CCNA Authentication and VPN Questions

75 of 186 questions · Page 1/3 · Authentication and VPN · Answers revealed

1
MCQmedium

A FortiGate with multiple VDOMs is configured for FSSO with Active Directory polling. Users in VDOM1 are authenticated correctly, but users in VDOM2 are not. What should be checked FIRST?

A.The DNS resolution for the domain controller in VDOM2
B.The firewall policy ordering in VDOM2
C.The FSSO collector agent settings for VDOM2
D.The LDAP server configuration in VDOM2
AnswerC

Each VDOM needs its own FSSO collector agent configuration to poll AD.

Why this answer

FSSO collector agents must be configured per VDOM. If VDOM2 does not have a collector agent or the poll interval is not set, user authentication will fail.

2
MCQhard

An administrator is troubleshooting an IPsec VPN that fails to establish Phase 2. The Phase 1 is up. The administrator runs 'diagnose vpn ike log' and sees the message 'no matching phase2 proposal found'. What is the MOST likely cause?

A.Pre-shared key mismatch
B.IKE version mismatch (IKEv1 vs IKEv2)
C.Phase 1 encryption algorithm mismatch
D.Phase 2 proxy ID mismatch
AnswerD

Phase 2 proposes the local and remote subnets; mismatch causes failure.

Why this answer

Phase 2 uses the proxy IDs (local/remote subnets) to match proposals. If the remote peer expects different subnets, Phase 2 will fail.

3
MCQhard

A FortiGate is configured in an HA active-passive cluster. When the active unit fails, the passive unit takes over, but IPsec VPN tunnels fail to re-establish. The configuration is synchronized. What is the most likely cause?

A.The pre-shared key is different on the two units.
B.The firewall policies for VPN traffic are not synchronized.
C.The HA heartbeat interface is down.
D.The IPsec VPN is using the physical interface IP instead of a virtual IP (VIP) or floating IP.
AnswerD

If the tunnel is bound to an address that stays with the failed unit, the peer keeps sending IKE and ESP to a dead endpoint. Binding it to an address that moves with the primary role keeps the tunnel alive across failover.

Why this answer

The standby unit can only carry on a tunnel if it has both the tunnel state and the address the peer is talking to. IPsec session synchronization gives it the state; terminating the tunnel on an address that follows the primary role (a VIP or floating IP, in the question's terms) gives it the address. If the tunnel is instead tied to an address that belongs to the failed unit, the new primary never sees the peer's traffic and the tunnel stays down until it is renegotiated.

Using virtual IP (VIP) or floating IPs for the VPN endpoint resolves this.

4
Multi-Selecthard

A company wants to implement SSL VPN split tunneling to allow remote users to access both internal resources and the internet directly. Which three configurations are required on the FortiGate?

Select 3 answers
A.Assign a public IP address to the SSL VPN interface
B.Configure a firewall policy allowing the SSL VPN interface to the internet interface with NAT enabled
C.Create a routing policy on the SSL VPN settings to define which subnets are tunneled
D.Configure a static route on the FortiGate to send all traffic through the SSL VPN tunnel
E.Set the SSL VPN tunnel mode client configuration to enable split tunneling
AnswersB, C, E

Split tunneling pushes only the listed internal subnets to the client; everything else leaves through the client's own default gateway.

Why this answer

Three pieces make up split tunneling: the portal's tunnel-mode client setting with split tunneling enabled (E), the routing address list that tells the client which subnets to send into the tunnel (C), and a firewall policy for traffic arriving on the SSL VPN interface (B, as listed in the answer). Be precise about what B covers: a policy from the SSL VPN interface to the internet interface with NAT only sees traffic whose destination falls inside the pushed routes. Destinations outside them leave the client directly and never reach the FortiGate, so in a strict split-tunnel setup that policy carries no traffic; it matters as soon as any internet-bound range is included in the tunnel routes. Option A is wrong because the SSL VPN listens on an existing interface address, and D is wrong because a static route on the FortiGate has no effect on the client's routing table.

5
MCQmedium

You run the following command on a FortiGate: diagnose vpn ike gateway list. The output shows a gateway with state=DOWN. What is the most likely cause?

A.The remote peer is not reachable or is blocking IKE traffic
B.The pre-shared key is correct but expired
C.The IPsec Phase 2 parameters are mismatched
D.The local certificate is not trusted by the remote peer
AnswerA

If the remote peer is unreachable, IKE cannot establish. Check connectivity and firewall rules.

Why this answer

State=DOWN means no IKE SA exists with that peer. A wrong PSK also leaves the gateway down, but the first thing to rule out is reachability: no route to the peer, or a device on the path dropping UDP 500/4500. 'diagnose debug application ike -1' shows whether anything is received from the peer at all; if nothing arrives, no amount of proposal or key checking will help.

6
MCQhard

A company has a FortiGate at headquarters running FortiOS 7.2 and a remote office with a FortiGate 60F running FortiOS 7.0. They have an IPsec VPN tunnel between them for site-to-site connectivity. Recently, the remote office upgraded their FortiGate from 6.4 to 7.0. After the upgrade, the VPN tunnel is down. The Phase 1 status shows 'negotiating' but never completes. The administrator has verified that the pre-shared key, IKE version (IKEv2), and authentication method are the same on both sides. The Phase 1 proposal on the headquarters is: encryption: AES256, SHA256, DH group 14, lifetime 86400. The remote office uses: encryption: AES256, SHA1, DH group 14, lifetime 86400. What is the most likely cause of the failure?

A.The DH group is different; headquarters uses group 14, remote uses group 5.
B.The Phase 1 hash algorithm differs; headquarters uses SHA256, remote uses SHA1.
C.The IKE version is mismatched; headquarters uses IKEv2 and remote uses IKEv1.
D.The pre-shared key is incorrect after the upgrade.
AnswerB

Hash algorithm must match.

Why this answer

In IKEv2 the 'hash' in the FortiGate proposal is the integrity and PRF algorithm. The responder accepts an offered proposal only if its encryption, integrity/PRF and DH group all match one of its own; SHA256 versus SHA1 is enough to reject every proposal even though AES256 and group 14 agree, so the IKE SA is never built.

The 'negotiating' state that never completes is a classic symptom of a proposal mismatch.

Exam trap

The trap here is that candidates assume all Phase 1 parameters are correct because the pre-shared key, IKE version, and authentication method match, overlooking the critical requirement that the hash algorithm must also be identical for the IKE SA to be established.

How to eliminate wrong answers

Option A is wrong because the DH group is explicitly stated as group 14 on both sides, so there is no mismatch. Option C is wrong because the administrator verified that IKEv2 is used on both sides, and the question states the IKE version is the same. Option D is wrong because the administrator has verified that the pre-shared key is the same after the upgrade, and an incorrect PSK would typically result in a different Phase 1 status (e.g., 'down' with authentication failures) rather than indefinite 'negotiating'.
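Question 6's Phase 1, written out as FortiOS CLI for both peers. This is an added example, not configuration taken from the page or from Fortinet's documentation; the interface name wan1, the peer addresses 198.51.100.10 (HQ) and 203.0.113.20 (branch) and the tunnel names are assumptions. It shows the branch as the question describes it (SHA1) and as it has to be to match HQ, and it includes the DPD settings that questions 11 and 36 rely on. Lines starting with # are comments and are ignored when the fragment is pasted into the CLI.

```fortios
# Headquarters (assumed: wan1 faces the internet, branch peer is 203.0.113.20)
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set remote-gw 203.0.113.20
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 86400
        set dpd on-idle
        set dpd-retryinterval 10
        set dpd-retrycount 3
        set psksecret <pre-shared-key>
    next
end

# Branch, as the question describes it: SHA1 here, SHA256 at HQ. Every IKEv2
# proposal the branch offers is rejected, so the SA never leaves "negotiating".
config vpn ipsec phase1-interface
    edit "to-hq"
        set proposal aes256-sha1
    next
end

# Branch, fixed: every element of the proposal identical to HQ (assumed HQ peer 198.51.100.10)
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set remote-gw 198.51.100.10
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 86400
        set dpd on-idle
        set dpd-retryinterval 10
        set dpd-retrycount 3
        set psksecret <pre-shared-key>
    next
end

# Verify on either side: gateway state, then the IKE daemon's view of the exchange
diagnose vpn ike gateway list
diagnose debug application ike -1
diagnose debug enable
# ... trigger traffic, read the output, then:
diagnose debug disable
```

Compare 'set proposal', 'set dhgrp' and 'set ike-version' line by line across the two peers; the FortiGate accepts a proposal only if every element matches one of its own, and the IKE debug on the responder says which offered proposal was rejected. 'aes256-sha1' appears above only to mirror the question; do not use SHA1 on new tunnels.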

7
MCQmedium

A company uses Active Directory for user authentication. They want users to automatically authenticate to the FortiGate without entering credentials when accessing the internet. Which authentication method should the administrator configure?

A.LDAP authentication with captive portal
B.RADIUS authentication with PAP
C.Local user authentication
D.FSSO with Active Directory polling
AnswerD

FSSO polls AD to get user logon events and provides transparent authentication.

Why this answer

FSSO (Fortinet Single Sign-On) polls Active Directory for user logon events and maps users to IP addresses, allowing transparent authentication without prompting for credentials.

8
MCQeasy

Which authentication server type can be used with FortiGate to authenticate remote VPN users with two-factor authentication using FortiTokens?

A.POP3
B.LDAP
C.RADIUS
D.TACACS+
AnswerC

FortiToken two-factor authentication is configured on the user object on the FortiGate; it works for local users and for users backed by a remote server, and a RADIUS server (such as FortiAuthenticator) can also validate the token itself.

Why this answer

Among the listed server types, RADIUS is the one that can carry the second factor: the FortiGate forwards the username and password (or password plus one-time code) to the RADIUS server, which validates the FortiToken. FortiToken can also be attached directly to local or remote-server users on the FortiGate, in which case the FortiGate validates the OTP itself; LDAP, POP3 and TACACS+ only validate the password.

9
MCQmedium

You have a hub-and-spoke IPsec VPN with 10 spokes. The central FortiGate (hub) has 10 phase2 selectors, one for each spoke. You need to add a new spoke. What is the MOST efficient way to configure the hub?

A.Configure a route-based VPN and use dynamic routing protocols to advertise routes
B.Add another phase2 selector for the new spoke
C.Replace all phase2 selectors with a single policy-based VPN
D.Use a single phase2 selector with 0.0.0.0/0.0.0.0 for all spokes
AnswerA

Route-based VPN with dynamic routing scales automatically as new spokes are added.

Why this answer

With a route-based VPN the hub does not need a Phase 2 selector per spoke: one dial-up Phase 1 with wildcard (0.0.0.0/0) selectors accepts every spoke, and a routing protocol such as BGP or OSPF running over the tunnel interfaces learns each spoke's prefixes as it comes up. Adding a spoke then means configuring only the spoke. Option D (the single wildcard selector) is part of that design but on its own leaves the hub to learn routes some other way; option B works but has to be repeated for every new spoke; option C is the least scalable, because a policy-based VPN ties each selector to a policy.

10
Multi-Selectmedium

A network admin is configuring a hub-and-spoke VPN with three spokes. Which TWO statements are correct about route-based VPN in this topology?

Select 2 answers
A.Each spoke must have a route-based VPN interface configured to the hub
B.A single firewall policy can control traffic to all spokes
C.BGP can be used to exchange routes between the hub and spokes
D.Aggressive mode must be enabled for the hub to accept multiple spokes
E.All spokes can share the same Phase 1 configuration
AnswersA, C

Route-based VPN terminates each tunnel on a virtual interface, and routes decide what goes into it.

Why this answer

Option A is correct: each spoke terminates a route-based (interface mode) tunnel on the hub, so each spoke needs its own tunnel interface pointing at the hub. Option C is correct: BGP over the tunnel interfaces is the usual way to exchange routes between hub and spokes.

Option B is wrong because each tunnel interface is a separate source or destination interface, so a single policy covers all spokes only if the tunnel interfaces are grouped in a zone. Option D is wrong because aggressive mode is an IKEv1 identification option for dynamic peers, not a requirement for multiple spokes. Option E is wrong because every statically addressed spoke is a separate Phase 1 on the hub; only a dial-up Phase 1 lets the hub serve several spokes from one configuration, and that is not what the question describes.

11
MCQhard

A company with multiple remote sites uses IPsec VPNs. One site reports intermittent connectivity. The administrator checks the logs and sees 'IPsec phase 2 negotiation failed' messages. Which configuration change is most likely to resolve the issue?

A.Enable Dead Peer Detection (DPD) on the Phase 1 interface.
B.Change the encryption algorithm from AES256 to 3DES.
C.Increase the Phase 2 lifetime.
D.Enable NAT traversal.
AnswerA

DPD detects peer failure and triggers renegotiation.

Why this answer

Intermittent failures of this kind usually mean the two peers disagree about which SAs exist: one side has dropped or rekeyed its Phase 2 SA (after a reboot, a WAN flap or an expiry) while the other still holds the old one and keeps encrypting into it, and the negotiation that follows fails until the stale state ages out. Dead Peer Detection on the Phase 1 interface sends keepalives and, when the peer stops answering, tears down the stale IKE and IPsec SAs immediately so that a clean renegotiation can start instead of waiting for the lifetime to run out.

Exam trap

The trap here is that candidates often mistake intermittent phase 2 failures for a cryptographic or NAT issue, but the real cause is typically a mismatch in SA state between peers, which DPD is specifically designed to detect and recover from.

How to eliminate wrong answers

Option B is wrong because changing the encryption algorithm from AES256 to 3DES would weaken security and does not address the root cause of intermittent phase 2 negotiation failures; the issue is not about algorithm strength or compatibility. Option C is wrong because increasing the Phase 2 lifetime would only delay the SA expiration, not prevent the mismatch that occurs when one peer's SA expires before the other's; it may even mask the problem temporarily. Option D is wrong because NAT traversal is used to allow IPsec traffic to pass through NAT devices, and the problem described is intermittent connectivity due to SA state mismatch, not NAT-related packet drops.

12
MCQhard

During an SSL VPN tunnel mode connection, the client reports that they cannot access any internal resources, but the VPN connection is established. The FortiGate debug shows 'no matching policy'. The administrator has configured a policy allowing the SSL VPN interface to internal. What else must be configured?

A.Ensure the incoming interface of the policy is set to 'ssl.root' (or the SSL VPN interface)
B.Add the client's assigned IP to a local user group
C.Configure a static route on the FortiGate for the client's tunnel IP
D.Enable split tunneling on the SSL VPN portal
AnswerA

The policy must have the correct source interface to match traffic from the SSL VPN.

Why this answer

In SSL VPN tunnel mode the client receives an address from the tunnel IP pool and its traffic arrives on the virtual interface ssl.root (in VDOM root). The policy must name that interface as its source interface, normally with the tunnel pool as the source address; a policy whose source interface is the physical WAN port never matches, and the FortiGate logs 'no matching policy'. Option A is the fix.

13
MCQeasy

An admin needs to authenticate remote users connecting via SSL VPN. The users are in an Active Directory domain. Which authentication method should be configured on the FortiGate to allow users to log in with their domain credentials?

A.LDAP server
B.Local user database
C.RADIUS server
D.FSSO
AnswerA

LDAP is the standard protocol for authenticating against an AD domain.

Why this answer

LDAP is the protocol used to authenticate against Active Directory. FortiGate can query AD via LDAP to validate user credentials.

14
MCQeasy

Which authentication method allows FortiGate to authenticate users against an Active Directory domain without storing domain credentials locally?

A.FSSO polling
B.RADIUS authentication
C.LDAP authentication
D.Local user database
AnswerC

LDAP allows FortiGate to query the AD server for authentication without local storage.

Why this answer

LDAP authentication requires the FortiGate to contact the domain controller using the LDAP protocol, verifying credentials without storing them locally. Local users store credentials on the FortiGate itself.

15
MCQhard

A FortiGate is configured with FSSO using a DC agent. Users authenticate to the domain, but the firewall policy using FSSO groups is not matching traffic. The admin runs 'diagnose debug authd fsso list' and sees user entries. However, the traffic is being denied by the default deny policy. What is the most likely issue?

A.The FSSO session timeout is too short
B.The session was established before the user logged in and is not updated with the user identity
C.The firewall policy has the wrong schedule applied
D.The user is not a member of the correct FSSO group in Active Directory
AnswerB

FSSO only applies to new sessions after the user is identified. Existing sessions do not acquire the user identity unless re-matched or the session table is cleared.

Why this answer

FSSO collects user login events but does not automatically update existing sessions. If a session was established before the user logged in (or before FSSO learned the user), the session will not be associated with the user until the session is refreshed or re-established. The default deny policy catches unmatched traffic.

16
Multi-Selectmedium

An administrator needs to configure a hub-and-spoke IPsec VPN topology. Which TWO settings must be configured on the hub FortiGate to allow spokes to communicate with each other through the hub?

Select 2 answers
A.Enable NAT on the hub's tunnel interface.
B.Set Phase 2 selectors to 0.0.0.0/0 on the hub's side.
C.Configure the hub as a DNS server for the spokes.
D.Configure IKEv2 instead of IKEv1 on all tunnels.
E.Create firewall policies on the hub that allow traffic between the spoke networks.
AnswersB, E

This allows traffic to any destination, including other spokes.

Why this answer

In hub-and-spoke, to allow spoke-to-spoke traffic via the hub, the hub must have Phase 2 selectors that cover the spoke subnets (0.0.0.0/0.0.0.0 or specific ranges) and firewall policies that permit traffic between the spoke tunnel interfaces. Option B (Phase 2 with 0.0.0.0/0) lets any destination through the selectors, and Option E (firewall policies allowing inter-spoke traffic) enables forwarding. NAT, DNS and the IKE version have no bearing on whether the hub forwards between spokes.

17
MCQmedium

A company wants to use captive portal authentication on a guest Wi-Fi network. The FortiGate is connected to the switchport of the access point. Which firewall configuration is required to redirect unauthenticated users to the captive portal?

A.Set the 'Guest Management' feature in the FortiGate dashboard.
B.Create a policy with source interface 'guest', destination 'any', and action 'ACCEPT' with 'Authentication' set to 'Captive Portal'.
C.Configure a 'Landing Page' under SSL-VPN settings.
D.Enable 'Captive Portal' on the interface under System > Network > Interface.
AnswerB

This policy catches unauthenticated traffic and redirects to the captive portal.

Why this answer

Captive portal works by configuring a firewall policy that matches the user's traffic with 'Authentication' set to 'Captive Portal' or by enabling it directly on the interface. Typically, a policy with 'Security Mode' 'Captive Portal' forces redirect.

18
MCQmedium

An administrator needs to configure a site-to-site IPsec VPN where both sites have dynamic public IP addresses. Which IKE mode should be used?

A.IKEv2 without mode
B.Dial-up mode
C.Main mode
D.Aggressive mode
AnswerD

Aggressive mode carries the peer identity in its first message, so a responder can select the right pre-shared key for a peer whose IP address it cannot predict.

Why this answer

With IKEv1 main mode and pre-shared keys, the responder identifies the peer by source IP address in order to pick the PSK, which does not work when the address is dynamic. Aggressive mode sends the ID payload in the first exchange, so the responder can look up the PSK by identity instead. The cost is that the identity and the PSK-derived hash go over the wire unencrypted, which exposes a weak PSK to offline brute force; IKEv2 handles dynamic peers without that weakness and is the better choice where both ends support it, but among the options given, aggressive mode is the IKEv1 answer the question is after.

19
MCQmedium

A network administrator configured an IPsec VPN between two FortiGates. Phase 1 is up, but Phase 2 fails to establish. The diagnose output shows 'no matching proposal'. What is the MOST likely cause?

A.The firewall policy allowing the VPN traffic is missing
B.The Phase 2 encryption and authentication algorithms do not match between peers
C.The pre-shared keys do not match
D.The remote gateway IP address is incorrect
AnswerB

Phase 2 proposals must match on both sides for the tunnel to establish.

Why this answer

Phase 2 failure with 'no matching proposal' indicates that the Phase 2 parameters (such as encryption, authentication, or PFS) do not match between the two peers.

20
MCQeasy

What is the primary advantage of using IKEv2 over IKEv1 for IPsec VPN?

A.IKEv2 requires less CPU resources
B.IKEv2 provides built-in NAT traversal
C.IKEv2 supports MOBIKE to handle IP address changes
D.IKEv2 supports only certificate authentication
AnswerC

MOBIKE is unique to IKEv2 and allows the VPN to continue after IP change.

Why this answer

IKEv2 is more resilient to network changes and supports MOBIKE (Mobility and Multihoming), which allows the VPN to survive IP address changes during a session, e.g., when a mobile client switches from Wi-Fi to cellular.

21
Multi-Selectmedium

An administrator is troubleshooting an IPsec VPN between two FortiGates. Phase 1 is up but Phase 2 is down. The admin runs 'diagnose vpn ike log' and sees 'no matching proposal'. To resolve this issue, which TWO settings should be checked on both ends?

Select 2 answers
A.Phase 2 PFS (Perfect Forward Secrecy) group
B.Phase 1 authentication method
C.Phase 2 local and remote subnets
D.Phase 2 encryption algorithm (e.g., AES128, AES256)
E.Phase 1 encryption algorithm
AnswersA, D

PFS group must match; if one peer has PFS disabled and the other has it enabled, Phase 2 will fail.

Why this answer

Phase 2 parameters must match exactly, especially encryption algorithm and PFS settings. The proposal mismatch can also be caused by mismatched selectors (subnets), but the question asks for the two settings most directly related to the 'no matching proposal' error.

22
MCQmedium

An administrator configures a captive portal on the FortiGate to authenticate guest users via a local user database. Users can connect to the SSID, but after entering credentials on the captive portal, they are not redirected to the internet. What is the most likely missing configuration?

A.A firewall policy allowing traffic from the captive portal interface to the internet with the user group
B.The DNS server is not configured on the FortiGate
C.The captive portal timeout is set too low
D.The SSID is not configured with the captive portal security mode
AnswerA

After authentication, traffic must match a policy. If missing, traffic is dropped.

Why this answer

Captive portal requires a firewall policy that permits traffic from the interface where the captive portal is enabled to the destination (internet), with authentication enabled. Option A is correct because without a policy allowing the traffic, the authentication succeeds but traffic is blocked.

23
MCQmedium

A network administrator configures an IPsec VPN between two FortiGate devices. Phase 1 completes successfully, but Phase 2 fails to establish. The administrator runs 'diagnose vpn ike log' and sees the error 'proposal mismatch'. What is the MOST likely cause?

A.The IKE version is mismatched (IKEv1 vs IKEv2)
B.The pre-shared key is incorrect
C.The firewall policies are blocking IKE traffic on UDP port 500
D.The Phase 2 local and remote subnets do not match on both ends
AnswerD

Phase 2 proposal mismatch typically occurs when the subnets defined in the Phase 2 selectors or the encryption/authentication parameters do not match between the peers.

Why this answer

Option D is correct. A proposal mismatch in Phase 2 indicates that the Phase 2 selectors (local/remote subnets, protocol, port) or the SA proposal parameters (encryption, authentication, PFS) do not match between the two peers. Options A, B and C would all prevent Phase 1 from completing, and the question states that it did.

24
MCQmedium

You run 'diagnose debug application sslvpn -1' and see the following output: sslvpn: SSL VPN tunnel mode connection from 10.0.0.5:12345 to 192.168.1.100:443 sslvpn: User 'john' authenticated successfully sslvpn: Error: no matching policy for the request. What does this indicate?

A.There is no SSL VPN policy that allows the user to access the destination IP/port
B.The user's password has expired
C.The SSL VPN interface is administratively down
D.The FortiGate is not licensed for SSL VPN
AnswerA

The error 'no matching policy' indicates missing access policy for the destination.

Why this answer

The user authenticated, but no firewall policy matched the traffic once it entered the tunnel. In tunnel mode the SSL VPN 'policies' are ordinary firewall policies whose source interface is ssl.root and whose source address is the tunnel IP pool; the FortiGate evaluates them per destination after authentication, and traffic to a destination or port that no policy covers is dropped with this message.

25
MCQhard

A FortiGate administrator is configuring ZTNA to secure access to an internal application. The administrator creates a ZTNA access proxy and a ZTNA rule. However, users connecting from the internet receive a 403 Forbidden error. The administrator verifies that the users are authenticated and the application is reachable. What is the MOST likely cause?

A.The firewall policy allowing traffic to the application is placed after a deny-all policy
B.The application's IP address is not included in the ZTNA access proxy's destination
C.The ZTNA access proxy does not have a valid SSL certificate
D.The ZTNA rule requires a specific client posture tag that the users' devices do not have
AnswerD

ZTNA checks client posture via FortiClient. If devices lack required posture tags, access is denied with 403.

Why this answer

Option D is correct. ZTNA rules evaluate the client's posture tags (e.g., antivirus running, OS patch level) reported by FortiClient through EMS. If the client does not carry the tags the rule requires, the access proxy denies the connection with a 403 error even though the user authenticated and the application is reachable.

26
Multi-Selecteasy

An organization wants to implement ZTNA (Zero Trust Network Access) on their FortiGate. Which TWO components are essential for ZTNA? (Select two.)

Select 2 answers
A.Client certificates for device posture verification
B.Identity Provider (IdP) for user authentication
C.A dedicated VPN tunnel
D.A static IP address for the client
E.A RADIUS server for two-factor authentication
AnswersA, B

Device trust is established via certificates.

Why this answer

ZTNA requires an identity provider (IdP) for user authentication and client certificates for device verification. Access proxy is also needed, but the question asks for two essential components; IdP and client certificates are core.

27
MCQmedium

A FortiGate admin configures a remote user for SSL VPN tunnel mode. The user can connect but cannot access resources on the internal network. The admin checks the SSL VPN settings: tunnel mode enabled, split tunneling disabled. What is the issue?

A.The user's FortiClient is outdated
B.The SSL certificate is expired
C.The firewall policy from the SSL VPN interface to the internal network is missing or incorrectly configured
D.The user's client software is not configured to route all traffic through the tunnel
AnswerC

Traffic from the tunnel interface must be allowed by a policy to reach internal resources.

Why this answer

When split tunneling is disabled, all traffic goes through the tunnel. The internal resources may not be reachable if the VPN interface's IP pool addresses are not routed correctly or if firewall policies on the FortiGate do not allow traffic from the tunnel interface.

28
MCQhard

An administrator is configuring ZTNA on a FortiGate. The goal is to allow access to an internal web server only if the client device has a specific security posture (e.g., antivirus running). Which ZTNA component is responsible for verifying the client's security posture?

A.ZTNA access proxy
B.IPsec VPN interface
C.SSL VPN portal
D.FortiClient EMS
AnswerD

EMS collects and reports endpoint posture to the FortiGate.

Why this answer

ZTNA uses an EMS (Endpoint Management Server) to collect endpoint posture information. The FortiGate queries the EMS for the client's compliance status before granting access.

29
MCQhard

A FortiGate administrator has configured a hub-and-spoke IPsec VPN. The hub FortiGate has two Phase 2 selectors with spokes, but traffic between spokes is not routed via the hub. What must be configured on the hub to allow spoke-to-spoke communication?

A.Set the hub as the default gateway on each spoke
B.Use policy-based VPN instead of route-based
C.Configure NAT on the hub
D.Enable 'add-route' on the hub Phase 2
AnswerD

With 'add-route' enabled, the hub installs a route for each selector a spoke negotiates, pointing at the tunnel, so traffic from one spoke to another is forwarded back out through the hub's tunnel.

Why this answer

For spoke-to-spoke traffic via the hub, three things have to line up: the hub's Phase 2 selectors must cover the spoke subnets, the hub must have a route to each spoke subnet through the tunnel, and the spokes must route the other spokes' subnets to the hub. 'add-route' provides the second item automatically; in the FortiOS CLI it is a setting of the Phase 1 (phase1-interface) rather than the Phase 2, and it is enabled by default on a dial-up Phase 1. The hub also needs a firewall policy allowing traffic whose source and destination interface are both the tunnel.

30
MCQeasy

A network administrator wants to authenticate VPN users against an existing LDAP server. Which authentication method should be configured on the FortiGate?

A.FSSO
B.LDAP
C.RADIUS
D.Local
AnswerB

LDAP authentication queries the LDAP server for user credentials.

Why this answer

LDAP is the correct protocol for authenticating against an LDAP server. Local is for local users, RADIUS for RADIUS servers, and FSSO for SSO with Active Directory.

31
MCQeasy

A FortiGate administrator needs to authenticate VPN users against an LDAP server. What is the primary purpose of the 'CN=,OU=,DC=' distinguished name (DN) configured in the LDAP server settings?

A.It is used to encrypt LDAP communication
B.It defines the IP address of the LDAP server
C.It specifies the base DN for searching users
D.It specifies the bind user credentials to connect to the LDAP server
AnswerD

The DN and password are used to authenticate the FortiGate to the LDAP server.

Why this answer

The DN and password configured under the LDAP server are the bind credentials: the account the FortiGate itself logs in as in order to search the directory for the user who is authenticating (the 'regular' bind type). They are distinct from the base DN (the search root) and from the end user's credentials, which the FortiGate then validates with a second bind as that user. This account should be a read-only service account, not a domain administrator.
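The LDAP server object behind questions 13, 14, 30 and 31, as FortiOS CLI. This is an added illustration, not configuration from the page or from Fortinet; the domain controller addresses, the domain example.com, the service account, the certificate name and the group DN are assumptions.

```fortios
# LDAP server object for Active Directory (all names and addresses assumed)
config user ldap
    edit "AD-LDAPS"
        set server "10.1.0.5"
        set secondary-server "10.1.0.6"
        set port 636
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fortigate,ou=service accounts,dc=example,dc=com"
        set password <bind-password>
        set group-member-check user-attr
    next
end

# Group referenced by SSL VPN authentication rules and firewall policies;
# membership is resolved against the AD group DN, not stored on the FortiGate
config user group
    edit "sslvpn-users"
        set member "AD-LDAPS"
        config match
            edit 1
                set server-name "AD-LDAPS"
                set group-name "cn=vpn-users,ou=groups,dc=example,dc=com"
            next
        end
    next
end

# Test the bind, the user lookup and the group resolution before building policies
diagnose test authserver ldap AD-LDAPS jsmith <user-password>
```

'type regular' is the mode in which the bind DN and password of question 31 are used: the FortiGate binds as the service account, searches under 'dn' for an object whose 'cnid' attribute equals the login name, then binds again as that user to check the password. 'secure ldaps' with 'ca-cert' set keeps passwords off the wire in clear and makes the FortiGate verify which server it is talking to; without the CA certificate it accepts any certificate. The 'simple' type needs no service account but binds directly as cnid=<user>,dn, so it only works when every user sits flat under that DN.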

32
MCQmedium

An administrator is configuring a site-to-site IPsec VPN between two FortiGates. After applying the configuration, the VPN status shows 'down'. Phase 1 parameters are identical on both sides. What is the most likely cause of the failure?

A.The Phase 2 selectors (local and remote subnets) are mismatched.
B.The pre-shared keys do not match.
C.The firewall policies are not configured.
D.NAT traversal is disabled but both FortiGates are behind NAT.
AnswerA

Phase 2 requires matching proxy IDs.

Why this answer

When Phase 1 parameters are identical and the VPN is down, the most common cause is a mismatch in Phase 2 selectors (local and remote subnets). Phase 2 uses these selectors to negotiate the IPsec security associations (SAs); if they do not match exactly on both sides, the IKEv1/v2 Quick Mode or Child SA exchange will fail, leaving the tunnel in a 'down' state even though Phase 1 (IKE SA) may be up.

Exam trap

The trap here is that candidates often assume a Phase 1 mismatch (like pre-shared keys) is the cause when the VPN is down, but the question explicitly states Phase 1 parameters are identical, forcing the focus to Phase 2 selector mismatches, which is a classic NSE4 exam trick.

How to eliminate wrong answers

Option B is wrong because if the pre-shared keys did not match, Phase 1 authentication would fail, and the VPN status would show 'down' with a Phase 1 error, but the question states Phase 1 parameters are identical, implying the pre-shared keys match. Option C is wrong because firewall policies are required to permit traffic through the tunnel, but their absence does not cause the VPN tunnel itself to be 'down'; the tunnel can be up even without policies, but traffic will not pass. Option D is wrong because NAT traversal (NAT-T) being disabled while both FortiGates are behind NAT would cause Phase 1 to fail due to encapsulation issues, but the question states Phase 1 parameters are identical and does not indicate a Phase 1 failure; NAT-T mismatch typically manifests in Phase 1, not Phase 2.
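The Phase 2 side of the same site-to-site tunnel as FortiOS CLI for both peers; an added example, not configuration from the page, with the subnets 10.1.0.0/16 (HQ) and 10.2.0.0/16 (branch) and the Phase 1 names to-branch and to-hq assumed. It covers the proposal, PFS and selector mismatches of questions 19, 21, 23 and 32: the selectors are mirror images of each other, and PFS with its group is either on with the same group on both sides or off on both.

```fortios
# HQ: local selector is the HQ LAN, remote selector is the branch LAN (assumed)
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# Branch: the HQ selectors swapped; proposal, PFS and group identical
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.2.0.0 255.255.0.0
        set dst-subnet 10.1.0.0 255.255.0.0
    next
end

# Each of these, applied on one side only, reproduces "no matching proposal"
# while Phase 1 stays up:
#   set pfs disable                          (PFS on one side, off on the other)
#   set dhgrp 5                              (PFS on both sides, different groups)
#   set proposal aes128-sha1                 (no common encryption/authentication)
#   set dst-subnet 10.2.0.0 255.255.255.0    (selector the peer's src-subnet does not mirror)

# Verify: Phase 2 SAs per tunnel, and the selectors each side actually negotiated
diagnose vpn tunnel list name to-branch
diagnose vpn ike gateway list name to-branch
```

Mismatched lifetimes do not break negotiation (each side rekeys on its own timer), so the four settings to compare are the proposal, PFS, the DH group and the two selectors.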

33
MCQeasy

A remote user reports that they can connect to the FortiGate SSL VPN portal but cannot access internal resources. The administrator checks the SSL VPN settings and sees that the tunnel mode is enabled with split tunneling. What is the most likely cause?

A.The IP pool is exhausted and no IP address was assigned.
B.The firewall policy allowing SSL VPN traffic to internal resources is missing.
C.The routing table on the client is missing the internal network routes.
D.The SSL VPN authentication timeout is too short.
AnswerC

Split tunneling requires proper routes to internal networks.

Why this answer

With split tunneling enabled, the FortiGate SSL VPN portal connection succeeds, but the client's routing table does not automatically include routes for the internal network. Without those routes, traffic to internal resources is sent to the default gateway instead of through the VPN tunnel, causing access failure. This is the most likely cause because the user can authenticate and establish the tunnel but cannot reach internal subnets.

Exam trap

The trap here is that candidates assume split tunneling automatically includes all internal routes, but in FortiGate SSL VPN, split tunneling requires explicit route configuration to direct internal traffic through the tunnel.

How to eliminate wrong answers

Option A is wrong because an exhausted IP pool would prevent the tunnel from establishing entirely, not just block resource access while the portal connects. Option B is wrong because a missing firewall policy would block all SSL VPN traffic, including portal access, not just internal resource access. Option D is wrong because an authentication timeout would cause disconnection or reauthentication prompts, not a persistent inability to access internal resources while remaining connected.
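The SSL VPN tunnel-mode configuration that questions 4, 12, 27 and 33 describe, as FortiOS CLI. This is an added example, not the page's or Fortinet's configuration. The address object hq-lan (10.1.0.0/16), the group sslvpn-users, the interface names internal and wan1, and the portal name are assumptions; SSLVPN_TUNNEL_ADDR1 is the default tunnel address pool object.

```fortios
# Internal network the client should reach through the tunnel (assumed)
config firewall address
    edit "hq-lan"
        set subnet 10.1.0.0 255.255.0.0
    next
end

# Portal: tunnel mode with split tunneling. Only hq-lan is pushed to the client
# as a route; everything else leaves through the client's own default gateway.
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "hq-lan"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "split-portal"
        next
    end
end

# The policy question 12 is about: source interface ssl.root, source address the
# tunnel pool, and the user group on the policy so only authenticated members match
config firewall policy
    edit 0
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "hq-lan"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Full tunnel instead (set split-tunneling disable on the portal): the client's
# internet traffic now arrives on ssl.root too and needs a second policy to get out,
# otherwise the user loses internet access:
#   set srcintf "ssl.root"   set dstintf "wan1"   set srcaddr "SSLVPN_TUNNEL_ADDR1"
#   set dstaddr "all"        set groups "sslvpn-users"   set nat enable
```

The 'split-tunneling-routing-address' list is what the client installs as routes (question 33); 'srcintf ssl.root' is what question 12 turns on; and the full-tunnel variant at the end is the only case in which the FortiGate sees the client's internet-bound traffic, which is where question 4's NAT policy applies. Replace Fortinet_Factory with a certificate from a CA the clients trust before exposing the portal, and keep 'source-address' narrower than "all" where the client population allows it.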

34
MCQhard

A FortiGate administrator notices that the IPsec VPN tunnel is established but traffic is not passing. The firewall policy allowing traffic from the remote subnet to the local subnet is in place. What is the MOST likely cause?

A.The VPN tunnel is a policy-based VPN and the policy is incorrectly configured
B.The Phase 2 proposal includes PFS, but the remote side does not
C.The local firewall is blocking ICMP
D.There is no static route on the FortiGate for the remote subnet pointing to the tunnel interface
AnswerD

Without a route, the FortiGate does not know how to forward traffic to the remote subnet even if the tunnel is up.

Why this answer

If the tunnel is up but no traffic passes, it could be due to routing misconfiguration, such as missing static routes for the remote subnet pointing to the VPN tunnel interface.
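A hub-and-spoke route-based VPN as FortiOS CLI, added here as an illustration for questions 9, 16, 29 and 34 rather than taken from the page. The hub address 198.51.100.10, the 10.0.0.0/8 aggregate for all spoke LANs and the spoke LAN 10.2.0.0/16 are assumptions. The hub uses one dial-up Phase 1 with add-route and wildcard selectors, so adding a spoke touches only the spoke; the spoke carries the static route question 34 is about.

```fortios
# Hub: one dial-up Phase 1 accepts every spoke. add-route installs a route to each
# spoke's selector as its tunnel comes up; net-device disable keeps all spokes on
# the single tunnel interface "spokes".
config vpn ipsec phase1-interface
    edit "spokes"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set add-route enable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "spokes-p2"
        set phase1name "spokes"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Hub: spoke-to-spoke traffic enters and leaves on the same tunnel interface,
# so the policy has "spokes" as both source and destination interface.
config firewall address
    edit "spoke-lans"
        set subnet 10.0.0.0 255.0.0.0
    next
end
config firewall policy
    edit 0
        set name "spoke-to-spoke"
        set srcintf "spokes"
        set dstintf "spokes"
        set srcaddr "spoke-lans"
        set dstaddr "spoke-lans"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Spoke (assumed LAN 10.2.0.0/16): static Phase 1 to the hub, a selector for its
# own LAN against the whole spoke aggregate, and the static route that sends the
# other spokes' subnets into the tunnel interface. Policies between "to-hub" and
# the spoke's LAN interface are still required and are omitted here.
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set remote-gw 198.51.100.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "to-hub-p2"
        set phase1name "to-hub"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.2.0.0 255.255.0.0
        set dst-subnet 10.0.0.0 255.0.0.0
    next
end
config router static
    edit 0
        set dst 10.0.0.0 255.0.0.0
        set device "to-hub"
    next
end
```

Two caveats. With add-route and 0.0.0.0/0 selectors, any spoke that authenticates can have the hub install a route for whatever selector it proposes, so the address objects on the hub's policies, not the selectors, are what bound the spokes. And a single PSK shared by every spoke means one compromised spoke can impersonate any other; use certificate authentication for anything beyond a lab.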

35
MCQeasy

Which authentication method allows a FortiGate to transparently authenticate users based on their Active Directory login events without prompting for credentials?

A.RADIUS authentication
B.FSSO (Fortinet Single Sign-On)
C.Local database authentication
D.LDAP authentication
AnswerB

FSSO uses Active Directory login events to automatically authenticate users without prompting.

Why this answer

Option B is correct. Fortinet Single Sign-On (FSSO) captures AD login events (via polling or agent) and maps them to users on the FortiGate, enabling transparent authentication for firewall policies.

36
Multi-Selecthard

A FortiGate administrator is troubleshooting an IPsec VPN that is dropping traffic intermittently. The administrator runs 'diagnose vpn ike log' and sees many 'DPD' messages. Which THREE conditions could cause frequent DPD (Dead Peer Detection) retransmissions? (Choose three.)

Select 3 answers
A.High network latency causing DPD timeouts
B.The remote peer is rebooting or unstable
C.Mismatched IKE version
D.Incorrect Phase 2 proxy IDs
E.A firewall between the peers dropping UDP port 500 packets
AnswersA, B, E

Latency can cause DPD to time out.

Why this answer

DPD failures indicate the remote peer is not responding. Common causes: network congestion, a firewall blocking IKE packets, or the remote peer going down.

37
MCQhard

An administrator runs 'diagnose debug application ike -1' and sees the following output:

ike 0:come to x.x.x.x:500, IKEv1, cookie 123456789abcdef0
ike 0:incoming IKE packet: src y.y.y.y:500, dst x.x.x.x:500, len 456
ike 0:send IKE packet: src x.x.x.x:500, dst y.y.y.y:500, len 456
ike 0:phase 1 negotiation failed due to time out.

What is the likely cause?

A.The remote FortiGate's Phase 1 proposal does not match
B.A firewall rule is blocking UDP 500/4500 between the peers
C.The pre-shared key is incorrect
D.The local FortiGate's external interface is down
AnswerB

Timeout indicates no response from the remote peer, typical of a firewall blocking the IKE traffic.

Why this answer

The debug shows Phase 1 negotiation failing due to timeout. This typically indicates that the remote peer is not responding. The most common reason is that the remote firewall is not reachable due to a firewall rule blocking UDP 500 or 4500, or the remote peer is not configured.

38
MCQhard

A FortiGate in a hub-and-spoke VPN topology is configured with a single IPsec tunnel to each spoke. The hub has a route-based VPN with a tunnel interface for each spoke. After a reboot, traffic between spoke A and spoke B fails, although each spoke can reach the hub. What is the likely cause?

A.The hub is missing static routes to the spoke networks via the respective tunnel interfaces
B.The firewall policies on the hub do not allow traffic between the spoke networks
C.The spokes have mismatched IKE versions
D.The hub's IPsec Phase1 is not configured for DPD
AnswerA

Route-based VPNs require explicit routes; without them, traffic cannot be forwarded between spokes.

Why this answer

In route-based VPNs, routes determine traffic flow. After a reboot, the hub may lose routes to the remote spoke networks unless they are statically configured or learned via dynamic routing. Option A is correct because static routes are needed on the hub to direct inter-spoke traffic through the appropriate tunnel interfaces.

39
Multi-Selectmedium

An organization uses LDAP authentication for firewall policies. Users complain that they are frequently prompted for credentials. Which TWO settings can reduce the frequency of authentication prompts?

Select 2 answers
A.Increase the authentication timeout on the firewall policy.
B.Increase the idle timeout on the LDAP server.
C.Enable single sign-on (SSO) authentication method.
D.Disable captive portal on the interface.
E.Use a longer password for LDAP accounts.
AnswersA, C

This extends how long a user's authentication is valid.

Why this answer

To reduce re-authentication prompts, increase the authentication timeout (Option A) so that users remain authenticated longer, and enable single sign-on (SSO) (Option C) so that once authenticated, they are not prompted again for other services.

40
Multi-Selectmedium

An administrator is troubleshooting an IPsec VPN tunnel that is not establishing. The Phase 1 status shows 'down'. Which TWO commands can help diagnose the issue? (Choose TWO.)

Select 2 answers
A.diagnose npu np6 ipsec-sa list
B.diagnose sys session clear
C.diagnose debug application ike -1
D.diagnose vpn tunnel list
E.diagnose vpn ike log-filter
AnswersC, E

Enables IKE debugging at the highest level.

Why this answer

The command 'diagnose vpn ike log-filter' filters IKE logs, and 'diagnose debug application ike -1' enables detailed IKE debug output. These are standard for troubleshooting IPsec VPN issues.

41
MCQeasy

An administrator wants to allow remote users to access internal resources using a web browser without installing any client software. Which VPN type should be configured on the FortiGate?

A.ZTNA access proxy
B.IPsec VPN with dial-up mode
C.SSL VPN tunnel mode
D.SSL VPN web mode
AnswerD

Web mode allows browser-based access to internal web resources without client software.

Why this answer

SSL VPN web mode allows users to access web-based internal resources through a web portal without any client installation. Tunnel mode requires installation of FortiClient.

42
Multi-Selecthard

A FortiGate administrator is troubleshooting an IPsec VPN that fails to establish. The Phase 1 status shows 'init' and then resets. The administrator runs 'diagnose debug application ike -1' and sees the message 'no acceptable proposal'. Which TWO parameters are MOST likely mismatched?

Select 2 answers
A.Pre-shared key
B.Phase 2 local and remote networks
C.IKE version (IKEv1 vs IKEv2)
D.Encryption algorithm (e.g., AES256 vs AES128)
E.Diffie-Hellman group (e.g., group 14 vs group 2)
AnswersD, E

Mismatched encryption algorithms cause proposal mismatch.

Why this answer

The 'no acceptable proposal' error in Phase 1 indicates that the local and remote peers cannot agree on a set of parameters. The encryption algorithm and Diffie-Hellman group are common mismatched parameters.

43
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A.The session is fully established and has been active for 3600 seconds.
B.The session is in SYN_SENT state and might be stuck due to no response from the server.
C.The session has been idle for 3599 seconds and will expire soon.
D.The session is in FIN_WAIT state and is being closed.
AnswerB

State 01 means SYN_SENT; a long duration indicates the three-way handshake is not completing.

Why this answer

The session state '01' indicates TCP SYN_SENT, meaning the session is still in the handshake phase. The duration is 3600 seconds, which is unusually long for a TCP handshake, suggesting the session is stuck or the server is not responding.

44
MCQmedium

A FortiGate admin configures a captive portal for guest users on a wireless network. Users can connect to the SSID but cannot access the internet. The admin verifies the firewall policy permits traffic from the captive portal interface to the internet. What is missing?

A.The firewall policy must have 'Enable Captive Portal' selected
B.A DNS server must be configured on the FortiGate
C.The users must be added to the local user database
D.The wireless controller must be configured with a RADIUS server
AnswerA

Without enabling captive portal on the policy, the portal page will not be presented.

Why this answer

Captive portal requires that the firewall policy has authentication enabled or the captive portal feature enabled under the policy's security features. A common issue is that the policy does not have 'Enable Captive Portal' checked.

45
MCQhard

An administrator configures a dial-up IPsec VPN using IKEv2 with certificates. Remote users can connect, but traffic is not routed through the tunnel. The Phase 1 status shows 'up', but Phase 2 shows 'down'. What is the most likely issue?

A.The firewall policy for the VPN traffic is missing.
B.The Phase 2 proposals do not match between the FortiGate and the client.
C.The pre-shared key for Phase 2 is incorrect.
D.The remote user's client does not support IKEv2.
AnswerB

IKEv2 Phase 2 requires matching proposals; otherwise, it fails.

Why this answer

IKEv2 requires a valid proposal match for Phase 2. If the Phase 2 parameters (encryption, authentication, etc.) do not match between the peer and the FortiGate, Phase 2 fails. Also, with IKEv2, the tunnel mode and proxy IDs must be correctly configured.

46
Multi-Selectmedium

A FortiGate admin wants to implement ZTNA to secure access to an internal application. Which TWO components are required for a basic ZTNA configuration?

Select 2 answers
A.A FortiClient EMS server
B.An IPsec VPN tunnel to the client
C.A ZTNA rule (policy) that specifies access conditions
D.A ZTNA application gateway
E.A static route to the application server
AnswersC, D

The rule defines who can access the application.

Why this answer

ZTNA requires a ZTNA rule (policy) that defines access criteria and a proxy policy that intercepts and forwards traffic to the internal application.

47
MCQmedium

A FortiGate administrator is setting up a dial-up IPsec VPN for remote employees. Each employee uses a FortiClient. Which authentication method should be used to allow individual user identities?

A.Pre-shared key (PSK) for each user
B.Certificate-based authentication using local or CA-issued certificates
C.IKEv2 with EAP
D.Aggressive mode with PSK
AnswerB

Certificates provide unique identity per user and are scalable.

Why this answer

Dial-up VPNs typically use X.509 certificates for device authentication, while user-based authentication (such as LDAP or RADIUS) is common for individual user identity. The question, however, asks for a method that provides individual identities, and a pre-shared key per user is impractical. Certificate authentication is scalable and provides strong identity.

48
MCQmedium

An administrator configures an LDAP user group for firewall authentication. Users are able to authenticate, but the FortiGate does not retrieve group membership information. What is likely misconfigured?

A.The LDAP server's IP address is incorrect
B.SSL is not enabled for LDAP
C.The LDAP bind account does not have permission to read group attributes
D.The FortiGate is not joined to the domain
AnswerC

Group membership retrieval requires read access to group objects.

Why this answer

The LDAP server must be configured with the correct bind credentials and search filter to retrieve group memberships. The 'cn' or 'member' attribute mapping is also critical.

49
MCQmedium

An administrator configures an SSL VPN portal with web mode and split tunneling enabled. Remote users can access internal web applications but cannot reach the internet through the VPN. What needs to be checked?

A.The remote user's browser does not support SSL VPN.
B.The firewall policy allowing internet traffic from the SSL VPN interface is missing or incorrect.
C.The split tunneling setting is disabled.
D.The SSL VPN portal is configured in web mode only; tunnel mode is required for internet access.
AnswerB

Even with split tunneling, internet traffic goes out through the FortiGate's WAN; a policy must allow this.

Why this answer

Split tunneling allows internet-bound traffic to bypass the VPN. If users cannot reach the internet, it could be because the split tunneling exclusion list includes internet destinations, or the DNS resolution is not working. However, the most common cause is that the firewall policy for internet traffic is missing or blocking.

50
MCQmedium

A FortiGate is configured as a hub in a hub-and-spoke IPsec VPN. The spokes are remote branches. The hub has a Phase 2 selector set to 0.0.0.0/0 for both local and remote subnets. What is the advantage of this configuration?

A.It reduces the number of IPsec SAs needed
B.It simplifies configuration by not needing specific subnet definitions per spoke
C.It allows direct spoke-to-spoke communication without passing through the hub
D.It enables dynamic routing protocols over the VPN
AnswerB

Using 0.0.0.0/0 in Phase 2 means the hub will accept any subnet from the spoke, eliminating the need to update selectors when spoke subnets change.

Why this answer

Setting Phase 2 selectors to 0.0.0.0/0 allows the hub to accept any subnet from the spokes, simplifying configuration when spokes have different subnets. However, traffic between spokes must route through the hub.

51
MCQeasy

What is the purpose of a 'realm' in FortiGate SSL VPN configuration?

A.To enable two-factor authentication.
B.To specify the authentication server for the VPN.
C.To create distinct portals with separate authentication and access policies.
D.To define the encryption algorithm for SSL VPN.
AnswerC

Realms provide multiple virtual SSL VPN portals.

Why this answer

A realm allows splitting the SSL VPN portal into multiple virtual portals, each with different authentication settings, landing pages, and access rights. This is useful when serving different user groups (e.g., employees vs. partners) on the same FortiGate.

52
MCQeasy

Refer to the exhibit. A network administrator configured an IPsec VPN between the main office and a branch office. Remote users at the branch office report that they cannot access resources in the main office. The tunnel status shows up on both sides. What is the most likely cause of the connectivity issue?

A.The phase1 keylife is longer than the phase2 keylife, causing rekey issues.
B.The 'set net-device disable' prevents the tunnel from being used for routing.
C.The phase2 configuration does not specify the local and remote subnets to protect.
D.The phase2 proposal does not match the phase1 proposal.
AnswerC

Without 'set src-addr-type' and 'set dst-addr-type', the tunnel does not know which traffic to encrypt.

Why this answer

Option C is correct because the phase2 configuration in an IPsec VPN must explicitly define the local and remote subnets (proxy IDs) that the tunnel is meant to protect. Without these subnets, the IPsec security associations (SAs) cannot be established for the actual traffic, even if the tunnel status shows as up (phase1 is complete). The tunnel status only indicates that IKE phase1 negotiation succeeded, but without phase2 proxy IDs, no traffic will be encrypted or routed through the tunnel, causing connectivity failures.

Exam trap

The trap here is that candidates assume a tunnel status of 'up' means the VPN is fully functional, but in reality, phase1 success alone does not guarantee that phase2 has been negotiated with the correct proxy IDs, and traffic will still fail without proper subnet definitions.

How to eliminate wrong answers

Option A is wrong because phase1 keylife being longer than phase2 keylife is not inherently problematic; phase2 keylife is typically shorter and rekey events are independent, so this does not prevent traffic flow. Option B is wrong because 'set net-device disable' is a FortiGate command that disables the virtual IPsec interface, which would prevent the tunnel from being used for routing, but the exhibit (not shown) does not indicate this command is present, and the tunnel status shows up, which would not be possible if net-device were disabled. Option D is wrong because phase2 proposals do not need to match phase1 proposals; phase1 and phase2 are separate negotiation phases with different parameters (encryption, authentication, DH groups) and mismatches between them do not cause phase2 to fail as long as each phase's proposals are consistent within themselves.

53
Multi-Selectmedium

An administrator is configuring a dial-up IPsec VPN for remote users. Which TWO settings are required on the FortiGate for the dial-up server? (Choose two.)

Select 2 answers
A.Set 'mode-cfg' to enable on Phase 1
B.Set 'peer type' to 'any' on Phase 1
C.Set 'aggressive mode' on Phase 1
D.Set 'auto-negotiate' to enable on Phase 2
E.Set 'pfs' to enable on Phase 2
AnswersA, B

Mode-config is used to assign IP addresses to clients.

Why this answer

A dial-up server must have a Phase 1 configuration that allows multiple peers (mode-cfg or aggressive mode) and a Phase 2 that uses 0.0.0.0/0 or dynamic selectors. Additionally, an IP pool is often used to assign addresses.

54
MCQeasy

What is the primary purpose of configuring split tunneling on an SSL VPN?

A.To provide two-factor authentication for the VPN connection
B.To encrypt all traffic from the remote client, including Internet traffic
C.To enable the use of client certificates for authentication
D.To allow the remote client to access both the corporate network and the Internet simultaneously without routing all traffic through the VPN
AnswerD

Correct. Split tunneling separates corporate traffic (via VPN) from Internet traffic (direct).

Why this answer

Split tunneling allows the remote client to route only traffic destined for the corporate network through the VPN tunnel, while Internet-bound traffic goes directly to the Internet. This reduces bandwidth load on the VPN and improves performance.

55
MCQeasy

What is the purpose of a ZTNA (Zero Trust Network Access) tag on a FortiGate?

A.To enable SNMP monitoring on the device
B.To assign static IP addresses to clients
C.To mark devices or users with attributes used in security policies
D.To tag firewall policies for logging purposes
AnswerC

ZTNA tags carry attributes like device posture, user identity, etc., used to enforce access.

Why this answer

ZTNA tags are used to identify devices and users based on compliance and trust level, allowing dynamic access control policies beyond traditional IP addresses.

56
MCQeasy

Which mode of SSL VPN provides full network-layer access to the remote network, allowing any application to function as if the client is directly connected?

A.Tunnel mode
B.Web mode
C.Split tunneling mode
D.Clientless mode
AnswerA

Tunnel mode gives the client a virtual IP and routes all (or split) traffic through the VPN, providing full network access.

Why this answer

Tunnel mode creates a virtual interface on the client that provides full network access, similar to an IPsec VPN. Web mode only provides access to specific web applications through a browser portal.

57
MCQhard

An administrator runs 'diagnose debug application sslvpn -1' on a FortiGate and sees the following output: 'SSLVPN_ERROR:ERR_AUTH_FAIL' for a user. The user is in an LDAP group and has the correct password. What is the MOST likely cause?

A.The SSL VPN certificate is expired
B.The user is not a member of the required LDAP group
C.The LDAP server is unreachable
D.The user account is locked out
AnswerB

Group membership is often checked; if the user is not in the group, authentication fails.

Why this answer

ERR_AUTH_FAIL indicates authentication failure despite correct credentials. The group membership is likely the issue; the user may not be a member of the required group, or the group filter is misconfigured.

58
MCQmedium

You are configuring a route-based IPsec VPN with BGP over the tunnel. After Phase 2 is up, the BGP session does not establish. You run 'diagnose debug ipsec' and see no errors. What should you check next?

A.Disable anti-replay on the tunnel
B.Enable NAT traversal
C.Ensure the tunnel interface is added to the BGP neighbor configuration
D.Check the Phase 1 proposal
AnswerC

BGP needs the interface to form the session; often the tunnel interface must be specified as the update source.

Why this answer

In route-based VPN, the tunnel interface must be included in the BGP configuration as a neighbor update source or the BGP update must be allowed in the firewall policy.

59
MCQmedium

An administrator runs 'diagnose debug application fnbamd -1' on a FortiGate to troubleshoot authentication issues. The output shows that the FortiGate successfully contacts the LDAP server but the user authentication fails. What does this indicate?

A.The user's password is incorrect or the user account is locked
B.The LDAP server is unreachable
C.The LDAP bind user password is incorrect
D.The LDAP schema does not match what FortiGate expects
AnswerA

Successful contact but failed authentication for the user indicates the user's credentials are wrong or the account is disabled/locked.

Why this answer

Option A is correct. The debug output shows successful communication with the LDAP server, meaning the bind user has proper privileges. The authentication failure indicates that the user's credentials are incorrect or the user does not exist in the LDAP database.

60
MCQmedium

The output of 'diagnose debug application ike -1' shows 'no proposal chosen' for a Phase1 negotiation. Which action should the administrator take to resolve this?

A.Increase the Phase1 lifetime on both sides
B.Verify the pre-shared key is correct
C.Check and align the Phase1 encryption, authentication, and DH group settings
D.Change the IKE version from v1 to v2
AnswerC

The negotiation fails because no common proposal exists; matching these parameters is required.

Why this answer

The error 'no proposal chosen' indicates that the local and remote gateways have no common Phase1 parameters (encryption, authentication, DH group, etc.). The administrator must review and match the Phase1 proposal settings.

61
MCQeasy

What is the primary difference between route-based and policy-based IPsec VPNs on a FortiGate?

A.Route-based requires a static route, policy-based uses dynamic routing.
B.Route-based encrypts all traffic, policy-based encrypts only specified services.
C.Route-based supports only IKEv2, policy-based supports both IKEv1 and IKEv2.
D.Route-based uses a tunnel interface, policy-based uses firewall policies to define traffic selectors.
AnswerD

Correct: route-based has a tunnel interface; policy-based defines selectors in Phase 2.

Why this answer

Route-based VPNs create a virtual interface (e.g., 'tunnel') that is used in routing and firewall policies, while policy-based VPNs define the traffic selectors within the Phase 2 configuration itself, without a separate interface.

62
Multi-Selecthard

A FortiGate administrator is designing an SSL VPN solution for 500 remote users. The users need full network access. Which two design considerations are most important?

Select 2 answers
A.Ensure the SSL VPN IP pool has enough addresses for concurrent users.
B.Create firewall policies that allow traffic from the SSL VPN interface to internal networks.
C.Configure split tunneling to reduce load on the FortiGate.
D.Use certificate-based authentication for all users.
E.Enable port forwarding for RDP and SSH.
AnswersA, B

Sufficient IP pool is critical for scalability.

Why this answer

Option A is correct because the SSL VPN IP pool must have enough addresses to assign to all concurrent users. Without a sufficient pool, users will fail to obtain an IP address and cannot access the network. Option B is correct because firewall policies are required to permit traffic from the SSL VPN interface (e.g., ssl.root) to internal networks; without them, traffic is dropped even if the tunnel is established.

Exam trap

The trap here is that candidates often confuse optional features (like split tunneling or certificate authentication) with mandatory design requirements, overlooking the fundamental need for IP pool sizing and firewall policies to enable basic connectivity.

63
MCQmedium

An administrator configures an IPsec VPN with IKEv1 main mode. The remote peer reports that Phase 1 fails with a 'no proposal chosen' error. The local Phase 1 settings include: encryption AES128, authentication SHA1, DH group 2, lifetime 86400. Which remote peer setting is MOST likely causing the mismatch?

A.Remote peer uses aggressive mode
B.Remote peer uses AES256 instead of AES128
C.Remote peer uses DH group 5 instead of group 2
D.Remote peer uses SHA256 instead of SHA1
AnswerB

AES128 vs AES256 is a common mismatch. Both are valid but different.

Why this answer

Main mode requires both sides to have matching parameters. A mismatch in any parameter causes a 'no proposal chosen' error. The remote peer likely has AES256 instead of AES128.

64
Multi-Selecthard

An organization is implementing two-factor authentication for SSL VPN access using FortiToken. Which THREE components are necessary for this setup?

Select 3 answers
A.An LDAP server for user synchronization
B.A firewall policy that requires authentication and references the user group
C.A FortiToken assigned to the user
D.A user group with two-factor authentication enabled
E.A RADIUS server for token validation
AnswersB, C, D

The policy triggers the authentication process.

Why this answer

FortiToken two-factor requires the FortiToken itself, a user group with two-factor authentication enabled, and a firewall policy that references that user group and requires authentication.

65
Multi-Selecteasy

An administrator is configuring a dialup IPsec VPN for remote users. Which two settings must be configured on the FortiGate to allow clients to connect?

Select 2 answers
A.Enable XAuth for user authentication.
B.Enable Dead Peer Detection.
C.Enable mode-cfg on the Phase 1 interface.
D.Enable NAT traversal.
E.Create an IP pool for the remote clients.
AnswersC, E

Mode-cfg provides client configuration.

Why this answer

Option C is correct because mode-config (mode-cfg) on the Phase 1 interface is required to push network configuration parameters (such as DNS, WINS, and the virtual IP address) to remote IPsec VPN clients. This setting enables the FortiGate to act as a server in a dialup VPN scenario, dynamically assigning IP addresses and other settings to clients without requiring static configuration on each client.

Exam trap

The trap here is that candidates often assume XAuth or NAT traversal are mandatory for dialup IPsec, but the FortiGate specifically requires mode-cfg and an IP pool to dynamically assign client addresses and complete the tunnel setup.

66
MCQmedium

A FortiGate admin is configuring a hub-and-spoke IPsec VPN. The hub has multiple phase 2 configurations for each spoke. The spokes can communicate with the hub but not with each other. The admin wants to allow spoke-to-spoke traffic through the hub. Which configuration change is required on the hub?

A.Change the IPsec mode from policy-based to route-based
B.Modify the Phase 2 selectors on the hub to include both spoke subnets and add firewall policies allowing traffic between the spoke networks
C.Enable 'add-route' on the hub's Phase 1 settings
D.Configure a static route on each spoke pointing to the other spoke's subnet via the tunnel
AnswerB

The hub's Phase 2 selectors must match the traffic it needs to forward between spokes. Additionally, firewall policies must permit the traffic.

Why this answer

Option B is correct. For spoke-to-spoke traffic to pass through the hub, the hub must have firewall policies allowing traffic between the spoke networks, and the Phase 2 selectors on the hub must include both spoke subnets (or use 0.0.0.0/0 to allow all traffic).

67
MCQeasy

What is the primary purpose of the captive portal feature on a FortiGate?

A.To monitor bandwidth usage per user
B.To block all traffic from unknown IP addresses
C.To enable SSL VPN connections
D.To provide a web-based authentication interface for users connecting through a firewall policy
AnswerD

Captive portal redirects unauthenticated users to a login page.

Why this answer

Captive portal is used to authenticate users before allowing network access. It presents a login page to users who are not yet authenticated.

68
Multi-Selecteasy

An administrator needs to authenticate users on a FortiGate using RADIUS. Which TWO of the following are required to configure RADIUS authentication?

Select 2 answers
A.A PKI certificate for the RADIUS server
B.A RADIUS server object with IP address and shared secret
C.An FSSO connector
D.A user group that references the RADIUS server
E.A local user account for each RADIUS user
AnswersB, D

This defines the connection to the RADIUS server.

Why this answer

To use RADIUS, the FortiGate must define the RADIUS server with its IP and secret, and then create a user group that references that RADIUS server.

69
Multi-Selecteasy

An administrator wants to configure two-factor authentication for SSL VPN users. Which TWO components must be configured? (Choose two.)

Select 2 answers
A.SSL VPN portal configured with 'require two-factor authentication'
B.Captive portal enabled
C.FortiToken assigned to the user
D.RADIUS server configured for one-time passwords
E.IPsec Phase 1 authentication set to 'signature'
AnswersA, C

The SSL VPN settings must require two-factor authentication.

Why this answer

FortiToken must be assigned to the user, and the user group must require two-factor authentication. The authentication server (LDAP/RADIUS) handles the first factor, FortiToken the second.

70
MCQhard

A FortiGate in a hub-and-spoke VPN topology has multiple spoke sites connecting via IPsec. The hub administrator wants to enable direct spoke-to-spoke communication without routing traffic through the hub. What technology should be used?

A.ADVPN (Auto-Discovery VPN)
B.Site-to-site VPN between each spoke pair manually
C.Policy-based VPN with multiple Phase 2 selectors
D.SSL VPN tunnel mode
AnswerA

ADVPN enables dynamic direct tunnels between spokes.

Why this answer

ADVPN (Auto-Discovery VPN) allows spokes to dynamically establish direct tunnels between each other, reducing hub load and latency.

71
MCQeasy

An administrator wants to configure SSL VPN web mode to allow remote users to access a specific internal web application without installing any client software. Which authentication method is required?

A.Certificate-based authentication only
B.No authentication is required for web mode
C.Two-factor authentication with FortiToken is mandatory
D.Any supported authentication method (local, LDAP, RADIUS, certificates)
AnswerD

FortiGate supports multiple authentication methods for SSL VPN web mode.

Why this answer

SSL VPN web mode requires user authentication to grant access. The local database or remote authentication server (LDAP, RADIUS) must be used to authenticate users before they can access the web portal.

72
MCQhard

A FortiGate administrator is configuring a route-based IPsec VPN between two FortiGate devices. After setting up the tunnel and firewall policies, traffic does not flow. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. 'get router info routing-table all' shows routes on both sides. However, pings from the local network to the remote network fail. What is the MOST likely cause?

A.The pre-shared key is incorrect
B.The firewall policy allowing traffic to the remote subnet has the source and destination interfaces reversed
C.The remote FortiGate's static route points to the wrong local subnet
D.The Phase 2 proposal uses different encryption algorithms on each side
AnswerB

In a route-based VPN, the policy must be configured with the VPN interface as the destination interface (if traffic flows from internal to VPN) or source interface (if from VPN to internal). Misconfiguration here causes traffic to be dropped.

Why this answer

Option B is correct. For route-based VPN, traffic must be allowed by the policy that has the VPN interface as the destination interface. If the policy's source and destination are reversed (e.g., source internal, destination internal instead of source internal, destination VPN), traffic will be dropped.

73
MCQeasy

A FortiGate administrator wants to authenticate VPN users against an existing Active Directory server. The administrator creates a user group referencing a remote LDAP server and configures the firewall policy to authenticate using that group. However, users report authentication failures. What is the FIRST step to troubleshoot?

A.Run 'diag test authserver ldap <server> <username> <password>'
B.Verify the user group configuration
C.Restart the FortiGate
D.Check the LDAP server's firewall rules
AnswerA

This command tests LDAP authentication directly. It isolates the issue quickly.

Why this answer

The LDAP connectivity must be verified before any user authentication can work. The diagnose test command is the quickest way to validate the LDAP server connection.

74
MCQmedium

A client connects to a FortiGate SSL VPN in web mode. The user can access internal web applications but cannot ping or RDP to servers. The administrator wants to allow these services. What must be changed?

A.Enable split tunneling on the SSL VPN portal
B.Change the SSL VPN type from web mode to tunnel mode
C.Add the server IP addresses to the portal's bookmarks
D.Configure a firewall policy allowing the client's IP to the servers
AnswerB

Tunnel mode supports all IP traffic, not just web, by creating a virtual network interface.

Why this answer

Web mode only provides access to web-based applications through a portal. To allow non-web traffic like ping or RDP, the VPN type must be changed to tunnel mode, which creates a virtual interface and routes all traffic.

75
MCQeasy

Which IPsec VPN mode is typically used for site-to-site VPNs and is more secure because it negotiates Phase 1 in six messages?

A.Quick mode
B.Aggressive mode
C.IKEv2
D.Main mode
AnswerD

Main mode is the default and more secure for site-to-site VPNs.

Why this answer

Main mode uses six messages to negotiate IKE Phase 1, providing identity protection and higher security.
