CCNA Nse4 Ha Diagnostics Questions

70 of 145 questions · Page 2/2 · Nse4 Ha Diagnostics topic · Answers revealed

76 · MCQ · easy

Which FortiGate diagnostic command allows you to capture packets on an interface for troubleshooting network connectivity issues?

A. diagnose debug flow
B. diagnose sniffer packet
C. diagnose sys session list
D. diagnose test application
Answer: B

This is the packet capture command on FortiGate.

Why this answer

The 'diagnose sniffer packet' command captures packets in real-time on a specified interface, similar to tcpdump. It is the primary tool for packet-level troubleshooting.

77 · MCQ · medium

An administrator is troubleshooting a FortiGate HA cluster that is experiencing frequent failovers. The heartbeat interfaces are configured on port1 and port2. Which diagnostic command should the administrator use to check heartbeat packet loss?

A. diagnose sys ha status
B. get system ha status
C. diagnose sys ha heartbeat
D. diagnose sys session list
Answer: C

This command displays heartbeat statistics and can show packet loss.

Why this answer

The 'diagnose sys ha heartbeat' command shows heartbeat statistics, including packet loss, sequence numbers, and latency, which helps diagnose heartbeat issues.

78 · Multi-Select · hard

A FortiGate is configured in an A-P HA cluster. The administrator wants to ensure that session failover occurs for UDP-based voice traffic. Which TWO settings must be enabled?

Select 2 answers
A. Enable UDP session synchronization.
B. Set HA override to enabled.
C. Enable configuration synchronization.
D. Enable session pickup.
E. Set failover hold time to 1 second.
Answers: A, D

UDP sessions need explicit synchronization for failover.

Why this answer

Option A is correct because UDP session synchronization must be enabled to replicate UDP session state between HA cluster members, ensuring that active sessions for voice traffic (which typically uses UDP) are seamlessly taken over by the standby unit during a failover. Without this setting, UDP sessions are not synchronized by default, and voice calls would drop.

Exam trap

The trap here is that candidates often confuse configuration synchronization (which replicates config files) with session synchronization (which replicates dynamic session state), leading them to incorrectly select Option C instead of A.

79 · MCQ · medium

An administrator wants to view the current session table entries filtered by destination port 443. Which command should be used?

A. diagnose sys session filter dport 443; diagnose sys session list
B. execute session list dport 443
C. diagnose debug flow filter dport 443
D. diagnose sys session list dport 443
Answer: A

This is the correct sequence to filter and then list sessions.

Why this answer

The 'diagnose sys session filter' command sets filters, and 'diagnose sys session list' displays the filtered sessions.

80 · MCQ · easy

Which log severity level indicates that a device is unusable and requires immediate attention?

A. Error
B. Critical
C. Emergency
D. Alert
Answer: C

Emergency (level 0) indicates the system is unusable.

Why this answer

FortiGate log severity levels are: Emergency (0), Alert (1), Critical (2), Error (3), Warning (4), Notification (5), Information (6), Debug (7). Emergency is the highest severity, indicating the system is unusable.

81 · MCQ · medium

An organization wants to send FortiGate logs to a central log management system for long-term storage and compliance. Which FortiGate feature is specifically designed for collecting and analyzing logs from multiple FortiGate devices?

A. Disk logging
B. FortiGuard
C. FortiCloud
D. FortiAnalyzer
Answer: D

FortiAnalyzer is the dedicated log collector and analyzer for Fortinet devices.

Why this answer

FortiAnalyzer is the central log management and analysis platform for Fortinet devices. It aggregates logs, generates reports, and provides long-term storage.

82 · MCQ · medium

An administrator wants to ensure that log messages are categorized by severity and that only events with severity 'error' and above are sent to the syslog server. Which configuration should be used?

A. Set 'set severity critical' in syslog config
B. Set 'set severity error' in syslog config
C. Set 'set severity warning' in syslog config
D. Set 'set severity alert' in syslog config
Answer: B

Error sends events with severity error, critical, alert, and emergency.

Why this answer

Option B is correct. In syslog settings, 'set severity' defines the minimum severity level to send. Setting it to 'error' includes error, critical, alert, and emergency messages.

83 · MCQ · medium

A network admin receives an alert that the FortiGate disk logs are no longer being written. The admin checks the disk status and sees that the disk is full. However, the admin needs to preserve the logs for compliance purposes. Which action should the admin take to continue logging while preserving the existing logs?

A. Configure log upload to FortiAnalyzer and manually archive current logs, then clear the local disk
B. Increase the log disk quota to allow more logs
C. Delete all logs from the disk and restart logging
D. Compress the existing log files and set a higher compression level for future logs
Answer: A

Uploading existing logs to FortiAnalyzer preserves them off-device, then clearing the local disk frees space for continued logging. This is the proper workflow.

Why this answer

FortiGate allows log rotation and archiving. The admin can configure the log settings to compress old logs or move them to an external location (like FortiAnalyzer or FortiCloud). However, the immediate need is to free space on the disk.

The best practice is to archive existing logs to an external server and then clear the local disk, or enable automatic upload to FortiAnalyzer. Evaluating the options: Option A is the correct action because it preserves the logs by uploading them to FortiAnalyzer and then clears the disk so logging can continue.

84 · MCQ · hard

A FortiGate administrator runs 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and sees the following output for a session: src=10.0.1.10 dst=192.168.2.20 sport=12345 dport=443 proto=6 vrf=0 What does the 'proto=6' indicate about this session?

A. The session is using UDP
B. The session is using ESP
C. The session is using TCP
D. The session is using ICMP
Answer: C

Protocol number 6 is TCP.

Why this answer

Option C is correct. Protocol number 6 is TCP. The session is a TCP session to port 443 (HTTPS).

85 · MCQ · medium

A FortiGate administrator notices that the HA cluster is frequently failing over even though no hardware failure has occurred. The heartbeat link shows some packet loss. What is the best action to reduce unnecessary failovers?

A. Lower the heartbeat interval
B. Change HA mode to active-active
C. Increase the failover threshold
D. Disable session synchronization
Answer: C

A higher threshold requires more missed heartbeats to trigger failover, reducing sensitivity to transient packet loss.

Why this answer

Option C is correct. Increasing the failover threshold (the number of missed heartbeats before triggering failover) makes the cluster more tolerant of temporary heartbeat loss, reducing false failovers.

86 · Multi-Select · easy

A FortiGate administrator wants to send logs to both a local disk and a remote FortiCloud account. Which two conditions must be met for this to work? (Choose two.)

Select 2 answers
A. The FortiGate must be configured to log to both destinations simultaneously
B. The FortiGate must have a valid FortiCloud subscription
C. The FortiGate must be in NAT mode
D. The FortiGate must have a hard disk or SSD installed
E. The FortiGate must have a policy to allow outbound traffic to FortiCloud
Answers: B, D

FortiCloud logging requires a valid subscription.

Why this answer

The FortiGate must have local storage (disk) to store logs locally. It also must have connectivity to FortiCloud servers, and logging to FortiCloud must be enabled. The local disk logging is a separate configuration.

87 · MCQ · easy

Which of the following FortiGate log types records information about user authentication and administrative access?

A. Event logs
B. Traffic logs
C. System logs
D. Security logs
Answer: A

Event logs include authentication and admin access events.

Why this answer

Option A is correct. Event logs record system events such as user authentication, admin logins, and configuration changes.

88 · Multi-Select · hard

An administrator is troubleshooting an issue where users cannot access an internal web server via the internet through a FortiGate. The FortiGate has a virtual IP (VIP) configured for the web server. The administrator runs 'diagnose debug flow filter daddr <public-ip>' and 'diagnose debug flow trace start 100'. The output shows 'msg: forward to x.x.x.x via intf port2' but then 'msg: policy deny'. Which TWO actions should the administrator take to resolve the issue? (Choose two.)

Select 2 answers
A. Ensure that a static route exists to the internet via the WAN interface
B. Check if the public DNS resolution for the domain is correct
C. Confirm that the firewall policy's destination is set to the internal web server's IP address (or the VIP's mapped IP)
D. Verify that the firewall policy allowing the traffic has the correct source interface (WAN)
E. Recreate the virtual IP object with a different port
Answers: C, D

After DNAT, the destination IP changes to the internal server. The firewall policy must allow traffic to that internal IP. If the policy's destination is set to the VIP's public IP, it may not match post-DNAT. The correct approach is to set the destination to the mapped IP address.

Why this answer

The debug shows that traffic is being forwarded to the internal server (via port2) but then denied by policy. This means the traffic is matching the VIP and being DNATed, but the firewall policy that should allow the traffic is either missing, disabled, or configured incorrectly. The administrator should check the firewall policy that handles the traffic after DNAT.

Common issues: the policy's source interface is not the incoming interface (it should be the WAN interface), or the policy's destination is not the internal server's IP (it should be the VIP's mapped IP or the VIP object itself). Options C and D are correct: ensure the policy has the correct source interface (WAN) and that the destination is set to the VIP's mapped IP (or the VIP itself). Option B is wrong because the issue is not DNS.

Option A is wrong because adding a route to the internet won't help. Option E is wrong because the VIP is already configured.

89 · Multi-Select · medium

An administrator needs to configure HA on a pair of FortiGates with the following requirements: the cluster must support session failover for TCP, UDP, and ICMP; the management interface should be accessible on both units; and the failover must be triggered if port2 goes down. Which TWO settings must be configured? (Choose two.)

Select 2 answers
A. Enable session pickup
B. Configure a dedicated management interface
C. Add port2 to the monitored interfaces
D. Set the HA mode to active-passive
E. Set the HA override to enabled
Answers: A, C

Session pickup allows synchronization of sessions across protocols.

Why this answer

To support TCP, UDP, and ICMP session failover, the session pickup feature must be enabled. To trigger failover on interface failure, the monitor interface must include port2.

90 · MCQ · medium

In an active-active HA cluster, session synchronization is enabled. What is the primary purpose of session synchronization in this mode?

A. To synchronize firewall policies between cluster members
B. To load balance traffic across the cluster
C. To reduce the number of sessions on each unit
D. To ensure that sessions are not lost if a cluster unit fails
Answer: D

Session synchronization copies session information to other units so that if one fails, the session can continue on another unit.

Why this answer

In active-active HA, traffic is distributed across all cluster units. Session synchronization ensures that if a unit fails, other units have the session information to continue processing without interruption. This maintains transparent failover.

91 · Multi-Select · hard

A FortiGate administrator is configuring ZTNA (Zero Trust Network Access) to secure access to an internal application. Which two components must be configured to create a ZTNA rule? (Choose two.)

Select 2 answers
A. ZTNA tag
B. ZTNA gateway
C. VPN tunnel
D. ZTNA application
E. SSL certificate
Answers: B, D

The gateway is the FortiGate component that terminates ZTNA connections.

Why this answer

Options B and D are correct. ZTNA rules require a ZTNA gateway (the FortiGate acting as proxy) and a ZTNA application (the internal resource). The rule maps external access to the internal application via the gateway.

92 · MCQ · easy

Which FortiGate log severity level indicates that a system is unusable and requires immediate attention?

A. Error
B. Critical
C. Emergency
D. Alert
Answer: C

Emergency (severity 0) indicates the system is unusable.

Why this answer

Emergency is the highest severity level in syslog/FortiGate, indicating a system is unusable. Critical indicates critical conditions but not necessarily unusable.

93 · MCQ · medium

An administrator wants to view the current session table on a FortiGate. Which command should they use?

A. diagnose debug flow
B. show full-configuration
C. diagnose sys session list
D. get system performance statistics
Answer: C

This command lists all active sessions.

Why this answer

Option C is correct. 'diagnose sys session list' displays the current session table, showing all active sessions.

94 · MCQ · easy

Which FortiGate log type records user authentication events, such as successful logins and failed login attempts?

A. ZTNA logs
B. Event logs
C. Traffic logs
D. Security logs
Answer: B

Event logs record administrative and system events.

Why this answer

Event logs include audit events like authentication successes and failures.

95 · MCQ · easy

Which FortiGate feature allows administrators to verify if a specific IP address is being blocked by a security policy?

A. diagnose sys session list
B. get system ha status
C. diagnose debug flow
D. diagnose sniffer packet
Answer: C

Debug flow shows policy matches and actions for a given flow.

Why this answer

Option C is correct. 'diagnose debug flow' can trace a packet from a specific source IP and show whether it is allowed or denied by a firewall policy.

96 · Multi-Select · hard

A FortiGate administrator is troubleshooting why traffic from a specific source IP is not being logged. The traffic is allowed by a firewall policy with logging enabled. Which TWO commands could the administrator use to verify if the traffic is hitting the expected policy? (Choose two.)

Select 2 answers
A. get system performance status
B. diagnose debug flow
C. diagnose sniffer packet any 'host 10.0.0.1'
D. diagnose sys session filter src 10.0.0.1
E. diagnose debug application fnbamd
Answers: B, D

Shows policy matching in real-time.

Why this answer

Diagnose debug flow traces traffic through the policy lookup. Diagnose sys session filter can show active sessions for that source IP. Sniffer packet captures packets but doesn't directly show policy match.

97 · MCQ · medium

In a FortiGate HA cluster, the administrator needs to perform a firmware upgrade without causing a full service outage. Which procedure should be followed?

A. Upgrade the primary unit first, then the secondary unit
B. Upgrade the secondary unit first, then perform a failover, then upgrade the primary unit
C. Disable HA and upgrade each unit separately
D. Upgrade both units simultaneously
Answer: B

This ensures one unit is always handling traffic during the upgrade process.

Why this answer

Option B is correct. The recommended procedure to upgrade with minimal downtime is to upgrade the secondary unit first, then force a failover to make it primary, and then upgrade the former primary unit.

98 · MCQ · easy

A FortiGate administrator needs to capture packets on interface port2 for 10 seconds to diagnose a connectivity issue. Which command should the administrator use?

A. diagnose sys session list port2 10
B. diagnose sniffer packet port2 '' 4 10
C. diagnose debug flow port2 10
D. execute sniffer port2 10
Answer: B

This command captures packets on port2 with level 4 (full hex dump) for 10 seconds.

Why this answer

The 'diagnose sniffer packet' command is used to capture packets on a FortiGate. The syntax 'diagnose sniffer packet any "" 4 10' captures on all interfaces for 10 seconds with verbose output.

99 · MCQ · medium

A FortiGate admin runs 'diagnose sys session filter dport 443' and then 'diagnose sys session list'. The output shows a session with 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A. The session is in a half-open state, waiting for SYN-ACK
B. The session is closing with a FIN flag
C. The session is fully established and transferring data
D. The session was blocked by a firewall policy
Answer: A

proto_state=01 corresponds to SYN_SENT. This indicates the client sent a SYN but has not received a SYN-ACK, so the session is stuck in a half-open state.

Why this answer

Protocol 6 is TCP, and proto_state=01 indicates the TCP SYN_SENT state (the first step of the three-way handshake). Duration and expire are in seconds. The session has been open for 3600 seconds (1 hour) and will expire in 3599 seconds, which is unusual for a TCP session that should have completed its handshake quickly.

This suggests the session is stuck in SYN_SENT, likely due to no SYN-ACK response.

100 · MCQ · medium

A FortiGate administrator is troubleshooting an issue where internal users cannot access a public web server. The administrator runs 'diagnose debug flow' and sees the output shows 'forward to port2' but then 'no route to host'. What is the most likely cause?

A. The source IP is not in the routing table
B. The interface port2 is down
C. The FortiGate does not have a route to the destination IP
D. The destination port is blocked by a firewall policy
Answer: C

The debug output clearly shows 'no route to host', meaning the destination is not reachable via any route.

Why this answer

Option C is correct. 'No route to host' indicates that the FortiGate does not have a route to the destination IP in the routing table. The packet is being forwarded to the correct interface (port2) but then cannot be routed further.

101 · MCQ · medium

A FortiGate administrator configures a ZTNA rule to protect an internal web server. The rule uses an access proxy. Which component on the FortiGate terminates the incoming ZTNA connection?

A. ZTNA tag
B. SSL inspection profile
C. ZTNA application
D. ZTNA gateway
Answer: D

The gateway handles termination and proxying.

Why this answer

Option D is correct. The ZTNA gateway is the FortiGate component that terminates the incoming TLS connection from the client and proxies the request to the internal server.

102 · MCQ · medium

A FortiGate cluster is configured in active-passive HA. The administrator wants to manage the cluster using a single IP address that always points to the current primary unit. Which configuration should be applied?

A. Configure a virtual IP (VIP) for HTTPS management
B. Set the HA management IP as a dedicated interface IP on each unit
C. Enable 'management IP' under HA configuration with the desired IP
D. Use the same IP address on both units and disable ARP
Answer: C

The HA management IP is a floating IP that follows the primary unit.

Why this answer

The management interface in HA can have a virtual IP that follows the primary unit, accessible via the floating (virtual) management IP.

103 · MCQ · easy

A FortiGate administrator wants to see real-time debugging output for traffic matching a specific source IP address. Which command sequence would achieve this?

A. diagnose sys session filter src 10.0.1.10 ; diagnose sys session list
B. diagnose debug flow filter src 10.0.1.10 ; diagnose debug flow show function-name ; diagnose debug enable
C. diagnose sniffer packet any 'host 10.0.1.10' 4
D. diagnose debug reset ; diagnose debug enable ; diagnose debug flow show iprope
Answer: B

This sequence sets the filter, enables flow debug, and turns on debugging.

Why this answer

Option B is correct because the 'diagnose debug flow' command sequence is specifically designed for real-time debugging of traffic flows, allowing filtering by source IP with the 'filter src' option. Enabling debug output with 'diagnose debug enable' then shows flow trace information for packets matching the filter, which is the standard method for live traffic debugging on FortiGate.

Exam trap

The trap here is confusing packet sniffing (Option C) with flow debugging (Option B), as both can show traffic for a specific IP, but only debug flow reveals the firewall's internal processing decisions (e.g., policy ID, NAT action) in real time, which is essential for diagnosing policy-related issues.

How to eliminate wrong answers

Option A is wrong because 'diagnose sys session list' shows current session table entries, not real-time debugging output; it provides a static snapshot, not a live trace. Option C is wrong because 'diagnose sniffer packet' captures raw packets but does not provide the flow-level debugging details (e.g., firewall policy decisions, NAT translations) that 'debug flow' offers; it is a packet capture tool, not a flow debugger. Option D is wrong because the command sequence is incomplete and incorrect: 'diagnose debug reset' clears all debug settings, 'diagnose debug enable' enables debug without a filter, and 'diagnose debug flow show iprope' is not a valid command (the correct command is 'diagnose debug flow show function-name' or 'diagnose debug flow show ip-address'); this sequence would either produce no output or show unfiltered debug data.

104 · MCQ · medium

A FortiGate is configured with an active-passive HA cluster. The admin notices that when the primary unit fails, the secondary takes over, but after the primary recovers, it does not automatically become active again. What is the most likely reason?

A. The primary has a lower priority than the secondary
B. Override is not enabled
C. Session pickup is disabled
D. The heartbeat interface is down
Answer: B

Override must be enabled to allow a higher-priority unit to preempt the current primary.

Why this answer

By default, HA does not preempt. The 'override' setting is disabled. When the primary recovers, it does not force a failback because the cluster is non-preemptive.

The admin must enable override if they want automatic failback.

105 · MCQ · hard

A company has two remote sites connected via an SD-WAN overlay. The headquarters uses a FortiGate with two WAN links: Fiber (priority 1) and LTE (priority 2). The SD-WAN rule for business-critical traffic uses the 'best quality' strategy with SLA targets for latency and jitter. The fiber link occasionally experiences high jitter but low latency. The engineer notices that traffic is not failing over to LTE even when jitter exceeds the threshold. What is the most likely reason?

A.The performance SLA for jitter is not configured, only latency.
B.The SD-WAN rule has SLA match set to 'either' instead of 'all'.
C.The LTE link has a higher cost and is not considered for failover.
D.The fiber link has a higher interface weight.
AnswerA

Correct; only configured SLA targets are measured for failover.

Why this answer

Option A is correct because the SD-WAN rule uses the 'best quality' strategy, which selects the best link based on configured SLA metrics. If only latency is configured in the performance SLA, jitter exceeding the threshold will not trigger a failover, as the SLA only evaluates the configured metrics. The fiber link may still meet the latency SLA, so traffic remains on it despite high jitter.

Exam trap

The trap here is that candidates assume jitter is automatically monitored in SD-WAN SLA, but FortiGate requires explicit configuration of each metric (latency, jitter, packet loss) in the performance SLA; otherwise, unconfigured metrics are ignored for failover decisions.

How to eliminate wrong answers

Option B is wrong because the 'either' vs 'all' setting in SLA match determines whether any or all configured SLA targets must be met for the link to be considered compliant; it does not prevent failover when jitter exceeds the threshold if jitter is not configured. Option C is wrong because SD-WAN failover decisions are based on SLA compliance and strategy, not link cost; cost influences route selection in routing protocols but not SD-WAN rule failover. Option D is wrong because interface weight affects load-balancing ratios in strategies like 'lowest cost' or 'maximize bandwidth', not failover decisions in 'best quality' strategy.

106 · MCQ · hard

An administrator configures a FortiGate to use FortiGuard for web filtering. However, some users report that certain categories are not being blocked as configured. The administrator checks the FortiGuard subscription status and it is valid. What is the most likely cause?

A. The users are bypassing the FortiGate
B. The FortiGuard subscription has expired
C. The FortiGate cannot reach the FortiGuard distribution servers
D. The web filter profile is not applied to the firewall policy
Answer: C

If connectivity is lost, the FortiGate uses its local cache, which may be outdated, causing incorrect filtering.

Why this answer

Even with a valid subscription, if the FortiGate cannot reach the FortiGuard distribution servers (e.g., due to firewall policies or routing), it will use the local cache. If the cache is outdated or incomplete, filtering may not work as expected.

107 · MCQ · easy

An administrator wants to view real-time debug output for traffic flowing through a FortiGate. Which command should they use to enable flow tracing with a specific source IP filter?

A. diagnose debug enable
B. diagnose debug flow filter src
C. diagnose sys session filter src
D. diagnose sniffer packet filter src
Answer: B

This sets a source IP filter for debug flow tracing.

Why this answer

Option B is correct. 'diagnose debug flow' with 'filter src' sets a source IP filter for flow debugging.

108 · MCQ · hard

An administrator is troubleshooting a slow web application. The admin suspects that the FortiGate's session table might be full, causing new sessions to be dropped. Which command should the admin use to check the current session table utilization?

A. get system performance status
B. diagnose sys session list
C. diagnose sys session stat
D. diagnose sys session filter
Answer: C

This shows session statistics including count, max, and utilization percentage.

Why this answer

The 'diagnose sys session stat' command displays statistics about the session table, including the number of current sessions and the maximum allowed. This helps determine if the session table is near capacity.

109 · MCQ · medium

In an active-passive HA cluster, the administrator wants to ensure that new connections are load-balanced across both units only for specific services while maintaining failover capability. Which configuration should be applied?

A. Set 'set ha-priority' to 100 on both units
B. Change HA mode to active-active
C. Configure virtual IPs for each service
D. Enable 'set load-balance-schedule' on the HA interface
Answer: D

This setting allows selective load balancing of new connections while keeping active-passive for existing sessions.

Why this answer

Option D is correct. Load balancing in HA is achieved by enabling 'load-balance-schedule' on the HA interface. This allows distributing new sessions across cluster units while retaining active-passive failover behavior.

110 · MCQ · medium

A FortiGate HA cluster is operating in active-passive mode. The active unit fails over to the passive unit. After the failover, some existing TCP sessions are dropped. What is the MOST likely cause?

A. The HA heartbeat interface has a high latency
B. The failover time is too slow, causing TCP timeouts
C. Session synchronization is not enabled or not working properly
D. The TCP sessions are using NAT, which cannot be synchronized
Answer: C

Active-passive HA relies on session sync to maintain state after failover. Without it, sessions are dropped.

Why this answer

TCP sessions require session synchronization to survive failover. If session sync is not configured or not functioning, sessions are lost.

111 · MCQ · easy

Which FortiGuard subscription service is required for URL filtering and web categorization?

A. FortiGuard IPS
B. FortiGuard Application Control
C. FortiGuard Web Filtering
D. FortiGuard Antivirus
Answer: C

Web Filtering provides URL categorization.

Why this answer

FortiGuard Web Filtering provides URL categorization and filtering capabilities.

112 · Matching · medium

Match each FortiGate routing concept to its definition.

Matches

Manually configured path to a destination network

Link-state routing protocol for internal networks

Path-vector routing protocol for internet and WAN

Routes traffic based on source/destination or service

Load-balances traffic across multiple routes with same cost

Why these pairings

Routing methods used in FortiGate.

113 · MCQ · medium

An administrator notices that traffic matching a firewall policy is not being logged. The policy has logging enabled. The FortiGate has local disk storage. What should the administrator check first?

A. Whether the FortiGate has a valid FortiAnalyzer subscription
B. Whether FortiCloud logging is enabled
C. The disk health and available space using 'diagnose sys disk' commands
D. The log severity level on the policy
Answer: C

Disk issues can prevent logging; checking disk status is the first step.

Why this answer

Logging to disk requires the disk to be operational; if it's full or faulty, logs may not be written.

114 · MCQ · medium

An administrator is troubleshooting a policy that should allow HTTP traffic but it is being blocked. They run 'diagnose debug flow' and see the output ends with 'msg=deny by forward policy check'. What is the most likely cause?

A. The policy is configured with action DENY
B. The routing table is missing a default route
C. The session table is full
D. The HTTP traffic is not matching any policy
Answer: A

The debug flow output clearly states the packet was denied by a forward policy check, meaning a policy matched and denied it.

Why this answer

The message indicates the packet was denied by a firewall policy, meaning there is no matching policy or the matching policy has action DENY.

115 · Multi-Select · medium

A FortiGate HA cluster in active-passive mode is experiencing unexpected failovers. The administrator suspects the heartbeat link is unreliable. Which TWO actions would help diagnose the heartbeat link issue? (Select two.)

Select 2 answers
A. Disable session synchronization
B. Configure a dedicated heartbeat interface
C. Increase the HA hello timer
D. Ping the heartbeat interface IP from the peer unit
E. Enable 'diagnose debug ha heartbeat'
Answers: D, E

This tests basic connectivity.

Why this answer

Pinging the heartbeat interface IP checks connectivity; enabling debug HA heartbeat provides detailed heartbeat status.

116 · MCQ · hard

A FortiGate administrator runs 'diagnose debug flow' with a filter for a specific source IP. The output shows 'no policy matched' for the traffic. The administrator verifies that a firewall policy exists with that source IP. What is the most likely reason for the 'no policy matched' message?

A. The firewall policy is disabled
B. The debug flow filter is not configured correctly
C. The source IP is not in the routing table
D. The traffic is being blocked by an implicit deny or a different policy before reaching the expected policy
Answer: D

In FortiGate, the first matching policy is applied. If an earlier policy denies the traffic, debug flow shows 'no policy matched' from the perspective of the correct policy, but actually a preceding policy matched.

Why this answer

Option D is correct. Debug flow may show 'no policy matched' when traffic hits an implicit deny before reaching the explicit policy, e.g., due to inter-VDOM routing or policy order where an earlier policy with a broader match blocks it.

117
Multi-Selecteasy

Which TWO of the following are valid methods to view real-time debug output on a FortiGate? (Choose two.)

Select 2 answers
A.diagnose sniffer packet
B.diagnose debug enable
C.diagnose sys session list
D.execute tail log
E.diagnose debug flow
AnswersA, E

Captures packets in real-time.

Why this answer

Diagnose debug flow and diagnose sniffer packet are real-time debug commands. Execute tail log is not a standard command.

118
Multi-Selectmedium

A FortiGate administrator is investigating a performance issue and suspects that a large number of incomplete TCP connections are consuming session table resources. Which TWO commands would help identify such sessions? (Choose two.)

Select 2 answers
A.diagnose debug flow filter dport 80 ; diagnose debug enable
B.diagnose sys session stat
C.diagnose sniffer packet any 'tcp' 4
D.diagnose sys session filter state syn-sent ; diagnose sys session list
E.diagnose sys session filter proto 6 ; diagnose sys session list
AnswersB, D

Shows counts of sessions by state, including incomplete states.

Why this answer

Diagnose sys session list with filter can show sessions by state. Diagnose sys session stat shows counts by state. The sniffer shows packets, not session state; debug flow is for tracing specific streams.

119
MCQmedium

An administrator is troubleshooting a firewall policy that should apply application control. The application control profile is configured but traffic is not being inspected. The administrator runs 'diagnose debug flow' and sees that the traffic is hitting the correct policy. What could be the issue?

A.The FortiGate has not downloaded the latest application signatures
B.The firewall policy inspection mode is set to proxy-based
C.The traffic is using encryption that prevents inspection
D.The application control profile is not enabled on the policy
AnswerB

Application control requires flow-based inspection mode.

Why this answer

Application control requires flow-based inspection; if the policy is set to proxy-based, application control may not work.

120
MCQeasy

An administrator needs to send logs from a FortiGate to a remote FortiAnalyzer for centralized log storage and analysis. Which configuration step is required on the FortiGate?

A.Configure a firewall policy allowing traffic from FortiGate to FortiAnalyzer on port 514
B.Set the FortiAnalyzer as the log destination in Log Settings
C.Create a log forwarding rule to forward all logs to the FortiAnalyzer
D.Install a FortiGate connector on the FortiAnalyzer
AnswerB

The administrator must enter the FortiAnalyzer IP address and enable logging to FortiAnalyzer under System > Settings or via CLI.

Why this answer

To send logs to FortiAnalyzer, the administrator must configure the FortiAnalyzer as a remote log destination under Log Settings. This is done via 'config log fortianalyzer setting' and specifying the server IP and other parameters.

121
MCQhard

An administrator executes 'diagnose debug flow' for a specific session and sees the output: 'id=20085 trace_id=10 func=print_pkt_detail line=5567 msg="vd-root:0 received packet via port1".' Later, the trace shows 'msg="Deny by policy"'. What is the most likely next step the administrator should take?

A.Check the routing table for the destination
B.Review the firewall policies that apply to the traffic and modify as needed
C.Restart the FortiGate to clear session table
D.Enable session helper for the protocol
AnswerB

The debug clearly states 'Deny by policy', so the solution is to adjust policy.

Why this answer

The debug flow indicates the packet is denied by a firewall policy. The admin should identify which policy is blocking it and adjust accordingly.

122
MCQeasy

A FortiGate administrator receives an alert that the FortiGuard antivirus database on the firewall is outdated. Which subscription service must be active to update the antivirus signatures?

A.FortiGuard IPS Service
B.FortiGuard Application Control Service
C.FortiGuard Antivirus Service
D.FortiGuard Web Filtering Service
AnswerC

This service provides antivirus signature updates.

Why this answer

Option C is correct. The FortiGuard Antivirus Service (AV) provides signature updates for antivirus scanning. Without a valid subscription, updates fail.

123
MCQmedium

A FortiGate administrator needs to forward logs to a FortiAnalyzer for centralized management. The FortiAnalyzer is reachable at 10.0.1.100. Which configuration step is required on the FortiGate to send logs to this FortiAnalyzer?

A.Configure a syslog server under Log Setting
B.Add a firewall policy allowing traffic from FortiGate to FortiAnalyzer
C.Configure the FortiAnalyzer in System > FortiAnalyzer
D.Enable logging to FortiCloud instead
AnswerC

The FortiAnalyzer must be configured under System > FortiAnalyzer or via CLI under 'config log fortianalyzer setting'.

Why this answer

To send logs to FortiAnalyzer, the administrator must configure the FortiAnalyzer server under System > FortiAnalyzer or via CLI under 'config log fortianalyzer setting' ('set status enable', 'set server 10.0.1.100', 'end'). Logging is self-originated traffic, so no firewall policy is required, and log forwarding rules are a FortiAnalyzer-side feature, not something configured on the FortiGate for this.

124
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A.The session is using UDP protocol
B.The session has expired and is being removed
C.The session is in the TCP SYN sent state, not yet fully established
D.The session has completed the three-way handshake and is established
AnswerD

proto=6 is TCP and the last digit of proto_state gives the TCP state: 1 is ESTABLISHED (2 would be SYN_SENT, 3 SYN_RECV). duration=3600 with expire=3599 also fits an established session: the default idle timeout for established TCP sessions is 3600 seconds and the countdown was refreshed a second ago.

Why this answer

The output shows a TCP session (proto=6) whose proto_state ends in 1, the ESTABLISHED state, so the three-way handshake has completed. Option C is the trap: a half-open session shows proto_state=02 (SYN_SENT) with a short expire countdown, not 3599. Option B is wrong because expire is the remaining idle time before the entry is removed; 3599 seconds left means the session is nowhere near expiry.
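As an added example (not part of the original page and not Fortinet's code), the following Python script parses 'diagnose sys session list' output the way questions 118 and 124 require: it decodes proto_state (the last digit of which carries the TCP state, 01 = ESTABLISHED, 02 = SYN_SENT, 03 = SYN_RECV), tallies sessions by state, and lists the half-open TCP entries that consume session table space. The sample output embedded in the script is constructed and abbreviated; the addresses, policy IDs and timers are illustrative.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# TCP (proto=6) state encoded in the last digit of proto_state.
TCP_STATES = {
    "0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_RECV",
    "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
    "8": "LAST_ACK", "9": "LISTEN",
}
INCOMPLETE = {"SYN_SENT", "SYN_RECV"}   # handshake not finished (half-open)

KV_RE = re.compile(r"(\w+)=(\S+)")
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")
ORG_FLOW_RE = re.compile(r"dir=org act=\S+ (\S+)")   # originating 5-tuple on the hook line


@dataclass
class Session:
    proto: int
    proto_state: str
    duration: int
    expire: int           # seconds of idle time left before the entry is removed
    timeout: int
    policy_id: Optional[int]
    flow: Optional[str]   # "src:port->dst:port" of the originating direction

    @property
    def state(self) -> str:
        last = self.proto_state[-1]
        if self.proto == 6:
            return TCP_STATES.get(last, "UNKNOWN")
        if self.proto == 17:
            return "UDP_REPLY_SEEN" if last == "1" else "UDP_NO_REPLY"
        return "OTHER"

    @property
    def incomplete(self) -> bool:
        return self.state in INCOMPLETE


def parse_session_list(text: str) -> list[Session]:
    """Split 'diagnose sys session list' output into one Session per entry."""
    sessions = []
    for block in text.split("session info:")[1:]:
        lines = block.strip().splitlines()
        kv = dict(KV_RE.findall(lines[0]))       # proto=, proto_state=, duration=, expire=, ...
        pol = POLICY_RE.search(block)
        flow = ORG_FLOW_RE.search(block)
        sessions.append(Session(
            proto=int(kv["proto"]),
            proto_state=kv["proto_state"],
            duration=int(kv["duration"]),
            expire=int(kv["expire"]),
            timeout=int(kv["timeout"]),
            policy_id=int(pol.group(1)) if pol else None,
            flow=flow.group(1).split("(")[0] if flow else None,   # drop the NAT-ed tuple in ()
        ))
    return sessions


def state_counts(sessions: list[Session]) -> Counter:
    """Tally by decoded state, the per-state view that 'diagnose sys session stat' summarizes."""
    return Counter(s.state for s in sessions)


def incomplete_sessions(sessions: list[Session]) -> list[Session]:
    """TCP entries still waiting for the handshake to complete."""
    return [s for s in sessions if s.incomplete]


# Constructed sample output (abbreviated); addresses and IDs are illustrative.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 use=3
state=log may_dirty
hook=post dir=org act=snat 192.168.1.10:51234->203.0.113.10:443(10.0.1.2:51234)
hook=pre dir=reply act=dnat 203.0.113.10:443->10.0.1.2:51234(192.168.1.10:51234)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=02 duration=8 expire=2 timeout=10 flags=00000000 use=2
hook=post dir=org act=snat 192.168.1.20:40001->203.0.113.20:80(10.0.1.2:40001)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=03 duration=3 expire=7 timeout=10 flags=00000000 use=2
hook=post dir=org act=snat 192.168.1.21:40002->203.0.113.20:80(10.0.1.2:40002)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=01 duration=12 expire=168 timeout=180 flags=00000000 use=2
hook=post dir=org act=snat 192.168.1.10:53001->10.0.1.53:53(10.0.1.2:53001)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
total session 4
"""

if __name__ == "__main__":
    sessions = parse_session_list(SAMPLE)
    print(dict(state_counts(sessions)))
    for s in incomplete_sessions(sessions):
        print(f"half-open {s.flow}: {s.state}, {s.expire}s left of {s.timeout}s (policy {s.policy_id})")
```

On a real unit, narrow the list first ('diagnose sys session filter proto 6', then 'diagnose sys session list') and feed the saved output to parse_session_list; a large count of SYN_SENT or SYN_RECV entries from many sources against one port is the signature of a SYN flood or an unreachable backend rather than ordinary load.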

125
MCQhard

A FortiGate HA cluster is experiencing frequent failovers. The administrator checks the HA event log and sees repeated 'Heartbeat loss' messages. The heartbeat interfaces are connected directly via a crossover cable. What is the MOST likely cause?

A.The session pickup option is enabled
B.The HA uptime monitor is enabled and tracking a failed interface
C.The HA override setting is disabled
D.The heartbeat interface has a duplex mismatch
AnswerD

A duplex mismatch can cause packet loss on the heartbeat link, leading to intermittent heartbeat loss and frequent failovers.

Why this answer

With directly connected heartbeat interfaces there is no intermediate switch to lose packets, so repeated heartbeat loss points at the link itself: a speed or duplex mismatch, a bad cable, or heartbeat timers (hb-interval, hb-lost-threshold) set too aggressively for the link.

126
MCQmedium

A FortiGate HA cluster is configured in active-passive mode with two units. The primary unit fails. The secondary unit takes over, but some established TCP sessions are dropped. What is the most likely cause?

A.Session synchronization is not enabled
B.The HA failover threshold is set too high
C.The HA mode is active-passive
D.The heartbeat interface is down
AnswerA

Without session sync, the backup unit has no session table, so TCP sessions are lost on failover.

Why this answer

Option A is correct because session synchronization (session pickup) must be enabled for sessions to be preserved during failover. Without it, the backup unit has no knowledge of existing sessions and drops them.

127
MCQmedium

Which type of log records information about firewall policy matches, such as allowed or denied traffic?

A.Security logs
B.Event logs
C.Traffic logs
D.Audit logs
AnswerC

Traffic logs show policy hits and traffic statistics.

Why this answer

Traffic logs record information about sessions matching firewall policies.

128
MCQmedium

A FortiGate administrator wants to configure Zero Trust Network Access (ZTNA) to secure access to an internal application. What is required on the FortiGate?

A.A FortiClient EMS subscription
B.A VPN tunnel to the application
C.A ZTNA server and a ZTNA rule
D.A firewall policy with SSL inspection enabled
AnswerC

ZTNA requires configuration of a ZTNA server (application) and a ZTNA rule (access proxy).

Why this answer

ZTNA requires a ZTNA gateway on the FortiGate to proxy and verify access.

129
MCQhard

Refer to the exhibit. An administrator has configured HA on two FortiGate units. During a failover test, the secondary unit does not take over when the primary fails. What is the most likely cause?

A.Session pickup is enabled but session-pickup-connectionless is also enabled, causing conflict.
B.Override is disabled, so the secondary cannot become primary.
C.The priority on the secondary is set to a higher value than the primary.
D.The heartbeat interface (port3) is down on the secondary unit.
AnswerD

Correct; heartbeat interface must be up for cluster communication.

Why this answer

In an HA cluster, the heartbeat interface is critical for communication between primary and secondary units. If the heartbeat interface (port3) is down on the secondary unit, it cannot receive or send HA heartbeat packets, so the secondary will not detect the primary's failure or negotiate a takeover. This directly prevents the secondary from assuming the primary role, making D the correct answer.

Exam trap

The trap here is that candidates often focus on priority or override settings as the cause of failover failure, but the real issue is usually a broken heartbeat link, which is a fundamental prerequisite for HA operation.

How to eliminate wrong answers

Option A is wrong because session pickup and session-pickup-connectionless are complementary features; enabling both does not cause a conflict that would prevent failover—session pickup is for TCP sessions, and session-pickup-connectionless extends it to UDP/other protocols. Option B is wrong because override controls whether a higher-priority unit can preempt the current primary; it does not affect the ability of a secondary to take over during a failover when the primary fails. Option C is wrong because a higher priority value on the secondary (e.g., 200 vs. 100) actually makes it more likely to become primary, not less; the issue is that the secondary cannot take over at all, which points to a connectivity or configuration problem, not priority.

130
Multi-Selecthard

A FortiGate administrator needs to configure an active-passive HA cluster to ensure that management access is available via a dedicated IP address that moves with the active unit. Which THREE configuration steps are required? (Choose three.)

Select 3 answers
A.Set the management interface under config system ha -> set ha-mgmt-status enable and assign an IP
B.Configure the management interface as part of the 'ha-mgmt-interface' under config system ha
C.Configure a dedicated heartbeat interface
D.Ensure the management interface is included in the HA synchronization by adding it to 'ha-mgmt-interface'
E.Assign a virtual MAC address to the management interface
AnswersA, B, D

This enables the floating management IP on the designated interface.

Why this answer

To provide a floating management IP, the admin must set a dedicated management interface (which can be a physical interface or VLAN), assign an IP to that interface in the HA configuration, and ensure the interface is part of the HA managed interfaces so it synchronizes.

131
MCQhard

Refer to the exhibit. The HA cluster has been operational for 5 days. The primary unit suddenly loses power. Which of the following will happen?

A.The secondary unit will become primary, but all existing sessions will be dropped.
B.The cluster will remain without a primary until the original unit is restored.
C.The secondary unit will become primary and maintain only TCP sessions.
D.The secondary unit will become primary and maintain existing UDP sessions.
AnswerD

Session pickup and session-pickup-connectionless are enabled, so UDP sessions are preserved.

Why this answer

With session pickup enabled, established TCP sessions are synchronized to the secondary unit; with session-pickup-connectionless also enabled (as in the exhibit), UDP and ICMP sessions are synchronized as well. When the primary loses power the secondary detects the lost heartbeat, becomes primary and keeps serving the synchronized sessions, so existing UDP sessions survive the failover. Neither option is enabled by default: a cluster left at defaults drops all sessions on failover.

Exam trap

The trap here is assuming that sessions are synchronized by default. Session pickup is disabled by default, and even when enabled it covers TCP only; UDP needs session-pickup-connectionless in addition. Check the exhibit for both settings before deciding which sessions survive.

How to eliminate wrong answers

Option A is wrong because session pickup is enabled in the exhibit, so synchronized sessions are kept, not dropped. Option B is wrong because the secondary detects the missing heartbeats and becomes primary; the cluster does not wait for the original unit to return. Option C is wrong because session-pickup-connectionless is also enabled, so UDP sessions are preserved alongside TCP; 'only TCP' understates what survives.

132
MCQeasy

Which log severity level indicates that the system is unusable?

A.Error
B.Critical
C.Alert
D.Emergency
AnswerD

Emergency severity indicates the system is unusable.

Why this answer

FortiGate log severities follow standard syslog: Emergency (0) is the highest severity, indicating system is unusable.

133
MCQhard

In an active-active HA cluster, session synchronization is configured. A new session is created on the primary unit. When does the secondary unit learn about this session?

A.During the next heartbeat interval
B.After the session is closed
C.Within a few milliseconds to seconds after creation
D.Immediately upon session creation
AnswerC

Session synchronization is asynchronous: the primary pushes new and changed sessions to the secondary over the heartbeat (or dedicated session-sync) link shortly after they are created, not in the same instant and not tied to the hello timer.

Why this answer

In active-active HA with session sync, the primary streams session updates to the secondary in the background, so the secondary learns of a new session within milliseconds to seconds of its creation rather than at the moment it is created. FortiOS can also be told to hold back short-lived connections: with session-pickup-delay enabled, only sessions that have existed for at least 30 seconds are synchronized, which saves sync bandwidth on transient flows.

134
MCQmedium

In an active-active HA cluster, the administrator notices that traffic is not being load-balanced evenly across both units. What is the most likely cause?

A.The load balance method is set to 'none'
B.The heartbeat interface speed is mismatched
C.The load balance method is set to 'source-ip' which naturally causes imbalance
D.The cluster is using active-passive mode
AnswerA

If load-balance method is 'none', one unit handles all traffic; this is common misconfiguration.

Why this answer

In active-active HA, load balancing requires a load-balance method (like source IP hash or round-robin). Without a proper method, traffic may not distribute evenly.

135
MCQmedium

A network engineer is configuring an SD-WAN rule to steer voice traffic to the MPLS link with the lowest latency. The SLA target is set to latency < 50 ms and jitter < 10 ms. However, the MPLS link occasionally exceeds the latency threshold. What should the engineer do to ensure voice traffic uses the best available link without manual intervention?

A.Remove the latency performance SLA and rely only on jitter.
B.Configure the SD-WAN rule with a secondary strategy to use the broadband link when SLA is not met.
C.Increase the jitter threshold to 15 ms to avoid SLA violations.
D.Disable SLA enforcement on the SD-WAN rule so voice traffic always uses the MPLS link.
AnswerB

Correct; this allows automatic failover to the broadband link when MPLS fails SLA.

Why this answer

Option B is correct because configuring a secondary strategy (e.g., fallback to broadband) allows the SD-WAN rule to automatically steer voice traffic to the best available link when the primary MPLS link fails the SLA (latency > 50 ms). This ensures continuous SLA compliance without manual intervention, leveraging Fortinet's SD-WAN dynamic path selection based on real-time performance metrics.

Exam trap

The trap here is that candidates often think increasing SLA thresholds or disabling SLA enforcement solves the problem, but the correct approach is to implement a fallback strategy to maintain SLA compliance automatically.

How to eliminate wrong answers

Option A is wrong because removing the latency SLA eliminates the ability to detect high-latency conditions, which could lead to poor voice quality on the MPLS link; jitter alone does not guarantee acceptable one-way delay. Option C is wrong because increasing the jitter threshold to 15 ms does not address the latency violation (which is the actual SLA failure), and it may allow unacceptable jitter levels that degrade voice quality. Option D is wrong because disabling SLA enforcement forces all voice traffic to the MPLS link regardless of its performance, defeating the purpose of SD-WAN intelligent steering and risking poor user experience when latency spikes.

136
MCQmedium

A FortiGate admin wants to send logs to both a local disk and a remote FortiAnalyzer. Which log configuration must be set?

A.Use the 'diagnose debug application log' command
B.Select 'Mirror local logs to FortiAnalyzer'
C.Enable local logging and configure FortiAnalyzer as a remote server
D.Set the log severity to 'Information' on both
AnswerC

Both logging methods can be enabled independently.

Why this answer

FortiGate can log to multiple destinations simultaneously by configuring both local and remote logging.

137
Multi-Selectmedium

Which TWO statements about FortiGate HA heartbeat interfaces are correct?

Select 2 answers
A.Heartbeat interfaces must be in the same VDOM.
B.Heartbeat interfaces must be dedicated management ports.
C.Heartbeat interfaces must be on the same subnet.
D.Heartbeat traffic is not encrypted by default.
E.Only two heartbeat interfaces can be configured.
AnswersC, D

Correct; heartbeat requires L2 connectivity.

Why this answer

Option C is correct because heartbeat packets are exchanged directly at Layer 2 between cluster members (by default with Ethertype 0x8890, not over IP), so the heartbeat interfaces must share a broadcast domain; the cluster assigns its own 169.254.0.x addresses to them. Option D is correct because heartbeat traffic is sent in clear text unless 'set encryption enable' and 'set authentication enable' are configured under 'config system ha'; both are disabled by default, so anyone on the heartbeat segment can read or inject it, which is one reason to use dedicated, directly connected heartbeat links.

Exam trap

The trap here is Option A: HA is configured globally (config system ha) and heartbeat interfaces belong to the cluster, not to any VDOM, so VDOM membership is not a constraint. Option B is also a trap: any physical interface can serve as a heartbeat interface; dedicated management ports are not required. Option E is wrong because hbdev can list more than two interfaces, each with its own priority.
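As an added example (not from the original page and not Fortinet's documentation), the following FortiOS CLI fragment brings together the HA settings that questions 125, 131 and this one turn on: redundant heartbeat links, heartbeat timers, heartbeat encryption and authentication, and session pickup for both TCP and connectionless traffic. The group name, priority and port numbers are assumptions for illustration.

```fortios
config system ha
    set group-name "edge-cluster"
    set mode a-p
    set priority 200
    set override disable
    set hbdev "port3" 50 "port4" 50
    set hb-interval 2
    set hb-lost-threshold 6
    set encryption enable
    set authentication enable
    set session-pickup enable
    set session-pickup-connectionless enable
    set monitor "port1" "port2"
end
```

hbdev lists two heartbeat interfaces with equal priority so that one failed cable does not split the cluster; hb-interval is in units of 100 ms and hb-lost-threshold is the number of missed heartbeats before a peer is declared lost (the values shown are the defaults, giving roughly 1.2 seconds to detection); encryption and authentication are off by default and should be turned on whenever the heartbeat link is not a dedicated crossover cable; session-pickup covers TCP and session-pickup-connectionless adds UDP and ICMP; monitor triggers a failover when a monitored data interface loses link. After applying it on both units, 'get system ha status' shows the cluster members and their roles, and 'diagnose sys ha checksum cluster' shows whether the configurations are in sync.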

138
Drag & Dropmedium

Drag and drop the steps to configure HA (High Availability) on a FortiGate pair into the correct order.


Why this order

HA configuration requires physical connection, mode selection, priority, and interface monitoring before reboot.

139
MCQeasy

Which CLI command is used on a FortiGate to perform a real-time packet capture on an interface?

A.diagnose sniffer packet
B.execute packet-capture
C.diagnose debug flow
D.diagnose sys session list
AnswerA

Correct command for packet capture.

Why this answer

The 'diagnose sniffer packet' command captures packets in real-time on a specified interface.

140
MCQeasy

Which FortiGate feature allows users to access internal applications without a VPN client?

C.ZTNA
D.FortiGuard
AnswerC

ZTNA provides agentless access to applications using identity-based policies.

Why this answer

ZTNA (Zero Trust Network Access) enables agentless access to applications based on identity and context.

141
MCQhard

An administrator runs 'diagnose debug flow' for a specific source IP and sees the output includes 'no matching policy'. The FortiGate has a firewall policy that should match the traffic. What is the most likely reason for this message?

A.The FortiGate's routing table does not have a route for the destination
B.The firewall policy is disabled or the source/destination interfaces do not match the traffic's ingress/egress interfaces
C.The security profiles applied to the policy are blocking the traffic
D.The session table is full and cannot accept new sessions
AnswerB

If the policy is disabled or the interface mismatch exists, the traffic will not match any policy.

Why this answer

'no matching policy' in debug flow indicates that the traffic did not match any firewall policy. Even if a policy exists, it may not match due to incorrect source/destination interfaces, addresses, or other criteria. A common cause is that the traffic is coming from an interface that is not covered by the policy or the policy is disabled.
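As an added example (not part of the original page and not Fortinet's code), the following Python script groups 'diagnose debug flow' output by trace_id and extracts the verdict the way questions 114, 116, 121 and this one describe: a packet is either allowed by a numbered policy, denied by a policy (policy 0 being the implicit deny, which is what the administrator sees as 'no matching policy'), or dropped before the policy lookup ever happens (for example by the reverse path check). The sample trace embedded in the script is constructed; the addresses, session IDs and source line numbers are illustrative.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Regexes for the message formats seen in 'diagnose debug flow' output.
TRACE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"\s*$')
PKT_RE = re.compile(r"received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\w+)\.")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
LOCALIN_RE = re.compile(r"iprope_in_check\(\) check failed on policy (\d+), drop")


@dataclass
class FlowTrace:
    trace_id: int
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    ingress: Optional[str] = None
    verdict: str = "unknown"          # allow | deny | drop | unknown
    policy_id: Optional[int] = None
    reason: str = ""
    messages: list[str] = field(default_factory=list)

    @property
    def implicit_deny(self) -> bool:
        # Policy 0 is the implicit deny at the bottom of the policy table.
        return self.verdict == "deny" and self.policy_id == 0


def parse_debug_flow(text: str) -> dict[int, FlowTrace]:
    """Group debug flow lines by trace_id and record the first verdict seen."""
    traces: dict[int, FlowTrace] = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, FlowTrace(trace_id=tid))
        t.messages.append(msg)
        if t.verdict != "unknown":
            continue                                  # verdict already recorded for this trace
        if pkt := PKT_RE.search(msg):
            t.proto, t.src, t.dst, t.ingress = int(pkt.group(1)), pkt.group(2), pkt.group(3), pkt.group(4)
        elif a := ALLOW_RE.search(msg):
            t.verdict, t.policy_id, t.reason = "allow", int(a.group(1)), msg
        elif d := DENY_RE.search(msg):
            t.verdict, t.policy_id, t.reason = "deny", int(d.group(1)), msg
        elif li := LOCALIN_RE.search(msg):
            t.verdict, t.policy_id, t.reason = "drop", int(li.group(1)), msg
        elif msg.endswith("drop"):
            t.verdict, t.reason = "drop", msg         # dropped before policy lookup (route, RPF, ...)
    return traces


def explain(t: FlowTrace) -> str:
    """One-line diagnosis with the next troubleshooting step for each verdict."""
    where = f"trace {t.trace_id}: {t.src}->{t.dst} proto {t.proto} in via {t.ingress}"
    if t.implicit_deny:
        return (where + ": implicit deny (policy 0), no explicit policy matched; check the "
                "interface pair, addresses, service and schedule of the policy you expected")
    if t.verdict == "deny":
        return where + f": denied by policy {t.policy_id}, an earlier policy matched first"
    if t.verdict == "drop":
        return where + ": dropped before policy lookup: " + t.reason
    if t.verdict == "allow":
        return where + f": allowed by policy {t.policy_id}"
    return where + ": no verdict in trace"


def verdict_counts(traces: dict[int, FlowTrace]) -> Counter:
    return Counter(t.verdict for t in traces.values())


# Constructed sample output; addresses, session IDs and line numbers are illustrative.
SAMPLE = """\
id=20085 trace_id=10 func=print_pkt_detail line=5567 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51234->203.0.113.10:443) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=10 func=init_ip_session_common line=5732 msg="allocate a new session-0001a2b3"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.1.1 via port2"
id=20085 trace_id=10 func=fw_forward_handler line=764 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=11 func=print_pkt_detail line=5567 msg="vd-root:0 received a packet(proto=6, 192.168.1.20:40001->203.0.113.20:23) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=11 func=init_ip_session_common line=5732 msg="allocate a new session-0001a2b4"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.1.1 via port2"
id=20085 trace_id=11 func=fw_forward_handler line=786 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=12 func=print_pkt_detail line=5567 msg="vd-root:0 received a packet(proto=6, 10.99.0.5:40002->192.168.1.30:22) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=12 func=init_ip_session_common line=5732 msg="allocate a new session-0001a2b5"
id=20085 trace_id=12 func=ip_route_input_slow line=2260 msg="reverse path check fail, drop"
"""

if __name__ == "__main__":
    for t in parse_debug_flow(SAMPLE).values():
        print(explain(t))
```

The distinction the script makes matters in practice: trace 11 reaches the policy lookup and is refused by the implicit deny, so the fix is in the policy table, whereas trace 12 never gets that far because the packet arrived on an interface the routing table does not associate with its source, so no policy change will help until the route or the interface is corrected.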

142
MCQeasy

A network administrator runs the following CLI command on a FortiGate to capture traffic for troubleshooting: 'diagnose sniffer packet any "host 10.0.1.100" 4'. What does the '4' at the end of the command specify?

A.The filter verbosity level
B.The maximum number of packets to capture
C.The time duration in seconds
D.The interface index
AnswerA

The arguments of 'diagnose sniffer packet' are positional: interface, filter, verbosity, count, timestamp format. In this command 'any' is the interface, "host 10.0.1.100" is the filter, and the '4' occupies the verbosity position; no count is given, so the capture runs until stopped with Ctrl-C.

Why this answer

The third parameter of the diagnose sniffer packet command is the verbosity level, and 4 prints each packet's header together with the interface it was seen on (1 prints headers only, 2 adds the IP payload, 3 adds the Ethernet frame, and 5 and 6 are 2 and 3 with the interface name). The packet count would be the fourth parameter, as in 'diagnose sniffer packet any "host 10.0.1.100" 4 100'.

143
Multi-Selecthard

Which THREE statements about SD-WAN rules are correct?

Select 3 answers
A.SD-WAN rules are evaluated in order of priority.
B.SD-WAN rules must use a 'load balancing' strategy.
C.SD-WAN rules can match based on application, destination, or source.
D.Each SD-WAN rule can only contain one member.
E.If no SD-WAN rule matches, the traffic is processed by the implicit rule.
AnswersA, C, E

Correct; rules have priority and are evaluated top-down.

Why this answer

SD-WAN rules are evaluated in order of priority, meaning the rule with the highest priority (lowest number) is matched first. This sequential evaluation ensures deterministic traffic steering based on the most specific match criteria defined by the administrator.

Exam trap

The trap here is that candidates often assume SD-WAN rules must use load balancing, but Fortinet allows multiple strategies including 'best quality' and 'manual', and they also mistakenly think each rule can only have one member, whereas member groups are supported for redundancy and load distribution.

144
MCQmedium

A FortiGate administrator needs to block a specific application using the FortiGuard Application Control service. Which two objects must be correctly configured in the firewall policy to achieve this? (Choose the best single answer describing the required object types.)

A.An antivirus profile and a routing policy
B.An application control profile and a firewall policy
C.A URL filter profile and a NAT policy
D.A web filter profile and an SSL inspection profile
AnswerB

The profile defines which applications to block; the policy applies the profile to traffic.

Why this answer

Application Control requires a security profile and a firewall policy that references it.

145
MCQmedium

A network engineer is configuring SD-WAN on a FortiGate with two WAN links: MPLS (port1) and Internet (port2). The MPLS link has lower latency and jitter. The engineer wants to route all VoIP traffic (SIP and RTP) over the MPLS link unless it is unavailable. Which SD-WAN rule configuration should be used?

A.Create an SD-WAN rule for VoIP traffic with strategy 'best quality' and set the SLA target for latency to 10ms on the MPLS link.
B.Create an SD-WAN rule for VoIP traffic with strategy 'load balancing' and assign equal weight to both links.
C.Create an SD-WAN rule for VoIP traffic with strategy 'manual' or 'prefer' and select MPLS as the preferred member, with Internet as backup.
D.Create an SD-WAN rule for VoIP traffic with strategy 'best quality' and set the SLA target to prefer the Internet link.
AnswerC

This ensures MPLS is used primarily and Internet only if MPLS is down.

Why this answer

Option C is correct because the engineer requires a deterministic routing policy where VoIP traffic always uses the MPLS link unless it fails. The 'manual' (or 'prefer') strategy in SD-WAN rules allows you to explicitly set a preferred member (MPLS) and designate the other link (Internet) as a backup, ensuring failover only when the preferred link is unavailable. This matches the requirement of routing all VoIP traffic over MPLS unless it is unavailable, without relying on SLA performance metrics.

Exam trap

The trap here is that candidates often confuse 'best quality' with a manual preference, assuming that setting a low latency SLA target on MPLS will force all traffic to that link, but 'best quality' can still switch to another link if SLA thresholds are not met, even if the preferred link is operational.

How to eliminate wrong answers

Option A is wrong because the 'best quality' strategy dynamically selects the link based on real-time SLA performance metrics (e.g., latency, jitter), not a fixed preference; even if MPLS meets the 10ms latency target, the rule could still switch to the Internet link if MPLS momentarily degrades, violating the requirement to use MPLS unless it is completely unavailable. Option B is wrong because 'load balancing' distributes traffic across both links based on weights or volume, which would send VoIP traffic over the Internet link even when MPLS is healthy, contradicting the requirement to use MPLS exclusively. Option D is wrong because setting the SLA target to prefer the Internet link would actively steer VoIP traffic away from the lower-latency MPLS link, which is the opposite of the desired behavior.
