CCNA High Availability and Diagnostics Questions

75 of 145 questions · Page 1/2 · High Availability and Diagnostics · Answers revealed

1
MCQ · easy

What is the function of Zero Trust Network Access (ZTNA) on a FortiGate?

A. It allows users to securely access internal applications without a VPN, based on identity and device posture
B. It replaces the firewall policy for all traffic
C. It encrypts all traffic between the FortiGate and the internet
D. It is a cloud-based subscription for antivirus updates
Answer: A

ZTNA enables granular, identity-based access to applications without traditional VPN.

Why this answer

ZTNA provides secure access to applications based on identity and device posture, without requiring a VPN.

2
MCQ · hard

An administrator is configuring ZTNA (Zero Trust Network Access) on a FortiGate. The administrator needs to ensure that only clients with a valid posture assessment can access an internal application. Which access proxy setting must be configured to enforce this requirement?

A. Enable SSL deep inspection on the access proxy
B. Configure a ZTNA rule with a ZTNA tag requirement
C. Set the access proxy to use certificate-based authentication
D. Enable multi-factor authentication on the access proxy
Answer: B

ZTNA rules use tags to enforce security posture. The rule must be set to require a specific tag that is only assigned to compliant clients.

Why this answer

ZTNA uses access proxies to secure access. To enforce client posture assessment, the administrator needs to configure an access proxy with a ZTNA rule that includes a ZTNA tag matching the required posture. The tag is assigned by FortiClient EMS based on compliance.

The access proxy rule can then require that the client presents a valid ZTNA tag.

3
MCQ · easy

An administrator wants to monitor real-time traffic flows on a FortiGate, specifically to see packet details for traffic matching certain criteria. Which command should the administrator use to capture live packets on an interface?

A. diagnose sniffer packet
B. diagnose debug enable and diagnose debug flow trace
C. diagnose sys session list
D. execute system grep from CLI
Answer: A

'diagnose sniffer packet' captures and displays packet headers and payload in real time.

Why this answer

The 'diagnose sniffer packet' command is the built-in packet capture tool on FortiGate. It allows capturing packets on interfaces with filters for IP, port, protocol, etc. Example: 'diagnose sniffer packet any "host 10.0.0.1" 4'.

4
MCQ · medium

A FortiGate administrator notices that after upgrading the firmware, the HA cluster fails to form. Both units show the correct HA configuration. What is the most likely cause?

A. The HA heartbeat interfaces are not connected
B. The HA mode is set to active-active on one unit and active-passive on the other
C. The firmware versions are different on the two units
D. The HA priority values are identical
Answer: C

Firmware mismatch is a common cause after upgrade of only one unit.

Why this answer

HA clusters require all members to run the same firmware version. Mismatched firmware prevents cluster formation.

5
Multi-Select · medium

An administrator is setting up an active-passive HA pair and wants to ensure that the cluster can properly monitor each unit's health. Which TWO interfaces must be configured as HA heartbeat interfaces? (Choose two.)

Select 2 answers
A. The internal switch interface (e.g., port3)
B. A VLAN interface on a dedicated trunk that is only used for HA
C. A dedicated physical interface that is not used for data traffic
D. The WAN interface (port1)
E. The management interface
Answers: B, C

Using a dedicated VLAN on a trunk also works, as long as it is not shared with data traffic.

Why this answer

Heartbeat interfaces are used for cluster communication and health monitoring. FortiGate requires at least one dedicated heartbeat interface, but best practice is to have two for redundancy. The heartbeat interfaces can be physical interfaces or VLANs.

They should be dedicated to HA traffic and not carry regular data traffic. The correct options are the physical or VLAN interfaces designated for heartbeat: options B and C are correct because heartbeat interfaces can be any otherwise unused physical or VLAN interface, as long as it does not carry data traffic.

Option A is wrong because the internal switch interface is usually for LAN traffic. Option D is wrong because the WAN interface is typically used for data. Option E is wrong because management interfaces are kept separate from HA heartbeat.

6
Multi-Select · hard

An administrator is troubleshooting a FortiGate that is not sending logs to FortiCloud. The FortiGate has internet connectivity and a valid FortiCloud subscription. Which THREE steps should the administrator take to resolve this issue? (Select three.)

Select 3 answers
A. Ensure that the log types (traffic, event, security) are enabled for FortiCloud
B. Verify the FortiCloud status in the dashboard
C. Check if the FortiGate can resolve FortiCloud's FQDN
D. Increase the log buffer size
E. Disable the antivirus profile temporarily
Answers: A, B, C

Log forwarding must have the appropriate log types selected.

Why this answer

The three correct steps are: verify FortiCloud status to ensure registration, check allowed log types, and verify DNS resolution (FortiCloud uses FQDN).

7
MCQ · medium

A FortiGate administrator needs to ensure that traffic logs are sent to a FortiAnalyzer even when the FortiGate's local disk is full. What configuration is required?

A. Enable 'disk logging' with rollover policy
B. Increase the log severity to 'emergency' only
C. Enable 'remote log' under Log Settings and specify the FortiAnalyzer IP
D. Configure a log filter to send only security logs
Answer: C

This directly sends logs to FortiAnalyzer, independent of local disk.

Why this answer

Configuring the FortiAnalyzer as a log destination ensures logs are sent immediately. The local disk issue does not affect remote logging. Optionally, the admin can set logging to 'fallback' or 'any', but the direct method is to configure the remote syslog/FortiAnalyzer.

8
Multi-Select · hard

A FortiGate administrator is configuring an active-passive HA cluster and needs to ensure that management access is available via a dedicated management IP address that does not fail over. Which three steps should the administrator take? (Choose three.)

Select 3 answers
A. Assign an IP address to the management interface
B. Enable 'set ha-mgmt-interface' on the management interface
C. Set the management interface to be part of the HA cluster management IP
D. Ensure the management interface is not configured as a heartbeat interface
E. Configure a dedicated management interface (e.g., port3)
Answers: A, D, E

The IP must be configured on the interface for management access.

Why this answer

To have a dedicated management IP that does not fail over, the administrator should configure a dedicated management interface (separate from HA heartbeat), assign an IP to it, and ensure the management access is configured on that interface. The management interface can be in a separate VDOM if desired.

9
Multi-Select · medium

A FortiGate administrator is configuring logging to meet a compliance requirement that all security events must be stored for at least one year. The FortiGate has limited local disk space. Which THREE actions should the administrator take to meet this requirement? (Choose three.)

Select 3 answers
A. Set the log severity filter to only log 'emergency' events to reduce volume
B. Configure log rolling and retention policies to automatically delete older logs from the local disk after a set period
C. Disable local disk logging to save space
D. Configure the FortiGate to send logs to a FortiAnalyzer device
E. Enable logging to FortiCloud for cloud-based log storage
Answers: B, D, E

This manages local disk space by rotating logs, while external storage retains them long-term.

Why this answer

To store logs for a year with limited local disk, the administrator needs to offload logs to an external storage solution such as FortiAnalyzer or FortiCloud, and also set appropriate log retention policies. The correct actions are: send logs to a FortiAnalyzer (D), enable logging to FortiCloud (E), and configure log rolling and retention to automatically delete old logs from the local disk (B). Option A is wrong because logging only 'emergency' events would lose most logs.

Option C is wrong because disabling disk logging would save local space, but without external logging the logs would be lost.

10
MCQ · hard

An administrator configures HA override on a cluster with priority 200 on primary and 100 on secondary. The primary fails, secondary takes over. When primary recovers, what happens?

A. Both units become active, causing a conflict
B. Secondary remains active until next failover
C. The administrator must manually trigger failback
D. Primary immediately takes over as active
Answer: D

Override enables preemption: when the higher priority unit recovers, it becomes active.

Why this answer

With HA override enabled, the higher-priority unit (the original primary, priority 200) preempts the secondary (priority 100) as soon as it recovers.

11
MCQ · medium

An administrator notices that the FortiGate is not receiving updates from FortiGuard. The DNS settings are correct and the FortiGate can ping update.fortiguard.net. What is the MOST likely cause?

A. The firewall policy blocks outbound HTTPS
B. The antivirus profile is blocking the update traffic
C. The FortiGuard subscription has expired
D. The update server IP address changed
Answer: C

An expired subscription prevents update downloads, even if connectivity is present.

Why this answer

If DNS and connectivity are fine, the issue is often that the FortiGate's FortiGuard subscription has expired or the contract is not properly registered.

12
MCQ · medium

A FortiGate administrator has configured an active-passive HA cluster with two units. During a failover test, they notice that existing TCP sessions are dropped and must be re-established. What configuration change should the administrator make to ensure sessions are preserved during failover?

A. Enable session synchronization between the cluster members
B. Configure a dedicated heartbeat interface
C. Enable HA override
D. Increase the HA priority on the primary unit
Answer: A

Session sync ensures session state is shared, preserving TCP sessions during failover.

Why this answer

Session synchronization (session sync) allows the active unit to share session table entries with the passive unit. During failover, the new active unit has the session table pre-populated, so existing sessions continue without interruption.

13
MCQ · medium

An administrator runs 'diagnose debug flow' and sees the output 'no matching policy'. What does this indicate?

A. The packet is being processed by a policy with the correct source/destination
B. There is no firewall policy that allows the traffic from the source to the destination
C. The packet was dropped due to an antivirus signature match
D. The packet is being routed through a blackhole route
Answer: B

'No matching policy' indicates the packet did not match any configured firewall policy.

Why this answer

The debug flow trace shows packets flowing through the firewall policy evaluation. 'No matching policy' means the packet did not match any firewall policy.

14
MCQ · hard

A FortiGate administrator runs 'diagnose debug flow' and sees the output 'FW-6: packet is allowed by policy' but the packet is still dropped. What additional debug information should the administrator check to determine why the packet is dropped after being allowed?

A. Check the traffic log for the session
B. Enable 'diagnose debug flow show function-name' to see more detailed stages
C. Check the session table for the packet
D. Run 'diagnose sniffer packet' to capture the packet
Answer: B

This shows the internal processing stages, which can reveal where the drop occurs.

Why this answer

After policy lookup, further processing like security profiles, NAT, or routing may drop the packet. The 'function-name' parameter in debug flow shows deeper inspection stages.

15
MCQ · easy

An administrator is configuring an active-passive HA cluster and wants to ensure that the secondary unit can be monitored and managed directly via HTTPS even when it is not the primary. Which setting must be enabled?

A. Use the same IP address for both units with different ports
B. Enable 'set management-ip' on the HA configuration
C. Configure a virtual IP address for management in the firewall policy
D. Set 'ha-mgmt-status enable' on the interface
Answer: B

The 'set management-ip' command assigns a separate IP address to each unit in the cluster, allowing direct HTTPS access to the secondary unit even when it is not active.

Why this answer

In active-passive HA, the management interface allows individual management of each unit. Enabling 'management interface' on a dedicated interface (or a VLAN) gives each unit its own IP address for out-of-band management, independent of the HA cluster IP.

16
MCQ · easy

Which log severity level indicates that a log message is for informational purposes and does not require immediate action?

A. Notice
B. Debug
C. Information
D. Warning
Answer: C

Information logs are for informational messages that do not require action.

Why this answer

Option C is correct. In FortiGate, log severity levels follow the standard syslog severity: 0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=informational, 7=debug. Informational is level 6.

17
MCQ · easy

An administrator has two FortiGate units in an active-passive HA cluster. The cluster is configured to use the heartbeat interface port3. During a failover test, the primary unit fails but the secondary does not take over. What is the most likely cause?

A. The secondary unit has an override enabled.
B. The heartbeat interface (port3) is down on the secondary unit.
C. Session pickup is disabled on the cluster.
D. The HA uptime on the secondary is less than the primary.
Answer: B

Correct; heartbeat loss prevents failover.

Why this answer

In an active-passive HA cluster, the secondary unit monitors the primary's health via the heartbeat interface. If the heartbeat interface (port3) is down on the secondary, it cannot receive or send heartbeat packets, so it will not detect the primary's failure and will not initiate a failover. This is the most direct cause of the secondary not taking over.

Exam trap

The trap here is that candidates often assume session pickup or override settings are responsible for failover behavior, when in fact the heartbeat interface status is the fundamental prerequisite for any failover to occur.

How to eliminate wrong answers

Option A is wrong because override is a feature used in active-active clusters to force a unit to become primary, not a cause for a secondary failing to take over in active-passive. Option C is wrong because session pickup (or session synchronization) affects whether existing sessions are preserved after failover, not whether the failover itself occurs. Option D is wrong because HA uptime comparison is used for tie-breaking when both units have equal priority; if the secondary has lower uptime, it would still take over if the primary fails, as long as heartbeat communication is intact.

18
MCQ · medium

A FortiGate administrator wants to ensure that in an active-passive HA cluster, a specific unit becomes the primary (active) unit after a reboot. Which configuration parameter should be set to a higher value on that unit?

A. HA session pickup delay
B. HA override
C. HA priority
D. HA group-id
Answer: C

The unit with higher priority becomes active.

Why this answer

The HA priority determines the active unit in active-passive mode; higher priority wins.

19
MCQ · easy

What is the purpose of the 'override' setting in FortiGate HA?

A. It enables the higher-priority unit to reclaim the primary role after recovery
B. It allows management access to the cluster via a virtual IP
C. It disables HA failover during maintenance windows
D. It forces the secondary unit to become primary immediately
Answer: A

When override is enabled, a device with higher priority will become primary after it recovers from a failure.

Why this answer

HA override allows a device with higher priority to take over as primary after it recovers from a failure.

20
MCQ · easy

Which of the following log types on FortiGate records traffic that is denied by a firewall policy?

A. HA logs
B. Event logs
C. Traffic logs
D. Security logs
Answer: C

Traffic logs log all permitted and denied session attempts.

Why this answer

Traffic logs record both allowed and denied traffic based on firewall policies. Security logs record detection events (antivirus, IPS). Event logs record system events.

21
MCQ · easy

An administrator wants to send logs from a FortiGate to an external syslog server. Which log forwarding method should they configure?

A. Syslog
B. SMTP
C. NetFlow
D. SNMP
Answer: A

Syslog is the standard protocol for log forwarding.

Why this answer

Option A is correct. FortiGate supports sending logs to an external syslog server via 'config log syslogd setting'.

22
Multi-Select · medium

A FortiGate administrator wants to ensure that logs are retained even after a power outage. Which THREE storage options provide persistent log storage? (Choose three.)

Select 3 answers
A. Local disk logs
B. FortiAnalyzer
C. FortiCloud
D. Syslog server
E. Memory buffer logs
Answers: A, B, C

Local disk logs are stored on the hard drive and persist across a power outage.

Why this answer

Local disk logs are stored on the FortiGate's hard drive, FortiAnalyzer is an external logging appliance, and FortiCloud provides cloud-based log storage. Syslog servers typically do not guarantee retention on the FortiGate side.

23
MCQ · medium

An SD-WAN rule is configured with a 'manual' strategy and multiple members. The engineer wants to ensure that voice traffic always uses the MPLS link as long as it meets the SLA, otherwise use the broadband link. Which configuration is required?

A. Set the strategy to 'volume' and configure MPLS as preferred.
B. Set the manual strategy with MPLS as first member and enable SLA check.
C. Use 'load balancing' strategy and assign MPLS a higher weight.
D. Set the strategy to 'best quality' and set MPLS with highest priority.
Answer: B

Correct; manual strategy with SLA check will use the first member if SLA is met, otherwise the next.

Why this answer

Option B is correct because a manual strategy with ordered members and an SLA check allows the SD-WAN rule to first attempt the MPLS link; if the SLA is met, traffic uses MPLS, and if the SLA fails, the rule automatically fails over to the next member (broadband). This directly implements the engineer's requirement of 'MPLS if SLA met, otherwise broadband.'

Exam trap

The trap here is that candidates often confuse 'manual strategy' with 'best quality' strategy, assuming 'best quality' will always pick MPLS, but 'best quality' dynamically selects the best-performing link at any moment, which may not be MPLS if broadband has better SLA metrics.

How to eliminate wrong answers

Option A is wrong because the 'volume' strategy distributes traffic based on volume ratios, not on SLA compliance or preferred link selection. Option C is wrong because 'load balancing' strategy distributes traffic across members based on weights, not on SLA-based failover; a higher weight does not guarantee exclusive use of MPLS when SLA is met. Option D is wrong because 'best quality' strategy selects the link with the best SLA performance dynamically, but it does not enforce a strict preference for MPLS first; it may choose broadband if it has better metrics at that moment.

24
MCQ · medium

A FortiGate administrator is troubleshooting a VPN tunnel that is not establishing. The administrator wants to view the IKE debug output in real time. Which command should they use?

A. diagnose debug application ike -1
B. diagnose debug flow filter dport 500
C. diagnose sniffer packet any "udp port 500"
D. diagnose debug application ipsec -1
Answer: A

This enables IKE debug output at maximum verbosity.

Why this answer

Option A is correct. 'diagnose debug application ike -1' enables IKE debug with verbosity level -1 (all messages). This is the standard command for debugging IPsec IKE negotiations.

25
MCQ · hard

An administrator is configuring HA on two FortiGates. Both units have the same model and firmware. When they are connected, neither unit becomes active. The admin checks the HA status and sees that the cluster is not formed. What is the MOST likely cause?

A. The heartbeat interface is not configured
B. The management interface is used as a heartbeat
C. The HA password is incorrect
D. The HA group-id does not match
Answer: A

Heartbeat interfaces are mandatory for HA cluster formation.

Why this answer

HA requires at least one heartbeat interface configured on both units. Without it, they cannot communicate.

26
MCQ · hard

A FortiGate administrator is diagnosing a performance issue. They notice that the CPU usage is consistently high. Which command can provide a real-time view of the processes consuming CPU?

A. get system performance status
B. diagnose sys session stat
C. diagnose debug flow
D. diagnose sys top
Answer: D

This command displays real-time process list with CPU/memory consumption.

Why this answer

Option D is correct. 'diagnose sys top' provides a real-time top-like view of processes and their CPU/memory usage, helpful for identifying resource hogs.

27
MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A. The session has expired and will be removed in 1 second
B. The session is closing and has 3599 seconds until the entry is removed
C. The session is initiating a TCP connection and has not yet completed the handshake
D. The session is fully established and has been active for 3600 seconds
Answer: C

proto_state=01 indicates SYN_SENT, meaning the session is still in the handshake phase.

Why this answer

proto_state=01 means TCP SYN_SENT state, meaning the three-way handshake is incomplete. The session is still establishing.

28
MCQ · medium

An administrator needs to configure a FortiGate to send logs to an external FortiAnalyzer. Which setting is required?

A. Setting the log disk quota
B. Configuring syslog server
C. Enabling FortiCloud logging
D. Configuring FortiAnalyzer under Log Settings
Answer: D

Under Log & Report > Log Config, you can add a FortiAnalyzer device.

Why this answer

FortiGate uses the 'Log Device' or 'FortiAnalyzer' configuration to send logs to an external FortiAnalyzer.

29
MCQ · hard

A FortiGate admin is troubleshooting intermittent VPN disconnections. The admin enables debug flow with 'diagnose debug flow filter daddr 10.0.0.1' and 'diagnose debug flow trace start 10'. The output shows 'msg: send to x.x.x.x via intf port1' but then immediately 'msg: no matching policy'. However, the firewall policy list shows a policy that should match. What is the most likely cause?

A. The policy's source interface is not the incoming interface
B. The firewall policy is disabled
C. The VPN tunnel is down
D. A static route is missing or incorrect, causing the traffic to exit the wrong interface
Answer: D

The traffic should be routed into the VPN tunnel (e.g., interface ssl.root or vpn-interface). Instead, it is routed out port1 (the internet interface). This is a routing problem. The policy lookup then fails because there is no policy on port1 for that destination (or the policy on port1 has different source/destination).

Why this answer

The 'no matching policy' message indicates that the traffic did not match any policy. The debug shows the traffic leaving via port1, while the policy is most likely configured on a different interface (e.g., the VPN interface). In a VPN scenario, traffic destined for the remote subnet must match a policy from the VPN tunnel interface to the destination.

If the traffic is being routed out port1 (the physical WAN) instead of through the VPN tunnel, the policy check fails. This is often due to missing or incorrect routing. Alternatively, the policy might be correctly configured but the traffic is being processed on the wrong VDOM, but the routing issue is more common.

30
MCQ · easy

An administrator wants to troubleshoot a traffic flow issue on a FortiGate. They suspect packets are being dropped. Which command should they use to perform a real-time packet capture on an interface?

A. diagnose sniffer packet
B. get system performance status
C. diagnose sys session list
D. diagnose debug flow
Answer: A

This is the standard command for packet capture on FortiGate.

Why this answer

Option A is correct. The 'diagnose sniffer packet' command is used to capture packets in real time on FortiGate interfaces.

31
MCQ · easy

Which log severity level indicates a failure that requires immediate attention?

A. Debug
B. Emergency
C. Warning
D. Information
Answer: B

Emergency indicates a system-level failure requiring immediate action.

Why this answer

In Fortinet's FortiOS, log severity levels follow the standard syslog protocol (RFC 5424). The 'Emergency' level (severity 0) indicates a system is unusable or has experienced a critical failure that requires immediate administrator intervention, such as a hardware failure or a security breach. This is the highest severity level, designed to alert for urgent action.

Exam trap

The trap here is that candidates often confuse 'Warning' with a critical failure, but 'Warning' only indicates a potential problem, while 'Emergency' is the only level that signifies a system-wide failure requiring immediate attention.

How to eliminate wrong answers

Option A is wrong because 'Debug' (severity 7) is the lowest severity level, used for detailed troubleshooting information and does not indicate any failure. Option C is wrong because 'Warning' (severity 4) indicates a potential issue that might require attention but does not denote an immediate failure requiring urgent action. Option D is wrong because 'Information' (severity 6) is a normal operational message, such as a successful login or configuration change, and does not represent any failure.

32
MCQ · easy

In an active-active HA cluster, which of the following must be identical on both FortiGate units?

A. HA priority
B. Management IP address
C. Virtual cluster ID
D. Hostname
Answer: C

Correct; virtual cluster ID must match.

Why this answer

In an active-active HA cluster, the virtual cluster ID must be identical on both FortiGate units because it defines the cluster group and ensures that only units with the same ID can form an HA cluster. This ID is used in heartbeat packets to verify cluster membership and prevent accidental merging of separate clusters. Without a matching virtual cluster ID, the units will not recognize each other as part of the same HA group.

Exam trap

The trap here is that candidates often confuse 'must be identical' with configuration values that are typically synchronized (like priority or hostname), but the virtual cluster ID is the only parameter that must match before cluster formation can occur, while others can differ or are overwritten during synchronization.

How to eliminate wrong answers

Option A is wrong because HA priority determines the role (primary or secondary) within the cluster and can differ between units to establish a preferred leader; it does not need to be identical. Option B is wrong because the management IP address is a unique per-unit setting used for individual administrative access, and in an HA cluster, a separate virtual management IP (or floating IP) is used for cluster management, not the individual unit's management IP. Option D is wrong because the hostname is a local identifier for each FortiGate and can be different; it does not affect HA cluster formation or operation.

33
MCQ · easy

What is the purpose of the heartbeat interface in a FortiGate HA cluster?

A. To exchange HA heartbeat messages for health monitoring
B. To synchronize session tables and configuration
C. To provide out-of-band management access
D. To forward user traffic between cluster members
Answer: A

Heartbeat interfaces detect peer status; loss of heartbeat triggers failover.

Why this answer

The heartbeat interface in a FortiGate HA cluster is dedicated to exchanging HA heartbeat messages between cluster members. These messages are used to monitor the health and availability of each unit, enabling failover detection and ensuring cluster stability. It does not handle session synchronization, management access, or user traffic forwarding.

Exam trap

The trap here is that candidates often confuse the heartbeat interface with the HA sync interface, assuming it handles session synchronization or configuration replication, when in fact it only performs health monitoring.

How to eliminate wrong answers

Option B is wrong because session table and configuration synchronization is performed over the dedicated HA sync interface, not the heartbeat interface. Option C is wrong because out-of-band management access is typically provided by a dedicated management interface or VLAN, not the heartbeat interface. Option D is wrong because forwarding user traffic between cluster members is the role of the cluster link or inter-chassis links, while the heartbeat interface only carries health-check messages.

34
MCQ · hard

An administrator runs 'diagnose debug flow' for a specific policy and sees the following output:

id=20085 trace_id=10 func=vf_ip_route_in msg='No matching interface to route packet'

What does this indicate?

A. The packet is being blocked by a firewall policy
B. The source interface is down
C. The destination IP address has no matching route in the routing table
D. The session table is full
Answer: C

The message clearly states no matching interface to route the packet.

Why this answer

The trace indicates that FortiGate cannot find a route to forward the packet, meaning the destination is unreachable.

35
Multi-Select · medium

An administrator is configuring an active-passive HA pair. Which THREE of the following must be identical on both units for the cluster to form? (Choose three.)

Select 3 answers
A. HA priority
B. Hostname
C. HA password
D. Firmware version
E. Operation mode (NAT/Transparent)
Answers: C, D, E

The HA password, if configured, must match on both units.

Why this answer

Operation mode, firmware version, and HA password (if set) must match. Priority can differ. Hostname is not required to match.

36
MCQ · medium

A FortiGate administrator needs to send logs to an external FortiAnalyzer for centralized monitoring. Which log configuration step is required?

A. Configure syslog server
B. Add the FortiAnalyzer as a logging device in System > FortiAnalyzer
C. Enable FortiCloud logging
D. Enable disk logging on the FortiGate
Answer: B

FortiAnalyzer is configured under System > FortiAnalyzer to enable log forwarding.

Why this answer

To send logs from a FortiGate to an external FortiAnalyzer for centralized monitoring, the administrator must add the FortiAnalyzer as a logging device under System > FortiAnalyzer. This step establishes the secure, authenticated connection (typically using FortiGate's proprietary protocol over TCP/514 or TCP/3000) and enables log forwarding to the FortiAnalyzer. Without this configuration, the FortiGate will not send logs to the FortiAnalyzer, even if other logging methods are enabled.

Exam trap

The trap here is that candidates often confuse the FortiAnalyzer configuration with a generic syslog server setup, assuming any external logging destination works the same way, but FortiAnalyzer requires a specific device registration and protocol that differs from standard syslog.

How to eliminate wrong answers

Option A is wrong because configuring a syslog server sends logs in standard syslog format (RFC 3164/5424) to a generic syslog collector, not to a FortiAnalyzer, which uses a proprietary protocol for enhanced features like log correlation and reporting. Option C is wrong because enabling FortiCloud logging sends logs to FortiGate Cloud, not to an on-premises FortiAnalyzer, and is a separate service requiring a different subscription. Option D is wrong because enabling disk logging on the FortiGate stores logs locally on the FortiGate's hard disk or SSD, which does not forward logs to an external FortiAnalyzer; it only retains logs for local viewing and troubleshooting.

37
MCQhard

A FortiGate administrator has configured an active-passive HA cluster. After a failover event, the former primary unit comes back online and immediately takes over as primary again, causing another failover. The administrator wants the original primary to stay in standby until the current primary fails. Which setting should be configured?

A.Enable HA override on both units
B.Set the HA mode to active-active
C.Disable HA override on both units
D.Increase the HA priority on the primary unit
AnswerC

Disabling override prevents a unit from preempting the current primary when it comes back online.

Why this answer

HA override (set ha-override enable) causes a device to resume primary role when it becomes available with higher priority. Disabling override prevents this preemptive behavior.

38
MCQmedium

An administrator has configured an active-passive HA cluster. During a failover test, the standby unit becomes active but existing user sessions are lost, requiring users to re-establish connections. Which configuration change would prevent this behavior?

A.Lower HA priority on the primary
B.Enable session pickup
C.Set HA override to enabled
D.Increase the heartbeat interval
AnswerB

Session pickup is a FortiOS HA feature that synchronizes sessions to the standby unit for stateful failover.

Why this answer

Session synchronization (session sync) replicates active sessions to the standby unit so that sessions survive a failover.

39
MCQeasy

An administrator wants to capture HTTP traffic on port1 for troubleshooting. Which CLI command should be used?

A.diagnose debug flow
B.execute sniffer packet
C.diagnose sys session filter
D.diagnose sniffer packet port1 'tcp port 80'
AnswerD

This is the correct command to capture HTTP traffic on interface port1.

Why this answer

The 'diagnose sniffer packet' command is used to capture packets in FortiGate CLI.

40
MCQhard

A FortiGate administrator is setting up an HA cluster with two FortiGates. The heartbeat interfaces are connected via a dedicated switch. The administrator wants to ensure that the management IP is always accessible through the active unit. Which configuration is required?

A.Configure 'set management-ip' under the HA interface configuration
B.Configure a virtual IP address for the management interface
C.Set the management IP on each unit separately
D.Use the same IP address on both units
AnswerA

This assigns a floating management IP that follows the active unit.

Why this answer

Option A is correct. In HA, the management interface IP must be configured on the HA interface or as a dedicated management interface. Setting 'set management-ip' on the HA interface ensures the management IP is always on the active unit.

41
MCQmedium

A FortiGate receives log messages with severity 'warning'. What is the log severity level number for 'warning' according to FortiGate's log severity levels?

A.3
B.6
C.4
D.5
AnswerC

Warning is severity level 4.

Why this answer

FortiGate severity levels: Emergency=0, Alert=1, Critical=2, Error=3, Warning=4, Notification=5, Information=6, Debug=7.

42
MCQhard

A FortiGate in an active-active HA cluster is experiencing asymmetric routing. The administrator runs 'diagnose debug flow' on a packet from a client to a server. The flow trace shows the packet is allowed by policy, but the response is dropped. What is the most likely cause?

A.The TTL of the packet is too low
B.The HA mode should be changed to active-passive
C.The policy on the secondary unit has a different schedule
D.The session synchronization is not enabled between cluster members
AnswerD

Session sync ensures all cluster members share session state, preventing drops due to asymmetric routing.

Why this answer

In active-active HA, asymmetric routing can cause session state issues because each unit may see only one direction of traffic. Without session synchronization and strict session pickup, the unit receiving the response may not have the session and drops it.

43
MCQhard

A company has two FortiGate 100F units in an active-passive HA cluster with firmware version 7.2.5. The cluster is configured with session pickup and all interfaces are monitored. The network consists of three VLANs: VLAN10 (Users), VLAN20 (Servers), and VLAN30 (DMZ). The cluster is connected to two ISPs: ISP1 (port1) and ISP2 (port2). The internal network uses a single aggregated link (port3 and port4) as a LAG to the core switch. One day, the primary FortiGate experiences a hardware failure and the secondary takes over. After the primary is replaced and rejoins the cluster, the administrator notices that traffic passing through the cluster is intermittently dropping for a few seconds every minute. The administrator checks the cluster status and sees that the new primary (previously secondary) is in 'primary' state and the old primary (newly replaced) is in 'secondary' state. What is the most likely cause of the intermittent traffic drops?

A.The LAG configuration on the new FortiGate does not match the active cluster configuration.
B.Session pickup is not enabled on the new FortiGate.
C.The HA cluster is in split-brain state.
D.The heartbeat interface is configured on the LAG, causing HA instability.
AnswerA

Correct; mismatched LAG configuration can cause interface instability and traffic drops.

Why this answer

The most likely cause is that the LAG configuration on the newly replaced FortiGate does not match the active cluster configuration. In an HA cluster, all LAG member interfaces (port3 and port4) must have identical settings—including LACP mode, speed, duplex, and VLAN membership—on both units. When the secondary FortiGate became primary and the replaced unit rejoined as secondary, any mismatch in the LAG configuration would cause the cluster to continuously renegotiate or flap the aggregated link, leading to intermittent traffic drops every few seconds as the HA cluster attempts to synchronize and stabilize the interface state.

Exam trap

The trap here is that candidates often attribute intermittent traffic drops to session pickup or split-brain issues, but the key clue is the periodic nature of the drops (every minute), which points to a configuration mismatch on the aggregated link rather than a session synchronization or HA state problem.

How to eliminate wrong answers

Option B is wrong because session pickup is a feature that synchronizes existing sessions between HA members to prevent traffic loss during failover; it does not cause intermittent drops after the cluster is stable, and it is already enabled on the cluster per the scenario. Option C is wrong because a split-brain state would cause both units to claim primary status and actively forward traffic, leading to duplicate packets and network loops, not intermittent drops every minute, and the cluster status shows one primary and one secondary. Option D is wrong because the heartbeat interface is typically a dedicated interface (e.g., port5 or a separate management port) and is not configured on the LAG; even if it were, HA instability would manifest as constant failovers or loss of heartbeat, not as periodic traffic drops of a few seconds every minute.

44
MCQmedium

A FortiGate administrator needs to send logs to a FortiAnalyzer device for long-term storage and analysis. Which log configuration must be set up?

A.Configure an IPsec tunnel to FortiAnalyzer
B.Add the FortiAnalyzer as a logging destination in Log Settings
C.Enable disk logging on the FortiGate
D.Configure syslog server pointing to FortiAnalyzer IP
AnswerB

FortiAnalyzer is configured under Log & Report > Log Setting as a logging destination.

Why this answer

Logs are sent to FortiAnalyzer by configuring the Log Settings > Log Forwarding or the Log & Report > Log Setting to send logs to FortiAnalyzer.

45
MCQhard

An administrator is troubleshooting a FortiGate that is not sending logs to FortiAnalyzer. The FortiAnalyzer is reachable from the FortiGate. Which command should the administrator use to test the connectivity and log forwarding?

A.execute log send
B.execute log fortianalyzer test
C.ping <FortiAnalyzer IP>
D.diagnose debug application fortianalyzer
AnswerB

This command sends a test log message to FortiAnalyzer and reports success/failure.

Why this answer

Option B is correct. 'execute log fortianalyzer test' sends a test log to FortiAnalyzer to verify connectivity and configuration.

46
MCQmedium

An administrator configures a FortiGate HA cluster in active-passive mode. After a failover, some UDP-based sessions are lost. What is the MOST likely reason?

A.The heartbeat interface failed
B.UDP session synchronization is not enabled by default
C.The failover triggered a routing table change
D.The HA priority was set too low on the backup unit
AnswerB

In active-passive HA, only TCP sessions are synchronized. UDP sessions are not synced unless 'set session-sync-udp' is configured.

Why this answer

UDP is stateless and not synchronized by default in active-passive HA unless session synchronization is configured. TCP sessions are synchronized by default.

47
MCQhard

A FortiGate admin wants to inspect SSL-encrypted traffic for threats using IPS. The admin creates an SSL inspection profile with 'full SSL inspection' and applies it to the policy. What additional configuration is necessary for the IPS engine to process the decrypted traffic?

A.Enable 'set ssl-ssh-profile' under the IPS sensor
B.Enable 'IPS' under the SSL inspection profile
C.Configure the FortiGate's CA certificate on clients
D.Apply an IPS sensor to the same firewall policy
AnswerD

The IPS sensor is a separate security profile that must be added to the policy to scan decrypted traffic.

Why this answer

IPS inspection requires that the security profile (IPS sensor) is also applied to the same firewall policy. SSL inspection alone only decrypts; the IPS profile inspects the decrypted traffic.

48
MCQhard

An administrator runs 'diagnose sys session list' and sees a session with 'expire=0'. What does this indicate?

A.The session has expired and will be removed soon
B.The session is a long-lived session that does not expire
C.The session has been idle for 0 seconds
D.The session is permanently established and will not expire
AnswerA

expire=0 indicates the session lifetime has ended and it will be cleaned up.

Why this answer

expire=0 means the session TTL has reached zero and the session is eligible for removal in the next cleanup cycle.

49
MCQmedium

An administrator needs to store logs for compliance purposes and wants them to be retained even if the FortiGate is reset. Which log storage option should they use?

A.FortiAnalyzer
B.FortiCloud logs
C.Syslog server
D.Local disk logs
AnswerA

FortiAnalyzer is dedicated log storage that can be configured for long-term retention and is independent of FortiGate resets.

Why this answer

Option A is correct. FortiAnalyzer provides centralized log storage that is separate from the FortiGate, ensuring logs are retained even if the FortiGate is reset.

50
MCQmedium

A FortiGate cluster in active-passive HA is configured with two heartbeat interfaces. The primary unit fails completely. The secondary unit detects the failure and becomes primary. After the original primary recovers, it remains in passive mode. What is the most likely reason for this behavior?

A.The heartbeat interfaces are not properly configured
B.The HA override setting is disabled
C.The priority of the original primary is lower than the current primary
D.The HA override setting is enabled
AnswerB

With override disabled, the recovered unit does not preempt the current primary.

Why this answer

When override is disabled (the default), the recovered unit will not preempt the current primary. The cluster stays with the current primary until it fails. This is the expected behavior for graceful recovery.

51
Multi-Selectmedium

An active-passive HA cluster is experiencing frequent failovers. Which TWO factors could cause unnecessary failovers? (Choose two.)

Select 2 answers
A.Using a data interface as the heartbeat interface
B.An unstable network link for the heartbeat
C.Different firmware versions on cluster members
D.Mismatched HA passwords between cluster members
E.Mismatched HA priority values
AnswersA, B

Data interfaces may have fluctuating link status, triggering failover.

Why this answer

Incorrect heartbeat interface configuration (e.g., using a busy data port) can cause false positives. A mismatched HA password prevents proper communication, but may not cause failover; mismatched priority affects role selection, not failover frequency. Unstable heartbeat links cause failover.

52
MCQmedium

A FortiGate administrator wants to configure ZTNA to secure access to an internal application. Which of the following components is essential for ZTNA to function?

A.FortiCloud
B.FortiClient EMS
C.FortiAnalyzer
D.A VPN tunnel to the client
AnswerB

FortiClient EMS provides endpoint compliance and identity information required for ZTNA.

Why this answer

ZTNA requires FortiGate to verify the user's identity and device posture. The FortiClient EMS provides device posture information and client certificates, which are essential for ZTNA access control.

53
Multi-Selectmedium

A FortiGate administrator is troubleshooting an issue where HTTPS traffic is not being properly inspected by the web filter. The policy has SSL inspection enabled. Which TWO commands would provide the most useful real-time debugging information? (Choose two.)

Select 2 answers
A.diagnose test application ips 1
B.diagnose debug flow filter dport 443 ; diagnose debug flow show function-name ; diagnose debug enable
C.diagnose sys session filter dport 443 ; diagnose sys session list
D.execute log display
E.diagnose sniffer packet any 'port 443' 4
AnswersB, E

This enables flow debugging for HTTPS traffic, showing the inspection stages.

Why this answer

Diagnose debug flow traces the packet through the firewall pipeline, showing each stage. Diagnose sniffer packet captures the actual packets, useful for seeing the SSL handshake. The other options are not real-time for this issue.

54
MCQmedium

A FortiGate HA cluster is running in active-passive mode with two units. The administrator notices that the primary unit fails over to the secondary unit every few minutes, causing service disruption. The heartbeat interfaces are configured on port1 and port2. What is the MOST likely cause of the frequent failovers?

A.Session synchronization is consuming too much bandwidth
B.The HA priority is set to 0 on the primary unit
C.The heartbeat interfaces are experiencing high packet loss
D.The HA override setting is enabled, causing the secondary to take over
AnswerC

Unreliable heartbeat links (high packet loss/jitter) cause false failure detection, leading to frequent failovers.

Why this answer

High packet loss or jitter on the heartbeat link can cause the secondary unit to believe the primary is down, triggering unnecessary failovers. Heartbeat interfaces must be reliable.

55
MCQeasy

A FortiGate administrator needs to capture packets on the DMZ interface to troubleshoot a connectivity issue. Which CLI command should be used to start a packet capture?

A.diagnose sniffer packet
B.diagnose debug flow
C.diagnose sys session list
D.execute packet-capture start
AnswerA

This is the correct command to capture packets on an interface.

Why this answer

The command 'diagnose sniffer packet' is used for packet capture on FortiGate interfaces.

56
MCQmedium

An administrator is reviewing log files on a FortiGate and needs to identify events related to a specific user authentication failure. The FortiGate has local disk logging enabled. Which command would the administrator use to search the logs for this event?

A.diagnose debug authd fsrv record
B.show log traffic-log
C.execute log filter
D.get log traffic
AnswerC

This command sets filters for log display; used with 'execute log display' to search logs.

Why this answer

Option C is correct. The 'execute log filter' command allows filtering logs by various criteria (user, type, etc.) before displaying them with 'execute log display'.

57
MCQmedium

An administrator configures a FortiGate HA cluster in active-active mode. After enabling session synchronization, they notice that new sessions are not being synced to the secondary unit. The cluster is using a dedicated heartbeat interface. What could be the reason?

A.The HA mode is set to active-passive
B.The firewall policy does not have session sync enabled
C.The session TTL is too short
D.The heartbeat interface is not configured with an IP address
AnswerB

For active-active HA, session sync must be enabled per-policy; otherwise sessions are not synced.

Why this answer

In active-active HA, session synchronization requires that the session sync flag is enabled on the firewall policy. Without it, sessions are not synced.

58
MCQmedium

A network administrator is troubleshooting a FortiGate HA cluster that is not failing over as expected. The cluster consists of two units in active-passive mode. The administrator issues the command 'diagnose sys ha status' and sees that both units have the same priority. What is the most likely cause of the failover issue?

A.The HA override setting is disabled
B.The HA mode is set to active-active instead of active-passive
C.The session pickup feature is enabled
D.The HA heartbeat interfaces are not properly connected
AnswerA

With override disabled, a secondary unit with lower priority cannot preempt the primary after a failback. The primary must fail completely for a failover to occur.

Why this answer

In active-passive HA, the unit with the higher priority (lower number) becomes primary. If priorities are equal, the primary is determined by serial number. Equal priorities do not prevent failover; the issue is likely that the override setting is disabled, so a lower-priority unit cannot take over even if the primary fails unless override is enabled.

59
MCQmedium

A company has two FortiGate units in an active-active HA cluster. They want to ensure that sessions initiated from the internet through a virtual IP are synchronized to the peer unit in case of failover. Which HA setting is required?

A.Enable 'set ha-mgmt-status enable' on the WAN interface
B.Set 'set schedule' to 'round-robin' for the VIP
C.Configure the same virtual IP on both units
D.Enable 'session-pickup' under config system ha
AnswerD

Session pickup enables synchronization of all sessions, including those from VIPs, to the standby unit. Without it, sessions are not synced.

Why this answer

In active-active HA, session synchronization is enabled by default for TCP sessions, but for UDP and other protocols, session sync needs to be explicitly enabled. However, the question is about ensuring sessions are synchronized. The key setting is 'session-pickup', which enables session synchronization for all protocols.

Also, for active-active, 'session-pickup-connectionless' should be enabled for UDP and ICMP. But the most direct answer is to enable session-pickup globally.

60
MCQhard

During a failover in an active-passive HA cluster, the newly active unit does not have the same session table as the previous primary, causing all existing sessions to drop. Which setting should the administrator verify?

A.HA override is enabled on both units
B.The heartbeat interface is configured as a dedicated management interface
C.The session pickup setting is enabled
D.The cluster is operating in active-active mode
AnswerC

Session pickup synchronizes session tables; if disabled, sessions are lost on failover.

Why this answer

Session synchronization must be enabled and properly configured to replicate sessions to the standby unit.

61
MCQhard

In an active-active HA cluster, what is the purpose of the 'session sync' configuration?

A.To synchronize configuration changes between cluster members
B.To balance the number of sessions across cluster members
C.To replicate session state so that if one unit fails, another can take over without interruption
D.To synchronize the time between cluster members
AnswerC

Session sync maintains state for seamless failover.

Why this answer

Session sync ensures that sessions are shared between cluster units so that any unit can handle traffic for a given session.

62
MCQhard

An administrator runs 'diagnose sys session filter dport 443' and then 'diagnose sys session list'. The output shows many sessions with 'proto_state=01' and 'expire=3599'. What does 'expire=3599' indicate?

A.The session has 3599 packets
B.The session has been alive for 3599 seconds
C.The session has 3599 bytes of data transferred
D.The session will timeout in 3599 seconds
AnswerD

Expire shows remaining time before the session is removed due to inactivity.

Why this answer

In FortiGate diagnostics, the 'expire' field in the session list output indicates the remaining time in seconds before the session times out. A value of 3599 seconds means the session will be removed from the session table after that many seconds of inactivity, assuming no further traffic matches the session. This is a key metric for understanding session lifecycle and timeout behavior.

Exam trap

The trap here is confusing 'expire' (remaining time until timeout) with 'duration' (time since session creation), leading candidates to incorrectly select option B.

How to eliminate wrong answers

Option A is wrong because 'expire' does not represent a packet count; packet counts are shown in separate fields like 'packets' or 'pkt_in/pkt_out'. Option B is wrong because 'expire' is the remaining time until timeout, not the elapsed time since the session was created; the 'duration' field tracks how long the session has been alive. Option C is wrong because 'expire' is unrelated to data transfer size; byte counts are displayed in fields such as 'bytes' or 'total_bytes'.

63
MCQmedium

A FortiGate administrator runs 'diagnose sys session filter dport 443' and then 'diagnose sys session list'. The output shows many sessions with 'proto_state=01' and 'expire=0'. What does this indicate about these sessions?

A.The sessions are for UDP traffic
B.The sessions are in the process of being established
C.The sessions are fully established and active
D.The sessions have expired and are being removed from the session table
AnswerD

expire=0 means the session timer has expired, and the session is being cleaned up.

Why this answer

In the FortiGate session table, 'expire=0' means the session has expired (or is being cleaned up). 'proto_state=01' often indicates the TCP SYN-sent state. Sessions with expire=0 are not fully established or are closing.

64
MCQeasy

Which FortiGate log type records information about firewall policy matches and traffic statistics?

A.Event logs
B.Traffic logs
C.Audit logs
D.Security logs
AnswerB

Traffic logs are generated when traffic matches a firewall policy and record session details.

Why this answer

Traffic logs record information about every session that matches a firewall policy, including source/destination, ports, bytes, and duration. Security logs record IPS, antivirus, web filtering events. Event logs record system events.

65
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A.The session is a UDP connection to port 443
B.The session will expire in 3600 seconds
C.The session has been established for 3600 seconds
D.The TCP three-way handshake is incomplete; only SYN was sent
AnswerD

TCP state SYN_SENT (01) indicates the initial SYN was sent but no SYN-ACK received yet.

Why this answer

Protocol 6 is TCP. proto_state=01 means TCP SYN_SENT. The session duration is 3600 seconds, with 3599 seconds remaining before it expires.

66
MCQmedium

An administrator needs to ensure that in an active-passive HA cluster, the primary unit always remains the preferred master unless it fails, regardless of other factors. The administrator sets the primary's HA priority to 200 and the secondary to 100. However, after a reboot of the primary, the secondary becomes the primary. What additional step is required?

A.Set 'set ha-mgmt-status enable' on the primary
B.Reduce the secondary priority to 0
C.Increase the primary priority to 255
D.Set 'set override enable' under config system ha
AnswerD

Enabling override tells HA to actively switch back to the highest priority unit when it recovers. Without override, the cluster does not preempt.

Why this answer

In HA, the 'override' setting (or 'set override enable') ensures that when the primary recovers, it will preempt the current primary and become active again. Without override, the cluster uses a non-preemptive mode: once a unit becomes primary, it stays primary even if a higher-priority unit comes back online.

67
Multi-Selectmedium

A FortiGate administrator needs to ensure that a specific traffic flow is fully inspected by the antivirus and IPS profiles. The traffic is HTTPS. Which THREE configuration items are required? (Select three.)

Select 3 answers
A.Enable flow-based inspection mode globally
B.Apply an IPS profile to the firewall policy
C.Apply an antivirus profile to the firewall policy
D.Enable SSL/TLS deep inspection on the firewall policy
E.Configure a DNS filter profile
AnswersB, C, D

IPS profile is needed to detect and prevent intrusions.

Why this answer

SSL inspection is required to decrypt HTTPS; then antivirus and IPS profiles can inspect the decrypted traffic. The firewall policy must include these profiles.

68
Multi-Selectmedium

A FortiGate administrator is troubleshooting a traffic issue where users cannot access a specific website. The administrator runs 'diagnose debug flow' and sees the output indicating that traffic is being denied by a firewall policy. Which two actions should the administrator take to identify the specific policy denying the traffic? (Choose two.)

Select 2 answers
A.Run 'diagnose debug enable' and then reproduce the issue
B.Use 'diagnose sys session list' to find the policy ID
C.Review the policy list and look for the policy ID shown in the debug output
D.Check the traffic log for the session to see the policy ID
E.Disable all firewall policies temporarily
AnswersC, D

The debug flow output typically includes the policy ID that applied. The admin can then review that specific policy.

Why this answer

The debug flow output includes the policy ID that denied the traffic. The administrator can check the policy details using 'show firewall policy <id>' or check the traffic log for the session to see which policy was matched.

69
MCQmedium

An administrator notices that the FortiGate HA cluster has two units, but only one is shown as 'primary' and the other as 'standby'. The administrator did not configure any load balancing. Which HA mode is in use?

A.Active-passive
B.Load-balanced cluster
C.Standalone
D.Active-active
AnswerA

Active-passive uses primary/standby roles.

Why this answer

In active-passive HA, one unit is primary (active) and the other is standby (passive).

70
MCQmedium

A FortiGate HA cluster is set to active-active mode. The administrator notices that session synchronization is enabled but some sessions are not being synced between cluster units. Which of the following is a likely cause for incomplete session synchronization in active-active mode?

A.The cluster is using unicast heartbeat
B.The 'set session-sync-id' is not configured or mismatched between cluster units
C.The heartbeat interface speed is set to 1 Gbps
D.The HA override is enabled
AnswerB

Active-active requires a session synchronization ID to be set; if it's missing or mismatched, sessions are not synced properly.

Why this answer

Option B is correct. In active-active HA, session synchronization must be set to 'all' or 'group' to sync sessions; the default may only sync specific sessions. The 'session-sync-id' must match on all units.

71
Multi-Selecthard

An administrator is troubleshooting a VPN tunnel that fails to establish. Which TWO CLI commands would provide the most relevant diagnostic information? (Choose two.)

Select 2 answers
A.show full-configuration vpn ipsec
B.execute ping-options source
C.diagnose debug application ike -1
D.get system performance status
E.diagnose vpn ike log
AnswersC, E

Enables real-time IKE debugging output.

Why this answer

'diagnose vpn ike log' provides detailed IKE negotiation logs; 'diagnose debug application ike -1' enables real-time IKE debugging. Both are essential for VPN troubleshooting.

72
MCQmedium

Refer to the exhibit. An SD-WAN rule for voice traffic uses the SLA strategy with sla-match-mode 'any'. SLA 'sla1' measures ping to 8.8.8.8. If wan1 has latency 90 ms and jitter 10 ms, and wan2 has latency 110 ms and jitter 5 ms, which link will be selected for voice traffic?

A.Neither link, because both fail jitter.
B.wan1, because it meets the SLA thresholds.
C.Both links, because sla-match-mode 'any' allows any link that meets SLA.
D.wan2, because it has lower jitter.
AnswerB

Correct; wan1 meets both latency and jitter thresholds.

Why this answer

With sla-match-mode 'any', the SD-WAN rule selects the first link that meets any of the configured SLA thresholds. The SLA for voice traffic measures ping to 8.8.8.8 with thresholds for latency and jitter. wan1 has latency 90 ms and jitter 10 ms, which both fall within typical SLA thresholds (e.g., latency < 150 ms, jitter < 20 ms), so it meets the SLA. wan2 has latency 110 ms, which also meets the latency threshold, but since 'any' mode selects the first qualifying link, wan1 is chosen. Option B is correct because wan1 satisfies the SLA and is selected first.

Exam trap

The trap here is that candidates often assume sla-match-mode 'any' selects all links that meet any SLA, but it actually selects only the first qualifying link in the order, leading to confusion with 'all' mode or load-balancing behavior.

How to eliminate wrong answers

Option A is wrong because both links do not fail jitter; wan1 has jitter 10 ms and wan2 has jitter 5 ms, both within typical thresholds, and the SLA is met by at least one link. Option C is wrong because sla-match-mode 'any' does not select all links that meet SLA; it selects the first link that meets any SLA threshold, not all links. Option D is wrong because the selection is not based on lower jitter; it is based on the first link meeting the SLA thresholds, and wan1 is evaluated first.

73
MCQmedium

An administrator is configuring a FortiGate HA cluster and wants to ensure that the primary unit is always preferred based on its configuration priority. Which setting should be enabled to allow the primary unit to resume its role after a failover if it regains connectivity?

A.set ha-inherit-priority enable
B.set override enable
C.set session-pickup enable
D.set ha-priority 255
AnswerB

Override enables a higher-priority unit to reclaim the primary role.

Why this answer

Option B is correct. The HA override setting allows a higher-priority unit to take over the primary role when it rejoins the cluster after a failure, even if it was previously secondary.

74
MCQmedium

An admin is troubleshooting why a user's traffic is not being logged. The firewall policy has logging enabled at 'All Sessions'. The admin checks the traffic log and sees no entries for that user. The admin runs 'diagnose debug flow' and sees the traffic is matching the policy. What could be the issue?

A.The user's traffic is not traversing the FortiGate
B.The log queue is overflowing and logs are being dropped
C.The logging filter is set to only log 'emergency' severity
D.The log disk is full and cannot accept new logs
AnswerB

If the log rate exceeds the ability to write to disk, logs can be dropped. The admin should check 'diagnose log device status' and 'diagnose log test'.

Why this answer

If the traffic is matching the policy but not appearing in logs, the most common reason is that the log buffer is full or logs are being dropped due to high rate. Alternatively, the log device (e.g., disk) might be full or the log queue is overflowing. Another possibility is that the log severity filter is too restrictive, but by default traffic logs are logged at 'information' severity.

The scenario says logging is enabled, so the issue is likely log buffer overflow or disk full. Option B addresses the log queue overflowing and logs being dropped.

75
Multi-Selectmedium

In a FortiGate HA cluster, the administrator wants to reduce failover time when the primary unit fails. Which two adjustments can help achieve this? (Choose two.)

Select 2 answers
A.Decrease the 'set ha-heartbeat-interval' value
B.Increase the 'set session-pickup-delay' value
C.Enable 'set ha-arp-interval'
D.Decrease the 'set ha-failover-threshold' value
E.Increase the 'set ha-heartbeat-interval' value
AnswersA, D

A shorter interval means faster detection of heartbeat loss.

Why this answer

Options A and D are correct. Decreasing the heartbeat interval (how often heartbeats are sent) and decreasing the failover threshold (number of missed heartbeats before failover) both reduce the time to detect failure and trigger failover.
