Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 601–675

1000 questions total · 14 pages · All types, answers revealed

601
MCQ · medium

A FortiGate is configured with FSSO to poll Active Directory for user logon events. Users report that their logins are not being detected. What is the FIRST step to troubleshoot?

A. Recreate all firewall policies
B. Run 'diag debug fsso poll' to verify the collector agent status
C. Disable and re-enable FSSO
D. Restart the FortiGate firewall
Answer: B

This command provides real-time debugging of FSSO polling.

Why this answer

The 'diag debug fsso poll' command shows the status of the FSSO collector agent and polling process, helping to identify issues.

602
MCQ · hard

A FortiGate administrator is upgrading firmware from version 6.0 to 7.0. The upgrade path requires multiple steps. Which of the following is the recommended method to ensure a successful upgrade?

A. Upgrade to 6.2, then to 6.4, then to 7.0, following the official upgrade path
B. Perform a factory reset after upgrading to 7.0
C. Use the 'execute upgrade-version' command to automatically determine the path
D. Upload and install the 7.0 firmware directly, then restore configuration from backup
Answer: A

Stepwise upgrades ensure compatibility and prevent issues.

Why this answer

FortiGate firmware upgrades must follow a specific path to ensure compatibility of the firmware image, configuration database, and bootloader. Skipping intermediate versions (e.g., 6.2 and 6.4) can cause configuration corruption or boot failure because each major version may change the internal data structures or require a specific bootloader version. The official upgrade path from 6.0 to 7.0 is 6.0 → 6.2 → 6.4 → 7.0, as documented in Fortinet's release notes.

Exam trap

The trap here is that candidates may think a direct upgrade is acceptable because they assume firmware is backward-compatible, or they confuse the 'execute update-now' command with an automatic path resolver, when in fact Fortinet requires strict adherence to the documented upgrade path to prevent bootloader and configuration schema mismatches.

How to eliminate wrong answers

Option B is wrong because performing a factory reset after upgrading to 7.0 does not address the need for a correct upgrade path; it only resets the configuration, but the firmware itself must still be upgraded in the correct sequence to avoid bootloader or database incompatibilities. Option C is wrong because the 'execute upgrade-version' command does not exist; FortiGate uses 'execute update-now' for firmware updates, but there is no automatic path determination command—the administrator must manually follow the documented upgrade path. Option D is wrong because directly uploading and installing 7.0 firmware from 6.0 is not supported; it can result in a failed upgrade or a non-booting unit due to incompatible firmware structures, and restoring a configuration from backup after a direct upgrade may also fail if the configuration format has changed.

603
MCQ · medium

A network administrator has configured an IPsec VPN between two FortiGate devices. The Phase 1 proposal includes AES256-SHA256-DH14. The Phase 2 proposal includes AES128-SHA1. The VPN tunnel fails to establish. Which of the following is the MOST likely cause?

A. The Phase 1 proposal is too strong and the remote FortiGate does not support DH14
B. The Phase 2 proposal does not match between the two devices
C. The VPN policy has not been configured on the remote FortiGate
D. The pre-shared key is incorrect
Answer: B

Phase 2 parameters must be identical on both sides. One side may have AES256 or a different lifetime, causing mismatch.

Why this answer

With IKEv1, both Phase 2 proposals must match exactly on both sides. AES128-SHA1 is mismatched if the other side uses a different encryption or authentication algorithm. AES128 is used, not AES256.

604
MCQ · medium

A network admin runs 'diag sys session filter proto 6' and 'diag sys session list' and sees many sessions with state 'SYN_SENT' to a public web server. The firewall policy allows TCP/443. What is the MOST likely cause?

A. The web server is overloaded and dropping connections
B. The policy is in proxy mode but should be flow mode
C. The destination NAT (VIP) for the web server is not configured
D. The firewall policy has session TTL set too low
Answer: C

Without a VIP, the firewall does not translate the destination IP to the internal server, so the server never receives the request.

Why this answer

SYN_SENT indicates that the FortiGate has sent a SYN but not received a SYN-ACK, suggesting the server is not responding, possibly due to a missing DNAT or VIP configuration for inbound traffic.

605
Multi-Select · medium

A FortiGate in NAT/Route mode has multiple internal networks. The administrator wants to configure a loopback interface for management access. Which THREE statements about loopback interfaces are correct? (Choose three.)

Select 3 answers
A. The loopback interface must be assigned to a physical port
B. The loopback interface is always up regardless of physical link status
C. The loopback interface can be used as a source IP for management traffic
D. The loopback interface cannot be used for firewall policies
E. The loopback interface participates in routing protocols
Answers: B, C, E

Loopback interfaces are virtual and remain up as long as the FortiGate is running.

Why this answer

Option B is correct because a loopback interface is a logical interface that is not tied to any physical link. It remains in an 'up' state as long as the FortiGate is operational, making it ideal for management access that must be available even if physical ports fail.

Exam trap

The trap here is that candidates often assume loopback interfaces cannot be used in firewall policies or must be tied to a physical port, but FortiGate treats them as fully functional interfaces for both routing and policy enforcement.

606
MCQ · easy

Which FortiGate log type records user authentication events, such as successful logins and failed login attempts?

A. ZTNA logs
B. Event logs
C. Traffic logs
D. Security logs
Answer: B

Event logs record administrative and system events.

Why this answer

Event logs include audit events like authentication successes and failures.

607
Multi-Select · medium

A company has two internet connections (WAN1 and WAN2). The administrator wants to route HTTP traffic from the internal network through WAN1, and all other traffic through WAN2. Which TWO configurations are needed?

Select 2 answers
A. Define an SD-WAN rule that matches HTTP and sets WAN1 as preferred
B. Apply NAT with IP pool on the firewall policy
C. Add a static route with a lower priority to WAN1
D. Create a policy-based routing rule to send HTTP traffic to WAN1
E. Configure load balancing between WAN1 and WAN2
Answers: A, D

Why this answer

Option A is correct because SD-WAN rules allow you to define application-based routing policies. By creating an SD-WAN rule that matches HTTP traffic and sets WAN1 as the preferred interface, the FortiGate will automatically steer HTTP sessions out through WAN1 while using the default routing table (which points to WAN2) for all other traffic. This leverages the SD-WAN feature's ability to perform per-application load balancing and failover without requiring policy-based routing.

Exam trap

The trap here is that candidates often confuse policy-based routing (Option D) with SD-WAN rules (Option A), not realizing that both are valid methods for application-based routing on FortiGate, and the question asks for TWO configurations needed, so both A and D are correct.

608
MCQ · easy

Which of the following is a characteristic of policy-based NAT on a FortiGate?

A. NAT is configured directly in the firewall policy using the 'set nat' option
B. NAT is configured separately from firewall policies using Central NAT rules
C. NAT is applied to all traffic regardless of policy
D. NAT can only be used with IP pools
Answer: A

Policy-based NAT is configured per-policy.

Why this answer

Policy-based NAT uses the 'set nat' command in a firewall policy to enable source NAT, while Central NAT uses a separate NAT policy table.

609
Multi-Select · hard

Which THREE factors should be considered when tuning IPS to reduce false positives?

Select 3 answers
A. Excluding trusted source IP addresses from certain signatures.
B. Enabling hardware acceleration for IPS processing.
C. Increasing the sensitivity of signatures to catch more attacks.
D. Adjusting the severity threshold for which signatures generate alerts.
E. Creating IPS filters to whitelist specific traffic patterns.
Answers: A, D, E

Excluding known good traffic reduces false positives.

Why this answer

Option A is correct because excluding trusted source IP addresses from certain signatures prevents the IPS from generating alerts for traffic that is known to be legitimate, directly reducing false positives. This is a common tuning technique in FortiGate IPS where you can create exceptions for specific sources or destinations to avoid unnecessary alerts from benign traffic.

Exam trap

The trap here is that candidates often confuse performance optimization (hardware acceleration) with accuracy tuning, or mistakenly think that increasing sensitivity reduces false positives, when in fact it does the opposite.

610
MCQ · hard

You run 'diagnose debug application ike -1' and see the following output: 'Initiator: no acceptable proposal'. What is the MOST likely cause of this error?

A. The pre-shared key is incorrect
B. The Phase 1 encryption or hash algorithm is mismatched
C. The remote gateway is not reachable
D. The firewall policy is blocking UDP port 500
Answer: B

Mismatched proposals cause this exact error.

Why this answer

The 'no acceptable proposal' error indicates that the IKE proposal sent by the initiator does not match any proposal configured on the responder. This is a Phase 1 mismatch.

611
MCQ · medium

A FortiGate admin is configuring a dial-up IPsec VPN for remote users. The users have dynamic IP addresses. Which Phase 1 configuration is appropriate?

A. Set the remote gateway to 'Dialup User' and enable an IP pool
B. Disable XAuth authentication
C. Set the remote gateway to the user's IP address
D. Use aggressive mode with a group pre-shared key
Answer: A

This allows any remote user to connect and get an IP from the pool.

Why this answer

For dial-up VPN with dynamic remote IPs, set the remote gateway to 'Dialup User' and configure an IP pool to assign addresses to clients.

612
MCQ · easy

Which statement best describes the 'implicit deny' policy on a FortiGate?

A. It can be moved to a different position in the policy list
B. It is automatically applied to all traffic that does not match any explicit policy
C. It is a configurable policy that denies all traffic
D. It logs all denied traffic by default
Answer: B

Any traffic not matched by a higher-priority allow policy is denied by the implicit deny.

Why this answer

The 'implicit deny' policy on a FortiGate is a built-in, last-resort rule that automatically denies any traffic not matching an explicit firewall policy. It is not visible in the policy list and cannot be moved, modified, or deleted; it is always applied as the final rule to ensure that only explicitly permitted traffic is allowed through the FortiGate.

Exam trap

The trap here is that candidates often confuse the implicit deny with a configurable policy, thinking it can be moved, logged, or modified, when in fact it is a fixed, non-configurable default rule that is always present and never logs traffic by default.

How to eliminate wrong answers

Option A is wrong because the implicit deny policy is not a movable entry in the policy list; it is a fixed, invisible rule that always resides at the bottom of the policy evaluation order. Option C is wrong because the implicit deny is not configurable — it is a hardcoded default behavior that cannot be edited or removed. Option D is wrong because the implicit deny does not log denied traffic by default; logging must be explicitly enabled on an explicit deny policy or via global logging settings.

613
MCQ · medium

An administrator has configured an SSL deep inspection profile with 'certificate inspection' for a firewall policy. Users report that they receive certificate errors when accessing HTTPS sites. What is the MOST likely reason?

A. The certificate installed on the FortiGate for SSL inspection is expired
B. The web server uses a self-signed certificate which is blocked by the inspection profile
C. The users' browsers do not trust the FortiGate's CA certificate
D. The FortiGate is not configured to re-sign certificates with its own CA certificate
Answer: D

With certificate inspection, the FortiGate does not decrypt or re-sign; it only inspects the certificate. Certificate errors would not be caused by this. Actually, this answer might be incorrect. Let me re-evaluate.

Why this answer

Option A is correct. Certificate inspection only checks the server certificate but does not re-sign it. Since FortiGate does not re-issue a certificate, clients see the original server certificate, which may be valid, but if the FortiGate is performing a man-in-the-middle, the client should see the FortiGate's CA certificate.

Actually, with certificate inspection, the FortiGate does not decrypt the traffic, so it cannot inspect the content; it only checks the certificate. The question might be tricky: certificate inspection does not modify the certificate chain, so users should not see certificate errors unless the FortiGate is intercepting. However, the typical cause of errors is when using full deep inspection without proper CA deployment.

For certificate inspection, errors can occur if the server certificate is invalid. But the best answer is that the FortiGate is not properly configured to re-sign certificates.

614
MCQ · medium

A FortiGate is configured with FSSO for firewall authentication. Users report they are prompted for credentials every time they access the internet, even though they are logged into the domain. What is the most likely cause?

A. The users are not members of the FSSO group.
B. The firewall policy uses 'All Users' instead of a specific group.
C. The FSSO collector agent service is not running.
D. The FortiGate's LDAP server is unreachable.
Answer: C

Without the collector agent, FortiGate cannot get logon events from AD.

Why this answer

FSSO relies on polling the domain controllers or using a collector agent to capture user logon events. If the DC polling fails or the collector agent is not working, FortiGate cannot correlate the user, so it prompts for authentication.

615
Multi-Select · hard

An administrator is configuring a hub-and-spoke IPsec VPN with a FortiGate as the hub. The spokes must be able to communicate with each other through the hub. Which THREE settings must be enabled on the hub FortiGate?

Select 2 answers
A. Enable 'arp-response' on the phase1 interface
B. Configure static routes on the hub for each spoke's local subnet
C. Set 'mode-cfg' to enable on the hub phase1
D. Enable 'auto-discovery-sender' on the hub
E. Enable 'add-route' on each phase1 interface
Answers: A, B

When the hub receives traffic for a spoke, it needs to respond to ARP requests for the spoke's IP on the phase1 interface; otherwise, the hub won't forward.

Why this answer

For spoke-to-spoke traffic to pass through the hub, the hub must have ARP reply enabled (so it responds for the remote spokes' IPs on its phase1 interface), must add the spoke subnets to its routing table, and must have 'add-route' disabled on the hub's phase1 interfaces to prevent automatic route creation that conflicts with manual routes.

616
MCQ · easy

An administrator wants to use Active Directory credentials to authenticate firewall administrators. Which authentication server type should be configured on the FortiGate?

A. TACACS+
B. FSSO
C. LDAP
D. RADIUS
Answer: C

LDAP is the protocol used to query Active Directory for authentication and user attributes.

Why this answer

FortiGate supports LDAP for integration with Active Directory. LDAP is the standard protocol for querying AD user information.

617
MCQ · easy

A network administrator wants to prevent users from downloading files with .exe extensions via HTTP and HTTPS. Which security profile feature should be used?

A. Web filter profile with URL filter to block .exe sites
B. Application control profile to block file transfer applications
C. Antivirus profile with 'block' action for file pattern matching .exe
D. IPS profile to block executable file transfers
Answer: C

Antivirus profiles can block files by extension using the 'File Pattern' feature. This works for HTTP and, with deep inspection, for HTTPS.

Why this answer

An antivirus profile can block files by file extension for both HTTP and HTTPS traffic, but only if SSL deep inspection is enabled for HTTPS. The file pattern filter is part of the antivirus profile.

618
MCQ · hard

A FortiGate with multiple WAN interfaces uses policy-based routing (PBR) to route traffic from subnet 10.0.0.0/24 through port1 and 10.0.1.0/24 through port2. However, traffic from 10.0.0.0/24 is still using port2. The PBR rule appears correctly configured. What is the MOST likely issue?

A. The source subnet in the PBR rule is incorrectly specified as 10.0.1.0/24
B. The firewall policy for that traffic has a route override setting that bypasses PBR
C. The static route for 0.0.0.0/0 has a higher administrative distance than the PBR rule
D. The PBR rule has a higher priority number than other rules
Answer: B

If the policy has an explicit route override (like setting the outgoing interface), it will bypass PBR. Disabling route override allows PBR to work.

Why this answer

PBR rules are evaluated before routing table lookups. But if a firewall policy is matching the traffic before PBR (depending on configuration), the policy's route may override PBR. Also, PBR requires that the policy does not have a route override.

Another common issue is that the policy's destination interface is set to auto or the wrong interface, causing the route table decision to take precedence. However, the most common mistake is that the policy created for that traffic has its 'policy-based routing' option disabled or is using a different routing method.

619
Multi-Select · medium

An administrator wants to configure HA on two FortiGate units. Which TWO of the following must match on both units for the cluster to form? (Choose two.)

Select 2 answers
A. HA heartbeat interface configuration
B. License type
C. Management IP addresses
D. Hostname
E. HA mode (active-passive or active-active) and group ID
Answers: A, E

Heartbeat interfaces must be configured consistently.

Why this answer

The HA heartbeat interface configuration must match on both FortiGate units because the heartbeat interface is used for cluster communication, synchronization, and failure detection. If the interfaces designated for heartbeat traffic differ between units, they cannot establish the required Layer 2 adjacency or exchange HA control packets, preventing cluster formation.

Exam trap

The trap here is that candidates often confuse 'must match' with 'must be identical' for management IP addresses or hostnames, but FortiGate HA only requires matching for heartbeat interface configuration and HA mode/group ID, not for administrative identifiers.

620
MCQ · medium

A network admin has configured a firewall policy allowing HTTPS traffic from the internal network to a DMZ web server. Users report that the web pages load slowly. The admin checks the policy and notices traffic shaping is not applied. What is the BEST action to ensure fair bandwidth distribution for HTTPS traffic?

A. Create a traffic shaping policy and apply it to the firewall policy
B. Increase the bandwidth of the internet link
C. Configure policy-based routing for HTTPS traffic
D. Enable QoS on the outgoing interface
Answer: A

Traffic shapers are applied directly to firewall policies to control bandwidth for matching traffic.

Why this answer

Traffic shaping is the correct mechanism to enforce fair bandwidth distribution for HTTPS traffic. By creating a traffic shaping policy and applying it to the firewall policy, the admin can allocate a specific bandwidth guarantee or limit for HTTPS sessions, preventing them from starving other traffic. Without shaping, HTTPS traffic can consume all available bandwidth, causing slow performance for other users.

Exam trap

The trap here is that candidates often confuse QoS (which prioritizes packets) with traffic shaping (which controls bandwidth allocation), leading them to select option D, but QoS alone does not enforce fair distribution of bandwidth across multiple sessions.

How to eliminate wrong answers

Option B is wrong because increasing the internet link bandwidth does not enforce fair distribution; it only adds more capacity, which can still be monopolized by aggressive HTTPS traffic. Option C is wrong because policy-based routing controls the path traffic takes, not bandwidth allocation; it does not shape or limit traffic. Option D is wrong because QoS on the outgoing interface is a lower-level mechanism that typically prioritizes packets based on DSCP or CoS values, but it does not provide the per-policy bandwidth control that traffic shaping offers in FortiGate.

621
MCQ · hard

You run the command 'diagnose vpn ike log filter name vpn1' and then 'diagnose vpn ike log filter type phase1'. The log shows: 'IKEv1 exchange:f4470f07:00000000: responder: main mode: received IKE_SA_INIT (aggressive mode not allowed)'. What is the problem?

A. The initiator is using IKEv2 while the responder uses IKEv1
B. The responder is configured for main mode only, but the initiator is sending aggressive mode
C. The pre-shared key is wrong
D. The phase1 proposal is incompatible
Answer: B

The responder rejects the aggressive mode init because its configuration only allows main mode.

Why this answer

The log indicates that the initiator sent an IKE_SA_INIT message, which is part of aggressive mode (IKEv1). Since the responder expects main mode, it rejects the aggressive mode proposal.

622
MCQ · easy

A FortiGate administrator configures a firewall policy to allow HTTP traffic from internal users to the internet. The policy uses source address 'internal_subnet', destination address 'all', and service 'HTTP'. After applying the policy, users report they cannot access websites. What is the most likely cause?

A. The source interface is misconfigured
B. The destination address object 'all' is incorrect
C. The policy order is incorrect and a deny policy above is blocking the traffic
D. The policy only allows HTTP (port 80), but users are likely accessing HTTPS (port 443)
Answer: D

A common oversight: the policy only permits port 80, but most websites use HTTPS on port 443.

Why this answer

The policy explicitly allows HTTP (TCP port 80), but modern web traffic predominantly uses HTTPS (TCP port 443). Since the service object does not include HTTPS, the firewall will drop HTTPS packets by default unless a separate policy or rule permits them. This is the most likely reason users cannot access websites, as most sites redirect HTTP to HTTPS or require HTTPS for secure connections.

Exam trap

The trap here is that candidates assume 'HTTP' covers all web traffic, but FortiGate treats HTTP and HTTPS as distinct services based on port numbers, and the implicit deny will block any unmatched traffic.

How to eliminate wrong answers

Option A is wrong because the source interface misconfiguration would typically cause a complete lack of connectivity for all traffic from that interface, not just web browsing, and the policy would not match at all. Option B is wrong because the destination address object 'all' is a valid FortiGate object that represents any destination IP address, and it is correct for allowing traffic to the internet. Option C is wrong because while policy order can affect traffic matching, the question states the policy was applied and there is no indication of a deny policy above; the most direct and common cause is the service mismatch.

623
MCQ · medium

An administrator wants to ensure that search engine results from Google, Bing, and Yahoo are filtered to exclude explicit content when users perform searches. Which feature should the administrator configure in the web filter profile?

A. FortiGuard category filter
B. URL filter
C. Safe search
D. DNS filter
Answer: C

Safe search is a dedicated feature to enforce safe search on supported search engines.

Why this answer

Safe search enforces the search engine's built-in safe search settings (like Google SafeSearch) by appending parameters to the search URL, ensuring explicit content is filtered.

624
Multi-Select · medium

A FortiGate administrator is configuring FSSO to authenticate users transparently. The FSSO collector agent is installed on a Windows server in the domain. Which TWO requirements must be met for FSSO to work correctly?

Select 2 answers
A. The FortiGate must be a member of the Active Directory domain
B. The users must authenticate via captive portal at least once
C. The FortiGate must be able to reach the FSSO collector agent on TCP port 8000 (or the configured port)
D. The firewall policies must use FSSO groups directly without any user objects
E. The FSSO collector agent must have network access to the Active Directory domain controllers
Answers: C, E

The collector agent communicates with the FortiGate on a specific port (default 8000) to send login events.

Why this answer

Options A and C are correct. The FortiGate must be able to communicate with the collector agent, and the collector agent must have access to Active Directory to monitor login events. Additionally, the FortiGate's firewall policies must use user groups based on FSSO authentication.

625
MCQ · hard

A FortiGate is configured with IPsec VPN using IKEv2 and a policy-based tunnel. The remote subnet is 10.0.2.0/24, and the local subnet is 192.168.1.0/24. The tunnel is up, but traffic from 192.168.1.0/24 to 10.0.2.0/24 fails. The administrator checks the firewall policy and sees a policy allowing traffic from the local interface (port1) to the remote interface (virtual ipsec interface) with the action set to IPSEC. What is the most likely missing configuration?

A. IKEv2 does not support policy-based VPNs
B. The tunnel interface is not assigned to the correct VDOM
C. The Phase 2 proposal does not match the remote subnet
D. The firewall policy's source or destination addresses are not correctly set to the local and remote subnets
Answer: D

Policy-based VPNs require the policy to explicitly specify the local and remote subnets in source/destination. If set to 'all', it may work, but the failure suggests mismatch.

Why this answer

Policy-based VPNs require a firewall policy that matches the traffic and has the action set to IPSEC. However, the 'incoming interface' must be the internal interface (port1) and 'outgoing interface' the tunnel interface. The description suggests both are correct, but the missing piece is that the 'source' and 'destination' addresses in the policy must match the local and remote subnets.

The policy likely uses all addresses or incorrect subnets.

626
MCQ · hard

An administrator has configured an IPS profile with an anomaly detection sensor for 'tcp_syn_flood'. After applying the profile to a firewall policy, users report intermittent connectivity issues. The administrator runs 'diagnose ips anomaly list' and sees entries for 'tcp_syn_flood' with action 'pass'. What is the MOST likely cause of the connectivity issues?

A. The anomaly sensor is set to 'block' but the action is overridden by the policy
B. The anomaly sensor is using a different action than expected; it might be set to 'block' for some other sensor
C. The anomaly sensor is not actually applied; the list shows default entries
D. The anomaly sensor is set to 'pass' but the threshold is too low, causing false positives
Answer: C

Why this answer

The 'diagnose ips anomaly list' output shows default anomaly entries. If the sensor were properly applied, the action would be 'block' as configured. The connectivity issues may be unrelated to IPS; the administrator should verify the sensor is attached to the policy.

627
Multi-Select · medium

A FortiGate administrator needs to allow SMTP traffic (TCP port 25) from the internal network (10.0.0.0/8) to a mail server in the DMZ (172.16.0.10). The administrator wants to apply an antivirus profile and log all sessions. Which THREE configuration steps are required?

Select 3 answers
A. Create a schedule object and apply it to the policy
B. Create a firewall policy with source: 10.0.0.0/8, destination: 172.16.0.10, service: SMTP, action: ACCEPT
C. Create an antivirus profile and apply it to the policy
D. Configure NAT on the policy to translate source IPs
E. Enable logging on the firewall policy
Answers: B, C, E

Why this answer

Option B is correct because a firewall policy must be created to allow SMTP traffic from the internal network (10.0.0.0/8) to the DMZ mail server (172.16.0.10) on TCP port 25. The policy must specify the source, destination, service (SMTP), and action (ACCEPT) to permit the traffic. Without this policy, the traffic would be blocked by default.

Exam trap

The trap here is that candidates often assume NAT is required for any traffic leaving a private network, but in FortiGate, NAT is only needed when the destination is on a different network segment that requires source address translation, such as the internet, not for internal-to-DMZ traffic.

628
MCQ · hard

A FortiGate is configured with two WAN links (port1 and port2) and uses ECMP routing. The administrator wants to ensure that traffic from a specific internal subnet (192.168.10.0/24) always uses port1, while all other traffic uses ECMP. Which configuration should be applied?

A. Create a separate VDOM for 192.168.10.0/24 and route it through port1
B. Create two static routes with equal distances to use ECMP, and add a policy route for 192.168.10.0/24 with outgoing interface port1
C. Configure a VIP to translate 192.168.10.0/24 to an IP on port1
D. Use a firewall policy to change the route based on source
Answer: B

Policy routes can match source IP and force a specific egress interface.

Why this answer

Policy routes override the routing table for matching traffic, allowing you to force traffic from 192.168.10.0/24 out port1 while ECMP handles all other traffic. ECMP distributes traffic across multiple equal-cost routes, but a policy route takes precedence over the routing table for specified traffic. This meets the requirement without disrupting ECMP for other traffic.

Exam trap

The trap here is confusing firewall policies with routing decisions; candidates often think a firewall policy can change the outgoing interface, but it only controls access, not the path traffic takes through the network.

How to eliminate wrong answers

Option A is wrong because creating a separate VDOM for a single subnet is overkill and introduces administrative overhead; VDOMs are for multi-tenant isolation, not simple source-based routing. Option C is wrong because a VIP translates destination IPs, not source subnets, and does not control outbound interface selection. Option D is wrong because firewall policies do not change routes; they match traffic and apply actions like allow/deny, but routing decisions are made by the routing table or policy routes.

629
Multi-Select · medium

A site-to-site IPsec VPN is configured with IKEv2. The tunnel establishes but traffic does not pass. Which two troubleshooting steps should the administrator perform first?

Select 2 answers
A. Check the Phase 2 selectors.
B. Verify that the Phase 1 proposal matches.
C. Check the firewall policies allowing traffic through the tunnel.
D. Check the routing table for routes pointing to the remote networks.
Answers: C, D

Policies must permit traffic between zones.

Why this answer

Option C is correct because even if the IPsec tunnel is established, traffic will not pass unless firewall policies explicitly permit it. In FortiGate, a Phase 2 tunnel being up does not imply that traffic is allowed; you must have a policy that matches the source/destination and enables the action to forward traffic through the tunnel interface.

Exam trap

The trap here is that candidates assume a 'tunnel up' status guarantees traffic flow, but FortiGate separates tunnel negotiation from firewall policy enforcement, so both a policy and a route are required for traffic to pass.

630
MCQmedium

An administrator wants to back up the FortiGate configuration to a remote FTP server. Which command should be used?

A.execute restore config ftp <filename> <server>
B.copy running-config startup-config
C.execute backup system ftp <filename> <server>
D.execute backup config ftp <filename> <server>
AnswerD

This is the correct syntax.

Why this answer

Option D is correct because the `execute backup config ftp` command is the specific FortiGate CLI command designed to back up the configuration file to a remote FTP server. This command directly initiates an FTP transfer of the current system configuration, ensuring the backup is stored externally for disaster recovery.

Exam trap

The trap here is confusing the `backup` and `restore` commands, or using a Cisco-style command like `copy running-config startup-config`, which is not valid on FortiGate devices.

How to eliminate wrong answers

Option A is wrong because `execute restore config ftp` is used to restore a configuration from an FTP server, not to back up. Option B is wrong because `copy running-config startup-config` is a Cisco IOS command for saving the running configuration to NVRAM, not a FortiGate command for backing up to an FTP server. Option C is wrong because `execute backup system ftp` is not a valid FortiGate command; the correct syntax uses `config` to specify the configuration file, not `system`.

631
Multi-Selectmedium

A FortiGate administrator needs to allow SNMP monitoring from a management station at 10.10.10.50. Which TWO configuration steps are required? (Choose two.)

Select 2 answers
A.Enable SNMP agent globally
B.Configure an SNMP community with read-only access and restrict access to 10.10.10.50
C.Configure an SNMP trap to send alerts to 10.10.10.50
D.Enable SNMP on the interface connected to the management station
E.Configure a firewall policy allowing SNMP from the management station
AnswersA, B

The SNMP agent must be enabled to respond to queries.

Why this answer

Option A is correct because the SNMP agent must be globally enabled on the FortiGate before any SNMP queries can be processed. Option B is correct because an SNMP community with read-only access defines the authentication and access control parameters, and restricting it to 10.10.10.50 ensures only that management station can poll the device.

Exam trap

The trap here is that candidates often confuse SNMP monitoring (polling) with SNMP traps, or mistakenly think a firewall policy is needed for local management traffic, when in fact SNMP agent access is controlled entirely by the community configuration and the global enable setting.

632
Multi-Selectmedium

A FortiGate admin wants to ensure that traffic from the internal network (192.168.1.0/24) to the internet uses a specific public IP (203.0.113.10) for source NAT, and that the same public IP is also used for inbound connections to an internal web server (10.0.1.10) on port 443. Which TWO configurations are required? (Choose two.)

Select 2 answers
A.Configure an IP Pool with type Overload using 203.0.113.10
B.Configure a Virtual IP mapping 203.0.113.10:443 to 10.0.1.10:443
C.Create a firewall policy with source NAT enabled and the IP Pool selected
D.Configure Central SNAT with the same public IP
AnswersA, B

This provides source NAT for outbound traffic using the required public IP.

Why this answer

Option A is correct because an IP Pool with type Overload allows multiple internal hosts to share a single public IP (203.0.113.10) for source NAT when traffic goes to the internet. This is the standard method for PAT (Port Address Translation) in FortiGate, enabling many-to-one NAT.

Exam trap

The trap here is that candidates often confuse IP Pools (for source NAT) with Virtual IPs (for destination NAT), or think that enabling source NAT in a policy alone is enough without configuring the IP Pool object.

633
MCQhard

A FortiGate administrator runs 'diagnose vpn tunnel list' and sees the following output for an IPsec tunnel: 'status: up', 'incoming: 0 packets', 'outgoing: 100 packets'. Phase 1 and Phase 2 both show state 'up'. What is the MOST likely cause of zero incoming packets?

A.The remote gateway is using aggressive mode
B.The FortiGate has a static route pointing to the VPN interface
C.The VPN is configured in policy-based mode
D.The Phase 2 proposal includes a mismatched proxy ID
AnswerD

If the remote side expects a different subnet, it may drop incoming packets or not respond.

Why this answer

If outgoing packets are being sent but no incoming packets are received, the remote side most likely has a misconfiguration such as a wrong remote subnet in Phase 2 or a firewall policy blocking the return traffic.

634
MCQmedium

An administrator needs to apply traffic shaping to limit bandwidth for video streaming traffic on a firewall policy. Which configuration step is required?

A.Use an application control profile to restrict video streaming
B.Configure policy-based routing to shape traffic
C.Enable QoS on the interface and set the bandwidth limit
D.Create a traffic shaper and reference it in the firewall policy
AnswerD

Traffic shapers define bandwidth limits and are applied via policies.

Why this answer

To apply traffic shaping, a traffic shaper must be created and then referenced in the firewall policy. Option D is correct.

635
Multi-Selecthard

You are troubleshooting a FortiGate HA cluster that is not failing over correctly. The cluster has two units in active-passive mode. You check the HA status and see both units are in 'standalone' mode. Which THREE configurations could cause this? (Choose three.)

Select 3 answers
A.The FortiGate is configured in transparent mode
B.The HA group ID is different on each unit
C.The firmware versions are different but both are 7.0.x
D.The HA heartbeat interface is down on one unit
E.The HA password is different on each unit
AnswersB, D, E

Group ID must match for cluster formation.

Why this answer

Option B is correct because the HA group ID must match on all cluster members for them to recognize each other as part of the same cluster. If the group IDs differ, each unit will operate independently in standalone mode, as they cannot form a common HA session.

Exam trap

The trap here is that candidates often overlook the HA password requirement or assume transparent mode disables HA, but FortiGate supports HA in all operational modes, and password mismatches are a common misconfiguration.

636
Multi-Selectmedium

An administrator is configuring ECMP (Equal-Cost Multi-Path) on a FortiGate. Which TWO conditions are required for ECMP to load balance traffic across multiple routes?

Select 2 answers
A.Routes must use different next-hop IP addresses
B.Routes must have the same priority setting
C.Routes must have the same administrative distance
D.Routes must be static routes only
E.Routes must be through different interfaces
AnswersB, C

Priority must also be equal.

Why this answer

Option B is correct because ECMP requires that multiple routes have the same priority (also known as 'distance' in some contexts) to be considered equal-cost. In FortiGate, priority is a metric that determines route preference; only routes with identical priority can be used simultaneously for load balancing. Option C is also correct because administrative distance must be the same for routes to be considered equal; if administrative distances differ, the route with the lower distance is preferred, and ECMP will not apply.

Exam trap

The trap here is that candidates often confuse 'priority' with 'administrative distance' or assume ECMP requires different next-hop IPs, but FortiGate actually requires both priority and administrative distance to be identical, and next-hop IPs can be the same if interfaces differ.

637
MCQmedium

An administrator configures a DLP sensor to detect credit card numbers in traffic. However, the sensor is not detecting any credit card numbers even though they are present in emails. What could be the reason?

A.Email traffic is encrypted and SSL deep inspection is not enabled
B.The DLP sensor is applied to the wrong policy
C.The credit card regular expression is incorrect
D.The DLP sensor is in 'Monitor' mode
AnswerA

DLP cannot inspect encrypted payloads. Deep inspection must be enabled to decrypt and scan.

Why this answer

DLP sensors inspect traffic content. If the traffic is encrypted (e.g., via TLS), the sensor cannot see the plaintext unless SSL deep inspection is enabled to decrypt the traffic first.

638
MCQeasy

An administrator wants to restrict access to a web server from only specific countries. The FortiGate is located at the network edge. Which address object type should be used in the source field of the firewall policy?

A.FQDN address object
B.Wildcard FQDN address object
C.Geography address object
D.Subnet address object
AnswerC

Allows country-based filtering.

Why this answer

Option C is correct because a Geography address object allows the FortiGate to match traffic based on the source IP's country of origin, using the built-in GeoIP database. This is the only address object type that can restrict access by country without requiring manual IP range updates.

Exam trap

The trap here is that candidates may confuse Geography address objects with FQDN or Subnet objects, mistakenly thinking that a wildcard or domain-based object can filter by geographic location, when in fact only the Geography object leverages the FortiGate's GeoIP database for country-level matching.

How to eliminate wrong answers

Option A is wrong because an FQDN address object resolves to a specific IP address or set of IP addresses, not to a country or geographic region. Option B is wrong because a Wildcard FQDN address object matches domain names with wildcards (e.g., *.example.com) and is used for web filtering or DNS-based policies, not for geographic restrictions. Option D is wrong because a Subnet address object defines a specific IP range or network segment, which cannot dynamically represent all IPs from a particular country.

639
Multi-Selecthard

A company needs to allow inbound HTTPS traffic from the internet to a web server behind the FortiGate. The public IP is 203.0.113.10, and the internal server is 192.168.1.10. The server must receive the original source IP of the client. Which THREE configurations are required to achieve this?

Select 3 answers
A.A firewall policy from WAN to DMZ allowing HTTPS traffic to the VIP
B.Disabling source NAT on the firewall policy (set nat enable disable)
C.A static route for 203.0.113.10 pointing to the ISP gateway
D.A Central SNAT policy to translate the source to the FortiGate's IP
E.A Virtual IP (VIP) mapping 203.0.113.10:443 to 192.168.1.10:443
AnswersA, B, E

The policy must permit the traffic to the VIP destination.

Why this answer

To allow inbound HTTPS and preserve the source IP, you need a VIP to translate destination, a firewall policy allowing the traffic, and no source NAT (or use a policy that does not SNAT). SNAT would hide the original source IP.

640
MCQhard

You run the CLI command 'diagnose vpn ike gateway list' and see that an IPsec VPN gateway is in 'up' state with 'initiator' mode, but no Phase 2 selectors are established. What is the most likely cause?

A.The Phase 2 proposal parameters (encryption, authentication) do not match between peers
B.The remote gateway is not responding to IKE packets
C.The local and remote Phase 2 selectors (proxy IDs) do not match
D.The IPsec interface is down
AnswerC

Mismatched proxy IDs prevent Phase 2 negotiation from completing successfully. Phase 1 can be up while Phase 2 fails to establish.

Why this answer

Phase 1 shows as up, meaning the IKE SA is established, but Phase 2 is down. Common causes include mismatched proxy IDs (Phase 2 selectors), firewall policies that do not match the traffic, or firewall rules blocking IPsec traffic.

The output indicates Phase 1 is up, so the issue is at Phase 2.

641
MCQhard

A FortiGate in flow-based mode is configured with an antivirus profile to block infected files. A user downloads a .zip file containing a known virus, but the download is allowed and the file is not quarantined. What is the MOST likely reason?

A.The antivirus profile is not set to 'block' for virus outbreaks
B.The virus definition database is outdated
C.Flow-based inspection does not support antivirus for .zip archives
D.Flow-based inspection does not decompress archives by default
AnswerD

In flow mode, FortiGate scans files in a streaming fashion and does not buffer them to decompress archives. The virus inside the zip may not be detected.

Why this answer

Option D is correct because flow-based inspection does not buffer files for decompression, so viruses inside archives may be missed.

642
MCQeasy

Which of the following is a prerequisite for SSL deep inspection to work correctly on FortiGate?

A.A dedicated HTTPS firewall policy.
B.A firewall policy that has SSL inspection enabled.
C.The FortiGate must be operating in proxy mode.
D.An active FortiCare license.
AnswerB

The policy must have SSL inspection profile applied.

Why this answer

SSL deep inspection requires a firewall policy with SSL inspection enabled to intercept and decrypt HTTPS traffic. Without such a policy, the FortiGate cannot apply the CA certificate to re-encrypt traffic for inspection, making deep inspection non-functional.

Exam trap

The trap here is that candidates often confuse the need for a firewall policy with SSL inspection enabled with the misconception that a separate HTTPS-only policy or proxy mode is mandatory, when in fact any policy matching HTTPS traffic can be configured for deep inspection.

How to eliminate wrong answers

Option A is wrong because a dedicated HTTPS firewall policy is not required; any firewall policy with the appropriate SSL inspection profile can handle HTTPS traffic. Option C is wrong because FortiGate supports SSL inspection in both proxy-based and flow-based modes, not exclusively proxy mode. Option D is wrong because an active FortiCare license is not a prerequisite for SSL deep inspection; it is required for FortiGuard services like web filtering but not for the inspection mechanism itself.

643
Multi-Selectmedium

A FortiGate administrator is implementing a policy to allow outbound traffic from the internal network to the internet. The requirements are: (1) all traffic from internal users must be source NATed to the external interface IP, (2) traffic from a specific server must use a different public IP, (3) HTTP traffic must be shaped to 10 Mbps. Which THREE configuration elements should the administrator create? (Choose three.)

Select 3 answers
A.A traffic shaper for HTTP traffic
B.A VIP for the server
C.A firewall policy with NAT enabled and the IP pool referenced
D.An IP Pool for the specific server's public IP
E.A policy-based routing rule for the server
AnswersA, C, D

Traffic shaper limits bandwidth.

Why this answer

An IP pool for the specific server's public IP, a traffic shaper for HTTP, and a firewall policy with NAT enabled that references them are required. Options A, C, and D are correct.

644
MCQeasy

Which FortiGate feature allows administrators to verify if a specific IP address is being blocked by a security policy?

A.diagnose sys session list
B.get system ha status
C.diagnose debug flow
D.diagnose sniffer packet
AnswerC

Debug flow shows policy matches and actions for a given flow.

Why this answer

Option C is correct. 'diagnose debug flow' can trace a packet from a specific source IP and show whether it is allowed or denied by a firewall policy.

645
MCQmedium

An administrator needs to forward logs from a FortiGate to a FortiAnalyzer for centralized logging. The FortiAnalyzer IP is 10.10.10.10. Which configuration is required on the FortiGate?

A.config system central-management set type fortianalyzer set ip 10.10.10.10 end
B.config log setting set fortianalyzer ip 10.10.10.10 end
C.config log syslogd setting set server 10.10.10.10 end
D.config log fortianalyzer setting set status enable set server 10.10.10.10 end
AnswerD

This correctly enables FortiAnalyzer logging and sets the server IP.

Why this answer

Option D is correct because the FortiGate uses the `config log fortianalyzer setting` command to configure direct logging to a FortiAnalyzer. This command enables the log forwarding feature (`set status enable`) and specifies the FortiAnalyzer's IP address (`set server 10.10.10.10`). The other options either use incorrect command paths or are intended for different logging destinations (e.g., syslog or central management).

Exam trap

The trap here is that candidates confuse the `config log fortianalyzer setting` command with the `config system central-management` command (used for FortiManager) or the syslog configuration, leading them to select options that configure the wrong service or miss the required `set status enable` step.

How to eliminate wrong answers

Option A is wrong because `config system central-management` is used for centralized management (e.g., FortiManager), not for log forwarding to FortiAnalyzer. Option B is wrong because `config log setting` is a global log configuration context, but the correct subcommand for FortiAnalyzer is `config log fortianalyzer setting`, not a direct `set fortianalyzer ip` syntax. Option C is wrong because `config log syslogd setting` configures syslog forwarding, which uses a different protocol (UDP/TCP syslog) and is not the native FortiAnalyzer logging method.

646
MCQeasy

A FortiGate administrator wants to authenticate VPN users against an existing LDAP server. The administrator creates an LDAP user group on the FortiGate. What additional configuration is REQUIRED to use this group for IPsec VPN authentication?

A.In the IPsec Phase 1 configuration, set the peer type to 'dialup' and specify the user group under authentication
B.Enable LDAP over TLS (LDAPS) on the FortiGate
C.Assign the LDAP user group to a firewall policy
D.Configure a RADIUS server as an intermediate proxy between FortiGate and LDAP
AnswerA

For dial-up IPsec VPN, the Phase 1 configuration must include the user group to authenticate users against LDAP.

Why this answer

Option A is correct. The user group must be referenced in the IPsec Phase 1 authentication settings, specifically under 'Peer Options' or 'User Authentication' (depending on FortiOS version). Typically, this is done by setting 'xauthtype' to 'auto' or 'psk' and selecting the user group under 'usrgrp'.

647
Multi-Selectmedium

A network admin wants to block all traffic from the BitTorrent application. The admin has enabled application control on the firewall policy. Which TWO steps are necessary to achieve this?

Select 2 answers
A.Add a DNS filter profile to block BitTorrent tracker domains
B.Add the BitTorrent application signature to the application control profile and set action to block
C.Set the application control inspection mode to proxy-based
D.Enable 'deep inspection' in the application control profile
E.Enable SSL deep inspection on the firewall policy
AnswersB, E

This defines what to block.

Why this answer

Options B and E are correct: the application control profile must include the BitTorrent signature and be configured to block it. Additionally, if BitTorrent uses random high ports or encryption, SSL deep inspection may be needed to identify the traffic.

648
Multi-Selectmedium

An admin needs to configure a FortiGate to send logs to a FortiAnalyzer. Which TWO steps must be performed? (Choose two.)

Select 2 answers
A.Set the log aggregation interval
B.Configure SNMP trap destinations
C.Create a firewall policy to allow traffic to FortiAnalyzer
D.Configure the FortiAnalyzer IP under config system log-fortianalyzer
E.Enable logging to FortiAnalyzer using the 'set status enable' command under the same configuration
AnswersD, E

This is where the FortiAnalyzer server address is set.

Why this answer

Option D is correct because the FortiGate must be configured with the FortiAnalyzer IP address under the `config system log-fortianalyzer` hierarchy to establish the logging destination. Option E is correct because after setting the IP, the `set status enable` command must be issued to activate log forwarding to that FortiAnalyzer; without this, no logs are sent even if the IP is configured.

Exam trap

The trap here is that candidates often think a firewall policy is required to allow outbound log traffic, but FortiGate management traffic (including logs to FortiAnalyzer) bypasses the firewall policy engine and is controlled solely by the management VDOM or system settings.

649
MCQmedium

A network administrator wants to implement two-factor authentication for SSL VPN users using FortiToken. The users are already authenticated against an LDAP server. Which configuration step is required to enforce two-factor authentication?

A.Create a local user with the same username as the LDAP user and assign a FortiToken to that local user
B.Create a user group that uses LDAP as the authentication server and enable FortiToken two-factor authentication in the group settings
C.Configure the SSL VPN portal to require FortiToken and set the authentication server to LDAP
D.Set the SSL VPN authentication method to 'certificate' and use FortiToken as second factor
AnswerB

Correct. The user group authenticates against LDAP and then requires a FortiToken for two-factor.

Why this answer

For two-factor authentication, FortiGate requires a user group with the LDAP server as the primary authentication, and then enabling FortiToken two-factor authentication on that group. This allows the user to first authenticate via LDAP (password) and then provide a FortiToken code.

650
MCQeasy

An administrator has configured two FortiGate units in an active-passive HA cluster. The primary unit fails. How does the secondary unit become active?

A.The secondary unit detects loss of heartbeat from the primary and takes over
B.The administrator must manually reboot the secondary unit
C.The secondary unit becomes active only if the heartbeat link is also down
D.The secondary unit waits for a configuration change before becoming active
AnswerA

Heartbeat monitoring triggers failover when primary is unreachable.

Why this answer

In an active-passive HA cluster, the secondary unit monitors the primary unit's health via heartbeat messages. When the primary fails and stops sending heartbeats, the secondary unit detects the loss of heartbeat and initiates a failover, transitioning to the active role. This is the default behavior in FortiGate HA, where the secondary unit does not require manual intervention or additional conditions to become active.

Exam trap

The trap here is that candidates may think the secondary unit requires the heartbeat link to be down or manual intervention to become active, but FortiGate HA automatically promotes the secondary unit upon detecting the primary's failure via heartbeat loss.

How to eliminate wrong answers

Option B is wrong because FortiGate HA is designed for automatic failover; the administrator does not need to manually reboot the secondary unit, as that would defeat the purpose of high availability. Option C is wrong because the secondary unit becomes active when the primary fails, regardless of whether the heartbeat link is also down; the heartbeat link being down alone would not trigger a failover if the primary is still active. Option D is wrong because the secondary unit does not wait for a configuration change; it becomes active based on the failure detection, and configuration synchronization occurs after the failover.

651
MCQhard

An administrator configures FSSO (Fortinet Single Sign-On) with Active Directory polling. Users report that their web traffic is being blocked by the firewall even though they are logged into the domain. Which CLI command can the administrator use to verify the FSSO login status for a specific user?

A.diagnose user fsso poll user <username>
B.diagnose wad user list
C.diagnose debug authd fsso list
D.diagnose test authserver ldap <server> <username>
AnswerC

Correct. This command lists all FSSO users with their IP addresses and group memberships.

Why this answer

The command 'diagnose debug authd fsso list' displays all FSSO users currently known to FortiGate, including their IP addresses and login state. This is the primary command to verify if the user is recognized by FSSO.

652
Multi-Selecthard

A FortiGate administrator is troubleshooting why traffic from a specific source IP is not being logged. The traffic is allowed by a firewall policy with logging enabled. Which TWO commands could the administrator use to verify if the traffic is hitting the expected policy? (Choose two.)

Select 2 answers
A.get system performance status
B.diagnose debug flow
C.diagnose sniffer packet any 'host 10.0.0.1'
D.diagnose sys session filter src 10.0.0.1
E.diagnose debug application fnbamd
AnswersB, D

Shows policy matching in real-time.

Why this answer

'diagnose debug flow' traces traffic through the policy lookup. 'diagnose sys session filter' can show active sessions for that source IP. 'diagnose sniffer packet' captures packets but doesn't directly show the policy match.

653
MCQeasy

Which of the following is a characteristic of route-based IPsec VPN compared to policy-based IPsec VPN?

A.Route-based VPN is only supported in IKEv1
B.Route-based VPN requires Phase 2 selectors to match both local and remote subnets
C.Route-based VPN can use dynamic routing protocols like OSPF
D.Route-based VPN uses firewall policies with IPsec action
AnswerC

The tunnel interface can participate in routing protocols.

Why this answer

Route-based VPNs use a virtual tunnel interface (e.g., port1.0) that supports dynamic routing protocols, whereas policy-based VPNs rely on firewall policies with the IPsec action and static selectors.

654
Matchingmedium

Match each FortiGate VPN type to its characteristic.



Connects two networks over the internet securely

Provides remote access via web browser or client software

Legacy VPN protocol with weaker security

Combines Layer 2 tunneling with IPsec encryption

Auto-discovery VPN that dynamically establishes shortcuts

Why these pairings

Common VPN types supported by FortiGate.

655
Multi-Selecthard

An organization uses FortiMail for email filtering and FortiGate for web filtering. The administrator wants to ensure that email traffic is filtered for spam and malware before reaching the internal mail server. Which TWO steps should be taken? (Choose two.)

Select 2 answers
A.Configure FortiMail to scan incoming emails and then forward them to the internal mail server.
B.Apply an antivirus profile to the firewall policy that handles SMTP traffic.
C.Apply an email filter profile to the firewall policy that handles SMTP traffic.
D.Configure the FortiGate to route SMTP traffic through FortiMail using a policy-based routing or VIP.
E.Disable SMTP inspection on the FortiGate to avoid double scanning.
AnswersA, D

FortiMail should perform spam and virus scanning before delivering to the internal mail server.

656
MCQmedium

In a FortiGate HA cluster, the administrator needs to perform a firmware upgrade without causing a full service outage. Which procedure should be followed?

A.Upgrade the primary unit first, then the secondary unit
B.Upgrade the secondary unit first, then perform a failover, then upgrade the primary unit
C.Disable HA and upgrade each unit separately
D.Upgrade both units simultaneously
AnswerB

This ensures one unit is always handling traffic during the upgrade process.

Why this answer

Option B is correct. The recommended procedure to upgrade with minimal downtime is to upgrade the secondary unit first, then force a failover to make it primary, and then upgrade the former primary unit.

657
MCQeasy

An administrator wants to apply a safe search policy to enforce strict search results on Google, Bing, and Yahoo. Which security profile feature should be used?

A.Web filter safe search enforcement
B.Application control to block search engines
C.DNS filter to block search engine domains
D.Web filter URL filter with keyword blocking
AnswerA

Safe search is a built-in web filter feature that forces search engines to use strict filtering.

Why this answer

Web filter safe search enforcement is the correct feature because it directly integrates with search engines (Google, Bing, Yahoo) to force the use of their built-in safe search parameters (e.g., Google's 'safe=active' parameter appended to URLs). This ensures that explicit content is filtered at the source, regardless of the user's browser settings or search engine choice.

Exam trap

The trap here is that candidates may confuse 'blocking search engines' (application control or DNS filter) with 'enforcing safe search within search engines' (web filter safe search enforcement), leading them to select an option that prevents access rather than controlling content.

How to eliminate wrong answers

Option B is wrong because application control blocks or allows applications (e.g., blocking all search engine traffic), but it cannot enforce safe search parameters within allowed search engines. Option C is wrong because a DNS filter blocks entire domains (e.g., blocking google.com), which would prevent access to search engines entirely, not enforce safe search. Option D is wrong because a URL filter with keyword blocking can block specific URLs or keywords in the URL, but it cannot dynamically inject safe search parameters into search engine queries, which is required for strict safe search enforcement.

658
MCQeasy

An organization wants to use FortiToken for two-factor authentication on SSL VPN logins. Which authentication method must be enabled on the FortiGate to support this?

A.Two-factor authentication with FortiToken
B.RADIUS authentication
C.PKI authentication
D.LDAP authentication
AnswerA

This is the setting that enables token-based OTP.

Why this answer

FortiToken requires two-factor authentication. On FortiGate, this is configured by enabling 'Two-factor Authentication' under the user group or authentication settings, typically set to 'FortiToken' for token-based OTP.

659
Drag & Dropmedium

Drag and drop the steps to upgrade FortiGate firmware via the web interface into the correct order.



Why this order

Firmware upgrade requires uploading the image and confirming; the device reboots automatically.

660
MCQmedium

A FortiGate administrator wants to ensure that traffic from the 192.168.1.0/24 network to the internet is translated to a single public IP address using overload (PAT). Which NAT configuration should be used?

A.Policy-based NAT with a fixed port range
B.One-to-one NAT IP Pool
C.Virtual IP (VIP) with port forwarding
D.Central SNAT with a dynamic IP pool using overload
AnswerD

Central SNAT using an IP Pool with overload enables PAT for many-to-one translation.

Why this answer

IP Pool with Overload (PAT) allows many private IPs to be translated to a single public IP using port address translation. This is the most common configuration for internet access.

661
MCQmedium

Given the exhibit, a user in the internal network tries to SSH to a public server (203.0.113.10). What will happen and why?

A.The SSH connection will succeed because policy 1 allows all services before policy 2 is evaluated.
B.The SSH connection will succeed because policy 2 is evaluated first.
C.The SSH connection will be blocked because policy 2 explicitly denies SSH.
D.The SSH connection will be blocked because policy 1 does not include SSH service specifically.
AnswerA

Policy 1 matches all traffic from internal to wan1, so SSH is allowed before reaching the deny policy.

Why this answer

Policy 1 is an explicit accept rule with service ALL, so it matches every session from internal to wan1 before policy 2 is consulted. FortiGate evaluates firewall policies top to bottom and stops at the first match, so the SSH connection to 203.0.113.10 hits policy 1, which permits all services including SSH, and the connection succeeds without ever reaching policy 2. The deny only takes effect if it is moved above the broad accept.

Exam trap

The trap here is that candidates assume a deny rule later in the policy list will block traffic, forgetting that FortiGate uses first-match logic, so an earlier allow-all rule takes precedence.

How to eliminate wrong answers

Option B is wrong because policy 2 is not evaluated first; FortiGate evaluates policies in sequential order from top to bottom, so policy 1 is checked before policy 2. Option C is wrong because although policy 2 explicitly denies SSH, it is never reached due to the earlier match with policy 1. Option D is wrong because policy 1 does not need to include SSH specifically; it allows all services, which inherently includes SSH.
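The following is an added example, not part of the exam page: it recreates the exhibit's two policies in the CLI, applies the fix (moving the specific deny above the broad accept) and shows how to confirm which policy a session actually matched with the debug flow trace. Interface names, the policy IDs and the address object name are assumptions.

```fortios
# Added example (not from the exam page). Interface names, policy IDs and the
# address object "srv-203.0.113.10" are assumptions for illustration.
config firewall address
    edit "srv-203.0.113.10"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set name "internal-to-wan-all"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "deny-ssh-to-server"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "srv-203.0.113.10"
        set action deny
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
    # Evaluation is top-down, first match wins: as ordered above, policy 1
    # absorbs the SSH session and policy 2 is never consulted. Put the
    # specific deny ahead of the broad accept.
    move 2 before 1
end

# Confirm the match: the trace prints the id of the policy that accepted or
# denied the session. "show iprope" is the FortiOS 7.x switch; older releases
# use "diagnose debug flow show function-name enable".
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow filter port 22
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 10
# ... open an SSH connection to 203.0.113.10 from a host on "internal", then:
diagnose debug disable
diagnose debug reset
```

Always reset the debug filters afterwards; a forgotten flow trace on a busy unit is itself a support case.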

662
Multi-Selectmedium

An administrator wants to configure a DNS filter to block access to known malicious domains and also enforce safe search on search engines. Which THREE settings are required in the DNS filter profile? (Choose three.)

Select 3 answers
A.Add entries to the static domain blocklist
B.Select 'Redirect to safe search' for search engines
C.Configure a DNS sinkhole IP address
D.Specify external DNS servers for resolution
E.Enable DNS filtering based on FortiGuard categories
AnswersA, B, E

Custom blocklist allows blocking specific domains not in FortiGuard categories.

Why this answer

Options A, B, and E are correct. FortiGuard category-based DNS filtering (E) blocks lookups for domains rated malicious or phishing; 'Redirect to safe search' (B) answers search-engine lookups with the provider's safe-search addresses; and a static domain filter list (A) blocks specific domains that FortiGuard does not rate.

Option C (a sinkhole or block-portal address to return for blocked lookups) is optional; the default block response works without it. Option D is not part of the profile: the resolvers the FortiGate itself uses are configured under the system DNS settings, and the profile inspects client DNS traffic passing through a policy regardless of which resolver the client asked.
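An added example, not from the exam page, showing the three required settings in one DNS filter profile and the policy binding without which the profile does nothing. The profile, list and interface names are assumptions, and so are the FortiGuard category IDs (check them with 'get webfilter categories' on your own unit).

```fortios
# Added example (not from the exam page). Names and category IDs are
# assumptions; confirm IDs with "get webfilter categories".
config dnsfilter domain-filter
    edit 1
        set name "corp-dns-blocklist"
        config entries
            edit 1
                set domain "malware-drop.example"
                set type simple
                set action block
                set status enable
            next
        end
    next
end
config dnsfilter profile
    edit "guest-dns"
        set comment "block malicious domains, enforce safe search"
        config domain-filter
            set domain-filter-table 1          # option A: static blocklist
        end
        config ftgd-dns
            config filters
                edit 1
                    set category 26            # option E: Malicious Websites (assumed ID)
                    set action block
                    set log enable
                next
                edit 2
                    set category 61            # Phishing (assumed ID)
                    set action block
                    set log enable
                next
            end
        end
        set safe-search enable                 # option B: safe search on Google/Bing/YouTube
        set youtube-restrict strict
        set block-botnet enable                # botnet C&C domains, also FortiGuard-fed
    next
end
# A profile only acts when a policy with UTM enabled references it.
config firewall policy
    edit 30
        set name "guest-to-internet"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set utm-status enable
        set dnsfilter-profile "guest-dns"
        set nat enable
    next
end
```

The profile inspects plain DNS on port 53 passing through the policy. Clients that resolve over DNS-over-HTTPS or DNS-over-TLS bypass it entirely, so block those separately (application control or web filter) if the goal is enforcement rather than best effort.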

663
MCQhard

An administrator configures a policy route to send all traffic from a specific subnet to a different next-hop. However, traffic from that subnet is still using the default route. Which configuration could be causing this?

A.The firewall policy denies the traffic before policy routing
B.The policy route is applied to the wrong incoming interface
C.The default route has a higher administrative distance
D.The policy route destination is set to all
AnswerB

If the source interface does not match the incoming interface of the traffic, the policy route will not apply.

Why this answer

Policy routes are evaluated based on the incoming interface of the traffic. If the policy route is applied to the wrong incoming interface, traffic from the specified subnet arriving on a different interface will not match the policy and will instead follow the default route. This is a common misconfiguration where the administrator assumes the policy applies globally rather than per-interface.

Exam trap

The trap here is that candidates often assume policy routes apply globally to all traffic matching the source/destination, forgetting that FortiGate requires the incoming interface to be explicitly specified for policy routes to be evaluated.

How to eliminate wrong answers

Option A is wrong because FortiGate performs the routing lookup, policy routes first and then the routing table, before the firewall policy lookup; a denying firewall policy drops the traffic, it does not push it back onto the default route. Option C is wrong because a higher administrative distance makes a route less preferred, and in any case policy routes are consulted before the routing table, so distance cannot explain why the policy route is skipped. Option D is wrong because a destination of 'all' makes the policy route match more traffic, not less; the mismatch has to be in a matching criterion such as the incoming interface, source address or protocol.
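An added example (not from the exam page) of the misconfiguration and its fix: the same policy route bound to the wrong and then the right incoming interface, plus the commands used to see what the unit actually installed. Interface names, the subnet and the gateway address are assumptions.

```fortios
# Added example (not from the exam page). port1/port2/port3, 10.10.20.0/24
# and 198.51.100.1 are assumptions.

# Broken: users in 10.10.20.0/24 arrive on port3, but the route is bound to
# port1, so it is never evaluated and the traffic follows the default route.
config router policy
    edit 1
        set input-device "port1"
        set src "10.10.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 198.51.100.1
        set output-device "port2"
    next
end

# Fixed: bind the route to the interface the traffic really enters on.
config router policy
    edit 1
        set input-device "port3"
    next
end

# Check what is installed and, separately, what the default route is.
diagnose firewall proute list
get router info routing-table all

# Prove a live session takes the policy route: the flow trace prints a
# "policy routing" match line with the route id and gateway.
diagnose debug flow filter saddr 10.10.20.0 10.10.20.255
diagnose debug enable
diagnose debug flow trace start 5
# ... send traffic from the subnet, then:
diagnose debug disable
diagnose debug reset
```

Two more things to confirm before blaming the incoming interface: the gateway must be reachable through the output device (the route is ignored otherwise), and policy routes are matched in order, so an earlier, broader entry can shadow the one you are debugging.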

664
MCQeasy

A FortiGate administrator needs to capture packets on interface port2 for 10 seconds to diagnose a connectivity issue. Which command should the administrator use?

A.diagnose sys session list port2 10
B.diagnose sniffer packet port2 '' 4 10
C.diagnose debug flow port2 10
D.execute sniffer port2 10
AnswerB

This is the packet-capture command. Verbosity 4 prints packet headers with the interface name, and the trailing 10 is a packet count: the capture stops after 10 packets, not after 10 seconds.

Why this answer

The syntax is 'diagnose sniffer packet <interface> '<filter>' <verbosity> <count> <tsformat>'. In option B, '' is an empty filter (all traffic on port2), 4 prints headers with the interface name, and 10 limits the capture to 10 packets; there is no duration argument, so for a time-bounded capture use a count of 0 and stop it with Ctrl+C after the period you want. Verbosity levels 1 to 3 print the header only, header plus IP payload, and header plus Ethernet frame; levels 4 to 6 are the same three with the interface name added, and level 6 is what an offline pcap conversion needs. Options A, C and D are not valid commands.

665
MCQmedium

An administrator runs the following CLI command and sees the output: 'diagnose sys session list | grep -A 5 10.1.1.100' and finds a session with 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A.The session is about to expire
B.The session has been active for approximately 1 second
C.The session has been active for 3600 seconds
D.The session is using UDP protocol
AnswerC

'duration' is the session's age in seconds; 'expire' is the seconds left before the entry is removed.

Why this answer

In 'diagnose sys session list' output, duration counts up from the moment the session was created, while expire counts down from the configured TTL (shown as 'timeout=') and is reset to the full TTL by every packet the session sees. duration=3600 with expire=3599 therefore describes a TCP session (proto=6; proto_state=01 is an established TCP session) that has existed for an hour and received traffic about a second ago. Subtracting expire from duration has no meaning, so option B is wrong; option A is wrong because the entry has almost its entire TTL left; option D is wrong because proto=6 is TCP, not UDP (proto=17).
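An added example (not from the exam page) that puts the two commands from questions 664 and 665 together into the diagnostic sequence a practitioner would actually type: a filtered packet capture on port2, then a filtered session-table view for the same host, then cleanup. The host address and interface are assumptions.

```fortios
# Added example (not from the exam page). port2 and 10.1.1.100 are assumptions.

# 1. Packet capture. Arguments: interface, filter (tcpdump-style), verbosity,
#    packet count, timestamp format. Count is packets, not seconds.
diagnose sniffer packet port2 'host 10.1.1.100 and tcp port 22' 4 10

# Unbounded capture (count 0) at verbosity 6 with absolute timestamps ("a");
# level 6 includes the full Ethernet frame in hex, which is what the offline
# pcap converter needs. Stop it with Ctrl+C.
diagnose sniffer packet port2 'host 10.1.1.100' 6 0 a

# 2. Session table. Always start from a clean filter, narrow the view, list,
#    then clear again so the next person does not inherit your filter.
diagnose sys session filter clear
diagnose sys session filter src 10.1.1.100
diagnose sys session filter proto 6
diagnose sys session list
# In each entry read:
#   duration=  seconds since the session was created (counts up)
#   expire=    seconds until removal if no more packets arrive (counts down)
#   timeout=   the TTL that expire is reset to on every packet
#   proto=6    TCP (17 is UDP); proto_state=01 is an established TCP session
diagnose sys session filter clear

# 3. If a stale entry is the problem (for example after a NAT change), remove
#    only the filtered sessions, never the whole table on a production unit.
diagnose sys session filter src 10.1.1.100
diagnose sys session clear
diagnose sys session filter clear
```

'diagnose sys session clear' without a filter flushes every session on the unit; the filter lines before it are not optional.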

666
MCQhard

An administrator runs 'diagnose ips anomaly list' and sees the following output: List of anomaly events: ID: 1, Type: tcp_syn_flood, Status: triggered, Count: 1500, Threshold: 1000 What does this indicate?

A.The IPS anomaly sensor is configured to block all TCP traffic.
B.The FortiGate has detected a single TCP SYN packet and is logging it.
C.The FortiGate is experiencing a TCP SYN flood attack and has triggered rate-based detection.
D.The FortiGate is performing a TCP SYN flood attack.
AnswerC

The output shows an anomaly event of type tcp_syn_flood whose status is triggered: the SYN rate (1500) exceeded the configured threshold (1000, in packets per second for this anomaly) within the detection window, so rate-based detection fired. Whether the excess is dropped depends on the action (pass or block) in the matching DoS policy; a triggered status alone does not prove the flood is being mitigated, and a short burst from a legitimate scanner or load test can trigger it too, so check the source addresses before escalating.
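An added example (not from the exam page) of the DoS policy that produces the anomaly in the exhibit, with the threshold from the question and logging enabled so the trigger is visible in the event log as well as in 'diagnose ips anomaly list'. The interface and policy name are assumptions.

```fortios
# Added example (not from the exam page). "wan1" and the policy name are
# assumptions; the 1000 threshold matches the exhibit.
config firewall DoS-policy
    edit 1
        set name "wan1-dos"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block        # drop SYNs above the rate, not all TCP
                set threshold 1000      # SYN packets per second
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action pass         # start in monitor mode, tune, then block
                set threshold 1000
            next
        end
    next
end

# Inspect the anomaly counters and the policy hit counts.
diagnose ips anomaly list
diagnose ips anomaly status
```

DoS policies are evaluated before firewall policies, per interface, with the anomaly thresholds counted per destination (for flood anomalies) rather than per source; set the threshold from measured peak traffic plus margin rather than from a guess, and run new anomalies with action pass first so a mis-sized threshold shows up in the log instead of as an outage.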

667
MCQmedium

A FortiGate administrator wants to ensure that traffic from the internal network to an external FTP server uses a specific source IP address (203.0.113.10). The internal network uses RFC 1918 addresses. Which NAT configuration should be used?

A.Policy-based NAT using an IP pool set to 'Fixed Port Range'
B.Virtual IP (VIP) mapping the internal server to 203.0.113.10
C.Central SNAT with dynamic IP pool
D.Policy-based NAT using an IP pool with type 'Overload' and the IP address 203.0.113.10
AnswerD

An IP pool with type 'Overload' (PAT) using a single IP will translate all matching sessions to that IP address. This meets the requirement.

Why this answer

Option D is correct because policy-based NAT with an IP pool type 'Overload' (PAT) allows multiple internal hosts to share the single public IP 203.0.113.10 for outbound traffic. This meets the requirement to translate RFC 1918 source addresses to a specific source IP when accessing an external FTP server, while preserving port multiplexing.

Exam trap

The trap here is confusing VIP (inbound destination NAT) with source NAT (SNAT), leading candidates to select Option B, even though the requirement is for outbound traffic from internal clients to use a specific source IP.

How to eliminate wrong answers

Option A is wrong because a 'Fixed Port Range' pool maps a range of internal addresses onto a range of external addresses with a deterministic block of source ports per client (useful for traceability), not for funnelling a whole subnet onto one address. Option B is wrong because a Virtual IP is destination NAT for inbound connections (port forwarding to an internal server), not source NAT for outbound client traffic. Option C is wrong as written because it names no address: a central SNAT map with a single-address overload pool would also satisfy the requirement, but a generic dynamic pool does not guarantee that 203.0.113.10 is the source the FTP server sees. Note also that FTP needs the FTP session helper (enabled by default) or a proxy-based profile so the data connection is translated consistently with the control connection.
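An added example, not from the exam page, serving both question 660 (central SNAT) and question 667 (policy-based NAT): the same single-address overload pool bound first through a firewall policy and then through a central SNAT map, followed by the session-table check that proves the translation. Interface names, address objects and policy IDs are assumptions.

```fortios
# Added example (not from the exam page). "internal", "wan1", the address
# objects and policy IDs are assumptions; 203.0.113.10 is the required source.
config firewall ippool
    edit "snat-203.0.113.10"
        set type overload               # PAT: many private sources, one public IP
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Variant 1: policy-based NAT (central NAT disabled, the default).
# The pool is chosen inside the policy that accepts the traffic.
config firewall policy
    edit 10
        set name "internal-to-ftp"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal-net"
        set dstaddr "ftp-server"
        set action accept
        set schedule "always"
        set service "FTP"
        set nat enable
        set ippool enable
        set poolname "snat-203.0.113.10"
    next
end

# Variant 2: central SNAT. The policy only decides accept/deny; the translation
# lives in the central SNAT table. FortiOS refuses to switch central NAT on while
# policies with NAT enabled exist, so on a live unit remove "set nat enable"
# from variant 1 first (or do this on a fresh VDOM).
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "internal-net"
        set dst-addr "ftp-server"
        set nat-ippool "snat-203.0.113.10"
    next
end

# Verify: the FTP control session must carry an "act=snat" entry whose
# translated address is 203.0.113.10, not the wan1 interface address.
diagnose sys session filter clear
diagnose sys session filter dport 21
diagnose sys session list
diagnose sys session filter clear
```

If the translated address in the session is the wan1 interface IP rather than 203.0.113.10, the pool is defined but not bound: in variant 1 check 'ippool enable' and 'poolname' on the policy that actually matches, in variant 2 check that the central SNAT entry's interfaces and addresses cover the session.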

668
MCQeasy

An administrator wants to restrict SSL VPN access to only users who have a valid client certificate issued by the company's internal CA. Which setting should be configured?

A.Configure a firewall policy with identity-based authentication
B.Enable 'certificate-based authentication' in the user group
C.Enable 'require client certificate' in the SSL VPN settings
D.Import the users' public keys into the FortiGate
AnswerC

This setting forces the client to provide a certificate during SSL handshake.

Why this answer

In SSL VPN, client certificate authentication is enabled with 'Require Client Certificate' ('set reqclientcert enable' under 'config vpn ssl settings'). The FortiGate then demands a certificate in the TLS handshake and validates it against the CA certificates it trusts; to restrict access to certificates from the internal CA specifically, define a PKI (peer) user bound to that CA and reference it from the SSL VPN authentication rule. Importing individual public keys (option D) is not how FortiGate validates client certificates.
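An added example (not from the exam page) of the complete chain: the imported internal CA, a PKI peer user bound to it, a group holding that peer, and the SSL VPN settings that both require a client certificate and tie the portal to that CA. The CA certificate name, peer, group and portal names are assumptions.

```fortios
# Added example (not from the exam page). "corp-internal-ca" is assumed to be
# the name of the CA certificate already imported under System > Certificates;
# the peer, group and portal names are assumptions too.
config user peer
    edit "corp-cert-users"
        set ca "corp-internal-ca"      # only certs chained to this CA match
    next
end
config user group
    edit "sslvpn-cert-users"
        set member "corp-cert-users"
    next
end
config vpn ssl settings
    set reqclientcert enable           # TLS handshake fails without a client cert
    config authentication-rule
        edit 1
            set groups "sslvpn-cert-users"
            set portal "full-access"
            set client-cert enable
            set user-peer "corp-cert-users"
        next
    end
end
```

'reqclientcert' on its own accepts any certificate chained to any CA the unit trusts; the peer user's 'ca' binding is what narrows it to the company CA, and adding 'set subject' (a CN or OU substring) on the peer narrows it further to a specific population. Keep a revocation path (CRL or OCSP on the peer) or a stolen laptop's certificate stays valid until it expires.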

669
MCQmedium

An administrator creates a firewall policy with a traffic shaper to limit bandwidth for guest wireless users. After applying the policy, users can still consume high bandwidth. The administrator confirms the policy is matching. What is the MOST likely reason the traffic shaper is not effective?

A.The traffic shaper's maximum bandwidth is set too high
B.The traffic shaper is applied to the wrong direction (egress vs ingress)
C.The traffic shaper is configured but not applied to the policy's 'Traffic Shaper' field
D.The traffic shaper is a per-IP shaper but the policy applies to a subnet
AnswerC

Defining a shaper only creates an object; it takes effect when something binds it to traffic, in FortiOS 6.0 and later a traffic shaping policy (or, in the CLI, the firewall policy's 'traffic-shaper', 'traffic-shaper-reverse' and 'per-ip-shaper' fields). With nothing bound, the policy still matches but no shaping occurs.

Why this answer

Option C is correct because a shaper object is inert until a policy references it. Simply creating and tuning the shaper is not enough; the shaping policy (or the firewall policy's shaper field) is the link between the shaper and the matched traffic, and without that link the limit is never enforced even though the firewall policy matches.

Exam trap

The trap here is that candidates assume creating a traffic shaper automatically applies it to all matching traffic, but FortiGate requires explicit assignment in the firewall policy's shaper field to enforce the limit.

How to eliminate wrong answers

Option A is wrong because a generous maximum still caps bandwidth, just at a higher value; it would not leave the traffic entirely unshaped. Option B is less likely than C because the forward and reverse shapers are separate fields ('traffic-shaper' and 'traffic-shaper-reverse'); forgetting one direction leaves downloads or uploads unshaped, a partial rather than a total failure, and it is the next thing to check once the shaper is confirmed to be bound at all. Option D is wrong because a per-IP shaper on a subnet is a valid and common configuration that limits each client address individually; it does not disable shaping.
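An added example (not from the exam page) showing the shaper objects, the shaping policy that binds them in both directions, and the counters that tell you whether shaping is happening. Shaper names, bandwidth values and interface names are assumptions.

```fortios
# Added example (not from the exam page). Names, interfaces and the kbps values
# are assumptions.
config firewall shaper traffic-shaper
    edit "guest-5m"
        set maximum-bandwidth 5000        # kbps, shared by all guest traffic
        set guaranteed-bandwidth 1000
        set per-policy enable             # a separate 5 Mbit/s bucket per policy
    next
end
config firewall shaper per-ip-shaper
    edit "guest-per-ip-1m"
        set max-bandwidth 1000            # kbps per client address
    next
end

# The objects above shape nothing on their own. This is the binding that the
# question's administrator forgot. Both directions must be named: for guests
# the download is the reverse direction of the policy.
config firewall shaping-policy
    edit 1
        set name "guest-wifi-shaping"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set traffic-shaper "guest-5m"
        set traffic-shaper-reverse "guest-5m"
        set per-ip-shaper "guest-per-ip-1m"
    next
end

# Verify: the listings show each shaper's current rate, drops and the policies
# referencing it. A shaper with no referencing policy and zero packets is the
# "defined but not applied" symptom.
diagnose firewall shaper traffic-shaper list
diagnose firewall shaper per-ip-shaper list
```

The shaping policy matches independently of the firewall policy (same source/destination/service semantics), so its interfaces and addresses must cover the same traffic the accepting firewall policy does; a shaping policy scoped to the wrong interface pair is the second most common reason a shaper "does nothing".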

670
MCQmedium

Which of the following best describes the difference between flow-based and proxy-based inspection for antivirus scanning?

A.Flow-based inspection reassembles the entire file before scanning, while proxy-based scans packets on the fly
B.Flow-based inspection scans first packet and allows, while proxy-based buffers the entire session
C.Flow-based inspection requires SSL deep inspection, while proxy-based does not
D.Flow-based inspection uses pattern matching and anomaly detection with low latency, while proxy-based provides full content reassembly and higher detection rates
AnswerD

Why this answer

Flow-based antivirus scans the stream as packets pass through, using pattern matching and anomaly detection with low latency, but it can only begin blocking from the point at which a signature matches, so some bytes may already have reached the client. Proxy-based inspection buffers the content, reassembles the full file and scans it before releasing it, which costs latency and memory but yields higher detection and enables proxy-only features such as content disarm. Both modes work with SSL deep inspection; neither requires it.

671
MCQeasy

A network administrator wants to prevent users from accessing known malicious websites using FortiGate. Which security profile should be applied to the firewall policy to achieve this goal?

A.Antivirus profile
B.Application control profile
C.IPS profile
D.Web filtering profile
AnswerD

Web filtering profiles control web access using FortiGuard categories and static URL filters; a site rated malicious or phishing by FortiGuard is blocked by category.

Why this answer

Web filtering profiles allow administrators to control access to websites based on FortiGuard categories and URL filtering. DNS filtering is a separate profile type that blocks at name-resolution time and is often applied alongside it; antivirus, application control and IPS address files, applications and exploits rather than the destination site.

672
MCQmedium

An organization needs to restrict internet access for employees to business hours only (Monday to Friday, 8:00 to 18:00). Which object should the admin use in the firewall policy?

A.A schedule object with recurring time
B.A time-range object
C.An on-time schedule
D.A calendar object
AnswerA

Schedule objects can be one-time or recurring; recurring fits this requirement.

Why this answer

Schedule objects define time ranges. The admin should create a recurring schedule for weekdays during business hours and apply it to the policy.
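An added example, not from the exam page, of the recurring schedule from the question bound to a policy, including the setting that ends sessions at 18:00 rather than letting them run on. The policy, interface and address names are assumptions.

```fortios
# Added example (not from the exam page). Policy ID, interfaces and the
# "employee-net" address object are assumptions.
config firewall schedule recurring
    edit "business-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end
config firewall policy
    edit 20
        set name "employee-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "employee-net"
        set dstaddr "all"
        set action accept
        set schedule "business-hours"
        set schedule-timeout enable     # tear down open sessions when the window closes
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
end
```

Without 'schedule-timeout', a session opened at 17:59 keeps flowing until its own TTL expires, which for a long download or a persistent connection can be well past 18:00. The schedule is evaluated against the FortiGate's clock, so the timezone and NTP settings are part of this control.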

673
MCQmedium

A FortiGate is operating in transparent mode. The administrator needs to configure a new VLAN interface for segmenting traffic. Which statement about VLAN interfaces in transparent mode is correct?

A.VLAN interfaces require IP addresses and act as routed interfaces in transparent mode.
B.VLAN interfaces can be created on physical interfaces and are layer-2 only, requiring no IP addresses for traffic forwarding.
C.VLAN interfaces can only be created on physical interfaces, and each VLAN requires a separate IP address in the management VDOM.
D.VLAN interfaces are not supported in transparent mode; the administrator must switch to NAT/Route mode.
AnswerB

Why this answer

In transparent mode, FortiGate acts as a layer-2 bridge, forwarding traffic based on MAC addresses. VLAN interfaces can be created on physical interfaces to segment traffic at layer 2, and they do not require IP addresses for forwarding; the only address in the VDOM is the management IP. When several VLANs share a transparent-mode VDOM, put the interfaces that should bridge to each other in the same forwarding domain ('set forward-domain') so that broadcasts stay inside their own segment instead of being flooded to every interface.

Exam trap

The trap here is that candidates often assume VLAN interfaces always require IP addresses for operation, confusing transparent mode's layer-2 behavior with NAT/Route mode's layer-3 routing requirements.

How to eliminate wrong answers

Option A is wrong because VLAN interfaces in transparent mode are layer-2 only and do not require IP addresses for traffic forwarding; they are not routed interfaces. Option C is wrong because VLAN interfaces do not require a separate IP address in the management VDOM; IP addresses are optional and only for management. Option D is wrong because VLAN interfaces are fully supported in transparent mode; the administrator does not need to switch to NAT/Route mode.
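An added example (not from the exam page): a transparent-mode VDOM with one VLAN bridged between two physical ports, isolated from the untagged traffic by its own forwarding domain, and the firewall policy that must still exist for frames to cross. The management IP, port names and VLAN ID are assumptions.

```fortios
# Added example (not from the exam page). 10.0.0.5/24, port1/port2 and VLAN 10
# are assumptions. Switching opmode is disruptive; do it in a lab or a
# dedicated VDOM.
config system settings
    set opmode transparent
    set manageip 10.0.0.5/24       # the only IP in the VDOM, for management
end

# VLAN 10 on both sides of the bridge. No IP address on either interface.
# Both sit in forwarding domain 10 so their broadcasts never reach the
# untagged ports (which stay in the default domain 0).
config system interface
    edit "vlan10-in"
        set vdom "root"
        set interface "port1"
        set vlanid 10
        set forward-domain 10
    next
    edit "vlan10-out"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set forward-domain 10
    next
end

# Transparent mode still enforces policy: without this, VLAN 10 frames are
# dropped by the implicit deny.
config firewall policy
    edit 40
        set name "vlan10-bridge"
        set srcintf "vlan10-in"
        set dstintf "vlan10-out"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Mismatched forwarding domains on the two VLAN interfaces produce the classic transparent-mode symptom of "ARP works one way and nothing else does"; check 'forward-domain' on both ends before looking at the policy.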

674
MCQeasy

A FortiGate administrator wants to configure a captive portal to authenticate users before granting network access. Which authentication method is used by the captive portal?

A.Form-based authentication
B.IPsec pre-shared key authentication
C.X.509 certificate authentication
D.NTLM authentication
AnswerA

Captive portal presents a web form for user credentials.

Why this answer

Captive portal uses form-based authentication: the user's first web request is redirected to a login page served by the FortiGate, the credentials entered there are checked against the local user database or a remote server such as LDAP or RADIUS, and the client's IP is then associated with the authenticated user for the firewall policy. It does not use NTLM or machine authentication by default.

675
MCQeasy

A FortiGate administrator wants to enforce two-factor authentication for SSL VPN users. The organization uses FortiToken mobile tokens. What must be configured on the FortiGate to enable FortiToken authentication?

A.In the user group configuration, enable two-factor authentication and select 'FortiToken'
B.Configure a RADIUS server to forward FortiToken requests
C.Set the SSL VPN portal to require client certificates
D.Install the FortiToken mobile app on the FortiGate
AnswerA

Two-factor authentication is switched on for the users (with FortiToken as the method), and the SSL VPN authentication rule points at a group containing those users.

Why this answer

Option A is the key. In the CLI the setting actually lives on the user object rather than the group: 'config user local', then 'set two-factor fortitoken' and 'set fortitoken <serial>' for each user, after which the group that the SSL VPN authentication rule references only needs to contain those users. A RADIUS server (option B) is needed only when the tokens are hosted on FortiAuthenticator rather than on the FortiGate itself; client certificates (option C) are a different second factor; the FortiToken Mobile app runs on the user's phone, not on the FortiGate (option D).
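An added example, not from the exam page, serving both question 658 and this one: two users with FortiToken as their second factor, one authenticated locally and one against LDAP, placed in the group the SSL VPN authentication rule references. The user names, LDAP server name, token serial and password are placeholders.

```fortios
# Added example (not from the exam page). "alice", "bob", "corp-ldap", the
# token serials and the password are placeholders; real FortiToken Mobile
# serials come from the licence and appear under User & Authentication >
# FortiTokens once the licence is activated.
config user local
    # Local password plus OTP.
    edit "alice"
        set type password
        set passwd "replace-me-at-provisioning"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
    next
    # Password verified by LDAP, OTP still checked on the FortiGate.
    edit "bob"
        set type ldap
        set ldap-server "corp-ldap"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000002"
    next
end
config user group
    edit "sslvpn-users"
        set member "alice" "bob"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
```

The second factor is enforced because the user objects carry it, not because of anything on the group; a group that also contains a plain LDAP group object (rather than individual users defined as above) lets those members in with password only. Review group membership with that in mind when the requirement is "all SSL VPN users".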
