CCNA Nse4 System Network Questions

75 of 200 questions · Page 1/3 · Nse4 System Network topic · Answers revealed

Question 1 (MCQ, medium)

An administrator configures a policy route to force traffic from a specific source subnet to use a particular WAN interface. After applying the configuration, the traffic still uses the default route. What is the most likely cause?

A. The static default route has a lower administrative distance than the policy route
B. The FortiGate's VDOM is enabled and the policy route is in the wrong VDOM
C. The policy route's incoming interface is incorrectly configured
D. The policy route has a lower priority than the static default route

Answer: C

Policy routes match based on incoming interface; if the traffic enters on a different interface, the policy route is not applied.

Why this answer

Policy routes are evaluated based on the incoming interface specified in the rule. If the incoming interface is misconfigured (e.g., set to 'any' or the wrong physical interface), the FortiGate will not match the traffic against the policy route, causing it to fall through to the routing table and use the default route. The policy route must explicitly match the interface on which the traffic enters the FortiGate.

Exam trap

The trap here is that candidates often confuse policy routes with static routes or assume that a policy route applies globally, when in fact the incoming interface is a critical matching condition that must be correctly configured for the policy to take effect.

How to eliminate wrong answers

Option A is wrong because administrative distance applies to routes in the routing table, not to policy routes; policy routes override the routing table regardless of administrative distance. Option B is wrong because while VDOM misplacement can cause policy routes to not apply, the question states the configuration was applied, and VDOM issues would typically prevent the policy from being created or visible, not silently ignore it. Option D is wrong because policy routes do not have a 'priority' value relative to static routes; they are evaluated before the routing table lookup, and if the incoming interface matches, the policy route is used unconditionally.

Question 2 (MCQ, medium)

You run 'get system performance status' and see CPU usage at 95% with high context switch rate. The FortiGate is not passing any traffic. What is the most likely cause?

A. A routing loop is causing continuous packet processing
B. The FortiGate is under a DDoS attack
C. The antivirus engine is updating signatures
D. The FortiGate is in transparent mode

Answer: A

Even with no traffic, a misconfigured route can cause kernel loops that consume CPU.

Why this answer

A routing loop causes the FortiGate to continuously process and re-process packets as they are forwarded in a cycle between routers, leading to high CPU usage and context switch rates. The loop prevents traffic from being successfully delivered, resulting in zero traffic passing through the FortiGate. This matches the observed symptoms of 95% CPU usage and high context switching.

Exam trap

The trap here is that candidates often associate high CPU usage with a DDoS attack, but the key clue is the high context switch rate combined with zero traffic passing, which points to a routing loop rather than a flood of traffic.

How to eliminate wrong answers

Option B is wrong because a DDoS attack would typically cause high CPU usage and packet drops, but the FortiGate would still pass some legitimate traffic or at least process packets; the complete inability to pass traffic is more characteristic of a routing loop. Option C is wrong because antivirus signature updates are a background process that may cause a temporary CPU spike but not sustained 95% usage with high context switching, and they do not prevent all traffic from passing. Option D is wrong because transparent mode does not inherently cause high CPU usage or context switching; it is a Layer 2 forwarding mode that should not impact performance in this way.

Question 3 (MCQ, medium)

A company has a FortiGate 200F with FortiOS 7.2 and two ISPs (WAN1: 100 Mbps, WAN2: 50 Mbps). The company uses SD-WAN to load balance outbound internet traffic. Recently, the company added a new VoIP application that requires low latency and jitter. The administrator configured an SD-WAN rule to match the VoIP traffic and set the strategy to 'best quality' with a performance SLA measuring latency and jitter. However, after testing, the VoIP traffic is still using WAN2 (the slower link) even when WAN1 has lower latency. The performance SLA shows both links meeting the SLA thresholds. What is the most likely reason?

A. The 'best quality' strategy uses bandwidth as a tiebreaker when SLA is met.
B. The VoIP traffic is being offloaded by NPU bypassing SD-WAN.
C. The administrator needs to enable 'set internet-service enable' on the rule.
D. The SD-WAN rule is not matching the VoIP traffic correctly.

Answer: A

Fortinet's best quality uses bandwidth to break ties.

Why this answer

When the 'best quality' strategy is used in an SD-WAN rule, FortiGate selects the best-performing link based on the configured performance SLA metrics (e.g., latency and jitter). However, if multiple links meet the SLA thresholds, the tiebreaker is the link with the highest bandwidth. In this scenario, both WAN1 and WAN2 meet the SLA, so FortiGate selects WAN2 because it has higher bandwidth (100 Mbps vs. 50 Mbps), not because of latency.

This explains why VoIP traffic uses WAN2 despite WAN1 having lower latency.

Exam trap

The trap here is that candidates assume 'best quality' always selects the link with the best SLA metrics (e.g., lowest latency), but FortiGate uses bandwidth as a tiebreaker when multiple links meet the SLA, which is a subtle but critical detail tested in NSE4.

How to eliminate wrong answers

Option B is wrong because NPU offloading does not bypass SD-WAN; SD-WAN policies are applied before hardware acceleration, and NPU offloading only affects forwarding after the policy decision. Option C is wrong because 'set internet-service enable' is used for internet service-based routing, not for matching VoIP traffic in an SD-WAN rule; the rule already matches VoIP traffic via application control or other criteria. Option D is wrong because the question states the rule was configured to match VoIP traffic, and the performance SLA shows both links meeting thresholds, indicating the traffic is being matched and processed by SD-WAN; the issue is the tiebreaker logic, not a matching failure.

Question 4 (MCQ, easy)

Which command is used to back up the FortiGate configuration to a TFTP server?

A. save config tftp <filename> <server_ip>
B. backup tftp config <filename> <server_ip>
C. execute backup config tftp <filename> <server_ip>
D. copy config tftp <filename> <server_ip>

Answer: C

Correct CLI command.

Why this answer

The correct command to back up the FortiGate configuration to a TFTP server is 'execute backup config tftp <filename> <server_ip>'. This is because FortiGate uses the 'execute' command for operational tasks, and 'backup config tftp' specifically instructs the system to export the running configuration to a TFTP server. The other options use incorrect syntax or commands that are not recognized by the FortiGate CLI.

Exam trap

The trap here is that candidates familiar with Cisco IOS may mistakenly choose 'copy config tftp' (Option D), which is valid for Cisco but not for FortiGate, where the correct syntax requires 'execute backup config tftp'.

How to eliminate wrong answers

Option A is wrong because 'save config tftp' is not a valid FortiGate command; the correct syntax uses 'execute backup' rather than 'save'. Option B is wrong because 'backup tftp config' reverses the order of keywords and omits 'execute', which is required for operational commands in FortiGate. Option D is wrong because 'copy config tftp' is a Cisco IOS command, not a FortiGate command; FortiGate uses 'execute backup config tftp' for this purpose.

Question 5 (MCQ, medium)

A company is deploying a FortiGate HA cluster in active-passive mode across two data centers. The network team reports that after a failover, some existing TCP sessions are dropped. Which configuration change should be applied to maintain session persistence during failover?

A. Enable session synchronization between cluster members
B. Disable NAT inspection on the firewall policy
C. Configure gratuitous ARP on the virtual IP
D. Increase the heartbeat interval to 2 seconds

Answer: A

Session sync shares session state between primary and secondary, maintaining sessions during failover.

Why this answer

In an active-passive HA cluster, session synchronization (config.sys ha session-sync) ensures that TCP session state information is replicated from the active unit to the passive unit. Without this, the passive unit has no knowledge of existing sessions after a failover, causing them to be dropped. Enabling session synchronization allows the new active unit to continue forwarding traffic for established sessions seamlessly.

Exam trap

The trap here is that candidates often confuse gratuitous ARP (which handles Layer 2 updates) with session persistence, assuming that updating MAC tables is sufficient to maintain TCP sessions, but session state must be replicated at Layer 4.

How to eliminate wrong answers

Option B is wrong because disabling NAT inspection does not affect session persistence during failover; NAT is a separate function and does not control session state replication. Option C is wrong because gratuitous ARP is used to update the network with the new MAC address of the virtual IP after failover, but it does not preserve existing TCP sessions; it only ensures Layer 2 reachability. Option D is wrong because increasing the heartbeat interval to 2 seconds would actually slow down failure detection, potentially increasing session loss, and has no impact on session synchronization.

Question 6 (MCQ, hard)

A medium-sized enterprise has a FortiGate 100F in NAT/Route mode with three interfaces: port1 (WAN, 203.0.113.1/24, gateway 203.0.113.254), port2 (internal, 192.168.1.1/24), and port3 (DMZ, 10.0.0.1/24). The internal network hosts a web server at 192.168.1.10 and a mail server at 192.168.1.20. The DMZ hosts a public web server at 10.0.0.10 and a public DNS server at 10.0.0.20. The company has a single public IP 203.0.113.1. The administrator has configured the following:

- Port forwarding: external HTTP to DMZ web server (10.0.0.10:80) and external DNS to DMZ DNS server (10.0.0.20:53).
- Outbound NAT (IP Pool) for internal users to 203.0.113.1.
- Firewall policies allowing internal to external, DMZ to external, and external to DMZ (for forwarded services).

Users report that they can access the Internet but cannot reach the internal web server (192.168.1.10) via its public IP (203.0.113.1:80). The DMZ web server is accessible from the Internet. What is the most likely cause?

A. The firewall policy from internal to DMZ is blocking traffic
B. Hairpin NAT is not enabled on the FortiGate
C. The port forwarding rule maps the public IP to the DMZ server, not the internal server
D. The IP Pool for outbound NAT is misconfigured

Answer: C

The port forwarding is set to DMZ server (10.0.0.10), so internal users cannot reach the internal server via the public IP.

Why this answer

The port forwarding rule explicitly maps external HTTP (port 80) to the DMZ web server at 10.0.0.10. Since the internal web server at 192.168.1.10 is not referenced in any port forwarding rule, traffic destined to the public IP 203.0.113.1:80 from the internal network will not be redirected to 192.168.1.10. This is the root cause of the issue, not a missing hairpin NAT or misconfigured outbound NAT.

Exam trap

The trap here is that candidates often assume hairpin NAT is the universal fix for internal access to public IPs, but they overlook that the port forwarding rule must first exist for the target internal server; without that rule, hairpin NAT has no effect.

How to eliminate wrong answers

Option A is wrong because the problem is about accessing the internal web server via its public IP, not about traffic between internal and DMZ zones; the firewall policy from internal to DMZ is irrelevant here. Option B is wrong because hairpin NAT (also called NAT reflection) is only needed when a device on the internal network tries to reach another internal device via the public IP, but in this scenario, the port forwarding rule does not even point to the internal server, so enabling hairpin NAT would not fix the issue. Option D is wrong because the IP Pool for outbound NAT is correctly configured to translate internal users' source IPs to 203.0.113.1 for Internet access, and users can already access the Internet, indicating outbound NAT is functioning properly.

Question 7 (MCQ, easy)

Which of the following is required to allow a FortiGate to synchronize its clock with an NTP server?

A. Firewall policy allowing NTP traffic (UDP 123) from the FortiGate to the NTP server
B. Enable NTP in the admin settings
C. Set the timezone using config system global
D. Disable daylight saving time

Answer: A

If the NTP server is on a different network, NTP traffic must be permitted.

Why this answer

A FortiGate synchronizes its clock with an NTP server using NTP traffic, which relies on UDP port 123. Without a firewall policy that explicitly permits outbound UDP 123 traffic from the FortiGate to the NTP server, the NTP packets are dropped by the FortiGate's own firewall engine, preventing clock synchronization. This policy is required even for traffic originating from the FortiGate itself, as the FortiGate applies firewall rules to all traffic, including management traffic.

Exam trap

The trap here is that candidates assume management traffic (like NTP) is exempt from firewall policies, but FortiGate treats all traffic—including its own—as subject to policy enforcement, so a specific firewall policy for UDP 123 is mandatory for NTP synchronization to succeed.

How to eliminate wrong answers

Option B is wrong because enabling NTP in the admin settings (via 'config system ntp') is necessary to configure NTP servers and enable the NTP client, but it does not bypass the need for a firewall policy to allow the actual UDP 123 traffic. Option C is wrong because setting the timezone using 'config system global' is a separate configuration that affects how the local time is displayed, but it does not enable or facilitate NTP synchronization with an external server. Option D is wrong because disabling daylight saving time is a timezone-related setting that does not impact the ability to send or receive NTP packets; NTP synchronization works independently of DST settings.

Question 8 (MCQ, hard)

A FortiGate is configured in transparent mode. The administrator notices that traffic passing through the FortiGate is not being logged, even though log all sessions is enabled on the policy. What is the most likely reason?

A. Traffic is being bridged without session creation because the policy is set to 'accept' without logging enabled.
B. The FortiGate is not operating in a VDOM.
C. The FortiGate is in transparent mode and cannot log traffic.
D. The log memory buffer is full and not sending to syslog.

Answer: A

In transparent mode, traffic might not create sessions unless logging is explicitly enabled.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge and does not create sessions for traffic that is simply bridged between interfaces. Even with 'log all sessions' enabled on the policy, if the policy action is 'accept' without explicit logging enabled (i.e., the 'Logging' option is not set to 'All Sessions' or 'Security Events'), the traffic is forwarded without session logging. This is because transparent mode policies require separate logging configuration to generate logs, and the default 'accept' action does not log unless specifically configured.

Exam trap

The trap here is that candidates assume 'log all sessions' on the policy automatically logs all traffic, but in transparent mode, the policy must also have logging explicitly enabled (e.g., set to 'All Sessions') for logs to be generated, as the default 'accept' action does not log.

How to eliminate wrong answers

Option B is wrong because VDOM operation is not required for logging in transparent mode; logging functionality is independent of VDOMs. Option C is wrong because transparent mode can log traffic when logging is properly configured on the policy; it is not a limitation of the mode itself. Option D is wrong because a full log memory buffer would cause logs to be dropped or overwritten, but it would not prevent the FortiGate from attempting to log traffic; the issue here is that no log entries are generated at all, which points to a configuration problem, not a buffer issue.

Question 9 (Multi-Select, medium)

An administrator wants to use FortiManager to manage multiple FortiGates. Which three steps must be performed to establish communication between a FortiGate and FortiManager? (Choose THREE.)

Select 3 answers

A. Place the FortiGate in transparent mode
B. Ensure network connectivity between the FortiGate and FortiManager
C. Configure the FortiGate's management interface with an IP address
D. Enable FortiManager registration and provide a registration password
E. Set the FortiManager IP address on the FortiGate under System > FortiManager

Answers: B, D, E

Without connectivity, registration will fail.

Why this answer

Option B is correct because FortiManager communicates with managed FortiGates over TCP/541 (FGFM protocol). Without IP-level connectivity between the two devices, the registration and management tunnel cannot be established. This is a prerequisite before any configuration steps can succeed.

Exam trap

The trap here is that candidates often confuse general FortiGate interface configuration (Option C) with the specific FortiManager registration steps, or incorrectly assume transparent mode (Option A) is required for management, when in fact the three required steps are ensuring connectivity, enabling registration with a password, and setting the FortiManager IP address on the FortiGate.

Question 10 (MCQ, hard)

A FortiGate in NAT/Route mode has a policy with NAT enabled. The admin needs the source IP of traffic from internal users (192.168.1.0/24) to be translated to the interface IP of port1 (203.0.113.1) when accessing the internet. Which configuration is necessary?

A. Add a static route for 192.168.1.0/24 with next-hop 203.0.113.1
B. Set the administrative access to HTTPS on port1
C. Create a central NAT rule with source 192.168.1.0/24 and IP pool 203.0.113.2-203.0.113.10
D. Configure a firewall policy with NAT enabled and the outbound interface set to port1

Answer: D

By default, NAT on a policy uses the egress interface IP as the translated source.

Why this answer

Option D is correct because in NAT/Route mode, enabling NAT on a firewall policy with the outbound interface set to port1 causes the FortiGate to translate the source IP of traffic from the internal network (192.168.1.0/24) to the IP address of that interface (203.0.113.1) by default. This is the standard method for source NAT (SNAT) in a policy-based configuration, requiring no additional IP pool or static route for the translation itself.

Exam trap

The trap here is that candidates may confuse the need for an IP pool or static route with the simple policy-based NAT, assuming that translating to the interface IP requires additional configuration beyond enabling NAT on the policy.

How to eliminate wrong answers

Option A is wrong because a static route for 192.168.1.0/24 with next-hop 203.0.113.1 is unnecessary and incorrect; the internal subnet is directly connected, and the next-hop for internet-bound traffic should be the default gateway, not the interface IP. Option B is wrong because setting administrative access to HTTPS on port1 only enables management access to the interface, not source NAT translation. Option C is wrong because creating a central NAT rule with an IP pool of 203.0.113.2-203.0.113.10 would translate the source IP to a range of addresses, not the single interface IP (203.0.113.1), which does not match the requirement.

Question 11 (Multi-Select, medium)

An administrator is configuring a FortiGate HA cluster in active-passive mode. Which two statements are correct about this configuration?

Select 2 answers

A. The cluster IP address is assigned to both units simultaneously.
B. One unit is active and forwards traffic, while the other is passive and does not forward traffic unless a failover occurs.
C. Both units can forward traffic simultaneously.
D. Heartbeat interfaces are optional.
E. Session synchronization is configured to maintain stateful failover.

Answers: B, E

This defines active-passive HA.

Why this answer

In an active-passive HA cluster, only the active unit processes and forwards traffic, while the passive unit remains in standby mode and does not forward traffic unless a failover occurs. This ensures high availability without load sharing. Additionally, session synchronization is configured to replicate stateful session information from the active to the passive unit, enabling seamless failover without disrupting established sessions.

Exam trap

The trap here is that candidates often confuse active-passive with active-active mode, mistakenly thinking both units can forward traffic simultaneously, or they assume the cluster IP is shared by both units at all times.

Question 12 (Multi-Select, medium)

A FortiGate administrator needs to configure a backup and restore strategy for the FortiGate configuration. Which TWO statements are correct regarding configuration backup and restore?

Select 2 answers

A. When restoring a configuration to a different FortiGate model, the interface names may cause the restore to fail.
B. The encrypted backup can only be restored on a FortiGate running the same firmware version.
C. It is not possible to restore only a specific section of the configuration (e.g., only firewall policies).
D. The backup file is encrypted by default to protect sensitive information.
E. The backup file contains all system settings, including firmware version information.

Answers: A, E

Interface names differ between models; restoring a configuration with mismatched interface names will fail.

Why this answer

Option A is correct because FortiGate configurations include interface-specific names (e.g., port1, port2, wan1) that may not exist on a different model. If the target FortiGate lacks those exact interface names, the restore process will fail due to mismatched interface references, preventing the configuration from being applied.

Exam trap

The trap here is that candidates assume encrypted backups are firmware-version locked (Option B) or that partial restore is impossible (Option C), when in fact FortiGate supports both cross-version encrypted restores and partial configuration restoration.

Question 13 (MCQ, medium)

A FortiGate administrator needs to upgrade the firmware from FortiOS 6.4 to 7.0. The administrator downloads the upgrade image but when uploading via the GUI, the FortiGate reboots and comes back with the same firmware version. What is the most likely cause?

A. The firmware image was corrupted during download.
B. The FortiGate does not support firmware upgrade via GUI; CLI must be used.
C. The administrator uploaded the wrong image (e.g., for a different FortiGate model).
D. The administrator must first upgrade to an intermediate version before 7.0.

Answer: C

If the image is for a different platform, FortiGate will reject it and reboot without upgrading.

Why this answer

Option C is correct because uploading a firmware image intended for a different FortiGate model will cause the upgrade to fail silently. The FortiGate validates the image against its hardware platform; if the image does not match, the device rejects it and reboots with the existing firmware. This is a common issue when administrators accidentally download the image for a different series (e.g., FortiGate 100F vs. 200F).

Exam trap

The trap here is that candidates may assume a reboot with unchanged firmware always indicates corruption or a need for intermediate upgrades, overlooking the critical platform validation that rejects mismatched images.

How to eliminate wrong answers

Option A is wrong because a corrupted image would typically cause a checksum error or fail to upload, not result in a reboot with the same firmware version. Option B is wrong because FortiGate fully supports firmware upgrades via the GUI; CLI is an alternative but not a requirement. Option D is wrong because FortiGate 6.4 to 7.0 is a direct upgrade path supported by Fortinet; no intermediate version is required for this jump.

Question 14 (MCQ, hard)

An administrator runs the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and sees output indicating sessions with proto_state=01 and duration=3600. What does this indicate about the sessions?

A. The sessions are UDP-based and have been active for 3600 seconds.
B. The sessions are TCP connections in SYN state and have a timeout of 3600 seconds.
C. The sessions are TCP connections in established state with a duration of 3600 seconds.
D. The sessions are ICMP packets with a TTL of 3600.

Answer: C

Why this answer

The CLI command 'diagnose sys session filter dport 443' filters sessions with destination port 443, which is the default HTTPS port. The output shows 'proto_state=01' and 'duration=3600'. In FortiGate session diagnostics, 'proto_state=01' indicates a TCP session in the established state (state 1), and 'duration' is the time in seconds since the session was created, so 3600 seconds means the session has been active for one hour.

Option C correctly identifies this.

Exam trap

The trap here is confusing the 'duration' field (elapsed time since session creation) with a timeout or TTL value, and misinterpreting 'proto_state=01' as a generic protocol indicator rather than a TCP state code.

How to eliminate wrong answers

Option A is wrong because 'proto_state=01' is specific to TCP, not UDP; UDP sessions use different state codes (e.g., 00 for no state). Option B is wrong because 'proto_state=01' represents the established state, not the SYN state (which would be state 0x02 or similar), and 'duration' is the elapsed time, not a timeout value. Option D is wrong because ICMP packets do not use TCP port numbers like 443, and 'duration' is not related to TTL (Time To Live).

Question 15 (MCQ, hard)

An administrator configures an HA cluster of two FortiGates in active-passive mode. The cluster is synchronized, but after a failover, some existing TCP sessions are dropped. What is the most likely cause?

A. The heartbeat interface is configured as a dedicated management interface
B. Session synchronization (session-pickup) is disabled
C. The cluster is operating in NAT mode
D. The cluster is using a virtual MAC address for the HA interface

Answer: B

Session synchronization ensures sessions are replicated to the standby unit; without it, sessions are lost on failover.

Why this answer

Session synchronization (session-pickup) is required for active-passive HA clusters to replicate TCP session state from the primary FortiGate to the secondary. When disabled, the backup unit has no knowledge of existing sessions after a failover, causing those sessions to be dropped because the new primary cannot match incoming packets to any session table entry.

Exam trap

The trap here is that candidates often confuse virtual MAC addressing or heartbeat configuration with session state replication, but the core requirement for session persistence after failover is session-pickup being enabled.

How to eliminate wrong answers

Option A is wrong because a dedicated management heartbeat interface does not affect session synchronization; it only separates management traffic from HA traffic. Option C is wrong because NAT mode does not inherently cause session drops after failover; session-pickup is still required regardless of the operation mode. Option D is wrong because using a virtual MAC address for the HA interface ensures seamless Layer 2 failover but does not impact session state replication; session-pickup is the mechanism that preserves TCP sessions.

Question 16 (Multi-Select, medium)

An administrator is troubleshooting why traffic from a specific source IP is not being matched by a policy route. Which THREE steps should the administrator take to diagnose the issue?

Select 3 answers

A. Disable all firewall policies to test routing.
B. Change the administrative distance of the default route to 0.
C. Verify the source address object in the policy route matches the traffic's source IP.
D. Check the policy route list order and ensure the matching condition is above the default route.
E. Use the 'diagnose debug flow' command to trace packet flow.

Answers: C, D, E

Why this answer

Option C is correct because the most fundamental step in troubleshooting a policy route mismatch is to verify that the source address object defined in the policy route exactly matches the source IP of the traffic. If the object is misconfigured (e.g., wrong subnet mask, incorrect IP range, or a typo), the traffic will never hit the policy route, regardless of other settings.

Exam trap

The trap here is that candidates often jump to modifying routing or firewall policies (Options A and B) instead of first verifying the policy route's matching criteria and order, which are the most common root causes of policy route mismatches.

Question 17 (MCQ, hard)

An organization has two FortiGate units in an HA cluster. They need to perform a firmware upgrade on the primary unit without causing a failover. Which procedure should be followed?

A. Upgrade the primary unit first, then the secondary will automatically synchronize
B. Upgrade both units simultaneously using the GUI
C. Disable HA, upgrade both, then re-enable HA
D. Upgrade the secondary unit first, then perform a graceful failover, then upgrade the original primary

Answer: D

This minimizes downtime as the secondary takes over before the primary is upgraded.

Why this answer

Option D is correct because in an HA cluster, upgrading the secondary unit first ensures that the primary remains active and can take over if the upgrade fails. After the secondary is upgraded and stable, a graceful failover is performed to make it the new primary, allowing the original primary to be upgraded without causing an unplanned failover or service interruption.

Exam trap

The trap here is that candidates assume upgrading the primary first is safe because the secondary will synchronize, but they overlook that the primary reboot triggers an automatic failover, which is not a 'graceful' upgrade path.

How to eliminate wrong answers

Option A is wrong because upgrading the primary first would cause it to reboot, triggering an automatic failover to the secondary, which is not desired. Option B is wrong because upgrading both units simultaneously can lead to a split-brain scenario or both units rebooting at the same time, causing a complete outage. Option C is wrong because disabling HA breaks the cluster state and requires re-synchronization, which is disruptive and not recommended for a controlled upgrade.

Question 18 (MCQ, medium)

An administrator notices that traffic to a particular subnet is being load-balanced across two WAN links, but they want all traffic to that subnet to use a single link. Which feature should be configured?

A. Policy routing
B. ECMP routing
C. Static route with higher distance
D. Route summarization

Answer: A

Policy routing can direct specific traffic to a particular interface.

Why this answer

Policy routing (also called PBR) allows you to override the routing table based on criteria such as source/destination IP, protocol, or port. By configuring a policy route that matches traffic to the specific subnet and sets the output interface to a single WAN link, you can force all that traffic to use one link instead of being load-balanced.

Exam trap

The trap here is that candidates often confuse ECMP load-balancing with the ability to pin traffic to a single link, mistakenly thinking that adjusting ECMP weights or distances will achieve the same result as policy routing.

How to eliminate wrong answers

Option B is wrong because ECMP (Equal-Cost Multi-Path) routing is exactly what causes load-balancing across multiple equal-cost routes; disabling or not using ECMP would not selectively force traffic to a single link without affecting other traffic. Option C is wrong because a static route with a higher distance would only be used as a backup if the primary route fails, but it does not prevent load-balancing when multiple equal-cost routes exist. Option D is wrong because route summarization aggregates multiple subnets into a single prefix to reduce routing table size, but it does not control which link is used for traffic to a specific subnet.

19
Multi-Select · hard

An administrator is configuring a FortiGate HA cluster in active-passive mode with two units. Which three conditions must be met for failover to occur? (Choose three.)

Select 3 answers
A. A monitored interface on the primary unit goes down
B. The primary unit loses all heartbeat communication with the secondary unit
C. The secondary unit receives a higher priority configuration
D. The primary unit's CPU usage exceeds 90%
E. The primary unit stops sending session synchronization packets
Answers: A, B, E

Monitored interface failure triggers failover.

Why this answer

Option A is correct because in an active-passive HA cluster, a monitored interface going down on the primary unit triggers a failover. The FortiGate HA daemon detects the link failure and, if the interface is configured as a monitored interface, the primary unit will relinquish its active role, allowing the secondary unit to take over.

Exam trap

The trap here is that candidates often confuse high CPU or memory usage as a failover trigger, but FortiGate HA does not use resource thresholds for failover unless explicitly configured via custom scripts or SNMP traps.

20
MCQ · hard

You run the following diagnose commands on a FortiGate and see this output:

diagnose sys session filter dport 443
diagnose sys session list
...
proto=6 proto_state=01 duration=3600 expire=3599
...

What does 'proto_state=01' indicate?

A. The session is UDP, indicated by proto_state 01
B. The session is in a half-open state (SYN_SENT)
C. The session has been fully established
D. The session is being terminated
Answer: B

Correct. proto_state=01 corresponds to TCP SYN_SENT.

Why this answer

In FortiGate session diagnostics, 'proto_state=01' for a TCP session (proto=6) indicates the session is in a half-open state, specifically SYN_SENT, meaning the initial SYN packet has been sent but the three-way handshake has not yet completed. This is a transient state before the session becomes fully established (proto_state=02).

Exam trap

The trap here is that candidates confuse 'proto_state=01' with a fully established session because they see 'duration' and 'expire' values that look normal, not realizing that a half-open TCP session can still have a duration counter if the initial SYN was sent.

How to eliminate wrong answers

Option A is wrong because proto_state=01 is a TCP state indicator, not UDP; UDP sessions do not use proto_state values in the same way and proto=6 explicitly indicates TCP. Option C is wrong because a fully established TCP session is indicated by proto_state=02 (ESTABLISHED), not 01. Option D is wrong because a session being terminated would show a state like FIN_WAIT or TIME_WAIT, not proto_state=01 which represents an incomplete handshake.

21
MCQ · hard

An administrator runs 'diagnose sys session filter dport 443' and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A. The session is in established state and has been active for 1 hour
B. The session is in FIN_WAIT state
C. The session is in TIME_WAIT state and will close soon
D. The session is in SYN_SENT state waiting for a SYN-ACK
Answer: A

proto_state=01 means established, duration=3600 seconds = 1 hour.

Why this answer

Option A is correct because the output shows `proto=6` (TCP), `proto_state=01` (ESTABLISHED state per Fortinet's session state encoding), `duration=3600` seconds (1 hour), and `expire=3599` seconds (nearly full lifetime remaining). This indicates the session is actively established and has been ongoing for one hour, matching the description of an established state session.

Exam trap

The trap here is that candidates misinterpret `proto_state=01` as a generic 'active' state without knowing Fortinet's specific numeric encoding, leading them to confuse it with FIN_WAIT or TIME_WAIT states that have different numeric values and shorter expire times.

How to eliminate wrong answers

Option B is wrong because `proto_state=01` corresponds to TCP ESTABLISHED, not FIN_WAIT (which would be state 05 or 06 in Fortinet's session table). Option C is wrong because TIME_WAIT state (state 09) would show a short expire value near zero, not 3599 seconds, and the session is not closing soon. Option D is wrong because SYN_SENT state (state 02) would show `proto_state=02` and a very short duration, not 3600 seconds of activity.

22
MCQ · easy

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A. The session is in a half-closed state
B. The session is about to expire
C. The session is a UDP session
D. The session is active and established
Answer: D

proto=6 (TCP), proto_state=01 (established), duration shows normal active session.

Why this answer

The output shows `proto=6` (TCP), `proto_state=01` (TCP ESTABLISHED), `duration=3600` seconds, and `expire=3599` seconds remaining. This indicates a fully established TCP session that has been active for one hour and still has nearly a full hour of idle timeout remaining. Therefore, the session is active and established, making option D correct.

Exam trap

The trap here is that candidates misinterpret `expire=3599` as 'about to expire' because they confuse the remaining idle timeout with the total session duration, or they misread `proto=6` as UDP due to common port 443 association with QUIC (UDP).

How to eliminate wrong answers

Option A is wrong because `proto_state=01` corresponds to TCP state ESTABLISHED, not a half-closed state (which would be `proto_state=09` or `0A` for FIN_WAIT or CLOSE_WAIT). Option B is wrong because `expire=3599` means the session still has 3599 seconds left before timeout, so it is not about to expire. Option C is wrong because `proto=6` indicates TCP, not UDP (which would be `proto=17`).

23
MCQ · hard

An administrator configures an aggregate interface (port1 and port2) on a FortiGate. After connecting the switch ports, the aggregate interface shows 'down'. The individual member ports are up. What is the MOST likely cause?

A. The member ports are set to different speeds
B. The switch ports are not configured for LACP or static aggregation
C. The aggregate interface IP address is in the same subnet as the management interface
D. The FortiGate needs a reboot after creating an aggregate interface
Answer: B

The switch must have the corresponding ports in an aggregate group with matching LACP settings; otherwise, the FortiGate will not see the aggregation and the interface stays down.

Why this answer

The aggregate interface remains down because the switch ports are not configured for LACP or static aggregation. For a FortiGate aggregate interface to come up, both the FortiGate member ports and the corresponding switch ports must be configured with the same aggregation protocol (LACP active/passive or static). Without this, the switch treats the ports as individual links, causing a mismatch that keeps the aggregate interface down.

Exam trap

The trap here is that candidates assume the aggregate interface will come up automatically if the member ports are physically up, overlooking the requirement for matching aggregation configuration on the switch side.

How to eliminate wrong answers

Option A is wrong because different speeds on member ports would cause the aggregate interface to fail to form or degrade performance, but the individual ports would still show up; the aggregate interface would not necessarily show 'down' due to speed mismatch alone, as FortiGate can still form an aggregate with speed differences in some configurations. Option C is wrong because an IP address conflict between the aggregate interface and the management interface would cause routing or connectivity issues, not prevent the aggregate interface from coming up at Layer 1/2. Option D is wrong because a reboot is not required after creating an aggregate interface; the interface state updates dynamically once the configuration and physical connections are correct.

24
MCQ · medium

An administrator is configuring a FortiGate in transparent mode. Which of the following features is NOT available in transparent mode?

A. Source NAT
B. VLAN tagging
C. Intrusion Prevention System (IPS)
D. Security profiles (AV, web filter)
Answer: A

NAT is not available because transparent mode does not route IP packets.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge without routing capabilities, meaning it cannot perform Source NAT (SNAT) because SNAT requires Layer 3 routing to translate source IP addresses. Transparent mode does not have an IP address on its interfaces for routing, so features dependent on Layer 3 forwarding, such as NAT, are unavailable.

Exam trap

The trap here is that candidates often assume security features like IPS or AV require Layer 3 routing, but they actually operate at higher layers and work in transparent mode, while NAT is the only option that explicitly depends on Layer 3 functionality.

How to eliminate wrong answers

Option B is wrong because VLAN tagging is fully supported in transparent mode; the FortiGate can pass and even tag/untag VLAN frames as a Layer 2 device. Option C is wrong because IPS operates at Layer 2-7 and inspects traffic passing through the bridge, so it works in transparent mode without requiring Layer 3 routing. Option D is wrong because security profiles like antivirus and web filtering inspect application-layer content and are independent of Layer 3 routing, making them available in transparent mode.

25
MCQ · medium

A network administrator configures a new FortiGate as the default gateway for a subnet. The FortiGate has two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to load-balance outbound traffic across both links. Which configuration method will achieve this goal?

A. Configure a single default gateway and rely on ARP for failover
B. Configure a policy route for each subnet directing traffic to a different ISP
C. Configure two static default routes with different distances
D. Configure two static default routes with the same distance and metric
Answer: D

ECMP uses routes with equal administrative distance and metric to distribute traffic across multiple paths.

Why this answer

Option D is correct because configuring two static default routes with the same distance and metric enables ECMP (Equal-Cost Multi-Path) routing on FortiGate. This allows the FortiGate to load-balance outbound traffic across both WAN interfaces (port1 and port2) using a per-flow or per-packet algorithm, distributing sessions between the two ISPs.

Exam trap

The trap here is that candidates often confuse ECMP (same distance/metric) with floating static routes (different distances), mistakenly thinking that multiple default routes with different distances will load-balance, when in fact they only provide failover.

How to eliminate wrong answers

Option A is wrong because relying on a single default gateway with ARP failover does not provide load balancing; it only offers failover if the gateway becomes unreachable, and ARP is not a load-balancing mechanism. Option B is wrong because policy routes direct traffic based on source/destination criteria, not for general load balancing of all outbound traffic; they are used for selective routing, not equal distribution across two default paths. Option C is wrong because configuring two static default routes with different distances creates a primary/backup scenario (floating static route), where only the route with the lower distance is active, and the other is used only if the primary fails—no load balancing occurs.

26
MCQ · medium

A company wants to ensure that administrative access to FortiGate is only allowed from the internal trusted network (192.168.1.0/24) and that all other access attempts are blocked. Which CLI command should the administrator configure first?

A. config system admin; edit admin; set trusthost 192.168.1.0 255.255.255.0; end
B. config system interface; edit port1; set allowaccess ping https ssh; end
C. config system global; set admin-http-redirect enable; end
D. set admin-sport 443
Answer: A

Trusted hosts restrict administrative access to specified source IPs.

Why this answer

Option A is correct because the `config system admin` command with `set trusthost` restricts administrative login attempts to only the specified source IP address or subnet. By setting `trusthost 192.168.1.0 255.255.255.0`, the FortiGate will only allow admin access from the 192.168.1.0/24 network, blocking all other sources. This is the foundational step to enforce source-based access control for administrative interfaces.

Exam trap

The trap here is that candidates often confuse `set allowaccess` (which enables protocols on an interface) with `set trusthost` (which restricts source IPs for admin login), leading them to select Option B thinking it controls who can access the device.

How to eliminate wrong answers

Option B is wrong because `config system interface` with `set allowaccess` controls which administrative protocols (e.g., HTTPS, SSH, PING) are enabled on a specific interface, not the source IP addresses allowed to connect. Option C is wrong because `config system global` with `set admin-http-redirect enable` only redirects HTTP admin traffic to HTTPS for encryption; it does not restrict the source network of admin access. Option D is wrong because `set admin-sport 443` changes the administrative HTTPS port to 443 (or another port), but it does not filter which source IPs can reach that port.

27
Multi-Select · medium

Which TWO of the following are valid methods to upgrade the FortiGate firmware? (Choose two.)

Select 2 answers
A. Use the GUI under System > Firmware.
B. Use the command 'execute upgrade image tftp <ip> <filename>'.
C. Use the command 'execute backup config tftp'.
D. Use the command 'execute reboot'.
E. Use the command 'execute restore config tftp'.
Answers: A, B

GUI provides a firmware upgrade option.

Why this answer

Option A is correct because the FortiGate GUI provides a dedicated interface under System > Firmware to upload and install firmware images, which is a standard and supported upgrade method. This method allows administrators to select a local or remote firmware file and apply it with minimal disruption when proper procedures are followed.

Exam trap

The trap here is that candidates may confuse backup/restore or reboot commands with firmware upgrade commands, or incorrectly assume that only GUI-based methods are valid, while the TFTP upgrade command is also a legitimate and commonly tested method.

28
MCQ · medium

An administrator needs to integrate a FortiGate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection refused' for FortiAnalyzer. What is the most likely cause?

A. The FortiAnalyzer is not registered with the FortiGate.
B. The FortiGate is not generating any logs.
C. The FortiAnalyzer SNMP community string is incorrect.
D. A firewall is blocking the required ports between FortiGate and FortiAnalyzer.
Answer: D

Ports 514/443 must be open.

Why this answer

The 'connection refused' error indicates that the FortiGate is attempting to establish a TCP connection to the FortiAnalyzer, but the FortiAnalyzer is actively rejecting the connection attempt. This is most commonly caused by a firewall (either on the network path or on the FortiAnalyzer itself) blocking the required ports, such as TCP 514 (syslog) or TCP 443/8443 (FortiGate-FortiAnalyzer protocol). Without proper port access, the TCP handshake fails, resulting in a connection refused message.

Exam trap

The trap here is that candidates often confuse 'connection refused' with 'no route to host' or 'timeout', and may incorrectly attribute the issue to registration or log generation rather than recognizing that a TCP-level rejection points to a firewall or port blocking issue.

How to eliminate wrong answers

Option A is wrong because the FortiAnalyzer does not need to be registered with the FortiGate; registration is in the opposite direction (the FortiGate registers with the FortiAnalyzer), and a missing registration would cause an authentication or authorization failure, not a TCP-level 'connection refused'. Option B is wrong because the FortiGate not generating logs would not cause a connection refused error; the error occurs during the initial connection setup, before any log data is transmitted. Option C is wrong because SNMP community strings are used for SNMP-based monitoring, not for FortiGate-FortiAnalyzer logging communication, which uses TCP-based protocols such as syslog or the FortiGate-FortiAnalyzer proprietary protocol.

29
MCQ · hard

A FortiGate is configured in an HA active-passive cluster. The primary unit fails. After the secondary takes over, a policy route configured on the primary is not working. What is the MOST likely reason?

A. The secondary unit does not support policy routes
B. The policy route configuration is not synchronized in HA
C. The HA cluster requires a reboot after failover
D. The policy route references an interface that does not exist on the new primary
Answer: D

If the secondary has different interface names or the policy route uses a specific interface index, it may not be valid.

Why this answer

When a FortiGate HA cluster fails over, the new primary unit assumes the configuration synchronized from the original primary. However, if a policy route references a specific interface (e.g., port1 or a VLAN subinterface) that is physically present on the failed unit but not on the new primary (or has a different name/index), the policy route will fail because the kernel cannot resolve the egress interface. FortiGate HA synchronizes the configuration, but interface mappings must match across cluster members for policy routes to work after failover.

Exam trap

The trap here is that candidates assume HA synchronizes everything perfectly, but they overlook that interface-dependent objects like policy routes can break if the physical interface mapping differs between cluster members.

How to eliminate wrong answers

Option A is wrong because FortiGate secondary units in an active-passive HA cluster fully support policy routes; there is no feature restriction based on role. Option B is wrong because HA synchronization includes policy route configuration by default (via the HA configuration synchronization mechanism), so the configuration is present on the secondary. Option C is wrong because HA failover does not require a reboot; the secondary takes over seamlessly without a reboot, and a reboot would only be needed if the cluster is recovering from a split-brain or other severe error.

30
MCQ · medium

A FortiGate administrator needs to integrate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection status: disconnected'. What is the most likely cause?

A. The FortiGate is in transparent mode.
B. The FortiAnalyzer firmware version is newer than the FortiGate's.
C. The administrator forgot to enable HTTPS for log upload.
D. The FortiGate does not have a route to the FortiAnalyzer.
Answer: D

Why this answer

The most likely cause is that the FortiGate does not have a route to the FortiAnalyzer. Even with the correct IP and logging enabled, the FortiGate must be able to reach the FortiAnalyzer over the network; without a valid route, the TCP connection (typically on port 514 for syslog or port 443/541 for FortiGate-FortiAnalyzer protocol) will fail, resulting in a 'disconnected' status.

Exam trap

The trap here is that candidates often assume a configuration or protocol mismatch (like HTTPS or firmware version) is the cause, when the fundamental issue is simple network reachability—FortiGate cannot connect to FortiAnalyzer without a valid route.

How to eliminate wrong answers

Option A is wrong because transparent mode does not inherently prevent connectivity to FortiAnalyzer; the FortiGate can still send logs as long as it has a management IP and a route. Option B is wrong because firmware version differences do not cause a 'disconnected' status; FortiAnalyzer and FortiGate can interoperate across versions, though some features may be limited. Option C is wrong because HTTPS is not required for log upload; FortiGate typically uses syslog (UDP/TCP 514) or the FortiGate-FortiAnalyzer protocol (TCP 541) for logging, and HTTPS is used for web management, not log transport.

31
MCQ · easy

A FortiGate is configured in transparent mode. Which of the following statements is true?

A. The FortiGate can have multiple routing tables
B. The FortiGate supports VLAN sub-interfaces
C. The FortiGate acts as a router and performs NAT
D. The FortiGate interfaces have IP addresses for management only
Answer: D

Interfaces are in bridge mode; a management IP is assigned to the bridge.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses rather than IP addresses. Interfaces do not require IP addresses for data forwarding; they only need IP addresses for management access (e.g., HTTPS, SSH, or SNMP). This makes option D correct.

Exam trap

The trap here is that candidates often assume transparent mode still supports routing or NAT because they confuse it with NAT/route mode, but transparent mode explicitly disables routing and NAT, focusing solely on Layer 2 bridging and firewall inspection.

How to eliminate wrong answers

Option A is wrong because transparent mode uses a single routing table (the management VDOM's routing table) and does not support multiple routing tables, which are a feature of NAT/route mode. Option B is wrong because VLAN sub-interfaces are not supported in transparent mode; the FortiGate treats VLANs as separate interfaces but cannot create sub-interfaces on physical ports. Option C is wrong because transparent mode does not perform routing or NAT; it acts as a transparent bridge, forwarding frames without modifying IP headers.

32
MCQ · hard

You run the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and see this output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A. The session is a TCP connection that has been active for 1 hour and will expire in 3599 seconds
B. The session is using TCP and has been open for 3600 seconds with a remaining lifetime of 3599 seconds, indicating it is a long-lived session
C. The session is UDP and the output indicates an ICMP error
D. There is a problem because the session duration equals the expire time, meaning it will be removed immediately
Answer: B

The output shows duration 3600 (seconds since session created) and expire 3599 (seconds until session removal). This is normal for a persistent HTTPS session.

Why this answer

Option B is correct because the output shows a TCP session (proto=6) with a duration of 3600 seconds (1 hour) and an expire value of 3599 seconds, meaning the session has been active for 3600 seconds and will be removed in 3599 seconds if no further traffic is seen. This indicates a long-lived session, typical for persistent connections like HTTPS, where the session timer resets with each packet.

Exam trap

The trap here is that candidates misinterpret 'duration' and 'expire' as being equal or see the large numbers and assume a problem, when in fact the values indicate a normal long-lived session with the TCP timeout nearly reached but not expired.

How to eliminate wrong answers

Option A is wrong because it states the session has been active for 1 hour and will expire in 3599 seconds, which is factually correct but does not address the key implication that this is a long-lived session, making it incomplete rather than technically incorrect; however, the question asks what the output indicates, and B provides the full interpretation. Option C is wrong because proto=6 is TCP (not UDP), and the output shows a TCP state (proto_state=01, which is TCP_ESTABLISHED), not an ICMP error. Option D is wrong because the duration (3600) and expire (3599) are not equal; they differ by 1 second, and the session is not being removed immediately—expire indicates remaining lifetime, not a problem.

33
Matching · medium

Match each Fortinet security feature to its primary function.

Matches

Detects and prevents network intrusions

Identifies and controls application traffic

Blocks access to malicious or unauthorized websites

Scans and removes malware from traffic

Decrypts and inspects encrypted traffic

Why these pairings

These are core UTM features of FortiGate.

34
MCQ · medium

A network administrator has configured a static route on a FortiGate with a distance of 10 and a priority of 0. Later, they add another static route to the same destination with a distance of 15 and priority of 0. Which route will be used for traffic forwarding?

A. The route with distance 15 because it has a higher priority
B. Both routes will be used for ECMP load balancing
C. The route with distance 15 will be used because it was added last
D. The route with distance 10 because it has a lower administrative distance
Answer: D

Correct. FortiGate selects the route with the lowest administrative distance. If distances are equal, then priority is used as a tiebreaker.

Why this answer

The correct answer is D because the FortiGate uses administrative distance as the primary metric for route selection when multiple static routes exist to the same destination. A lower administrative distance (10) is preferred over a higher one (15), regardless of the order in which the routes were added. Priority (0 in both cases) is a tie-breaker only when distances are equal, so it does not affect this decision.

Exam trap

The trap here is that candidates often confuse administrative distance with priority or assume that the most recently added route takes precedence, but FortiGate strictly follows the lower administrative distance rule for route selection.

How to eliminate wrong answers

Option A is wrong because a higher distance value indicates lower preference, not higher priority; administrative distance is the primary metric, and lower is better. Option B is wrong because ECMP (Equal-Cost Multi-Path) requires routes to have the same administrative distance and metric; here distances differ (10 vs 15), so ECMP does not apply. Option C is wrong because the FortiGate does not use the order of addition as a routing decision factor; the route with the lower administrative distance is always preferred, regardless of which was added last.

35
MCQ · medium

A FortiGate is configured with two WAN interfaces in an active-passive HA cluster. The administrator notices that the passive unit is not synchronizing configuration changes from the active unit. What is the MOST likely cause?

A. The HA heartbeat interface is not configured or is down.
B. The passive unit has a different firmware version.
C. The HA mode is set to active-active instead of active-passive.
D. The administrator must manually trigger a sync from the active unit.
Answer: A

Configuration synchronization occurs over the heartbeat link. If it's not working, sync fails.

Why this answer

In an HA cluster, the heartbeat interface is responsible for synchronizing configuration changes and monitoring peer status between the active and passive units. If the heartbeat interface is not configured or is down, the passive unit cannot receive configuration updates from the active unit, leading to a synchronization failure. This is the most likely cause because without a functional heartbeat link, the cluster cannot maintain state or configuration consistency.

Exam trap

The trap here is that candidates often assume synchronization is triggered manually or that HA mode affects sync behavior, but FortiGate HA relies entirely on a functional heartbeat link for automatic configuration replication, regardless of the active-passive or active-active mode.

How to eliminate wrong answers

Option B is wrong because, while different firmware versions can cause compatibility issues, the HA cluster would typically fail to form or log a version mismatch error, and the passive unit would not even join the cluster; the question states the passive unit is present but not synchronizing, so a missing or down heartbeat is more likely. Option C is wrong because the HA mode (active-active vs. active-passive) affects failover behavior and load sharing, not the synchronization mechanism itself; both modes use the heartbeat interface for sync, so changing the mode would not prevent sync if the heartbeat is functional. Option D is wrong because configuration synchronization in FortiGate HA is automatic and continuous via the heartbeat link; there is no manual trigger required from the active unit. If the heartbeat is up, sync happens automatically.

36
MCQ · hard

A FortiGate is configured with two equal-cost default routes to different ISPs. The administrator notices that traffic for a specific destination is load-balanced across both links as expected. However, they want all traffic from a specific source IP to use only ISP1, while other traffic remains load-balanced. Which configuration should be applied?

A. Increase the administrative distance of the ISP2 default route to 20
B. Create a policy route with source address set to the specific IP and set the gateway to ISP1
C. Configure SD-WAN rules to steer the traffic
D. Add a static host route for the specific source IP via ISP1
Answer: B

Policy routes match before the routing table and can steer traffic to a specific gateway.

Why this answer

Policy routing allows you to override the routing table for specific traffic based on criteria such as source IP. By creating a policy route that matches the specific source IP and sets the next-hop gateway to ISP1, you ensure that traffic from that source always uses ISP1, while all other traffic continues to be load-balanced across both equal-cost default routes. This is the most direct and flexible method for source-based path selection without altering the global routing behavior.

Exam trap

The trap here is that candidates often confuse policy routing with static routing or administrative distance changes, mistakenly thinking that modifying route preference or adding a host route for the source IP will achieve source-based forwarding, when in fact policy routing is the only method that allows traffic selection based on source IP without affecting other traffic.

How to eliminate wrong answers

Option A is wrong because increasing the administrative distance of the ISP2 default route to 20 would make it less preferred than the ISP1 route (default AD 10), causing all traffic to use ISP1 only, not just traffic from the specific source IP. Option C is wrong because SD-WAN rules are designed for advanced traffic steering and load balancing across multiple WAN links, but they require SD-WAN to be enabled and configured, which is an unnecessary complexity for this simple source-based policy requirement; a policy route is the standard and simpler solution. Option D is wrong because a static host route is used for a specific destination IP, not a source IP; adding a static host route for the source IP would be syntactically incorrect and would not achieve the desired behavior.

37
Multi-Select · hard

An administrator is configuring a FortiGate in transparent mode and needs to forward traffic between two VLANs. Which three configurations are required? (Choose three.)

Select 3 answers
A. Enable NAT on the policies to translate addresses between VLANs
B. Assign an IP address to each VLAN subinterface for management
C. Create VLAN subinterfaces on the physical interface for each VLAN
D. Create firewall policies to allow traffic between the VLANs
E. Configure static routes to route between VLANs
Answers: B, C, D

In transparent mode, traffic forwarding between VLANs happens at Layer 2, so the FortiGate needs interfaces (VLAN subinterfaces) in both VLANs. A management IP is set for the VDOM rather than necessarily on each VLAN, but the subinterfaces usually carry an IP for management, and any Layer 3 inspection requires the FortiGate to have IPs on those subnets, so the subinterface IPs are likely needed as well.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge, so VLAN subinterfaces must be created on the physical interface to tag and separate traffic for each VLAN (Option C). An IP address must be assigned to each VLAN subinterface for management access (Option B), as the FortiGate does not route between VLANs at Layer 3 but still needs an IP to be reachable for administration. Firewall policies are required to control and allow traffic between VLANs (Option D), even in transparent mode, because the FortiGate applies security rules to Layer 2 forwarded frames.

Exam trap

The trap here is that candidates assume transparent mode requires routing or NAT for inter-VLAN communication, but FortiGate in transparent mode bridges VLANs at Layer 2, relying on an external router for Layer 3 forwarding.

38
MCQ · medium

A FortiGate administrator wants to send logs to a FortiAnalyzer. The FortiAnalyzer IP is 192.168.1.100, and logging is configured under Log & Report. However, no logs are being received. Which command should the administrator use on the FortiGate to verify connectivity to the FortiAnalyzer?

A. diagnose log device status
B. execute ping 192.168.1.100
C. show full-configuration log fortianalyzer
D. get system ha status
Answer: A

This command shows the status of log devices, including connection state and last log time.

Why this answer

Option A is correct because the 'diagnose log device status' command specifically checks the connectivity status and last-acknowledged sequence number between the FortiGate and the configured FortiAnalyzer. This command verifies whether the FortiGate can reach the FortiAnalyzer at the logging protocol level (FGFM), which is essential for log transmission, unlike a basic ICMP ping that only tests network-layer reachability.

Exam trap

The trap here is that candidates assume a successful ping (Option B) proves log connectivity, but the NSE4 exam tests the distinction between network-layer reachability and application-layer log protocol status, making the diagnostic command the only correct verification method.

How to eliminate wrong answers

Option B is wrong because 'execute ping 192.168.1.100' only tests basic ICMP reachability at the network layer; it does not verify that the FortiAnalyzer is accepting logs or that the FGFM (FortiGate-to-FortiAnalyzer) tunnel is established. Option C is wrong because 'show full-configuration log fortianalyzer' displays the current logging configuration (e.g., IP, encryption settings) but does not test live connectivity or the status of the log transmission channel. Option D is wrong because 'get system ha status' shows High Availability cluster state and has no relevance to FortiAnalyzer connectivity or log forwarding.

39
MCQ · hard

An administrator needs to configure a FortiGate to send logs to two different syslog servers for redundancy. Which configuration method should be used?

A. Under 'config log syslogd setting', set 'status enable' and then add multiple servers using 'set server <ip1> <ip2>'.
B. Configure two separate log settings for each server.
C. Configure one syslog server and use a load balancer.
D. Use a FortiAnalyzer to forward logs to syslog servers.
Answer: A

Multiple servers can be added in a space-separated list.

Why this answer

Option A is correct because FortiGate's syslog configuration allows you to specify multiple syslog servers in a single 'config log syslogd setting' block by using the 'set server' command with a space-separated list of IP addresses. This enables redundant log delivery without requiring separate configuration blocks or external devices. The FortiGate will attempt to send logs to the first server; if it fails, it automatically fails over to the next server in the list.

Exam trap

The trap here is that candidates mistakenly think they need to create separate syslog configuration blocks (Option B) or use external devices (Option C), when FortiGate's native 'set server' command with multiple IPs provides built-in redundancy without additional configuration complexity.

How to eliminate wrong answers

Option B is wrong because FortiGate does not support configuring two separate 'log syslogd setting' blocks; you can only have one syslogd setting per VDOM, and attempting to create a second would overwrite the first. Option C is wrong because using an external load balancer introduces unnecessary complexity and a single point of failure, whereas FortiGate natively supports multiple syslog servers for redundancy without additional hardware. Option D is wrong because FortiAnalyzer is a log management and analysis tool, not a syslog forwarder; while it can forward logs to syslog servers, this adds an extra hop and is not the direct, native method for sending logs to two syslog servers from the FortiGate itself.

40
MCQ · easy

Which command is used to display the current FortiGate firmware version?

A. get system statistics
B. get hardware status
C. get system status
D. get system performance status
Answer: C

Displays firmware version and other system info.

Why this answer

The 'get system status' command is the correct way to display the current FortiGate firmware version. This command outputs a comprehensive summary of the system state, including the firmware version (e.g., FortiOS v7.4.0), the system uptime, serial number, and HA status. It is the standard CLI command for verifying the exact build and patch level of the FortiGate.

Exam trap

The trap here is that candidates often confuse 'get system status' with 'get system statistics' because both commands start with 'get system', but only 'get system status' provides the firmware version, while 'get system statistics' focuses on performance counters.

How to eliminate wrong answers

Option A is wrong because 'get system statistics' displays real-time traffic statistics such as CPU and memory usage, session counts, and packet rates, not the firmware version. Option B is wrong because 'get hardware status' shows hardware-related information like chassis temperature, fan speed, and power supply status, not the firmware version. Option D is wrong because 'get system performance status' provides a snapshot of system performance metrics (e.g., CPU load, memory utilization, disk usage) but does not include the firmware version.

41
Multi-Select · hard

A FortiGate is configured in an HA cluster with two units. The cluster is working, but the administrator wants to ensure that configuration changes made on the primary unit are automatically synchronized to the secondary unit. Which two conditions must be met? (Choose two.)

Select 2 answers
A. The HA configuration must be properly set with a valid group ID and password
B. Both units must have the same firmware version and license
C. The heartbeat interface must be operational and configured correctly
D. The HA cluster must be configured with a virtual MAC address
E. VDOM mode must be enabled on both units
Answers: A, C

A valid HA configuration is necessary for cluster formation and synchronization.

Why this answer

Option A is correct because the HA group ID and password are essential for the cluster to identify and authenticate members. Without a matching group ID and password, the secondary unit will not accept configuration synchronization from the primary, as these parameters ensure that only authorized units participate in the cluster and receive configuration updates.

Exam trap

The trap here is that candidates often assume firmware and license matching (Option B) is required for config sync, but FortiGate HA only requires the same firmware version for cluster formation, not for the sync process itself, and licenses do not affect synchronization.

42
MCQ · easy

Which FortiGate operating mode is used when the device acts as a Layer 2 bridge without performing NAT?

A. HA mode
B. Transparent mode
C. VPN mode
D. NAT/Route mode
Answer: B

Transparent mode acts as a Layer 2 bridge.

Why this answer

Transparent mode (Option B) is correct because in this mode the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses without performing any NAT or routing. The device is invisible to the network, and all interfaces share the same IP subnet, allowing it to inspect and filter traffic at the application layer while remaining transparent to connected devices.

Exam trap

The trap here is that candidates often confuse Transparent mode with NAT/Route mode, assuming that a firewall must always route or perform NAT, when in fact Transparent mode allows Layer 2 inspection without altering the IP path.

How to eliminate wrong answers

Option A is wrong because HA mode (High Availability) is a clustering configuration for redundancy and failover, not an operating mode that determines Layer 2 bridging or NAT behavior. Option C is wrong because VPN mode is not a standard FortiGate operating mode; VPNs are configured as features within either NAT/Route or Transparent mode. Option D is wrong because NAT/Route mode operates at Layer 3, performing routing and NAT by default, which contradicts the requirement of acting as a Layer 2 bridge without NAT.

43
MCQ · easy

A network administrator needs to allow SSH access to the FortiGate from a management subnet 10.0.1.0/24. Which configuration step is required on the interface connected to that subnet?

A. Enable HTTPS administrative access only
B. Set the administrative access to 'any'
C. Enable SSH administrative access on the interface
D. Configure a firewall policy allowing SSH from the subnet
Answer: C

SSH must be enabled on the interface for SSH connections to be accepted.

Why this answer

Option C is correct because to allow SSH access to the FortiGate from a specific subnet, you must enable SSH administrative access on the interface connected to that subnet. This setting controls which management protocols are permitted to reach the FortiGate itself at the interface level, independent of firewall policies. Without enabling SSH on the interface, the FortiGate will drop SSH packets at Layer 3 before any policy lookup occurs.

Exam trap

The trap here is that candidates often assume a firewall policy is sufficient to allow management traffic, forgetting that administrative access must be explicitly enabled on the interface for protocols like SSH, HTTPS, or Telnet.

How to eliminate wrong answers

Option A is wrong because enabling only HTTPS administrative access would allow HTTPS but not SSH; SSH requires its own administrative access toggle on the interface. Option B is wrong because there is no 'any' administrative access setting; administrative access is configured per protocol (e.g., HTTPS, SSH, PING) and cannot be set to a wildcard value. Option D is wrong because a firewall policy allowing SSH from the subnet is not sufficient; the interface-level administrative access must first permit SSH management traffic, otherwise the FortiGate discards the packets before they reach the firewall engine.

44
MCQ · medium

A FortiGate administrator wants to integrate the FortiGate with a FortiAnalyzer for centralized logging. Which configuration step is required on the FortiGate?

A. Create a firewall policy allowing traffic from FortiAnalyzer to the FortiGate
B. Configure a syslog server pointing to the FortiAnalyzer IP
C. Enable 'Send Logs to FortiAnalyzer' under Log Settings and specify the FortiAnalyzer IP
D. Configure an SNMP community on the FortiAnalyzer
Answer: C

This is the correct method to integrate with FortiAnalyzer.

Why this answer

Option C is correct because FortiGate integrates natively with FortiAnalyzer via the 'Send Logs to FortiAnalyzer' setting under Log Settings. This uses FortiGate's proprietary logging protocol (not syslog) to securely forward logs to the FortiAnalyzer IP, enabling centralized log management and analysis without additional firewall policies for inbound traffic.

Exam trap

The trap here is that candidates confuse native FortiAnalyzer logging with syslog, selecting Option B because they assume all log forwarding uses syslog, but FortiGate uses a proprietary protocol for FortiAnalyzer integration.

How to eliminate wrong answers

Option A is wrong because FortiGate initiates outbound log connections to FortiAnalyzer, so no inbound firewall policy is required; the traffic flows from FortiGate to FortiAnalyzer, not the reverse. Option B is wrong because FortiAnalyzer integration uses FortiGate's native FortiAnalyzer logging protocol, not syslog; configuring a syslog server would send logs in syslog format, which FortiAnalyzer can receive but is not the required step for native integration. Option D is wrong because SNMP is used for monitoring and traps, not for centralized logging; FortiAnalyzer does not require an SNMP community for log reception.

45
MCQ · easy

What is the primary purpose of configuring a loopback interface on a FortiGate?

A. To provide a stable IP address for management and routing protocols
B. To aggregate bandwidth from multiple physical interfaces
C. To enable NAT for internal networks
D. To increase the number of available physical ports
Answer: A

Loopback interfaces are always up and provide a consistent IP for management and routing.

Why this answer

A loopback interface on a FortiGate is a virtual interface that is always up, independent of physical link states. It provides a stable and reachable IP address for management access (e.g., HTTPS, SSH) and for routing protocols like OSPF or BGP to use as the router ID or source interface, ensuring consistent connectivity even if physical interfaces fail.

Exam trap

The trap here is that candidates often confuse a loopback interface with a physical interface used for link aggregation or NAT, not realizing its primary role is to provide a stable, always-up logical endpoint for management and routing protocol stability.

How to eliminate wrong answers

Option B is wrong because aggregating bandwidth from multiple physical interfaces is achieved through link aggregation (LACP or static aggregation), not a loopback interface. Option C is wrong because NAT for internal networks is configured using policies and IP pools, not by creating a loopback interface. Option D is wrong because a loopback interface is virtual and does not increase the number of physical ports; it only provides a logical addressing endpoint.

46
MCQ · medium

A FortiGate administrator wants to synchronize the system time with an external NTP server. Which CLI command should be used to configure the NTP server?

A. execute date
B. diagnose ntp status
C. config system ntp
D. config system global
Answer: C

This enters NTP configuration mode to add servers.

Why this answer

Option C is correct because the `config system ntp` command enters the NTP configuration context in FortiOS, where you can specify NTP servers, authentication, and synchronization settings. This is the standard CLI path for configuring NTP on FortiGate devices, as opposed to other commands that only display status or set the date manually.

Exam trap

The trap here is that candidates confuse `config system ntp` with `config system global` because both are under the `config system` hierarchy, but NTP configuration has its own dedicated subcommand and is not a global setting.

How to eliminate wrong answers

Option A is wrong because `execute date` is used to manually set the system date and time, not to configure an NTP server for automatic synchronization. Option B is wrong because `diagnose ntp status` is a diagnostic command that shows the current NTP synchronization status, not a configuration command. Option D is wrong because `config system global` is used for global system settings like hostname and admin password, not for NTP server configuration.

47
MCQ · medium

An administrator wants to synchronize the FortiGate's time with a reliable NTP server. After configuring the NTP server, they notice the time is still incorrect. What could be the issue?

A. The FortiGate does not have a firewall policy allowing NTP traffic from the FortiGate itself
B. The NTP server is not reachable due to a missing route
C. The FortiGate does not support NTP
D. The NTP server is not configured correctly
Answer: A

Traffic from the FortiGate to the NTP server must be allowed by a policy.

Why this answer

By default, FortiGate does not allow traffic sourced from its own IP addresses, including NTP queries, to pass through its interfaces unless an explicit firewall policy permits it. Even if the NTP server is reachable via routing, the FortiGate's own NTP client traffic is subject to the same policy enforcement as any other traffic. Therefore, a firewall policy must be created with the source set to the FortiGate's interface IP and the destination set to the NTP server to allow NTP (UDP port 123) traffic outbound.

Exam trap

The trap here is that candidates assume NTP traffic is automatically allowed for management purposes, but FortiGate treats all traffic, including its own, as subject to firewall policies, so a missing explicit policy is a common oversight.

How to eliminate wrong answers

Option B is wrong because a missing route would cause the NTP server to be unreachable, but the question states the administrator configured the NTP server and noticed the time is still incorrect, implying the server is reachable at the network layer; the issue is policy-based, not routing. Option C is wrong because FortiGate fully supports NTP (RFC 1305) for time synchronization, and this is a standard feature in FortiOS. Option D is wrong because the NTP server configuration (IP address or hostname) may be correct, but without a firewall policy to permit the outbound NTP traffic from the FortiGate itself, the synchronization will fail regardless of server correctness.

48
Multi-Select · medium

An administrator is configuring a new FortiGate and wants to ensure it can be managed centrally via FortiManager. Which two steps are required? (Choose two.)

Select 2 answers
A. Enable HTTPS access on the management interface.
B. Configure SNMP community for FortiManager to poll.
C. Enable FortiManager on the interface used for management.
D. Set the FortiManager IP address under 'config system central-management'.
E. Create a firewall policy allowing FortiManager access from the management subnet.
Answers: C, D

Why this answer

Option C is correct because FortiGate requires the 'FortiManager' feature to be explicitly enabled on the management interface to allow FortiManager to establish a connection. Option D is correct because the FortiManager IP address must be set under 'config system central-management' to define the central management server. Without these two steps, FortiManager cannot discover or manage the FortiGate.

Exam trap

The trap here is that candidates often think a firewall policy is needed for FortiManager traffic, but FortiManager uses an outbound-initiated FGFM tunnel that bypasses normal firewall policies, making option E a common distractor.

49
MCQ · medium

You run the following CLI commands on a FortiGate:

diagnose sys session filter dport 443
diagnose sys session list

and see the output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A. The session is a UDP session to port 443
B. The session is in a CLOSE state
C. The session is a TCP connection to port 443 that was just established and will expire in about 1 hour
D. The session has been active for 1 hour and has 1 second remaining before expiry
Answer: C

A duration of 3600 seconds (1 hour) together with an expire value of 3599 seconds (almost 1 hour remaining) indicates a new session.

Why this answer

The command `diagnose sys session filter dport 443` filters sessions to destination port 443, and `diagnose sys session list` displays matching sessions. The output shows `proto=6`, which is the protocol number for TCP, and `expire=3599` seconds, indicating the session will expire in about 1 hour (3600 seconds total). The `proto_state=01` corresponds to TCP state ESTABLISHED, meaning the session is active and just established, not closing.

Therefore, option C is correct.

Exam trap

The trap here is that candidates confuse `duration` (time since session started) with `expire` (time remaining), or misinterpret `proto=6` as UDP because port 443 is commonly associated with HTTPS/TLS, but the protocol field explicitly shows TCP.

How to eliminate wrong answers

Option A is wrong because `proto=6` indicates TCP, not UDP (UDP is protocol 17). Option B is wrong because `proto_state=01` represents TCP ESTABLISHED state, not CLOSE (which would be state 07 or 08). Option D is wrong because `duration=3600` means the session has been active for 1 hour, but `expire=3599` means there are 3599 seconds (about 1 hour) remaining before expiry, not 1 second.

50
Multi-Select · hard

An administrator is troubleshooting a FortiGate that is not passing traffic. The policy allows traffic, but the session table shows no sessions. Which three steps should the administrator take to diagnose the issue? (Choose three.)

Select 3 answers
A. Verify the interface status and link state.
B. Run 'diagnose npu np6 show' to check offloading.
C. Check the ARP table to ensure the next-hop MAC is resolved.
D. Examine the routing table for the destination network.
E. Disable the firewall policy and check if traffic flows.
Answers: A, C, D

An interface that is down would stop traffic entirely.

Why this answer

Option A is correct because if the interface is down or has a link issue, the FortiGate cannot send or receive any traffic, resulting in no sessions being created even if the policy allows traffic. Verifying interface status and link state is a fundamental first step in troubleshooting connectivity issues, as it ensures the physical or logical layer is operational before checking higher-layer configurations.

Exam trap

The trap here is that candidates may assume a policy allowing traffic guarantees session creation, but they overlook that the FortiGate must first be able to physically receive and forward the traffic, which depends on interface, ARP, and routing being correctly configured.

51
MCQ · hard

A FortiGate in an HA active-passive cluster is experiencing failover events. The administrator runs 'get system ha status' and sees that the 'sync status' is 'out of sync'. What is the most likely cause?

A. The HA mode is set to active-active.
B. The session synchronization is disabled.
C. The passive unit has a different firmware version.
D. The heartbeat interface is down.
Answer: C

Why this answer

In an HA active-passive cluster, the 'sync status' indicates whether configuration and session data are synchronized between the primary and secondary units. When the passive unit has a different firmware version, the FortiGate cannot synchronize its configuration or sessions because the data structures and features may differ between versions, leading to an 'out of sync' status. This is a common prerequisite: both units must run the exact same firmware image for HA synchronization to function.

Exam trap

The trap here is that candidates often confuse 'session synchronization' with 'configuration synchronization' and assume that disabling session sync (Option B) would cause the 'sync status' to show 'out of sync', but the command output specifically reflects configuration sync status, not session sync.

How to eliminate wrong answers

Option A is wrong because setting the HA mode to active-active does not directly cause an 'out of sync' status; active-active mode still requires synchronization between units, and the sync status would reflect issues like version mismatch or heartbeat failure, not the mode itself. Option B is wrong because disabling session synchronization would only affect session failover capability, not the configuration sync status; the 'sync status' field primarily reflects configuration synchronization, and even with session sync disabled, configuration sync can still be 'in sync'. Option D is wrong because if the heartbeat interface is down, the HA cluster would likely detect a link failure and trigger a failover or show 'heartbeat lost' rather than 'out of sync'; the 'sync status' specifically tracks data synchronization, not heartbeat connectivity.

52
MCQ · medium

An administrator wants to aggregate two physical interfaces (port1 and port2) on a FortiGate to increase bandwidth and provide redundancy. Which interface type should be created?

A. Aggregate interface
B. Loopback interface
C. VLAN interface
D. Software switch interface
Answer: A

Aggregate interfaces (LAG) provide increased bandwidth and redundancy.

Why this answer

An aggregate interface (also known as a Link Aggregation Group or LAG) combines multiple physical interfaces into a single logical link, increasing bandwidth and providing redundancy. This is the correct choice because it directly supports the administrator's goal of aggregating port1 and port2 on a FortiGate, using the IEEE 802.3ad standard (LACP) or static aggregation.

Exam trap

The trap here is that candidates often confuse a software switch interface with link aggregation, but a software switch simply bridges ports at Layer 2 without the load-balancing and failover mechanisms of an aggregate interface.

How to eliminate wrong answers

Option B is wrong because a loopback interface is a virtual interface used for management or routing protocol stability, not for aggregating physical links. Option C is wrong because a VLAN interface is a logical interface for 802.1Q VLAN tagging on a single physical or aggregate interface, not a method to combine multiple physical ports. Option D is wrong because a software switch interface creates a Layer 2 bridge between ports, but it does not provide link aggregation for increased bandwidth or redundancy in the same way as an aggregate interface.

53
Multi-Select · medium

An administrator needs to integrate a FortiGate with FortiManager for centralized management. Which two steps are required? (Choose two.)

Select 2 answers
A. Enable SNMP on the FortiGate to allow FortiManager to monitor.
B. Configure a firewall policy allowing traffic from FortiGate to FortiManager on port 541 (FGFM).
C. Configure a VPN tunnel between FortiGate and FortiManager.
D. Configure the FortiGate to connect to FortiManager using the 'execute fortimanager register' command.
E. Set the FortiGate's operation mode to transparent.
Answers: B, D

FortiGate-FortiManager communication uses port 541 (FGFM) and must be allowed.

Why this answer

Option B is correct because FortiGate and FortiManager communicate using the FortiGate-to-FortiManager (FGFM) protocol over TCP port 541. A firewall policy must be configured on the FortiGate to allow outbound traffic to the FortiManager on this port, enabling registration and ongoing management. Option D is correct because the 'execute fortimanager register' command is the standard CLI method to initiate the registration process, providing the FortiManager IP address and optional registration code.

Exam trap

The trap here is that candidates often confuse SNMP (monitoring) or VPN (tunneling) as requirements for FortiManager integration, when in fact the FGFM protocol on TCP 541 and the registration command are the only mandatory steps.

54
MCQ · easy

What is the default administrative account on a FortiGate?

A. master
B. root
C. guest
D. admin
Answer: D

'admin' is the default administrative account.

Why this answer

The default administrative account on a FortiGate is 'admin'. This account is created automatically during the initial boot process and has full super-admin privileges, allowing complete access to the device's configuration and management interfaces. It is the only default account with administrative rights, and its password must be set during initial setup.

Exam trap

The trap here is that candidates may confuse the FortiGate default admin account with the default accounts of other operating systems or network devices, such as 'root' on Linux or 'master' on Cisco, leading them to select the wrong option.

How to eliminate wrong answers

Option A is wrong because 'master' is not a default account on FortiGate; it is a common default account on some other network devices like Cisco switches. Option B is wrong because 'root' is the default administrative account on Unix/Linux systems, not on FortiGate, which runs a proprietary FortiOS. Option C is wrong because 'guest' is a default read-only account on FortiGate, not an administrative account; it is intended for limited monitoring access without configuration privileges.

55
MCQ · medium

An administrator is troubleshooting a connectivity issue. A ping from the FortiGate to 8.8.8.8 succeeds, but traffic from internal hosts to the internet is failing. The firewall policy allows the traffic. What is the most likely cause?

A. The default route on the FortiGate is missing
B. The internal hosts have the wrong default gateway configured
C. DNS resolution is failing
D. The FortiGate's interface to the internal network is down
Answer: B

If hosts point to a wrong gateway, traffic won't reach the FortiGate.

Why this answer

Since the FortiGate can ping 8.8.8.8, its default route and internet connectivity are working. The issue is that internal hosts cannot reach the internet, which points to a Layer 3 forwarding problem at the host level. The most likely cause is that the internal hosts have the wrong default gateway configured, so their traffic is not being sent to the FortiGate for routing.

Exam trap

The trap here is that candidates assume a successful ping from the FortiGate implies end-to-end connectivity, overlooking that the internal hosts' default gateway configuration is independent of the FortiGate's own routing table.

How to eliminate wrong answers

Option A is wrong because if the default route on the FortiGate were missing, the FortiGate itself would not be able to ping 8.8.8.8, but the ping succeeded. Option C is wrong because DNS resolution failure would prevent name resolution, but the question describes a connectivity issue where traffic to the internet is failing, and the ping to 8.8.8.8 uses an IP address, not a hostname, so DNS is not the bottleneck. Option D is wrong because if the FortiGate's interface to the internal network were down, the FortiGate would not be able to communicate with internal hosts at all, but the firewall policy allows the traffic and the FortiGate can still ping external IPs, indicating the internal interface is operational.

56
MCQ · easy

Which of the following statements about FortiGate backup is true?

A. The backup includes all current sessions and logs
B. The backup file contains the full configuration and can be encrypted with a password
C. A backup can be restored only on the same hardware model
D. Backup files are saved in plain text format
Answer: B

Backups are encrypted and can have a password for extra security.

Why this answer

Option B is correct because FortiGate backup files contain the full device configuration, including all settings and policies, and can be encrypted with a password using the 'execute backup config' command with the 'password' option. This ensures confidentiality during storage or transfer, as the backup is stored in a binary format that requires the password for decryption during restoration.

Exam trap

The trap here is that candidates assume a backup captures runtime state such as sessions and logs. It does not: only the configuration is backed up, and sessions and logs are volatile data kept separately. The model question is subtler than it looks: the restore checks the model and firmware build recorded in the file's first line, so a configuration is normally restored to the same model and version, and moving it elsewhere is an edit-and-restore exercise rather than something the restore accepts as is.

How to eliminate wrong answers

Option A is wrong because FortiGate backups do not include current sessions or logs; sessions live in memory and logs are stored on local disk or an external log server, and only the configuration is backed up. Option C is wrong in the exam's terms because a configuration can be moved to another model, but not as a straight restore: the first line of the file records the model and firmware build, so a cross-model move means editing that header and fixing interface names that differ between platforms. Option D is wrong because backups are not always plain text: an unencrypted backup is indeed a readable text file (which is why it must be protected, since it carries hashed admin passwords, pre-shared keys and community strings), but as soon as a password is supplied the file is encrypted and unreadable without it.

57
MCQmedium

An administrator needs to configure a loopback interface on a FortiGate for management purposes. Which of the following is true regarding loopback interfaces?

A.Loopback interfaces are virtual and can be used as source IP for management traffic.
B.Loopback interfaces require a physical port to be associated.
C.Loopback interfaces cannot be used in firewall policies.
D.Loopback interfaces are only available in transparent mode.
AnswerA

Why this answer

Loopback interfaces are virtual interfaces that are always up and do not depend on the physical link state. They can be assigned an IP address and used as the source IP for management traffic (e.g., SNMP, syslog, NTP, or administrative access), ensuring consistent reachability even if physical interfaces fail. This makes option A correct.

Exam trap

The trap here is that candidates often assume loopback interfaces are only for routing protocols or require a physical link, but FortiGate allows them to serve as stable management endpoints independent of physical interface status.

How to eliminate wrong answers

Option B is wrong because loopback interfaces are purely virtual; they are created with 'set type loopback' under 'config system interface' and have no physical port association. Option C is wrong because loopback interfaces can be used in firewall policies like any other interface; in fact a firewall policy from the ingress interface to the loopback interface is required before the FortiGate accepts management traffic addressed to the loopback IP, because that traffic is treated as passing from one interface to another. Option D is wrong because loopback interfaces are a standard feature of NAT/route mode operation; nothing about them is specific to transparent mode.
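Added example, not from the original page: a management loopback, the firewall policy that is needed before the FortiGate accepts connections to its loopback address, and the loopback used as the source address for syslog. Interface names, addresses and the syslog server are assumed for illustration:

```fortios
config system interface
    edit "lo-mgmt"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping https ssh
    next
end
config firewall address
    edit "mgmt-hosts"
        set subnet 10.20.0.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set name "mgmt-to-loopback"
        set srcintf "port2"
        set dstintf "lo-mgmt"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
    next
end
config log syslogd setting
    set status enable
    set server "10.20.0.50"
    set source-ip 10.255.255.1
end
```

The policy is the step people miss: traffic to a loopback address is treated as passing from the ingress interface (port2 here) to the loopback interface, so without a policy it is dropped even though 'allowaccess' is set on the loopback.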

58
Multi-Selecteasy

An admin is configuring ECMP (Equal Cost Multi-Path) on a FortiGate with two ISPs. Which TWO conditions must be met for ECMP to load balance traffic across both links? (Choose two.)

Select 2 answers
A.The routes must be configured with the same metric
B.The routes must have the same priority
C.The FortiGate must be in transparent mode
D.The routes must have the same administrative distance
E.The routes must point to different next-hop IP addresses
AnswersB, D

Equal distance keeps both routes in the routing table; equal priority makes them equal cost.

Why this answer

ECMP requires multiple routes to the same destination that the FortiGate considers equal. A FortiGate static route has two values that decide this: administrative distance, which decides whether the route is installed in the routing table at all when another route to the same destination exists, and priority, which breaks ties among routes that are already in the table. Both default routes must have the same distance and the same priority to be treated as equal cost and used for load balancing.

If either value differs, one route will be preferred over the other, and ECMP will not activate.

Exam trap

The trap here is the word 'metric' in option A: FortiGate static routes have no metric field (distance and priority fill that role), so option A names a setting that does not exist. Option E describes how two ISP routes look in practice (different gateways on different interfaces), but that is the shape of the routes, not the equality condition the question asks about.
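As an added example (not part of the original question bank), here is a FortiOS configuration that satisfies both conditions for two default routes. The interface names wan1/wan2 and the gateway addresses are assumed for illustration:

```fortios
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 1
    next
end
config system settings
    set v4-ecmp-mode source-ip-based
end
```

If either the distance or the priority differs, only the better route carries traffic and the other stays in the table as a standby. 'get router info routing-table all' should list two 'S*' entries for 0.0.0.0/0 with identical bracketed values, and 'v4-ecmp-mode' chooses how flows are spread across them (source-ip-based is the default; weight-based, usage-based and source-dest-ip-based are the alternatives).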

59
MCQmedium

A FortiGate administrator configures SNMPv2c on the FortiGate to send traps to a monitoring server. However, no traps are received. The monitoring server can ping the FortiGate. What is the MOST likely cause?

A.SNMPv2c is not supported on FortiGate; only v3 is supported.
B.The FortiGate's firewall policy blocks SNMP traffic from the monitoring server.
C.The SNMP community string does not match between FortiGate and server.
D.The monitoring server's IP is not in the SNMP trap receiver list on FortiGate.
AnswerC

SNMPv2c authenticates with a community string; traps carrying the wrong one are silently discarded by the receiver.

Why this answer

SNMPv2c uses the community string as its only form of authentication. If the string the FortiGate puts in its traps does not match the one the monitoring server expects, the server drops the traps. Because traps are unacknowledged UDP (port 162 by default), the FortiGate receives no error and the problem looks like traps never being sent. The server can ping the FortiGate, so Layer 3 reachability is fine, which leaves a configuration mismatch as the most likely cause.

Exam trap

The trap here is that candidates assume SNMP traps are blocked by a firewall policy, but since traps are initiated by the FortiGate (outbound), the server's ability to ping the FortiGate confirms Layer 3 reachability, shifting the focus to authentication or receiver configuration.

How to eliminate wrong answers

Option A is wrong because FortiGate supports SNMPv1, v2c and v3. Option B is wrong because traps are generated by the FortiGate itself (self-originated traffic), and firewall policies apply only to traffic passing through the unit; a policy governing what the server may send to the FortiGate has no effect on traps going the other way. Option D is wrong because, on FortiGate, trap receivers are the hosts configured under the SNMP community with host type 'trap' or 'any'; the stem says the administrator configured the FortiGate to send traps to this server, so a missing receiver entry is excluded by the question, leaving a community mismatch as the most likely cause.

60
MCQmedium

An administrator wants to back up the FortiGate configuration to a TFTP server at 10.10.10.10. Which CLI command should be used?

A.execute backup config tftp 10.10.10.10
B.backup config tftp 10.10.10.10
C.copy config tftp 10.10.10.10
D.execute save config tftp 10.10.10.10
AnswerA

Why this answer

The correct command to back up a FortiGate configuration to a TFTP server is 'execute backup config tftp <filename> <server-ip>'. 'execute' is the FortiOS CLI keyword for operational commands, and 'backup config tftp' names the action and the transfer protocol. In a real session the filename argument precedes the server address (the option omits it), and an optional password can follow the server address to encrypt the file.

Exam trap

The trap here is that candidates may forget the 'execute' keyword, which is mandatory for all operational commands in FortiOS, and mistakenly choose a command that looks correct but lacks it, such as 'backup config tftp'.

How to eliminate wrong answers

Option B is wrong because it omits the required 'execute' keyword; operational commands in the FortiOS CLI start with 'execute', and a line starting with 'backup' is rejected. Option C is wrong because 'copy' is Cisco IOS syntax, not FortiOS; the FortiOS verb is 'backup'. Option D is wrong because there is no 'execute save config' in FortiOS: configuration changes are written to flash automatically (or with 'execute cfg save' when 'cfg-save manual' is set under 'config system global'), and exporting the configuration is always done with 'execute backup'.

61
MCQeasy

A FortiGate administrator wants to ensure that all firewall policies are backed up before performing a firmware upgrade. Which backup method preserves the configuration in a format that can be restored to the same or different FortiGate model?

A.Use 'execute backup full-config tftp'
B.Copy the configuration from the system config script
C.Backup the configuration via CLI using 'execute backup config tftp'
D.Save the running config from the GUI Dashboard
AnswerC

This writes the configuration as a text file that can be restored from the CLI or the GUI.

Why this answer

Option C is correct because 'execute backup config tftp' writes the FortiGate configuration as a plain-text, human-readable file containing every non-default setting, including all firewall policies, and nothing else (no firmware, no logs). That file restores cleanly to the same model and firmware version, which is exactly what a pre-upgrade backup is for, and because it is text it can also be edited and adapted if it ever has to be moved to a different model.

Exam trap

The trap here is the word 'full' in option A: 'execute backup full-config tftp' does not produce a firmware image or a more complete backup, it produces the same configuration with every default value written out as well. The result is much larger and harder to diff or port, which is why the standard backup is the everyday choice.

How to eliminate wrong answers

Option A is wrong because 'execute backup full-config tftp' backs up the configuration with all default values included (the equivalent of 'show full-configuration'); it contains no firmware, and the extra defaults make the file large and awkward to compare or reuse without adding anything a restore needs. Option B is wrong because copying configuration text off the console is not a backup: the restore expects the header line the backup command writes, and copied output is easy to truncate. Option D is wrong because the Dashboard has no such function; the GUI backup lives in the admin menu (Configuration > Backup) and produces the same text file as the CLI command, so the question is really about knowing the CLI command.

62
MCQmedium

An administrator wants to allow management access to a FortiGate from a specific subnet 10.10.10.0/24 via HTTPS. Which configuration achieves this?

A.config system global set admin-sport 443 set allowaccess https 10.10.10.0/24 end
B.config router policy edit 1 set src 10.10.10.0/24 set dst 10.0.0.0/8 set action accept set protocol https end
C.config system admin edit admin set trustedhost 10.10.10.0/24 set allowaccess https end
D.config system interface edit port1 set allowaccess https set trustedhosts 10.10.10.0 255.255.255.0 end
AnswerD

Why this answer

Option D is the intended answer because management access is controlled at the interface: 'set allowaccess https' under 'config system interface' enables HTTPS administration on port1, and the second line expresses the intent of restricting that access to 10.10.10.0/24. Note that the restriction line is written loosely: FortiOS has no 'trustedhosts' option under 'config system interface'. The source restriction is configured per administrator account with 'set trusthost1 10.10.10.0 255.255.255.0' (through trusthost10) under 'config system admin', or with a local-in policy. Option D is still the only choice that combines the two real building blocks, enabling the service on the interface and restricting the sources allowed to use it.

Exam trap

The trap here is that candidates treat `config system global` (where `admin-sport` changes the HTTPS port) or `config router policy` as access-control contexts. They are not: the service is enabled per interface with `allowaccess`, and the source restriction lives in the trusted-host settings of each administrator account (or in a local-in policy), not in a global setting.

How to eliminate wrong answers

Option A is wrong because `config system global` has no `allowaccess` or trusted-host options; `set admin-sport` only changes the HTTPS administration port and restricts nothing. Option B is wrong because `config router policy` defines policy routes for traffic passing through the FortiGate; it has nothing to do with access to the FortiGate's own management services. Option C is wrong because, although `config system admin` is where trusted hosts really live, the option's syntax is wrong twice: the setting is `trusthost1` to `trusthost10`, each taking an IP and a netmask, and `allowaccess` is not an administrator-account setting, so the command would be rejected.
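Added example, not from the original page, showing how the intent of option D is actually written in FortiOS: HTTPS enabled on port1 and the source restriction applied as a trusted host on the administrator account. The interface and subnet come from the question; the account name 'admin' is assumed:

```fortios
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.10.0 255.255.255.0
    next
end
```

Trusted hosts are per account, so repeat them for every administrator; an account without trusted hosts can still log in from anywhere, and the FortiGate only stops answering the HTTPS port to untrusted sources once every account is restricted. The 'allowaccess' line replaces the interface's whole list, so include every service that should remain enabled (use 'append allowaccess https' to add a single service instead).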

63
MCQmedium

An administrator is troubleshooting a loss of connectivity between two sites connected via a VPN tunnel. The FortiGate logs show 'Tunnel: phase 1 negotiation failed'. Which two parameters MUST match on both peers for phase 1 to succeed? (Select two. Not all options are used.)

A.IPsec proposal (encryption and authentication)
B.Pre-shared key
C.IKE version (v1 or v2)
D.Local ID
E.Local and remote IP addresses
AnswerB, C

The PSK must match on both ends.

Why this answer

With pre-shared key authentication, both peers must hold an identical key; a mismatch means the IKE SA cannot be authenticated, and FortiGate logs the failure as 'phase 1 negotiation failed' because the authentication payload derived from the key does not verify. The IKE version must match for the same reason: IKEv1 and IKEv2 are different protocols, and a FortiGate configured with 'set ike-version 2' does not negotiate with a peer speaking IKEv1.

Exam trap

The trap here is that candidates often confuse phase 1 and phase 2 parameters, incorrectly selecting the IPsec proposal (which is a phase 2 parameter) instead of the IKE version, which is a critical phase 1 matching requirement.

How to eliminate wrong answers

Option A is wrong because the IPsec proposal (encryption and authentication for the protected traffic) is negotiated in phase 2, not phase 1; phase 1 has its own proposal set (encryption, hash, DH group) that must also match, but that is not what the option names. Option D is wrong because the local ID is checked only when the remote peer is configured to expect it ('set peertype one' with a matching 'set peerid'); with the default 'set peertype any' phase 1 completes without it, so it is not a must-match parameter in general. Option E is wrong because the local and remote addresses are complementary rather than identical: each peer's local address is the other peer's remote gateway, so they must correspond, not match.
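Added example, not from the original page: the phase 1 definition on one peer, with the fields the other peer must mirror (same IKE version, same pre-shared key, a compatible proposal and DH group). Tunnel name, addresses and the key are assumed for illustration:

```fortios
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set remote-gw 198.51.100.2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "S3cr3t-shared-on-both-peers"
    next
end
```

On the other peer, 'remote-gw' points back at this FortiGate's wan1 address while every other value is identical. If the tunnel fails, 'diagnose vpn ike gateway list name to-branch' shows the IKE SA state, and 'diagnose debug application ike -1' together with 'diagnose debug enable' shows which parameter the peer rejected.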

64
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A.The session is in an error state
B.The session has been idle for 3600 seconds
C.The session is to port 3600
D.The session is about to expire in 3599 seconds
AnswerD

expire is the time left before the session is removed if no further packets refresh it.

Why this answer

The 'expire=3599' field is the countdown to session removal: the FortiGate resets it to the session TTL (3600 seconds by default for an established TCP session, configured under 'config system session-ttl') every time a packet matches the session, and deletes the session when it reaches zero. 'duration=3600' is the time since the session was created. So this session was created an hour ago and saw a packet about a second ago; the two numbers do not add up to a total lifetime, because expire restarts with every packet. 'proto=6' is TCP and 'proto_state=01' is an established TCP session (the rightmost digit encodes the TCP state; 1 is ESTABLISHED), so this is normal traffic, not an error or idle condition.

Exam trap

The trap here is confusing 'duration' (time since session started) with 'expire' (time until session ends), leading candidates to incorrectly interpret the 3600 value as idle time or a port number.

How to eliminate wrong answers

Option A is wrong because 'proto_state=01' is a normal established TCP session; a session still in the handshake would show 02 (SYN_SENT), and 05 (TIME_WAIT) or 06 (CLOSE) would mark a session winding down. Option B is wrong because 'duration' is the session's age, not its idle time; the FortiGate has no separate idle field, and the fact that expire sits just below the 3600-second TTL shows the session was refreshed about a second ago. Option C is wrong because the destination port is the 'dport' field (443 here, which is what the filter matched on); 'duration=3600' is seconds, not a port number.
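Added example, not from the original page: the filter sequence that produces output like the one in the question, preceded by the clear that is easy to forget, together with the session TTL settings the 3600-second value comes from. The per-port override for 443 is an assumed value for illustration:

```fortios
diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter dport 443
diagnose sys session list

config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 6
            set start-port 443
            set end-port 443
            set timeout 1800
        next
    end
end
```

Filters persist for the CLI session and combine, so a stale filter from an earlier troubleshooting step silently narrows the list; clearing first avoids that. With the override above, established sessions to port 443 would show 'expire' counting down from 1800 rather than 3600.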

65
MCQmedium

An administrator configures two FortiGate units in an active-passive HA cluster. After a failover, some existing TCP sessions are dropped. What is the most likely reason for this behavior?

A.Session synchronization is not enabled
B.The failover time is too slow
C.The FortiGate units are running different firmware versions
D.The HA cluster is using a virtual MAC address
AnswerA

Session synchronization must be enabled to maintain TCP sessions across failover.

Why this answer

In an active-passive HA cluster the primary unit forwards all traffic while the secondary receives only configuration and heartbeat traffic. Unless session synchronization ('set session-pickup enable' under 'config system ha') is turned on, the secondary holds no session table entries; after a failover, packets of existing TCP connections arrive at a new primary that cannot match them to any session, so they are dropped and the clients have to reconnect. Even with session pickup, sessions handled by proxy-based inspection are not synchronized, so some drops are still expected for those.

Exam trap

The trap here is that candidates often assume HA automatically synchronizes all state information, but FortiGate requires explicit configuration of session synchronization (via 'set session-pickup enable' in the HA settings) to preserve existing TCP sessions after a failover.

How to eliminate wrong answers

Option B is wrong because failover time affects the duration of traffic interruption but does not cause session drops if sessions are synchronized; even a fast failover will drop unsynchronized sessions. Option C is wrong because running different firmware versions is not supported in an HA cluster and would prevent the cluster from forming or operating correctly, but the question states the cluster is configured and failover occurs, so firmware mismatch is not the cause of session drops. Option D is wrong because using a virtual MAC address actually helps maintain session continuity by ensuring the same MAC address is used after failover, preventing ARP cache issues; it does not cause session drops.
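Added example, not from the original page: an active-passive cluster with session pickup enabled. Group name, password, priority and the heartbeat interface names are assumed:

```fortios
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "ha-cluster-secret"
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set override disable
    set priority 200
end
```

'get system ha status' confirms the cluster state and which unit is primary. Session pickup covers flow-based sessions ('session-pickup-connectionless' extends it to UDP and ICMP); sessions handled by proxy-based inspection are not synchronized, so a failover still interrupts those.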

66
MCQmedium

An admin configures an aggregate interface on a FortiGate using two physical ports. After configuration, the admin notices that traffic is not load-balancing evenly. What is the MOST likely cause?

A.The aggregate interface is set to active-passive mode
B.The aggregate interface is using the default load-balancing algorithm
C.The physical ports are connected to different switches
D.The MTU size is mismatched on the physical ports
AnswerB

Traffic on an aggregate is hashed per flow onto a member link; if the fields the hash uses vary little across the traffic, most flows land on one link.

Why this answer

An aggregate interface (LAG) distributes traffic by hashing packet fields and mapping each flow to one member link; FortiOS offers Layer 2 (MAC addresses), Layer 3 (IP addresses) and Layer 4 (IP addresses plus ports) hashing, selected with 'set algorithm L2 | L3 | L4' on the aggregate. If the algorithm in use keys on fields that hardly vary across the traffic, for example MAC hashing when all flows pass through one upstream router and so share a single MAC pair, or IP hashing between two busy servers, most flows hash to the same link. Moving to an algorithm that includes more varying fields (typically L4) spreads the flows more evenly.

Exam trap

The trap here is that candidates assume uneven utilization means a hardware fault or a mis-cabled port, when hash-based per-flow distribution is the usual explanation: a LAG balances flows, not bytes, and the chosen algorithm decides how those flows are spread.

How to eliminate wrong answers

Option A is wrong because active-passive mode does not produce uneven load balancing; it deliberately uses a single active link and no balancing at all, whereas the question states that traffic is distributed, just unevenly. Option C is wrong because terminating the member ports on different switches does not change the hash; it works only when the switches present themselves as a single LACP partner (MLAG or equivalent), and otherwise the aggregate fails to form, neither of which is uneven balancing. Option D is wrong because an MTU mismatch causes fragmentation or drops of large frames, not skewed distribution.

67
Multi-Selectmedium

An administrator is setting up SNMP monitoring on a FortiGate. Which two configurations are necessary for a basic SNMP setup? (Choose two.)

Select 2 answers
A.Create a firewall policy to allow SNMP traffic from the monitoring server
B.Configure an SNMP community with read-only access
C.Enable the SNMP agent under System > SNMP
D.Set the SNMP trap destination IP
E.Configure a user for SNMPv3
AnswersB, C

A community is required for authentication (v2c) and to define access.

Why this answer

Option B is correct because an SNMP community with read-only access defines the basic authentication and access control for SNMPv1/v2c queries, which is essential for monitoring. Option C is correct because the SNMP agent must be enabled on the FortiGate to process SNMP requests from the monitoring server.

Exam trap

The trap here is that candidates treat trap destinations and SNMPv3 users as mandatory: trap hosts matter only if you want traps, and an SNMPv3 user only if you use v3. A firewall policy is never needed, because traffic addressed to the FortiGate itself is not subject to firewall policies; it is controlled by the interface's 'allowaccess' list (which must include 'snmp' for queries to be answered) and by local-in policies.
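Added example, not from the original page, covering both this question and question 59: the SNMP agent enabled, an SNMPv2c read-only community, the monitoring server registered as both a query source and trap receiver, and SNMP permitted on the interface it queries through. Community name, addresses and interface are assumed:

```fortios
config system snmp sysinfo
    set status enable
    set description "edge-fgt-1"
    set contact-info "noc@example.com"
end
config system snmp community
    edit 1
        set name "n0c-r3ad-only"
        set query-v2c-status enable
        set trap-v2c-status enable
        config hosts
            edit 1
                set ip 10.20.0.50 255.255.255.255
                set host-type any
            next
        end
    next
end
config system interface
    edit "port2"
        append allowaccess snmp
    next
end
```

The hosts list doubles as the trap receiver list on FortiGate ('host-type any' means both query and trap; 'trap' alone makes the entry a receiver only). If traps stop arriving, compare the community name here with the one configured on the receiver; traps are sent regardless of 'allowaccess', which only gates inbound queries.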

68
Multi-Selecthard

An administrator configures a VLAN interface on a FortiGate trunk port. The VLAN is allowed on the trunk, but the FortiGate cannot ping the default gateway of that VLAN. Which three items must be verified? (Choose three.)

Select 3 answers
A.The VLAN interface has an IP address in the correct subnet.
B.A firewall policy allows ICMP from the FortiGate to the gateway.
C.The VLAN interface is administratively up.
D.The trunk port is set to access mode.
E.The VLAN ID matches the switch configuration.
AnswersA, C, E

The interface must be up, carry the right VLAN tag and have an address in the gateway's subnet.

Why this answer

Option A is correct because the VLAN interface must have an IP address in the gateway's subnet; otherwise the FortiGate has no directly connected route to the gateway and cannot ARP for it, however the trunk is configured. Option C is correct because an administratively down VLAN interface ('set status down') sends nothing at all. Option E is correct because the VLAN ID on the FortiGate sub-interface must equal the 802.1Q tag the switch uses for that VLAN; with a wrong ID the frames are tagged for a VLAN the switch either drops or delivers to a different broadcast domain, and the gateway never sees them.

Exam trap

The trap here is that candidates assume a firewall policy is needed for traffic the FortiGate originates itself. It is not: firewall policies govern traffic passing through the unit, and local-in policies govern traffic addressed to it; pings the FortiGate sends from its own interface fall under neither, so option B cannot be the fix. Option D is a distractor because a trunk port carries tagged frames for several VLANs, while access mode would strip the tag and carry one VLAN only.

69
MCQhard

An administrator plans to upgrade FortiGate firmware from version 6.0 to 7.2. The current version is 6.0.10. Which upgrade path is correct?

A.Upgrade to 6.4 first, then to 7.2
B.It is not possible to upgrade from 6.0 to 7.2
C.Direct upgrade from 6.0.10 to 7.2.0 is supported
D.Upgrade to 6.2, then 6.4, then 7.0, then 7.2
AnswerD

This is the correct sequential upgrade path.

Why this answer

FortiGate firmware upgrades must follow a supported path. In the path the exam expects, each major release (6.0, 6.2, 6.4, 7.0, 7.2) is an intermediate step, so 6.0.10 reaches 7.2 via 6.2, 6.4 and 7.0, as option D lists. In practice the exact sequence, including which patch build to land on at each step, comes from Fortinet's upgrade path tool and the release notes of each release; check those rather than assuming any two adjacent majors are directly upgradable.

Exam trap

The trap here is that candidates assume a direct upgrade is possible because both versions are relatively recent, but Fortinet strictly enforces sequential major version upgrades to prevent configuration and system incompatibilities.

How to eliminate wrong answers

Option A is wrong because upgrading directly from 6.0 to 6.4 skips version 6.2, which is not supported by Fortinet's upgrade path requirements. Option B is wrong because upgrading from 6.0 to 7.2 is possible, but only by following the correct multi-step path through intermediate versions. Option C is wrong because a direct upgrade from 6.0.10 to 7.2.0 is not supported; Fortinet requires upgrading through each major version in sequence.

70
Matchingmedium

Match each FortiGate security profile component to its purpose.

AntiVirus: Scans files for malware
Web Filter: Controls access to URLs and web categories
Application Control: Identifies and allows/denies application traffic
IPS: Detects and blocks network attacks
SSL/SSH Inspection: Decrypts encrypted traffic for inspection

Why these pairings

These profiles are attached to firewall policies to perform UTM inspection on the matching traffic. SSL/SSH inspection underpins the others: without deep inspection, antivirus, web filtering and IPS see only the unencrypted parts of a TLS session (server name and certificate), so their coverage of HTTPS traffic is limited to what those fields reveal.

71
MCQmedium

A FortiGate is configured with an aggregate interface (link aggregation group) consisting of two physical ports. The administrator notices that traffic is not being distributed evenly across the two links. Which configuration setting should be verified to improve load balancing?

A.Check the LACP mode (active vs passive)
B.Increase the MTU on the aggregate interface
C.Verify the load-balancing algorithm for the aggregate interface
D.Ensure the physical ports are in the same VDOM
AnswerC

The algorithm determines how traffic is hashed to links; changing it can improve distribution.

Why this answer

The aggregate interface uses a load-balancing algorithm to distribute traffic across member links. If traffic is uneven, the algorithm (e.g., source-destination IP, source-destination MAC, or layer 4 port) may not match the traffic pattern, causing hash polarization. Verifying and adjusting this algorithm is the correct step to improve distribution.

Exam trap

The trap here is confusing LACP negotiation settings (active/passive) with the actual traffic distribution mechanism, leading candidates to incorrectly select option A instead of recognizing that the load-balancing algorithm directly controls link utilization.

How to eliminate wrong answers

Option A is wrong because LACP mode (active vs passive) controls link negotiation and aggregation establishment, not traffic distribution across already-aggregated links. Option B is wrong because increasing MTU affects maximum packet size but has no impact on how traffic is hashed or distributed among aggregate members. Option D is wrong because VDOM membership ensures logical separation but does not influence the load-balancing algorithm or per-packet distribution across physical ports in an aggregate.
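Added example, not from the original page, covering both this question and question 66: an LACP aggregate with an explicit Layer 4 hash. Interface names and the address are assumed:

```fortios
config system interface
    edit "agg-core"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        set lacp-mode active
        set algorithm L4
        set ip 10.30.0.1 255.255.255.0
        set allowaccess ping
    next
end
```

'diagnose netlink aggregate name agg-core' reports the distribution algorithm, LACP partner state and per-member counters, which is where uneven distribution shows up. The switch side must present both ports as a single LACP partner, otherwise the aggregate never comes up at all.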

72
MCQmedium

An administrator needs to ensure that all traffic from the internal network to the internet goes through a web proxy for content filtering. Which configuration is required on the FortiGate?

A.Enable the proxy feature and set the web proxy port to 80.
B.Enable web proxy in the firewall policy and set action to accept.
C.Configure an explicit web proxy and create a proxy policy.
D.Configure a transparent proxy by using an SSL inspection profile.
AnswerC

Why this answer

Option C is correct because FortiOS enforces proxy-based content filtering through the explicit web proxy: the proxy is enabled on the internal interface and listens on an IP and port (8080 by default), and a proxy policy with 'set proxy explicit-web' defines which sources may use it, for which destinations, and which security profiles (web filter, antivirus) apply. Clients must be pointed at the proxy (browser settings, PAC file or WPAD), and to make the proxy path mandatory rather than optional, direct HTTP/HTTPS from the internal network should be denied by a firewall policy so that web traffic can only leave through the proxy.

Exam trap

The trap here is that candidates expect the proxy to come out of a firewall policy. FortiOS has two web proxy modes: explicit, where clients send requests to the FortiGate's proxy address and port, and transparent, where a firewall policy redirects web traffic into the proxy. The requirement here, that clients go through the proxy for filtering, is the explicit proxy with its own proxy policy; option B describes no real mechanism at all.

How to eliminate wrong answers

Option A is wrong because enabling the proxy and choosing a port only starts the listener; without a proxy policy no request is accepted or filtered, and port 80 is a poor choice anyway because it collides with the FortiGate's own HTTP administration port. Option B is wrong because a firewall policy has no 'web proxy' switch that redirects traffic; a firewall policy with action accept simply forwards the traffic. Option D is wrong because an SSL inspection profile decrypts traffic for inspection but is not itself a proxy; transparent web proxying is a separate feature that uses firewall policies to redirect traffic into 'transparent-web' proxy policies, and the question asks for clients to be sent to a proxy, which is the explicit model.

73
Multi-Selecthard

A FortiGate configured in transparent mode needs to allow HTTP traffic between two VLANs. The administrator has created a firewall policy. However, traffic is still blocked. Which TWO additional configurations are necessary for transparent mode operation?

Select 2 answers
A.Enable VLAN forwarding on the bridge
B.Configure a management IP address on the FortiGate
C.Create static routes for each VLAN subnet
D.Disable antivirus inspection on the policy
E.Assign IP addresses to the internal interfaces
AnswersA, B

The bridge must be configured to forward VLAN-tagged frames.

Why this answer

In transparent mode the FortiGate is a Layer 2 bridge: it has no interface IP addresses and forwards frames between its ports within a broadcast domain, applying firewall policies to what crosses the bridge. Tagged frames are only forwarded if VLAN forwarding is enabled on the interfaces (option A); otherwise the bridge drops 802.1Q frames and the HTTP traffic never reaches the policy. Note that a bridge forwards tagged frames between ports within the same VLAN ID; it does not route between different VLANs, so 'between two VLANs' here means the same VLAN segment on the two sides of the FortiGate. The management IP (option B) is how the unit is administered in this mode, since there are no interface addresses to connect to.

Exam trap

The trap here is that candidates carry NAT/route habits into transparent mode: interface IP addresses and static routes belong to a Layer 3 device. A transparent-mode FortiGate needs VLAN forwarding so tagged frames cross the bridge, and a management IP so an administrator can reach it; the firewall policy then does the filtering.

74
MCQeasy

An administrator needs to back up the full configuration of a FortiGate, including all system settings, policies, and objects. Which CLI command should be used?

A.diagnose debug config-error-log read
B.execute backup config tftp <filename> <server>
C.show full-configuration
D.execute restore config tftp <filename> <server>
AnswerB

This backs up the configuration to a TFTP server.

Why this answer

The correct command is 'execute backup config tftp <filename> <server>': it writes the whole running configuration (system settings, policies and objects, that is, every non-default setting) to the named file on the TFTP server. An optional password after the server address encrypts the file. The 'full-config' variant of the same command also writes out every default value, which is rarely what you want for a routine backup.

Exam trap

The trap here is confusing the 'backup' and 'restore' commands (options B and D) or mistaking a display-only command like 'show full-configuration' for an actual backup operation.

How to eliminate wrong answers

Option A is wrong because 'diagnose debug config-error-log read' is a diagnostic command used to view configuration error logs, not to perform a backup. Option C is wrong because 'show full-configuration' displays the entire configuration on the console but does not save or transfer it to a backup file or server. Option D is wrong because 'execute restore config tftp <filename> <server>' is used to restore a configuration from a TFTP server, not to back it up.
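Added example, not from the original page, covering questions 56, 60, 61 and this one: the backup command in its plain, encrypted and full-configuration forms, and the matching restore. Filenames and the password are assumed; the server address is the one from question 60:

```fortios
execute backup config tftp fgt-edge-1.conf 10.10.10.10
execute backup config tftp fgt-edge-1.enc 10.10.10.10 B4ckup-P@ss
execute backup full-config tftp fgt-edge-1-full.conf 10.10.10.10
execute restore config tftp fgt-edge-1.enc 10.10.10.10 B4ckup-P@ss
```

An unencrypted backup is plain text and opens with a '#config-version=' header naming the model, firmware version and build, which the restore checks against the unit (the header format is described here, not copied from a real device). The rest of the file carries hashed admin passwords, pre-shared keys and community strings, so treat it as a secret even though it is readable. The encrypted form needs the same password at restore time, and there is no recovery if it is lost.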

75
MCQmedium

A FortiGate administrator needs to allow remote management from the internet only from a specific IP address. Which configuration achieves this?

A.Create a local-in policy to allow management access only from the trusted host
B.Change the admin port to a non-standard port
C.Enable HTTPS and restrict admin access via admin host
D.Use a firewall policy with source address restriction
AnswerA

Local-in policies control traffic destined to the FortiGate itself, allowing source IP restriction.

Why this answer

A local-in policy is the right tool because it filters traffic addressed to the FortiGate itself (the control plane) rather than traffic passing through it. A policy that accepts HTTPS and SSH on the internet-facing interface from one source address, followed by a policy that denies the same services from any source, lets only that host reach the management daemons. The explicit deny matters: local-in policies have no implicit deny, so an accept rule on its own restricts nothing. Firewall policies, by contrast, never see this traffic, since they govern only traffic forwarded between interfaces.

Exam trap

The trap here is that candidates often confuse firewall policies (which control traffic passing through the FortiGate) with local-in policies (which control traffic destined to the FortiGate), leading them to incorrectly select option D, thinking a standard firewall policy can restrict management access from the internet.

How to eliminate wrong answers

Option B is wrong because changing the admin port is obscurity, not access control; the port can still be found by a scan and reached from any source. Option C is wrong as the best answer, though not as a practice: 'admin host' is not a FortiOS term, but per-administrator trusted hosts ('trusthost1' to 'trusthost10' under 'config system admin') do restrict where each account can log in from, for HTTPS, SSH and every other administrative protocol, and are a sound control. They are enforced per account, however, so a single administrator without trusted hosts leaves the service reachable, whereas a local-in policy applies to the interface regardless of accounts. Option D is wrong because a firewall policy with a source restriction applies to traffic transiting the FortiGate, not to traffic destined to its own addresses; management traffic is filtered only by 'allowaccess', trusted hosts and local-in policies.
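Added example, not from the original page: the local-in policy pair that enforces the restriction on the internet-facing interface. The trusted address, interface name and services are assumed:

```fortios
config firewall address
    edit "remote-admin"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "remote-admin"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
```

The deny entry is what makes the restriction real, since local-in policies have no implicit deny. HTTPS and SSH must still be enabled with 'allowaccess' on wan1, and it is safer to test from the trusted host first while keeping a second session open, because a mistake here locks you out of remote management.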
