A FortiGate has two firewall policies: Policy ID 1 (source: 10.0.1.0/24, destination: 203.0.113.0/24, action: allow, NAT: enabled) and Policy ID 2 (source: 10.0.1.0/24, destination: all, action: allow, NAT: enabled, IP pool: pool1). A user from 10.0.1.10 sends traffic to 203.0.113.5. Which policy will the traffic match and why?
A. Both policies will be applied because the traffic matches both
B. Policy ID 2 because it has a broader destination and is more inclusive
C. Policy ID 1 because it is the first matching policy in the list
D. Neither policy; implicit deny will block the traffic
Answer: C
Policy lookup stops at the first match. Policy ID 1 matches both source and destination.
Why this answer
Firewall policies are evaluated from top to bottom (lowest policy ID first). Policy ID 1 has a more specific destination (203.0.113.0/24) than Policy ID 2 (all). The traffic matches Policy ID 1 because it is the first policy that matches all criteria (source, destination).
Since policy ID 1 is evaluated first and its destination includes 203.0.113.5, it will be used.
An administrator configures a VIP for port forwarding: public IP 203.0.113.10 port 8080 to internal server 10.0.1.10 port 80. External users can connect to http://203.0.113.10:8080 but receive a timeout. The firewall policy allows traffic from any to the VIP on destination port 8080. The internal server is reachable from internal hosts. What is the most likely problem?
A. The internal server is not running a web server
B. The VIP is not associated with the policy
C. The policy destination service is set to HTTP (port 80) instead of port 8080
D. The source NAT is not configured
Answer: C
Before translation, the destination port is 8080; policy must match pre-NAT port.
Why this answer
Option C is correct because the firewall policy must match the destination port of the incoming traffic. External users connect to port 8080 on the VIP, but if the policy's destination service is set to HTTP (port 80), the policy will not match traffic destined for port 8080. Even though the VIP translates the destination to port 80 on the internal server, the firewall policy evaluation occurs before NAT translation, so the policy must match the original destination port (8080).
Exam trap
The trap here is that candidates mistakenly think the policy should match the internal server's port (80) because the VIP translates to that port, but FortiOS policy evaluation occurs before NAT, so the policy must match the original destination port (8080).
How to eliminate wrong answers
Option A is wrong because the internal server is reachable from internal hosts, confirming the web server is running and functional. Option B is wrong because VIPs in FortiOS are automatically associated with firewall policies that reference them; the VIP does not need a separate association step. Option D is wrong because source NAT (SNAT) is not required for inbound port forwarding; the VIP handles destination NAT, and return traffic is automatically handled by the session table without explicit SNAT configuration.
A FortiGate administrator needs to allow inbound SSH access from the internet to a single internal server at IP 10.0.1.10. The public IP on the WAN interface is 203.0.113.5. Which type of object should be configured to map the public IP and port to the internal server?
A. IP Pool
B. Central NAT policy
C. Virtual IP (VIP)
D. Address object
Answer: C
A VIP maps a public IP and port to an internal IP and port for inbound traffic.
Why this answer
A Virtual IP (VIP) object is the correct choice because it specifically maps a public IP and port (203.0.113.5:22) to a private IP and port (10.0.1.10:22) for inbound destination NAT (DNAT). This allows external SSH traffic to reach the internal server by translating the destination address and port at the FortiGate WAN interface.
Exam trap
The trap here is that candidates often confuse IP Pools (used for source NAT) with Virtual IPs (used for destination NAT), leading them to select Option A when the question clearly requires inbound mapping.
How to eliminate wrong answers
Option A is wrong because an IP Pool is used for source NAT (SNAT) to translate the source IP of outbound traffic, not for inbound destination mapping. Option B is wrong because Central NAT policy is a centralized method to define NAT rules, but it still requires a VIP object to specify the destination translation; it is not the object itself. Option D is wrong because an Address object only defines a network or host IP for policy matching, but it does not provide the port mapping or translation functionality needed for inbound access.
An administrator runs 'diagnose firewall iprope list 100000' and sees 'action=deny' entries for traffic that should be allowed. The policy list shows an allow policy with ID 1 for that traffic. What is the most likely cause of the deny?
A. The traffic is being blocked by a local-in policy
B. The implicit deny rule is being triggered because the policy is disabled
C. The firewall policy is not installed in the kernel due to an error
D. A security profile is dropping the traffic after the policy matches
Answer: C
Why this answer
The 'diagnose firewall iprope list 100000' command displays the kernel-level firewall policy list. If the policy list shows an allow policy (ID 1) but the kernel entries show 'action=deny', it indicates that the policy was not successfully installed into the kernel's connection tracking or firewall engine. This typically occurs due to a policy installation error, such as a configuration inconsistency or a failure during the commit process, causing the kernel to fall back to a default deny action for that traffic.
Exam trap
The trap here is that candidates assume the policy list shown in the GUI or CLI always reflects the active kernel state, but Fortinet tests the understanding that a policy may exist in the configuration yet fail to install into the kernel, causing unexpected denies despite an apparent allow rule.
How to eliminate wrong answers
Option A is wrong because local-in policies apply to traffic destined to the FortiGate itself (e.g., management traffic), not to traffic passing through the firewall, and the question describes traffic that should be allowed by a policy, implying transit traffic. Option B is wrong because if the policy were disabled, it would not appear in the policy list as an allow policy with ID 1; a disabled policy is not evaluated, and the implicit deny would only apply if no other policy matches, but here the policy exists and is enabled. Option D is wrong because security profiles (e.g., antivirus, web filter) are applied after a policy match and would not cause a 'deny' action in the kernel iprope list; they would instead log a separate action like 'block' or 'reset' at the application layer, not a kernel-level deny.
An administrator needs to block access to specific websites based on their FQDN (e.g., *.example.com). The FortiGate should match the destination domain regardless of the IP address the domain resolves to. Which type of address object should the admin use in the firewall policy destination?
A. Geography object
B. Subnet object
C. Wildcard FQDN object
D. FQDN object
Answer: C
Wildcard FQDN supports patterns with * to match multiple domains.
Why this answer
Option C is correct because a Wildcard FQDN object allows the FortiGate to match traffic based on the destination domain name pattern (e.g., *.example.com) regardless of the IP address the domain resolves to. This object type performs DNS-based policy enforcement, where the FortiGate inspects the SNI field in the TLS handshake or the Host header in HTTP to match the FQDN pattern, not the destination IP.
Exam trap
The trap here is that candidates often confuse a standard FQDN object with a Wildcard FQDN object, assuming the FQDN object supports wildcard patterns or dynamic IP resolution, when in fact it only resolves to a static IP at policy installation time and cannot match patterns like *.example.com.
How to eliminate wrong answers
Option A is wrong because a Geography object matches traffic based on the source or destination IP address's geographic location (country), not the FQDN. Option B is wrong because a Subnet object matches traffic based on a specific IP address or range (e.g., 10.0.0.0/24), which cannot account for dynamic IP resolution of a domain. Option D is wrong because a standard FQDN object resolves the domain to a single IP address at policy installation time and does not support wildcard patterns like *.example.com; it also cannot match traffic if the domain resolves to multiple IPs or changes over time.
You run 'diagnose sys session filter dport 443' and see the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?
A. The session is a TCP session that has been active for 1 hour and will expire in about 1 hour
B. The session is a TCP session that has been active for 1 hour and will expire immediately
C. The session is a UDP session that has been idle for 3600 seconds
D. The session is an ICMP session with a short timeout
Answer: A
Duration=3600 seconds (1 hour), expire=3599 seconds (1 hour remaining). This is typical for long-lived TCP sessions.
Why this answer
The output shows a TCP session (proto=6) in state 01 (possibly ESTABLISHED or SYN_SENT), duration 3600 seconds, with 3599 seconds until expiry. It is a normal session.
A FortiGate is configured with policy-based NAT and multiple IP pools. The administrator wants traffic from the 192.168.1.0/24 subnet to use IP pool 'POOL1' (203.0.113.1-203.0.113.10) and traffic from 192.168.2.0/24 to use IP pool 'POOL2' (203.0.113.11-203.0.113.20). Which THREE steps are necessary?
Select 3 answers
A. Create two firewall policies, one for each subnet
B. In each policy, enable NAT and select the corresponding IP pool
C. Configure a single firewall policy with both subnets in the source address group
D. Create two IP pool objects, POOL1 and POOL2
E. Enable Central NAT and define two NAT policies
Answers: A, B, D
Each policy will define its source subnet and NAT with the appropriate IP pool.
Why this answer
Option A is correct because policy-based NAT requires separate firewall policies to apply different IP pools to different source subnets. Each firewall policy can have its own NAT settings, including a specific IP pool, allowing traffic from 192.168.1.0/24 to use POOL1 and traffic from 192.168.2.0/24 to use POOL2.
Exam trap
The trap here is that candidates may think a single policy with multiple source addresses can apply different NAT pools, but FortiGate policy-based NAT requires separate policies for distinct NAT configurations.
An organization has a FortiGate with two internet connections (WAN1 and WAN2). They want traffic to a specific web service (203.0.113.50 port 443) to always exit via WAN2. All other internet traffic should use WAN1. Which feature should be used to achieve this?
A. Central NAT policy to force the traffic out of WAN2
B. Static route with a higher priority for WAN2 to 203.0.113.0/24
C. SD-WAN with a strategy of 'Best Quality'
D. Policy-based routing (PBR) configured with a policy matching the destination and service
Answer: D
PBR allows routing decisions based on firewall policy criteria.
Why this answer
Policy-based routing (PBR) allows traffic matching a policy to be routed to a specific next-hop or interface, overriding the regular routing table. This is the correct approach for selective routing.
A FortiGate administrator wants to restrict access to a sensitive server (10.0.0.100) such that only users who authenticate via LDAP can access it. Which firewall policy configuration is required?
A. Policy: source any, destination 10.0.0.100, service any, action accept
B. Policy: source any, destination 10.0.0.100, service any, action accept, enable authentication, set auth-type LDAP
C. Policy: source any, destination 10.0.0.100, service any, action accept, enable authentication, set auth-type LDAP, set groups "LDAP-Users"
Answer: C
This configures authentication with LDAP and specifies the group.
Why this answer
Option C is correct because it combines the required firewall policy elements: enabling authentication, setting the authentication type to LDAP, and restricting access to members of the LDAP group 'LDAP-Users'. This ensures that only users who successfully authenticate via LDAP and belong to the specified group can reach the sensitive server at 10.0.0.100. Without the group restriction, any authenticated LDAP user could access the server, which does not meet the requirement of restricting access to only authenticated users.
Exam trap
The trap here is that candidates often think enabling authentication alone is sufficient, but they overlook the critical need to specify a group to restrict access to only the intended subset of authenticated users.
How to eliminate wrong answers
Option A is wrong because it allows all traffic without any authentication, completely bypassing the requirement to restrict access to authenticated users. Option B is wrong because while it enables authentication and sets the auth-type to LDAP, it does not specify a group; this would allow any user who can authenticate via LDAP to access the server, which is too permissive and does not enforce the intended restriction. Option D is wrong because FSSO (Fortinet Single Sign-On) authentication is used for transparent authentication based on Windows domain logins and is not the same as requiring explicit LDAP authentication; it does not meet the requirement for users to authenticate via LDAP.
An admin notices that a firewall policy allowing inbound HTTPS to a server is not matching traffic. The policy has source set to 'all', destination to the server's IP, and service to HTTPS. The admin checks the policy list and sees that policy ID 1 matches the traffic. What is the MOST likely reason the intended policy (ID 10) is not matching?
A. Policy ID 1 has a higher priority and matches before policy ID 10
B. The firewall policy is disabled
C. The service object for HTTPS is misconfigured in policy ID 10
D. The destination address is incorrect in policy ID 10
Answer: A
Policies are evaluated in order; the first matching policy is applied. Policy ID 1 is before ID 10 and matches the traffic.
Why this answer
Policy ID 1 has a higher priority because FortiGate evaluates firewall policies in sequential order from top to bottom. When policy ID 1 matches the traffic (e.g., it also allows HTTPS to the same destination), the traffic is processed by policy ID 1 and never reaches policy ID 10. This is the most likely reason the intended policy is not matching.
Exam trap
The trap here is that candidates may think policy ID numbers determine priority, but FortiGate uses the sequential order in the policy list, not the ID number, and the default policy ID 1 is often an 'allow all' or 'deny all' rule that matches before any of the policies that follow it.
How to eliminate wrong answers
Option B is wrong because if the firewall policy were disabled, it would simply not match traffic, but the admin would see no match for policy ID 10, not a match on policy ID 1. Option C is wrong because a misconfigured service object for HTTPS in policy ID 10 would cause the policy to not match HTTPS traffic, but it would not explain why policy ID 1 matches the traffic. Option D is wrong because an incorrect destination address in policy ID 10 would prevent matching, but again, it does not account for policy ID 1 matching the traffic.
An admin needs to allow outbound HTTP and HTTPS traffic from the internal network to the internet. Which two built-in service objects can be used in a single firewall policy to achieve this?
A. WEB and SSL
B. ANY and HTTPS
C. ALL_TCP and ALL_UDP
D. HTTP and HTTPS
Answer: D
Correct. HTTP and HTTPS are built-in service objects for TCP 80 and 443.
Why this answer
FortiGate provides predefined service objects for common protocols. HTTP (TCP/80) and HTTPS (TCP/443) are separate objects. To allow both, you can either create a service group containing both or add both individually.
The question asks for two built-in service objects that together cover both protocols.
An administrator has configured a firewall policy that allows outbound traffic from a subnet to the internet, with NAT enabled. The external IP is 203.0.113.1. However, the administrator wants all traffic from a specific internal server (10.0.0.10) to appear with source IP 203.0.113.2. What should the administrator do?
A. Create a VIP with the external IP and apply it to the policy
B. Create an IP Pool with 203.0.113.2 and reference it in the policy
C. Configure route-based NAT
D. Set the NAT to 'Use Outgoing Interface Address'
Answer: B
An IP Pool allows selecting a different source NAT IP.
Why this answer
To use a specific source IP for NAT, an IP Pool object must be created with the desired IP (203.0.113.2) and then referenced in the firewall policy. Option B is correct.
A FortiGate administrator is configuring a Virtual IP (VIP) to allow external users to access an internal web server (192.168.1.10) using the public IP 203.0.113.10 on port 80. The admin creates a VIP with mapped IP 192.168.1.10 and port 80. A firewall policy is created from WAN to DMZ with destination set to the VIP. External users report that they can access the web server. What additional step is needed to allow the internal server to respond correctly?
A. No additional step is needed; the FortiGate automatically performs reverse NAT for established sessions
B. Create a second VIP for the return traffic
C. Add a policy from DMZ to WAN allowing the internal server to reply
D. Configure static routing on the internal server to route through the FortiGate
Answer: A
FortiGate tracks the session and translates the response packets back to the VIP address.
Why this answer
When traffic arrives at the VIP, the destination is translated to the internal server IP. The internal server sends its response with source IP 192.168.1.10, which the FortiGate must translate back to the VIP IP (203.0.113.10) before sending to the external user. This reverse translation happens automatically if the policy is correctly configured.
However, if the internal server needs to initiate outbound connections (not just respond), additional policies may be needed. The question asks about the response: no additional step is needed because the FortiGate automatically performs reverse NAT for sessions initiated through the VIP.
An admin configures a VIP to map public IP 203.0.113.10 to internal server 10.0.1.100 on port 80. External users can reach the server via the public IP. However, internal users cannot access the server using the public IP. What is the MOST likely cause?
A. The VIP does not have NAT reflection enabled
B. The server is not responding to internal requests
C. The firewall policy for internal to VIP is missing
D. The VIP is configured on a different interface
Answer: A
NAT reflection allows internal users to access the VIP from inside the network.
Why this answer
Without NAT reflection (also called hairpin NAT), traffic from internal users to the public IP goes out then comes back, but the firewall may not translate it correctly. The solution is to enable NAT reflection on the VIP.
An administrator needs to allow traffic from a guest network (192.168.100.0/24) to the internet only during business hours (Mon-Fri, 08:00-18:00). The administrator creates a schedule object and applies it to the firewall policy. However, guests can still access the internet outside of the schedule. What is the most likely cause?
A. The guest network is also allowed by another policy without a schedule
B. The schedule is not selected in the firewall policy
C. The schedule object is configured as a group but not applied
D. The FortiGate clock is not synchronized with an NTP server
Answer: B
Why this answer
Option B is correct. If the schedule is not properly associated with the firewall policy, it will not be enforced. Common mistakes include not selecting the schedule in the policy configuration or selecting the wrong schedule.
Option A would affect all policies. Option B is irrelevant to schedule enforcement. Option C is incorrect; schedule is a dedicated object, not part of address.
A FortiGate is configured with two policies: Policy A allows traffic from trust to untrust with schedule 'WorkHours' (Mon-Fri 9-17). Policy B allows traffic from trust to untrust with schedule 'Always'. A user sends traffic at 8:00 AM on Saturday. Which policy matches?
A. Policy B because Policy A's schedule is not active
B. Policy A because schedules are evaluated after policy order
C. Both policies match and the first one in order is used
D. No policy matches because Policy A is first but schedule inactive
Answer: A
Policy A's schedule is inactive at that time, so it is skipped.
Why this answer
Policy A's schedule 'WorkHours' is not active (Saturday 8 AM is outside Mon-Fri 9-17). Policy B's schedule 'Always' is always active. Since Policy A does not match due to schedule, Policy B matches and allows the traffic.
An admin configures a central SNAT rule to translate source IP 10.0.0.0/24 to IP pool 203.0.113.1-203.0.113.10 using overload (PAT). A policy-based NAT on a specific policy also translates the same source to the interface IP. Traffic from 10.0.0.0/24 to the internet shows source IP as the interface IP, not from the IP pool. What is the reason?
A. The central SNAT rule is disabled
B. The policy is using fixed port range
C. Policy-based NAT overrides central SNAT rules
D. The IP pool is out of addresses
Answer: C
When both are configured, the per-policy NAT is applied first.
Why this answer
Policy-based NAT takes precedence over central SNAT. Since the policy has NAT enabled (policy-based), it overrides the central SNAT rule.
An admin runs 'diagnose sys session filter dport 443' and sees output showing sessions with 'proto=6' and 'expire=3599'. The admin notices that these sessions are not being cleaned up after the firewall policy that allowed them is deleted. What is the reason?
A. The sessions are using UDP protocol, which has a longer timeout
B. The sessions are protected by a different policy that still exists
C. The sessions are in a different VDOM
D. FortiGate does not delete existing sessions when a policy is removed; sessions must be cleared manually
Answer: D
Correct. Policy changes affect new sessions only. Existing sessions continue until they time out.
Why this answer
FortiGate does not automatically tear down existing sessions when a policy is deleted. Sessions continue until they expire naturally or are explicitly cleared. The admin must use 'diagnose sys session clear' to remove them.
A company has a FortiGate with two ISPs: wan1 (primary) and wan2 (backup). They want all outbound traffic from internal users to use wan1, and if wan1 fails, traffic should automatically fail over to wan2. The administrator configures static routes: default route via wan1 gateway with distance 10 and default route via wan2 gateway with distance 20. They also configure an SD-WAN zone with both interfaces and set a strategy of 'Manual' with 'Best Quality' for wan1. After testing, failover does not occur when wan1 goes down. What is the most likely reason?
A. The SD-WAN zone does not include the backup interface wan2.
B. The SD-WAN strategy is set to Manual, which does not automatically failover; the administrator should use an automatic strategy or configure link health monitoring.
C. The static routes have the same distance, so failover does not occur.
D. The firewall policy does not bind to the SD-WAN zone; it binds to wan1 interface directly.
Answer: B
Manual strategy requires manual intervention or link health monitoring to trigger failover; automatic strategies like Lowest Cost or Best Quality with performance SLA will failover automatically.
Why this answer
Option B is correct because when the SD-WAN strategy is set to 'Manual', the FortiGate does not automatically perform failover based on interface or link health. Manual mode requires explicit administrator action or must be combined with link health monitoring to trigger a switch. Without an automatic strategy or configured health checks, the SD-WAN zone will continue to use wan1 even if it goes down, preventing failover to wan2.
Exam trap
The trap here is that candidates assume static route distance alone handles failover, but when SD-WAN is configured with a Manual strategy, the SD-WAN rule overrides the routing table and prevents automatic failover unless link health monitoring is enabled.
How to eliminate wrong answers
Option A is wrong because the SD-WAN zone includes both wan1 and wan2 as stated in the scenario, so the backup interface is present. Option C is wrong because the static routes have different distances (10 and 20), which is the correct configuration for failover; equal distances would cause ECMP, not prevent failover. Option D is wrong because the firewall policy binding to the SD-WAN zone is not the issue; the policy can bind to the zone, but the failover failure is due to the SD-WAN strategy setting, not the policy binding.
An admin needs to create a firewall policy that allows SMTP traffic (TCP/25) from the internal network (10.0.0.0/24) to a mail server in the DMZ (172.16.1.10). Additionally, the admin wants to ensure that the mail server can only be accessed by the internal network, not from the internet. Which THREE settings must be configured in the firewall policy? (Choose three.)
Select 3 answers
A. Source interface set to 'internal'
B. Set schedule to 'always'
C. Destination interface set to 'dmz'
D. Service set to 'SMTP'
E. Enable NAT to translate source IP
Answers: A, C, D
Defines where traffic originates.
Why this answer
To define the traffic, the policy needs source interface (internal), destination interface (DMZ), source address (internal subnet), and destination address (mail server). Also, the service must be SMTP. Additionally, to block internet access, the policy from DMZ to internet should not exist, but the question asks for settings in the policy for internal traffic.
The three required are source interface, destination interface, and service. Address objects are also required but the question asks for settings, not objects. However, the options include interface and service settings.
A FortiGate admin needs to allow inbound HTTPS traffic to a web server while also applying an application control profile to block certain web applications. The web server has a VIP configured. Which TWO components are necessary for this configuration?
Select 2 answers
A. A central SNAT rule to translate the server's response
B. A VIP configured to map the public IP to the web server's private IP
C. A security profile group containing only the antivirus profile
D. A traffic shaping policy to prioritize HTTPS
E. A firewall policy with destination set to the VIP and application control profile applied
Answers: B, E
The VIP is required for destination NAT to reach the internal server.
Why this answer
Option B is correct because a Virtual IP (VIP) is required to map the public IP address to the web server's private IP, allowing inbound traffic to reach the internal server. Option E is correct because a firewall policy must have the destination set to the VIP and must include an application control profile to enforce blocking of specific web applications on the HTTPS traffic.
Exam trap
The trap here is that candidates often think a central SNAT rule is required for return traffic, but FortiGate automatically handles reverse NAT for VIP traffic, making option A a common distractor.
What is the default action of the implicit deny policy at the end of the firewall policy list?
A. Monitor (log only)
B. Allow
C. Deny
D. Redirect to authentication
Answer: C
The implicit deny policy denies any traffic that does not match an explicit permit policy. It is the default security posture.
Why this answer
In FortiGate firewalls, the implicit deny policy at the end of the firewall policy list has a default action of 'Deny'. This means any traffic that does not match an explicit firewall policy is automatically dropped. This is a fundamental security principle to ensure that only explicitly permitted traffic is allowed through the firewall.
Exam trap
The trap here is that candidates may confuse the implicit deny with the 'deny' action available in explicit policies, or mistakenly think that the implicit deny can be changed to 'allow' or 'monitor' to simplify troubleshooting, but FortiGate's design enforces a strict default-deny stance for unmatched traffic.
How to eliminate wrong answers
Option A is wrong because 'Monitor (log only)' is not a default action for the implicit deny policy; logging is a separate setting that can be enabled on any policy, but the implicit deny itself does not log by default. Option B is wrong because 'Allow' would violate the security model of a firewall, which is designed to block unauthorized traffic by default; allowing all unmatched traffic would create a significant security hole. Option D is wrong because 'Redirect to authentication' is a feature used for captive portal or user authentication policies, not for the implicit deny; the implicit deny simply drops traffic without any redirection.
An admin runs the command 'diagnose firewall iprope list 100000' and sees the following output:
id=2000000000 action=deny flag=0x0 src-interface=any dst-interface=any proto=0 src-addr=0.0.0.0-255.255.255.255 dst-addr=0.0.0.0-255.255.255.255
What does this entry represent?
A. A loopback interface policy
B. The implicit deny policy at the end of the policy list
C. A user-created deny policy that blocks all traffic
D. A NAT policy that translates all addresses
Answer: B
The implicit deny has a fixed ID of 2000000000 and denies all unmatched traffic.
Why this answer
The ID 2000000000 is reserved for the implicit deny policy. It matches all traffic from any interface to any interface and denies. This is the last rule checked.
An administrator runs 'diagnose sys session filter dport 443' and sees the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?
A. The session is experiencing packet loss
B. The session is a UDP connection
C. The session has been active for 3600 seconds and will expire in 3599 seconds
D. The session is blocked by a firewall policy
Answer: C
duration=3600 means 3600 seconds (1 hour) since session start. expire=3599 means the session will be removed in 3599 seconds unless refreshed.
Why this answer
The output shows 'duration=3600' and 'expire=3599', which directly indicate the session has been active for 3600 seconds (1 hour) and will expire in 3599 seconds. The 'proto=6' confirms TCP (protocol 6), and 'proto_state=01' indicates an established TCP session. This is a standard FortiGate session diagnostic display.
Exam trap
The trap here is that candidates may misinterpret 'duration' and 'expire' as packet loss or blocking indicators, or confuse 'proto=6' with UDP, when in fact these fields simply show session age and remaining lifetime for an active TCP session.
How to eliminate wrong answers
Option A is wrong because the output contains no counters or flags indicating packet loss (e.g., no 'drop', 'retransmit', or 'loss' fields). Option B is wrong because 'proto=6' explicitly indicates TCP (protocol 6), not UDP (protocol 17). Option D is wrong because the session is active with a valid state ('proto_state=01') and duration/expire timers, meaning it is passing traffic, not blocked by a firewall policy.
An administrator configures a Central SNAT policy to translate traffic from the internal network (10.0.0.0/8) to the internet using the IP pool 'pool1'. The administrator also has a firewall policy that uses policy-based NAT with an IP pool 'pool2'. Both policies match the same traffic. Which NAT will be applied?
A. Central SNAT using pool1
B. Both NAT rules are applied in sequence
C. The traffic is dropped due to conflicting NAT configurations
D. Policy-based NAT using pool2
Answer: A
Central SNAT takes precedence over policy-based NAT. The central NAT rule will be applied.
Why this answer
When Central SNAT is enabled, it overrides policy-based NAT for matching traffic. The firewall policies are still used for access control, but the NAT is determined by the central NAT rules. Central NAT has higher precedence than policy-based NAT.
An administrator configures a Virtual IP (VIP) to map public IP 203.0.113.10 to internal server 10.0.1.10 on port 443. The firewall policy uses the VIP as the destination address. External users report they cannot connect. The administrator checks the policy and sees the destination interface is 'wan1' and source interface is 'wan1'. What is the most likely issue?
A.The destination interface should be the internal interface, not wan1
B.The policy needs NAT enabled
C.The source interface should be the internal interface
D.The VIP is not associated with the policy
AnswerA
After DNAT, the packet is destined to internal server; the outgoing interface should be internal.
Why this answer
For inbound DNAT, the firewall policy must have the incoming interface as source interface and internal interface as destination interface. If both are set to wan1, the traffic is not forwarded to the internal network.
An administrator wants to allow access to an internal web server from the internet using a public IP address 203.0.113.10. The internal server has IP 10.0.0.5. Which FortiGate feature should be configured to translate the destination IP?
A.Virtual IP (VIP)
B.Central SNAT
C.Policy-based routing
D.IP Pool
AnswerA
VIP translates the destination IP from public to private.
Why this answer
Destination NAT (DNAT) is used to translate the destination IP of incoming traffic. Virtual IP (VIP) is the FortiGate object for DNAT. Option A is correct.
A FortiGate has a policy that allows traffic from 10.0.0.0/8 to any destination with NAT enabled using an IP pool 'Pool1' (203.0.113.10-203.0.113.20). The admin notices that internal servers using fixed ports (e.g., SIP) are failing. What is the likely cause?
A.The policy order is incorrect
B.The IP pool is configured with one-to-one NAT
C.The IP pool uses fixed port range, which should work
D.The IP pool is configured with overload (PAT), which changes source ports
AnswerD
Overload modifies source ports; protocols like SIP need consistent ports.
Why this answer
When an IP pool is configured with overload (PAT), the FortiGate translates the source IP address and also changes the source port to a random high port. For protocols like SIP that rely on fixed source ports (e.g., UDP 5060), this port remapping breaks the application because the SIP server expects traffic from a specific port. Option D correctly identifies this as the root cause.
Exam trap
The trap here is that candidates assume any IP pool will preserve source ports, but overload (PAT) mode explicitly changes them, which breaks applications that require fixed source ports like SIP, DNS, or TFTP.
How to eliminate wrong answers
Option A is wrong because policy order is irrelevant here; the traffic is matching the correct policy, but the NAT behavior is causing the issue. Option B is wrong because one-to-one NAT preserves the source port, so fixed-port protocols like SIP would work; the problem is with overload (PAT) changing ports. Option C is wrong because a fixed port range in the IP pool does not prevent PAT from altering source ports; the pool's overload mode overrides any fixed port configuration.
A FortiGate administrator is troubleshooting why traffic from a specific host (10.0.1.100) to a web server (203.0.113.50) is being denied. The administrator has confirmed that a firewall policy exists that should allow the traffic. Which TWO diagnostic commands would help identify the issue?
Select 2 answers
A.get system performance status
B.diagnose firewall policy list
C.diagnose debug flow
D.execute ping-options source 10.0.1.100
E.diagnose sniffer packet any 'host 203.0.113.50' 4
AnswersB, C
Shows all policies with IDs, allowing verification of policy order and details.
Why this answer
Option B is correct because 'diagnose firewall policy list' displays the effective policy table, including policy IDs, match criteria, and action (accept/deny). This helps verify whether the policy intended for the traffic is actually present and in the correct order. Option C is correct because 'diagnose debug flow' enables real-time packet flow tracing, showing exactly which policy is matched (or not) and why the traffic is denied, such as a policy hit with action 'deny' or a session table lookup failure.
Exam trap
The trap here is that candidates often confuse packet sniffing (which shows raw traffic) with flow debugging (which shows the firewall's internal decision process), leading them to choose 'diagnose sniffer packet' instead of 'diagnose debug flow' for identifying policy-based denials.
A FortiGate has two firewall policies for HTTP traffic to the internet: Policy A (source: 10.0.1.0/24) and Policy B (source: 10.0.2.0/24). Both policies have the same destination and service. The admin wants to apply a traffic shaper to limit bandwidth for Policy B. Which TWO actions are correct? (Choose two.)
Select 2 answers
A.Apply the shaper to both policies and use a different shaper for Policy B
B.Use a QoS queue on the outgoing interface
C.Create a traffic shaping policy that matches Policy B's source and apply the shaper
D.Enable traffic shaping on the VDOM
E.Configure a traffic shaper and apply it directly to Policy B in the firewall policy settings
AnswersC, E
Traffic shaping policies can also be used.
Why this answer
To apply a traffic shaper to a specific policy, you need to either select the shaper in the policy configuration, or use a traffic shaping policy. Also, ensure that the shaping policy is enabled and applied correctly.
Which TWO statements about firewall policy order are true?
Select 2 answers
A.If a packet does not match any policy, it is allowed by default
B.Policies are evaluated in the order they appear (top-down)
C.A more specific policy should be placed below a less specific one to avoid shadowing
D.Once a policy is matched, subsequent policies are still evaluated for logging purposes
E.Policy order can be changed by dragging policies in the GUI or using CLI commands
AnswersB, E
Top-down, first-match evaluation is the default behavior.
Why this answer
FortiGate firewalls evaluate policies sequentially from top to bottom. The first policy that matches the packet's source, destination, service, and other attributes is applied, and no further policies are checked. This top-down evaluation is fundamental to policy design and troubleshooting.
Exam trap
The trap here is that candidates often confuse the default action (implicit deny) with an allow-all, or they mistakenly think that logging can be performed by multiple policies after a match, when in reality only the matched policy's logging settings apply.
An administrator needs to block traffic from a specific geographic region (e.g., country) from reaching the corporate web server. Which type of address object should be used to define the source?
A.Wildcard FQDN object
B.FQDN object
C.Subnet object
D.Geography object
AnswerD
Geography objects allow selection by country/region using GeoIP, enabling policy enforcement based on geographic location.
Why this answer
Option D is correct because a Geography object in FortiGate is specifically designed to represent traffic based on geographic location (e.g., country, continent). When used in a firewall policy's source field, it allows the administrator to block or allow traffic originating from an entire country without needing to manage individual IP addresses or subnets, leveraging FortiGate's GeoIP database.
Exam trap
The trap here is that candidates may confuse Geography objects with FQDN or Subnet objects, mistakenly thinking they can manually define country IP ranges via subnets, but FortiGate's GeoIP feature automates this with a dedicated object type.
How to eliminate wrong answers
Option A is wrong because a Wildcard FQDN object matches domain names with wildcard patterns (e.g., *.example.com) and is used for web filtering or DNS-based policies, not for blocking traffic based on geographic region. Option B is wrong because an FQDN object resolves to a specific IP address or set of IP addresses via DNS, which cannot represent an entire country's IP range. Option C is wrong because a Subnet object defines a specific IP range (e.g., 192.168.1.0/24) and would require manually aggregating all IP ranges for a country, which is impractical and error-prone.
A FortiGate has a policy that matches traffic from LAN to WAN with NAT enabled and an IP pool. The pool contains IPs 203.0.113.1 to 203.0.113.5. The administrator notices that all traffic appears to come from 203.0.113.1. Which THREE reasons could explain this?
Select 3 answers
A.Only one source IP is generating traffic
B.The IP pool is configured with 'type one-to-one'
C.The IP pool is configured with 'type overload' and all source ports are being used
D.The IP pool is configured with 'type fixed port range'
E.The 'set nat' command is missing from the policy
AnswersA, B, D
If only one client, all traffic will use that client's translation.
Why this answer
If all traffic uses the first IP in the pool, the possible reasons are: the pool is configured for fixed port range, which might allocate only one IP; the NAT mode is not overload (which uses multiple IPs); or a single session is using all ports.
Refer to the exhibit. A FortiGate has this policy configured. Traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP is being logged as allowed. However, users report that they cannot access the web server. What is the most likely issue?
A.NAT is not enabled on the policy
B.The policy is placed below a deny policy
C.The service is set to HTTP but the server uses HTTPS
D.The policy is disabled
AnswerA
Without NAT, the server may send replies directly to the client's private IP, which is not routable.
Why this answer
The correct answer is A because the policy allows traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP, but without NAT enabled, the return traffic from the web server will be sent directly to the source IP (10.0.1.x) without going through the FortiGate. Since the source is a private IP, the server cannot route back to it unless the FortiGate performs source NAT (SNAT) to translate the source IP to its own interface IP. Without NAT, the session is logged as allowed but the client never receives the server's response, resulting in a connectivity failure.
Exam trap
The trap here is that candidates see 'allowed' in the logs and assume connectivity is working, overlooking the fact that NAT is required for return traffic when the source is a private IP destined for a different subnet or the internet.
How to eliminate wrong answers
Option B is wrong because if a deny policy existed above this allow policy, the traffic would be denied and logged as blocked, not allowed. Option C is wrong because the policy explicitly matches HTTP (TCP port 80), and if the server uses HTTPS (TCP port 443), the traffic would not match this policy at all and would be handled by a different policy or default deny. Option D is wrong because if the policy were disabled, traffic would not match it and would not be logged as allowed; it would either match another policy or be implicitly denied.
An administrator configures Central SNAT for traffic going from internal network (10.0.0.0/8) to the internet. The rule uses an IP Pool with overload (PAT) and the pool address is 203.0.113.10. However, traffic from 10.0.0.10 to a public server is not being NATed; the source IP remains 10.0.0.10. The firewall policy allows the traffic. What is the most likely cause?
A.The firewall policy does not have NAT enabled
B.The IP Pool is configured for one-to-one NAT instead of overload
C.The Central SNAT rule's source interface is set to 'wan1' instead of 'internal'
D.The IP Pool is configured with 'Fixed Port Range' which conflicts with overload
AnswerA
If Central SNAT fails to match, the policy must have NAT enabled for policy-based NAT to apply. Without it, no translation occurs.
Why this answer
Central SNAT rules are evaluated before policy-based NAT. If a Central SNAT rule exists but does not match the traffic (e.g., wrong source interface, destination, or pool), FortiGate falls back to policy-based NAT. If the firewall policy has no NAT enabled, the traffic is not translated.
The admin likely has Central SNAT configured incorrectly or the policy has NAT disabled.
A FortiGate administrator wants to allow traffic from the internal network to a specific external server using its fully qualified domain name (FQDN) rather than an IP address, because the server's IP changes frequently. Which type of address object should the administrator create for the destination?
A.Subnet object
B.Wildcard FQDN object
C.Geography object
D.FQDN object
AnswerD
FQDN object resolves a single domain name to its IP address.
Why this answer
The correct answer is D, FQDN object. FortiGate FQDN objects resolve domain names to IP addresses dynamically, allowing the firewall to update the destination IP automatically when the server's IP changes. This is ideal for scenarios where the external server uses a fully qualified domain name and its IP address is not static.
Exam trap
The trap here is that candidates may confuse Wildcard FQDN objects (used for domain pattern matching) with standard FQDN objects (used for DNS resolution to a single IP), leading them to select Option B incorrectly.
How to eliminate wrong answers
Option A is wrong because a Subnet object defines a range of IP addresses using a network prefix (e.g., 10.0.0.0/24), which cannot accommodate a dynamically changing IP address tied to an FQDN. Option B is wrong because a Wildcard FQDN object is used for matching multiple subdomains (e.g., *.example.com) in firewall policies, not for resolving a single FQDN to its current IP address. Option C is wrong because a Geography object identifies traffic based on geographic location (country or region) using IP geolocation databases, not by domain name resolution.
A FortiGate has a policy that enables NAT with an IP pool that uses overload (port address translation). The administrator notices that some applications are failing because they require a fixed source port range. What should the administrator do to resolve this?
A.Change the IP pool type to 'Fixed Port Range'
B.Disable NAT and use policy-based routing
C.Use Central SNAT instead of policy-based NAT
D.Enable 'Preserve Source Port' in the firewall policy
AnswerA
Fixed Port Range assigns a fixed port range, meeting the application requirement.
Why this answer
The IP pool overload mode uses dynamic port allocation, which can break applications needing a consistent port range. The 'Fixed Port Range' option in the IP pool configuration assigns a fixed port range to each session, preserving the original source port or a fixed range. Option A is correct.
An administrator needs to configure a firewall policy that allows internal users to access a specific web server on the internet using its domain name. The web server's IP address may change. Which type of address object should be used as the destination in the policy?
A.IP Range object that covers the entire public IP space
B.Subnet object with the current IP address
C.FQDN address object
D.Geography object
AnswerC
FQDN objects allow DNS resolution to be used, so the policy works even if the IP changes.
Why this answer
An FQDN address object resolves the domain name to IP addresses dynamically. This allows the policy to adapt to IP changes, unlike a subnet object.
An administrator is configuring policy-based routing (PBR) on a FortiGate to route traffic from a specific subnet (172.16.1.0/24) through a different internet connection (wan2) instead of the default route via wan1. The administrator has created a PBR rule matching source 172.16.1.0/24 and set the gateway to the next-hop IP on wan2. The traffic is still using wan1. Which THREE of the following could be causing the issue? (Choose three.)
Select 3 answers
A.The PBR rule's gateway is not reachable from the FortiGate
B.The PBR rule's priority is set too high (e.g., 100) and a static route with lower priority is used instead
C.The PBR rule is applied to the wrong incoming interface
D.The PBR rule is disabled
E.The PBR rule's destination is set to 'all' but the traffic's destination is not covered
AnswersA, C, D
If the next-hop is unreachable, the rule is not used and traffic falls back to the routing table.
Why this answer
PBR requires the rule to be enabled, the gateway to be reachable, and the rule's priority to be higher (lower number) than other routes. Also, the PBR must be applied to the correct incoming interface. If the interface is wrong, or the gateway is unreachable, or the rule is disabled, PBR will not work.
An administrator runs 'diagnose sys session filter dport 443' and sees the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?
A.The session is in the process of being established and has not completed the TCP three-way handshake
B.The session is a UDP session because the proto_state is 01
C.The session has been closed and is being removed from the session table
D.The session is fully established and has been active for 3600 seconds
AnswerA
proto_state=01 means the first SYN has been sent but no SYN-ACK received, indicating the handshake is incomplete.
Why this answer
The output shows `proto=6` (TCP), `proto_state=01`, `duration=3600`, and `expire=3599`. In FortiGate session diagnostics, `proto_state=01` for TCP indicates the session is in the SYN-SENT state, meaning the initial SYN packet has been sent but the three-way handshake (SYN-ACK) has not yet been received. The session has been active for 3600 seconds but has not yet completed establishment, which is why the correct answer is A.
Exam trap
The trap here is that candidates see `duration=3600` and assume the session is fully established and active, but they overlook that `proto_state=01` indicates the TCP handshake is incomplete, not an established connection.
How to eliminate wrong answers
Option B is wrong because `proto=6` explicitly indicates TCP, not UDP (UDP uses protocol 17), and `proto_state=01` is a TCP state indicator, not a UDP one. Option C is wrong because a closed session being removed would show a `proto_state` of 06 (TIME_WAIT) or 07 (CLOSE_WAIT), and the expire timer would be very low or zero, not 3599 seconds. Option D is wrong because a fully established TCP session would show `proto_state=02` (ESTABLISHED), not `01` (SYN-SENT); the duration of 3600 seconds with an expire of 3599 suggests the session has been waiting for handshake completion for that entire time, which is abnormal.
An admin is configuring a policy-based NAT rule (central NAT) to translate internal users' source IPs to the external IP of the FortiGate interface. However, users complain that some applications fail. The admin notices that the NAT rule is using 'dynamic IP pool' with overload. What is the MOST likely cause of the application failures?
A.The IP pool is exhausted and no more translations are available
B.The route to the destination is missing
C.The applications are sensitive to NAT and require a fixed port range
D.The firewall policy does not have NAT enabled
AnswerC
Some applications (e.g., SIP, FTP) need predictable port mappings; overload can break them.
Why this answer
Applications sensitive to NAT, such as SIP, H.323, or FTP, often require a fixed port range or an explicit NAT rule that preserves the original source port. When a dynamic IP pool with overload (PAT) is used, the FortiGate may change the source port, breaking protocols that embed IP addresses or port information in the payload. This is the most likely cause of application failures in this scenario.
Exam trap
The trap here is that candidates often assume IP pool exhaustion (Option A) is the cause, but the question specifies 'some applications fail' rather than all traffic failing, pointing to application-layer NAT sensitivity rather than resource exhaustion.
How to eliminate wrong answers
Option A is wrong because an exhausted IP pool would cause new sessions to fail, but existing sessions would continue; the complaint is about application failures, not a complete inability to connect. Option B is wrong because a missing route would prevent all traffic to the destination, not just specific applications. Option D is wrong because the question states a policy-based NAT rule is configured, which inherently enables NAT; the firewall policy does not need a separate NAT enable checkbox when central NAT is used.
An admin needs to configure NAT so that internal users (10.0.0.0/24) accessing the internet (any destination) are translated using an IP pool (203.0.113.10-203.0.113.20) with overload. The admin also needs to ensure that traffic from a specific server (10.0.0.100) always uses a fixed source port range (10000-20000) when translated. Which TWO configuration steps are required? (Choose two.)
Select 2 answers
A.Configure the IP pool with one-to-one NAT
B.Create a central SNAT rule for 10.0.0.0/24 using the IP pool with overload enabled
C.Use policy-based NAT instead of central SNAT
D.Disable NAT on the firewall policy for the server
E.Create a central SNAT rule for 10.0.0.100 using the IP pool with fixed port range enabled
AnswersB, E
This translates the subnet with PAT.
Why this answer
To achieve this, the admin must configure a central SNAT rule for the subnet with overload, and a separate central SNAT rule for the server that uses the fixed port range setting. Alternatively, the server could have a policy-based NAT with fixed port range, but central SNAT is specified. The question implies using central SNAT for both.
An administrator wants to apply policy-based routing (PBR) to route traffic from a specific subnet through a different ISP. Which TWO elements must be configured?
Select 2 answers
A.A policy route object with source subnet and gateway
B.A static route with a higher distance
C.A firewall policy that matches the same traffic and allows it
D.An SD-WAN rule
E.A VIP to change the destination
AnswersA, C
The policy route defines the routing decision.
Why this answer
PBR uses policy routes that define a source and destination, and a gateway/interface. A policy route is created, and the traffic must also be allowed by a firewall policy (typically matching the same criteria).
An admin configures a firewall policy with a schedule object that restricts access to Monday to Friday from 9:00 to 17:00. A user attempts to connect on Saturday at 10:00. Which of the following best describes what happens?
A.The traffic is allowed because the schedule is only used for logging
B.The traffic is allowed because the schedule is optional
C.The FortiGate skips this policy and tries the next policy; if no match, implicit deny blocks the traffic
D.The traffic is denied because the schedule is not valid
AnswerC
Policy evaluation continues; if no policy matches, traffic is dropped by implicit deny.
Why this answer
If the schedule does not match the current time, the firewall policy is not evaluated for that traffic. The FortiGate continues to check subsequent policies. If no other policy matches, the implicit deny rule blocks the traffic.
A FortiGate administrator observes that traffic from a specific subnet is being denied even though there is an allow policy for that subnet. The administrator checks the policy list and sees an explicit deny policy above the allow policy. What should the administrator do to allow the traffic?
A.Add a new policy with a higher ID
B.Move the allow policy above the deny policy
C.Disable the deny policy
D.Delete the deny policy
AnswerB
Changing order ensures the allow policy matches first.
Why this answer
Since policies are evaluated top-down, the deny policy above the allow policy will match first. The administrator should move the allow policy above the deny policy (or adjust the deny policy to exclude the subnet).
An admin needs to allow traffic from a specific IP to a web server on port 8080. The web server is behind a VIP that forwards port 80 to port 8080. When configuring the security policy, which destination should be used?
A.The virtual IP address of the FortiGate
B.The real server IP address
C.The VIP object
D.Any destination, because the VIP translates automatically
AnswerC
The VIP object is the destination in the policy, and FortiGate will translate to the real server.
Why this answer
When using VIP, the security policy destination should reference the VIP object, not the real server IP. The VIP handles the translation of destination IP and port.
A FortiGate has multiple VDOMs. The administrator needs to allow traffic from VDOM A (port1) to VDOM B (port2). What type of firewall policy is required?
A.An inter-VDOM policy on the inter-VDOM link interface
B.A policy using a virtual wire pair
C.A regular intra-VDOM policy on VDOM A with destination interface port2
D.A policy on each VDOM with the same source/destination
AnswerA
Inter-VDOM link policies allow traffic between VDOMs.
Why this answer
An inter-VDOM link policy (or simply a policy between VDOMs) must be configured, often using a physical or logical inter-VDOM link. Option A correctly identifies the need for an inter-VDOM policy.
An admin configures an IP Pool with type 'Overload' for outbound traffic from the 192.168.1.0/24 subnet. The pool uses a single public IP 203.0.113.10. After a few hours, users are unable to access external websites. The admin checks the session table and sees many sessions with the same public IP and different source ports. What is the most likely issue?
A.The session helper is misconfigured
B.The IP Pool has run out of available source ports
C.The IP Pool's public IP has been blacklisted by external websites
D.The firewall policy is not referencing the IP Pool
AnswerB
With overload NAT, a single IP can only support a limited number of simultaneous sessions due to port number exhaustion.
Why this answer
The IP Pool is configured with type 'Overload' (Port Address Translation), which maps multiple internal hosts to a single public IP by using unique source ports. With a single public IP (203.0.113.10), the maximum number of concurrent sessions is limited by the available source ports (approximately 65,535 per IP, minus reserved ports). Once all source ports are consumed, new outbound sessions cannot be established, causing users to lose access to external websites.
Exam trap
The trap here is that candidates may confuse 'Overload' with 'Static NAT' or think the issue is policy-related, but the key clue is the session table showing many sessions with the same public IP and different source ports, which directly points to source port exhaustion under PAT.
How to eliminate wrong answers
Option A is wrong because a misconfigured session helper would affect specific application-layer protocols (e.g., FTP, SIP) by failing to translate embedded IP addresses or ports, not cause a complete exhaustion of source ports for all outbound traffic. Option C is wrong because blacklisting by external websites would block traffic to specific destinations, not prevent new sessions from being created due to port exhaustion; the session table would still show active sessions with the same public IP. Option D is wrong because if the firewall policy were not referencing the IP Pool, no NAT would be applied, and sessions would use the egress interface's IP directly, not the pool's IP; the symptom of many sessions with the same public IP and different source ports indicates that the IP Pool is indeed being used.
An administrator configures a policy-based NAT rule to translate traffic from 10.0.0.0/8 to 203.0.113.1 using an IP Pool with overload. Later, they also enable Central SNAT for the same traffic. The traffic is not being NAT'd as expected. What is the MOST likely reason?
A.Both NAT methods are applied, causing double NAT
B.Central SNAT overrides policy-based NAT
C.The IP Pool used in policy-based NAT is also used in Central SNAT, causing a conflict
D.Policy-based NAT always overrides Central SNAT
AnswerB
When Central NAT is enabled, policy-based NAT rules are ignored for the matching traffic.
Why this answer
Central SNAT takes precedence over policy-based NAT when both are configured. The Central SNAT rule might be incorrect or missing, causing unexpected behavior.
A FortiGate has two policies for traffic from port1 to port3: Policy 1 (destination 10.0.1.0/24, schedule always, action accept) and Policy 2 (destination 10.0.2.0/24, schedule 'Weekdays', action accept). A packet destined to 10.0.2.10 arrives on Wednesday at 2 PM. Which policy is applied?
A.Policy 2 because it matches the destination and the schedule is active
B.Both policies are applied sequentially
C.Neither; the implicit deny applies
D.Policy 1 because it is listed first
AnswerA
Policy 2 matches all criteria and the schedule is valid, so it is the first (and only) match.
Why this answer
Policy 2 is applied because it matches the destination IP (10.0.2.10) and the schedule 'Weekdays' is active on Wednesday at 2 PM. FortiGate uses a first-match approach only when multiple policies have the same priority; here, Policy 1 does not match the destination, so Policy 2 is the only matching policy. Since the schedule is valid, the action 'accept' is executed.
Exam trap
The trap here is that candidates assume policy order alone determines matching (Option D), but they overlook that the destination must match first, and schedules must be active for the policy to be considered.
How to eliminate wrong answers
Option B is wrong because FortiGate does not apply multiple policies sequentially to a single session; it uses a first-match model where only the first matching policy is applied. Option C is wrong because the implicit deny only applies when no explicit policy matches the traffic, but Policy 2 matches and is active. Option D is wrong because Policy 1 does not match the destination (10.0.2.10 is not in 10.0.1.0/24), so it is not considered regardless of its order.
An organization wants to authenticate VPN users using an LDAP server. They configure an LDAP server object and a user group. However, users are unable to authenticate. The administrator checks the logs and sees 'authentication failed' errors. What is the most common misconfiguration?
A.The user group is not configured with the correct members
B.The LDAP server uses SSL/TLS but the FortiGate is not configured for it
C.The LDAP server bind DN or password is incorrect
D.The LDAP server is not reachable from the FortiGate
AnswerC
Incorrect bind credentials prevent the FortiGate from querying the directory.
Why this answer
The most common misconfiguration when LDAP authentication fails is an incorrect bind DN or password. The FortiGate uses the bind DN to authenticate to the LDAP server before it can search for users; if these credentials are wrong, the LDAP server rejects the bind request, resulting in an 'authentication failed' log entry. This error occurs even before user credentials are checked, making it a frequent root cause.
Exam trap
The trap here is that candidates assume 'authentication failed' refers to the VPN user's credentials, but it actually indicates the LDAP server rejected the FortiGate's bind request due to incorrect bind DN or password.
How to eliminate wrong answers
Option A is wrong because the user group membership affects authorization (which users are allowed), not the initial LDAP bind authentication; the 'authentication failed' error occurs at the bind stage, not after a successful user lookup. Option B is wrong because if the LDAP server uses SSL/TLS but FortiGate is not configured for it, the error would typically be a connection timeout or TLS handshake failure, not a generic 'authentication failed' message. Option D is wrong because if the LDAP server were unreachable, the log would show a connection error or timeout, not an 'authentication failed' error, which indicates the server was reached but rejected the bind.
An administrator is creating firewall policies for a FortiGate that separates the internal network (10.0.1.0/24) from a DMZ (192.168.1.0/24). The goal is to allow HTTP traffic from the internal network to the DMZ web server (192.168.1.10) but deny all other traffic. What is the recommended security posture for the implicit deny policy?
A.Set the allow policy to also deny all other traffic using security profiles
B.Disable the implicit deny policy and create a catch-all deny policy
C.Create an explicit deny policy with logging enabled before the allow policy
D.Rely on the implicit deny policy at the end of the policy list, which will block all traffic not explicitly allowed
AnswerD
Implicit deny provides a default-deny posture, which aligns with least privilege.
Why this answer
The implicit deny policy is a default, hidden policy at the end of the FortiGate policy list that denies all traffic not explicitly allowed by a preceding policy. Since the administrator wants to allow only HTTP from the internal network to the DMZ web server and deny everything else, a single allow policy plus the implicit deny is the correct and recommended posture: nothing else is permitted unless an administrator deliberately adds a policy. One practical addition: the implicit deny does not log by default, so enable 'Log Violation Traffic' on it to see what it is dropping.
Exam trap
The trap here is that candidates may think they need to create an explicit deny policy with logging to block unwanted traffic, not realizing that the implicit deny already performs this function and that placing a deny policy before the allow policy would break the intended traffic flow.
How to eliminate wrong answers
Option A is wrong because security profiles inspect traffic a policy has already accepted; they cannot deny traffic that no policy permits. Option B is wrong because the implicit deny cannot be disabled or deleted; a manual catch-all deny only duplicates it, although a logged explicit deny is sometimes added deliberately to record what is blocked. Option C is wrong because a deny policy placed before the allow policy would match the HTTP traffic first and block it, since FortiGate evaluates policies in sequence and stops at the first match.
An administrator configures a firewall policy allowing traffic from the internal network to the internet with NAT enabled. Users report that some outbound connections fail intermittently. The administrator runs 'diagnose sys session list' and sees many sessions in 'proto_state=01' with a short TTL. What is the most likely cause?
A.The firewall policy has the wrong source interface
B.The destination port is blocked by an implicit deny rule
C.The antivirus profile is blocking the connections
D.The IP pool used for SNAT has exhausted its address range
AnswerD
Why this answer
Option D is the intended answer. An IP pool has a fixed set of addresses, and with an overload pool each address offers a finite number of translated source ports per destination; once they are used up, new outbound sessions cannot be allocated a translation and fail while existing sessions carry on, which is exactly an intermittent failure pattern. Two cautions on the exhibit: for TCP, proto_state=01 means ESTABLISHED (SYN_SENT is 02), so the state value by itself is not evidence of a failure, and 'expire' is the time left before the session ages out and is reset by every packet, so a short TTL only says the session has been idle. On recent FortiOS versions 'diagnose firewall ippool-all stats' reports pool utilisation; exhaustion is fixed by adding addresses to the pool or by choosing a pool type sized for the number of hosts.
Exam trap
The trap is reading 'proto_state=01' as a failure state. On a TCP session it is ESTABLISHED, so candidates who fixate on it pick a policy or profile problem; the real clue is that NAT is enabled and some connections succeed while new ones fail, which points to a depleted translation resource.
How to eliminate wrong answers
Option A is wrong because a policy with the wrong source interface never matches, so all of the host's traffic falls to the implicit deny consistently, not intermittently, and 'diagnose debug flow' would show the drop at the policy check. Option B is wrong because the implicit deny blocks a flow every time, and denied packets do not create session table entries at all. Option C is wrong because an antivirus block is recorded as a UTM event against a specific file or URL and repeats for that content; it does not produce a scattering of failed outbound connections unrelated to content.
An administrator needs to ensure that a firewall policy applies only during business hours (Monday to Friday, 9:00 AM to 6:00 PM). What object should be configured and applied to the policy?
A.Service group
B.Address group
C.Schedule object
D.Traffic shaper
AnswerC
Schedule objects define when a policy is active.
Why this answer
A schedule object defines when a policy is active. A recurring schedule ('config firewall schedule recurring') takes a set of days and a start and end time, so Monday to Friday 09:00 to 18:00 is a single object; a one-time schedule covers a fixed date range instead. Every policy carries a schedule field, which defaults to 'always'; replacing it with the business-hours object makes the policy match only inside that window, and outside it the traffic falls through to the next policy or to the implicit deny.
Exam trap
The trap here is that candidates confuse a schedule object with a service group or traffic shaper, mistakenly thinking time-based access can be achieved via port grouping or QoS policies, whereas FortiGate explicitly requires a schedule object for time-of-day policy enforcement.
How to eliminate wrong answers
Option A is wrong because a service group is used to group multiple protocol/port definitions (e.g., TCP/80, TCP/443) for application-layer matching, not for time-based enforcement. Option B is wrong because an address group aggregates IP addresses or FQDN objects for source/destination matching, not for controlling when a policy is active. Option D is wrong because a traffic shaper controls bandwidth allocation and QoS (e.g., guaranteed/ maximum bandwidth), not the temporal activation of a firewall policy.
An administrator configures a Virtual IP (VIP) to map the public IP 203.0.113.10 port 8080 to the internal server 192.168.1.100 port 80. External users report they cannot connect. The firewall policy allows inbound traffic to the VIP. What is the MOST likely missing configuration?
A.The destination in the firewall policy is set to the public IP directly instead of the VIP object
B.The VIP is configured with port forwarding disabled
C.The server's default gateway is not set to the FortiGate
D.The source NAT is not configured
AnswerA
Using the raw public IP bypasses the VIP translation. The policy must reference the VIP object.
Why this answer
When a VIP exists, the policy that should permit the inbound traffic must name the VIP object (or an address group containing it) as its destination. The lookup is done on the original destination, 203.0.113.10:8080, and the destination NAT to 192.168.1.100:80 is applied only when the matching policy references the VIP; a destination of 'all' or a plain address object for 203.0.113.10 does not trigger the translation, so the server never sees the connection.
Exam trap
The trap here is that candidates assume the firewall policy should use the public IP as the destination, not realizing that the VIP object must be referenced in the policy for the NAT translation to be applied.
How to eliminate wrong answers
Option B is wrong because the question already describes a port mapping (external 8080 to internal 80), which is exactly what the VIP's port forwarding setting ('set portforward enable') provides; with port forwarding disabled the VIP is a static one-to-one NAT that forwards every port unchanged, so 8080 would reach the server on 8080 rather than 80. Option C describes a genuine failure mode (if the server's replies do not route back through the FortiGate they are never un-translated, an asymmetric-routing problem), but it is a routing setting on the server rather than a missing FortiGate configuration, and in a normal DMZ design the FortiGate is the server's gateway. Option D is wrong because a VIP performs destination NAT only; source NAT on the inbound policy is optional, used at most to force return traffic through the FortiGate at the cost of hiding the client IP from the server.
A FortiGate administrator needs to block all traffic from a specific IP address (10.0.0.100) to the internet, but allow all other internal users. The administrator has created a firewall policy with source=10.0.0.100, destination=all, service=all, action=DENY, and placed it at the top of the policy list. Which TWO additional steps should the administrator take to ensure the block is effective? (Choose two.)
Select 2 answers
A.Enable the policy
B.Configure an IP Pool for the deny policy
C.Add a schedule to the policy for business hours
D.Ensure no other policy above this one allows traffic from 10.0.0.100
E.Set the action to ACCEPT
AnswersA, D
The policy must be enabled and must sit above any policy that would accept traffic from the host.
Why this answer
Option A is correct because only an enabled policy (status enable) is evaluated. New FortiGate policies are created enabled by default, but a policy saved or later toggled to disabled is skipped entirely, so the first thing to verify is that the deny is enabled. Option D is correct because lookup is first-match: if any policy earlier in the sequence accepts traffic from 10.0.0.100, the deny is never reached, and a later reordering can silently defeat it. Option B is wrong because an IP pool only applies source NAT on accept policies and is meaningless on a deny. Option C is wrong because a business-hours schedule would leave the host unblocked outside those hours. Option E is wrong because ACCEPT would permit exactly the traffic that must be blocked.
Exam trap
The trap is assuming that position at the top of the list is enough: a disabled policy, or an ACCEPT for the same source later moved above it, defeats the block. Enabling 'Log Violation Traffic' on the deny policy gives a record that confirms it is being hit.
You run the following CLI command on a FortiGate:
# diagnose debug flow filter saddr 192.168.1.10
# diagnose debug flow show function-name enable
# diagnose debug enable
# diagnose debug flow trace start 10
You then initiate a ping from 192.168.1.10 to 8.8.8.8. The output shows 'no matching policy'. What does this indicate?
A.The traffic is being NAT'd but not logged
B.The debug filter is incorrectly configured
C.There is a routing issue preventing the traffic
D.The traffic is dropped by the implicit deny rule
AnswerD
Since no policy matches, the implicit deny at the end drops the traffic.
Why this answer
The message means the packet was evaluated against the policy list and no policy accepted it, so it fell to the implicit deny (policy 0); on current FortiOS the trace line reads 'Denied by forward policy check (policy 0)'. The usual causes are a missing policy for this source, destination and service, the intended policy placed below a matching deny, or a disabled policy. A routing problem would show up earlier in the same trace (the 'find a route' step fails before the policy check is reached), and a wrong filter would produce no output for this host at all rather than a policy verdict.
You execute 'get firewall policy 5' and see the following output:
policyid=5
name="test"
status=enable
schedule="always"
logtraffic=all
What does 'logtraffic=all' mean?
A.Only the first packet of each session will be logged
B.Only traffic that triggers a security profile will be logged
C.Only traffic that is denied by the policy will be logged
D.All traffic matching the policy will be logged, regardless of action
AnswerD
'logtraffic all' logs every session that matches the policy, not only sessions with UTM events.
Why this answer
Option D is correct because 'logtraffic all' generates a traffic log for every session the policy handles (one log per session, written at session close, plus a session-start log if 'logtraffic-start' is also enabled), not only for sessions that triggered a security profile ('logtraffic utm'). It is the setting that gives a full audit trail of what the policy accepted or, on a deny policy, what it blocked. Note that it logs sessions, not individual packets.
Exam trap
The trap here is that candidates confuse the three logtraffic values (all, utm, disable) with the separate 'logtraffic-start' option, or assume 'all' only covers blocked traffic.
How to eliminate wrong answers
Option A is wrong because logging at session start is a separate option ('set logtraffic-start enable'), not a value of logtraffic. Option B is wrong because logging only sessions with a security profile event is the behaviour of 'logtraffic utm'. Option C is wrong because there is no 'deny' value; on a deny policy the same 'logtraffic all' keyword is what the GUI shows as 'Log Violation Traffic'.
Refer to the exhibit. An administrator configures the policies as shown. Traffic from 10.0.0.0/8 to the internet on HTTP is denied. What is the most likely reason?
A.The Allow-HTTP policy uses service HTTP but the traffic uses HTTPS
B.The Deny-All policy is placed above the Allow-HTTP policy
C.The Allow-HTTP policy has the wrong source interface
D.The Allow-HTTP policy is disabled
AnswerB
The Deny-All policy sits earlier in the sequence, so it is matched first; the position in the list decides, not the policy ID (ID 0 is reserved for the implicit deny).
Why this answer
In FortiGate firewall policies, the first matching policy is applied to traffic. The Deny-All policy is placed above the Allow-HTTP policy, so traffic from 10.0.0.0/8 to the internet on HTTP matches the Deny-All policy first and is denied before reaching the Allow-HTTP policy. This is a classic policy ordering issue.
Exam trap
The trap here is that candidates often assume policies are evaluated based on a 'most specific match' logic rather than the actual sequential order, leading them to overlook the policy placement as the root cause.
How to eliminate wrong answers
Option A is wrong because the question states the traffic uses HTTP, not HTTPS, so there is no service mismatch. Option C is wrong because nothing in the exhibit indicates an incorrect source interface; the issue is policy order. Option D is wrong because the Allow-HTTP policy is not disabled; it is simply never evaluated, since the Deny-All policy earlier in the sequence matches first.
A FortiGate administrator runs the following command and sees output:
diagnose sys session filter dport 443
diagnose sys session list
...
proto=6 proto_state=01 duration=3600 expire=3599
What does this output indicate about the session?
A.The session has expired
B.The session is being blocked by a firewall policy
C.The session is an active TCP connection that has been established for 1 hour
D.The session is using UDP
AnswerC
duration=3600 is one hour of session life; expire=3599 is the time left before the session ages out, and it is reset by every packet.
Why this answer
The entry is a TCP session (proto=6). For TCP the right-hand proto_state digit is the TCP state and 1 is ESTABLISHED (2 would be SYN_SENT, 0 NONE); the left digit is 0 for a flow-based session. duration=3600 means the session has existed for an hour, and expire=3599 against the default 3600-second TCP session TTL means a packet refreshed it about a second ago, so the session is established and still active. Option C is correct. Option A is wrong because an expired session is removed from the table. Option B is wrong because denied traffic does not create a session entry. Option D is wrong because UDP would be proto=17.
A FortiGate admin creates a new firewall policy with source address object 'Internal_Net' and destination 'All'. After saving, traffic from 'Internal_Net' is not matching the new policy but instead matches an older policy with a broader source. What is the MOST likely cause?
A.The source address object 'Internal_Net' has an incorrect subnet mask
B.The new policy is placed below the older policy in the policy list
C.The new policy is disabled
D.Traffic shaping is applied to the new policy and is interfering
AnswerB
Policy lookup is sequential from top to bottom. If a broader policy is above, traffic matches it first.
Why this answer
FortiGate evaluates policies from top to bottom. The new policy must be placed above the broader policy to be matched first. By default, new policies are added at the bottom.
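The following is an added example, not FortiOS code or output: a small Python model of the policy lookup that the ordering, schedule, disabled-policy and implicit-deny questions above rely on. The policy IDs, names, addresses and dates are constructed for the example, and the schedule and service matching are deliberately simplified (weekday plus a start/end window; one protocol/port pair per service entry).

```python
"""Added example, not FortiOS code: a model of FortiGate firewall-policy lookup.
Policies are walked in list order and the FIRST match wins; a disabled policy
or one outside its schedule is skipped; anything unmatched falls through to the
implicit deny (policy ID 0).  All names, IDs, addresses and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

IMPLICIT_DENY = 0  # FortiOS displays the built-in implicit deny as policy ID 0


@dataclass(frozen=True)
class Schedule:
    """Recurring schedule: weekdays (0=Mon .. 6=Sun) plus a start/end window."""
    days: frozenset = frozenset(range(7))
    start: str = "00:00"
    end: str = "24:00"

    def active(self, when):
        hhmm = when.strftime("%H:%M")
        return when.weekday() in self.days and self.start <= hhmm < self.end


ALWAYS = Schedule()
BUSINESS_HOURS = Schedule(days=frozenset(range(5)), start="09:00", end="18:00")
ANY = ("any", 0)   # service ALL
HTTP = ("tcp", 80)
HTTPS = ("tcp", 443)


@dataclass(frozen=True)
class Policy:
    policyid: int
    name: str
    srcaddr: tuple   # CIDR strings, or "all"
    dstaddr: tuple
    service: tuple   # (proto, port) pairs; port 0 = any port of that protocol
    action: str      # "accept" or "deny"
    schedule: Schedule = ALWAYS
    status: str = "enable"


def _addr_match(addrs, ip):
    ip = ip_address(ip)
    return any(a == "all" or ip in ip_network(a) for a in addrs)


def _service_match(services, proto, port):
    return any(p == "any" or (p == proto and sp in (0, port)) for p, sp in services)


def lookup(policies, src, dst, proto, port, when):
    """Walk the list in sequence order (position decides, not the ID) and return
    (policyid, action) of the first match; otherwise the implicit deny."""
    for p in policies:
        if p.status != "enable":          # a disabled policy is skipped entirely
            continue
        if not p.schedule.active(when):   # outside its schedule a policy is inert
            continue
        if (_addr_match(p.srcaddr, src) and _addr_match(p.dstaddr, dst)
                and _service_match(p.service, proto, port)):
            return p.policyid, p.action
    return IMPLICIT_DENY, "deny"


# Constructed policies mirroring the questions above.
ALLOW_HTTP = Policy(10, "Allow-HTTP", ("10.0.0.0/8",), ("all",), (HTTP,), "accept")
DENY_ALL = Policy(20, "Deny-All", ("all",), ("all",), (ANY,), "deny")
BROAD = Policy(5, "Internal-any", ("10.0.0.0/8",), ("all",), (ANY,), "accept")
NARROW = Policy(30, "Internal_Net", ("10.0.1.0/24",), ("all",), (ANY,), "accept",
                schedule=BUSINESS_HOURS)
DISABLED_DENY = Policy(40, "Block-host", ("10.0.0.100/32",), ("all",), (ANY,), "deny",
                       status="disable")


def demo():
    mon = datetime(2024, 1, 8, 10, 0)    # constructed: a Monday at 10:00
    sat = datetime(2024, 1, 13, 10, 0)   # constructed: a Saturday at 10:00
    web = ("10.0.0.5", "198.51.100.1")
    host = ("10.0.1.10", "198.51.100.1")
    return {
        # Deny-All above Allow-HTTP: the deny wins although Allow-HTTP would match
        "deny_above_allow": lookup([DENY_ALL, ALLOW_HTTP], *web, *HTTP, mon),
        "allow_above_deny": lookup([ALLOW_HTTP, DENY_ALL], *web, *HTTP, mon),
        # HTTPS matches nothing -> implicit deny, reported as policy 0
        "implicit_deny": lookup([ALLOW_HTTP], *web, *HTTPS, mon),
        # a narrower policy added BELOW a broader one is never reached
        "narrow_below_broad": lookup([BROAD, NARROW], *host, *HTTPS, mon),
        "narrow_above_broad": lookup([NARROW, BROAD], *host, *HTTPS, mon),
        # same list on Saturday: the business-hours policy is inert
        "narrow_off_hours": lookup([NARROW, BROAD], *host, *HTTPS, sat),
        # a disabled deny at the top does not block the host
        "disabled_skipped": lookup([DISABLED_DENY, BROAD], "10.0.0.100", "198.51.100.1", *HTTPS, mon),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} -> policy {verdict[0]} {verdict[1]}")
```

The two cases to remember from the output are "narrow_below_broad" (the new, more specific policy is shadowed by the broader one above it, which is what the question describes) and "disabled_skipped" (placement alone does not enforce a block).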
An admin wants to block all traffic from the internet to a specific internal server except for the IP address 203.0.113.50. Which firewall policy configuration achieves this using the principle of least privilege?
A.Configure a VIP with restricted source
B.Use a local-in policy to block the server IP
C.Create a deny policy from internet to server with any source, then an allow policy from source 203.0.113.50 to the server above it
D.Create a single allow policy from source 203.0.113.50 to the server and rely on implicit deny for all other traffic
AnswerC
The explicit deny directly below the allow guarantees that no broader accept policy further down the list can reach the server, and gives a logged record of what was blocked.
Why this answer
Option C is correct. Least privilege is enforced by allowing only 203.0.113.50 to the server and placing a deny for every other source immediately after it. The implicit deny would also drop the remaining traffic, so Option D works as long as no other policy below accepts traffic to the server; the explicit deny removes that dependency and, with logging enabled, records the drops. The allow must sit above the deny, since lookup stops at the first match. Option A is wrong because a VIP performs destination NAT and is not where access is restricted, and Option B is wrong because local-in policies govern traffic addressed to the FortiGate itself, not traffic through it.
A FortiGate admin configures a VIP to map 203.0.113.10:80 to 10.0.1.10:8080. However, when external users connect to http://203.0.113.10, they receive a connection timeout. The firewall policy allows the traffic. What is the most likely cause?
A.The VIP is configured on the wrong interface
B.The source NAT is not configured
C.The firewall policy's destination is set to the real server IP (10.0.1.10) instead of the VIP object
D.The internal server is not listening on port 8080
AnswerC
Once the policy references the VIP object and its service covers the pre-NAT port (80, i.e. HTTP), the FortiGate applies the VIP's mapping to 10.0.1.10:8080.
Why this answer
Option C is correct. The policy is matched against the original destination, 203.0.113.10:80, and the destination NAT to 10.0.1.10:8080 is performed only when the matching policy's destination is the VIP object. A policy whose destination is the real server address 10.0.1.10 cannot match a packet addressed to 203.0.113.10, so no policy matches, the implicit deny drops it and the client sees a timeout. Option A is wrong because nothing in the question suggests the VIP is bound to the wrong interface. Option B is wrong because source NAT is not required for inbound destination NAT. Option D is plausible on the server side, but the question frames the fault as a FortiGate configuration, and a server that did not listen on 8080 would be noticed from the inside first.
An admin runs 'diagnose sys session filter saddr 10.0.1.10' and 'diagnose sys session list' to check sessions from a specific internal host. The output shows multiple sessions with destination IP 203.0.113.50 using source port 12345. The admin then checks the firewall policy and sees that the policy uses an IP pool for source NAT. What does the source port 12345 indicate?
A.The IP pool is configured for one-to-one NAT (no port translation)
B.The IP pool is using port range 12345-12345
C.This is the translated source port after PAT
D.The internal host's original source port is 12345
AnswerC
In the session list the 'hook=post dir=org act=snat' line shows the original tuple before the arrow and the translated tuple in parentheses; with an overload pool the port in parentheses is the PAT-assigned port.
Why this answer
With an overload IP pool the FortiGate performs PAT, so the translated source port is chosen by the FortiGate and need not equal the client's port. The session list shows both tuples: the 'hook=post dir=org act=snat 10.0.1.10:<orig-port>->203.0.113.50:<dst-port>(<pool-IP>:12345)' line has the original tuple before the arrow and the translated one in parentheses, so 12345 in the translated tuple is the post-NAT source port. Option A is wrong because a one-to-one pool preserves the source port, so both tuples would show the same port. Option B is wrong because an overload pool allocates ports from its full range, not a single fixed port. Option D is wrong because the client's original port is the one before the arrow.
An administrator needs to allow VoIP traffic from a remote branch (192.168.2.0/24) to the main office (10.0.0.0/8) using UDP ports 5060 and 10000-20000. What is the most efficient way to define the service in the firewall policy?
A.Create a service group containing both service objects
B.Use a custom service object with port range 5060-20000
C.Create two separate firewall policies, one for each port range
D.Use the predefined 'VoIP' service object
AnswerA
Why this answer
Option A is correct because creating a service group allows you to combine two separate service objects (one for UDP 5060 and one for UDP 10000-20000) into a single logical group, which can then be applied in one firewall policy. This is the most efficient method as it avoids duplicating policies or using an overly broad port range, and it leverages FortiGate's service group feature for clean, manageable rule sets.
Exam trap
The trap here is that candidates often assume a single port range (5060-20000) is acceptable for efficiency, overlooking the security risk of opening unnecessary ports, or they mistakenly rely on the predefined 'VoIP' service object without verifying its exact port definitions.
How to eliminate wrong answers
Option B is wrong because a single custom service with port range 5060-20000 would also open ports 5061-9999, which are not required for the VoIP traffic and would let unrelated UDP services through the policy. Option C is wrong because two separate firewall policies for one traffic flow duplicate the policy, double the administrative overhead and make later changes error-prone. Option D is wrong because FortiOS has no predefined 'VoIP' service that matches exactly UDP 5060 plus UDP 10000-20000; the predefined SIP service covers port 5060 only, and the RTP range used by a given PBX is site-specific, so a custom service object is needed for it.
A FortiGate administrator is configuring a firewall policy to allow inbound HTTPS traffic from the internet to an internal web server. The web server has a private IP address 10.0.0.10. The administrator wants to translate the destination IP to the internal server using a Virtual IP (VIP). Which TWO of the following must be configured for the VIP to work correctly? (Choose two.)
Select 2 answers
A.An IP Pool must be configured for the web server's return traffic
B.The VIP must have port forwarding enabled with the external and internal ports set to 443
C.The VIP must have the external IP set to a public IP address assigned to the FortiGate's WAN interface
D.The firewall policy must use the VIP as the destination address object
E.The firewall policy must have NAT enabled
AnswersC, D
The external IP is what inbound traffic is addressed to; it must be reachable on the FortiGate's external interface (the interface's own IP, or another address on that subnet for which the FortiGate answers ARP).
Why this answer
A VIP maps an external IP and port to an internal IP and port. Two things are mandatory: the external IP must be one the FortiGate receives traffic for on its WAN interface (Option C), and the firewall policy must use the VIP object as its destination (Option D), because a destination of 'all' or a plain address object does not apply the VIP. The policy's service must also cover the pre-NAT port, 443 here.
Option B is unnecessary because the external and internal ports are both 443; port forwarding only matters when the ports differ, and with it disabled the VIP is a one-to-one NAT of all ports to 10.0.0.10. Option A is wrong because an IP pool is a source NAT object; return traffic is un-translated by the existing session, not by a pool. Option E is wrong because NAT on the policy means source NAT, which is not needed for inbound destination NAT.
A junior admin is creating firewall policies and wants to ensure that all traffic not explicitly permitted is denied. Which FortiGate mechanism provides this behavior by default?
A.The security profile group
B.The default route
C.The last explicit deny policy in the policy list
D.The implicit deny rule
AnswerD
The implicit deny is automatically applied to all traffic not matching an explicit policy.
Why this answer
The implicit deny rule is a default, hidden policy at the end of the FortiGate firewall policy list that denies all traffic not explicitly permitted by any user-created policy. This behavior is inherent to the FortiGate operating system and ensures a default-deny posture without requiring manual configuration. It is always present and cannot be deleted or moved, providing a safety net that blocks any unmatched traffic.
Exam trap
The trap here is that candidates may think the last explicit deny policy (Option C) is the default mechanism, but FortiGate's implicit deny rule is always present and active by default, whereas an explicit deny policy must be manually added and is not a default behavior.
How to eliminate wrong answers
Option A is wrong because a security profile group is a collection of security profiles (e.g., antivirus, web filter) applied to a firewall policy, not a mechanism that denies traffic by default. Option B is wrong because the default route controls where traffic is forwarded, not whether it is permitted or denied; it does not enforce access control. Option C is wrong because while an explicit deny policy can be added to the policy list, it is not present by default; the implicit deny rule is the built-in mechanism that denies all unmatched traffic without requiring any explicit policy.
A FortiGate administrator configures a Central SNAT policy to translate internal IPs to a single public IP for internet access. However, traffic from a specific internal server (10.0.1.100) must use a different public IP. The administrator also creates a policy-based NAT rule in the firewall policy for that server. Which NAT method takes precedence?
A.Central SNAT takes precedence over policy-based NAT
B.Policy-based NAT takes precedence because it is more specific
C.Central SNAT takes precedence because it is evaluated after policy-based NAT
D.The most recently created rule takes precedence
AnswerA
Central NAT is a per-VDOM mode; when it is enabled, the NAT setting in firewall policies no longer applies and source NAT is decided only by the Central SNAT table.
Why this answer
In FortiOS, central NAT is enabled per VDOM ('config system settings' / 'set central-nat enable'). When it is on, the NAT option disappears from firewall policies and source NAT is determined solely by the Central SNAT table, so the policy-level NAT described in the question has no effect; that is what 'Central SNAT takes precedence' means here. The Central SNAT table is itself evaluated top-down, first match wins, so to give 10.0.1.100 a different public IP the administrator must add a Central SNAT entry for that host and place it above the general entry. When central NAT is disabled, the opposite holds: only the policy's NAT and IP pool settings are used.
Exam trap
The trap here is treating the two methods as coexisting layers in a specificity contest. They are alternative modes, and the specificity that matters is the order of entries within the Central SNAT table.
How to eliminate wrong answers
Option B is wrong because with central NAT enabled the per-policy NAT setting is not consulted at all, however specific it is. Option C is wrong because there is no sequential chain in which one method runs after the other; the VDOM is in one mode or the other. Option D is wrong because creation time plays no part; within the Central SNAT table, position decides.
You run 'diagnose sys session filter dport 443' and see the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?
A.The session is in the SYN_SENT state, waiting for a SYN-ACK
B.The session is using UDP protocol
C.The session is fully established and actively transferring data
D.The session is being torn down and will expire soon
AnswerC
For TCP, proto_state=01 is ESTABLISHED; SYN_SENT would be 02.
Why this answer
The entry is a TCP session (proto=6). FortiOS encodes the TCP state in the right-hand digit of proto_state, and 1 is ESTABLISHED; SYN_SENT would be 02, and a session that has only seen a SYN is governed by the short TCP half-open timer rather than a 3600-second expiry. The left digit is 0 for a kernel (flow) session and becomes non-zero only when a proxy is handling the session. duration=3600 says the session has existed for an hour, and expire=3599 says it ages out in 3599 seconds unless refreshed; because the expire timer is reset by every packet and the default TCP session TTL is 3600, a value of 3599 means the session carried a packet about a second ago. Option C is therefore correct.
Exam trap
The trap here is seeing '01' and assuming it is the first step of the handshake. The FortiOS TCP state table is not in handshake order: 0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN and SYN-ACK, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN. The near-full expire value is also not a sign of imminent teardown; it is reset by traffic.
How to eliminate wrong answers
Option A is wrong because SYN_SENT is proto_state=02, and a half-open session would not carry a 3600-second expiry. Option B is wrong because proto=6 is TCP; UDP is proto=17, and UDP sessions use proto_state 00 (no reply seen yet) or 01 (reply seen). Option D is wrong because the closing states are 4 (FIN_WAIT), 5 (TIME_WAIT), 6 (CLOSE), 7 (CLOSE_WAIT) and 8 (LAST_ACK), and an expire value of 3599 is nowhere near zero.
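The following is an added example, not Fortinet code or a real FortiGate capture: a Python decoder for one 'diagnose sys session list' entry, serving the two session-table questions and the PAT source-port question above. The sample entry is constructed and abridged from the real layout, and the meaning of the left-hand proto_state digit is stated as an assumption in the code.

```python
"""Added example, not Fortinet code: decode one 'diagnose sys session list' entry.
Shows proto / proto_state decoding, duration versus expire, and the
'hook=post dir=org act=snat' line whose tuple in parentheses is the translated
source.  SAMPLE is a constructed, abridged entry."""
import re

# Right-hand proto_state digit of a TCP session (FortiOS session diagnostics).
TCP_STATES = {
    "0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_SYNACK",
    "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
    "8": "LAST_ACK", "9": "LISTEN",
}
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

KV = re.compile(r"(\w+)=(\S+)")
HOOK = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+)->(?P<dip>[\d.]+):(?P<dport>\d+)"
    r"(?:\((?P<nip>[\d.]+):(?P<nport>\d+)\))?"
)

# Constructed sample: an outbound HTTPS session from 10.0.1.10 through an IP pool.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 use=3
state=may_dirty npu
statistic(bytes/packets/allow_err): org=1234/12/1 reply=5678/10/1 tuples=2
hook=post dir=org act=snat 10.0.1.10:54321->203.0.113.50:443(203.0.113.5:12345)
hook=pre dir=reply act=dnat 203.0.113.50:443->203.0.113.5:12345(10.0.1.10:54321)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
"""


def decode_proto_state(proto, proto_state):
    """Human-readable state.  TCP: the right digit is the TCP state; the left
    digit is 0 for kernel (flow) sessions and, by assumption here, carries the
    server-side state when a proxy handles the session.  UDP has no handshake:
    00 = no reply seen yet, 01 = reply seen."""
    if proto == 6:
        left, right = proto_state[0], proto_state[1]
        state = TCP_STATES.get(right, "UNKNOWN")
        if left != "0":
            state += " (proxied, server side %s)" % TCP_STATES.get(left, "UNKNOWN")
        return state
    if proto == 17:
        return "UDP reply seen" if proto_state == "01" else "UDP no reply yet"
    return "n/a"


def parse_session(text):
    kv = dict(KV.findall(text))
    proto = int(kv["proto"])
    snat = None
    for m in HOOK.finditer(text):
        if m["act"] == "snat" and m["nip"]:
            snat = {"orig": (m["sip"], int(m["sport"])),      # tuple before the arrow
                    "nat": (m["nip"], int(m["nport"]))}       # tuple in parentheses
    return {
        "proto": PROTOCOLS.get(proto, str(proto)),
        "state": decode_proto_state(proto, kv["proto_state"]),
        "duration": int(kv["duration"]),   # seconds since the session was created
        "expire": int(kv["expire"]),       # seconds left; reset by each packet
        "timeout": int(kv["timeout"]),     # the TTL expire counts down from
        "policy_id": int(kv["policy_id"]),
        "snat": snat,
        # PAT (overload) shows as a translated source PORT differing from the original
        "pat": bool(snat) and snat["orig"][1] != snat["nat"][1],
    }


if __name__ == "__main__":
    for key, value in parse_session(SAMPLE).items():
        print(f"{key:10} {value}")
```

Run against the sample, the decoder reports an ESTABLISHED TCP session that was refreshed one second ago (timeout 3600, expire 3599) and a source port translated from 54321 to 12345, which is the PAT case from the IP pool question.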
An admin wants to block access to malicious websites using FortiGuard Web Filtering. Which policy configuration is necessary to apply the web filter profile to HTTP/HTTPS traffic?
A.Configure a DNS filter instead of a web filter
B.Create a policy with action DENY and a web filter profile
C.Create an allow policy for HTTP/HTTPS and apply a web filter profile
D.Use an application control profile to block malicious sites
AnswerC
The web filter profile is applied to allowed traffic; the profile will block malicious sites.
Why this answer
Option C is correct because security profiles are applied to traffic a policy accepts: the HTTP/HTTPS traffic must be permitted by an allow policy, and the web filter profile attached to that policy then inspects the request and blocks URLs in malicious categories. A deny policy drops the traffic before any inspection, so a profile on it would never see a request. For HTTPS the profile can only judge the server name and certificate unless the policy also has an SSL/SSH inspection profile: certificate inspection is enough for category-based blocking, deep inspection is needed to filter on the full URL path.
Exam trap
The trap here is that candidates often think a deny policy can have a web filter profile applied to block malicious sites, but FortiGate only applies security profiles on allow policies, and deny policies simply drop traffic without inspection.
How to eliminate wrong answers
Option A is wrong because a DNS filter is used to block domains based on DNS queries, not to inspect HTTP/HTTPS content for malicious URLs; FortiGuard Web Filtering requires a web filter profile, not a DNS filter. Option B is wrong because a policy with action DENY drops all traffic before any security profiles, including web filter profiles, can be applied; web filter profiles can only be attached to allow policies where traffic is permitted and then inspected. Option D is wrong because an application control profile is designed to identify and control application traffic (e.g., Facebook, YouTube), not to block malicious websites based on URL categories; that is the function of a web filter profile.
An admin configures a VIP to map public IP 203.0.113.10:80 to internal server 10.0.0.10:8080. Users on the internet can reach the server. However, internal users trying to access the public IP from inside the network fail. What is the MOST likely reason?
A.The VIP is configured with port forwarding only for external interface
B.The firewall policy for internal users does not have NAT disabled
C.The internal server is not configured to respond to requests on port 8080
D.The internal users are using a different DNS server
AnswerA
A VIP applies only to traffic arriving on its external interface; with extintf set to the WAN interface, a request from the LAN to 203.0.113.10 is never translated.
Why this answer
A FortiGate VIP is bound to an interface ('set extintf'), and the destination NAT is applied only to packets that arrive on that interface. This VIP works from the internet, so its external interface is the WAN port; a request from an internal client to 203.0.113.10 arrives on the internal interface, where the VIP does not apply, and the packet is routed toward the internet as an ordinary destination (Option A). The fix for this hairpin case is a VIP with extintf 'any' (or a second VIP bound to the internal interface) plus an internal-to-internal policy that uses the VIP as its destination, normally with NAT enabled so that the server's replies return through the FortiGate instead of going straight to the client on the same subnet, which the client would reject because they would carry the server's private address. Option B has the fix backwards: for hairpin NAT the policy usually needs NAT enabled, not disabled. Option C is wrong because external users already reach the server on port 8080 through the VIP. Option D is wrong because the clients are addressing the public IP directly, so DNS is not involved.
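The following is an added example, not FortiOS code: a Python model of how a VIP interacts with the policy lookup, serving the VIP questions above (policy service matched on the pre-NAT port, a destination of the raw public IP not triggering DNAT, port forwarding disabled meaning a one-to-one NAT of every port, and a VIP bound to the WAN interface not applying to an internal client in the hairpin case). All VIP names, addresses and the server's listening port are constructed, and the path is simplified (source NAT and routing are not modelled).

```python
"""Added example, not FortiOS code: a model of FortiGate VIP (destination NAT)
behaviour against the policy lookup.  Names, addresses and ports are constructed;
SNAT and routing are deliberately left out of the model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VIP:
    name: str
    extip: str
    mappedip: str
    extintf: str = "any"        # "any" applies on every ingress interface
    portforward: bool = False   # False: static one-to-one NAT, port unchanged
    protocol: str = "tcp"
    extport: int = 0
    mappedport: int = 0


def apply_vip(vip, ingress_intf, dst_ip, proto, dst_port):
    """Return the post-NAT (ip, port), or None if this VIP does not apply."""
    if vip.extintf not in ("any", ingress_intf):
        return None                      # bound to another interface: no hairpin
    if dst_ip != vip.extip:
        return None
    if not vip.portforward:
        return vip.mappedip, dst_port    # static NAT forwards every port as-is
    if proto != vip.protocol or dst_port != vip.extport:
        return None                      # only the forwarded port is translated
    return vip.mappedip, vip.mappedport


def inbound(vip, ingress_intf, dst_ip, proto, dst_port, *,
            policy_dst_is_vip, policy_port, server_ports):
    """Simplified inbound path: VIP match -> policy lookup on the PRE-NAT tuple
    -> forward to the mapped address -> does the server listen there?

    policy_dst_is_vip: the policy's destination references the VIP object.
    policy_port: TCP port in the policy's service (0 = ALL).
    server_ports: ports the real server actually listens on.
    Returns (verdict, translated) where translated is (ip, port) or None."""
    translated = apply_vip(vip, ingress_intf, dst_ip, proto, dst_port)
    if translated is None:
        return "no-vip", None
    if not policy_dst_is_vip:
        return "no-dnat", None             # policy named a plain address, not the VIP
    if policy_port not in (0, dst_port):
        return "service-mismatch", None    # e.g. service HTTP (80) for a :8080 VIP
    if translated[1] not in server_ports:
        return "server-not-listening", translated
    return "ok", translated


# Constructed objects mirroring the questions above.
WEB_8080 = VIP("web-8080", "203.0.113.10", "10.0.1.10", extintf="wan1",
               portforward=True, extport=8080, mappedport=80)
WEB_STATIC = VIP("web-static", "203.0.113.10", "10.0.1.10", extintf="wan1")
WEB_HAIRPIN = VIP("web-8080-any", "203.0.113.10", "10.0.1.10", extintf="any",
                  portforward=True, extport=8080, mappedport=80)
SERVER = {80}   # constructed: the real server only listens on port 80


def demo():
    wan = ("wan1", "203.0.113.10", "tcp", 8080)        # packet from the internet
    lan = ("internal", "203.0.113.10", "tcp", 8080)    # same request from the LAN
    return {
        # policy service HTTP (80) never matches the pre-NAT port 8080
        "http_service": inbound(WEB_8080, *wan, policy_dst_is_vip=True,
                                policy_port=80, server_ports=SERVER),
        "port_8080_service": inbound(WEB_8080, *wan, policy_dst_is_vip=True,
                                     policy_port=8080, server_ports=SERVER),
        # policy destination is the raw public IP: no translation at all
        "raw_ip_dst": inbound(WEB_8080, *wan, policy_dst_is_vip=False,
                              policy_port=8080, server_ports=SERVER),
        # port forwarding disabled: 8080 is forwarded as 8080, where nothing listens
        "static_nat": inbound(WEB_STATIC, *wan, policy_dst_is_vip=True,
                              policy_port=8080, server_ports=SERVER),
        # hairpin: VIP bound to wan1 ignores the LAN packet; extintf any works
        "hairpin_wan_only": inbound(WEB_8080, *lan, policy_dst_is_vip=True,
                                    policy_port=8080, server_ports=SERVER),
        "hairpin_any": inbound(WEB_HAIRPIN, *lan, policy_dst_is_vip=True,
                               policy_port=8080, server_ports=SERVER),
    }


if __name__ == "__main__":
    for case, (verdict, translated) in demo().items():
        print(f"{case:18} {verdict:22} {translated}")
```

The hairpin cases only cover the VIP match; on a real FortiGate the internal-to-internal policy also needs NAT enabled so the server's replies return through the firewall, which this model does not represent.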
An admin needs to create a firewall policy that matches traffic based on the destination being a specific geographic location (e.g., France). Which address object should be used?
A.A geography object
B.An FQDN object
C.A subnet object
D.A wildcard FQDN object
AnswerA
Geography objects use IP geolocation databases to match traffic from/to a country.
Why this answer
A geography object is designed to match traffic by geographic location (country or region) using the GeoIP database that the FortiGate keeps updated through FortiGuard. When a firewall policy must allow or deny traffic to or from a country such as France, a geography object is the correct address type because the IP-to-country mapping is maintained for you, without manual subnet lists that would go stale as allocations change.
Exam trap
The trap here is that candidates may confuse geography objects with FQDN or wildcard FQDN objects, mistakenly thinking domain-based objects can represent geographic regions, when in fact only geography objects leverage the GeoIP database for location-based matching.
How to eliminate wrong answers
Option B is wrong because an FQDN object matches traffic based on a fully qualified domain name, not geographic location, and relies on DNS resolution to IP addresses. Option C is wrong because a subnet object defines a specific IP range or network prefix, which cannot represent an entire country's dynamic IP allocations. Option D is wrong because a wildcard FQDN object matches multiple domain names using a wildcard pattern (e.g., *.example.com), which has no relation to geographic location.
An administrator wants to allow SSH access from the internet to a server inside the network at 192.168.1.10. Which NAT configuration is needed?
A.Use policy-based routing to forward SSH traffic
B.Create a VIP mapping public IP:22 to private IP:22 and an allow policy from WAN to DMZ
C.Configure source NAT on the outbound policy from DMZ to WAN
D.Enable NAT on the WAN interface
AnswerB
The VIP translates the destination of packets that match the policy referencing it; the policy is matched against the pre-NAT destination and service (the public IP and port 22).
Why this answer
Option B is correct because to allow inbound SSH access from the internet to an internal server, you need a Virtual IP (VIP) that maps a public IP and port (e.g., 203.0.113.5:22) to the private IP and port (192.168.1.10:22), combined with a firewall policy from the WAN zone to the DMZ zone that permits SSH traffic. This is Destination NAT (DNAT), which translates the destination address of incoming packets so they are routed to the internal server.
Exam trap
The trap here is that candidates often confuse source NAT (SNAT) with destination NAT (DNAT), thinking that enabling NAT on the WAN interface alone is sufficient for inbound access, when in fact a VIP (DNAT) and an allow policy are required to translate and permit the traffic.
How to eliminate wrong answers
Option A is wrong because policy-based routing (PBR) controls the path packets take based on criteria like source/destination, but it does not perform address translation; it cannot map a public IP to a private IP for inbound access. Option C is wrong because source NAT (SNAT) translates the source IP of outbound traffic, which is used for internal hosts to access the internet, not for allowing inbound SSH from the internet to an internal server. Option D is wrong because simply enabling NAT on the WAN interface without a specific VIP or DNAT rule does not create a mapping for inbound traffic; it typically applies to outbound traffic (masquerading) or requires additional configuration to handle inbound connections.