CCNA Nse4 System Network Questions

75 of 200 questions · Page 2/3 · Nse4 System Network topic · Answers revealed

76
MCQ · medium

An administrator wants to configure SNMPv3 on a FortiGate for secure monitoring. Which configuration is required?

A. Create an SNMPv3 user with authentication and privacy protocols.
B. Enable SNMP agent on the WAN interface only.
C. Configure an access control list for SNMP.
D. Set SNMP community string to 'public' and enable SNMPv1/v2c.
Answer: A

Why this answer

SNMPv3 replaces community strings with the User-based Security Model (USM): each user carries an authentication protocol (for example SHA) that gives integrity and origin authentication, and a privacy protocol (for example AES) that encrypts the payload. On FortiOS this is configured under 'config system snmp user' with 'set security-level auth-priv' together with 'set auth-proto' and 'set priv-proto'. Without both protocols the monitoring traffic is neither authenticated nor confidential, so option A is the required configuration. Prefer SHA over MD5 and AES over DES; the older algorithms remain only for legacy managers.

Exam trap

The trap here is that candidates often think enabling SNMP on a specific interface or using ACLs is the primary security requirement, but SNMPv3's security is entirely user-based and requires explicit authentication and privacy protocols.

How to eliminate wrong answers

Option B is wrong because SNMP agent can be enabled on any interface, not only WAN, and the interface selection does not enforce security; SNMPv3 security is user-based, not interface-based. Option C is wrong because while access control lists can restrict SNMP access, they are not required for SNMPv3; the core requirement is the user with authentication and privacy. Option D is wrong because setting the community string to 'public' and enabling SNMPv1/v2c bypasses SNMPv3's security entirely, leaving monitoring unencrypted and unauthenticated.

77
MCQ · medium

A FortiGate administrator needs to upgrade the firmware from 7.0.5 to 7.2.0. The current firmware is 7.0.5. What is the recommended upgrade path?

A. Upgrade to 7.0.6 first, then to 7.2.0
B. Upgrade to 7.2.0 directly after downgrading to 7.0.0
C. Upgrade to 7.4.0 first, then downgrade to 7.2.0
D. Upgrade directly from 7.0.5 to 7.2.0
Answer: A

First upgrade to the latest 7.0.x, then to 7.2.0.

Why this answer

Fortinet publishes the supported upgrade path for every release in its release notes and in the online upgrade path tool, and following that path avoids configuration-conversion failures and unstable boots. In the path this item models, a 7.0.5 device first moves to the latest 7.0.x patch (7.0.6) and only then to 7.2.0; jumping straight from 7.0.5 to 7.2.0 is not one of the listed hops, so the upgrade may be refused or may leave the configuration only partially converted.

Exam trap

The trap here is that candidates assume any direct upgrade between consecutive major versions is allowed, but Fortinet enforces a strict path that requires upgrading to the latest patch of the current major branch first.

How to eliminate wrong answers

Option B is wrong because downgrading to 7.0.0 before upgrading to 7.2.0 is unnecessary and introduces risk; the correct path is to upgrade within the 7.0.x branch first. Option C is wrong because upgrading to 7.4.0 (a later major version) and then downgrading to 7.2.0 is not a supported upgrade path and may cause configuration corruption or boot issues. Option D is wrong because directly upgrading from 7.0.5 to 7.2.0 is not supported; Fortinet requires an intermediate upgrade to the latest 7.0.x release to ensure compatibility of the firmware image and configuration database.

78
MCQ · easy

A FortiGate is configured in NAT/Route mode. Which statement is correct about this mode?

A. Only one interface can be used for traffic.
B. The FortiGate routes traffic between different subnets and can perform NAT.
C. VLAN interfaces are not supported in this mode.
D. The FortiGate acts as a Layer 2 bridge.
Answer: B

NAT/Route mode is the default, routing Layer 3 traffic.

Why this answer

In NAT/Route mode, the FortiGate operates as a Layer 3 router, forwarding traffic between different subnets while also performing Network Address Translation (NAT) when configured. This is the default operational mode for most FortiGate deployments, enabling both routing and NAT capabilities on the same device.

Exam trap

The trap here is that candidates often confuse NAT/Route mode with Transparent mode, assuming that NAT implies bridging or that only one interface can be used, but FortiGate explicitly supports multiple routed interfaces and VLANs in this mode.

How to eliminate wrong answers

Option A is wrong because NAT/Route mode supports multiple interfaces for traffic forwarding, not just one; each interface can belong to a different subnet. Option C is wrong because VLAN interfaces are fully supported in NAT/Route mode, allowing segmentation of traffic on the same physical port. Option D is wrong because the FortiGate acts as a Layer 3 router in this mode, not a Layer 2 bridge; Layer 2 bridging is associated with Transparent mode.

79
MCQ · medium

A FortiGate administrator needs to configure a policy route to send all traffic destined to 10.10.10.0/24 out through interface port3 instead of the default route. Which configuration steps are necessary?

A. Add a firewall policy with source interface any, destination 10.10.10.0/24, and set the egress interface to port3
B. Create a static route for 10.10.10.0/24 with a lower distance pointing to port3
C. Set the default gateway to port3 and remove the existing default route
D. Configure a policy route under 'config router policy' with destination 10.10.10.0/24 and output interface port3
Answer: D

Policy routes are configured under 'config router policy' and allow routing decisions based on source/destination.

Why this answer

Policy routes override the routing table for traffic that matches criteria such as incoming interface, source, destination, protocol, or ports, and they are consulted before the routing table lookup. Option D correctly creates one under 'config router policy' (fields such as 'set input-device', 'set dst' for the 10.10.10.0/24 subnet, 'set output-device port3' and 'set gateway' for the next hop), so that matching traffic leaves via port3 regardless of the default route.

Exam trap

The trap here is confusing firewall policies (which control access and NAT) with policy routes (which control forwarding decisions), leading candidates to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because firewall policies decide whether traffic is allowed and whether NAT and security profiles apply; they do not choose the egress interface, which has already been decided by the policy routes and the routing table before the policy lookup. Option B is wrong for this question rather than in practice: a static route for 10.10.10.0/24 pointing at port3 would indeed be selected by longest-prefix match over the default route, but it changes the routing table itself instead of overriding it for selected traffic, and the question asks for the policy-route mechanism, which only 'config router policy' provides. Option C is wrong because pointing the default gateway at port3 would move all traffic, not just 10.10.10.0/24, and removing the existing default route would break connectivity for every other destination.

80
MCQ · easy

An administrator needs to back up the FortiGate configuration to a remote server using SCP. Which command is correct?

A. execute backup config copy <server> <filename>
B. execute backup config scp <server> <filename>
C. execute backup config tftp <server> <filename>
D. execute backup config ftp <server> <filename>
Answer: B

SCP is used for secure copy.

Why this answer

Among the options listed, 'execute backup config scp <server> <filename>' is the only one that names an encrypted transport: SCP runs over SSH, so both the configuration file and the login are protected in transit, which is the stated requirement. Before relying on the exact syntax in this item, check the CLI reference for your release: there the filename argument precedes the server ('execute backup config tftp <filename> <server>', 'execute backup config ftp <filename> <server> [user] [password]'), and the documented encrypted option is 'execute backup config sftp <filename> <server> <user> <password>'. FortiOS also lets an SSH client pull the configuration with scp once 'set admin-scp enable' is set under 'config system global'.

Exam trap

The trap here is that candidates often confuse 'scp' with 'ftp' or 'tftp' because they all transfer files, but only SCP provides encryption, which is the key requirement for a secure remote backup.

How to eliminate wrong answers

Option A is wrong because 'execute backup config copy' is not a valid FortiGate command; the syntax uses 'copy' incorrectly, and there is no such subcommand for backup operations. Option C is wrong because 'execute backup config tftp' uses TFTP (Trivial File Transfer Protocol), which is unencrypted and lacks authentication, making it unsuitable for secure backups to a remote server. Option D is wrong because 'execute backup config ftp' uses FTP (File Transfer Protocol), which transmits data in cleartext including credentials, and is not the secure method specified in the question (SCP).

81
MCQ · easy

Which of the following is the correct way to upgrade the firmware on a FortiGate from the CLI?

A. execute upgrade tftp
B. execute update firmware tftp
C. config system firmware upgrade tftp
D. execute firmware upgrade tftp
Answer: A

Why this answer

Within the listed options, 'execute upgrade tftp' is the intended answer because it follows the FortiOS pattern: firmware operations are operational 'execute' commands, not 'config' settings, and the FortiGate acts as a TFTP client that pulls the image from the server. Note that the command documented in the FortiOS CLI reference for this task is 'execute restore image tftp <filename> <server>' (with 'ftp' and 'usb' variants); treat the wording in this item as exam shorthand and confirm the exact syntax on your release before running it.

Exam trap

The trap here is that candidates confuse the 'execute upgrade tftp' command with similar-sounding but incorrect variations like 'execute update firmware tftp' or 'execute firmware upgrade tftp', often misremembering the verb-noun order or mixing up firmware updates with FortiGuard updates.

How to eliminate wrong answers

Option B is wrong because 'execute update firmware tftp' uses 'update' instead of 'upgrade'; in FortiOS 'update' belongs to FortiGuard operations such as 'execute update-now' and 'execute update-av', not to firmware. Option C is wrong because 'config system firmware upgrade tftp' uses 'config' mode; firmware upgrades are operational commands and are run from the CLI prompt, not stored as configuration. Option D is wrong because 'execute firmware upgrade tftp' reverses the verb and noun order; in this item the action is 'upgrade' and 'tftp' is the transfer method.

82
MCQ · easy

What is the purpose of configuring a loopback interface on a FortiGate?

A. To create a logical interface that remains up regardless of physical link status
B. To provide a virtual IP address for NAT
C. To connect to a VLAN
D. To aggregate multiple physical interfaces for increased bandwidth
Answer: A

A loopback is always up unless administratively shut down, making it ideal for management and routing.

Why this answer

A loopback interface is a logical interface that is not tied to any physical port, so it remains operational (up/up) as long as the FortiGate itself is running. This makes it ideal for management access, BGP peering, and other services that require a stable IP address independent of physical link failures.

Exam trap

The trap here is that candidates confuse a loopback interface with a virtual IP (VIP) for NAT or with a VLAN sub-interface, because both are 'virtual' constructs, but they serve entirely different purposes in the FortiGate architecture.

How to eliminate wrong answers

Option B is wrong because a loopback interface is not used for NAT; virtual IPs (VIPs) or IP pools are used for NAT purposes. Option C is wrong because VLANs are created as sub-interfaces on physical or aggregate interfaces, not on a loopback interface. Option D is wrong because aggregating multiple physical interfaces for increased bandwidth is achieved via Link Aggregation (LAG) or 802.3ad, not a loopback interface.

83
MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A. The session is an ICMP session with state 01 and expires in 1 second.
B. The session is a UDP session to port 443 and has been active for 3600 seconds.
C. The session is a TCP session to port 443 that has been active for 3600 seconds and will expire in 3599 seconds.
D. The session is a TCP session that has timed out and will be removed in 3599 seconds.
Answer: C

Why this answer

Option C is correct. 'proto=6' is the IP protocol number for TCP (ICMP is 1, UDP is 17), and port 443 comes from the filter you applied: 'diagnose sys session filter dport 443' only sets the filter, and 'diagnose sys session list' prints the matching entries. For TCP the second digit of 'proto_state' is the connection state, and 1 means ESTABLISHED. 'duration=3600' is how long the session has existed; 'expire=3599' is the time remaining before the session is removed if no further packet arrives. That timer is reset to the session TTL (3600 seconds by default for TCP) by every packet, so 3599 means the last packet was seen about a second ago, not that the session is about to close.

Exam trap

The trap here is that candidates often confuse protocol numbers (e.g., thinking '6' is UDP or ICMP) or misinterpret 'expire' as the time since expiration rather than the remaining time until expiration.

How to eliminate wrong answers

Option A is wrong because 'proto=6' is TCP, not ICMP (which uses protocol number 1), and 'dport=443' specifies a port, which is not applicable to ICMP. Option B is wrong because 'proto=6' is TCP, not UDP (which uses protocol number 17), and the session is to port 443, not from it. Option D is wrong because the session has not timed out; 'expire=3599' indicates it is still active and will expire in 3599 seconds, not that it has already timed out.
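The field decoding described above, as an added example that is not part of the exam page or of FortiOS: a small parser for 'diagnose sys session list' entries that names the protocol, translates the proto_state digit, and derives idle time when the entry also carries a timeout field. The sample lines are constructed; only the field names and the proto_state convention follow FortiOS.

```python
"""Decode the fields of a FortiGate `diagnose sys session list` entry.

Added example, not code from the exam page or from Fortinet. The sample
lines below are constructed; only the field names and the proto_state
convention follow FortiOS.
"""
import re

# IANA protocol numbers that appear in typical session output.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# For TCP the *second* digit of proto_state is the connection state.
TCP_STATES = {
    0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_AND_SYN_ACK",
    4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
    8: "LAST_ACK", 9: "LISTEN",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed samples: the first mirrors the question, the second adds the
# timeout= field that real output carries so idle time can be derived.
SAMPLE_TCP = "proto=6 proto_state=01 duration=3600 expire=3599"
SAMPLE_UDP = "proto=17 proto_state=00 duration=5 expire=175 timeout=180"


def parse_fields(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict of strings."""
    return dict(FIELD_RE.findall(line))


def decode_state(proto: int, proto_state: str) -> str:
    """Translate proto_state for TCP and UDP; other protocols carry no state."""
    if proto == 6:
        return TCP_STATES.get(int(proto_state[-1]), f"UNKNOWN({proto_state})")
    if proto == 17:
        # UDP: 00 = no reply seen yet, 01 = reply seen.
        return "REPLIED" if proto_state.endswith("1") else "UNREPLIED"
    return "N/A"


def describe_session(line: str) -> dict:
    """Summarise one session entry.

    expire is the time *remaining* before the session is torn down if no
    further packet arrives; each packet resets it to the session TTL, so a
    value one second below the TTL means traffic was seen a moment ago.
    """
    f = parse_fields(line)
    proto = int(f["proto"])
    expire = int(f["expire"])
    timeout = int(f["timeout"]) if "timeout" in f else None
    return {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "state": decode_state(proto, f["proto_state"]),
        "duration": int(f["duration"]),
        "expire": expire,
        "idle": (timeout - expire) if timeout is not None else None,
        "expired": expire <= 0,
    }


if __name__ == "__main__":
    for line in (SAMPLE_TCP, SAMPLE_UDP):
        print(describe_session(line))
```

Feed it the output of 'diagnose sys session list' one entry at a time; the 'idle' value is only available when the entry includes 'timeout=', which the snippet quoted in the question omits.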

84
MCQ · medium

An admin wants to monitor CPU and memory usage on a FortiGate using SNMP. Which configuration is required?

A. Configure a performance SLA monitor
B. Enable SNMP agent and configure an SNMP community
C. Enable SNMP on the interface and set administrative access to SNMP
D. Configure an SNMP v3 user and enable SNMP traps
Answer: B

Enabling SNMP agent and a community allows SNMP managers to poll OIDs for CPU/memory.

Why this answer

To monitor CPU and memory usage via SNMP, the FortiGate must have the SNMP agent enabled ('config system snmp sysinfo', 'set status enable') and, for SNMPv1/v2c, a community defined under 'config system snmp community'. The community string is the only credential v2c has, and it travels in cleartext, so restrict the allowed manager hosts on the community and limit SNMP administrative access to trusted interfaces. Once enabled, an NMS can poll the FORTINET-FORTIGATE-MIB scalars fgSysCpuUsage (1.3.6.1.4.1.12356.101.4.1.3) and fgSysMemUsage (1.3.6.1.4.1.12356.101.4.1.4); without the agent and a community the FortiGate does not answer SNMP GET requests.

Exam trap

The trap here is that candidates confuse enabling SNMP on an interface (administrative access) with enabling the SNMP agent itself, leading them to select option C, which only allows SNMP traffic to reach the FortiGate but does not activate the SNMP service or community required for polling.

How to eliminate wrong answers

Option A is wrong because a performance SLA monitor is an SD-WAN health check used for link selection and failover, not a way to expose CPU and memory counters. Option C is wrong because adding SNMP to an interface's administrative access only lets SNMP packets reach the FortiGate on that interface; it does not enable the agent or define a community, so polls still go unanswered. Option D is not the intended answer because traps are unsolicited notifications, not polling; an SNMPv3 user with queries enabled would in fact also answer GET requests, and is the more secure choice in practice, but the question asks for the configuration that v2c-based polling requires, which is the agent plus a community.

85
MCQ · easy

What is the purpose of configuring an NTP server on a FortiGate?

A. To enable time-based firewall policies.
B. To synchronize the FortiGate's system clock with a reliable time source.
C. To allow the FortiGate to act as an NTP server for the network.
D. To authenticate with FortiGuard services.
Answer: B

Why this answer

Configuring an NTP server on a FortiGate synchronizes the system clock with a reliable time source, which is essential for accurate logging, certificate validation, and time-based operations. While time-based firewall policies depend on an accurate clock, NTP itself is the mechanism to achieve that accuracy, not the policy feature itself.

Exam trap

The trap here is that candidates confuse the purpose of NTP (time synchronization) with the features that depend on accurate time, such as time-based policies or FortiGuard authentication, leading them to select those as the primary purpose.

How to eliminate wrong answers

Option A is wrong because time-based firewall policies are a feature that uses the system clock, but the purpose of NTP configuration is to synchronize that clock, not to directly enable the policies. Option C is wrong because while a FortiGate can be configured as an NTP server for the network, that is an optional role, not the primary purpose of configuring an NTP server on the device. Option D is wrong because FortiGuard services use the system clock for authentication and license validation, but NTP configuration is not a direct authentication method; it merely ensures the clock is accurate for those services.

86
MCQ · medium

An administrator needs to upgrade the firmware on a FortiGate from version 6.4.10 to 7.0.1. The device currently runs FortiOS 6.4.10. Which upgrade path should be followed?

A. Downgrade to 6.2.0 then upgrade to 7.0.1
B. Upgrade to 7.0.0 first, then to 7.0.1
C. Upgrade directly from 6.4.10 to 7.0.1 via the GUI
D. Upgrade to 6.4.99 (if exists) then to 7.0.1
Answer: B

Upgrade to the first release of the next major branch, then to the target patch.

Why this answer

Fortinet publishes a supported path for each release, and this item models the usual shape of a major-branch move: 6.4.10 steps to 7.0.0, the first release of the 7.0 branch, and then to 7.0.1. Going straight from 6.4.10 to 7.0.1 skips that listed intermediate build, which the upgrade check may refuse or which may leave the configuration incompletely converted. Confirm the path for the exact target build before scheduling the window.

Exam trap

The trap here is that candidates assume GUI or direct upgrades are always safe, but Fortinet strictly enforces sequential version upgrades to prevent configuration and system incompatibilities.

How to eliminate wrong answers

Option A is wrong because downgrading to 6.2.0 is unnecessary and not a valid upgrade path; Fortinet does not support downgrading as a step to upgrade. Option C is wrong because upgrading directly from 6.4.10 to 7.0.1 via the GUI is not supported; the upgrade must go through 7.0.0 first. Option D is wrong because 6.4.99 does not exist as a release; Fortinet uses specific build numbers, not arbitrary patch versions, and the correct intermediate is 7.0.0.

87
MCQ · medium

An administrator wants to send FortiGate logs to a FortiAnalyzer for centralized logging and reporting. Which configuration step is required on the FortiGate?

A. Enable SNMP traps to the FortiAnalyzer
B. Create a firewall policy to allow traffic to the FortiAnalyzer
C. Under Log & Report, configure the FortiAnalyzer settings and set the log forwarding
D. Configure a syslog server under System > Settings
Answer: C

FortiGate has dedicated FortiAnalyzer settings under Log & Report.

Why this answer

Option C is correct because FortiGate has dedicated FortiAnalyzer settings in the Log & Report section (under Log Settings in older releases; newer releases also expose them under Security Fabric > Fabric Connectors), backed by 'config log fortianalyzer setting' in the CLI, where you enable the connection and set the FortiAnalyzer address. Logs are then sent with Fortinet's OFTP protocol on TCP port 514, encrypted by default, rather than as plain syslog, and the FortiGate must be authorized on the FortiAnalyzer before its logs are accepted.

Exam trap

The trap here is that candidates often confuse the generic syslog server configuration (Option D) with the FortiAnalyzer-specific log forwarding setup, or they mistakenly think a firewall policy (Option B) is the primary step rather than the log forwarding configuration itself.

How to eliminate wrong answers

Option A is wrong because SNMP traps are used for sending network management alerts (e.g., interface down) to an SNMP manager, not for forwarding logs to FortiAnalyzer. Option B is wrong because while a firewall policy may be needed to allow outbound traffic to the FortiAnalyzer IP, it is not the primary configuration step for log forwarding; the log forwarding settings themselves are configured under Log & Report. Option D is wrong because configuring a syslog server under System > Settings is for sending logs to a generic syslog server, not for the FortiAnalyzer-specific integration which requires the dedicated FortiAnalyzer configuration under Log & Report.

88
Multi-Select · medium

An administrator is configuring a FortiGate to use FortiManager for centralized management. Which three steps are required?

Select 3 answers
A. Enable VDOMs on the FortiGate.
B. Authorize the FortiGate in the FortiManager GUI.
C. Register the FortiGate to the FortiManager using the registration code.
D. Create a local admin account on the FortiGate for FortiManager to use.
E. Ensure network connectivity between FortiGate and FortiManager on TCP port 541.
Answers: B, C, E

Authorization is needed to accept management.

Why this answer

Option B is correct because after the FortiGate reaches FortiManager over the FGFM protocol (TCP 541), the administrator must explicitly authorize the device in the FortiManager GUI under 'Device Manager > Unregistered Devices'. On the FortiGate side the device is pointed at the manager with 'config system central-management', 'set type fortimanager' and 'set fmg <address>'. Authorization is what establishes the trusted management relationship; until it is done the FortiGate stays unmanaged and receives no configuration or policy updates.

Exam trap

The trap here is that candidates often confuse 'registration' (step C) with 'authorization' (step B), thinking one step suffices, when in fact both are required sequentially, and they may also incorrectly assume a local admin account (step D) is needed for authentication.

89
Multi-Select · medium

A network administrator is configuring SNMP on a FortiGate for monitoring. Which three pieces of information are required to complete the SNMPv2c configuration? (Choose THREE.)

Select 3 answers
A. SNMPv3 authentication protocol (MD5/SHA)
B. SNMP manager IP address (allowed hosts)
C. SNMP trap receiver IP and community
D. SNMP community string
E. SNMP interface (the interface that will respond to SNMP queries)
Answers: B, D, E

Restricts which management stations can query the device.

Why this answer

SNMPv2c uses community-based security, so the SNMP community string (Option D) is required for authentication. The SNMP manager IP address (Option B) is needed to define which hosts are allowed to query the FortiGate. The SNMP interface (Option E) specifies which network interface will listen for and respond to SNMP queries.

These three pieces are mandatory for SNMPv2c configuration on a FortiGate.

Exam trap

The trap here is that candidates often confuse SNMPv2c requirements with SNMPv3 requirements, selecting authentication protocols (Option A) which are irrelevant for v2c, or they assume trap configuration is mandatory for basic monitoring, when it is actually optional.
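To make the SNMPv2c point in questions 84 and 89 concrete, here is an added example (not FortiOS code and not from the exam page) that hand-encodes an SNMPv2c GetRequest for the fgSysCpuUsage and fgSysMemUsage objects. Building the datagram byte by byte shows what a community string really is: a plain OCTET STRING inside every request, readable by anyone on the path, which is why SNMPv3 with auth-priv (question 76) is the secure choice. The send_get() helper needs a reachable agent and is optional; everything else runs offline.

```python
"""Hand-build an SNMPv2c GetRequest for FortiGate CPU and memory usage.

Added example, not FortiOS code and not from the exam page. Encoding the
datagram byte by byte shows what a community string actually is: a plain
OCTET STRING in every request, readable by anyone on the path. The OIDs are
the fgSysCpuUsage and fgSysMemUsage scalars from FORTINET-FORTIGATE-MIB;
send_get() is optional and needs a reachable agent, everything else runs
offline.
"""
import socket

OID_FG_SYS_CPU_USAGE = "1.3.6.1.4.1.12356.101.4.1.3.0"
OID_FG_SYS_MEM_USAGE = "1.3.6.1.4.1.12356.101.4.1.4.0"


def ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER, minimal two's-complement length (non-negative values here)."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return tlv(0x06, bytes(out))


def snmpv2c_get(community: str, oids: list, request_id: int = 1) -> bytes:
    """SNMPv2c Message { version=1, community, GetRequest-PDU [0] }."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def community_is_visible(packet: bytes, community: str) -> bool:
    """True when the 'secret' can be read straight out of the datagram."""
    return community.encode() in packet


def send_get(host: str, packet: bytes, timeout: float = 2.0) -> bytes:
    """Send the request to UDP/161 and return the raw GetResponse bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 161))
        return sock.recv(4096)


if __name__ == "__main__":
    pkt = snmpv2c_get("public", [OID_FG_SYS_CPU_USAGE, OID_FG_SYS_MEM_USAGE])
    print(pkt.hex())
    print("community readable in cleartext:", community_is_visible(pkt, "public"))
```

Capture the resulting datagram on the wire and the community string is visible as ASCII inside it; the FortiGate's 'hosts' restriction on the community limits who can use it, but nothing in v2c hides it.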

90
MCQ · medium

An administrator wants to upgrade the FortiGate firmware from version 6.4.9 to 7.0.1. What is the most important consideration before proceeding?

A. Verify the upgrade path and check for any required intermediate versions
B. Upgrade to the latest 7.0.x directly without intermediate steps
C. Disable all firewall policies before upgrading
D. Ensure the configuration is backed up
Answer: A

Fortinet recommends following the upgrade path to avoid incompatibilities.

Why this answer

FortiGate firmware upgrades must follow the path Fortinet validates for the target build, published in the release notes and in the online upgrade path tool; skipping a required intermediate build is the most common cause of failed upgrades, ranging from configuration objects that are not converted to a device that no longer boots. In the path this item models, 6.4.9 first goes to 7.0.0 and then to 7.0.1. Checking the path first also tells you which images to download and whether the change needs more than one reboot.

Exam trap

The trap here is that candidates assume a configuration backup is the most critical step, but Fortinet specifically tests that verifying the upgrade path is the primary consideration to prevent a non-bootable device.

How to eliminate wrong answers

Option B is wrong because upgrading directly to the latest 7.0.x without intermediate steps violates Fortinet's required upgrade path; 6.4.9 must first go to 7.0.0 before reaching 7.0.1. Option C is wrong because disabling firewall policies is not a prerequisite for firmware upgrades; the upgrade process preserves the configuration, and policies remain intact. Option D is wrong because while backing up the configuration is a best practice, it is not the most important consideration; the upgrade path is critical to avoid a bricked device, whereas a backup only protects against data loss after a failure.
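The three upgrade-path items (questions 77, 86 and 90) all reduce to the same check, so here is one added example (not from the exam page or from Fortinet) that performs it: given a table of supported hops, find the shortest chain of builds from the running version to the target, and refuse downgrades and unsupported jumps. SUPPORTED_HOPS is a constructed, deliberately small table that reproduces the paths these items describe; in practice you would load the data from the release notes or the upgrade path tool for your target build.

```python
"""Compute a supported FortiOS upgrade chain from a table of allowed hops.

Added example, not from the exam page or from Fortinet. SUPPORTED_HOPS is a
constructed, deliberately small table that reproduces the paths these exam
items describe; the authoritative data is the release notes for the target
build and Fortinet's upgrade path tool, which you would load here instead.
"""
from collections import deque

SUPPORTED_HOPS = {  # constructed: current build -> builds it may upgrade to
    "6.4.9": ["6.4.10", "7.0.0"],
    "6.4.10": ["6.4.11", "7.0.0"],
    "6.4.11": ["7.0.0"],
    "7.0.0": ["7.0.1", "7.0.5", "7.0.6"],
    "7.0.1": ["7.0.5", "7.0.6"],
    "7.0.5": ["7.0.6"],
    "7.0.6": ["7.2.0"],
    "7.2.0": [],
    "7.4.0": [],
}


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def upgrade_path(current: str, target: str, hops=SUPPORTED_HOPS) -> list:
    """Shortest chain of supported hops from current to target (BFS).

    Raises ValueError for a downgrade (never an upgrade path) or when the
    table has no chain to the target.
    """
    if parse_version(target) < parse_version(current):
        raise ValueError(f"{current} -> {target} is a downgrade, not an upgrade path")
    if current == target:
        return [current]
    parents = {current: None}
    queue = deque([current])
    while queue:
        node = queue.popleft()
        for nxt in hops.get(node, []):
            if nxt in parents:
                continue
            parents[nxt] = node
            if nxt == target:
                path = [nxt]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(nxt)
    raise ValueError(f"no supported upgrade path from {current} to {target} in the table")


def is_direct_hop_supported(current: str, target: str, hops=SUPPORTED_HOPS) -> bool:
    return target in hops.get(current, [])


def check_path(current: str, target: str, hops=SUPPORTED_HOPS) -> str:
    """Human-readable verdict for a change ticket or pre-upgrade checklist."""
    try:
        return " -> ".join(upgrade_path(current, target, hops))
    except ValueError as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    for cur, tgt in (("7.0.5", "7.2.0"), ("6.4.10", "7.0.1"),
                     ("6.4.9", "7.0.1"), ("7.4.0", "7.2.0")):
        print(f"{cur} -> {tgt}: {check_path(cur, tgt)}")
```

Run it with the real hop table for your target build; a REJECTED verdict before the maintenance window is far cheaper than discovering the same thing from a device that will not boot.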

91
Multi-Select · hard

An admin wants to ensure that traffic between two internal subnets (10.0.1.0/24 and 10.0.2.0/24) is inspected by the FortiGate but does not have its source IP translated. Which THREE configuration elements are required? (Choose three.)

Select 3 answers
A. NAT disabled on that policy
B. A static route for each subnet on the FortiGate
C. An IP pool for source NAT
D. A firewall policy allowing traffic between the two subnets
E. Security profiles (e.g., antivirus, IPS) applied to the policy
Answers: A, D, E

To avoid source IP translation, NAT must be disabled.

Why this answer

Option A is correct because when traffic between two internal subnets must keep its original addresses, NAT has to be off on the firewall policy that permits it. The GUI may enable NAT by default when a policy is created, so leave it unchecked there; in the CLI use 'set nat disable' inside the policy entry under 'config firewall policy'. The 10.0.1.x source then arrives unchanged at 10.0.2.x. Option D is needed because no traffic passes the FortiGate without a matching policy, and option E because the inspection the question asks for is done by the security profiles attached to that policy.

Exam trap

The trap here is that candidates often assume static routes are always needed for inter-subnet routing, but FortiGate automatically creates connected routes for directly attached subnets, making static routes unnecessary in this scenario.

92
MCQ · medium

A FortiGate administrator notices that the device's disk usage is critically high, causing logging failures. The administrator wants to free up space without losing important logs. Which action should be taken first?

A. Delete all existing log files
B. Configure log compression
C. Disable logging to the local disk
D. Increase the disk retention period
Answer: B

Compression reduces file size without deleting logs.

Why this answer

Log compression reduces the size of existing log files on the disk without deleting any data, directly addressing the critically high disk usage while preserving all important logs. This is the safest first step because it reclaims space immediately without risking data loss or altering logging behavior.

Exam trap

The trap here is that candidates may confuse 'increasing retention period' (which makes the problem worse) with 'decreasing retention period' (which would free space but delete logs), or they may think disabling logging is a quick fix without realizing it stops all logging activity.

How to eliminate wrong answers

Option A is wrong because deleting all existing log files would permanently remove important logs, which contradicts the requirement to not lose them. Option C is wrong because disabling logging to the local disk would stop all future logging to the device, potentially losing critical security events, and does not free up space already used. Option D is wrong because increasing the disk retention period would actually cause logs to be kept longer, worsening the disk usage problem rather than solving it.

93
MCQ · hard

An administrator configures a FortiGate in transparent mode to be deployed between a router and a switch. After installation, traffic passes through but the administrator cannot access the FortiGate's management IP from the management network. What is the MOST likely reason?

A. The management IP is not in the same subnet as the management network.
B. Transparent mode does not support management access; only NAT/Route mode does.
C. The FortiGate's firewall policy blocks management traffic even in transparent mode.
D. The administrator must configure a management VLAN interface to access the FortiGate.
Answer: A

In transparent mode, the management IP must be in the same subnet as the management network to be reachable; otherwise, the FortiGate will not respond to management traffic.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge, and its management IP must belong to the same subnet as the management network to be reachable. If the management IP is on a different subnet, the FortiGate will not respond to management traffic because it does not route between subnets in transparent mode; it only forwards traffic at Layer 2.

Exam trap

The trap here is that candidates often assume transparent mode disables all management access or requires special VLANs, when the real issue is simply a subnet mismatch between the management IP and the management network.

How to eliminate wrong answers

Option B is wrong because transparent mode fully supports management access through a dedicated management IP; the address is used only to reach the device, not for routing. Option C is wrong because management access is controlled by the administrative access settings (HTTPS, SSH and so on) on the interfaces, not by firewall policies; no default policy blocks it in transparent mode. Option D is wrong because no VLAN interface is needed: in transparent mode the management address is a single per-VDOM setting ('config system settings', 'set manageip <ip/mask>') rather than an interface IP, and it only has to sit in the subnet of the management network that reaches the bridged interfaces.

94
Multi-Select · hard

A FortiGate administrator is troubleshooting a VPN tunnel that is not coming up. The phase 1 parameters match on both sides. Which three configuration items should the administrator verify?

Select 3 answers
A. NAT traversal is enabled on both sides.
B. The phase 2 proposal matches the remote device.
C. The local and remote interface IP addresses are correctly configured.
D. The pre-shared key is identical on both sides.
E. Firewall policies permit the VPN traffic (UDP 500, 4500).
Answers: C, D, E

Incorrect IPs prevent IKE negotiation.

Why this answer

Option C is correct because the local and remote gateway addresses define the tunnel endpoints: IKE negotiation is sent from the configured local interface to the configured remote address, so a wrong address means the proposals never reach the peer no matter how well they match. On the FortiGate, 'diagnose vpn ike gateway list' shows the addresses actually in use, and 'diagnose debug application ike -1' followed by 'diagnose debug enable' shows whether IKE packets are leaving and whether any reply arrives.

Exam trap

The trap here is that candidates often focus only on phase 1 parameters like encryption and authentication, forgetting that basic connectivity items like interface IPs, pre-shared keys, and firewall rules are equally critical for the tunnel to come up.

95
MCQ · medium

An administrator configures a policy route to direct traffic from subnet 10.1.1.0/24 to the internet via ISP1 with a gateway of 203.0.113.1. However, traffic from that subnet is still using the default route via ISP2. What is the MOST likely cause?

A. The source interface is not specified in the policy route
C. The policy route's destination is set to 'all' which conflicts with the default route
D. The policy route is configured after the default route in the routing table
Answer: A

Policy routes require a source interface to match. If not set, the policy route may not apply.

Why this answer

Policy routes are matched on the incoming interface together with the source, destination, protocol and port criteria, and the first matching entry in the list wins. If the incoming interface on the policy route is not set, or names an interface other than the one on which the 10.1.1.0/24 traffic actually arrives, the entry does not match; the lookup then falls through to the routing table and the default route via ISP2 is used.

Exam trap

The trap here is that candidates assume policy routes are evaluated after the routing table or that administrative distance affects policy route matching, when in fact policy routes are processed first and require explicit source interface matching.

How to eliminate wrong answers

Option B is wrong because administrative distance is a property of static routes, not policy routes; policy routes are evaluated before the routing table lookup, so a lower administrative distance on the default route does not override a matching policy route. Option C is wrong because setting the destination to 'all' in a policy route means it matches any destination, which does not conflict with the default route; the issue is the missing source interface, not the destination. Option D is wrong because policy routes are not ordered in the routing table; they are evaluated in the order they appear in the policy route list, and the default route is only consulted if no policy route matches.
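The forwarding order that questions 79 and 95 turn on, as an added example with a constructed topology (not FortiOS code and not from the exam page): policy routes are tried first, in list order, and only an entry whose incoming interface, source and destination all match is used; otherwise the destination is looked up in the routing table by longest prefix. The interface names, addresses and routes below are assumptions. FortiOS additionally skips a policy route when the routing table has no route to the destination via the policy route's output interface; that check is left out here.

```python
"""Simulate FortiGate forwarding order: policy routes first, in list order,
then a longest-prefix lookup in the routing table.

Added example with a constructed topology; not FortiOS code. A destination-
only static route is honoured by the table lookup, while a policy route is
honoured only when its incoming interface, source and destination all match
the packet. FortiOS also skips a policy route when the routing table has no
route to the destination via the policy route's output interface; that
check is omitted here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class PolicyRoute:
    input_device: str            # incoming interface ('set input-device')
    src: str = "0.0.0.0/0"       # 'set src'
    dst: str = "0.0.0.0/0"       # 'set dst'
    output_device: str = ""      # 'set output-device'
    gateway: str = ""            # 'set gateway'


@dataclass
class StaticRoute:
    dst: str
    device: str
    gateway: str
    distance: int = 10


def lookup_policy(pkt: dict, policy_routes: list):
    """First policy route whose input device, src and dst all match wins."""
    for pr in policy_routes:
        if (pr.input_device == pkt["in_if"]
                and ip_address(pkt["src"]) in ip_network(pr.src)
                and ip_address(pkt["dst"]) in ip_network(pr.dst)):
            return pr
    return None


def lookup_table(dst: str, routes: list):
    """Longest prefix wins; among equal prefixes the lowest distance wins."""
    candidates = [r for r in routes if ip_address(dst) in ip_network(r.dst)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ip_network(r.dst).prefixlen, -r.distance))


def forward(pkt: dict, policy_routes: list, routes: list) -> tuple:
    """Return (egress interface, gateway, reason) for one packet."""
    pr = lookup_policy(pkt, policy_routes)
    if pr is not None:
        return pr.output_device, pr.gateway, "policy route"
    rt = lookup_table(pkt["dst"], routes)
    if rt is None:
        return None, None, "no route"
    return rt.device, rt.gateway, f"routing table ({rt.dst})"


# Constructed topology: default route via ISP2 on wan2, plus the /24 from Q79 via port3.
ROUTES = [
    StaticRoute("0.0.0.0/0", "wan2", "198.51.100.1"),
    StaticRoute("10.10.10.0/24", "port3", "192.168.3.1"),
]
# Q95: the LAN is actually on port2; the first policy route names port1 by mistake.
PR_WRONG_INPUT = [PolicyRoute("port1", "10.1.1.0/24", output_device="wan1", gateway="203.0.113.1")]
PR_CORRECT = [PolicyRoute("port2", "10.1.1.0/24", output_device="wan1", gateway="203.0.113.1")]
PKT_LAN_TO_INTERNET = {"in_if": "port2", "src": "10.1.1.5", "dst": "192.0.2.10"}
PKT_TO_10_10_10 = {"in_if": "port2", "src": "10.1.1.5", "dst": "10.10.10.7"}


if __name__ == "__main__":
    print(forward(PKT_LAN_TO_INTERNET, PR_WRONG_INPUT, ROUTES))  # falls through to wan2
    print(forward(PKT_LAN_TO_INTERNET, PR_CORRECT, ROUTES))      # wan1 via policy route
    print(forward(PKT_TO_10_10_10, [], ROUTES))                   # port3, longest prefix
```

The same packet with a policy route whose incoming interface is wrong lands on ISP2, and with the interface corrected lands on ISP1, which is the symptom question 95 describes; with no policy route at all, the /24 static route from question 79 is picked over the default route by prefix length.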

96
MCQmedium

A FortiGate is configured with two equal-cost static default routes via two ISPs. The administrator wants to use both links simultaneously for outbound traffic, distributing sessions per source-destination pair. Which ECMP load balancing method should be configured under config system settings?

A.weighted-round-robin
B.vip-inbound-grpc
C.spillover
D.source-destination-ip
AnswerD

Correct method to distribute sessions per source-destination IP pair.

Why this answer

The source-destination-ip method under ECMP load balancing distributes sessions based on both source and destination IP addresses, ensuring that all packets belonging to the same session (same source-destination pair) are forwarded via the same path. This meets the requirement of using both links simultaneously for outbound traffic while maintaining per-session consistency.

Exam trap

The trap here is that candidates often confuse ECMP load balancing methods with general load balancing techniques, mistakenly selecting weighted-round-robin because it sounds like a standard load balancing algorithm, but it does not guarantee per-source-destination pair distribution in FortiGate's ECMP context.

How to eliminate wrong answers

Option A (weighted-round-robin) is wrong because it distributes sessions in a round-robin fashion based on weights, not per source-destination pair, which can cause session asymmetry. Option B (vip-inbound-grpc) is wrong because it is not an ECMP load balancing method; it relates to gRPC-based VIP configuration for inbound traffic. Option C (spillover) is wrong because it forwards traffic to a secondary link only when the primary link's bandwidth threshold is exceeded, not for simultaneous use of both links.

97
MCQhard

An admin runs `diagnose sys session filter dport 443` and sees the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?

A.The session is a half-open TCP connection
B.The session is a multicast session
C.The session is a UDP session for DNS over HTTPS
D.The session is an established TCP session for HTTPS traffic
AnswerD

Proto=6 is TCP, proto_state=01 means established, and dport 443 is HTTPS.

Why this answer

The output shows `proto=6` (TCP), `proto_state=01` (TCP established), `dport=443` (HTTPS), and a duration/expire indicating an active session. This confirms an established TCP session for HTTPS traffic, making D correct.

Exam trap

The trap here is that candidates may misinterpret `proto_state=01` as a half-open connection (like SYN_SENT) because they confuse the numeric state value with TCP flags, when in fact 01 specifically means ESTABLISHED in FortiGate's session table.

How to eliminate wrong answers

Option A is wrong because `proto_state=01` indicates a fully established TCP connection (state ESTABLISHED), not a half-open connection (which would show a state such as SYN_SENT or 02). Option B is wrong because multicast sessions use UDP (proto=17) or IGMP, not TCP (proto=6), and the output shows a unicast TCP session. Option C is wrong because, although DNS over HTTPS does use TCP port 443, the option describes a UDP session; the output explicitly shows `proto=6` (TCP), not UDP (proto=17), and the session state is a TCP state, so the session cannot be UDP.

98
MCQmedium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A.The web server's certificate is self-signed and FortiGate is rejecting the connection
B.The antivirus profile is configured for flow-based inspection instead of proxy-based
C.SSL/TLS deep inspection is not enabled on the firewall policy
D.The FortiGuard antivirus subscription has expired
AnswerC

HTTPS traffic is encrypted. FortiGate cannot inspect the payload without SSL deep inspection decrypting the TLS session. The antivirus profile therefore requires SSL/TLS deep inspection to be enabled on the policy.

Why this answer

HTTPS traffic is encrypted with SSL/TLS, so an antivirus profile cannot inspect the payload unless the firewall can decrypt the traffic. Even with antivirus enabled in the policy, without SSL/TLS deep inspection (also called SSL inspection or HTTPS decryption), FortiGate only sees encrypted packets and cannot scan for malware. Therefore, the most likely reason is that SSL/TLS deep inspection is not enabled on the firewall policy.

Exam trap

The trap here is that candidates often assume antivirus profiles automatically inspect all traffic, forgetting that encrypted HTTPS requires explicit SSL/TLS decryption before any content inspection can occur.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate does not cause FortiGate to reject the connection by default; it may generate a warning or require an SSL inspection policy to handle untrusted certificates, but the traffic would still be forwarded (and remain unscanned) unless a specific action is configured. Option B is wrong because both flow-based and proxy-based inspection modes support antivirus scanning; the inspection mode affects performance and some features but does not prevent scanning of HTTPS traffic if decryption is configured. Option D is wrong because an expired FortiGuard antivirus subscription would prevent signature updates and might disable real-time scanning, but the traffic would still be inspected (with potentially outdated signatures) unless the license is completely expired and the feature is blocked; the question states antivirus is enabled, so the subscription expiry is not the most likely reason for no scanning at all.

99
MCQhard

During a firmware upgrade, the FortiGate reboots and the administrator cannot access the GUI via HTTPS. The CLI shows the system is running the previous firmware. What is the most likely cause?

A.The firmware image was corrupted during upload.
B.The administrator booted from the wrong partition.
C.The administrator did not perform a factory reset before upgrading.
D.The upgrade failed and the system rolled back to the previous firmware.
AnswerD

FortiGate has a rollback mechanism if the upgrade fails.

Why this answer

Option D is correct because FortiGate firmware upgrades include an automatic rollback mechanism. If the upgrade fails or the new firmware does not boot successfully, the system automatically reverts to the previous firmware partition during the next reboot. The administrator seeing the previous firmware and being unable to access the GUI indicates the upgrade did not complete successfully, triggering this rollback.

Exam trap

The trap here is that candidates may assume a corrupted image (Option A) is the cause, but FortiGate's automatic rollback mechanism masks the corruption by reverting to the previous firmware, making the symptom appear as if the upgrade never took effect.

How to eliminate wrong answers

Option A is wrong because a corrupted firmware image would typically cause the upgrade process to fail before the reboot, or the system would not boot at all; the rollback mechanism is designed to handle such corruption by reverting to the known good partition. Option B is wrong because FortiGate does not have a manual partition selection during boot; the boot process automatically selects the primary partition, and the rollback mechanism controls which partition is active after a failed upgrade. Option C is wrong because a factory reset is not required before a firmware upgrade; upgrades are performed directly on the running configuration, and a factory reset is only recommended for major version jumps or specific scenarios, not as a prerequisite.

100
MCQeasy

An administrator needs to configure a FortiGate to allow remote management via HTTPS from the internet. Which configuration step is required?

A.Create a firewall policy from WAN to LAN with HTTPS service and set action to ACCEPT.
B.Enable SSH access on the WAN interface instead of HTTPS.
C.Enable HTTPS access on the WAN interface and create a firewall policy allowing inbound HTTPS from any to the FortiGate's IP.
D.Configure a port forwarding rule to redirect HTTPS from WAN to the internal management IP.
AnswerC

This allows HTTPS management from the internet by enabling the service on the interface and permitting traffic.

Why this answer

Option C is correct because remote HTTPS management of a FortiGate from the internet requires two steps: enabling HTTPS access on the WAN interface (under config system interface) and creating a firewall policy that allows inbound HTTPS traffic (TCP/443) from any source to the FortiGate's own IP address. Without the explicit policy, the traffic is dropped by the implicit deny rule, even if the interface is configured to listen for HTTPS.

Exam trap

The trap here is that candidates assume enabling HTTPS on the interface alone is sufficient, forgetting that FortiGate still requires an explicit firewall policy to permit inbound traffic to its own IP, as the implicit deny rule blocks all traffic not matched by a policy.

How to eliminate wrong answers

Option A is wrong because a firewall policy from WAN to LAN with HTTPS service would forward management traffic to internal LAN hosts, not to the FortiGate itself, and does not enable the WAN interface to accept HTTPS connections. Option B is wrong because enabling SSH instead of HTTPS does not satisfy the requirement to allow remote management via HTTPS; SSH and HTTPS are separate protocols with different purposes. Option D is wrong because port forwarding is used to redirect traffic to internal servers behind the FortiGate, not to the FortiGate's own management interface; the FortiGate's management IP is directly reachable on the WAN interface when HTTPS access is enabled and a policy is in place.

101
MCQmedium

An administrator needs to allow SSH access to the FortiGate's management interface from a specific management subnet (10.0.1.0/24). Which configuration achieves this?

A.Set the administrative access profile to allow SSH from any IP
B.Configure a firewall policy to allow SSH from 10.0.1.0/24 to the FortiGate
C.Under system admin settings, set the trusted host for the administrator to 10.0.1.0/24 and enable SSH access
D.Create a local-in policy to allow SSH from 10.0.1.0/24
AnswerC

Trusted hosts restrict the source IPs allowed to manage the device.

Why this answer

Option C is correct because the trusted host setting under system admin settings restricts administrative access (including SSH) to only the specified source IP or subnet. By setting the trusted host to 10.0.1.0/24 and enabling SSH access, the FortiGate ensures that only SSH connections originating from that management subnet can reach the management interface. This is the standard method for controlling administrative access to the FortiGate's management plane.

Exam trap

The trap here is that candidates often confuse firewall policies (which control transit traffic) with administrative access controls (which control traffic destined to the FortiGate itself), leading them to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because setting the administrative access profile to allow SSH from any IP would permit SSH connections from all sources, not just the specific management subnet, violating the requirement. Option B is wrong because firewall policies control traffic passing through the FortiGate between interfaces, not traffic destined to the FortiGate itself; administrative access is governed by administrative access settings and trusted hosts, not firewall policies. Option D is wrong because local-in policies are used to filter traffic destined to the FortiGate's own IP addresses, but they are not the primary or recommended method for restricting administrative access; the trusted host setting is the correct and simpler approach for this purpose.

102
MCQmedium

A FortiGate is operating in transparent mode. The admin needs to allow HTTP traffic from users to a web server. Which type of firewall policy is required?

A.A layer 2 firewall policy
B.A policy-based NAT rule
C.A firewall policy using zone-based security
D.A VIP policy to map the web server's public IP
AnswerA

Transparent mode uses layer 2 policies to forward traffic based on VLANs or MAC addresses.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic without routing. To allow HTTP traffic from users to a web server, a Layer 2 firewall policy is required because it filters traffic based on MAC addresses and Layer 2 headers, not IP addresses or routing decisions. This policy type is the only one that works in transparent mode, as it does not involve NAT or routing.

Exam trap

The trap here is that candidates often assume firewall policies always involve IP addresses and routing, but in transparent mode, the FortiGate uses Layer 2 policies that operate at the data link layer, not the network layer.

How to eliminate wrong answers

Option B is wrong because policy-based NAT rules are used in NAT/route mode to translate IP addresses, not in transparent mode where the FortiGate does not perform IP routing or NAT. Option C is wrong because zone-based security policies are applicable in NAT/route mode for grouping interfaces into zones; transparent mode uses Layer 2 policies, not zones. Option D is wrong because VIP policies are used for destination NAT in NAT/route mode to map public IPs to private IPs, which is irrelevant in transparent mode where the FortiGate does not perform IP address translation.

103
MCQmedium

An administrator is configuring a new FortiGate and wants to allow management access from the internal network via HTTPS. The internal interface is port2 with IP 192.168.1.1/24. Which CLI command correctly enables HTTPS administrative access on port2?

A.config firewall policy edit 1 set allowaccess https end
B.config system interface edit port2 set allowaccess https end
C.config system admin edit admin set https enable end
D.config system global set admin-https enable end
AnswerB

This command sequence correctly enters the interface configuration for port2 and enables HTTPS access.

Why this answer

Option B is correct because the `config system interface` command is the proper context to set the `allowaccess` parameter, which controls the administrative protocols (such as HTTPS) permitted on a specific FortiGate interface. By editing port2 and setting `allowaccess https`, the administrator enables HTTPS management access on that interface, allowing internal users to reach the FortiGate's web GUI via 192.168.1.1.

Exam trap

The trap here is that candidates confuse the `allowaccess` parameter (which is set under `config system interface`) with global settings or firewall policies, mistakenly thinking that enabling HTTPS globally or in a policy will grant interface-specific management access.

How to eliminate wrong answers

Option A is wrong because `config firewall policy` is used to define traffic filtering rules between zones, not to enable administrative access on an interface; the `allowaccess` parameter does not exist in firewall policy configuration. Option C is wrong because `config system admin` manages administrator accounts and their permissions, not interface-level protocol access; the `set https enable` command is invalid in this context. Option D is wrong because `config system global` sets global system parameters, and `set admin-https enable` would enable HTTPS for the entire FortiGate, but it does not restrict or allow access on a specific interface like port2; the correct global command for interface-specific access is `set admin-sport` or similar, but the question requires interface-level control.

104
MCQhard

A FortiGate is configured with multiple WAN interfaces and ECMP routing. The administrator notices that traffic to a particular destination is intermittently failing. What is the MOST likely cause?

A.The ECMP routes have different distances.
B.The ECMP load balancing method is set to source-destination IP hash, causing asymmetric routing.
C.The FortiGate's session table is full.
D.The firewall policies are not configured for ECMP.
AnswerB

Asymmetric routing due to hash changes can cause session timeouts if return traffic takes a different path.

Why this answer

When ECMP is configured with the source-destination IP hash load balancing method, traffic for the same session may be sent over different WAN interfaces if the source or destination IP changes mid-session (e.g., due to NAT or asymmetric routing). This causes packets to arrive out of order or be dropped by stateful inspection, leading to intermittent failures. The FortiGate expects all packets in a session to traverse the same interface for proper state tracking.

Exam trap

The trap here is that candidates assume ECMP always works seamlessly with any load balancing method, overlooking that source-destination IP hash can cause asymmetric routing and session disruption when combined with stateful firewalling.

How to eliminate wrong answers

Option A is wrong because ECMP routes must have equal distances to be considered for load balancing; different distances would result in route selection based on distance, not ECMP. Option C is wrong because a full session table would cause all new sessions to fail, not just traffic to a particular destination intermittently. Option D is wrong because firewall policies do not need special ECMP configuration; they apply to traffic regardless of the routing path, and ECMP operates at the routing level, not the policy level.

105
MCQeasy

An administrator needs to back up the FortiGate configuration to a remote server. Which protocol is supported for backup?

AnswerD

TFTP is a supported protocol for backup and restore.

106
MCQhard

A large enterprise is deploying a FortiGate 600F as the perimeter firewall. The security team requires that all administrative access (SSH, HTTPS, and Ping) to the FortiGate must be restricted to a dedicated management network (10.10.10.0/24). Additionally, any failed login attempt from outside the management network should be logged and the source IP should be blocked for 30 minutes. The administrator has configured a local-in policy to deny all administrative access from non-management networks and enabled logging. However, the administrator wants to automatically block the offending IPs. The FortiGate is not connected to any FortiAnalyzer or FortiManager. What should the administrator do to achieve this?

A.Create an automation stitch that triggers on local-in policy logging and adds the source IP to a blocked list via CLI script.
B.Use a FortiAnalyzer to generate alerts and send to SIEM.
C.Configure a firewall policy to block the offending IPs manually based on logs.
D.Enable 'set block-session-ttl' on the local-in policy.
AnswerA

Automation stitch can execute a script to block the IP.

Why this answer

Option A is correct because an automation stitch can directly react to local-in policy log events by executing a CLI script that adds the offending source IP to a local banned user list (e.g., via `diagnose user banned-ip add`). This provides automatic, immediate blocking without requiring external devices like FortiAnalyzer, and the 30-minute duration can be set via the ban-time parameter in the script or the local-in policy's block-session-ttl.

Exam trap

The trap here is that candidates confuse 'block-session-ttl' (which only controls session timeout for already-blocked traffic) with automatic IP banning, or assume external devices like FortiAnalyzer are required when the FortiGate's automation stitch can handle the task locally.

How to eliminate wrong answers

Option B is wrong because the FortiGate is not connected to any FortiAnalyzer or FortiManager, so it cannot rely on external devices to generate alerts or forward logs to a SIEM. Option C is wrong because manually blocking IPs based on logs is not automatic and does not meet the requirement for automatic blocking; it also contradicts the need for a real-time response. Option D is wrong because 'set block-session-ttl' on a local-in policy only controls the session timeout for blocked traffic, not the automatic addition of source IPs to a banned list; it does not trigger a dynamic block action.

107
Drag & Dropmedium

Drag and drop the steps to troubleshoot a user unable to access the internet through FortiGate into the correct order.

Why this order

Troubleshooting follows a logical flow: policy, NAT, routing, packet capture, then logs.

108
MCQmedium

Refer to the exhibit. The administrator notices that traffic from internal to wan1 is being logged, but the logs do not show the original source IP. What is the most likely reason?

A.The schedule is set to 'always', causing no time-based logging.
B.NAT is enabled, so the source IP is replaced with the public IP.
C.Logging is set to 'all' but only 'utma' events are logged.
D.The policy action is 'accept' without authentication.
AnswerB

NAT hides the original source IP.

Why this answer

When NAT is enabled on a FortiGate policy, the source IP of internal traffic is translated to the public IP of the FortiGate's WAN interface before the packet is logged. Since logging occurs after NAT processing, the log entries will show the translated (public) IP instead of the original internal source IP. This is the most likely reason the administrator sees logs without the original source IP.

Exam trap

The trap here is that candidates may think logging settings or policy actions (like authentication) affect the source IP in logs, when in fact NAT translation is the direct cause of the original source IP being replaced.

How to eliminate wrong answers

Option A is wrong because the schedule being set to 'always' means the policy is always active, but it does not affect whether the original source IP is logged; it only controls when the policy is enforced. Option C is wrong because 'utma' events refer to user authentication events, not traffic logging; setting logging to 'all' would log all sessions, but the source IP would still be replaced if NAT is enabled. Option D is wrong because the policy action being 'accept' without authentication simply allows traffic without requiring user authentication; it does not cause the source IP to be hidden in logs.

109
MCQmedium

An administrator configures a policy route to send all traffic from subnet 172.16.1.0/24 to a specific next-hop 10.0.0.2. However, the traffic is still using the default route. What could be the reason?

A.The policy route has a lower priority than the default route.
B.The policy route does not have a destination interface set.
C.The policy route must be configured before the default route.
D.The source subnet is not correctly defined in the policy route.
AnswerA

Why this answer

Policy routes in FortiGate are evaluated based on their priority value, where a lower number indicates higher priority. If the policy route has a higher priority value (e.g., 10) than the default route (which is implicitly 0), the default route will be preferred. The administrator must ensure the policy route's priority is lower than the default route's priority to override it.

Exam trap

The trap here is that candidates often assume policy routes automatically override static routes, but FortiGate uses a priority-based selection where the default route's implicit priority of 0 can supersede a policy route with a higher priority value.

How to eliminate wrong answers

Option B is wrong because a destination interface is not mandatory for a policy route to function; the route can be matched based on source and next-hop alone. Option C is wrong because FortiGate does not require policy routes to be configured before static routes; they are evaluated independently based on priority, not order of configuration. Option D is wrong because if the source subnet were incorrectly defined, the traffic would not match the policy route at all, but the symptom described is that traffic is using the default route, indicating the policy route exists but is not being selected due to priority.

110
MCQeasy

A network administrator needs to configure a FortiGate to allow HTTPS access to the GUI from the internal network. Which two steps must be performed?

A.Create a firewall policy that permits HTTPS traffic from internal to the FortiGate interface IP.
B.Enable HTTPS administrative access on the internal interface.
C.Disable HTTP administrative access on the internal interface.
D.Enable SSH administrative access on the internal interface.
AnswerA, B

A policy is required to allow the traffic to reach the FortiGate.

Why this answer

Option A is correct because a firewall policy must explicitly permit HTTPS traffic (TCP/443) from the internal network to the FortiGate's interface IP to allow GUI access. Option B is correct because HTTPS administrative access must be enabled on the internal interface via the CLI or GUI; without this, the FortiGate will not listen for HTTPS connections on that interface, even if a firewall policy exists.

Exam trap

The trap here is that candidates often think enabling HTTPS access on the interface alone is sufficient, forgetting that a firewall policy is also required to permit the traffic, or they mistakenly believe disabling HTTP is a prerequisite for HTTPS.

How to eliminate wrong answers

Option C is wrong because disabling HTTP administrative access is not a required step for allowing HTTPS GUI access; it is an optional security hardening step. Option D is wrong because SSH administrative access is used for CLI management, not GUI access, and enabling it does not affect HTTPS GUI connectivity.

111
MCQeasy

A FortiGate administrator needs to configure a static route to reach a remote network 192.168.100.0/24 via next-hop 10.0.0.1. Which CLI command should be used?

A.config network route edit 1 set ip 192.168.100.0 255.255.255.0 set gateway 10.0.0.1 end
B.config router static edit 1 set dst 192.168.100.0 255.255.255.0 set gateway 10.0.0.1 next end
C.config route static edit 1 set destination 192.168.100.0/24 set next-hop 10.0.0.1 end
D.config router static edit 1 set dst 192.168.100.0/24 set next-hop 10.0.0.1 end
AnswerB

Why this answer

Option B is correct because it uses the proper FortiGate CLI syntax for configuring a static route. The command 'config router static' enters the static route configuration context, and 'set dst' specifies the destination network with a subnet mask (not CIDR notation), while 'set gateway' defines the next-hop IP address. This matches the FortiGate CLI structure for static routes.

Exam trap

The trap here is that candidates familiar with Cisco IOS may use 'set destination' or 'set next-hop' (similar to Cisco's 'ip route' command) or CIDR notation, but FortiGate requires 'set dst' with a subnet mask and 'set gateway' for the next-hop, testing knowledge of vendor-specific CLI syntax.

How to eliminate wrong answers

Option A is wrong because 'config network route' is not a valid FortiGate CLI command; FortiGate uses 'config router static' for static route configuration. Option C is wrong because 'config route static' is incorrect syntax; the correct command is 'config router static', and 'set destination' and 'set next-hop' are not valid parameters (FortiGate uses 'set dst' and 'set gateway'). Option D is wrong because while it uses the correct 'config router static' command, it incorrectly uses CIDR notation '192.168.100.0/24' with 'set dst'; FortiGate requires a subnet mask in dotted decimal format (e.g., 255.255.255.0) for the destination.

112
MCQhard

A FortiGate has two internet connections: port1 (ISP1) and port2 (ISP2). An administrator configures two static default routes with equal distance and priority. Traffic to a specific public IP is observed going out port1, but the admin wants it to go out port2. What should be configured?

A.Use ECMP with source-based hashing
B.Configure a policy route to direct the specific destination to port2
C.Increase the administrative distance of the default route on port1
D.Configure a blackhole route
AnswerB

Policy routing allows granular control.

Why this answer

Policy routes (also called PBR) override the routing table for specific traffic matches. Since both default routes have equal distance and priority, the FortiGate uses ECMP or the route with the lowest cost by default. A policy route can match the specific destination IP and force the traffic out port2, bypassing the routing table lookup.

Exam trap

The trap here is that candidates assume ECMP or route metrics can selectively steer a single destination, but policy routing is the only method that overrides the routing table for specific traffic without affecting other flows.

How to eliminate wrong answers

Option A is wrong because ECMP with source-based hashing distributes traffic across multiple paths based on source IP, not destination; it would not force a specific destination to a single egress. Option C is wrong because increasing the administrative distance of the default route on port1 would make it less preferred for all traffic, not just the specific destination, breaking load balancing. Option D is wrong because a blackhole route discards traffic matching the destination, preventing it from reaching the public IP entirely.

113
MCQeasy

A FortiGate administrator needs to allow SSH management access from a specific IP address 10.0.0.100. Which configuration is required?

A.Enable SSH on the WAN interface and allow all IPs
B.Set the trusted host for the admin account to 10.0.0.100
C.Configure an access list on the upstream router
D.Create a firewall policy allowing SSH from 10.0.0.100 to the FortiGate
AnswerB

Trusted hosts restrict management access to specified IPs.

Why this answer

Option B is correct because FortiGate uses the 'trusted host' feature to restrict administrative access to specific source IP addresses. By setting the trusted host to 10.0.0.100 for the admin account, only that IP can initiate SSH sessions to the FortiGate management interface, regardless of which interface SSH is enabled on.

Exam trap

The trap here is that candidates often confuse firewall policies (which control transit traffic) with administrative access controls (which control traffic destined to the FortiGate itself), leading them to incorrectly select option D.

How to eliminate wrong answers

Option A is wrong because enabling SSH on the WAN interface and allowing all IPs would permit SSH access from any source, violating the requirement to restrict access to 10.0.0.100 only. Option C is wrong because configuring an access list on the upstream router is an external network control and does not enforce FortiGate's own administrative access restrictions; the FortiGate itself must be configured to limit management access. Option D is wrong because firewall policies control traffic passing through the FortiGate, not traffic destined to the FortiGate itself; management access is governed by administrative access settings and trusted hosts, not by firewall policies.

114
MCQeasy

Which FortiGate operating mode allows the device to act as a transparent layer 2 bridge, forwarding traffic without performing NAT or routing?

A.Transparent mode
B.HA mode
C.VDOM mode
D.NAT/Route mode
AnswerA

Transparent mode acts as a layer 2 bridge.

Why this answer

Transparent mode is the correct answer because in this mode, FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses without performing Network Address Translation (NAT) or routing. The device does not have an IP address on its interfaces for forwarding decisions, making it invisible to the network at Layer 3.

Exam trap

The trap here is that candidates often confuse 'transparent mode' with 'VDOM mode' because VDOMs can be configured in transparent mode, but VDOM mode itself is a virtualization feature, not the operating mode that defines Layer 2 bridging behavior.

How to eliminate wrong answers

Option B (HA mode) is wrong because High Availability mode is a clustering configuration for redundancy and failover, not an operating mode that changes the device's Layer 2 or Layer 3 forwarding behavior. Option C (VDOM mode) is wrong because Virtual Domain mode is a virtualization feature that allows partitioning a single FortiGate into multiple logical firewalls, each operating in its own mode (transparent or NAT/route), but it does not inherently make the device a transparent bridge. Option D (NAT/Route mode) is wrong because this is the default Layer 3 operating mode where the FortiGate performs routing and NAT, acting as a router with IP addresses on interfaces, which is the opposite of transparent bridging.

115
MCQmedium

You notice that the FortiGate HA cluster is not failing over when the primary unit loses power. The HA configuration shows 'set ha-priority 250' on the primary and 'set ha-priority 200' on the secondary. What is the most likely cause?

A.The secondary unit has a lower priority, so it never takes over
B.The password for HA synchronization is incorrect
C.The session pickup feature is disabled
D.The HA heartbeat interface is not configured correctly or is down
AnswerD

If the heartbeat fails while the primary is still reachable via management, split-brain may occur; failover itself depends on heartbeat monitoring detecting the loss of the peer.

Why this answer

The most likely cause is that the HA heartbeat interface is not configured correctly or is down (Option D). FortiGate HA relies on heartbeat packets exchanged over dedicated or VLAN interfaces to monitor peer status. If the heartbeat interface fails, the secondary unit cannot detect the primary's loss of power, so no failover occurs regardless of priority settings.

The HA priority values (250 vs. 200) are valid and would normally cause the primary to be elected as the active unit, but a broken heartbeat link prevents failover detection.

Exam trap

The trap here is that candidates often assume priority values alone determine failover behavior, but FortiGate HA failover requires a working heartbeat link to detect peer failure; without it, even a complete power loss goes unnoticed.

How to eliminate wrong answers

Option A is wrong because the secondary unit's lower priority (200) does not prevent it from taking over; in fact, when the primary fails, the secondary with the next highest priority becomes active. Option B is wrong because an incorrect HA synchronization password would cause configuration sync failures, not a failure to detect a power loss and trigger failover. Option C is wrong because session pickup (or session failover) is a feature for preserving active sessions during failover, not a requirement for the failover itself to occur.

116
Multi-Selectmedium

A network administrator has two FortiGate units that need to be configured as an HA cluster. Which TWO of the following are prerequisites for HA formation?

Select 2 answers
A.Both units must have the same FortiOS firmware version.
B.Both units must have the same hostname.
C.The HA heartbeat interface must be on the same Layer 2 network.
D.Both units must be in NAT/Route mode.
E.The HA priority must be set to 0 on both units.
AnswersA, C

Why this answer

Option A is correct because FortiGate HA clusters require all members to run the exact same FortiOS firmware version to ensure protocol compatibility and configuration synchronization. Mismatched firmware versions can cause cluster instability, failover failures, or split-brain scenarios, as the HA heartbeat protocol relies on consistent state machine behavior across units.

Exam trap

The trap here is that candidates often assume hostnames must match (Option B) because they confuse HA synchronization with general network device clustering, but FortiGate actually overwrites hostnames during sync, making mismatched hostnames irrelevant as a prerequisite.

117
Multi-Selectmedium

An administrator is configuring a loopback interface on a FortiGate for management purposes. Which three statements are true about loopback interfaces? (Choose three.)

Select 3 answers
A.Multiple loopback interfaces can be created.
B.A loopback interface is always up regardless of physical link status.
C.A loopback interface can be used as the source IP for management traffic.
D.Loopback interfaces support VLAN tagging.
E.A loopback interface requires a physical port to be associated.
AnswersA, B, C

FortiGate supports multiple loopback interfaces.

Why this answer

Option A is correct because FortiGate allows the creation of multiple loopback interfaces (up to 16, depending on the model) for various purposes such as management, routing, or VPN termination. Each loopback interface is a virtual interface that does not depend on any physical port, providing flexibility in network design.

Exam trap

The trap here is that candidates may confuse loopback interfaces with sub-interfaces or VLAN interfaces, incorrectly assuming they support VLAN tagging or require a physical port, when in fact loopback interfaces are purely logical and independent of hardware.

118
MCQeasy

Which command is used to back up the full FortiGate configuration including all settings and objects?

A.execute backup config
B.execute backup full-config
C.config backup tftp
D.system backup configuration
AnswerA

This command backs up the full configuration.

Why this answer

The 'execute backup config' command is the correct method to back up the full FortiGate configuration, including all settings and objects, to a TFTP or FTP server. This command exports the entire running configuration in a text format that can be restored later. It is the standard CLI command for a complete configuration backup.

Exam trap

The trap here is that candidates may confuse the correct command with similar-sounding but invalid options like 'execute backup full-config' or 'config backup tftp', or assume a 'system' subcommand exists for backups, when FortiGate uses the 'execute' command structure for operational tasks.

How to eliminate wrong answers

Option B is wrong because 'execute backup full-config' is not a valid FortiGate CLI command; the correct syntax uses 'config', not 'full-config'. Option C is wrong because 'config backup tftp' is not a valid command; the correct command uses 'execute backup config tftp' to specify the protocol. Option D is wrong because 'system backup configuration' is not a valid CLI command; FortiGate uses 'execute backup config' for configuration backups, not a 'system' subcommand.

119
MCQeasy

An administrator needs to back up the FortiGate configuration to a TFTP server at 10.0.0.10. Which command should be used?

A.tftp -p -l mybackup.conf 10.0.0.10
B.execute backup config tftp mybackup.conf 10.0.0.10
C.execute backup config ftp mybackup.conf 10.0.0.10
D.copy config tftp://10.0.0.10/mybackup.conf
AnswerB

This is the correct syntax for TFTP backup.

Why this answer

The correct command to back up a FortiGate configuration to a TFTP server is 'execute backup config tftp <filename> <server-ip>'. This is a standard FortiOS CLI command that uses TFTP (Trivial File Transfer Protocol) to transfer the configuration file to the specified server at 10.0.0.10. Option B matches this syntax exactly.

Exam trap

The trap here is that candidates may confuse the FortiGate CLI syntax with a standard TFTP client command (Option A) or mistakenly use 'ftp' (Option C) instead of 'tftp', overlooking the specific protocol required by the server.

How to eliminate wrong answers

Option A is wrong because 'tftp -p -l mybackup.conf 10.0.0.10' is a client-side TFTP command used on a Linux/Windows host, not a FortiGate CLI command; FortiGate does not support raw TFTP client commands. Option C is wrong because it specifies 'ftp' instead of 'tftp', which would attempt an FTP transfer, not TFTP, and the server at 10.0.0.10 is a TFTP server, not an FTP server. Option D is wrong because 'copy config tftp://10.0.0.10/mybackup.conf' is not a valid FortiOS CLI command; FortiGate uses 'execute backup' for configuration backups, not a 'copy' command with a URI.

120
MCQhard

A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?

A.An interface is in error-disable state causing CPU interrupts.
B.The firewall policy is misconfigured, causing packet drops.
C.A DDoS attack is overwhelming the CPU.
D.A process such as the IPS engine is stuck in an infinite loop.
AnswerD

A runaway process can consume CPU even without traffic.

Why this answer

When CPU usage remains high (above 80%) with no traffic, the most likely cause is a process stuck in an infinite loop, such as the IPS engine. This is a known software bug or process hang that consumes CPU cycles even without network traffic, and it can be verified using 'diagnose sys top' to identify the offending process.

Exam trap

The trap here is that candidates often associate high CPU with external attacks or configuration errors, but the key clue 'with no traffic' eliminates those options, pointing instead to an internal process malfunction.

How to eliminate wrong answers

Option A is wrong because an interface in error-disable state would cause link flaps or port shutdown, generating CPU interrupts only when traffic is present, not with no traffic. Option B is wrong because a misconfigured firewall policy causing packet drops would only consume CPU when packets are being processed, not when there is zero traffic. Option C is wrong because a DDoS attack requires incoming traffic to overwhelm the CPU; with no traffic, there is no attack vector to cause high CPU usage.

121
MCQeasy

A network administrator is configuring a FortiGate for the first time and needs to enable administrative access via HTTPS from the internal network. Which configuration step is required?

A.Set the administrative access to HTTPS on the internal interface
B.Enable HTTPS on the system global settings
C.Create a firewall policy allowing inbound HTTPS from internal to the FortiGate
D.Configure a static route for the management subnet
AnswerA

The 'set allowaccess' command on the interface enables HTTPS access.

Why this answer

Option A is correct because administrative access to a FortiGate interface is controlled per-interface under the interface configuration. By default, HTTPS access is disabled on all interfaces. To enable administrative HTTPS access from the internal network, you must set the administrative access to HTTPS on the specific internal interface.

This allows the FortiGate to listen for HTTPS management traffic on that interface's IP address.

Exam trap

The trap here is that candidates confuse firewall policies (which control traffic passing through the FortiGate) with local-in policies (which control traffic destined to the FortiGate), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option B is wrong because HTTPS is not enabled globally; it is enabled per-interface under config system interface. The global settings only control the HTTPS port (default 443) and certificate, not the interface-level access. Option C is wrong because firewall policies control traffic passing through the FortiGate, not traffic destined to the FortiGate itself.

Administrative access is governed by the local-in policy, which is implicitly controlled by the interface's administrative access settings. Option D is wrong because a static route is only needed if the management subnet is not directly connected; for the internal network, the FortiGate already has a directly connected route, so no static route is required.

122
MCQhard

A FortiGate administrator is upgrading firmware from version 6.0 to 7.0. The upgrade path requires multiple steps. Which of the following is the recommended method to ensure a successful upgrade?

A.Upgrade to 6.2, then to 6.4, then to 7.0, following the official upgrade path
B.Perform a factory reset after upgrading to 7.0
C.Use the 'execute upgrade-version' command to automatically determine the path
D.Upload and install the 7.0 firmware directly, then restore configuration from backup
AnswerA

Stepwise upgrades ensure compatibility and prevent issues.

Why this answer

FortiGate firmware upgrades must follow a specific path to ensure compatibility of the firmware image, configuration database, and bootloader. Skipping intermediate versions (e.g., 6.2 and 6.4) can cause configuration corruption or boot failure because each major version may change the internal data structures or require a specific bootloader version. The official upgrade path from 6.0 to 7.0 is 6.0 → 6.2 → 6.4 → 7.0, as documented in Fortinet's release notes.

Exam trap

The trap here is that candidates may think a direct upgrade is acceptable because they assume firmware is backward-compatible, or they confuse the 'execute update-now' command with an automatic path resolver, when in fact Fortinet requires strict adherence to the documented upgrade path to prevent bootloader and configuration schema mismatches.

How to eliminate wrong answers

Option B is wrong because performing a factory reset after upgrading to 7.0 does not address the need for a correct upgrade path; it only resets the configuration, but the firmware itself must still be upgraded in the correct sequence to avoid bootloader or database incompatibilities. Option C is wrong because the 'execute upgrade-version' command does not exist; FortiGate uses 'execute update-now' for firmware updates, but there is no automatic path determination command—the administrator must manually follow the documented upgrade path. Option D is wrong because directly uploading and installing 7.0 firmware from 6.0 is not supported; it can result in a failed upgrade or a non-booting unit due to incompatible firmware structures, and restoring a configuration from backup after a direct upgrade may also fail if the configuration format has changed.

123
Multi-Selectmedium

A FortiGate in NAT/Route mode has multiple internal networks. The administrator wants to configure a loopback interface for management access. Which THREE statements about loopback interfaces are correct? (Choose three.)

Select 3 answers
A.The loopback interface must be assigned to a physical port
B.The loopback interface is always up regardless of physical link status
C.The loopback interface can be used as a source IP for management traffic
D.The loopback interface cannot be used for firewall policies
E.The loopback interface participates in routing protocols
AnswersB, C, E

Loopback interfaces are virtual and remain up as long as the FortiGate is running.

Why this answer

Option B is correct because a loopback interface is a logical interface that is not tied to any physical link. It remains in an 'up' state as long as the FortiGate is operational, making it ideal for management access that must be available even if physical ports fail.

Exam trap

The trap here is that candidates often assume loopback interfaces cannot be used in firewall policies or must be tied to a physical port, but FortiGate treats them as fully functional interfaces for both routing and policy enforcement.

124
Multi-Selectmedium

An administrator wants to configure HA on two FortiGate units. Which TWO of the following must match on both units for the cluster to form? (Choose two.)

Select 2 answers
A.HA heartbeat interface configuration
B.License type
C.Management IP addresses
D.Hostname
E.HA mode (active-passive or active-active) and group ID
AnswersA, E

Heartbeat interfaces must be configured consistently.

Why this answer

The HA heartbeat interface configuration must match on both FortiGate units because the heartbeat interface is used for cluster communication, synchronization, and failure detection. If the interfaces designated for heartbeat traffic differ between units, they cannot establish the required Layer 2 adjacency or exchange HA control packets, preventing cluster formation.

Exam trap

The trap here is that candidates often confuse 'must match' with 'must be identical' for management IP addresses or hostnames, but FortiGate HA only requires matching for heartbeat interface configuration and HA mode/group ID, not for administrative identifiers.

125
MCQhard

A FortiGate is configured with two WAN links (port1 and port2) and uses ECMP routing. The administrator wants to ensure that traffic from a specific internal subnet (192.168.10.0/24) always uses port1, while all other traffic uses ECMP. Which configuration should be applied?

A.Create a separate VDOM for 192.168.10.0/24 and route it through port1
B.Create two static routes with equal distances to use ECMP, and add a policy route for 192.168.10.0/24 with outgoing interface port1
C.Configure a VIP to translate 192.168.10.0/24 to an IP on port1
D.Use a firewall policy to change the route based on source
AnswerB

Policy routes can match source IP and force a specific egress interface.

Why this answer

Policy routes override the routing table for matching traffic, allowing you to force traffic from 192.168.10.0/24 out port1 while ECMP handles all other traffic. ECMP distributes traffic across multiple equal-cost routes, but a policy route takes precedence over the routing table for specified traffic. This meets the requirement without disrupting ECMP for other traffic.

Exam trap

The trap here is confusing firewall policies with routing decisions; candidates often think a firewall policy can change the outgoing interface, but it only controls access, not the path traffic takes through the network.

How to eliminate wrong answers

Option A is wrong because creating a separate VDOM for a single subnet is overkill and introduces administrative overhead; VDOMs are for multi-tenant isolation, not simple source-based routing. Option C is wrong because a VIP translates destination IPs, not source subnets, and does not control outbound interface selection. Option D is wrong because firewall policies do not change routes; they match traffic and apply actions like allow/deny, but routing decisions are made by the routing table or policy routes.

126
MCQmedium

An administrator wants to back up the FortiGate configuration to a remote FTP server. Which command should be used?

A.execute restore config ftp <filename> <server>
B.copy running-config startup-config
C.execute backup system ftp <filename> <server>
D.execute backup config ftp <filename> <server>
AnswerD

This is the correct syntax.

Why this answer

Option D is correct because the `execute backup config ftp` command is the specific FortiGate CLI command designed to back up the configuration file to a remote FTP server. This command directly initiates an FTP transfer of the current system configuration, ensuring the backup is stored externally for disaster recovery.

Exam trap

The trap here is confusing the `backup` and `restore` commands, or using a Cisco-style command like `copy running-config startup-config`, which is not valid on FortiGate devices.

How to eliminate wrong answers

Option A is wrong because `execute restore config ftp` is used to restore a configuration from an FTP server, not to back up. Option B is wrong because `copy running-config startup-config` is a Cisco IOS command for saving the running configuration to NVRAM, not a FortiGate command for backing up to an FTP server. Option C is wrong because `execute backup system ftp` is not a valid FortiGate command; the correct syntax uses `config` to specify the configuration file, not `system`.

127
Multi-Selectmedium

A FortiGate administrator needs to allow SNMP monitoring from a management station at 10.10.10.50. Which TWO configuration steps are required? (Choose two.)

Select 2 answers
A.Enable SNMP agent globally
B.Configure an SNMP community with read-only access and restrict access to 10.10.10.50
C.Configure an SNMP trap to send alerts to 10.10.10.50
D.Enable SNMP on the interface connected to the management station
E.Configure a firewall policy allowing SNMP from the management station
AnswersA, B

The SNMP agent must be enabled to respond to queries.

Why this answer

Option A is correct because the SNMP agent must be globally enabled on the FortiGate before any SNMP queries can be processed. Option B is correct because an SNMP community with read-only access defines the authentication and access control parameters, and restricting it to 10.10.10.50 ensures only that management station can poll the device.

Exam trap

The trap here is that candidates often confuse SNMP monitoring (polling) with SNMP traps, or mistakenly think a firewall policy is needed for local management traffic, when in fact SNMP agent access is controlled entirely by the community configuration and the global enable setting.

128
Multi-Selecthard

You are troubleshooting a FortiGate HA cluster that is not failing over correctly. The cluster has two units in active-passive mode. You check the HA status and see both units are in 'standalone' mode. Which THREE configurations could cause this? (Choose three.)

Select 3 answers
A.The FortiGate is configured in transparent mode
B.The HA group ID is different on each unit
C.The firmware versions are different but both are 7.0.x
D.The HA heartbeat interface is down on one unit
E.The HA password is different on each unit
AnswersB, D, E

Group ID must match for cluster formation.

Why this answer

Option B is correct because the HA group ID must match on all cluster members for them to recognize each other as part of the same cluster. If the group IDs differ, each unit will operate independently in standalone mode, as they cannot form a common HA session.

Exam trap

The trap here is that candidates often overlook the HA password requirement or assume transparent mode disables HA, but FortiGate supports HA in all operational modes, and password mismatches are a common misconfiguration.

129
Multi-Selectmedium

An administrator is configuring ECMP (Equal-Cost Multi-Path) on a FortiGate. Which TWO conditions are required for ECMP to load balance traffic across multiple routes?

Select 2 answers
A.Routes must use different next-hop IP addresses
B.Routes must have the same priority setting
C.Routes must have the same administrative distance
D.Routes must be static routes only
E.Routes must be through different interfaces
AnswersB, C

Priority must also be equal.

Why this answer

Option B is correct because ECMP requires that multiple routes have the same priority (also known as 'distance' in some contexts) to be considered equal-cost. In FortiGate, priority is a metric that determines route preference; only routes with identical priority can be used simultaneously for load balancing. Option C is also correct because administrative distance must be the same for routes to be considered equal; if administrative distances differ, the route with the lower distance is preferred, and ECMP will not apply.

Exam trap

The trap here is that candidates often confuse 'priority' with 'administrative distance' or assume ECMP requires different next-hop IPs, but FortiGate actually requires both priority and administrative distance to be identical, and next-hop IPs can be the same if interfaces differ.

130
MCQmedium

An administrator needs to forward logs from a FortiGate to a FortiAnalyzer for centralized logging. The FortiAnalyzer IP is 10.10.10.10. Which configuration is required on the FortiGate?

A.config system central-management set type fortianalyzer set ip 10.10.10.10 end
B.config log setting set fortianalyzer ip 10.10.10.10 end
C.config log syslogd setting set server 10.10.10.10 end
D.config log fortianalyzer setting set status enable set server 10.10.10.10 end
AnswerD

This correctly enables FortiAnalyzer logging and sets the server IP.

Why this answer

Option D is correct because the FortiGate uses the `config log fortianalyzer setting` command to configure direct logging to a FortiAnalyzer. This command enables the log forwarding feature (`set status enable`) and specifies the FortiAnalyzer's IP address (`set server 10.10.10.10`). The other options either use incorrect command paths or are intended for different logging destinations (e.g., syslog or central management).

Exam trap

The trap here is that candidates confuse the `config log fortianalyzer setting` command with the `config system central-management` command (used for FortiManager) or the syslog configuration, leading them to select options that configure the wrong service or miss the required `set status enable` step.

How to eliminate wrong answers

Option A is wrong because `config system central-management` is used for centralized management (e.g., FortiManager), not for log forwarding to FortiAnalyzer. Option B is wrong because `config log setting` is a global log configuration context, but the correct subcommand for FortiAnalyzer is `config log fortianalyzer setting`, not a direct `set fortianalyzer ip` syntax. Option C is wrong because `config log syslogd setting` configures syslog forwarding, which uses a different protocol (UDP/TCP syslog) and is not the native FortiAnalyzer logging method.

131
Multi-Selectmedium

An admin needs to configure a FortiGate to send logs to a FortiAnalyzer. Which TWO steps must be performed? (Choose two.)

Select 2 answers
A.Set the log aggregation interval
B.Configure SNMP trap destinations
C.Create a firewall policy to allow traffic to FortiAnalyzer
D.Configure the FortiAnalyzer IP under config system log-fortianalyzer
E.Enable logging to FortiAnalyzer using the 'set status enable' command under the same configuration
AnswersD, E

This is where the FortiAnalyzer server address is set.

Why this answer

Option D is correct because the FortiGate must be configured with the FortiAnalyzer IP address under the `config system log-fortianalyzer` hierarchy to establish the logging destination. Option E is correct because after setting the IP, the `set status enable` command must be issued to activate log forwarding to that FortiAnalyzer; without this, no logs are sent even if the IP is configured.

Exam trap

The trap here is that candidates often think a firewall policy is required to allow outbound log traffic, but FortiGate management traffic (including logs to FortiAnalyzer) bypasses the firewall policy engine and is controlled solely by the management VDOM or system settings.

132
MCQeasy

An administrator has configured two FortiGate units in an active-passive HA cluster. The primary unit fails. How does the secondary unit become active?

A.The secondary unit detects loss of heartbeat from the primary and takes over
B.The administrator must manually reboot the secondary unit
C.The secondary unit becomes active only if the heartbeat link is also down
D.The secondary unit waits for a configuration change before becoming active
AnswerA

Heartbeat monitoring triggers failover when primary is unreachable.

Why this answer

In an active-passive HA cluster, the secondary unit monitors the primary unit's health via heartbeat messages. When the primary fails and stops sending heartbeats, the secondary unit detects the loss of heartbeat and initiates a failover, transitioning to the active role. This is the default behavior in FortiGate HA, where the secondary unit does not require manual intervention or additional conditions to become active.

Exam trap

The trap here is that candidates may think the secondary unit requires the heartbeat link to be down or manual intervention to become active, but FortiGate HA automatically promotes the secondary unit upon detecting the primary's failure via heartbeat loss.

How to eliminate wrong answers

Option B is wrong because FortiGate HA is designed for automatic failover; the administrator does not need to manually reboot the secondary unit, as that would defeat the purpose of high availability. Option C is wrong because the secondary unit becomes active when the primary fails, regardless of whether the heartbeat link is also down; the heartbeat link being down alone would not trigger a failover if the primary is still active. Option D is wrong because the secondary unit does not wait for a configuration change; it becomes active based on the failure detection, and configuration synchronization occurs after the failover.

133
MCQhard

An administrator configures a policy route to send all traffic from a specific subnet to a different next-hop. However, traffic from that subnet is still using the default route. Which configuration could be causing this?

A.The firewall policy denies the traffic before policy routing
B.The policy route is applied to the wrong incoming interface
D.The policy route destination is set to all
AnswerB

If the source interface does not match the incoming interface of the traffic, the policy route will not apply.

Why this answer

Policy routes are evaluated based on the incoming interface of the traffic. If the policy route is applied to the wrong incoming interface, traffic from the specified subnet arriving on a different interface will not match the policy and will instead follow the default route. This is a common misconfiguration where the administrator assumes the policy applies globally rather than per-interface.

Exam trap

The trap here is that candidates often assume policy routes apply globally to all traffic matching the source/destination, forgetting that FortiGate requires the incoming interface to be explicitly specified for policy routes to be evaluated.

How to eliminate wrong answers

Option A is wrong because firewall policies are evaluated after policy routing in FortiGate's processing order; if policy routing matches, the traffic is forwarded to the policy route's next-hop before any firewall policy is checked, so a deny firewall policy would not cause the traffic to use the default route. Option C is wrong because a higher administrative distance makes a route less preferred, so if the default route had a higher administrative distance, it would be less likely to be used, not more; the issue is that the policy route is not being matched at all. Option D is wrong because setting the policy route destination to 'all' would match all destinations, which would actually increase the likelihood of the policy route being applied, not cause it to be ignored; the problem is the interface mismatch, not the destination setting.

134
MCQmedium

A FortiGate is operating in transparent mode. The administrator needs to configure a new VLAN interface for segmenting traffic. Which statement about VLAN interfaces in transparent mode is correct?

A.VLAN interfaces require IP addresses and act as routed interfaces in transparent mode.
B.VLAN interfaces can be created on physical interfaces and are layer-2 only, requiring no IP addresses for traffic forwarding.
C.VLAN interfaces can only be created on physical interfaces, and each VLAN requires a separate IP address in the management VDOM.
D.VLAN interfaces are not supported in transparent mode; the administrator must switch to NAT/Route mode.
AnswerB

Why this answer

In transparent mode, FortiGate acts as a layer-2 bridge, forwarding traffic based on MAC addresses. VLAN interfaces can be created on physical interfaces to segment traffic at layer 2, and they do not require IP addresses for forwarding; IP addresses are only needed for management access if desired.

Exam trap

The trap here is that candidates often assume VLAN interfaces always require IP addresses for operation, confusing transparent mode's layer-2 behavior with NAT/Route mode's layer-3 routing requirements.

How to eliminate wrong answers

Option A is wrong because VLAN interfaces in transparent mode are layer-2 only and do not require IP addresses for traffic forwarding; they are not routed interfaces. Option C is wrong because VLAN interfaces do not require a separate IP address in the management VDOM; IP addresses are optional and only for management. Option D is wrong because VLAN interfaces are fully supported in transparent mode; the administrator does not need to switch to NAT/Route mode.

135
MCQ · easy

An administrator wants to upgrade the FortiOS firmware on a FortiGate. Which step is critical before starting the upgrade process?

A.Reboot the FortiGate.
B.Clear all sessions.
C.Back up the configuration file.
D.Disable all firewall policies.
Answer: C

Why this answer

Backing up the configuration file is critical before upgrading FortiOS because the upgrade process may fail or corrupt the configuration, and a backup ensures you can restore the FortiGate to its previous operational state. Without a valid backup, a failed upgrade could result in a complete loss of configuration, requiring manual reconfiguration or a factory reset. Fortinet recommends always backing up the configuration before any firmware upgrade to mitigate risks.

Exam trap

The trap here is that candidates may confuse operational steps (like clearing sessions or disabling policies) with the critical prerequisite of configuration backup, assuming the upgrade process will automatically preserve settings without risk.

How to eliminate wrong answers

Option A is wrong because rebooting the FortiGate before an upgrade is unnecessary and may disrupt current operations; the upgrade process itself handles rebooting as needed. Option B is wrong because clearing all sessions is not a prerequisite for upgrading; the FortiGate will terminate sessions during the reboot phase of the upgrade automatically. Option D is wrong because disabling all firewall policies is not required; the upgrade process preserves policy configurations, and disabling them could cause unintended traffic disruptions if the upgrade fails or is rolled back.

136
Multi-Select · hard

A FortiGate administrator needs to configure a VLAN interface and an aggregate interface. Which THREE statements are correct regarding these interface types?

Select 3 answers
A.Aggregate interfaces require at least one physical member to be up.
B.Aggregate interfaces are only supported in NAT/Route mode.
C.VLAN interfaces cannot be used in transparent mode.
D.VLAN interfaces can be created on aggregate interfaces.
E.VLAN interfaces can have their own IP address and firewall policies.
Answers: A, D, E

Why this answer

Option A is correct because an aggregate interface (LAG) requires at least one physical member port to be administratively and operationally up for the aggregate itself to be considered up. If all member ports are down, the aggregate interface goes down, which is the fundamental behaviour of link aggregation groups under IEEE 802.3ad (now 802.1AX). Option D is correct because 802.1Q VLAN subinterfaces can be created on an aggregate interface just as on a physical interface, which is the usual way to trunk several VLANs over one LAG. Option E is correct because in NAT/Route mode each VLAN interface is a distinct logical interface with its own IP address, and it can be used as the source or destination interface in firewall policies like any other interface.

Exam trap

The trap here is that candidates often confuse the mode restrictions for VLANs and aggregates, incorrectly assuming VLANs cannot be used in Transparent mode or that aggregates are limited to NAT/Route mode, when in fact both interface types have broader support.

137
Multi-Select · medium

A FortiGate admin needs to create a loopback interface for management purposes. Which two statements about loopback interfaces are correct? (Choose two.)

Select 2 answers
A.Loopback interfaces are always up and do not depend on physical links
B.Loopback interfaces can be used to terminate IPSec VPN tunnels
C.Loopback interfaces cannot be assigned an IP address
D.Loopback interfaces are only used for routing protocols
E.Loopback interfaces require a physical port to be up
Answers: A, B

Correct; they are always logically up.

Why this answer

Option A is correct because loopback interfaces are virtual interfaces that are always in an up/up state as long as the FortiGate is operational. They do not depend on any physical link or carrier status, making them ideal for management access and stable routing protocol peering.

Exam trap

The trap here is that candidates often assume loopback interfaces are only for routing protocols or that they cannot have an IP address, but FortiGate loopback interfaces fully support IP addressing and are used for multiple purposes including management and VPN termination.

138
MCQ · medium

A FortiGate is configured with two equal-cost static routes to the same destination network (0.0.0.0/0) via two different ISPs. The administrator wants to use both links simultaneously for load balancing. What must be enabled?

A.ECMP (Equal Cost Multi-Path) routing
B.SD-WAN
C.Link load balancing
D.Policy routing
Answer: A

ECMP allows the FortiGate to distribute traffic across multiple paths with equal cost.

Why this answer

Equal Cost Multi-Path (ECMP) routing is the feature that lets a FortiGate load-balance traffic across multiple static routes to the same destination (here 0.0.0.0/0). Two static routes are treated as equal-cost only when both their distance and their priority match; if either differs, only the preferred route carries traffic. With equal-cost routes in place, FortiGate distributes new sessions across both ISP links according to the configured ECMP algorithm (source-IP based by default; source-destination-IP, weighted and usage-based modes are also available), so both links are used without any dynamic routing protocol.

Exam trap

The trap here is that candidates confuse ECMP with SD-WAN, assuming SD-WAN is mandatory for any multi-WAN load balancing, when in fact ECMP alone suffices for equal-cost static routes without application-aware steering or link health monitoring.

How to eliminate wrong answers

Option B (SD-WAN) is wrong because SD-WAN is a broader solution for intelligent path control, application steering, and link quality monitoring, but it is not required solely for basic load balancing across equal-cost static routes—ECMP handles that natively. Option C (Link load balancing) is wrong because it is not a specific FortiGate feature; the term is generic and often refers to external hardware or SD-WAN, whereas ECMP is the precise mechanism for equal-cost route load sharing. Option D (Policy routing) is wrong because policy routing (PBR) overrides the routing table based on user-defined policies (e.g., source IP, protocol), which is used for selective traffic steering, not for automatically load-balancing all traffic across equal-cost static routes.

139
Multi-Select · medium

An administrator is planning a firmware upgrade from FortiOS 6.0 to 7.2. Which THREE steps should be performed before starting the upgrade process?

Select 3 answers
A.Read the release notes for the target firmware version
B.Remove all static routes to avoid routing issues
C.Verify the upgrade path and ensure intermediate versions are used if needed
D.Perform a full configuration backup
E.Disable all antivirus and IPS sensors
Answers: A, C, D

Release notes contain important upgrade instructions and known issues.

Why this answer

Reading the release notes for the target firmware version (FortiOS 7.2) is essential because they document critical upgrade-specific information, such as deprecated features, changed default behaviors, known issues, and hardware compatibility requirements. Skipping this step can lead to unexpected service disruptions or feature loss after the upgrade, as the release notes often include mandatory pre-upgrade actions like disabling certain features or adjusting configurations.

Exam trap

The trap here is that candidates may think disabling security features (Option E) is a safe precaution, but Fortinet explicitly advises against disabling security profiles unless a specific release note entry warns of a conflict, making it a distractor that wastes time and reduces security posture.

140
Multi-Select · hard

Which THREE configuration steps are required to enable transparent proxy mode on a FortiGate?

Select 3 answers
A.Create a firewall policy with explicit proxy enabled
B.Enable web proxy globally under config system settings
C.Disable NAT on the firewall policy
D.Configure a software switch or 802.1Q VLAN trunk to bridge the interfaces
E.Assign an IP address to the proxy interface
Answers: A, C, D

Explicit proxy policies define traffic to be proxied.

Why this answer

Option A is correct because in transparent proxy mode, the FortiGate must intercept web traffic without clients being explicitly configured to use a proxy. Enabling explicit proxy in the firewall policy allows the FortiGate to apply proxy-based security features (like web filtering and antivirus) to traffic that matches the policy, even though the clients are unaware of the proxy. This is a key step to activate transparent proxy inspection on the specified traffic.

Exam trap

The trap here is that candidates often confuse transparent proxy mode with explicit proxy mode, mistakenly thinking that global web proxy settings or proxy interface IPs are required, when in fact transparent mode relies on bridging and policy-level explicit proxy flags without client-side configuration.

141
Multi-Select · medium

An administrator wants to allow only HTTPS and SSH administrative access to the FortiGate from a specific management subnet 192.168.100.0/24. Which TWO steps must be taken on the FortiGate?

Select 2 answers
A.Set the trusted host(s) on the administrator account to 192.168.100.0/24
B.Create a local-in policy to allow traffic from 192.168.100.0/24
C.Enable HTTPS and SSH globally under system global
D.Configure a firewall policy to permit HTTPS and SSH from the management subnet to the FortiGate
E.On the interface, set allowaccess to https and ssh
Answers: A, E

This restricts which IPs can access the FortiGate via those protocols.

Why this answer

Option A is correct because setting trusted hosts on an administrator account restricts that account's logins to sources in the specified subnet (192.168.100.0/24). Option E is correct because the interface's allowaccess list decides which administrative services the FortiGate listens for on that interface; restricting it to https and ssh removes HTTP, Telnet, SNMP and the rest from the listener. The two work together: trusted hosts limit the source, allowaccess limits the protocol and interface. Trusted hosts must be set on every administrator account; any account left at the default 0.0.0.0/0 still accepts logins from anywhere.

Exam trap

The trap here is that candidates often confuse firewall policies (which control forwarded traffic) with local-in policies or interface allowaccess settings (which control traffic destined to the FortiGate itself), leading them to incorrectly select option D.
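The configuration behind options A and E, with the optional local-in policy from option B as defence in depth. This is an added example and not part of the original question set; the interface name port2, the address object name MGMT_SUBNET and the single "admin" account are assumptions.

```fortios
# Added example (not from the exam page). "port2" is the assumed
# management-facing interface; the address object name is an assumption.

# Step 1 (option E): only HTTPS and SSH listen on the management interface.
# allowaccess is a complete list, so anything not named here is removed.
# Internet-facing interfaces should carry no administrative services at all.
config system interface
    edit "port2"
        set allowaccess https ssh
    next
    edit "wan1"
        unset allowaccess
    next
end

# Step 2 (option A): trusted hosts on the account. Repeat for EVERY admin
# account: one account left at the default 0.0.0.0/0 still accepts logins
# from anywhere.
config system admin
    edit "admin"
        set trusthost1 192.168.100.0 255.255.255.0
    next
end

# Optional defence in depth (option B, not required by the question): a
# local-in policy drops HTTPS/SSH to the FortiGate from any other source
# before the login service ever sees the connection. If admin-sport has been
# changed from 443, replace "HTTPS" with a custom service on that port.
config firewall address
    edit "MGMT_SUBNET"
        set subnet 192.168.100.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "MGMT_SUBNET"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

Apply the trusthost change from a session that already originates in 192.168.100.0/24; the restriction takes effect immediately and a session from elsewhere cannot reconnect.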

142
MCQ · hard

An administrator attempts to configure a policy route to route specific traffic from an internal subnet (10.1.1.0/24) to the internet via a different ISP. The policy route is created but traffic is still using the default route. What is the most likely cause?

A.The outgoing interface in the policy route is down.
B.The policy route is not using the correct source interface.
C.The destination address in the policy route is incorrect.
D.The static default route has a lower administrative distance than the policy route.
Answer: A

If the interface is down, the policy route is invalid.

Why this answer

Policy routes in FortiGate are consulted before the routing table, but a matching policy route is only used when its outgoing interface is up and the routing table holds an active route to the destination through that interface. If the outgoing interface is down, the policy route is skipped and the packet falls back to normal routing, here the default route. That fits the symptom exactly: the policy route exists, yet traffic still takes the default route.

Exam trap

The trap here is that candidates often assume policy routes always override static routes, but they forget that FortiGate requires the outgoing interface to be up for the policy route to be active, leading them to incorrectly select administrative distance or source interface issues.

How to eliminate wrong answers

Option B is wrong because the source interface in a policy route is optional; if omitted, the policy matches based on source IP alone, so an incorrect source interface would not cause the policy to be ignored entirely. Option C is wrong because an incorrect destination address would cause the policy to not match the traffic, but the question states the policy route was created and traffic is still using the default route, implying the policy exists but is not being applied. Option D is wrong because policy routes have a higher precedence than static routes regardless of administrative distance; administrative distance only applies to static route selection, not to policy route enforcement.

143
Multi-Select · easy

An administrator needs to configure DNS on a FortiGate so that internal hosts can resolve external domain names. Which two settings are required? (Choose two.)

Select 2 answers
A.Configure DNS servers under System > DNS.
B.Create a firewall policy allowing DNS traffic from internal to external.
C.Enable DNS proxy on the FortiGate.
D.Set the FortiGate's hostname to the domain name.
E.Configure a static route for DNS servers.
Answers: A, C

DNS server addresses must be specified for the FortiGate to perform resolution.

Why this answer

Option A is correct because configuring DNS servers under System > DNS tells the FortiGate which upstream resolvers (for example 8.8.8.8) it uses for its own lookups and for the queries it forwards. Option C is correct because the "DNS proxy" is the DNS service enabled on the internal-facing interface (System > Network > DNS Servers, mode recursive or forward-only); with it, the FortiGate accepts queries from internal clients that use it as their DNS server, answers from cache, and forwards misses to the configured servers. Enable that service only on internal interfaces: a recursive DNS service on the WAN interface is an open resolver.

Exam trap

The trap here is that candidates often think a firewall policy is required. When internal hosts use the FortiGate as their DNS server, their queries are addressed to the FortiGate itself and are handled by the DNS service, not forwarded, so no firewall policy applies. A policy is only needed when hosts query external resolvers directly through the FortiGate.
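The two settings as they appear in the CLI, together with the interface on which the DNS service must not be enabled. This is an added example rather than configuration from the original question; the interface name port2 and the resolver addresses in 192.0.2.0/24 are placeholders.

```fortios
# Added example (not from the exam page). Interface names and resolver
# addresses are placeholders.

# Option A: resolvers the FortiGate uses itself and forwards to
# (System > DNS in the GUI).
config system dns
    set primary 192.0.2.53
    set secondary 192.0.2.54
end

# Option C: the "DNS proxy" is a DNS service on the interface the clients
# point at. recursive = answer from cache or forward to the servers above.
config system dns-server
    edit "port2"
        set mode recursive
    next
end

# Do NOT add an entry for wan1: a recursive DNS service on an internet-facing
# interface is an open resolver that can be abused for reflection attacks.
# Clients on port2 need no forwarding firewall policy for this path, because
# their queries terminate on the FortiGate itself.
```

If clients must keep using an external resolver directly, the interface entry above is unnecessary and a firewall policy permitting DNS (UDP/TCP 53) from the internal interface to the WAN is what carries their queries instead.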

144
MCQ · hard

A FortiGate in an HA active-passive cluster is experiencing frequent failovers. The administrator checks the HA statistics and sees that the primary unit's heartbeat interface has a high error rate. What is the most likely cause?

A.The heartbeat cable is faulty or the interface has a duplex mismatch
B.The heartbeat interface is configured as a single link without redundancy
C.The failover threshold is set too low
D.The HA configuration has mismatched passwords
Answer: A

High error rate suggests physical layer problems, causing heartbeat loss and failovers.

Why this answer

Option A is correct because a high error rate on the heartbeat interface indicates physical-layer issues such as a faulty cable or duplex mismatch. In an HA active-passive cluster, the heartbeat link must be reliable and low-latency; errors cause packet loss, leading the primary unit to appear unresponsive and triggering a failover to the secondary unit.

Exam trap

The trap here is that candidates often attribute frequent failovers to configuration mismatches (like passwords) or threshold settings, overlooking the physical-layer cause indicated by the high error rate on the heartbeat interface.

How to eliminate wrong answers

Option B is wrong because while a single heartbeat link without redundancy increases risk, it does not directly cause a high error rate on the interface; the error rate is a physical-layer symptom. Option C is wrong because a low failover threshold would cause failovers based on monitored metrics (e.g., link status or ping response), not a high error rate on the heartbeat interface itself. Option D is wrong because mismatched HA passwords prevent the cluster from forming or synchronizing, but they do not cause interface-level errors; the heartbeat link would still show no errors if the cable and duplex settings are correct.
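The remediation for the error-rate symptom and the checks that confirm it, as an added example that is not part of the original question: fixing speed/duplex on the heartbeat port, adding a second heartbeat interface so one bad cable cannot cause failover, and the diagnostics that show interface errors and cluster state. The interface names ha1 and ha2, the group name and the password placeholder are assumptions.

```fortios
# Added example (not from the exam page). Interface names, group name and
# the password placeholder are assumptions.

# Address the cause: pin speed/duplex on the heartbeat port (and on the
# peer's port) so a failed auto-negotiation cannot leave one side half-duplex.
config system interface
    edit "ha1"
        set speed 1000full
    next
end

# Two heartbeat interfaces with priorities; the cluster keeps exchanging
# heartbeats over ha2 if ha1 degrades. hb-interval is in 100 ms units, so
# 2 x 6 lost heartbeats = 1.2 s before a peer is declared gone.
config system ha
    set group-name "fw-cluster"
    set mode a-p
    set password "<shared-secret>"
    set hbdev "ha1" 50 "ha2" 100
    set hb-interval 2
    set hb-lost-threshold 6
end

# Checks, run on each unit:
# diagnose hardware deviceinfo nic ha1    -- RX/TX errors, CRC errors, negotiated speed/duplex
# get system ha status                    -- role, uptime, heartbeat state per hbdev
# diagnose sys ha checksum cluster        -- confirms both units hold the same configuration
```

A rising error counter on ha1 after the speed setting is applied means the cable or the peer port, not negotiation, is the problem; a clean counter with failovers continuing points back at thresholds or monitored interfaces.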

145
MCQ · hard

A FortiGate administrator is troubleshooting a problem where users cannot access the Internet. The FortiGate has a default route pointing to the ISP gateway. The administrator runs 'execute ping 8.8.8.8' from the FortiGate CLI and it succeeds. However, internal users behind NAT are unable to reach external servers. Which is the most likely cause?

A.The default route is incorrectly configured
B.An implicit deny policy is blocking traffic from internal to external
C.No NAT policy is configured for internal users
D.External access profile is set to read-only
Answer: C

Without NAT, internal source IPs are not translated, so return traffic may be dropped.

Why this answer

The administrator confirmed that the FortiGate itself can reach the Internet (the ping to 8.8.8.8 succeeds), so the default route and upstream connectivity are fine. Internal users still fail, which points at how their traffic, not the FortiGate's own, is handled. The most likely cause is the absence of a firewall policy from the internal interface to the WAN interface with NAT enabled: without source NAT, packets leave with private (RFC 1918) source addresses, which the ISP either filters or cannot route replies to, so the sessions never complete.

Exam trap

The trap here is that candidates assume a successful ping from the FortiGate CLI proves end-to-end connectivity for all users, but they overlook that NAT translation is required for internal private IPs to reach the Internet.

How to eliminate wrong answers

Option A is wrong because 'execute ping 8.8.8.8' succeeded from the FortiGate itself, which proves the default route and gateway work. Option B is wrong as stated: the implicit deny policy is always present at the bottom of the policy list and only drops traffic that matches no explicit policy, so it is not a misconfiguration to remove; the fix is adding a permitting policy with NAT, which is what option C describes. Note that the FortiGate's own ping is self-originated traffic and is never subject to firewall policies, so its success says nothing about whether user traffic is permitted. Option D is wrong because an access profile controls what an administrator can view or change in the GUI and CLI; it has no effect on NAT or traffic forwarding.

146
MCQ · easy

A FortiGate administrator is setting up a new FortiGate in a network that requires the firewall to bridge traffic between two subnets without routing. Which operating mode should the administrator select?

A.Transparent mode
B.NAT/Route mode
C.HA mode
D.VLAN mode
Answer: A

Transparent mode operates at Layer 2, bridging traffic between interfaces.

Why this answer

Transparent mode makes the FortiGate a Layer 2 bridge: it forwards frames between its interfaces based on MAC addresses and never routes or translates addresses, so the IP topology of the connected devices is unchanged. Firewall policies and security profiles still apply to the bridged traffic, so the FortiGate works as an inspecting 'bump in the wire' that can be inserted into an existing network without re-addressing anything.

Exam trap

The trap here is that candidates often confuse transparent mode with VLAN mode, thinking VLANs are a separate operating mode, or they assume NAT/Route mode can bridge traffic by disabling NAT, but it still performs routing at Layer 3.

How to eliminate wrong answers

Option B (NAT/Route mode) is wrong because it operates at Layer 3, performing routing and NAT, which changes the IP topology and is not suitable for bridging traffic without routing. Option C (HA mode) is wrong because it is a high-availability configuration for redundancy, not an operating mode for traffic forwarding; it can be used in either transparent or NAT/Route mode. Option D (VLAN mode) is wrong because it is not a standard operating mode on FortiGate; VLANs are configured as interfaces within transparent or NAT/Route mode, not as a separate mode.

147
MCQ · easy

What is the purpose of configuring an aggregate interface on a FortiGate?

A.To enable VLAN tagging on a physical interface
B.To combine multiple physical interfaces into one logical interface for increased throughput and redundancy
C.To separate management traffic from data traffic
D.To connect two different network segments with a firewall in between
Answer: B

This is the definition of link aggregation.

Why this answer

An aggregate interface (also known as a Link Aggregation Group or LAG) combines multiple physical FortiGate interfaces into a single logical interface. This increases throughput by load-balancing traffic across the member links and provides redundancy: if one physical link fails, traffic continues over the remaining links. FortiGate supports both static aggregation and LACP (IEEE 802.3ad) for dynamic negotiation.

Exam trap

The trap here is that candidates confuse link aggregation with VLAN trunking or interface redundancy protocols like VRRP, but aggregate interfaces specifically combine bandwidth and provide link-level redundancy, not IP-level failover or VLAN separation.

How to eliminate wrong answers

Option A is wrong because VLAN tagging is configured on a physical or aggregate interface via subinterfaces, not by creating an aggregate interface itself. Option C is wrong because separating management traffic from data traffic is achieved through dedicated management interfaces, administrative access controls, or VDOMs, not by link aggregation. Option D is wrong because connecting two different network segments with a firewall in between describes the fundamental role of a firewall (routing/security), not the purpose of an aggregate interface.

148
MCQ · medium

An admin configures two static routes to the same destination with different distances. The route with distance 10 points to ISP1, and the route with distance 20 points to ISP2. The admin wants to use ISP2 only if ISP1 fails. What is the expected behavior?

A.Traffic will load-balance between ISP1 and ISP2
B.Traffic will use ISP1 until its route is removed, then use ISP2
C.The route with distance 20 will be ignored entirely
D.Both routes will be active simultaneously, and the FortiGate will choose based on source IP
Answer: B

The lower distance route is preferred; higher distance becomes backup.

Why this answer

When two static routes to the same destination have different administrative distances, only the route with the lower distance (10, via ISP1) is installed in the routing table. The distance-20 route via ISP2 is kept in the routing database as an inactive candidate and is installed automatically as soon as the ISP1 route is withdrawn. That withdrawal happens when wan1 loses link; an upstream ISP failure with the link still up does not remove the route by itself, so in practice a link monitor that removes the route on failed probes is configured alongside the distances.

This behavior is fundamental to how FortiGate (and most routers) handle static routes with unequal distances.

Exam trap

The trap here is that candidates often think both routes are active and load-balancing occurs, but FortiGate only uses the route with the lowest administrative distance unless equal-cost load balancing is explicitly configured.

How to eliminate wrong answers

Option A is wrong because load-balancing requires equal-cost routes (same distance and priority); with distances of 10 and 20 only the best route carries traffic. Option C is wrong because the distance-20 route is not ignored; it stays in the routing database as a backup and is installed when the primary route is withdrawn. Option D is wrong because both routes are not active at the same time; only the lower-distance route is active, and the source IP plays no part in static route selection.
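One configuration that ties together the three routing questions above (138, 142 and 148): primary/backup default routes by distance with a link monitor so the backup actually takes over on an upstream outage, the equal-cost variant that gives ECMP, and the policy route whose behaviour depends on which of those routes is active. This is an added example and not from the original question set; the interface names wan1, wan2 and port2, the gateway addresses in 203.0.113.0/24 and 198.51.100.0/24, and the probe target 192.0.2.53 are placeholders.

```fortios
# Added example (not from the exam page). Interface names, gateways and the
# monitor target are placeholders.

# Q148: primary/backup defaults by distance. Only the distance-10 route is
# installed; the distance-20 route sits in the routing database until the
# wan1 route disappears.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
end

# The wan1 route is withdrawn only when wan1 loses link. To fail over on an
# upstream outage while the link stays up, probe a host beyond the ISP and
# let the monitor remove wan1's static routes after 5 failed probes.
config system link-monitor
    edit "isp1-check"
        set srcintf "wan1"
        set server "192.0.2.53"
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# Q142: policy route sending 10.1.1.0/24 out wan2. It is applied only while
# wan2 is up AND the active routing table holds a route to the destination
# via wan2. With the distance-20 backup above, wan2 has no active default
# route, so this policy route is skipped and traffic takes the default.
config router policy
    edit 1
        set input-device "port2"
        set src "10.1.1.0/255.255.255.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end

# Q138, variant A (ECMP): equal distance and equal priority puts both routes
# in the routing table and spreads sessions across both ISPs.
config router static
    edit 2
        set distance 10
    next
end

# Variant B (active backup): equal distance but a higher priority on wan2
# keeps wan1 preferred for ordinary traffic while wan2's default stays active,
# which is what the policy route above needs in order to work.
config router static
    edit 2
        set distance 10
        set priority 10
    next
end

# Checks:
# get router info routing-table all        -- active routes only
# get router info routing-table database   -- includes inactive backups
# diagnose firewall proute list            -- policy routes and hit counts
# diagnose sys link-monitor status         -- probe results per monitor
```

Pick one of the two variants for edit 2; they are alternatives, not a sequence. The probe target should be a host the ISP cannot answer for locally (not the gateway itself), otherwise a failure further upstream goes undetected.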

149
MCQ · medium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A.The web server's certificate is self-signed and FortiGate is rejecting the connection
B.The FortiGuard antivirus subscription has expired
C.The antivirus profile is configured for flow-based inspection instead of proxy-based
D.SSL/TLS deep inspection is not enabled on the firewall policy
Answer: D

HTTPS traffic is encrypted, so the antivirus engine sees only TLS records it cannot parse unless the policy carries an SSL/SSH inspection profile that performs deep inspection; a certificate-inspection profile only examines the handshake and leaves the payload encrypted.

Why this answer

Option D is correct because HTTPS uses TLS. Without a deep-inspection SSL/SSH inspection profile on the policy, the FortiGate cannot decrypt the session, and the antivirus profile only scans cleartext traffic or traffic that deep inspection has decrypted first. Deep inspection also requires the FortiGate's CA certificate to be trusted by the clients, otherwise they receive certificate warnings for every re-signed site.

150
MCQ · hard

Refer to the exhibit. An administrator wants to enable SNMP access on the wan1 interface. Which of the following is the most efficient method?

A.Execute 'config system interface' and edit wan1, then set allowaccess ping https ssh snmp.
B.Change the interface type to 'management' to allow SNMP.
C.Execute 'config system interface' and edit wan1, then set snmp-index 1.
D.Configure an SNMP community under 'config system snmp community'.
Answer: A

Adding 'snmp' to allowaccess enables SNMP on that interface.

Why this answer

Option A is correct because the 'allowaccess' parameter under 'config system interface' lists the administrative services (ping, https, ssh, snmp and others) the FortiGate listens for on that interface. Adding 'snmp' to wan1's list enables the SNMP agent there without changing the interface's role or type. Two cautions: allowaccess is set as a complete list, so every service that must remain has to be re-stated, and wan1 is usually internet-facing, so the community's host list (or a local-in policy) must limit who can query UDP/161.

Exam trap

The trap here is that candidates often confuse configuring an SNMP community (which defines who can query) with enabling SNMP access on an interface (which allows the SNMP agent to listen on that interface); both are required, but the question asks for the most efficient method to enable SNMP access on wan1, which is setting 'allowaccess snmp' on that interface.

How to eliminate wrong answers

Option B is wrong because changing the interface type to 'management' is not required; the 'management' type is used for dedicated management interfaces (e.g., FortiGate models with a separate MGMT port) and does not apply to a standard data interface like wan1. Option C is wrong because 'snmp-index' is used to assign an OID index for SNMP monitoring of the interface, not to enable SNMP access on the interface. Option D is wrong because configuring an SNMP community defines the community strings and hosts allowed to query the FortiGate, but it does not enable SNMP access on a specific interface; the interface-level 'allowaccess' must still be set.
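The two halves the exam trap describes, together in the CLI: the interface-level allowaccess from option A and the community definition from option D with a restricted host list, plus the settings that stop SNMPv1 from answering. This is an added example and not configuration from the original question; the community name "monitoring" and the manager address 192.168.100.10 are assumptions.

```fortios
# Added example (not from the exam page). Community name, manager address
# and the existing allowaccess services on wan1 are assumptions.

# Option A: let the SNMP agent listen on wan1. The list is complete, so the
# services already allowed there are repeated; if https and ssh were not on
# wan1 before, do not add them now.
config system interface
    edit "wan1"
        set allowaccess ping https ssh snmp
    next
end

# wan1 is internet-facing, so UDP/161 is now reachable from anywhere that
# routes to it. The host list on the community is what narrows who may query;
# host-type query also stops this entry from being used as a trap receiver.
config system snmp sysinfo
    set status enable
end
config system snmp community
    edit 1
        set name "monitoring"
        config hosts
            edit 1
                set ip 192.168.100.10 255.255.255.255
                set host-type query
            next
        end
        set query-v1-status disable
        set query-v2c-status enable
        set trap-v1-status disable
        set trap-v2c-status enable
    next
end

# The community name still travels in cleartext with v2c. Where the manager
# supports it, define an SNMPv3 user under "config system snmp user" with
# auth-priv instead and leave query-v2c-status disabled.
```

Check the result with 'get system snmp community' on the FortiGate and a single GET from the monitoring host; a GET from any other address should time out rather than return a value, which confirms the host list is in effect.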
