CCNA Authentication and VPN Questions

75 of 186 questions · Page 2/3 · Authentication and VPN

76
Multi-Select · hard

Which TWO are best practices for configuring IPsec VPN on FortiGate to ensure high availability and security?

Select 2 answers
A. Disable DPD on the phase1 interface to reduce overhead.
B. Enable perfect forward secrecy (PFS) for phase2 to ensure session keys are not compromised if a private key is stolen.
C. Use aggressive mode for faster IKE negotiation.
D. Configure a dead peer detection (DPD) interval to detect tunnel failures.
E. Disable PFS to reduce CPU load on the firewall.
Answers: B, D

PFS ensures that compromise of one key does not affect others.

Why this answer

Perfect Forward Secrecy (PFS) ensures that if an attacker compromises the private key used during IKE phase1, they cannot derive the session keys used in phase2. By requiring a new Diffie-Hellman exchange for each phase2 rekey, PFS isolates the compromise to only the current session, protecting past and future encrypted traffic. This is a critical security best practice for IPsec VPNs on FortiGate.

Exam trap

The trap here is that candidates often confuse DPD with a performance overhead feature and disable it, or they mistakenly believe aggressive mode is faster and therefore better, overlooking the severe security implications of sending identities in cleartext.

77
MCQ · hard

An administrator has configured an SSL VPN with tunnel mode and split tunneling enabled. However, remote users report that all internet traffic is going through the VPN tunnel. What is the MOST likely cause?

A. The firewall policy allows traffic to the internet
B. The SSL VPN portal has 'split tunneling' disabled
C. The client's routing table is set to route all traffic through the VPN
D. The user has installed a root certificate
Answer: C

Even with split tunneling enabled on the portal, if the client pushes a route for 0.0.0.0/0, all traffic goes through the tunnel.

Why this answer

Split tunneling routes only specific subnets through the tunnel and other traffic directly. If the routing table is set to route all traffic (0.0.0.0/0) via the SSL VPN interface, split tunneling is effectively disabled.

78
MCQ · easy

A company uses Fortinet Single Sign-On (FSSO) to authenticate users for firewall policies. The FSSO collector agent is installed on a Windows server and configured with Active Directory polling. What does the collector agent do?

A. It acts as a RADIUS proxy between FortiGate and AD
B. It monitors AD logon events and sends user-IP mappings to the FortiGate
C. It polls the FortiGate for user information
D. It directly authenticates users to the FortiGate
Answer: B

This is the core function of the FSSO collector agent.

Why this answer

The FSSO collector agent monitors Active Directory for user logon events (via NetAPI or security event logs) and sends this information to the FortiGate, allowing it to map users to IP addresses.

79
Multi-Select · medium

An administrator is configuring Active Directory polling for FSSO. Which two components must be set up correctly for FSSO to work?

Select 2 answers
A. A RADIUS server configured for user authentication
B. An IPsec tunnel between FortiGate and the domain controller
C. FortiToken license for each user
D. A firewall policy that allows LDAP traffic from FortiGate to the domain controller
E. An FSSO collector agent installed on a Windows server in the domain
Answers: D, E

FortiGate uses LDAP to query group membership information.

Why this answer

FSSO requires a collector agent that polls the domain controllers for logon events, and the FortiGate must have LDAP configured to resolve usernames to groups; polling must also be enabled.

80
MCQ · hard

An administrator runs 'diagnose vpn ssl stat' and sees 'tun-num: 5, clients: 0'. Users are unable to connect to the SSL VPN. The SSL VPN settings are correct and the certificate is valid. What could be the cause?

A. The FortiGate has reached the maximum number of SSL VPN users allowed by the license
B. The SSL VPN is listening on a non-default port and users are connecting to the default port
C. The SSL VPN certificate is not trusted by the client browsers
D. The SSL VPN portal is configured with 'limit-scan' scanning
Answer: B

If the listening port (e.g., 10443) is different, users connecting to 443 will fail.

Why this answer

The command shows tunnel interfaces created but no connected clients. Option A is a likely cause: if the SSL VPN portal has limit-scan or if the user group is restricted, users might be denied. More commonly, if the firewall policy for SSL VPN is missing or misconfigured, users can't pass traffic.

However, the debug shows no clients, suggesting an authentication or network-layer issue. Option B is plausible because if the listening port is changed, users might be connecting to the wrong port. Option C is also plausible but less typical.

The most common cause in practice is a missing or misconfigured policy, but the question is tricky. I'll go with Option B as it directly affects connectivity.

81
Multi-Select · medium

An administrator wants to implement ZTNA (Zero Trust Network Access) on a FortiGate to secure access to an internal application. Which TWO components are essential for a ZTNA configuration?

Select 2 answers
A. A firewall policy using IPsec VPN
B. A FortiGate in transparent mode
C. A policy-based IPsec tunnel
D. A proxy-based firewall policy
E. A ZTNA rule that verifies endpoint identity and posture
Answers: D, E

ZTNA uses proxy-based inspection to apply access rules.

Why this answer

ZTNA requires a proxy-based policy that inspects traffic, and a ZTNA rule that defines the access conditions (tags, endpoint compliance, etc.).

82
MCQ · easy

Which of the following best describes the purpose of a captive portal on a FortiGate?

A. To provide secure remote access to internal resources
B. To authenticate users before granting network access
C. To encrypt traffic between sites
D. To block malware from entering the network
Answer: B

Captive portal intercepts HTTP traffic and redirects to a login page.

Why this answer

A captive portal forces unauthenticated users to authenticate before accessing the network.

83
MCQ · hard

You receive an alert that a user's FortiToken synchronization is off. You need to resynchronize the token. Which CLI command achieves this?

A. diagnose user fortitoken resync <token-serial>
B. config user fortitoken edit <token-serial> set status activate
C. execute fortitoken-update <token-serial>
D. execute fortitoken-resync <token-serial>
Answer: D

Correct. This triggers a resynchronization of the token's OTP sequence.

Why this answer

The command 'execute fortitoken-resync <token-serial>' is used to resynchronize a FortiToken with the FortiGate. This updates the token's seed and counter.

84
Multi-Select · medium

A FortiGate admin is troubleshooting an IPsec VPN where Phase 1 is up but Phase 2 fails to establish. Which TWO diagnostic commands would provide the most relevant information?

Select 2 answers
A. diagnose debug application ike -1
B. diagnose vpn tunnel list
C. diagnose netlink interface list
D. diagnose sys session list
E. diagnose vpn ike log
Answers: B, E

This lists all VPN tunnels and their status.

Why this answer

'diagnose vpn ike log' shows IKE negotiation details including Phase 2, and 'diagnose vpn tunnel list' shows tunnel status and configuration.

85
MCQ · easy

When configuring a route-based IPsec VPN, which of the following must be created to allow traffic to flow through the tunnel?

A. A static route to the remote subnet via the IPsec interface
B. A firewall policy with the VPN interface as source
C. A NAT rule to translate the private IPs
D. A security profile for VPN traffic
Answer: A

The route tells the FortiGate how to reach the remote subnet.

Why this answer

A route-based VPN uses a virtual IPsec interface; a static route must point to that interface for the remote subnet.

86
MCQ · easy

An administrator is troubleshooting an SSL VPN connection issue. Users can authenticate but receive 'No available tunnel' error. What is the most likely cause?

A. Split tunneling is misconfigured.
B. The firewall policy does not allow traffic from the SSL VPN interface.
C. The SSL VPN port is blocked on the firewall.
D. The SSL VPN IP pool has run out of addresses.
Answer: D

Exhausted IP pool prevents tunnel assignment.

Why this answer

The 'No available tunnel' error after successful authentication indicates that the SSL VPN daemon cannot assign an IP address to the client. The most likely cause is that the SSL VPN IP pool has exhausted its available addresses, preventing the creation of a virtual tunnel interface. This is a common issue when the pool size is smaller than the number of concurrent users.

Exam trap

The trap here is that candidates often confuse post-authentication issues (like IP pool exhaustion) with pre-authentication issues (like port blocking) or traffic-routing issues (like split tunneling or firewall policies), leading them to select options that would prevent authentication entirely rather than the specific error message given.

How to eliminate wrong answers

Option A is wrong because split tunneling controls which subnets are routed through the VPN tunnel versus the client's local network; it does not affect the ability to establish the tunnel itself. Option B is wrong because the firewall policy on the SSL VPN interface controls traffic forwarding after the tunnel is established, not the tunnel creation process. Option C is wrong because if the SSL VPN port were blocked, users would not be able to authenticate at all; the error occurs after successful authentication.

87
MCQ · medium

An administrator receives a report that some users cannot authenticate via captive portal on a FortiGate. The captive portal is configured for firewall authentication. The administrator checks the authentication logs and sees 'Authentication failed: invalid credentials'. However, the users confirm they are entering the correct username and password. What is the MOST likely cause?

A. The captive portal interface is not configured with a valid certificate
B. The users are not including the domain name in the username field
C. The FortiGate's clock is out of sync with the LDAP server
D. The LDAP server is not reachable from the FortiGate
Answer: B

When authenticating against an LDAP/AD server, the FortiGate often requires the username in the format 'domain\username' or user principal name. Omitting the domain results in 'invalid credentials'.

Why this answer

Option B is correct. If the users are in a domain, the FortiGate expects the username in the format 'domain\username' or 'username@domain.com'. Entering just the username without the domain will cause authentication failure.

88
Multi-Select · medium

An administrator is configuring a FortiGate for ZTNA (Zero Trust Network Access). Which TWO components are essential for ZTNA to function? (Choose two.)

Select 2 answers
A. A firewall policy with ZTNA tags
B. A captive portal
C. FortiClient EMS for endpoint compliance
D. An IPsec VPN tunnel
E. An identity provider (IdP) for user authentication
Answers: C, E

EMS provides device posture information.

Why this answer

ZTNA requires an identity provider (IdP) to authenticate users and FortiClient EMS to supply device posture information; the FortiGate, acting as the ZTNA gateway, enforces access policies based on that identity and device posture.

89
Multi-Select · medium

A company requires two-factor authentication for SSL VPN access. They already have an LDAP server for user credentials. Which TWO components are necessary to implement this?

Select 2 answers
A. FortiAuthenticator
B. FortiToken hardware or mobile tokens
C. RADIUS server
D. Certificate Authority (CA)
E. LDAP server
Answers: B, E

FortiToken provides the one-time password (OTP) required for two-factor authentication.

Why this answer

FortiToken provides the second factor (OTP). The LDAP server provides the first factor (password). The FortiGate acts as the authenticator.

90
Multi-Select · hard

A FortiGate administrator is troubleshooting an IPsec VPN between two FortiGates. The tunnel is established, but traffic is not passing. The administrator runs 'diagnose vpn ike log' and sees the following output:

IKE: phase 2 negotiation completed
IKE: IPsec SA up

What THREE possible causes should the administrator investigate?

Select 3 answers
A. Firewall policies on either FortiGate are not allowing traffic between the local and remote subnets
B. The pre-shared key is incorrect
C. Routing tables on both FortiGates do not have routes pointing to the remote subnets via the VPN interface
D. The IKE mode is set to aggressive mode on one side and main mode on the other
E. NAT is being applied to the VPN traffic before it enters the tunnel, causing IP address mismatch
Answers: A, C, E

Missing or misconfigured firewall policies will drop traffic even if the tunnel is up.

Why this answer

Options A, C, and E are correct. The tunnel is up, so Phase 1 and Phase 2 are fine. Common causes for traffic not passing when the tunnel is established are missing or incorrect firewall policies, missing routes to the remote subnets via the VPN interface, and NAT being applied to traffic before it enters the tunnel, so that the translated addresses no longer match the Phase 2 selectors.

91
Multi-Select · medium

An administrator is configuring an IPsec VPN between two FortiGates using IKEv1. The tunnel must use main mode and support multiple subnets behind each gate. Which Phase2 settings are required to allow multiple subnets? (Choose two.)

Select 2 answers
A. Set the Phase2 keylife to a higher value
B. Set the Phase2 proposal to include multiple encryption algorithms
C. Create multiple Phase2 selectors, each with different local and remote subnets
D. Enable NAT traversal on the Phase2
E. Use address objects that contain multiple subnets in the Phase2 definition
Answers: C, E

Each Phase2 selector defines a single traffic pair; multiple selectors cover multiple subnets.

Why this answer

To support multiple subnets, you can either configure multiple Phase2 selectors (one per subnet pair) or define the local/remote subnets in the Phase2 configuration. Modern FortiOS allows multiple subnets in a single Phase2. Option C is correct (multiple Phase2 selectors), and Option E (using address objects that contain multiple subnets) is also correct.

92
MCQ · medium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. Phase 1 is up, but Phase 2 fails to establish. The debug command 'diagnose vpn ike log' shows: 'no suitable proposal found'. What is the most likely cause?

A. Phase 2 encryption or authentication algorithms do not match on both sides.
B. The firewall policy allowing IPsec traffic is missing.
C. The remote gateway IP address is unreachable.
D. The pre-shared key is incorrect.
Answer: A

Phase 2 proposals must match; otherwise, the tunnel cannot establish.

Why this answer

This error indicates that the Phase 2 proposals (encryption, authentication, etc.) do not match between the two peers. Phase 1 succeeded, so the IKE parameters are compatible; the issue lies in the Phase 2 settings.

93
MCQ · medium

An administrator runs 'diagnose vpn ike config' and sees the output includes 'P2 proposals: aes128-sha256, aes256-sha1'. What does this indicate?

A. The Diffie-Hellman groups for Phase 2
B. The Phase 1 encryption settings
C. The Phase 2 encryption and authentication algorithms
D. The lifetime settings for the VPN tunnel
Answer: C

It shows the Phase 2 proposals.

Why this answer

This output shows the Phase 2 proposals configured on the VPN tunnel. It lists the encryption and authentication algorithms that will be offered to the peer.

94
Multi-Select · hard

An administrator is troubleshooting an SSL VPN connection. Users can connect and authenticate, but they cannot access any internal resources. The firewall policy allows the SSL VPN interface to the internal network. Which THREE commands or configuration checks should the administrator use to diagnose the issue?

Select 3 answers
A. 'execute ping from ssl.root to internal IP'
B. 'get router info routing-table all' to verify routes
C. 'diagnose debug application sslvpn -1' to enable debug logging
D. 'diagnose firewall policy list' to confirm the policy is matching
E. 'diagnose vpn ssl list' to view active SSL VPN sessions
Answers: B, D, E

If there is no route to the internal network from the SSL VPN interface, traffic will be dropped.

Why this answer

To diagnose SSL VPN issues, the admin should check the routing table to ensure traffic is routed correctly, check the SSL VPN session list to see if sessions are established, and verify that the correct firewall policy is matching traffic.

95
MCQ · easy

In Fortinet ZTNA, what is the primary purpose of the ZTNA access proxy component?

A. To act as a forward proxy for web traffic
B. To provide load balancing for multiple FortiGates
C. To proxy connections to internal applications after authentication and device verification
D. To terminate IPsec VPN tunnels
Answer: C

That is the core function of ZTNA access proxy.

Why this answer

The ZTNA access proxy resides on the FortiGate and proxies connections to internal applications after verifying the user's identity and device posture.

96
MCQ · hard

An administrator configures a dial-up IPsec VPN with IKEv1 main mode. Remote clients can connect successfully, but the administrator notices that the Phase 1 negotiation takes a long time. Which change would most improve the negotiation speed without compromising security?

A. Switch from main mode to aggressive mode
B. Reduce the IKE SA lifetime
C. Increase the number of Phase 1 proposals
D. Enable IKEv2 instead of IKEv1
Answer: D

IKEv2 uses fewer messages (four) and is more robust, providing faster negotiation than IKEv1 main mode.

Why this answer

Main mode uses six messages and protects identities. Aggressive mode uses three messages but is less secure. Switching to IKEv2 reduces negotiation to four messages and is more efficient than aggressive mode while maintaining security.

97
MCQ · medium

A network admin configures an IPsec VPN between two FortiGates using IKEv2. Phase 1 completes successfully, but Phase 2 fails to establish. The admin runs 'diagnose vpn ike log' and sees the error 'proposal mismatch'. What is the most likely cause?

A. The IKE version is not compatible
B. The Phase 2 selectors (local and remote subnets) are misconfigured
C. The Phase 2 encryption and authentication algorithms do not match
D. The pre-shared keys do not match
Answer: C

The 'proposal mismatch' error typically means the Phase 2 transform sets (encryption, authentication, PFS) differ between the two FortiGates.

Why this answer

In IKEv2, Phase 2 proposals are negotiated separately from Phase 1. A proposal mismatch error indicates that the Phase 2 parameters (such as encryption algorithm, authentication algorithm, and PFS settings) do not match between the two peers.

98
Multi-Select · hard

A FortiGate administrator is troubleshooting an SSL VPN issue where users can authenticate but cannot access any internal resources. The SSL VPN status shows 'connected'. Which THREE commands or actions should be used to diagnose the problem?

Select 3 answers
A. 'execute ping 8.8.8.8'
B. Check the firewall policies that match the SSL VPN interface.
C. 'diagnose debug application sslvpn -1'
D. 'get router info routing-table'
E. 'diagnose vpn ssl stat'
Answers: B, D, E

Policies must permit traffic from the SSL VPN interface to internal networks.

Why this answer

To diagnose SSL VPN connectivity, check the tunnel interface with 'diagnose vpn ssl stat', verify the routing table with 'get router info routing-table', and examine the firewall policies to ensure traffic is allowed. Option E shows VPN stats, Option D shows routing (necessary for tunnel routing), and Option B checks policies.

99
MCQ · medium

What is the primary advantage of using IKEv2 over IKEv1 for IPsec VPN?

A. IKEv2 has built-in support for NAT traversal and MOBIKE
B. IKEv2 supports only main mode
C. IKEv2 requires aggressive mode
D. IKEv2 is only for route-based VPN
Answer: A

IKEv2 includes NAT-T and MOBIKE as standard.

Why this answer

IKEv2 is more robust with built-in NAT traversal and MOBIKE, and reduces latency by using fewer exchanges.

100
Multi-Select · hard

A company sets up a hub-and-spoke IPsec VPN where all spokes must communicate through the hub. The hub uses policy-based IPsec. Which THREE configurations are required on the hub to allow spoke-to-spoke traffic? (Select three.)

Select 3 answers
A. Configure IKEv2 instead of IKEv1
B. Separate phase2 selectors defining traffic between each pair of spokes
C. Static routes for each spoke's subnet pointing to the respective VPN interface
D. Firewall policies allowing traffic from each spoke's interface to the other spoke's interface
E. Enable NAT on the hub for spoke-to-spoke traffic
Answers: B, C, D

Policy-based VPN requires phase2 selectors for each pair or a broad selector covering all subnets.

Why this answer

For spoke-to-spoke traffic via hub, the hub needs firewall policies to forward traffic between spokes, static routes for spoke networks, and phase2 selectors covering source/destination pairs (or use a broad selector).

101
Multi-Select · medium

A FortiGate administrator is troubleshooting an SSL VPN issue where remote users cannot access internal resources after successful authentication. Which TWO steps should the admin take to resolve the issue? (Select two.)

Select 2 answers
A. Verify that a firewall policy exists allowing traffic from the SSL VPN interface to the internal network
B. Increase the authentication timeout
C. Check the routing table on the FortiGate to ensure return routes are present
D. Restart the FortiGate
E. Disable the SSL VPN portal
Answers: A, C

A policy is required to permit traffic.

Why this answer

If authentication succeeds but traffic fails, likely causes are missing firewall policy or incorrect routing. Check firewall policies for SSL VPN interface and ensure appropriate routes (e.g., enable split tunneling or add static routes).

102
Multi-Select · medium

A FortiGate administrator is configuring an SSL VPN tunnel mode for remote users. The administrator wants to ensure that only traffic destined for the corporate network (192.168.1.0/24) goes through the VPN, and all other traffic (e.g., internet) goes directly from the user's device. Which TWO configuration steps are required?

Select 2 answers
A. Set the SSL VPN portal's 'tunnel mode' to 'web-only'
B. Configure the SSL VPN portal to push routes for 192.168.1.0/24 to the client
C. In the SSL VPN settings, enable 'split tunneling' and configure the destination routes to include only 192.168.1.0/24
D. Disable 'tunnel mode' and use 'web mode' instead
E. Create a firewall policy on the FortiGate allowing traffic from the SSL VPN interface to the corporate network
Answers: B, C

Pushing routes ensures the client knows to send traffic for the corporate subnet through the VPN tunnel.

Why this answer

Options B and C are correct. Split tunneling must be enabled to allow direct internet access. Additionally, the routing rules (or destination routes) must specify that only the corporate subnet is routed through the VPN tunnel.

103
MCQ · medium

A network administrator configures an IPsec VPN between two FortiGates using IKEv1 main mode. The Phase 1 negotiation fails with the error 'no proposal chosen'. The administrator checks both sides and confirms the IKE version, encryption algorithm (AES256), authentication (SHA256), and Diffie-Hellman group (14) match. Which additional parameter is MOST likely mismatched?

A. Pre-shared key
B. IKE version (IKEv2)
C. Phase 2 encryption algorithm
D. Local and remote identifiers (local ID / remote ID)
Answer: D

In main mode, identifiers are exchanged. A mismatch of local or remote ID can cause 'no proposal chosen'.

Why this answer

Main mode requires the local and remote identifiers to match or be correctly configured. Often the local ID (such as the IP address or FQDN) is mismatched, causing negotiation failure despite other parameters matching.

104
MCQ · medium

An administrator is troubleshooting an IPsec VPN that uses aggressive mode. The VPN establishes successfully, but the administrator is concerned about security. Which statement is true regarding aggressive mode?

A. Aggressive mode is more secure than main mode
B. Aggressive mode transmits the identification in clear text
C. Aggressive mode provides perfect forward secrecy (PFS) by default
D. Aggressive mode uses six messages instead of three
Answer: B

The identity (ID) is not encrypted, making it vulnerable to eavesdropping.

Why this answer

In IKEv1 aggressive mode, the pre-shared key is transmitted in a hashed form but the identity is sent in clear text during Phase1. This makes it less secure than main mode, which protects the identity.

105
MCQ · medium

A captive portal is configured on a FortiGate to authenticate users before allowing internet access. Users report that after entering credentials, they are redirected to the original website, but then they cannot access other sites. What is the most likely issue?

A. The captive portal is using a self-signed certificate causing browser warnings
B. The user is not a member of the required user group specified in the firewall policy
C. The DNS server is not configured on the FortiGate
D. The session timeout is set too low
Answer: B

Captive portal authenticates the user, but the subsequent firewall policy must include the user group. If the user is not in the group, access is denied.

Why this answer

After authentication, the FortiGate must allow the user's traffic based on the firewall policy. If the policy uses the authenticated user group but the user is not in any group, traffic is blocked. Additionally, the captive portal policy must be separate from the internet access policy.

106
MCQ · medium

An administrator configures a route-based IPsec VPN between two FortiGates. The Phase 1 and Phase 2 are up. The administrator adds a static route on each FortiGate pointing to the remote subnet via the virtual tunnel interface (e.g., 'to_remote'). Traffic between the subnets fails. What is the MOST likely missing configuration?

A. NAT must be disabled on the tunnel interface
B. The tunnel interface must be added to a zone
C. The Phase 2 proposal must include the correct local and remote subnets
D. A firewall policy is required to permit traffic between the interfaces
Answer: D

Route-based VPNs require explicit firewall policies to allow traffic through the tunnel.

Why this answer

In a route-based VPN, the tunnel interface is part of a zone or has its own security policy. Without a firewall policy allowing traffic from the local subnet to the remote subnet via the tunnel interface, traffic will be dropped.

107
MCQ · medium

A FortiGate is configured with FSSO (Fortinet Single Sign-On) to authenticate users from Active Directory. Users are logging in to their domain-joined computers, but the FortiGate does not see the user sessions. The polling connector is configured correctly. What is the MOST likely reason?

A. The FSSO agent is not installed on the Domain Controller
B. The user group filter is too restrictive
C. The FortiGate is not in the same subnet as the users
D. DNS resolution for the Domain Controller is failing
Answer: D

The FortiGate needs to resolve the DC's hostname to IP. If DNS is not working, polling fails.

Why this answer

FSSO requires the FortiGate to resolve NetBIOS names to IP addresses. If DNS resolution fails, the FortiGate cannot correlate the user's login event with the IP address.

108
Multi-Select · medium

An administrator is troubleshooting an SSL VPN connection. Users can connect but cannot access internal resources. Which TWO commands would help diagnose the issue?

Select 2 answers
A. get router info routing-table
B. diagnose vpn ssl list
C. diagnose vpn ike status
D. execute ping 8.8.8.8
E. diagnose debug application dnsproxy
Answers: A, B

Shows routing entries for the SSL VPN interface.

Why this answer

Option B lists the SSL VPN sessions, and option A checks routing for the tunnel interface. Option C is for IPsec, option E is for DNS, and option D is a general connectivity test that is not specific to SSL VPN.

109
Multi-Select · medium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is established, but traffic is not passing. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. Which two additional diagnostics should the administrator run to isolate the issue?

Select 2 answers
A. diagnose sys session filter and diagnose sys session list
B. diagnose hardware sysinfo memory
C. diagnose debug application ike -1
D. diagnose netlink interface list
E. execute ping-options source and execute ping
Answers: A, C

This allows checking if sessions are being created and whether they match the expected policy.

Why this answer

To isolate traffic issues, check firewall policies that apply to the tunnel interface and verify Phase 2 selectors match the traffic. The routing table is also relevant but diagnostics focus on VPN specifics.

110
MCQ · easy

Which IPsec VPN mode is typically used when the VPN peer has a dynamic public IP address?

A. Quick mode
B. IKEv2
C. Aggressive mode
D. Main mode
Answer: C

Correct. Aggressive mode is used for peers with dynamic IPs because it can authenticate without prior IP knowledge.

Why this answer

Aggressive mode allows the initiator to send its identity and proposed parameters in the first packet, which is needed when the responder does not know the initiator's IP address (e.g., dial-up VPN). Main mode requires the responder to know the initiator IP beforehand.

111
Multi-Select · hard

A FortiGate administrator is configuring ZTNA for a web application. Which TWO components are required for a ZTNA configuration to function?

Select 2 answers
A. SSL VPN
B. IPsec VPN
C. ZTNA rules
D. ZTNA tags
E. Firewall policy
Answers: C, D

ZTNA rules define access policies.

Why this answer

ZTNA requires ZTNA rules (to control access) and ZTNA tags (client posture assessment). The ZTNA gateway is part of the FortiGate, but the question asks for components. ZTNA tags are used to verify client compliance before granting access.

112
MCQ · medium

An admin needs to configure an SSL VPN for remote users that only provides access to specific internal applications, not full network access. What feature should be configured?

A. Full tunneling
B. Client certificate authentication
C. Split tunneling
D. Web mode portal
Answer: C

Split tunneling allows the admin to define which subnets are accessible via VPN.

Why this answer

Split tunneling with specific routes ensures only traffic destined for internal applications goes through the VPN, and all other traffic goes directly to the internet.

113
MCQ · medium

A FortiGate is configured with FSSO to poll Active Directory for user logon events. Users report that their logins are not being detected. What is the FIRST step to troubleshoot?

A. Recreate all firewall policies
B. Run 'diag debug fsso poll' to verify the collector agent status
C. Disable and re-enable FSSO
D. Restart the FortiGate firewall
Answer: B

This command provides real-time debugging of FSSO polling.

Why this answer

The 'diag debug fsso poll' command shows the status of the FSSO collector agent and polling process, helping to identify issues.

114
MCQ · medium

A network administrator has configured an IPsec VPN between two FortiGate devices. The Phase 1 proposal includes AES256-SHA256-DH14. The Phase 2 proposal includes AES128-SHA1. The VPN tunnel fails to establish. Which of the following is the MOST likely cause?

A. The Phase 1 proposal is too strong and the remote FortiGate does not support DH14
B. The Phase 2 proposal does not match between the two devices
C. The VPN policy has not been configured on the remote FortiGate
D. The pre-shared key is incorrect
Answer: B

Phase 2 parameters must be identical on both sides. One side may have AES256 or a different lifetime, causing mismatch.

Why this answer

With IKEv1, the Phase 2 proposals must match exactly on both sides. The local side offers AES128-SHA1, so the negotiation fails if the peer is configured for a different encryption or authentication algorithm (for example AES256 rather than AES128).

115
MCQhard

You run 'diagnose debug application ike -1' and see the following output: 'Initiator: no acceptable proposal'. What is the MOST likely cause of this error?

A.The pre-shared key is incorrect
B.The Phase 1 encryption or hash algorithm is mismatched
C.The remote gateway is not reachable
D.The firewall policy is blocking UDP port 500
AnswerB

Mismatched proposals cause this exact error.

Why this answer

The 'no acceptable proposal' error means none of the proposals the initiator offered is in the responder's list. Because it appears in the first exchange, this is a Phase 1 mismatch of encryption, hash or DH group. A wrong pre-shared key fails later, at authentication, and an unreachable peer or a blocked UDP 500 produces retransmits and timeouts rather than a proposal error.
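A small model of the negotiation behind questions 114 and 115, added here as an example; it is not FortiOS code and the two peer configurations are constructed. It applies the rule the explanations state: the responder accepts the first proposal the initiator offered that is also in its own list, and when no common entry exists the exchange ends with "no acceptable proposal". Running it reproduces question 114 (Phase 1 agrees, Phase 2 does not) and shows the fix.

```python
"""Model of how two IKE peers settle on a proposal (added example, not FortiOS code).

The responder scans the proposals the initiator offered and accepts the first one
that is also in its own list; if none is, the exchange fails with the
"no acceptable proposal" error. Both peer configurations below are constructed
to reproduce question 114 (Phase 1 agrees, Phase 2 does not).
"""
from dataclasses import dataclass
from typing import Optional, Sequence, TypeVar

P = TypeVar("P")


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str   # e.g. "aes256"
    integrity: str    # e.g. "sha256"
    dh_group: int     # e.g. 14


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str
    integrity: str
    pfs_group: Optional[int] = None   # None means PFS disabled on this side


def negotiate(offered: Sequence[P], accepted: Sequence[P]) -> Optional[P]:
    """Return the first offered proposal the responder also lists, else None.

    Each side may list several proposals and only one common entry is needed,
    but that entry must agree on every attribute: encryption, integrity and the
    DH group (Phase 1) or PFS group (Phase 2). A PFS group enabled on only one
    side therefore fails exactly like a cipher mismatch.
    """
    accepted_set = set(accepted)
    for proposal in offered:
        if proposal in accepted_set:
            return proposal
    return None


def bring_up_tunnel(initiator: dict, responder: dict) -> str:
    """Run both phases in order and report where negotiation stops."""
    p1 = negotiate(initiator["phase1"], responder["phase1"])
    if p1 is None:
        return "phase1 failed: no acceptable proposal"
    p2 = negotiate(initiator["phase2"], responder["phase2"])
    if p2 is None:
        return "phase2 failed: no acceptable proposal"
    return (f"up: phase1={p1.encryption}-{p1.integrity}-dh{p1.dh_group}, "
            f"phase2={p2.encryption}-{p2.integrity}")


# Constructed configurations: Phase 1 agrees on AES256-SHA256-DH14, but one
# side was left at AES128-SHA1 for Phase 2 while the other expects AES256-SHA256.
HQ = {
    "phase1": [Phase1Proposal("aes256", "sha256", 14)],
    "phase2": [Phase2Proposal("aes128", "sha1", pfs_group=14)],
}
BRANCH = {
    "phase1": [Phase1Proposal("aes256", "sha256", 14)],
    "phase2": [Phase2Proposal("aes256", "sha256", pfs_group=14)],
}

# The fix an operator would apply on HQ: offer the stronger set the peer wants
# first. The old AES128-SHA1 entry is kept second only until the other peers
# that still need it are cleaned up; the order decides which common entry wins.
HQ_FIXED = {
    "phase1": HQ["phase1"],
    "phase2": [Phase2Proposal("aes256", "sha256", pfs_group=14)] + HQ["phase2"],
}

if __name__ == "__main__":
    print(bring_up_tunnel(HQ, BRANCH))        # phase2 failed: no acceptable proposal
    print(bring_up_tunnel(HQ_FIXED, BRANCH))  # up: phase1=aes256-sha256-dh14, phase2=aes256-sha256
```

The same function explains question 115: swap the DH group on one side and negotiation stops at Phase 1 instead. When both ends are FortiGates, move both to AES256-SHA256 rather than downgrading the branch to SHA1 to make the lists match.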

116
MCQmedium

A FortiGate admin is configuring a dial-up IPsec VPN for remote users. The users have dynamic IP addresses. Which Phase 1 configuration is appropriate?

A.Set the remote gateway to 'Dialup User' and enable an IP pool
B.Disable XAuth authentication
C.Set the remote gateway to the user's IP address
D.Use aggressive mode with a group pre-shared key
AnswerA

This allows any remote user to connect and get an IP from the pool.

Why this answer

For dial-up VPN with dynamic remote IPs, set the remote gateway to 'Dialup User' and configure an IP pool to assign addresses to clients.

117
MCQmedium

A FortiGate is configured with FSSO for firewall authentication. Users report they are prompted for credentials every time they access the internet, even though they are logged into the domain. What is the most likely cause?

A.The users are not members of the FSSO group.
B.The firewall policy uses 'All Users' instead of a specific group.
C.The FSSO collector agent service is not running.
D.The FortiGate's LDAP server is unreachable.
AnswerC

Without the collector agent, FortiGate cannot get logon events from AD.

Why this answer

FSSO relies on polling the domain controllers or using a collector agent to capture user logon events. If the DC polling fails or the collector agent is not working, FortiGate cannot correlate the user, so it prompts for authentication.

118
Multi-Selecthard

An administrator is configuring a hub-and-spoke IPsec VPN with a FortiGate as the hub. The spokes must be able to communicate with each other through the hub. Which TWO settings must be enabled on the hub FortiGate?

Select 2 answers
A.Enable 'arp-response' on the phase1 interface
B.Configure static routes on the hub for each spoke's local subnet
C.Set 'mode-cfg' to enable on the hub phase1
D.Enable 'auto-discovery-sender' on the hub
E.Enable 'add-route' on each phase1 interface
AnswersA, B

When the hub receives traffic for a spoke, it needs to respond to ARP requests for the spoke's IP on the phase1 interface; otherwise, the hub won't forward.

Why this answer

For spoke-to-spoke traffic to pass through the hub, the hub must answer ARP for the remote spokes' addresses on its phase1 interface (A) and must know which tunnel each spoke subnet lives behind, which the static routes per spoke provide (B). 'add-route' (E) is not needed when the routes are configured statically, and mode-cfg and auto-discovery-sender (C, D) belong to dial-up and ADVPN designs rather than to plain hub forwarding. In practice a firewall policy from the hub's phase1 interface back to the same interface (or to a zone containing it) is also required, since traffic that enters and leaves on the tunnel interface is still subject to policy.

119
MCQeasy

An administrator wants to use Active Directory credentials to authenticate firewall administrators. Which authentication server type should be configured on the FortiGate?

A.TACACS+
B.FSSO
C.LDAP
D.RADIUS
AnswerC

LDAP is the protocol used to query Active Directory for authentication and user attributes.

Why this answer

FortiGate supports LDAP for integration with Active Directory. LDAP is the standard protocol for querying AD user information.

120
MCQhard

You run the command 'diagnose vpn ike log filter name vpn1' and then 'diagnose vpn ike log filter type phase1'. The log shows: 'IKEv1 exchange:f4470f07:00000000: responder: main mode: received IKE_SA_INIT (aggressive mode not allowed)'. What is the problem?

A.The initiator is using IKEv2 while the responder uses IKEv1
B.The responder is configured for main mode only, but the initiator is sending aggressive mode
C.The pre-shared key is wrong
D.The phase1 proposal is incompatible
AnswerB

The responder rejects the aggressive mode init because its configuration only allows main mode.

Why this answer

The operative part of the log is the parenthetical 'aggressive mode not allowed': the responder's phase1 is set to main mode, so it rejects an initiator that proposes aggressive mode. Strictly, IKE_SA_INIT is the name of the first IKEv2 exchange and an IKEv1 responder would log main or aggressive mode messages instead, so the message name in the question is inconsistent; the rejection reason is what identifies the problem. The PSK (C) is not checked until later in the exchange, and a proposal mismatch (D) would be reported as no acceptable proposal.

121
Multi-Selectmedium

A FortiGate administrator is configuring FSSO to authenticate users transparently. The FSSO collector agent is installed on a Windows server in the domain. Which TWO requirements must be met for FSSO to work correctly?

Select 2 answers
A.The FortiGate must be a member of the Active Directory domain
B.The users must authenticate via captive portal at least once
C.The FortiGate must be able to reach the FSSO collector agent on TCP port 8000 (or the configured port)
D.The firewall policies must use FSSO groups directly without any user objects
E.The FSSO collector agent must have network access to the Active Directory domain controllers
AnswersC, E

The collector agent communicates with the FortiGate on a specific port (default 8000) to send login events.

Why this answer

Options C and E are correct. The FortiGate must be able to reach the collector agent (TCP 8000 by default) to receive logon events, and the collector agent must reach the domain controllers to read those events. The FortiGate itself never joins the domain (A), users are identified passively and need no captive portal logon (B), and firewall policies reference FSSO user groups, which are user objects on the FortiGate (D).

122
MCQhard

A FortiGate is configured with IPsec VPN using IKEv2 and a policy-based tunnel. The remote subnet is 10.0.2.0/24, and the local subnet is 192.168.1.0/24. The tunnel is up, but traffic from 192.168.1.0/24 to 10.0.2.0/24 fails. The administrator checks the firewall policy and sees a policy allowing traffic from the local interface (port1) to the WAN interface the phase1 is bound to, with the action set to IPSEC and the tunnel selected. What is the most likely missing configuration?

A.IKEv2 does not support policy-based VPNs
B.The tunnel interface is not assigned to the correct VDOM
C.The Phase 2 proposal does not match the remote subnet
D.The firewall policy's source or destination addresses are not correctly set to the local and remote subnets
AnswerD

Policy-based VPNs require the policy to explicitly specify the local and remote subnets in source/destination. If set to 'all', it may work, but the failure suggests mismatch.

Why this answer

A policy-based VPN is selected by a firewall policy whose action is IPSEC, with the internal interface (port1) as incoming and the WAN interface the phase1 is bound to as outgoing; unlike a route-based VPN there is no tunnel interface to route into. With the interfaces and action already correct, the remaining match criteria are the source and destination addresses, which must cover 192.168.1.0/24 and 10.0.2.0/24 (and the policy must allow inbound traffic if the remote site initiates). IKEv2 works with policy-based VPNs, so A is wrong, and a Phase 2 selector mismatch (C) would normally stop the tunnel from coming up at all.

The policy most likely uses the wrong subnets, or address objects that do not contain the hosts in question.

123
Multi-Selectmedium

A site-to-site IPsec VPN is configured with IKEv2. The tunnel establishes but traffic does not pass. Which two troubleshooting steps should the administrator perform first?

Select 2 answers
A.Check the Phase 2 selectors.
B.Verify that the Phase 1 proposal matches.
C.Check the firewall policies allowing traffic through the tunnel.
D.Check the routing table for routes pointing to the remote networks.
AnswersC, D

Policies must permit traffic between zones.

Why this answer

Option C is correct because even if the IPsec tunnel is established, traffic will not pass unless firewall policies explicitly permit it. In FortiGate, a Phase 2 tunnel being up does not imply that traffic is allowed; you must have a policy that matches the source/destination and enables the action to forward traffic through the tunnel interface.

Exam trap

The trap here is that candidates assume a 'tunnel up' status guarantees traffic flow, but FortiGate separates tunnel negotiation from firewall policy enforcement, so both a policy and a route are required for traffic to pass.

124
MCQhard

A FortiGate administrator runs 'diagnose vpn tunnel list' and sees the following output for an IPsec tunnel: 'status: up', 'incoming: 0 packets', 'outgoing: 100 packets'. Phase 1 and Phase 2 both show state 'up'. What is the MOST likely cause of zero incoming packets?

A.The remote gateway is using aggressive mode
B.The FortiGate has a static route pointing to the VPN interface
C.The VPN is configured in policy-based mode
D.The Phase 2 proposal includes a mismatched proxy ID
AnswerD

If the remote side expects a different subnet, it may drop incoming packets or not respond.

Why this answer

If outgoing packets are being sent but no incoming packets, the remote side may have a misconfiguration such as a wrong remote subnet in Phase 2 or a firewall policy blocking return traffic.

125
MCQhard

You run the CLI command 'diagnose vpn ike gateway list' and see that an IPsec VPN gateway is in 'up' state with 'initiator' mode, but no Phase 2 selectors are established. What is the most likely cause?

A.The Phase 2 proposal parameters (encryption, authentication) do not match between peers
B.The remote gateway is not responding to IKE packets
C.The local and remote Phase 2 selectors (proxy IDs) do not match
D.The IPsec interface is down
AnswerC

Mismatched proxy IDs prevent Phase 2 negotiation from completing successfully. The Phase 1 can be up but Phase 2 fails to establish.

Why this answer

The Phase 1 shows up, meaning IKE SA is established. But Phase 2 is down. Common causes include mismatched proxy IDs (Phase 2 selectors), firewall policies not matching, or firewall rules blocking IPsec traffic.

The output indicates Phase 1 is up, so the issue is at Phase 2.

126
MCQeasy

A FortiGate administrator wants to authenticate VPN users against an existing LDAP server. The administrator creates an LDAP user group on the FortiGate. What additional configuration is REQUIRED to use this group for IPsec VPN authentication?

A.In the IPsec Phase 1 configuration, set the peer type to 'dialup' and specify the user group under authentication
B.Enable LDAP over TLS (LDAPS) on the FortiGate
C.Assign the LDAP user group to a firewall policy
D.Configure a RADIUS server as an intermediate proxy between FortiGate and LDAP
AnswerA

For dial-up IPsec VPN, the Phase 1 configuration must include the user group to authenticate users against LDAP.

Why this answer

Option A is correct. The user group must be referenced in the IPsec Phase 1 settings: on the CLI a dial-up phase1 uses 'set type dynamic' with 'set peertype dialup' and 'set usrgrp <group>', and XAuth ('set xauthtype auto') performs the username and password check against the LDAP server behind the group. LDAPS (B) is advisable but not required for the group to work, a firewall policy (C) is needed for traffic, not for authenticating the tunnel, and no RADIUS proxy (D) is involved.

127
MCQmedium

A network administrator wants to implement two-factor authentication for SSL VPN users using FortiToken. The users are already authenticated against an LDAP server. Which configuration step is required to enforce two-factor authentication?

A.Create a local user with the same username as the LDAP user and assign a FortiToken to that local user
B.Create a user group that uses LDAP as the authentication server and enable FortiToken two-factor authentication in the group settings
C.Configure the SSL VPN portal to require FortiToken and set the authentication server to LDAP
D.Set the SSL VPN authentication method to 'certificate' and use FortiToken as second factor
AnswerB

Correct. The user group authenticates against LDAP and then requires a FortiToken for two-factor.

Why this answer

For two-factor authentication, FortiGate requires a user group with the LDAP server as the primary authentication, and then enabling FortiToken two-factor authentication on that group. This allows the user to first authenticate via LDAP (password) and then provide a FortiToken code.

128
MCQhard

An administrator configures FSSO (Fortinet Single Sign-On) with Active Directory polling. Users report that their web traffic is being blocked by the firewall even though they are logged into the domain. Which CLI command can the administrator use to verify the FSSO login status for a specific user?

A.diagnose user fsso poll user <username>
B.diagnose wad user list
C.diagnose debug authd fsso list
D.diagnose test authserver ldap <server> <username>
AnswerC

Correct. This command lists all FSSO users with their IP addresses and group memberships.

Why this answer

The command 'diagnose debug authd fsso list' displays all FSSO users currently known to FortiGate, including their IP addresses and login state. This is the primary command to verify if the user is recognized by FSSO.

129
MCQeasy

Which of the following is a characteristic of route-based IPsec VPN compared to policy-based IPsec VPN?

A.Route-based VPN is only supported in IKEv1
B.Route-based VPN requires Phase 2 selectors to match both local and remote subnets
C.Route-based VPN can use dynamic routing protocols like OSPF
D.Route-based VPN uses firewall policies with IPsec action
AnswerC

The tunnel interface can participate in routing protocols.

Why this answer

Route-based VPNs create a virtual tunnel interface named after the phase1 (a phase1 called 'to_branch' yields an interface 'to_branch'); routes, including OSPF or BGP running over the tunnel, point at that interface, and ordinary ACCEPT policies reference it. Policy-based VPNs instead select traffic with a firewall policy whose action is IPSEC and have no interface to run a routing protocol over. IKE version is independent of the mode, so A is wrong, both modes have Phase 2 selectors (B), and D describes policy-based VPNs.

130
Matchingmedium

Match each FortiGate VPN type to its characteristic.


Connects two networks over the internet securely

Provides remote access via web browser or client software

Legacy VPN protocol with weaker security

Combines Layer 2 tunneling with IPsec encryption

Auto-discovery VPN that dynamically establishes shortcuts

Why these pairings

These are the VPN types FortiGate supports: site-to-site IPsec connects two networks over the internet; SSL VPN provides remote access in web mode (browser) or tunnel mode (client); PPTP is the legacy protocol with weak security; L2TP over IPsec combines Layer 2 tunneling with IPsec encryption; ADVPN (Auto Discovery VPN) dynamically builds spoke-to-spoke shortcuts.

131
MCQeasy

An organization wants to use FortiToken for two-factor authentication on SSL VPN logins. Which authentication method must be enabled on the FortiGate to support this?

A.Two-factor authentication with FortiToken
B.RADIUS authentication
C.PKI authentication
D.LDAP authentication
AnswerA

This is the setting that enables token-based OTP.

Why this answer

FortiToken requires two-factor authentication. On FortiGate, this is configured by enabling 'Two-factor Authentication' under the user group or authentication settings, typically set to 'FortiToken' for token-based OTP.

132
Drag & Dropmedium

Drag and drop the steps to upgrade FortiGate firmware via the web interface into the correct order.


Why this order

Firmware upgrade requires uploading the image and confirming; the device reboots automatically.

133
MCQeasy

An administrator wants to restrict SSL VPN access to only users who have a valid client certificate issued by the company's internal CA. Which setting should be configured?

A.Configure a firewall policy with identity-based authentication
B.Enable 'certificate-based authentication' in the user group
C.Enable 'require client certificate' in the SSL VPN settings
D.Import the users' public keys into the FortiGate
AnswerC

This setting forces the client to provide a certificate during SSL handshake.

Why this answer

In SSL VPN, client certificate authentication can be enabled to require users to present a certificate. The FortiGate validates the certificate against a CA certificate.

134
MCQeasy

A FortiGate administrator wants to configure a captive portal to authenticate users before granting network access. Which authentication method is used by the captive portal?

A.Form-based authentication
B.IPsec pre-shared key authentication
C.X.509 certificate authentication
D.NTLM authentication
AnswerA

Captive portal presents a web form for user credentials.

Why this answer

Captive portal uses form-based authentication where users enter credentials in a web page. It does not use NTLM or machine authentication by default.

135
MCQeasy

A FortiGate administrator wants to enforce two-factor authentication for SSL VPN users. The organization uses FortiToken mobile tokens. What must be configured on the FortiGate to enable FortiToken authentication?

A.In the user group configuration, enable two-factor authentication and select 'FortiToken'
B.Configure a RADIUS server to forward FortiToken requests
C.Set the SSL VPN portal to require client certificates
D.Install the FortiToken mobile app on the FortiGate
AnswerA

Two-factor authentication must be enabled on the user group using FortiToken as the method.

Why this answer

Option A is correct. FortiToken requires that two-factor authentication is enabled for the user group. This is typically done by setting the 'two-factor' option to 'fortitoken' in the user group configuration or in the authentication rule.

136
MCQeasy

Which of the following FortiGate features allows users to authenticate using a one-time password generated by a mobile app?

A.FSSO
B.LDAP
C.FortiToken
D.Captive portal
AnswerC

FortiToken generates OTPs for two-factor authentication.

Why this answer

FortiToken Mobile is a two-factor authentication solution that generates one-time passwords (OTP) on a smartphone app. FortiToken can be either hardware token or mobile token.

137
Multi-Selectmedium

A FortiGate administrator is configuring RADIUS authentication for firewall users. Which THREE steps are required to complete the configuration? (Select THREE.)

Select 3 answers
A.Import the RADIUS server certificate into FortiGate
B.Configure a firewall policy with the user group set in 'users/groups'
C.Define the RADIUS server under 'config user radius'
D.Create a user group that uses the RADIUS server as the authentication source
E.Enable 'set auth-type radius' on the interface
AnswersB, C, D

The firewall policy enforces authentication for traffic.

Why this answer

To configure RADIUS authentication, you must define the RADIUS server, create a user group that references the RADIUS server, and then configure a firewall policy that uses that user group for authentication. The RADIUS server itself needs to be accessible, but the configuration steps on FortiGate are these three.

138
MCQmedium

A network admin configures a site-to-site IPsec VPN between two FortiGates using IKEv1 main mode. The tunnel establishes successfully, but no traffic passes. What is the MOST likely cause?

A.Aggressive mode should be used instead of main mode
B.The pre-shared key is incorrect
C.There is no firewall policy allowing traffic through the VPN tunnel
D.The phase2 proposal does not match between peers
AnswerC

A firewall policy must explicitly permit traffic from the source to destination zone using the VPN interface.

Why this answer

'Tunnel up' means Phase 1 and Phase 2 both negotiated successfully, which rules out a wrong pre-shared key (B) or a phase2 mismatch (D). Forwarding through the tunnel is a separate decision: without a firewall policy between the internal interface and the VPN interface, the traffic hits the implicit deny even though the SA exists. Aggressive mode (A) would weaken Phase 1 and does nothing for forwarding.

139
MCQhard

An SSL VPN user connects via web mode but cannot access internal resources. The admin checks the SSL VPN settings: tunnel mode is disabled, split tunneling is enabled, and the user's realm is configured correctly. What is the MOST likely cause?

A.No port forwarding rules are configured in the SSL VPN portal
B.Split tunneling is blocking internal routes
C.The user's browser does not support WebSocket
D.The user's client certificate is expired
AnswerA

Web mode exposes only the resources the portal publishes (bookmarks, including the port-forward type).

Why this answer

Web mode has no virtual network adapter, so there is nothing for split tunneling to route: the user reaches only what the portal publishes as bookmarks (including port-forward bookmarks) or permits under URL access. With none configured, the portal is empty. Split tunneling (B) applies to tunnel mode only, and an expired client certificate (D) would have stopped the login itself rather than access to resources afterwards.

140
MCQeasy

Which IPsec VPN mode uses IP addresses and ports to define interesting traffic, and requires a separate security policy for each tunnel?

A.Hub-and-spoke VPN
B.Policy-based VPN
C.Dial-up VPN
D.Route-based VPN
AnswerB

Policy-based VPNs define traffic via firewall policies with action IPsec.

Why this answer

Policy-based VPNs use a firewall policy with the IPSEC action to define the traffic to be encrypted, so each tunnel needs its own policy. Route-based VPNs instead send traffic into a tunnel interface by routing, and ordinary ACCEPT policies govern it; hub-and-spoke and dial-up (A, C) are topologies, not VPN modes.

141
MCQeasy

Which of the following is a benefit of using IKEv2 over IKEv1 for IPsec VPN?

A.IKEv2 supports only main mode
B.IKEv2 requires fewer firewall rules
C.IKEv2 uses a single UDP port 500
D.IKEv2 is more robust to network changes and supports MOBIKE
AnswerD

IKEv2 includes features like MOBIKE for mobility.

Why this answer

IKEv2 is more resilient to network changes and supports MOBIKE, which allows the VPN to survive IP address changes.

142
Multi-Selecthard

A FortiGate is configured for SSL VPN tunnel mode with split tunneling enabled. The administrator wants to ensure that traffic to the corporate DNS server (10.0.1.10) goes through the tunnel while all other traffic goes directly to the internet. Which THREE configuration steps are required?

Select 3 answers
A.Add the DNS server subnet (10.0.1.0/24) to the split tunneling destinations
B.Disable NAT on the tunnel interface
C.Configure the DNS server IP in the SSL VPN settings as a split tunneling destination
D.Enable split tunneling in the SSL VPN portal configuration
E.Configure a static route on the client for 10.0.1.0/24 via the virtual adapter
AnswersA, C, D

This ensures traffic to that subnet is sent through the tunnel.

Why this answer

Enable split tunneling in the portal (D) and add the destination to the split tunneling routing address list; either the server's subnet (A) or its single address (C) works, and the host address is the tighter choice. The client installs a route for each listed destination when it connects, so no manual client route (E) is required, and NAT on the tunnel interface (B) is a policy setting unrelated to which traffic enters the tunnel. A firewall policy from the SSL VPN interface to the DNS server's network must still exist for the queries to be allowed.
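To make the routing point in questions 112 and 142 concrete, here is an added example (not FortiClient or FortiOS code) that applies longest-prefix matching to the route table an SSL VPN client ends up with. All routes and addresses are constructed: 10.0.1.0/24 is the split tunnel destination from question 142, 'ssl-vpn' stands for the client's virtual adapter and 'wlan0' for its physical NIC, and the metrics are illustrative.

```python
"""Longest-prefix match over the routing table an SSL VPN client ends up with,
to show what split tunneling does and does not control.

Added example, not FortiClient or FortiOS code. All routes and addresses are
constructed: 10.0.1.0/24 is a split tunnel destination, 'ssl-vpn' stands for
the client's virtual adapter and 'wlan0' for its physical NIC.
"""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int   # lower wins when two prefixes are equally long


def route_for(dest: str, table: List[Route]) -> str:
    """Egress interface for dest: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.iface


def client_table(split_destinations: List[str], split_tunneling: bool) -> List[Route]:
    """Routes present on the client after it connects.

    With split tunneling on, the portal pushes one route per listed destination
    and the NIC's default route stays in place. With it off, the client adds a
    default route through the virtual adapter with a better metric than the NIC's.
    """
    table = [Route(ipaddress.ip_network("0.0.0.0/0"), "wlan0", metric=100)]
    if split_tunneling:
        table += [Route(ipaddress.ip_network(d), "ssl-vpn", metric=1) for d in split_destinations]
    else:
        table.append(Route(ipaddress.ip_network("0.0.0.0/0"), "ssl-vpn", metric=1))
    return table


SPLIT_ON = client_table(["10.0.1.0/24"], split_tunneling=True)
SPLIT_OFF = client_table(["10.0.1.0/24"], split_tunneling=False)
# Misconfiguration: a 0.0.0.0/0 entry in the split tunnel destination list pushes
# a default route through the tunnel and silently turns split tunneling off.
SPLIT_ON_BUT_DEFAULT_PUSHED = client_table(["10.0.1.0/24", "0.0.0.0/0"], split_tunneling=True)

if __name__ == "__main__":
    for name, table in [("split on", SPLIT_ON), ("split off", SPLIT_OFF),
                        ("split on, 0.0.0.0/0 listed", SPLIT_ON_BUT_DEFAULT_PUSHED)]:
        print(f"{name:28} DNS 10.0.1.10 -> {route_for('10.0.1.10', table):8} "
              f"8.8.8.8 -> {route_for('8.8.8.8', table)}")
```

The third table is the case to check when users report that all internet traffic goes through the tunnel despite split tunneling being enabled. Whatever the table says, reachability is still decided on the FortiGate by the policy from the SSL VPN interface (ssl.root) to the internal interface; the client routes only decide which traffic is offered to that policy.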

143
MCQhard

An administrator runs 'diagnose vpn ike gateway list' on a FortiGate and sees the following output for a dial-up IPsec VPN: gateway name: 'dialup' version: IKEv1 mode: aggressive local IP: 203.0.113.1 remote IP: 0.0.0.0 state: up peers: 0 What does 'peers: 0' indicate?

A.The remote IP should be set to a specific address
B.The gateway is in a down state
C.No IPsec clients are currently connected
D.The Phase 2 proposals are mismatched
AnswerC

Peers: 0 indicates zero active connections.

Why this answer

The 'peers' count shows how many clients are currently connected. A value of 0 means no clients have successfully completed Phase 1. The gateway is up (listening) but no peers have connected.

144
MCQhard

After upgrading FortiOS, an IPsec VPN tunnel fails to come up. The diagnose output shows 'negotiation failed: no acceptable proposal'. The remote peer is a third-party device. Which step should you take first?

A.Change the IKE version to IKEv2
B.Disable dead peer detection on the FortiGate
C.Reboot the remote peer
D.Check the phase1 and phase2 proposal settings on both ends to ensure they match
AnswerD

Mismatched parameters like encryption, hash, DH group are common causes.

Why this answer

The log indicates proposal mismatch. Since the remote peer is third-party, the FortiGate should be configured to match the remote peer's proposals. Checking the phase1 and phase2 settings against the remote peer's requirements is the logical first step.

145
MCQmedium

An administrator has configured LDAP authentication on a FortiGate. When testing the LDAP connectivity, the test succeeds. However, users cannot authenticate through the captive portal. What is a possible cause?

A.The captive portal is disabled
B.The user group is not configured to use the LDAP server
C.The LDAP server is not reachable from the captive portal interface
D.The LDAP server's SSL certificate is expired
AnswerB

The user group must include the LDAP server as the authentication source.

Why this answer

Even if LDAP connectivity is successful, the user group must be configured to use the LDAP server. Also, the firewall policy must have the LDAP user group as the allowed user.

146
MCQhard

You run the following CLI command on a FortiGate: 'diagnose vpn ike config list'. The output includes: 'src 10.0.1.0/24:0 dst 192.168.1.0/24:0'. What does this indicate?

A.The firewall policy is allowing traffic from 10.0.1.0/24 to 192.168.1.0/24
B.The Phase 2 configuration is using 10.0.1.0/24 as local subnet and 192.168.1.0/24 as remote subnet
C.The Phase 1 configuration is using 10.0.1.0/24 as local address
D.The tunnel is in dial-up mode with dynamic remote subnet
AnswerB

Phase 2 selectors define the traffic to be encrypted.

Why this answer

The command shows IKE configuration for Phase 2 selectors. The 'src' and 'dst' represent the local and remote subnets that will be protected by the VPN tunnel.
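Questions 125 and 146 both turn on whether the two peers' Phase 2 selectors line up. The following added example (not FortiOS code) parses selector lines in the format quoted in question 146 and checks them the way IKEv1 and IKEv2 do; the two peer selectors it uses are constructed, and the 0.0.0.0/0 wildcard rule models the FortiGate dial-up default of accepting whatever the initiator proposes.

```python
"""Check that two peers' Phase 2 selectors (proxy IDs) mirror each other.

Added example, not FortiOS code. The selector text format follows the line
'src 10.0.1.0/24:0 dst 192.168.1.0/24:0' (the trailing ':0' is the port and
0 means any port); the two peer selectors below are constructed.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

_SELECTOR_RE = re.compile(r"src (\S+):(\d+) dst (\S+):(\d+)")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


class Selector(NamedTuple):
    src: ipaddress.IPv4Network
    src_port: int
    dst: ipaddress.IPv4Network
    dst_port: int

    def mirrored(self) -> "Selector":
        """What the other peer has to configure for this selector to line up."""
        return Selector(self.dst, self.dst_port, self.src, self.src_port)

    def is_wildcard(self) -> bool:
        return (self.src == ANY_NET and self.dst == ANY_NET
                and self.src_port == 0 and self.dst_port == 0)


def parse_selector(line: str) -> Selector:
    """Parse one 'src A/len:port dst B/len:port' line into a Selector."""
    m = _SELECTOR_RE.search(line)
    if not m:
        raise ValueError(f"not a selector line: {line!r}")
    return Selector(ipaddress.ip_network(m.group(1)), int(m.group(2)),
                    ipaddress.ip_network(m.group(3)), int(m.group(4)))


def ikev1_match(local: Selector, remote: Selector) -> bool:
    """IKEv1 quick mode: the remote selector must be the exact mirror of ours.

    The one relaxation modelled is a 0.0.0.0/0 wildcard on the remote side
    (the FortiGate dial-up default), which accepts whatever we propose.
    """
    return remote.is_wildcard() or local.mirrored() == remote


def _narrow_net(a, b):
    """Overlap of two prefixes, or None when they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def _narrow_port(a: int, b: int) -> Optional[int]:
    if a == 0:
        return b
    if b == 0 or a == b:
        return a
    return None


def ikev2_narrow(local: Selector, remote: Selector) -> Optional[Selector]:
    """IKEv2 may narrow traffic selectors to the overlap (RFC 7296, section 2.9).

    Returns the narrowed selector from our point of view, or None when there is
    no overlap at all, in which case the Child SA (Phase 2) is not created even
    though the IKE SA (Phase 1) is up.
    """
    want = remote.mirrored()
    parts = (_narrow_net(local.src, want.src), _narrow_port(local.src_port, want.src_port),
             _narrow_net(local.dst, want.dst), _narrow_port(local.dst_port, want.dst_port))
    if any(p is None for p in parts):
        return None
    return Selector(*parts)


# Constructed selector lines as each peer would show them.
HQ_SELECTOR = parse_selector("src 192.168.1.0/24:0 dst 10.0.2.0/24:0")
BRANCH_SELECTOR = parse_selector("src 10.0.2.0/25:0 dst 192.168.1.0/24:0")  # only half the subnet

if __name__ == "__main__":
    print("IKEv1 match:", ikev1_match(HQ_SELECTOR, BRANCH_SELECTOR))   # False: /24 versus /25
    print("IKEv2 narrowed to:", ikev2_narrow(HQ_SELECTOR, BRANCH_SELECTOR))
```

With IKEv1 the /24 against /25 mismatch leaves Phase 1 up and Phase 2 down, the symptom in question 125; with IKEv2 the Child SA comes up narrowed to 10.0.2.0/25, and hosts in 10.0.2.128/25 then fail quietly, which is harder to spot than an outright mismatch.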

147
MCQeasy

A FortiGate admin wants to authenticate VPN users against an existing Microsoft Active Directory. Which authentication method should be configured on the FortiGate?

A.LDAP
B.RADIUS
C.FSSO
D.TACACS+
AnswerA

LDAP is designed for directory services like Active Directory.

Why this answer

LDAP is the standard protocol for querying Active Directory for user authentication.

148
MCQmedium

A FortiGate administrator is configuring an SSL VPN web mode portal. The administrator wants users to access only a specific internal web application (https://internal-app.company.local) and nothing else. Which SSL VPN setting should be configured to achieve this?

A.In the SSL VPN portal, set the default bookmark to the application URL
B.Configure a firewall policy that allows traffic only to the application's IP address
C.Enable split tunneling under the SSL VPN settings
D.Under the SSL VPN portal, configure 'URL Access' to allow only https://internal-app.company.local
AnswerD

URL Access in the SSL VPN portal restricts which web addresses users can browse. Only the specified URLs are accessible.

Why this answer

Option D is correct. In web mode, 'URL Access' allows the administrator to specify which URLs users can access. By adding only the desired application URL, the administrator restricts access to that application only.

149
Multi-Selectmedium

An administrator is troubleshooting an IPsec VPN that is not passing traffic. The Phase 1 and Phase 2 are both up. Which TWO CLI commands can be used to verify the VPN tunnel status and traffic flow? (Choose two.)

Select 2 answers
A.diagnose vpn tunnel list
B.execute ping-options source
C.diagnose vpn ike config
D.diagnose netlink interface list
E.diagnose sys session list
AnswersA, E

Shows the status of IPsec tunnels.

Why this answer

The 'diagnose vpn tunnel list' shows the status of IPsec tunnels. 'diagnose sys session list' with filters shows active sessions that may be using the VPN tunnel.

150
MCQeasy

What is the primary function of Fortinet Single Sign-On (FSSO) in a FortiGate deployment?

A.To provide two-factor authentication using FortiToken
B.To sync FortiGate configuration with Active Directory
C.To authenticate users against a RADIUS server
D.To collect user login events from Active Directory for user-based policies
AnswerD

FSSO polls AD for logon events to map usernames to IPs.

Why this answer

FSSO collects user login information from Active Directory to dynamically associate IP addresses with usernames, enabling user-aware firewall policies without requiring explicit user authentication on the FortiGate.
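The following added example (not FortiOS code) simulates the lookup described above: the FortiGate keys the FSSO logon table by source IP and walks the policies top down. It shows why a missing logon entry becomes a credential prompt (question 117) or a block (question 128) depending on what follows in the policy list. The text block is constructed to resemble the output of 'diagnose debug authd fsso list'; the users, addresses, group names and policy names are invented.

```python
"""Simulate how a FortiGate matches identity policies against the FSSO logon table.

Added example, not FortiOS code. FSSO_LIST is constructed to resemble the output
of 'diagnose debug authd fsso list'; users, addresses, groups and policy names
are invented.
"""
import re
from typing import Dict, List, NamedTuple, Set

FSSO_LIST = """\
----FSSO logons----
IP: 10.1.10.21  User: JSMITH  Groups: CN=Domain Users,CN=Users,DC=corp,DC=example  Workstation: PC-021  MemberOf: FSSO_Staff
IP: 10.1.10.22  User: ACHEN  Groups: CN=Finance,OU=Groups,DC=corp,DC=example  Workstation: PC-022  MemberOf: FSSO_Finance,FSSO_Staff
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

_LOGON_RE = re.compile(r"^IP:\s*(\S+)\s+User:\s*(\S+).*\bMemberOf:\s*(.*)$")


class Logon(NamedTuple):
    user: str
    groups: Set[str]      # FortiGate FSSO user groups the logon maps to


class Policy(NamedTuple):
    name: str
    auth: str             # 'fsso' (passive) or 'active' (LDAP/local/RADIUS challenge)
    groups: Set[str]


def parse_fsso_list(text: str) -> Dict[str, Logon]:
    """Map source IP -> Logon from the listing; non-logon lines are ignored."""
    table: Dict[str, Logon] = {}
    for line in text.splitlines():
        m = _LOGON_RE.match(line)
        if m:
            ip, user, member_of = m.groups()
            table[ip] = Logon(user, {g.strip() for g in member_of.split(",") if g.strip()})
    return table


def evaluate(src_ip: str, policies: List[Policy], fsso_table: Dict[str, Logon]) -> str:
    """Verdict for a new session from src_ip that matches every other policy criterion.

    Policies are evaluated top down. A policy with FSSO groups matches only if the
    logon table already identifies the source IP in one of those groups; otherwise
    it is skipped, not denied. A policy with active-authentication groups makes
    the FortiGate challenge the user. Nothing matching means the implicit deny.
    """
    logon = fsso_table.get(src_ip)
    for pol in policies:
        if pol.auth == "fsso":
            if logon and logon.groups & pol.groups:
                return f"allow by {pol.name} as {logon.user}"
            continue
        if pol.auth == "active":
            return f"prompt for credentials by {pol.name}"
    return "implicit deny"


FSSO_TABLE = parse_fsso_list(FSSO_LIST)
POLICIES = [
    Policy("staff-web", "fsso", {"FSSO_Staff"}),
    Policy("guest-ldap", "active", {"LDAP_Users"}),
]

if __name__ == "__main__":
    print(evaluate("10.1.10.21", POLICIES, FSSO_TABLE))   # allow by staff-web as JSMITH
    print(evaluate("10.1.10.50", POLICIES, FSSO_TABLE))   # prompt for credentials by guest-ldap
    print(evaluate("10.1.10.21", POLICIES, {}))           # collector down: everyone is prompted
    print(evaluate("10.1.10.50", POLICIES[:1], FSSO_TABLE))  # implicit deny
```

The third call is the situation in question 117 (collector agent not running, so the table is empty and even domain users fall through to the active-authentication policy), and the fourth is question 128 (no fallback policy, so an unknown IP is simply blocked). Checking the table with 'diagnose debug authd fsso list' before touching policies tells these two apart.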
