CCNA Authentication and VPN Questions

36 of 186 questions · Page 3/3 · Authentication and VPN · Answers revealed

151
MCQ · medium

A remote user connects via SSL VPN web mode but cannot access internal resources. The SSL VPN portal is configured with the default settings. What is the most likely reason?

A. The user must be authenticated via LDAP
B. The user has not installed the FortiClient VPN plugin
C. Web mode only allows access to specific bookmarks configured in the portal
D. The SSL VPN policy is missing a security profile
Answer: C

Web mode is clientless and limited to pre-configured bookmarks. Without bookmarks, no access is granted.

Why this answer

Web mode provides clientless access only to bookmarked web applications. To access other internal resources, tunnel mode (with a virtual adapter) is required.

152
Multi-Select · hard

A FortiGate is configured with FSSO and Active Directory polling. Users report that they are frequently prompted for authentication even though they are logged into the domain. Which THREE possible causes should the administrator investigate?

Select 3 answers
A. The user's IP address has changed and the FortiGate still has a stale mapping
B. The FortiToken server is overloaded
C. The user's workstation is not sending logon events to the domain controller
D. The captive portal is enabled on the policy
E. The FortiGate is not polling the domain controllers correctly
Answers: A, C, E

IP changes can cause loss of FSSO session.

Why this answer

Stale IP mapping (A), logon events not being sent (C), and polling issues (E) are common causes. Option B is about FortiToken, which is not relevant to FSSO. Option D is for captive portal, not FSSO.

153
MCQ · hard

An administrator configures a dial-up IPsec VPN with IKEv2 to allow remote users to connect. The Phase 1 is set to use certificate-based authentication (PKI). Users can establish Phase 1, but Phase 2 fails with 'no proposal chosen'. The administrator checks the Phase 2 proposal: AES256-SHA256, and the remote network is 10.0.0.0/8 (the corporate LAN). What is the MOST likely cause?

A. The remote network in Phase 2 is set to 10.0.0.0/8
B. The remote network in Phase 2 is set to 0.0.0.0/0
C. The Phase 1 encryption algorithm is mismatched
D. The authentication type requires EAP instead of certificate
Answer: A

The remote network in Phase 2 should be 0.0.0.0/0 for dial-up, because the client's real IP is dynamic. Setting it to 10.0.0.0/8 means the FortiGate expects the client's IP to be in that range, which it is not.

Why this answer

In dial-up VPN, the Phase 2 selector on the FortiGate must be set to 0.0.0.0/0 to accept traffic from any remote IP, or the specific remote subnet must match the user's assigned IP pool. If the remote network is set to anything other than 0.0.0.0/0, it may mismatch the client's proposal.

154
MCQ · medium

An administrator wants to enable two-factor authentication for SSL VPN users using FortiToken. Which configuration is required on the FortiGate?

A. Create a RADIUS server pointing to FortiAuthenticator
B. Set the authentication timeout to 60 seconds
C. Configure SSL VPN to use certificate authentication
D. Add the FortiToken to the user's account and enable 'fortitoken' in the user group
Answer: D

The token must be assigned to the user, and the group must require token authentication.

Why this answer

FortiToken two-factor authentication is enforced by enabling 'fortitoken' in the user group settings. The group must be added to the SSL VPN firewall policy.

155
MCQ · medium

A FortiGate administrator is configuring a hub-and-spoke IPsec VPN. The hub has multiple Phase 2 selectors for each spoke. What is the recommended way to simplify configuration on the hub when adding new spokes?

A. Use a single Phase 2 selector with 0.0.0.0/0.0.0.0 for both local and remote
B. Configure each spoke in a separate VDOM
C. Use aggressive mode for Phase 1
D. Use policy-based VPN instead of route-based
Answer: A

This accepts any subnet, simplifying configuration.

Why this answer

Using a single Phase 2 with 0.0.0.0/0 as local/remote subnet allows the hub to accept all traffic without needing per-spoke Phase 2 selectors. But security-conscious admins often use specific selectors. The question asks for simplification; dynamic routing (BGP) is even better.

156
Multi-Select · hard

A FortiGate admin is troubleshooting an IPsec VPN that fails to establish. The output of 'diagnose debug application ike -1' shows: 'IKE: No proposal chosen from x.x.x.x'. The admin checks the Phase1 configuration. Which of the following mismatches could cause this error? (Choose three.)

Select 3 answers
A. Diffie-Hellman group mismatch (e.g., group 2 vs group 14)
B. Pre-shared key mismatch
C. Lifetime mismatch (e.g., 86400 vs 3600)
D. Authentication method mismatch (e.g., SHA1 vs SHA256)
E. Encryption algorithm mismatch (e.g., AES128 vs AES256)
Answers: A, D, E

DH group is also part of the proposal.

Why this answer

The error 'no proposal chosen' indicates that the local and remote IKE peers have no common Phase1 proposal. This can be caused by mismatched encryption, authentication, or Diffie-Hellman group. Lifetime mismatch usually results in a different error.

157
MCQ · hard

You are troubleshooting an SSL VPN connection. The user can reach the SSL VPN portal but cannot ping or access any internal resources. The portal shows the user as authenticated. Which configuration is MOST likely missing?

A. There is no firewall policy allowing traffic from ssl.root to the internal network
B. Client certificate authentication is required but not provided
C. Split tunneling is disabled
D. The SSL VPN realm is not configured correctly
Answer: A

A firewall policy is required to permit traffic from the SSL VPN interface to destination zones.

Why this answer

Even if authentication succeeds, SSL VPN tunnel mode requires a firewall policy to allow traffic from the SSL VPN interface to internal networks. Without it, traffic is dropped.

158
MCQ · medium

An administrator wants to use Fortinet Single Sign-On (FSSO) with Active Directory to transparently authenticate users. Which component is responsible for polling Active Directory for user logon events?

A. Active Directory Domain Controller
B. FortiGate directly with NTLM authentication
C. FortiAuthenticator
D. FSSO Collector Agent
Answer: D

The Collector Agent polls AD security logs.

Why this answer

The FSSO Collector Agent (or the FortiGate itself with embedded agent) polls AD for logon events.

159
MCQ · easy

An administrator wants to authenticate VPN users against an external LDAP server. Which authentication method should be configured in the user group for the SSL VPN portal?

A. RADIUS
B. FSSO
C. Local
D. LDAP
Answer: D

LDAP authentication allows FortiGate to query the LDAP server for user credentials and group membership.

Why this answer

To authenticate users against an LDAP server, the administrator must create an LDAP server object and then create a user group that references that LDAP server. The group membership is typically based on LDAP group membership.

160
MCQ · medium

A FortiGate administrator configures an SSL VPN web mode portal. Users can access internal web applications but cannot access internal file shares via SMB. What is the most likely reason?

A. The SSL VPN policy does not allow SMB traffic
B. The fileserver requires client certificates for authentication
C. The firewall policy for SSL VPN is configured with the wrong interface
D. Web mode does not support the SMB protocol; users must use tunnel mode to access fileshares
Answer: D

Correct. Web mode only supports web-based applications via a browser. SMB requires tunnel mode.

Why this answer

Web mode provides clientless access via a web browser, supporting HTTP/HTTPS, but does not support native protocols like SMB (port 445). To access SMB shares, users need tunnel mode with a VPN client that can route all traffic.

161
MCQ · medium

A FortiGate admin has configured FSSO (Fortinet Single Sign-On) using Active Directory polling. Users authenticate to the domain but when accessing the internet through the FortiGate, they are still prompted for credentials. What is the MOST likely cause?

A. The FortiGate is not polling the AD domain controllers
B. The users are using non-Windows machines
C. The firewall policy does not have FSSO authentication enabled
D. The FortiGate is not joined to the domain
Answer: A

Without polling, FSSO cannot map user logins to IP addresses.

Why this answer

FSSO polling requires the FortiGate to monitor domain controller logs. If polling is not working, users won't be detected and will be prompted.

162
MCQ · medium

A FortiGate administrator wants to configure a dial-up IPsec VPN where remote users connect using VPN clients with pre-shared key authentication. The company has recently experienced a data breach where the PSK was compromised. What is the best method to improve security without changing all clients immediately?

A. Switch to aggressive mode with a complex PSK
B. Enable XAuth with a second authentication factor using FortiToken
C. Increase the PSK length to 64 characters
D. Migrate to certificate-based authentication for Phase 1
Answer: D

Certificates provide per-peer authentication. Even if one certificate is compromised, others are not affected. This is the best improvement.

Why this answer

Using certificate-based authentication (IKE with certificates) replaces the static PSK with dynamic per-device certificates. This provides stronger authentication and allows revocation of compromised certificates without affecting other clients. PSK is shared, so if compromised, all clients are vulnerable.

163
MCQ · medium

A FortiGate admin is troubleshooting an IPsec VPN tunnel that fails to establish. The remote site uses aggressive mode. The local FortiGate is configured for main mode. The admin sees 'no proposal chosen' in the IKE debug. What is the MOST likely cause?

A. The pre-shared key is incorrect
B. The IKE mode (main vs aggressive) does not match between peers
C. The local firewall is blocking UDP port 500
D. The Phase 2 encryption algorithm is not supported
Answer: B

Main mode and aggressive mode use different packet formats. A mismatch causes the peers to reject each other's proposals.

Why this answer

Option B is correct. IKE mode (main vs aggressive) must match between peers. If one side uses main mode and the other aggressive mode, Phase 1 will fail with 'no proposal chosen' because the IKE exchange format differs.

164
MCQ · medium

An administrator wants to use ZTNA (Zero Trust Network Access) to secure access to an internal application. Which component is required on the client device to enforce ZTNA policies?

A. FortiManager
B. FortiToken
C. FortiClient
D. FortiAnalyzer
Answer: C

FortiClient provides endpoint compliance and is the agent for ZTNA.

Why this answer

FortiClient is required on the client device to collect endpoint posture information (e.g., antivirus status, OS patches) and enforce ZTNA rules. The FortiGate uses FortiClient telemetry to make access decisions.

165
MCQ · medium

A FortiGate administrator has configured a route-based IPsec VPN. After Phase 2 is up, traffic is not passing. The administrator verifies that the firewall policy allows traffic and the routes are correct. What should the administrator check next?

A. The static route uses the VPN interface as the outgoing interface
B. The remote gateway's IP address is reachable
C. The pre-shared key is correct
D. The Phase 2 proposal includes the correct local and remote subnets
Answer: A

For route-based VPN, a static route must point to the virtual IPsec interface for the remote subnet.

Why this answer

In route-based VPN, traffic for the remote subnet must be routed via the virtual IPsec interface. A common issue is that the remote subnet is not correctly learned, or the static route does not point to the IPsec interface.

166
MCQ · medium

A FortiGate administrator configures a captive portal on a VDOM to authenticate users connecting to a guest SSID. The authentication method is set to LDAP. Users can reach the captive portal login page, but after entering valid credentials, they receive an authentication failure. The LDAP server is reachable from the FortiGate. What is the MOST likely cause?

A. The user is not a member of the configured user group
B. The captive portal is using HTTP instead of HTTPS
C. The captive portal interface is not in the same VDOM as the LDAP server
D. The LDAP server requires TLS and FortiGate is using plain LDAP
Answer: A

FortiGate checks membership in the group referenced in the policy. If the user is not in that group, authentication fails.

Why this answer

Captive portal authentication requires the user to be a member of a user group that is referenced in the firewall policy. If the LDAP user is not in the configured group (or the group is not properly mapped to an LDAP query), authentication will fail.

167
Multi-Select · hard

A company has multiple branch offices connected via IPsec VPN in a hub-and-spoke topology. They want to enable direct communication between branch offices without routing traffic through the hub. Which THREE configurations are required on the hub FortiGate? (Choose three.)

Select 3 answers
A. Enable 'forward traffic' in Phase 1 settings
B. Static routes for each branch's subnet pointing to the respective VPN interface
C. Phase 2 selectors that include both branch subnets in one proposal
D. Disable anti-replay on all tunnels
E. A firewall policy allowing traffic between the VPN interfaces
Answers: B, C, E

The hub needs routes to forward traffic between spokes.

Why this answer

To allow spoke-to-spoke communication without hub, the hub must have routes to both spokes, Phase 2 selectors to allow traffic between spokes, and a firewall policy permitting inter-spoke traffic.

168
MCQ · medium

An administrator needs to configure two-factor authentication for SSL VPN users using FortiToken. Which configuration is required on the FortiGate?

A. Enable two-factor authentication globally on the FortiGate
B. Enable FortiToken on the user account and configure the authentication scheme to require token
C. Install the FortiToken mobile app on the FortiGate
D. Create a separate firewall policy for token-based authentication
Answer: B

The user must be assigned a token, and the authentication method must enforce two-factor.

Why this answer

FortiToken two-factor authentication requires the user account to have a FortiToken assigned. The user can then be required to enter a token code during authentication. The firewall policy itself must use an authentication scheme that enforces two-factor.

169
MCQ · hard

An administrator needs to implement two-factor authentication for SSL VPN access using FortiToken. Which configuration steps are required?

A. Assign a FortiToken to the user and set the user's authentication method to two-factor
B. Configure the RADIUS server to send FortiToken challenges
C. Enable FortiToken on the firewall policy
D. Enable two-factor authentication on the SSL VPN portal settings
Answer: A

This is the correct method: user object has two-factor enabled and a token assigned.

Why this answer

FortiToken two-factor requires enabling two-factor authentication on the user object, associating one or more FortiToken tokens with the user, and ensuring the SSL VPN authentication method uses that user group.

170
MCQ · medium

During an IPsec VPN troubleshooting, you run 'diagnose vpn ike config' and see the output includes 'peer-id: any'. What does this mean?

A. The FortiGate will accept connections from any remote IP address.
B. The FortiGate will use aggressive mode for IKE negotiation.
C. The Phase 2 selectors are configured for any protocol.
D. The FortiGate will accept any peer identity during IKE authentication.
Answer: D

Peer-id 'any' means identity validation is not enforced.

Why this answer

The peer-id field in the IKE config shows the expected identity of the remote peer. If it's 'any', the FortiGate will accept any peer ID during Phase 1 authentication, which is typically used when the remote peer's IP is dynamic or when using certificates with subject matching disabled.

171
Multi-Select · medium

An administrator needs to deploy two-factor authentication for SSL VPN users. The company uses FortiTokens. Which two steps are required to enable FortiToken for SSL VPN users? (Choose two.)

Select 2 answers
A. Install the FortiToken mobile app on the administrator's phone
B. Change the SSL VPN authentication scheme to RADIUS
C. Configure two-factor authentication on the SSL VPN portal to require token code
D. Assign the FortiToken to each user in the user database
Answers: C, D

The portal must be set to require token authentication.

Why this answer

FortiToken requires the user account to be associated with a FortiToken serial number, and the authentication method must be set to require token code along with password.

172
Multi-Select · medium

A FortiGate administrator is configuring a hub-and-spoke IPsec VPN with three spokes. Each spoke has a dial-up connection to the hub. The hub uses a dynamic DNS name. Which THREE settings are necessary on each spoke to establish the VPN?

Select 3 answers
A. A static route on the spoke for the hub's local networks
B. The pre-shared key or certificate for authentication
C. Hub's public IP address or FQDN as remote gateway
D. The Phase 2 proposal (encryption, authentication, etc.)
E. NAT enabled on the spoke tunnel interface
Answers: B, C, D

Authentication credential is required to establish Phase 1.

Why this answer

For a dial-up IPsec VPN, each spoke needs the hub's public IP or FQDN as the remote gateway. Authentication can be via pre-shared key or certificate. The spoke must also have a Phase 2 proposal that matches the hub's configuration.

173
MCQ · medium

An administrator wants to use FortiToken two-factor authentication for SSL VPN users. In addition to configuring the user's FortiToken, which setting must be enabled on the firewall policy to force two-factor authentication?

A. Set the 'auth type' to 'token' on the SSL VPN portal
B. Enable 'Two-factor authentication' on the firewall policy
C. Enable 'Two-factor authentication' on the user group that the policy references
D. Configure a FortiToken server object
Answer: C

The user group must have two-factor authentication enabled.

Why this answer

Two-factor authentication is enabled by setting the authentication method to require both password and FortiToken. The 'Two-factor authentication' option must be enabled on the user group or user, not the policy itself.

174
MCQ · hard

A FortiGate administrator is troubleshooting a dial-up IPsec VPN where remote users can connect but traffic does not pass. The Phase 1 and Phase 2 status show 'up'. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. However, 'diagnose sys session list' shows no sessions for the remote user's IP. What is the MOST likely cause?

A. The Phase 2 proposal uses AES256 but the remote client only supports AES128
B. The FortiGate's routing table does not have a route to the remote user's subnet
C. There is no firewall policy permitting traffic from the dial-up interface to the destination network
D. The remote user's FortiClient is blocking split tunneling
Answer: C

A common issue after VPN establishment is missing firewall policies. Even with the tunnel up, traffic is dropped unless a policy allows it.

Why this answer

Option C is correct. Even though the VPN tunnel is up, if there is no firewall policy allowing traffic from the dial-up interface to the internal network, the traffic will be dropped silently.

175
MCQ · medium

A FortiGate administrator is configuring IPsec VPN between two sites. The Phase 1 negotiation fails with the error 'no proposal chosen'. Which two settings must match on both VPN peers?

A. Pre-shared key and local ID
B. Dead peer detection interval and retry count
C. Remote gateway IP and Phase 2 selectors
D. Encryption algorithm and authentication algorithm
Answer: D

Correct. The proposal includes encryption, authentication, and DH group. Mismatch causes 'no proposal chosen'.

Why this answer

The proposal (encryption and authentication algorithms) and the Diffie-Hellman group must match between peers for Phase 1 to succeed. These are the key parameters negotiated during Phase 1.

176
MCQ · medium

A company wants to provide remote access to internal resources for employees using laptops that may connect from untrusted networks. The security team requires that all traffic between the remote users and the corporate network be encrypted, and that users must authenticate using a username/password plus a one-time passcode from a hardware token. Which FortiGate VPN solution best meets these requirements?

A. IPsec VPN with certificate-based authentication
B. SSL VPN with local password authentication
C. SSL VPN with FortiToken two-factor authentication
D. L2TP/IPsec VPN with a pre-shared key and user password
Answer: C

SSL VPN encrypts traffic, FortiToken provides required two-factor.

Why this answer

Option C is correct because SSL VPN with FortiToken two-factor authentication meets the requirement for encrypted remote access with username/password plus a one-time passcode from a hardware token. SSL VPN provides encrypted tunnels over HTTPS, and FortiToken adds the required second factor, ensuring strong authentication even from untrusted networks.

Exam trap

The trap here is that candidates may assume any VPN with encryption (like IPsec or L2TP/IPsec) automatically supports two-factor authentication, but FortiGate requires explicit configuration of a second factor like FortiToken, and SSL VPN is the typical solution for this requirement in the NSE4 exam context.

How to eliminate wrong answers

Option A is wrong because IPsec VPN with certificate-based authentication provides encryption but does not inherently support a one-time passcode from a hardware token; it relies on certificates, not two-factor authentication. Option B is wrong because SSL VPN with local password authentication provides encryption but only uses a single factor (password), failing the requirement for a one-time passcode. Option D is wrong because L2TP/IPsec VPN with a pre-shared key and user password provides encryption but uses only a pre-shared key and password, lacking the required two-factor authentication with a hardware token.

177
MCQ · medium

In a hub-and-spoke IPsec VPN topology with FortiGate, the spoke sites cannot communicate directly with each other. What configuration change allows direct spoke-to-spoke communication?

A. Set the 'add-route' option to 'enable' on the spoke Phase 1 settings
B. Configure dynamic routing (BGP) on all sites and enable route exchange
C. Add static routes on the hub pointing to each spoke's subnet via the respective tunnels
D. Create a separate IPsec VPN between each spoke pair
Answer: B

Dynamic routing (BGP/OSPF) can advertise spoke subnets to each other, allowing direct tunnels to be established if using ADVPN or additional Phase 2 selectors.

Why this answer

By default, hub-and-spoke only allows communication between spokes via the hub. To enable direct spoke-to-spoke, you need to add Phase 2 selectors with each other's subnets on the hub or configure dynamic routing (BGP/OSPF) to advertise routes between spokes. Another method is to use ADVPN (Auto Discovery VPN).

178
MCQ · hard

An administrator is troubleshooting an IPsec VPN that fails to establish. The 'diagnose vpn ike log' shows 'initial contact received'. What does this message indicate?

A. The pre-shared key is incorrect
B. The Phase 1 proposal is mismatched
C. The remote peer has restarted and cleared its security associations
D. A network address translation device is altering the IKE packets
Answer: C

'Initial contact' notifies the local peer to delete old SAs and re-establish the tunnel.

Why this answer

'Initial contact' is a notification sent when a peer clears its Phase 1 and Phase 2 SAs. It typically indicates that the remote peer has restarted or its configuration has been reloaded. It is not an error but an informational message.

179
MCQ · medium

A FortiGate administrator is troubleshooting an SSL VPN connection issue. Users can connect but cannot access internal resources. The administrator checks the SSL VPN policy and confirms it allows access to the internal subnet. What should the administrator check next?

A. Verify that the firewall policy between the SSL VPN interface and the internal network allows the traffic
B. Check the routing table on the FortiGate for the internal subnet
C. Ensure the users have the correct client software installed
D. Check the FortiGate's DNS settings
Answer: A

Correct. The firewall policy must explicitly permit traffic from the SSL VPN zone to the internal zone.

Why this answer

Even if the SSL VPN policy is correct, the traffic must also be permitted by the firewall policies between the SSL VPN interface and the internal network. A common mistake is not having a firewall policy that allows traffic from the SSL VPN interface (e.g., ssl.root) to the internal network.

180
Multi-Select · easy

An administrator needs to configure ZTNA (Zero Trust Network Access) on a FortiGate to provide secure remote access to an internal application. Which components are required for a basic ZTNA configuration? (Choose three.)

Select 3 answers
A. IPsec VPN tunnel
B. ZTNA proxy (application gateway)
C. Captive portal
D. ZTNA rule (policy) on the FortiGate
E. Access proxy (or application) configuration
Answers: B, D, E

The proxy acts as a reverse proxy for the application.

Why this answer

ZTNA requires a ZTNA proxy to protect the application, a ZTNA rule (policy) to define access criteria, and an access proxy (or application) that listens for incoming connections. Options B, D, and E are correct.

181
MCQ · medium

An administrator has configured an SSL VPN. Remote users can connect and authenticate but cannot access internal resources. The SSL VPN policy allows all traffic from the SSL VPN interface to internal servers. What is the MOST likely missing configuration?

A. The remote user's client does not support split tunneling
B. The firewall policy allowing traffic from SSL VPN interface to internal network is missing
C. The authentication timeout is too short
D. The SSL VPN portal does not have the correct bookmark configured
Answer: B

Even with SSL VPN configured, traffic must be allowed by a firewall policy from the SSL VPN interface to the destination.

Why this answer

For SSL VPN tunnel mode, split-tunneling settings determine which traffic goes through the tunnel. If split-tunneling is not configured, the remote user's traffic may not be routed to the FortiGate properly. However, more commonly, the firewall policy between the SSL VPN interface and the internal network is missing or incorrect.

182
MCQ · medium

You are troubleshooting an IPsec VPN between two FortiGates. The Phase 1 is up, but Phase 2 is not coming up. You check the Phase 2 configuration on both sides. What is a common cause of this issue?

A. Mismatch in Phase 2 settings such as encryption algorithm, authentication algorithm, or PFS group
B. Firewall policy not allowing ESP traffic
C. Incorrect local or remote gateway IP
D. Mismatch in Phase 1 pre-shared key
Answer: A

Phase 2 requires identical proposals on both sides.

Why this answer

Phase 2 parameters must match exactly. If there is a mismatch in encryption, authentication, or PFS settings, Phase 2 will fail. Option A is the most common cause.

183
MCQ · easy

What is the primary advantage of using route-based IPsec VPN over policy-based IPsec VPN?

A. Route-based VPN allows the use of dynamic routing protocols over the tunnel
B. Route-based VPN requires fewer firewall policies
C. Route-based VPN is easier to configure for hub-and-spoke
D. Route-based VPN supports higher encryption algorithms
Answer: A

Correct. The IPsec interface can participate in OSPF, BGP, etc.

Why this answer

Route-based VPN uses a virtual IPsec interface, allowing dynamic routing protocols to be used. This simplifies configuration and management of complex topologies, whereas policy-based VPN requires static policies for each subnet pair.

184
MCQ · medium

An admin wants users to authenticate once via AD and have their network access controlled without repeated logins. Which feature should be used?

A. Local user authentication
B. FSSO with Active Directory polling
C. Captive portal with LDAP
D. SSL VPN with certificate authentication
Answer: B

FSSO provides single sign-on by polling AD for logon events.

Why this answer

FSSO (Fortinet Single Sign-On) captures AD logon events and maps user IP addresses to user identities, allowing transparent authentication without repeated logins.

185
MCQ · medium

A FortiGate is configured with an IPsec VPN to a remote site using IKEv1. The VPN tunnel goes down intermittently. The admin runs 'diagnose vpn ike gateway list' and sees 'state=UP' but no Phase2 selectors. What is the most likely cause?

A. The firewall policy allowing IPsec traffic is misconfigured
B. The remote gateway has a different PSK
C. Mismatched Phase2 parameters between the local and remote gateways
D. Dead Peer Detection (DPD) is disabled
Answer: C

Phase2 requires matching proposals; a mismatch prevents establishment.

Why this answer

The command shows the IKE gateway is up (Phase1 complete) but no Phase2 selectors, meaning Phase2 has not been established or has failed. Option C is correct because mismatched Phase2 parameters (e.g., encryption, hash, or proxy IDs) are the most common cause of Phase2 failure.

186
MCQ · medium

An admin is configuring a dial-up IPsec VPN for remote users. The users will connect from various public IP addresses. Which Phase 1 configuration is required for the FortiGate to accept connections from unknown remote gateways?

A. Enable aggressive mode
B. Set the remote gateway to 0.0.0.0
C. Configure a static route to the remote users' subnet
D. Set the remote gateway to a specific IP address
Answer: B

0.0.0.0 means any remote gateway is accepted.

Why this answer

The remote gateway IP must be set to 0.0.0.0 to accept connections from any IP address, which is typical for dial-up VPN.
