Fortinet NSE 4 Network Security Professional (NSE4) — Questions 526-600

1000 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526
MCQ · medium

An organization uses FortiSandbox to detect advanced threats. The administrator wants to ensure that files downloaded from the internet are sent to FortiSandbox for analysis before being delivered to users. Which Antivirus profile setting should be configured?

A.Enable 'Inline Scan' for FortiSandbox
B.Enable 'FortiSandbox Monitoring'
C.Enable 'FortiSandbox Quarantine'
D.Set 'Scan Mode' to 'Quick'
Answer: A

Inline scanning submits the file to FortiSandbox and holds delivery until a verdict comes back, at the cost of added latency for the user.

Why this answer

Option A is correct. With FortiSandbox inline scanning enabled in the Antivirus profile, FortiGate sends the file to FortiSandbox and waits for the verdict before allowing or blocking it. The other FortiSandbox settings submit files for analysis after they have been delivered, so a malicious file has already reached the user by the time the verdict arrives. 'Quick' scan mode is a performance trade-off for the local antivirus engine and has nothing to do with sandboxing.

527
MCQ · medium

A network administrator has configured a firewall policy allowing traffic from the internal network (10.0.0.0/8) to the internet. Users report that some websites are not loading. The administrator runs 'diagnose firewall iprope list 100000' and sees the policy listed with a hit count of zero. What is the MOST likely cause?

A.The source interface or destination interface is incorrectly configured
B.The policy has a schedule that does not match the current time
C.The policy is placed below a more specific or broader policy that matches the same traffic
D.The FortiGate has a routing issue preventing traffic from reaching the internet
Answer: C

A hit count of zero means no session has ever matched this policy. Policies are evaluated top-down and the first match wins, so an earlier policy is taking the traffic.

Why this answer

The policy is enabled and listed, but its hit count is zero, so no traffic is reaching it: an earlier policy that also matches the source, destination, interfaces and service is selected first, and the traffic is then subject to that policy's action and security profiles. Check the policies above it in the list, and confirm with debug flow which policy ID a session actually hits: 'diagnose debug flow filter addr <client-ip>', 'diagnose debug enable', 'diagnose debug flow trace start 10'. Options A, B and D can all leave the counter at zero as well, but a wrong interface, a non-matching schedule or a missing route would normally break all websites; the symptom of only some websites failing points to a more specific policy above this one catching part of the traffic.

528
MCQ · medium

An organization wants to send FortiGate logs to a central log management system for long-term storage and compliance. Which FortiGate feature is specifically designed for collecting and analyzing logs from multiple FortiGate devices?

A.Disk logging
B.FortiGuard
C.FortiCloud
D.FortiAnalyzer
Answer: D

FortiAnalyzer is the dedicated log collector and analyzer for Fortinet devices.

Why this answer

FortiAnalyzer is the central log management and analysis platform for Fortinet devices. It aggregates logs, generates reports, and provides long-term storage.

529
Multi-Select · hard

Which THREE steps are necessary when configuring SSL deep inspection on FortiGate? (Choose three.)

Select 3 answers
A.Add a static route to the internet.
B.Create an SSL inspection profile defining the inspection mode.
C.Configure a forward proxy server.
D.Apply the SSL inspection profile to a firewall policy.
E.Generate or import a CA certificate on FortiGate.
Answers: B, D, E

Profile defines deep inspection settings.

Why this answer

Option B is correct because the SSL/SSH inspection profile defines how FortiGate handles encrypted traffic, including the inspection mode: certificate inspection, which only reads the server certificate, or full (deep) inspection, which decrypts and re-encrypts the session. Option E is correct because deep inspection works by re-signing the server certificate on the fly, so FortiGate needs a CA certificate whose private key it holds, either the built-in Fortinet_CA_SSL or an imported enterprise CA; that CA must also be trusted by the clients, or every site shows a certificate warning. Option D is correct because a profile has no effect until it is referenced by the firewall policy that carries the traffic, and decryption is only performed when that policy also applies a security profile (antivirus, web filter, IPS, application control) that needs the plaintext.

Exam trap

The trap here is that candidates often confuse general network configuration steps (like static routes) with SSL inspection-specific steps, or mistakenly think a separate forward proxy server must be configured, when in fact FortiGate handles the proxy role internally.
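The three steps above as one CLI configuration. This is an added example, not from the question bank or from Fortinet documentation; it relies on the built-in Fortinet_CA_SSL certificate, and the profile name corp-deep-inspect, the policy ID, the interfaces port2 and wan1 and the exemption object pinned-app-hosts (with a placeholder FQDN) are assumptions.

```fortios
# Step 1 (option E): the CA that signs the re-issued server certificates.
# The built-in Fortinet_CA_SSL is used here. In production import your own
# subordinate CA (System > Certificates) and push it to the clients' trust
# stores, otherwise every HTTPS site shows a certificate warning.

# Destinations that break under interception (certificate pinning, mutual TLS).
# "pinned-app-hosts" and its FQDN are assumed placeholders.
config firewall address
    edit "pinned-app-hosts"
        set type fqdn
        set fqdn "updates.example.com"
    next
end

# Step 2 (option B): an SSL/SSH inspection profile in full (deep) mode.
config firewall ssl-ssh-profile
    edit "corp-deep-inspect"
        set comment "Decrypt and re-sign HTTPS with the corporate CA"
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type address
                set address "pinned-app-hosts"
            next
        end
    next
end

# Step 3 (option D): attach the profile to the policy that carries the traffic.
# Decryption only happens when a security profile needs the plaintext, so an
# antivirus and a web filter profile are applied alongside it.
config firewall policy
    edit 10
        set name "LAN-to-Internet-inspected"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "corp-deep-inspect"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
```

To confirm it is working, open any HTTPS site from a client behind port2 and inspect the certificate chain in the browser: the issuer must be the FortiGate's CA rather than the site's public CA. A site in the exemption list must still present its original certificate.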

530
Multi-Select · hard

A FortiGate administrator is troubleshooting an SSL VPN issue where users can authenticate but cannot access any internal resources. The SSL VPN status shows 'connected'. Which THREE commands or actions should be used to diagnose the problem?

Select 3 answers
A.'execute ping 8.8.8.8'
B.Check the firewall policies that match the SSL VPN interface.
C.'diagnose debug application sslvpn -1'
D.'get router info routing-table'
E.'diagnose vpn ssl stat'
Answers: B, D, E

Policies must permit traffic from the SSL VPN interface (ssl.root) to the internal networks, and the FortiGate needs routes for the addresses on both ends of the tunnel.

Why this answer

Authentication succeeds and the tunnel is up, so the problem is what happens to traffic after it enters the tunnel. Option E ('diagnose vpn ssl stat') confirms the tunnel state and the address assigned to the user. Option D ('get router info routing-table') verifies that the internal subnets are reachable and that the tunnel address pool is routed to the SSL VPN interface, otherwise return packets never reach the client. Option B checks the firewall policy from the SSL VPN interface to the internal interface, which must exist and must include the user's group; without it the traffic is dropped by the implicit deny. Option C is a valid debug for connection and login failures, but the user is already connected, and option A only tests the FortiGate's own internet reachability, which is unrelated to the internal resources.

531
MCQ · medium

What is the primary advantage of using IKEv2 over IKEv1 for IPsec VPN?

A.IKEv2 has built-in support for NAT traversal and MOBIKE
B.IKEv2 supports only main mode
C.IKEv2 requires aggressive mode
D.IKEv2 is only for route-based VPN
Answer: A

IKEv2 includes NAT traversal in the base protocol and supports MOBIKE for peers whose address changes.

Why this answer

IKEv2 (RFC 7296) builds NAT-T detection into the initial exchange, adds MOBIKE (RFC 4555) so a peer can move between addresses without renegotiating the tunnel, and establishes the security association in fewer messages (IKE_SA_INIT plus IKE_AUTH) than IKEv1 main mode followed by quick mode. IKEv2 has no main or aggressive mode, so options B and C describe IKEv1 concepts, and it works with both policy-based and route-based VPNs, so option D is wrong.

532
Multi-Select · hard

A company sets up a hub-and-spoke IPsec VPN where all spokes must communicate through the hub. The hub uses policy-based IPsec. Which THREE configurations are required on the hub to allow spoke-to-spoke traffic? (Select three.)

Select 3 answers
A.Configure IKEv2 instead of IKEv1
B.Separate phase2 selectors defining traffic between each pair of spokes
C.Static routes for each spoke's subnet pointing to the respective VPN interface
D.Firewall policies allowing traffic from each spoke's interface to the other spoke's interface
E.Enable NAT on the hub for spoke-to-spoke traffic
Answers: B, C, D

A policy-based hub needs phase 2 selectors that cover each spoke-to-spoke pair (or one broad selector covering all spoke subnets), routes for every spoke subnet, and firewall policies that permit traffic between the spoke tunnels.

Why this answer

For spoke-to-spoke traffic to transit the hub, the hub must be able to route to each spoke subnet (static routes), must have firewall policies that permit traffic arriving from one spoke and leaving towards another, and must have phase 2 selectors that match each source/destination spoke pair, or a broad selector covering all spoke subnets, because policy-based IPsec only encrypts traffic that matches a selector. Switching to IKEv2 changes none of this, and NAT is not required because the spoke subnets are routable across the tunnels. A route-based (interface mode) VPN is the usual recommendation for hub-and-spoke designs precisely because it replaces the per-pair selectors with ordinary routes.

533
MCQ · medium

An administrator needs to allow SSH access to the FortiGate's management interface from a specific management subnet (10.0.1.0/24). Which configuration achieves this?

A.Set the administrative access profile to allow SSH from any IP
B.Configure a firewall policy to allow SSH from 10.0.1.0/24 to the FortiGate
C.Under system admin settings, set the trusted host for the administrator to 10.0.1.0/24 and enable SSH access
D.Create a local-in policy to allow SSH from 10.0.1.0/24
Answer: C

Trusted hosts restrict the source IPs allowed to manage the device.

Why this answer

Option C is correct because the trusted host setting under system admin settings restricts administrative access (including SSH) to the specified source IP or subnet. By setting the trusted host to 10.0.1.0/24 and enabling SSH access on the interface, the FortiGate ensures that only SSH connections originating from that management subnet can reach the management interface. Trusted hosts are configured per administrator account (trusthost1 through trusthost10), so every account needs them: an account left without trusted hosts remains reachable from any source on any interface that has the protocol enabled.

Exam trap

The trap here is that candidates often confuse firewall policies (which control transit traffic) with administrative access controls (which control traffic destined to the FortiGate itself), leading them to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because setting the administrative access profile to allow SSH from any IP would permit SSH connections from all sources, not just the specific management subnet, violating the requirement. Option B is wrong because firewall policies control traffic passing through the FortiGate between interfaces, not traffic destined to the FortiGate itself; administrative access is governed by administrative access settings and trusted hosts, not firewall policies. Option D is wrong because local-in policies are used to filter traffic destined to the FortiGate's own IP addresses, but they are not the primary or recommended method for restricting administrative access; the trusted host setting is the correct and simpler approach for this purpose.

534
MCQ · medium

An administrator wants to ensure that log messages are categorized by severity and that only events with severity 'error' and above are sent to the syslog server. Which configuration should be used?

A.Set 'set severity critical' in syslog config
B.Set 'set severity error' in syslog config
C.Set 'set severity warning' in syslog config
D.Set 'set severity alert' in syslog config
Answer: B

Setting the severity to error sends events with severity error, critical, alert and emergency.

Why this answer

Option B is correct. The syslog filter ('config log syslogd filter', 'set severity error') defines the minimum severity that is forwarded; everything at that level or more severe is sent. Syslog severities run, from most to least severe, emergency, alert, critical, error, warning, notification, information, debug, so 'error' includes error, critical, alert and emergency. 'critical' or 'alert' would drop the error messages the administrator wants, and 'warning' would forward more than required.

535
MCQ · medium

A FortiGate is operating in transparent mode. The admin needs to allow HTTP traffic from users to a web server. Which type of firewall policy is required?

A.A layer 2 firewall policy
B.A policy-based NAT rule
C.A firewall policy using zone-based security
D.A VIP policy to map the web server's public IP
Answer: A

In transparent mode the FortiGate forwards frames as a Layer 2 bridge between its interfaces, so the policy that allows the traffic is a plain firewall policy with no routing, NAT or VIP involved.

Why this answer

In transparent mode the FortiGate has no IP addresses on its data interfaces (only a management IP) and forwards traffic by MAC address like a bridge. Traffic is still allowed or denied by a firewall policy that names the source and destination interfaces, the source and destination addresses and the service (HTTP here), and security profiles can still be applied. What distinguishes it from a NAT/route-mode policy is that no route lookup, source NAT or VIP takes part, which is what the question calls a Layer 2 firewall policy.

Exam trap

The trap here is that candidates assume a firewall policy must include NAT or a VIP, but in transparent mode the FortiGate never rewrites addresses; the policy simply permits the bridged traffic.

How to eliminate wrong answers

Option B is wrong because NAT rules belong to NAT/route mode; a transparent-mode FortiGate does not translate addresses. Option C is wrong because zones are only a way of grouping interfaces for policy purposes, not a policy type, and are not what makes transparent-mode forwarding work. Option D is wrong because a VIP performs destination NAT to map a public IP to a private one, which only makes sense in NAT/route mode where the FortiGate routes between networks.

536
MCQ · medium

An administrator is configuring a new FortiGate and wants to allow management access from the internal network via HTTPS. The internal interface is port2 with IP 192.168.1.1/24. Which CLI command correctly enables HTTPS administrative access on port2?

A.config firewall policy edit 1 set allowaccess https end
B.config system interface edit port2 set allowaccess https end
C.config system admin edit admin set https enable end
D.config system global set admin-https enable end
Answer: B

This command sequence correctly enters the interface configuration for port2 and enables HTTPS access.

Why this answer

Option B is correct because the `config system interface` command is the proper context to set the `allowaccess` parameter, which controls the administrative protocols (such as HTTPS) permitted on a specific FortiGate interface. By editing port2 and setting `allowaccess https`, the administrator enables HTTPS management access on that interface, allowing internal users to reach the FortiGate's web GUI via 192.168.1.1.

Exam trap

The trap here is that candidates confuse the `allowaccess` parameter (which is set under `config system interface`) with global settings or firewall policies, mistakenly thinking that enabling HTTPS globally or in a policy will grant interface-specific management access.

How to eliminate wrong answers

Option A is wrong because `config firewall policy` defines rules for traffic that passes through the FortiGate between interfaces, not administrative access to the device itself; `allowaccess` does not exist in the firewall policy context. Option C is wrong because `config system admin` manages administrator accounts, their profiles and trusted hosts, not interface-level protocol access; `set https enable` is not valid there. Option D is wrong because `config system global` holds device-wide settings; the HTTPS-related setting there is `set admin-sport`, which changes the port the GUI listens on, and there is no `admin-https` option. A practical caveat for option B: `set allowaccess https` replaces the whole list of allowed protocols on port2, so any ping or SSH access already enabled is removed; `append allowaccess https` adds HTTPS while keeping the existing entries.

537
MCQ · medium

A network admin receives an alert that the FortiGate disk logs are no longer being written. The admin checks the disk status and sees that the disk is full. However, the admin needs to preserve the logs for compliance purposes. Which action should the admin take to continue logging while preserving the existing logs?

A.Configure log upload to FortiAnalyzer and manually archive current logs, then clear the local disk
B.Increase the log disk quota to allow more logs
C.Delete all logs from the disk and restart logging
D.Compress the existing log files and set a higher compression level for future logs
Answer: A

Uploading the existing logs to FortiAnalyzer preserves them off-device; clearing the local disk afterwards frees space so logging can continue.

Why this answer

Option A is correct. The compliance requirement rules out deleting the logs (option C), and neither raising the disk quota (option B) nor compressing the files (option D) helps once the physical disk is full; both only postpone the problem. Archiving the existing logs to FortiAnalyzer (or exporting them) before clearing the disk preserves them, and configuring FortiAnalyzer as an ongoing log destination prevents the same outage from recurring.

Practitioner check: 'config log disk setting' has 'set diskfull overwrite' (the default, which rolls over and overwrites the oldest logs when the quota is reached) or 'set diskfull nolog' (which stops logging, the symptom described here). Long-term retention should never depend on the local disk in either case.

538
MCQ · hard

A FortiGate is configured with multiple WAN interfaces and ECMP routing. The administrator notices that traffic to a particular destination is intermittently failing. What is the MOST likely cause?

A.The ECMP routes have different distances.
B.The ECMP load balancing method is set to source-destination IP hash, causing asymmetric routing.
C.The FortiGate's session table is full.
D.The firewall policies are not configured for ECMP.
Answer: B

If flows to the same destination end up on different WAN links, or return traffic comes back on a different link than the one the session left on, the stateful session table breaks those sessions intermittently.

Why this answer

With ECMP across several WAN interfaces, each link typically has its own public address and the FortiGate source-NATs each session to the address of the link it chose. The load balancing method ('config system settings', 'set v4-ecmp-mode': source-ip-based, source-dest-ip-based, weight-based or usage-based) decides which link a new session takes. Under a source-destination hash, sessions towards one service can land on different links as the hash inputs vary (different client addresses, or different destination addresses behind the same service), so the destination sees the same client arriving from different public addresses and may reject part of the traffic; and if the destination's replies enter on a different WAN interface than the one the session left on, stateful inspection discards them, because asymmetric routing is disabled by default ('set asymroute'). Either effect shows up as intermittent failures towards particular destinations. The fix is to keep a destination on one link, for example with a policy route or source-ip-based balancing, rather than enabling asymroute, which disables stateful checking.

Exam trap

The trap here is that candidates assume ECMP always works seamlessly with any load balancing method, overlooking that source-destination IP hash can cause asymmetric routing and session disruption when combined with stateful firewalling.

How to eliminate wrong answers

Option A is wrong because ECMP routes must have equal distances to be considered for load balancing; different distances would result in route selection based on distance, not ECMP. Option C is wrong because a full session table would cause all new sessions to fail, not just traffic to a particular destination intermittently. Option D is wrong because firewall policies do not need special ECMP configuration; they apply to traffic regardless of the routing path, and ECMP operates at the routing level, not the policy level.

539
Multi-Select · hard

An admin is troubleshooting why traffic from VLAN 10 to the internet is not being translated by a Central SNAT rule. The Central SNAT rule is configured with source interface 'port2.10', destination interface 'wan1', source address '192.168.10.0/24', and IP pool 'pool1'. The firewall policy for internet access has NAT enabled but no IP pool attached. Which THREE steps should the admin take to resolve the issue? (Choose three.)

Select 3 answers
A.Verify that the firewall policy does not have an IP pool configured
B.Ensure the Central SNAT rule's IP pool is configured with overload enabled
C.Check that the Central SNAT rule's source interface matches the actual incoming interface (port2.10)
D.Disable NAT on the firewall policy to force Central SNAT usage
E.Confirm that the firewall policy's 'NAT' option is enabled
Answers: A, C, E

If the policy itself carries an IP pool, that pool is used and the central SNAT table is bypassed.

Why this answer

As this question frames it, central SNAT rules apply when the firewall policy has NAT enabled but no IP pool attached; a policy with its own IP pool overrides the central rule, and a policy with NAT disabled is never translated. The central SNAT rule must also match the traffic as it actually arrives: the source interface has to be the VLAN sub-interface port2.10 rather than the parent port2, the destination interface wan1, and the source address object the 192.168.10.0/24 range. Overload (option B) is the normal pool type but cannot explain a complete absence of translation, and disabling NAT (option D) would stop translation entirely.

Practitioner checks: central SNAT is only consulted when central NAT is switched on ('config system settings', 'set central-nat enable'), and once it is on the translation for matching traffic comes from the central SNAT table rather than from the policy; central SNAT rules are matched top-down, so a broader rule above this one wins; and 'diagnose sys session list' shows whether a session was translated and to which address.
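The central SNAT set-up the question describes, written out as an added example (not from the question bank or from Fortinet documentation). The pool address 203.0.113.10, the address object name vlan10-net and the policy ID are assumptions; port2.10, wan1, pool1 and 192.168.10.0/24 come from the question.

```fortios
# Central SNAT rules are only consulted once central NAT is enabled.
config system settings
    set central-nat enable
end

# The pool the rule hands out. Overload (PAT) lets one public address serve
# the whole /24. 203.0.113.10 is a documentation-range placeholder.
config firewall ippool
    edit "pool1"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Source address object for VLAN 10 (assumed name).
config firewall address
    edit "vlan10-net"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# The central SNAT rule. srcintf must be the interface the traffic really
# enters on (the VLAN sub-interface, not the parent port2), and the rule
# must sit above any broader rule in the table; matching is top-down.
config firewall central-snat-map
    edit 1
        set srcintf "port2.10"
        set dstintf "wan1"
        set orig-addr "vlan10-net"
        set dst-addr "all"
        set nat enable
        set nat-ippool "pool1"
    next
end

# The forward policy decides whether the traffic is allowed; with central NAT
# on, the translation itself is taken from the central SNAT table above.
config firewall policy
    edit 20
        set name "VLAN10-to-Internet"
        set srcintf "port2.10"
        set dstintf "wan1"
        set srcaddr "vlan10-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After a client on VLAN 10 opens a connection, 'diagnose sys session list' should show the session with a 'snat' entry and 203.0.113.10 as the translated source; if the original 192.168.10.x address appears unchanged, the rule did not match and the interface and address fields are the first things to compare against 'diagnose debug flow' output.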

540
MCQ · hard

A FortiGate administrator runs 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and sees the following output for a session: src=10.0.1.10 dst=192.168.2.20 sport=12345 dport=443 proto=6 vrf=0 What does the 'proto=6' indicate about this session?

A.The session is using UDP
B.The session is using ESP
C.The session is using TCP
D.The session is using ICMP
Answer: C

Protocol number 6 is TCP.

Why this answer

Option C is correct. The proto field holds the IP protocol number: 6 is TCP, 17 is UDP, 1 is ICMP and 50 is ESP. Together with dport=443 this is a TCP session to port 443 (HTTPS) from 10.0.1.10 to 192.168.2.20.

541
MCQ · medium

A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?

A.The policy is placed below a deny-all policy
B.NAT is not configured on the policy
C.The firewall does not have a route to the 10.0.0.0/8 network
D.The policy is disabled
Answer: C

Without a route to the source network, the FortiGate drops the traffic at the reverse path check and would have no way to deliver the web server's replies.

Why this answer

The most likely cause is that the firewall has no route to 10.0.0.0/8. Even with the policy enabled and correctly placed, the FortiGate applies a reverse path forwarding (RPF) check to the first packet of a session: if the routing table has no route back to the source address (in strict mode it must also point out of the interface the packet arrived on), the packet is dropped as spoofed before any policy is evaluated, and the same missing route would leave the server's responses with nowhere to go. Users on other internal networks, which are routed, keep working. 'diagnose debug flow' reports such drops as a reverse path check failure, and 'get router info routing-table all' confirms whether the source network is present.

Exam trap

The trap here is that candidates often focus solely on the policy configuration (order, NAT, enablement) and overlook the fundamental requirement that the firewall must have a route to the source network for return traffic to flow correctly.

How to eliminate wrong answers

Option A is wrong because a deny-all policy below the HTTP policy would not affect traffic matched by the higher-priority allow policy; the firewall processes policies top-down and stops at the first match. Option B is wrong because NAT is not required for HTTP traffic from internal users to an internal web server; NAT is typically used for translating private IPs to public IPs when accessing external networks. Option D is wrong because the question explicitly states the policy is enabled, so a disabled policy cannot be the cause.

542
MCQ · medium

A FortiGate administrator notices that the HA cluster is frequently failing over even though no hardware failure has occurred. The heartbeat link shows some packet loss. What is the best action to reduce unnecessary failovers?

A.Lower the heartbeat interval
B.Change HA mode to active-active
C.Increase the failover threshold
D.Disable session synchronization
Answer: C

A higher lost-heartbeat threshold requires more consecutive missed heartbeats before a failover, which makes the cluster tolerate transient packet loss on the heartbeat link.

Why this answer

Option C is correct. In 'config system ha', 'hb-interval' sets how often heartbeats are sent (in units of 100 ms, default 2) and 'hb-lost-threshold' sets how many consecutive heartbeats may be missed before the peer is declared failed (default 6, about 1.2 seconds with the default interval). Raising hb-lost-threshold, or lengthening hb-interval, makes the cluster slower to react to a genuine failure but stops a few dropped heartbeat packets from triggering a failover. Lowering the interval (option A) makes the cluster more sensitive, active-active (option B) changes how traffic is shared but not how failures are detected, and disabling session synchronisation (option D) only makes each failover more disruptive. Fixing the packet loss on the heartbeat link itself is still the right long-term action.

543
Multi-Select · medium

A FortiGate is configured with an application control profile to allow only 'business-approved' applications. Users are still able to use Skype for Business. The admin wants to ensure that only Skype for Business is allowed and other Skype variants are blocked. Which THREE steps should the admin take? (Choose three.)

Select 3 answers
A.Identify the exact application signatures for Skype for Business
B.Apply the application control profile to the firewall policy
C.Enable logging for all traffic to verify the application being used
D.Create a custom application signature for Skype for Business
E.Block all other Skype-related application signatures
Answers: A, B, E

Allow the exact Skype for Business signature, block the other Skype signatures, and make sure the profile is actually applied to the policy.

Why this answer

Options A, B and E are correct. FortiGuard already ships separate signatures for Skype for Business and the consumer Skype variants, so the administrator needs to identify the exact signature for Skype for Business and set it to allow (option A), set the remaining Skype-related signatures to block (option E), and apply the application control profile to the firewall policy that carries the traffic (option B); a profile that is not referenced by a policy does nothing. A custom signature (option D) is unnecessary because the signatures exist, and logging all traffic (option C) helps verify which application is in use but is not a step in enforcing the block.

544
MCQ · easy

An administrator needs to back up the FortiGate configuration to a remote server. Which protocol is supported for backup?

A.FTP
B.SNMP
C.HTTP
D.TFTP
Answer: D

TFTP is a supported backup target: 'execute backup config tftp <filename> <server-ip>' writes the configuration to the server and 'execute restore config tftp' reads it back. Two practitioner notes: FortiOS also provides 'execute backup config ftp <filename> <server>[:port] [<user>] [<password>]', so option A is not wrong on a real device, but TFTP is the answer this question expects; and both TFTP and FTP carry the backup in clear text across the network, so encrypt the backup with a password ('execute backup config tftp <filename> <server-ip> <password>') and keep the transfer on a trusted management network.

545
MCQ · hard

A large enterprise is deploying a FortiGate 600F as the perimeter firewall. The security team requires that all administrative access (SSH, HTTPS, and Ping) to the FortiGate must be restricted to a dedicated management network (10.10.10.0/24). Additionally, any failed login attempt from outside the management network should be logged and the source IP should be blocked for 30 minutes. The administrator has configured a local-in policy to deny all administrative access from non-management networks and enabled logging. However, the administrator wants to automatically block the offending IPs. The FortiGate is not connected to any FortiAnalyzer or FortiManager. What should the administrator do to achieve this?

A.Create an automation stitch that triggers on local-in policy logging and adds the source IP to a blocked list via CLI script.
B.Use a FortiAnalyzer to generate alerts and send to SIEM.
C.Configure a firewall policy to block the offending IPs manually based on logs.
D.Enable 'set block-session-ttl' on the local-in policy.
Answer: A

An automation stitch can react to the local-in policy's log event and ban the offending address without any external system.

Why this answer

Option A is correct because an automation stitch can be triggered by the log event generated when the local-in policy denies and logs the access attempt, and its action can ban the source address for a set duration: either the built-in IP Ban action ('config system automation-action', 'set action-type ban-ip', with a duration in seconds), or a CLI script action that runs 'diagnose user banned-ip add src4 <ip> <seconds> admin' with 1800 for the 30-minute requirement. The banned address is then dropped by the FortiGate's own quarantine mechanism, so no FortiAnalyzer or FortiManager is needed. 'diagnose user banned-ip list' shows the active bans and their remaining time.

Exam trap

The trap here is that candidates confuse 'block-session-ttl' (which only controls session timeout for already-blocked traffic) with automatic IP banning, or assume external devices like FortiAnalyzer are required when the FortiGate's automation stitch can handle the task locally.

How to eliminate wrong answers

Option B is wrong because the FortiGate is not connected to any FortiAnalyzer or FortiManager, so it cannot rely on external devices to generate alerts or forward logs to a SIEM. Option C is wrong because manually blocking IPs based on logs is not automatic and does not meet the requirement for automatic blocking; it also contradicts the need for a real-time response. Option D is wrong because 'set block-session-ttl' on a local-in policy only controls the session timeout for blocked traffic, not the automatic addition of source IPs to a banned list; it does not trigger a dynamic block action.

546
Multi-Select · medium

A FortiGate administrator is troubleshooting an SSL VPN issue where remote users cannot access internal resources after successful authentication. Which TWO steps should the admin take to resolve the issue? (Select two.)

Select 2 answers
A.Verify that a firewall policy exists allowing traffic from the SSL VPN interface to the internal network
B.Increase the authentication timeout
C.Check the routing table on the FortiGate to ensure return routes are present
D.Restart the FortiGate
E.Disable the SSL VPN portal
Answers: A, C

A firewall policy is required to permit traffic from the SSL VPN interface, and routing must cover both directions.

Why this answer

When authentication succeeds but no resource is reachable, the usual causes are a missing or too narrow firewall policy from the SSL VPN interface (ssl.root) to the internal network, or routing: the internal subnets must be reachable from the FortiGate, the client must receive a route for them (split tunnelling) or send everything through the tunnel, and the tunnel address pool must be routed back to ssl.root. Increasing the authentication timeout, restarting the FortiGate or disabling the portal address neither cause.

547
Drag & Drop · medium

Drag and drop the steps to troubleshoot a user unable to access the internet through FortiGate into the correct order.


Why this order

Troubleshooting follows a logical flow: policy, NAT, routing, packet capture, then logs.

548
MCQ · medium

Refer to the exhibit. The administrator notices that traffic from internal to wan1 is being logged, but the logs do not show the original source IP. What is the most likely reason?

A.The schedule is set to 'always', causing no time-based logging.
B.NAT is enabled, so the source IP is replaced with the public IP.
C.Logging is set to 'all' but only 'utma' events are logged.
D.The policy action is 'accept' without authentication.
Answer: B

NAT replaces the internal source address with the public one on the way out.

Why this answer

When NAT is enabled on the policy, the internal source address is translated to the wan1 address (or an IP pool address) before the packet leaves, so anything that records the traffic beyond that point, and any log field that shows the translated address, carries the public IP rather than the original client address. It is the only option that changes addresses at all, which makes it the most likely reason the original source is not visible. Practitioner caveat: the FortiGate's own forward traffic log keeps the pre-NAT address in srcip and records the translated address separately in transip and transport, so if the logs in question are the FortiGate's, the original address is still there and the administrator is reading the wrong field; if they come from an upstream device, the original address was never visible to it.

Exam trap

The trap here is that candidates may think logging settings or policy actions (like authentication) affect the source IP in logs, when in fact NAT translation is the direct cause of the original source IP being replaced.

How to eliminate wrong answers

Option A is wrong because a schedule of 'always' only means the policy is active at all times; it has no effect on which addresses appear in the log. Option C is wrong because the logging option ('all' versus security events only) controls which sessions are logged, not which fields are recorded; the translated address would appear in the same places whichever setting is used. Option D is wrong because an 'accept' action without authentication simply allows the traffic without a user login; it does not hide or change the source IP in the logs.

549
MCQ · medium

An administrator configures a policy route to send all traffic from subnet 172.16.1.0/24 to a specific next-hop 10.0.0.2. However, the traffic is still using the default route. What could be the reason?

A.The policy route has a lower priority than the default route.
B.The policy route does not have a destination interface set.
C.The policy route must be configured before the default route.
D.The source subnet is not correctly defined in the policy route.
Answer: A

Why this answer

Policy routes are consulted before the routing table and are evaluated top-down by sequence number, so a matching policy route normally wins over a static default route. It is skipped, and the traffic falls back to the default route, when the FortiGate has no active route to the destination out of the policy route's outgoing interface: FortiOS only uses a policy route if the routing table can reach the destination through that interface. Option A describes this outcome, the default route taking precedence over the policy route. The fix is to give the policy route's interface an active route, typically a second default route with the same distance as the primary one but a higher priority value, so it stays in the routing table without being preferred for ordinary traffic (on FortiGate, 'priority' is only compared between routes of equal distance, and the lower value is preferred). Confirm with 'diagnose firewall proute list', which shows the policy routes in evaluation order, and 'get router info routing-table all', which shows whether a route exists out of the policy route's interface.

Exam trap

The trap here is that candidates assume a policy route is always honoured once it matches, overlooking that FortiOS still requires a route to the destination through the policy route's outgoing interface; when that route is missing or inactive, the policy route is silently bypassed.

How to eliminate wrong answers

Option B is wrong because the question describes a policy route that is configured towards a specific next hop, so the outgoing interface and gateway are present; the symptom is a route that matches but is not usable, not one that is incomplete. Option C is wrong because policy routes are evaluated before static routes regardless of the order in which they were configured; only the sequence among policy routes matters. Option D is wrong because if the source subnet did not match, the policy route would never apply at all, whereas the question states it was written for 172.16.1.0/24; the symptom points to a route that matches but is not being selected.
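The policy route from the question together with the route that makes it usable, as an added example (not from the question bank or from Fortinet documentation). The interfaces port2 and port3, the primary default gateway 198.51.100.1 on wan1 and the assumption that 10.0.0.2 is directly reachable on port3 are mine; 172.16.1.0/24 and 10.0.0.2 come from the question.

```fortios
config router static
    # Primary default route (assumed to exist already) towards the ISP on wan1.
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
    next
    # Second default route out of the policy route's interface. Same distance
    # so it stays in the active routing table, higher priority value so normal
    # traffic still prefers wan1. Without an active route out of port3 the
    # policy route below is skipped and the traffic uses wan1.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.0.0.2
        set device "port3"
        set distance 10
        set priority 5
    next
end

# Source-based policy route: everything from 172.16.1.0/24 arriving on port2
# leaves via port3 towards 10.0.0.2. Policy routes are matched top-down by
# sequence number before the routing table is consulted.
config router policy
    edit 1
        set input-device "port2"
        set src "172.16.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "port3"
        set gateway 10.0.0.2
        set action permit
        set status enable
    next
end
```

'get router info routing-table all' must now list both default routes (the port3 one with the higher priority value), and 'diagnose firewall proute list' shows the policy route. A debug flow trace for a 172.16.1.0/24 client should report the route decision as going out port3; if it still shows wan1, the port3 default route is not active.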

550
MCQ · easy

A network administrator needs to configure a FortiGate to allow HTTPS access to the GUI from the internal network. Which two steps must be performed?

A.Create a firewall policy that permits HTTPS traffic from internal to the FortiGate interface IP.
B.Enable HTTPS administrative access on the internal interface.
C.Disable HTTP administrative access on the internal interface.
D.Enable SSH administrative access on the internal interface.
Answers: A, B

Enabling HTTPS administrative access on the interface is what makes the FortiGate listen; this question bank also counts a firewall policy as a required step.

Why this answer

Option B is the step that matters: administrative access is granted per interface, and until HTTPS is in port2's allowaccess list the FortiGate does not listen for GUI connections on that interface, whatever else is configured. Option A is what this question bank marks as the second required step. Caveat for real deployments: traffic addressed to the FortiGate's own interface IP is local-in traffic, which is controlled by allowaccess, trusted hosts and local-in policies rather than by forward firewall policies (the same distinction Question 533 relies on), so on an actual device no firewall policy is needed for GUI access from the internal network. Restricting the administrators' trusted hosts to the internal management subnet is the control worth adding instead.

Exam trap

The trap here is that candidates may believe disabling HTTP is a prerequisite for HTTPS, or may pick SSH thinking it relates to the GUI; the question expects HTTPS access on the interface plus a permitting policy.

How to eliminate wrong answers

Option C is wrong because disabling HTTP administrative access is not required for HTTPS GUI access; it is an optional hardening step, though a recommended one, since HTTP sends administrator credentials in clear text. Option D is wrong because SSH administrative access is for CLI management, not the GUI, and enabling it has no effect on HTTPS connectivity.
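Management access restricted the way Questions 533, 536 and 550 describe, as one added configuration (not from the question bank or from Fortinet documentation). port2 and the 10.0.1.0/24 management subnet come from those questions; the account name admin, the address object mgmt-net, the local-in policy IDs and the GUI port 8443 are assumptions.

```fortios
# Limit which protocols the internal interface answers on. "append" adds HTTPS
# to whatever is already enabled; "set allowaccess https" would replace the
# whole list and silently drop any existing ping or SSH access.
config system interface
    edit "port2"
        append allowaccess https
        append allowaccess ssh
    next
end

# Restrict the administrator account to the management subnet. An account with
# no trusted hosts is reachable from any address on any interface that has the
# protocol enabled, so repeat this for every account.
config system admin
    edit "admin"
        set trusthost1 10.0.1.0 255.255.255.0
    next
end

# Defence in depth: a local-in policy drops management traffic that did not
# come from the management subnet, independently of per-account trusted hosts.
# Traffic to the FortiGate's own IP is never evaluated against forward firewall
# policies, so no "config firewall policy" entry is needed for GUI access.
config firewall address
    edit "mgmt-net"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mgmt-net"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set action accept
        set schedule "always"
    next
    edit 2
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set action deny
        set schedule "always"
    next
end

# Move the GUI off 443 so it cannot collide with SSL VPN or a VIP on the same
# address (assumed port).
config system global
    set admin-sport 8443
end
```

From a host inside 10.0.1.0/24, https://192.168.1.1:8443 must present the login page; from any other internal address the connection should fail to open at all, which is the behaviour of the local-in deny and the trusted host check, rather than reaching a login page and being refused.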

551
Multi-Select · easy

A FortiGate administrator wants to send logs to both a local disk and a remote FortiCloud account. Which two conditions must be met for this to work? (Choose two.)

Select 2 answers
A.The FortiGate must be configured to log to both destinations simultaneously
B.The FortiGate must have a valid FortiCloud subscription
C.The FortiGate must be in NAT mode
D.The FortiGate must have a hard disk or SSD installed
E.The FortiGate must have a policy to allow outbound traffic to FortiCloud
Answers: B, D

FortiCloud logging requires an activated FortiCloud account, and local logging requires storage.

Why this answer

Local disk logging only works on a model that has a log disk or SSD (option D); models without one can log only to memory or to a remote destination. Logging to FortiCloud requires the FortiGate to be registered to a FortiCloud account with a valid logging subscription (option B) and to have outbound connectivity to the FortiCloud service. The two destinations are configured independently ('config log disk setting' and 'config log fortiguard setting'), so there is no special 'simultaneous' setting (option A); the operating mode is irrelevant (option C); and traffic the FortiGate originates itself is not subject to forward firewall policies (option E).

552
MCQ · medium

An administrator wants to allow users to override a blocked category (e.g., Social Networking) by entering an administrator-defined password. Which of the following must be configured?

A.Configure a DNS filter to bypass the block
B.Create a separate firewall policy with a higher priority that permits the traffic
C.Set the web filter profile to 'Monitor' mode instead of 'Block'
D.Enable 'Override' in the Web Filter profile and configure an authentication scheme
Answer: D

Override needs both the feature enabled in the profile and an authentication method against which the user's password is checked.

Why this answer

Option D is correct. Web filter override lets a user who hits a block page request access to the blocked category by authenticating; the administrator enables override in the web filter profile, defines its scope and duration, and the credentials are validated against a local user or user group (or a remote authentication server), so an authentication scheme must exist. Switching the profile to monitor mode (option C) or adding a permissive policy (option B) removes the block for everyone rather than granting a password-gated exception, and a DNS filter (option A) is a different feature that does not implement overrides.

553
Multi-Select · medium

A FortiGate administrator is configuring an SSL VPN tunnel mode for remote users. The administrator wants to ensure that only traffic destined for the corporate network (192.168.1.0/24) goes through the VPN, and all other traffic (e.g., internet) goes directly from the user's device. Which TWO configuration steps are required?

Select 2 answers
A.Set the SSL VPN portal's 'tunnel mode' to 'web-only'
B.Configure the SSL VPN portal to push routes for 192.168.1.0/24 to the client
C.In the SSL VPN settings, enable 'split tunneling' and configure the destination routes to include only 192.168.1.0/24
D.Disable 'tunnel mode' and use 'web mode' instead
E.Create a firewall policy on the FortiGate allowing traffic from the SSL VPN interface to the corporate network
AnswersB, C

Pushing routes ensures the client knows to send traffic for the corporate subnet through the VPN tunnel.

Why this answer

Options B and C are correct. Split tunneling must be enabled to allow direct internet access. Additionally, the routing rules (or destination routes) must specify that only the corporate subnet is routed through the VPN tunnel.

554
MCQ · easy

A FortiGate administrator needs to configure a static route to reach a remote network 192.168.100.0/24 via next-hop 10.0.0.1. Which CLI command should be used?

A. config network route edit 1 set ip 192.168.100.0 255.255.255.0 set gateway 10.0.0.1 end
B. config router static edit 1 set dst 192.168.100.0 255.255.255.0 set gateway 10.0.0.1 next end
C. config route static edit 1 set destination 192.168.100.0/24 set next-hop 10.0.0.1 end
D. config router static edit 1 set dst 192.168.100.0/24 set next-hop 10.0.0.1 end
Answer: B

Why this answer

Option B is correct because it uses the proper FortiGate CLI syntax for configuring a static route. The command 'config router static' enters the static route configuration context, and 'set dst' specifies the destination network with a subnet mask (not CIDR notation), while 'set gateway' defines the next-hop IP address. This matches the FortiGate CLI structure for static routes.

Exam trap

The trap here is that candidates familiar with Cisco IOS may use 'set destination' or 'set next-hop' (similar to Cisco's 'ip route' command) or CIDR notation, but FortiGate requires 'set dst' with a subnet mask and 'set gateway' for the next-hop, testing knowledge of vendor-specific CLI syntax.

How to eliminate wrong answers

Option A is wrong because 'config network route' is not a valid FortiGate CLI command; FortiGate uses 'config router static' for static route configuration. Option C is wrong because 'config route static' is incorrect syntax; the correct command is 'config router static', and 'set destination' and 'set next-hop' are not valid parameters (FortiGate uses 'set dst' and 'set gateway'). Option D is wrong because while it uses the correct 'config router static' command, it incorrectly uses CIDR notation '192.168.100.0/24' with 'set dst'; FortiGate requires a subnet mask in dotted decimal format (e.g., 255.255.255.0) for the destination.

555
MCQ · easy

Which of the following FortiGate log types records information about user authentication and administrative access?

A. Event logs
B. Traffic logs
C. System logs
D. Security logs
Answer: A

Event logs include authentication and admin access events.

Why this answer

Option A is correct. Event logs record system events such as user authentication, admin logins, and configuration changes.

556
MCQ · medium

An administrator needs to allow FTP traffic from the internal network to a specific server on the internet. The FTP server uses passive mode. Which service object should be used in the firewall policy to ensure proper operation?

A. Use a custom service object with TCP/21 and TCP/20
B. Use the predefined 'FTP' service object and also allow a high port range (e.g., TCP/1024-65535)
C. Use the predefined 'FTP' service object
D. Use the 'ALL' service object
Answer: B

Passive FTP uses TCP/21 for the control connection and a server-chosen high port for each data connection. Allowing the high port range ensures the data connections succeed.

Why this answer

FTP uses TCP/21 for control. Active mode uses TCP/20 for data, while passive mode uses a range of high ports chosen by the server, so a generic FTP service object that covers only TCP/21 (and possibly TCP/20) does not cover passive data connections.

A custom service with TCP/21 plus the data port range would also work, but the question asks which service object to use. Typically the predefined 'FTP' service includes TCP/21 only, and many deployments create a custom service for passive mode.

The best answer is therefore to use the predefined FTP service and also allow the ephemeral port range.

557
MCQ · hard

A FortiGate has two internet connections: port1 (ISP1) and port2 (ISP2). An administrator configures two static default routes with equal distance and priority. Traffic to a specific public IP is observed going out port1, but the admin wants it to go out port2. What should be configured?

A. Use ECMP with source-based hashing
B. Configure a policy route to direct the specific destination to port2
C. Increase the administrative distance of the default route on port1
D. Configure a blackhole route
Answer: B

Policy routing allows granular control.

Why this answer

Policy routes (also called PBR) override the routing table for specific traffic matches. Since both default routes have equal distance and priority, the FortiGate uses ECMP or the route with the lowest cost by default. A policy route can match the specific destination IP and force the traffic out port2, bypassing the routing table lookup.

Exam trap

The trap here is that candidates assume ECMP or route metrics can selectively steer a single destination, but policy routing is the only method that overrides the routing table for specific traffic without affecting other flows.

How to eliminate wrong answers

Option A is wrong because ECMP with source-based hashing distributes traffic across multiple paths based on source IP, not destination; it would not force a specific destination to a single egress. Option C is wrong because increasing the administrative distance of the default route on port1 would make it less preferred for all traffic, not just the specific destination, breaking load balancing. Option D is wrong because a blackhole route discards traffic matching the destination, preventing it from reaching the public IP entirely.

558
Multi-Select · hard

An administrator is troubleshooting an issue where users cannot access an internal web server via the internet through a FortiGate. The FortiGate has a virtual IP (VIP) configured for the web server. The administrator runs 'diagnose debug flow filter daddr <public-ip>' and 'diagnose debug flow trace start 100'. The output shows 'msg: forward to x.x.x.x via intf port2' but then 'msg: policy deny'. Which TWO actions should the administrator take to resolve the issue? (Choose two.)

Select 2 answers
A. Ensure that a static route exists to the internet via the WAN interface
B. Check if the public DNS resolution for the domain is correct
C. Confirm that the firewall policy's destination is set to the internal web server's IP address (or the VIP's mapped IP)
D. Verify that the firewall policy allowing the traffic has the correct source interface (WAN)
E. Recreate the virtual IP object with a different port
Answers: C, D

After DNAT, the destination IP changes to the internal server. The firewall policy must allow traffic to that internal IP. If the policy's destination is set to the VIP's public IP, it may not match post-DNAT. The correct approach is to set the destination to the mapped IP address.

Why this answer

The debug shows that traffic is being forwarded to the internal server (via port2) but then denied by policy. This means the traffic is matching the VIP and being DNATed, but the firewall policy that should allow the traffic is either missing, disabled, or configured incorrectly. The administrator should check the firewall policy that handles the traffic after DNAT.

Common issues: the policy's source interface is not the incoming interface (it should be the WAN interface), or the policy's destination is not the internal server's IP (it should be the VIP's mapped IP or the VIP object itself). Options C and D are correct: ensure the policy has the correct source interface (WAN) and that its destination is set to the VIP's mapped IP (or the VIP itself). Option B is wrong because the issue is not DNS; the debug output already shows the traffic reaching the FortiGate and being DNATed.

Option A is wrong because adding a route to the internet won't help; the debug output shows the traffic is already being forwarded toward the internal server. Option E is wrong because the VIP is already configured and matching the traffic.

559
MCQ · easy

An admin wants to allow traffic only from specific countries to access a web server. Which type of address object should be used in the firewall policy?

A. Subnet object
B. Geography object
C. FQDN object
D. Wildcard FQDN object
Answer: B

Geography objects allow matching traffic based on the source IP's country.

Why this answer

FortiGate supports geography-based address objects that allow or deny traffic based on the source IP's country. These are configured using geography objects.

560
MCQ · easy

A FortiGate administrator needs to allow SSH management access from a specific IP address 10.0.0.100. Which configuration is required?

A. Enable SSH on the WAN interface and allow all IPs
B. Set the trusted host for the admin account to 10.0.0.100
C. Configure an access list on the upstream router
D. Create a firewall policy allowing SSH from 10.0.0.100 to the FortiGate
Answer: B

Trusted hosts restrict management access to specified IPs.

Why this answer

Option B is correct because FortiGate uses the 'trusted host' feature to restrict administrative access to specific source IP addresses. By setting the trusted host to 10.0.0.100 for the admin account, only that IP can initiate SSH sessions to the FortiGate management interface, regardless of which interface SSH is enabled on.

Exam trap

The trap here is that candidates often confuse firewall policies (which control transit traffic) with administrative access controls (which control traffic destined to the FortiGate itself), leading them to incorrectly select option D.

How to eliminate wrong answers

Option A is wrong because enabling SSH on the WAN interface and allowing all IPs would permit SSH access from any source, violating the requirement to restrict access to 10.0.0.100 only. Option C is wrong because configuring an access list on the upstream router is an external network control and does not enforce FortiGate's own administrative access restrictions; the FortiGate itself must be configured to limit management access. Option D is wrong because firewall policies control traffic passing through the FortiGate, not traffic destined to the FortiGate itself; management access is governed by administrative access settings and trusted hosts, not by firewall policies.

561
MCQ · easy

An admin needs to translate the source IP of traffic from multiple internal hosts to a single public IP when accessing the internet, while keeping track of each session. Which NAT method should be used?

A. Fixed port range NAT
B. One-to-one NAT
C. Central SNAT without overload
D. Overload NAT (Port Address Translation)
Answer: D

Overload NAT uses a single public IP and differentiates sessions by source port.

Why this answer

Overload NAT (also known as PAT) allows many internal hosts to share a single public IP by using different source ports.

562
MCQ · easy

Which FortiGate operating mode allows the device to act as a transparent layer 2 bridge, forwarding traffic without performing NAT or routing?

A. Transparent mode
B. HA mode
C. VDOM mode
D. NAT/Route mode
Answer: A

Transparent mode acts as a layer 2 bridge.

Why this answer

Transparent mode is the correct answer because in this mode, FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses without performing Network Address Translation (NAT) or routing. The device does not have an IP address on its interfaces for forwarding decisions, making it invisible to the network at Layer 3.

Exam trap

The trap here is that candidates often confuse 'transparent mode' with 'VDOM mode' because VDOMs can be configured in transparent mode, but VDOM mode itself is a virtualization feature, not the operating mode that defines Layer 2 bridging behavior.

How to eliminate wrong answers

Option B (HA mode) is wrong because High Availability mode is a clustering configuration for redundancy and failover, not an operating mode that changes the device's Layer 2 or Layer 3 forwarding behavior. Option C (VDOM mode) is wrong because Virtual Domain mode is a virtualization feature that allows partitioning a single FortiGate into multiple logical firewalls, each operating in its own mode (transparent or NAT/route), but it does not inherently make the device a transparent bridge. Option D (NAT/Route mode) is wrong because this is the default Layer 3 operating mode where the FortiGate performs routing and NAT, acting as a router with IP addresses on interfaces, which is the opposite of transparent bridging.

563
MCQ · medium

A network administrator configures an IPsec VPN between two FortiGates using IKEv1 main mode. The Phase 1 negotiation fails with the error 'no proposal chosen'. The administrator checks both sides and confirms the IKE version, encryption algorithm (AES256), authentication (SHA256), and Diffie-Hellman group (14) match. Which additional parameter is MOST likely mismatched?

A. Pre-shared key
B. IKE version (IKEv2)
C. Phase 2 encryption algorithm
D. Local and remote identifiers (local ID / remote ID)
Answer: D

In main mode, identifiers are exchanged. A mismatch of local or remote ID can cause 'no proposal chosen'.

Why this answer

Main mode requires the local and remote identifiers to match or be correctly configured. Often the local ID (such as the IP address or FQDN) is mismatched, causing negotiation failure despite other parameters matching.

564
MCQ · medium

You notice that the FortiGate HA cluster is not failing over when the primary unit loses power. The HA configuration shows 'set ha-priority 250' on the primary and 'set ha-priority 200' on the secondary. What is the most likely cause?

A. The secondary unit has a lower priority, so it never takes over
B. The password for HA synchronization is incorrect
C. The session pickup feature is disabled
D. The HA heartbeat interface is not configured correctly or is down
Answer: D

Failover depends on the secondary detecting loss of the primary's heartbeat; if the heartbeat link is misconfigured or down, that detection never happens. (A failed heartbeat while the primary is still running can instead cause a split-brain condition.)

Why this answer

The most likely cause is that the HA heartbeat interface is not configured correctly or is down (Option D). FortiGate HA relies on heartbeat packets exchanged over dedicated or VLAN interfaces to monitor peer status. If the heartbeat interface fails, the secondary unit cannot detect the primary's loss of power, so no failover occurs regardless of priority settings.

The HA priority values (250 vs. 200) are valid and would normally cause the primary to be elected as the active unit, but a broken heartbeat link prevents failover detection.

Exam trap

The trap here is that candidates often assume priority values alone determine failover behavior, but FortiGate HA failover requires a working heartbeat link to detect peer failure; without it, even a complete power loss goes unnoticed.

How to eliminate wrong answers

Option A is wrong because the secondary unit's lower priority (200) does not prevent it from taking over; in fact, when the primary fails, the secondary with the next highest priority becomes active. Option B is wrong because an incorrect HA synchronization password would cause configuration sync failures, not a failure to detect a power loss and trigger failover. Option C is wrong because session pickup (or session failover) is a feature for preserving active sessions during failover, not a requirement for the failover itself to occur.

565
MCQ · medium

An administrator is troubleshooting an IPsec VPN that uses aggressive mode. The VPN establishes successfully, but the administrator is concerned about security. Which statement is true regarding aggressive mode?

A. Aggressive mode is more secure than main mode
B. Aggressive mode transmits the identification in clear text
C. Aggressive mode provides perfect forward secrecy (PFS) by default
D. Aggressive mode uses six messages instead of three
Answer: B

The identity (ID) is not encrypted, making it vulnerable to eavesdropping.

Why this answer

In IKEv1 aggressive mode, the pre-shared key is transmitted in a hashed form, but the identity is sent in clear text during Phase 1. This makes it less secure than main mode, which protects the identity.

566
Multi-Select · medium

An administrator is troubleshooting why traffic from a specific subnet (192.168.10.0/24) to the internet is not being matched by the expected firewall policy. The policy list shows an allow policy for this traffic at ID 10, but there is a deny policy at ID 5 for any traffic from 192.168.0.0/16. Which TWO statements are correct?

Select 2 answers
A. The deny policy at ID 5 is matching the traffic before the allow policy at ID 10
B. The allow policy at ID 10 will override the deny policy because it is more specific
C. The traffic will be matched by the implicit deny at the end of the policy list
D. The administrator should enable 'policy override' on the allow policy
E. The administrator should change the deny policy's source to exclude 192.168.10.0/24 or move the allow policy above ID 5
Answers: A, E

Since ID 5 has a lower numeric value, it is evaluated first. The source 192.168.10.0/24 is a subset of 192.168.0.0/16, so deny matches.

Why this answer

Option A is correct because FortiGate firewall policies are evaluated sequentially from top to bottom based on their policy ID. Since policy ID 5 (deny for 192.168.0.0/16) appears before policy ID 10 (allow for 192.168.10.0/24), traffic from 192.168.10.0/24 is matched by the broader deny policy first, and the allow policy is never reached. This is a fundamental behavior of FortiGate's policy lookup order.

Exam trap

The trap here is that candidates often assume firewall policies use a 'most specific match' logic like routing, but FortiGate strictly uses sequential first-match based on policy ID order.

567
MCQ · medium

A captive portal is configured on a FortiGate to authenticate users before allowing internet access. Users report that after entering credentials, they are redirected to the original website, but then they cannot access other sites. What is the most likely issue?

A. The captive portal is using a self-signed certificate causing browser warnings
B. The user is not a member of the required user group specified in the firewall policy
C. The DNS server is not configured on the FortiGate
D. The session timeout is set too low
Answer: B

Captive portal authenticates the user, but the subsequent firewall policy must include the user group. If the user is not in the group, access is denied.

Why this answer

After authentication, the FortiGate must allow the user's traffic based on the firewall policy. If the policy uses the authenticated user group but the user is not in any group, traffic is blocked. Additionally, the captive portal policy must be separate from the internet access policy.

568
MCQ · medium

An administrator configures an email filter profile to block spam. Despite correct configuration, spam emails still reach users' inboxes. The FortiGate is deployed as a transparent bridge. What is the most likely reason?

A. The FortiGate does not have a valid FortiGuard license
B. The emails are encrypted with TLS and deep inspection is not enabled
C. The email filter profile is set to 'monitor' instead of 'block'
D. The firewall policy is using flow-based inspection, which does not support SMTP proxy
Answer: D

Email filtering for SMTP requires proxy-based inspection to work effectively. Flow-based may not apply the profile properly.

Why this answer

In transparent mode, the FortiGate forwards SMTP traffic without acting as a proxy unless explicitly configured for SMTP proxy. Email filtering requires proxy-based inspection for SMTP.

569
Multi-Select · medium

A FortiGate is configured with a firewall policy that applies an Application Control profile and a Web Filter profile. The administrator wants to log all traffic blocked by the Web Filter profile. Which TWO configurations are required?

Select 2 answers
A. Enable 'Log All Blocked Sites' in the Web Filter profile
B. Set the global 'Logging' setting to 'Verbose'
C. Configure the Application Control profile to log blocked traffic
D. Enable 'Log All Traffic' or 'Log Violation Traffic' on the firewall policy
E. Enable 'Log All Allowed Sites' in the Web Filter profile
Answers: A, D

This enables logging for blocked web sites in the web filter profile.

Why this answer

Options A and D are correct. Logging of blocked traffic must be enabled in the Web Filter profile (A), and the firewall policy must have logging enabled (D) to capture the logs.

570
MCQ · medium

An administrator configures a route-based IPsec VPN between two FortiGates. The Phase 1 and Phase 2 are up. The administrator adds a static route on each FortiGate pointing to the remote subnet via the virtual tunnel interface (e.g., 'to_remote'). Traffic between the subnets fails. What is the MOST likely missing configuration?

A. NAT must be disabled on the tunnel interface
B. The tunnel interface must be added to a zone
C. The Phase 2 proposal must include the correct local and remote subnets
D. A firewall policy is required to permit traffic between the interfaces
Answer: D

Route-based VPNs require explicit firewall policies to allow traffic through the tunnel.

Why this answer

In a route-based VPN, the tunnel interface is part of a zone or has its own security policy. Without a firewall policy allowing traffic from the local subnet to the remote subnet via the tunnel interface, traffic will be dropped.

571
MCQ · medium

A FortiGate administrator has configured a firewall policy allowing HTTP traffic from the internal network (10.0.1.0/24) to the DMZ server (192.168.1.10). The policy is placed after a deny-all policy that blocks traffic from internal to DMZ. Even though the allow policy is more specific, traffic is still being denied. What is the most likely cause?

A. The deny-all policy has a higher policy ID than the allow policy
B. The allow policy is configured with the wrong source interface
C. The allow policy uses a schedule that is not active at the current time
D. The deny-all policy is placed above the allow policy in the policy list
Answer: D

FortiGate evaluates policies from top to bottom. The first match applies. If the deny-all is above the allow, all traffic is denied.

Why this answer

FortiGate uses first-match logic for firewall policies. The deny-all policy is placed before the allow policy, so all traffic hits the deny policy first and is dropped. The allow policy never gets evaluated.

572
Multi-Select · medium

An administrator needs to configure HA on a pair of FortiGates with the following requirements: the cluster must support session failover for TCP, UDP, and ICMP; the management interface should be accessible on both units; and the failover must be triggered if port2 goes down. Which TWO settings must be configured? (Choose two.)

Select 2 answers
A. Enable session pickup
B. Configure a dedicated management interface
C. Add port2 to the monitored interfaces
D. Set the HA mode to active-passive
E. Set the HA override to enabled
Answers: A, C

Session pickup allows synchronization of sessions across protocols.

Why this answer

To support TCP, UDP, and ICMP session failover, the session pickup feature must be enabled. To trigger failover on interface failure, the monitor interface must include port2.

573
MCQ · medium

A FortiGate is configured with FSSO (Fortinet Single Sign-On) to authenticate users from Active Directory. Users are logging in to their domain-joined computers, but the FortiGate does not see the user sessions. The polling connector is configured correctly. What is the MOST likely reason?

A. The FSSO agent is not installed on the Domain Controller
B. The user group filter is too restrictive
C. The FortiGate is not in the same subnet as the users
D. DNS resolution for the Domain Controller is failing
Answer: D

The FortiGate needs to resolve the DC's hostname to IP. If DNS is not working, polling fails.

Why this answer

FSSO requires the FortiGate to resolve NetBIOS names to IP addresses. If DNS resolution fails, the FortiGate cannot correlate the user's login event with the IP address.

574
MCQ · medium

In an active-active HA cluster, session synchronization is enabled. What is the primary purpose of session synchronization in this mode?

A. To synchronize firewall policies between cluster members
B. To load balance traffic across the cluster
C. To reduce the number of sessions on each unit
D. To ensure that sessions are not lost if a cluster unit fails
Answer: D

Session synchronization copies session information to other units so that if one fails, the session can continue on another unit.

Why this answer

In active-active HA, traffic is distributed across all cluster units. Session synchronization ensures that if a unit fails, other units have the session information to continue processing without interruption. This maintains transparent failover.

575
Multi-Select · hard

A FortiGate administrator is configuring ZTNA (Zero Trust Network Access) to secure access to an internal application. Which two components must be configured to create a ZTNA rule? (Choose two.)

Select 2 answers
A. ZTNA tag
B. ZTNA gateway
C. VPN tunnel
D. ZTNA application
E. SSL certificate
Answers: B, D

The gateway is the FortiGate component that terminates ZTNA connections.

Why this answer

Options B and D are correct. ZTNA rules require a ZTNA gateway (the FortiGate acting as proxy) and a ZTNA application (the internal resource). The rule maps external access to the internal application via the gateway.

576
MCQ · easy

Which FortiGate log severity level indicates that a system is unusable and requires immediate attention?

A. Error
B. Critical
C. Emergency
D. Alert
Answer: C

Emergency (severity 0) indicates the system is unusable.

Why this answer

Emergency is the highest severity level in syslog and FortiGate logging, indicating that the system is unusable. Critical indicates critical conditions, but not necessarily that the system is unusable.

577
MCQ · medium

An administrator wants to block an application named 'Skype' on the network. They create an application control profile and add a rule to block 'Skype'. However, after applying the profile to the policy, users can still use Skype. What is the most likely reason?

A. The application control profile is not enabled on the firewall policy
B. The application signature for Skype is outdated
C. The application control rule is set to 'monitor' instead of 'block'
D. Skype traffic is encrypted and SSL deep inspection is not enabled
Answer: D

Skype uses encryption. Without SSL deep inspection, the FortiGate cannot inspect the traffic to identify the application.

Why this answer

Application control requires that the traffic be visible to the FortiGate. If Skype is allowed to bypass inspection (e.g., because SSL deep inspection is not enabled, or because the application uses a non-standard port not monitored), the rule may not match.

578
MCQ · easy

Which security profile component is specifically designed to prevent data exfiltration by inspecting outgoing traffic for sensitive data patterns?

A. Application Control
B. Data Leak Prevention (DLP)
C. Antivirus
D. Web Filter
Answer: B

DLP is designed to detect and prevent unauthorized transmission of sensitive data.

Why this answer

Data Leak Prevention (DLP) is the security profile that inspects outgoing data for sensitive information like credit card numbers, social security numbers, etc., to prevent data leaks.

579
MCQ · medium

An administrator wants to view the current session table on a FortiGate. Which command should they use?

A. diagnose debug flow
B. show full-configuration
C. diagnose sys session list
D. get system performance statistics
Answer: C

This command lists all active sessions.

Why this answer

Option C is correct. 'diagnose sys session list' displays the current session table, showing all active sessions.

580
Multi-Select · medium

An administrator is troubleshooting an SSL VPN connection. Users can connect but cannot access internal resources. Which TWO commands would help diagnose the issue?

Select 2 answers
A. get router info routing-table
B. diagnose vpn ssl list
C. diagnose vpn ike status
D. execute ping 8.8.8.8
E. diagnose debug application dnsproxy
Answers: A, B

Option A shows the routing entries for the SSL VPN interface, and option B lists the active SSL VPN sessions.

Why this answer

Option B checks the SSL VPN sessions, and option A checks the routing table for the tunnel interface. Option C is for IPsec, option E is for DNS, and option D tests general internet connectivity but is not specific to SSL VPN.

581
MCQ · medium

An organization uses FortiSandbox to analyze suspicious files. The FortiGate is configured to send files to FortiSandbox for analysis when the antivirus scan fails to reach a verdict. Which antivirus inspection mode must be used on the firewall policy for this integration to work?

A. Both flow and proxy modes support FortiSandbox equally
B. Deep inspection
C. Proxy-based inspection
D. Flow-based inspection
Answer: C

Proxy-based inspection allows FortiGate to buffer the file and send it to FortiSandbox while holding the connection for verdict.

Why this answer

Option C is correct. Proxy-based inspection buffers the file and can hold the connection until FortiSandbox returns a verdict. Flow-based inspection does not support this hold-and-wait mechanism.

582
Multi-Select · medium

A FortiGate administrator wants to block spam emails sent to the company's mail server. The mail server is behind the FortiGate. Which THREE configurations should be applied?

Select 3 answers
A. Enable DLP to filter spam
B. Configure Application Control to block email applications
C. Enable FortiGuard spam filtering in the Email Filter profile
D. Apply the Email Filter profile to the firewall policy that allows SMTP traffic to the mail server
E. Create an Email Filter profile with spam detection enabled
Answers: C, D, E

FortiGuard provides up-to-date spam signatures.

Why this answer

Options C, D, and E are correct. An email filter profile with spam detection enabled (E), a firewall policy that applies the email filter to SMTP traffic to the mail server (D), and FortiGuard spam filtering enabled in that profile (C) are all required.

583
Multi-Select · medium

A network administrator has two FortiGate units that need to be configured as an HA cluster. Which TWO of the following are prerequisites for HA formation?

Select 2 answers
A. Both units must have the same FortiOS firmware version.
B. Both units must have the same hostname.
C. The HA heartbeat interface must be on the same Layer 2 network.
D. Both units must be in NAT/Route mode.
E. The HA priority must be set to 0 on both units.
Answers: A, C

Why this answer

Option A is correct because FortiGate HA clusters require all members to run the exact same FortiOS firmware version to ensure protocol compatibility and configuration synchronization. Mismatched firmware versions can cause cluster instability, failover failures, or split-brain scenarios, as the HA heartbeat protocol relies on consistent state machine behavior across units.

Exam trap

The trap here is that candidates often assume hostnames must match (Option B) because they confuse HA synchronization with general network device clustering, but FortiGate actually overwrites hostnames during sync, making mismatched hostnames irrelevant as a prerequisite.

584
Multi-Select · hard

An administrator is troubleshooting why traffic from a specific VLAN (192.168.10.0/24) to the internet is not being NATed correctly. The firewall policy allows the traffic with NAT enabled and uses an IP Pool (overload) for the source translation. The IP Pool is configured with the address 203.0.113.10. However, the traffic still shows the original source IP. Which THREE of the following could cause this issue? (Choose three.)

Select 3 answers
A. There is a Central SNAT rule with higher priority that does not match the traffic
B. The firewall policy does not have the IP Pool selected in the NAT section
C. The IP Pool is configured on the wrong outgoing interface
D. The IP Pool uses one-to-one NAT instead of overload
E. Another firewall policy above the current one matches the traffic and either denies it or does not use NAT
Answers: B, C, E

The policy must explicitly reference the IP Pool under 'NAT' -> 'Use IP Pool'.

Why this answer

Work through the causes in the order a practitioner would check them. Option E: another policy higher in the list may match the traffic first, either denying it or accepting it without NAT; 'diagnose sys session list' shows the policy ID a session actually hit and whether 'act=snat' is present. Option B: with 'set nat enable' but no 'set ippool enable' and 'set poolname', the policy does not reference 203.0.113.10 at all. Option C: the pool address must belong to (or be routed and ARP-answered on) the egress interface the policy uses, otherwise replies never come back. Option A is a distractor: a central SNAT rule that does not match cannot touch the flow, and central NAT and per-policy NAT are mutually exclusive modes in any case. Option D would still translate (one-to-one maps each internal address to a pool address), it would simply run out of addresses after the first host with a single-address pool.
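A worked FortiOS CLI fragment, added here as an illustration and not taken from the question bank, showing the settings that must line up for policy-based SNAT to use the pool, followed by the checks that tell Options B, C and E apart. Interface names (vlan10, wan1), the address and pool object names, the policy IDs and the test hosts are assumptions; lines beginning with # are comments.

```fortios
# Added example: overload pool, the policy that references it, and the checks.
config firewall ippool
    edit "pool-203.0.113.10"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end
config firewall address
    edit "net-vlan10"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set name "vlan10-to-internet"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "net-vlan10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # without the next two lines NAT falls back to wan1's own address (Option B)
        set ippool enable
        set poolname "pool-203.0.113.10"
    next
    # if a broader policy (assumed ID 20) sits above and catches the traffic first (Option E)
    move 10 before 20
end
# Which policy does a real flow from an assumed client hit, and is act=snat present?
diagnose sys session filter src 192.168.10.50
diagnose sys session list
diagnose sys session filter clear
# On the wire: packets leaving wan1 towards an assumed test host must carry 203.0.113.10
diagnose sniffer packet wan1 'host 198.51.100.20' 4 10
```

The session output is the decisive check: a line of the form 'hook=post dir=org act=snat 192.168.10.50:port->198.51.100.20:443(203.0.113.10:port)' proves the translation, while 'act=noop' with the same policy ID points at the pool reference, and a different policy ID points at policy order.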

585
Multi-Selectmedium

An administrator is configuring a loopback interface on a FortiGate for management purposes. Which three statements are true about loopback interfaces? (Choose three.)

Select 3 answers
A.Multiple loopback interfaces can be created.
B.A loopback interface is always up regardless of physical link status.
C.A loopback interface can be used as the source IP for management traffic.
D.Loopback interfaces support VLAN tagging.
E.A loopback interface requires a physical port to be associated.
AnswersA, B, C

FortiGate supports multiple loopback interfaces.

Why this answer

Option A is correct because FortiGate allows the creation of multiple loopback interfaces (up to 16, depending on the model) for various purposes such as management, routing, or VPN termination. Each loopback interface is a virtual interface that does not depend on any physical port, providing flexibility in network design.

Exam trap

The trap here is that candidates may confuse loopback interfaces with sub-interfaces or VLAN interfaces, incorrectly assuming they support VLAN tagging or require a physical port, when in fact loopback interfaces are purely logical and independent of hardware.

586
Multi-Selectmedium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is established, but traffic is not passing. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. Which two additional diagnostics should the administrator run to isolate the issue?

Select 2 answers
A.diagnose sys session filter and diagnose sys session list
B.diagnose hardware sysinfo memory
C.diagnose debug application ike -1
D.diagnose netlink interface list
E.execute ping-options source and execute ping
AnswersA, C

The session list shows whether sessions are created for the tunnel interface at all, which policy ID they hit and whether the expected route and NAT state is attached to them.

Why this answer

With the tunnel up, IKE has already succeeded, so the remaining suspects are policy, routing and phase 2 selectors. The session list (A) shows whether flows reach the tunnel interface, which firewall policy they match and whether they are being dropped. The IKE debug (C) shows the phase 2 selectors actually negotiated, which is the usual cause when the tunnel is up but only some subnets fail. Memory statistics (B) and the netlink interface list (D) say nothing about policy or selector matching, and a plain ping (E) only confirms a symptom. In practice 'diagnose debug flow' against one test host is the fastest way to see the policy and route decisions, and 'diagnose vpn tunnel list' also exposes per-SA encrypted and decrypted packet counters that show whether traffic enters the tunnel at all.
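The isolation sequence a practitioner would run after 'diagnose vpn tunnel list' shows the tunnel up, as an added example that is not part of the question bank. The tunnel name (to-branch), the remote subnet and the test addresses are assumptions; lines beginning with # are comments.

```fortios
# Added example: isolate "tunnel up, no traffic" step by step.
# 1. Per-SA counters: is anything being encrypted (enc) or decrypted (dec) at all?
diagnose vpn tunnel list name to-branch
# 2. Phase 2 selectors: capture the negotiation once, then look for the
#    192.168.10.0/24 <-> 10.20.0.0/24 pair; a mismatch here is the classic cause.
diagnose debug application ike -1
diagnose debug enable
# (bring the tunnel down and up, or wait for a rekey, then stop)
diagnose debug disable
diagnose debug reset
# 3. Sessions towards an assumed remote host: do they exist, which policy ID, any drops?
diagnose sys session filter dst 10.20.0.10
diagnose sys session list
diagnose sys session filter clear
# 4. Per-packet policy and route decision: this prints "no matching policy",
#    "reverse path check fail" or the outgoing interface in plain text.
diagnose debug flow filter addr 10.20.0.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# (generate traffic from 192.168.10.50 to 10.20.0.10, then stop)
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
# 5. Test from the FortiGate itself with a source inside the phase 2 selector
execute ping-options source 192.168.10.1
execute ping 10.20.0.10
```

Run the flow trace before changing anything: if it reports that the packet leaves on the WAN interface instead of the tunnel interface, the problem is a missing static route for 10.20.0.0/24 over the tunnel, not the VPN itself.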

587
MCQeasy

Which IPsec VPN mode is typically used when the VPN peer has a dynamic public IP address?

A.Quick mode
B.IKEv2
C.Aggressive mode
D.Main mode
AnswerC

Correct. Aggressive mode is used for dialup peers because the initiator sends its identity in the first exchange, so the responder can select the peer and its pre-shared key without knowing the initiator's IP address.

Why this answer

In IKEv1 with pre-shared keys, main mode encrypts the identity payload, so the responder can only select the PSK by the peer's source IP address; that fails when the address is unknown or changes, which is why dialup configurations use aggressive mode with a peer ID string sent in the clear in the first packet. The price is that the identity and the PSK-derived hash are exposed on the wire and can be brute-forced offline, so use a long random PSK, or prefer IKEv2 (Option B), which supports dynamic peers without this weakness. Quick mode (Option A) is the phase 2 exchange in both cases and does not decide peer authentication.

588
MCQeasy

A network administrator notices that a FortiGate IPS sensor is not detecting any attacks, even though there is known malicious traffic on the network. Which initial troubleshooting step should the administrator take?

A.Ensure the firewall policy is set to flow-based inspection.
B.Disable any DoS policies that might be blocking traffic.
C.Verify that the IPS engine is running and signatures are up to date.
D.Check that the FortiGate is configured in NAT mode.
AnswerC

If the engine is down or signatures outdated, detection fails.

Why this answer

Option C is correct because the first step in troubleshooting a non-functional IPS sensor is to verify that the IPS engine is running and that the IPS signatures are up to date. If the engine is stopped or signatures are outdated, the sensor cannot detect known malicious traffic regardless of other configurations. This foundational check ensures the detection mechanism itself is operational before investigating policy or mode settings.

Exam trap

The trap here is that candidates often jump to changing inspection modes or firewall policies, forgetting that the IPS engine must be running and signatures current for any detection to occur, which is the most basic and critical prerequisite.

How to eliminate wrong answers

Option A is wrong because flow-based inspection is not required for IPS; IPS can work with both flow-based and proxy-based inspection, and changing the inspection mode is not the initial troubleshooting step when the sensor is not detecting attacks. Option B is wrong because DoS policies are separate from IPS detection and disabling them would not enable IPS to detect attacks; they might block traffic but do not prevent IPS from analyzing it. Option D is wrong because NAT mode is unrelated to IPS detection; FortiGate can run IPS in both NAT and transparent mode, and the mode does not affect the IPS engine's ability to detect attacks.

589
MCQhard

A FortiGate administrator configures SSL deep inspection on a policy using a self-signed CA certificate. Users report that they see a certificate warning in their browsers when accessing HTTPS sites. What is the most effective solution to eliminate these warnings?

A.Use a publicly trusted CA certificate for the FortiGate
B.Disable deep inspection and use certificate inspection only
C.Add the websites to the exemption list in the SSL/SSH profile
D.Install the FortiGate's CA certificate on all client machines in the trusted root store
AnswerD

Deep inspection works by having the FortiGate re-sign each server certificate with its own CA; the warning disappears only when every client trusts that CA.

Why this answer

To avoid certificate warnings, the FortiGate's CA certificate must be installed in the trusted root store of every client behind the policy; on Windows domains this is done with Group Policy, elsewhere with the MDM in use. Option A cannot work: a public CA will not issue a subordinate CA that can sign certificates for arbitrary third-party domains, so the FortiGate must use its own CA and trust has to be distributed explicitly. Options B and C only shrink the amount of decrypted traffic and leave the warnings in place wherever deep inspection still applies. Guard the CA's private key accordingly: anyone holding it can impersonate every HTTPS site to those clients.

590
MCQhard

A company is implementing SSL/TLS inspection on a FortiGate to monitor encrypted traffic. They want to ensure that traffic to high-risk categories is blocked, while traffic to financial sites is inspected but not blocked. The administrator creates an SSL inspection profile that deep-inspects all traffic except traffic to financial sites. However, users report that they cannot access financial websites. What is the most likely cause?

A.The web filter profile is configured to block financial websites, overriding the SSL inspection exemption.
B.The SSL inspection profile should be set to certificate-inspection instead of deep-inspection for financial sites.
C.The SSL inspection profile must be applied after the web filter profile in the firewall policy.
D.The SSL inspection profile should have deep-inspection disabled for all categories except financial.
AnswerA

The web filter profile is likely blocking the financial category despite the SSL inspection exemption.

Why this answer

The most likely cause is that the web filter profile in the same firewall policy blocks the Finance and Banking category. Exempting a site from deep inspection only stops decryption; it does not stop URL categorization, because FortiGate rates HTTPS destinations from the TLS SNI and the server certificate even when the payload stays encrypted, and the web filter verdict is applied regardless of inspection depth. The fix is an allow action (or a URL filter exemption) in the web filter profile, not a change to the SSL inspection profile.

Exam trap

The trap here is that candidates assume an SSL inspection exemption also exempts the traffic from web filtering. The two profiles are independent: the SSL profile decides whether to decrypt, the web filter decides whether to allow, and a block action in the web filter applies whether or not the session was decrypted.

How to eliminate wrong answers

Option B is wrong because certificate-inspection only validates the certificate without decrypting the payload, which would not allow the web filter to inspect the content; the issue is not about the inspection type but about the web filter blocking the category. Option C is wrong because the order of profiles within a firewall policy does not affect the evaluation; both SSL inspection and web filter profiles are applied in sequence, but the web filter can still block traffic regardless of the SSL inspection profile's exemption. Option D is wrong because disabling deep-inspection for all categories except financial would still allow the web filter to block financial sites if the web filter profile is configured to block them; the exemption in the SSL inspection profile does not prevent the web filter from blocking.

591
MCQeasy

Which command is used to back up the full FortiGate configuration including all settings and objects?

A.execute backup config
B.execute backup full-config
C.config backup tftp
D.system backup configuration
AnswerB

'execute backup full-config' writes every setting, including the ones still at their default values.

Why this answer

FortiOS has two backup commands. 'execute backup config {flash | ftp | tftp | usb} ...' exports the running configuration but omits settings that are still at their default values, which keeps the file small and is what most administrators use for routine backups. 'execute backup full-config {ftp | tftp | usb} ...' exports the full configuration including those default values, which is what the question asks for and what support engineers usually request when comparing two units. Both live under 'execute' because a backup is an operational task, not an entry in the 'config' tree.

Exam trap

The trap here is that both Options A and B are valid commands. 'execute backup config' is the familiar one, but it is the default-stripped backup; when the question says 'full' or 'including all settings', the answer is 'execute backup full-config'.

How to eliminate wrong answers

Option A is wrong here because 'execute backup config' omits default values, so it is not the full configuration the question describes, although it is a valid command and the usual choice day to day. Option C is wrong because 'config backup tftp' is not a valid command; backups are 'execute' commands and the transport is an argument, as in 'execute backup full-config tftp <file> <server>'. Option D is wrong because there is no 'system backup configuration' command in FortiOS.

592
MCQeasy

Which statement about the implicit deny policy on a FortiGate is true?

A.It is a user-configurable policy that can be deleted
B.It allows traffic that matches no other policy
C.It can be moved to a different position in the policy list
D.It is always at the bottom of the policy list and denies all unmatched traffic
AnswerD

The implicit deny is the last policy and drops all traffic that hasn't matched any preceding policy.

Why this answer

The implicit deny policy is a built-in policy at the end of the policy list that denies all traffic not matching any explicit policy. It cannot be deleted or reordered; the only thing you can change is whether it logs (Log Violation Traffic), which should be enabled so that dropped traffic is visible during troubleshooting and in security monitoring.

593
MCQeasy

An administrator needs to back up the FortiGate configuration to a TFTP server at 10.0.0.10. Which command should be used?

A.tftp -p -l mybackup.conf 10.0.0.10
B.execute backup config tftp mybackup.conf 10.0.0.10
C.execute backup config ftp mybackup.conf 10.0.0.10
D.copy config tftp://10.0.0.10/mybackup.conf
AnswerB

This is the correct syntax for TFTP backup.

Why this answer

The correct command to back up a FortiGate configuration to a TFTP server is 'execute backup config tftp <filename> <server-ip>'. This is a standard FortiOS CLI command that transfers the configuration file to the specified server at 10.0.0.10, and Option B matches this syntax exactly. One caveat a practitioner should keep in mind: TFTP is unauthenticated and sends the file in clear text, and a FortiGate configuration contains pre-shared keys, administrator credential hashes and private keys. Run the backup over a dedicated management network only, and append the optional password argument ('execute backup config tftp mybackup.conf 10.0.0.10 <password>') so the file is stored encrypted at rest.

Exam trap

The trap here is that candidates may confuse the FortiGate CLI syntax with a standard TFTP client command (Option A) or mistakenly use 'ftp' (Option C) instead of 'tftp', overlooking the specific protocol required by the server.

How to eliminate wrong answers

Option A is wrong because 'tftp -p -l mybackup.conf 10.0.0.10' is a client-side TFTP command used on a Linux/Windows host, not a FortiGate CLI command; FortiGate does not support raw TFTP client commands. Option C is wrong because it specifies 'ftp' instead of 'tftp', which would attempt an FTP transfer, not TFTP, and the server at 10.0.0.10 is a TFTP server, not an FTP server. Option D is wrong because 'copy config tftp://10.0.0.10/mybackup.conf' is not a valid FortiOS CLI command; FortiGate uses 'execute backup' for configuration backups, not a 'copy' command with a URI.

594
MCQhard

A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?

A.An interface is in error-disable state causing CPU interrupts.
B.The firewall policy is misconfigured, causing packet drops.
C.A DDoS attack is overwhelming the CPU.
D.A process such as the IPS engine is stuck in an infinite loop.
AnswerD

A runaway process can consume CPU even without traffic.

Why this answer

When CPU usage remains high (above 80%) with no traffic, the most likely cause is a process stuck in an infinite loop, such as the IPS engine. A hung or runaway daemon consumes CPU cycles even without network traffic, and 'diagnose sys top' identifies the offending process by name and PID. If it is a restartable daemon such as ipsengine, 'diagnose sys kill 11 <pid>' terminates it and writes a crash log that support can analyse; the daemon is restarted automatically.

Exam trap

The trap here is that candidates often associate high CPU with external attacks or configuration errors, but the key clue 'with no traffic' eliminates those options, pointing instead to an internal process malfunction.

How to eliminate wrong answers

Option A is wrong because an interface in error-disable state would cause link flaps or port shutdown, generating CPU interrupts only when traffic is present, not with no traffic. Option B is wrong because a misconfigured firewall policy causing packet drops would only consume CPU when packets are being processed, not when there is zero traffic. Option C is wrong because a DDoS attack requires incoming traffic to overwhelm the CPU; with no traffic, there is no attack vector to cause high CPU usage.

595
MCQeasy

Which FortiGate feature allows you to block access to specific URL categories such as 'Social Media' or 'Gambling'?

A.Web Filtering
B.Antivirus
C.Intrusion Prevention System (IPS)
D.Application Control
AnswerA

Web Filtering is used to block or allow based on URL categories.

Why this answer

FortiGate's Web Filtering feature uses URL rating and category databases (e.g., FortiGuard) to block access to entire categories like 'Social Media' or 'Gambling' based on the destination URL. This is distinct from content inspection; it operates at the HTTP/HTTPS request level by matching the requested URL against predefined or custom category lists.

Exam trap

The trap here is confusing Application Control with Web Filtering. Both can block 'Social Media', but Application Control matches application signatures in the traffic (Facebook, for example, regardless of port), while Web Filtering matches the destination URL or domain against FortiGuard categories. The question names URL categories, which is Web Filtering.

How to eliminate wrong answers

Option B (Antivirus) is wrong because it scans file content for malware, not URL categories. Option C (IPS) is wrong because it matches network attack signatures, not URL categorization. Option D (Application Control) is wrong because it classifies traffic by application signature rather than by URL category; it complements web filtering but is not the feature that blocks a category such as 'Gambling'.

596
Multi-Selecthard

A FortiGate administrator is configuring ZTNA for a web application. Which TWO components are required for a ZTNA configuration to function?

Select 2 answers
A.SSL VPN
B.IPsec VPN
C.ZTNA rules
D.ZTNA tags
E.Firewall policy
AnswersC, D

ZTNA rules define access policies.

Why this answer

ZTNA requires ZTNA rules (the proxy policies that decide which users and devices may reach which ZTNA server) and ZTNA tags (posture labels that FortiClient EMS assigns to endpoints and shares with the FortiGate, so that a rule can demand, for instance, 'antivirus running' before granting access). A working deployment also needs the EMS fabric connector and a ZTNA server (access proxy) definition, but of the options listed only C and D are ZTNA components. SSL VPN (A) and IPsec VPN (B) are the network-level access that ZTNA is designed to replace, and an ordinary firewall policy (E) is not what enforces per-application ZTNA access.

597
MCQmedium

An admin needs to configure an SSL VPN for remote users that only provides access to specific internal applications, not full network access. What feature should be configured?

A.Full tunneling
B.Client certificate authentication
C.Split tunneling
D.Web mode portal
AnswerC

Split tunneling allows the admin to define which subnets are accessible via VPN.

Why this answer

Split tunneling with specific routes ensures that only traffic destined for the internal subnets hosting the applications goes through the VPN, while all other traffic goes directly to the internet. The caveat: split tunneling is a routing control on the client, not an access control. What the user can actually reach is enforced by the firewall policies from the SSL VPN interface (ssl.root), which should be scoped to the application servers and ports rather than to 'all'.

598
Multi-Selecthard

An admin is configuring a policy-based NAT (central SNAT) to translate internal users to a pool of public IPs using overload. The admin wants to ensure that specific applications using non-standard ports are not affected by NAT. Which THREE steps should the admin consider?

Select 3 answers
A.Disable NAT for those applications by adding a policy before the NAT policy with 'set nat disable'
B.Configure a separate IP pool dedicated to those applications
C.Use a fixed port range in the IP pool configuration
D.Use central SNAT with a VIP for source NAT
E.Enable 'set nat enable' on the policy
AnswersA, B, C

A central SNAT rule with NAT disabled, placed above the translating rule, makes the matching traffic bypass source NAT entirely.

Why this answer

Option A is correct because, once central NAT is enabled, the per-policy 'set nat' option disappears and translation is decided by the central SNAT table, which is evaluated top-down with first match. A central SNAT rule placed above the pool rule that matches the application's source addresses and ports and carries 'set nat disable' exempts that traffic; a firewall policy must still allow it. Option B is correct because a dedicated pool isolates the application's translations from the overload pool shared by everyone else, so port exhaustion or port reuse on the shared pool cannot affect it. Option C is correct because a pool of type fixed-port-range gives each internal address its own fixed block of translated ports, which keeps the translation predictable for applications that are sensitive to the source port. Option D is wrong because a VIP is a destination NAT object, and Option E is wrong because NAT being enabled is the cause of the problem, not the remedy.

Exam trap

The trap here is Option D: a VIP maps a public address inbound to an internal server (destination NAT) and plays no part in source translation, even though 'central SNAT with a VIP' sounds plausible. Option E is the reverse error: enabling NAT on the policy is what produces the translation the admin is trying to avoid.
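An added example (not from the question bank) of the central-NAT configuration Option A describes: a central SNAT rule with NAT disabled for the application, placed above the pool rule that translates everyone else. The interface names, address objects, pool addresses and the application port range are assumptions; lines beginning with # are comments.

```fortios
# Added example: exempt one application from central SNAT by rule order.
config system settings
    set central-nat enable
end
config firewall ippool
    edit "public-pool"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.12
    next
end
config firewall address
    edit "app-servers"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "internal-net"
        set subnet 10.10.0.0 255.255.0.0
    next
end
config firewall central-snat-map
    # rule 1 is evaluated first: TCP 5000-5010 from the app servers keeps its source IP and port
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "app-servers"
        set dst-addr "all"
        set protocol 6
        set orig-port 5000-5010
        set nat disable
    next
    # rule 2: everybody else on the internal network is translated to the overload pool
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "internal-net"
        set dst-addr "all"
        set nat enable
        set nat-ippool "public-pool"
    next
end
# The firewall policy internal -> wan1 still has to accept the traffic; in central NAT
# mode it carries no nat setting of its own, so the table above is the only NAT decision.
```

Rule order is the whole point: if the exemption were entry 2, the internal-net rule would match the app servers first and translate them. Verify with 'diagnose sys session list' that sessions from 10.10.20.0/24 on those ports show 'act=noop' instead of 'act=snat'.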

599
MCQeasy

A network administrator is configuring a FortiGate for the first time and needs to enable administrative access via HTTPS from the internal network. Which configuration step is required?

A.Set the administrative access to HTTPS on the internal interface
B.Enable HTTPS on the system global settings
C.Create a firewall policy allowing inbound HTTPS from internal to the FortiGate
D.Configure a static route for the management subnet
AnswerA

The 'set allowaccess' command on the interface enables HTTPS access.

Why this answer

Option A is correct because administrative access to a FortiGate interface is controlled per interface under 'config system interface'. Apart from the factory-default management or internal interface, HTTPS access is disabled on interfaces until you enable it. To allow administrative HTTPS access from the internal network, you set the administrative access (allowaccess) to HTTPS on that specific internal interface, and only there: never on the WAN interface.

This allows the FortiGate to listen for HTTPS management traffic on that interface's IP address.

Exam trap

The trap here is that candidates confuse firewall policies (which control traffic passing through the FortiGate) with local-in policies (which control traffic destined to the FortiGate), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option B is wrong because HTTPS is not enabled globally; it is enabled per-interface under config system interface. The global settings only control the HTTPS port (default 443) and certificate, not the interface-level access. Option C is wrong because firewall policies control traffic passing through the FortiGate, not traffic destined to the FortiGate itself.

Administrative access is governed by the local-in policy, which is implicitly controlled by the interface's administrative access settings. Option D is wrong because a static route is only needed if the management subnet is not directly connected; for the internal network, the FortiGate already has a directly connected route, so no static route is required.
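An added example, not from the question bank, of the per-interface setting the answer refers to together with the two controls a practitioner would pair it with: trusted hosts on the administrator account and an explicit local-in policy, which is the mechanism the explanation above mentions. The interface names, the management subnet and the address object are assumptions; lines beginning with # are comments.

```fortios
# Added example: enable HTTPS management on the internal interface only,
# then restrict who may use it.
config system interface
    edit "internal"
        # set replaces the whole list; use append to add a single protocol instead
        set allowaccess https ssh ping
    next
    edit "wan1"
        # nothing but ping from the outside; management is never exposed on WAN
        set allowaccess ping
    next
end
config firewall address
    edit "mgmt-hosts"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config system admin
    edit "admin"
        # account-level restriction: logins from elsewhere are rejected
        # even on interfaces where HTTPS is enabled
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
config firewall local-in-policy
    # traffic destined to the FortiGate itself is governed here, not by firewall policies
    edit 1
        set intf "internal"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

The three layers fail independently: allowaccess decides whether the FortiGate listens on an interface at all, the local-in policy filters the packets that reach the listener, and trusthost rejects the login even if both earlier layers let the connection through. If you also move the GUI port with 'set admin-sport' under 'config system global', remember that the local-in policy must then reference a custom service on that port rather than the default 'HTTPS' object.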

600
MCQhard

A user reports that a legitimate website is being blocked by FortiGate web filtering. The administrator checks and finds that the URL category is 'Unrated'. What is the most likely cause?

A.The DNS server is not resolving the domain.
B.The website is new and not yet categorized by FortiGuard.
C.The web filter is configured to block all unrated sites.
D.The website is in the 'Blocked' category.
AnswerB

New sites are often 'Unrated' until categorized.

Why this answer

When a website is categorized as 'Unrated' in FortiGate web filtering, it means FortiGuard's web filtering database has not yet assigned a category to that URL. This commonly occurs for newly registered or recently launched websites that have not been crawled and classified by FortiGuard's rating infrastructure. The correct answer is B because the 'Unrated' status directly indicates the site is new and not yet categorized.

Exam trap

The trap here is that candidates may confuse the 'Unrated' category with a configuration setting (like blocking unrated sites) or a network issue (like DNS failure), rather than recognizing it as a FortiGuard rating status indicating the site has not yet been classified.

How to eliminate wrong answers

Option A is wrong because DNS resolution is unrelated to URL categorization; a DNS failure would result in a connection error, not an 'Unrated' category. Option C is wrong because while a web filter policy can be configured to block unrated sites, the question asks for the most likely cause of the 'Unrated' category itself, not the blocking action. Option D is wrong because if the website were in the 'Blocked' category, it would show that specific category in the logs, not 'Unrated'.
