CCNA Firewall Policies and NAT Questions

75 of 237 questions · Page 3/4 · Firewall Policies and NAT · Answers revealed

151 · MCQ · medium

An administrator creates a firewall policy with a traffic shaper to limit bandwidth for guest wireless users. After applying the policy, users can still consume high bandwidth. The administrator confirms the policy is matching. What is the MOST likely reason the traffic shaper is not effective?

A. The traffic shaper's maximum bandwidth is set too high
B. The traffic shaper is applied to the wrong direction (egress vs ingress)
C. The traffic shaper is configured but not applied to the policy's 'Traffic Shaper' field
D. The traffic shaper is a per-IP shaper but the policy applies to a subnet
Answer: C

Even if a shaper is defined, it must be explicitly assigned in the policy's 'Traffic Shaper' or 'Per-IP Shaper' field. If left as 'None', no shaping occurs.

Why this answer

Option C is correct because in FortiGate, a traffic shaper must be explicitly selected in the 'Traffic Shaper' field of the firewall policy to be applied. Simply creating a shaper and configuring it is insufficient; the policy's shaper field links the shaper to the traffic. Without this link, the shaper is not enforced, even if the policy matches.

Exam trap

The trap here is that candidates assume creating a traffic shaper automatically applies it to all matching traffic, but FortiGate requires explicit assignment in the firewall policy's shaper field to enforce the limit.

How to eliminate wrong answers

Option A is wrong because setting the maximum bandwidth too high would still limit bandwidth, just at a higher threshold; it would not cause the shaper to be completely ineffective. Option B is wrong because traffic shapers in FortiGate are applied per policy and control both ingress and egress directions based on the shaper type (e.g., per-policy shaper applies to both directions); direction misconfiguration would not render the shaper entirely ineffective. Option D is wrong because a per-IP shaper applied to a subnet is valid and would limit each individual IP's bandwidth; it would not cause the shaper to be ineffective.

152 · MCQ · medium

An organization needs to restrict internet access for employees to business hours only (Monday to Friday, 8:00 to 18:00). Which object should the admin use in the firewall policy?

A. A schedule object with recurring time
B. A time-range object
C. An on-time schedule
D. A calendar object
Answer: A

Schedule objects can be one-time or recurring; recurring fits this requirement.

Why this answer

Schedule objects define time ranges. The admin should create a recurring schedule for weekdays during business hours and apply it to the policy.

153 · Multi-Select · easy

A FortiGate admin is creating a firewall policy to allow outbound HTTP and HTTPS traffic from the internal network. The admin wants to ensure that traffic is inspected by security profiles (antivirus, web filter). Which THREE of the following must be configured on the firewall policy to achieve this?

Select 3 answers
A. Set the action to ACCEPT
B. Set the schedule to always
C. Apply an antivirus profile and a web filter profile to the policy
D. Configure the service to include HTTP and HTTPS
E. Enable NAT on the policy
Answers: A, C, D

Action must be ACCEPT to allow traffic; DENY would block it.

Why this answer

To inspect traffic with security profiles, the admin must enable inspection mode (proxy-based or flow-based), select the appropriate security profiles, and ensure that traffic matches the policy (correct source/destination). The service object for HTTP and HTTPS is needed to match the traffic.

154 · MCQ · hard

A FortiGate admin configures an IP pool with type 'Fixed Port Range' to translate source IPs from 192.168.1.0/24 to 203.0.113.0/28 using port range 10000-20000. After applying the IP pool to a policy, some users cannot establish connections while others work. What is the MOST likely cause?

A. The internal subnet is using RFC 1918 addresses that cannot be NATed
B. The IP pool's port range is exhausted because the number of internal hosts exceeds the number of available port ranges
C. The IP pool is configured with overload enabled, causing conflicts
D. The firewall policy has NAT disabled
Answer: B

Fixed port range provides a dedicated port block per host; if there are more hosts than port blocks, some will be denied.

Why this answer

Fixed port range assigns a unique port range per internal IP. If the number of internal hosts exceeds the number of available port ranges, no range will be available for new hosts, causing failures.

155 · MCQ · easy

Which of the following describes the implicit deny action in FortiGate firewall policies?

A. A policy that is automatically created when the first policy is added
B. A policy that denies traffic based on the source IP
C. A policy that denies all traffic and can be moved to any position
D. A default policy that denies all traffic unless explicitly allowed
Answer: D

Correct description.

Why this answer

The implicit deny is a default rule at the end of the policy list that denies all traffic not explicitly allowed. It cannot be moved or deleted.

156 · Multi-Select · hard

A FortiGate admin is troubleshooting an issue where traffic from VLAN 10 to the internet is not being NATed even though a policy-based NAT rule is configured. The admin verifies that the firewall policy uses the correct IP Pool. Which THREE steps should the admin take to diagnose the problem? (Choose three.)

Select 3 answers
A. Reboot the FortiGate to clear any session table issues
B. Examine the IP Pool configuration for correct interface binding or port exhaustion
C. Verify that the firewall policy is being hit using 'diagnose firewall fwpolicy list' or logs
D. Check the session table using 'diagnose sys session list' to see if NAT is applied
E. Disable all other firewall policies to isolate the issue
Answers: B, C, D

Misconfigured pool (e.g., wrong interface) or port exhaustion can cause NAT failure.

Why this answer

Option B is correct because policy-based NAT requires the IP Pool to be bound to the correct outgoing interface (the one the traffic egresses on). If the interface binding is wrong or the pool has exhausted its port range (e.g., all PAT ports are used), NAT will fail silently. Examining the IP Pool configuration directly reveals these misconfigurations.

Exam trap

The trap here is that candidates often assume a firewall policy with NAT enabled will always work, overlooking that the IP Pool itself must be correctly bound to the egress interface and not exhausted, and that rebooting or disabling policies are not valid diagnostic steps.

157 · MCQ · easy

A FortiGate administrator wants to create a firewall policy that matches traffic based on the destination domain name (e.g., *.example.com). Which type of address object should be used?

A. FQDN object
B. Wildcard FQDN object
C. Subnet object
D. Geography object
Answer: B

Wildcard FQDN supports patterns like *.example.com.

Why this answer

Wildcard FQDN objects allow matching based on domain name patterns like *.example.com. Option D is correct.

158 · MCQ · hard

A FortiGate has the following policy list: ID 1: allow from trust to untrust, source 10.0.0.0/24, destination all, service HTTP, NAT enabled. ID 2: allow from trust to untrust, source 10.0.1.0/24, destination all, service ALL, NAT enabled. A host 10.0.1.50 sends an HTTP request to 203.0.113.5. Which policy matches?

A. Policy ID 2 because it matches the source and service
B. Both policies, and the traffic is load-balanced
C. No policy matches, traffic is denied by implicit deny
D. Policy ID 1 because it is first in order and matches the service HTTP
Answer: A

Policy ID 2 matches source and service.

Why this answer

FortiGate uses first-match logic. Policy ID 1 matches source 10.0.0.0/24 and service HTTP. Policy ID 2 matches source 10.0.1.0/24 and service ALL.

Is the host 10.0.1.50 in 10.0.0.0/24 as well as 10.0.1.0/24? No: 10.0.1.0/24 is not a subset of 10.0.0.0/24. 10.0.0.0/24 covers 10.0.0.0-10.0.0.255, so 10.0.1.50 is not in that range. Therefore policy ID 1 does not match (source mismatch).

Policy ID 2 matches because source 10.0.1.0/24 includes 10.0.1.50 and service ALL includes HTTP. So answer B.

159 · MCQ · medium

You run 'diagnose sys session filter dport 443' and see the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?

A. The session is a TCP session that has been established for 1 hour and will expire in about 1 hour
B. The session is a UDP session with destination port 443
C. The session will expire in 3600 seconds
D. The session is a TCP session in SYN_SENT state
Answer: A

Correct interpretation.

Why this answer

Option A is correct because the output shows `proto=6`, which indicates TCP (protocol number 6), and `proto_state=01` corresponds to TCP state ESTABLISHED. The `duration=3600` means the session has been active for 3600 seconds (1 hour), and `expire=3599` indicates the session will expire in 3599 seconds (approximately 1 hour). This matches the description of a TCP session established for 1 hour with about 1 hour remaining before expiry.

Exam trap

The trap here is that candidates often confuse `duration` with `expire` or misinterpret `proto=6` as generic 'TCP' without recognizing that `proto_state=01` specifically indicates the ESTABLISHED state, not SYN_SENT or other states.

How to eliminate wrong answers

Option B is wrong because `proto=6` specifies TCP, not UDP (UDP uses protocol number 17). Option C is wrong because `expire=3599` indicates the session will expire in 3599 seconds, not 3600 seconds; the value 3600 is the duration, not the expiry time. Option D is wrong because `proto_state=01` represents the ESTABLISHED state, not SYN_SENT (which would be state 02 in Fortinet's session state encoding).

160 · MCQ · medium

An admin wants to block all traffic from a specific geographic region. Which address object type should be used in the firewall policy source?

A. FQDN
B. Subnet
C. IP range
D. Geography
Answer: D

Geography objects use IP geolocation to match traffic from specific countries.

Why this answer

Option D is correct because FortiGate firewalls include a built-in Geography address object type that allows policies to match traffic based on the source or destination IP address's registered country or region. This object uses GeoIP databases to classify IP addresses, enabling administrators to block or allow traffic from entire geographic areas without needing to manually list individual subnets or ranges.

Exam trap

The trap here is that candidates may confuse Geography with IP range or subnet, thinking they can manually compile a list of all IPs for a region, but FortiGate's Geography object automates this via the GeoIP database and is the correct, scalable approach for geographic blocking.

How to eliminate wrong answers

Option A is wrong because FQDN (Fully Qualified Domain Name) objects resolve to IP addresses via DNS and are used for policies based on domain names, not geographic location. Option B is wrong because a Subnet object defines a contiguous block of IP addresses using a network prefix (e.g., 192.168.1.0/24) and cannot represent an entire geographic region. Option C is wrong because an IP range object specifies a start and end IP address (e.g., 10.0.0.1-10.0.0.255) and is intended for arbitrary address ranges, not for geographic classification.

161 · MCQ · medium

A FortiGate has two firewall policies: Policy 1 (from port1 to port2, source all, destination 10.0.1.0/24, schedule always, action accept) and Policy 2 (from port1 to port2, source all, destination all, schedule 'Business Hours', action accept). A user attempts to connect from port1 to 10.0.1.5 at 8 PM on a Saturday. The traffic is denied. What is the most likely reason?

A. Policy 1 only matches destination 10.0.1.10, and Policy 2's schedule is not active at this time
B. The source address is not included in either policy
C. Policy 1 is placed below Policy 2 in the policy order, so Policy 2 is evaluated first
D. Policy 2 has an implicit deny action
Answer: A

The destination 10.0.1.5 is not matched by Policy 1 (which matches only .10). Policy 2 matches the destination but its schedule restricts it to business hours, so it is not valid at 8 PM Saturday. Thus, no policy matches and traffic is implicitly denied.

Why this answer

Policy 1 matches the destination 10.0.1.0/24, which includes 10.0.1.5, but the answer option incorrectly states it only matches 10.0.1.10. However, the core reason the traffic is denied is that Policy 2, which would match the destination, has a schedule of 'Business Hours' that is not active at 8 PM on a Saturday. Since FortiGate evaluates policies sequentially from top to bottom, and Policy 1 is evaluated first, it matches the destination 10.0.1.5 and has an action of accept, so traffic should be permitted.

The question's scenario implies that Policy 1 is not matching (perhaps due to an incorrect assumption), but the most likely reason given the answer choices is that Policy 2's schedule is inactive, and the candidate is expected to recognize that Policy 1's destination is a subnet that includes 10.0.1.5, so the correct answer is A based on the provided options.

Exam trap

The trap here is that candidates may assume Policy 1 only matches a specific host (10.0.1.10) rather than the entire subnet, or they may overlook that Policy 2's schedule being inactive causes it to be skipped, leading them to incorrectly attribute the denial to policy order or source mismatch.

How to eliminate wrong answers

Option B is wrong because both policies have source set to 'all', so the source address is included in both policies. Option C is wrong because even if Policy 1 is placed below Policy 2, Policy 2 would be evaluated first and would match the destination all, but its schedule is inactive, so traffic would be denied by the implicit deny at the end of the policy list, not because of policy order. Option D is wrong because Policy 2 has an action of accept, not deny; the implicit deny is a default behavior at the end of the policy list, not an action within Policy 2.

162 · MCQ · hard

A FortiGate with multiple VDOMs has a policy that allows traffic from VDOM A to VDOM B. The admin notices that traffic from VDOM A to a specific server in VDOM B is being dropped. The session log shows 'deny by forward policy check'. What is the MOST likely cause?

A. The inter-VDOM link is down
B. NAT is required for inter-VDOM traffic
C. The source VDOM has exceeded its session limit
D. The policy in VDOM B to allow traffic from VDOM A is missing or misconfigured
Answer: D

Forward policy check occurs in the destination VDOM.

Why this answer

Inter-VDOM links require policies in both VDOMs: one in VDOM A for outgoing traffic, and one in VDOM B for incoming traffic. The error 'deny by forward policy check' indicates that the policy in the destination VDOM (VDOM B) is missing or denying the traffic.

163 · MCQ · medium

A company has a web server in the DMZ that needs to be accessible from the internet on port 443 (HTTPS). The administrator configures a Virtual IP (VIP) mapping the public IP 203.0.113.10 to the private IP 10.0.1.10 port 443. Which firewall policy is required to allow inbound traffic?

A. A policy from WAN to DMZ with source any, destination IP of the server (10.0.1.10), and action ACCEPT
B. A policy from WAN to DMZ with source any, destination VIP, and action ACCEPT
C. No firewall policy is needed; the VIP automatically allows traffic
D. A policy from DMZ to WAN with source VIP, destination any, and action ACCEPT
Answer: B

This policy allows traffic destined to the VIP. The VIP translation occurs before policy lookup, so the policy must allow traffic to the VIP.

Why this answer

Option B is correct because when a Virtual IP (VIP) is configured in FortiGate, the firewall policy must reference the VIP object as the destination, not the actual private IP. The VIP translates the public IP (203.0.113.10) to the private IP (10.0.1.10), and the policy from WAN to DMZ with destination VIP ensures that inbound traffic is matched and permitted before NAT translation occurs. Without this policy, the VIP alone does not allow traffic; it only defines the translation rule.

Exam trap

The trap here is that candidates often assume a VIP automatically permits traffic or that the policy should use the private IP, but FortiGate requires an explicit firewall policy referencing the VIP object to allow inbound traffic through the NAT mapping.

How to eliminate wrong answers

Option A is wrong because the policy must use the VIP object as the destination, not the actual private IP (10.0.1.10); referencing the private IP bypasses the NAT translation and will not match the incoming traffic destined to the public IP. Option C is wrong because a VIP does not automatically allow traffic; it only defines the NAT mapping, and a corresponding firewall policy with action ACCEPT is mandatory to permit the traffic. Option D is wrong because the required policy must be from WAN to DMZ (inbound direction), not from DMZ to WAN; the DMZ-to-WAN policy would control outbound responses, not the initial inbound connection.

164 · MCQ · medium

A FortiGate administrator needs to create a firewall policy that allows traffic from the internal network (10.0.0.0/8) to a public web server (203.0.113.10) on port 443. The policy must also perform source NAT using the FortiGate's external IP (198.51.100.1). Which NAT configuration should be applied?

A. Create an IP pool with the external IP and reference it in the firewall policy
B. Enable NAT on the firewall policy without specifying an IP pool
C. Create a VIP for the web server and reference it in the firewall policy
D. Configure Central SNAT and a matching rule
Answer: B

Enabling NAT on the policy uses the egress interface IP (198.51.100.1) as the source IP.

Why this answer

When 'NAT' is enabled on a firewall policy, FortiGate performs source NAT using the egress interface IP by default. Option A correctly states this default behavior for outbound traffic.

165 · MCQ · easy

Which of the following best describes the policy lookup order on a FortiGate firewall?

A. Policies are evaluated in the order they appear in the policy list, from top to bottom
B. Policies are evaluated based on the number of hits, least-hit first
C. Policies are evaluated randomly to balance load
D. The policy with the highest priority number is evaluated first
Answer: A

FortiGate iterates through the policy list sequentially and applies the first matching policy.

Why this answer

FortiGate uses a top-down sequential match: the first policy that matches the traffic is executed, and subsequent policies are ignored.

166 · Multi-Select · easy

Which THREE of the following are valid address object types in FortiGate? (Choose three.)

Select 3 answers
A. Subnet
B. MAC address
C. Geography
D. FQDN
E. Wildcard
Answers: A, C, D

Standard address object.

Why this answer

A is correct because a Subnet address object in FortiGate defines a range of IP addresses using a network address and subnet mask (e.g., 192.168.1.0/24). This is one of the fundamental object types used in firewall policies to match traffic based on source or destination IP ranges.

Exam trap

The trap here is that candidates often confuse the 'Wildcard' address type with the wildcard subnet mask notation (e.g., 0.0.0.255) used within a Subnet object, leading them to incorrectly select Wildcard as a separate object type.

167 · MCQ · medium

A FortiGate admin runs 'diagnose sys session filter src 10.0.0.10' and gets no output. What does this indicate?

A. The session table is full
B. The source IP 10.0.0.10 is not currently active in any session table
C. The firewall policy is blocking traffic from 10.0.0.10
D. The diagnose command syntax is incorrect
Answer: B

No sessions match the filter; the source is either idle or the session expired.

Why this answer

The 'diagnose sys session filter' command in FortiGate is used to filter and display active session entries in the session table. When the command 'diagnose sys session filter src 10.0.0.10' returns no output, it means that no session in the session table matches the source IP address 10.0.0.10, indicating that this IP is not currently involved in any active session. This does not imply the session table is full, a policy block, or a syntax error.

Exam trap

The trap here is that candidates may assume no output means a syntax error or a full session table, but FortiGate clearly indicates syntax errors with an error message, and a full table still shows existing sessions; the correct interpretation is that the source IP has no active sessions.

How to eliminate wrong answers

Option A is wrong because a full session table would still show sessions that match the filter, or the command would return an error or warning about table capacity, not simply no output. Option C is wrong because a firewall policy blocking traffic would prevent sessions from being created, but the command only checks the session table; if no session exists, it returns no output regardless of the policy reason. Option D is wrong because the syntax 'diagnose sys session filter src 10.0.0.10' is correct; if the syntax were incorrect, FortiGate would return a syntax error message, not a blank output.

168 · MCQ · hard

A FortiGate has a central SNAT policy that translates internal users to a single IP pool address. The admin wants specific traffic (e.g., from a particular subnet) to use a different IP pool. What is the correct approach?

A. Create a new central SNAT policy with the specific subnet as source and place it above the existing policy
B. Create a policy-based NAT rule with the specific subnet and place it above the central SNAT policy
C. Use VIP to translate the source address
D. Modify the existing central SNAT policy to use a dynamic IP pool
Answer: A

Central SNAT policies are evaluated sequentially. A more specific source policy above will match first.

Why this answer

Central SNAT policies are evaluated in order; they can include source and destination criteria. To override the general policy, a more specific policy must be placed above it. Dynamic IP pools cannot be used in policy-based NAT for central SNAT.

169 · MCQ · medium

A company has a FortiGate with multiple VDOMs. An admin creates a firewall policy in the root VDOM to allow traffic from a subnet to the internet. The traffic is not matching the policy. What is the most likely cause?

A. The traffic is in a different VDOM than the policy
B. The internet-facing interface is not part of any VDOM
C. The subnet object is defined in the wrong address group
D. The policy is placed at the bottom of the list
Answer: A

Correct. Each VDOM has its own policy set. If the traffic is in VDOM2, policies in root VDOM do not apply.

Why this answer

Firewall policies are VDOM-specific. Traffic in a different VDOM will not match policies from another VDOM. The policy must be created in the VDOM where the traffic is being routed.

170 · MCQ · medium

You run 'diagnose sys session filter dport 443' and see the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?

A. The session is a TCP session that has been active for 3600 seconds and will expire in 3599 seconds
B. The session is a UDP session for DNS
C. The session is an ICMP echo request
D. The session is blocked by a firewall policy
Answer: A

Correct interpretation.

Why this answer

proto=6 indicates TCP, proto_state=01 is TCP SYN_SENT (or ESTABLISHED depending on FortiOS version, but typically 01 is ESTABLISHED), duration=3600 seconds, expire=3599 seconds remaining. The session is established and about to expire (TTL almost up).

171 · MCQ · easy

Which of the following statements about firewall policy ordering in FortiGate is correct?

A. Policies are evaluated from bottom to top
B. The most specific policy always takes precedence regardless of order
C. Policies are evaluated from top to bottom, and the first match is applied
D. The implicit permit rule at the end allows all traffic not explicitly denied
Answer: C

This is the correct behavior of FortiGate's policy engine.

Why this answer

FortiGate firewall policies are evaluated sequentially from top to bottom in the policy list. The first policy that matches the source, destination, service, and other criteria is applied, and no further policies are evaluated. This is the fundamental 'first-match' behavior that governs traffic processing in FortiGate.

Exam trap

The trap here is that candidates often confuse FortiGate's top-down first-match logic with other firewall platforms that use bottom-up evaluation or automatic specificity-based precedence, leading them to select option A or B.

How to eliminate wrong answers

Option A is wrong because FortiGate evaluates policies from top to bottom, not bottom to top; bottom-to-top evaluation is a common misconception from other firewall platforms. Option B is wrong because FortiGate does not automatically prioritize the most specific policy; order in the policy list determines precedence, and a more specific policy placed lower will never be reached if a less specific policy above matches first. Option D is wrong because the implicit deny rule at the end of the policy list silently drops all traffic that does not match any explicit policy; there is no implicit permit rule in FortiGate.

172 · MCQ · easy

Which type of address object allows a FortiGate to perform DNS resolution to match traffic based on a domain name?

A. Wildcard FQDN
B. Subnet
C. FQDN
D. Geography
Answer: C

FQDN address objects resolve domain names to IPs via DNS.

Why this answer

Option C is correct because an FQDN (Fully Qualified Domain Name) address object in FortiGate allows the firewall to perform DNS resolution to match traffic based on a domain name. When a policy uses an FQDN object, FortiGate resolves the domain name to IP addresses via DNS and updates the policy dynamically as the DNS record changes, enabling traffic matching by domain rather than static IP.

Exam trap

The trap here is that candidates often confuse FQDN with Wildcard FQDN, thinking the wildcard variant is the only one that performs DNS resolution, but both use DNS; the question specifically asks for the type that 'allows' DNS resolution, and the standard FQDN is the foundational object for this purpose.

How to eliminate wrong answers

Option A is wrong because a Wildcard FQDN (e.g., *.example.com) matches any subdomain of a given domain but still relies on DNS resolution for IP mapping; however, the question asks for the type that 'allows a FortiGate to perform DNS resolution to match traffic based on a domain name,' and the standard FQDN object is the direct answer, while Wildcard FQDN is a variant used for broader domain matching. Option B is wrong because a Subnet object defines a range of IP addresses (e.g., 192.168.1.0/24) and does not involve DNS resolution or domain name matching at all. Option D is wrong because a Geography object matches traffic based on geographical location (country or region) using IP geolocation databases, not domain names or DNS resolution.

173 · Multi-Select · hard

An admin needs to configure a FortiGate to allow multiple internal servers to be accessible from the internet using the same public IP but different ports. For example, internal server A (192.168.1.10:80) should be reachable via 203.0.113.10:8080, and internal server B (192.168.1.20:443) via 203.0.113.10:8443. Which TWO configuration steps are required?

Select 2 answers
A. Create two separate VIPs, one for each server, and add them to a VIP group
B. Disable NAT on the policy to preserve the source IP
C. Configure a firewall policy with destination set to the VIP group and action set to allow
D. Configure Central SNAT to translate the source IP
E. Create a single VIP with port forwarding that maps multiple ports
Answers: A, C

VIP groups allow combining multiple VIPs under one destination object.

Why this answer

Option A is correct because each internal server requires a unique Virtual IP (VIP) to map a specific external port to a specific internal IP and port. Adding these VIPs to a VIP group allows a single firewall policy to reference all of them, enabling the FortiGate to differentiate traffic based on the destination port and forward it to the correct internal server.

Exam trap

The trap here is that candidates often think a single VIP with multiple port mappings can handle different internal servers, but FortiGate VIPs are one-to-one mappings; a VIP group is required to aggregate multiple VIPs under one policy.

174 · MCQ · easy

Which of the following is a valid address object type in FortiGate that can be used to match traffic based on the domain name of the destination?

A. Wildcard FQDN
B. Subnet
C. FQDN
D. Geography
Answer: C

FQDN address objects match traffic to a specific domain name, resolving to IP.

Why this answer

FQDN address objects allow matching traffic based on fully qualified domain names, which are resolved to IP addresses dynamically.

175 · MCQ · medium

An administrator wants to ensure that traffic from the engineering department (subnet 192.168.10.0/24) to the internet uses a specific public IP address for source NAT. Additionally, traffic from the marketing department (192.168.20.0/24) should use a different public IP. Which method should be used?

A. Configure a single Central SNAT rule with multiple source subnets and a single IP pool
B. Create two firewall policies, each with its own IP pool, for the respective subnets
C. Use VIP for source NAT
D. Use a single policy with a dynamic IP pool that randomly assigns IPs
Answer: B

This allows granular control over which IP is used for each subnet.

Why this answer

Option B is correct because the requirement is to map specific source subnets to different public IP addresses. In FortiGate, this is achieved by creating separate firewall policies for each subnet, each with its own IP pool configured for source NAT. A single Central SNAT rule with one IP pool cannot differentiate between subnets to assign different public IPs.

Exam trap

The trap here is that candidates often confuse IP pools (used for source NAT) with Virtual IPs (used for destination NAT), leading them to incorrectly select VIP for source NAT.

How to eliminate wrong answers

Option A is wrong because a single Central SNAT rule with one IP pool would apply the same public IP to all traffic matching the rule, regardless of source subnet, failing to meet the requirement for different public IPs per department. Option C is wrong because Virtual IP (VIP) is used for destination NAT (port forwarding), not source NAT; it translates incoming traffic's destination, not outgoing traffic's source. Option D is wrong because a dynamic IP pool randomly assigns IPs from a range, which does not guarantee that traffic from engineering always uses one specific public IP and marketing uses another; it would mix them.

176 · Multi-Select · medium

A FortiGate admin is troubleshooting an issue where traffic from a specific internal host (10.0.1.50) to the internet is not being NATed as expected. The firewall policy has NAT enabled with an IP pool of type Overload. Which TWO conditions could cause the traffic to bypass the IP pool?

Select 2 answers
A. The firewall policy's NAT setting is set to 'disable'
B. The IP pool is configured for one-to-one NAT
C. The internal host is using a non-standard source port
D. A policy with a lower policy ID matches the traffic and has NAT enabled with a different IP pool or no pool
E. The IP pool is configured with a source filter that does not include 10.0.1.50
Answers: D, E

Policy matching stops at the first match; if a higher-priority policy matches, the intended policy is not evaluated.

Why this answer

Traffic may bypass the IP pool if a higher-priority policy matches first (policy ordering) or if the IP pool is incorrectly configured (e.g., the pool's source filter does not include the internal host).

177
MCQ · easy

A FortiGate admin wants to ensure that traffic destined to a specific web server is inspected by an IPS profile. Which configuration is necessary?

A. Enable IPS on the firewall policy directly
B. Set the policy's action to 'IPS'
C. Create a security profile group containing the IPS profile and apply it to the policy
D. Configure a VIP for the web server
Answer: C

Security profiles are applied to policies via security policy groups.

Why this answer

Option C is correct because in FortiGate, IPS inspection is applied via a security profile group that includes the IPS profile, which is then attached to a firewall policy. The firewall policy itself does not have a direct 'enable IPS' toggle; instead, IPS profiles are part of the security profiles that must be explicitly assigned to the policy to inspect traffic.

Exam trap

The trap here is that candidates may think IPS can be enabled directly on the policy or that a special policy action exists for IPS, but FortiGate requires IPS to be applied as a security profile, not as a policy attribute.

How to eliminate wrong answers

Option A is wrong because FortiGate does not allow enabling IPS directly on the firewall policy; IPS is a security profile that must be applied through a security profile group or individually. Option B is wrong because setting the policy's action to 'IPS' is not a valid configuration; the policy action is either 'ACCEPT' or 'DENY', and IPS inspection is configured separately via security profiles. Option D is wrong because configuring a Virtual IP (VIP) is used for destination NAT and port forwarding, not for applying IPS inspection to traffic.

178
MCQ · hard

During a security audit, the administrator runs the command 'diagnose firewall policy list' and sees the following output:

policy id=1: allow from port1 to port2, src=10.0.0.0/8, dst=any, action=accept
policy id=2: deny from port1 to port2, src=10.0.0.0/8, dst=172.16.0.0/12, action=deny
policy id=3: allow from port1 to port2, src=any, dst=any, action=accept

A host with IP 10.0.1.5 sends traffic to 172.16.0.1. Which policy will match?

A. Policy 3
B. Policy 1
C. Implicit deny
D. Policy 2
Answer: B

The traffic matches policy 1 because the source is within 10.0.0.0/8 and destination is any. Policy 2 is more specific but comes after policy 1, and FortiGate uses first-match.

Why this answer

Policy 1 matches because the source IP 10.0.1.5 falls within the 10.0.0.0/8 range and its destination is any. Policy 2's destination of 172.16.0.0/12 does include 172.16.0.1, but policy 1 has the lower ID and is evaluated first; since it matches both source and destination with action accept, the traffic is permitted by policy 1 before policy 2 is ever consulted. In FortiGate, policies are evaluated sequentially by ID, and the first match is applied.

Exam trap

The trap here is that candidates assume a deny rule with a more specific destination will override a broader allow rule, forgetting that FortiGate uses first-match logic based on policy ID order, not longest-prefix matching or specificity.

How to eliminate wrong answers

Option A is wrong because policy 3 is an 'allow any/any' catch-all, but it is evaluated after policy 1 and policy 2; since policy 1 matches first, policy 3 is never reached. Option C is wrong because the implicit deny only applies if no explicit policy matches; here policy 1 matches, so the traffic is accepted before any implicit deny is considered. Option D is wrong because policy 2's destination is 172.16.0.0/12, which includes 172.16.0.1, but policy 1 has a lower ID and matches first, so policy 2 is not evaluated for this traffic.

179
MCQ · medium

A company wants to allow FTP (TCP ports 20-21) from their internal network (192.168.1.0/24) to a specific external server (203.0.113.50). They also need to inspect FTP traffic for viruses. What should the admin configure?

A. Create a policy from internal to external with service FTP and enable antivirus
B. Configure an explicit proxy policy for FTP and apply antivirus
C. Enable NAT on the policy and use a custom service for FTP
D. Use a policy with service ALL and rely on the antivirus profile
Answer: A

A standard policy with FTP service and antivirus profile will inspect FTP traffic.

Why this answer

FTP inspection requires an explicit proxy policy for FTP or enabling FTP inspection in the security profile. The simplest is to create a policy allowing FTP and apply an antivirus profile.

180
MCQ · medium

An admin creates a firewall policy allowing HTTP traffic from internal users to the internet. Users complain that they cannot access HTTPS websites. The admin checks and sees that the policy only has HTTP service. What is the BEST course of action to allow HTTPS while maintaining security?

A. Create a new policy above the existing one with HTTPS service
B. Add the HTTPS service to the existing policy
C. Use a security policy that automatically adds HTTPS
D. Change the HTTP service to ALL services
Answer: B

This allows HTTPS alongside HTTP without replacing the HTTP rule or broadening it to all services, maintaining least privilege.

Why this answer

The simplest and most secure approach is to add the HTTPS service to the existing policy, as it is a common web protocol.

181
Multi-Select · medium

An administrator wants to configure traffic shaping to limit bandwidth for YouTube video streaming. Which THREE objects or settings must be configured on the FortiGate to apply traffic shaping?

Select 3 answers
A. Traffic shaper (e.g., shared or per-IP shaper)
B. Application control profile to identify YouTube traffic
C. A DNS filter to block YouTube
D. A firewall policy that applies the traffic shaper and the application control profile
E. A static route for YouTube's IP range
Answers: A, B, D

The traffic shaper defines the bandwidth limits.

Why this answer

To apply traffic shaping, you need a traffic shaper (defining bandwidth limits), an application control profile to identify YouTube traffic, and a firewall policy that applies both the shaper and the profile.

182
MCQ · hard

A FortiGate is configured with multiple policies. The first policy allows traffic from 10.0.0.0/8 to any destination. The second policy denies traffic from 10.0.1.0/24 to any destination. What happens when a packet from 10.0.1.5 to 8.8.8.8 arrives?

A. The packet is denied by implicit deny
B. The packet is allowed by the first policy
C. The packet matches both policies and is allowed
D. The packet is denied by the second policy
Answer: B

The source 10.0.1.5 is within 10.0.0.0/8, so the first policy matches and allows the traffic.

Why this answer

FortiGate firewall policies are evaluated in sequential order from top to bottom. The first policy matches source 10.0.0.0/8, which includes 10.0.1.5, and allows the traffic to any destination. Since the packet matches this policy first, it is accepted and the second policy is never evaluated.

Therefore, the packet is allowed by the first policy.

Exam trap

The trap here is that candidates often assume FortiGate uses a longest-prefix match or that a more specific deny policy will override a broader allow policy, but FortiGate strictly follows first-match order, not prefix length.

How to eliminate wrong answers

Option A is wrong because the packet matches an explicit allow policy (the first policy) before any implicit deny rule can apply; implicit deny only triggers when no explicit policy matches. Option C is wrong because FortiGate uses first-match logic, not a longest-prefix or combined-match approach; once a packet matches the first policy, subsequent policies are not checked. Option D is wrong because the second policy is never reached; the packet is evaluated against the first policy, which matches and allows it, so the deny policy is ignored.

183
MCQ · medium

A FortiGate has multiple WAN interfaces (port1, port2) connected to different ISPs. The administrator wants traffic from the internal network to use port1 for general internet access but use port2 for traffic to a specific cloud service (203.0.113.0/24). Which feature should be used to achieve this?

A. Create a VIP for the cloud service
B. Configure static routes with different distances
C. Use SD-WAN rules to load balance
D. Use policy-based routing (PBR) to route traffic based on destination
Answer: D

PBR can match specific traffic and route it out a specific interface.

Why this answer

Policy-based routing (PBR) allows you to override the default routing table based on criteria such as source/destination IP, protocol, or port. In this scenario, PBR can match traffic destined to 203.0.113.0/24 and force it out through port2, while all other internet traffic follows the default route via port1. This provides granular control without affecting the general routing behavior.

Exam trap

The trap here is that candidates often confuse SD-WAN load balancing with policy-based routing, assuming that SD-WAN rules can enforce a strict 'always use this interface for this destination' policy, when in fact SD-WAN is primarily for dynamic load balancing and failover, not for static, deterministic path selection based solely on destination.

How to eliminate wrong answers

Option A is wrong because a Virtual IP (VIP) is used for destination NAT (port forwarding) to map a public IP to an internal server, not to control outbound path selection. Option B is wrong because static routes with different distances influence the routing table based on administrative distance, but they cannot selectively route traffic based on destination subnet when both interfaces have a default route; they would simply prefer one default route over the other for all traffic. Option C is wrong because SD-WAN rules load-balance or failover traffic across multiple links based on performance metrics or volume, but they do not provide the deterministic, policy-based path selection required to send specific traffic to a specific interface while using another for general internet access.

184
Multi-Select · medium

A FortiGate admin needs to block all traffic from the 'Guest' VLAN (192.168.100.0/24) to the internal network (10.0.0.0/8) except for DNS traffic (UDP 53) to the internal DNS server at 10.0.0.10. Which TWO firewall policy configuration elements are required to achieve this? (Choose two.)

Select 2 answers
A. An address group for the internal DNS server
B. A firewall policy with source 'Guest' VLAN, destination 'Internal network', service 'ALL', action 'deny'
C. A firewall policy with source 'Guest' VLAN, destination 'Internal DNS server', service 'DNS', action 'accept'
D. A traffic shaper to limit DNS traffic
E. A schedule object to apply the policies only during business hours
Answers: B, C

This policy will block all other traffic from Guest to internal.

Why this answer

Option B is correct because a deny policy with source 'Guest' VLAN (192.168.100.0/24), destination 'Internal network' (10.0.0.0/8), and service 'ALL' will block all traffic from the Guest VLAN to the internal network. Option C is correct because an explicit accept policy for DNS (UDP 53) to the internal DNS server (10.0.0.10) must be placed before the deny policy, as FortiGate firewall policies are evaluated in order from top to bottom, and the first matching policy determines the action.

Exam trap

The trap here is that candidates often think an address group (Option A) is necessary for the DNS server, but a single address object works just as well, and the real key is the policy ordering between the explicit accept and the explicit deny.

185
Multi-Select · medium

A network admin needs to configure a FortiGate to allow remote VPN users (IPsec VPN) to access a web server in the DMZ. The VPN users are assigned IPs from 10.10.10.0/24. The web server is at 192.168.2.10:80. Which TWO objects must be created to define the traffic for the firewall policy? (Choose two.)

Select 2 answers
A. A service object for HTTP (TCP/80)
B. An address object for the web server 192.168.2.10
C. An address object for the VPN user subnet 10.10.10.0/24
D. A user group object for VPN authentication
E. A schedule object for business hours
Answers: B, C

The web server address object defines the destination; the VPN subnet address object defines the source.

Why this answer

The firewall policy needs to identify the source (VPN users) and destination (web server). Address objects for the VPN subnet and the web server IP are required.

186
MCQ · hard

A FortiGate has a firewall policy with NAT enabled using an IP pool of type 'Fixed Port Range'. The pool range is 203.0.113.10-203.0.113.20 with port range 10000-20000. A user initiates a connection to an external server. Which of the following describes how the FortiGate will assign the source address and port?

A. The FortiGate uses the pool IPs in round-robin and assigns the same port number as the original source port
B. The FortiGate assigns a fixed IP and port mapping based on the original source IP and port, so the same internal host always gets the same public IP and port range
C. The FortiGate randomly selects an IP from the pool and a random port from 10000-20000 for each session
D. The FortiGate uses the first available IP in the pool and assigns a port sequentially from 10000 upward
Answer: B

Fixed Port Range maps the internal IP/port to a consistent public IP and port range, ensuring that the same internal host uses the same public IP (if possible) and port range.

Why this answer

Fixed Port Range NAT (also known as NAT with fixed port range) creates a deterministic mapping between an internal host's source IP and port and a specific public IP and port range from the pool. This ensures that the same internal host always receives the same public IP and a dedicated port range (10000-20000 in this case), which is essential for protocols that require consistent source addressing, such as SIP or H.323. The FortiGate does not round-robin, randomly assign, or sequentially assign ports; it uses a hash of the original source IP to select the fixed public IP and port range.

Exam trap

The trap here is that candidates often confuse 'Fixed Port Range' with 'Port Block Allocation' or assume it behaves like standard dynamic PAT (Port Address Translation), where each session gets a random or sequential port, but Fixed Port Range is specifically designed for deterministic mapping per internal host.

How to eliminate wrong answers

Option A is wrong because Fixed Port Range NAT does not use round-robin IP assignment; it uses a deterministic mapping based on the original source IP, and it does not preserve the original source port number. Option C is wrong because the IP and port assignment is not random; it is fixed per internal host to maintain session consistency for protocols like SIP. Option D is wrong because the FortiGate does not use the first available IP or assign ports sequentially; it uses a hash-based algorithm to allocate a specific public IP and a dedicated port range for each internal host.

187
Drag & Drop · medium

Drag and drop the steps to create a firewall policy allowing HTTP traffic from internal to DMZ into the correct order.

Why this order

Firewall policies require defining interfaces, source/destination addresses, and services before enabling.

188
MCQ · easy

Which statement best describes the implicit deny policy at the end of a FortiGate policy list?

A. It denies all traffic that does not match any explicit policy, and it logs the denied traffic
B. It can be moved to a different position in the policy list
C. It can be disabled or deleted by the admin
D. It is always present and denies any traffic that does not match an explicit allow policy
Answer: D

Correct. The implicit deny is always at the end of the policy list and blocks all traffic that does not match a preceding explicit policy.

Why this answer

The implicit deny policy is a built-in rule that denies all traffic not matching any explicit policy. It cannot be moved, modified, or deleted, and traffic that hits it is not logged by default.

The correct answer is that it denies all unmatched traffic.

189
Multi-Select · medium

A FortiGate admin is troubleshooting a policy that should allow VoIP traffic. The admin suspects that the SIP ALG is interfering. Which TWO actions should the admin take to verify or resolve the issue?

Select 2 answers
A. Disable the SIP ALG on the firewall policy
B. Enable 'set sip-nat-trace' on the policy
C. Enable 'set ssl-ssh-profile' on the policy
D. Increase the session TTL for SIP
E. Create a service object for SIP and set 'alg-mode' to 'disable'
Answers: A, E

Disabling the ALG for the policy prevents ALG from modifying packets.

Why this answer

Option A is correct because disabling the SIP ALG on the firewall policy stops the FortiGate from inspecting and modifying SIP traffic at the application layer. This is a common troubleshooting step when the SIP ALG interferes with VoIP traffic, as it can alter SIP headers or signaling in ways that break compatibility with certain VoIP providers or endpoints.

Exam trap

The trap here is that candidates may confuse 'sip-nat-trace' (a diagnostic tool) with a fix for ALG interference, or think increasing session TTL addresses the problem, when the real solution is to disable the ALG's application-layer processing.

190
MCQ · easy

A FortiGate administrator needs to ensure that all internal users (10.0.0.0/8) accessing the internet use a single public IP address 203.0.113.10 for source NAT. Which NAT configuration should be used?

A. Create a Central SNAT rule with a Dynamic IP Pool using overload
B. Enable NAT on the outgoing interface policy without an IP pool
C. Create a policy-based NAT rule with fixed port range
D. Configure a VIP with port forwarding
Answer: A

Overload allows many internal users to share one public IP via port address translation.

Why this answer

Option A is correct because Central SNAT with a Dynamic IP Pool using overload (Port Address Translation) allows all internal users in 10.0.0.0/8 to share a single public IP (203.0.113.10) by dynamically mapping multiple private source IPs and ports to unique source ports on the public IP. This is the standard method for many-to-one NAT, ensuring all outbound internet traffic appears from the same public address.

Exam trap

The trap here is that candidates often confuse enabling NAT on the interface policy (Option B) with using a specific IP pool, not realizing that interface NAT uses the interface's own IP and cannot force a different public address without an explicit IP pool.

How to eliminate wrong answers

Option B is wrong because enabling NAT on the outgoing interface policy without an IP pool uses the interface's own IP address (typically the WAN IP) for source NAT, not a specific public IP like 203.0.113.10, and may not guarantee a single IP if the interface has multiple addresses. Option C is wrong because a policy-based NAT rule with fixed port range would restrict the number of concurrent sessions to the size of the port range, causing connection failures under load, and is not designed for many-to-one overload NAT. Option D is wrong because a VIP with port forwarding is used for inbound destination NAT (port mapping to internal servers), not for outbound source NAT from internal users to the internet.

191
MCQ · medium

A network administrator configures a firewall policy allowing HTTP traffic from the internal network (10.0.0.0/8) to the internet. After applying the policy, users report they can browse the web, but the FortiGate logs show that all sessions are using the 'implicit deny' policy ID 0. What is the most likely cause?

A. The source interface on the policy is set to the WAN interface instead of the internal interface
B. Central NAT is enabled and overriding the policy-based NAT
C. The policy has a schedule applied that is currently inactive
D. The policy is placed after the implicit deny rule
Answer: A

If the source interface is wrong, the traffic will not match this policy. The administrator may have a different policy (or the implicit allow) allowing the traffic, but the logs show the implicit deny is being hit because the correct policy is not matched.

Why this answer

Option A is correct because if the source interface on the firewall policy is set to the WAN interface instead of the internal interface, traffic arriving from the internal network (10.0.0.0/8) on the internal interface will not match that policy. The FortiGate then falls through to the implicit deny policy (ID 0), which logs and drops the session. Since HTTP traffic is still reaching the internet, it suggests that another mechanism (such as a default route or NAT) is allowing the traffic, but the policy matching fails due to the interface mismatch.

Exam trap

The trap here is that candidates assume a policy with correct source/destination addresses will match regardless of the interface setting, but FortiOS strictly enforces interface matching, and a mismatch causes the policy to be ignored, leading to the implicit deny being hit.

How to eliminate wrong answers

Option B is wrong because Central NAT (centralized NAT policies) does not cause the implicit deny policy to be used; it only affects how NAT is applied, not the firewall policy matching itself. Option C is wrong because an inactive schedule would cause the policy to not match, but the logs would show the policy ID of the scheduled policy (not ID 0) if it were present, and the traffic would still be denied by the implicit deny; however, the question states users can browse the web, which would not happen if the only applicable policy had an inactive schedule. Option D is wrong because the implicit deny rule is always the last rule in the policy list; a policy placed after it is impossible in FortiOS, as the implicit deny is a built-in rule that cannot be reordered.

192
MCQ · easy

A FortiGate administrator needs to allow all internal users (10.0.0.0/8) to access a web server in the DMZ (192.168.1.100) using HTTPS. The administrator wants to apply a web filter profile to block malicious URLs while allowing legitimate traffic. Which of the following is the correct policy configuration?

A. Policy: source=internal, destination=DMZ, service=ALL, action=ACCEPT, web filter profile=default
B. Policy: source=internal, destination=DMZ, service=HTTP, action=ACCEPT, web filter profile=default
C. Policy: source=internal, destination=DMZ, service=HTTPS, action=ACCEPT, web filter profile=default
D. Policy: source=internal, destination=DMZ, service=HTTPS, action=DENY, web filter profile=default
Answer: C

This correctly allows HTTPS traffic and applies web filtering.

Why this answer

To allow HTTPS traffic from internal to DMZ with web filtering, the policy must have source=internal_network, destination=DMZ_server, service=HTTPS, action=ACCEPT, and the web filter profile applied. The other options either block the traffic, use the wrong service, or misapply the profile.

193
MCQ · hard

A FortiGate with multiple WAN interfaces uses policy-based routing (PBR) to route traffic from a specific subnet out of a particular interface. The admin also has a firewall policy allowing that subnet to the internet. However, the traffic is not being routed as expected. What could be the issue?

A. The firewall policy is placed above the PBR rule
B. The PBR rule does not have a matching protocol or service defined
C. The PBR rule uses an incorrect source or destination address
D. The FortiGate is in transparent mode
Answer: C

If the PBR rule does not match the traffic (e.g., wrong subnet), traffic follows the routing table instead.

Why this answer

Policy-based routing is evaluated after the routing table lookup but before firewall policy matching. If the PBR rule is incorrectly configured (e.g., wrong source/destination), traffic may take a different path. Another common issue is that PBR might conflict with the default route.

The question asks for the most likely issue: in practice, it is usually that the PBR rule is simply not matching the traffic.

194
Multi-Select · hard

An admin needs to configure NAT for internal users accessing the internet. The requirements are:

1) All internal users must be translated to a single public IP.
2) The translation should use port address translation (PAT).
3) The configuration must allow tracking of which internal user initiated a connection.

Which THREE settings must be configured? (Choose three.)

Select 3 answers
A. Set the policy's NAT to use the egress interface IP
B. Configure a central SNAT policy with the same pool
C. Enable NAT on the firewall policy and select the IP pool
D. Enable logging on the firewall policy to record user activity
E. Create an IP pool with the public IP address and set type to Overload
Answers: C, D, E

The policy must use NAT and reference the IP pool for translation.

Why this answer

To translate to a single public IP with PAT, the admin should use an IP pool configured as overload (PAT). Additionally, to track users, the policy must have logging enabled for user activity, and optionally, identity-based policy or authentication can be used. The pool itself does not track users; logging does.

195
MCQ · hard

A FortiGate admin configures a firewall policy to allow outbound HTTP traffic and applies a web filter profile. The admin notices that some users can access a known malicious URL while others are blocked. All users are in the same source subnet (10.0.1.0/24). What is the MOST likely cause of this inconsistent behavior?

A. The FortiGate is using a proxy server that caches different results for different users
B. The web filter profile is configured to 'allow' but the FortiGuard rating is inconsistent
C. The firewall policy has an FQDN destination that resolves to different IPs for different users due to DNS load balancing
D. Some users have a different web filter profile applied due to a policy ordering issue where a higher-priority policy matches their traffic
Answer: D

If a policy with a lower policy ID does not have the web filter profile, traffic matching that policy will bypass the intended filtering.

Why this answer

Option D is correct because when multiple firewall policies match traffic from the same source subnet, FortiGate uses the first matching policy in order (lowest policy ID). If a higher-priority policy with a different web filter profile matches some users' traffic (e.g., based on source port or application), those users will have different filtering behavior. This is a classic policy ordering issue where the intended web filter profile is not applied consistently to all users in the same subnet.

Exam trap

The trap here is that candidates assume all traffic from the same subnet is treated identically, overlooking that FortiGate policy matching is first-match and can differentiate based on other attributes like source port or user identity, leading to inconsistent profile application.

How to eliminate wrong answers

Option A is wrong because FortiGate does not use an external proxy server for web filtering by default; it uses local proxy-based inspection or flow-based inspection, and caching is not a factor in inconsistent web filter results. Option B is wrong because FortiGuard ratings are consistent per URL and do not vary per user; if the rating is inconsistent, it would affect all users equally, not selectively. Option C is wrong because FQDN resolution in firewall policies is performed by the FortiGate itself, not per user; DNS load balancing would return different IPs to the FortiGate, but the FortiGate resolves the FQDN once and uses that single IP for policy matching, so it cannot cause per-user differences.

196
MCQ · medium

An administrator configures a firewall policy with source address 'internal_net' (10.0.0.0/16) and destination address 'server_farm' (10.10.10.0/24). The action is set to ACCEPT with NAT enabled. However, traffic from 10.0.1.100 to 10.10.10.50 is being denied. What is the most likely cause?

A. The destination address 'server_farm' does not include 10.10.10.50
B. There is a deny policy above this policy that matches the traffic
C. The NAT translation is causing the traffic to be dropped
D. The source address 'internal_net' does not include 10.0.1.100
Answer: B

A higher priority deny policy would block traffic before reaching this allow policy.

Why this answer

Policy order must be checked; another policy higher in the list with a DENY action might match before this policy. Also, the source/destination must match exactly.

197
MCQ · easy

Which of the following statements about FortiGate policy lookup order is correct?

A. Policies are evaluated from top to bottom, and the first matching policy is used
B. Policies are evaluated based on a priority number assigned to each policy
C. Policies are evaluated from bottom to top, and the last matching policy is used
D. Policies are evaluated randomly to balance load
Answer: A

FortiGate processes policies sequentially from the top of the list. Once a match is found, that policy is applied.

Why this answer

FortiGate uses a top-down sequential search for policy matching. When a packet arrives, the firewall starts at the top of the policy list and evaluates each policy in order until it finds one where all configured criteria (source, destination, service, schedule, etc.) match. The first matching policy is then applied, and no further policies are checked.

This is the fundamental behavior of FortiGate's firewall policy lookup.

Exam trap

The trap here is that candidates often confuse FortiGate's sequential top-down evaluation with other firewall platforms (like Cisco ASA) that use a priority-based or implicit-rule model, leading them to incorrectly select Option B or C.

How to eliminate wrong answers

Option B is wrong because FortiGate does not assign a numeric priority to each policy; the order in the policy list (sequence number) determines the evaluation order, not a separate priority field. Option C is wrong because FortiGate evaluates policies from top to bottom, not bottom to top; the last matching policy would never be used unless it is the first match from the top. Option D is wrong because FortiGate does not use random selection for policy matching; it strictly follows the sequential top-down order to ensure deterministic and predictable traffic handling.

198
MCQ · medium

A FortiGate administrator needs to ensure that traffic from the LAN (192.168.1.0/24) to the DMZ (10.0.0.0/24) uses a specific outbound interface (port3) instead of the default route. Which feature should be configured to achieve this?

A. Static route with a higher distance
B. Virtual IP (VIP) with port forwarding
C. Policy-based routing (PBR) in the firewall policy
D. SD-WAN rule to force traffic to port3
Answer: C

Why this answer

Policy-based routing (PBR) allows the FortiGate to override the routing table for specific traffic based on criteria defined in a firewall policy, such as source and destination addresses. By configuring a PBR rule that matches traffic from 192.168.1.0/24 to 10.0.0.0/24 and setting the outbound interface to port3, the administrator can force this traffic to use port3 instead of the default route. This is the correct feature for interface-based path selection that is not based on destination prefix alone.

Exam trap

The trap here is that candidates often confuse policy-based routing (PBR) with static routes or SD-WAN, assuming that a static route with a higher administrative distance can override the default route for specific source-destination pairs, but static routes are destination-based and cannot match on source IP or other L4 criteria without PBR.

How to eliminate wrong answers

Option A is wrong because a static route with a higher distance would be less preferred than the default route (which typically has a lower distance), so it would not override the default route for the specified traffic. Option B is wrong because a Virtual IP (VIP) with port forwarding is used for destination NAT (port forwarding) to translate public IP addresses to private ones, not to influence routing decisions or outbound interface selection. Option D is wrong because an SD-WAN rule can steer traffic to a specific interface, but SD-WAN requires the interfaces to be members of an SD-WAN zone and is designed for WAN link load balancing, not for simple interface override in a LAN-to-DMZ scenario without SD-WAN being enabled.

199
MCQhard

A FortiGate is configured with multiple VDOMs. The administrator creates a firewall policy in VDOM A that allows traffic from VDOM A to VDOM B using inter-VDOM links. Users in VDOM A can initiate traffic, but return traffic from VDOM B is not reaching them. What is the MOST likely cause?

A.The inter-VDOM link is down
B.The session helper is not configured for the application
C.The reverse path forwarding (RPF) check is blocking return traffic
D.A firewall policy is missing in VDOM B to allow return traffic
AnswerD

Each VDOM is an independent firewall with its own policy table. Traffic crossing an inter-VDOM link must be accepted by a policy in VDOM A (from the LAN to the link) and by a policy in VDOM B (from the link to the destination). Without the VDOM B policy, VDOM B drops the packets arriving on its end of the link, so no session exists there and no return traffic can come back.

Why this answer

In a multi-VDOM FortiGate, an inter-VDOM link is a pair of virtual interfaces, one in each VDOM, and every VDOM enforces its own policies on packets entering it. The policy in VDOM A only gets the traffic onto the link; VDOM B then treats the packets as new inbound traffic on its link interface and needs a matching accept policy of its own. If that policy is missing, VDOM B's implicit deny drops the packets, the session is never established on the VDOM B side, and from the user's point of view nothing returns. Both VDOMs also need routes across the link so that each knows how to reach the other side's subnet.

Exam trap

The trap here is that candidates assume a single policy on the initiating VDOM is sufficient for bidirectional traffic, forgetting that inter-VDOM links require explicit policies in both VDOMs to allow return traffic.

How to eliminate wrong answers

Option A is wrong because if the inter-VDOM link were down, neither direction would pass; VDOM A could not even place traffic on the link. Option B is wrong because session helpers handle application-layer protocols with dynamic ports (FTP, SIP and similar); basic TCP/UDP return traffic is tracked by the session table and needs no helper, so a missing helper would not explain a complete lack of return packets. Option C is wrong because a reverse path forwarding check compares a packet's source address with the routing table of the VDOM receiving it and drops the forward packet at ingress when no route back to that source exists; it is a routing problem fixed by adding a route across the link, whereas the missing piece here is the VDOM B firewall policy.
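An added example of the full two-VDOM configuration the answer describes; it is not part of the question set. VDOM names vdA and vdB, the link name vlink (FortiOS creates the member interfaces vlink0 and vlink1), the interface names port2 (LAN, in vdA) and port3 (DMZ, in vdB), the link addressing 10.255.0.0/30 and the subnets 10.1.0.0/24 (vdA side) and 10.2.0.0/24 (vdB side) are all constructed for this example. Lines starting with # are annotation.

```fortios
# Global context: create the link and give each end an address in its VDOM.
config global
    config system vdom-link
        edit "vlink"
        next
    end
    config system interface
        edit "vlink0"
            set vdom "vdA"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "vlink1"
            set vdom "vdB"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

config vdom
    edit vdA
        # Route to the vdB subnet over the link.
        config router static
            edit 1
                set dst 10.2.0.0 255.255.255.0
                set gateway 10.255.0.2
                set device "vlink0"
            next
        end
        # Forward policy in the initiating VDOM: LAN onto the link.
        config firewall policy
            edit 1
                set name "LAN-to-vdB"
                set srcintf "port2"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
    edit vdB
        # Return route to the vdA subnet, so replies can be routed back (and
        # so RPF on vlink1 accepts packets sourced from 10.1.0.0/24).
        config router static
            edit 1
                set dst 10.1.0.0 255.255.255.0
                set gateway 10.255.0.1
                set device "vlink1"
            next
        end
        # The policy the question is missing. Without it vdB drops the packets
        # arriving on vlink1, no session is created in vdB, and nothing returns.
        config firewall policy
            edit 1
                set name "from-vdA-to-DMZ"
                set srcintf "vlink1"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
end
```

The "all" source and destination objects keep the example short; in production scope both policies to the real subnets, and only open the vdB policy in the direction the design needs. A session that is accepted in vdA but absent from `diagnose sys session list` run inside vdB is the signature of this exact misconfiguration.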

200
MCQmedium

A network admin needs to log all traffic from the sales VLAN to the internet. The firewall policy is configured with logging enabled. However, the admin notices that only session start logs are generated, not detailed traffic logs. What setting must be enabled to capture per-packet or per-session details?

A.Enable 'Log Memory' on the policy
B.Enable security profiles
C.Set the log generation to 'All sessions' in the policy
D.Configure a traffic shaper
AnswerC

Setting the policy to log all sessions makes every session produce a traffic log record with its byte, packet and duration counters, rather than only security events.

Why this answer

Option C is correct because the policy's logging mode ('Log Allowed Traffic' in the GUI, `set logtraffic` in the CLI) decides what is recorded. 'Security Events' (`utm`) records only events raised by security profiles, while 'All Sessions' (`all`) writes a traffic log for every session, including traffic volume, duration and packet counts. Two caveats a practitioner should know: FortiGate logs per session, not per packet (per-packet detail comes from a packet capture, not from policy logging), and the separate 'Generate Logs when Session Starts' option (`set logtraffic-start enable`) only adds an extra record at session start; it does not replace the 'All Sessions' setting. Enabling security profiles changes what is inspected, not the policy's logging mode.

Exam trap

The trap here is assuming that enabling security profiles (UTM features) increases log verbosity. Profiles only inspect content and raise their own event logs; they do not switch the policy's logging mode from 'Security Events' to 'All Sessions', which is the setting that produces a record for every session.

How to eliminate wrong answers

Option A is wrong because 'Log Memory' is not a per-policy setting; memory is a log destination configured globally (`config log memory setting`) and does not change how much a given policy logs. Option B is wrong because security profiles (antivirus, web filter and so on) add inspection and their own event logs but do not change the policy's logging mode; the per-session traffic logs require the policy to log all sessions. Option D is wrong because a traffic shaper controls bandwidth allocation and QoS and has no effect on logging at all.

201
MCQmedium

A FortiGate admin wants to create a firewall policy that allows traffic from the internal network to the internet. The source is a subnet 192.168.1.0/24, and the destination is 'all'. The admin wants to apply NAT to hide internal IPs. Which NAT configuration is BEST suited for this scenario?

A.Configure a VIP for source NAT
B.Use policy-based routing to send traffic through a NAT device
C.Enable 'NAT' on the firewall policy and use the outgoing interface address
D.Create a one-to-one IP pool and apply it to the policy
AnswerC

Enabling NAT on the policy (policy-based NAT) with interface address is the simplest way to hide internal IPs.

Why this answer

Option C is correct because enabling NAT on the firewall policy with the outgoing interface address is the standard method for source NAT (masquerading) in FortiGate. This configuration translates all internal source IPs (192.168.1.0/24) to the single IP address of the egress interface, hiding the internal subnet from the internet. It is the simplest and most efficient approach for typical internet-bound traffic, requiring no additional objects like IP pools or VIPs.

Exam trap

The trap here is that candidates often confuse VIPs (destination NAT) with source NAT, or assume that a one-to-one IP pool is required for hiding internal IPs, when in fact interface NAT with PAT is the default and best practice for internet-bound traffic in FortiGate.

How to eliminate wrong answers

Option A is wrong because a Virtual IP (VIP) is used for destination NAT (port forwarding), not source NAT; applying a VIP to hide internal IPs would incorrectly translate destination addresses instead of source addresses. Option B is wrong because policy-based routing (PBR) controls the path traffic takes based on routing policies, not NAT; it does not perform address translation and would require a separate NAT device, which is unnecessary in FortiGate. Option D is wrong because a one-to-one IP pool maps each internal IP to a unique external IP, which is overkill and wasteful for hiding a subnet behind a single public IP; dynamic IP pools (overload) or interface NAT are more appropriate for many-to-one masquerading.
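The policy that answers question 201 (source NAT to the egress interface address) also carries the logging settings from question 200, so one added example serves both. It is an illustration, not part of the original question set; the interface names port1 (WAN) and port2 (LAN), the policy ID and the address object name are assumptions, while the 192.168.1.0/24 subnet comes from the question. Lines starting with # are annotation.

```fortios
config firewall address
    edit "LAN-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 20
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN-192.168.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Source NAT (PAT) to the port1 address. With no "set ippool enable"
        # the egress interface IP is used, which is the answer to question 201.
        set nat enable
        # "all" writes a traffic log for every session (bytes, packets,
        # duration). The default "utm" only logs security-profile events,
        # which is why question 200's admin saw no per-session records.
        set logtraffic all
        # Optional extra record when the session is created.
        set logtraffic-start enable
    next
end
```

To confirm the translation, open a connection from the LAN and run `diagnose sys session list`; the session entry shows the original and translated tuple and `act=snat` in its post-routing hook line. The corresponding traffic log (Log & Report > Forward Traffic) carries the same session with its counters once the session closes.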

202
MCQeasy

Which of the following best describes a Virtual IP (VIP) in FortiGate?

A.A method to translate a public IP/port to a private IP/port for inbound traffic
B.A method to translate private source IPs to a public IP for outbound traffic
C.A method to group multiple firewall policies
D.A method to load balance traffic across multiple WAN interfaces
AnswerA

VIP maps external (public) addresses to internal (private) destinations, enabling inbound access.

Why this answer

A Virtual IP (VIP) in FortiGate is used for Destination NAT (DNAT), translating an incoming public IP address and port to a private IP address and port. This allows external hosts to access internal servers (e.g., web servers) using a public IP, while the server remains on a private RFC 1918 address. The VIP object is referenced in a firewall policy to permit the inbound traffic and perform the translation.

Exam trap

The trap here is confusing Virtual IP (Destination NAT) with IP Pool (Source NAT), as both involve address translation but serve opposite traffic directions; candidates often pick Option B thinking VIP is for outbound translation.

How to eliminate wrong answers

Option B is wrong because it describes source NAT (an IP pool or the 'NAT' option on a policy), which translates private source addresses for outbound traffic; a VIP translates the destination of inbound traffic. Option C is wrong because grouping or sectioning policies is a policy-list organisation feature and has nothing to do with a VIP. Option D is wrong because balancing across multiple WAN interfaces is done with SD-WAN or ECMP routing; a VIP of type server load balance can distribute inbound connections across several backend servers, but it does not choose between WAN links.

203
MCQhard

An administrator configures a VIP for inbound HTTP traffic to an internal server (192.168.1.10:80). External users can reach the server via the VIP, but internal users on the same subnet as the server cannot access the server using its public IP. What is the most likely cause?

A.The internal users do not have a route to the VIP's public IP
B.The firewall policy for internal-to-DMZ traffic has NAT disabled
C.The VIP is configured on the wrong interface
D.NAT reflection (hairpin NAT) is not enabled
AnswerD

Why this answer

Option D is correct. An internal user sends a packet to the public address 203.0.113.10; the FortiGate applies the VIP's destination NAT and forwards it to 192.168.1.10 on the same internal interface the packet arrived on. If the policy that handles this internal-to-internal flow does not also source-NAT the traffic, the server sees the connection coming from the client's own 192.168.1.x address and replies to it directly on the LAN, never passing through the FortiGate. The client then receives a reply from 192.168.1.10 for a connection it opened to 203.0.113.10 and discards it, so the connection never completes. NAT reflection (hairpin NAT) fixes this by also translating the source to the FortiGate's internal interface address, so the server replies to the FortiGate, which reverses both translations before delivering the reply to the client. On FortiGate this requires the VIP's external interface to be 'any' (or the internal interface) so the VIP can match on the LAN side, a policy from the internal interface to the same internal interface with the VIP as destination, and NAT enabled on that policy.

Exam trap

The trap here is that candidates often assume internal users can reach the server via the public IP because the VIP works for external users, overlooking the fact that hairpin NAT is a separate feature required for traffic that enters and exits the same FortiGate interface.

How to eliminate wrong answers

Option A is wrong because the internal users already send traffic for 203.0.113.10 to their default gateway, the FortiGate, which is why it can apply the VIP at all; the packets reach the firewall, so the failure is in the NAT behaviour, not in reaching the public address. Option B is the closest distractor: it does name a policy with NAT disabled, but a LAN-to-DMZ policy is not in play, because the users and the server sit on the same subnet and the flow enters and leaves the same internal interface. The policy that matters is that internal-to-internal hairpin policy, and the missing source NAT on it is exactly what option D describes. Option C is wrong because the VIP evidently works on the external interface (external users reach the server); what the hairpin case needs is for the VIP to also be visible on the internal interface, which is part of enabling NAT reflection rather than a sign that the VIP is bound to the wrong interface.

204
Multi-Selectmedium

Which TWO statements about firewall policy authentication are correct?

Select 2 answers
A.Authentication cannot be used with FSSO
B.Authentication is only supported for inbound traffic
C.Authentication can be configured on a per-policy basis
D.Authentication can be based on local, LDAP, or RADIUS databases
E.Authentication is performed after the traffic is allowed by the policy
AnswersC, D

Authentication is enabled per policy, and the user groups a policy references can be backed by the local user database or by LDAP or RADIUS servers.

Why this answer

Option C is correct because authentication on a FortiGate is enabled per policy: adding users or user groups as a source of a firewall policy makes that policy require the user to be identified before it accepts the traffic, while policies without user groups are unaffected. How the user is identified depends on the configuration (active captive-portal login, or passive identification through FSSO, RADIUS accounting or a similar agent), but the per-policy scoping is the same. Option D is correct because the user groups referenced by a policy can contain local users or remote users whose credentials are checked against LDAP or RADIUS servers (TACACS+ and SAML are also supported).

Exam trap

The trap here is assuming that authentication applies only to inbound traffic, or that it happens after the policy has already allowed the traffic. A policy with user groups as a source applies in whichever direction the policy is written, and the FortiGate establishes the user's identity before that policy accepts the session, not afterwards. Option A is also false, since FSSO is one of the supported ways of identifying the user for a policy.

205
MCQeasy

A FortiGate administrator needs to create a firewall policy that allows outbound traffic to the internet but denies access to a specific list of malicious IP addresses. The malicious IP list is updated frequently. Which address object type should be used for the destination addresses to block?

A.IP Range address object
B.FQDN address object
C.Geography address object
D.Subnet address object
AnswerB

Among the listed object types, only an FQDN object changes the IP addresses it matches over time, through DNS resolution.

Why this answer

FQDN address objects are resolved by the FortiGate's own DNS lookups and are refreshed when the record's TTL expires, so the set of matched addresses follows whatever the name currently resolves to, without the policy being edited. IP range and subnet objects are static, and a geography object only changes when the GeoIP database is updated. One caveat for practice rather than for the exam: a frequently refreshed list of malicious IPs is more directly handled by an external threat feed address object (IP address feed), which pulls a plain-text list from a URL on a schedule and can be used as a policy destination; that type is simply not among the four choices here.

206
MCQeasy

Which statement about the implicit deny policy at the bottom of the firewall policy list is true?

A.It only applies to traffic from the internet
B.It can be edited to change the action to accept
C.It is optional and can be removed
D.It drops all traffic that does not match any explicit policy
AnswerD

Why this answer

The implicit deny policy is a built-in rule (policy ID 0) at the bottom of the FortiGate firewall policy list that drops all traffic not matching any explicit policy. It enforces a default-deny posture: only explicitly permitted traffic passes. It cannot be removed, reordered or given an accept action, and it applies to all traffic regardless of source interface. The one thing that can be changed on it is logging ('Log Violation Traffic' in the GUI, or `config firewall policy`, `edit 0`, `set logtraffic all` in the CLI), which is off by default and worth enabling when troubleshooting dropped traffic.

Exam trap

The trap here is that candidates often think the implicit deny policy can be edited or removed because they confuse it with an explicit deny policy that they can create and modify, but the implicit deny is a fixed, unchangeable rule at the bottom of the list.

How to eliminate wrong answers

Option A is wrong because the implicit deny policy applies to all traffic, not just traffic from the internet; it covers internal, DMZ and every other interface pair with no matching explicit policy. Option B is wrong because the implicit deny's action is fixed at deny and cannot be changed to accept; only its logging can be toggled. Option C is wrong because the implicit deny policy is mandatory; it is always present at the bottom of the list and cannot be removed.

207
MCQhard

An administrator configures a firewall policy with a schedule object that is set to 'Available: Mon-Fri 09:00-17:00'. At 10:00 AM on Saturday, users report they cannot access the resource. The administrator checks the policy list and sees the policy is enabled. What is the MOST likely reason?

A.The FortiGate's system time is incorrect
B.A deny policy with higher priority is blocking the traffic
C.The schedule object is not correctly applied to the policy
D.The schedule object only allows traffic on weekdays, and Saturday is not included
AnswerD

The schedule 'Mon-Fri 09:00-17:00' does not include Saturday, so the policy is inactive on Saturday. Traffic then hits the implicit deny.

Why this answer

The schedule object is configured to allow traffic only from Monday to Friday, 09:00-17:00. Since Saturday is outside this range, the firewall policy will deny or not match the traffic, even though the policy is enabled. This is the most direct and likely reason for the access failure.

Exam trap

The trap here is that candidates overlook the schedule's day-of-week restriction and assume that a policy showing as 'enabled' must be in effect, without recognising that a schedule object limits the policy to specific days and times and leaves it inactive outside those windows.

How to eliminate wrong answers

Option A is not the best answer because the configuration as stated already explains the symptom: the schedule excludes Saturday, and a wrong clock would be a general fault affecting every schedule-based policy. It is still worth a quick check in practice, since a clock that is off by a day produces exactly the same symptom; `execute date` and the NTP status settle it. Option B is wrong because nothing in the scenario indicates a conflicting deny rule; a higher deny policy would block the traffic on weekdays too, not only on Saturday. Option C is wrong because the schedule is applied to the policy (that is why it is inactive on Saturday); the issue is the content of the schedule, not a failure to attach it.

208
MCQmedium

An administrator needs to translate a single internal server (192.168.1.10:8080) to a public IP (203.0.113.10:80) so that external users can access it via HTTP. Which type of VIP should be configured?

A.Server Load Balancing VIP
B.Virtual IP (VIP) with no port forwarding
C.Static NAT (one-to-one VIP)
D.Port Forwarding VIP
AnswerD

Why this answer

Port Forwarding VIP (also called DNAT or destination NAT) is the correct choice because it translates a single internal server's IP and port (192.168.1.10:8080) to a specific public IP and port (203.0.113.10:80), allowing external HTTP users to reach the internal server. This is a one-to-one mapping of a public IP:port to a private IP:port, which is the exact definition of port forwarding in FortiGate.

Exam trap

The trap here is that candidates often confuse Static NAT (one-to-one IP mapping) with Port Forwarding VIP, forgetting that Static NAT translates all ports and does not allow port remapping, while Port Forwarding VIP specifically handles port translation.

How to eliminate wrong answers

Option A is wrong because Server Load Balancing VIP distributes traffic across multiple backend servers using a virtual server IP, not a single internal server mapping. Option B is wrong because a Virtual IP (VIP) with no port forwarding would map the entire public IP to the private IP without changing the port, so external users on port 80 would not reach port 8080. Option C is wrong because Static NAT (one-to-one VIP) maps an entire public IP to an entire private IP (all ports), not a specific port translation like 8080 to 80.
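An added example (not from the question set) that combines question 208's port-forwarding VIP with question 203's hairpin case: the VIP maps 203.0.113.10:80 to 192.168.1.10:8080 and is visible on any interface, policy 30 handles inbound traffic from the WAN, and policy 31 is the hairpin policy for internal users, with NAT enabled. The interface names port1 (WAN) and port2 (LAN), the policy IDs and the object names are assumptions; the addresses and ports come from the questions. Lines starting with # are annotation.

```fortios
config firewall address
    edit "LAN-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall vip
    edit "VIP-web"
        set extip 203.0.113.10
        # "any" rather than port1: lets the VIP match on the LAN side too,
        # which the hairpin policy below relies on.
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip "192.168.1.10"
        set mappedport 8080
    next
end

config firewall policy
    # Inbound from the internet: destination NAT only, source left as-is.
    edit 30
        set name "Inbound-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-web"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
    # Hairpin: internal users reaching the public IP. Same interface in and
    # out, and "set nat enable" rewrites the source to port2's address so the
    # server replies to the FortiGate instead of straight to the client.
    # Without it the client gets a reply from 192.168.1.10 for a connection
    # it opened to 203.0.113.10 and drops it (question 203).
    edit 31
        set name "Hairpin-web"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "LAN-192.168.1.0"
        set dstaddr "VIP-web"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable
        set logtraffic all
    next
end
```

The service object is HTTP (TCP/80) on both policies because that is what the client sends to; the port remap to 8080 happens in the VIP, after policy matching. The cost of the hairpin policy is that the server's logs show the FortiGate's LAN address instead of the real client for hairpinned connections, which is the usual reason to prefer split-horizon DNS (internal name resolving to 192.168.1.10) where that is an option.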

209
MCQeasy

A network administrator needs to allow only HTTPS traffic from the internal network (10.0.0.0/8) to the public DNS server (8.8.8.8). Which firewall policy configuration BEST enforces this restriction?

A.Source: ALL, Destination: 8.8.8.8, Service: HTTPS, Action: Accept
B.Source: 10.0.0.0/8, Destination: 8.8.8.8, Service: ALL, Action: Accept
C.Source: 10.0.0.0/8, Destination: 8.8.8.8, Service: HTTPS, Action: Accept
D.Source: 10.0.0.0/8, Destination: ALL, Service: HTTPS, Action: Accept
AnswerC

Why this answer

Option C is correct because it specifies the internal network (10.0.0.0/8) as the source, the public DNS server (8.8.8.8) as the destination, and HTTPS (TCP/443) as the service, with an Accept action. This precisely matches the requirement to allow only HTTPS traffic from the internal network to that specific destination, blocking all other traffic by default via the implicit deny rule.

Exam trap

The trap here is that candidates may confuse 'service' with 'destination port' and overlook that specifying 'ALL' for service or destination will permit unintended traffic, failing the precise restriction required.

How to eliminate wrong answers

Option A is wrong because it allows traffic from ALL sources, not just the internal network (10.0.0.0/8), which violates the restriction. Option B is wrong because it allows ALL services (any protocol/port) from the internal network to 8.8.8.8, not just HTTPS, which fails to restrict traffic to HTTPS only. Option D is wrong because it allows HTTPS traffic from the internal network to ALL destinations, not just 8.8.8.8, which does not enforce the destination restriction.

210
MCQhard

A FortiGate has policy-based NAT enabled. The admin wants to translate the source IP of internal users to the interface IP for internet traffic. The firewall policy has NAT enabled. However, traffic from the internal network to the internet shows the original source IP instead of the interface IP. What is the MOST likely reason?

A.Central NAT is enabled and overrides the per-policy NAT setting
B.The destination is a VIP that disables NAT
C.The NGFW mode is set to profile-based
D.The policy is configured in proxy inspection mode
AnswerA

With central NAT enabled, the policy's NAT flag is removed from the policy and ignored; source NAT is applied only by a matching entry in the central SNAT table.

Why this answer

When central NAT is enabled (`config system settings`, `set central-nat enable`), the FortiGate stops consulting the per-policy NAT option and applies source NAT exclusively from the central SNAT policy table. If no central SNAT entry matches the internal-to-WAN traffic, the packets leave with their original source address, which is precisely the symptom described. There are two fixes: disable central NAT to return to per-policy NAT, or keep central NAT and add a central SNAT policy for the traffic. The other options do not affect source NAT: a VIP as destination does destination NAT, profile-based NGFW mode and proxy inspection change how traffic is inspected, not whether it is translated.
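Both fixes in CLI form, added as an illustration rather than taken from the question set. The interface names port1 (WAN) and port2 (LAN), the address object name and the entry ID are assumptions. Lines starting with # are annotation.

```fortios
# Fix 1: go back to per-policy NAT, so the policy's "set nat enable" counts.
config system settings
    set central-nat disable
end

# Fix 2: keep central NAT and add the missing central SNAT entry. With
# central NAT on, "set nat enable" no longer exists on firewall policies;
# translation happens only if an entry here matches.
config system settings
    set central-nat enable
end
config firewall address
    edit "LAN-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "LAN-192.168.1.0"
        set dst-addr "all"
        # No "set nat-ippool": translate to the port1 (egress interface) address.
        set nat enable
    next
end
```

`show system settings | grep central-nat` tells you which mode the unit is in before you start reading policies, which is the check that resolves the question in one step. Apply only one of the two fixes; they are alternatives.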

211
MCQeasy

An administrator needs to block all traffic from a specific geographic region. Which object type should be used as the source in the firewall policy?

A.FQDN address
B.IP range address
C.Wildcard FQDN address
D.Geography address
AnswerD

Geography objects allow matching based on the source IP's country, enabling region-based blocking.

Why this answer

A geography address object (also known as a geolocation object) allows the firewall to match traffic based on the source IP's registered country or region using GeoIP databases. This is the correct object type when the requirement is to block all traffic from a specific geographic region, as it evaluates the source IP against the FortiGate's built-in geolocation mapping.

Exam trap

The trap here is that candidates often confuse geography objects with IP range or FQDN objects, mistakenly thinking they can manually compile IP ranges for a region or use domain-based filtering to block geographic traffic, which is inefficient and inaccurate.

How to eliminate wrong answers

Option A (FQDN address) is wrong because it resolves a fully qualified domain name to IP addresses, which does not provide geographic region filtering. Option B (IP range address) is wrong because it defines a contiguous block of IP addresses, not a geographic region, and would require manual maintenance of all IPs in that region. Option C (Wildcard FQDN address) is wrong because it matches domain names using wildcards (e.g., *.example.com), which is unrelated to geographic location and cannot filter by region.

212
MCQmedium

An administrator configures a firewall policy with a schedule that allows traffic only during business hours (Monday to Friday, 09:00-18:00). At 17:55 on a Friday, a user establishes an SSH session that is still active at 18:05. What happens to the session when the schedule ends?

A.The session is immediately terminated at 18:00
B.The session continues until it ends naturally
C.The session is allowed but new sessions are blocked
D.The session is terminated after a 60-second grace period
AnswerB

By default FortiGate does not interrupt established sessions when a schedule ends; the session stays in the session table until it closes or idles out.

Why this answer

By default a FortiGate policy schedule is evaluated when a new session is matched. Once a session is in the session table it keeps being forwarded after the schedule window closes, until it ends naturally or hits its idle timeout, so ongoing traffic is not cut off the moment the schedule expires. This default can be changed per policy: the 'schedule-timeout' option (`set schedule-timeout enable`, disabled by default) forces sessions to end when the policy's schedule end time is reached. The question describes the default behaviour.

Exam trap

The trap here is assuming that a schedule enforces a hard cutoff on all traffic. By default FortiGate applies the schedule only when matching new sessions and leaves established ones alone; a hard cutoff exists but has to be switched on explicitly with the policy's schedule-timeout option.

How to eliminate wrong answers

Option A is wrong because, by default, FortiGate does not terminate active sessions when a schedule ends; it only stops matching new ones (immediate termination is what the non-default schedule-timeout option would do). Option C is wrong because, although it correctly states that new sessions are blocked, it does not answer the question asked, which is what happens to the session that is already open: that session continues unchanged until it finishes. Option D is wrong because there is no 60-second grace period; the session persists on its own idle timeout or until it closes.
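The schedule object and policy behind questions 207 and 212, added as an example rather than taken from the question set (the window 09:00-18:00 is question 212's; question 207 uses 17:00). The interface names port2 (LAN) and port3, the schedule name and the policy ID are assumptions. Lines starting with # are annotation.

```fortios
# Recurring schedule: weekdays only. Saturday is not listed, so a policy
# using it is inactive on Saturday even though the policy itself is enabled.
config firewall schedule recurring
    edit "BusinessHours"
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 18:00
    next
end

config firewall policy
    edit 40
        set name "SSH-business-hours"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "BusinessHours"
        set service "SSH"
        set logtraffic all
        # "disable" is the default: a session opened at 17:55 keeps running
        # past 18:00. Set to "enable" to tear sessions down when the window
        # closes, which changes question 212's answer to option A.
        set schedule-timeout disable
    next
end
```

Two checks go with this: `execute date` confirms the clock and day the FortiGate is actually evaluating the schedule against (question 207's option A), and `diagnose sys session list` after 18:00 shows the still-open SSH session that question 212 asks about.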

213
Multi-Selecthard

An administrator needs to configure outbound NAT for 200 internal users using a single public IP (203.0.113.1). The public IP provides 2000 ports. Some applications require a deterministic source port range for logging. Which TWO NAT settings should be used?

Select 2 answers
A.IP Pool type: One-to-One
B.Configure a VIP for the public IP
C.Enable session helper for application
D.IP Pool type: Overload
E.Set 'Fixed Port Range' on the IP Pool
AnswersD, E

Why this answer

Option D (IP Pool type: Overload) is correct because it provides many-to-one port address translation (PAT), letting 200 internal users share the single public IP 203.0.113.1 by giving each session its own source port. Option E (Fixed Port Range) is correct because it makes the port assignment deterministic: the available port space is divided into equal blocks, one per internal address, so a given user always appears behind the same slice of ports (with 2000 ports and 200 users, 10 ports each) and logs can be correlated back to the user without a NAT session table. One detail worth knowing for the real product: in FortiOS the fixed port range is itself an IP pool type (`set type fixed-port-range`, alongside overload, one-to-one and port-block-allocation) rather than a checkbox on an overload pool. Both types are many-to-one PAT, which is why D and E are the two choices that fit; a one-to-one pool (A) would need 200 public addresses.

Exam trap

The trap here is confusing a fixed port range with static (one-to-one) NAT, or assuming that session helpers (Option C) have something to do with port allocation. Session helpers are application-layer gateways for protocols such as FTP and SIP; they open dynamic pinholes and do not make NAT port assignment deterministic.

214
Multi-Selectmedium

A FortiGate administrator is troubleshooting a connectivity issue where internal clients cannot reach a public web server. The administrator has confirmed that routing is correct and there are no security profiles blocking traffic. Which TWO debugging steps should the administrator take? (Choose two.)

Select 2 answers
A.Reboot the FortiGate
B.Run a packet capture on the internal interface
C.Change the NAT mode to Central SNAT
D.Disable the antivirus profile
E.Check the firewall policy list for matching policies
AnswersB, E

First confirm that the client's traffic reaches the FortiGate, then confirm that a policy accepts it.

Why this answer

Options B and E are correct. A packet capture on the internal interface shows whether the client's packets arrive at the FortiGate at all, and a second capture on the WAN side shows whether they leave and with what source address. Checking the policy list for a matching policy, and its position relative to other policies, shows whether the traffic is accepted or falls through to implicit deny. Rebooting (A) destroys the evidence without diagnosing anything, switching to central SNAT (C) changes the NAT design rather than finding the fault, and disabling antivirus (D) is ruled out by the statement that no security profile is blocking the traffic.
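The two debugging steps as they are actually typed on the FortiGate, added as an example rather than taken from the question set. The interface names port2 (LAN) and port1 (WAN), the client address 10.0.0.25 and the web server address 203.0.113.80 are constructed for this example. Lines starting with # are annotation.

```fortios
# Step 1: does the client's traffic reach the FortiGate on the LAN side?
# Verbosity 4 prints the interface name; 10 stops after ten packets.
diagnose sniffer packet port2 'host 10.0.0.25 and port 443' 4 10

# Same on the WAN side: if packets appear here the policy accepted them,
# and the source address shows whether NAT was applied.
diagnose sniffer packet port1 'host 203.0.113.80 and port 443' 4 10

# Step 2: which policy matched (or why nothing did). The debug flow trace
# prints the policy lookup for each packet that matches the filter.
diagnose debug flow filter addr 10.0.0.25
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# Reproduce the connection from the client, read the trace, then clean up.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear
```

In the trace, a line ending in "Denied by forward policy check (policy 0)" means the traffic fell through to implicit deny and there is no matching accept policy, while "Allowed by Policy-N" names the policy that accepted it. A capture that shows the client's SYN on port2 but nothing on port1, together with a policy 0 denial, is the classic missing-or-misordered-policy signature; no packets on port2 at all points back at the client or the LAN rather than at the FortiGate.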

215
MCQeasy

An administrator wants to create a firewall policy that blocks all traffic from a specific IP address (10.0.0.99) to the internet, but allows all other traffic. Which policy configuration is correct?

A.Create a deny policy for source 10.0.0.99 to destination 'all' on the WAN interface, then an allow policy for all other traffic
B.Create an allow policy for source 'all' and then a deny policy for 10.0.0.99
C.Use a local-in policy to block the IP
D.Create a policy that denies all traffic from 10.0.0.99 to any destination
AnswerA

The deny policy should be placed above the allow policy.

Why this answer

Option A is correct because FortiGate firewall policies are evaluated sequentially from top to bottom, and the first matching policy is applied. By placing a deny policy for source 10.0.0.99 to destination 'all' on the WAN interface first, traffic from that IP is blocked. Then a subsequent allow policy for all other traffic (source 'all') permits everything else, ensuring the specific IP is blocked while all other traffic is allowed.

Exam trap

The trap here is that candidates often think a deny policy alone is sufficient, forgetting that FortiGate requires an explicit allow policy for other traffic to pass, or they misorder policies, placing the allow before the deny, which causes the deny to be ineffective due to first-match logic.

How to eliminate wrong answers

Option B is wrong because if an allow policy for source 'all' is placed before the deny policy for 10.0.0.99, traffic from 10.0.0.99 will match the allow policy first and be permitted, defeating the block requirement. Option C is wrong because local-in policies are used to control traffic destined to the FortiGate itself (management traffic), not traffic transiting through the FortiGate to the internet. Option D is wrong because while it denies traffic from 10.0.0.99 to any destination, it does not include an allow policy for other traffic, which would result in all other traffic being implicitly denied by default unless a separate allow policy is added.
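An added example, not from the question set, of the correct configuration and of the ordering mistake option B describes. The deny policy is created after the allow policy, so it initially sits below it and never matches; the `move` command fixes the sequence. The interface names port1 (WAN) and port2 (LAN), the policy IDs and the address object name are assumptions; the blocked host 10.0.0.99 comes from the question. Lines starting with # are annotation.

```fortios
config firewall address
    edit "Blocked-host-10.0.0.99"
        set subnet 10.0.0.99 255.255.255.255
    next
end

config firewall policy
    # The general allow policy. Everything from the LAN matches this,
    # including 10.0.0.99, for as long as it sits above the deny.
    edit 50
        set name "Allow-LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # The block. Deny policies log only if told to; leave logtraffic on so
    # the blocked attempts are visible.
    edit 51
        set name "Block-10.0.0.99"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Blocked-host-10.0.0.99"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policy IDs are not evaluation order; position in the list is.
    # Put the specific deny above the general allow.
    move 51 before 50
end
```

`show firewall policy` prints policies in evaluation order, so after the move the deny appears first. Without the `move`, traffic from 10.0.0.99 matches policy 50 and is accepted, exactly the failure option B describes.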

216
MCQeasy

Which firewall policy matching parameter is evaluated FIRST when a packet arrives at a FortiGate interface?

A.Source address
B.Service
C.Schedule
D.Incoming interface
AnswerD

The first match criterion is the interface pair: the incoming interface of the packet together with the outgoing interface chosen by the route lookup.

Why this answer

When a packet arrives, the FortiGate already knows the incoming interface, and a route lookup determines the outgoing interface before any policy is examined. Policy lookup is then confined to policies written for that interface pair; those are checked top to bottom against source address, destination address, service, schedule and the policy's other criteria, and the first policy for which every criterion matches is applied. Source address, service and schedule therefore never enter the comparison until the interface pair has narrowed the candidate policies.

Exam trap

The trap here is assuming that the source or destination address is the first key. On a FortiGate the interface pair narrows the candidate policies before any address is compared, which is also why a policy written for the wrong interface pair never matches no matter how correct its addresses are.

How to eliminate wrong answers

Options A, B and C are wrong because source address, service and schedule are conditions that a candidate policy must satisfy once it has been selected by interface pair; none of them is examined before the incoming interface is known. Schedule additionally only affects the matching of new sessions, so it is the least likely candidate for 'first'.

217
Multi-Selectmedium

An administrator needs to allow internal users to access a public web server using the server's private IP address, while external users access it via a public IP. Which TWO components are required?

Select 2 answers
A.Central SNAT policy
B.An IP pool for source NAT
C.A static route on the FortiGate for the public IP
D.A VIP (Virtual IP) mapping the public IP to the private IP
E.A firewall policy allowing traffic from internal to the server's private IP
AnswersD, E

The VIP covers external access; an ordinary policy covers internal access by private IP.

Why this answer

Internal users reach the server by its private address through a normal firewall policy from the internal interface to the server's interface, with no translation (E). External users reach it through a VIP that maps the public IP to the private IP (D), referenced as the destination in a separate policy from the WAN interface. No IP pool or central SNAT policy is involved, because no source translation is required in either direction, and no static route for the public IP is needed: the FortiGate answers ARP for the VIP's external address on the external interface itself.

218
Multi-Selectmedium

An administrator is troubleshooting a connectivity issue where users in the 10.0.0.0/24 subnet cannot access the internet. The FortiGate has the following policies (in order): 1: allow 10.0.0.0/24 -> any, service: HTTP, HTTPS 2: deny any -> any, service: all Users can browse HTTP but not HTTPS. Which TWO actions would resolve the issue?

Select 2 answers
A.Verify that the HTTPS service object is correctly defined and not misspelled
B.Create a new policy above policy 1 allowing all traffic from 10.0.0.0/24
C.Add HTTPS to the allowed services in policy 1
D.Move policy 2 above policy 1
E.Check if the HTTPS service object includes both TCP/443 and TCP/8443
AnswersA, C

A policy that references the wrong or misnamed service object does not match the traffic it was meant to allow.

Why this answer

If HTTP works and HTTPS does not under a policy that lists both, the service bound as 'HTTPS' is the first suspect: confirm that policy 1 really references the predefined HTTPS object (TCP/443) rather than a misspelled or custom object with a different port (A), and make sure HTTPS is actually present in policy 1's service list (C). Anything policy 1 does not match falls to policy 2, which denies it. Option B would open all traffic from the subnet and defeat the restriction, option D would put the deny first and block HTTP as well, and option E is a distractor: standard HTTPS is TCP/443 only, and adding 8443 would not make port 443 traffic match.

219
Multi-Selecthard

An organization requires that outbound HTTP and HTTPS traffic from the internal network be translated to a single public IP address (203.0.113.1) using overload NAT (PAT). Which TWO configurations are necessary?

Select 2 answers
A.Disable 'Allow Traffic' on the implicit deny policy
B.Configure a one-to-one NAT IP pool
C.Create an IP pool with type 'Overload' and specify the public IP address
D.Configure a VIP for the public IP
E.Enable 'NAT' on the firewall policy and select the IP pool
AnswersC, E

An IP pool with overload type enables PAT using that public IP.

Why this answer

Overload NAT (PAT) allows multiple internal hosts to share a single public IP by translating source ports. To achieve this, you must create an IP pool with type 'Overload' that specifies the public IP address (203.0.113.1) and then enable NAT on the firewall policy, selecting that IP pool. This configuration ensures outbound HTTP/HTTPS traffic is translated to the single public IP with unique source ports.

Exam trap

The trap here is that candidates often confuse one-to-one NAT (Option B) with overload NAT, or think a VIP (Option D) is needed for outbound traffic, when in fact VIPs are strictly for inbound destination NAT.
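Both pool types from questions 213 and 219 side by side, with the policy that selects one of them, added as an example rather than taken from the question set. The interface names port1 (WAN) and port2 (LAN), the internal range 192.168.1.1-192.168.1.200 standing in for the 200 users, the pool and address object names and the policy ID are assumptions; the public IP 203.0.113.1 comes from the questions. Lines starting with # are annotation.

```fortios
config firewall ippool
    # Many-to-one PAT (question 219): every session takes the next free
    # source port on 203.0.113.1; the port a user gets is not predictable.
    edit "PAT-203.0.113.1"
        set type overload
        set startip 203.0.113.1
        set endip 203.0.113.1
    next
    # Deterministic variant (question 213): same public IP, but the port
    # space is split into equal blocks, one per internal address in the
    # source range. With 200 addresses each host always gets the same
    # 1/200th of the range, so a log entry maps back to one host.
    edit "FPR-203.0.113.1"
        set type fixed-port-range
        set startip 203.0.113.1
        set endip 203.0.113.1
        set source-startip 192.168.1.1
        set source-endip 192.168.1.200
    next
end

config firewall address
    edit "LAN-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 60
        set name "LAN-to-Internet-PAT"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN-192.168.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        # NAT plus an explicit pool: without "set ippool enable" the policy
        # would translate to the port1 address instead of 203.0.113.1.
        set nat enable
        set ippool enable
        set poolname "FPR-203.0.113.1"
        set logtraffic all
    next
end
```

Swap `poolname` to "PAT-203.0.113.1" for plain overload behaviour. `diagnose firewall ippool-all list` shows the configured pools with their types, and a session listed by `diagnose sys session list` shows the translated source port, which for the fixed-port-range pool stays inside the same block for a given internal host across sessions.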

220
MCQ · easy

Which of the following is the default action of a FortiGate firewall policy if no policy matches the traffic?

A. Log and drop
B. Redirect to authentication
C. Accept
D. Deny
Answer: D

Traffic that does not match any policy is implicitly denied.

Why this answer

FortiGate firewall policies operate on a 'first-match' basis, and if no policy matches the traffic, the default action is to deny the traffic. This is a fundamental security principle to ensure that only explicitly permitted traffic is allowed through the firewall. The implicit deny rule is automatically applied at the end of the policy list and cannot be removed or modified.

Exam trap

The trap here is that candidates may confuse the default action of a firewall with the default action of a router (which forwards traffic) or assume that FortiGate logs all denied traffic by default, but neither is true; the implicit deny is silent unless explicitly configured to log.

How to eliminate wrong answers

Option A is wrong because 'Log and drop' is not a default action; logging is only performed if a policy explicitly enables logging, and the implicit deny does not generate logs by default. Option B is wrong because 'Redirect to authentication' is a feature of authentication policies or captive portal configurations, not the default action for unmatched traffic. Option C is wrong because 'Accept' would violate the security model of a firewall, which must block all traffic unless explicitly allowed; accepting unmatched traffic would create a security vulnerability.

221
MCQ · medium

An admin needs to allow inbound SMTP traffic from the internet to a mail server in the DMZ. The public IP is 203.0.113.10, and the mail server's private IP is 10.0.0.5. Which VIP configuration is correct?

A. VIP: external IP 203.0.113.10 port 25 -> internal IP 10.0.0.5 port 25
B. VIP: external IP 203.0.113.10 port 25 -> internal IP 10.0.0.5 port 80
C. VIP: external IP 203.0.113.10 all ports -> internal IP 10.0.0.5 all ports
D. VIP: external IP 203.0.113.10 port 80 -> internal IP 10.0.0.5 port 80
Answer: A

This correctly maps SMTP traffic to the mail server.

Why this answer

Option A is correct because it configures a Virtual IP (VIP) that maps the public IP 203.0.113.10 on TCP port 25 (SMTP) to the internal mail server IP 10.0.0.5 on port 25. This allows inbound SMTP traffic from the internet to reach the mail server in the DMZ, performing both destination NAT (DNAT) and port forwarding for the specific SMTP service.

Exam trap

The trap here is that candidates may confuse port numbers or assume that any port mapping will work, but the NSE4 exam specifically tests that the VIP must match the service port (SMTP = 25) and that only the correct port mapping enables the intended application traffic.

How to eliminate wrong answers

Option B is wrong because it maps port 25 on the external IP to port 80 on the internal IP, which would send SMTP traffic to the mail server's HTTP port instead of the SMTP port, breaking email delivery. Option C is wrong because it maps all ports from the external IP to all ports on the internal IP, which is overly permissive and violates the principle of least privilege, exposing unnecessary services. Option D is wrong because it maps port 80 (HTTP) on the external IP to port 80 on the internal IP, which does not allow SMTP traffic on port 25, so inbound email would be blocked.

222
Multi-Select · hard

An admin troubleshoots an issue where internal users cannot access an internal server using its public IP address. The server is published via a VIP. The admin has already verified that the firewall policy allows traffic from internal to the VIP. Which THREE checks should the admin perform to resolve the issue? (Choose three.)

Select 3 answers
A. Enable NAT reflection on the VIP
B. Check if there is a firewall policy allowing traffic from internal to the VIP's mapped IP (private IP)
C. Configure the internal users to use the private IP directly
D. Verify that the server is listening on the internal interface
E. Change the VIP to use port forwarding
Answers: A, B, D

Enabling NAT reflection allows internal users to access the VIP from inside.

Why this answer

Common causes of hairpin NAT issues are: NAT reflection not enabled; a missing policy from internal to the VIP (already verified here); or the VIP not configured to allow internal traffic (i.e., not bound to the correct interface). Additionally, DNS resolution might point to the public IP while internal DNS might need to return the private IP. The server might also not be listening on the internal interface.

The three most relevant checks are: enable NAT reflection, ensure a policy allows the traffic, and confirm that the server is reachable via its internal IP.

223
MCQ · hard

An administrator configures Central SNAT with a dynamic IP pool for internet-bound traffic. Some users report that certain applications fail when they should be translated to a specific public IP. The administrator checks the policy-based NAT rules and finds none. What is the most likely reason for the failure?

A. A higher priority Central SNAT rule matches the traffic first
B. The traffic is being dropped by a security profile
C. The firewall policy has NAT disabled
D. The IP pool is configured on the wrong interface
Answer: A

Why this answer

Central SNAT rules are evaluated in order of priority, and the first matching rule is applied. If a higher-priority Central SNAT rule matches the traffic before the intended rule with the specific public IP, the traffic will be translated to the IP defined in that higher-priority rule, causing the applications to fail. Since no policy-based NAT rules exist, the issue lies in the Central SNAT rule priority order.

Exam trap

The trap here is that candidates often assume the issue is with the firewall policy's NAT setting or interface binding, when in fact Central SNAT rules have their own independent priority-based evaluation that can preempt the intended translation.

How to eliminate wrong answers

Option B is wrong because security profiles (e.g., antivirus, web filter) inspect traffic after NAT is applied; they would not prevent NAT from occurring, only block the session after translation. Option C is wrong because Central SNAT operates independently of the firewall policy's NAT setting; even if the firewall policy has NAT disabled, Central SNAT rules can still perform source NAT. Option D is wrong because the IP pool is bound to the Central SNAT rule, not directly to an interface; the rule's configuration determines the egress interface, and a misconfigured interface would not cause a specific public IP translation failure—it would affect all traffic using that rule.

224
Multi-Select · medium

An organization wants to implement least privilege for firewall policies. Which THREE best practices should be followed? (Choose three.)

Select 3 answers
A. Use a single schedule covering all days
B. Specify the exact services required (e.g., TCP/443, TCP/22)
C. Apply security profiles (e.g., antivirus, IPS) to inspect allowed traffic
D. Use any any for source and destination to simplify management
E. Use specific source and destination addresses
Answers: B, C, E

Specifying exact services restricts the allowed protocols and ports.

Why this answer

Option B is correct because specifying exact services (e.g., TCP/443, TCP/22) enforces least privilege by allowing only the necessary protocols and ports, reducing the attack surface. In FortiGate firewall policies, this is configured under the 'Service' field, where you can select predefined services or create custom ones to match specific TCP/UDP port numbers. This prevents overly permissive rules that could expose services like SMB (TCP/445) or RDP (TCP/3389) unintentionally.

Exam trap

The trap here is that candidates often choose 'Use any any for source and destination to simplify management' (Option D) thinking it reduces administrative overhead, but this directly contradicts the principle of least privilege and is a common misconfiguration in FortiGate environments.

225
MCQ · easy

What is the purpose of the 'implicit deny' policy on a FortiGate?

A. It allows traffic from trusted internal networks
B. It denies all traffic that does not match any explicit policy
C. It logs all traffic that is denied
D. It allows all traffic that matches no other policy
Answer: B

The implicit deny acts as a catch-all deny rule.

Why this answer

The 'implicit deny' policy on a FortiGate is a default, last-resort rule that denies all traffic not matching any explicit firewall policy. It ensures that any packet that does not meet the source, destination, service, or schedule criteria of a configured policy is dropped, enforcing a default-deny security posture. This behavior is fundamental to stateful firewall operation and prevents unauthorized traffic from traversing the device.

Exam trap

The trap here is that candidates often confuse the implicit deny with a logging or allow action, or assume it behaves like a default permit, when in fact it silently drops all unmatched traffic without logging unless explicitly configured.

How to eliminate wrong answers

Option A is wrong because the implicit deny does not allow traffic from trusted internal networks; it denies all unmatched traffic regardless of source, and allowing trusted traffic requires explicit permit policies. Option C is wrong because the implicit deny does not inherently log all denied traffic; logging must be explicitly enabled on a deny policy or via global logging settings, and the implicit deny itself generates no log entry by default. Option D is wrong because the implicit deny does not allow traffic; it denies any traffic that does not match an explicit policy, and allowing unmatched traffic would require an explicit permit-all policy at the end of the policy list.
