installed on all computers. Re-deploy via Group Policy.
C. Use certificate inspection instead of deep inspection for all traffic.
D. Banking websites use certificate pinning. Exempt them from deep inspection using an SSL inspection exemption list.
Answer: D

Certificate pinning causes errors with re-signed certificates. Exempting prevents decryption.

Why this answer

Banking websites often use HTTP Public Key Pinning (HPKP) or certificate pinning, where the browser expects a specific certificate or public key from the server. When FortiGate performs SSL deep inspection, it re-signs the server's certificate with its own CA, breaking the pinning validation. This causes the 'certificate not trusted' error even when the FortiGate CA is trusted, because the browser detects that the presented certificate does not match the pinned certificate.

The correct solution is to exempt banking sites from deep inspection using an SSL inspection exemption list, allowing the original server certificate to pass through.

Exam trap

The trap here is that candidates assume the issue is always a missing CA certificate deployment, but the real problem is certificate pinning, which causes trust failures even when the CA is trusted, because the browser checks the pinned certificate hash against the presented certificate.

How to eliminate wrong answers

Option A is wrong because disabling SSL inspection entirely would remove security visibility for all HTTPS traffic; that is an overreaction to a problem specific to pinned certificates. Option B is wrong because the problem persists even though the CA certificate has been deployed via Group Policy, so the error is caused by the pinning check failing, not by missing CA trust. Option C is wrong because certificate inspection (which inspects only certificate metadata, not content) leaves the original server certificate intact, so pinned sites would load, but it would also give up content inspection for all traffic; the targeted fix is an exemption for the pinned sites, not a global change to certificate inspection.

481
MCQ · easy

Which of the following is NOT a valid address object type in FortiGate?

A. Subnet
B. Wildcard FQDN
C. Geography
D. MAC address
Answer: D

MAC addresses are not used in firewall policy address objects; policies use IP addresses.

Why this answer

FortiGate address objects support Subnet, Wildcard FQDN, and Geography types, but MAC addresses are not a valid address object type. MAC addresses are used in other contexts like static ARP entries or DHCP reservations, not as firewall address objects.

Exam trap

The trap here is that candidates may confuse MAC address filtering (available in some security features, such as device identification) with a valid firewall address object type and pick the wrong answer.

How to eliminate wrong answers

Option A is wrong because Subnet is a standard address object type in FortiGate, used to define IPv4 or IPv6 network ranges. Option B is wrong because Wildcard FQDN is a valid address object type that matches multiple FQDNs using wildcard patterns (e.g., *.example.com). Option C is wrong because Geography is a valid address object type that allows matching traffic based on source or destination country using GeoIP databases.

482
MCQ · easy

An administrator is troubleshooting an SSL VPN connection issue. Users can authenticate but receive 'No available tunnel' error. What is the most likely cause?

A. Split tunneling is misconfigured.
B. The firewall policy does not allow traffic from the SSL VPN interface.
C. The SSL VPN port is blocked on the firewall.
D. The SSL VPN IP pool has run out of addresses.
Answer: D

Exhausted IP pool prevents tunnel assignment.

Why this answer

The 'No available tunnel' error after successful authentication indicates that the SSL VPN daemon cannot assign an IP address to the client. The most likely cause is that the SSL VPN IP pool has exhausted its available addresses, preventing the creation of a virtual tunnel interface. This is a common issue when the pool size is smaller than the number of concurrent users.

Exam trap

The trap here is that candidates often confuse post-authentication issues (like IP pool exhaustion) with pre-authentication issues (like port blocking) or traffic-routing issues (like split tunneling or firewall policies), leading them to select options that would prevent authentication entirely rather than the specific error message given.

How to eliminate wrong answers

Option A is wrong because split tunneling controls which subnets are routed through the VPN tunnel versus the client's local network; it does not affect the ability to establish the tunnel itself. Option B is wrong because the firewall policy on the SSL VPN interface controls traffic forwarding after the tunnel is established, not the tunnel creation process. Option C is wrong because if the SSL VPN port were blocked, users would not be able to authenticate at all; the error occurs after successful authentication.

483
Drag & Drop · medium

Drag and drop the steps to perform a factory reset on FortiGate via CLI into the correct order.


Why this order

Factory reset is done with execute factoryreset, then confirm; device reboots to defaults.

484
MCQ · medium

A FortiGate is configured with two equal-cost static default routes via two ISPs. The administrator wants to use both links simultaneously for outbound traffic, distributing sessions per source-destination pair. Which ECMP load balancing method should be configured under config system settings?

A. weighted-round-robin
B. vip-inbound-grpc
C. spillover
D. source-destination-ip
Answer: D

Correct method to distribute sessions per source-destination IP pair.

Why this answer

The source-destination-ip method under ECMP load balancing distributes sessions based on both source and destination IP addresses, ensuring that all packets belonging to the same session (same source-destination pair) are forwarded via the same path. This meets the requirement of using both links simultaneously for outbound traffic while maintaining per-session consistency.

Exam trap

The trap here is that candidates often confuse ECMP load balancing methods with general load balancing techniques, mistakenly selecting weighted-round-robin because it sounds like a standard load balancing algorithm, but it does not guarantee per-source-destination pair distribution in FortiGate's ECMP context.

How to eliminate wrong answers

Option A (weighted-round-robin) is wrong because it distributes sessions in a round-robin fashion based on weights, not per source-destination pair, which can cause session asymmetry. Option B (vip-inbound-grpc) is wrong because it is not an ECMP load balancing method; it relates to gRPC-based VIP configuration for inbound traffic. Option C (spillover) is wrong because it forwards traffic to a secondary link only when the primary link's bandwidth threshold is exceeded, not for simultaneous use of both links.

485
Multi-Select · medium

An admin is troubleshooting why traffic from a specific host (10.0.1.10) to a web server (203.0.113.50:80) is being denied. The FortiGate has several policies. Which TWO CLI commands should the admin use to identify which policy is matching the traffic? (Choose two.)

Select 2 answers
A. execute ping 203.0.113.50
B. diagnose firewall iprope lookup 10.0.1.10 -> 203.0.113.50 80
C. diagnose debug flow
D. diagnose firewall policy list
E. get firewall policy
Answers: B, D

Simulates the policy lookup for a specific flow, showing which policy matches.

Why this answer

'diagnose firewall policy list' shows the policy list with IDs. 'diagnose firewall iprope' shows the lookup order and matching policy. 'get firewall policy' is a config command, not for real-time traffic. 'execute' commands are for pinging, not policy lookup.

486
MCQ · hard

Given the above IPS sensor configuration, what will happen when traffic matching a high-severity IPS signature is detected?

A. The traffic will be logged but not blocked.
B. The traffic will be blocked only if the signature is enabled globally.
C. The traffic will be blocked because the sensor has a block action.
D. The traffic will be allowed because no entry exists for high severity.
Answer: D

High-severity signatures are not in the sensor, so they are allowed.

Why this answer

Option D is correct because the IPS sensor configuration shown does not include an entry for high-severity signatures. Without a specific action defined for high severity, the sensor defaults to allowing the traffic while still generating a log entry. This is a common behavior in FortiGate IPS where only explicitly configured severity levels have defined actions.

Exam trap

The trap here is that candidates assume high-severity signatures are automatically blocked by default, but FortiGate requires explicit action configuration per severity level, and the default action is to allow.

How to eliminate wrong answers

Option A is wrong because logging without blocking would require a 'monitor' or 'pass' action explicitly configured for high severity, which is absent. Option B is wrong because global signature enablement does not override the per-severity action configuration; the sensor's action table determines blocking, not global status. Option C is wrong because the sensor does not have a block action for high severity; the block action is only defined for critical and medium severity levels in the provided configuration.

487
MCQ · medium

An admin configures a firewall policy to allow SMTP traffic from a mail server to the internet with NAT enabled. External recipients report that the email source IP is the FortiGate's external interface IP. The admin wants the source to be a specific IP from a pool. What should the admin configure?

A. Create a central SNAT policy with the source as the mail server and the translated IP as the desired address
B. Use a VIP with port forwarding to translate the source
C. In the firewall policy, enable NAT and specify the IP pool as a fixed port range or overload
D. Enable NAT on the policy and set the IP pool configuration to use a dynamic IP pool
Answer: C

In policy-based NAT, you can enable NAT and select an IP pool. The pool can be configured for overload (PAT) or fixed port range, but the translated IP is taken from the pool.

Why this answer

Policy-based NAT allows specifying a fixed IP address or IP pool for source NAT. The admin should configure the policy's NAT settings to use a specific IP pool or IP address.

488
MCQ · hard

An administrator has configured an IPS sensor to block critical-severity attacks. However, after a week, they notice that a known exploit (CVE-2021-44228) is still getting through. Which configuration change should be made to improve detection?

A. Set the IPS sensor severity filter to 'low' and above.
B. Change the IPS sensor action from 'default' to 'block' for all signatures.
C. Create a custom IPS signature for the exploit.
D. Enable the specific IPS signature for the exploit in the sensor.
Answer: D

The signature may be present but disabled; enabling it allows detection.

Why this answer

Option D is correct because the IPS sensor must have the specific signature for CVE-2021-44228 (Log4Shell) enabled to detect and block it. Even if the sensor is set to block critical-severity attacks, the signature for this exploit may be disabled by default in the sensor's signature database. Enabling the specific signature ensures the sensor inspects traffic for the exploit's unique patterns and applies the configured action.

Exam trap

The trap here is that candidates assume setting the severity filter to 'critical' or changing the action to 'block' globally will catch all critical exploits, but they forget that individual signatures must be explicitly enabled in the sensor to be evaluated.

How to eliminate wrong answers

Option A is wrong because lowering the severity filter to 'low' and above would cause the sensor to process more signatures, but it does not enable a disabled signature; the exploit's signature may still be disabled regardless of severity. Option B is wrong because changing the action from 'default' to 'block' for all signatures would override per-signature actions and could cause false positives or performance issues, but it still does not enable a disabled signature. Option C is wrong because creating a custom IPS signature is unnecessary when the vendor (Fortinet) already provides a signature for CVE-2021-44228; the issue is that the signature is disabled, not missing.

489
MCQ · hard

A company has a FortiGate 100F with two ISPs (ISP1 and ISP2) for load balancing. They use SD-WAN to direct traffic. The firewall has a policy that allows HTTP and HTTPS traffic from internal users (10.0.0.0/8) to the internet. The policy uses FSSO authentication with an Active Directory domain controller. Recently, users on the 10.0.1.0/24 subnet report that they are prompted for authentication repeatedly, even though they are domain-joined and logged in. Users on other subnets do not have this issue. The administrator checks the FSSO configuration and sees that the collector agent is running and the FortiGate is receiving login events. The FortiGate's policy is configured with source address 10.0.0.0/8 and FSSO group 'Domain Users'. The administrator also notices that the FortiGate's SD-WAN rules are configured to use ISP1 for traffic from 10.0.0.0/8 except for traffic from 10.0.1.0/24, which uses ISP2. The FortiGate's FSSO collector agent is configured to listen on the IP address 192.168.1.1, which is the IP of the interface connected to ISP1. What is the most likely cause of the authentication issue?

A. The FSSO group 'Domain Users' does not include the affected users
B. The SD-WAN rule for 10.0.1.0/24 is misconfigured and drops authentication traffic
C. The domain controller is not reachable from the FortiGate
D. The FSSO collector agent is listening on an IP that is not reachable from the 10.0.1.0/24 subnet due to SD-WAN routing
Answer: D

The collector agent's IP is on ISP1 interface, but traffic from 10.0.1.0/24 goes via ISP2, so the domain controller may not be able to send login events to that IP.

Why this answer

The FSSO collector agent listens on 192.168.1.1, which is the IP of the interface connected to ISP1. SD-WAN rules send traffic from 10.0.1.0/24 via ISP2, so authentication packets from these users (e.g., to the collector agent) may be routed through ISP2 and never reach the collector agent at 192.168.1.1, causing repeated authentication prompts. This is a classic SD-WAN routing asymmetry issue where FSSO traffic does not follow the expected path.

Exam trap

The trap here is that candidates assume FSSO authentication failures are always due to misconfigured groups or domain connectivity, overlooking how SD-WAN routing can cause asymmetric traffic flows that break the FSSO communication path.

How to eliminate wrong answers

Option A is wrong because the issue is subnet-specific (10.0.1.0/24) and other subnets work fine, indicating the 'Domain Users' group membership is not the problem. Option B is wrong because SD-WAN rules do not drop traffic; they only influence path selection, and authentication traffic (like FSSO) is not explicitly blocked by the rule. Option C is wrong because the domain controller is reachable from the FortiGate (the collector agent is running and receiving login events), and the issue is isolated to a specific subnet, not a general reachability problem.

490
MCQ · easy

Which FortiGate security feature can be used to block outgoing emails that contain specific keywords, such as confidential information?

A. Email Filter
B. Web Filter
C. Application Control
D. Antivirus
Answer: A

Why this answer

Email Filter profiles can scan SMTP, POP3, and IMAP traffic for keywords and patterns in email content. Antivirus scans for malware, web filter for URLs, application control for apps.

491
MCQ · medium

An admin needs to ensure that all traffic from the 10.0.1.0/24 network to the internet uses a specific public IP address (203.0.113.10) as the source IP, with port translation enabled. The FortiGate has multiple WAN interfaces. Which NAT configuration should the admin use on the firewall policy?

A. Create an IP pool of type Overload with the range 203.0.113.10 and select it in the policy
B. Enable NAT on the policy and set the IP pool configuration to use the interface address
C. Configure a Central SNAT rule that matches the source subnet and set the translated address to 203.0.113.10
D. Use a VIP to perform destination NAT and set the source IP in the VIP configuration
Answer: A

An Overload IP pool with a single IP (or range) will perform PAT using that public IP as the source.

Why this answer

Option A is correct because an IP Pool of type Overload (Port Block Allocation) allows you to specify a single public IP address (203.0.113.10) as the translated source IP for all traffic from 10.0.1.0/24, with port address translation (PAT) enabled. This ensures that all outbound traffic uses that specific IP as the source, regardless of which WAN interface the traffic egresses, and the 'Overload' type automatically performs port translation to multiplex multiple internal hosts behind that single IP.

Exam trap

The trap here is that candidates often confuse Central SNAT rules (which are applied globally and not tied to a specific firewall policy) with policy-based IP Pool configuration, leading them to select Option C, even though the question explicitly requires the NAT configuration to be set on the firewall policy itself.

How to eliminate wrong answers

Option B is wrong because enabling NAT on the policy and setting the IP pool configuration to use the interface address would use the IP address of the egress interface itself, not the specific public IP 203.0.113.10; this does not allow you to force a different source IP than the interface address. Option C is wrong because a Central SNAT rule can match the source subnet and set the translated address to 203.0.113.10, but Central SNAT rules are applied globally and may conflict with policy-based NAT; the question explicitly asks for NAT configuration on the firewall policy, not a central rule. Option D is wrong because a VIP (Virtual IP) is used for destination NAT (DNAT), translating incoming traffic's destination IP, not for source NAT; setting a source IP in a VIP configuration is not a valid method for outbound source translation.

492
MCQ · hard

An administrator runs the CLI command: 'diagnose sys session list | grep -i dns' and sees sessions with dst port 53. The administrator has configured a DNS filter profile on the firewall policy. However, DNS requests are not being filtered. What is the MOST likely cause?

A. The DNS filter profile is applied to the wrong policy direction
B. DNS filtering requires proxy-based inspection mode on the policy
C. The DNS filter profile has no rules defined
D. The FortiGate is in transparent mode
Answer: B

Why this answer

DNS filtering in FortiOS requires proxy-based inspection mode. If the policy is set to flow-based, DNS filtering will not work. The administrator should change the inspection mode to proxy.

493
Multi-Select · medium

A FortiGate administrator is troubleshooting why traffic from a specific internal host is not being allowed through a firewall policy. The policy appears correct and is enabled. Which TWO diagnostic commands could the administrator use to determine if the traffic is matching a different policy?

Select 2 answers
A. get system performance status
B. config system ha
C. execute ping options
D. diagnose firewall iprope list
E. diagnose debug flow
Answers: D, E

This shows hit counts for each policy, indicating which policies are being matched.

Why this answer

Using diagnose debug flow to trace the packet and diagnose firewall iprope list to see policy hit counts are effective ways to identify traffic matching.

494
Multi-Select · medium

In a FortiGate HA cluster, the administrator wants to reduce failover time when the primary unit fails. Which two adjustments can help achieve this? (Choose two.)

Select 2 answers
A. Decrease the 'set ha-heartbeat-interval' value
B. Increase the 'set session-pickup-delay' value
C. Enable 'set ha-arp-interval'
D. Decrease the 'set ha-failover-threshold' value
E. Increase the 'set ha-heartbeat-interval' value
Answers: A, D

A shorter interval means faster detection of heartbeat loss.

Why this answer

Options A and D are correct. Decreasing the heartbeat interval (how often heartbeats are sent) and decreasing the failover threshold (the number of missed heartbeats before failover) both reduce the time needed to detect a failure and trigger failover.

495
MCQ · hard

An administrator runs the command 'diagnose ips anomaly list' and sees many entries for 'tcp_src_session' with high counts. Users report slow internet. What is the most likely issue?

A. The IPS signature database is corrupted
B. The FortiGate has a hardware failure
C. A host on the network is infected with malware that is generating many outbound connections
D. The FortiGate is under a DDoS attack
Answer: C

A single source with excessive sessions is typical of malware or P2P activity.

Why this answer

High tcp_src_session counts indicate many TCP sessions from a single source, often due to a host generating excessive connections (e.g., malware or P2P).

496
MCQ · medium

An administrator receives a report that some users cannot authenticate via captive portal on a FortiGate. The captive portal is configured for firewall authentication. The administrator checks the authentication logs and sees 'Authentication failed: invalid credentials'. However, the users confirm they are entering the correct username and password. What is the MOST likely cause?

A. The captive portal interface is not configured with a valid certificate
B. The users are not including the domain name in the username field
C. The FortiGate's clock is out of sync with the LDAP server
D. The LDAP server is not reachable from the FortiGate
Answer: B

When authenticating against an LDAP/AD server, the FortiGate often requires the username in the format 'domain\username' or user principal name. Omitting the domain results in 'invalid credentials'.

Why this answer

Option B is correct. If the users are in a domain, the FortiGate expects the username in the format 'domain\username' or 'username@domain.com'. Entering just the username without the domain will cause authentication failure.

497
MCQ · hard

An admin runs 'diagnose sys session filter dport 443' and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A. The session is a half-open TCP connection
B. The session is a multicast session
C. The session is a UDP session for DNS over HTTPS
D. The session is an established TCP session for HTTPS traffic
Answer: D

Proto=6 is TCP, proto_state=01 means established, and dport 443 is HTTPS.

Why this answer

The output shows `proto=6` (TCP), `proto_state=01` (TCP established), `dport=443` (HTTPS), and a duration/expire indicating an active session. This confirms an established TCP session for HTTPS traffic, making D correct.

Exam trap

The trap here is that candidates may misinterpret `proto_state=01` as a half-open connection (like SYN_SENT) because they confuse the numeric state value with TCP flags, when in fact 01 specifically means ESTABLISHED in FortiGate's session table.

How to eliminate wrong answers

Option A is wrong because `proto_state=01` indicates a fully established TCP connection (ESTABLISHED), not a half-open connection (which would show a different state, such as 02 for SYN_SENT). Option B is wrong because multicast sessions use UDP (proto=17) or IGMP, not TCP (proto=6), and the output shows a unicast TCP session. Option C is wrong because it describes a UDP session, while the output explicitly shows `proto=6` (TCP), not UDP (proto=17); DNS over HTTPS itself runs over TCP port 443 like any other HTTPS traffic, so nothing in this output distinguishes it from ordinary HTTPS, and the session is certainly not UDP.

498
Multi-Select · medium

An administrator wants to prevent sensitive data (e.g., credit card numbers) from being sent out of the network via email. Which THREE components must be configured to achieve this?

Select 3 answers
A. A firewall policy that allows email traffic and applies the email filter profile
B. SSL deep inspection to decrypt email traffic if encrypted
C. An application control profile to block email applications
D. An email filter profile that includes the DLP sensor
E. A DLP sensor with a credit card number pattern
Answers: A, D, E

The policy is where the profile is applied to the traffic.

Why this answer

To block sensitive data via email, you need: a DLP sensor to define the data pattern, an email filter profile to apply the DLP sensor to email traffic, and a firewall policy that applies the email filter profile to SMTP/IMAP traffic.

499
MCQ · medium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A. The web server's certificate is self-signed and FortiGate is rejecting the connection
B. The antivirus profile is configured for flow-based inspection instead of proxy-based
C. SSL/TLS deep inspection is not enabled on the firewall policy
D. The FortiGuard antivirus subscription has expired
Answer: C

HTTPS traffic is encrypted. FortiGate cannot inspect the payload unless SSL deep inspection decrypts the TLS session, so the antivirus profile only takes effect when deep inspection is enabled on the policy.

Why this answer

HTTPS traffic is encrypted with SSL/TLS, so an antivirus profile cannot inspect the payload unless the firewall can decrypt the traffic. Even with antivirus enabled in the policy, without SSL/TLS deep inspection (also called SSL inspection or HTTPS decryption), FortiGate only sees encrypted packets and cannot scan for malware. Therefore, the most likely reason is that SSL/TLS deep inspection is not enabled on the firewall policy.

Exam trap

The trap here is that candidates often assume antivirus profiles automatically inspect all traffic, forgetting that encrypted HTTPS requires explicit SSL/TLS decryption before any content inspection can occur.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate does not cause FortiGate to reject the connection by default; it may generate a warning or require an SSL inspection policy to handle untrusted certificates, but the traffic would still be forwarded (and remain unscanned) unless a specific action is configured. Option B is wrong because both flow-based and proxy-based inspection modes support antivirus scanning; the inspection mode affects performance and some features but does not prevent scanning of HTTPS traffic if decryption is configured. Option D is wrong because an expired FortiGuard antivirus subscription would prevent signature updates and might disable real-time scanning, but the traffic would still be inspected (with potentially outdated signatures) unless the license is completely expired and the feature is blocked; the question states antivirus is enabled, so the subscription expiry is not the most likely reason for no scanning at all.

500
MCQ · medium

A company recently deployed FortiGate with application control to manage cloud application usage. They want to allow Google Drive for business but block personal Google accounts. Which application control configuration approach is most effective?

A. Use web filtering to block the URL of personal Google Drive.
B. Configure IPS to block personal Google Drive traffic.
C. Use application control with specific signatures for 'Google Drive Business' and 'Google Drive Personal' and apply appropriate actions.
D. Create a rule to block all Google Drive applications.
Answer: C

Application control signatures can distinguish between business and personal versions.

Why this answer

Option C is correct because FortiGate's application control uses application signatures to distinguish between different versions of the same application, such as 'Google Drive Business' and 'Google Drive Personal'. By configuring specific signatures with appropriate actions (allow for business, block for personal), you can enforce granular control over cloud application usage without affecting legitimate business traffic.

Exam trap

The trap here is that candidates often confuse web filtering (URL-based) with application control (signature-based), assuming that blocking a URL will effectively block personal accounts, but in reality, both account types use the same URL and only differ in application-layer metadata.

How to eliminate wrong answers

Option A is wrong because web filtering blocks URLs, but personal and business Google Drive often share the same base URL (drive.google.com), making URL-based blocking ineffective for distinguishing between account types. Option B is wrong because IPS is designed to detect and prevent network attacks and exploits, not to enforce application-level access policies based on user account type. Option D is wrong because blocking all Google Drive applications would also block the legitimate business use of Google Drive, which contradicts the requirement to allow business accounts.

501
Multi-Select · medium

An administrator is configuring a FortiGate for ZTNA (Zero Trust Network Access). Which TWO components are essential for ZTNA to function? (Choose two.)

Select 2 answers
A. A firewall policy with ZTNA tags
B. A captive portal
C. FortiClient EMS for endpoint compliance
D. An IPsec VPN tunnel
E. An identity provider (IdP) for user authentication
Answers: C, E

EMS provides device posture information.

Why this answer

ZTNA requires an identity provider (IdP) to authenticate users and a ZTNA gateway (the FortiGate) to enforce access policies based on identity and device posture.

502
Multi-Select · medium

A company requires two-factor authentication for SSL VPN access. They already have an LDAP server for user credentials. Which TWO components are necessary to implement this?

Select 2 answers
A. FortiAuthenticator
B. FortiToken hardware or mobile tokens
C. RADIUS server
D. Certificate Authority (CA)
E. LDAP server
Answers: B, E

FortiToken provides the one-time password (OTP) required for two-factor authentication.

Why this answer

FortiToken provides the second factor (OTP). The LDAP server provides the first factor (password). The FortiGate acts as the authenticator.

503
MCQ · easy

Which FortiGate diagnostic command allows you to capture packets on an interface for troubleshooting network connectivity issues?

A. diagnose debug flow
B. diagnose sniffer packet
C. diagnose sys session list
D. diagnose test application
Answer: B

This is the packet capture command on FortiGate.

Why this answer

The 'diagnose sniffer packet' command captures packets in real-time on a specified interface, similar to tcpdump. It is the primary tool for packet-level troubleshooting.

504
MCQ · medium

An organization wants to prevent users from downloading files with extensions such as .exe and .scr via HTTP and HTTPS. The FortiGate already has a web filter profile applied to the relevant policy. Which web filter feature should be configured to achieve this?

A. FortiGuard category filtering set to block 'Malicious Websites'
B. A static URL filter block rule for the file extensions
C. URL filter with a block rule for *\.exe and *\.scr patterns
D. Content filtering with a block rule for the file extensions
Answer: D

Content filtering can block based on file extension patterns in HTTP responses, including for HTTPS if SSL inspection is enabled.

Why this answer

Option D is correct. Content filtering inspects HTTP response bodies and can block file downloads by extension. For HTTPS, SSL deep inspection must be enabled.

505
Multi-Select · hard

A FortiGate administrator is troubleshooting an IPsec VPN between two FortiGates. The tunnel is established, but traffic is not passing. The administrator runs 'diagnose vpn ike log' and sees the following output:

IKE: phase 2 negotiation completed
IKE: IPsec SA up

What THREE possible causes should the administrator investigate?

Select 3 answers
A. Firewall policies on either FortiGate are not allowing traffic between the local and remote subnets
B. The pre-shared key is incorrect
C. Routing tables on both FortiGates do not have routes pointing to the remote subnets via the VPN interface
D. The IKE mode is set to aggressive mode on one side and main mode on the other
E. NAT is being applied to the VPN traffic before it enters the tunnel, causing IP address mismatch
Answers: A, C, E

Missing or misconfigured firewall policies will drop traffic even if the tunnel is up.

Why this answer

Options A, C, and E are correct. Both phases negotiated successfully, so the pre-shared key (B) and the IKE mode (D) cannot be the problem; either of those would have stopped Phase 1. With the SA up, traffic still needs a firewall policy in each direction between the LAN and the tunnel interface (A), a route for the remote subnet that points at the tunnel interface (C), and a source address that matches the Phase 2 selector, which fails if the firewall policy applies source NAT before the packet enters the tunnel (E). Note that E is NAT of the payload traffic, not a NAT traversal (NAT-T) issue; NAT-T concerns the IKE and ESP packets exchanged between the gateways themselves.
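The three checks above as an added FortiOS CLI walkthrough (example configuration written for this page, not part of the original question or of Fortinet's documentation). It assumes a route-based tunnel interface named to-branch, a local LAN 10.1.0.0/24 on port2, address objects hq-lan and branch-lan for the two subnets, and a remote test host 10.2.0.10; all of these names and addresses are assumptions. Lines starting with # are annotations, not commands.

```fortios
# Step 1: confirm the tunnel is up and see whether packets are entering it.
# The "stat:" line under each SA counts packets; txp climbing while rxp stays
# at 0 means traffic leaves here but nothing comes back (check the far side).
diagnose vpn tunnel list name to-branch

# Step 2: routing. The remote subnet must point at the tunnel interface.
get router info routing-table all
# expected entry (constructed):  S  10.2.0.0/24 [10/0] is directly connected, to-branch
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch"
    next
end

# Step 3: a policy in each direction, with NAT disabled on the policy that
# sends LAN traffic into the tunnel, so the source still matches the Phase 2 selector.
config firewall policy
    edit 0
        set name "hq-lan-to-branch"
        set srcintf "port2"
        set dstintf "to-branch"
        set srcaddr "hq-lan"
        set dstaddr "branch-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "branch-to-hq-lan"
        set srcintf "to-branch"
        set dstintf "port2"
        set srcaddr "branch-lan"
        set dstaddr "hq-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Step 4: trace one test flow to see where it is dropped. A trace line containing
# "Denied by forward policy check" points at step 3; a failed route lookup at step 2.
diagnose debug flow filter addr 10.2.0.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from a host on hq-lan to 10.2.0.10, then stop the debug:
diagnose debug disable
diagnose debug reset
```

Run step 4 on both FortiGates: a flow that is accepted and encrypted here can still be dropped by the policy or route check on the far side, and the far side's trace is the only place that shows it.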

506
MCQmedium

An admin wants to ensure that VoIP traffic (UDP ports 5060-5061) from the internal network to the internet is prioritized over other traffic when the WAN link is congested. Which feature should be configured on the firewall policy?

A.Enable NAT on the policy
B.QoS marking only (DSCP)
C.Traffic shaping policy with a guaranteed bandwidth allocation and high priority
D.Configure a security profile with QoS settings
AnswerC

Traffic shaping policies can prioritize traffic by assigning a higher priority queue.

Why this answer

Option C is correct because a traffic shaping policy with guaranteed bandwidth allocation and high priority ensures that VoIP traffic (UDP ports 5060-5061) receives the necessary bandwidth and is prioritized over other traffic during WAN congestion. Traffic shaping policies on FortiGate allow you to set guaranteed bandwidth, maximum bandwidth, and priority levels, which directly address congestion by reserving resources for critical traffic like VoIP.

Exam trap

The trap here is that candidates confuse DSCP marking (which only tags packets for external QoS) with local traffic shaping that actually enforces bandwidth guarantees and priority on the FortiGate itself, leading them to choose option B instead of C.

How to eliminate wrong answers

Option A is wrong because enabling NAT on the policy translates source IP addresses but does not provide any traffic prioritization or bandwidth guarantees during congestion. Option B is wrong because QoS marking only (DSCP) sets the Differentiated Services Code Point in the IP header for downstream devices, but on FortiGate, DSCP marking alone does not enforce local queuing or bandwidth allocation; it relies on downstream routers to honor the markings, which is insufficient for guaranteed prioritization on the WAN link. Option D is wrong because a security profile with QoS settings does not exist; security profiles (e.g., antivirus, web filtering) inspect content but do not manage bandwidth allocation or traffic priority, and QoS settings are configured separately in traffic shaping policies.
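The shaping policy option C describes, as an added FortiOS CLI example written for this page (not from the original question or Fortinet's documentation), with the marking-only configuration of option B beside it for contrast. The shaper values, the interface name wan1, the link capacity and the service name are assumptions; lines starting with # are annotations, not commands.

```fortios
# Tell the FortiGate the real circuit capacity in kbps. Otherwise it assumes the
# physical port speed, and a 1 Gbps port feeding a 20 Mbps circuit never backs up
# on the FortiGate, so its queues never engage and priority is never enforced.
config system interface
    edit "wan1"
        set outbandwidth 20000
        set inbandwidth 20000
    next
end

# SIP signalling on UDP 5060-5061, the ports named in the question.
config firewall service custom
    edit "SIP-signalling"
        set udp-portrange 5060-5061
    next
end

# The shaper: reserve 512 kbps, cap at 1024 kbps, highest queue priority.
# per-policy disable makes it a shared shaper: every shaping policy that
# references it draws from the same reservation, which is what one voice class wants.
config firewall shaper traffic-shaper
    edit "voip-shaper"
        set guaranteed-bandwidth 512
        set maximum-bandwidth 1024
        set priority high
        set per-policy disable
    next
end

# Option C: a shaping policy on the egress interface, applied in both directions.
# Shaping policies are matched top-down, after a firewall policy has accepted the traffic.
config firewall shaping-policy
    edit 1
        set service "SIP-signalling"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set traffic-shaper "voip-shaper"
        set traffic-shaper-reverse "voip-shaper"
    next
end

# Option B for contrast (never reached for this traffic while entry 1 is above it):
# this only rewrites the DSCP field to EF (101110) so that an upstream router can
# prioritise; the FortiGate itself still queues the packet like any other.
config firewall shaping-policy
    edit 2
        set service "SIP-signalling"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set diffserv-forward enable
        set diffservcode-forward 101110
    next
end
```

In practice the two are combined: shape locally (entry 1) and also mark (add diffserv-forward to entry 1) so the provider's edge, which you do not control, sees the same class. The guarantee only protects signalling here; the RTP media ports would need their own service object or an application-control based shaping policy.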

507
Matchingmedium

Match each FortiGate logging destination to its description.

Local log storage (memory or disk): Stored on the FortiGate's internal memory or disk

FortiAnalyzer: Centralized log collector and analyzer

Syslog: Standard protocol to send logs to external servers

FortiGate Cloud (FortiCloud): Cloud-based log storage and management

SNMP: Used for monitoring device status and performance

Why these pairings

Each description names a distinct logging or monitoring option on FortiGate. Local storage, FortiAnalyzer, syslog and FortiGate Cloud are log destinations; SNMP is not a log destination at all but a polling and trap mechanism for device status and performance, which is why it is the odd one out in the list.

508
Multi-Selectmedium

An administrator is configuring an IPsec VPN between two FortiGates using IKEv1. The tunnel must use main mode and support multiple subnets behind each gateway. Which Phase2 settings are required to allow multiple subnets? (Choose two.)

Select 2 answers
A.Set the Phase2 keylife to a higher value
B.Set the Phase2 proposal to include multiple encryption algorithms
C.Create multiple Phase2 selectors, each with different local and remote subnets
D.Enable NAT traversal on the Phase2
E.Use address objects that contain multiple subnets in the Phase2 definition
AnswersC, E

Each Phase2 selector defines a single traffic pair; multiple selectors cover multiple subnets.

Why this answer

Options C and E are correct. Each local/remote subnet pair in a Phase 2 selector produces its own IPsec SA, so to carry several subnets you either create several Phase 2 entries, one per subnet pair (C), or reference address groups containing the subnets in the Phase 2 local and remote address fields, which FortiOS expands into one SA per subnet pair (E). In both cases the peer must define the matching selectors in mirror image. Key lifetime (A) and the number of proposals (B) do not change which subnets a selector covers, and NAT traversal (D) is a Phase 1 setting that concerns the IKE and ESP packets, not the protected subnets.
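Both forms that the correct options describe, as an added FortiOS CLI example written for this page (not from the original question or Fortinet's documentation). It assumes a Phase 1 named to-branch, local subnets 10.1.1.0/24 and 10.1.2.0/24, a remote subnet 10.2.1.0/24 and the address object names shown; all are assumptions. The remote FortiGate needs the mirror image (its src is this side's dst). Lines starting with # are annotations.

```fortios
# Form C: one Phase 2 entry per local/remote subnet pair. Each entry negotiates its own SA.
config vpn ipsec phase2-interface
    edit "to-branch-p2-1"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.2.1.0 255.255.255.0
    next
    edit "to-branch-p2-2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-subnet 10.1.2.0 255.255.255.0
        set dst-subnet 10.2.1.0 255.255.255.0
    next
end

# Form E: a single Phase 2 entry whose selectors are address groups.
# FortiOS expands the groups and still negotiates one SA per subnet pair, so the
# peer must accept each pair; a member the peer does not know fails on its own
# without affecting the others.
config firewall address
    edit "hq-net-1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "hq-net-2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "branch-net-1"
        set subnet 10.2.1.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "hq-nets"
        set member "hq-net-1" "hq-net-2"
    next
    edit "branch-nets"
        set member "branch-net-1"
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-addr-type name
        set src-name "hq-nets"
        set dst-addr-type name
        set dst-name "branch-nets"
    next
end

# Verify: one SA (src/dst selector pair) per subnet combination should be listed.
diagnose vpn tunnel list name to-branch
```

Use one form or the other for a given Phase 1, not both, or the overlapping selectors will compete. A third design, 0.0.0.0/0 selectors on both sides with static or dynamic routes deciding what enters the tunnel, avoids per-subnet SAs entirely, but it relies on the firewall policies rather than the selectors to limit what crosses, so the policies must be written accordingly.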

509
MCQmedium

An administrator is troubleshooting a FortiGate HA cluster that is experiencing frequent failovers. The heartbeat interfaces are configured on port1 and port2. Which diagnostic command should the administrator use to check heartbeat packet loss?

A.diagnose sys ha status
B.get system ha status
C.diagnose sys ha heartbeat
D.diagnose sys session list
AnswerC

This command displays heartbeat statistics and can show packet loss.

Why this answer

The 'diagnose sys ha heartbeat' command shows heartbeat statistics, including packet loss, sequence numbers, and latency, which helps diagnose heartbeat issues.

510
Multi-Selecthard

A FortiGate is configured in an A-P HA cluster. The administrator wants to ensure that session failover occurs for UDP-based voice traffic. Which TWO settings must be enabled?

Select 2 answers
A.Enable UDP session synchronization.
B.Set HA override to enabled.
C.Enable configuration synchronization.
D.Enable session pickup.
E.Set failover hold time to 1 second.
AnswersA, D

UDP sessions need explicit synchronization for failover.

Why this answer

Options A and D are correct. Session pickup (D, session-pickup) is the master switch that synchronizes session state to the secondary unit so that established connections survive a failover; on its own it covers TCP. Connectionless protocols are excluded by default, so UDP and ICMP sessions are only replicated when session-pickup-connectionless (A) is enabled as well. Without it the voice traffic's UDP sessions do not exist on the new primary after a failover, and the calls drop. Configuration synchronization (C) replicates the configuration, not live session state, and override (B) and the hold time (E) influence when a failover happens, not what survives it.

Exam trap

The trap here is that candidates often confuse configuration synchronization (which replicates config files) with session synchronization (which replicates dynamic session state), leading them to incorrectly select Option C instead of A.
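The two settings the question asks for, in context, as an added FortiOS CLI example written for this page (not from the original question or Fortinet's documentation). The group name, heartbeat interfaces and priorities are assumptions; lines starting with # are annotations.

```fortios
config system ha
    set group-name "fw-cluster"
    set mode a-p
    set hbdev "port1" 50 "port2" 50
    # Option D: synchronize TCP session state to the secondary unit.
    set session-pickup enable
    # Option A: also synchronize UDP and ICMP sessions (voice media and signalling).
    set session-pickup-connectionless enable
    # Leave this disabled for voice: when enabled, only sessions that have already
    # lived 30 seconds are synchronized, so a call set up just before a failover is lost.
    set session-pickup-delay disable
end

# Verify cluster membership and which unit is primary before testing a failover.
get system ha status
```

Test the result with a real call in progress, not just a ping: a failover that keeps the SIP dialog but loses the RTP sessions still sounds like a dropped call to the user.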

511
MCQmedium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. Phase 1 is up, but Phase 2 fails to establish. The debug command 'diagnose vpn ike log' shows: 'no suitable proposal found'. What is the most likely cause?

A.Phase 2 encryption or authentication algorithms do not match on both sides.
B.The firewall policy allowing IPsec traffic is missing.
C.The remote gateway IP address is unreachable.
D.The pre-shared key is incorrect.
AnswerA

Phase 2 proposals must match; otherwise, the tunnel cannot establish.

Why this answer

This error indicates that the Phase 2 proposals (encryption, authentication, etc.) do not match between the two peers. Phase 1 succeeded, so the IKE parameters are compatible; the issue lies in the Phase 2 settings.

512
MCQhard

A FortiGate has a policy-based NAT rule that translates source IPs from subnet 192.168.1.0/24 to 203.0.113.10 when accessing the internet. The admin also enables Central SNAT with a rule that translates the same subnet to 203.0.113.20. If both are configured, which translation will be applied to traffic from 192.168.1.0/24 to the internet?

A.Both translations will be applied, causing an error
B.Central SNAT because it is a global setting
C.The FortiGate will use the translation from the policy with the highest ID
D.Policy-based NAT because it is evaluated first
AnswerB

Central NAT is a global mode; once it is enabled the per-policy NAT setting is no longer used.

Why this answer

Central NAT is turned on globally (config system settings, set central-nat enable). Once it is enabled, the NAT option on individual firewall policies is no longer consulted: the firewall policy still decides whether the traffic is accepted, but source translation comes only from the Central SNAT table (and destination translation from the DNAT/VIP table). The policy-based translation to 203.0.113.10 is therefore ignored, and traffic from 192.168.1.0/24 is translated to 203.0.113.20. Policy NAT and Central SNAT are not two rule sets with an order of precedence; they are alternative modes, and the 'both configured' premise really means that central NAT has been enabled on a unit that previously relied on policy NAT.

Exam trap

The trap here is to assume the FortiGate evaluates policy-based NAT first and Central SNAT second, or the other way round. There is no such ordering: with central NAT disabled only the policy's NAT option applies, and with central NAT enabled only the Central SNAT table applies.

How to eliminate wrong answers

Option A is wrong because only one NAT mode is in effect at a time, so nothing is translated twice and no error results. Option C is wrong because policy IDs never decide between the two modes; the global central-nat setting does. Option D is wrong because policy-based NAT is not evaluated first; with central NAT enabled it is not evaluated at all.

513
Multi-Selectmedium

Which TWO of the following are required for full SSL inspection to work correctly?

Select 2 answers
A.The private key of each server certificate that will be inspected.
B.The FortiGate's CA certificate installed in the Trusted Root Certification Authorities store on client machines.
C.An intermediate CA certificate imported from the enterprise PKI.
D.A certificate on the FortiGate to generate session certificates.
E.A certificate signed by a public CA installed on the FortiGate.
AnswersB, D

Without this, clients will see certificate errors.

Why this answer

For full SSL inspection, the FortiGate must generate a session certificate on-the-fly for each HTTPS connection after decrypting it. This requires a CA certificate on the FortiGate to sign those session certificates. Additionally, client machines must trust this CA certificate, so it must be installed in their Trusted Root Certification Authorities store; otherwise, browsers will show certificate warnings and block the connection.

Exam trap

The trap here is that candidates often think the FortiGate needs the server's private key (Option A) to decrypt traffic, but in reality, full SSL inspection uses a man-in-the-middle approach where the FortiGate generates its own session certificates, requiring only its own CA certificate and client trust.

514
Multi-Selecthard

An administrator is troubleshooting why an application control profile is not detecting a custom application that uses a non-standard port. The administrator wants to ensure the application is properly identified. Which THREE steps should the administrator take? (Choose three.)

Select 3 answers
A.Set the application control action to 'block' for the application
B.Add a custom application signature based on the traffic pattern
C.Disable flow-based inspection and use proxy-based only
D.Ensure the application control profile is applied to the correct firewall policy
E.Enable SSL deep inspection if the application uses encryption
AnswersB, D, E

If the built-in signatures don't cover the custom app, a custom signature can be created.

Why this answer

Options B, D, and E are correct. Application control can only classify traffic that reaches it, so first confirm the profile is attached to the policy the traffic actually matches (D); the policy_id in the session entry or a diagnose debug flow trace shows which policy that is. If the built-in signature database does not recognise the application, a custom application signature matching its traffic pattern is needed (B), and signatures that match payload cannot see inside TLS unless the policy uses deep inspection (E). Setting the action to block (A) changes what happens after identification, not whether the application is identified, and application control works in both flow-based and proxy-based inspection, so switching modes (C) does not help.

515
MCQhard

An admin configures a Central SNAT policy to translate source IPs from 10.0.0.0/24 to a dynamic IP pool of 203.0.113.1-203.0.113.10 with overload enabled. Users report that some connections are dropped. What is the MOST likely cause?

A.The port range for each IP in the pool is exhausted
B.The firewall policy has 'set nat enable' disabled
C.The route to the internet is missing
D.The pool does not have enough IPs to cover all users
AnswerA

Each IP has a limited number of ports (around 64,000). Under heavy traffic, ports can be exhausted, causing connection drops.

Why this answer

With overload enabled (Port Address Translation), the firewall translates multiple internal IPs to a single public IP by using unique source ports. Each public IP can handle up to 65,535 ports, but the actual usable port range is often smaller due to reserved ports and system limits. When all ports on all IPs in the pool are consumed, new connections are dropped because no port can be allocated for the translation.

Exam trap

The trap here is that candidates assume the pool must have enough IPs for each user, but overload (PAT) allows many users to share a single IP, so the real bottleneck is port exhaustion, not IP count.

How to eliminate wrong answers

Option B is wrong because the per-policy NAT option ('set nat enable' on the firewall policy) is only consulted when central NAT is disabled; with Central SNAT in use it plays no part, so it cannot explain the drops. Option C is wrong because a missing internet route would fail all outbound traffic, not a fraction of connections. Option D is wrong because an overload pool does not need one address per user; many hosts share each address through port translation, and the resource that runs out is ports, not addresses.
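Questions 512 and 515 together, as an added FortiOS CLI example written for this page (not from the original questions or Fortinet's documentation): the global switch that makes Central SNAT the only source NAT in effect, and an overload pool behind a Central SNAT rule. The interface names port2 and wan1, the address object internal-lan (10.0.0.0/24), the pool name and the test host address are assumptions; lines starting with # are annotations.

```fortios
# 1. Central NAT is a global mode. After this, the NAT option on firewall policies
#    is no longer consulted; policies only decide accept or deny.
config system settings
    set central-nat enable
end

# 2. An overload (PAT) pool: ten public addresses shared by every internal host and
#    told apart by translated source port. New connections cannot be translated once
#    the usable ports on all ten addresses are in use; widening the pool is the remedy.
config firewall ippool
    edit "public-pool"
        set type overload
        set startip 203.0.113.1
        set endip 203.0.113.10
    next
end

# 3. The Central SNAT rule. Rules are matched top-down on interface pair,
#    original source and destination.
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "wan1"
        set orig-addr "internal-lan"
        set dst-addr "all"
        set nat enable
        set nat-ippool "public-pool"
    next
end

# 4. A plain accept policy; note that there is no "set nat" line here any more.
config firewall policy
    edit 0
        set name "lan-to-internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "internal-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 5. Check what a live session was translated to: the "act=snat" line of the entry
#    shows the pool address and port chosen for it. Clear the filter afterwards.
diagnose sys session filter src 10.0.0.25
diagnose sys session list
diagnose sys session filter clear
```

When port exhaustion is suspected, count sessions per translated address rather than per user: the session entries for one internal host are small in number, but a pool address with tens of thousands of concurrent translated ports is the one that will refuse the next connection.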

516
MCQmedium

An administrator runs 'diagnose vpn ike config' and sees the output includes 'P2 proposals: aes128-sha256, aes256-sha1'. What does this indicate?

A.The Diffie-Hellman groups for Phase 2
B.The Phase 1 encryption settings
C.The Phase 2 encryption and authentication algorithms
D.The lifetime settings for the VPN tunnel
AnswerC

It shows the Phase 2 proposals.

Why this answer

This output shows the Phase 2 proposals configured on the VPN tunnel. It lists the encryption and authentication algorithms that will be offered to the peer.

517
MCQhard

An administrator uses 'diagnose sys session list' and sees the following output for a session: 'proto=6 proto_state=01 duration=3600 expire=3599'. The session is for HTTPS traffic. What does 'proto_state=01' typically indicate in FortiGate?

A.The session is being NATted
B.The session is fully established and active
C.The session is in the initial connection setup phase (SYN_SENT)
D.The session is being inspected by a security profile
AnswerB

proto_state=01 on a TCP session means the session is established: the second digit is Fortinet's TCP state code, and 1 is ESTABLISHED.

Why this answer

For TCP sessions (proto=6) the proto_state value has two digits, and the second digit is the TCP state of the session: 0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN_RECV, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN. proto_state=01 is therefore a fully established session. The timers agree: established TCP sessions get the default session TTL of 3600 seconds, and expire=3599 shows that timer has just been refreshed by traffic, whereas a session still waiting on the handshake is limited by tcp-halfopen-timer (10 seconds by default) and would never show an expire value near 3600. UDP sessions (proto=17) use different codes: 00 means no reply has been seen yet and 01 means traffic has passed in both directions.

Exam trap

The trap here is to read the 1 as 'first step, not yet established'. In the FortiGate state table 1 is ESTABLISHED and 2 is SYN_SENT, and a 3600-second expire value is itself a strong hint that the handshake completed.

How to eliminate wrong answers

Option A is wrong because NAT is reported in the hook lines of the session entry (act=snat, act=dnat), not in proto_state. Option C is wrong because SYN_SENT is 02, and a half-open session carries the short tcp-halfopen-timer rather than a 3600-second expire. Option D is wrong because security-profile inspection is reflected in other fields of the entry, such as policy_id, app_list and the flags on the state= line, not in the TCP state code.

518
MCQhard

During a firmware upgrade, the FortiGate reboots and the administrator cannot access the GUI via HTTPS. The CLI shows the system is running the previous firmware. What is the most likely cause?

A.The firmware image was corrupted during upload.
B.The administrator booted from the wrong partition.
C.The administrator did not perform a factory reset before upgrading.
D.The upgrade failed and the system rolled back to the previous firmware.
AnswerD

FortiGate has a rollback mechanism if the upgrade fails.

Why this answer

Option D is correct because FortiGate keeps the previous firmware in a second flash partition and reverts to it when the new image fails to boot successfully. The administrator seeing the previous firmware after the upgrade reboot is the signature of that rollback. To confirm, compare 'get system status' with 'diagnose sys flash list', which shows the firmware held in each partition and which one is active, and read the crash log with 'diagnose debug crashlog read' for the failed boot. The GUI being unreachable afterwards is a separate symptom worth checking on its own: the HTTPS server certificate or admin port settings may not have survived the round trip.

Exam trap

The trap here is that candidates may assume a corrupted image (Option A) is the cause, but FortiGate's automatic rollback mechanism masks the corruption by reverting to the previous firmware, making the symptom appear as if the upgrade never took effect.

How to eliminate wrong answers

Option A is wrong because a corrupted image is normally rejected at upload, before anything is written to flash; and if a bad image did get written and failed to boot, the rollback to the previous partition would produce exactly the symptom described, so the observable cause is still the rollback. Option B is unlikely rather than impossible: a FortiGate does keep two firmware partitions, and the partition used at the next boot can be chosen with 'execute set-next-reboot' or from the BIOS boot menu, but the scenario describes a reboot triggered by the upgrade itself, not an administrator selecting a partition. Option C is wrong because a factory reset is not a prerequisite for a firmware upgrade; upgrades are applied to the running configuration, and a reset is only advised in specific situations such as unsupported version jumps.

519
Multi-Selecthard

An administrator is troubleshooting an SSL VPN connection. Users can connect and authenticate, but they cannot access any internal resources. The firewall policy allows the SSL VPN interface to the internal network. Which THREE commands or configuration checks should the administrator use to diagnose the issue?

Select 3 answers
A.'execute ping from ssl.root to internal IP'
B.'get router info routing-table all' to verify routes
C.'diagnose debug application sslvpn -1' to enable debug logging
D.'diagnose firewall policy list' to confirm the policy is matching
E.'diagnose vpn ssl list' to view active SSL VPN sessions
AnswersB, D, E

If there is no route to the internal network from the SSL VPN interface, traffic will be dropped.

Why this answer

To diagnose SSL VPN issues, the admin should check the routing table to ensure traffic is routed correctly, check the SSL VPN session list to see if sessions are established, and verify that the correct firewall policy is matching traffic.

520
MCQeasy

An administrator needs to configure a FortiGate to allow remote management via HTTPS from the internet. Which configuration step is required?

A.Create a firewall policy from WAN to LAN with HTTPS service and set action to ACCEPT.
B.Enable SSH access on the WAN interface instead of HTTPS.
C.Enable HTTPS access on the WAN interface and create a firewall policy allowing inbound HTTPS from any to the FortiGate's IP.
D.Configure a port forwarding rule to redirect HTTPS from WAN to the internal management IP.
AnswerC

Enabling HTTPS under Administrative Access on the WAN interface is what allows management from the internet; traffic addressed to the FortiGate's own interface is local-in traffic and is not governed by firewall policies.

Why this answer

Option C is the only option that enables HTTPS access on the WAN interface (config system interface, set allowaccess), which is the required step. Administrative traffic addressed to the FortiGate itself is local-in traffic: it is accepted or refused by the interface's allowaccess setting and, optionally, by local-in policies, not by the firewall policy table, which only governs traffic forwarded through the unit. The firewall policy in option C is therefore unnecessary (a forward policy cannot match local-in traffic), but it does no harm to the result. Because this exposes the management plane to the internet, restrict the sources with trusted hosts on each administrator account and/or a local-in policy, and use a non-default admin port and two-factor authentication for administrators.

Exam trap

The trap here is the belief that the implicit deny policy blocks connections to the FortiGate itself, so a policy 'to the FortiGate's IP' must be added. The implicit deny applies to forwarded traffic; local-in traffic is controlled by allowaccess, trusted hosts and local-in policies. Candidates who know this may reject option C because of its redundant policy, but it remains the only option that actually enables HTTPS on the WAN interface.

How to eliminate wrong answers

Option A is wrong because a WAN-to-LAN policy forwards traffic to internal hosts; it neither enables HTTPS on the WAN interface nor has any effect on local-in traffic to the FortiGate. Option B is wrong because SSH does not satisfy a requirement for HTTPS management; they are separate protocols and separate allowaccess entries. Option D is wrong because port forwarding (a VIP) redirects traffic to a server behind the FortiGate; the FortiGate's own management service is reached at the WAN interface address as soon as HTTPS is in allowaccess.
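The interface setting that option C relies on, together with the source restrictions a practitioner would add before exposing management to the internet, as an added FortiOS CLI example written for this page (not from the original question or Fortinet's documentation). The interface name wan1, the admin account name, the management network 198.51.100.0/24 and the address object mgmt-net are assumptions. There is deliberately no firewall policy here, because none is needed for local-in traffic. Lines starting with # are annotations.

```fortios
# 1. Administrative access on the WAN interface. "set allowaccess" replaces the whole
#    list, so name everything that should remain enabled (here ping and https only).
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end

# 2. Trusted hosts: this admin account can only log in from the listed network,
#    on any interface. Connections from elsewhere are refused before the password is checked.
config system admin
    edit "admin"
        set trusthost1 198.51.100.0 255.255.255.0
    next
end

# 3. Local-in policy: allow HTTPS to the FortiGate itself on wan1 only from the
#    management network and drop it from everywhere else. This is the local-in
#    counterpart of the forward-policy implicit deny that the question mistakenly invokes.
config firewall address
    edit "mgmt-net"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-net"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end

# 4. Fewer password guesses before lockout, and a longer lockout.
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
end
```

Two caveats. If the SSL VPN portal also listens on TCP 443 on wan1, the deny in local-in entry 2 blocks it as well; move the admin GUI to another port with admin-sport and replace the HTTPS service object in both local-in entries with a custom service on that port. And trusted hosts apply to the account on every interface, including the LAN, so keep at least one administrator with a trusted host on the internal management network before tightening the rest.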

521
MCQeasy

In Fortinet ZTNA, what is the primary purpose of the ZTNA access proxy component?

A.To act as a forward proxy for web traffic
B.To provide load balancing for multiple FortiGates
C.To proxy connections to internal applications after authentication and device verification
D.To terminate IPsec VPN tunnels
AnswerC

That is the core function of ZTNA access proxy.

Why this answer

The ZTNA access proxy resides on the FortiGate and proxies connections to internal applications after verifying the user's identity and device posture.

522
MCQhard

An administrator configures a dial-up IPsec VPN with IKEv1 main mode. Remote clients can connect successfully, but the administrator notices that the Phase 1 negotiation takes a long time. Which change would most improve the negotiation speed without compromising security?

A.Switch from main mode to aggressive mode
B.Reduce the IKE SA lifetime
C.Increase the number of Phase 1 proposals
D.Enable IKEv2 instead of IKEv1
AnswerD

IKEv2 uses fewer messages (four) and is more robust, providing faster negotiation than IKEv1 main mode.

Why this answer

Main mode uses six messages and protects identities. Aggressive mode uses three messages but is less secure. Switching to IKEv2 reduces negotiation to four messages and is more efficient than aggressive mode while maintaining security.

523
MCQmedium

A network admin configures an IPsec VPN between two FortiGates using IKEv2. Phase 1 completes successfully, but Phase 2 fails to establish. The admin runs 'diagnose vpn ike log' and sees the error 'proposal mismatch'. What is the most likely cause?

A.The IKE version is not compatible
B.The Phase 2 selectors (local and remote subnets) are misconfigured
C.The Phase 2 encryption and authentication algorithms do not match
D.The pre-shared keys do not match
AnswerC

The 'proposal mismatch' error typically means the Phase 2 transform sets (encryption, authentication, PFS) differ between the two FortiGates.

Why this answer

In IKEv2, Phase 2 proposals are negotiated separately from Phase 1. A proposal mismatch error indicates that the Phase 2 parameters (such as encryption algorithm, authentication algorithm, and PFS settings) do not match between the two peers.
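Questions 511, 522 and 523 all come down to what the two peers offer each other. This added FortiOS CLI example (written for this page, not from the original questions or Fortinet's documentation) shows a dial-up Phase 1 moved to IKEv2 with a single explicit proposal per phase, the configuration least likely to produce 'no suitable proposal found' or 'proposal mismatch'. The names dialup-ikev2 and wan1, the pre-shared key placeholder and the algorithm choices are assumptions; the remote side must be configured with the same algorithms and PFS group. Lines starting with # are annotations.

```fortios
# Phase 1: IKEv2, one proposal, DH group 14. "type dynamic" makes this a dial-up
# gateway that accepts peers from any address; IKEv2 completes the exchange in
# four messages where IKEv1 main mode needs six.
config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-a-long-random-secret"
    next
end

# Phase 2 (the IKEv2 CHILD_SA): proposal and PFS group must overlap with what the
# peer offers. The errors quoted in questions 511 and 523 mean nothing here overlapped.
config vpn ipsec phase2-interface
    edit "dialup-ikev2-p2"
        set phase1name "dialup-ikev2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end

# Compare both sides: prints the proposals as configured, per tunnel.
diagnose vpn ike config list

# Watch a live negotiation: the IKE debug prints the proposals each side sends and
# which one, if any, was selected. Always turn the debug off again.
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

Changing ike-version on one peer only is itself a Phase 1 failure, so make the switch on both sides in the same maintenance window; dial-up clients that only speak IKEv1 need their own Phase 1 definition.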

524
MCQmedium

An administrator wants to view the current session table entries filtered by destination port 443. Which command should be used?

A.diagnose sys session filter dport 443; diagnose sys session list
B.execute session list dport 443
C.diagnose debug flow filter dport 443
D.diagnose sys session list dport 443
AnswerA

This is the correct sequence to filter and then list sessions.

Why this answer

The 'diagnose sys session filter' command sets filters, and 'diagnose sys session list' displays the filtered sessions.
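Questions 517 and 524 combined, as an added FortiOS CLI example written for this page (not from the original questions or Fortinet's documentation): set the filter, list, then clear it, with a constructed excerpt of one entry annotated the way question 517 reads it. The addresses, ports and policy ID in the excerpt are made up. Lines starting with # are annotations.

```fortios
# Start by clearing any filter left behind by an earlier session; a stale filter is the
# usual reason "diagnose sys session list" shows nothing, or the wrong sessions.
diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter dport 443
diagnose sys session filter list
diagnose sys session list
diagnose sys session filter clear

# Constructed excerpt of one listed entry (other fields omitted):
#   session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 ...
#   hook=post dir=org act=snat 192.168.1.10:51234->198.51.100.5:443(203.0.113.10:51234)
#   hook=pre dir=reply act=dnat 198.51.100.5:443->203.0.113.10:51234(192.168.1.10:51234)
#   misc=0 policy_id=1 ...
#
# How to read it:
#   proto=6 proto_state=01     TCP; second digit 1 = ESTABLISHED (2 would be SYN_SENT)
#   expire=3599 timeout=3600   the established-session TTL was just refreshed by traffic
#   act=snat / act=dnat        source NATed to 203.0.113.10 on the way out, reversed on reply
#   policy_id=1                the firewall policy that accepted the session

# Caution: "diagnose sys session clear" removes every session matching the current
# filter, and with no filter set it removes ALL sessions on the unit.
```

Filters are cumulative: a second "filter dport" replaces the port value, but a "filter src" added later narrows the existing filter rather than replacing it, which is why the listing step above is bracketed by two clears.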

525
MCQeasy

Which log severity level indicates that a device is unusable and requires immediate attention?

A.Error
B.Critical
C.Emergency
D.Alert
AnswerC

Emergency (level 0) indicates the system is unusable.

Why this answer

FortiGate log severity levels are: Emergency (0), Alert (1), Critical (2), Error (3), Warning (4), Notification (5), Information (6), Debug (7). Emergency is the highest severity, indicating the system is unusable.
