CCNA Firewall Policies and NAT Questions

75 of 237 questions · Page 2/4 · Firewall Policies and NAT

76
Multi-Select · medium

A FortiGate administrator needs to configure source NAT for a group of internal servers (10.0.1.100-10.0.1.110) so that each server uses a unique public IP from the range 203.0.113.20-203.0.113.30. The requirement is that each internal IP maps to a fixed external IP (one-to-one mapping) and not port overload. Which TWO settings should be configured in the IP Pool? (Choose two.)

Select 2 answers
A. Type: Overload
B. Enable 'Fixed Port Range'
C. External IP Range: 203.0.113.20-203.0.113.30
D. Type: One-to-One
E. Use Central SNAT instead of IP Pool
Answers: C, D

Provides 11 IPs for 11 internal servers.

Why this answer

Option C is correct because the External IP Range must be set to 203.0.113.20-203.0.113.30 to define the pool of public IPs that will be mapped one-to-one to the internal servers. Option D is correct because Type: One-to-One ensures each internal IP is permanently mapped to a unique external IP, without port address translation (PAT), meeting the requirement of fixed one-to-one mapping.

Exam trap

The trap here is that candidates often confuse 'One-to-One' with 'Overload' and select 'Type: Overload' thinking it still provides unique IPs, but Overload always uses PAT and cannot guarantee a fixed external IP per internal host.

77
MCQ · medium

An organization has multiple remote sites connected via IPsec VPN. The administrator needs to ensure that traffic from the internal network (10.0.0.0/8) to the VPN destination (10.10.0.0/16) uses a specific interface (port2) instead of the default route. Which feature should be configured?

A. Central NAT
B. Static route with higher distance
C. Policy-based routing
D. Traffic shaping
Answer: C

PBR allows forwarding traffic based on policy criteria, overriding the routing table.

Why this answer

Policy-based routing (PBR) allows you to override the default routing table by matching traffic based on source/destination addresses and directing it to a specific egress interface (port2). This is the correct feature because the requirement is to force traffic from 10.0.0.0/8 to 10.10.0.0/16 out port2, bypassing the default route.

Exam trap

The trap here is confusing policy-based routing with static route manipulation; candidates often think a static route with a higher distance can override the default route, but distance only affects route preference, not the ability to force traffic out a specific interface when a default route with lower distance exists.

How to eliminate wrong answers

Option A is wrong because Central NAT is used for centralized NAT policy management in SD-WAN or hub-and-spoke topologies, not for overriding routing decisions. Option B is wrong because a static route with a higher distance (administrative distance) would only be used as a backup if the primary route fails; it cannot force traffic out a specific interface when a lower-distance default route exists. Option D is wrong because traffic shaping controls bandwidth allocation and QoS, not the path or interface selection for traffic.

78
MCQ · easy

A FortiGate has two firewall policies: Policy 1 (ID 1) allows HTTP from any to 10.0.0.0/8, and Policy 2 (ID 2) denies all traffic from 192.168.1.0/24 to any. Traffic from 192.168.1.10 to 10.0.0.5 on port 80 is received. Which policy will match first?

A. Policy 1 (ID 1) will match and accept the traffic
B. Both policies will match, and the traffic will be denied
C. Policy 2 (ID 2) will match and deny the traffic
D. Neither policy matches, so the traffic is dropped by default deny
Answer: A

Why this answer

Policy 1 (ID 1) matches first because FortiGate evaluates firewall policies in sequential order from top to bottom (lowest ID to highest ID) until a match is found. The source IP 192.168.1.10 falls within the 'any' source of Policy 1, and the destination 10.0.0.5 is within 10.0.0.0/8, with HTTP (port 80) matching the service. Since Policy 1 matches, it is applied and the traffic is accepted, even though Policy 2 would also match if reached.

Exam trap

The trap here is that candidates assume a more specific source (192.168.1.0/24) will override a broader source (any) due to specificity, but FortiGate uses sequential order, not longest-prefix matching, for policy selection.

How to eliminate wrong answers

Option B is wrong because FortiGate stops at the first matching policy; it does not evaluate or combine multiple policies for the same traffic. Option C is wrong because Policy 2 has a higher ID (2) than Policy 1 (1), so it is evaluated after Policy 1, which already matches and accepts the traffic. Option D is wrong because Policy 1 explicitly matches the traffic, so the implicit default deny is never reached.

79
MCQ · medium

A network administrator notices that traffic from the internal network (10.0.1.0/24) to the internet is not being matched by the intended firewall policy (ID 10). The policy uses source address 'internal_subnet' (10.0.1.0/24) and destination address 'all'. There is another policy (ID 5) with source 'all' and destination 'all' that also matches this traffic. What is the most likely reason policy 10 is not being matched?

A. Policy 5 has a higher priority because it is above policy 10 in the policy list
B. Policy 10 is configured with an expired security certificate
C. The source address object 'internal_subnet' is incorrectly configured
D. Policy 10 has a schedule that is not active
Answer: A

Policy order determines matching; first match is used.

Why this answer

FortiGate matches firewall policies from top to bottom. Policy 5 is higher in the policy list order than policy 10, so traffic matches policy 5 first and never reaches policy 10.

80
MCQ · medium

A FortiGate admin has configured a firewall policy allowing traffic from the internal network (10.0.1.0/24) to the internet (any). Users report that they cannot access a specific website (203.0.113.5). The admin runs 'diagnose firewall fqdn list' and sees that the FQDN object used in a policy above the allow policy resolves to an IP that includes 203.0.113.5. What is the MOST likely cause?

A. The destination NAT on the allow policy is misconfigured
B. The FortiGate's DNS server is not resolving the FQDN correctly
C. The antivirus profile on the allow policy is blocking the website
D. The FQDN object resolved to the IP after the policy was created, but the policy lookup uses the cached IP and matches before the allow policy
Answer: D

Policy lookup matches the first policy where source/destination conditions are met. Since the FQDN object resolved to the destination IP, a higher-priority policy matches and the intended allow policy is never evaluated.

Why this answer

Firewall policies are matched from top to bottom. If a higher-priority policy (with a lower policy ID) matches the traffic and denies or applies different NAT, it will be processed before the intended allow policy. In this case, an FQDN-based policy above the allow policy matches the destination IP, causing the traffic to be handled by that policy instead.

81
MCQ · easy

Which address object type can be used to match traffic based on the source country?

A. Wildcard FQDN
B. FQDN
C. Geography
D. Subnet
Answer: C

Geography objects use country codes to match IP addresses from that country.

Why this answer

Geography address objects allow matching based on country (or region) using the IP geolocation database. This is useful for geo-blocking.

82
Multi-Select · hard

An administrator is configuring traffic shaping on a firewall policy to limit bandwidth for YouTube. Which THREE components are required?

Select 3 answers
A. A traffic shaper object that defines bandwidth limits
B. A firewall policy that matches YouTube traffic
C. A static route for the YouTube subnet
D. A schedule object to apply the shaper only during business hours
E. Enable traffic shaping on the firewall policy and assign the traffic shaper
Answers: A, B, E

The shaper specifies max bandwidth, priority, etc.

Why this answer

Traffic shaping requires a shaping policy (or shaping rule) that matches the traffic, a traffic shaper that defines bandwidth limits, and optionally a per-IP shaper for per-user limiting.

83
MCQ · easy

What is the purpose of a schedule object in a firewall policy?

A. To specify the time of day when the policy is effective
B. To set the bandwidth limit for the policy
C. To prioritize traffic based on application
D. To limit the number of concurrent sessions
Answer: A

Correct.

Why this answer

Schedule objects define time ranges during which the policy is active. This allows time-based access control.

84
MCQ · easy

An administrator needs to allow outbound DNS traffic (UDP port 53) from multiple internal subnets to the internet. Which object type should be used to group the subnets into a single source in the firewall policy?

A. VIP group
B. Schedule group
C. Address group
D. Service group
Answer: C

Address groups combine multiple address objects (subnets, IP ranges, FQDNs) into one object, which can be used as source or destination in a policy.

Why this answer

An address group is the correct object type to group multiple internal subnets into a single source in a firewall policy. In FortiGate, address groups allow you to combine multiple IP addresses or subnets (IPv4 or IPv6) into a logical group, which can then be referenced as the source in a single firewall policy. This simplifies administration by reducing the number of policies needed to allow outbound DNS traffic from multiple subnets.

Exam trap

The trap here is that candidates often confuse address groups with service groups, mistakenly thinking that grouping subnets is done via service objects, but service groups only define protocols and ports, not IP addresses.

How to eliminate wrong answers

Option A is wrong because a VIP group is used to group multiple virtual IP (VIP) objects for destination NAT (port forwarding) or load balancing, not for grouping source subnets. Option B is wrong because a schedule group is used to group time-based schedules (e.g., daily, weekly) to control when a policy is active, not to define source addresses. Option D is wrong because a service group is used to group multiple service definitions (e.g., DNS, HTTP, HTTPS) by protocol/port, not to group source IP subnets.

85
MCQ · hard

You run the following command on a FortiGate: `diagnose sys session filter dport 443` and see: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this output indicate?

A. The session is in SYN_SENT state and the three-way handshake is not yet complete
B. The session is using UDP and the duration is 3600 seconds
C. The session is being torn down and will expire in 3599 seconds
D. The session is fully established and has been active for 3600 seconds
Answer: A

proto_state=01 for TCP indicates SYN_SENT. The handshake is incomplete.

Why this answer

The output shows `proto=6`, which indicates TCP, and `proto_state=01`, which corresponds to the TCP state SYN_SENT (0x01). This means the session has sent a SYN but has not yet received a SYN-ACK, so the three-way handshake is incomplete. The `duration=3600` and `expire=3599` indicate the session has been tracked for 3600 seconds and will expire in 3599 seconds, but the state confirms it is not yet established.

Exam trap

The trap here is that candidates see `duration=3600` and `expire=3599` and assume the session is established and about to expire, but the `proto_state=01` (SYN_SENT) clearly indicates the handshake is incomplete, not that the session is active or being torn down.

How to eliminate wrong answers

Option B is wrong because `proto=6` indicates TCP, not UDP (UDP is protocol 17). Option C is wrong because the session is in SYN_SENT state (0x01), not being torn down; a teardown would show states like FIN_WAIT or TIME_WAIT. Option D is wrong because a fully established TCP session would show `proto_state=02` (ESTABLISHED), not `01` (SYN_SENT).

86
Multi-Select · hard

A FortiGate admin is troubleshooting an issue where internal users cannot access a specific external service over TCP/443. The admin confirms that the firewall policy allows HTTP/HTTPS. Which TWO CLI commands should the admin use to diagnose? (Choose two.)

Select 2 answers
A. diagnose firewall iprope list
B. diagnose debug flow
C. diagnose sys session filter dport 443
D. get system performance status
E. execute ping 8.8.8.8
Answers: A, B

This shows the policy list and order; useful to verify if the allow policy is before any deny.

Why this answer

Option A is correct because 'diagnose firewall iprope list' displays the kernel's internal firewall rule chains, allowing the admin to verify whether the policy lookup is matching the expected rule for TCP/443 traffic. This command helps confirm that the policy is installed and active in the kernel, which is essential for troubleshooting policy-based access issues.

Exam trap

The trap here is that candidates often choose 'diagnose sys session filter dport 443' thinking it directly shows sessions, but they forget that it only sets a filter and requires an additional command to display results, making it incomplete for immediate diagnosis.

87
MCQ · medium

A FortiGate admin configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to the internet. Users report that they cannot access web pages. The admin runs 'diagnose debug flow' and sees packets hitting the policy but being dropped. What is the MOST likely cause?

A. The interface is not configured as a WAN interface
B. The policy is disabled
C. The firewall policy action is set to DENY
D. The traffic is being processed by a higher priority deny policy
Answer: C

If the policy action is set to DENY, even though the traffic matches the source/destination/service, it will be dropped. This is a common misconfiguration.

Why this answer

Traffic that matches no explicit policy is dropped by the implicit deny at the end of the policy list, and a deny policy placed above the allow policy would match first; incorrect policy ordering is a common cause of denied traffic.

However, the stem says packets hit the policy but are dropped. That indicates the policy matched and something else dropped the traffic: either a security profile action, or the policy's own action set to DENY by mistake. Of the options given, the policy action being set to DENY is the most likely cause.

88
Multi-Select · medium

An administrator needs to allow inbound SSH access from the internet to a specific internal server (10.0.1.10) on port 22. The WAN IP is 203.0.113.10. Which THREE configuration steps are required?

Select 3 answers
A. Ensure the firewall policy allows the SSH service (port 22)
B. Create a firewall policy from WAN to internal interface with destination set to the VIP
C. Configure a source NAT IP pool for outbound traffic
D. Create a Virtual IP (VIP) mapping 203.0.113.10:22 to 10.0.1.10:22
E. Enable SSL inspection on the policy
Answers: A, B, D

The policy must explicitly permit the service (SSH) to match the traffic.

Why this answer

Option A is correct because the firewall policy must explicitly permit the SSH service (TCP port 22) from the WAN to the internal server. Without a policy allowing the traffic, the FortiGate will drop the packets even if the VIP is configured correctly. The policy acts as the security gatekeeper, and the service object for SSH ensures only port 22 traffic is allowed.

Exam trap

The trap here is that candidates often assume configuring a VIP alone is sufficient, forgetting that a firewall policy must also be created to permit the translated traffic, and they may confuse source NAT (Option C) with destination NAT required for inbound access.

89
MCQ · easy

A FortiGate administrator wants to ensure that traffic from the internal network to the internet is translated to a single public IP address. Which NAT method should be used?

A. Central SNAT
B. One-to-one NAT
C. Fixed port range NAT
D. Overload NAT
Answer: D

Overload NAT uses PAT to allow many-to-one translation.

Why this answer

Overload NAT (Port Address Translation) allows many internal IPs to share one public IP by using unique source ports.

90
MCQ · medium

An administrator wants to limit the bandwidth for a specific application (e.g., YouTube) across all users. The administrator creates a traffic shaper and applies it to the firewall policy. What additional configuration is needed to identify YouTube traffic?

A. Enable deep inspection and create a URL filter
B. Create a custom service object for YouTube
C. Use a geography object to block non-local traffic
D. Apply an Application Control profile to the policy
Answer: D

Application Control identifies applications and allows traffic shaping.

Why this answer

Application control profiles identify applications by signature. After identification, traffic shapers can be applied to limit bandwidth.

91
MCQ · medium

You run `diagnose sys session filter dport 443` and see the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?

A. The TCP handshake is incomplete; the SYN-ACK has not been received
B. The session is a UDP session
C. The session has been idle for 3600 seconds
D. The session is fully established and will expire in 3599 seconds
Answer: A

State 01 is SYN_SENT, meaning the SYN has been sent but no SYN-ACK received yet.

Why this answer

The output shows a TCP session (proto=6) with proto_state=01, which in Fortinet's session table indicates the session is in the SYN-SENT state (TCP state 1). This means the initial SYN has been sent but the SYN-ACK has not yet been received, so the TCP three-way handshake is incomplete. The duration and expire values reflect the session's age and remaining lifetime, not its establishment status.

Exam trap

The trap here is that candidates see 'expire=3599' and assume the session is established and about to expire, but Fortinet's proto_state field directly reveals the TCP handshake phase, and state 01 specifically means the handshake is incomplete.

How to eliminate wrong answers

Option B is wrong because proto=6 explicitly indicates TCP (not UDP, which would be proto=17). Option C is wrong because duration=3600 shows the session has been active for 3600 seconds, not idle; idle time is tracked separately in the session table. Option D is wrong because proto_state=01 (SYN-SENT) means the session is not fully established; a fully established TCP session would show proto_state=02 (ESTABLISHED) or higher.

92
MCQ · medium

A company has a FortiGate with two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to ensure that traffic from a specific internal server (10.0.1.100) destined to the internet always exits via port2, while all other traffic uses port1. Which feature should the admin configure on the firewall policy for that server?

A. Create a VIP to redirect the traffic to port2
B. Enable policy-based routing on the policy and specify port2 as the egress interface
C. Configure a static route with a higher distance for port2
D. Set the outgoing interface to port2 in the firewall policy
Answer: B

Policy-based routing overrides the routing table for traffic matching that policy.

Why this answer

Policy-based routing (PBR) allows you to override the routing table for specific traffic based on criteria such as source IP, destination, or application. By enabling PBR on the firewall policy for server 10.0.1.100 and specifying port2 as the egress interface, the admin ensures that all traffic from that server exits via port2, while the routing table continues to direct all other traffic via port1. This is the correct approach because PBR operates at the policy level, not the routing table level, giving granular control over traffic path selection.

Exam trap

The trap here is that candidates often confuse the 'outgoing interface' field in a firewall policy as a configurable option, when in fact it is automatically derived from the routing table unless policy-based routing is explicitly enabled.

How to eliminate wrong answers

Option A is wrong because a Virtual IP (VIP) is used for destination NAT (port forwarding) to map external IPs to internal servers, not to control egress interface selection; it does not influence which WAN port traffic leaves from. Option C is wrong because configuring a static route with a higher distance for port2 would make port2 a less preferred route, so traffic would still use port1 unless the primary route fails; this does not force server traffic out port2 while keeping other traffic on port1. Option D is wrong because the outgoing interface in a firewall policy is a read-only field that displays the interface determined by the routing table; you cannot directly set it to port2 in the policy without PBR or a matching route.

93
MCQ · hard

An admin configures a Central SNAT rule to translate internal 192.168.1.0/24 to 203.0.113.10 when accessing the internet. However, traffic from 192.168.1.100 to 8.8.8.8 shows source IP 192.168.1.100 in logs. What is the MOST likely cause?

A. The Central SNAT rule is disabled
B. The Central SNAT rule is applied to the wrong outgoing interface
C. The firewall policy has an IP pool configured, overriding Central SNAT
D. The destination address in the Central SNAT rule is incorrect
Answer: C

Policy-based NAT (IP pool attached to policy) takes precedence over Central SNAT rules.

Why this answer

Central SNAT rules are only used when the firewall policy has NAT enabled but no specific IP pool configured. If the policy uses policy-based NAT (i.e., an IP pool is attached to the policy), Central SNAT is bypassed, because policy-based NAT takes precedence over Central SNAT rules.

94
MCQ · medium

A company has a web server in the DMZ that must be accessible from the internet on both HTTP and HTTPS. The admin configures a VIP to map the public IP to the server's private IP. However, external users can only reach HTTP. What is the MOST likely cause?

A. The VIP is configured for port forwarding only for HTTP (port 80)
B. The web server is not listening on HTTPS
C. The VIP is using overload mode instead of one-to-one
D. The firewall policy allowing traffic to the VIP only permits HTTP
Answer: A

VIP port forwarding must specify each port; HTTPS (443) is not included.

Why this answer

The VIP (Virtual IP) configuration on a FortiGate maps a public IP and port to a private IP and port. If the VIP is configured only for port forwarding on TCP 80 (HTTP), it will not translate traffic for TCP 443 (HTTPS). This is the most likely cause because external users can reach HTTP but not HTTPS, indicating the VIP itself is not handling HTTPS traffic.

Exam trap

The trap here is that candidates often assume the firewall policy is the issue, but the VIP itself must be configured to forward the specific ports; a policy allowing all traffic is useless if the VIP does not translate the destination port for HTTPS.

How to eliminate wrong answers

Option B is wrong because if the web server were not listening on HTTPS, the connection would still reach the server and fail there, whereas the symptom is that external users cannot reach HTTPS at all, which points to a VIP or policy issue rather than server configuration. Option C is wrong because overload mode (PAT) and one-to-one mode (DNAT) can both handle multiple ports; the mode does not restrict which ports are forwarded. Option D is wrong because, although a firewall policy that permits only HTTP would also block HTTPS, the question states the VIP is configured for port forwarding only for HTTP, so the VIP itself is the root cause; a policy issue would be secondary and less likely given the VIP configuration.

95
Multi-Select · medium

A FortiGate administrator needs to allow inbound HTTPS traffic to a web server located at 192.168.1.10. The public IP is 203.0.113.5. The administrator wants to translate the destination to the internal server and also translate the source port to a fixed range for logging purposes. Which TWO configuration elements are required?

Select 2 answers
A. Create a Virtual IP (VIP) mapping 203.0.113.5 to 192.168.1.10
B. Create a firewall policy from WAN to DMZ allowing HTTPS and referencing the VIP as destination
C. Configure Central SNAT to translate the server's source IP for return traffic
D. Create an IP pool with fixed port range for source translation
E. Enable 'allow source port translation' on the VIP
Answers: A, B

A VIP is necessary for destination NAT (DNAT) to forward public IP to internal server.

Why this answer

A Virtual IP (VIP) is required to map the public IP (203.0.113.5) to the internal server IP (192.168.1.10) for destination NAT. This allows inbound HTTPS traffic to be translated to the private server. Additionally, a firewall policy from WAN to DMZ must reference the VIP as the destination and allow HTTPS to permit the traffic and apply the NAT translation.

Exam trap

The trap here is that candidates often confuse VIPs (destination NAT) with IP pools (source NAT) or Central SNAT, mistakenly thinking source translation is needed for inbound traffic, when the question specifically requires destination translation and fixed port mapping for logging.

96
Multi-Select · medium

An admin is configuring a firewall policy to allow FTP traffic from a client to a server. The server is behind a VIP that translates public IP 203.0.113.10 port 21 to private IP 10.0.0.10 port 21. The admin wants to ensure the FTP data channel works correctly. Which TWO additional configurations are required? (Choose two.)

Select 2 answers
A. Enable FTP ALG on the firewall policy
B. Enable NAT on the policy for return traffic
C. Create a separate policy for the data channel
D. Configure a service object for FTP data port (TCP 20)
E. Ensure the policy allows both control and data connections by using the predefined FTP service
Answers: A, E

FTP ALG inspects FTP traffic and manages data connections.

Why this answer

FTP uses separate control and data connections. FortiGate's FTP ALG (application layer gateway) or session helper is needed to inspect FTP traffic and handle dynamic data ports. Additionally, for VIP, the policy must allow the appropriate services, and the ALG must be enabled.

97
MCQ · medium

A network admin has configured a firewall policy allowing traffic from the 'internal' zone to the 'external' zone. The policy uses a service object 'HTTP' (TCP/80). Users report they can access HTTP websites but not HTTPS. The admin confirms no other policies block HTTPS. What is the most likely cause?

A. The FortiGate needs to perform SSL inspection on HTTPS traffic
B. There is a policy ordering issue; a later policy might block HTTPS
C. HTTPS traffic is being dropped by implicit deny because no policy matches it
D. The service object 'HTTP' also includes TCP/443 by default
Answer: C

Since the policy only allows HTTP, HTTPS falls through to the implicit deny rule and is dropped.

Why this answer

The policy only permits HTTP (TCP/80). HTTPS uses TCP/443, which is not allowed unless a separate service is defined.

98
MCQ · medium

An admin wants to apply different QoS markings to traffic from two different departments. The admin creates two firewall policies: one for Sales (policy ID 1) and one for Engineering (policy ID 2). Both policies have traffic shaping enabled. However, traffic from both departments receives the same QoS marking. What is the MOST likely mistake?

A. The policies are in the wrong order
B. QoS marking is only applied at the interface level
C. The traffic shaping policy is applied globally
D. The admin applied the same traffic shaper to both policies
Answer: D

To differentiate, different shapers must be used.

Why this answer

The traffic shaping policy must be associated with the firewall policy. If the same traffic shaper is applied to both policies, they will get the same markings. The question implies different markings are desired, so the admin likely used the same shaper.

99
MCQ · medium

A network admin configures a firewall policy allowing HTTP traffic from internal users to an external web server. The policy uses a service object 'HTTP' defined as TCP/80. However, users cannot reach the server. What is the MOST likely cause?

A. The external web server is using HTTPS (TCP/443) instead of HTTP
B. The source address object does not include the users' subnet
C. The policy order is wrong; the policy is placed after a deny-all policy
D. The interface is set to the wrong zone
Answer: A

The service object allows only TCP/80; if the server expects TCP/443, the traffic is blocked by implicit deny.

Why this answer

The service object 'HTTP' is defined as TCP/80, but HTTPS uses TCP/443. The web server is likely expecting HTTPS on TCP/443. The policy should allow TCP/443.

100
MCQ · hard

An admin configures a one-to-one IP Pool to map 10.0.1.0/28 to 203.0.113.16/28. A host with IP 10.0.1.5 initiates a connection to the internet. Which source IP will be used for the translated packet?

A. 203.0.113.20
B. 203.0.113.21
C. 203.0.113.5
D. 203.0.113.16
Answer: B

The internal .5 maps to external .21 (16+5).

Why this answer

In a one-to-one IP Pool NAT configuration, the mapping is based on the subnet offset. The internal subnet 10.0.1.0/28 has 16 addresses (10.0.1.0–10.0.1.15), and the external pool 203.0.113.16/28 also has 16 addresses (203.0.113.16–203.0.113.31). The host 10.0.1.5 is the 6th usable IP (offset 5 from the network address), so it maps to the 6th IP in the external pool: 203.0.113.16 + 5 = 203.0.113.21.

Exam trap

The trap here is that candidates often mistakenly add the host portion of the internal IP (e.g., .5) directly to the external network address (e.g., 203.0.113.16 + .5 = 203.0.113.21) but then incorrectly select 203.0.113.20 due to off-by-one errors, or they confuse the mapping with dynamic PAT where the source port is translated instead of the IP.

How to eliminate wrong answers

Option A (203.0.113.20) is wrong because it corresponds to offset 4 (10.0.1.4), not offset 5. Option C (203.0.113.5) is wrong because it incorrectly uses the host portion of the internal IP as the last octet of the external IP, ignoring the pool base address. Option D (203.0.113.16) is wrong because it is the first address in the pool (network address), which is typically reserved and not assigned to hosts; the mapping starts from the first usable IP, which is 203.0.113.17 for 10.0.1.1.

101
Multi-Select · medium

A FortiGate admin needs to configure source NAT for traffic from the internal network (10.0.0.0/8) to the internet. The requirement is to translate all internal IPs to a range of public IPs (203.0.113.1-203.0.113.10) while preserving the source port for specific applications. Which TWO configurations can achieve this? (Choose two.)

Select 2 answers
A. Use a One-to-One IP Pool
B. Use a Dynamic IP Pool with Overload
C. Enable NAT on the policy without an IP pool
D. Configure Central SNAT with Overload
E. Use a Fixed Port Range IP Pool
Answers: A, E

One-to-one maps each internal IP to a unique public IP, preserving ports.

Why this answer

Option A is correct because a One-to-One IP Pool maps each internal IP to a unique public IP from the range 203.0.113.1-203.0.113.10, preserving the original source port for each session. This meets the requirement to translate all internal IPs while keeping the source port unchanged for specific applications. The pool size (10 IPs) must be sufficient for the number of concurrent internal hosts.

Exam trap

The trap here is that candidates often confuse 'preserving the source port' with PAT (overload) behavior, assuming any dynamic pool will work, but only One-to-One and Fixed Port Range pools avoid port translation and keep the original port intact.

102
MCQ · medium

An administrator creates a firewall policy to allow outbound HTTP and HTTPS traffic from the internal network to the internet. The policy uses a dynamic IP pool for SNAT. Users report that some websites load slowly or fail to load intermittently. The administrator checks the firewall logs and sees 'session helper' warnings. What is the most likely cause?

A. The policy has traffic shaping enabled that is throttling the bandwidth
B. The firewall policy is configured for proxy-based inspection, causing high latency
C. The IP pool is configured with fixed port range, limiting the number of available ports
D. The DNS server on the internal network is misconfigured
Answer: C

Fixed port range restricts the port range used for NAT, causing quicker port exhaustion and intermittent failures for many connections.

Why this answer

The 'session helper' warnings indicate that the firewall is struggling to allocate NAT sessions for the dynamic IP pool. When the IP pool uses a fixed port range, the number of available source ports per IP is limited, leading to port exhaustion under heavy HTTP/HTTPS traffic. This causes intermittent failures and slow loads as new connections are dropped or queued.

Exam trap

The trap here is that candidates confuse 'session helper' warnings with application-layer issues (like proxy latency or DNS) instead of recognizing them as a NAT resource exhaustion symptom tied to the port range limitation in the IP pool configuration.

How to eliminate wrong answers

Option A is wrong because traffic shaping throttles bandwidth but does not generate 'session helper' warnings; those are related to NAT resource exhaustion, not rate limiting. Option B is wrong because proxy-based inspection can add latency but would not cause intermittent failures tied to port availability; 'session helper' warnings are specific to NAT session allocation, not inspection mode. Option D is wrong because a misconfigured DNS server would cause consistent name resolution failures, not intermittent loading issues with 'session helper' warnings in the firewall logs.

103
Matching · medium

Match each Fortinet product to its primary role.


Matches

Next-generation firewall

Security information and event management

Centralized logging and analytics

Centralized management and policy orchestration

Advanced threat detection and analysis

Why these pairings

These products are part of the Fortinet Security Fabric.

104
MCQ · easy

Which address object type allows you to match traffic based on the domain name in the HTTPS SNI field?

A. Geography
B. Wildcard FQDN
C. Subnet
D. FQDN
Answer: B

Wildcard FQDN objects match domain names and can be used with SNI.

Why this answer

Wildcard FQDN objects can match domain names (fully qualified domain names) even with wildcards, and FortiGate can use SNI to match HTTPS traffic.

105
MCQ · hard

Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?

A. The authentication session will remain active because the firewall session is still valid
B. The user will be automatically re-authenticated without prompting
C. The firewall session will be torn down immediately
D. The authentication session will expire, and the user must re-authenticate for new traffic
Answer: D

The user will be prompted for credentials again after idle timeout.

Why this answer

Option D is correct because the authentication idle timeout of 30 minutes governs the authentication session, not the firewall session. Once the user 'jsmith' has been idle for 30 minutes, the authentication session expires. Any new HTTP traffic from 10.0.0.0/24 to 192.168.1.10 will then require re-authentication, as the firewall policy enforces authentication for that traffic.

The existing firewall session may persist briefly, but it will not allow new traffic without a valid authentication entry.

Exam trap

The trap here is that candidates confuse the firewall session timeout with the authentication idle timeout, assuming that an active firewall session keeps the authentication session alive, when in fact they are independent timers.

How to eliminate wrong answers

Option A is wrong because the authentication session is independent of the firewall session; the firewall session may remain valid for its own timeout, but the authentication session will expire after the idle timeout, requiring re-authentication for new traffic. Option B is wrong because automatic re-authentication without prompting is not a feature of FortiGate authentication; the user must be prompted or use a pre-authentication method. Option C is wrong because the firewall session is not torn down immediately; it will continue until its own session timeout or until traffic stops, but new traffic will be blocked until re-authentication occurs.

106
MCQ · easy

What is the order of evaluation for firewall policies on a FortiGate?

A. Random order
B. From bottom to top
C. From top to bottom, first match
D. By policy ID in ascending order
Answer: C

Correct.

Why this answer

FortiGate evaluates policies from top to bottom in the policy list, and the first match is applied.

107
MCQ · easy

A FortiGate policy allows traffic from the internal network to a DMZ server. The admin wants to limit access to only specific hours. Which object type should be used in the policy?

A. Address group
B. Schedule
C. Service group
D. Traffic shaper
Answer: B

Correct. Schedule objects are used to restrict policy to certain times.

Why this answer

Schedule objects define time ranges (recurring or one-time) during which a policy is effective. They are applied directly in the firewall policy.

108
MCQ · medium

A company uses FSSO (Fortinet Single Sign-On) with a domain controller. Users authenticate to the domain, and the FortiGate retrieves the login events. The firewall policy uses the FSSO group. Some users report that after logging in, they cannot access resources that require authentication. The administrator checks the FSSO status and sees that the FortiGate is receiving login events. What is the most likely cause?

A. The user is not a member of the FSSO group
B. The FSSO collector agent is not running
C. The user's IP address is not in the source address range of the policy
D. The FortiGate is not polling the domain controller
Answer: C

FSSO authenticates the user, but the policy's source address must match the user's IP.

Why this answer

Option C is correct because even though the FortiGate is receiving FSSO login events, the firewall policy also includes a source address restriction. If the user's IP address falls outside the defined source address range, the policy will not match, and the user will be denied access despite being authenticated via FSSO. The FSSO group membership is only one condition; the source IP must also satisfy the policy's source address criteria.

Exam trap

The trap here is that candidates assume receiving FSSO login events guarantees policy match, ignoring that the source address condition in the firewall policy is a separate, independent requirement that must also be satisfied.

How to eliminate wrong answers

Option A is wrong because if the user were not a member of the FSSO group, the FortiGate would not show the user as authenticated, and the administrator would not see the user's login events in the FSSO status. Option B is wrong because the FSSO collector agent is confirmed to be running since the FortiGate is receiving login events; a stopped collector agent would prevent event reception. Option D is wrong because the FortiGate is already receiving login events, which proves it is successfully polling or receiving data from the domain controller; if polling were failing, no events would appear.

109
Multi-Select · hard

A FortiGate administrator is configuring a policy-based routing (PBR) rule to send all traffic from the 'Engineering' VLAN (10.1.0.0/16) to a dedicated internet link through gateway 203.0.113.1. The administrator also wants to apply a traffic shaper to limit bandwidth. Which THREE configuration tasks must be performed?

Select 3 answers
A. Define a traffic shaper object with the desired bandwidth limits
B. Enable SD-WAN on the FortiGate
C. Configure Central NAT to translate the source IP
D. Create a policy-based route with source 10.1.0.0/16 and gateway 203.0.113.1
E. Create a firewall policy allowing traffic from Engineering VLAN to internet and apply the traffic shaper
Answers: A, D, E

The shaper must exist before it can be applied in a firewall policy.

Why this answer

Option A is correct because a traffic shaper object must first be defined with the desired bandwidth limits (e.g., maximum rate, burst size) before it can be applied to a firewall policy. Without this object, the shaper cannot be referenced or enforced.

Exam trap

The trap here is that candidates often think SD-WAN is required for PBR or that Central NAT is mandatory, when in fact PBR and traffic shaping are independent features that can be configured without SD-WAN or Central NAT.

110
MCQ · medium

A FortiGate has multiple firewall policies. Policy ID 1 allows HTTP from LAN to WAN. Policy ID 2 allows all traffic from DMZ to WAN. A packet arrives from the DMZ interface destined to a web server on the internet using HTTPS. Which policy is matched?

A. Policy ID 1, because it is first in order
B. Policy ID 2, but only if it has a service allowing HTTPS
C. Implicit deny, because no policy matches HTTPS traffic
D. Policy ID 2, because it matches the source interface and destination
Answer: D

Policy 2 allows all traffic from DMZ to WAN, including HTTPS.

Why this answer

Policy lookup is performed top-down. The first matching policy is used. Policy 1 matches only LAN traffic, not DMZ.

Policy 2 matches all traffic from DMZ to WAN, so it matches the packet.

111
Multi-Select · hard

An administrator notices that VoIP traffic (SIP) is not being inspected by the IPS profile applied to the firewall policy. The administrator suspects the traffic is being accelerated by NPU offloading. Which TWO actions can prevent NPU offloading for SIP traffic to ensure IPS inspection? (Choose two.)

Select 2 answers
A. Change the policy inspection mode to 'Proxy-Based'
B. Disable 'Allow Offload' in the policy advanced options
C. Enable 'Set SNAT' on the policy
D. Enable 'Deep Inspection' on the policy
E. Create a separate VIP for SIP
Answers: A, B

Proxy-based inspection cannot be offloaded.

Why this answer

Disabling NPU offloading per policy can be done by configuring the policy to use 'Proxy-Based' inspection or by disabling 'capwap' and 'offload' options in the firewall policy advanced settings. Also, enabling SSL inspection forces software processing.

112
Multi-Select · hard

An administrator needs to configure destination NAT for multiple internal servers using a single public IP address by differentiating based on destination port. The public IP 203.0.113.10 should map to: (A) 10.0.0.1:80 for HTTP, (B) 10.0.0.2:443 for HTTPS. Which TWO configuration steps are required? (Choose two.)

Select 2 answers
A. Create a VIP for HTTP mapping port 80 to 10.0.0.1
B. Create an IP pool for the public IP
C. Create a VIP for HTTPS mapping port 443 to 10.0.0.2
D. Configure policy-based routing for each server
E. Use Central SNAT with port forwarding
Answers: A, C

VIP defines the mapping.

Why this answer

A VIP group with multiple VIPs, each having a different port mapping, allows this. Alternatively, separate VIPs with different public ports can be used. Options A and C are correct.

113
MCQ · easy

Which of the following is NOT a valid address object type in FortiGate?

A. Subnet
B. Wildcard FQDN
C. Geography
D. MAC address
Answer: D

MAC addresses are not used in firewall policy address objects; policies use IP addresses.

Why this answer

FortiGate address objects support Subnet, Wildcard FQDN, and Geography types, but MAC addresses are not a valid address object type. MAC addresses are used in other contexts like static ARP entries or DHCP reservations, not as firewall address objects.

Exam trap

The trap here is that candidates may confuse MAC address filtering (available in some security features like device identification) with a valid firewall address object type, leading them to incorrectly select a wrong answer.

How to eliminate wrong answers

Option A is wrong because Subnet is a standard address object type in FortiGate, used to define IPv4 or IPv6 network ranges. Option B is wrong because Wildcard FQDN is a valid address object type that matches multiple FQDNs using wildcard patterns (e.g., *.example.com). Option C is wrong because Geography is a valid address object type that allows matching traffic based on source or destination country using GeoIP databases.

114
Multi-Select · medium

An admin is troubleshooting why traffic from a specific host (10.0.1.10) to a web server (203.0.113.50:80) is being denied. The FortiGate has several policies. Which TWO CLI commands should the admin use to identify which policy is matching the traffic? (Choose two.)

Select 2 answers
A. execute ping 203.0.113.50
B. diagnose firewall iprope lookup 10.0.1.10 -> 203.0.113.50 80
C. diagnose debug flow
D. diagnose firewall policy list
E. get firewall policy
Answers: B, D

Simulates the policy lookup for a specific flow, showing which policy matches.

Why this answer

'diagnose firewall policy list' shows the policy list with IDs. 'diagnose firewall iprope lookup' simulates the lookup for the given flow and shows the lookup order and the matching policy. 'get firewall policy' is a configuration command, not a real-time traffic tool. 'execute ping' tests reachability, not policy lookup.

115
MCQ · medium

An admin configures a firewall policy to allow SMTP traffic from a mail server to the internet with NAT enabled. External recipients report that the email source IP is the FortiGate's external interface IP. The admin wants the source to be a specific IP from a pool. What should the admin configure?

A. Create a central SNAT policy with the source as the mail server and the translated IP as the desired address
B. Use a VIP with port forwarding to translate the source
C. In the firewall policy, enable NAT and specify the IP pool as a fixed port range or overload
D. Enable NAT on the policy and set the IP pool configuration to use a dynamic IP pool
Answer: C

In policy-based NAT, you can enable NAT and select an IP pool. The pool can be configured for overload (PAT) or fixed port range, but the translated IP is taken from the pool.

Why this answer

Policy-based NAT allows specifying a fixed IP address or IP pool for source NAT. The admin should configure the policy's NAT settings to use a specific IP pool or IP address.

116
MCQ · hard

A company has a FortiGate 100F with two ISPs (ISP1 and ISP2) for load balancing. They use SD-WAN to direct traffic. The firewall has a policy that allows HTTP and HTTPS traffic from internal users (10.0.0.0/8) to the internet. The policy uses FSSO authentication with an Active Directory domain controller. Recently, users on the 10.0.1.0/24 subnet report that they are prompted for authentication repeatedly, even though they are domain-joined and logged in. Users on other subnets do not have this issue. The administrator checks the FSSO configuration and sees that the collector agent is running and the FortiGate is receiving login events. The FortiGate's policy is configured with source address 10.0.0.0/8 and FSSO group 'Domain Users'. The administrator also notices that the FortiGate's SD-WAN rules are configured to use ISP1 for traffic from 10.0.0.0/8 except for traffic from 10.0.1.0/24, which uses ISP2. The FortiGate's FSSO collector agent is configured to listen on the IP address 192.168.1.1, which is the IP of the interface connected to ISP1. What is the most likely cause of the authentication issue?

A. The FSSO group 'Domain Users' does not include the affected users
B. The SD-WAN rule for 10.0.1.0/24 is misconfigured and drops authentication traffic
C. The domain controller is not reachable from the FortiGate
D. The FSSO collector agent is listening on an IP that is not reachable from the 10.0.1.0/24 subnet due to SD-WAN routing
Answer: D

The collector agent's IP is on ISP1 interface, but traffic from 10.0.1.0/24 goes via ISP2, so the domain controller may not be able to send login events to that IP.

Why this answer

The FSSO collector agent listens on 192.168.1.1, which is the IP of the interface connected to ISP1. SD-WAN rules send traffic from 10.0.1.0/24 via ISP2, so authentication packets from these users (e.g., to the collector agent) may be routed through ISP2 and never reach the collector agent at 192.168.1.1, causing repeated authentication prompts. This is a classic SD-WAN routing asymmetry issue where FSSO traffic does not follow the expected path.

Exam trap

The trap here is that candidates assume FSSO authentication failures are always due to misconfigured groups or domain connectivity, overlooking how SD-WAN routing can cause asymmetric traffic flows that break the FSSO communication path.

How to eliminate wrong answers

Option A is wrong because the issue is subnet-specific (10.0.1.0/24) and other subnets work fine, indicating the 'Domain Users' group membership is not the problem. Option B is wrong because SD-WAN rules do not drop traffic; they only influence path selection, and authentication traffic (like FSSO) is not explicitly blocked by the rule. Option C is wrong because the domain controller is reachable from the FortiGate (the collector agent is running and receiving login events), and the issue is isolated to a specific subnet, not a general reachability problem.

117
MCQ · medium

An admin needs to ensure that all traffic from the 10.0.1.0/24 network to the internet uses a specific public IP address (203.0.113.10) as the source IP, with port translation enabled. The FortiGate has multiple WAN interfaces. Which NAT configuration should the admin use on the firewall policy?

A. Create an IP pool of type Overload with the range 203.0.113.10 and select it in the policy
B. Enable NAT on the policy and set the IP pool configuration to use the interface address
C. Configure a Central SNAT rule that matches the source subnet and set the translated address to 203.0.113.10
D. Use a VIP to perform destination NAT and set the source IP in the VIP configuration
Answer: A

An Overload IP pool with a single IP (or range) will perform PAT using that public IP as the source.

Why this answer

Option A is correct because an IP Pool of type Overload (Port Block Allocation) allows you to specify a single public IP address (203.0.113.10) as the translated source IP for all traffic from 10.0.1.0/24, with port address translation (PAT) enabled. This ensures that all outbound traffic uses that specific IP as the source, regardless of which WAN interface the traffic egresses, and the 'Overload' type automatically performs port translation to multiplex multiple internal hosts behind that single IP.

Exam trap

The trap here is that candidates often confuse Central SNAT rules (which are applied globally and not tied to a specific firewall policy) with policy-based IP Pool configuration, leading them to select Option C, even though the question explicitly requires the NAT configuration to be set on the firewall policy itself.

How to eliminate wrong answers

Option B is wrong because enabling NAT on the policy and setting the IP pool configuration to use the interface address would use the IP address of the egress interface itself, not the specific public IP 203.0.113.10; this does not allow you to force a different source IP than the interface address. Option C is wrong because a Central SNAT rule can match the source subnet and set the translated address to 203.0.113.10, but Central SNAT rules are applied globally and may conflict with policy-based NAT; the question explicitly asks for NAT configuration on the firewall policy, not a central rule. Option D is wrong because a VIP (Virtual IP) is used for destination NAT (DNAT), translating incoming traffic's destination IP, not for source NAT; setting a source IP in a VIP configuration is not a valid method for outbound source translation.

118
Multi-Select · medium

A FortiGate administrator is troubleshooting why traffic from a specific internal host is not being allowed through a firewall policy. The policy appears correct and is enabled. Which TWO diagnostic commands could the administrator use to determine if the traffic is matching a different policy?

Select 2 answers
A. get system performance status
B. config system ha
C. execute ping options
D. diagnose firewall iprope list
E. diagnose debug flow
Answers: D, E

This shows hit counts for each policy, indicating which policies are being matched.

Why this answer

Using diagnose debug flow to trace the packet and diagnose firewall iprope list to see policy hit counts are effective ways to identify traffic matching.

119
MCQ · medium

An admin wants to ensure that VoIP traffic (UDP ports 5060-5061) from the internal network to the internet is prioritized over other traffic when the WAN link is congested. Which feature should be configured on the firewall policy?

A. Enable NAT on the policy
B. QoS marking only (DSCP)
C. Traffic shaping policy with a guaranteed bandwidth allocation and high priority
D. Configure a security profile with QoS settings
Answer: C

Traffic shaping policies can prioritize traffic by assigning a higher priority queue.

Why this answer

Option C is correct because a traffic shaping policy with guaranteed bandwidth allocation and high priority ensures that VoIP traffic (UDP ports 5060-5061) receives the necessary bandwidth and is prioritized over other traffic during WAN congestion. Traffic shaping policies on FortiGate allow you to set guaranteed bandwidth, maximum bandwidth, and priority levels, which directly address congestion by reserving resources for critical traffic like VoIP.

Exam trap

The trap here is that candidates confuse DSCP marking (which only tags packets for external QoS) with local traffic shaping that actually enforces bandwidth guarantees and priority on the FortiGate itself, leading them to choose option B instead of C.

How to eliminate wrong answers

Option A is wrong because enabling NAT on the policy translates source IP addresses but does not provide any traffic prioritization or bandwidth guarantees during congestion. Option B is wrong because QoS marking only (DSCP) sets the Differentiated Services Code Point in the IP header for downstream devices, but on FortiGate, DSCP marking alone does not enforce local queuing or bandwidth allocation; it relies on downstream routers to honor the markings, which is insufficient for guaranteed prioritization on the WAN link. Option D is wrong because a security profile with QoS settings does not exist; security profiles (e.g., antivirus, web filtering) inspect content but do not manage bandwidth allocation or traffic priority, and QoS settings are configured separately in traffic shaping policies.

120
Matching · medium

Match each FortiGate logging destination to its description.


Matches

Stored on the FortiGate's internal memory or disk

Centralized log collector and analyzer

Standard protocol to send logs to external servers

Cloud-based log storage and management

Used for monitoring device status and performance

Why these pairings

Different logging and monitoring options on FortiGate.

121
MCQ · hard

A FortiGate has a policy-based NAT rule that translates source IPs from subnet 192.168.1.0/24 to 203.0.113.10 when accessing the internet. The admin also enables Central SNAT with a rule that translates the same subnet to 203.0.113.20. If both are configured, which translation will be applied to traffic from 192.168.1.0/24 to the internet?

A. Both translations will be applied, causing an error
B. Central SNAT because it is a global setting
C. The FortiGate will use the translation from the policy with the highest ID
D. Policy-based NAT because it is evaluated first
Answer: D

Policy-based NAT rules are evaluated before Central SNAT rules.

Why this answer

Policy-based NAT is evaluated before Central SNAT because it is directly tied to the firewall policy that matches the traffic. When a policy-based NAT rule exists for the same traffic, it takes precedence over Central SNAT rules, regardless of any global settings or rule IDs. Therefore, the source IPs from 192.168.1.0/24 will be translated to 203.0.113.10.

Exam trap

The trap here is that candidates often assume Central SNAT, being a centralized feature, overrides all other NAT rules, but FortiGate explicitly gives policy-based NAT higher precedence for traffic matching a firewall policy.

How to eliminate wrong answers

Option A is wrong because FortiGate does not apply both translations simultaneously; it selects one based on precedence, and policy-based NAT is evaluated first, so no error occurs. Option B is wrong because Central SNAT is not a global setting that overrides policy-based NAT; policy-based NAT is tied to a specific firewall policy and takes precedence over Central SNAT for that matched traffic. Option C is wrong because the FortiGate does not use the policy ID to determine NAT precedence between policy-based NAT and Central SNAT; policy-based NAT is always evaluated first regardless of ID.

122
MCQ · hard

An admin configures a policy-based NAT rule (central SNAT) to translate source IPs from 10.0.0.0/24 to a dynamic IP pool of 203.0.113.1-203.0.113.10 with overload enabled. Users report that some connections are dropped. What is the MOST likely cause?

A. The port range for each IP in the pool is exhausted
B. The firewall policy has 'set nat enable' disabled
C. The route to the internet is missing
D. The pool does not have enough IPs to cover all users
Answer: A

Each IP has a limited number of ports (around 64,000). Under heavy traffic, ports can be exhausted, causing connection drops.

Why this answer

With overload enabled (Port Address Translation), the firewall translates multiple internal IPs to a single public IP by using unique source ports. Each public IP can handle up to 65,535 ports, but the actual usable port range is often smaller due to reserved ports and system limits. When all ports on all IPs in the pool are consumed, new connections are dropped because no port can be allocated for the translation.

Exam trap

The trap here is that candidates assume the pool must have enough IPs for each user, but overload (PAT) allows many users to share a single IP, so the real bottleneck is port exhaustion, not IP count.

How to eliminate wrong answers

Option B is wrong because 'set nat enable' is a legacy setting for policy-based NAT; central SNAT rules do not require this option to be enabled on the firewall policy. Option C is wrong because a missing internet route would cause all outbound traffic to fail, not just some connections being dropped. Option D is wrong because dynamic IP pools with overload do not require one IP per user; the issue is port exhaustion, not a lack of IP addresses.

123
MCQ · hard

An administrator uses 'diagnose sys session list' and sees the following output for a session: 'proto=6 proto_state=01 duration=3600 expire=3599'. The session is for HTTPS traffic. What does 'proto_state=01' typically indicate in FortiGate?

A. The session is being NATted
B. The session is fully established and active
C. The session is in the initial connection setup phase (SYN_SENT)
D. The session is being inspected by a security profile
Answer: C

proto_state=01 indicates the TCP handshake is in progress or incomplete, suggesting the session is not fully established.

Why this answer

In FortiGate, 'proto_state=01' for TCP (proto=6) indicates the session is in the SYN_SENT phase, meaning the initial SYN packet has been sent but the three-way handshake is not yet complete. For HTTPS traffic, this shows the session is still in the connection setup stage, not fully established. The 'duration' and 'expire' values reflect the time since the session was created and the remaining timeout, which is typical for an incomplete handshake.

Exam trap

The trap here is that candidates often confuse 'proto_state=01' with a fully established session because they see 'duration' and 'expire' values and assume the session is active, but the state code explicitly indicates the handshake is incomplete.

How to eliminate wrong answers

Option A is wrong because NAT status is indicated by the 'nat' field in the session list output, not by 'proto_state'; 'proto_state=01' is a TCP state code, not a NAT indicator. Option B is wrong because a fully established and active TCP session would show 'proto_state=02' (ESTABLISHED), not '01' (SYN_SENT). Option D is wrong because security profile inspection is shown by flags like 'ips', 'av', or 'app' in the session output, not by the TCP state field; 'proto_state' only reflects the TCP handshake phase.

124
MCQ · medium

A network administrator has configured a firewall policy allowing traffic from the internal network (10.0.0.0/8) to the internet. Users report that some websites are not loading. The administrator runs 'diagnose firewall iprope list 100000' and sees the policy listed with a hit count of zero. What is the MOST likely cause?

A. The source interface or destination interface is incorrectly configured
B. The policy has a schedule that does not match the current time
C. The policy is placed below a more specific or broader policy that matches the same traffic
D. The FortiGate has a routing issue preventing traffic from reaching the internet
Answer: C

Since the hit count is zero, the traffic is being matched by an earlier policy. The policy order determines which policy is used first.

Why this answer

The hit count of zero indicates the policy is not being matched. Policy order matters; if a policy above this one matches the traffic, this policy will never be used. The administrator should check if a policy above is matching the traffic first.

125
Multi-Select · hard

An admin is troubleshooting why traffic from VLAN 10 to the internet is not being translated by a Central SNAT rule. The Central SNAT rule is configured with source interface 'port2.10', destination interface 'wan1', source address '192.168.10.0/24', and IP pool 'pool1'. The firewall policy for internet access has NAT enabled but no IP pool attached. Which THREE steps should the admin take to resolve the issue? (Choose three.)

Select 3 answers
A. Verify that the firewall policy does not have an IP pool configured
B. Ensure the Central SNAT rule's IP pool is configured with overload enabled
C. Check that the Central SNAT rule's source interface matches the actual incoming interface (port2.10)
D. Disable NAT on the firewall policy to force Central SNAT usage
E. Confirm that the firewall policy's 'NAT' option is enabled
Answers: A, C, E

If an IP pool is attached, it overrides Central SNAT.

Why this answer

Central SNAT rules require that the firewall policy has NAT enabled but no IP pool attached. If the policy has an IP pool, Central SNAT is bypassed. Also, the Central SNAT rule must match the traffic's source interface and destination interface.

Common causes are a firewall policy with an IP pool attached, a firewall policy with NAT disabled, or a Central SNAT rule whose source or destination interface does not match the traffic.

126
MCQ · medium

A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?

A. The policy is placed below a deny-all policy
B. NAT is not configured on the policy
C. The firewall does not have a route to the 10.0.0.0/8 network
D. The policy is disabled
Answer: C

Without a route, traffic from that network will be dropped.

Why this answer

The most likely cause is that the firewall does not have a route to the 10.0.0.0/8 network. Even though the policy is enabled and correctly positioned, the firewall must have a return route to the source network (10.0.0.0/8) for the web server's response traffic to reach the users. Without this route, the firewall drops the return packets, causing connectivity failure for those specific users.

Exam trap

The trap here is that candidates often focus solely on the policy configuration (order, NAT, enablement) and overlook the fundamental requirement that the firewall must have a route to the source network for return traffic to flow correctly.

How to eliminate wrong answers

Option A is wrong because a deny-all policy below the HTTP policy would not affect traffic matched by the higher-priority allow policy; the firewall processes policies top-down and stops at the first match. Option B is wrong because NAT is not required for HTTP traffic from internal users to an internal web server; NAT is typically used for translating private IPs to public IPs when accessing external networks. Option D is wrong because the question explicitly states the policy is enabled, so a disabled policy cannot be the cause.

127
MCQ · medium

An administrator needs to allow FTP traffic from the internal network to a specific server on the internet. The FTP server uses passive mode. Which service object should be used in the firewall policy to ensure proper operation?

A. Use a custom service object with TCP/21 and TCP/20
B. Use the predefined 'FTP' service object and also allow a high port range (e.g., TCP/1024-65535)
C. Use the predefined 'FTP' service object
D. Use the 'ALL' service object
Answer: B

Passive FTP requires control on TCP/21 and data on a random high port. Allowing high port range ensures data connections succeed.

Why this answer

FTP uses TCP/21 for the control connection. Passive mode uses a range of high ports for the data connection, so a generic FTP service object that covers only TCP/21 and TCP/20 (active mode) does not cover it.

A custom service with TCP/21 plus the data port range would also work, but the question asks which service object to use. The predefined 'FTP' service typically includes TCP/21 only, and many deployments create a custom service for passive FTP.

The best answer is therefore to use the predefined FTP service and also allow the ephemeral port range.

128
MCQ · easy

An admin wants to allow traffic only from specific countries to access a web server. Which type of address object should be used in the firewall policy?

A. Subnet object
B. Geography object
C. FQDN object
D. Wildcard FQDN object
Answer: B

Correct. Geography objects allow matching traffic based on the source IP's country.

Why this answer

FortiGate supports geography-based address objects that allow or deny traffic based on the source IP's country. These are configured using geography objects.

129
MCQ · easy

An admin needs to translate the source IP of traffic from multiple internal hosts to a single public IP when accessing the internet, while keeping track of each session. Which NAT method should be used?

A. Fixed port range NAT
B. One-to-one NAT
C. Central SNAT without overload
D. Overload NAT (Port Address Translation)
Answer: D

Overload NAT uses a single public IP and differentiates sessions by source port.

Why this answer

Overload NAT (also known as PAT) allows many internal hosts to share a single public IP by using different source ports.

130
Multi-Select · medium

An administrator is troubleshooting why traffic from a specific subnet (192.168.10.0/24) to the internet is not being matched by the expected firewall policy. The policy list shows an allow policy for this traffic at ID 10, but there is a deny policy at ID 5 for any traffic from 192.168.0.0/16. Which TWO statements are correct?

Select 2 answers
A. The deny policy at ID 5 is matching the traffic before the allow policy at ID 10
B. The allow policy at ID 10 will override the deny policy because it is more specific
C. The traffic will be matched by the implicit deny at the end of the policy list
D. The administrator should enable 'policy override' on the allow policy
E. The administrator should change the deny policy's source to exclude 192.168.10.0/24 or move the allow policy above ID 5
Answers: A, E

Since ID 5 has a lower numeric value, it is evaluated first. The source 192.168.10.0/24 is a subset of 192.168.0.0/16, so deny matches.

Why this answer

Option A is correct because FortiGate firewall policies are evaluated sequentially from top to bottom based on their policy ID. Since policy ID 5 (deny for 192.168.0.0/16) appears before policy ID 10 (allow for 192.168.10.0/24), traffic from 192.168.10.0/24 is matched by the broader deny policy first, and the allow policy is never reached. This is a fundamental behavior of FortiGate's policy lookup order.

Exam trap

The trap here is that candidates often assume firewall policies use a 'most specific match' logic like routing, but FortiGate strictly uses sequential first-match based on policy ID order.

131
MCQ · medium

A FortiGate administrator has configured a firewall policy allowing HTTP traffic from the internal network (10.0.1.0/24) to the DMZ server (192.168.1.10). The policy is placed after a deny-all policy that blocks traffic from internal to DMZ. Even though the allow policy is more specific, traffic is still being denied. What is the most likely cause?

A. The deny-all policy has a higher policy ID than the allow policy
B. The allow policy is configured with the wrong source interface
C. The allow policy uses a schedule that is not active at the current time
D. The deny-all policy is placed above the allow policy in the policy list
Answer: D

FortiGate evaluates policies from top to bottom. The first match applies. If the deny-all is above the allow, all traffic is denied.

Why this answer

FortiGate uses first-match logic for firewall policies. The deny-all policy is placed before the allow policy, so all traffic hits the deny policy first and is dropped. The allow policy never gets evaluated.

132
Multi-Select · hard

An administrator is troubleshooting why traffic from a specific VLAN (192.168.10.0/24) to the internet is not being NATed correctly. The firewall policy allows the traffic with NAT enabled and uses an IP Pool (overload) for the source translation. The IP Pool is configured with the address 203.0.113.10. However, the traffic still shows the original source IP. Which THREE of the following could cause this issue? (Choose three.)

Select 3 answers
A. There is a Central SNAT rule with higher priority that does not match the traffic
B. The firewall policy does not have the IP Pool selected in the NAT section
C. The IP Pool is configured on the wrong outgoing interface
D. The IP Pool uses one-to-one NAT instead of overload
E. Another firewall policy above the current one matches the traffic and either denies it or does not use NAT
Answers: B, C, E

The policy must explicitly reference the IP Pool under 'NAT' -> 'Use IP Pool'.

Why this answer

Possible causes: The policy may not have the IP Pool selected in the NAT settings; the policy order might be incorrect if another policy matches first; the IP Pool might be assigned to the wrong interface or contain a different IP range; or the traffic might be matching a different policy that doesn't use NAT. Central SNAT rules could also override, but the question specifies policy-based NAT.

133
MCQ · easy

Which statement about the implicit deny policy on a FortiGate is true?

A. It is a user-configurable policy that can be deleted
B. It allows traffic that matches no other policy
C. It can be moved to a different position in the policy list
D. It is always at the bottom of the policy list and denies all unmatched traffic
Answer: D

The implicit deny is the last policy and drops all traffic that hasn't matched any preceding policy.

Why this answer

The implicit deny policy is a built-in policy at the end of the policy list that denies all traffic not matching any explicit policy. It cannot be removed or modified.

134
Multi-Select · hard

An admin is configuring a policy-based NAT (central SNAT) to translate internal users to a pool of public IPs using overload. The admin wants to ensure that specific applications using non-standard ports are not affected by NAT. Which THREE steps should the admin consider?

Select 3 answers
A. Disable NAT for those applications by adding a policy before the NAT policy with 'set nat disable'
B. Configure a separate IP pool dedicated to those applications
C. Use a fixed port range in the IP pool configuration
D. Use central SNAT with a VIP for source NAT
E. Enable 'set nat enable' on the policy
Answers: A, B, C

This allows the traffic to bypass NAT entirely.

Why this answer

Option A is correct because adding a policy before the central SNAT policy with `set nat disable` explicitly exempts specific traffic from NAT translation. This ensures that applications using non-standard ports are not affected by the overload behavior of the IP pool, which could otherwise cause port conflicts or session failures. The policy-based NAT (central SNAT) processes policies sequentially, so a higher-priority match with NAT disabled overrides any subsequent NAT rules.

Exam trap

The trap here is that candidates often think a separate IP pool (Option B) or fixed port range (Option C) can protect non-standard port applications, but these options only affect the pool behavior, not the NAT decision itself, and they do not prevent the FortiGate from modifying the source port, which is the root cause of the issue.

135
MCQ · medium

A network admin runs 'diag sys session filter proto 6' and 'diag sys session list' and sees many sessions with state 'SYN_SENT' to a public web server. The firewall policy allows TCP/443. What is the MOST likely cause?

A. The web server is overloaded and dropping connections
B. The policy is in proxy mode but should be flow mode
C. The destination NAT (VIP) for the web server is not configured
D. The firewall policy has session TTL set too low
Answer: C

Without a VIP, the firewall does not translate the destination IP to the internal server, so the server never receives the request.

Why this answer

SYN_SENT indicates that the FortiGate has sent a SYN but not received a SYN-ACK, suggesting the server is not responding, possibly due to a missing DNAT or VIP configuration for inbound traffic.

136
Multi-Select · medium

A company has two internet connections (WAN1 and WAN2). The administrator wants to route HTTP traffic from the internal network through WAN1, and all other traffic through WAN2. Which TWO configurations are needed?

Select 2 answers
A. Define an SD-WAN rule that matches HTTP and sets WAN1 as preferred
B. Apply NAT with IP pool on the firewall policy
C. Add a static route with a lower priority to WAN1
D. Create a policy-based routing rule to send HTTP traffic to WAN1
E. Configure load balancing between WAN1 and WAN2
Answers: A, D

Why this answer

Option A is correct because SD-WAN rules allow you to define application-based routing policies. By creating an SD-WAN rule that matches HTTP traffic and sets WAN1 as the preferred interface, the FortiGate will automatically steer HTTP sessions out through WAN1 while using the default routing table (which points to WAN2) for all other traffic. This leverages the SD-WAN feature's ability to perform per-application load balancing and failover without requiring policy-based routing.

Exam trap

The trap here is that candidates often confuse policy-based routing (Option D) with SD-WAN rules (Option A), not realizing that both are valid methods for application-based routing on FortiGate, and the question asks for TWO configurations needed, so both A and D are correct.

137
MCQ · easy

Which of the following is a characteristic of policy-based NAT on a FortiGate?

A. NAT is configured directly in the firewall policy using the 'set nat' option
B. NAT is configured separately from firewall policies using Central NAT rules
C. NAT is applied to all traffic regardless of policy
D. NAT can only be used with IP pools
Answer: A

Policy-based NAT is configured per-policy.

Why this answer

Policy-based NAT uses the 'set nat' command in a firewall policy to enable source NAT, while Central NAT uses a separate NAT policy table.

138
MCQ · easy

Which statement best describes the 'implicit deny' policy on a FortiGate?

A. It can be moved to a different position in the policy list
B. It is automatically applied to all traffic that does not match any explicit policy
C. It is a configurable policy that denies all traffic
D. It logs all denied traffic by default
Answer: B

Any traffic not matched by a higher-priority allow policy is denied by the implicit deny.

Why this answer

The 'implicit deny' policy on a FortiGate is a built-in, last-resort rule that automatically denies any traffic not matching an explicit firewall policy. It is not visible in the policy list and cannot be moved, modified, or deleted; it is always applied as the final rule to ensure that only explicitly permitted traffic is allowed through the FortiGate.

Exam trap

The trap here is that candidates often confuse the implicit deny with a configurable policy, thinking it can be moved, logged, or modified, when in fact it is a fixed, non-configurable default rule that is always present and never logs traffic by default.

How to eliminate wrong answers

Option A is wrong because the implicit deny policy is not a movable entry in the policy list; it is a fixed, invisible rule that always resides at the bottom of the policy evaluation order. Option C is wrong because the implicit deny is not configurable — it is a hardcoded default behavior that cannot be edited or removed. Option D is wrong because the implicit deny does not log denied traffic by default; logging must be explicitly enabled on an explicit deny policy or via global logging settings.

139
MCQ · hard

A FortiGate with multiple WAN interfaces uses policy-based routing (PBR) to route traffic from subnet 10.0.0.0/24 through port1 and 10.0.1.0/24 through port2. However, traffic from 10.0.0.0/24 is still using port2. The PBR rule appears correctly configured. What is the MOST likely issue?

A. The source subnet in the PBR rule is incorrectly specified as 10.0.1.0/24
B. The firewall policy for that traffic has a route override setting that bypasses PBR
C. The static route for 0.0.0.0/0 has a higher administrative distance than the PBR rule
D. The PBR rule has a higher priority number than other rules
Answer: B

If the policy has an explicit route override (like setting the outgoing interface), it will bypass PBR. Disabling route override allows PBR to work.

Why this answer

PBR rules are evaluated before the routing table lookup. However, if the firewall policy that matches the traffic carries its own route override (depending on configuration), the policy's route takes precedence over PBR. PBR therefore requires that the matching policy has no route override.

Another common issue is that the policy's destination interface is set to auto or to the wrong interface, so the routing table decision takes precedence. The most common mistake, however, is that the policy created for that traffic has its 'policy-based routing' option disabled or uses a different routing method.

140
MCQ · medium

A network admin has configured a firewall policy allowing HTTPS traffic from the internal network to a DMZ web server. Users report that the web pages load slowly. The admin checks the policy and notices traffic shaping is not applied. What is the BEST action to ensure fair bandwidth distribution for HTTPS traffic?

A. Create a traffic shaping policy and apply it to the firewall policy
B. Increase the bandwidth of the internet link
C. Configure policy-based routing for HTTPS traffic
D. Enable QoS on the outgoing interface
Answer: A

Traffic shapers are applied directly to firewall policies to control bandwidth for matching traffic.

Why this answer

Traffic shaping is the correct mechanism to enforce fair bandwidth distribution for HTTPS traffic. By creating a traffic shaping policy and applying it to the firewall policy, the admin can allocate a specific bandwidth guarantee or limit for HTTPS sessions, preventing them from starving other traffic. Without shaping, HTTPS traffic can consume all available bandwidth, causing slow performance for other users.

Exam trap

The trap here is that candidates often confuse QoS (which prioritizes packets) with traffic shaping (which controls bandwidth allocation), leading them to select option D, but QoS alone does not enforce fair distribution of bandwidth across multiple sessions.

How to eliminate wrong answers

Option B is wrong because increasing the internet link bandwidth does not enforce fair distribution; it only adds more capacity, which can still be monopolized by aggressive HTTPS traffic. Option C is wrong because policy-based routing controls the path traffic takes, not bandwidth allocation; it does not shape or limit traffic. Option D is wrong because QoS on the outgoing interface is a lower-level mechanism that typically prioritizes packets based on DSCP or CoS values, but it does not provide the per-policy bandwidth control that traffic shaping offers in FortiGate.

141
MCQ · easy

A FortiGate administrator configures a firewall policy to allow HTTP traffic from internal users to the internet. The policy uses source address 'internal_subnet', destination address 'all', and service 'HTTP'. After applying the policy, users report they cannot access websites. What is the most likely cause?

A. The source interface is misconfigured
B. The destination address object 'all' is incorrect
C. The policy order is incorrect and a deny policy above is blocking the traffic
D. The policy only allows HTTP (port 80), but users are likely accessing HTTPS (port 443)
Answer: D

A common oversight: the policy only permits port 80, but most websites use HTTPS on port 443.

Why this answer

The policy explicitly allows HTTP (TCP port 80), but modern web traffic predominantly uses HTTPS (TCP port 443). Since the service object does not include HTTPS, the firewall will drop HTTPS packets by default unless a separate policy or rule permits them. This is the most likely reason users cannot access websites, as most sites redirect HTTP to HTTPS or require HTTPS for secure connections.

Exam trap

The trap here is that candidates assume 'HTTP' covers all web traffic, but FortiGate treats HTTP and HTTPS as distinct services based on port numbers, and the implicit deny will block any unmatched traffic.

How to eliminate wrong answers

Option A is wrong because the source interface misconfiguration would typically cause a complete lack of connectivity for all traffic from that interface, not just web browsing, and the policy would not match at all. Option B is wrong because the destination address object 'all' is a valid FortiGate object that represents any destination IP address, and it is correct for allowing traffic to the internet. Option C is wrong because while policy order can affect traffic matching, the question states the policy was applied and there is no indication of a deny policy above; the most direct and common cause is the service mismatch.

142
Multi-Select · medium

A FortiGate administrator needs to allow SMTP traffic (TCP port 25) from the internal network (10.0.0.0/8) to a mail server in the DMZ (172.16.0.10). The administrator wants to apply an antivirus profile and log all sessions. Which THREE configuration steps are required?

Select 3 answers
A. Create a schedule object and apply it to the policy
B. Create a firewall policy with source: 10.0.0.0/8, destination: 172.16.0.10, service: SMTP, action: ACCEPT
C. Create an antivirus profile and apply it to the policy
D. Configure NAT on the policy to translate source IPs
E. Enable logging on the firewall policy
Answers: B, C, E

Why this answer

Option B is correct because a firewall policy must be created to allow SMTP traffic from the internal network (10.0.0.0/8) to the DMZ mail server (172.16.0.10) on TCP port 25. The policy must specify the source, destination, service (SMTP), and action (ACCEPT) to permit the traffic. Without this policy, the traffic would be blocked by default.

Exam trap

The trap here is that candidates often assume NAT is required for any traffic leaving a private network, but in FortiGate, NAT is only needed when the destination is on a different network segment that requires source address translation, such as the internet, not for internal-to-DMZ traffic.

143
Multi-Select · medium

A FortiGate admin wants to ensure that traffic from the internal network (192.168.1.0/24) to the internet uses a specific public IP (203.0.113.10) for source NAT, and that the same public IP is also used for inbound connections to an internal web server (10.0.1.10) on port 443. Which TWO configurations are required? (Choose two.)

Select 2 answers
A. Configure an IP Pool with type Overload using 203.0.113.10
B. Configure a Virtual IP mapping 203.0.113.10:443 to 10.0.1.10:443
C. Create a firewall policy with source NAT enabled and the IP Pool selected
D. Configure Central SNAT with the same public IP
Answers: A, B

This provides source NAT for outbound traffic using the required public IP.

Why this answer

Option A is correct because an IP Pool with type Overload allows multiple internal hosts to share a single public IP (203.0.113.10) for source NAT when traffic goes to the internet. This is the standard method for PAT (Port Address Translation) in FortiGate, enabling many-to-one NAT.

Exam trap

The trap here is that candidates often confuse IP Pools (for source NAT) with Virtual IPs (for destination NAT), or think that enabling source NAT in a policy alone is enough without configuring the IP Pool object.

144
MCQ · medium

An administrator needs to apply traffic shaping to limit bandwidth for video streaming traffic on a firewall policy. Which configuration step is required?

A. Use an application control profile to restrict video streaming
B. Configure policy-based routing to shape traffic
C. Enable QoS on the interface and set the bandwidth limit
D. Create a traffic shaper and reference it in the firewall policy
Answer: D

Traffic shapers define bandwidth limits and are applied via policies.

Why this answer

To apply traffic shaping, a traffic shaper must be created and then referenced in the firewall policy. Option D is correct.

145
MCQ · easy

An administrator wants to restrict access to a web server from only specific countries. The FortiGate is located at the network edge. Which address object type should be used in the source field of the firewall policy?

A. FQDN address object
B. Wildcard FQDN address object
C. Geography address object
D. Subnet address object
Answer: C

Allows country-based filtering.

Why this answer

Option C is correct because a Geography address object allows the FortiGate to match traffic based on the source IP's country of origin, using the built-in GeoIP database. This is the only address object type that can restrict access by country without requiring manual IP range updates.

Exam trap

The trap here is that candidates may confuse Geography address objects with FQDN or Subnet objects, mistakenly thinking that a wildcard or domain-based object can filter by geographic location, when in fact only the Geography object leverages the FortiGate's GeoIP database for country-level matching.

How to eliminate wrong answers

Option A is wrong because an FQDN address object resolves to a specific IP address or set of IP addresses, not to a country or geographic region. Option B is wrong because a Wildcard FQDN address object matches domain names with wildcards (e.g., *.example.com) and is used for web filtering or DNS-based policies, not for geographic restrictions. Option D is wrong because a Subnet address object defines a specific IP range or network segment, which cannot dynamically represent all IPs from a particular country.

146
Multi-Select · hard

A company needs to allow inbound HTTPS traffic from the internet to a web server behind the FortiGate. The public IP is 203.0.113.10, and the internal server is 192.168.1.10. The server must receive the original source IP of the client. Which THREE configurations are required to achieve this?

Select 3 answers
A. A firewall policy from WAN to DMZ allowing HTTPS traffic to the VIP
B. Disabling source NAT on the firewall policy (set nat enable disable)
C. A static route for 203.0.113.10 pointing to the ISP gateway
D. A Central SNAT policy to translate the source to the FortiGate's IP
E. A Virtual IP (VIP) mapping 203.0.113.10:443 to 192.168.1.10:443
Answers: A, B, E

The policy must permit the traffic to the VIP destination.

Why this answer

To allow inbound HTTPS and preserve the source IP, you need a VIP to translate destination, a firewall policy allowing the traffic, and no source NAT (or use a policy that does not SNAT). SNAT would hide the original source IP.

147
Multi-Select · medium

A FortiGate administrator is implementing a policy to allow outbound traffic from the internal network to the internet. The requirements are: (1) all traffic from internal users must be source NATed to the external interface IP, (2) traffic from a specific server must use a different public IP, (3) HTTP traffic must be shaped to 10 Mbps. Which THREE configuration elements should the administrator create? (Choose three.)

Select 3 answers
A. A traffic shaper for HTTP traffic
B. A VIP for the server
C. A firewall policy with NAT enabled and the IP pool referenced
D. An IP Pool for the specific server's public IP
E. A policy-based routing rule for the server
Answers: A, C, D

Traffic shaper limits bandwidth.

Why this answer

The administrator needs an IP pool for the specific server's public IP, a traffic shaper for HTTP, and a firewall policy with NAT enabled that references the pool to apply them. Options A, C, and D are correct.

148
MCQ · medium

A FortiGate administrator wants to ensure that traffic from the 192.168.1.0/24 network to the internet is translated to a single public IP address using overload (PAT). Which NAT configuration should be used?

A. Policy-based NAT with a fixed port range
B. One-to-one NAT IP Pool
C. Virtual IP (VIP) with port forwarding
D. Central SNAT with a dynamic IP pool using overload
Answer: D

Central SNAT using an IP Pool with overload enables PAT for many-to-one translation.

Why this answer

IP Pool with Overload (PAT) allows many private IPs to be translated to a single public IP using port address translation. This is the most common configuration for internet access.

149
MCQ · medium

Given the exhibit, a user in the internal network tries to SSH to a public server (203.0.113.10). What will happen and why?

A. The SSH connection will succeed because policy 1 allows all services before policy 2 is evaluated.
B. The SSH connection will succeed because policy 2 is evaluated first.
C. The SSH connection will be blocked because policy 2 explicitly denies SSH.
D. The SSH connection will be blocked because policy 1 does not include SSH service specifically.
Answer: A

Policy 1 matches all traffic from internal to wan1, so SSH is allowed before reaching the deny policy.

Why this answer

Policy 1 is an implicit allow-all rule that matches all traffic before policy 2 is evaluated. Since FortiGate processes policies in sequential order from top to bottom, the SSH connection to 203.0.113.10 matches policy 1 first, which permits all services, including SSH. Therefore, the connection succeeds without ever reaching policy 2.

Exam trap

The trap here is that candidates assume a deny rule later in the policy list will block traffic, forgetting that FortiGate uses first-match logic, so an earlier allow-all rule takes precedence.

How to eliminate wrong answers

Option B is wrong because policy 2 is not evaluated first; FortiGate evaluates policies in sequential order from top to bottom, so policy 1 is checked before policy 2. Option C is wrong because although policy 2 explicitly denies SSH, it is never reached due to the earlier match with policy 1. Option D is wrong because policy 1 does not need to include SSH specifically; it allows all services, which inherently includes SSH.

150
MCQ · medium

A FortiGate administrator wants to ensure that traffic from the internal network to an external FTP server uses a specific source IP address (203.0.113.10). The internal network uses RFC 1918 addresses. Which NAT configuration should be used?

A. Policy-based NAT using an IP pool set to 'Fixed Port Range'
B. Virtual IP (VIP) mapping the internal server to 203.0.113.10
C. Central SNAT with dynamic IP pool
D. Policy-based NAT using an IP pool with type 'Overload' and the IP address 203.0.113.10
Answer: D

An IP pool with type 'Overload' (PAT) using a single IP will translate all matching sessions to that IP address. This meets the requirement.

Why this answer

Option D is correct because policy-based NAT with an IP pool type 'Overload' (PAT) allows multiple internal hosts to share the single public IP 203.0.113.10 for outbound traffic. This meets the requirement to translate RFC 1918 source addresses to a specific source IP when accessing an external FTP server, while preserving port multiplexing.

Exam trap

The trap here is confusing VIP (inbound destination NAT) with source NAT (SNAT), leading candidates to select Option B, even though the requirement is for outbound traffic from internal clients to use a specific source IP.

How to eliminate wrong answers

Option A is wrong because 'Fixed Port Range' IP pools are used for static port allocation, typically for protocols that require predictable ports (e.g., SIP), not for general outbound source NAT with a single IP. Option B is wrong because a Virtual IP (VIP) is used for inbound destination NAT (port forwarding) to map an external IP to an internal server, not for outbound source NAT from internal clients. Option C is wrong because Central SNAT with a dynamic IP pool would select from a range of IPs, not guarantee the specific source IP 203.0.113.10.
