Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 676-750

1000 questions total · 14 pages · All types, answers revealed

676
MCQmedium

Refer to the exhibit. A user reports that accessing a legitimate HTTPS website is blocked. The FortiGate logs show that the connection was denied by the antivirus profile. What is the most likely cause?

A.The antivirus profile detected a false positive in the encrypted traffic
B.The application list blocked the HTTPS application
C.The IPS profile blocked a vulnerability in the website
D.The protocol options profile blocked the SSL handshake
AnswerA

Deep (SSL) inspection decrypts the HTTPS session so the antivirus engine can scan its content; a signature that matches benign content is a false positive, and the AV profile blocks the page.

Why this answer

Option A is correct because, when the firewall policy uses an SSL inspection profile in deep-inspection mode, FortiGate decrypts the HTTPS stream, hands the plaintext to the antivirus engine, and re-encrypts it toward the client. If an AV signature matches legitimate content on the site (for example a benign JavaScript file that resembles a malware pattern), the antivirus profile denies the session. The log attributes the denial to the AV profile and not to any other security profile, so a false positive on the decrypted content is the most likely cause. The practical check is the AV log entry itself: it names the virus signature and the file, which can be confirmed against the site's actual content and, if benign, reported to FortiGuard as a false positive or exempted.

Exam trap

The trap here is that candidates may confuse the security profile that generated the log entry (antivirus) with other profiles (application control, IPS, protocol options) that could also block HTTPS traffic, but the log's explicit attribution to the AV profile eliminates those possibilities.

How to eliminate wrong answers

Option B is wrong because the log shows the connection was denied by the antivirus profile, not by an application control profile; the application list blocking HTTPS would generate a log entry from the application control module, not the AV module. Option C is wrong because an IPS profile blocking a vulnerability would generate a log entry from the IPS sensor, not the antivirus profile, and the log explicitly attributes the denial to the AV profile. Option D is wrong because the protocol options profile blocking the SSL handshake would produce a log from the SSL inspection module or a protocol violation, not from the antivirus profile, and the connection was denied after inspection, not during the handshake.

677
Multi-Selectmedium

An administrator is configuring FortiClient EMS to enforce compliance for ZTNA. Which TWO settings are required on FortiGate to use compliance-based ZTNA tags?

Select 2 answers
A.FortiClient EMS is added as a security fabric connector
B.The ZTNA proxy rule includes a condition for required ZTNA tags
C.SSL deep inspection is enabled on the firewall policy
D.A local user database is configured for authentication
E.FortiGate is configured as a SAML IdP
AnswersA, B

This allows FortiGate to retrieve tags from EMS.

Why this answer

To use compliance tags, FortiGate must have EMS configured as a fabric connector and the ZTNA proxy rule must reference the tags.

678
MCQeasy

What is the purpose of header and footer policies in a FortiManager policy package?

A.To separate IPv4 and IPv6 policies
B.To apply policies at the top and bottom of the policy list that are not affected by reordering within the package
C.To create backup policies
D.To define policies that are only used during installation
AnswerB

Correct.

Why this answer

Header and footer policies in FortiManager policy packages allow administrators to define policies that are automatically placed at the very top (header) and very bottom (footer) of the policy list. These policies remain fixed in position and are not affected by any reordering operations performed on the regular policies within the package, ensuring that critical security controls (e.g., deny-all or allow-specific traffic) are always enforced in the correct order.

Exam trap

The trap here is that candidates often confuse header/footer policies with simple policy ordering or backup mechanisms, failing to recognize that their key purpose is to provide immutable positioning that survives reordering operations within the policy package.

How to eliminate wrong answers

Option A is wrong because header and footer policies are not used to separate IPv4 and IPv6 policies; IPv4 and IPv6 policies are managed separately within their own policy tables or via policy types, not through header/footer mechanisms. Option C is wrong because header and footer policies are not backup policies; they are active, enforced policies that maintain a fixed position, whereas backup policies would be inactive or stored separately. Option D is wrong because header and footer policies are not only used during installation; they are installed and enforced as part of the policy package and remain active on the FortiGate after installation, just like regular policies.

679
MCQeasy

Which FortiGate security feature removes potentially malicious active content from files (e.g., macros, scripts) before delivering them to end users?

A.Antivirus
B.Data Leak Prevention
C.File Filter
D.Content Disarm and Reconstruction
AnswerD

CDR removes active content to neutralize threats.

Why this answer

Content Disarm and Reconstruction (CDR) sanitizes files by removing active content.

680
MCQmedium

A FortiGate is configured with multiple VDOMs. The administrator needs to allow traffic from a VDOM named 'CustomerA' to reach a server in VDOM 'SharedServices'. Both VDOMs are on the same FortiGate. Which configuration is necessary?

A.Place both VDOMs in the same ADOM in FortiManager
B.Enable inter-VDOM routing and create policies allowing traffic between the VDOMs
C.Create a VDOM link between the two VDOMs
D.Configure the FortiGate in transparent mode
AnswerB

Inter-VDOM routing is implemented with a VDOM link, and firewall policies in each VDOM control the flow.

Why this answer

In FortiOS, traffic between VDOMs on the same unit is routed through a VDOM link, created in the global context under 'config system vdom-link'. Creating one entry produces a pair of interfaces, one assigned to each VDOM. Each VDOM then needs a route toward the far side of the link and a firewall policy that permits the traffic (in CustomerA, from its LAN interface to its link interface; in SharedServices, from its link interface to the server's interface). Option B describes this combination; the link alone (option C) carries nothing until the routes and policies exist.

Without a VDOM link, VDOMs are isolated Layer 3 domains and cannot communicate even though they share the same hardware.

Exam trap

The trap here is choosing option C because the VDOM link is the visible mechanism. The link only provides the interface pair; traffic still drops until the routes and firewall policies on both sides reference those interfaces, so the complete answer is the one that includes the policies.

How to eliminate wrong answers

Option A is wrong because ADOMs in FortiManager are management domains for grouping devices, not a data-path mechanism between VDOMs on a single FortiGate. Option C is incomplete rather than wrong: the VDOM link provides the interfaces, but by itself it permits nothing; traffic is forwarded only once routes and firewall policies in both VDOMs reference the link interfaces. Option D is wrong because transparent mode operates at Layer 2 and does not remove the requirement; VDOMs in transparent mode still need a VDOM link and policies to exchange traffic.
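The following FortiOS configuration is an added example, not part of the exam page, showing the complete inter-VDOM path: the link in the global context, the link interfaces assigned to each VDOM, and the routes and policies on both sides. The interface names (port2, port3), link name (svclink), and addresses (10.255.0.0/30 transit, 10.10.0.0/24 CustomerA LAN, server 10.20.0.10) are assumptions.

```fortios
# Added example: CustomerA -> SharedServices through a VDOM link.
# Names and addresses are assumptions; adjust to the real topology.

config global
    # One vdom-link entry yields two interfaces: svclink0 and svclink1.
    config system vdom-link
        edit "svclink"
        next
    end
    config system interface
        edit "svclink0"
            set vdom "CustomerA"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "svclink1"
            set vdom "SharedServices"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

config vdom
    edit "CustomerA"
        config firewall address
            edit "shared-srv"
                set subnet 10.20.0.10 255.255.255.255
            next
        end
        # Route the shared subnet across the link.
        config router static
            edit 0
                set dst 10.20.0.0 255.255.255.0
                set gateway 10.255.0.2
                set device "svclink0"
            next
        end
        # Egress policy: LAN -> link. Restrict the service; do not use ALL.
        config firewall policy
            edit 0
                set name "customerA-to-shared"
                set srcintf "port2"
                set dstintf "svclink0"
                set srcaddr "all"
                set dstaddr "shared-srv"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end
    next
    edit "SharedServices"
        config firewall address
            edit "shared-srv"
                set subnet 10.20.0.10 255.255.255.255
            next
            edit "customerA-net"
                set subnet 10.10.0.0 255.255.255.0
            next
        end
        # Return route back toward CustomerA's LAN.
        config router static
            edit 0
                set dst 10.10.0.0 255.255.255.0
                set gateway 10.255.0.1
                set device "svclink1"
            next
        end
        # Ingress policy: link -> server segment, scoped to CustomerA only.
        config firewall policy
            edit 0
                set name "from-customerA"
                set srcintf "svclink1"
                set dstintf "port3"
                set srcaddr "customerA-net"
                set dstaddr "shared-srv"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end
    next
end
```

Both policies are deliberately narrow: the SharedServices side accepts only CustomerA's subnet on the link, so a second customer VDOM attached to another link cannot reach the server through a shared "all" rule. To confirm traffic actually crosses the link, sniff it from the global context with 'diagnose sniffer packet svclink0 "host 10.20.0.10" 4' while a client connects.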

681
MCQeasy

Which routing protocol is commonly used in SD-WAN deployments to exchange routes between FortiGate and the provider edge router in an MPLS network?

A.RIP
B.BGP
C.IS-IS
D.OSPF
AnswerB

BGP is the preferred protocol for exchanging routes with MPLS provider edge routers due to its scalability and policy control.

682
MCQeasy

What is the role of FortiGuard Outbreak Prevention in FortiGate's security suite?

A.To deliver real-time threat intelligence and block fast-spreading outbreaks
B.To provide offline signature updates for antivirus
C.To perform sandbox analysis of files
D.To manage endpoint security policies
AnswerA

Outbreak Prevention uses FortiGuard's real-time data.

Why this answer

FortiGuard Outbreak Prevention adds a real-time FortiGuard query for files that local antivirus scanning does not flag: the FortiGate sends the file's hash to FortiGuard and blocks the file if it is already known from a current outbreak. This closes the window between a new campaign appearing and the corresponding signature reaching the scheduled antivirus database update, which is the period in which fast-spreading malware does most of its damage.

Exam trap

The trap here is that candidates confuse Outbreak Prevention with regular antivirus signature updates or with sandboxing; the key distinction is that Outbreak Prevention is a real-time lookup against FortiGuard for fast-spreading threats, not a scheduled or offline update mechanism and not a detonation service.

How to eliminate wrong answers

Option B is wrong because offline or scheduled signature updates are handled by the regular FortiGuard antivirus update service; Outbreak Prevention needs live FortiGuard connectivity for its lookups. Option C is wrong because sandbox analysis is performed by FortiSandbox (or FortiGuard's cloud sandbox), a separate service that integrates with FortiGate but is not part of Outbreak Prevention's role. Option D is wrong because managing endpoint security policies is the function of FortiClient EMS or FortiEDR, not FortiGate's Outbreak Prevention service.

683
MCQhard

A FortiGate admin configures a firewall policy with an antivirus profile in flow-based inspection mode. The admin notices that some large files are being scanned but others are allowed without scanning. What is the most likely cause?

A.The antivirus signatures are outdated
B.The antivirus profile has an exemption for certain file types
C.The FortiGate's antivirus buffer size is exceeded, causing some files to bypass scanning
D.Flow-based inspection cannot scan files larger than 10 MB
AnswerC

If a file exceeds the oversize limit, it is passed without scanning unless the oversize action is set to block.

Why this answer

Antivirus scanning buffers a file up to the oversize limit configured per protocol in the protocol options profile ('config firewall profile-protocol-options', then 'set oversize-limit' under each protocol such as http or smtp). A file larger than that limit is not scanned at all; whether it is then allowed or dropped depends on the 'oversize' entry in that protocol's option list, which is off by default, so oversized files pass unscanned. A mix of scanned and unscanned large files therefore points at files on either side of the limit, not at signatures or file-type exemptions. Where policy requires it, enable the oversize option so that unscannable files are blocked rather than silently passed.

Exam trap

The trap here is that candidates assume flow-based inspection can scan any file size, overlooking the buffer size limitation that causes large files to bypass scanning entirely.

How to eliminate wrong answers

Option A is wrong because outdated signatures would cause missed detections, not selective bypassing of large files; every file would still be scanned. Option B is wrong because file-type exemptions skip those types consistently regardless of size, rather than allowing only large files. Option D is wrong because there is no fixed 10 MB ceiling; the oversize limit is configurable per protocol, and files above it are passed unscanned by default rather than blocked.

684
MCQmedium

An administrator configures an automation stitch to respond to a high severity event. The trigger is 'event' and the action is 'CLI script'. What must be defined for the action to execute properly?

A.An API token for authentication
B.A FortiManager to execute the script
C.An email server to send the script output
D.A valid CLI script that contains commands to be executed on the FortiGate
AnswerD

The action type 'CLI script' requires a script to be defined with the commands.

685
Multi-Selecthard

A FortiGate administrator is investigating a slow network issue. The 'diagnose sys session stat' shows a high number of sessions. Which THREE commands can help identify the source of the high session count?

Select 3 answers
A.diagnose sys session list | grep <policy_id>
B.diagnose sys session filter src <IP>
C.diagnose sys session top-talkers
D.diagnose sys session stat
E.diagnose netlink interface list
AnswersA, B, C

Counts sessions per policy to see which policy is most used.

Why this answer

To identify high session count sources, the administrator can list sessions filtered by source IP, list sessions per policy, or use top talkers.
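The following CLI sequence is an added example, not from the exam page, showing how the session filter narrows a high session count to a policy and then to a source host, and the one caveat that matters most in production: the filter persists within the CLI session and scopes 'diagnose sys session clear', which drops every session on the unit when no filter is set. Policy ID 5, source 10.1.1.25 and port 443 are assumptions.

```fortios
# Added example: locating the source of a high session count.
# Policy 5, host 10.1.1.25 and port 443 are assumptions.

# Baseline: total session count and setup rate.
diagnose sys session stat

# Clear any filter left over from earlier commands; the filter persists for
# the whole CLI session and silently scopes every list/clear that follows.
diagnose sys session filter clear

# Count sessions matched by one policy. 'list' prints the filtered sessions
# and ends with a "total session N" line, which is all we need here.
diagnose sys session filter policy 5
diagnose sys session list | grep "total session"

# Same question by source host.
diagnose sys session filter clear
diagnose sys session filter src 10.1.1.25
diagnose sys session list | grep "total session"

# Combine criteria to see what that host is doing on that policy.
diagnose sys session filter policy 5
diagnose sys session filter dport 443
diagnose sys session list

# Only after confirming the filtered count is the set you intend:
# 'clear' honours the current filter; with no filter it drops ALL sessions.
diagnose sys session list | grep "total session"
diagnose sys session clear

# Leave the CLI session clean for the next administrator.
diagnose sys session filter clear
```

Run the filtered 'list' first and read the total before any 'clear'; an empty filter followed by 'diagnose sys session clear' is a self-inflicted outage, not a troubleshooting step.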

686
Multi-Selecthard

A FortiGate is configured with OSPF multi-area. The administrator wants to redistribute a static route into OSPF area 0 and ensure it is propagated to all areas. Which THREE steps are required? (Choose three.)

Select 3 answers
A.Set the OSPF network type to point-to-multipoint
B.Ensure the static route has a valid next-hop and is in the routing table
C.Configure 'redistribute static' under OSPF router configuration
D.Disable OSPF on all interfaces to prevent loops
E.Configure a route map to set the metric type to E1
AnswersB, C, E

Only routes in the routing table can be redistributed.

Why this answer

To redistribute into OSPF, enable 'redistribute static' under the OSPF router configuration, optionally with a route map that sets the metric and metric type (E1 adds the internal cost along the path, E2 keeps a fixed cost). The static route must be active in the routing table; a static route whose next hop is unreachable is not redistributed. OSPF must also remain enabled on the interfaces facing each area so adjacencies exist to carry the external LSA; disabling it (option D) would stop propagation entirely.
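The following configuration is an added example, not from the exam page, carrying the three steps through: a static route that is actually in the routing table, 'redistribute static' under OSPF, and a route map that limits redistribution to one prefix and marks it as E1. The router ID, area prefixes (10.0.0.0/24 in area 0, 10.1.0.0/24 in area 1), the redistributed prefix 192.168.100.0/24, and the next hop 10.0.0.254 on port1 are assumptions.

```fortios
# Added example: redistribute one static route into OSPF as an E1 external.
# All addresses, the router ID and interface names are assumptions.

# Step 1: the static route must be valid and present in the routing table.
# An unreachable gateway leaves it inactive and nothing is redistributed.
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set gateway 10.0.0.254
        set device "port1"
    next
end

# Limit what gets redistributed: only the intended prefix, not every static.
config router prefix-list
    edit "pl-static-to-ospf"
        config rule
            edit 1
                set action permit
                set prefix 192.168.100.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

# Step 3: route map that matches the prefix list and sets metric type E1.
config router route-map
    edit "rm-static-to-ospf"
        config rule
            edit 1
                set match-ip-address "pl-static-to-ospf"
                set set-metric 20
                set set-metric-type type-1
            next
        end
    next
end

# Step 2: OSPF with both areas active and static redistribution enabled.
config router ospf
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.1
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.1.0.0 255.255.255.0
            set area 0.0.0.1
        next
    end
    config redistribute "static"
        set status enable
        set routemap "rm-static-to-ospf"
    end
end
```

Verify on this unit with 'get router info routing-table static' (the route must show as active) and 'get router info ospf neighbor' (adjacencies in both areas); on a router in area 1 the prefix should appear in 'get router info routing-table ospf' as an O E1 route. The prefix list is the least-privilege part: without it, every static route on the box becomes an OSPF external, which is how a management or default static route ends up advertised enterprise-wide.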

687
MCQeasy

Which feature allows a FortiGate to participate in multiple routing tables simultaneously, enabling network segmentation and overlapping IP address spaces?

A.VDOM
B.Policy-based routing
C.VRF
D.Route redistribution
AnswerC

VRF creates separate routing tables within a VDOM or global.

Why this answer

Virtual Routing and Forwarding (VRF) partitions the routing table within a VDOM (or the global VDOM) into multiple independent tables, allowing overlapping IP addresses and separate routing decisions per VRF without the overhead of additional VDOMs. VDOMs (option A) separate entire configurations, including policies and objects, rather than just routing tables.

688
MCQeasy

An administrator needs to view real-time traffic logs and top applications for a specific VDOM on FortiAnalyzer. Which tool should be used?

A.FortiView
B.Playbooks
C.Incident Management
D.Reports
AnswerA

FortiView provides real-time dashboards and analytics.

Why this answer

FortiView is the correct tool because it provides real-time traffic logs and top applications per VDOM on FortiAnalyzer. It uses live data streams from FortiGate logs to display current network activity, allowing administrators to filter by VDOM and view metrics like top applications, sources, and destinations without running a report or script.

Exam trap

The trap here is that candidates confuse FortiView's real-time monitoring with Reports' historical analysis, assuming both can show live data; only FortiView shows current activity directly from the incoming log stream without generating a report.

How to eliminate wrong answers

Option B is wrong because Playbooks are used for automated threat response and remediation workflows, not for real-time log viewing or application monitoring. Option C is wrong because Incident Management focuses on investigating and managing security incidents from events like IPS or malware, not on displaying live traffic logs or top applications. Option D is wrong because Reports generate historical, scheduled summaries of log data, not real-time views; they require processing time and cannot show live traffic.

689
MCQhard

A company uses an advanced antivirus profile with machine learning engine enabled. After a recent outbreak, several files that were previously undetected are now flagged. How does the outbreak prevention feature help in this situation?

A.It downloads the latest ML models from FortiGuard to detect new threats
B.It sends all files to FortiSandbox for analysis
C.It quarantines all files for 24 hours until a signature is released
D.It blocks all executable files from being downloaded
AnswerA

Outbreak prevention provides immediate updates to ML models to catch new outbreaks.

Why this answer

Option A is correct because outbreak prevention uses FortiGuard to push real-time updates, including new ML models, to detect emerging threats quickly.

690
Multi-Selectmedium

A network admin is investigating a high CPU usage issue on a FortiGate firewall. The admin runs 'diagnose sys top' and sees that the 'ipsengine' process is consuming 70% CPU. Which TWO actions should the admin take to reduce CPU load?

Select 2 answers
A.Review and optimize IPS signatures; disable unnecessary signatures
B.Increase the IPS engine process priority
C.Increase the IPS engine process priority
D.Disable IPS on all policies
E.Enable IPS hardware acceleration using NPU offloading
AnswersA, E

Reducing the number of active signatures directly reduces CPU overhead.

Why this answer

High CPU usage from ipsengine is reduced by narrowing what the engine has to evaluate (IPS sensors that only enable signatures relevant to the protected hosts, applied only on the policies that need them) and by moving inspection onto hardware where the platform supports it. Raising the process priority (B and C) changes scheduling, not the amount of work, and disabling IPS everywhere (D) removes the control rather than tuning it.

691
Multi-Selecthard

A FortiGate administrator wants to use FortiManager to push configuration changes to a managed FortiGate. To ensure changes are applied correctly, the administrator wants to review the exact CLI commands that will be sent. Which TWO tools can be used for this purpose?

Select 2 answers
A.Device manager dashboard
B.Policy consistency check
C.Install preview
D.Revision history
E.ADOM lock
AnswersC, D

Install preview shows the exact CLI commands that will be executed on the device.

Why this answer

Option C is correct because the Install Preview in FortiManager generates the exact CLI commands that will be pushed to the managed FortiGate during an installation, so the administrator can review and verify the changes before they are applied. Option D is also correct because Revision History (Device Manager) keeps each configuration revision and lets the administrator diff two revisions, showing the CLI changes between the running configuration and the one about to be installed, or between any two points in time.

Exam trap

The trap here is that candidates may confuse Install Preview with the Policy Consistency Check, as both involve reviewing configurations, but the consistency check reports conflicting or shadowed policies, not the CLI that will be executed; only Install Preview and the Revision History diff show the actual commands.

692
MCQmedium

An organization wants to use FortiManager to manage multiple FortiGate devices. The administrator needs to ensure that each device group has separate policy and object configurations. Which FortiManager feature should be configured?

A.Policy packages with header/footer policies
B.Administrative Domains (ADOMs)
C.Global ADOM
D.Meta fields
AnswerB

ADOMs provide the required separation of configurations for different device groups.

Why this answer

Option B is correct. Administrative Domains (ADOMs) allow logical separation of devices, policies, and objects. Each ADOM can have its own policy packages and object databases, ensuring isolation between groups.

693
MCQeasy

What is the purpose of a management VDOM on a FortiGate?

A.To log all administrative actions
B.To route traffic between different VDOMs
C.To increase the number of available firewall policies
D.To provide a dedicated environment for administrative access and management protocols
AnswerD

This allows separate security controls for management.

Why this answer

A management VDOM is a dedicated virtual domain that isolates administrative traffic (e.g., HTTPS, SSH, SNMP, syslog) from data-plane traffic. This ensures that management access and protocols like RADIUS or TACACS+ authentication are processed in a separate context, preventing interference with production VDOMs and allowing granular administrative access control.

Exam trap

The trap here is that candidates often confuse a management VDOM with a logging or inter-VDOM routing function, but Fortinet specifically designed it to isolate administrative access and protocols, not to perform data-plane tasks like routing or logging.

How to eliminate wrong answers

Option A is wrong because logging all administrative actions is a function of the local log or syslog configuration, not a purpose of a management VDOM; a management VDOM is typically where log traffic leaves the unit, but its primary purpose is not logging. Option B is wrong because routing traffic between different VDOMs is done by VDOM links, not by a management VDOM, which is specifically for administrative access. Option C is wrong because the number of available firewall policies is limited by the FortiGate model and license, not by the presence of a management VDOM; a management VDOM does not increase policy capacity.

694
MCQhard

A FortiGate is the SAML Service Provider (SP) for a ZTNA application. The IdP is Azure AD. After successful authentication, the user is redirected to the ZTNA proxy with a '403 Forbidden' error. The ZTNA rule has the correct groups allowed. What is the most likely missing configuration?

A.The IdP is not sending the user's group membership in the SAML assertion.
B.The ZTNA proxy certificate is not trusted by the browser.
C.The SAML user group is not mapped to a FortiGate local group.
D.The FortiGate's clock is not synchronized with the IdP.
AnswerA

Why this answer

FortiGate matches SAML users to its user groups through a group attribute carried in the assertion. If Azure AD does not emit that group claim, the user authenticates successfully but belongs to no group the ZTNA rule allows, so the proxy returns 403. The other options surface differently: an untrusted proxy certificate (B) produces a browser warning before any authentication, a missing group mapping on the FortiGate side (C) is ruled out by the statement that the rule's groups are correct, and clock skew (D) makes the assertion itself fail validation, which is an authentication error rather than an authorization one.

695
MCQmedium

Which BGP attribute is used by FortiGate SD-WAN to influence outbound traffic path selection?

A.Next Hop
B.Local Preference
C.MED
D.AS Path
AnswerB

Local Preference is used to influence outbound traffic decision.

696
MCQmedium

An administrator configures a ZTNA gateway with inline CASB to monitor SaaS applications. Users report that access to Salesforce is blocked. The administrator reviews the ZTNA proxy rule and sees that inline CASB is enabled with a 'monitor-only' action. What is the MOST likely reason for the block?

A.The inline CASB profile is set to 'block' for Salesforce
B.The ZTNA proxy rule does not have SSL inspection enabled
C.FortiClient EMS is not assigning the required ZTNA tags
D.A separate application control profile is blocking Salesforce
AnswerD

Application control can block SaaS apps independently.

Why this answer

Inline CASB with 'monitor-only' should not block traffic. The block may be due to a separate application control or web filtering profile applied on the policy.

697
MCQhard

A company uses FortiMail to protect email. They set up DMARC with a policy of 'quarantine' for emails failing SPF and DKIM checks. However, legitimate emails from a third-party service are being quarantined. What should the admin do?

A.Add the sender domain to a whitelist in FortiMail
B.Change the DMARC policy to 'none'
C.Disable DMARC checking for that specific sender
D.Update the SPF record to include the third-party mail server IP
AnswerD

Adding the IP to SPF allows the service to pass SPF check, reducing false quarantines.

Why this answer

Option D is correct because the root cause is alignment, not FortiMail: the third-party service sends on the company's behalf from IPs the domain's SPF record does not authorize, so SPF fails and DMARC quarantines the mail. Adding the service's sending range (or the provider's include mechanism) to the SPF record, or configuring DKIM signing for that service, makes the messages pass DMARC legitimately. Whitelisting (A) or disabling checks (B, C) would let the mail through at the cost of also letting through anyone else spoofing that sender.

698
Matchingmedium

Match each SD-WAN component to its role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Physical or virtual interface in SD-WAN zone

Group of interfaces with same role

Defines traffic steering policy

Service Level Agreement for link quality

Monitors link latency, jitter, and packet loss

Why these pairings

These are key SD-WAN configuration elements in FortiOS.

699
MCQmedium

A company's FortiGate is configured with multiple IPsec VPN tunnels to branch offices. One tunnel keeps dropping and re-establishing every few minutes. The logs show 'IPsec SA negotiation failed' with error 'proposal mismatch'. What is the most likely cause?

A.Dead Peer Detection (DPD) configured too aggressively
B.Mismatched encryption or authentication algorithms between the two VPN peers
C.NAT-Traversal (NAT-T) not enabled
D.Pre-shared key mismatch
AnswerB

Proposal mismatch directly indicates algorithms or parameters don't match.

Why this answer

The error 'proposal mismatch' directly indicates that the two IPsec peers cannot agree on the security parameters for the IKE or IPsec SA. This occurs when the encryption algorithm (e.g., AES256 vs. AES128), authentication algorithm (e.g., SHA256 vs.

SHA1), Diffie-Hellman group, or lifetime values do not match between the FortiGate and the remote peer. The tunnel drops and re-establishes because the negotiation fails, and the FortiGate retries with the same mismatched proposal, leading to repeated failures.

Exam trap

The trap here is that candidates often confuse 'proposal mismatch' with authentication failures (pre-shared key) or connectivity issues (NAT-T/DPD), but the specific log message 'proposal mismatch' is a direct indicator of cryptographic parameter disagreement, not a key or transport layer problem.

How to eliminate wrong answers

Option A is wrong because Dead Peer Detection (DPD) being too aggressive would cause the tunnel to be torn down due to missed keepalives, not a 'proposal mismatch' error; DPD failures are logged as the peer not responding. Option C is wrong because NAT-Traversal (NAT-T) not being enabled would cause ESP to be dropped or the exchange to time out when a NAT device is present, not a proposal mismatch. Option D is wrong because a pre-shared key mismatch fails authentication during IKE Phase 1 and is logged as an authentication failure, not a proposal mismatch.
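The following configuration and debug sequence is an added example, not from the exam page, showing the hub side of a route-based IKEv2 tunnel with explicit phase 1 and phase 2 proposals, the mismatch that produces the 'proposal mismatch' log, and the IKE debug used to confirm which side is offering what. The peer address 203.0.113.10, interface port1, tunnel name to-branch1, and the subnets are assumptions; the pre-shared key is a placeholder.

```fortios
# Added example: hub side of a tunnel whose peer must offer the same proposals.
# Addresses, names and the PSK placeholder are assumptions.

config vpn ipsec phase1-interface
    edit "to-branch1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set remote-gw 203.0.113.10
        # Phase 1: AES-256 with SHA-256 and DH group 14. A branch configured
        # with aes128-sha1 / dhgrp 5 has no common entry -> "proposal mismatch".
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret REPLACE-WITH-LONG-RANDOM-SECRET
    next
end

config vpn ipsec phase2-interface
    edit "to-branch1-p2"
        set phase1name "to-branch1"
        # Phase 2 proposals and PFS group are negotiated separately: a Phase 1
        # match with a Phase 2 mismatch also loops in "proposal mismatch",
        # but only after Phase 1 succeeds. Check both.
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.255.0
    next
end

# Confirm which side is at fault: scope the IKE debug to this peer, then
# watch the SA_INIT / CREATE_CHILD_SA exchange for the offered transforms.
# (Releases before 7.x use "diagnose vpn ike log-filter dst-addr4".)
diagnose vpn ike log filter rem-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable

# ... reproduce the rekey, read the "proposal" lines on both sides ...

diagnose debug disable
diagnose debug reset

# After correcting the branch to aes256-sha256 / dhgrp 14, confirm the SAs:
diagnose vpn tunnel list name to-branch1
```

Keep a single strong proposal per phase on both ends rather than a long list that happens to overlap; multiple entries hide a weak fallback (aes128-sha1, DH group 2) that a downgraded peer can negotiate. If the tunnel establishes and then drops only at the rekey interval, compare the phase 2 lifetimes and PFS group as well as the algorithms.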

700
MCQmedium

An administrator sees the following error when trying to commit changes from FortiManager to a FortiGate: 'Policy check failed: Policy ID 5 uses a zone that does not exist on the device.' What is the most likely cause?

A.The policy package is locked by another administrator
B.The zone referenced in the policy is not yet created on the FortiGate
C.The FortiGate is not running the same firmware version as FortiManager
D.The administrator has insufficient permissions
AnswerB

Why this answer

The error 'Policy check failed: Policy ID 5 uses a zone that does not exist on the device' indicates that the FortiGate does not have the zone object referenced in the policy. When FortiManager pushes a policy that references a zone, the zone must already exist on the managed FortiGate; otherwise, the commit fails. Option B correctly identifies that the zone is missing on the FortiGate.

Exam trap

The trap here is that candidates may confuse a missing object error with a firmware version mismatch or permission issue, but the error message explicitly names the missing zone, making the root cause straightforward if read carefully.

How to eliminate wrong answers

Option A is wrong because a locked policy package would produce a different error, such as 'Policy package is locked by another administrator', not a zone existence error. Option C is wrong because firmware version mismatches typically cause compatibility warnings or installation failures, not a specific zone-not-found error. Option D is wrong because insufficient permissions would result in an authorization failure or 'Permission denied' error, not a policy check failure referencing a missing zone.

701
MCQeasy

An administrator wants to secure email traffic by ensuring that incoming emails are verified against the sender's domain SPF record. Which email authentication method provides this verification?

A.DKIM
B.SPF
C.DMARC
D.S/MIME
AnswerB

SPF verifies sender IP against domain's authorized servers.

Why this answer

Option B is correct. SPF (Sender Policy Framework) checks if the sending IP is authorized by the domain's SPF record in DNS.

702
MCQmedium

An administrator is troubleshooting SD-WAN and runs the following CLI command: 'execute sdwan-health-check status' The output shows that one SD-WAN member has a status of 'dead'. What does this indicate?

A.The member interface is administratively down
B.The member is not meeting the performance SLA thresholds
C.The SD-WAN member is not included in any SD-WAN rule
D.The member has failed the health check probe to the target server
AnswerD

'Dead' indicates that the health check probes on that member are failing, meaning the target server is not responding through that link.

Why this answer

The SD-WAN health check sends probes (ping, HTTP, DNS and similar) to configured servers through each member. A member is marked 'dead' when consecutive probes fail beyond the configured failure count, which is a connectivity failure on that path. It is distinct from an SLA miss: a member can be 'alive' yet fail the latency, jitter or packet-loss thresholds of a performance SLA, and that shows up as an SLA status rather than as 'dead'. In current FortiOS releases the status is inspected with 'diagnose sys sdwan health-check'.

703
MCQhard

An administrator is configuring FortiAnalyzer to receive logs from FortiGates in a multi-VDOM environment. The admin wants to ensure that logs from each VDOM are separated into their own datasets. What must be configured?

A.Enable per-VDOM logging on the FortiGate and use ADOMs on FortiAnalyzer
B.Use the same log settings for all VDOMs
C.Configure a separate log disk partition for each VDOM
D.Configure each VDOM to send logs to a different FortiAnalyzer
AnswerA

Per-VDOM logging allows each VDOM to send logs with its identifier; ADOMs on FortiAnalyzer can then organize logs per VDOM.

Why this answer

Option A is correct because per-VDOM logging on the FortiGate must be enabled to tag logs with the VDOM identifier, and ADOMs on FortiAnalyzer must be configured to segregate those logs into separate datasets. Without both, logs from different VDOMs would be mixed in a single dataset, defeating the purpose of isolation.

Exam trap

The trap here is that candidates often think disk partitions or separate FortiAnalyzers are required for log separation, but FortiAnalyzer ADOMs provide logical separation without additional hardware or complex partitioning.

How to eliminate wrong answers

Option B is wrong because using the same log settings for all VDOMs would not separate logs; it would cause all VDOM logs to be stored together in a single dataset on FortiAnalyzer. Option C is wrong because FortiAnalyzer does not support per-VDOM disk partitions; disk partitions are system-level and not tied to VDOMs. Option D is wrong because sending logs from each VDOM to a different FortiAnalyzer is unnecessary and inefficient; the correct approach is to use ADOMs on a single FortiAnalyzer to logically separate the data.

704
MCQeasy

Which FortiManager feature allows administrators to view the exact configuration changes that would be applied to a managed FortiGate before committing them?

A.Revision history
B.Install preview
C.Device manager
D.Policy checker
AnswerB

Install preview displays the pending changes.

Why this answer

Install preview in FortiManager shows the CLI commands that will be executed on the device, allowing validation before installation.

705
Multi-Selectmedium

A network engineer is troubleshooting an OSPF multi-area setup on a FortiGate. The FortiGate is an ABR (Area Border Router) connecting area 0 and area 1. The engineer notices that routes from area 1 are not being advertised into area 0. Which TWO of the following are possible causes? (Select TWO.)

Select 2 answers
A.OSPF is not enabled on the interface in area 1, or the network type is mismatched
B.The 'redistribute connected' command is missing
C.The FortiGate does not have a direct connection to area 0
D.The FortiGate has a static route to area 1 that overrides OSPF
E.The administrative distance for OSPF is set too high
AnswersA, C

Without OSPF on the area 1 interface no adjacency forms and no area 1 routes are learned; without an area 0 interface the FortiGate is not an ABR and cannot inject summaries into the backbone.

Why this answer

Options A and C are correct. An ABR must have an active interface in area 0 (or a virtual link to it); without that backbone connection the FortiGate is a plain internal router of area 1 and generates no summary LSAs for area 0, so area 1 routes never reach it. On the area 1 side, if the interface is not running OSPF at all, or its network type does not match the neighbor's, no adjacency forms and the FortiGate never learns the area 1 routes it would summarize. (A passive interface is different: it forms no adjacency but its connected prefix is still advertised.) Option B is wrong because inter-area routes are carried by summary LSAs, not redistribution; option D is wrong because a static route only affects this router's forwarding table, not what it advertises for the area; option E is wrong because administrative distance affects route selection locally, not LSA propagation.

706
MCQmedium

When testing HA failover, you manually switch the primary unit to standby. The secondary unit becomes primary but does not take over the IP address of the virtual cluster. What is the MOST likely cause?

A.Session pickup is not enabled
B.The HA interface monitoring is disabled
C.The HA mode is set to 'load-balance' without a virtual cluster IP
D.The HA cluster is in split-brain
AnswerC

In load-balance (active-active) mode the address is owned according to the virtual cluster configuration; without it the new primary does not take the address over.

Why this answer

Option C is correct because in active-active (load-balance) HA, which unit answers for an address follows the virtual cluster configuration; if no virtual cluster is defined for the VDOM, the newly promoted unit does not assume the address as expected. Option A (session pickup) governs whether existing sessions survive the failover, not which unit owns the IP. Option B (interface monitoring) affects when a failover is triggered, not address takeover. Option D is unlikely after a deliberate manual failover; a split-brain cluster would show both units claiming primary, which the scenario does not describe.

707
MCQhard

An SD-WAN rule uses a performance SLA to steer traffic to the best-quality link. Traffic is consistently using the backup link even though the primary link meets SLA thresholds. The admin runs 'diagnose sys sdwan sla-check' and sees the primary link SLA status is 'pass'. What is the MOST likely cause?

A.The primary link's interface is administratively down
B.The primary link's cost is set higher than the backup
C.The SD-WAN rule's strategy is not set to 'Best Quality' or 'SLA'
D.The backup link has a higher bandwidth
AnswerC

The rule must use SLA-based strategy; otherwise, it may ignore SLA results.

Why this answer

Option C is correct. A performance SLA only feeds strategies that use it: 'Best Quality' ranks members by measured link quality, and the SLA-based strategies ('Lowest Cost (SLA)', 'Maximize Bandwidth (SLA)') use the SLA result only to exclude members that are out of SLA. A rule in 'Manual' mode, or an SLA strategy in which the backup member is listed first and both members are in SLA, keeps steering traffic to the backup even though the primary also passes. Confirm which member the rule actually selected with 'diagnose sys sdwan service' (the chosen member is listed first) and the health-check results with 'diagnose sys sdwan health-check'.

708
MCQeasy

An administrator is configuring SSL VPN on FortiGate and wants to allow users to access internal applications via a web portal without installing any client software. Which SSL VPN mode should be used?

A.DTLS
B.Tunnel mode
C.Web mode
D.Split tunneling
AnswerC

Web mode provides clientless access through a web portal.

Why this answer

Web mode (option C) is correct because it enables users to access internal web applications through a FortiGate SSL VPN web portal using only a standard browser, with no client software installation required. The portal acts as a reverse proxy, translating HTTPS requests from the client to the internal application servers, making it ideal for clientless remote access.

Exam trap

The trap here is confusing 'Web mode' with 'Tunnel mode' because both are SSL VPN features, but only Web mode provides clientless access via a browser portal, whereas Tunnel mode always requires the FortiClient software to be installed.

How to eliminate wrong answers

Option A is wrong because DTLS (Datagram Transport Layer Security) is a protocol used to provide low-latency encryption for UDP-based traffic in SSL VPN tunnel mode, not a standalone SSL VPN mode for clientless web portal access. Option B is wrong because Tunnel mode requires the installation of the FortiClient SSL VPN client software on the user's device to create a virtual network interface and route all or specific traffic through the tunnel, which contradicts the requirement of no client software. Option D is wrong because Split tunneling is a routing configuration that determines whether traffic destined for the internet goes through the VPN tunnel or directly to the internet; it is not an SSL VPN mode and does not define how users access applications.

709
MCQmedium

A FortiGate admin notices that sessions to a particular server are not being logged in FortiAnalyzer. The firewall policy has logging enabled. What is the MOST likely reason?

A.The FortiAnalyzer's device registration is incorrect
B.The log queue on FortiGate is full
C.The FortiGate is not configured to send logs to FortiAnalyzer
D.The FortiAnalyzer is out of disk space
AnswerC

If the log forwarding is not set up, logs are stored locally but not sent to FortiAnalyzer.

Why this answer

Option C is correct. Logging to FortiAnalyzer requires the FortiGate to forward logs in the first place ('config log fortianalyzer setting' with 'set status enable' and 'set server <FortiAnalyzer IP>') and the FortiAnalyzer to have authorised the device; 'execute log fortianalyzer test-connectivity' confirms both. Options A, B and D describe real conditions, but each produces a visible connection or disk error on one side or the other rather than sessions that simply never leave the FortiGate.

710
MCQhard

A FortiGate with VDOMs enabled has a management VDOM (mgmt-vdom) and a traffic VDOM (traffic-vdom). The admin wants to manage the FortiGate via HTTPS from a network in traffic-vdom. What configuration is needed?

A.Configure a static route in the management VDOM to reach traffic-vdom subnets
B.Enable 'admin-sport' in the global system settings
C.Add the interface from traffic-vdom to the management VDOM using 'set vdom mgmt-vdom' in the interface configuration
D.Create a firewall policy in traffic-vdom allowing HTTPS to the FortiGate's IP
AnswerC

This moves the interface into the management VDOM, allowing management traffic.

Why this answer

Option C is the page's answer: moving the interface into the management VDOM with 'set vdom mgmt-vdom' places it in the VDOM the FortiGate uses for its own system traffic, and management over that interface then works. In practice, however, administrative access in FortiOS is controlled per interface: any interface in any VDOM accepts HTTPS management once 'set allowaccess https' is enabled on it (subject to trusted hosts and local-in policies), so an interface does not have to leave traffic-vdom to be managed from. Note also that an interface belongs to exactly one VDOM; reassigning it removes it from the policies and routes of the VDOM it came from, so it does not 'still pass traffic' for the original VDOM.

Exam trap

The trap here is that candidates assume a firewall policy is what permits management access to the FortiGate itself. Traffic addressed to a FortiGate interface is local-in traffic: it is governed by the interface's allowaccess setting and local-in policies, not by the VDOM's firewall policies.

How to eliminate wrong answers

Option A is wrong because a static route in the management VDOM does not make an interface in traffic-vdom accept management sessions; each VDOM has its own routing table, and reaching another VDOM's subnets requires inter-VDOM links, which is not what is being asked. Option B is wrong because 'admin-sport' (under 'config system global') only changes the TCP port used for HTTPS administration; it does not open any interface for management. Option D is wrong because traffic to the FortiGate's own interface IP is local-in traffic and is never matched by a normal firewall policy; it is allowed or denied by 'set allowaccess' on the interface and by local-in policies.

711
MCQmedium

An administrator needs to generate a report showing top applications by bandwidth usage across all VDOMs for the last 30 days. Which FortiAnalyzer feature should be used?

A.FortiView
B.Playbooks
C.Log browsing
D.Incident management
AnswerA

Correct.

Why this answer

FortiView is the correct feature because it provides pre-aggregated, real-time and historical traffic analytics, including top applications by bandwidth usage, across all VDOMs without requiring custom queries. It leverages the FortiAnalyzer’s built-in data summarization engine to display per-VDOM and cross-VDOM application usage over a specified time range, such as the last 30 days.

Exam trap

The trap here is that candidates may confuse FortiView with log browsing, thinking raw logs are needed for custom reports, but FortiView’s pre-aggregated analytics are specifically designed for this exact use case.

How to eliminate wrong answers

Option B (Playbooks) is wrong because Playbooks are used for automated threat response and remediation workflows, not for generating bandwidth usage reports. Option C (Log browsing) is wrong because while log browsing allows raw log inspection, it does not aggregate or summarize top applications by bandwidth across VDOMs; it requires manual parsing and lacks built-in ranking. Option D (Incident management) is wrong because incident management focuses on tracking and resolving security incidents, not on bandwidth or application usage reporting.

712
MCQeasy

An administrator wants to see the current sessions for a specific source IP address 192.168.1.10. Which CLI command should be used?

A.diagnose sys session filter src 192.168.1.10; diagnose sys session list
B.get system session list src 192.168.1.10
C.diagnose debug flow src-addr 192.168.1.10
D.execute session list source 192.168.1.10
AnswerA

This is the correct way to filter and list sessions for a source IP.

Why this answer

The 'diagnose sys session filter' command sets the criteria (here the source address); 'diagnose sys session list' then prints only the sessions that match. Clear the filter afterwards with 'diagnose sys session filter clear', because it stays in effect for later session commands; in particular, 'diagnose sys session clear' with no filter set removes every session on the unit.

713
MCQmedium

A FortiGate is configured with policy-based routing to force traffic from subnet 10.0.1.0/24 to go through a WAN interface. The administrator notices that traffic from 10.0.1.0/24 is still using the default route. Which debug command can confirm if the policy-based routing is being applied?

A.diagnose debug routing ip-probe 10.0.1.1 8.8.8.8
B.diagnose debug flow policy-based-route
C.diagnose debug enable && diagnose debug router policy
D.get router info policy-based-route
AnswerB

This command shows whether a policy route matched and what action was taken. Two tools that do this on any FortiOS release are 'diagnose firewall proute list', which prints the active policy routes with their match criteria and output device, and the flow trace ('diagnose debug flow filter saddr 10.0.1.10', 'diagnose debug flow trace start 10', 'diagnose debug enable'), which reports a policy-route match for each traced packet before the routing table lookup. Policy routes are consulted only for the first packet of a new session, so clear the existing session for the test host before tracing.

714
Multi-Selecteasy

A FortiGate is acting as a SAML Service Provider (SP) for user authentication. Which TWO of the following are required for successful SAML SSO?

Select 2 answers
A.The FortiGate must have a static public IP address
B.The IdP's metadata must be imported to the FortiGate
C.The users must be in the same Active Directory domain as the FortiGate
D.A pre-shared key must be configured
E.The SP (FortiGate) must have a certificate for signing SAML requests
AnswersB, E

The metadata contains the IdP's entity ID, endpoints, and signing certificate, which FortiGate needs to trust and communicate.

Why this answer

For a FortiGate acting as SP, the IdP's entity ID, single sign-on URL and signing certificate (all carried in the IdP metadata) must be configured so that assertions can be validated, and the SP needs its own certificate to sign its requests and, where used, decrypt assertions. Options B and E are correct. Options A, C and D are not SAML requirements: SAML trust is built on certificates and URLs, not pre-shared keys, the IdP can be in any domain, and the FortiGate only needs to be reachable at the URLs published to the IdP.

715
MCQeasy

Which feature in FortiMail provides an additional layer of protection by analyzing the behavior of email attachments in a sandbox environment?

A.Outbreak Prevention
B.Anti-spam
C.Content Disarm and Reconstruction
D.FortiSandbox integration
AnswerD

FortiSandbox integration sends attachments to the sandbox for dynamic analysis.

Why this answer

Option D is correct. FortiMail integrates with FortiSandbox to analyze attachment behavior in a sandbox, providing advanced threat detection beyond signature-based methods. Outbreak Prevention (A) uses FortiGuard hash lookups, anti-spam (B) classifies messages, and CDR (C) strips active content rather than executing it.

716
MCQmedium

A security administrator wants to generate a weekly report in FortiAnalyzer that shows the top threats detected by the FortiGate. Which feature should the administrator use to create this report?

A.Incidents
B.Reports
C.Playbooks
D.FortiView
AnswerB

Reports allow custom report generation with scheduling.

Why this answer

The Reports feature in FortiAnalyzer is specifically designed to generate scheduled, customizable reports that aggregate security event data from FortiGate devices. By creating a report template with threat-based charts and tables, the administrator can schedule a weekly output showing top threats, leveraging the ADOM and SQL-based report engine for granular data selection.

Exam trap

The trap here is that candidates confuse FortiView's real-time dashboards with the scheduled reporting capability, assuming that a dashboard can be exported weekly, but FortiView lacks the scheduling engine and template-based output that Reports provide.

How to eliminate wrong answers

Option A is wrong because Incidents in FortiAnalyzer are used for tracking and managing security incidents as they occur, not for generating scheduled summary reports. Option C is wrong because Playbooks are automation workflows for incident response actions, not for report generation. Option D is wrong because FortiView provides real-time dashboards and ad-hoc visualizations, but it lacks the scheduling and templating capabilities needed for a weekly report.

717
Multi-Selecteasy

A company is deploying FortiGate in transparent mode between an existing router and LAN switch. Which TWO statements about transparent mode are true?

Select 2 answers
A.The FortiGate forwards traffic based on MAC addresses
B.Each interface requires an IP address
C.The FortiGate can perform routing
D.Transparent mode supports multiple VDOMs
E.The FortiGate does not perform NAT by default
AnswersA, E

As a Layer 2 device, forwarding is based on MAC addresses.

Why this answer

Option A is correct because in transparent mode the FortiGate operates as a Layer 2 bridge, forwarding frames by MAC address rather than routing by IP. It still inspects traffic up to the application layer, but it does not rewrite the Layer 3 header, which makes it invisible to the devices on either side. Option E is correct for the same reason: source and destination addresses are left untouched, so NAT is not applied unless it is explicitly configured. The VDOM is reached through a single management IP instead of per-interface addresses (so B is false), and the FortiGate does not route between subnets in this mode (so C is false).

Exam trap

The trap here is that candidates often assume transparent mode requires IP addresses on all interfaces (like route mode) or that it can perform routing, but FortiGate transparent mode is strictly a Layer 2 bridge with no routing capability.

718
MCQmedium

An administrator is configuring a FortiGate as a LAN edge device with FortiSwitch and FortiAP. Which feature must be enabled on the FortiGate to centrally manage the FortiSwitch and FortiAP devices?

A.CAPWAP
B.LLDP
C.SNMP
D.FortiLink
AnswerD

FortiLink is the Fortinet protocol through which a FortiGate manages FortiSwitch units; FortiAPs connected to those switches are discovered and managed over the same link.

Why this answer

Option D is correct. FortiLink is enabled on a dedicated FortiGate interface (or aggregate) to which the FortiSwitch uplinks connect; the FortiSwitch units are then authorized and managed from the FortiGate, and FortiAPs attached to their ports are discovered and managed via CAPWAP across the FortiLink. CAPWAP (A) is the AP management transport but does not manage switches; LLDP and SNMP (B, C) are discovery and monitoring protocols, not management planes.

719
MCQhard

You run the following command on a FortiGate: `diagnose sys session filter dport 443` Output: `proto=6 proto_state=01 duration=3600 expire=3599` What does this output indicate?

A.The session is for UDP port 443, is in state ESTABLISHED, and has 3599 bytes remaining.
B.The session is for TCP port 443, is in state SYN_SENT, and has been active for 3600 seconds.
C.The session is for TCP port 443, is in state TIME_WAIT, and will expire in 3600 seconds.
D.The session is for TCP port 443, is in state FIN_WAIT, and will expire in 3599 seconds.
AnswerB

proto=6 is TCP, duration=3600 is the number of seconds since the session was created, and expire=3599 is the number of seconds left before the session is removed if no further packets arrive (it is reset toward the timeout value on every packet). The page's answer is B, but note that FortiOS does not encode SYN_SENT as 01: in proto_state the trailing digit is the TCP state, with 1 = ESTABLISHED, 2 = SYN_SENT, 3 = SYN/SYN-ACK seen, 4 = FIN_WAIT, 5 = TIME_WAIT, 6 = CLOSE, 7 = CLOSE_WAIT, 8 = LAST_ACK and 9 = LISTEN, so 01 is an established TCP session. For UDP, 00 means only one direction has been seen and 01 that a reply was seen. Also, 'diagnose sys session filter dport 443' only sets the filter; the output shown comes from a following 'diagnose sys session list'.
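To make the field meanings concrete, here is an added example (not part of the original question bank) that parses the key=value blocks printed by 'diagnose sys session list' and decodes proto and proto_state as described above. The sample output is constructed: the field layout follows the real command, but the addresses, policy IDs and counters are made up, and the state tables are the ones quoted in the explanation.

```python
import re

# Protocol numbers and FortiOS proto_state meanings as used in the session table.
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}
TCP_STATES = {"0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_RECV",
              "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
              "8": "LAST_ACK", "9": "LISTEN"}
UDP_STATES = {"0": "ONE_WAY", "1": "REPLY_SEEN"}

# Constructed sample of 'diagnose sys session list' output, trimmed to the
# lines this parser reads (three sessions: an established HTTPS session,
# a TCP session stuck waiting for SYN/ACK, and a DNS query with no reply yet).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=4120/31/1 reply=55231/47/1 tuples=2
hook=post dir=org act=snat 10.0.1.10:51234->198.51.100.7:443(203.0.113.5:51234)
hook=pre dir=reply act=dnat 198.51.100.7:443->203.0.113.5:51234(10.0.1.10:51234)
policy_id=7 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=02 duration=28 expire=2 timeout=10 flags=00000000 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
hook=post dir=org act=noop 10.0.1.11:40002->10.20.0.5:443(0.0.0.0:0)
hook=pre dir=reply act=noop 10.20.0.5:443->10.0.1.11:40002(0.0.0.0:0)
policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=5 expire=175 timeout=180 flags=00000000 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=62/1/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 10.0.1.12:53011->198.51.100.53:53(203.0.113.5:53011)
hook=pre dir=reply act=dnat 198.51.100.53:53->203.0.113.5:53011(10.0.1.12:53011)
policy_id=7 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

KV = re.compile(r"(\w+)=(\S*)")
FLOW = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) ([\d.]+):(\d+)->([\d.]+):(\d+)\(([\d.]+):(\d+)\)")
STATS = re.compile(r"org=(\d+)/(\d+)/\d+ reply=(\d+)/(\d+)/\d+")


def parse_sessions(text):
    """Group the lines belonging to each 'session info:' block into one dict."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            cur = {"flows": []}
            cur.update(KV.findall(line))
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("hook="):          # one line per direction, with the NAT tuple in ()
            m = FLOW.match(line)
            if m:
                cur["flows"].append({"hook": m[1], "dir": m[2], "act": m[3],
                                     "src": f"{m[4]}:{m[5]}", "dst": f"{m[6]}:{m[7]}",
                                     "nat": f"{m[8]}:{m[9]}"})
        elif line.startswith("statistic"):      # byte counters per direction
            m = STATS.search(line)
            if m:
                cur["org_bytes"], cur["reply_bytes"] = int(m[1]), int(m[3])
        elif line.startswith("policy_id="):
            cur.update(KV.findall(line))
    return sessions


def describe(sess):
    """Decode the fields a troubleshooter looks at first."""
    proto = PROTOCOLS.get(sess["proto"], "proto" + sess["proto"])
    digit = sess["proto_state"][-1]             # the trailing digit carries the state
    if proto == "TCP":
        state = TCP_STATES.get(digit, "UNKNOWN")
    elif proto == "UDP":
        state = UDP_STATES.get(digit, "UNKNOWN")
    else:
        state = "N/A"
    return {"proto": proto, "state": state,
            "duration": int(sess["duration"]), "expire": int(sess["expire"]),
            "timeout": int(sess["timeout"]), "policy_id": int(sess.get("policy_id", -1)),
            "reply_bytes": sess.get("reply_bytes", 0)}


def hint(desc):
    """First-pass verdict: a session that never sees a reply points at the return path or the far-end policy."""
    if desc["proto"] == "TCP" and desc["state"] == "SYN_SENT":
        return "no SYN/ACK seen: check return routing and the far-end policy"
    if desc["proto"] == "UDP" and desc["state"] == "ONE_WAY" and desc["duration"] > 3:
        return "no reply seen: server or return path not answering"   # 3 s is an arbitrary grace period
    if desc["state"] in ("ESTABLISHED", "REPLY_SEEN"):
        return "session is passing traffic in both directions"
    return "no verdict"


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        d = describe(s)
        print(f"{d['proto']:<4} {d['state']:<12} dur={d['duration']:<5} exp={d['expire']:<5} "
              f"policy={d['policy_id']} {s['flows'][0]['src']}->{s['flows'][0]['dst']}  {hint(d)}")
```

Paste the real output of 'diagnose sys session list' into SAMPLE (or read it from a file) to triage a large table the same way; the SYN_SENT and ONE_WAY hints are the cases that usually indicate a missing return route or a policy on the far side.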

720
Multi-Selectmedium

An administrator wants to integrate a FortiExtender into an existing SD-WAN deployment. Which TWO steps are required for proper integration?

Select 2 answers
A.Disable all other WAN interfaces
B.Authorize the FortiExtender on the FortiGate
C.Enable NAT on the FortiExtender interface
D.Configure a separate VDOM for the FortiExtender
E.Configure the FortiExtender as an SD-WAN member
AnswersB, E

Authorization is needed for management and integration.

Why this answer

The FortiExtender must be authorized and added as an SD-WAN member to participate in SD-WAN.

721
MCQeasy

What is the purpose of a management VDOM in a multi-VDOM FortiGate deployment?

A.To route traffic between different VDOMs
B.To aggregate logs from all other VDOMs
C.To enforce inter-VDOM traffic policies centrally
D.To host the management interfaces and administrative services (GUI, SSH) while other VDOMs carry user traffic
AnswerD

Correct.

Why this answer

A management VDOM is the VDOM whose interfaces and routing table the FortiGate itself uses for system-originated traffic (FortiGuard updates, DNS, NTP, log forwarding to FortiAnalyzer or syslog, SNMP traps), and it is normally where the dedicated management interfaces live, so that administration does not depend on the data VDOMs. Administrative GUI/SSH access is not restricted to it, since any interface in any VDOM can be opened for management with 'set allowaccess', but keeping the management interfaces in their own VDOM isolates them from user traffic, from the data VDOMs' policies, and from overload or compromise of a data VDOM.

Exam trap

The trap here is that candidates confuse the management VDOM's role with inter-VDOM routing or policy enforcement, mistakenly thinking it controls traffic between VDOMs, when in fact it only provides isolated administrative access.

How to eliminate wrong answers

Option A is wrong because inter-VDOM routing is handled by inter-VDOM links plus routes and policies in the VDOMs concerned, not by the management VDOM; the management VDOM does not forward user traffic. Option B is wrong because log aggregation is done by FortiAnalyzer or a syslog server; the management VDOM is the VDOM from which the FortiGate sends its logs, but it does not collect logs from the other VDOMs. Option C is wrong because inter-VDOM traffic is permitted by the firewall policies of the VDOMs on each side of the inter-VDOM link; the management VDOM does not inspect or control traffic between other VDOMs.

722
MCQmedium

A FortiGate administrator is troubleshooting a VPN tunnel that is up but no traffic passes through. The Phase 2 selectors match. The administrator runs 'diagnose vpn tunnel list' and sees that the tunnel has '0 bytes' in both directions. What is the MOST likely cause?

A.The firewall policy is not configured to allow traffic through the tunnel
B.The static route for the remote subnet does not point to the VPN tunnel interface
C.The IPsec SA rekey interval is too short
D.The NAT traversal is not enabled
AnswerB

Without proper routing, traffic is not sent to the tunnel.

Why this answer

Option B is correct. A correct Phase2 SA but zero traffic indicates that routing is not directing traffic into the tunnel. The routes for the remote subnet must point to the tunnel interface.

723
MCQmedium

An administrator needs to ensure that traffic from the internal network (10.0.0.0/8) destined to the Internet is routed through a specific next-hop (192.168.1.1) only if a more specific route for the destination does not exist. Which routing feature should be used?

A.Configure route redistribution from BGP to OSPF.
B.Enable ECMP load balancing.
C.Use policy-based routing with a deny rule for the specific prefixes that have more specific routes.
D.Create a static default route with a higher administrative distance.
AnswerC

Policy routes in FortiOS are evaluated before the routing table, so a plain policy route sending 10.0.0.0/8 to 192.168.1.1 would override even the more specific routes. The requested behaviour is obtained by placing policy routes with action 'deny' (stop policy routing) for the destinations that have more specific routes above the steering entry: traffic that matches a deny entry falls through to the normal routing table, and everything else is steered to 192.168.1.1.

Why this answer

Option C is the page's answer. Option D does not filter by destination: a default route with a higher distance is never installed while the lower-distance default exists, so it cannot act as a conditional next hop. Options A and B are unrelated to choosing a next hop for a subset of traffic. Keep in mind that option C requires the deny list to be maintained by hand whenever a specific route is added or removed; if the only requirement is 'use 192.168.1.1 unless a more specific route exists', a static default route to 192.168.1.1 already gives exactly that, because the routing table prefers the longest matching prefix.

724
Multi-Selectmedium

An administrator needs to configure a FortiGate to ensure that antivirus scanning is performed on SMTP traffic. Which two configuration items are required? (Choose two.)

Select 2 answers
A.Firewall policy applying the antivirus profile
B.SSL/SSH inspection profile
C.Application control profile
D.Email filter profile
E.Antivirus profile
AnswersA, E

The policy must reference the profile for it to be active.

Why this answer

Option A is correct because a firewall policy is required to apply an antivirus profile to SMTP traffic. Without a firewall policy that matches the SMTP traffic (typically on port 25), the FortiGate will not inspect the traffic at all. Option E is correct because the antivirus profile itself defines the scanning settings, signatures, and actions for detecting malware in SMTP attachments and message bodies.

Exam trap

The trap here is that candidates often think an email filter profile (Option D) is sufficient for antivirus scanning, but the email filter profile handles spam and content filtering, not malware signature detection, which requires a separate antivirus profile.

725
Multi-Selectmedium

Which THREE conditions must be met for an IPsec VPN to successfully establish phase2?

Select 3 answers
A.Proxy IDs (local and remote subnets) match on both sides
B.Firewall policies allow traffic between the subnets
C.Perfect Forward Secrecy (PFS) settings match if enabled
D.Phase2 proposals match between peers
E.NAT traversal is enabled on both sides
AnswersA, C, D

Phase2 uses proxy IDs to define interesting traffic; they must match.

Why this answer

Option A is correct because IPsec Phase 2 uses Proxy IDs (local and remote subnets, also called traffic selectors) to negotiate the security associations (SAs) that define which traffic is protected. If the proxy IDs do not match on both peers, the IKEv1 Quick Mode exchange (or the IKEv2 CREATE_CHILD_SA exchange) fails and no Phase 2 SA is established. Options C and D are required for the same reason: the peers must agree on the Phase 2 proposal, and if PFS is enabled the DH group must match as well. NAT traversal (E) is only needed when a NAT device sits between the peers, and firewall policies (B) decide what traffic may enter an established tunnel, not whether it negotiates.

Exam trap

The trap here is that candidates often confuse firewall policy requirements with Phase 2 negotiation requirements, mistakenly thinking that firewall policies must allow traffic before Phase 2 can establish, when in fact Phase 2 only requires matching proxy IDs, proposals, and PFS settings.

726
MCQmedium

A company uses FortiGate ZTNA to provide remote access to an internal web application. The application requires client certificates for authentication. The administrator has configured the ZTNA rule to use certificate authentication. However, users report that they are prompted for credentials repeatedly. What is the most likely cause?

A.The user's password has expired.
B.The ZTNA rule is configured to use SAML authentication instead.
C.The client certificate is not trusted by the FortiGate.
D.The FortiClient EMS server is not reachable from the client.
AnswerC

An untrusted certificate causes authentication failures.

Why this answer

When a ZTNA rule is configured for certificate authentication, the FortiGate must trust the client certificate's issuing CA. If the CA certificate is not imported into the FortiGate's trusted CA list, the certificate chain validation fails, causing the authentication to be rejected and the client to be repeatedly prompted for credentials. This is the most common cause of repeated credential prompts in certificate-based ZTNA setups.

Exam trap

The trap here is that candidates often assume repeated credential prompts are caused by password issues or SAML misconfiguration, but in a certificate-based ZTNA rule, the root cause is almost always a trust issue with the client certificate's CA on the FortiGate.

How to eliminate wrong answers

Option A is wrong because a password expiration would not cause repeated credential prompts in a certificate-based authentication scenario; certificate authentication does not rely on user passwords. Option B is wrong because if the ZTNA rule were configured to use SAML, the user would be redirected to a SAML IdP for authentication, not repeatedly prompted for credentials in the same manner as a failing certificate handshake. Option D is wrong because the FortiClient EMS server being unreachable would affect endpoint compliance and posture checks, but not the certificate authentication process itself; the repeated credential prompt is a direct result of certificate validation failure, not EMS connectivity.

727
MCQeasy

What is the function of a route map in FortiGate routing?

A.To configure load balancing between multiple WAN links.
B.To filter and modify routing information during redistribution.
C.To enable BFD on a specific interface.
D.To create a static route for a specific destination.
AnswerB

Route maps are used to match routes based on criteria and then set attributes or permit/deny the route during redistribution or policy routing.

Why this answer

Route maps provide granular control over route redistribution by matching prefix lists or other attributes and then applying actions like set metric, set next hop, or permit/deny.

728
Multi-Selecthard

An administrator is configuring BGP on a FortiGate to peer with an ISP router. The FortiGate is advertising a prefix (203.0.113.0/24) to the ISP. To ensure that traffic to the prefix is load balanced across two WAN links (port1 and port2) using SD-WAN, the administrator must configure which THREE of the following? (Select THREE.)

Select 3 answers
A.Define both port1 and port2 as SD-WAN members
B.Configure a performance SLA to monitor each link
C.Enable 'set load-balance-mode' on the SD-WAN rule to 'sessions' or another algorithm
D.Configure BGP to use the same AS number on both members
E.Create an SD-WAN rule that matches traffic and uses a load balancing algorithm like 'sessions'
AnswersA, C, E

SD-WAN members are the interfaces to be load balanced.

Why this answer

Options A, C and E are correct. Both WAN interfaces must be SD-WAN members (A), and a rule must match the traffic and use a load-balancing strategy such as 'sessions' (C and E describe the same requirement from the CLI and GUI sides: the algorithm is 'set load-balance-mode' under 'config system sdwan', and a rule with 'set mode load-balance' inherits it). A performance SLA (B) is only needed for SLA-based steering, and D is not meaningful because the AS number belongs to the BGP process, not to an interface.

Note that SD-WAN only steers outbound sessions. How inbound traffic to 203.0.113.0/24 arrives is decided by the ISP's routing, so advertising the prefix over BGP sessions on both links with equal attributes is a separate requirement that SD-WAN does not cover.

729
MCQeasy

A FortiGate is configured with two static routes to the same destination 0.0.0.0/0 with equal distance but different priorities. The priority values are 10 and 20. Which route will be used for traffic matching the default route?

A.The route with priority 20 will be used.
B.The route with lower distance will be used.
C.The route with priority 10 will be used.
D.Both routes will be used for load balancing.
AnswerC

Priority 10 is higher preference than 20.

Why this answer

In FortiGate, when multiple static routes have the same distance (administrative distance) to the same destination, the route with the lowest priority value is selected. Priority is a FortiGate-specific metric that breaks ties among routes with equal distance. Since priority 10 is lower than 20, the route with priority 10 will be installed in the routing table and used for traffic matching 0.0.0.0/0.

Exam trap

The trap here is that candidates assume a higher priority number means a more preferred route, as it does on some other platforms; for FortiGate static routes the lower priority value wins, and priority is only consulted after distance has already been compared.

How to eliminate wrong answers

Option A is wrong because a higher priority value (20) is less preferred; FortiGate selects the route with the lowest priority, not the highest. Option B is wrong because the question states both routes have equal distance, so distance does not differentiate them; the selection is based on priority, not distance. Option D is wrong because load balancing between static routes requires equal distance and equal priority; with different priorities, only the lowest priority route is active, and the other serves as a backup.

730
MCQmedium

An administrator configures FortiGate as a SAML identity provider (IdP) for a cloud application. The application (SP) initiates the login. Users are redirected to the FortiGate login page and authenticate successfully, but then receive an error from the SP. What is a common cause?

A.The SP's ACS (Assertion Consumer Service) URL is misconfigured on the FortiGate
B.The FortiGate's certificate is not trusted by the user's browser
C.The user's account is locked
D.The SAML attribute mapping is incorrect
AnswerA

If the ACS URL is wrong, the SP won't accept the assertion, causing an error after login.

Why this answer

When FortiGate is the IdP, it must be configured with the SP's entity ID and ACS URL. The ACS URL is where the FortiGate posts the SAML response after login, and it is also written into the response's Destination and the assertion's Recipient fields; if it does not match what the SP expects, the SP rejects the assertion even though the user authenticated correctly. Option D (attribute mapping) would typically let the user in but with the wrong identity or group membership, B would show up as a browser warning before login, and C would fail at the FortiGate login page, not after it.
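The checks an SP runs on the response, which is where a wrong ACS URL surfaces, as an added example that is not part of the original question bank. The SAML response is a constructed, unsigned sample (a real response from a FortiGate IdP is signed, and the signature must be verified against the IdP certificate before any of these checks matter); the SP entity ID and ACS URL are assumed values, corresponding to what is entered for the service provider on the IdP side.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# SP-side configuration (assumed values). The IdP must hold the same two
# strings for this SP; on a FortiGate IdP they are the service-provider
# entry's entity ID and single sign-on (ACS) URL under 'config system saml'.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"

# Constructed, unsigned response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://fgt.example.com/saml-idp/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://fgt.example.com/saml-idp/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Fixed clock values so the example is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
LATE_NOW = datetime(2024, 1, 1, 13, 0, 0, tzinfo=timezone.utc)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, now=SAMPLE_NOW):
    """Return the reasons an SP would reject this response (an empty list means accept)."""
    problems = []
    root = ET.fromstring(xml_text)
    # The ACS URL configured on the IdP ends up in Destination and Recipient.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion present")
        return problems
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient is not our ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData NotOnOrAfter has passed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("Conditions NotBefore is in the future")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("Conditions NotOnOrAfter has passed")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:          # the SP entity ID must be a named audience
            problems.append(f"Audience {audiences} does not include our entity ID")
    return problems


if __name__ == "__main__":
    print("correct config:", check_response(SAMPLE_RESPONSE) or "accepted")
    print("wrong ACS URL: ", check_response(SAMPLE_RESPONSE, acs_url="https://app.example.com/wrong"))
    print("expired:       ", check_response(SAMPLE_RESPONSE, now=LATE_NOW))
```

The three prints show the three failure classes a practitioner meets after a successful IdP login: an ACS URL typo on the IdP (Destination and Recipient both wrong), a wrong SP entity ID (Audience wrong), and clock skew between IdP and SP (the NotBefore/NotOnOrAfter window). When an SP's error page is unhelpful, decoding the base64 SAMLResponse from the browser's POST and running these checks against the SP's own settings locates the mismatch directly.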

731
MCQhard

An administrator configures a custom IPS signature to detect traffic to a specific malicious domain. Which syntax is correct for a custom IPS signature in FortiGate?

A.config ips custom signature edit "malicious_domain" set signature "alert tcp any any -> any any (msg:"malicious"; content:"example.com";)" end
B.config firewall policy edit 1 set ips-filter "malicious_domain" end
C.set ips-sensor custom-signature "malicious_domain" pattern "example.com"
D.F-SBID( --name "malicious_domain"; --pattern "example.com"; --service HTTP; )
AnswerD

This is the FortiGate custom IPS signature syntax: an F-SBID( ... ) block of '--option value;' pairs. In practice a signature for a domain also restricts where the pattern is searched, for example --protocol tcp; --service HTTP; --context host; --pattern "example.com"; --no_case; so that it matches the HTTP Host header rather than any occurrence of the string in any TCP stream. Option A is Snort syntax, which FortiOS does not accept; B and C are not valid FortiOS commands.

732
MCQhard

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The Phase 1 status shows 'init' and the debug output indicates 'no suitable proposal found'. The remote peer is a third-party VPN device. Which of the following is the MOST likely cause?

A.The pre-shared key is incorrect on one side
B.The remote peer's IP address is not reachable
C.The IKE version or encryption algorithm does not match between the peers
D.The firewall policy allowing the VPN traffic is missing
AnswerC

Proposal mismatch is caused by incompatible IKE parameters like encryption, hash, or DH group.

Why this answer

Option C is correct. 'No suitable proposal found' means the local and remote devices do not share a common IKE proposal (encryption, authentication, DH group, etc.). This is a proposal mismatch in Phase 1.

733
MCQmedium

In a multi-VDOM deployment, an administrator needs to route traffic between VDOM-A and VDOM-B. The administrator creates a VDOM link between the two VDOMs. What additional configuration is required on each VDOM to enable inter-VDOM traffic?

A.Only a firewall policy on VDOM-A allowing traffic to VDOM-B
B.Assign the VDOM link interfaces to the same VDOM
C.Enable 'inter-vdom-routing' under system settings only
D.Configure a static route on each VDOM pointing to the other VDOM's networks via the VDOM link, and create a firewall policy allowing traffic
AnswerD

Routes direct traffic to the VDOM link, and policies permit the traffic. Both are needed.

Why this answer

Option D is correct because inter-VDOM traffic via a VDOM link requires both a static route on each VDOM pointing to the remote VDOM's networks through the VDOM link interface, and a firewall policy on each VDOM that permits the desired traffic. Without the static route, the VDOM does not know how to reach the other VDOM's subnets; without the firewall policy, traffic is blocked by the implicit deny rule. The VDOM link itself provides the Layer 2 or Layer 3 connectivity between the VDOMs, but routing and policy enforcement are mandatory for traffic to flow.

Exam trap

The trap here is that candidates often assume a VDOM link alone provides full connectivity, forgetting that FortiOS requires explicit routing and firewall policies on both sides of the link to actually forward traffic between VDOMs.

How to eliminate wrong answers

Option A is wrong because a firewall policy on VDOM-A alone is insufficient; VDOM-B also needs a firewall policy to allow return traffic, and both VDOMs require static routes to direct traffic to the other VDOM. Option B is wrong because assigning both VDOM link interfaces to the same VDOM would defeat the purpose of a multi-VDOM deployment, as traffic would remain within a single VDOM rather than crossing VDOM boundaries. Option C is wrong because 'inter-vdom-routing' is not a valid system setting in FortiOS; inter-VDOM routing is achieved through VDOM links or inter-VDOM links, not a global toggle, and static routes and firewall policies are still required.

734
MCQmedium

An administrator configures an SD-WAN rule with the 'volume' load balancing algorithm. The two WAN members have bandwidth capacities: port1 = 100 Mbps, port2 = 50 Mbps. Traffic is HTTP and HTTPS from internal users to the internet. How will the traffic be distributed?

A.Traffic is sent to the member with the least number of bytes transmitted, resulting in a balanced distribution proportional to bandwidth
B.All traffic uses port1 until it reaches 100 Mbps, then uses port2
C.Traffic is distributed evenly session-by-session (round-robin)
D.Source-destination IP pairs are hashed to a specific member
AnswerA

Volume algorithm tracks bytes transmitted and sends new traffic to the least loaded member.

Why this answer

Option A is correct. With the load-balance mode set to measured-volume-based, the FortiGate tracks the bytes sent on each member and steers each new session to the member that is furthest below its target share. That target share is not discovered from link speed: it comes from the volume-ratio configured on each member ('config system sdwan', 'config members', 'set volume-ratio'), so to obtain the 2:1 split implied by the 100 Mbps and 50 Mbps links the administrator sets a ratio of 2 on port1 and 1 on port2 (or 100 and 50). With both members left at the default ratio the split is 1:1 regardless of bandwidth. Option C describes the sessions algorithm and option D the source-dest-ip hash.
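A simulation of the volume algorithm, added here as an example and not part of the original question bank. The member table and session sizes are constructed; 'ratio' stands in for each member's volume-ratio setting, and the session sizes stand in for the byte counters the FortiGate measures as sessions progress (the real implementation does not know a session's size in advance, but the steering decision, lowest bytes per unit of ratio, is the same).

```python
# Constructed member table: ratio mirrors the per-member volume-ratio,
# 2:1 for the 100 Mbps / 50 Mbps links in the question. Order decides ties.
MEMBERS = {"port1": 2, "port2": 1}


def choose_member(sent, members=MEMBERS):
    """Pick the member furthest below its share: lowest bytes sent per unit of ratio.
    Ties resolve to the member listed first."""
    return min(members, key=lambda m: sent[m] / members[m])


def distribute(session_sizes, members=MEMBERS):
    """Steer each new session and return (bytes per member, member chosen per session)."""
    sent = {m: 0 for m in members}
    chosen = []
    for size in session_sizes:
        m = choose_member(sent, members)
        sent[m] += size
        chosen.append(m)
    return sent, chosen


def shares(sent):
    """Fraction of all bytes carried by each member."""
    total = sum(sent.values()) or 1
    return {m: sent[m] / total for m in sent}


def ratio_error(sent, members=MEMBERS):
    """Largest gap between the achieved share and the share the ratios ask for."""
    target_total = sum(members.values())
    achieved = shares(sent)
    return max(abs(achieved[m] - members[m] / target_total) for m in members)


# Constructed workload: 300 sessions of mixed sizes in bytes.
MIXED_SIZES = [500, 1500, 2000, 800, 1200] * 60

if __name__ == "__main__":
    sent, _ = distribute(MIXED_SIZES)
    print("ratio 2:1 ->", shares(sent), "error", round(ratio_error(sent), 4))
    # The common misconfiguration: ratios left at the default of 1 on both members.
    sent_default, _ = distribute(MIXED_SIZES, {"port1": 1, "port2": 1})
    print("ratio 1:1 ->", shares(sent_default))
```

With equal-sized sessions the assignment settles into a strict two-to-one rhythm; with mixed sizes the split still converges to the configured ratio because the gap between members can never exceed one session's worth of bytes. The second run shows why the capacities quoted in the question do not help by themselves: the FortiGate honours the ratio it was given, not the link speed.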

735
Multi-Selecthard

A FortiGate is configured with two VPN tunnels to different remote sites. The administrator notices that traffic is not load-balanced across the tunnels; all traffic uses the first tunnel. The administrator wants to use ECMP (Equal Cost Multi-Path) routing. Which two actions are required? (Choose two.)

Select 2 answers
A.Set the same distance and priority for both static routes
B.Configure both tunnels to use the same IKE version
C.Set the same phase2 lifetime for both tunnels
D.Enable ECMP in the FortiGate's routing settings
AnswersA, D

For ECMP to work, routes must have equal administrative distance and priority.

Why this answer

ECMP requires that the competing routes to the same destination have identical administrative distance and priority (option A); a route with a higher distance is not installed, and a route with a higher priority value is installed but not used while the better one is up, which is exactly the "all traffic uses the first tunnel" symptom. Once distance and priority are equal, FortiOS installs both routes automatically. The step the answer key calls "enable ECMP in the routing settings" (option D) is selecting the ECMP load-balancing method under the system settings (source-IP, source-destination-IP, weight or usage based), which is also where you confirm how sessions will be spread. IKE version and phase 2 lifetime (options B and C) decide whether each tunnel comes up, not whether the two routes are treated as equal cost.

Note that the two routes must cover the same destination prefix; tunnels to different remote sites only load-balance for prefixes that are reachable through both.

So A and D.
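The two static routes with matching distance and priority, plus the ECMP mode selection, as an added example that is not part of the original page. The tunnel interface names, the 172.16.0.0/16 prefix and the route sequence numbers are assumed.

```fortios
# Added example (not from the page): two equal-cost static routes over two VPN tunnels.
# vpn-siteA / vpn-siteB and the prefix 172.16.0.0/16 are assumed.
config router static
    edit 11
        set dst 172.16.0.0 255.255.0.0
        set device "vpn-siteA"
        set distance 10
        set priority 1
    next
    edit 12
        set dst 172.16.0.0 255.255.0.0
        set device "vpn-siteB"
        set distance 10
        set priority 1
    next
end
# The ECMP load-balancing method for IPv4 (this is the "routing settings" step):
config system settings
    set v4-ecmp-mode source-dest-ip-based
end
# Verify: both entries should be listed as active routes for the same prefix.
get router info routing-table static
```

If only one of the two routes shows as active, compare the distance and priority values first; a leftover default priority on one route (set explicitly on the other) is the usual cause.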

736
MCQeasy

What is the purpose of a global ADOM in FortiManager?

A.To create global firewall policies applicable to all devices
B.To provide a common object repository that can be referenced by other ADOMs
C.To manage all devices in a single ADOM regardless of location
D.To store global logs from all FortiGates
AnswerB

Why this answer

A global ADOM in FortiManager serves as a shared object repository (e.g., addresses, services, schedules) that can be referenced by other ADOMs, enabling centralized management of common objects across multiple administrative domains. This avoids duplication and ensures consistency, as changes in the global ADOM propagate to all ADOMs that reference those objects. It does not directly create or push firewall policies; instead, it provides the building blocks for policies within individual ADOMs.

Exam trap

The trap here is that candidates confuse the global ADOM's role as a shared object repository with the ability to create and push global policies, leading them to select Option A, when in fact policies are always ADOM-specific and only objects are shared globally.

How to eliminate wrong answers

Option A is wrong because a global ADOM does not create global firewall policies applicable to all devices; policies are defined per ADOM and can reference global objects, but the global ADOM itself only stores objects, not policies. Option C is wrong because a global ADOM does not manage all devices in a single ADOM; devices are assigned to specific ADOMs (e.g., per customer or region), and the global ADOM is a separate container for shared objects, not a device management scope. Option D is wrong because a global ADOM does not store logs; log storage is handled by FortiAnalyzer or the local FortiGate storage, and FortiManager's global ADOM is focused on configuration objects, not log aggregation.

737
MCQhard

In a multi-VDOM deployment, inter-VDOM routing is configured using VDOM links. After configuring the VDOM links and adding static routes, traffic between VDOMs is not working. The administrator verifies that the VDOM link interfaces are up and have correct IP addresses. What is the most likely missing configuration?

A.The inter-VDOM routing mode is set to 'nat' instead of 'route'
B.The VDOM links are not assigned to the correct VDOM
C.Firewall policies are missing or not allowing the traffic
D.The VDOMs are in different administrative domains
AnswerC

Each VDOM needs a policy to allow traffic from the VDOM link interface to the destination.

Why this answer

In a FortiGate multi-VDOM deployment, VDOM links create a direct Layer 3 connection between VDOMs, but traffic is still subject to firewall policies. Even with correct IP addresses and static routes, inter-VDOM traffic will be dropped unless explicit firewall policies are configured on both VDOMs to permit the traffic. This is because FortiGate enforces stateful inspection at every VDOM boundary, including VDOM links.

Exam trap

The trap here is that candidates assume VDOM links bypass firewall policies because they are internal virtual connections, but FortiGate treats all inter-VDOM traffic as requiring explicit policy approval, unlike a simple router-on-a-stick design.

How to eliminate wrong answers

Option A is wrong because inter-VDOM routing mode on a VDOM link can be set to 'nat' or 'route', but both modes require firewall policies to permit traffic; the mode affects NAT behavior, not the fundamental need for policies. Option B is wrong because the administrator already verified that the VDOM link interfaces are up and have correct IP addresses, which implies they are assigned to the correct VDOMs; misassignment would cause the interfaces to be down or unreachable. Option D is wrong because VDOMs are logical partitions within a single FortiGate, and 'administrative domains' is not a FortiGate concept; VDOMs operate under the same administrative domain by default, and inter-VDOM routing does not depend on administrative domain separation.
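A complete inter-VDOM path for the two VDOM questions above (VDOM link, addresses, a static route and a firewall policy in each VDOM), as an added example that is not part of the original page. The VDOM names, interface names, the 10.255.0.0/30 link subnet and the LAN prefixes are assumed.

```fortios
# Added example (not from the page): VDOM-A and VDOM-B joined by a VDOM link.
# Names, interfaces and prefixes are assumed. The first two blocks run in the global context.
config system vdom-link
    edit "vlink"
    next
end
# Creating the link produces two interfaces, vlink0 and vlink1; place one in each VDOM.
config system interface
    edit "vlink0"
        set vdom "VDOM-A"
        set ip 10.255.0.1 255.255.255.252
        set allowaccess ping
    next
    edit "vlink1"
        set vdom "VDOM-B"
        set ip 10.255.0.2 255.255.255.252
        set allowaccess ping
    next
end
config vdom
    edit VDOM-A
        config router static
            edit 10
                set dst 192.168.20.0 255.255.255.0
                set device "vlink0"
                set gateway 10.255.0.2
            next
        end
        # Without this policy the traffic is dropped by VDOM-A's implicit deny.
        config firewall policy
            edit 10
                set name "lan-to-VDOM-B"
                set srcintf "port2"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
    edit VDOM-B
        config router static
            edit 10
                set dst 192.168.10.0 255.255.255.0
                set device "vlink1"
                set gateway 10.255.0.1
            next
        end
        # The return direction needs its own policy in VDOM-B; stateful inspection is per VDOM.
        config firewall policy
            edit 10
                set name "from-VDOM-A"
                set srcintf "vlink1"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
# Verify from inside VDOM-A: trace a test flow and confirm it is matched by policy 10,
# not denied by the implicit policy (policy id 0).
diagnose debug flow filter addr 192.168.20.10
diagnose debug flow trace start 10
diagnose debug enable
```

The flow trace is the quickest way to separate the two failure modes: a "Denied by forward policy check (policy 0)" line means the policy is missing, while a "no route" or "reverse path check fail" line means the static routes are the problem.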

738
Multi-Selecthard

An administrator is troubleshooting SD-WAN and wants to verify that performance SLA probes are being sent correctly. Which THREE CLI commands can provide information about the SLA probes and their results?

Select 3 answers
A.diagnose sys sdwan health-check
B.diagnose sys sdwan probe-detail
C.diagnose sys sdwan member-sla
D.diagnose sys sdwan route
E.diagnose sys sdwan config
AnswersA, B, C

The three selected commands report the probe side of SD-WAN: the health-check state for each member (up/down, latency, jitter and packet loss from the probes) and whether each member currently meets its SLA targets. The route and config outputs (options D and E) show what SD-WAN has installed and what was configured; they do not tell you whether probes are being sent or answered.

739
MCQhard

Refer to the exhibit. An administrator notices that some malware files are not being detected by FortiGate. The antivirus profile uses flow-based scanning with FortiSandbox disabled. What is the most likely reason for missed detections?

A.Flow-based scanning is less thorough than proxy-based
B.FortiSandbox inline-scan is disabled, so unknown malware is not analyzed
C.Quarantine is enabled, which causes files to be dropped before scanning
D.The antivirus profile is not applied to the firewall policy
AnswerB

Without FortiSandbox, new malware may not be detected by signatures alone.

Why this answer

Flow-based scanning inspects files as they traverse the firewall, but it relies on signatures and heuristics for detection. Without FortiSandbox inline-scan enabled, unknown or zero-day malware that does not match existing signatures will not be sent to the sandbox for behavioral analysis, so it can pass undetected. Option B correctly identifies that disabling FortiSandbox removes the ability to analyze unknown threats, which is the most likely reason for missed detections.

Exam trap

The trap here is that candidates often assume flow-based scanning is always less thorough than proxy-based, but the real issue is the lack of FortiSandbox integration for unknown malware analysis, not the scanning mode itself.

How to eliminate wrong answers

Option A is wrong because flow-based scanning is not inherently less thorough than proxy-based; it uses a single-pass, low-latency approach that can still detect known malware effectively, and the question specifies that FortiSandbox is disabled, not that flow-based scanning is the cause. Option C is wrong because quarantine is a post-detection action that stores files after they are flagged as malicious; it does not cause files to be dropped before scanning, and enabling quarantine would not prevent detection. Option D is wrong because the question states that the antivirus profile is applied to the firewall policy (the administrator notices missed detections, implying the profile is in use), and if it were not applied, no malware would be detected at all, not just some files.

740
MCQhard

An administrator is investigating a security incident and needs to determine which firewall policy allowed a specific malicious traffic flow. The traffic is no longer active. Which FortiAnalyzer log type should the admin query?

A.Event logs
B.Security logs
C.Traffic logs
D.Audit logs
AnswerC

Traffic logs contain policy ID and action for each session, perfect for this investigation.

Why this answer

Traffic logs record all allowed/denied sessions, including source/destination, policy ID, and action, making them ideal for identifying which policy allowed a flow.
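The same query run against the FortiGate's own copy of the traffic log (the records it forwards to FortiAnalyzer), as an added example that is not part of the original page. The source and destination addresses are assumed; category 0 is the traffic log.

```fortios
# Added example (not from the page): filter the traffic log down to one flow.
# 10.0.1.25 and 203.0.113.10 are assumed source and destination addresses.
execute log filter reset
execute log filter category 0
execute log filter field srcip 10.0.1.25
execute log filter field dstip 203.0.113.10
execute log display
# Each record returned carries policyid=<n>, policyname, srcintf/dstintf and action
# (accept or deny), which answers the question of which policy let the flow through.
```

On FortiAnalyzer the equivalent is Log View with the Traffic log type and the same srcip/dstip filter; use the traffic log rather than the security (UTM) log because a session that was simply allowed, with no UTM verdict, appears only in the traffic log.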

741
Multi-Selecteasy

A FortiGate administrator is planning to deploy VDOMs to separate customer traffic. The administrator wants to use FortiManager for centralized management. Which TWO prerequisites must be met before the VDOMs can be managed from FortiManager?

Select 2 answers
A.Inter-VDOM routing must be enabled
B.FortiAnalyzer must be registered with FortiManager
C.The FortiGate must be assigned to an ADOM
D.The FortiGate must be added to the FortiManager device list
E.All VDOMs must be in the same ADOM
AnswersC, D

ADOM assignment organizes and isolates management.

Why this answer

Option C is correct because FortiManager uses ADOMs (Administrative Domains) to logically group managed devices, and a FortiGate must be assigned to an ADOM before its VDOMs can be managed. Option D is correct because the FortiGate must be added to the FortiManager device list (via model-device or managed-device registration) to establish communication and allow policy and object provisioning to its VDOMs. Option E is not a prerequisite: FortiManager can place individual VDOMs of the same FortiGate in different ADOMs, which is the usual arrangement when VDOMs separate customers. Options A and B are unrelated to the management plane.

Exam trap

The trap here is confusing inter-VDOM routing (a Layer 3 forwarding feature) with the management-plane requirement of ADOM assignment, leading candidates to incorrectly select Option A as a prerequisite for centralized management.

742
Multi-Selectmedium

A FortiGate is configured with an SD-WAN zone containing two WAN interfaces. The administrator wants to use the 'spillover' load balancing algorithm to ensure that the primary link carries traffic until its bandwidth reaches 80% utilization, after which new sessions are sent to the secondary link. Which THREE configuration steps are necessary?

Select 3 answers
A.Create a performance SLA to measure bandwidth utilization
B.Add both interfaces as members of the SD-WAN rule
C.Configure the 'spillover-threshold' on the primary interface to 80 percent
D.Assign a weight of 80 to the primary interface and 20 to the secondary
E.In the SD-WAN rule, set the load balancing method to 'spillover'
AnswersB, C, E

Why this answer

Spillover is selected as the load-balancing method (option E); in the CLI this is `set load-balance-mode usage-based`. The threshold that triggers spillover is a property of the primary interface (option C). Note that FortiOS does not take a percentage: `spillover-threshold` is an absolute egress rate in kbps, so 80% of a 100 Mbps link is entered as 80000, not 80. Both interfaces must be SD-WAN members (option B) so that new sessions have a secondary link to spill to once the threshold is reached.

Option A is not needed because spillover reads interface utilization, not performance-SLA probe results. Option D is not needed because member weights belong to the weight-based algorithm; spillover uses member order, not weights.
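The spillover configuration for the scenario above, as an added example that is not part of the original page. The interface names are assumed, and the threshold is written in kbps because that is the unit the interface setting takes.

```fortios
# Added example (not from the page): spillover from port1 to port2 at 80 Mbps.
# port1/port2 are assumed. Thresholds are in kbps: 80% of 100 Mbps = 80000.
config system interface
    edit "port1"
        set spillover-threshold 80000
        set ingress-spillover-threshold 80000
    next
end
config system sdwan
    set status enable
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
end
```

Member order decides which link is primary: port1 is member 1, so it fills first. Setting only the egress threshold is the common mistake; a download-heavy site will then never spill because the ingress direction is unbounded.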

743
MCQeasy

An administrator wants to view the current number of active sessions on a FortiGate. Which CLI command should be used?

A.exec system session count
B.show system session count
C.diagnose sys session list
D.get system performance status
AnswerD

Correct. This command displays session count, CPU, and memory usage.

Why this answer

The command 'get system performance status' provides a snapshot of system performance, including CPU, memory and the session count. 'diagnose sys session stat' gives the session-table counters directly; 'diagnose sys session list' (option C) dumps the individual sessions rather than a count, which is impractical on a busy unit. Options A and B are not valid FortiOS commands.

744
Multi-Selectmedium

An administrator is configuring SD-WAN and wants to ensure that traffic matching a specific SLA rule uses the best-performing member. Which TWO commands can be used to verify the SLA performance and route selection? (Choose two.)

Select 2 answers
A.diagnose sys session list
B.diagnose sys sdwan health-check
C.get router info routing-table
D.diagnose sys sdwan info
E.show system sdwan
AnswersB, D

Shows health-check results per member.

Why this answer

Options B and D are correct. 'diagnose sys sdwan info' shows detailed SD-WAN information including SLA performance and routing decisions. 'diagnose sys sdwan health-check' shows the health-check results for each member, which is essential for SLA verification.

745
MCQmedium

A network administrator is configuring SD-WAN on a FortiGate with two WAN links (port1 and port2). They want traffic to destination 10.0.0.0/8 to use port1 as long as its latency is below 50ms and jitter below 10ms; otherwise, fail over to port2. Which SD-WAN configuration components are required?

A.SD-WAN members, one performance SLA, one SD-WAN member with a static route
B.SD-WAN members, two performance SLAs (one per interface), one SD-WAN rule
C.SD-WAN members, one performance SLA, two SD-WAN rules (one for each interface)
D.SD-WAN members, one performance SLA, one SD-WAN rule with the performance SLA as a strategy
AnswerD

The performance SLA defines the latency and jitter thresholds. The SD-WAN rule references that SLA with the Lowest Cost (SLA) strategy ('mode sla' in the CLI) and lists port1 ahead of port2, so port1 is used while it meets the targets and port2 takes over when it does not.

Why this answer

To implement failover on link quality you need SD-WAN members (the interfaces), one performance SLA that probes both members and carries the thresholds, and one SD-WAN rule that references the SLA. Only one SLA is required because a single health check probes every member; only one rule is required because the rule's member order already expresses the preference. 'Best quality' is a different strategy: it sends traffic to whichever member currently measures best on a chosen metric and does not apply thresholds, so it is not the strategy that matches the stated requirement.

746
Multi-Selectmedium

An organization uses FortiMail and wants to validate that incoming emails are from legitimate senders by checking the sender's domain against a published policy. Which two email authentication mechanisms can FortiMail use? (Choose two.)

Select 1 answer
A.DKIM and DMARC
B.STARTTLS and SPF
C.DMARC and SPF
D.SPF and DKIM
AnswersD

SPF verifies the sending IP, DKIM verifies the signature.

Why this answer

FortiMail can use SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to validate that incoming emails originate from legitimate senders by checking the sender's domain against a published policy. SPF verifies that the sending IP address is authorized by the domain's DNS TXT record, while DKIM uses a digital signature in the email header that can be validated against a public key published in the sender's DNS. Both mechanisms allow FortiMail to authenticate the sender's domain before accepting the message.

Exam trap

The trap here is that candidates often confuse DMARC as an authentication mechanism when it is actually a policy framework that relies on SPF and DKIM results, leading them to select options that include DMARC instead of the two core authentication protocols.

747
MCQeasy

An administrator wants to monitor CPU usage of specific processes on a FortiGate. Which command should be used?

A.get system performance status
B.diagnose sys top
C.get system performance
D.top
AnswerB

This shows process-level CPU and memory usage.

Why this answer

Option B is correct because 'diagnose sys top' shows real-time per-process CPU and memory usage. Option A ('get system performance status') gives a system-wide summary (CPU, memory, sessions, uptime) without per-process detail. Option C is an incomplete command; 'get system performance' needs a subcommand such as 'status' or 'firewall'.

Option D is a Linux command not available on FortiOS.

748
MCQeasy

A BGP peering between two FortiGates is not establishing. The admin runs 'get router info bgp summary' and sees the neighbor state as 'Idle'. What is the most common cause of a BGP session stuck in Idle?

A.The BGP update timer is set too high
B.The remote AS number is misconfigured
C.The neighbor IP is not reachable or the TCP port 179 is blocked
D.The route advertisement is disabled
AnswerC

BGP uses TCP port 179; if the neighbor is unreachable or port is blocked, the session cannot start, staying in Idle.

Why this answer

Idle state usually means the BGP process has not started or is waiting for a start event. The most common cause is that the neighbor IP is unreachable or the TCP connection cannot be established.
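The checks a practitioner runs for a neighbor stuck in Idle, as an added example that is not part of the original page. 10.1.1.1 is assumed to be this FortiGate's peering address and 10.1.1.2 the neighbor.

```fortios
# Added example (not from the page): isolate why a BGP neighbor stays in Idle.
# 10.1.1.1 (local) and 10.1.1.2 (neighbor) are assumed addresses.
get router info bgp summary
# Reachability from the address BGP will source the TCP session from:
execute ping-options source 10.1.1.1
execute ping 10.1.1.2
execute ping-options reset
# Watch the TCP 179 handshake (verbose 4 = headers with interface name, 20 packets):
diagnose sniffer packet any 'host 10.1.1.2 and tcp port 179' 4 20
# Interpretation:
#   SYN leaves, nothing returns  -> path, peer local-in policy or peer not configured for us
#   SYN leaves, RST returns      -> peer reachable but not listening for this neighbor
#   no SYN at all                -> no route to the neighbor or BGP not started locally
```

If the three-way handshake completes and the session still drops, the problem is no longer reachability: compare the AS numbers and router IDs on both sides, since an OPEN rejected by the peer shows up as a NOTIFICATION in the capture rather than as a missing connection.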

749
MCQhard

A FortiGate with two WAN interfaces configured in an SD-WAN setup uses the 'lowest-cost' load balancing algorithm. The performance SLA monitors latency and jitter. If wan1 has a cost of 10 and wan2 has a cost of 20, but wan1 is experiencing 50% packet loss, what will happen to traffic?

A.Traffic is distributed equally between both links
B.Traffic is dropped until wan1 recovers
C.Traffic continues using wan1 because cost is lower
D.Traffic is sent to wan2 because wan1 is considered dead
AnswerD

wan1 fails SLA so it's dead, traffic uses wan2.

Why this answer

The 'lowest-cost' algorithm selects, among the members that currently meet the performance SLA, the one with the lowest configured cost. A member that does not meet the SLA is excluded even if its cost is lower, so traffic moves to wan2 (cost 20) as the lowest-cost member still in SLA. Two states produce this result and are worth distinguishing when troubleshooting: the link is marked dead when consecutive probes fail outright (the health check's failtime), and it is marked out of SLA when probes are answered but the measured values exceed the thresholds. With 50% loss, wan1 is most likely out of SLA rather than dead, which only demotes it if the SLA includes a packet-loss threshold; an SLA that only defines latency and jitter, as the question states, would not react to loss until the probes fail entirely.
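One configuration that serves both the threshold-based failover in question 745 and the lowest-cost selection in question 749, as an added example that is not part of the original page: two members with costs, one health check whose SLA carries latency, jitter and packet-loss targets, and one rule in Lowest Cost (SLA) mode. The interface names, the probe server 10.0.0.1, the address object and the rule name are assumed; the packet-loss threshold is added here because without it the 50% loss case would not demote wan1.

```fortios
# Added example (not from the page): SD-WAN rule that prefers the cheapest member
# that meets its SLA. port1/port2, 10.0.0.1 and "net-10.0.0.0-8" are assumed.
config firewall address
    edit "net-10.0.0.0-8"
        set subnet 10.0.0.0 255.0.0.0
    next
end
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
            set cost 10
        next
        edit 2
            set interface "port2"
            set cost 20
        next
    end
    config health-check
        edit "hc-10net"
            set server "10.0.0.1"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 50
                    set jitter-threshold 10
                    set packetloss-threshold 10
                next
            end
        next
    end
    config service
        edit 1
            set name "to-10net"
            set mode sla
            set src "all"
            set dst "net-10.0.0.0-8"
            config sla
                edit "hc-10net"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
# Verify: probe results per member, then the member order the rule has actually chosen.
diagnose sys sdwan health-check
diagnose sys sdwan service
```

With both members in SLA the rule uses port1 (cost 10). When port1 exceeds any threshold it drops out of SLA and port2 is chosen; when port1 recovers for recoverytime consecutive probes it is restored, and existing sessions follow the rule's tie-break and session-stickiness settings rather than moving instantly.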

750
Multi-Selectmedium

Which TWO email authentication mechanisms does FortiMail support to verify sender identity and reduce spoofing? (Choose two.)

Select 2 answers
A.DMARC (Domain-based Message Authentication, Reporting & Conformance)
B.SPF (Sender Policy Framework)
C.STARTTLS
D.S/MIME
E.DKIM (DomainKeys Identified Mail)
AnswersB, E

Checks if the sending IP is authorized.

Why this answer

FortiMail supports SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) as email authentication mechanisms to verify sender identity and reduce spoofing. SPF allows the domain owner to publish authorized sending IP addresses in DNS TXT records, while DKIM uses a digital signature added to the email header, verified against a public key in the sender's DNS. Both are core components of email authentication that FortiMail can enforce or validate.

Exam trap

The trap here is that candidates confuse DMARC as an authentication mechanism rather than a policy framework that relies on SPF and DKIM results, and they may also mistake STARTTLS or S/MIME for sender verification when they are actually transport or message security protocols.
