Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 175

1000 questions total · 14 pages · All types, answers revealed

1
MCQ · medium

An administrator has configured OSPF on a FortiGate with multiple areas. They want to ensure that routes from area 0 are redistributed into area 1, but they notice that routes from area 1 are not appearing in area 0. What is the most likely configuration issue?

A. There is a firewall policy blocking OSPF packets
B. The ABR has 'area 1 stub' configured, preventing LSA type 5 redistribution
C. The redistribution is done with a route map that is not permitting the routes
D. The ABR is not configured with 'area 0' and 'area 1' on the same router
Answer: B

If area 1 is configured as a stub area, it blocks type 5 LSAs (external routes). Redistribution into area 0 would not be affected, but routes from area 1 into area 0 may be blocked if area 1 is a stub.

2
MCQ · hard

You receive an alert from FortiSandbox that a file has been rated 'highly malicious'. The FortiGate has the FortiSandbox inline scanning enabled with the action 'block malicious'. However, the file is still being downloaded by users. What is the most likely reason?

A. The FortiSandbox device is not reachable from FortiGate
B. The IPS sensor is blocking the connection before the antivirus inspection
C. The antivirus database is outdated
D. The file type is not listed in the scanning profile for FortiSandbox
Answer: D

If the file type is excluded, FortiGate will not submit it to FortiSandbox for analysis, allowing it to pass.

Why this answer

Option D is correct. Inline scanning requires the file to be forwarded to FortiSandbox; if the file type is not included in the scanning profile (e.g., by file extension, MIME type, or size), it will bypass scanning.

3
Multi-Select · hard

A FortiGate administrator is troubleshooting why files are not being submitted to FortiSandbox for analysis. Which THREE conditions must be met for file submission to work? (Choose three.)

Select 3 answers
A. SSL inspection must be disabled for the policy
B. The file type must be in FortiSandbox's supported list
C. The antivirus profile must be in proxy-based inspection mode
D. The FortiSandbox must be in inline scanning mode
E. The FortiGate must have a valid FortiSandbox license
Answers: B, C, E

Unsupported files are not submitted.

Why this answer

Option B is correct because FortiSandbox only supports analysis for specific file types (e.g., PE, PDF, Office documents). If the file type is not in the supported list, the FortiGate will not submit it, even if all other conditions are met. This is a fundamental filtering step in the FortiGate-FortiSandbox integration.

Exam trap

The trap here is that candidates often confuse the requirement for SSL inspection (must be enabled, not disabled) and assume FortiSandbox must be in inline mode, when in fact the FortiGate's inspection mode (proxy-based) is the critical factor.

4
Multi-Select · hard

A FortiManager administrator wants to use automation stitches to respond to a specific security event on managed FortiGates. Which THREE components are required to build an automation stitch? (Select THREE.)

Select 3 answers
A. Trigger
B. Route
C. Action
D. FortiView dashboard
E. ADOM
Answers: A, B, C

The trigger defines the event that starts the automation stitch.

Why this answer

An automation stitch in FortiManager requires three core components: a Trigger (the event that starts the stitch), a Route (a conditional path that determines which actions to execute based on the trigger's output), and an Action (the actual response, such as a CLI script or object change). Without these three, the stitch cannot function as a complete automation workflow.

Exam trap

The trap here is that candidates often confuse FortiView or ADOM as required components because they are frequently used in FortiManager workflows, but they are not part of the automation stitch's three mandatory building blocks.

5
MCQ · hard

When configuring FortiGate with FortiSandbox integration, an administrator wants to block files that are rated 'High Risk' by the sandbox. Which setting must be enabled in the antivirus profile to automatically quarantine these files?

A. Configure an automation stitch to quarantine files based on sandbox verdict
B. Enable 'File Filter' in the antivirus profile and add a rule for high-risk files
C. Enable 'Submit Files to FortiSandbox' and set action to 'Block'
D. Enable 'FortiSandbox Quarantine' in the IPS profile
Answer: C

This setting submits files and blocks high-risk verdicts.

Why this answer

Option C is correct because the 'Submit Files to FortiSandbox' setting in the antivirus profile, when set to 'Block', directly instructs FortiGate to quarantine files that receive a 'High Risk' verdict from FortiSandbox. This action is part of the antivirus profile's sandbox integration, not a separate automation or IPS feature, and it automatically handles the quarantine without requiring additional configuration.

Exam trap

The trap here is that candidates often confuse the 'Block' action in the antivirus profile with automation stitches or file filters, assuming they need a separate workflow to quarantine files, when in fact the antivirus profile's sandbox integration directly handles the quarantine based on the verdict.

How to eliminate wrong answers

Option A is wrong because automation stitches are used for custom workflows (e.g., sending alerts or triggering scripts) but are not the primary setting to automatically quarantine files based on sandbox verdict; the antivirus profile's built-in 'Block' action handles this directly. Option B is wrong because 'File Filter' in the antivirus profile is used to block files by type or pattern (e.g., .exe), not to act on sandbox risk ratings; it does not interpret sandbox verdicts. Option D is wrong because 'FortiSandbox Quarantine' is not a setting in the IPS profile; IPS profiles focus on intrusion prevention signatures, not file quarantine based on sandbox analysis.

6
MCQ · easy

What is the purpose of BFD (Bidirectional Forwarding Detection) in a FortiGate routing configuration?

A. To encrypt routing protocol traffic
B. To detect forwarding path failures quickly
C. To authenticate routing peers
D. To provide load balancing across multiple paths
Answer: B

BFD rapidly detects failures for faster convergence.

Why this answer

BFD provides fast failure detection for routing protocols like OSPF and BGP, enabling sub-second convergence by detecting link failures faster than protocol hello timers.

7
MCQ · medium

An administrator configures a performance SLA to monitor a remote server. The SLA status shows 'dead' for one WAN member. The administrator checks the interface and sees that it is up and passing other traffic. What is the most likely cause?

A. The FortiGate's routing table does not have a route to the probe target
B. The interface is not added as an SD-WAN member
C. The SLA probe is using TCP port 80 but the server is only responding to ICMP
D. The SLA probe interval is set too high
Answer: C

If the probe type does not match the server's response, the SLA fails even if the link is up.

Why this answer

Performance SLA probes may fail due to firewall rules blocking ICMP or the probe port, or the server not responding to the probe type.

8
MCQ · easy

An administrator wants to use a FortiGate to manage FortiSwitch units via the LAN. Which interface configuration is required on the FortiGate to allow this management?

A. The interface must have 'set role lan' configured
B. The interface must be configured as a 'trunk' mode to connect to the FortiSwitch
C. The interface must be a member of a VDOM
D. The interface must have 'set type switch' enabled
Answer: B

The FortiGate interface connecting to a FortiSwitch should be configured in 'trunk' mode (as opposed to 'switch' mode) to allow management and VLAN traffic.

9
MCQ · easy

Which Fortinet product is specifically designed to deploy decoys and lures to detect lateral movement and early-stage attacks inside the network?

A. FortiSandbox
B. FortiEDR
C. FortiDeceptor
D. FortiClient
Answer: C

FortiDeceptor deploys decoys and lures to detect lateral movement.

Why this answer

FortiDeceptor is a deception technology that uses decoys to detect attackers moving laterally within the network.

10
MCQ · medium

During an SD-WAN health check, an administrator observes that a performance SLA for wan1 shows 'Status: dead' even though the interface is up and can ping the SLA server. The SLA configuration uses a TCP echo probe to 8.8.8.8 port 443. What is the most likely cause?

A. The SLA server is blocking ICMP echo requests.
B. The performance SLA is configured with the wrong threshold.
C. The firewall policy allowing the probe traffic is missing.
D. The probe protocol is TCP echo, but the server at 8.8.8.8 does not support TCP echo on port 443.
Answer: D

TCP echo uses port 7 by default; using a different port will not elicit a proper echo response unless the server is configured for it.

Why this answer

A TCP echo probe expects a TCP connection to the specified port, but the server must be configured to respond to TCP echo requests (RFC 862), which typically uses port 7. Using port 443 (HTTPS) would not result in a TCP echo response; the server would not send back the same data. The probe would fail, causing the SLA to show as dead.

11
MCQ · easy

An administrator needs to monitor traffic flows across multiple FortiGate devices in a Security Fabric. The administrator wants to see a unified view of all traffic, including inter-device traffic, from a single pane. Which Fortinet tool provides this capability?

A. FortiAP
B. FortiManager
C. FortiGate local logs
D. FortiAnalyzer
Answer: D

FortiAnalyzer aggregates logs and provides cross-device traffic visibility.

Why this answer

FortiAnalyzer is the correct tool because it aggregates logs and traffic data from multiple FortiGate devices within a Security Fabric, providing a unified view of all traffic, including inter-device flows. It uses the FortiTelemetry protocol to collect logs and supports the Security Fabric's topology mapping, allowing administrators to monitor cross-device traffic from a single pane of glass.

Exam trap

The trap here is that candidates often confuse FortiManager's centralized management capabilities with FortiAnalyzer's log aggregation and monitoring functions, leading them to select FortiManager for traffic visibility when it is actually designed for policy and configuration management, not real-time traffic analysis.

How to eliminate wrong answers

Option A is wrong because FortiAP is a wireless access point device that provides Wi-Fi connectivity, not a centralized log aggregation or traffic monitoring tool for multiple FortiGates. Option B is wrong because FortiManager is primarily a centralized management platform for configuration and policy deployment, not a log analysis or traffic monitoring tool; it does not provide the unified traffic view that FortiAnalyzer offers. Option C is wrong because FortiGate local logs are stored locally on each device and cannot provide a unified view across multiple FortiGates or show inter-device traffic flows.

12
Multi-Select · medium

A FortiGate administrator is configuring a multi-peer IPsec VPN where two remote sites (Site A and Site B) connect to a central hub. The administrator wants to ensure that if the primary peer for a site goes down, traffic automatically fails over to the backup peer. Which TWO settings must be configured on the hub's phase1?

Select 2 answers
A. Set 'auto-negotiate' to 'enable'
B. Set 'dpd' to 'on-demand'
C. Set 'aggregate-ipsec' to 'round-robin'
D. Set 'peer-options' to include both peers with 'priority'
E. Set 'failover' to 'enable'
Answers: D, E

Why this answer

Multi-peer VPN requires configuring 'peer-options' with multiple peer IPs and priorities, and enabling 'failover' on the phase1 interface to allow automatic switching to the backup peer if the primary goes down.

13
MCQ · medium

A FortiGate in HA active-passive mode has two VDOMs. VDOM-1 is configured for management (management VDOM). The administrator connects to the management VDOM IP to manage the device. What is a characteristic of the management VDOM?

A. It provides administrative access and is separate from data VDOMs
B. It automatically synchronizes configuration to other VDOMs
C. It must be the root VDOM
D. It can only be accessed via the console port
Answer: A

Management VDOM is dedicated to management traffic, isolating administrative access from data traffic.

Why this answer

In an HA active-passive setup with multiple VDOMs, a management VDOM is dedicated to administrative access (e.g., SSH, HTTPS, SNMP) and is logically separated from data VDOMs that handle production traffic. This separation ensures that management traffic does not interfere with data plane operations and that administrative access remains available even if data VDOMs experience issues. The management VDOM can be any VDOM, not necessarily the root, and its configuration is not automatically synchronized to other VDOMs.

Exam trap

The trap here is that candidates often assume the management VDOM must be the root VDOM or that it automatically syncs configurations to other VDOMs, but Fortinet explicitly separates these concepts to allow flexible administrative isolation without affecting global settings or HA synchronization.

How to eliminate wrong answers

Option B is wrong because the management VDOM does not automatically synchronize its configuration to other VDOMs; configuration synchronization in HA is handled at the system level (e.g., via FGCP), not by the management VDOM itself. Option C is wrong because the management VDOM does not have to be the root VDOM; any VDOM can be designated as the management VDOM, and the root VDOM is a separate concept used for global settings. Option D is wrong because the management VDOM can be accessed via any allowed administrative interface (e.g., network interfaces with HTTPS/SSH enabled), not only the console port; console access is just one of many possible methods.

14
Multi-Select · medium

An administrator is troubleshooting an IPsec VPN tunnel that establishes phase 1 but fails phase 2. Which TWO commands are MOST useful to diagnose the phase 2 failure? (Choose two.)

Select 2 answers
A. diagnose sys session list
B. show vpn ipsec phase2-interface
C. get system performance status
D. diagnose vpn ike config
E. diagnose debug application ike 255
Answers: D, E

Shows phase 2 proposals and selectors.

Why this answer

Options D and E are correct. 'diagnose vpn ike config' shows the IKE configuration, including phase 2 proposals and selectors. 'diagnose debug application ike 255' enables detailed IKE debugging, which shows the negotiation details, including the reasons for a phase 2 failure.

15
MCQ · medium

A FortiGate administrator notices that a VPN tunnel goes down and re-establishes every 30 minutes. The administrator checks the tunnel's phase1 and phase2 lifetimes. The phase1 lifetime is set to 86400 seconds and phase2 to 3600 seconds. What is the most likely cause of the tunnel dropping?

A. The phase2 lifetime is set to 3600 seconds, causing rekey failures
B. The phase1 lifetime is too short, causing frequent renegotiation
C. The VPN tunnel is not configured to use NAT traversal
D. The DPD (Dead Peer Detection) timeout is triggered every 30 minutes
Answer: D

If DPD retry timeout is set to a value that results in the peer being declared dead after 30 minutes, the tunnel will be torn down and re-established.

Why this answer

The phase2 lifetime of 3600 seconds (1 hour) would cause a rekey every hour, but the tunnel drops every 30 minutes. Option D is correct because DPD settings can cause the tunnel to be considered dead if the peer does not respond; if the DPD timeout is set to 1800 seconds (30 minutes), the tunnel would be torn down. The rekey itself should succeed; a DPD timeout indicates that the peer is not reachable, possibly due to a transient issue.

Among the options, DPD is the most plausible.

16
MCQ · medium

A FortiGate is configured to send logs to FortiAnalyzer. The administrator notices that logs are not appearing on FortiAnalyzer. Running 'diagnose log device show' shows 'connected=no'. What is the most likely cause?

A. The log rate is too high and logs are being dropped
B. The FortiGate's log buffer is full
C. The FortiGate cannot reach the FortiAnalyzer due to a network issue
D. The FortiAnalyzer license has expired
Answer: C

Connectivity failure is the primary reason for 'connected=no'.

Why this answer

Option C is correct. 'connected=no' indicates that the FortiGate is not successfully establishing a connection to the FortiAnalyzer. This is commonly due to network connectivity issues between the two devices or an incorrect IP/port configuration.

17
Multi-Select · medium

Which TWO of the following are required components for a Fortinet ZTNA solution? (Select two.)

Select 2 answers
A. FortiAuthenticator
B. FortiWeb
C. FortiAnalyzer
D. FortiGate
E. FortiClient EMS
Answers: D, E

FortiGate is the ZTNA gateway.

Why this answer

FortiGate is the enforcement point in a ZTNA solution, acting as the ZTNA gateway that verifies device posture and user identity before granting access to protected applications. It terminates ZTNA tunnels from FortiClient and applies identity-based policies, making it a required component for traffic inspection and access control.

Exam trap

The trap here is that candidates often assume FortiAuthenticator is required because ZTNA involves identity, but FortiGate can handle authentication locally or via any SAML IdP, making FortiAuthenticator optional, not mandatory.

18
Multi-Select · medium

A FortiGate is experiencing high latency on traffic passing through it. The administrator suspects that asymmetric routing is occurring. Which TWO symptoms are indicative of asymmetric routing?

Select 2 answers
A. The routing table shows multiple equal-cost paths to the same destination.
B. Traffic from the same source IP arrives on different interfaces for different sessions.
C. Traffic matching a policy is logged as allowed but the application does not work.
D. CPU usage is consistently above 90% during peak hours.
E. The firewall logs show TCP SYN packets but no corresponding SYN-ACK packets for the same session.
Answers: B, E

This indicates that the return traffic may be arriving on a different interface than expected.

Why this answer

Asymmetric routing occurs when traffic from the same source IP takes different paths through the network, causing packets to arrive on different FortiGate interfaces for different sessions. This breaks stateful inspection because the firewall expects all packets of a session to traverse the same interface; when they don't, it can lead to session timeouts or dropped packets, manifesting as high latency.

Exam trap

The trap here is that candidates often confuse asymmetric routing with general routing issues like ECMP (option A) or performance problems (option D), but the exam specifically tests the stateful firewall behavior where traffic arriving on different interfaces for the same session is the definitive symptom.

19
MCQ · medium

A FortiGate administrator receives alerts about a device communicating with a known botnet C2 server. The traffic is encrypted with TLS. Which ATP feature is most effective to block this communication?

A. Application control to block the C2 application
B. Antivirus profile with SSL inspection
C. IPS signature for botnet activity
D. DNS Filter with botnet C2 domain blocking
Answer: D

DNS filter blocks resolution of known malicious domains, preventing communication.

Why this answer

DNS Filter with botnet C2 domain blocking is the most effective because it proactively prevents the initial DNS resolution of the botnet's command-and-control domain, stopping the TLS handshake before it even begins. Since the traffic is encrypted with TLS, other security mechanisms like application control or IPS would require decryption to inspect the payload, which may not be feasible or configured. DNS Filter operates at Layer 7 without needing to decrypt the traffic, directly blocking the domain lookup based on FortiGuard's real-time threat intelligence.

Exam trap

The trap here is that candidates assume encrypted traffic requires SSL inspection to block it, but DNS Filter blocks the domain resolution before encryption occurs, making it the most efficient and non-intrusive solution for C2 communication.

How to eliminate wrong answers

Option A is wrong because Application Control identifies applications by signature or IP/port patterns, but encrypted TLS traffic hides the application payload, and the C2 server may use common ports (e.g., 443) that cannot be blocked without decryption. Option B is wrong because Antivirus profiles with SSL inspection require the FortiGate to perform man-in-the-middle decryption of the TLS traffic, which may break certificate pinning, cause privacy issues, or be impossible if the device uses certificate pinning or non-proxyable TLS. Option C is wrong because IPS signatures for botnet activity rely on pattern matching in the decrypted payload or unencrypted headers; without SSL inspection, the IPS engine cannot see the encrypted C2 commands, and the botnet may use dynamic IPs or domain fronting to evade signature-based detection.

20
MCQ · hard

A FortiGate in an HA cluster shows the message 'split-brain detected' in the event log. The administrator checks the HA status and sees both units are in 'standalone' mode. What is the MOST likely cause of this split-brain scenario?

A. The heartbeat interface is down on both units, causing them to assume they are the primary
B. The HA priority is set to the same value on both units
C. The HA mode is set to 'active-active' instead of 'active-passive'
D. The HA cluster is using a unicast heartbeat and the configuration is incorrect
Answer: A

When heartbeat communication is lost, both units may assume primary role, leading to split-brain.

Why this answer

Option A is correct. Loss of heartbeat communication is the typical cause of split-brain.

21
MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A. The session is in a half-open state (proto_state=01) and will expire in 3600 seconds.
B. The session has been idle for 3600 seconds and will be removed in 3599 seconds.
C. The session is using TCP and has been up for 3600 seconds, with 3599 seconds remaining before expiry.
D. The session is UDP and has 3600 seconds to live.
Answer: C

proto=6 is TCP, duration is uptime, expire is remaining time.

22
MCQ · hard

An admin creates a VDOM named 'CustomerA' with inter-VDOM link to the management VDOM. The admin wants CustomerA administrators to manage only their own VDOM. Which configuration step is required?

A. Use the 'config system admin' command and set trusthost to the admin's IP
B. Place the management VDOM and CustomerA in different administrative domains (ADOMs) in FortiManager
C. Create a new administrator and set the 'VDOM' field to 'CustomerA' and assign a profile with appropriate permissions
D. Enable admin-role override in the VDOM settings
Answer: C

This restricts the admin to only CustomerA VDOM.

Why this answer

Option C is correct because to restrict a VDOM administrator to manage only their own VDOM, you must create a new administrator account and explicitly set the 'VDOM' field to that VDOM (e.g., 'CustomerA') and assign a profile with the necessary permissions. This ensures the admin's scope is limited to that VDOM, preventing access to the management VDOM or other VDOMs.

Exam trap

The trap here is confusing IP-based access control (trusthost) with VDOM-based administrative scoping, leading candidates to select Option A instead of understanding that VDOM assignment is the correct method to isolate admin privileges to a single VDOM.

How to eliminate wrong answers

Option A is wrong because the 'trusthost' setting restricts the source IP address from which an admin can log in, not the VDOM scope; it does not limit the admin to managing only CustomerA. Option B is wrong because administrative domains (ADOMs) are a FortiManager concept for multi-device management, not a FortiGate VDOM isolation feature; the question is about local VDOM administration on a single FortiGate. Option D is wrong because 'admin-role override' is not a standard FortiGate VDOM setting; the correct mechanism is to assign the admin to a specific VDOM via the 'config system admin' command with the 'vdom' parameter.

23
Multi-Select · easy

A FortiGate is experiencing high CPU usage due to a large number of sessions. Which TWO actions can the admin take to mitigate the issue? (Choose two.)

Select 2 answers
A. Set a shorter session TTL for idle sessions to free up resources
B. Increase the session table size
C. Upgrade the firmware to the latest version
D. Implement session rate limiting using 'config system session-ttl'
E. Disable all security profiles
Answers: A, D

Shorter TTL removes idle sessions quicker, reducing table size and CPU overhead.

Why this answer

Shortening the session TTL and rate limiting session creation both reduce CPU load by controlling how quickly sessions expire and how fast new ones are created. Options A and D are correct.

24
MCQ · easy

What is the primary function of FortiAnalyzer's FortiView feature?

A. Centralized device configuration management
B. Scheduling and generating compliance reports
C. Real-time traffic monitoring and visualization
D. Automated remediation of security incidents
Answer: C

FortiView is the real-time monitoring tool.

Why this answer

FortiView on FortiAnalyzer provides real-time traffic monitoring and visualization by aggregating logs from FortiGate devices and displaying them in graphical dashboards. It allows administrators to instantly view top talkers, applications, threats, and other network activity without needing to run manual queries, making it the primary function for live traffic analysis.

Exam trap

The trap here is that candidates confuse FortiView's real-time monitoring with FortiManager's centralized management or FortiAnalyzer's reporting capabilities, leading them to pick Option A or B instead of recognizing that FortiView is explicitly designed for live traffic visualization.

How to eliminate wrong answers

Option A is wrong because centralized device configuration management is handled by FortiManager, not FortiAnalyzer; FortiAnalyzer focuses on log management and reporting, not pushing configuration changes. Option B is wrong because while FortiAnalyzer can generate compliance reports, that is a secondary feature of the Reports module, not the primary function of FortiView, which is specifically for real-time monitoring and visualization. Option D is wrong because automated remediation of security incidents is a function of FortiSOAR or FortiGate's automation stitches, not FortiAnalyzer's FortiView, which is read-only and does not execute actions.

25
Multi-Select · hard

An organization uses FortiAnalyzer for centralized logging. The security team wants to use playbooks to automate responses to detected incidents. Which THREE components are essential for a playbook to function?

Select 3 answers
A. Trigger
B. A report schedule
C. Conditions
D. A dashboard visualization
E. Actions
Answers: A, C, E

Defines what event initiates the playbook.

Why this answer

A trigger is essential because it defines the event or condition that initiates the playbook execution. Without a trigger, the playbook has no starting point and cannot automate responses to detected incidents. In FortiAnalyzer, triggers can be based on log events, alerts, or scheduled intervals.

Exam trap

The trap here is that candidates often confuse 'report schedule' or 'dashboard visualization' as necessary components because they are common FortiAnalyzer features, but they are not part of the core playbook execution triad of trigger, conditions, and actions.

26
MCQ · medium

A FortiGate administrator needs to integrate with FortiNAC to enforce network access control for wired and wireless devices. The administrator wants FortiNAC to dynamically assign VLANs based on the device's security posture. Which FortiNAC feature enables this?

A. DHCP fingerprinting
B. NAC policies
C. RADIUS accounting
D. SNMP traps
Answer: B

NAC policies use device posture information to assign VLANs dynamically.

Why this answer

NAC policies define rules for device classification and VLAN assignment based on posture assessment results.

27
Multi-Select · hard

A FortiGate is configured with OSPF multi-area. The administrator needs to ensure that routes from area 2 are advertised into area 0. Which TWO configurations are necessary?

Select 2 answers
A. Configure a virtual-link between area 2 and area 0
B. Set the OSPF network type to point-to-point
C. Configure an Area Border Router (ABR) between area 2 and area 0
D. Disable OSPF on area 0
E. Enable route redistribution from OSPF into OSPF
Answers: C, E

ABR is required to connect areas.

Why this answer

An Area Border Router (ABR) must be present, and route redistribution from area 2 into area 0 is required (or OSPF automatically advertises inter-area routes, but only if the ABR has the routes in its OSPF database). Typically, OSPF automatically advertises routes between areas if the ABR has them, but redistribution may be needed if routes come from a different protocol or if filtering is applied. For simplicity, the most common answer is ABR and redistribution, or proper area configuration.

However, the question asks for the configurations that are necessary; OSPF automatically advertises intra-area routes to other areas via the ABR, but if routes come from another protocol, redistribution is needed. Assuming OSPF routes within area 2, the ABR will advertise them to area 0 automatically. But since the question says 'from area 2 into area 0', the ABR is the key.

Also, a virtual link might be needed if area 2 does not connect to area 0 directly. But the expected answers are ABR and redistribution. Alternatively, just ABR and proper area configuration.

I'll go with ABR and redistribution, as is typical for the exam.

28
Multi-Select · hard

An administrator is troubleshooting an SD-WAN deployment where traffic from the branch to the datacenter is being sent over the backup LTE link even though the primary MPLS link has low latency and jitter. The SD-WAN rule uses 'Best Quality' strategy with latency and jitter metrics. The performance SLA for MPLS shows 'alive'. Which TWO configurations could cause this behavior?

Select 2 answers
A. BFD is enabled on MPLS but not on LTE.
B. The SD-WAN rule has 'set member' configured to only include LTE.
C. The performance SLA is not associated with the SD-WAN rule.
D. The route to the datacenter is learned via OSPF with a lower cost over LTE.
E. The latency threshold is set too low for MPLS.
Answers: B, C

If MPLS is not listed as a member in the rule, it won't be used.

Why this answer

If the SD-WAN rule has an 'input-device' match that excludes MPLS, or if the rule's 'set member' does not include MPLS, traffic will not use that link even if its SLA is good. Another possibility is that the performance SLA is not associated with the rule, so the rule treats MPLS as unavailable. Options B and C are the most likely.

29
MCQ · hard

An administrator is troubleshooting an SD-WAN scenario where traffic from a branch office to a critical SaaS application is experiencing high latency. The SD-WAN rule uses the best quality SLA strategy. The administrator runs 'diagnose sys sdwan neighbor' and sees that both WAN links have SLA compliance above 90%. However, traffic still uses the slower link. The administrator then runs 'diagnose sys sdwan health-check list' and notices that the health-check server IP is different from the SaaS application's server IP. What is the MOST likely reason the traffic is not using the best-performing link?

A. The health-check server's IP does not match the application's destination IP, so SLA measurements are not representative
B. The SD-WAN rule is configured with 'set load-balance-mode' instead of 'best-quality'
C. The health-check server is not reachable from the faster link
D. The SD-WAN rule has a manual routing override configured
Answer: A

SLA probes measure performance to the configured server, which may not correlate with actual performance to a different destination. The administrator should configure a health-check server that represents the real application traffic.

Why this answer

SD-WAN SLA health checks measure performance to a specific server (e.g., a public DNS or internet IP). If the actual application traffic goes to a different server, the measured SLA may not reflect the real path performance to that destination. The route selection logic uses SLA results only for the configured health-check server.

30
MCQ · easy

Which FortiClient ATP feature provides protection against zero-day malware by monitoring process behavior and blocking suspicious activities at the endpoint?

A. FortiClient Web Filtering
B. FortiClient Cloud Sandbox
C. FortiClient Exploit Prevention
D. FortiClient Vulnerability Scan
Answer: C

Exploit Prevention monitors process behavior and blocks exploit techniques.

Why this answer

FortiClient Exploit Prevention is correct because it uses real-time behavioral monitoring of process activities—such as API calls, memory access patterns, and code injection attempts—to detect and block zero-day malware that has no known signature. Unlike signature-based detection, this feature identifies malicious behavior at runtime, making it effective against previously unseen threats.

Exam trap

The trap here is that candidates often confuse cloud sandboxing (Option B) with endpoint behavioral protection, but FortiClient Cloud Sandbox is a separate, file-based analysis feature that does not provide real-time process monitoring on the endpoint.

How to eliminate wrong answers

Option A is wrong because FortiClient Web Filtering controls access to URLs and categorizes web traffic based on reputation and category, but it does not monitor process behavior or block suspicious activities at the endpoint. Option B is wrong because FortiClient Cloud Sandbox submits suspicious files to a cloud-based sandbox for dynamic analysis, which is a reactive, offline detection method rather than real-time behavioral monitoring on the endpoint. Option D is wrong because FortiClient Vulnerability Scan checks for missing patches and configuration weaknesses, but it does not monitor or block process-level behavior in real time.

31
MCQ · medium

An administrator configures a new ADOM in FortiManager for a set of FortiGates. The administrator wants to assign meta fields to devices in this ADOM. Where should the meta fields be defined?

A. Policy & Objects -> Object configurations
B. Device Manager -> ADOM settings
C. System settings -> Admin
D. Global database objects
Answer: B

Meta fields are configured in ADOM settings under Device Manager.

Why this answer

Meta fields in FortiManager are defined at the ADOM level under Device Manager -> ADOM settings. This ensures that the custom fields are available for all devices within that specific ADOM, allowing consistent metadata assignment across managed FortiGates. Defining them elsewhere, such as in global database objects, would apply them globally rather than per-ADOM, which is not the administrator's intent.

Exam trap

The trap here is that candidates may confuse ADOM-specific settings with global database objects, assuming meta fields must be defined globally for consistency, but FortiManager requires them to be defined at the ADOM level to maintain isolation between administrative domains.

How to eliminate wrong answers

Option A is wrong because 'Policy & Objects -> Object configurations' is used for managing firewall policies and shared objects, not for defining device-level meta fields. Option C is wrong because 'System settings -> Admin' deals with administrative access and user permissions, not device metadata configuration. Option D is wrong because 'Global database objects' are shared across all ADOMs and would apply meta fields globally, whereas the requirement is to assign meta fields specifically to devices in a single ADOM.

32
MCQ · hard

An administrator is testing failover in an HA cluster. They unplug the primary FortiGate's port1 (the heartbeat interface) but the secondary does not take over. The heartbeat is configured on port1. What is the MOST likely cause?

A. The primary unit still has a heartbeat path through other interfaces
B. The HA uptime is less than the failover hold time
C. The secondary unit's priority is higher than the primary's
D. The secondary unit has a faulty power supply
Answer: A

If heartbeat is configured on multiple interfaces, the secondary may still receive heartbeat from the primary via another interface, preventing failover.

Why this answer

Option A is correct. In HA, failover is triggered by loss of heartbeat together with loss of monitored ports or a dead gateway. Unplugging port1 on the primary removes only that one heartbeat path: if heartbeat is also configured on another interface, the secondary keeps receiving the primary's heartbeat over that path, never declares the primary dead, and no failover occurs. The primary's monitored ports remain up, so it stays primary.

If port1 really were the only heartbeat path, the secondary would stop receiving heartbeats and become primary after the heartbeat timeout; because the primary itself is still operational, the more likely outcome in that case is split-brain rather than a clean failover. The question states that heartbeat is configured on port1 and that port was unplugged, yet the secondary did not take over.

The likely cause is therefore that the primary still has another heartbeat interface, or that the failover threshold is not met. Option A is the most plausible.

33
MCQ · easy

Which FortiGate feature can automatically block traffic from an IP address that is detected as malicious by FortiSandbox?

A. Traffic Shaping
B. Intrusion Prevention System (IPS)
C. Application Control
D. Automation Stitch
Answer: D

Automation stitches can react to security events and update threat feeds dynamically.

Why this answer

Option D is correct because Automation Stitch in FortiOS allows you to create a trigger-action pair that automatically blocks an IP address when FortiSandbox detects malicious activity. The trigger can be a FortiSandbox IOC (Indicator of Compromise) event, and the action can be an IP block via a local or external block list, enabling real-time, automated threat response without manual intervention.

Exam trap

The trap here is that candidates often confuse IPS (which blocks malicious traffic patterns) with automated IP blocking based on external threat intelligence, not realizing that Automation Stitch is the dedicated mechanism for orchestrating responses to FortiSandbox verdicts.

How to eliminate wrong answers

Option A is wrong because Traffic Shaping is a QoS mechanism that prioritizes or limits bandwidth for specific traffic types, not a security feature that blocks IPs based on threat intelligence. Option B is wrong because Intrusion Prevention System (IPS) detects and blocks exploit attempts and vulnerability-based attacks using signatures and protocol decoders, but it does not automatically block IPs based on FortiSandbox verdicts; IPS actions are triggered by traffic patterns, not external sandbox IOCs. Option C is wrong because Application Control identifies and controls application usage (e.g., blocking social media or video streaming) based on application signatures, not by blocking malicious IPs detected by FortiSandbox.

34
Multi-Select · hard

A FortiGate admin configures inter-VDOM routing between VDOM-A and VDOM-B using a VDOM link. The admin wants traffic from VDOM-A to reach a server in VDOM-B. Which three configuration steps are required? (Choose three.)

Select 3 answers
A. Enable NAT on the VDOM link interface
B. Configure static routes pointing to the VDOM link interface on both VDOMs
C. Configure a firewall policy on VDOM-A allowing traffic to the VDOM link interface
D. Disable ARP on the VDOM link interfaces
E. Create a VDOM link and assign an interface to each VDOM
Answers: B, C, E

Routes are needed to direct traffic towards the other VDOM via the link.

Why this answer

Option B is correct because inter-VDOM routing via a VDOM link requires each VDOM to have a static route pointing to the VDOM link interface as the next hop. Without these routes, traffic from VDOM-A destined for a server in VDOM-B would have no path to the VDOM link, and the FortiGate would drop the packets. The static route ensures the firewall can forward traffic between the two VDOMs across the VDOM link.

Exam trap

The trap here is that candidates often assume VDOM links automatically route traffic between VDOMs, but they forget that each VDOM maintains its own independent routing table, so explicit static routes are mandatory for inter-VDOM communication.

35
MCQ · medium

An administrator wants to use FortiExtender to provide LTE WAN connectivity. After connecting the FortiExtender to the FortiGate, the LTE interface is not showing up. What is the first troubleshooting step?

A. Run 'execute lte test' command
B. Configure an SD-WAN rule for LTE traffic
C. Verify the FortiExtender is connected to the correct port and powered on
D. Check the signal strength of the LTE connection
Answer: C

Physical connectivity is the first check.

Why this answer

Verify that the FortiExtender is properly connected and powered. Check the USB or Ethernet connection to the FortiGate. Also verify that the FortiExtender is recognized in the dashboard.

Often a reboot of the FortiExtender or FortiGate can resolve detection issues.

36
MCQ · easy

A network administrator runs 'get system ha status' on a FortiGate HA cluster and sees that only one unit shows as primary. The secondary unit shows as 'standalone' with no HA peer detected. What is the MOST likely cause of this issue?

A. The cluster serial numbers do not match
B. The heartbeat interface is down or misconfigured
C. The HA group ID is different on each unit
D. The HA priority on the secondary unit is set to 0
Answer: B

If the heartbeat link fails, the secondary cannot communicate with the primary and will assume it is standalone, resulting in the observed status.

Why this answer

When the HA heartbeat link is down, the secondary unit cannot detect the primary and will operate as standalone. The serial number mismatch or priority settings would cause different behavior (e.g., split-brain or both primary).

37
MCQ · easy

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal application. The application is accessed via HTTPS. Which component must be configured on the FortiGate to act as a reverse proxy for the application?

A. FortiClient EMS
B. SSL-VPN portal
C. ZTNA proxy
D. ZTNA inline CASB
Answer: C

Why this answer

ZTNA proxy is the FortiGate feature that acts as a reverse proxy, terminating the client connection and initiating a new connection to the internal application. It enforces access policies based on identity and device posture.

38
MCQ · medium

A FortiGate admin runs 'diagnose debug application authd -1' but sees no output for LDAP authentication attempts. What is the MOST likely reason?

A. The LDAP server is unreachable
B. The FortiGate is in FIPS mode
C. The LDAP server timed out
D. Debug flow is not enabled
Answer: D

To see authd debug, you need to enable debug flow or set debug level.

Why this answer

Option D is correct because, without enabling debug flow or setting the debug level, authd does not output debug messages even though the application filter is set. Option A is not specific to authd. Option C would produce connection or timeout errors rather than silent output.

Option B (FIPS mode) is unlikely.

39
MCQ · medium

An administrator configures BGP route advertisement but the routes are not being sent to the neighbor. The BGP session is established. What is the MOST likely cause?

A. The BGP administrative distance is set too high
B. The BGP neighbor has the wrong update-source interface
C. The route is filtered by a route-map
D. The 'network' statement is missing for the desired prefix
Answer: D

Without a network statement, FortiGate does not advertise the route even if it is in the routing table.

Why this answer

For routes to be advertised, they must be present in the BGP table, which requires either redistribution from another protocol or manual network statements. The most common causes are missing 'network' statements or redistribution configuration.

40
MCQ · hard

An administrator is troubleshooting BGP and runs 'get router info bgp neighbors 10.0.0.1' and sees 'BGP state = Active'. The neighbor IP is reachable via ping. What is the most likely cause?

A. The BGP update-source interface is missing
B. The BGP network statement is missing
C. The BGP router-id is not configured
D. The BGP neighbor's remote-as is misconfigured
Answer: D

A mismatch in remote AS will cause the neighbor to reject the connection, leading to Active state.

Why this answer

BGP state Active indicates the router is trying to initiate a TCP connection but has not received a response. Since ping works, the issue is likely a TCP port 179 issue, such as a firewall blocking the port or BGP misconfiguration (e.g., wrong remote AS).

41
MCQ · medium

An administrator creates a new VDOM and assigns interfaces. The VDOM is intended to operate in transparent mode. Which additional step is required?

A. Set the VDOM's mode to transparent under config system settings
B. Disable NAT on all policies
C. Configure a management IP for the VDOM
D. No additional steps; VDOMs default to transparent mode
Answer: A

The VDOM must be explicitly set to transparent mode.

Why this answer

A VDOM does not default to transparent mode; it must be explicitly configured. The command 'config system settings' with 'set vdom-type transparent' changes the VDOM's operational mode from the default NAT/route mode to transparent mode, which is required for the VDOM to function as a Layer 2 bridge.

Exam trap

The trap here is that candidates assume VDOMs default to transparent mode or that disabling NAT alone is sufficient, but FortiGate requires an explicit mode change via 'config system settings' to enable transparent operation.

How to eliminate wrong answers

Option B is wrong because disabling NAT on policies is a common practice in transparent mode but is not an additional step required to enable transparent mode; NAT is automatically unavailable in transparent mode. Option C is wrong because configuring a management IP is optional and only needed for administrative access, not to set the VDOM to transparent mode. Option D is wrong because VDOMs default to NAT/route mode, not transparent mode; an explicit configuration change is required.

42
MCQ · easy

A network administrator wants to delegate management of a specific VDOM to a junior administrator. The junior should be able to modify firewall policies and objects within that VDOM but not change system settings or other VDOMs. Which administrative access configuration meets this requirement?

A. Place the VDOM in transparent mode to allow full access
B. Create a RADIUS user that is assigned to the VDOM group
C. Use the management VDOM feature to assign the junior admin to the VDOM
D. Create a local user with an admin profile that has permissions for that VDOM only
Answer: D

Local users can be assigned profiles and restricted to specific VDOMs.

Why this answer

Option D is correct because FortiGate allows you to create a local user with an admin profile that has permissions scoped to a specific VDOM. By assigning the junior administrator to that VDOM-only profile, they can modify firewall policies and objects within that VDOM but cannot change system settings or access other VDOMs. This is the standard method for delegating VDOM-specific administrative access without granting global or multi-VDOM privileges.

Exam trap

The trap here is that candidates often confuse the management VDOM feature (which only handles management traffic routing) with VDOM-specific admin profiles, or assume that transparent mode or RADIUS group assignment inherently restricts permissions, when in fact only a properly scoped admin profile can enforce VDOM-level access control.

How to eliminate wrong answers

Option A is wrong because placing a VDOM in transparent mode changes its operational mode (layer 2 forwarding) and does not restrict administrative access; it still allows full access to the VDOM's configuration if the admin has appropriate permissions. Option B is wrong because a RADIUS user assigned to a VDOM group only controls authentication and group membership, not the specific permissions within a VDOM; the admin profile assigned to the user determines the actual access scope, and RADIUS alone does not restrict to a single VDOM. Option C is wrong because the management VDOM feature is used to centralize management traffic (e.g., SNMP, syslog) and does not delegate administrative permissions; it does not restrict a junior admin to a specific VDOM.

43
MCQ · hard

A FortiGate is deployed as the edge firewall for a medium-sized enterprise. The network has three internal zones: Trust (10.10.0.0/16), DMZ (172.16.0.0/24), and Guest (192.168.0.0/24). The FortiGate has an IPSec VPN to a branch office (10.20.0.0/16). Users in the Trust zone report intermittent connectivity to a web server in the DMZ (172.16.0.10, TCP port 443). The FortiGate logs show occasional 'session denied' messages for traffic from Trust to DMZ with reason 'denied by forward policy check'. The security policy has an explicit allow rule for Trust to DMZ HTTPS. The administrator has verified routing is correct and there are no address overlaps. When the issue occurs, the administrator runs 'diag debug flow' and sees that the packet matches the correct policy but still gets denied. The debug output also shows 'forward policy check: denied'. What is the most likely cause and recommended action?

A. A traffic shaping policy or application control profile is blocking the traffic; review and adjust the traffic shaping policy or application control profile applied to the policy.
B. The route to the DMZ is intermittently flapping; add a static route with a higher distance.
C. The security profiles (AV, IPS) are blocking the traffic; temporarily disable all security profiles on the policy.
D. The session helper for HTTPS is interfering; disable the HTTPS session helper.
Answer: A

Forward policy check denials are caused by traffic shaping or application control.

Why this answer

The debug flow output shows the packet matches the correct security policy but is still denied by 'forward policy check'. This indicates that a secondary policy component, such as a traffic shaping policy or application control profile, is blocking the traffic. These features can override the security policy action if they are configured to deny or drop matching traffic, even when the security policy itself is set to allow.

Exam trap

The trap here is that candidates often assume a security policy 'allow' rule is sufficient, overlooking that FortiGate's forward policy check evaluates additional policy layers (like traffic shaping or application control) that can independently deny traffic even after a security policy match.

How to eliminate wrong answers

Option B is wrong because route flapping would cause 'no route to host' errors, not 'denied by forward policy check' in the debug flow; the administrator has already verified routing is correct. Option C is wrong because security profiles (AV, IPS) would show specific block messages in the logs (e.g., 'IPS: blocked') and the debug flow would indicate the profile action, not a generic 'forward policy check' denial. Option D is wrong because the HTTPS session helper is used for non-standard ports or explicit proxy scenarios and does not cause 'forward policy check' denials; disabling it would not resolve a policy-based block.

44
MCQ · medium

A company has two FortiGate firewalls in an HA active-passive cluster. They want to separate network traffic for different departments using VDOMs. After configuring VDOMs on both units, the HA status shows 'synchronized' but traffic for one VDOM is not passing through the active unit. What is the most likely cause?

A. The administrator account used to configure VDOMs lacks permission.
B. The HA mode must be active-active to use VDOMs.
C. A VDOM link is missing on the passive unit.
D. HA is not compatible with VDOMs.
Answer: C

VDOM links are not automatically synchronized; if the passive unit lacks a required VDOM link, traffic may not pass correctly.

Why this answer

In an HA active-passive cluster, VDOM configurations must be identical on both units for synchronization to be complete. A missing VDOM link on the passive unit means the inter-VDOM routing path is not fully replicated, so even though HA status shows 'synchronized' (which may only reflect global or non-VDOM-specific settings), traffic for that VDOM cannot be forwarded correctly by the active unit because the passive unit's configuration is incomplete, breaking the expected redundancy and traffic flow.

Exam trap

The trap here is that candidates assume 'synchronized' HA status guarantees full operational parity, but FortiGate's HA synchronization does not always replicate VDOM-specific link configurations, leading to a scenario where traffic fails despite a healthy HA state.

How to eliminate wrong answers

Option A is wrong because administrator permissions affect the ability to configure VDOMs, not the operational passing of traffic after configuration is complete; the HA status 'synchronized' indicates the configuration was applied successfully. Option B is wrong because VDOMs are fully supported in both active-active and active-passive HA modes; the mode does not determine VDOM functionality. Option D is wrong because HA is explicitly compatible with VDOMs; FortiGate supports VDOMs in HA clusters, and this is a documented feature.

45
MCQ · easy

What is the purpose of FortiAnalyzer in a Fortinet security fabric?

A. To provide sandboxing and advanced threat protection
B. To act as a network firewall and IPS
C. To collect and analyze logs, generate reports, and provide visibility into security events
D. To manage and deploy configurations to FortiGates
Answer: C

FortiAnalyzer aggregates logs from multiple devices.

Why this answer

FortiAnalyzer is the centralized logging and analytics platform within the Fortinet Security Fabric. It aggregates logs from FortiGate and other Fabric devices, correlates events, generates compliance reports, and provides a single-pane-of-glass view for security monitoring and forensic analysis. This directly supports visibility and reporting, not real-time threat prevention or configuration management.

Exam trap

The trap here is confusing FortiAnalyzer with FortiManager, as both are central management tools, but FortiAnalyzer focuses on log collection and reporting, while FortiManager handles configuration deployment and policy management.

How to eliminate wrong answers

Option A is wrong because sandboxing and advanced threat protection are functions of FortiSandbox, not FortiAnalyzer; FortiAnalyzer can integrate with FortiSandbox for log correlation but does not perform sandboxing itself. Option B is wrong because network firewall and IPS are core functions of FortiGate, not FortiAnalyzer; FortiAnalyzer is a log collector and analyzer, not an inline security device. Option D is wrong because managing and deploying configurations to FortiGates is the role of FortiManager, which uses the FortiGate API and policy packages; FortiAnalyzer has no configuration deployment capabilities.

46
MCQ · medium

An administrator configures a FortiGate with VDOMs and notices that the 'config vdom' command lists multiple VDOMs, but only one VDOM is shown in the 'show full-configuration' output. What is the most likely reason?

A. The administrator is in the context of a specific VDOM
B. The VDOMs are not properly synchronized
C. The VDOMs are not assigned any interfaces
D. The FortiGate is in transparent mode
Answer: A

In VDOM mode, 'show full-configuration' shows only the current VDOM's config. The admin must be in the root VDOM to see all VDOMs.

Why this answer

The 'config vdom' command lists all VDOMs configured on the FortiGate because it operates in the global context. However, 'show full-configuration' only displays the configuration of the current VDOM context. If the administrator is inside a specific VDOM (e.g., after executing 'config vdom' and 'edit <vdom-name>'), the output is scoped to that VDOM, not the global configuration.

This is a fundamental behavior of VDOM-based CLI navigation in FortiOS.

Exam trap

The trap here is that candidates assume 'config vdom' lists all VDOMs because they are all active, but they forget that 'show full-configuration' output is context-dependent and only reflects the current VDOM or global scope, not the entire device configuration.

How to eliminate wrong answers

Option B is wrong because VDOM synchronization is not relevant to CLI output scoping; synchronization affects configuration replication between HA members, not the visibility of VDOMs in 'show full-configuration'. Option C is wrong because unassigned interfaces do not prevent a VDOM from appearing in 'show full-configuration'; a VDOM without interfaces still has its own configuration block. Option D is wrong because transparent mode is a separate operational mode that does not affect VDOM listing or configuration display; a FortiGate in transparent mode can still have multiple VDOMs and the same CLI scoping rules apply.

47
MCQ · medium

A FortiGate is configured with two VRF instances (VRF1 and VRF2). The admin needs to allow traffic from VRF1 to reach a server in VRF2. The server is directly connected to the FortiGate on an interface in VRF2. What configuration is required?

A. Add both VRFs to the same VDOM
B. Use VRF route leaking with route maps to export necessary routes between VRFs
C. Configure a static route in VRF1 pointing to the server's IP via the VRF2 interface
D. Configure a firewall policy with source VRF1 and destination VRF2
Answer: B

Route leaking allows redistribution of routes between VRFs, enabling inter-VRF communication.

Why this answer

Option B is correct. VRF leaking (route leaking) between VRFs is required to enable communication. Without leaking, VRFs are isolated.

A route map or policy can be used to export routes between VRFs.

48
MCQ · medium

A network admin configures OSPF on a FortiGate with multiple areas. To ensure that routes from one area are advertised into another area, which OSPF feature must be properly configured?

A. OSPF route redistribution
B. OSPF passive interface
C. OSPF virtual-link
D. OSPF network type
Answer: A

Route redistribution controls route advertisement between OSPF areas or from other protocols.

Why this answer

Route redistribution is used to inject routes from one OSPF area into another or from other protocols. Without redistribution, routes stay within their own area.

49
MCQ · easy

An administrator needs to monitor the FortiGate's CPU usage in real-time from the CLI. Which command should be used?

A. diagnose debug application httpsd
B. diagnose hardware sysinfo memory
C. get system performance status
D. diagnose sys top
Answer: D

This is the correct command for real-time CPU monitoring.

Why this answer

The command 'diagnose sys top' displays real-time CPU and memory usage for FortiGate processes, similar to 'top' on Linux. It's the standard CLI tool for performance monitoring.

50
MCQ · easy

Which technology uses DMARC reports to help administrators identify unauthorized use of their email domain?

A. SPF
B. DKIM
C. FortiMail
D. DMARC
Answer: D

DMARC provides aggregate and forensic reports about email authentication.

Why this answer

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the correct answer because it specifically uses aggregate and forensic reports (DMARC reports) to provide administrators with visibility into how their email domain is being used, including unauthorized or spoofed emails. These reports are generated by receiving mail servers and sent back to the domain owner, detailing authentication results from SPF and DKIM checks, which helps identify and mitigate domain abuse.

Exam trap

The trap here is that candidates confuse DMARC's reporting and policy enforcement features with the underlying authentication mechanisms (SPF and DKIM), thinking those protocols alone provide visibility into unauthorized use, when in fact only DMARC defines the reporting format and feedback loop.

How to eliminate wrong answers

Option A (SPF) is wrong because SPF only defines which IP addresses are authorized to send mail for a domain via DNS TXT records, but it does not generate reports or provide visibility into unauthorized use. Option B (DKIM) is wrong because DKIM provides a cryptographic signature to verify email integrity and sender authenticity, but it does not produce reports on domain usage or abuse. Option C (FortiMail) is wrong because FortiMail is a secure email gateway product that can implement DMARC policies and process reports, but it is not the technology that uses DMARC reports itself; DMARC is the standard that defines the reporting mechanism.

51
MCQ · hard

An administrator runs 'diagnose sys session filter dport 443' and sees: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate about the session?

A. The session is a UDP session
B. The session is in TIME_WAIT state
C. The session is in SYN_SENT state
D. The session is in ESTABLISHED state
Answer: D

TCP state 01 indicates ESTABLISHED.

Why this answer

The output shows `proto=6`, which indicates TCP (protocol 6). The `proto_state=01` corresponds to the TCP state for an established connection (ESTABLISHED). The `duration=3600` and `expire=3599` confirm the session has been active for 3600 seconds and will expire in 3599 seconds, which is typical for a long-lived established TCP session.

Therefore, option D is correct.

Exam trap

The trap here is that candidates may misinterpret `proto_state=01` as a connection setup state (like SYN_SENT) or confuse it with a UDP session, but the protocol number 6 and the specific state value 01 clearly indicate an established TCP session.

How to eliminate wrong answers

Option A is wrong because `proto=6` explicitly indicates TCP, not UDP (UDP uses protocol 17). Option B is wrong because `proto_state=01` represents the ESTABLISHED state, not TIME_WAIT (which would be a different state value, such as 11 in some implementations). Option C is wrong because `proto_state=01` is not SYN_SENT; SYN_SENT would typically be represented by a different state value (e.g., 02 in some Fortinet implementations) and would not have a duration of 3600 seconds, as SYN_SENT is a transient state.

52
MCQ · hard

A FortiGate administrator configures a multi-peer IPsec VPN with two remote gateways for redundancy. The phase 1 configuration has 'set proposal aes256-sha256' and 'set dpd on-idle'. The tunnel is established but traffic fails over to the backup peer only after a long delay. What change would improve failover time?

A. Increase the phase 2 lifetime
B. Enable NAT traversal
C. Use IKEv1 instead of IKEv2
D. Change DPD mode to 'on-demand' and reduce retry count
Answer: D

On-demand sends DPD probes regularly regardless of traffic, enabling faster detection.

Why this answer

DPD on-idle sends probes only when there is no traffic. With DPD on-idle, failure detection can be slow. Changing to DPD on-demand (active probing) or reducing retry intervals speeds up failure detection.

53
MCQ · easy

Which SD-WAN load balancing algorithm is best for ensuring that all traffic from a specific source-destination pair uses the same WAN link?

A. Spillover
B. Source-dest IP
C. Volume
D. Lowest-cost
Answer: B

Source-dest IP hashes both the source and destination IP addresses, so the same pair is always sent over the same link.

54
MCQ · medium

An administrator wants to group firewall objects by department (e.g., Sales, Engineering) and easily filter them in FortiManager policy packages. Which feature should be used?

A.Tags in FortiGate
B.ADOM overrides
C.Meta fields
D.Policy package folders
AnswerC

Why this answer

Meta fields in FortiManager allow administrators to define custom attributes (e.g., Department) for firewall objects. These fields can then be used to group and filter objects within policy packages, enabling efficient management by department without requiring separate ADOMs or VDOMs.

Exam trap

The trap here is that candidates may confuse meta fields with FortiGate tags, but tags are device-local and not available for filtering in FortiManager policy packages, whereas meta fields are a FortiManager-specific feature designed for cross-device object grouping.

How to eliminate wrong answers

Option A is wrong because Tags in FortiGate are local to the FortiGate device and are not synchronized to FortiManager for filtering in policy packages; they are used for object categorization on the device itself. Option B is wrong because ADOM overrides are used to manage configuration differences across ADOMs, not to group or filter objects by custom attributes like department. Option D is wrong because Policy package folders organize policy packages themselves, not individual firewall objects within a package.

55
MCQhard

A FortiGate is configured to submit files to FortiSandbox. The administrator notices that files are being submitted but no verdicts are returned. Which two conditions could cause this?

A.The FortiSandbox server is not reachable from the FortiGate
B.The file type is not supported by FortiSandbox
C.The file size exceeds the FortiSandbox submission limit
D.The FortiSandbox license has expired
E.The antivirus profile is set to monitor mode

Why this answer

If FortiSandbox is not reachable or the file is too large, verdicts may not be returned. Other options like expiry or incorrect scan mode do not prevent verdict return.

56
MCQmedium

A FortiGate administrator notices that traffic from a specific subnet is being dropped unexpectedly. The security policy allows the traffic, and there are no firewall policies blocking it. What is the most efficient first step to identify the cause of the drops?

A.Use the 'diag sniffer packet any "host 10.0.1.0/24" 4' command to capture packets and analyze where they are dropped.
B.Run 'diagnose debug flow' with the source IP and look for 'no matching policy' or 'dropped' messages.
C.Enable 'deny-log' on all policies and check logs for the subnet.
D.Enable global traffic logging and review logs after some traffic passes.
AnswerA

A packet sniffer with a filter can capture the actual packets and show the drop reason in the output.

Why this answer

The 'diag sniffer packet any "host 10.0.1.0/24" 4' command captures packets at the kernel level before firewall processing, allowing you to see if traffic is reaching the FortiGate and where it is being dropped (e.g., due to reverse-path forwarding, session helper, or DoS policies). This is the most efficient first step because it provides immediate, low-level visibility into packet drops without requiring configuration changes or waiting for logs.

Exam trap

The trap here is that candidates often jump to 'diagnose debug flow' as the default troubleshooting tool, but it only works after a session is created, missing pre-session drops that the sniffer can immediately expose.

How to eliminate wrong answers

Option B is wrong because 'diagnose debug flow' is a session-level debug that requires traffic to first match a session; if traffic is dropped before session creation (e.g., by ASIC, DoS policy, or RPF check), the debug flow may show no output or misleading 'no matching policy' messages, wasting time. Option C is wrong because enabling 'deny-log' on all policies only logs drops caused by explicit firewall policies, but the question states no policies are blocking the traffic, so this would not capture the actual drop cause (e.g., session helper, DoS, or routing issues). Option D is wrong because enabling global traffic logging requires a configuration change and waiting for traffic to pass, which is inefficient; logs may also not show the specific drop reason (e.g., kernel-level drops are not always logged).

57
MCQmedium

Two FortiGates in an HA cluster are experiencing a split-brain scenario where both units become primary. The administrator checks the HA configuration and sees that the heartbeat interfaces are configured correctly but the link status is 'down' on both units. What could cause this?

A.The heartbeat interface has been administratively disabled
B.The physical cable connecting the heartbeat interfaces is faulty
C.The HA group ID is different on each unit
D.The HA priority values are the same on both units
AnswerB

Correct. A faulty cable causes link down, leading to loss of heartbeat and split-brain.

Why this answer

A split-brain occurs when heartbeat communication is lost. If the heartbeat interfaces show link down, it indicates a physical or layer-1 issue, such as a faulty cable or switch port.

58
MCQeasy

An administrator wants to enforce that only devices with antivirus software installed and up-to-date can access the corporate network. Which FortiGate feature should be used?

A.Application control profile
B.ZTNA tags and posture checks
C.IPsec VPN with pre-shared key
D.Web filtering profile
AnswerB

ZTNA tags can reflect compliance status from EMS.

Why this answer

FortiGate uses ZTNA device posture checks via FortiClient EMS to enforce endpoint compliance, such as antivirus status.

59
MCQeasy

An administrator needs to verify if a FortiGate is receiving BGP routes from a peer. Which command should the admin run to see the BGP routing table?

A.get router info routing-table bgp
B.show ip bgp
C.diagnose ip router bgp table
D.get router info bgp table
AnswerD

This command shows the BGP routing table entries.

Why this answer

'get router info bgp table' displays the BGP routing table, showing learned and advertised routes.

60
MCQmedium

An administrator wants to integrate FortiGate with an external threat intelligence feed to block known malicious IP addresses automatically. Which object should be used to consume the feed?

A.External Threat Intelligence Feed
B.IP Pool
C.Address Group
D.Security Profile Group
AnswerA

This object dynamically updates with threat indicators.

Why this answer

External Threat Intelligence Feeds in FortiGate are configured under Security Fabric > External Threat Intelligence, and they can be used in policies as source/destination.

61
MCQeasy

A FortiGate administrator needs to delegate firewall policy management to different teams for different departments. Each team should have full control over their policies but should not see or modify policies of other departments. Which feature allows this separation?

A.ADOMs in FortiAnalyzer
B.Policy packages in FortiManager
C.Security fabric tags
D.Administrative profiles (admin profiles) with restricted VDOM access
AnswerD

Admin profiles can be created that limit an administrator's access to specific VDOMs, providing the required separation.

Why this answer

Option D is correct because administrative profiles with restricted VDOM access allow a FortiGate administrator to assign specific VDOMs to different admin accounts. By creating separate VDOMs for each department and granting admin accounts access only to their respective VDOMs, each team can fully manage firewall policies within their VDOM without seeing or modifying policies in other VDOMs. This leverages FortiGate's VDOM-based multi-tenancy and role-based access control (RBAC) to enforce strict policy isolation.

Exam trap

The trap here is that candidates often confuse FortiManager's policy packages (Option B) as the solution for policy delegation, but FortiManager alone does not enforce visibility restrictions without ADOMs, and the question explicitly asks for a FortiGate feature, not a management platform feature.

How to eliminate wrong answers

Option A is wrong because ADOMs (Administrative Domains) are a FortiAnalyzer feature used to segregate log and report data, not to delegate firewall policy management on FortiGate. Option B is wrong because policy packages in FortiManager are used for centralized policy management and revision control, but they do not inherently prevent an administrator from seeing or modifying policies of other departments unless combined with ADOMs or admin profiles; the question specifically asks for a FortiGate feature, not FortiManager. Option C is wrong because security fabric tags are metadata labels used for grouping and automation within the Security Fabric, not for RBAC or policy isolation between administrative teams.

62
MCQeasy

A FortiGate is configured with multiple virtual routers (VRFs). The administrator wants to allow communication between two VRFs using a firewall policy. Which type of interface is required for the policy?

A.VDOM link
B.VLAN subinterface
C.Loopback interface
D.Virtual-wire pair
AnswerA

VDOM links are used to connect VDOMs or VRFs; firewall policies can be applied to allow traffic between VRFs.

63
MCQeasy

Which FortiManager feature allows an administrator to view the exact CLI commands that will be pushed to a managed FortiGate before installation?

A.Policy Check
B.Revision History
C.Device Manager Dashboard
D.Install Preview
AnswerD

Install Preview displays the CLI commands that will be pushed.

Why this answer

Install Preview is the correct answer because it allows an administrator to review the exact CLI commands that FortiManager will push to a managed FortiGate during the next installation. This feature provides a pre-installation view of the configuration changes, enabling verification before committing changes to the device.

Exam trap

The trap here is that candidates may confuse Install Preview with Revision History, thinking that viewing past configurations is the same as previewing pending changes, but Revision History only shows saved snapshots, not the upcoming installation script.

How to eliminate wrong answers

Option A is wrong because Policy Check is used to validate policy consistency and conflicts across FortiGates, not to preview CLI commands. Option B is wrong because Revision History stores previous configuration backups and allows rollback, but does not show the pending CLI commands for the next installation. Option C is wrong because the Device Manager Dashboard provides a summary view of device status and configuration, but does not display the exact CLI commands that will be pushed.

64
MCQmedium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGate devices. The tunnel is established, but traffic is not passing. Which configuration should the administrator check first?

A.Firewall policies
B.NAT traversal configuration
C.Static routes
D.Phase1 parameters
AnswerA

Firewall policies must explicitly permit the traffic between the IPsec interface and the destination zone.

Why this answer

When an IPsec VPN tunnel is established but traffic does not pass, the most common cause is missing or misconfigured firewall policies. Even with correct Phase 1 and Phase 2 settings, the FortiGate will not forward traffic between the tunnel interface and the destination network unless an explicit firewall policy permits it. This is because FortiGate uses a stateful inspection model where all traffic must be allowed by a policy, regardless of the VPN being up.

Exam trap

The trap here is that candidates assume a working Phase 1 and Phase 2 automatically allows traffic, but FortiGate requires explicit firewall policies to permit traffic through the tunnel, unlike some other vendors where the VPN configuration itself implies a permit.

How to eliminate wrong answers

Option B (NAT traversal configuration) is wrong because NAT traversal is only relevant when there is a NAT device between the VPN peers; if the tunnel is already established, NAT-T is likely working or not needed, and it does not block traffic flow. Option C (Static routes) is wrong because while routes are necessary for traffic to reach the tunnel interface, the tunnel being established indicates that routing is likely correct; the issue is that even with correct routes, traffic is dropped at the policy layer. Option D (Phase1 parameters) is wrong because if Phase 1 parameters were mismatched, the tunnel would not establish at all; the fact that the tunnel is up means Phase 1 negotiation succeeded.

65
MCQhard

You have configured a route map named 'RM-BGP' to filter routes redistributed from OSPF into BGP. The route map uses 'set community 65000:100' and 'set metric 50'. After applying the route map under 'config router bgp' with 'redistribute ospf route-map RM-BGP', you see that routes are being redistributed but without the community and metric. What is wrong?

A.The route map does not have any 'match' criteria, so it never applies
B.The route map is missing a 'set community' statement with 'additive' option
C.The BGP neighbor requires 'soft-reconfiguration inbound' to see the changes
D.The 'set metric' command is not supported for BGP redistribution
AnswerA

Without match statements, the route map may not be applied; this is a common configuration error.

Why this answer

Route-map statements require 'match' conditions; if no match is specified, the route map may not match any routes. Also, the route map must have a sequence number with 'match ip address' or similar.

66
MCQhard

In a FortiManager deployment with global ADOM enabled, an administrator creates a firewall policy in the global ADOM. What is the effect of this policy on the per-ADOM devices?

A.The policy is used only if no per-ADOM policy exists with the same name
B.The policy is applied only to devices in the same ADOM as the global ADOM
C.The policy is ignored unless explicitly assigned to each ADOM
D.The policy is installed as a header policy on all managed FortiGates
AnswerD

Global policies are typically inserted as header policies in each device's policy list.

Why this answer

Global ADOM policies are pushed to all devices in all ADOMs unless a per-ADOM policy overrides them. The global policy is installed before per-ADOM policies.

67
Multi-Selectmedium

An administrator is troubleshooting why a new firewall policy on a managed FortiGate is not taking effect. The policy was created in FortiManager and installed successfully. Which TWO steps should the administrator verify to identify the issue? (Select TWO.)

Select 2 answers
A.Reboot the FortiGate
B.Review the FortiGate's routing table
C.Check if the policy is disabled
D.Check the policy order in the policy list
E.Verify the FortiGate's HA status
AnswersC, D

A policy must be enabled to match traffic.

Why this answer

Option C is correct because a policy that is disabled in FortiManager will be installed to the managed FortiGate in a disabled state, meaning it will not process any traffic. The administrator must verify that the policy is enabled in FortiManager before or after installation, as a disabled policy is effectively inactive regardless of installation success.

Exam trap

The trap here is that candidates often assume a successful installation guarantees the policy is active, overlooking the disabled state or the impact of policy order on traffic matching.

68
Matchingmedium

Match each FortiGate security profile to its category.


Concepts
Matches

Malware protection

URL and content filtering

DNS-based threat protection

Application visibility and control

Intrusion prevention

Why these pairings

These profiles are applied in firewall policies.

69
MCQmedium

A FortiGate has OSPF configured in multiple areas. The administrator wants to redistribute routes from area 0 into area 1 with a metric of 10. Which command is correct?

A.config router ospf config redistribute "ospf" set status enable set metric 10 end
B.config router ospf config redistribute "connected" set metric 10 end
C.config router ospf config area edit 1 set type nssa end
D.config router ospf set redistribute "ospf" metric 10
AnswerA

Redistributing OSPF into OSPF with a metric is used to influence inter-area routes.

70
MCQeasy

An administrator needs to check the health of an SD-WAN link by viewing the last SLA probe results. Which command should be used?

A.diagnose sys sdwan sla-log
B.get system interface physical
C.diagnose debug application sdwan -1
D.diagnose sys virtual-wan-link health-check
AnswerD

This command shows the results of SD-WAN health checks including SLA status.

Why this answer

Option D is correct. 'diagnose sys virtual-wan-link health-check' displays the current health check status.

71
MCQmedium

An admin wants to create a custom IPS signature to detect a specific exploit that sends a string 'EXPLOIT' in the HTTP Host header. Which signature syntax is correct?

A.F-SBID( --name "HTTP_EXPLOIT" --protocol http --header Host --content "EXPLOIT" )
B.F-SBID( --name "HTTP_EXPLOIT" --service HTTP --header Host --content "EXPLOIT" )
C.F-SBID( --name "HTTP_EXPLOIT" --protocol tcp --header Host --content "EXPLOIT" )
D.F-SBID( --name "HTTP_EXPLOIT" --protocol http --header Host --content "EXPLOIT" )
AnswerD

This follows correct F-SBID syntax with protocol http and header Host.

Why this answer

Option D is correct because the FortiGate custom IPS signature syntax requires the `--protocol http` flag to specify the application-layer protocol for HTTP inspection, and `--header Host` to target the HTTP Host header field. The `--content` parameter then defines the string 'EXPLOIT' to match within that header, enabling precise detection of the exploit.

Exam trap

The trap here is that candidates often confuse `--protocol tcp` with `--protocol http`, not realizing that HTTP header inspection requires the application-layer protocol keyword to enable the HTTP parser, even though HTTP traffic uses TCP as its transport.

How to eliminate wrong answers

Option A is textually identical to Option D; the answer key marks D as the correct choice, so A is treated as incorrect only by virtue of the key. Option B is wrong because it uses `--service HTTP` instead of `--protocol http`; the `--service` flag is not a valid parameter in FortiGate IPS signatures for specifying the protocol layer, and the correct keyword is `--protocol`. Option C is wrong because it uses `--protocol tcp`, which specifies the transport-layer protocol rather than the application-layer HTTP protocol; while HTTP runs over TCP, the signature must use `--protocol http` to enable HTTP header parsing and the `--header` directive.

72
MCQmedium

A FortiGate administrator configures an antivirus profile with Machine Learning (ML) engine enabled. The ML engine is not detecting any threats, even though new unknown malware is present. What is the MOST likely reason?

A.The ML engine requires a separate subscription
B.The ML engine is only for outbreak prevention
C.The FortiGuard antivirus subscription is expired, preventing ML model updates
D.The antivirus profile is set to flow-based inspection
AnswerC

The ML engine needs updated models from FortiGuard; an expired subscription stops those updates.

Why this answer

The FortiGate ML engine relies on FortiGuard for model updates that enable it to detect new and unknown malware. If the FortiGuard antivirus subscription is expired, the ML engine cannot receive these updates, rendering it unable to identify novel threats. This is the most likely reason the ML engine is not detecting any threats despite the presence of new unknown malware.

Exam trap

The trap here is that candidates may assume the ML engine works independently of subscriptions or that flow-based inspection disables it, when in fact the engine's effectiveness is entirely dependent on current FortiGuard updates.

How to eliminate wrong answers

Option A is wrong because the ML engine is included with the FortiGuard Antivirus subscription and does not require a separate subscription; it is an integrated feature. Option B is wrong because the ML engine is not limited to outbreak prevention; it provides continuous, real-time detection of unknown malware using behavioral analysis and static file analysis. Option D is wrong because flow-based inspection does not disable the ML engine; the ML engine works with both proxy-based and flow-based inspection modes, though flow-based may have reduced detection granularity.

73
Multi-Selecthard

A security team is configuring FortiMail for email security. They want to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC, and that emails failing authentication are quarantined. Which THREE settings must be configured in FortiMail? (Choose three.)

Select 3 answers
A.Enable DKIM verification in the anti-spam policy
B.Enable TLS encryption for incoming SMTP
C.Enable DMARC verification and set the action for DMARC failure to quarantine
D.Enable SPF verification in the anti-spam policy
E.Configure a recipient verification policy
AnswersA, C, D

DKIM verification must be enabled to verify DKIM signatures.

Why this answer

Option A is correct because DKIM verification must be explicitly enabled in the anti-spam policy to allow FortiMail to validate the DKIM signature on incoming emails. Without this setting, DKIM authentication is not performed, and the email's DKIM status will not be evaluated.

Exam trap

The trap here is that candidates often confuse transport security (TLS) with email authentication protocols, mistakenly thinking TLS is required for SPF/DKIM/DMARC enforcement, when in fact TLS is optional and unrelated to the authentication chain.

74
MCQhard

An administrator is troubleshooting a ZTNA issue where users are able to authenticate but the application access is still blocked. The ZTNA status on FortiClient shows 'Connected' but the application does not load. What is the MOST likely cause?

A.The user's FortiClient does not have the required ZTNA tags assigned
B.The ZTNA application is not configured with HTTPS
C.The FortiClient EMS server is not reachable from the FortiGate
D.The FortiGate is not configured with the correct ZTNA application gateway
AnswerA

ZTNA tags define access permissions. If the user's client lacks the required tags, the FortiGate blocks access even though the client is connected.

Why this answer

ZTNA uses tags to determine which users or devices can access which applications. If the necessary tags are missing, access is denied even if the client is connected.

75
Multi-Selectmedium

A FortiGate administrator is setting up automation stitches in FortiManager to remediate threats. The stitch should run a CLI script on a managed FortiGate when a specific event is logged. Which THREE components must be configured in the automation stitch?

Select 3 answers
A.Trigger
B.Schedule
C.Conditions
D.Recovery action
E.Action (CLI script)
AnswersA, C, E

The trigger defines what event starts the automation. It is mandatory.

Why this answer

Option A is correct because an automation stitch in FortiManager requires a trigger to define the event that initiates the stitch. Without a trigger, the stitch has no starting condition and cannot execute. The trigger specifies the log event that, when matched, causes the stitch to run.

Exam trap

The trap here is that candidates often confuse the 'recovery action' (used for rollback in automation stitches) as a required component, but it is optional and only relevant when the stitch includes a recovery step; the three mandatory components are trigger, conditions, and action.
