Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 751825

1000 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751. MCQ (easy)

What is the function of FortiAnalyzer in a Fortinet Security Fabric?

A. To collect logs and generate reports and incidents
B. To manage VDOM configurations
C. To act as a VPN concentrator
D. To provide real-time firewall management

Answer: A

FortiAnalyzer is the logging and analytics platform.

Why this answer

FortiAnalyzer is the centralized logging and reporting appliance within the Fortinet Security Fabric. It collects logs from FortiGate and other Fabric components, correlates events, generates compliance reports, and creates incidents for security analysis. This aligns directly with option A, as its primary function is log aggregation and report generation, not real-time management or VPN termination.

Exam trap

The trap here is that candidates often confuse FortiAnalyzer with FortiManager, assuming both handle configuration management, but FortiAnalyzer is strictly for logging and reporting, while FortiManager handles centralized policy and VDOM management.

How to eliminate wrong answers

Option B is wrong because managing VDOM configurations is a function of FortiGate itself (via CLI or FortiManager), not FortiAnalyzer. Option C is wrong because acting as a VPN concentrator is a role of FortiGate or FortiClient, not FortiAnalyzer, which lacks IPsec/SSL VPN termination capabilities. Option D is wrong because providing real-time firewall management is the domain of FortiGate's local management interface or FortiManager, whereas FortiAnalyzer is focused on historical log analysis and reporting, not live policy changes.

752. Multi-Select (hard)

An administrator is investigating an alert from FortiEDR indicating a suspicious process on an endpoint. The administrator wants to gather more context. Which TWO sources can provide threat intelligence to enrich the investigation?

Select 2 answers
A. Local antivirus signature database
B. FortiGate traffic logs
C. FortiGuard Outbreak Prevention
D. Third-party threat intelligence feeds
E. FortiClient local cache

Answers: C, D

FortiGuard Outbreak Prevention provides real-time threat intelligence about outbreaks.

Why this answer

Options C and D are correct. FortiGuard Outbreak Prevention and third-party threat feeds provide external threat intelligence about indicators of compromise.

753. MCQ (hard)

A FortiGate has two WAN interfaces (port1, port2) as SD-WAN members. The performance SLA monitor is configured for both with a latency threshold of 50 ms. The measured latency on port1 is 45 ms and on port2 is 55 ms. An SD-WAN rule uses the 'lowest-cost' algorithm. Which interface will be selected for new sessions?

A. port1, because its latency is within threshold and lower than port2
B. port2, because port1's latency is close to the threshold
C. The session is dropped
D. Both interfaces are used equally

Answer: A

port1 meets the SLA and has lower latency, hence lower cost.

Why this answer

Lowest-cost algorithm selects the member with the lowest cost, where cost is based on the performance SLA metric. Port1 has lower latency (45 ms < 55 ms) and is within threshold, so it has lower cost.

754. MCQ (hard)

A FortiGate is running OSPF with multiple areas. The admin wants to redistribute a static route (192.168.100.0/24) into OSPF area 0. The route is configured as a static route on the FortiGate. Which configuration step is essential to ensure the static route is redistributed into OSPF?

A. Create a prefix list to allow the static route and apply it to the OSPF area
B. Set the administrative distance of the static route to 110
C. Configure a route map to match the static route and set the OSPF type
D. Enable 'redistribute static' under the OSPF router configuration

Answer: D

Without enabling redistribution on the OSPF process, static routes will not be advertised.

Why this answer

Option D is correct because OSPF does not redistribute static routes by default. The 'redistribute static' command must be configured under the OSPF process; route maps can optionally filter what is redistributed, but redistribution itself must be enabled first.

755. MCQ (medium)

A company uses FortiManager to manage multiple FortiGate firewalls. After making changes to a policy package, the administrator runs an install preview and sees a warning: 'Policy ID 10 will be deleted on device XYZ'. What is the most likely reason for this warning?

A. Policy ID 10 was manually added on the device but is not present in the policy package
B. The policy package has been corrupted and needs to be re-imported
C. The device is in a different ADOM and cannot use the same policy ID
D. A revision history conflict exists that prevents the install

Answer: A

The install preview shows actions to align the device with the package.

Why this answer

The warning 'Policy ID 10 will be deleted on device XYZ' indicates that the policy package on FortiManager does not contain Policy ID 10, but the device currently has it. During an install, FortiManager synchronizes the device's policy set with the policy package, so any policy present on the device but absent from the package is flagged for deletion. This is a standard consistency check to prevent unintended policy loss.

Exam trap

The trap here is that candidates assume the warning indicates an error or conflict, when in fact it is a normal behavior of FortiManager's policy synchronization to remove policies that were manually added on the device outside of FortiManager management.

How to eliminate wrong answers

Option B is wrong because a corrupted policy package would typically cause install failures or error messages about parsing or integrity, not a specific warning about a single policy ID being deleted. Option C is wrong because ADOMs are administrative domains that separate management; a device in a different ADOM cannot be targeted by the same policy package at all, so the warning would not appear. Option D is wrong because a revision history conflict would prevent the install from proceeding or generate a conflict error, not a specific deletion warning for a single policy ID.

756. MCQ (medium)

A FortiGate administrator configures inter-VDOM routing. Traffic from VDOM-A to VDOM-B is blocked. The administrator checks the policy in VDOM-A allowing traffic to the VDOM link interface. What else must be verified?

A. That there is a corresponding policy in VDOM-B allowing traffic from the VDOM link to the destination
B. That the VDOM link uses a different interface type
C. That the VDOM link interface is in the same subnet
D. That inter-VDOM routing is enabled in system settings

Answer: A

Traffic must be allowed in both directions.

Why this answer

In inter-VDOM routing, traffic traverses a VDOM link, which consists of two interfaces—one in each VDOM. A policy in VDOM-A permits traffic to the VDOM link interface, but the packet must also be allowed by a policy in VDOM-B from the VDOM link interface to the destination. Without this second policy, VDOM-B will drop the traffic, even if VDOM-A's policy is correct.

Exam trap

The trap here is that candidates assume a single policy in the source VDOM is sufficient, overlooking that inter-VDOM routing requires explicit policy approval in both VDOMs due to the independent security domains.

How to eliminate wrong answers

Option B is wrong because the VDOM link interface type does not affect policy requirements; it is always a point-to-point logical link, and changing the type does not bypass the need for policies in both VDOMs. Option C is wrong because VDOM link interfaces are not required to be in the same subnet; they are typically in different subnets or use unnumbered interfaces, and subnet configuration does not influence policy enforcement. Option D is wrong because inter-VDOM routing is implicitly enabled when a VDOM link is created; there is no separate system setting to toggle, and the issue is policy-based, not a global routing toggle.

757. MCQ (medium)

Which command is used on a FortiGate to view the current state of BFD sessions?

A. get router info bfd
B. show bfd sessions
C. execute bfd show
D. diagnose sys bfd session list

Answer: D

This shows BFD session details.

Why this answer

Option D is correct because 'diagnose sys bfd session list' is the FortiGate CLI command used to display the current state of Bidirectional Forwarding Detection (BFD) sessions, including session state, local/remote discriminators, and timers. This command is part of the 'diagnose' utility, which provides detailed operational and diagnostic information for troubleshooting BFD in SD-WAN or routing contexts.

Exam trap

The trap here is that candidates familiar with Cisco IOS may instinctively choose 'show bfd sessions' (Option B), but FortiGate uses a different CLI syntax where 'diagnose' is the proper command for detailed operational state, not 'show' or 'execute'.

How to eliminate wrong answers

Option A is wrong because 'get router info bfd' is not a valid FortiGate command; the correct 'get' command for BFD is 'get router info bfd session' or 'get router info bfd neighbor', but the given syntax is incomplete and incorrect. Option B is wrong because 'show bfd sessions' is a Cisco IOS command, not a FortiGate command; FortiGate uses 'get' or 'diagnose' syntax, not 'show'. Option C is wrong because 'execute bfd show' is not a valid FortiGate command; 'execute' commands are used for actions like ping or traceroute, not for displaying BFD session state.

758. MCQ (medium)

An administrator runs 'diagnose debug application ipsmonitor -1' and sees repeated messages: 'IPS engine restarting'. What is the MOST likely cause of this behavior?

A. The FortiGate is overloaded with too many concurrent sessions
B. The IPS engine is running out of memory
C. The firewall policy is configured for flow-based inspection
D. The IPS signatures are outdated and need updating

Answer: B

Memory exhaustion causes the IPS engine to restart to free resources.

Why this answer

Option B is correct. Repeated IPS engine restarts usually indicate memory exhaustion or a crash; when memory usage is high, the engine restarts to reclaim resources.

759. Multi-Select (medium)

A FortiGate administrator is investigating a security incident and needs to identify which user initiated a specific outbound connection to a malicious IP address. The company uses FSSO for authentication. Which THREE pieces of information from FortiAnalyzer logs would be MOST useful? (Choose three.)

Select 3 answers
A. Username from the FortiGate authentication log
B. Destination IP address
C. Event type (e.g., traffic, event, attack)
D. Source IP address of the session
E. Timestamp of the session

Answers: A, D, E

Links the session to the authenticated user.

Why this answer

Options A, D, and E are correct. The source IP identifies the device, the username identifies the authenticated user, and the timestamp correlates the events. The destination IP (B) is already known, and the event type (C) does not by itself show the user association.

760. MCQ (easy)

A network administrator needs to create a separate firewall policy for the guest network while keeping management traffic in the main VDOM. Which VDOM type should be configured for the guest network?

A. Root VDOM
B. Administrative VDOM
C. Management VDOM
D. Traffic VDOM

Answer: D

Traffic VDOMs are used to create separate firewall policies for different network segments.

Why this answer

Option D is correct because a Traffic VDOM is a lightweight VDOM type designed specifically to handle user traffic, such as guest network traffic, without the overhead of management-plane functions. It allows the administrator to separate guest traffic into its own firewall policy domain while keeping management traffic (e.g., SSH, HTTPS, SNMP) in the main Root VDOM, ensuring that guest users cannot access the management interface or configuration.

Exam trap

The trap here is that candidates often confuse 'Management VDOM' with a real VDOM type, but FortiGate does not have a dedicated Management VDOM—management is always tied to the Root VDOM, and guest traffic separation requires a Traffic VDOM.

How to eliminate wrong answers

Option A is wrong because the Root VDOM is the default VDOM that contains both management and traffic functions; configuring the guest network in the Root VDOM would mix guest traffic with management traffic, defeating the purpose of separation. Option B is wrong because an Administrative VDOM is not a standard VDOM type in FortiGate; it is a misconception—FortiGate uses 'Admin VDOM' only in the context of multi-tenancy or VDOM administration, not for traffic separation. Option C is wrong because a Management VDOM does not exist as a separate VDOM type; management traffic is always handled by the Root VDOM or a dedicated management interface, and creating a separate VDOM for management is not supported—guest traffic must be isolated in a Traffic VDOM.

761. MCQ (hard)

An administrator runs 'diagnose vpn ike gateway list' and sees that the IKE SA state is 'UP' but the IPsec SA state is 'DOWN'. The remote peer is a FortiGate. What is the most likely cause of this issue?

A. The pre-shared key is incorrect
B. The tunnel interface is down
C. The Phase 2 parameters (encryption, authentication, proxy IDs) do not match between the peers
D. The firewall policy on the remote FortiGate is blocking UDP 500

Answer: C

Phase2 negotiations use separate parameters; if they mismatch, IPsec SA fails while IKE SA remains up.

Why this answer

If IKE is up but IPsec is down, the Phase2 parameters are not matching between peers. Common causes include mismatched encryption algorithms, proxy IDs, or lifetimes.

762. Multi-Select (hard)

A FortiGate with multiple VDOMs is experiencing high CPU usage. The administrator suspects that one VDOM is consuming excessive resources. Which THREE methods can be used to limit resource usage per VDOM?

Select 3 answers
A. Apply per-VDOM traffic shaping policies
B. Enable HA resource reservation
C. Configure VDOM resource limits (CPU/memory)
D. Enable VDOM logging
E. Set the VDOM CPU quota

Answers: A, C, E

Traffic shaping limits bandwidth per VDOM.

Why this answer

Option A is correct because per-VDOM traffic shaping policies allow the administrator to apply bandwidth limits and QoS policies specifically to traffic within a particular VDOM, preventing that VDOM from monopolizing the FortiGate's CPU resources. This is achieved by configuring shaping policies under the VDOM's firewall policy that match traffic and apply a traffic shaper, which can limit bandwidth and prioritize traffic, thereby reducing CPU load from that VDOM.

Exam trap

The trap here is that candidates often confuse 'resource reservation' (which guarantees resources for HA) with 'resource limits' (which cap usage per VDOM), leading them to select Option B, which is unrelated to per-VDOM CPU control.

763. Multi-Select (medium)

A network administrator is configuring SD-WAN rules with load balancing. They want to distribute HTTP traffic evenly across two WAN links based on the number of sessions. Which TWO settings should they use? (Choose two.)

Select 2 answers
A. Ensure the SD-WAN rule matches HTTP traffic (e.g., using protocol or port criteria)
B. Set the load balancing algorithm to 'volume'
C. Create a performance SLA to monitor the links
D. Enable 'set update-static-route' on the SD-WAN rule
E. Set the load balancing algorithm to 'session'

Answers: A, E

The rule must match HTTP traffic to apply the load balancing algorithm to that traffic.

Why this answer

To distribute HTTP sessions evenly, the load balancing algorithm should be 'session', and the SD-WAN rule must match HTTP traffic using appropriate criteria (e.g., destination port 80).

764. MCQ (hard)

A FortiGate has multiple VRFs. The administrator wants to leak a route from VRF1 to VRF2. Which configuration is required?

A. Configure route leaking using route maps and the set vrf command under VRF1's routing process
B. Use the config router vrf-leak command to define leaking rules
C. Enable inter-VRF routing on the VDOM
D. Configure a static route in VRF2 pointing to the next-hop in VRF1 with a different administrative distance

Answer: A

Route leaking between VRFs is achieved by configuring route maps with set vrf and applying them under the routing process of the source VRF.

Why this answer

Option A is correct because route leaking between VRFs on a FortiGate is achieved by configuring route maps with the `set vrf` command under the source VRF's routing process. This allows specific routes from VRF1 to be imported into VRF2, enabling controlled inter-VRF communication without requiring a VDOM or static route workaround.

Exam trap

The trap here is that candidates confuse the FortiGate-specific route leaking method (route maps with `set vrf`) with generic Cisco-style VRF leaking commands or assume that a static route with a different administrative distance can bypass VRF isolation, which fails because VRFs are isolated at Layer 3 and require explicit route redistribution.

How to eliminate wrong answers

Option B is wrong because the `config router vrf-leak` command does not exist in FortiOS; route leaking is configured using route maps and the `set vrf` command under the routing process, not a dedicated vrf-leak command. Option C is wrong because enabling inter-VRF routing on a VDOM is a different concept—it allows all VRFs within a VDOM to communicate without explicit route leaking, which is not the same as selective route leaking between specific VRFs. Option D is wrong because configuring a static route in VRF2 pointing to a next-hop in VRF1 with a different administrative distance does not leak the route; it creates a static route that may fail because the next-hop is in a different VRF and not reachable without proper route leaking or inter-VRF connectivity.

765. MCQ (easy)

An administrator runs 'diagnose sys top' and sees process 'httpsd' consuming 95% CPU. What is the best immediate action to alleviate the issue?

A. Change the administration HTTPS port and restrict access to trusted hosts
B. Kill the httpsd process
C. Disable HTTPS administration access
D. Reboot the FortiGate

Answer: A

Correct. Changing the port and restricting source IPs can mitigate the attack without losing access.

Why this answer

The httpsd process handles HTTPS administrative access. High CPU could be due to brute-force attacks or excessive GUI logins. The best action is to change the administrative access port or limit access via trusted hosts.

766. Multi-Select (hard)

A FortiGate is experiencing high CPU usage due to IPsec VPN traffic. The admin wants to offload cryptographic operations to the hardware. Which THREE conditions must be met for hardware acceleration to work? (Choose three.)

Select 3 answers
A. The FortiGate must have a compatible NP7 or CP9 processor
B. The IPsec phase 2 proposal must use encryption algorithms supported by the hardware accelerator (e.g., AES-GCM)
C. The VPN interface must be configured with 'set acceleration-mode ipsec'
D. The VPN tunnel must not be configured with features that disable offload, such as IPsec interface mode with kernel-version-dependent features
E. The firewall policy using the VPN interface must not have NAT enabled

Answers: A, B, D

Hardware acceleration requires specific processor models.

Why this answer

Hardware acceleration (CP8/CP9) requires specific conditions: the encryption algorithms must be supported by the accelerator, no advanced features that disable offload may be enabled on the tunnel, and the traffic must match a VPN policy that uses the hardware-acceleration-capable interface.

767. Multi-Select (medium)

A network administrator is configuring SD-WAN rules and wants to ensure that voice traffic is sent over the link with the lowest jitter. Which TWO configurations should the administrator apply? (Choose two.)

Select 2 answers
A. Set the SD-WAN rule strategy to 'lowest cost'
B. Configure the SD-WAN rule to use 'volume' load balancing
C. Set the SD-WAN rule strategy to 'best quality'
D. Enable 'set jitter-threshold' on the SD-WAN rule
E. Ensure the performance SLA measures jitter

Answers: C, E

Best quality uses the priority order of metrics, which can include jitter.

Why this answer

To use jitter as the selection metric, the performance SLA must include jitter measurement, and the SD-WAN rule strategy should be 'best quality' with jitter as the highest priority metric.

768. MCQ (easy)

In a multi-VDOM deployment, what is the purpose of inter-VDOM routing?

A. To route traffic between the management VDOM and data VDOMs
B. To provide redundancy for VDOMs in an HA setup
C. To allow traffic to pass between different VDOMs via firewall policies
D. To connect VDOMs to external routers

Answer: C

Inter-VDOM routing uses VDOM links and policies.

Why this answer

Inter-VDOM routing allows traffic to be forwarded between different VDOMs on the same FortiGate unit. This is achieved by configuring inter-VDOM links (IVL) or using VDOM peering, and then applying firewall policies to control and secure the traffic flow between VDOMs. Option C correctly identifies that firewall policies are the mechanism used to permit or deny inter-VDOM traffic.

Exam trap

The trap here is that candidates often assume inter-VDOM routing is automatic or purely a routing function, but Fortinet requires explicit firewall policies to permit traffic between VDOMs, making it a security-controlled feature rather than a simple routing path.

How to eliminate wrong answers

Option A is wrong because inter-VDOM routing is not limited to traffic between the management VDOM and data VDOMs; it applies to any pair of VDOMs. Option B is wrong because inter-VDOM routing does not provide redundancy for VDOMs in an HA setup; HA redundancy is handled by the HA configuration itself, not by inter-VDOM routing. Option D is wrong because inter-VDOM routing is an internal FortiGate function, not a method to connect VDOMs to external routers; external connectivity is achieved through physical interfaces or VLANs assigned to VDOMs.

769. MCQ (medium)

A FortiGate admin runs the following command: 'diagnose sys session filter dport 443' and sees output indicating sessions with state 'proto_state=01' and 'duration=3600, expire=3599'. What does this indicate about the session?

A. The session is established and has been active for 3600 seconds
B. The session has timed out and is being removed
C. The session is in a closing state
D. The session is in a half-open state

Answer: A

proto_state=01 means established. Duration is how long it's been active.

Why this answer

The command 'diagnose sys session filter dport 443' filters sessions with destination port 443 (HTTPS). The output shows 'duration=3600, expire=3599', meaning the session has been active for 3600 seconds and will expire in 3599 seconds. The 'proto_state=01' indicates a TCP session in the established state (state 1 = TCP_ESTABLISHED).

This confirms the session is fully established and actively tracked by the FortiGate session table.

Exam trap

The trap here is that candidates confuse 'duration' with 'timeout' or assume a high duration means the session is about to expire, when in fact 'expire' shows remaining time and 'proto_state=01' confirms an established session.

How to eliminate wrong answers

Option B is wrong because 'expire=3599' shows the session still has time remaining, not that it has timed out; a timed-out session would have an expire value of 0 or be absent from the table. Option C is wrong because a closing state (e.g., TCP_FIN_WAIT or TCP_CLOSE_WAIT) would show a different proto_state value (e.g., 02, 03, or 04), not '01'. Option D is wrong because a half-open state (e.g., TCP_SYN_SENT) would have a proto_state of 00 or a very short duration, not 3600 seconds with an established state.

770. Multi-Select (hard)

During a BGP troubleshooting session, an administrator sees that the BGP neighbor state is 'Active'. Which three conditions could cause this state? (Choose THREE.)

Select 3 answers
A. The remote AS number is misconfigured
B. The BGP update timer is too short
C. The neighbor IP address is incorrectly configured
D. The maximum-prefix limit has been exceeded
E. A firewall is blocking TCP port 179

Answers: A, C, E

ASN mismatch causes the remote end to reject the open message, leading to Active state.

Why this answer

Active state means BGP is trying to initiate a TCP connection but hasn't succeeded. Common causes include incorrect neighbor IP, ASN mismatch, or TCP port blocking.

771. MCQ (medium)

An administrator wants to ensure that all traffic from a specific LAN subnet (192.168.10.0/24) to the internet uses a particular WAN interface (wan1) in an SD-WAN setup, while other traffic uses wan2. What is the correct configuration to achieve this?

A. Create a policy-based routing rule with source 192.168.10.0/24 and set the outgoing interface to wan1
B. Configure an SD-WAN rule with source address matching 192.168.10.0/24 and set the preferred member to wan1
C. Set the default route for wan1 with a higher distance
D. Use a route map with a prefix list to match the subnet and set the next-hop to wan1

Answer: B

SD-WAN rules allow source-based matching and preferred member selection.

Why this answer

SD-WAN rules are used to match traffic based on criteria and direct it to specific members. The rule would match source 192.168.10.0/24 and set the destination interface to wan1.

772. Multi-Select (hard)

An administrator configures FortiManager automation stitches to respond to high CPU usage on a FortiGate. The stitch should trigger a script to run diagnostics. Which THREE components are required in an automation stitch?

Select 3 answers
A. Condition (e.g., severity threshold)
B. Trigger (e.g., event type)
C. Result (e.g., email notification)
D. Action (e.g., CLI script)
E. Target (e.g., device or device group)

Answers: B, D, E

Defines when the stitch activates.

Why this answer

Option B is correct because an automation stitch in FortiManager requires a trigger to define the event that initiates the stitch, such as a high CPU usage event. The trigger specifies the event type (e.g., 'CPU Usage High') that the FortiGate reports, which then activates the stitch. Without a trigger, the automation stitch has no starting point to respond to the condition.

Exam trap

The trap here is that candidates often confuse 'Condition' (like a severity threshold) as a separate component, but in FortiManager automation stitches, conditions are embedded within the trigger or action, not a standalone required element.

773. MCQ (easy)

A FortiGate administrator wants to verify whether a specific session is being offloaded to the NP6 processor. Which CLI command should the administrator use?

A. diagnose sys session filter src 10.0.0.1 ; diagnose sys session list
B. get system performance status
C. diagnose hardware sysinfo memory
D. diagnose npu np6 session list

Answer: A

This shows session details and offload status.

Why this answer

Option A is correct. 'diagnose sys session filter' followed by 'diagnose sys session list' shows session details including offload status (NPU flag).

774. MCQ (easy)

Which FortiGate feature allows multiple independent routing tables on a single device, enabling traffic separation for different departments or customers?

A. ECMP
B. VRF
C. VDOM
D. Policy-based routing

Answer: B

VRF creates independent routing tables on the same FortiGate.

Why this answer

VRF (Virtual Routing and Forwarding) partitions the routing table into multiple instances, each with its own routing table and forwarding decisions.

775. Multi-Select (easy)

Which TWO statements about VDOM limits on FortiGate are correct? (Choose TWO.)

Select 2 answers
A. VDOMs can be created only in NAT mode
B. All FortiGate models support at least 10 VDOMs
C. VDOM support requires a valid FortiGate license
D. The maximum number of VDOMs is fixed per model and cannot be exceeded
E. VDOMs can be added without additional memory

Answers: C, D

VDOMs often require an advanced feature license.

Why this answer

Option C is correct because VDOM support on FortiGate is a licensed feature. Without a valid FortiGate license (e.g., an Advanced or Enterprise license bundle), the VDOM functionality is disabled, and the device operates in a single-VDOM (split-task) mode. This licensing requirement ensures that only authorized models and configurations can utilize VDOM isolation.

Exam trap

The trap here is that candidates often assume VDOMs are a free feature available on all models without licensing, or that VDOM count is unlimited, when in fact both a valid license and model-specific hard limits apply.

776. Multi-Select (medium)

A network administrator is configuring SD-WAN on a FortiGate and wants to ensure that VoIP traffic uses the link with the lowest latency while bulk download traffic uses the link with the highest bandwidth. Which TWO configuration steps are required?

Select 2 answers
A. Assign a static route for the VoIP subnet
B. Create an SD-WAN rule for VoIP traffic with the 'best quality' strategy
C. Enable BFD on all WAN interfaces
D. Configure a route map for VoIP traffic
E. Create a performance SLA for latency

Answers: B, E

Best quality uses the member with best SLA performance (e.g., lowest latency).

Why this answer

To achieve this, the administrator must create SD-WAN rules that match traffic types and assign appropriate strategies (best quality for VoIP, lowest cost for bulk).

777. MCQ (medium)

A FortiGate is receiving BGP routes from a neighbor but not advertising them to other peers. The administrator runs 'get router info bgp network' and sees the routes are in the BGP table but not advertised. What is the most likely cause?

A. BGP synchronization is enabled and the routes are not in the IGP
B. An outbound route map is applied that filters these routes
C. The next hop is unreachable
D. The router-id is the same as the peer's

Answer: B

Correct. A route map can selectively permit or deny routes from being advertised.

Why this answer

BGP routes are not advertised unless they pass outbound filtering (prefix lists, route maps) or are not the best path. Additionally, if synchronization is enabled, routes must be in the IGP routing table. The most common cause is a missing or restrictive outbound route map.

778. MCQ (medium)

A company wants to deploy ZTNA to secure access to internal applications for remote employees. They have a FortiGate with a public IP and internal servers. Which deployment mode should they choose to minimize changes to existing firewall rules?

A. SSL VPN with ZTNA
B. IPsec VPN with ZTNA
C. Both proxy-based and IPsec VPN
D. Proxy-based ZTNA

Answer: D

Proxy-based ZTNA uses a single policy and does not require modifying existing rules.

Why this answer

Proxy-based ZTNA (Option D) is correct because it uses a forward proxy architecture that intercepts traffic at Layer 7, allowing the FortiGate to enforce ZTNA access policies without modifying existing firewall rules. The proxy terminates the client connection and initiates a new connection to the internal server, so no inbound port forwarding or firewall rule changes are needed for the internal servers.

Exam trap

The trap here is that candidates often assume any ZTNA deployment requires VPN tunnels (SSL or IPsec) and overlook the proxy-based mode, which is specifically designed to avoid firewall rule changes by operating at Layer 7 without tunnel overhead.

How to eliminate wrong answers

Option A is wrong because SSL VPN with ZTNA still requires traditional VPN tunnel termination and typically needs firewall rules to allow the VPN traffic and forward it to internal servers, which contradicts the goal of minimizing changes to existing firewall rules. Option B is wrong because IPsec VPN with ZTNA also requires tunnel configuration and firewall rules to permit IPsec traffic and route it to internal servers, adding complexity rather than minimizing rule changes. Option C is wrong because combining both proxy-based and IPsec VPN introduces unnecessary complexity and still requires firewall rule modifications for the IPsec VPN component, failing to achieve the minimal-change objective.

779
MCQmedium

An administrator is deploying ZTNA for a legacy application that uses a fixed IP address and port. Which ZTNA component is responsible for securely proxying traffic from the user to the application without exposing the application's actual network location?

A.ZTNA access proxy
B.ZTNA inline CASB
C.IPsec VPN gateway
D.FortiClient EMS
AnswerA

The ZTNA access proxy sits between the user and the application, terminating the user's connection and establishing a secure connection to the application server.

Why this answer

The ZTNA proxy component acts as an intermediary, hiding the application server's IP address and providing secure access based on identity and posture.

780
MCQmedium

A network engineer is configuring an HA pair of FortiGate firewalls. They want to ensure that session failover occurs for UDP-based voice traffic with minimal interruption. Which HA configuration setting is most important for achieving this goal?

A.Enable session-pickup
B.Enable session-pickup-delay
C.Set ha-pickup-delay to 0
D.Configure ha-mgmt-interfaces
AnswerA

session-pickup enables the backup unit to take over existing sessions.

Why this answer

Session-pickup is the correct setting because it makes the primary FortiGate synchronize session state to the secondary, so that after failover existing flows continue without re-establishment. Without it, the secondary has no session entries and drops the voice packets as unknown traffic, which is immediately audible in a real-time stream. One practitioner caveat: session-pickup alone synchronizes TCP sessions; UDP and ICMP sessions are only synchronized when session-pickup-connectionless is also enabled under config system ha, so for RTP voice both settings are needed.

Exam trap

The trap here is that candidates confuse 'session-pickup-delay' or 'ha-pickup-delay' with the actual session synchronization mechanism, assuming any delay-related setting is key, when in fact the fundamental enabler is session-pickup itself.

How to eliminate wrong answers

Option B is wrong because session-pickup-delay is a tuning option layered on top of session-pickup: when enabled, the primary synchronizes only sessions that have already existed for more than 30 seconds, which reduces sync load but leaves short-lived sessions unsynchronized; it does not itself enable session failover. Option C is wrong because no delay value, zero or otherwise, turns on session synchronization; the mechanism has to be enabled explicitly. Option D is wrong because ha-mgmt-interfaces provide out-of-band management access to each unit in the cluster and have no effect on session synchronization or failover.

781
MCQmedium

A FortiGate has two WAN interfaces configured as SD-WAN members. The administrator wants traffic to specific destination IP addresses to use a particular member. Which SD-WAN configuration object should be used to achieve this?

A.SD-WAN rule
B.Route map
C.Prefix list
D.Performance SLA
AnswerA

SD-WAN rules define which traffic goes to which member based on matching criteria.

Why this answer

SD-WAN rules allow matching traffic based on criteria such as source/destination IP, and then forward it to a specific SD-WAN member or strategy.

782
Drag & Dropmedium

Drag and drop the steps to configure a FortiGate to use an external authentication server (e.g., RADIUS) for admin login into the correct order.


Why this order

Add server, configure details, create group, assign to admin, then test.

783
MCQmedium

A FortiGate administrator is configuring a multi-peer IPsec VPN where two remote sites connect to a central hub. The administrator wants to ensure that if one remote site loses connectivity, the other site can still reach the hub. Which configuration is essential?

A.Use the same preshared key for both remote sites
B.Configure separate phase1 interfaces for each remote site
C.Enable auto-negotiation on all phase1 interfaces
D.Configure a single phase1 interface with multiple remote IPs
AnswerB

Each remote site requires its own phase1 configuration so that they operate independently. If one fails, the other remains up.

Why this answer

Multi-peer VPN requires each remote site to have its own phase1 and phase2 configuration. On the hub, a separate phase1 interface (or separate phase1 config) per peer keeps the tunnels independent: if one peer's IKE SA drops, the other tunnel and its routes are unaffected. Option B is correct. Option D would tie both peers to one phase1 object, so a failure or renegotiation on one affects the other; Option A (a shared preshared key) is a credential-hygiene mistake, not a resilience measure; Option C (auto-negotiate) only controls when a tunnel is brought up, not whether the peers are independent.

784
MCQhard

A FortiGate administrator receives a report that a user downloaded a malicious PDF file. The antivirus profile has machine learning engine enabled, CDR enabled, and FortiSandbox integration. However, the file was allowed. The log shows: 'file=malicious.pdf, action=allow, ml_score=85, cd_result=clean, sandbox=not_submitted'. What is the most likely reason the file was not submitted to FortiSandbox?

A.The file size exceeded the maximum file size for FortiSandbox submission
B.CDR reconstructed the file, making it appear clean
C.The machine learning engine scored the file as clean (score below threshold)
D.The file was excluded by a file type filter in the antivirus profile
AnswerA

FortiSandbox has a configurable file size limit; files larger than that are not submitted.

Why this answer

FortiSandbox submission is subject to a maximum file size. If the PDF exceeds the configured limit, it is simply never sent, which is exactly what `sandbox=not_submitted` alongside `action=allow` shows: the other engines ran (ml_score and cd_result are populated) and no verdict was waited for. The limit is configurable in FortiOS, so the check is to compare the file's size against the configured sandbox maximum and the oversize handling in the protocol options profile, and to decide whether oversized files should be blocked rather than allowed.

785
MCQmedium

After upgrading FortiGate firmware, an admin notices that several sessions using SIP are failing. The SIP ALG was enabled before the upgrade. What is the MOST likely cause?

A.The SIP session helper is now deprecated
B.The SIP service port changed
C.The SIP ALG configuration was reset to default, affecting session handling
D.The FortiGate's SIP inspection profile was removed
AnswerC

Upgrades can reset ALG settings, causing SIP sessions to fail.

Why this answer

Firmware upgrades can reset or change default settings. Option C is correct because the SIP ALG configuration may have been disabled or reset, breaking SIP session handling (pinholes for RTP, NAT fix-up of SDP). Checking the ALG and session-helper configuration on the upgraded unit, and comparing it with the pre-upgrade backup, is the first troubleshooting step.

786
Multi-Selectmedium

Which THREE statements are true about FortiGate SD-WAN health-check configuration?

Select 3 answers
A.Health-check probes can be sent from any interface, including loopback.
B.Health-check can only be configured on physical interfaces, not VLANs or subinterfaces.
C.Health-check can be configured with multiple thresholds for jitter, latency, and packet loss.
D.Health-check can update the routing table by setting 'update-static-route' to enable fallback.
E.Health-check can be configured to use HTTP or DNS protocols to verify link health.
AnswersC, D, E

Performance SLA thresholds can be defined for jitter, latency, and packet loss.

Why this answer

Option C is correct because an SD-WAN health-check (performance SLA) accepts separate thresholds for latency, jitter, and packet loss; if a configured threshold is exceeded, the member is marked as failing the SLA, giving granular control beyond simple reachability. Option D is correct because update-static-route, when enabled, withdraws the static routes that use a member whose health-check fails, so traffic falls back to the remaining members. Option E is correct because the probe protocol is selectable and includes HTTP and DNS in addition to ping, so link health can be verified against an application-layer target rather than an ICMP responder alone.

Exam trap

The trap here is that candidates either assume a probe can be sourced from any interface (such as a loopback) or that health-checks work only on physical ports. In fact, the FortiGate sends probes out of the SD-WAN member interfaces themselves, and a member can be a VLAN, aggregate, or tunnel interface as well as a physical port.

787
MCQhard

You run the following command on a FortiGate: diagnose sys session filter dport 443 diagnose sys session list Output: proto=6 proto_state=01 duration=3600 expire=3599 What does the 'proto_state=01' indicate?

A.The session is fully established and in the 'established' state
B.The session is in the 'init' state, meaning the first SYN packet has been seen but the handshake is not complete
C.The session is a UDP or ICMP session with no state tracking
D.The session is being torn down (FIN or RST received)
AnswerA

proto_state=01 on a TCP session indicates the ESTABLISHED state.

Why this answer

Option A is correct. For TCP sessions the second digit of proto_state carries the TCP state: 0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN_RECV, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN. A value of 01 therefore means the three-way handshake has completed. The timers in the output agree with that reading: duration=3600 with expire=3599 is a long-lived session whose idle timer is being refreshed against the default 3600-second established-TCP TTL, whereas a half-open session (proto_state=02 or 03) would be counted against the much shorter SYN timeout. UDP and ICMP sessions are not state-tracked this way; for UDP the second digit only indicates whether a reply has been seen.
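An added example (not FortiOS code) that decodes the proto and proto_state fields from constructed `diagnose sys session list` output using the TCP state table above, and goes one step further than the question by also flagging long-lived established sessions, which is how this field is typically used during an investigation. The sample lines and the leading digit handling are assumptions: only the second digit is decoded.

```python
"""Decode proto/proto_state from FortiGate 'diagnose sys session list' output.

Added example, not FortiOS code. The sample output is constructed. For TCP the
SECOND digit of proto_state carries the state (Fortinet session-table values);
the leading digit is not interpreted here.
"""
import re

# TCP state names indexed by the second digit of proto_state
TCP_STATES = {
    "0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_RECV",
    "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
    "8": "LAST_ACK", "9": "LISTEN",
}
# For UDP the second digit only says whether a reply has been seen
UDP_STATES = {"0": "ONE_WAY", "1": "REPLIED"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: one "session info:" line per session, trimmed to the fields we need
SAMPLE = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 use=3
session info: proto=6 proto_state=02 duration=1 expire=9 timeout=10 flags=00000000 use=3
session info: proto=17 proto_state=00 duration=5 expire=175 timeout=180 flags=00000000 use=3
session info: proto=6 proto_state=05 duration=130 expire=110 timeout=120 flags=00000000 use=3
"""


def parse_session_line(line):
    """Return {field: value} for one 'session info:' line (key=value tokens)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def decode_state(session):
    """Translate proto + proto_state into a readable state name."""
    proto = int(session["proto"])
    second_digit = session["proto_state"][-1]
    if proto == 6:
        return TCP_STATES.get(second_digit, "UNKNOWN")
    if proto == 17:
        return UDP_STATES.get(second_digit, "UNKNOWN")
    return "STATELESS"          # ICMP and others carry no connection state


def summarise(output):
    """One dict per session with decoded protocol name, state and timers."""
    rows = []
    for line in output.splitlines():
        if not line.startswith("session info:"):
            continue
        s = parse_session_line(line)
        rows.append({
            "proto": PROTO_NAMES.get(int(s["proto"]), s["proto"]),
            "proto_state": s["proto_state"],
            "state": decode_state(s),
            "duration": int(s["duration"]),
            "expire": int(s["expire"]),
        })
    return rows


def established_long_lived(output, min_duration=3000):
    """Established TCP sessions up for at least min_duration seconds: the usual
    first filter when hunting for a persistent C2 or tunnel-like flow."""
    return [r for r in summarise(output)
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["duration"] >= min_duration]


if __name__ == "__main__":
    for r in summarise(SAMPLE):
        print(f"{r['proto']:<4} proto_state={r['proto_state']} -> {r['state']:<12} "
              f"duration={r['duration']} expire={r['expire']}")
```

On a real box, paste the output of `diagnose sys session list` (after setting a filter such as `diagnose sys session filter dport 443`) into `summarise` to get the same decoding for every session at once.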

788
MCQeasy

A FortiGate is operating in transparent mode. Which of the following statements is true about this mode?

A.The FortiGate does not modify the MAC addresses of packets
B.The FortiGate can route between different VLANs
C.The FortiGate can perform NAT
D.The FortiGate operates as a Layer 2 device and does not require IP addresses on its interfaces
AnswerD

In transparent mode, interfaces are not assigned IP addresses; the FortiGate bridges traffic at Layer 2.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding frames based on MAC addresses without modifying them. It does not require IP addresses on its interfaces for traffic forwarding, though management IP addresses can be assigned. This allows the FortiGate to be inserted into an existing network segment without reconfiguring IP subnets.

Exam trap

The trap here is that candidates often confuse transparent mode with NAT/Route mode, assuming that because the FortiGate can apply security policies, it must also perform routing or NAT, but in transparent mode it acts purely as a Layer 2 bridge.

How to eliminate wrong answers

Option A is a true statement on its own (a transparent-mode FortiGate forwards frames without rewriting their MAC addresses), but it describes only a side effect; Option D states the defining property of the mode, which is why it is the keyed answer. Option B is wrong because transparent mode operates at Layer 2 and cannot route between VLANs; inter-VLAN routing requires Layer 3 interfaces, which transparent mode does not use. Option C is wrong because NAT is a Layer 3 function that depends on IP routing, and transparent mode does not route or NAT; it bridges traffic at Layer 2.

789
Multi-Selectmedium

A network administrator is configuring SD-WAN on a FortiGate with three WAN links: MPLS (10 Mbps), Broadband (50 Mbps), and LTE (20 Mbps). They want to load balance traffic based on link bandwidth, with the option to manually steer critical traffic to the MPLS link. Which TWO steps must be taken to achieve this?

Select 2 answers
A.Set the SD-WAN rule strategy to 'Maximize Bandwidth' with volume algorithm for general traffic.
B.Create a separate SD-WAN rule for critical traffic with strategy 'Manual' and select MPLS as the preferred member.
C.Set the load balancing algorithm to 'Spillover' on all rules.
D.Enable ECMP on the FortiGate.
E.Configure a performance SLA for each link.
AnswersA, B

This enables bandwidth-based load balancing.

Why this answer

To load balance based on bandwidth, the general-traffic SD-WAN rule should use the 'Maximize Bandwidth' strategy with the volume algorithm, which weights members by their configured bandwidth. To steer critical traffic manually, a separate SD-WAN rule with the 'Manual' strategy selects MPLS as the preferred member; rules are evaluated top down, so the critical-traffic rule must sit above the general one. Options A and B together satisfy both requirements. Performance SLAs (E) are useful for failover but are not required for bandwidth-based distribution, and ECMP (D) is a routing-table mechanism that SD-WAN rules supersede.

790
MCQhard

A large enterprise uses FortiGate as their perimeter firewall with ATP features enabled. They have a mix of internal users and remote VPN users. Recently, several remote users reported that their machines became infected with ransomware after connecting to the VPN. The IT team suspects that the ransomware entered through the VPN tunnel. The FortiGate has an antivirus profile applied to the VPN policy with SSL inspection enabled for all traffic. However, the logs show that no malware was detected. Upon investigation, the team finds that the remote users' machines are not managed by the company and do not have any endpoint protection. The ransomware was delivered via a spear-phishing email that the users opened on their remote machines. The email traffic passed through the VPN tunnel to the corporate mail server first, then back to the user. The FortiGate antivirus profile is configured to scan SMTP traffic but the email was sent from an external source to the corporate mail server, and the mail server uses STARTTLS to receive emails. The FortiGate does not perform SSL inspection on the SMTP traffic because the SMTP service is not included in the SSL inspection profile. What action should the administrator take to prevent this in the future?

A.Disable STARTTLS on the corporate mail server to force plaintext SMTP
B.Add SMTP to the SSL inspection profile to decrypt and scan email traffic
C.Require remote users to install endpoint protection with FortiClient
D.Block all SMTP traffic from remote VPN users
AnswerB

This allows the antivirus to inspect encrypted SMTP traffic and detect malware.

Why this answer

Option B is correct because the FortiGate's antivirus profile is configured to scan SMTP traffic, but the email was encrypted via STARTTLS, and SMTP is not included in the SSL inspection profile. By adding SMTP to the SSL inspection profile, the FortiGate can decrypt the SMTP traffic, allowing the antivirus engine to inspect the email content for malware, including ransomware delivered via spear-phishing.

Exam trap

The trap here is that candidates assume the antivirus profile is sufficient because it is applied to the VPN policy and includes SMTP scanning, but they overlook that SSL inspection must be explicitly configured for the SMTP service to decrypt STARTTLS-encrypted traffic before scanning can occur.

How to eliminate wrong answers

Option A is wrong because forcing plaintext SMTP would let the antivirus engine see the content only by removing transport encryption from every inbound mail exchange, which exposes mail in transit and is a security regression; the right place to decrypt for inspection is the FortiGate, not the mail server. Option C is wrong because endpoint protection on remote machines is sound practice but does not address the identified gap, which is that the FortiGate never inspected the encrypted SMTP stream. Option D is wrong because blocking all SMTP traffic from remote VPN users would stop legitimate mail; the goal is to inspect the traffic, not block it.

791
MCQeasy

You receive an alert that FortiAnalyzer log disk usage is at 95%. Which action should you take to immediately free up space without losing important logs?

A.Delete all logs older than 30 days
B.Enable log compression
C.Configure log archiving to an external storage
D.Increase log disk quota
AnswerC

Archiving moves old logs off the device.

Why this answer

Option C is correct because archiving old logs to external storage frees local disk while keeping the logs retrievable. Option A discards data that may be needed for an investigation. Option B does not free space on demand: logs on FortiAnalyzer are already stored compressed. Option D only raises the threshold at which the alert fires; it adds no disk, and the quota cannot exceed the physical capacity.

792
MCQhard

An administrator runs the following CLI command on a FortiGate and sees the output below: diagnose vpn ike gateway list vd: root/0 name: REMOTE_GW vrf: 0 version: 2 state: UP IKE SA: created 1s ago 1.2.3.4:500->5.6.7.8:500 What is the most likely explanation for the IKE SA being created only 1 second ago?

A.The remote peer changed its IP address
B.DPD detected a dead peer and renegotiated
C.The phase 2 SA expired and triggered phase 1 rekey
D.The VPN tunnel was just configured or a configuration change was applied
AnswerD

Recent creation time indicates the SA was just negotiated, typical after applying config changes or restarting IKE.

Why this answer

The IKE SA was recently created, suggesting a previous SA was deleted and a new one established. This often happens after configuration changes or a restart of IKE negotiation.

793
MCQeasy

Which FortiGate security feature can reconstruct files to remove potentially malicious content while preserving the file's usability?

A.Antivirus outbreak prevention
B.Content Disarm and Reconstruction
C.FortiSandbox
D.IPS application control
AnswerB

CDR disinfects files by removing active content and rebuilding them.

Why this answer

Content Disarm and Reconstruction (CDR) is the correct answer because it actively removes potentially malicious content—such as macros, scripts, or embedded objects—from files (e.g., Office documents, PDFs) and then reconstructs a clean, usable version. Unlike detection-based approaches, CDR eliminates threats by sanitizing the file structure itself, ensuring the file remains functional for the end user while blocking exploits.

Exam trap

The trap here is that candidates often confuse FortiSandbox's detection capabilities with CDR's proactive sanitization, mistakenly thinking sandboxing can reconstruct files when it only analyzes and blocks them.

How to eliminate wrong answers

Option A is wrong because Antivirus outbreak prevention relies on signature-based detection and blocking of known malware patterns, not on file reconstruction or sanitization. Option C is wrong because FortiSandbox uses behavioral analysis and sandboxing to detect unknown threats, but it does not reconstruct files to remove malicious content; it only provides verdicts and can block or quarantine files. Option D is wrong because IPS application control focuses on detecting and preventing network-level attacks and application misuse, not on file-level content sanitization or reconstruction.

794
MCQeasy

A network engineer is deploying a FortiGate in transparent mode at a branch office. The goal is to insert the firewall without changing the existing IP subnet scheme. Which statement about transparent mode is TRUE?

A.The FortiGate must have a unique IP subnet for each interface
B.Transparent mode supports all routing protocols like OSPF and BGP
C.NAT is required for traffic to pass through the FortiGate
D.The FortiGate acts as a Layer 2 bridge and forwards traffic based on MAC addresses
AnswerD

This is the definition of transparent mode. It operates at Layer 2.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses without modifying the IP subnet scheme. This allows the firewall to be inserted into an existing network segment without requiring IP reconfiguration of connected devices.

Exam trap

The trap here is that candidates often confuse transparent mode with routed mode, assuming that IP addressing or routing protocols are required, when in fact transparent mode operates purely at Layer 2.

How to eliminate wrong answers

Option A is wrong because in transparent mode, all interfaces share the same IP subnet (the management IP is assigned to the bridge, not per interface). Option B is wrong because transparent mode does not support routing protocols like OSPF or BGP; it operates at Layer 2 and forwards traffic based on MAC addresses, not IP routing tables. Option C is wrong because NAT is not required; traffic passes through the FortiGate as a transparent bridge, and NAT is typically used in routed (Layer 3) modes.

795
Multi-Selecthard

An administrator is configuring automation stitches to respond to a detected ransomware outbreak. Which THREE components are essential for an automation stitch?

Select 3 answers
A.Schedule
B.Condition
C.Log device
D.Action
E.Trigger
AnswersB, D, E

Conditions refine when the action should be taken.

Why this answer

Options B, D, and E are correct. An automation stitch is built from a trigger (the event that fires it), an action (the response), and optionally a condition that narrows when the action runs. A schedule is one possible trigger type, not a separate building block, and a log device is a FortiAnalyzer concept that is not part of the stitch itself.

796
MCQhard

An administrator is configuring FortiClient EMS to enforce compliance for remote users. The requirement is that all remote devices must have disk encryption enabled. The administrator has created a compliance rule in EMS that checks for 'Full Disk Encryption' and set the action to 'Block'. However, users with unencrypted drives are still able to connect to the VPN. What is the most likely missing configuration?

A.The FortiClient telemetry is not sending compliance status
B.The compliance rule is not enabled on the FortiGate via ZTNA tag
C.The VPN policy on the FortiGate does not require compliance check
D.The compliance rule is not assigned to a FortiClient configuration profile
AnswerD

In EMS, compliance rules must be part of a configuration profile that is assigned to endpoints. Without assignment, the rule is not enforced.

Why this answer

For compliance enforcement, the compliance rule must be applied to a configuration profile that is assigned to the endpoints. Option D is correct because a rule that is not part of an assigned profile is never pushed to FortiClient, so the endpoint reports no violation and the VPN connection is allowed. A quick check is to open the endpoint in EMS and confirm which profile it received and whether the disk-encryption rule appears in its compliance status.

797
Multi-Selecteasy

An administrator is configuring FortiMail to be more secure against advanced email threats. Which THREE features should they enable to protect against email-based phishing attacks?

Select 3 answers
A.DKIM signing/verification
B.CDR (Content Disarm and Reconstruction)
C.FortiSandbox inline scanning
D.SPF verification
E.DMARC policy enforcement
AnswersA, D, E

DKIM verifies message integrity and sender domain.

Why this answer

Options A, D, and E are correct. SPF, DKIM, and DMARC are the email authentication standards that verify the sending domain and detect spoofing, which is the basis of most phishing; CDR and FortiSandbox scanning protect against malicious attachments rather than sender forgery.

798
Multi-Selectmedium

An administrator is configuring SD-WAN with two members: MPLS and Broadband. The requirement is that voice traffic (UDP ports 16384-32768) should use MPLS primarily, and if MPLS fails SLA, then use Broadband. Which two configurations are needed? (Choose TWO.)

Select 2 answers
A.Disable the Broadband member from the SD-WAN zone
B.Configure a performance SLA for the MPLS member
C.Create an SD-WAN rule that matches voice traffic and uses 'best quality' strategy
D.Configure policy-based routing for voice traffic
E.Set the load balancing algorithm to 'sessions'
AnswersB, C

Required to monitor link quality.

Why this answer

A performance SLA monitors the MPLS link quality, and an SD-WAN rule is configured to match voice traffic with a strategy that prefers MPLS but falls back to Broadband if SLA fails. Without the SLA, the rule cannot detect failure.

799
MCQhard

An administrator configures OSPF on a FortiGate with multiple areas. After configuration, the FortiGate does not become an ABR. What is the most likely reason?

A.The router-id is not configured
B.The OSPF process is not enabled
C.The network type is set to point-to-point
D.There is no interface assigned to area 0
AnswerD

An ABR must have at least one interface in area 0 and one in another area.

Why this answer

To be an ABR, the FortiGate must have interfaces in area 0 (backbone) and at least one other area. If no interface is in area 0, it cannot be an ABR.

800
MCQeasy

Which load balancing algorithm in SD-WAN sends new sessions to the member interface with the least number of active sessions?

A.Sessions
B.Volume
C.Spillover
D.Source-dest IP
AnswerA

Sessions algorithm sends to the interface with the fewest active sessions.

801
MCQeasy

An administrator wants to verify that a BGP route is being advertised to a neighbor. Which command displays the routes that FortiGate is advertising to a specific BGP neighbor?

A.get router info bgp network
B.get router info bgp neighbor <ip> advertised-routes
C.diagnose ip router bgp routes
D.show ip bgp summary
AnswerB

Correct command.

Why this answer

Option B is correct. 'get router info bgp neighbor <ip> advertised-routes' shows all routes that the FortiGate is advertising to that specific BGP neighbor, after outbound filtering. This is the standard command for verifying outbound route advertisement; its counterpart for verifying what was learned is 'get router info bgp neighbor <ip> routes'.

802
MCQmedium

A network administrator has configured an IPsec VPN between two FortiGates using IKEv2 with pre-shared keys. The tunnel establishes successfully, but after a few minutes, traffic stops passing through. The administrator runs 'diagnose vpn ike log' and sees 'DPD timeout' messages. What is the most likely cause of this issue?

A.The remote FortiGate is behind a NAT device without proper NAT-T configuration
B.The IPsec phase2 proposal is mismatched, causing rekey failures
C.The IKE SA lifetime is set too long, causing the tunnel to expire
D.The local FortiGate's DPD interval is set too low, causing false positives
AnswerA

NAT-T is required when one peer is behind NAT. Without it, DPD packets may be dropped, causing the tunnel to be considered dead.

Why this answer

DPD timeout indicates that the remote peer is not responding to Dead Peer Detection probes. DPD relies on bidirectional IKE traffic (UDP 500, or UDP 4500 once NAT-T is in use). Option A is correct because a peer behind NAT without proper NAT-T configuration can complete the initial negotiation and then lose the IKE path when the NAT mapping times out, so DPD probes go unanswered and the FortiGate tears the tunnel down. The same symptom appears if an intermediate firewall drops UDP 500/4500, so the check is to confirm NAT-T and keepalives on both peers and to watch the IKE log for the direction in which probes stop.

803
MCQeasy

Which SD-WAN load balancing algorithm distributes traffic based on the number of active sessions per interface?

A.Sessions
B.Volume
C.Source-destination IP
D.Spillover
AnswerA

Sessions algorithm distributes based on number of sessions per interface.

Why this answer

The 'sessions' algorithm balances by session count. Other algorithms use volume, spillover, source-dest IP hash, or lowest cost.

804
Multi-Selectmedium

An administrator is investigating a security incident using FortiAnalyzer logs. The admin needs to identify all connections from a specific internal IP (10.0.0.100) to external servers on TCP port 443 during the last hour. Which TWO log fields should be used to filter the logs? (Choose two.)

Select 2 answers
A.dstip
B.dstport
C.srcip
D.action
E.policyid
AnswersB, C

Correct. Destination port field filters by port number (443).

Why this answer

To filter traffic from a source IP and destination port, the administrator should use the source IP field and the destination port field. The service field may also show port but is less precise.
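An added example (not FortiAnalyzer code) that applies the srcip and dstport filter to FortiOS-style key=value traffic log lines over a one-hour window, and goes slightly beyond the question by also checking proto, since dstport=443 alone would pull in QUIC (UDP/443) as well as TCP. The log lines and the fixed current time are constructed assumptions.

```python
"""Filter FortiGate traffic logs by srcip and dstport within a time window.

Added example, not FortiAnalyzer code. The log lines below are constructed in
the FortiOS key=value syslog format and NOW is fixed so the run is deterministic.
"""
import re
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 1, 11, 0, 0)   # assumed current time for the example

# Constructed sample traffic logs (not real data)
LOGS = [
    'date=2024-05-01 time=10:15:32 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.100 srcport=51234 dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=12 service="HTTPS" sentbyte=1520 rcvdbyte=48210',
    'date=2024-05-01 time=10:42:07 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.100 srcport=51300 dstip=198.51.100.7 dstport=443 proto=6 action="accept" policyid=12 service="HTTPS" sentbyte=980 rcvdbyte=210',
    'date=2024-05-01 time=10:50:11 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.101 srcport=40001 dstip=203.0.113.5 dstport=443 proto=6 action="accept" policyid=12 service="HTTPS" sentbyte=300 rcvdbyte=400',
    'date=2024-05-01 time=10:55:59 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.100 srcport=51400 dstip=203.0.113.9 dstport=443 proto=17 action="accept" policyid=14 service="QUIC" sentbyte=1200 rcvdbyte=5000',
    'date=2024-05-01 time=09:30:00 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.100 srcport=50001 dstip=192.0.2.44 dstport=443 proto=6 action="accept" policyid=12 service="HTTPS" sentbyte=700 rcvdbyte=900',
    'date=2024-05-01 time=10:20:45 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.100 srcport=51250 dstip=93.184.216.34 dstport=80 proto=6 action="accept" policyid=11 service="HTTP" sentbyte=400 rcvdbyte=1200',
]

# key=value tokens; values may be quoted and contain spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """key=value line -> dict, with quotes stripped from quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def log_time(rec):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def find_connections(lines, srcip, dstport, now=NOW, window=timedelta(hours=1), proto=6):
    """Traffic records matching srcip and dstport inside [now - window, now].

    proto defaults to TCP (6): filtering on the two fields from the question
    alone would also return UDP/443 (QUIC), which is a different conversation.
    """
    matches = []
    for line in lines:
        rec = parse_log(line)
        if rec.get("type") != "traffic":
            continue
        if rec.get("srcip") != srcip or rec.get("dstport") != str(dstport):
            continue
        if int(rec.get("proto", 0)) != proto:
            continue
        if not now - window <= log_time(rec) <= now:
            continue
        matches.append(rec)
    return matches


def destinations(records):
    """Distinct dstip values, the list an analyst pivots on next."""
    return sorted({r["dstip"] for r in records})


if __name__ == "__main__":
    hits = find_connections(LOGS, "10.0.0.100", 443)
    for r in hits:
        print(r["time"], r["srcip"], "->", r["dstip"], "policyid", r["policyid"], r["action"])
    print("destinations:", destinations(hits))
```

The same filter expressed in the FortiAnalyzer log view is simply `srcip=10.0.0.100 and dstport=443` with the time range set to the last hour; the script reproduces it offline on exported logs and adds the proto check as a guard.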

805
MCQhard

An administrator configures Multi-Peer VPN (MPVPN) on a FortiGate aggregator. The aggregator has two phase1 configurations for the same remote subnet but different peers. The aggregator's routing table shows both peers as next hops. The administrator notices that traffic between the aggregator and the remote subnet is load-balanced across both peers. What is the cause?

A.The MPVPN feature automatically load-balances traffic across all active peers.
B.The phase1 configurations have the same proposal settings, causing implicit load balancing.
C.The aggregator has two static routes with equal cost to the remote subnet.
D.The remote peers are both advertising the same subnet via BGP with equal metrics.
AnswerC

Why this answer

MPVPN itself does not load balance; it provides redundancy. Load balancing occurs when multiple routes to the same destination have equal administrative distance and priority: the FortiGate then installs both as ECMP next hops. With two separate phase1 interfaces, the usual configuration is a static route to the remote subnet over each tunnel interface, and if both have the same distance and priority the result is exactly the ECMP behaviour observed. Option C is therefore the most likely cause; to make one peer primary, raise the distance or priority of the backup route.

Option D could produce the same behaviour, but nothing in the scenario mentions BGP, and options A and B describe mechanisms that do not exist.

806
MCQmedium

A network administrator notices that several endpoints are infected with ransomware despite having FortiGate ATP enabled. The logs show that the files were downloaded over HTTPS, and the antivirus profile did not detect them. What is the most likely reason?

A.SSL inspection was not enabled on the antivirus profile
B.Application control profile blocked the download
C.FortiSandbox was not configured to analyze the files
D.IPS signature database was outdated
AnswerA

Without SSL inspection, encrypted traffic bypasses antivirus scanning.

Why this answer

FortiGate ATP's antivirus engine cannot inspect encrypted HTTPS traffic unless SSL inspection is explicitly enabled on the antivirus profile. Without SSL inspection, the antivirus profile only sees encrypted payloads and cannot match file signatures or heuristics, allowing ransomware to pass undetected. The logs confirm files were downloaded over HTTPS, making this the most likely root cause.

Exam trap

The trap here is that candidates assume FortiGate's antivirus can automatically inspect HTTPS traffic because it is part of the ATP suite, but FortiGate requires explicit SSL inspection configuration to decrypt and scan encrypted downloads.

How to eliminate wrong answers

Option B is wrong because an application control profile blocks applications or categories, not files; it would not prevent the download of a ransomware file over HTTPS unless the application itself (e.g., a specific browser) was blocked, which is unrelated to the antivirus detection failure. Option C is wrong because FortiSandbox is an additional analysis layer that can detect unknown threats, but the primary reason the file was not detected is that the antivirus profile never saw the decrypted content; even if FortiSandbox were configured, it would not receive the file for analysis without SSL inspection. Option D is wrong because an outdated IPS signature database affects intrusion prevention, not antivirus file scanning; IPS signatures are for network-level attacks, not for detecting malware in downloaded files, and the antivirus engine uses its own signature database.

807
MCQmedium

A FortiGate administrator wants to integrate FortiClient EMS to enforce compliance before granting VPN access. The FortiGate is the SSL VPN gateway. Which configuration is required on the FortiGate to use FortiClient's posture check?

A.Add the FortiClient EMS server as a telemetry source and create a ZTNA tag based on posture data.
B.Configure the FortiGate as a SAML IdP for FortiClient EMS.
C.Configure FortiClient EMS as a user group server and assign it to the SSL VPN portal.
D.Enable 'compliance check' under SSL VPN settings and specify the EMS IP address.
AnswerA

Why this answer

FortiClient EMS sends posture data to FortiGate via telemetry. The admin must define ZTNA tags for conditions (e.g., antivirus running) and use those tags in firewall policies or SSL VPN permissions. There is no direct 'compliance check' setting in SSL VPN; it's done via ZTNA.

808
MCQhard

Two FortiGate units in an HA cluster are experiencing synchronization issues. The administrator runs 'diagnose sys ha checksum cluster' and sees different checksum values for the 'system' and 'router' objects. What is the FIRST step to resolve the mismatch?

A.Execute 'execute ha synchronize start' from the primary unit
B.Upgrade the firmware on both units to the same version
C.Reboot both units to force a full sync
D.Disable and re-enable HA on both units
AnswerA

This command forces configuration synchronization from primary to secondary.

Why this answer

Option A is correct. The checksum mismatch indicates configuration drift between the units. The first step is to force synchronization from the primary with 'execute ha synchronize start', then re-run 'diagnose sys ha checksum cluster' to confirm the values match. Only if the mismatch persists should the heavier options (firmware alignment, reboot, rebuilding the cluster) be considered, since they cause disruption.

809
MCQmedium

An administrator is configuring a FortiGate in transparent mode for a data center segment. Which of the following is true about transparent mode operation in an enterprise environment?

A.The FortiGate requires an IP address on each interface to route between VLANs
B.Transparent mode operates at Layer 2, so no IP configuration is needed on the FortiGate interfaces
C.Transparent mode is only available on specific hardware models
D.Transparent mode supports NAT and VPN termination
AnswerB

The FortiGate acts as a transparent bridge; interfaces have no IP addresses.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses rather than IP addresses. The interfaces therefore need no IP addresses for forwarding; a single management IP is assigned to the VDOM as a whole for administrative access only. Option B correctly identifies that transparent mode functions at Layer 2, so no IP configuration is needed on the physical interfaces for data-plane operation.

Exam trap

The trap here is that candidates assume a firewall always needs IP addresses on its interfaces to function, but in transparent mode the FortiGate acts as a bump-in-the-wire at Layer 2, requiring only a management IP for administrative access, not for traffic forwarding.

How to eliminate wrong answers

Option A is wrong because in transparent mode, the FortiGate does not route between VLANs; it bridges traffic at Layer 2, and inter-VLAN routing would require a Layer 3 device upstream or a separate VDOM in NAT/route mode. Option C is wrong because transparent mode is available on all FortiGate models that support the current FortiOS version, not limited to specific hardware. Option D is wrong because transparent mode does not support NAT or VPN termination; these features require the FortiGate to operate in NAT/route mode (Layer 3) with IP routing enabled.

810
MCQmedium

A network administrator notices that FortiGate is not blocking a known malicious file that was submitted to FortiSandbox and received a 'malicious' verdict. The firewall policy includes a FortiSandbox inline scan profile. What is the MOST likely cause?

A.The antivirus signature database is outdated
B.The FortiSandbox license has expired
C.The FortiSandbox is not configured as an inline scanner in the antivirus profile
D.The file is larger than the maximum file size allowed for scanning
AnswerC

Inline scanning requires configuration in the antivirus profile to forward files to FortiSandbox for real-time analysis and enforce blocking based on verdict.

Why this answer

Option C is correct because inline scanning requires FortiSandbox to be selected as the inline scanner in the antivirus profile applied by the policy. Without that setting, files are at most submitted for post-transfer analysis: a 'malicious' verdict is still produced, but the transfer has already been allowed, so nothing enforces the verdict in real time.

811
MCQhard

A security analyst is investigating a phishing email that bypassed email security. The email's headers show SPF=pass, DKIM=pass, but DMARC=quarantine. The email was delivered to the inbox. What is the most likely reason DMARC did not block or quarantine the email?

A.The email was sent from a subdomain not covered by DMARC
B.The SPF and DKIM alignment checks passed, so DMARC treated the email as authentic
C.The DMARC record had a pct (percentage) of less than 100
D.The DMARC policy was set to 'none'
AnswerB

DMARC passes when at least one of SPF or DKIM passes and is aligned with the From domain; the published policy (quarantine) is applied only to messages that fail.

Why this answer

Option B is correct because DMARC does not act on raw SPF and DKIM results; it checks whether a passing result is aligned, meaning the domain SPF authenticated (the envelope MailFrom domain) or the DKIM signing domain (the d= tag) matches the domain in the From header, exactly in strict mode or at the organizational-domain level in relaxed mode. Here both SPF and DKIM passed and were aligned, so the DMARC result was 'pass'. The record's p=quarantine policy describes what to do with failing messages, and since this message did not fail it was delivered to the inbox.

Exam trap

Fortinet often tests the misconception that a DMARC policy of 'quarantine' or 'reject' blocks or quarantines any message that fails SPF or DKIM. The trap here is that DMARC applies its policy only when neither SPF nor DKIM produces an aligned pass; a single aligned pass is enough for DMARC to treat the message as authentic, even if the other mechanism fails.

How to eliminate wrong answers

Option A is wrong because a subdomain without its own DMARC record is not 'uncovered': it falls back to the organizational domain's record, using the sp tag if one is published and the p tag otherwise; in any case the header shows that a quarantine policy was found and evaluated. Option C is wrong because pct only reduces the share of failing messages to which the policy is applied (the rest get the next less severe action); this message passed alignment, so no pct value would have quarantined it. Option D is wrong because a policy of 'none' would indeed never quarantine, but the header shows the policy was quarantine, and the message was delivered because it passed, not because the policy was absent.
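The alignment logic discussed above, as an added example that is not part of the question bank or any Fortinet code. It models the step a receiving mail server performs after SPF and DKIM have already produced their results: decide whether either result is aligned with the From domain and apply the published policy only when no aligned pass exists. The domains, record values and the two-label organizational-domain rule are assumptions constructed for illustration (real receivers use the Public Suffix List).

```python
"""Added example (not from the question bank or Fortinet): a minimal DMARC evaluator.

It models the step a receiving mail server performs after SPF and DKIM have
already produced their results: check whether either result is *aligned* with
the RFC5322.From domain, and apply the published policy only when no aligned
pass exists. All inputs below are constructed for illustration."""

from dataclasses import dataclass
from typing import Optional, Tuple


def org_domain(fqdn: str) -> str:
    """Organizational domain. Real receivers consult the Public Suffix List;
    this stand-in assumes two-label organizational domains (example.com)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Alignment per RFC 7489: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class DmarcRecord:
    p: str              # published policy: none | quarantine | reject
    adkim: str = "r"    # DKIM alignment mode
    aspf: str = "r"     # SPF alignment mode
    pct: int = 100      # percentage of failing messages the policy applies to


@dataclass
class AuthResults:
    from_domain: str            # domain in RFC5322.From, what the user sees
    spf_result: str             # pass | fail | softfail | none ...
    spf_domain: Optional[str]   # RFC5321.MailFrom (envelope) domain SPF checked
    dkim_result: str
    dkim_domain: Optional[str]  # d= tag of the verified DKIM signature


NEXT_LESS_SEVERE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def evaluate_dmarc(ar: AuthResults, rec: DmarcRecord, sample: int = 0) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    dmarc_result is 'pass' when at least one mechanism passed AND is aligned;
    only a 'fail' triggers the policy. `sample` (0-99) stands in for the random
    draw used when pct < 100: messages outside the sampled share receive the
    next-less-severe action."""
    spf_ok = ar.spf_result == "pass" and aligned(ar.spf_domain, ar.from_domain, rec.aspf)
    dkim_ok = ar.dkim_result == "pass" and aligned(ar.dkim_domain, ar.from_domain, rec.adkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    if sample >= rec.pct:
        return "fail", NEXT_LESS_SEVERE[rec.p]
    return "fail", rec.p


# Constructed scenarios (domains are placeholders)
def scenario_question_811() -> Tuple[str, str]:
    """SPF=pass and DKIM=pass, both aligned with From, p=quarantine: delivered."""
    ar = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
    return evaluate_dmarc(ar, DmarcRecord(p="quarantine"))


def scenario_unaligned_spoof() -> Tuple[str, str]:
    """Attacker's own domain passes SPF and DKIM, but From shows the victim domain:
    both pass yet neither is aligned, so DMARC fails and quarantine applies."""
    ar = AuthResults("example.com", "pass", "attacker.test", "pass", "attacker.test")
    return evaluate_dmarc(ar, DmarcRecord(p="quarantine"))


def scenario_subdomain_strict_vs_relaxed() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """DKIM d=mail.example.com for From example.com: passes relaxed, fails strict."""
    ar = AuthResults("example.com", "fail", "bulk.example.net", "pass", "mail.example.com")
    relaxed = evaluate_dmarc(ar, DmarcRecord(p="reject", adkim="r"))
    strict = evaluate_dmarc(ar, DmarcRecord(p="reject", adkim="s"))
    return relaxed, strict


def scenario_pct_sampling() -> Tuple[str, str]:
    """pct=50: a failing message outside the sampled half gets quarantine, not reject."""
    ar = AuthResults("example.com", "fail", None, "fail", None)
    return evaluate_dmarc(ar, DmarcRecord(p="reject", pct=50), sample=75)
```

The second scenario is the one to remember when reading headers: 'spf=pass dkim=pass' on their own prove nothing about the visible From domain, which is why the alignment check, not the raw results, decides the outcome.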

812
MCQeasy

What is the primary function of FortiDeceptor in a network security architecture?

A.To provide network access control for endpoints
B.To aggregate logs from multiple security devices
C.To lure attackers into interacting with decoys and generate alerts
D.To detect and block malware at the endpoint
AnswerC

FortiDeceptor uses decoys to detect lateral movement.

Why this answer

FortiDeceptor is a deception-based threat detection solution that deploys decoys (fake assets) across the network to lure attackers. When an attacker interacts with a decoy, FortiDeceptor generates a high-fidelity alert, enabling early detection of lateral movement or reconnaissance without relying on signatures.

Exam trap

The trap here is that candidates confuse FortiDeceptor's deception-based detection with endpoint protection or log aggregation, but the exam specifically tests that its primary function is to lure attackers into interacting with decoys and generate alerts.

How to eliminate wrong answers

Option A is wrong because network access control for endpoints is the function of FortiNAC, not FortiDeceptor, which focuses on deception rather than admission control. Option B is wrong because log aggregation from multiple security devices is the role of FortiAnalyzer or a SIEM, not FortiDeceptor, which generates its own alerts from decoy interactions. Option D is wrong because detecting and blocking malware at the endpoint is the domain of FortiEDR or endpoint security solutions, whereas FortiDeceptor does not execute or block code on endpoints.

813
MCQmedium

An administrator is configuring a FortiGate as a SAML Identity Provider (IdP) for a third-party service provider. Which of the following is REQUIRED for the FortiGate IdP configuration?

A.The SP's metadata must be imported as a firewall address
B.User accounts must be synchronized with an LDAP server
C.A certificate for signing SAML assertions
D.A pre-shared key between FortiGate and the SP
AnswerC

The IdP must have a certificate to sign SAML responses. This certificate is trusted by the SP.

Why this answer

As a SAML IdP, the FortiGate signs its assertions with a certificate whose public half the SP trusts; this certificate is mandatory. Encrypting assertions with the SP's public certificate is optional and only needed if the SP requires it. Option C is correct.

814
Multi-Selectmedium

An organization wants to implement email authentication to prevent spoofing. Which TWO standards should they configure? (Choose two.)

Select 2 answers
A.SPF
B.DMARC
C.TLS
D.STARTTLS
E.DKIM
AnswersA, E

SPF specifies which servers are authorized to send email.

Why this answer

SPF (Sender Policy Framework) is correct because it allows the domain owner to publish a list of authorized sending IP addresses in a DNS TXT record, enabling receiving mail servers to verify that the email originated from an approved source. DKIM (DomainKeys Identified Mail) is correct because it adds a digital signature to email headers, which the receiving server validates against a public key published in DNS, ensuring the message was not tampered with and truly came from the claimed domain. Together, SPF and DKIM form the foundational layers of email authentication that DMARC builds upon.

Exam trap

Fortinet often tests the distinction between authentication standards (SPF, DKIM) and transport security protocols (TLS, STARTTLS), leading candidates to mistakenly select TLS or STARTTLS as anti-spoofing measures when they only provide encryption, not sender verification.

815
Multi-Selecthard

A FortiGate has two VDOMs: VDOM-A and VDOM-B. The administrator wants VDOM-A to have administrative access to VDOM-B for troubleshooting. The administrator configures a management VDOM. Which THREE steps are required to allow administrative access from VDOM-A to VDOM-B? (Choose three.)

Select 3 answers
A.Designate VDOM-A as the management VDOM
B.Enable 'inter-vdom-routing' globally
C.Configure static routes on the management VDOM to reach VDOM-B's management network
D.Create a firewall policy on VDOM-B allowing administrative access from VDOM-A's management IP
E.Disable 'admin-sport' to allow HTTP access
AnswersA, C, D

Management VDOM provides central administrative access to other VDOMs.

Why this answer

Designating VDOM-A as the management VDOM ('config system global', 'set management-vdom VDOM-A') makes it the VDOM whose interfaces and routing table carry the FortiGate's own management traffic, which is why the question treats it as the administrative container from which access to VDOM-B originates. The other two steps are still required because each VDOM keeps its own routing table and policy set and nothing is implicitly permitted between them: VDOM-A needs a route to VDOM-B's management network (C), and VDOM-B needs a firewall policy that accepts the administrative session from VDOM-A's management IP (D).

Exam trap

The trap here is that candidates often confuse inter-VDOM routing (for data traffic) with the management VDOM feature (for administrative access), leading them to incorrectly select Option B as a required step.

816
Multi-Selectmedium

An administrator needs to integrate a FortiSwitch with a FortiGate for LAN edge management. The FortiSwitch will be used to provide access ports for end users. Which THREE configuration steps are required on the FortiGate?

Select 3 answers
A.Create a port profile that defines VLAN and security settings for the access ports
B.Configure a DHCP server on the FortiGate to assign IP addresses to FortiSwitch management
C.Enable STP on the FortiGate interface
D.Enable CAPWAP on the FortiGate interface connected to the FortiSwitch
E.Authorize the FortiSwitch in the FortiGate's managed switch list
AnswersA, D, E

Port profiles are used to configure the switch ports from the FortiGate.

Why this answer

The FortiGate acts as the switch controller for managed FortiSwitches. The required steps are enabling FortiLink on the interface facing the switch (FortiLink carries the CAPWAP control channel), authorizing the discovered switch in the managed switch list, and creating a port profile with the VLAN and security settings for the access ports. A DHCP server for the switch's management address (B) is created automatically when FortiLink is enabled, and STP (C) is a FortiSwitch port setting, not something enabled on the FortiGate interface.

817
MCQmedium

A FortiGate administrator is configuring OSPF over an IPsec VPN between a hub and a spoke. The OSPF adjacency forms correctly, but routes from the spoke are not being advertised to the hub. The administrator checks the OSPF database on the hub and sees no Type-1 LSAs from the spoke. What is the most likely issue?

A.The OSPF hello interval is set too high
B.The OSPF network type is set to broadcast on both ends
C.The OSPF interface is configured as passive
D.The MTU mismatch between the two VPN interfaces
AnswerC

A passive interface suppresses OSPF hellos and updates on that interface, so nothing behind it is advertised to the hub. In practice, check the neighbor state first with 'get router info ospf neighbor': a tunnel interface set to passive would not have formed an adjacency at all, a neighbor stuck in ExStart or Exchange points to an MTU mismatch (option D), and a Full adjacency with no Type-1 LSAs from the spoke usually means the spoke's networks are not included in its OSPF area configuration or are being filtered. Among the options given, a passive interface is the answer the exam expects.

Why this answer

For OSPF to advertise routes, the interfaces must be assigned to the correct area and must not be passive. Option C is correct because a passive OSPF interface does not send or receive OSPF packets, so the spoke's routes are never advertised over it.

818
Multi-Selecthard

A FortiGate administrator wants to generate customized reports in FortiAnalyzer for different departments. The administrator needs to ensure that each department can only see its own logs. Which TWO configurations are necessary?

Select 2 answers
A.Configure meta fields on FortiGate objects
B.Create separate ADOMs for each department
C.Use dataset filters in FortiView reports to restrict data per device group
D.Enable per-device logging on FortiGate
E.Assign each administrator the 'super_admin' profile
AnswersB, C

ADOMs isolate logs and reports per department.

Why this answer

Option B is correct because ADOMs (Administrative Domains) in FortiAnalyzer provide administrative isolation, allowing each department to have its own segregated management domain. This ensures that administrators assigned to a specific ADOM can only view and generate reports from logs belonging to that ADOM, enforcing strict data separation.

Exam trap

The trap here is that candidates often confuse data filtering (e.g., datasets or FortiView filters) with administrative access control, mistakenly believing that filters alone can prevent a user from seeing other departments' logs, whereas filters only hide data from view but do not enforce security boundaries.

819
Multi-Selecthard

An administrator configures ZTNA with FortiClient EMS. The goal is to restrict access to an internal application based on device posture. The administrator configures a ZTNA tag for 'Compliant' that checks antivirus and OS patch status. Which TWO additional steps are required on the FortiGate to enforce access based on this tag?

Select 2 answers
A.Enable SSL deep inspection on the firewall policy
B.Create a ZTNA policy that includes the 'Compliant' tag as a required condition
C.Create a ZTNA access proxy for the internal application
D.Import the FortiClient EMS certificate to FortiGate
E.Configure a firewall policy with source set to the EMS connector
AnswersB, C

The ZTNA policy defines which tags are required for access.

Why this answer

To use ZTNA tags, the administrator must configure a ZTNA access proxy to publish the application and a ZTNA policy that references the tag to grant access.

820
MCQmedium

A FortiGate VPN administrator is configuring IKEv2 with certificate-based authentication using a PKI. The administrator has imported the CA certificate and the local certificate onto the FortiGate. When initiating the VPN, the tunnel fails to establish. The CLI log shows 'IKEv2 authentication failed' and 'certificate validation failure'. What is the most likely missing configuration?

A.The IKEv2 proposal includes an incompatible encryption algorithm
B.The local certificate is not associated with the phase1 interface
C.The remote peer's certificate is not signed by the imported CA
D.The CA certificate is not configured for peer certificate validation
AnswerD

Trust in the CA is expressed through a PKI peer user ('config user peer', 'set ca <CA_Cert>') that the phase1 references with 'set peertype peer' and 'set peer <name>'. Without that reference the FortiGate has no CA against which to validate the remote certificate, so the log reports a certificate validation failure even though the CA certificate has been imported.

Why this answer

For certificate-based authentication, the FortiGate must verify the peer's certificate against a trusted CA. Option D is correct because importing the CA certificate is not enough: the phase1 must reference it, through the PKI peer user's 'set ca' entry, for validation to succeed. Option A would fail earlier, during the proposal exchange, rather than at authentication; Option C would produce the same symptom only once the CA is actually referenced for validation, so it is not the missing configuration.

821
MCQeasy

An administrator wants to use SAML SSO with FortiGate as the Service Provider (SP) to allow users to authenticate via an external IdP. What must be configured first on the FortiGate to establish the SAML trust?

A.A firewall policy to allow SAML traffic
B.A RADIUS server for user authentication
C.An LDAP server for group membership lookup
D.A certificate for SAML signing and encryption
AnswerD

The FortiGate must have a certificate to sign SAML messages; this certificate's public key is shared with the IdP to verify signatures.

Why this answer

SAML SSO requires the FortiGate to have a certificate that the IdP trusts for signing assertions. Option D is correct because the FortiGate needs to import a CA-signed certificate (or use a self-signed) to sign SAML requests and also to establish the trust relationship with the IdP.

822
MCQhard

You deploy a FortiGate in transparent mode for a retail branch. The upstream router's ARP table shows the FortiGate's management IP, but end users cannot reach the internet. The FortiGate's management IP is on the same subnet as the users. What should you verify first?

A.The upstream router is forwarding traffic to the FortiGate's management MAC
B.The firewall policy allows traffic from internal to external
C.The FortiGate's routing table has a default route
D.The FortiGate's management interface is in the same VDOM as user traffic
AnswerB

Transparent mode firewalling still requires policies. If no policy permits the traffic, it will be denied by default.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge and does not consult its routing table for user traffic; forwarding decisions are made by firewall policies. Since the management IP is on the same subnet as the users, the upstream router can resolve it by ARP, but user traffic must still be explicitly allowed by a firewall policy from the internal to the external interface. Without such a policy, packets are dropped even though Layer 2 connectivity exists.

Exam trap

The trap here is that candidates assume transparent mode operates like a simple switch or bridge without policy enforcement, overlooking that FortiGate still requires explicit firewall policies to forward traffic even in Layer 2 mode.

How to eliminate wrong answers

Option A is wrong because the upstream router's ARP table already shows the FortiGate's management IP, so the MAC has been resolved; the issue is policy enforcement, not ARP. Option C is wrong because bridged user traffic is never routed by the FortiGate's routing table in transparent mode; a default route is still needed for the FortiGate's own management traffic (logging, updates), but it has no effect on how user packets are forwarded. Option D is wrong because in a transparent-mode VDOM the management IP belongs to the VDOM itself ('config system settings', 'set manageip') rather than to a separate interface that could sit in another VDOM, so VDOM separation cannot be the cause of the connectivity failure.

823
MCQhard

A FortiGate has ECMP configured with two equal-cost routes to a destination. The administrator wants to ensure that all packets from a given source IP use the same next-hop. Which ECMP load balancing method should be configured?

A.Source IP
B.Destination IP
C.Source-destination IP
D.Round robin
AnswerA

Source IP hash keeps all traffic from the same source on the same path, regardless of destination. On FortiGate this is set with 'config system settings', 'set v4-ecmp-mode source-ip-based'; the other modes are weight-based, usage-based and source-dest-ip-based.

Why this answer

Source IP hash is the only mode that guarantees a given source IP always maps to one next-hop. Source-destination IP (C) also keeps an individual flow on one path, but different destinations from the same source can hash to different next-hops, which the requirement excludes; destination IP (B) ignores the source entirely, and round robin (D) provides no persistence at all.

824
Multi-Selecteasy

An administrator wants to integrate a FortiSwitch with a FortiGate for LAN edge management. Which TWO steps are required for initial setup? (Choose two.)

Select 2 answers
A.Configure OSPF on the FortiSwitch
B.Connect the FortiSwitch to the FortiGate's managed switch port
C.Set the FortiSwitch to 'transparent' mode
D.Authorize the FortiSwitch in the FortiGate's switch controller
E.Create a firewall policy allowing traffic between FortiSwitch and FortiGate
AnswersB, D

The switch must be physically connected to a port that is configured as a managed switch port.

Why this answer

Option B is correct because a FortiSwitch must be physically connected to a FortiGate port that has been configured as a FortiLink interface ('config system interface', 'set fortilink enable'). This dedicated port enables the FortiGate to discover and manage the FortiSwitch using the FortiLink protocol, which carries the CAPWAP control channel and the VLAN-tagged data traffic over a single link. Without this physical connection to a FortiLink port, the FortiGate cannot establish the FortiLink adjacency required for LAN edge management.

Exam trap

The trap here is that candidates often assume a firewall policy is required for all traffic between devices, but FortiLink management traffic between the FortiGate and the FortiSwitch uses a dedicated control channel that the switch controller permits implicitly. End-user traffic arriving on the FortiSwitch VLANs is a different matter: it still passes through the FortiGate's normal firewall policies.

825
MCQhard

A FortiGate administrator wants to block a custom protocol anomaly where a client sends an HTTP request with a malformed header containing a null byte. Which advanced IPS feature should be used?

A.Create a custom IPS signature to match the null byte pattern
B.Enable 'Outbreak Prevention' in the IPS sensor
C.Use the 'http-policy' setting in the WAF profile
D.Enable Protocol Anomaly Detection in the IPS sensor
AnswerD

Protocol anomaly detection identifies malformed packets that violate protocol standards.

Why this answer

Protocol Anomaly Detection in the IPS sensor is designed to identify deviations from standard protocol behavior, such as malformed headers or null bytes in HTTP requests. This feature inspects traffic for known protocol violations without requiring custom signatures, making it the correct choice for blocking a null byte anomaly in HTTP headers.

Exam trap

The trap here is that candidates often confuse custom IPS signatures with protocol anomaly detection, assuming any pattern match requires a signature, when in fact FortiGate's IPS engine includes built-in protocol decoders that automatically detect RFC violations like null bytes.

How to eliminate wrong answers

Option A is wrong because creating a custom IPS signature to match a null byte pattern is unnecessary and less efficient; Protocol Anomaly Detection already handles such protocol violations natively. Option B is wrong because Outbreak Prevention is a feature for blocking emerging threats based on real-time intelligence, not for detecting protocol anomalies like malformed headers. Option C is wrong because the 'http-policy' setting in a WAF profile is used for web application firewall rules (e.g., SQL injection, XSS), not for low-level protocol anomaly detection like null bytes in headers.
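The distinction the question draws, a protocol decoder versus a byte-pattern signature, as an added example that is neither Fortinet code nor a model of the FortiOS IPS engine. It parses the header section of a raw HTTP request against the RFC 7230 grammar and reports every violation it finds, including the null byte from the question; the sample requests are constructed, and the hypothetical naive_signature() function stands in for a plain pattern match to show why that approach over-matches.

```python
"""Added example (not Fortinet code): a miniature HTTP protocol-anomaly decoder.

A signature looks for one byte pattern; a protocol decoder parses the request
against the grammar (RFC 7230 here) and reports every violation. The sample
requests are constructed for illustration."""

import re
from typing import List

# token = 1*tchar  (field names and the method are tokens)
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# field-value may contain VCHAR, obs-text, SP and HTAB; control characters
# (which include NUL, 0x00) are not allowed
FIELD_VALUE = re.compile(rb"^[\t \x21-\x7e\x80-\xff]*$")
# request-line = method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) ([\x21-\x7e]+) HTTP/\d\.\d$")


def http_anomalies(raw: bytes) -> List[str]:
    """Return the list of grammar violations found in the header section of `raw`.
    The body is deliberately not inspected: a NUL there is data, not an anomaly."""
    anomalies: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        anomalies.append("header section not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        anomalies.append(f"malformed request line: {lines[0][:40]!r}")
    for i, line in enumerate(lines[1:], start=1):
        if b"\r" in line or b"\n" in line:
            anomalies.append(f"bare CR or LF inside header {i}")
        name, colon, value = line.partition(b":")
        if not colon:
            anomalies.append(f"header {i} has no colon: {line[:40]!r}")
            continue
        if not TOKEN.match(name):
            anomalies.append(f"illegal character in field name {name[:40]!r}")
        if b"\x00" in value:
            # the case from the question: a NUL byte inside a header value
            anomalies.append(f"NUL byte in value of {name!r}")
        elif not FIELD_VALUE.match(value.strip(b" \t")):
            anomalies.append(f"control character in value of {name!r}")
    return anomalies


# Constructed sample requests
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
NUL_IN_HEADER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Custom: abc\x00def\r\n\r\n"
NUL_IN_TARGET = b"GET /a\x00.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_FIELD_NAME = b"GET / HTTP/1.1\r\nHo st: www.example.com\r\n\r\n"
# a NUL in the body is legitimate binary data and must not be reported
NUL_IN_BODY = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 3\r\n\r\na\x00b"


def naive_signature(raw: bytes) -> bool:
    """Hypothetical plain byte-pattern signature: matches a NUL anywhere,
    so it fires on NUL_IN_BODY as well, which the decoder correctly ignores."""
    return b"\x00" in raw
```

Run http_anomalies() over each sample: only the decoder distinguishes a NUL inside a header value (a grammar violation) from a NUL in a binary body (normal data), which is the practical reason a protocol decoder produces fewer false positives than a raw pattern match.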
