CCNA Nse4 System Network Questions

50 of 200 questions · Page 3/3 · Nse4 System Network topic · Answers revealed

151 · MCQ · hard

Refer to the exhibit. The FortiGate has two default routes. The administrator attempts to ping 8.8.8.8 from the CLI and receives no response. What is the most likely reason?

A. The second route is overwriting the first route
B. Both routes are equal-cost and load-balancing is not working
C. The configuration is invalid because duplicate default routes are not allowed
D. The gateway 203.0.113.1 (port1) is unreachable

Answer: D

The first route is preferred (distance 10), so if its gateway is unreachable, traffic fails.

Why this answer

When a FortiGate has multiple default routes, it uses the route with the lowest distance (administrative distance) as the primary route. If the gateway for the primary route (203.0.113.1 on port1) is unreachable, the FortiGate will not be able to reach 8.8.8.8, even if a secondary default route exists. The ping fails because the device cannot ARP for the gateway or the next-hop is down, causing the route to be inactive.

Exam trap

The trap here is that candidates often assume both default routes are active and load-balanced, but FortiGate uses administrative distance to select a single active route, and if the gateway of that route is unreachable, the route becomes invalid and no traffic is forwarded until the next route is considered.

How to eliminate wrong answers

Option A is wrong because a second default route does not 'overwrite' the first; FortiGate supports multiple default routes and selects the best one based on distance or priority, not by overwriting. Option B is wrong because both routes are not equal-cost (they have different distances, 10 and 20), so load-balancing is not applicable; FortiGate uses the route with the lowest distance. Option C is wrong because duplicate default routes are allowed in FortiGate; they are valid as long as they have different distances or priorities, providing redundancy.

152 · MCQ · easy

Which of the following FortiGate operating modes allows the firewall to act as a Layer 3 device, performing NAT and routing between interfaces?

A. Flow-based inspection mode
B. NAT/Route mode
C. VLAN mode
D. Transparent mode

Answer: B

Correct. NAT/Route mode enables routing and NAT.

Why this answer

NAT/Route mode (option B) is correct because it configures the FortiGate as a Layer 3 device with distinct interfaces in different subnets, enabling it to perform routing (forwarding packets based on routing table entries) and Network Address Translation (NAT) to translate private IP addresses to public IP addresses. This mode is the default and most common operational mode for perimeter firewalls, allowing policy-based routing and NAT rules to be applied between zones.

Exam trap

The trap here is confusing operational modes (NAT/Route vs. Transparent) with inspection modes (Flow-based vs. Proxy-based), leading candidates to incorrectly select Flow-based inspection mode as the answer for Layer 3 routing and NAT capabilities.

How to eliminate wrong answers

Option A is wrong because Flow-based inspection mode is a processing mode (not an operational mode) that inspects packets in a single pass using pattern matching and heuristics, but it does not define the firewall's Layer 3 routing or NAT capabilities. Option C is wrong because VLAN mode is not a standard FortiGate operational mode; VLANs are configured as sub-interfaces within NAT/Route or Transparent modes to segment traffic, but they do not independently enable Layer 3 routing or NAT. Option D is wrong because Transparent mode operates as a Layer 2 bridge (similar to a switch) without IP addresses on its interfaces, meaning it cannot perform NAT or routing between interfaces—it forwards traffic based on MAC addresses.

153 · MCQ · easy

Which CLI command is used to configure NTP on a FortiGate?

A. `config system ntp-server`
B. `config system time`
C. `execute ntp sync`
D. `config system ntp`

Answer: D

This is the correct command to configure NTP settings.

Why this answer

The correct command to configure NTP on a FortiGate is `config system ntp`, which enters the NTP configuration context where you can set the NTP server addresses, authentication, and sync interval. This is the top-level command for NTP settings in the FortiOS CLI, as documented in the FortiGate Administration Guide.

Exam trap

The trap here is that candidates confuse `config system ntp` with `config system ntp-server` (which does not exist) or think `execute ntp sync` is a valid command, when in fact the correct command to force a sync is `execute time ntp`.

How to eliminate wrong answers

Option A is wrong because `config system ntp-server` is not a valid FortiOS command; the correct parent context is `config system ntp`, and individual servers are added under `config system ntp` using `set server`. Option B is wrong because `config system time` is used to manually set the system date and time, not to configure NTP synchronization. Option C is wrong because `execute ntp sync` is not a valid FortiOS command; the correct command to trigger an immediate NTP sync is `execute time ntp`.

154 · MCQ · easy

An administrator is configuring a VLAN interface on a FortiGate. The physical interface is port2 and the VLAN ID is 100. Which of the following correctly creates the VLAN interface?

A. `config system interface` / `edit port2.100` / `set vlanid 100` / `set type vlan` / `next` / `end`
B. `config system interface` / `edit port2` / `set vlanid 100` / `next` / `end`
C. `config system interface` / `edit port2.100` / `set type vlan` / `next` / `end`
D. `config system vlan` / `edit port2.100` / `set vlanid 100` / `next` / `end`

Answer: A

This is the correct CLI syntax to create a VLAN subinterface with ID 100.

Why this answer

Option A is correct because it uses the correct CLI syntax to create a VLAN subinterface on a FortiGate. The command `config system interface` enters the interface configuration context, `edit port2.100` creates or edits the subinterface named with the physical interface and VLAN ID, `set vlanid 100` assigns the VLAN tag, and `set type vlan` explicitly defines the interface type as VLAN. This matches the required configuration for 802.1Q VLAN tagging on FortiGate.

Exam trap

The trap here is that candidates often confuse the FortiGate CLI with Cisco IOS, where `interface port2.100` automatically implies a VLAN subinterface without needing an explicit `set type vlan` or `set vlanid` command, leading them to choose Option C or D.

How to eliminate wrong answers

Option B is wrong because it attempts to set the VLAN ID directly on the physical interface `port2` instead of creating a separate VLAN subinterface; FortiGate does not allow a VLAN ID on a physical interface. Option C is wrong because it creates the subinterface `port2.100` and sets the type to VLAN but omits the `set vlanid 100` command, which is mandatory to specify the 802.1Q tag. Option D is wrong because it uses the invalid command `config system vlan`; FortiGate does not have a `system vlan` configuration context—VLAN interfaces are always configured under `config system interface`.

155 · Drag & Drop · medium

Drag and drop the steps to configure a static route on a FortiGate firewall into the correct order.


Why this order

Static routes on FortiGate are configured in the router static configuration context, requiring a sequence number, destination, device, and gateway.

156 · MCQ · easy

A FortiGate is configured with two WAN interfaces (port1 and port2) connected to different ISPs. The administrator wants to load-balance outbound traffic across both links using equal-cost routes. Which routing configuration should be applied?

A. Configure policy routes to direct traffic based on source IP.
B. Enable BGP to dynamically learn routes from both ISPs.
C. Configure static routes with equal distance and enable ECMP.
D. Configure static routes with different distances (e.g., 10 and 20) to the same destination.

Answer: C

Why this answer

Option C is correct because ECMP (Equal-Cost Multi-Path) routing allows a FortiGate to load-balance outbound traffic across multiple interfaces when static routes have the same distance (administrative distance) and destination. By configuring two static routes with equal distance (e.g., 10) to 0.0.0.0/0 via port1 and port2, the FortiGate automatically distributes sessions across both links using a hash-based algorithm (e.g., source-destination IP), achieving the desired load balancing without dynamic routing protocols.

Exam trap

The trap here is that candidates confuse 'different distances' (which creates failover) with 'equal distances' (which enables load balancing), often selecting option D because they think varying metrics distributes traffic, but in reality, only equal administrative distances trigger ECMP load sharing.

How to eliminate wrong answers

Option A is wrong because policy routes are used for policy-based routing (PBR) based on criteria like source IP, not for simple load balancing across equal-cost links; they override the routing table and do not inherently provide ECMP load sharing. Option B is wrong because BGP is a dynamic routing protocol that can learn routes from ISPs, but it requires ISP cooperation and is unnecessary for simple outbound load balancing; ECMP with static routes is simpler and sufficient. Option D is wrong because configuring static routes with different distances (e.g., 10 and 20) creates a primary/backup (failover) scenario, not load balancing; the route with the lower distance is always preferred, and traffic never uses the higher-distance route unless the primary fails.
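The route selection rules that the explanations for Q151 (lowest administrative distance wins; an unreachable gateway leaves the preferred route black-holing traffic) and Q156 (equal distances form an ECMP set that is load-shared per flow) describe, as an added Python model. This is example code written for this page, not code from the question bank or from Fortinet. It goes slightly beyond the two questions by also applying longest-prefix match before comparing distances. The interface-up set, the ARP table, the second ISP gateway 198.51.100.1 and the SHA-256 flow hash are assumptions made for the example; a real FortiGate takes the first two from its data plane and uses its own ECMP hash.

```python
"""Added example: a small model of FortiGate-style route selection (Q151, Q156).

Modelled behaviour:
  * a static route is installed only while its egress interface is up;
  * among installed routes the longest prefix wins, then the lowest
    administrative distance; a higher-distance route is only a standby;
  * routes tying on both are ECMP candidates and a hash of the flow's
    source/destination picks the member (Q156);
  * forwarding then needs the next hop to resolve (ARP); if the chosen
    route's gateway does not answer, the packet is dropped even though a
    standby route exists (Q151).
Interface states, ARP entries and the hash function are constructed here.
"""
from dataclasses import dataclass
from hashlib import sha256
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class StaticRoute:
    dst: str       # destination prefix, "0.0.0.0/0" for a default route
    device: str    # egress interface
    gateway: str   # next-hop address
    distance: int  # administrative distance, lower is preferred


def ecmp_candidates(routes, interfaces_up, dst_ip):
    """Installed routes that tie on longest prefix and lowest distance."""
    installed = [r for r in routes if r.device in interfaces_up]
    matching = [r for r in installed if ip_address(dst_ip) in ip_network(r.dst)]
    if not matching:
        return []
    best_len = max(ip_network(r.dst).prefixlen for r in matching)
    matching = [r for r in matching if ip_network(r.dst).prefixlen == best_len]
    best_dist = min(r.distance for r in matching)
    return [r for r in matching if r.distance == best_dist]


def select_route(routes, interfaces_up, src_ip, dst_ip):
    """Route used for one flow: the single best route, or the ECMP member
    chosen by a stable hash of (src, dst) so a flow always takes one path."""
    cands = sorted(ecmp_candidates(routes, interfaces_up, dst_ip),
                   key=lambda r: (r.device, r.gateway))
    if not cands:
        return None
    digest = sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    return cands[int.from_bytes(digest[:4], "big") % len(cands)]


def forward(routes, interfaces_up, arp_table, src_ip, dst_ip):
    """Return (egress device, result). The routing table does not fall back
    to a standby route merely because the chosen gateway fails ARP."""
    route = select_route(routes, interfaces_up, src_ip, dst_ip)
    if route is None:
        return None, "no route"
    if route.gateway not in arp_table:
        return route.device, "gateway unreachable"
    return route.device, "forwarded"


# Constructed topology: the two default routes of Q151, and the same pair
# with equal distances as the ECMP configuration of Q156.
FAILOVER_ROUTES = [
    StaticRoute("0.0.0.0/0", "port1", "203.0.113.1", 10),
    StaticRoute("0.0.0.0/0", "port2", "198.51.100.1", 20),
]
ECMP_ROUTES = [
    StaticRoute("0.0.0.0/0", "port1", "203.0.113.1", 10),
    StaticRoute("0.0.0.0/0", "port2", "198.51.100.1", 10),
]


def q151_primary_gateway_silent():
    """Both links up, only the standby gateway answers ARP: the distance-10
    route still wins and the ping to 8.8.8.8 is dropped."""
    return forward(FAILOVER_ROUTES, {"port1", "port2"}, {"198.51.100.1"},
                   "192.168.1.10", "8.8.8.8")


def q151_primary_link_down():
    """Only when port1 is down is its route withdrawn and port2 used."""
    return forward(FAILOVER_ROUTES, {"port2"}, {"198.51.100.1"},
                   "192.168.1.10", "8.8.8.8")


def q156_ecmp_spread(n_hosts=256):
    """Spread n constructed internal hosts over the equal-cost pair."""
    counts = {"port1": 0, "port2": 0}
    for i in range(n_hosts):
        dev, _ = forward(ECMP_ROUTES, {"port1", "port2"},
                         {"203.0.113.1", "198.51.100.1"},
                         f"192.168.1.{i}", "8.8.8.8")
        counts[dev] += 1
    return counts


def q156_flow_is_sticky(src_ip="192.168.1.77", dst_ip="8.8.8.8", repeats=50):
    """Every packet of one flow hashes to the same ECMP member."""
    devices = {select_route(ECMP_ROUTES, {"port1", "port2"}, src_ip, dst_ip).device
               for _ in range(repeats)}
    return len(devices) == 1


if __name__ == "__main__":
    print("Q151 gateway silent:", q151_primary_gateway_silent())
    print("Q151 port1 down:", q151_primary_link_down())
    print("Q156 spread:", q156_ecmp_spread())
    print("Q156 sticky:", q156_flow_is_sticky())
```

The split between `select_route` and `forward` is the point of the model: distance decides which route is used, and reachability of that route's gateway decides whether packets actually leave, which is why a standby default route with distance 20 does not rescue the ping in Q151 and why the equal-distance pair in Q156 is needed for load sharing.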

157 · Multi-Select · easy

Which TWO of the following are prerequisites for configuring a high availability (HA) cluster on FortiGate? (Choose two.)

A. An HA heartbeat interface must be a dedicated interface.
B. All interfaces must be configured with static IP addresses.
C. The FortiGate units must be running the same firmware version.
D. The configuration must be identical on both units.
E. The FortiGate units must be the same model.

Answers: C, E

Firmware must match for HA.

Why this answer

Option C is correct because FortiGate HA requires all cluster members to run the same firmware version to ensure configuration compatibility and consistent behavior. Mismatched firmware can lead to synchronization failures or unpredictable failover events, as the HA heartbeat and session synchronization protocols depend on identical code bases.

Exam trap

The trap here is that candidates often assume identical configuration is required before forming the cluster, but FortiGate automatically synchronizes the primary's configuration to the secondary, making pre-existing identical configs unnecessary.

158 · MCQ · hard

After upgrading FortiGate firmware, the administrator notices that the 'config router static' command now shows a new keyword 'distance' instead of 'weight'. The upgrade also changed the ECMP load-balancing behavior. What was the likely change in the ECMP algorithm?

A. The ECMP algorithm changed from source-IP-based to weighted (hash-based)
B. The ECMP algorithm changed from weighted to source-dest-IP
C. The ECMP algorithm is now configurable via 'config system ecmp'
D. The ECMP algorithm changed from source-dest-IP to round-robin

Answer: A

In older versions, ECMP by default used source-IP; newer versions use a hash of src-dst IP/port.

Why this answer

The correct answer is A because the upgrade replaced the 'weight' keyword with 'distance' in static routes, indicating a shift from a weighted ECMP algorithm (where routes with lower weight were preferred) to a hash-based algorithm (using source IP by default). This change aligns with FortiOS moving to a more deterministic ECMP load-balancing method, where the 'distance' parameter now influences route selection but ECMP hashing distributes traffic across equal-cost paths based on packet attributes.

Exam trap

The trap here is that candidates confuse the 'distance' keyword with administrative distance or assume the ECMP algorithm change is configurable via a dedicated 'ecmp' command, when in fact it is set under 'config system settings' and the default changed from weighted to source-IP-based hashing.

How to eliminate wrong answers

Option B is wrong because the change is from weighted to source-IP-based hashing, not from weighted to source-dest-IP; source-dest-IP is a separate hash algorithm that can be configured but is not the default after the upgrade. Option C is wrong because ECMP load-balancing is configured via 'config system settings' with the 'ecmp-algorithm' command, not via 'config system ecmp', which does not exist in FortiOS. Option D is wrong because the algorithm changed from weighted to source-IP-based hashing, not from source-dest-IP to round-robin; round-robin is not a supported ECMP algorithm in FortiOS.

159 · Multi-Select · easy

An administrator wants to integrate FortiGate with FortiAnalyzer for logging. Which TWO steps are necessary?

A. Set the FortiAnalyzer IP under `config system log-fortianalyzer`, `set status enable`, `set server <ip>`.
B. Enable logging to FortiAnalyzer under the log settings.
C. Create a firewall policy allowing traffic from FortiGate to FortiAnalyzer on port 514.
D. Configure SNMP traps to send logs to FortiAnalyzer.
E. Install a FortiAnalyzer license on FortiGate.

Answers: A, B

Why this answer

Option A is correct because the command 'config system log-fortianalyzer set status enable set server <ip>' directly configures FortiGate to send logs to a specific FortiAnalyzer server. Option B is correct because enabling logging to FortiAnalyzer under the log settings activates the log forwarding mechanism, which is a necessary step to ensure logs are actually transmitted after the server IP is configured.

Exam trap

The trap here is that candidates often assume a firewall policy is needed to allow outbound syslog traffic, but FortiGate's own traffic is not subject to its firewall policies unless explicitly restricted, making option C a common distractor.

160 · MCQ · medium

An administrator wants to configure SNMP on a FortiGate to allow a monitoring server 192.168.1.100 to poll read-only information. Which set of commands is correct?

A. `config system snmp sysinfo` / `set status enable` / `set community public` / `set trap-receiver 192.168.1.100` / `end`
B. `config system snmp community` / `edit 1` / `set name public` / `set query enable` / `set query-port 161` / `set hosts 192.168.1.100` / `end`
C. `config system snmp` / `set enable` / `set community public` / `set host 192.168.1.100` / `end`
D. `config system interface` / `edit port1` / `set snmp-index 1` / `set allowaccess snmp` / `end`

Answer: B

Why this answer

Option B is correct because SNMP read-only polling on FortiGate is configured under the `config system snmp community` hierarchy. The `set query enable` command allows SNMP GET requests, `set query-port 161` specifies the standard SNMP port, and `set hosts 192.168.1.100` restricts polling to that specific monitoring server. This matches the requirement for read-only access without configuring traps or enabling SNMP globally via the sysinfo context.

Exam trap

The trap here is that candidates often confuse the `config system snmp sysinfo` context (for system contact/location) with the community configuration context, or mistakenly think SNMP is enabled globally via a simple `set enable` command, when in fact the community must be explicitly created and enabled with `set query enable`.

How to eliminate wrong answers

Option A is wrong because `config system snmp sysinfo` is used to set system contact and location information, not to enable SNMP polling or define communities; `set community public` is invalid in that context, and `set trap-receiver` configures trap destinations, not polling hosts. Option C is wrong because `config system snmp` is not a valid configuration path on FortiGate; SNMP is configured under `config system snmp community` and `config system snmp sysinfo`, and `set enable` and `set community` are not valid commands at that level. Option D is wrong because `config system interface` with `set allowaccess snmp` only enables SNMP access on a specific interface, but it does not configure the SNMP community, query settings, or allowed hosts, which are required for the monitoring server to poll.

161 · Multi-Select · hard

A FortiGate administrator is planning an upgrade from FortiOS 6.4 to 7.2. Which THREE steps should be performed before the upgrade? (Choose three.)

A. Verify hardware compatibility with the target firmware
B. Check the upgrade path and required intermediate versions
C. Back up the current configuration
D. Remove all firewall policies
E. Enable automatic firmware checks

Answers: A, B, C

Some models may not support newer versions.

Why this answer

Verifying hardware compatibility with the target firmware is essential because FortiGate models have specific hardware limitations (e.g., CPU, RAM, storage) that may not support newer FortiOS versions. For example, older models like the FortiGate 100D cannot upgrade beyond FortiOS 6.0, and attempting to install 7.2 could result in a failed boot or bricked device. This step ensures the hardware meets the minimum requirements for the target firmware.

Exam trap

The trap here is that candidates may think removing firewall policies is necessary to avoid compatibility issues during the upgrade, but FortiOS automatically handles policy migration, and deleting them only adds unnecessary risk and downtime.

162 · MCQ · easy

An administrator needs to configure a FortiGate to allow web traffic from the internal network to the Internet. The internal network is 192.168.1.0/24 and the WAN interface is port1 with IP 203.0.113.1. Which firewall policy is correct?

A. Source: internal, Destination: port1, Service: HTTP/HTTPS, Action: ACCEPT
B. Source: port1, Destination: internal, Service: HTTP/HTTPS, Action: ACCEPT
C. Source: external, Destination: internal, Service: HTTP/HTTPS, Action: ACCEPT
D. Source: internal, Destination: port1, Service: ALL, Action: ACCEPT

Answer: A

This policy allows internal users to access web services on the Internet.

Why this answer

Option A is correct because the firewall policy must match traffic originating from the internal network (source: internal) destined for the Internet via the WAN interface (destination: port1), and the service must be restricted to HTTP/HTTPS to allow web traffic only. The action ACCEPT permits the traffic. This aligns with the standard stateful inspection flow where source and destination interfaces are defined based on traffic direction.

Exam trap

The trap here is that candidates often confuse the source and destination interfaces in a policy, thinking the destination should be the internal network instead of the WAN interface for outbound traffic, or they select Service: ALL to avoid missing any protocol, ignoring the requirement for web traffic only.

How to eliminate wrong answers

Option B is wrong because it reverses the source and destination interfaces: traffic from port1 (WAN) to internal would be inbound, not outbound web traffic from internal to the Internet. Option C is wrong because 'external' is not a valid source interface in this context; the source must be the internal network interface, and the destination interface must be port1 for outbound traffic. Option D is wrong because it uses Service: ALL, which would allow all protocols (e.g., SSH, SMTP) instead of restricting to HTTP/HTTPS as required for web traffic only, violating the principle of least privilege.

163 · MCQ · easy

An administrator wants to ensure that traffic to a specific web server always exits through a particular ISP link, regardless of route changes. Which feature should be configured?

A. Equal-cost multi-path (ECMP) routing
B. Policy-based routing (PBR)
C. Static route with higher distance
D. SD-WAN with load balancing

Answer: B

Policy routes allow forwarding decisions based on source/destination, overriding the routing table.

Why this answer

Policy-based routing (PBR) allows you to override the routing table by applying a route map to match traffic (e.g., source/destination IP, port) and explicitly set the next-hop interface or ISP link. This ensures traffic to the specific web server always exits through the designated ISP, regardless of dynamic route changes or the routing table's default behavior.

Exam trap

The trap here is that candidates confuse PBR with static routing or SD-WAN load balancing, thinking that a static route with a higher distance or SD-WAN can force traffic to a specific link, but only PBR provides the granular match-and-set logic to override the routing table for specific traffic flows regardless of route changes.

How to eliminate wrong answers

Option A is wrong because ECMP distributes traffic across multiple equal-cost paths for load balancing, not for pinning traffic to a specific link. Option C is wrong because a static route with a higher distance (administrative distance) acts as a backup route and only takes effect when the primary route is unavailable, not for forcing traffic to a particular link when the primary route is active. Option D is wrong because SD-WAN with load balancing distributes traffic across multiple WAN links based on policies or performance metrics, which does not guarantee that all traffic to a specific web server always uses the same ISP link.

164 · MCQ · hard

A FortiGate is configured with two WAN interfaces in an SD-WAN zone. The administrator wants to ensure voice traffic uses the interface with the lowest latency. Which SD-WAN configuration should be used?

A. Set the strategy to 'Manual'
B. Set the strategy to 'Load Balance'
C. Configure an SD-WAN rule with a performance SLA that monitors latency and set strategy to 'Best Quality'
D. Use policy-based routing with a higher priority for voice traffic

Answer: C

Best Quality selects the best performing interface based on SLA metrics.

Why this answer

Option C is correct because SD-WAN rules with a performance SLA allow the FortiGate to monitor real-time latency on each WAN interface and dynamically route voice traffic to the interface with the lowest latency. The 'Best Quality' strategy selects the best-performing interface based on the SLA metrics, ensuring optimal voice quality.

Exam trap

The trap here is that candidates often confuse policy-based routing (PBR) with SD-WAN rules, not realizing that PBR lacks dynamic SLA-based path selection and cannot automatically adapt to changing network conditions.

How to eliminate wrong answers

Option A is wrong because setting the strategy to 'Manual' requires the administrator to statically assign traffic to a specific interface, which cannot adapt to changing latency conditions. Option B is wrong because 'Load Balance' distributes traffic across interfaces based on load, not latency, and does not guarantee the lowest-latency path for voice traffic. Option D is wrong because policy-based routing (PBR) uses static routing rules that do not dynamically adjust based on real-time latency measurements, unlike SD-WAN rules with performance SLAs.

165 · MCQ · easy

A FortiGate has been configured with two WAN interfaces (wan1, wan2) in an SD-WAN zone. The administrator wants to ensure that traffic for a specific internal server uses only wan1. What is the most appropriate method?

A. Disable wan2 in the SD-WAN zone
B. Use policy routing with a higher priority for wan1
C. Configure a static route with a higher distance for wan2
D. Create an SD-WAN rule to match the server's traffic and set the preferred member to wan1

Answer: D

SD-WAN rules provide application-aware steering and can force specific traffic to use wan1.

Why this answer

Option D is correct because SD-WAN rules allow granular traffic steering based on application, source, or destination. By creating an SD-WAN rule that matches the traffic destined for the internal server and setting the preferred member to wan1, the FortiGate will use SD-WAN's policy-based routing to ensure that traffic egresses exclusively via wan1, while other traffic can still use both WAN interfaces as per other rules.

Exam trap

The trap here is that candidates often confuse policy routing (Option B) with SD-WAN rules, not realizing that SD-WAN rules are the proper mechanism for per-traffic member selection within an SD-WAN zone, and that policy routing operates at a different layer and can override SD-WAN behavior if not carefully managed.

How to eliminate wrong answers

Option A is wrong because disabling wan2 in the SD-WAN zone removes it from all load-balancing and failover, which is overly broad and not a targeted solution for a single server's traffic. Option B is wrong because policy routing (PBR) operates independently of SD-WAN and can create conflicts; SD-WAN rules are the intended method for per-traffic member selection within an SD-WAN zone. Option C is wrong because configuring a static route with a higher distance for wan2 affects all traffic using that route, not just the specific server's traffic, and static routes do not integrate with SD-WAN's application-aware steering.

166 · MCQ · medium

You run the following commands on a FortiGate:

```
diagnose sys session filter dport 443
diagnose sys session list
```

The output shows:

```
proto=6 proto_state=01 duration=3600 expire=3599
```

What does this indicate?

A. The session has been established for 3600 seconds and has 3599 seconds remaining before timeout.
B. The session is using TCP state 01 (SYN_SENT) and is still in the process of establishing.
C. The session has been idle for 3600 seconds and will expire in 3599 seconds.
D. The session is using UDP protocol and will expire in 3599 seconds.

Answer: A

Duration shows seconds since session started, expire shows seconds until timeout.

Why this answer

Option A is correct because the output shows `duration=3600` and `expire=3599`, which indicate the session has been active for 3600 seconds and has 3599 seconds remaining before timeout. The `proto=6` confirms TCP (protocol 6), and `proto_state=01` represents the TCP state for an established connection (ESTABLISHED), not a handshake state.

Exam trap

The trap here is confusing `duration` (time since session creation) with idle time, and misinterpreting `proto_state=01` as a handshake state (SYN_SENT) instead of the correct ESTABLISHED state.

How to eliminate wrong answers

Option B is wrong because `proto_state=01` in FortiGate's session table represents TCP state ESTABLISHED (not SYN_SENT); SYN_SENT would be state 02. Option C is wrong because `duration` measures the total time since the session was created, not idle time; idle time is tracked separately via the `idle` field in the session list. Option D is wrong because `proto=6` explicitly indicates TCP, not UDP (which would be proto=17).
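A parser for the record format that `diagnose sys session list` prints, reading exactly the fields this question turns on (`proto`, `proto_state`, `duration`, `expire`) plus the NAT hook lines, as an added Python example. It is written for this page and is not code from the question bank or from Fortinet. The sample listing embedded in it is constructed to resemble the real output and was not captured from a device; the `PROTO_NAMES` and `TCP_STATES` tables are assumptions in the sense that only the two codes the question cites (01 ESTABLISHED, 02 SYN_SENT) are stated on this page.

```python
"""Added example: parse `diagnose sys session list` records (Q166).

Field meanings as in the explanation above: `proto` is the IP protocol
number, `duration` the seconds since the session was created, `expire` the
seconds left before it times out, and for TCP `proto_state` carries the
connection state (01 ESTABLISHED, 02 SYN_SENT). The SAMPLE text below is
constructed for this example.
"""
import re

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# TCP state codes of the FortiGate session table; the two the question
# bank cites (01 and 02) are included.
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_SYNACK",
              4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
              8: "LAST_ACK", 9: "LISTEN"}

KV_RE = re.compile(r"(\w+)=(\S+)")
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)(?:\((?P<xlate>[\d.]+:\d+)\))?")


def parse_session_list(text):
    """Split the listing into records and return one dict per session."""
    sessions = []
    for block in text.split("session info:")[1:]:
        lines = block.strip().splitlines()
        fields = dict(KV_RE.findall(lines[0]))
        proto = int(fields["proto"])
        rec = {
            "proto": proto,
            "proto_name": PROTO_NAMES.get(proto, "other"),
            "proto_state": fields["proto_state"],
            "duration": int(fields["duration"]),   # seconds since creation
            "expire": int(fields["expire"]),       # seconds until timeout
            "timeout": int(fields.get("timeout", 0)),
            "hooks": [],                           # NAT/forwarding hook lines
        }
        if proto == 6:
            # the TCP state is the numeric value of the two-digit field
            rec["tcp_state"] = TCP_STATES.get(int(fields["proto_state"]), "other")
        for line in lines[1:]:
            m = HOOK_RE.search(line)
            if m:
                rec["hooks"].append(m.groupdict())
        sessions.append(rec)
    return sessions


def describe(rec):
    """One-line reading of a record in the terms the question uses."""
    state = f" {rec['tcp_state']}" if "tcp_state" in rec else ""
    return (f"{rec['proto_name']}{state}: up {rec['duration']}s, "
            f"{rec['expire']}s until timeout")


# Constructed sample in the shape of `diagnose sys session list` output.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 use=3
origin-shaper=
reply-shaper=
state=log may_dirty
hook=post dir=org act=snat 192.168.1.10:51234->8.8.8.8:443(203.0.113.1:51234)
hook=pre dir=reply act=dnat 8.8.8.8:443->203.0.113.1:51234(192.168.1.10:51234)
session info: proto=17 proto_state=01 duration=12 expire=168 timeout=180 flags=00000000 use=3
hook=post dir=org act=snat 192.168.1.20:40000->8.8.8.8:53(203.0.113.1:40000)
hook=pre dir=reply act=dnat 8.8.8.8:53->203.0.113.1:40000(192.168.1.20:40000)
total session 2
"""

if __name__ == "__main__":
    for rec in parse_session_list(SAMPLE):
        print(describe(rec))
```

Reading `duration` and `expire` side by side is what separates options A and C: the first TCP record has been up for 3600 s and, with `timeout=3600`, has nearly its full timer left, so it is an active established session rather than an idle one about to expire.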

167 · MCQ · medium

An administrator configures a FortiGate to use NTP for time synchronization. After configuration, the FortiGate still shows the wrong time. Which command should the administrator run to verify NTP status?

A. `show system ntp`
B. `execute ntp status`
C. `diagnose sys time status`
D. `diagnose sys ntp status`

Answer: D

This command displays NTP synchronization status.

Why this answer

Option D is correct because 'diagnose sys ntp status' is the FortiGate CLI command that provides detailed NTP synchronization status, including whether the FortiGate is synchronized to an NTP server, the stratum level, and the last sync time. This command is specifically designed for troubleshooting NTP issues, unlike the other options which either show configuration or are invalid.

Exam trap

The trap here is that candidates confuse configuration commands (show system ntp) with diagnostic commands, or they assume a generic 'ntp status' command exists, when Fortinet specifically uses 'diagnose sys ntp status' for operational verification.

How to eliminate wrong answers

Option A is wrong because 'show system ntp' displays the NTP configuration (e.g., server addresses, authentication settings), not the operational status or synchronization state. Option B is wrong because 'execute ntp status' is not a valid FortiGate command; the correct execute command for NTP is 'execute ntp sync' to force synchronization. Option C is wrong because 'diagnose sys time status' shows the system time and time source (e.g., NTP, manual), but it does not provide detailed NTP peer status, offset, or jitter information.

168 · MCQ · medium

An administrator configures a FortiGate in transparent mode. Which of the following is correct regarding transparent mode operation?

A. The FortiGate performs NAT between its interfaces.
B. The FortiGate interfaces can be on different subnets.
C. The FortiGate requires a management IP on each interface.
D. The FortiGate is invisible to end devices and does not modify IP addresses.

Answer: D

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses without performing any IP-level modifications. This means it does not perform NAT, and end devices are unaware of its presence, making option D correct.

Exam trap

The trap here is that candidates confuse transparent mode with NAT/Route mode, assuming that all FortiGate modes perform NAT or require IP addresses on each interface, when in fact transparent mode is purely Layer 2 and does not modify IP headers.

How to eliminate wrong answers

Option A is wrong because transparent mode does not perform NAT; NAT is a Layer 3 function used in NAT/Route mode. Option B is wrong because all interfaces in transparent mode must belong to the same subnet to maintain Layer 2 bridging. Option C is wrong because transparent mode requires only a single management IP (typically on the management interface or a dedicated VLAN), not an IP on each interface.

169 · MCQ · medium

A FortiGate is set to NAT/Route mode. The admin wants traffic from internal users to the internet to use an IP address on the WAN interface for source NAT. Which configuration is required?

A. Set the FortiGate to transparent mode
B. Configure a policy route to force traffic through a specific interface
C. Configure a virtual IP mapping internal IPs to the WAN IP
D. Enable NAT on the policy from internal to WAN and set the outgoing interface to the WAN interface

Answer: D

This performs source NAT to the WAN IP.

Why this answer

In NAT/Route mode, source NAT (SNAT) is configured by enabling NAT on the firewall policy that governs traffic from the internal network to the WAN interface. When NAT is enabled on the policy and the outgoing interface is set to the WAN interface, FortiGate automatically translates the source IP of internal users to the primary IP address of that WAN interface (or a configured IP pool). This is the standard method for allowing internal users to access the internet with a public IP address.

Exam trap

The trap here is that candidates often confuse virtual IP (VIP) for source NAT, but VIP is strictly for destination NAT (inbound traffic), whereas source NAT for outbound traffic requires enabling NAT on the firewall policy.

How to eliminate wrong answers

Option A is wrong because transparent mode operates at Layer 2 without routing or NAT capabilities, which would prevent the required source NAT for internet access. Option B is wrong because policy routes control the path traffic takes based on routing criteria, not source NAT; they do not perform IP address translation. Option C is wrong because a virtual IP (VIP) is used for destination NAT (port forwarding), mapping an external IP/port to an internal server, not for source NAT of outbound traffic.
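How a first-match policy lookup with policy-level NAT behaves for the outbound web policy of Q162 and the source NAT of Q169, as an added Python model. This is example code written for this page, not code from the question bank or from Fortinet, and it deliberately models only the pieces the two questions discuss: interface pair, address match, service match, first-match with implicit deny, and source translation to the egress interface IP when NAT is enabled on the accepting policy. The interface names, the web server 198.51.100.80 and the small service table are constructed; the internal network 192.168.1.0/24 and port1 address 203.0.113.1 are the values from Q162.

```python
"""Added example: first-match evaluation of FortiGate-style firewall
policies with policy-level source NAT (Q162, Q169).

Modelled behaviour:
  * policies are checked top down; the first one whose source interface,
    destination interface, addresses and service all match decides;
  * no match means the implicit deny;
  * an ACCEPT policy with NAT enabled rewrites the source to the primary
    IP of the outgoing interface.
All objects below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service objects as (protocol, destination port); "ALL" matches everything.
SERVICES = {
    "HTTP": [("tcp", 80)], "HTTPS": [("tcp", 443)],
    "SSH": [("tcp", 22)], "DNS": [("udp", 53)],
}


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str      # prefix; "0.0.0.0/0" stands for the "all" object
    dstaddr: str
    services: list    # names from SERVICES, or ["ALL"]
    action: str       # "accept" or "deny"
    nat: bool = False


@dataclass
class Flow:
    ingress: str
    egress: str       # result of the routing lookup, e.g. port1 for Internet
    src: str
    dst: str
    proto: str
    dport: int


def service_matches(names, proto, dport):
    """True when the flow's protocol/port is covered by one of the services."""
    if "ALL" in names:
        return True
    return any((proto, dport) in SERVICES[n] for n in names)


def evaluate(policies, flow, interface_ips):
    """Return (policy name or 'implicit deny', action, translated source)."""
    for p in policies:
        if (p.srcintf == flow.ingress and p.dstintf == flow.egress
                and ip_address(flow.src) in ip_network(p.srcaddr)
                and ip_address(flow.dst) in ip_network(p.dstaddr)
                and service_matches(p.services, flow.proto, flow.dport)):
            if p.action != "accept":
                return p.name, "deny", None
            # Q169: NAT on the policy maps the source to the egress interface IP
            new_src = interface_ips[flow.egress] if p.nat else flow.src
            return p.name, "accept", new_src
    return "implicit deny", "deny", None


# Constructed policy table: the Q162 answer (option A) with NAT enabled (Q169).
POLICIES = [
    Policy("web-out", "internal", "port1", "192.168.1.0/24", "0.0.0.0/0",
           ["HTTP", "HTTPS"], "accept", nat=True),
]
INTERFACE_IPS = {"port1": "203.0.113.1", "internal": "192.168.1.1"}


def check(proto, dport, src="192.168.1.10", dst="198.51.100.80",
          ingress="internal", egress="port1"):
    """Evaluate one constructed flow against POLICIES."""
    return evaluate(POLICIES, Flow(ingress, egress, src, dst, proto, dport),
                    INTERFACE_IPS)


if __name__ == "__main__":
    print("HTTPS out:", check("tcp", 443))   # accepted, source becomes 203.0.113.1
    print("SSH out:  ", check("tcp", 22))    # implicit deny: not HTTP/HTTPS
    print("inbound:  ", check("tcp", 443, src="198.51.100.80", dst="192.168.1.10",
                              ingress="port1", egress="internal"))
```

The inbound call shows why option B of Q162 is a different policy altogether: with the interface pair reversed nothing matches and the implicit deny applies, and the SSH call shows what the Service: ALL distractor would have let through.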

170 · MCQ · hard

During a firmware upgrade, the admin uploads the image via the GUI and clicks 'Upgrade'. The FortiGate reboots but comes up with the old firmware. What is the MOST likely cause?

A.The firmware image file is corrupted or not compatible with the platform
B.The FortiGate was in HA mode and the peer did not upgrade
C.The admin did not reboot after the upgrade
D.The admin forgot to save the configuration before upgrading
Answer: A

Corrupted or incompatible images cause upgrade failure; the FortiGate reverts to previous firmware.

Why this answer

When a FortiGate reboots after an upgrade but loads the old firmware, the most likely cause is that the uploaded firmware image was corrupted or incompatible with the platform. The FortiGate verifies the image integrity (e.g., checksum) during the upgrade process; if the image fails validation, the system will not commit the new firmware and will fall back to the previous version stored in the secondary boot partition. This ensures the device remains operational even if the upgrade image is invalid.

Exam trap

The trap here is that candidates often assume a failed upgrade is due to a missing reboot or HA misconfiguration, but Fortinet specifically designs the upgrade process to automatically reboot and validate the image, making image corruption or incompatibility the primary cause when the old firmware reappears.

How to eliminate wrong answers

Option B is wrong because in an HA cluster, the upgrade process is coordinated; if the peer does not upgrade, the primary would either fail to upgrade or the cluster would split, but the FortiGate would not reboot to the old firmware on its own—it would typically remain on the new firmware or fail to complete the upgrade. Option C is wrong because the admin explicitly clicked 'Upgrade', which triggers an automatic reboot; no separate manual reboot is required, and the issue is that the device came up with old firmware, not that it didn't reboot. Option D is wrong because configuration is stored separately from firmware; forgetting to save the config does not affect which firmware version loads after reboot—the config is saved automatically before upgrade or can be restored, but it does not cause the old firmware to load.

171
MCQ · easy

A FortiGate is deployed in NAT/Route mode. The administrator wants to create a policy that allows internal users to access the internet and also translates their private IP addresses to the public IP of the FortiGate's WAN interface. Which policy configuration is required?

A.Configure a virtual IP (VIP) for the WAN interface
B.Set the policy action to ACCEPT and enable SNAT in the policy advanced options
C.Add a static route with NAT enabled
D.Enable NAT on the firewall policy
Answer: D

Enabling NAT on the policy performs source NAT to the outgoing interface IP.

Why this answer

Option D is correct because in NAT/Route mode, enabling NAT on the firewall policy performs source NAT (SNAT) by default, translating the private source IP addresses of internal users to the public IP address of the FortiGate's WAN interface. This is the standard method for allowing internal users to access the internet while hiding their private addresses behind a single public IP.

Exam trap

The trap here is that candidates may confuse source NAT (enabled on the firewall policy) with destination NAT (configured via VIPs) or mistakenly think NAT is a routing feature, leading them to select options like static route with NAT or VIP configuration.

How to eliminate wrong answers

Option A is wrong because a virtual IP (VIP) is used for destination NAT (DNAT), translating incoming traffic's destination IP to an internal server, not for translating source IPs of outbound traffic. Option B is wrong because while setting the policy action to ACCEPT is necessary, SNAT is not a separate toggle in advanced options; NAT is enabled directly on the firewall policy, and there is no 'SNAT' checkbox distinct from the NAT option. Option C is wrong because static routes do not have a NAT feature; NAT is configured at the firewall policy level, not on routing entries.

172
Multi-Select · hard

A FortiGate administrator is setting up a new FortiGate and needs to integrate it with FortiAnalyzer and FortiManager. Which THREE statements are correct regarding this integration?

Select 3 answers
A.FortiAnalyzer can generate reports based on the logs received from FortiGate.
B.FortiManager can be used to manage multiple FortiGate devices from a central console.
C.FortiAnalyzer can push configuration changes to the FortiGate.
D.FortiGate uses the FGFM protocol to communicate with FortiAnalyzer.
E.FortiAnalyzer can receive logs from the FortiGate for centralized logging and analysis.
Answers: A, B, E

FortiAnalyzer provides reporting capabilities.

Why this answer

Option A is correct because FortiAnalyzer is designed to receive logs from FortiGate devices and use them to generate comprehensive reports. The FortiGate sends logs via syslog or the FGFM protocol, and FortiAnalyzer stores them in its SQL database, allowing administrators to create scheduled or on-demand reports for compliance, traffic analysis, and security events.

Exam trap

The trap here is that candidates often confuse the roles of FortiAnalyzer and FortiManager, assuming FortiAnalyzer can manage configurations or that FGFM is used for both, when in fact FGFM is the FortiGate-FortiManager protocol, while FortiAnalyzer uses syslog or FGFM only for log forwarding.

173
MCQ · medium

An administrator creates a firewall policy to allow internal users to access the internet. The source interface is 'internal', destination interface is 'wan1', and NAT is enabled. Users complain that they cannot access external resources. The administrator verifies that the default route points to the ISP gateway. What is the most likely missing configuration?

A.The DNS server is not configured on the FortiGate
B.The FortiGate is in transparent mode
C.The policy action is set to DENY
D.The session helper for FTP is disabled
Answer: C

If the policy action is DENY, traffic is blocked despite other correct settings.

Why this answer

The most likely missing configuration is that the firewall policy action is set to DENY. Even with correct NAT, routing, and DNS settings, if the policy action is DENY, traffic from the internal interface to the wan1 interface will be dropped. The administrator must ensure the policy action is ACCEPT to permit outbound traffic.

Exam trap

The trap here is that candidates often overlook the policy action and instead focus on routing or NAT issues, assuming that if the default route and NAT are configured, traffic must flow, but the policy action is the gatekeeper that must be set to ACCEPT.

How to eliminate wrong answers

Option A is wrong because DNS server configuration is not required for basic internet access; users can use external DNS servers or IP addresses directly. Option B is wrong because transparent mode operates at Layer 2 and does not use NAT or routing in the same way; the scenario describes NAT enabled and a default route, which implies the FortiGate is in NAT/route mode. Option D is wrong because the session helper for FTP is only relevant for FTP traffic, not general internet access, and its disabling would not block all external resources.

174
MCQ · easy

A network administrator needs to configure a FortiGate to participate in SNMP monitoring. Which CLI command enables SNMP agent on the FortiGate?

A.config system snmp set status enable
B.set system snmp enable
C.set snmp agent enable
D.enable snmp service
Answer: A

This is the correct command sequence to enable SNMP.

Why this answer

The correct command to enable the SNMP agent on a FortiGate is 'config system snmp' followed by 'set status enable'. This enters the SNMP configuration context and activates the SNMP agent, which is required for the FortiGate to respond to SNMP queries from management systems. Without this command, the SNMP service remains disabled regardless of other SNMP settings.

Exam trap

The trap here is that candidates often confuse the FortiGate CLI syntax with Cisco IOS commands, where 'snmp-server enable' or 'snmp-server community' are used, leading them to select a similarly phrased but incorrect option like 'enable snmp service'.

How to eliminate wrong answers

Option B is wrong because 'set system snmp enable' is not a valid FortiGate CLI command; the correct syntax requires entering the 'config system snmp' context first. Option C is wrong because 'set snmp agent enable' does not exist in FortiGate CLI; the agent is controlled via the 'status' parameter under 'config system snmp'. Option D is wrong because 'enable snmp service' is not a valid FortiGate command; SNMP is managed through the 'config system snmp' hierarchy, not a simple service enable command.

175
MCQ · medium

A FortiGate is configured with two ISPs (WAN1 and WAN2) and uses SD-WAN for load balancing. The administrator notices that traffic to a critical SaaS application is being sent over the slower link. What should the administrator do to ensure this traffic uses the faster link?

A.Create an SD-WAN rule to match the SaaS application's destination and set preferred member to the faster link.
B.Remove the slower link from the SD-WAN interface.
C.Increase the bandwidth on the slower link.
D.Configure policy-based routing for the SaaS application.
Answer: A

SD-WAN rules allow traffic steering based on application.

Why this answer

Option A is correct because SD-WAN rules allow you to define traffic steering policies based on application or destination, and setting a preferred member explicitly directs matching traffic to the faster link. This overrides the default load-balancing algorithm, ensuring critical SaaS traffic uses the optimal path without affecting other traffic.

Exam trap

The trap here is that candidates often confuse SD-WAN rules with policy-based routing, thinking PBR can achieve the same result, but PBR lacks SD-WAN's application awareness, SLA monitoring, and seamless failover integration.

How to eliminate wrong answers

Option B is wrong because removing the slower link from the SD-WAN interface would eliminate redundancy and failover capability, not solve the traffic steering issue. Option C is wrong because increasing bandwidth on the slower link does not change the SD-WAN load-balancing decision; the traffic would still be sent to that link based on the current algorithm. Option D is wrong because policy-based routing (PBR) is a static routing mechanism that does not integrate with SD-WAN's dynamic path selection, performance SLA monitoring, or application-based steering, and it can conflict with SD-WAN rules.

176
Multi-Select · medium

An administrator is configuring a FortiGate to send logs to a FortiAnalyzer. Which TWO of the following are required? (Choose two.)

Select 2 answers
A.Enable local logging on the FortiAnalyzer
B.Create a firewall policy on the FortiGate to allow log traffic
C.Ensure network connectivity between FortiGate and FortiAnalyzer
D.Disable local logging on the FortiGate
E.Configure the FortiGate to send logs to the FortiAnalyzer
Answers: C, E

Essential for log transmission.

Why this answer

Option C is correct because the FortiGate must have IP reachability to the FortiAnalyzer to send logs over the network, typically using TCP port 514 (syslog) or FortiGate's proprietary log forwarding protocol. Without network connectivity, log transmission will fail regardless of configuration.

Exam trap

The trap here is that candidates often think a firewall policy is needed to allow log traffic, but FortiGate's own traffic (including logs) is not subject to firewall policies; only transit traffic requires policies.

177
MCQ · medium

A network administrator needs to configure a FortiGate to allow administrative access from a specific management subnet only. Which configuration step should be taken?

A.Create a local-in policy to permit traffic from the management subnet.
B.Disable administrative access on all interfaces except the management interface.
C.Configure an inbound firewall policy allowing HTTPS from the management subnet to the FortiGate's interface IP.
D.Under system > admin > settings, restrict administrative access to trusted hosts.
Answer: D

Why this answer

Option D is correct because the 'Trusted Hosts' feature under System > Admin > Settings allows you to restrict administrative access (HTTPS, SSH, Telnet, etc.) to specific source IP addresses or subnets. This is the intended method for limiting management access to a management subnet without affecting other traffic or interface configurations.

Exam trap

The trap here is that candidates often confuse local-in policies with trusted hosts, thinking that a local-in policy is the primary method for restricting management access, when in fact trusted hosts is the simpler and correct approach for source-based restriction.

How to eliminate wrong answers

Option A is wrong because a local-in policy filters traffic destined to the FortiGate itself, but it is typically used for advanced traffic shaping or rate limiting, not for restricting administrative access based on source subnet; using it for this purpose would be overly complex and not the standard practice. Option B is wrong because disabling administrative access on all interfaces except the management interface does not restrict access by source IP; it only limits which interfaces can be used for management, but any host on the management subnet could still access the FortiGate from that interface. Option C is wrong because an inbound firewall policy controls traffic passing through the FortiGate (forward traffic), not traffic destined to the FortiGate itself (local-in traffic); administrative access is governed by local-in policies or trusted hosts, not by standard firewall policies.

178
MCQ · easy

A FortiGate needs to resolve DNS names for outbound traffic. The administrator configures DNS servers under System > DNS. However, internal DNS queries for private domains fail. What additional configuration is required?

A.Create a DNS database entry for the private domain.
B.Add a static route for DNS traffic.
C.Configure a DNS server on the WAN interface.
D.Enable DNS proxy on the FortiGate.
Answer: A

Why this answer

When a FortiGate is configured with DNS servers under System > DNS, it can resolve public DNS names for outbound traffic. However, for private domains (e.g., internal.company.local), the FortiGate cannot resolve these because they are not registered in public DNS. Creating a DNS database entry for the private domain allows the FortiGate to act as an authoritative DNS server for that domain, providing local resolution for internal queries.

Exam trap

The trap here is that candidates often confuse the DNS proxy (which forwards queries) with the DNS database (which provides authoritative answers), leading them to select option D instead of A.

How to eliminate wrong answers

Option B is wrong because static routes are used for network-layer reachability, not for DNS resolution; DNS traffic will already follow the default route if the DNS server is reachable via the WAN. Option C is wrong because configuring a DNS server on the WAN interface is not a standard FortiGate feature; DNS servers are configured globally under System > DNS, and adding a DNS server on the WAN interface does not enable local domain resolution. Option D is wrong because enabling DNS proxy on the FortiGate only forwards DNS queries to configured DNS servers and does not provide local resolution for private domains; it is used for caching or filtering, not for authoritative responses.

179
Multi-Select · medium

A FortiGate administrator needs to configure NTP to ensure accurate time on the device. Which two steps are required? (Choose two.)

Select 2 answers
A.Enable the 'Sync on Save' option
B.Specify at least one NTP server address
C.Enable NTP under System > Settings
D.Configure a firewall policy to allow NTP traffic (UDP 123)
E.Set the time zone to the local time zone
Answers: B, C

At least one server is required for synchronization.

Why this answer

NTP requires both enabling the NTP service on the FortiGate (System > Settings) and specifying at least one NTP server address so the device can synchronize its clock. Without a server address, the NTP client has no source to query, and without enabling the service, the NTP client process will not run.

Exam trap

The trap here is that candidates often think a firewall policy is required for NTP traffic, but FortiGate's own NTP client uses the management interface and does not need a policy, unlike user traffic destined for NTP servers.

180
MCQ · easy

A FortiGate administrator needs to backup the configuration to a remote TFTP server. Which CLI command should be used?

A.copy config tftp <filename> <tftp_server_ip>
B.execute restore config tftp <filename> <tftp_server_ip>
C.execute backup config tftp <filename> <tftp_server_ip>
D.backup configuration to tftp <tftp_server_ip>
Answer: C

Why this answer

Option C is correct because the 'execute backup config tftp' command is the proper CLI syntax in FortiOS for backing up the current configuration to a remote TFTP server. This command triggers an immediate backup operation, and the filename and TFTP server IP are required parameters to specify the destination.

Exam trap

The trap here is that candidates familiar with Cisco IOS may mistakenly choose 'copy config tftp' (Option A) or 'backup configuration to tftp' (Option D), but FortiOS uses the 'execute' command structure and specific syntax 'backup config tftp' for this operation.

How to eliminate wrong answers

Option A is wrong because 'copy config tftp' is not a valid FortiOS command; Fortinet uses the 'execute' prefix for operational commands, and 'copy' is used in Cisco IOS, not FortiOS. Option B is wrong because 'execute restore config tftp' is used to restore a configuration from a TFTP server, not to back up; the keyword 'restore' indicates the opposite direction of data flow. Option D is wrong because 'backup configuration to tftp' is not a valid CLI command in FortiOS; the correct syntax requires the 'execute' keyword and the order 'backup config tftp'.

181
MCQ · hard

A FortiGate configured in NAT/Route mode is connected to the internet via port1 with an IP 10.0.0.1/24. The internal network uses 192.168.1.0/24. Users can browse the internet but cannot reach a public server at 203.0.113.5. A static default route exists. What is the most likely cause?

A.The static default route points to the wrong gateway
B.The public server is down
C.The firewall policy for outbound traffic does not have NAT enabled
D.The DNS server is not configured
Answer: C

Without NAT, internal private IPs are sent untranslated and cannot reach the internet.

Why this answer

Option C is correct because in NAT/Route mode, outbound traffic from a private IP (192.168.1.0/24) to a public internet destination requires source NAT (masquerading) to translate the private source IP to the interface IP (10.0.0.1). Without NAT enabled on the firewall policy, the FortiGate forwards the packet with the original private source IP, which is not routable on the public internet, so the return traffic cannot reach the internal host. The static default route exists and users can browse other sites, indicating routing is functional, but the specific public server is unreachable due to missing NAT.

Exam trap

The trap here is that candidates assume a working internet connection implies all outbound policies are correct, but FortiGate requires NAT to be explicitly enabled per policy, and missing NAT can cause selective unreachability while other traffic (e.g., to servers with public IPs that accept private source IPs) might still work.

How to eliminate wrong answers

Option A is wrong because the static default route points to the correct gateway (likely the ISP next-hop) since users can browse the internet successfully; a wrong gateway would break all outbound traffic. Option B is wrong because the public server being down would affect all users trying to reach it, but the question states users can browse the internet, implying other external destinations are reachable, so the server is likely up but unreachable due to a configuration issue. Option D is wrong because DNS is used for name resolution, not for IP connectivity; if DNS were misconfigured, users would fail to resolve domain names but could still reach the server by its IP address (203.0.113.5), and the question does not mention DNS failures.

182
MCQ · hard

A FortiGate has two WAN interfaces (wan1, wan2) configured with ECMP routes to the same destination. The administrator notices that traffic for a single session is being load-balanced across both links, causing performance issues. What should be configured to ensure sessions stick to one link?

A.Set policy routing to use source-based routing.
B.Change ECMP load balancing method to 'source-ip-based' or 'source-dst-ip-based'.
C.Configure SD-WAN rules to enforce per-session stickiness.
D.Disable ECMP and use a single default route.
Answer: B

Why this answer

Option B is correct because changing the ECMP load balancing method to 'source-ip-based' or 'source-dst-ip-based' ensures that all packets belonging to the same session (identified by source IP or source-destination IP pair) are hashed to the same egress interface. This prevents a single session from being split across multiple WAN links, which can cause out-of-order packets and performance degradation. FortiGate’s ECMP hash algorithm uses the configured method to compute a hash value that deterministically selects the outgoing interface for each flow.

Exam trap

The trap here is that candidates often confuse ECMP load balancing methods with SD-WAN stickiness features, assuming SD-WAN is required for session persistence, when in fact ECMP’s hash algorithm can be tuned directly to achieve per-session stickiness.

How to eliminate wrong answers

Option A is wrong because policy routing (PBR) is used to override the routing table based on criteria like source/destination IP or port, but it does not inherently provide per-session stickiness; without careful configuration, PBR can still lead to asymmetric routing or session splitting. Option C is wrong because SD-WAN rules can enforce stickiness via session-based load balancing (e.g., 'source-ip-based' or 'session-based'), but the question specifically asks about ECMP routes, and SD-WAN is a separate feature that requires additional configuration and is not the direct fix for ECMP load balancing. Option D is wrong because disabling ECMP and using a single default route eliminates load balancing entirely, which is an overreaction and does not address the requirement to keep sessions on one link while still allowing load balancing across different sessions.

183
MCQ · hard

An administrator configures a FortiGate HA cluster with two units in active-passive mode. After setup, the secondary unit shows 'standby' status but traffic is not failing over when the primary is shut down. What is the most likely cause?

A.The HA heartbeat interface is not configured on the same subnet.
B.The cluster is in active-active mode.
C.The session failover feature is disabled.
D.The primary unit's configuration changes were not synchronized to the secondary.
Answer: D

Why this answer

Option D is correct because in an active-passive HA cluster, the secondary unit must have a synchronized copy of the primary's configuration to take over traffic. If configuration synchronization is not enabled or fails, the secondary remains in standby but lacks the necessary policies and settings to handle traffic, so failover does not occur even though HA status appears normal.

Exam trap

The trap here is that candidates assume 'standby' status guarantees failover readiness, but FortiGate requires configuration synchronization to be explicitly enabled and successful for the standby unit to take over traffic; otherwise, it remains a passive observer without operational policies.

How to eliminate wrong answers

Option A is wrong because if the heartbeat interface were not on the same subnet, the units would not form an HA cluster at all—they would not detect each other, and the secondary would not show 'standby' status. Option B is wrong because the cluster is explicitly configured in active-passive mode, as stated in the question, so it cannot be in active-active mode; the secondary showing 'standby' confirms passive operation. Option C is wrong because session failover (FGSP or session-pickup) is a feature for preserving existing sessions during failover, but basic traffic failover (new connections) does not depend on it; the cluster will still fail over traffic without session failover enabled.

184
MCQ · medium

A FortiGate administrator needs to ensure that all DNS queries from internal clients are forwarded to a specific DNS server for security filtering. Which configuration should be applied?

A.Use policy routing to redirect DNS traffic to the server
B.Create a firewall policy to allow DNS traffic to the external server only
C.Enable DNS forwarding under Network > DNS and set the system DNS to the desired server
D.Configure a DNS database on the FortiGate
Answer: C

DNS forwarding makes the FortiGate resolve queries using the specified DNS servers.

Why this answer

Option C is correct because DNS forwarding on FortiGate allows the device to act as a DNS relay, intercepting DNS queries from internal clients and forwarding them to a specified DNS server for security filtering. This is configured under Network > DNS by setting the system DNS to the desired server, which ensures all DNS traffic is redirected without requiring policy routing or firewall rule changes.

Exam trap

The trap here is that candidates often confuse DNS forwarding with policy routing or firewall policies, assuming traffic redirection requires explicit routing or allow rules, rather than understanding that DNS forwarding is a dedicated application-layer relay feature.

How to eliminate wrong answers

Option A is wrong because policy routing is used to steer traffic based on routing criteria (e.g., source/destination IP), not to transparently forward DNS queries; it would require complex rules and does not inherently provide DNS-specific relay functionality. Option B is wrong because creating a firewall policy to allow DNS traffic to an external server only permits traffic but does not force all internal DNS queries to that server; clients could still use other DNS servers if configured. Option D is wrong because a DNS database on FortiGate is used for hosting local DNS records (e.g., for internal resolution or split DNS), not for forwarding queries to an external security filtering server.

185
MCQ · easy

A FortiGate administrator needs to allow remote management of a FortiGate from the internet. Which administrative access protocols should be enabled on the WAN interface? (Choose the best single answer.)

A.Ping and SNMP
B.HTTP and Telnet
C.FTP and TFTP
D.HTTPS and SSH
Answer: D

HTTPS and SSH provide encrypted access for web and CLI management.

Why this answer

HTTPS (port 443) and SSH (port 22) are the only secure administrative access protocols that provide encrypted communication for remote management over the internet. HTTP and Telnet transmit credentials and data in plaintext, making them unsuitable for WAN-facing interfaces. FortiGate best practices mandate disabling all insecure protocols on external interfaces and enabling only HTTPS and SSH for administrative access.

Exam trap

The trap here is that candidates often confuse 'administrative access' with 'monitoring or file transfer protocols' (e.g., SNMP, FTP) or fail to recognize that HTTP and Telnet are insecure for internet-facing interfaces, leading them to choose options that include unencrypted protocols.

How to eliminate wrong answers

Option A is wrong because Ping (ICMP) is not an administrative access protocol—it is used for connectivity testing, and SNMP is a monitoring protocol, not a management interface for CLI/GUI access. Option B is wrong because HTTP and Telnet both transmit data in plaintext, exposing credentials and configuration to interception, and are strongly discouraged on any internet-facing interface. Option C is wrong because FTP and TFTP are file transfer protocols, not administrative access protocols; they do not provide a command-line or web-based management interface for the FortiGate itself.

186
Multi-Select · hard

Which THREE statements about FortiGate's 'config system global' settings are true? (Choose three.)

Select 3 answers
A.The 'trusthost' setting restricts administrative access to specific source IPs.
B.The 'admin-login-retry-limit' setting limits the number of failed login attempts before lockout.
C.The 'hostname' setting sets the device name displayed in the GUI.
D.The 'allowaccess' setting controls which protocols are allowed on an interface.
E.The 'timezone' setting sets the FortiGate's local time zone.
Answers: B, C, E

This is a global security setting.

Why this answer

Option B is correct because the 'admin-login-retry-lockout' setting (often referred to as 'admin-login-retry-limit' in older firmware) defines the number of consecutive failed administrative login attempts before the administrator account is locked out for a specified duration. This is a security feature to prevent brute-force attacks against the management interface.

Exam trap

The trap here is confusing global system settings with interface-specific or admin-specific settings, leading candidates to select 'trusthost' or 'allowaccess', which are configured in different contexts (the admin account and the interface, respectively).

187
Multi-Select · hard

A FortiGate is configured in active-active HA mode. An administrator notices that session failover is not working properly during a failover event. Which THREE configurations should be checked?

Select 3 answers
A.Ensure the load-balance method is set to 'load-balance' or 'weighted-load-balance'.
B.Enable session synchronization under HA settings.
C.Increase the session TTL.
D.Set the HA mode to 'active-passive'.
E.Verify that all interfaces are included in the HA configuration.
Answers: A, B, E

Why this answer

Option A is correct because in active-active HA mode, the load-balance method must be set to 'load-balance' or 'weighted-load-balance' to ensure that session ownership is properly distributed and that session failover can occur. If the method is set to 'hub' or 'spoke', session synchronization and failover may not function as expected, as these modes are designed for different topologies.

Exam trap

The trap here is that candidates may assume session failover is solely dependent on enabling session synchronization, overlooking the critical requirement that the load-balance method must be correctly set for active-active mode to distribute and synchronize sessions properly.

188
MCQ · medium

An administrator configures SNMP on a FortiGate to monitor CPU and memory usage. After applying the configuration, the NMS cannot reach the FortiGate via SNMP. The FortiGate's interface has SNMP access enabled. What is the most likely missing configuration?

A.A firewall policy is missing to permit SNMP traffic from the NMS.
B.The SNMP community string is not configured.
C.NTP is not configured, causing time mismatch.
D.The FortiGate is not configured to send SNMP traps.
Answer: A

A policy must allow UDP 161 from the NMS to the FortiGate interface.

Why this answer

The most likely missing configuration is a firewall policy to permit SNMP traffic from the NMS. Even though SNMP access is enabled on the interface, FortiGate uses firewall policies to control all traffic traversing between zones, including management traffic from an NMS. Without an explicit policy allowing UDP ports 161 (SNMP queries) and 162 (traps) from the NMS source to the FortiGate interface, the SNMP requests are dropped by the firewall.

Exam trap

The trap here is that candidates assume enabling SNMP on the interface is sufficient, overlooking that FortiGate requires a dedicated firewall policy to allow management traffic from external sources to the device itself.

How to eliminate wrong answers

Option B is wrong because the SNMP community string is a required authentication parameter, but its absence would cause an authentication failure (e.g., 'noSuchName' error) rather than a complete unreachability; the NMS would still receive a response. Option C is wrong because NTP synchronization affects log timestamps and certificate validation, not SNMP reachability; SNMP operates independently of system time. Option D is wrong because SNMP traps are unsolicited notifications sent from the FortiGate to the NMS, but the question states the NMS cannot reach the FortiGate, which implies a failure of SNMP queries (polling), not traps; traps are not required for basic SNMP polling.

189
Multi-Select · medium

Which TWO configuration changes can reduce the risk of unauthorized administrative access to a FortiGate?

Select 2 answers
A.Use the default 'admin' account for all administrators
B.Restrict administrative access to trusted hosts
C.Change the default administrative port
D.Set a simple password for ease of use
E.Disable both HTTPS and HTTP administrative access
Answers: B, C

Limits source IPs that can initiate admin sessions.

Why this answer

Restricting administrative access to trusted hosts (Option B) is a fundamental security best practice that limits the source IP addresses allowed to connect to the FortiGate management interface. By configuring a trusted host list, the FortiGate will only accept administrative sessions (e.g., HTTPS, SSH, or Telnet) from specified IP addresses or subnets, effectively blocking all unauthorized sources. This reduces the attack surface and prevents brute-force or credential-stuffing attacks from untrusted networks.

Exam trap

The trap here is that candidates often think disabling HTTPS entirely is a valid security measure, but the NSE4 exam expects you to recognize that HTTPS must remain enabled for secure remote GUI access, and that disabling both HTTP and HTTPS would render the web interface inaccessible, which is not a recommended security practice.

190
MCQ · medium

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A.The session is blocked by a firewall policy
B.The session is a UDP connection to port 443
C.The session is experiencing high latency
D.The session is a TCP connection to port 443 that has been active for 1 hour
Answer: D

Duration 3600 seconds = 1 hour. Proto=6 is TCP.

Why this answer

Option D is correct because the output shows `proto=6`, which is the IP protocol number for TCP, and the filter `dport 443` restricts the listing to sessions whose destination port is 443 (HTTPS). The `duration=3600` field means the session has been active for 3600 seconds (1 hour), and `expire=3599` shows the remaining lifetime in seconds. This confirms an active TCP session to port 443 that has been established for one hour.

Exam trap

The trap here is that candidates often confuse `proto=6` with UDP or misinterpret `duration` as a latency value, leading them to select the high-latency or UDP options instead of recognizing the TCP protocol number and session age.

How to eliminate wrong answers

Option A is wrong because the output does not show any deny or drop flags; `proto_state=01` indicates a normal established TCP session (state 01 is typically ESTABLISHED in Fortinet's session table), not a blocked session. Option B is wrong because `proto=6` is TCP, not UDP (UDP is protocol 17); port 443 is commonly used for HTTPS over TCP, not UDP. Option C is wrong because the output provides no latency or RTT metrics; `duration` and `expire` are time-based counters, not indicators of network performance.

191
MCQ · medium

A network administrator notices that after configuring a new static route on a FortiGate, traffic to a remote subnet is still being forwarded via the default route. The administrator confirms the static route is present in the routing table with a lower distance than the default route. What is the MOST likely cause?

A.The static route is disabled by a firewall policy.
B.The static route is configured with a higher priority than the default route.
C.The static route's destination subnet overlaps with a directly connected subnet.
D.The static route's gateway is not reachable via any interface.
Answer: D

If the next-hop gateway is unreachable (no ARP entry or interface down), the route will not be installed in the routing table, and traffic will use the default route.

192
Multi-Select · medium

An administrator is configuring SNMP on a FortiGate for monitoring. Which THREE items are required for SNMPv3 configuration?

Select 3 answers
A.Security level (authPriv or authNoPriv)
B.Authentication protocol (e.g., SHA) and privacy protocol (e.g., AES)
C.SNMP view definition for the user
D.SNMP community string (read-only or read-write)
E.SNMP user with username and authentication password
Answers: A, B, E

Security level defines whether authentication and privacy are used.

Why this answer

SNMPv3 requires a security level to define whether authentication and encryption are used. The security level (authPriv or authNoPriv) determines the operational mode for the user, making it a mandatory configuration element. Without specifying the security level, the FortiGate cannot enforce the appropriate authentication and privacy policies for SNMPv3 communications.

Exam trap

The trap here is that candidates often confuse SNMPv3 with SNMPv2c and incorrectly select the community string option, forgetting that SNMPv3 eliminates community strings in favor of user-based authentication and encryption.

193
MCQ · hard

A FortiGate administrator configures policy-based routing (PBR) to direct traffic from subnet 192.168.1.0/24 to the internet via ISP1. However, traffic from that subnet is still using the default route via ISP2. What is the most likely cause?

A.The PBR rule's source address does not match the traffic correctly.
B.The default route has a lower administrative distance than the PBR rule.
C.PBR is not supported on FortiGate.
D.The PBR rule has a higher priority than the default route.
Answer: A

Why this answer

Policy-based routing (PBR) on FortiGate overrides the routing table only when the traffic matches all configured criteria, including the source address. If the source address in the PBR rule does not match 192.168.1.0/24 exactly (e.g., a typo, wrong subnet mask, or missing entry), the traffic falls through to the default route via ISP2. This is the most likely cause because PBR rules are evaluated before the routing table, but only for matching traffic.

Exam trap

The trap here is that candidates often confuse PBR with static routing and assume the default route's administrative distance or priority can override PBR, but PBR is evaluated before the routing table and is not subject to route metrics.

How to eliminate wrong answers

Option B is wrong because administrative distance is a property of routes in the routing table, not of PBR rules; PBR operates before the routing table lookup and is not compared to administrative distance. Option C is wrong because PBR is fully supported on FortiGate, including in NSE4 scope, and is commonly used for multi-WAN setups. Option D is wrong because a higher priority in PBR would make the rule more likely to match, not less; the issue is that the rule is not matching at all, not that it is being overridden by the default route.

194
MCQ · medium

A network administrator is configuring a new FortiGate and needs to ensure that all traffic from the internal network to the internet is source NATed to the public IP address on port1. The default route points to port1. Which configuration step is required to achieve this?

A.Configure a static route to the internet with NAT enabled
B.Enable NAT on the firewall policy from internal to internet
C.Set the interface port1 to NAT mode in its settings
D.Create an IP pool with the public IP and reference it in the policy
Answer: B

In a firewall policy, enabling NAT performs source NAT (masquerade) using the egress interface IP.

Why this answer

Option B is correct because source NAT (SNAT) on a FortiGate is configured at the firewall policy level, not on the interface or via a static route. By enabling NAT on the firewall policy from the internal network to the internet, the FortiGate automatically translates the source IP of traffic egressing port1 to the interface's primary IP address (the public IP). This is the standard method for implementing source NAT in FortiOS, as defined in the FortiGate Administration Guide.

Exam trap

The trap here is that candidates often confuse NAT configuration with interface settings or static routes, mistakenly thinking NAT must be enabled on the egress interface or as part of the route, whereas FortiOS applies NAT exclusively at the firewall policy level.

How to eliminate wrong answers

Option A is wrong because static routes in FortiOS do not have a NAT toggle; NAT is not a property of a route but of a firewall policy. Option C is wrong because interfaces in FortiOS do not have a 'NAT mode' setting; NAT is applied per policy, not per interface. Option D is wrong because an IP pool is only required when you need to translate to a specific IP address that is not the interface IP (e.g., for load balancing or PAT with a pool), but the question states the public IP is on port1, so the default interface NAT (enabled in the policy) suffices without an IP pool.

195
MCQ · hard

An administrator configures a VLAN interface on a FortiGate's physical port with the IP 192.168.10.1/24. The VLAN ID is 10. The administrator connects a switch port configured as an access port (untagged) in VLAN 10. The devices on the switch cannot ping the FortiGate's VLAN interface. What is the most likely cause?

A.The switch port should be configured as a trunk port allowing VLAN 10
B.The FortiGate's physical port is not set to the same VLAN ID
C.The FortiGate's administrative access is not enabled on the VLAN interface
D.The FortiGate's VLAN interface is not assigned to any VDOM
Answer: A

The switch port must send tagged frames (trunk) for the FortiGate VLAN interface to recognize them.

Why this answer

The switch port is configured as an access port, which sends frames untagged. However, the FortiGate's VLAN interface expects to receive 802.1Q-tagged frames because the VLAN is defined as a subinterface on the physical port. For the FortiGate to process traffic for VLAN 10, the switch port must be configured as a trunk (or tagged) port that sends frames with the VLAN 10 tag.

An access port strips the tag, so the FortiGate never sees the VLAN 10 traffic.

Exam trap

The trap here is that candidates often confuse access/trunk port behavior with VLAN interface configuration on firewalls, mistakenly thinking an access port is sufficient because the VLAN ID matches, when in fact the FortiGate requires tagged frames for subinterfaces.

How to eliminate wrong answers

Option B is wrong because the FortiGate's physical port does not have a VLAN ID setting; VLANs are defined as subinterfaces, and the VLAN ID is set on the VLAN interface itself, not on the physical port. Option C is wrong because administrative access (e.g., HTTPS, SSH, ping) is a separate setting that controls management protocols, not basic IP connectivity; the devices cannot ping due to a Layer 2 tagging mismatch, not because ping is disabled. Option D is wrong because VDOM assignment is only relevant in multi-tenant or virtualized FortiGate configurations; by default, all interfaces belong to the root VDOM, and the VLAN interface would still be reachable if the tagging were correct.

196
MCQ · hard

You are troubleshooting a FortiGate HA cluster (active-passive) and notice that after a failover, some existing TCP sessions are not being maintained. The hbdev heartbeat interfaces are configured correctly, and session synchronization is enabled. What is the MOST likely cause?

A.The secondary unit is in maintenance mode
B.NPU offloading is enabled on the primary FortiGate
C.The HA uptime monitor is not configured
D.Session pickup is not enabled in the HA configuration
Answer: B

NPU offloading can cause sessions to be offloaded to hardware and not fully synced to the backup unit. Disabling NPU offloading ensures all sessions are synced.

Why this answer

In FortiGate HA, session synchronization depends on NPU-offloaded sessions being re-synced to the backup. If NPU offloading is enabled on the primary, those sessions may not be fully synced to the backup unit. Disabling NPU offloading on the primary ensures all sessions are handled by the CPU and are therefore synced properly.

197
Multi-Select · medium

An administrator needs to configure a FortiGate to send logs to a FortiAnalyzer. Which two configurations are required? (Choose two.)

Select 2 answers
A.Configure FortiAnalyzer IP under config system central-management
B.Set log-fortianalyzer to enable under config log setting
C.Enable log transfer under config log fortianalyzer setting
D.Configure a firewall policy to allow logs to leave
E.Create a log filter to send all logs
Answers: A, B

This sets the FortiAnalyzer server address.

Why this answer

Option A is correct because the FortiGate must be configured to know the FortiAnalyzer's IP address under `config system central-management` to establish the logging connection. Option B is correct because the `set log-fortianalyzer enable` command under `config log setting` activates the log transmission to the configured FortiAnalyzer. Without both, the FortiGate will not send logs to the FortiAnalyzer.

Exam trap

The trap here is that candidates mistakenly think a firewall policy is required to allow log traffic out, but FortiGate's log transmission to FortiAnalyzer uses the management VDOM and bypasses regular firewall policies.

198
MCQ · medium

An administrator runs 'diagnose sniffer packet any "host 10.0.1.100" 4' and sees packets being sent but no response. The FortiGate has a static route for 10.0.1.0/24 via 192.168.1.1. The administrator checks the routing table and sees the route is present. What is the most likely cause of no response?

A.The outgoing interface in the static route is incorrect or down.
B.The FortiGate has a policy route overriding the static route.
C.The destination host has a firewall blocking ICMP.
D.The static route has a higher administrative distance than a dynamic route.
Answer: A

An incorrect interface would cause packets to be sent out the wrong port, not reaching the destination.

Why this answer

Option A is correct because even if the route exists, the outgoing interface might be incorrectly configured or down. The sniffer shows packets leaving the FortiGate, but the destination might not be reachable via that interface. A missing route is not the explanation here: a missing route would show 'no matching route' in debug output, whereas the administrator has confirmed the route is present.

Options B, C, and D are less likely given the symptom.

199
MCQ · medium

After upgrading FortiGate firmware from 6.0 to 7.2, an administrator notices that a static route pointing to a next-hop IP 10.0.0.1 is no longer working. The route is present in the configuration but the FortiGate shows it as 'not active'. What is the MOST likely cause?

A.FortiGate now requires a default administrative distance of 10 for static routes
B.The route was deleted during the upgrade and needs to be re-added
C.The next-hop IP is not directly connected to any FortiGate interface
D.The remote gateway is down
Answer: C

FortiGate requires static route next-hop to be directly connected. If the next-hop is not on a directly connected subnet, the route will be inactive.

Why this answer

In FortiOS 7.2, a static route is considered 'active' only if the next-hop IP is reachable via a directly connected interface. If the next-hop IP 10.0.0.1 is not on a directly connected subnet, the route will be present in the configuration but marked as 'not active'. This is a fundamental routing principle: the next hop must be directly reachable (i.e., the router must have an ARP entry for it) for the route to be installed in the routing table.

Exam trap

The trap here is that candidates often assume a static route will be active as long as the configuration is present and the remote gateway is reachable, but FortiGate (and most routers) require the next-hop IP to be directly connected for the route to be installed in the routing table.

How to eliminate wrong answers

Option A is wrong because the default administrative distance for static routes in FortiOS remains 10 (unchanged from 6.0 to 7.2), and administrative distance does not affect whether a route is 'active'; it only influences route selection among multiple routes to the same destination. Option B is wrong because the route is still present in the configuration, so it was not deleted during the upgrade; the issue is that it is not active, not that it is missing. Option D is wrong because a remote gateway being down could leave the route present but inactive only when the next hop is directly connected; if the next hop is not directly connected, the route is inactive regardless of the remote gateway's state.

200
MCQ · easy

Which protocol does FortiGate use to synchronize sessions between HA cluster members?

A.HSRP
B.OSPF
C.VRRP
D.FGCP
Answer: D

FGCP is FortiGate's proprietary HA protocol.

Why this answer

FortiGate uses the FortiGate Cluster Protocol (FGCP) to synchronize session tables, configuration, and state information between HA cluster members. FGCP is a proprietary protocol that ensures seamless failover by replicating session data in real time, allowing the backup unit to take over active sessions without interruption.

Exam trap

The trap here is that candidates familiar with Cisco or open-standard redundancy protocols (HSRP, VRRP) may assume FortiGate uses one of those, but FortiGate relies on its proprietary FGCP for HA session synchronization.

How to eliminate wrong answers

Option A is wrong because HSRP (Hot Standby Router Protocol) is a Cisco-proprietary protocol for router redundancy, not used by FortiGate for session synchronization. Option B is wrong because OSPF (Open Shortest Path First) is a dynamic routing protocol for exchanging routing information, not for synchronizing sessions in an HA cluster. Option C is wrong because VRRP (Virtual Router Redundancy Protocol) is an open-standard protocol for default gateway redundancy, but FortiGate does not use it for session synchronization; FGCP is the dedicated HA protocol.
