Sample questions
Fortinet NSE 7 Advanced Security NSE7 practice questions
A FortiGate cluster (A-P) has a session that is not synchronizing to the secondary unit. The administrator runs 'diagnose sys ha session-sync status' and sees that the session count is different between primary and secondary. Which is the most likely cause?
Trap 1: The session is using a custom application control profile that…
Application control profiles do not affect session sync.
Trap 2: The HA heartbeat interface is down.
If heartbeat is down, no synchronization would occur at all.
Trap 3: The secondary unit has insufficient memory to accept new sessions.
Memory issues would cause more widespread problems.
- A
The session is using a custom application control profile that prevents synchronization.
Why wrong: Application control profiles do not affect session sync.
- B
The HA heartbeat interface is down.
Why wrong: If heartbeat is down, no synchronization would occur at all.
- C
The secondary unit has insufficient memory to accept new sessions.
Why wrong: Memory issues would cause more widespread problems.
- D
The session was created by a local-in traffic (e.g., management traffic) which is not synchronized.
Sessions that terminate on the primary itself (local-in traffic such as admin HTTPS/SSH, SNMP or IKE to the unit) are not synchronized: they belong to that unit and could not be picked up by the secondary anyway, so the counts legitimately differ.
An administrator is troubleshooting a scenario where IPSec VPN tunnels between two FortiGates are flapping. The logs show Phase 1 is up but Phase 2 fails with 'no proposal chosen'. The remote FortiGate has multiple Phase 2 selectors configured. What is the most likely cause?
Trap 1: Mismatched pre-shared keys.
Pre-shared key mismatch would cause Phase 1 to fail, not Phase 2.
Trap 2: Dead Peer Detection (DPD) settings are too aggressive.
DPD issues would cause the tunnel to drop after being established, not a Phase 2 failure.
Trap 3: Certificate validation failure.
Certificate issues would affect Phase 1 if certificate authentication is used, but logs show Phase 1 is up.
- A
Mismatched Phase 2 proxy IDs (local/remote subnets).
'no proposal chosen' in Phase 2 means the responder found no child SA it could accept. With several Phase 2 selectors on the remote side, the usual cause is that the local/remote subnets (proxy IDs) sent by this peer are not the mirror image of any of them; mismatched Phase 2 encryption, integrity or PFS (DH group) settings produce the same error.
- B
Mismatched pre-shared keys.
Why wrong: Pre-shared key mismatch would cause Phase 1 to fail, not Phase 2.
- C
Dead Peer Detection (DPD) settings are too aggressive.
Why wrong: DPD issues would cause the tunnel to drop after being established, not a Phase 2 failure.
- D
Certificate validation failure.
Why wrong: Certificate issues would affect Phase 1 if certificate authentication is used, but logs show Phase 1 is up.
Match each FortiGate interface type to its usage.
Hardware network port
Virtual LAN subinterface
Virtual interface for management or routing
Combines multiple physical links for redundancy
Link aggregation (LAG) for increased bandwidth
A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?
Trap 1: Data Leak Prevention profile
DLP prevents data exfiltration, not malware detection.
Trap 2: Web Filtering profile
Web filtering only classifies URLs; decryption comes from the SSL/SSH inspection profile applied to the policy, and malware detection is the antivirus profile's job.
Trap 3: Intrusion Prevention profile
IPS profiles detect exploits but do not decrypt traffic by themselves.
- A
Data Leak Prevention profile
Why wrong: DLP prevents data exfiltration, not malware detection.
- B
Antivirus profile with SSL inspection
Apply an antivirus profile together with a deep-inspection SSL/SSH inspection profile on the same policy: deep inspection decrypts the TLS session so the antivirus engine can scan the C2 traffic inside it (certificate-only inspection does not decrypt).
- C
Web Filtering profile
Why wrong: Web filtering only classifies URLs; decryption comes from the SSL/SSH inspection profile applied to the policy, and malware detection is the antivirus profile's job.
- D
Intrusion Prevention profile
Why wrong: IPS profiles detect exploits but do not decrypt traffic by themselves.
Drag and drop the steps to configure a FortiGate to send logs to a FortiAnalyzer into the correct order.
Drag and drop the steps to configure an HA cluster on FortiGate into the correct order.
Drag and drop the steps to troubleshoot a FortiGate SSL VPN connection failure into the correct order.
Drag and drop the steps to configure a FortiGate as a DHCP server into the correct order.
A customer reports intermittent connectivity issues between two internal subnets separated by a FortiGate firewall. The traffic is allowed by the policy, but users experience timeouts during peak hours. Which troubleshooting step should you take first?
Trap 1: Run a packet sniffer on the FortiGate to capture traffic between…
Packet capture is useful but more resource-intensive; should be done after simpler checks.
Trap 2: Disable hardware acceleration on the FortiGate.
This could reduce performance and is not a first step in troubleshooting intermittent connectivity.
Trap 3: Configure SNAT on the policy to translate the source IP.
SNAT is not a troubleshooting step and may not resolve the issue.
- A
Run a packet sniffer on the FortiGate to capture traffic between the subnets.
Why wrong: Packet capture is useful but more resource-intensive; should be done after simpler checks.
- B
Check the session table for session limits and session congestion.
Timeouts that appear only at peak hours while the policy accepts the traffic point at capacity, not configuration. Checking session counts and clash counters (diagnose sys session stat) and resource usage (get system performance status) is quick and non-disruptive, and belongs before any packet capture.
- C
Disable hardware acceleration on the FortiGate.
Why wrong: This could reduce performance and is not a first step in troubleshooting intermittent connectivity.
- D
Configure SNAT on the policy to translate the source IP.
Why wrong: SNAT is not a troubleshooting step and may not resolve the issue.
An administrator is troubleshooting a VPN tunnel that is not coming up. The remote peer is a third-party device. Which THREE actions should be taken to diagnose the issue?
Trap 1: Confirm that UDP ports 500 and 4500 are not blocked by any firewall.
This should be checked, but it's not one of the three most direct actions for a tunnel not coming up; it's more about network path.
Trap 2: Review the routing table to ensure the remote subnet is reachable…
This is relevant after the tunnel is established.
- A
Ensure that the pre-shared key matches on both sides.
Mismatched PSK is a common cause of tunnel failure.
- B
Confirm that UDP ports 500 and 4500 are not blocked by any firewall.
Why wrong: This should be checked, but it's not one of the three most direct actions for a tunnel not coming up; it's more about network path.
- C
Verify that the remote peer's IP address is reachable via ping.
Basic connectivity must exist before IKE negotiation.
- D
Check the IPSec VPN logs with 'diag debug application ike -1'.
IKE debug (together with diagnose debug enable) shows each negotiation step and the notify payloads the third-party peer returns, such as which proposal or ID it rejected.
- E
Review the routing table to ensure the remote subnet is reachable through the tunnel interface.
Why wrong: This is relevant after the tunnel is established.
A FortiGate administrator sees the following kernel log: 'kernel: [pid 1234] received packet with unknown or unsupported protocol 0x0800 on interface port1, drop'. What does this log indicate?
Trap 1: The packet is an ARP request that failed.
ARP uses protocol type 0x0806.
Trap 2: The packet has an invalid MAC address.
MAC address issues generate different logs.
Trap 3: The packet has IP options set that are not supported.
IP options would be handled at a higher layer.
- A
The packet is an ARP request that failed.
Why wrong: ARP uses protocol type 0x0806.
- B
The packet has an invalid MAC address.
Why wrong: MAC address issues generate different logs.
- C
The interface is not configured with an IP address or is in the wrong VDOM.
0x0800 is simply the IPv4 EtherType, so a drop for an 'unsupported' protocol points at the receiving interface rather than at the frame: an interface with no IP address, or one assigned to a VDOM that does not own this traffic, has nothing to hand the packet to.
- D
The packet has IP options set that are not supported.
Why wrong: IP options would be handled at a higher layer.
A company's FortiGate is configured with multiple IPsec VPN tunnels to branch offices. One tunnel keeps dropping and re-establishing every few minutes. The logs show 'IPsec SA negotiation failed' with error 'proposal mismatch'. What is the most likely cause?
Trap 1: Dead Peer Detection (DPD) configured too aggressively
DPD only monitors peer liveness; it doesn't cause proposal mismatch.
Trap 2: NAT-Traversal (NAT-T) not enabled
NAT-T affects encapsulation, not proposal matching.
Trap 3: Pre-shared key mismatch
Incorrect PSK results in authentication failure, not proposal mismatch.
- A
Dead Peer Detection (DPD) configured too aggressively
Why wrong: DPD only monitors peer liveness; it doesn't cause proposal mismatch.
- B
Mismatched encryption or authentication algorithms between the two VPN peers
'proposal mismatch' means the encryption/integrity algorithms or DH (PFS) group offered by one peer have no counterpart on the other. A tunnel that comes up and then fails every few minutes fits this pattern: the negotiation initiated from one side succeeds, and the periodic rekey initiated from the other side with its own (non-matching) proposal fails.
- C
NAT-Traversal (NAT-T) not enabled
Why wrong: NAT-T affects encapsulation, not proposal matching.
- D
Pre-shared key mismatch
Why wrong: Incorrect PSK results in authentication failure, not proposal mismatch.
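Both the 'no proposal chosen' failure with multiple selectors and the 'proposal mismatch' rekey failure above come down to the responder finding nothing acceptable in the Phase 2 negotiation. The FortiOS CLI fragment below is an added illustration, not configuration from the page or from Fortinet: a hub with two Phase 2 selectors, a branch whose Phase 2 matches neither selector nor proposal, and the corrected branch side. Tunnel names, interfaces, subnets and peer addresses are assumptions.

```fortios
# Hub (static IP): two Phase 2 selectors under one Phase 1 named "toBranch".
config vpn ipsec phase2-interface
    edit "toBranch-lan1"
        set phase1name "toBranch"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
    edit "toBranch-lan2"
        set phase1name "toBranch"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.20.0.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# Branch as found. Two independent mismatches, each enough for the hub to reply
# "no proposal chosen" / "proposal mismatch" while Phase 1 stays up:
#   1. dst-subnet 10.30.0.0/24 mirrors none of the hub's selectors (10.10.0.0/24, 10.20.0.0/24)
#   2. aes128-sha1 with PFS group 5 has no overlap with the hub's aes256-sha256 / group 14
config vpn ipsec phase2-interface
    edit "toHub"
        set phase1name "toHub"
        set proposal aes128-sha1
        set dhgrp 5
        set src-subnet 192.168.50.0 255.255.255.0
        set dst-subnet 10.30.0.0 255.255.255.0
    next
end

# Branch corrected: one Phase 2 per hub selector, local/remote subnets swapped relative
# to the hub, identical proposal and PFS group.
config vpn ipsec phase2-interface
    delete "toHub"
    edit "toHub-lan1"
        set phase1name "toHub"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.50.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.255.0
    next
    edit "toHub-lan2"
        set phase1name "toHub"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.50.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end

# Confirm on either peer: the IKE debug shows which selector or proposal was rejected,
# the tunnel list shows the Phase 2 SAs that actually negotiated.
diagnose vpn ike log filter rem-addr4 198.51.100.7
diagnose debug application ike -1
diagnose debug enable
# ... bring the tunnel up or wait for a rekey, then stop the debug:
diagnose debug disable
diagnose debug reset
diagnose vpn tunnel list name toHub
```

The log filter syntax differs between releases (older builds use diagnose vpn ike log-filter dst-addr4); without a filter on a hub with many peers the debug output is unreadable.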
An administrator is configuring a FortiGate HA cluster in active-passive mode. The company has two ISPs, and the primary FortiGate is connected to ISP1 and ISP2. The secondary FortiGate is connected only to ISP2. The administrator wants to ensure that failover occurs only if both ISP1 and ISP2 connections are lost on the primary device. Which configuration approach should be used?
Trap 1: Use gateway monitoring with virtual router failover, and set the…
'Virtual router failover' is not a FortiGate HA mechanism, and a link monitor on its own only withdraws routes; it influences the cluster election only when its interface is also listed under pingserver-monitor-interface in the HA configuration.
Trap 2: Configure gateway monitoring on the primary for ISP1 only, and set…
This would cause failover if ISP1 alone fails, even if ISP2 is still up.
Trap 3: Set the HA priority of the primary to 1 and the secondary to 0, and…
link-failed-signal is not a monitoring setting at all; it only bounces the interfaces of a unit that has just lost primary status so attached switches relearn MAC addresses. Interface monitoring (set monitor) does trigger failover, but on any single monitored link, so losing ISP1 alone would fail over.
- A
Use gateway monitoring with virtual router failover, and set the failure threshold to 2.
Why wrong: 'Virtual router failover' is not a FortiGate HA mechanism, and a link monitor on its own only withdraws routes; it influences the cluster election only when its interface is also listed under pingserver-monitor-interface in the HA configuration.
- B
Configure gateway monitoring on the primary for ISP1 only, and set the HA failover threshold to 1.
Why wrong: This would cause failover if ISP1 alone fails, even if ISP2 is still up.
- C
Set the HA priority of the primary to 1 and the secondary to 0, and enable link-fail-signal on both ISP interfaces on the primary.
Why wrong: link-failed-signal is not a monitoring setting at all; it only bounces the interfaces of a unit that has just lost primary status so attached switches relearn MAC addresses. Interface monitoring (set monitor) does trigger failover, but on any single monitored link, so losing ISP1 alone would fail over.
- D
Configure a link monitor for each ISP gateway on the primary (config system link-monitor, each with set ha-priority 1), list both ISP interfaces under set pingserver-monitor-interface, and set pingserver-failover-threshold 2 in the HA configuration.
Remote IP monitoring adds up the ha-priority of every failed link monitor and fails over only when the total reaches the threshold, so with 1 + 1 against a threshold of 2 the primary gives up only when both ISP gateways are unreachable; the default threshold of 0 would fail over on the first one.
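The configuration below is an added FortiOS CLI illustration of the remote-IP-monitoring approach described in option D; it is not taken from the page or from Fortinet documentation. Interface names (wan1/wan2), gateway addresses and timers are assumptions; the ha-priority and threshold arithmetic is the point.

```fortios
# One link monitor per ISP gateway on the primary. Each failed monitor contributes its
# ha-priority (here 1) toward the HA failover threshold.
config system link-monitor
    edit "mon-ISP1"
        set srcintf "wan1"
        set server "203.0.113.1"
        set protocol ping
        set failtime 5
        set recoverytime 5
        set ha-priority 1
        set update-static-route enable
    next
    edit "mon-ISP2"
        set srcintf "wan2"
        set server "198.51.100.1"
        set protocol ping
        set failtime 5
        set recoverytime 5
        set ha-priority 1
        set update-static-route enable
    next
end

# Tie the monitors into the cluster election.
config system ha
    set pingserver-monitor-interface "wan1" "wan2"
    # Weak setting (the default): threshold 0 fails over on any single failed monitor,
    # so losing ISP1 alone would hand the cluster to a unit that only has ISP2 anyway.
    # set pingserver-failover-threshold 0
    # Corrected: fail over only when the summed ha-priority of failed monitors reaches 2,
    # i.e. when both ISP1 and ISP2 are unreachable from the primary.
    set pingserver-failover-threshold 2
    set pingserver-flip-timeout 60
end

# Note: plain interface monitoring ('set monitor "wan1" "wan2"') would fail over on the
# first link that goes down and does not satisfy this requirement.

# Verify which monitors are up and whether the cluster has failed over.
diagnose sys link-monitor status
get system ha status
```

pingserver-flip-timeout (minutes) stops the cluster from flapping back and forth if the monitored gateways recover and fail again in quick succession.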
A FortiGate is blocking HTTP traffic from 10.0.1.5 to 10.0.2.100, despite an explicit allow policy. The exhibit shows the configuration and debug flow output. What is the most likely cause?
Exhibit
Refer to the exhibit.
config firewall policy
edit 1
set name "Allow-Web"
set srcintf "port1"
set dstintf "port2"
set srcaddr "10.0.1.0/24"
set dstaddr "10.0.2.100"
set action accept
set schedule "always"
set service "HTTP"
set logtraffic all
next
end
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 10
--- flow debug output ---
proton_state=0, reason=session-denied
id=20085 trace_id=155 func=print_pkt_detail line=4945 msg="vd-root:0 received a packet from port1: 10.0.1.5:45231 -> 10.0.2.100:80, proto 6."
id=20085 trace_id=155 func=resolve_ip_tuple line=4125 msg="Find an existing session, id 00001234, original direction"
id=20085 trace_id=155 func=__ip_session_match_tuple line=2818 msg="Session state: not ready"
id=20085 trace_id=155 func=__ip_session_find_by_session_id line=2773 msg="session session_deny because state proto is not ready"
Trap 1: The policy is applied to the wrong source interface.
The debug shows the packet received on port1, which matches the policy.
Trap 2: The policy action is set to deny.
Exhibit shows action accept.
Trap 3: The source address object does not include 10.0.1.5.
The srcaddr is 10.0.1.0/24 which includes 10.0.1.5.
- A
The policy is applied to the wrong source interface.
Why wrong: The debug shows the packet received on port1, which matches the policy.
- B
The policy action is set to deny.
Why wrong: Exhibit shows action accept.
- C
TCP SYN flood protection is dropping the incomplete session.
The trace did not evaluate the policy at all: it matched an existing session and denied the packet because that session's TCP state is 'not ready', i.e. the handshake never completed. A SYN-flood / DoS anomaly threshold is the usual reason sessions get stuck in that state (an asymmetric path that hides the SYN-ACK from the FortiGate produces the same symptom).
- D
The source address object does not include 10.0.1.5.
Why wrong: The srcaddr is 10.0.1.0/24 which includes 10.0.1.5.
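The exhibit shows only the trace output. The FortiOS CLI sequence below is an added example (not from the page) of how a practitioner would scope the flow trace to this one flow and then follow the lead the trace gives, the matched session and the DoS policy; the trace count and the DoS-policy check are assumptions about the environment.

```fortios
# Scope the trace to the failing flow before enabling it, so other traffic does not drown it out.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.1.5
diagnose debug flow filter daddr 10.0.2.100
diagnose debug flow filter dport 80
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 20
# ... reproduce the HTTP request from 10.0.1.5, then stop cleanly:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# The trace matched an existing session, so inspect that session's TCP state (proto_state)
# rather than the policy: a handshake that never completes leaves it "not ready".
diagnose sys session filter clear
diagnose sys session filter src 10.0.1.5
diagnose sys session filter dst 10.0.2.100
diagnose sys session filter dport 80
diagnose sys session list

# If a SYN-flood threshold is the suspect, check what the DoS policy on port1 enforces
# and whether the tcp_syn_flood anomaly is actually firing.
show firewall DoS-policy
diagnose ips anomaly list
```

Always finish with diagnose debug reset; a forgotten flow filter or debug level silently keeps writing to the console and the crash log.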
Which TWO configurations are required to enable SSL VPN authentication using a RADIUS server on a FortiGate?
Trap 1: Configure an LDAP server to synchronize user accounts
LDAP is not required for RADIUS authentication.
Trap 2: Configure an SSL VPN portal with 'Require Authentication' enabled
Portal settings don't specify the authentication method.
Trap 3: Set a local password policy for SSL VPN users
Password policy is not required; RADIUS handles passwords.
- A
Create a user group that includes the RADIUS server as an authentication method
A user group with the RADIUS server as a member is what the SSL VPN authentication rule and the firewall policy reference; the server object alone cannot be bound to the VPN.
- B
Configure an LDAP server to synchronize user accounts
Why wrong: LDAP is not required for RADIUS authentication.
- C
Configure an SSL VPN portal with 'Require Authentication' enabled
Why wrong: Portal settings don't specify the authentication method.
- D
Define the RADIUS server under User & Authentication > RADIUS Servers
The RADIUS server must be defined before it can be used.
- E
Set a local password policy for SSL VPN users
Why wrong: Password policy is not required; RADIUS handles passwords.
Refer to the exhibit. A FortiGate is connected to the Security Fabric and registered with FortiManager. However, the administrator notices that the FortiGate is not receiving policy updates from FortiManager. What is the most likely cause?
Exhibit
FGT # get system fabric-status
Fabric Role: Member
Fabric Status: Connected
Fabric Group: MyGroup
Fabric Root: FGT-Root (serial: FG100D3TF16800001)
Last contact: 2024-01-15 10:30:00

FGT # diagnose test application fgfms 3
FGFMs status:
Registered with FortiManager: Yes
FortiManager IP: 192.168.1.100
FortiManager status: Connected
Last heartbeat: 2024-01-15 10:29:55
Trap 1: The Fabric Root serial number is incorrect
The serial number is present.
Trap 2: The FortiGate is not registered with FortiManager
Registration is 'Yes'.
Trap 3: The Security Fabric is not fully connected
The fabric status shows 'Connected'.
- A
The Fabric Root serial number is incorrect
Why wrong: The serial number is present.
- B
The FortiGate is not registered with FortiManager
Why wrong: Registration is 'Yes'.
- C
The policy package on FortiManager is not assigned to the correct device group or policy target
Fabric membership and FGFM registration only give FortiManager a management channel to the device. Policies reach it only when the policy package's installation target includes the device (directly or through its device group) and the package has been installed; nothing in the exhibit shows that assignment.
- D
The Security Fabric is not fully connected
Why wrong: The fabric status shows 'Connected'.
An HA cluster is configured with two FortiGates in active-passive mode. The administrator wants to ensure that the secondary unit automatically takes over if the primary unit fails. Which TWO settings must be configured?
Trap 1: Set ha-priority to 100 on primary
Priority is optional for failover; the cluster can function without explicit priority.
Trap 2: Set ha-mode to active-active
active-active mode is for load sharing, not failover.
Trap 3: Enable session-pickup
session-pickup is for session failover, not for the unit to take over.
- A
Set ha-mode to active-passive
active-passive mode ensures one unit is standby.
- B
Set ha-priority to 100 on primary
Why wrong: Priority is optional for failover; the cluster can function without explicit priority.
- C
Set ha-mode to active-active
Why wrong: active-active mode is for load sharing, not failover.
- D
Enable configuration synchronization
Configuration synchronization (sync-config, enabled by default) keeps the secondary's policies, routes and objects identical to the primary's, so it can take over without manual intervention.
- E
Enable session-pickup
Why wrong: session-pickup is for session failover, not for the unit to take over.
Refer to the exhibit. An administrator has configured an active-passive HA cluster. After reviewing the configuration and status, the administrator wants to ensure that the management interface (port2) is accessible on both units using the same IP address. What additional configuration is required?
Exhibit
config system ha
set mode a-p
set group-name "HA_Cluster"
set password ENC abcd1234
set hbdev "port1" 100
set session-pickup enable
set session-pickup-connectionless enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port2"
set gateway 10.0.0.1
next
end
end
HA cluster status:
HA Health Status: OK
Model: FortiGate-100F
Mode: Active-Passive
Group: HA_Cluster
Debug: 0
npu-1: primary
npu-2: standby
Trap 1: Set the gateway to 0.0.0.0
The gateway is already configured correctly.
Trap 2: Enable ha-mgmt-status on the secondary unit
ha-mgmt-status is already enabled and, like the rest of the HA settings, is synchronized to the secondary; what is not synchronized is the IP address on the reserved interface itself.
Trap 3: Disable session-pickup to free resources
Session pickup is unrelated to management interface access.
- A
Set the gateway to 0.0.0.0
Why wrong: The gateway is already configured correctly.
- B
Enable ha-mgmt-status on the secondary unit
Why wrong: ha-mgmt-status is already enabled and, like the rest of the HA settings, is synchronized to the secondary; what is not synchronized is the IP address on the reserved interface itself.
- C
Take port2 out of the reserved HA management configuration so that its IP address is synchronized like that of any other cluster interface
A reserved HA management interface is deliberately excluded from configuration synchronization so that each unit can carry its own, different address, set separately on each unit. One address shared by the cluster only exists on a regular interface, whose IP is synchronized; the primary answers on it, and the secondary is reached from the primary with execute ha manage.
- D
Disable session-pickup to free resources
Why wrong: Session pickup is unrelated to management interface access.
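To make the distinction in the exhibit concrete, the following added FortiOS CLI example (not from the page or from Fortinet documentation) shows the two ways to address port2: per-unit addresses on a reserved management interface, and one synchronized address on a regular cluster interface. Addresses, the admin account name and the unit index are assumptions.

```fortios
# Variant 1: reserved HA management interface. The ha-mgmt block is synchronized, but the
# address on port2 is NOT, so each unit is configured with its own.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway 10.0.0.1
        next
    end
end

# On the primary:
config system interface
    edit "port2"
        set ip 10.0.0.11 255.255.255.0
        set allowaccess ping https ssh
    next
end

# On the secondary, reached through the cluster ('execute ha manage ?' lists the indexes):
execute ha manage 0 admin
config system interface
    edit "port2"
        set ip 10.0.0.12 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Variant 2: one shared address. Do not reserve the interface; a regular cluster interface's
# IP is synchronized, the primary answers on it, and the secondary is reached via execute ha manage.
config system ha
    set ha-mgmt-status disable
end
config system interface
    edit "port2"
        set ip 10.0.0.10 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Confirm which unit is primary and that the cluster is in sync before trusting either address.
get system ha status
```

Variant 1 is what you want for out-of-band monitoring of each unit (SNMP, syslog source, per-unit SSH); Variant 2 is what you want for a single stable management address that follows the primary role.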
A company wants to deploy ZTNA to secure access to internal applications for remote employees. They have a FortiGate with a public IP and internal servers. Which deployment mode should they choose to minimize changes to existing firewall rules?
Trap 1: SSL VPN with ZTNA
SSL VPN also requires rule changes.
Trap 2: IPsec VPN with ZTNA
IPsec VPN requires additional rules for VPN traffic.
Trap 3: Both proxy-based and IPsec VPN
Both would require more changes than proxy alone.
- A
SSL VPN with ZTNA
Why wrong: SSL VPN also requires rule changes.
- B
IPsec VPN with ZTNA
Why wrong: IPsec VPN requires additional rules for VPN traffic.
- C
Both proxy-based and IPsec VPN
Why wrong: Both would require more changes than proxy alone.
- D
Proxy-based ZTNA
Proxy-based ZTNA terminates client connections on the FortiGate's access proxy (ZTNA server) and is governed by its own ZTNA rule, so internal servers are published through the existing public IP without adding VPN interfaces, routes or the policies that a VPN would need.
A company uses FortiGate ZTNA to provide remote access to an internal web application. The application requires client certificates for authentication. The administrator has configured the ZTNA rule to use certificate authentication. However, users report that they are prompted for credentials repeatedly. What is the most likely cause?
Trap 1: The user's password has expired.
Certificate authentication does not use passwords.
Trap 2: The ZTNA rule is configured to use SAML authentication instead.
The rule is set to certificate authentication.
Trap 3: The FortiClient EMS server is not reachable from the client.
In FortiGate ZTNA the client certificate is issued by EMS when FortiClient registers and remains on the endpoint, and the FortiGate validates it against the EMS CA it learned through the Security Fabric connector; a client that later loses reach to EMS misses tag updates but does not fail the certificate exchange.
- A
The user's password has expired.
Why wrong: Certificate authentication does not use passwords.
- B
The ZTNA rule is configured to use SAML authentication instead.
Why wrong: The rule is set to certificate authentication.
- C
The client certificate is not trusted by the FortiGate.
The access proxy rejects a client certificate it cannot chain to a trusted CA (for FortiClient, the EMS CA the FortiGate obtains through its EMS fabric connector). With certificate verification failing, every request is challenged again, which users see as repeated prompts.
- D
The FortiClient EMS server is not reachable from the client.
Why wrong: In FortiGate ZTNA the client certificate is issued by EMS when FortiClient registers and remains on the endpoint, and the FortiGate validates it against the EMS CA it learned through the Security Fabric connector; a client that later loses reach to EMS misses tag updates but does not fail the certificate exchange.
Which TWO statements are true regarding BGP path selection in a FortiGate SD-WAN environment?
Trap 1: SD-WAN cannot be applied to routes learned via BGP.
SD-WAN can be applied to any route.
Trap 2: SD-WAN can modify BGP MED values to influence path selection.
SD-WAN does not modify BGP attributes.
Trap 3: SD-WAN rules always follow the BGP best path selection.
SD-WAN rules can override BGP best path.
- A
BGP best path selection is independent of SD-WAN rules unless explicitly overridden.
BGP installs its best path into the routing table as usual; an SD-WAN rule then chooses among SD-WAN members for traffic that matches it, and traffic that matches no rule follows the routing table, i.e. the BGP best path.
- B
SD-WAN cannot be applied to routes learned via BGP.
Why wrong: SD-WAN can be applied to any route.
- C
SD-WAN can modify BGP MED values to influence path selection.
Why wrong: SD-WAN does not modify BGP attributes.
- D
SD-WAN rules always follow the BGP best path selection.
Why wrong: SD-WAN rules can override BGP best path.
- E
SD-WAN can use BGP community values as match criteria in SD-WAN rules.
Communities are not matched directly: a route map sets a route tag on routes carrying a given community (set-route-tag), and the SD-WAN rule matches that tag (set route-tag), so BGP-signalled attributes can steer SD-WAN decisions.
A company uses SSL VPN with FortiGate for remote access. Users report that after connecting, they can access internal web servers but cannot ping them. Which configuration is most likely missing?
Trap 1: Split tunneling settings
Split tunneling affects which traffic goes through the tunnel, but does not block ICMP specifically.
Trap 2: SSL VPN web portal settings
Web portal settings are for web-mode access, not tunnel-mode policies.
Trap 3: DNS server configuration
DNS server is for name resolution, not for ICMP traffic.
- A
Split tunneling settings
Why wrong: Split tunneling affects which traffic goes through the tunnel, but does not block ICMP specifically.
- B
SSL VPN web portal settings
Why wrong: Web portal settings are for web-mode access, not tunnel-mode policies.
- C
Firewall policy allowing ICMP
The firewall policy for SSL VPN traffic must permit ICMP protocol in addition to TCP/80 and TCP/443.
- D
DNS server configuration
Why wrong: DNS server is for name resolution, not for ICMP traffic.
An administrator needs to configure a site-to-site IPsec VPN with a remote FortiGate that has a dynamic IP address. Which phase1 parameter must be set to support this?
Trap 1: Enable Perfect Forward Secrecy (PFS)
PFS is a security feature for key material, not for dynamic peer support.
Trap 2: Enable NAT traversal
NAT traversal is for when a NAT device is between peers, not for dynamic IP support.
Trap 3: Use certificate-based authentication
Certificates identify the peer by the DN in its certificate, so they (like IKEv2) do work with a dynamic peer even in main mode; they are an alternative authentication method, not the phase1 parameter the question asks for, and with a pre-shared key aggressive mode is the simpler choice.
- A
Enable Perfect Forward Secrecy (PFS)
Why wrong: PFS is a security feature for key material, not for dynamic peer support.
- B
Enable NAT traversal
Why wrong: NAT traversal is for when a NAT device is between peers, not for dynamic IP support.
- C
Use certificate-based authentication
Why wrong: Certificates identify the peer by the DN in its certificate, so they (like IKEv2) do work with a dynamic peer even in main mode; they are an alternative authentication method, not the phase1 parameter the question asks for, and with a pre-shared key aggressive mode is the simpler choice.
- D
Set mode to aggressive and use a pre-shared key
On the static-IP side the phase1 is created as a dialup (dynamic) peer so it accepts IKE from any source address; with IKEv1 and a pre-shared key, aggressive mode is required because it carries the initiator's ID (the branch's localid, matched by peerid on the hub) in the first exchange, which is how the responder selects the right tunnel and key. The dynamic-IP peer must always be the initiator.
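As an added illustration of option D (not taken from the page or from Fortinet documentation), the FortiOS CLI below configures both ends of such a tunnel: the hub accepts from any address and matches the branch by ID, the branch initiates and sends that ID in aggressive mode. Tunnel names, interface names, the hub address, the peer ID and the PSK placeholder are assumptions.

```fortios
# Hub (static public IP): dialup phase1, accepts IKE from any source, identifies the branch by peer ID.
config vpn ipsec phase1-interface
    edit "branch-dyn"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "branch-01"
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret REPLACE-WITH-PSK
    next
end

# Branch (dynamic IP): static remote gateway, initiates, sends its ID in the first aggressive-mode message.
config vpn ipsec phase1-interface
    edit "hub"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set ike-version 1
        set mode aggressive
        set localid "branch-01"
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret REPLACE-WITH-PSK
    next
end

# Verify on the hub: the gateway list shows the branch's current source address once it connects.
diagnose vpn ike gateway list name branch-dyn
```

peertype one pins the dialup phase1 to a single peer ID; with several branches either use one dialup phase1 per peerid or switch to IKEv2, which has no aggressive mode and carries the ID in IKE_AUTH instead.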
Which TWO actions are appropriate when troubleshooting a slow network connection through a FortiGate?
Trap 1: Increase the session TTL to reduce session setup overhead.
Changing session TTL does not address root cause and may exhaust resources.
Trap 2: Disable flow control on the WAN interface.
Disabling flow control can cause packet drops and worsen performance.
Trap 3: Disable all security profiles to free resources.
Disabling security profiles bypasses security and may not be necessary.
- A
Increase the session TTL to reduce session setup overhead.
Why wrong: Changing session TTL does not address root cause and may exhaust resources.
- B
Check the CPU and memory utilization on the FortiGate.
High resource usage can cause slowdowns; checking this is a standard diagnostic step.
- C
Verify the routing table for correct next-hop entries.
Incorrect routing can cause traffic to take suboptimal paths, leading to slowness.
- D
Disable flow control on the WAN interface.
Why wrong: Disabling flow control can cause packet drops and worsen performance.
- E
Disable all security profiles to free resources.
Why wrong: Disabling security profiles bypasses security and may not be necessary.