Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 826900

1000 questions total · 14 pages · All types, answers revealed


Page 12 of 14

826
MCQ · hard

A FortiGate administrator runs 'diagnose ips anomaly list' and sees many entries with 'protocol anomaly - tcp_port_scan'. The administrator wants to reduce false positives. Which action should be taken in the IPS sensor configuration?

A. Increase the threshold for the port scan detection in the IPS sensor.
B. Add the trusted server IPs to an exemption list in the IPS sensor.
C. Disable the TCP port scan filter entirely.
D. Change the action from 'block' to 'monitor' for all IPS filters.
Answer: A

Raising the threshold reduces false positives because a source must touch more distinct ports within the detection window before the anomaly fires, so busy but legitimate hosts (monitoring servers, your own vulnerability scanners) stop tripping it while an aggressive scan still does. Disabling the check or switching every filter to monitor removes the detection instead of tuning it.
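The logic the threshold tunes, as an added example that is not FortiOS code and not part of the original page: a port-scan counter over constructed flow records, run with two thresholds so the false-positive effect is visible. The window, thresholds, hosts and addresses are assumptions.

```python
"""Added example (not FortiOS code): threshold-based port-scan anomaly detection.

Models the idea behind a 'tcp_port_scan' anomaly: a source that opens
connections to many distinct destination ports within a short window.
All flows, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict

WINDOW_SECONDS = 1  # constructed detection window


def flagged_sources(flows, threshold, window=WINDOW_SECONDS):
    """Return the set of source IPs that hit at least `threshold` distinct
    (dst_ip, dst_port) targets inside any `window`-second interval.

    flows: iterable of (timestamp, src_ip, dst_ip, dst_port).
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_src[src].append((ts, dst, dport))

    flagged = set()
    for src, events in by_src.items():
        # Slide a window starting at each event and count distinct targets in it.
        for i, (t0, _, _) in enumerate(events):
            targets = {(d, p) for t, d, p in events[i:] if t - t0 < window}
            if len(targets) >= threshold:
                flagged.add(src)
                break
    return flagged


def constructed_flows():
    """Constructed traffic: a monitoring server that legitimately polls a few
    services on several hosts every second, plus one real port scanner."""
    flows = []
    polled_ports = (22, 80, 443, 3389, 8080)
    for ts in range(3):
        for host in range(1, 5):
            for port in polled_ports:
                flows.append((ts, "10.0.0.5", f"10.0.1.{host}", port))
    # Scanner: 1000 ports on a single host within one second.
    for port in range(1, 1001):
        flows.append((10, "203.0.113.9", "10.0.1.1", port))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    for threshold in (10, 100):
        print(f"threshold={threshold}: {sorted(flagged_sources(flows, threshold))}")
```

With a threshold of 10 the monitoring server (20 distinct targets per second) is flagged alongside the scanner; at 100 only the scanner remains. That is the trade-off the question is about: the threshold should sit above the busiest legitimate source's per-window fan-out and well below a real scan.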

827
MCQ · medium

A FortiGate administrator uses FortiAnalyzer for log analysis and wants to identify all sessions that were blocked by a specific firewall policy ID 10. Which log filter should be applied?

A. Filter by 'action eq block' and then manually look for policy 10
B. Filter by 'policyid == 10'
C. Filter by 'policy_id = 10'
D. Filter by 'devid contains 10'
Answer: B

The traffic log field that records the matching policy is named 'policyid' (not 'policy_id'), and the FortiAnalyzer log filter uses '==' for equality, so 'policyid==10' selects exactly the logs of that policy.

Why this answer

Every traffic log carries the ID of the policy that matched the session, so filtering on that field is precise; add a filter on 'action' for deny if only the blocked sessions are wanted. Option A filters the wrong field first and leaves the policy match to manual inspection, option C uses a field name that does not exist, and option D filters on the device ID rather than the policy.

828
MCQ · easy

Which SD-WAN load balancing algorithm distributes new sessions based on the number of active sessions on each link?

A. Source-dest IP
B. Spillover
C. Volume
D. Sessions
Answer: D

The Sessions algorithm distributes new sessions according to the number of sessions each member already carries. Volume balances by bandwidth used, Spillover fills a member up to a configured limit before using the next, and Source-dest IP hashes the address pair so a given pair always uses the same member.

829
Drag & Drop · medium

Drag and drop the steps to configure a FortiGate as a DNS server (DNS proxy) into the correct order.

Why this order

Enable the DNS service on the FortiGate, bind it to the interface and port, configure the upstream DNS servers it forwards to, set caching, then allow the DNS traffic.

830
Multi-Select · hard

You are troubleshooting BGP route advertisement issues. Which THREE debug commands would be useful to identify why a route is not being advertised to a neighbor? (Choose three.)

Select 3 answers
A. diagnose debug router bgp <neighbor>
B. get router info bgp neighbors <neighbor> received-routes
C. get router info bgp summary
D. get router info bgp neighbors <neighbor> advertised-routes
E. get router info routing-table bgp
Answers: A, D, E

BGP debug output shows the UPDATE messages exchanged with the peer, including what is sent, filtered or withdrawn.

Why this answer

Options A, D and E are correct. BGP debugging (A) shows the updates and errors exchanged with the neighbor. The advertised-routes view (D) shows exactly what the FortiGate is sending to that neighbor, so a prefix missing there points at an outbound route map or prefix list, or a missing network statement. The routing table view (E) confirms whether the prefix is present in the routing table, which it must be for BGP to originate it. Option C shows only neighbor state and prefix counts, and option B shows what was received from the neighbor, the opposite direction from the problem.

831
Multi-Select · medium

A FortiGate is integrated with FortiSwitch and FortiAP. The administrator wants to manage both devices from the FortiGate GUI using the LAN edge management features. Which THREE conditions must be met for this integration to work?

Select 3 answers
A. FortiAP must be in CAPWAP mode to connect to the FortiGate.
B. The FortiGate must be in NAT mode.
C. FortiSwitch must be in the same Layer 2 domain as the FortiGate management interface.
D. The FortiGate must operate in transparent mode.
E. The FortiGate must have a separate VDOM for each managed device.
Answers: A, B, C

FortiAP tunnels its control and data traffic to the FortiGate over CAPWAP.

Why this answer

Managing FortiSwitch and FortiAP from the FortiGate (LAN edge) requires the FortiGate to be in NAT mode (transparent mode does not support it), a CAPWAP connection for the FortiAP, and the FortiSwitch to be reachable in the same Layer 2 domain, normally over the FortiLink interface. Option D is wrong because it contradicts B, and option E is wrong because no separate VDOM is needed: both devices are managed from the VDOM that owns the FortiLink and CAPWAP interfaces.

832
MCQ · medium

An admin wants to ensure that office documents (e.g., Word, Excel) downloaded from the internet are safe before users open them. Which feature should be used to remove potentially malicious macros and active content?

A. Machine learning engine
B. Content Disarm and Reconstruction (CDR)
C. Antivirus pattern matching
D. FortiSandbox file submission
Answer: B

CDR strips active content such as macros, scripts and embedded objects from documents.

Why this answer

Option B is correct because Content Disarm and Reconstruction (CDR) removes active content from documents to neutralize threats while preserving usability. Antivirus matching and sandboxing decide whether a file is malicious; CDR delivers a sanitized copy regardless of whether the original would have been detected.

833
MCQ · medium

You run 'diagnose sys session filter dport 443' and see sessions with a duration of 7200 seconds and expire time of 3600 seconds. What does this indicate?

A. The session has been idle for 7200 seconds
B. The session helper is interfering with the session
C. The session has been alive for 7200 seconds and will expire in 3600 seconds
D. The session has already expired
Answer: C

Duration is how long the session has existed; expire is the time remaining on its idle timer.

Why this answer

Option C is correct. 'duration' counts up from the moment the session was created, while 'expire' counts down from the session TTL (3600 seconds by default for TCP) and is reset every time a packet matches the session. A session that has existed for 7200 seconds with 3600 seconds left has simply been refreshed by traffic; expire being smaller than duration is the normal state of any long-lived session, not a timing problem. Option A is wrong because an idle session shows a shrinking expire value, not a large duration. Option B is wrong because nothing in the output implicates a session helper. Option D is wrong because an expired session is removed from the table and would not be listed.

Note that 'diagnose sys session filter dport 443' only sets the filter; the matching entries are displayed by 'diagnose sys session list' afterwards.

834
Multi-Select · medium

An administrator needs to configure a FortiGate to allow inter-VDOM routing between VDOM-1 and VDOM-2. Which TWO actions are required? (Choose two.)

Select 2 answers
A. Configure firewall policies on each VDOM to permit traffic across the VDOM link
B. Create a VDOM link between the two VDOMs
C. Disable NAT on all policies
D. Enable inter-VDOM routing under system settings
E. Assign an IP address to the VDOM link in only one VDOM
Answers: A, B

The VDOM link supplies the interface pair; the policies in each VDOM decide what may cross it.

Why this answer

Option B is required because a VDOM link (created under config system vdom-link) is what gives each VDOM an interface facing the other; without it there is no path between them. Option A is required because each VDOM applies its own firewall policies: the source VDOM needs a policy out to its end of the link and the destination VDOM needs a policy in from its end, otherwise the traffic is dropped at the VDOM boundary even though the link is up and addressed. Option C is wrong because NAT is a per-policy choice, option D because there is no global inter-VDOM routing switch, and option E because both ends of the link normally get an address so that each VDOM can route to the other.

Exam trap

The trap here is that candidates often assume inter-VDOM routing is automatically allowed once the VDOM link is created, forgetting that firewall policies are mandatory on both sides to explicitly permit the traffic.

835
MCQ · medium

An administrator wants to use FortiManager to manage multiple FortiGates, each in a separate customer environment. The administrator needs to isolate configuration changes per customer and ensure each customer's admin can only see their own devices. What FortiManager feature should be used?

A. Administrative domains (ADOMs)
B. Administrator profiles
C. Policy packages
D. VDOMs on managed FortiGates
Answer: A

ADOMs partition FortiManager into separate management domains, each with its own devices and policy packages, ensuring isolation.

Why this answer

Administrative Domains (ADOMs) in FortiManager allow the administrator to logically partition the management plane, isolating configuration changes per customer. Each ADOM can contain a set of FortiGates, and administrators assigned to an ADOM can only see and manage devices within that ADOM, ensuring strict separation of customer environments.

Exam trap

The trap here is that candidates often confuse VDOMs (a FortiGate-level virtualization feature) with ADOMs (a FortiManager-level management isolation feature), assuming that VDOMs on the managed devices can provide the administrative separation required at the FortiManager level, but VDOMs only virtualize the firewall itself, not the management plane in FortiManager.

How to eliminate wrong answers

Option B (Administrator profiles) is wrong because administrator profiles define permissions (read/write/access control) for a user but do not isolate which devices or configurations the user can see; they work in conjunction with ADOMs but cannot provide device-level isolation alone. Option C (Policy packages) is wrong because policy packages are containers for firewall policies that can be assigned to ADOMs or devices, but they do not enforce administrative isolation between customers; they are a configuration object, not a management boundary. Option D (VDOMs on managed FortiGates) is wrong because VDOMs are a FortiGate feature for virtualizing a single FortiGate into multiple logical firewalls, not a FortiManager feature for isolating management of multiple FortiGates; FortiManager uses ADOMs to manage VDOMs across devices, but VDOMs themselves do not provide the administrative separation required at the FortiManager level.

836
MCQ · hard

A FortiGate with FortiExtender is using LTE as a backup WAN link. When the primary link fails, the LTE link does not take over. What could be the cause?

A. The primary link's performance SLA is still passing.
B. The FortiExtender is not configured in pass-through mode.
C. The FortiExtender firmware is out of date.
D. The LTE interface is not added as an SD-WAN member.
Answer: D

Without adding to SD-WAN, the backup link won't be used for failover.

Why this answer

Option D is correct because for an LTE interface to be used as a backup WAN link in an SD-WAN setup, it must be explicitly added as an SD-WAN member. Without this, the FortiGate will not consider the LTE interface for traffic steering or failover, even if the primary link fails. The SD-WAN rules and performance SLA are only evaluated against interfaces that are members of the SD-WAN zone.

Exam trap

The trap here is that candidates often assume any working backup interface will automatically take over when the primary fails, but FortiGate SD-WAN requires explicit membership in the SD-WAN zone for failover to occur.

How to eliminate wrong answers

Option A is wrong because if the primary link's performance SLA is still passing, the SD-WAN logic would not trigger a failover to the backup link; the LTE link would not take over because the primary is considered healthy, which is expected behaviour rather than a fault. Option B is wrong because pass-through mode is relevant for extending the FortiGate's interfaces via the FortiExtender, but it is not a prerequisite for LTE failover; the LTE interface can be used in normal mode as long as it is properly configured and added to SD-WAN. Option C is wrong because, while outdated firmware can cause various issues, the most direct and common reason for LTE not taking over is that the interface is not a member of the SD-WAN zone, not a firmware version problem.

837
MCQ · medium

A user reports that they cannot connect to a remote office via IPsec VPN. Phase 1 is up, but Phase 2 fails to establish. The administrator runs 'diagnose vpn ike log' and sees 'no matching phase2 proposal'. What should be checked?

A. The firewall policies allow IKE traffic
B. The local and remote subnet definitions are correct
C. The pre-shared key is correct
D. The Phase 2 proposal settings (encryption, authentication, PFS) match on both peers
Answer: D

Mismatched Phase 2 proposals prevent the tunnel from establishing.

Why this answer

The message 'no matching phase2 proposal' means the peers could not agree on any combination of Phase 2 parameters. The administrator should compare the Phase 2 proposal lists (encryption and authentication algorithms, and the PFS Diffie-Hellman group if PFS is enabled) on both peers; at least one combination must be common. Option A is irrelevant because Phase 1 is already up, so IKE traffic is flowing, and option C is irrelevant for the same reason. Option B concerns the traffic selectors, which produce a different negotiation failure rather than a proposal mismatch.

838
MCQ · easy

What is the purpose of FortiDeceptor in an enterprise security architecture?

A. To simulate real assets and detect attackers attempting to interact with decoys
B. To provide VPN access for remote users
C. To encrypt all data at rest on endpoints
D. To block all inbound traffic from suspicious IP addresses
Answer: A

FortiDeceptor creates decoys to attract and detect attackers.

Why this answer

FortiDeceptor is a deception-based threat detection solution that deploys decoys (simulated real assets like servers, databases, or IoT devices) across the network. When an attacker probes or interacts with these decoys, FortiDeceptor generates high-fidelity alerts, enabling early detection of lateral movement or reconnaissance without relying on signatures. This aligns with the Advanced Threat Protection domain by shifting from reactive blocking to proactive deception.

Exam trap

The trap here is that candidates confuse FortiDeceptor's deception-based detection with traditional prevention mechanisms like firewalls or VPNs, assuming it blocks threats directly rather than detecting them through interaction with decoys.

How to eliminate wrong answers

Option B is wrong because FortiDeceptor does not provide VPN access; that is the function of FortiClient or FortiGate's IPsec/SSL VPN capabilities. Option C is wrong because FortiDeceptor does not encrypt data at rest on endpoints; endpoint encryption is typically handled by solutions like FortiClient with full disk encryption or third-party tools. Option D is wrong because FortiDeceptor does not block inbound traffic from suspicious IPs; that is the role of FortiGate's firewall policies, IPS, or FortiGuard IP reputation filtering.

839
MCQ · medium

A FortiGate administrator configures a ZTNA rule to allow access to an internal application. The rule uses a ZTNA tag to identify the application server. However, users cannot connect to the application. What is the most likely cause if the ZTNA proxy and firewall policies are correctly configured?

A. The ZTNA tag is not assigned to the application server in FortiClient EMS
B. The ZTNA proxy is configured with the wrong port
C. The user's device posture check fails
D. The application server does not have FortiClient installed
Answer: A

Tags are assigned to endpoints via EMS; without proper assignment, FortiGate cannot identify the server as a ZTNA resource.

Why this answer

ZTNA tags must be registered with FortiGate via FortiClient EMS. If the tags are not assigned to the server, the FortiGate cannot match the server to the ZTNA rule, and access will be denied.

840
MCQ · medium

An administrator configures SD-WAN with two members (wan1, wan2) and a performance SLA for ICMP to 1.1.1.1. The SD-WAN rule is set to 'Best Quality' with 'latency' metric. The admin notices that traffic sometimes switches to the other link even when the current link has acceptable latency. Which action can reduce unnecessary flapping?

A. Configure a hysteresis value for the SLA
B. Increase the SLA probe interval
C. Use 'manual' strategy instead
D. Increase the 'update-cascade-interface' setting
Answer: A

Hysteresis adds a margin: the other member must be better than the current one by more than the configured value before traffic moves, so small latency swings between two similar links stop causing switches. A longer probe interval only makes the measurements coarser, and a manual strategy gives up quality-based steering altogether.
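The effect of that margin on a 'Best Quality' chooser, as an added example that is not FortiOS code and not part of the original page: constructed per-probe latency samples for wan1 and wan2 are replayed once with no hysteresis and once with a 5 ms margin, and the number of path switches is counted. Member names, samples and the margin are assumptions.

```python
"""Added example (not FortiOS code): why hysteresis suppresses SD-WAN flapping.

Replays constructed per-probe latency samples for two members through a
'best quality' chooser, once with no hysteresis and once requiring the
candidate to beat the current member by a margin before switching.
Member names, samples and the margin are constructed assumptions.
"""

# Constructed latency samples in ms, one entry per probe interval.
SAMPLES = [
    {"wan1": 20, "wan2": 21},
    {"wan1": 22, "wan2": 20},
    {"wan1": 19, "wan2": 22},
    {"wan1": 23, "wan2": 19},
    {"wan1": 20, "wan2": 23},
    {"wan1": 24, "wan2": 20},
    {"wan1": 200, "wan2": 21},  # wan1 genuinely degrades here
]


def choose_path(samples, hysteresis_ms=0):
    """Return (selected member per probe, number of switches).

    The chooser moves to another member only if that member's latency is
    lower than the current member's by more than `hysteresis_ms`; with 0 it
    simply follows the raw minimum on every probe.
    """
    current = min(samples[0], key=samples[0].get)
    chosen, switches = [current], 0
    for probe in samples[1:]:
        best = min(probe, key=probe.get)
        if best != current and probe[current] - probe[best] > hysteresis_ms:
            current = best
            switches += 1
        chosen.append(current)
    return chosen, switches


if __name__ == "__main__":
    for h in (0, 5):
        path, n = choose_path(SAMPLES, h)
        print(f"hysteresis={h}ms switches={n} path={path}")
```

Without hysteresis the two links, which differ by only a few milliseconds, trade places on five consecutive probes; with a 5 ms margin the chooser stays on wan1 through the noise and moves exactly once, when wan1 really degrades. Pick the margin from the normal jitter between your members so that real failures still clear it.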

841
MCQ · medium

An admin receives an email from FortiMail regarding a message that was rejected due to SPF failure. What does this indicate about the email?

A. The email's From address domain does not match the sending server's IP per the domain's SPF record
B. The email's DKIM signature is invalid
C. The email contains a virus
D. The email is missing a Message-ID header
Answer: A

SPF checks the connecting server's IP against the SPF record of the envelope sender domain.

Why this answer

SPF (Sender Policy Framework) validates that the IP address of the connecting mail server is authorized, by the DNS SPF record of the envelope sender domain (the MAIL FROM / Return-Path, which need not match the header From shown to users), to send mail for that domain. A failure means the record does not list that IP, which is why forwarded mail and outbound relays that were never added to the record are the usual sources of SPF rejections. DKIM (B) is a separate signature check, and neither antivirus (C) nor header completeness (D) is involved.
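The check described above, as an added example that is not FortiMail code and not part of the original page: a minimal SPF evaluator that walks a constructed record (ip4/ip6 mechanisms, include, and the 'all' catch-all with its qualifier) for a given sending IP. DNS TXT lookups are replaced by a dictionary; the domains, addresses and records are assumptions.

```python
"""Added example (not FortiMail code): a minimal SPF check over constructed records.

Evaluates whether a sending IP is authorized for the envelope-sender
(MAIL FROM) domain by walking a constructed SPF record: ip4/ip6 mechanisms,
include, and the 'all' catch-all with its qualifier. DNS lookups are
replaced by the RECORDS dict; domains, addresses and records are constructed.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=RECORDS, depth=0):
    """Return an SPF result string for `ip` sending as `domain`."""
    if depth > 10:                      # guard modelled on the RFC 7208 lookup limit
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Version mismatch (v4 address vs ip6 network) simply does not match.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record itself yields 'pass'.
            if check_spf(ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "203.0.113.7"):
        print(ip, check_spf(ip, "example.com"))
```

The third address is the rejected case from the question: nothing in the record, directly or via include, authorizes it, and the record ends in '-all', so the result is 'fail'. An include whose own record ends in '~all' cannot turn an unlisted IP into a pass, which is a common surprise when a third-party provider's record is assumed to cover everything.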

842
MCQ · easy

What is the primary benefit of using FortiClient with ATP features in conjunction with FortiGate?

A. It allows users to bypass security policies
B. It replaces the need for a firewall
C. It enables endpoint detection and response with automated quarantine through FortiGate
D. It provides a single sign-on portal for all users
Answer: C

FortiClient ATP can detect threats and trigger FortiGate to isolate the endpoint.

Why this answer

FortiClient ATP (Advanced Threat Protection) integrates with FortiGate to share telemetry and enable coordinated response, such as quarantining an endpoint when a threat is detected.

843
MCQ · medium

An administrator wants to prevent users from downloading known malicious files from the internet. The administrator has enabled FortiGuard Outbreak Prevention and applied an antivirus profile to the outbound policy. However, some malicious files are still reaching users. What configuration step is most likely missing?

A. The antivirus profile has 'FortiGuard Outbreak Prevention' enabled
B. The FortiGuard subscription has expired
C. The antivirus profile does not have 'FortiGuard Outbreak Prevention' enabled
D. The security policy is not configured for proxy-based inspection
Answer: C

Outbreak prevention is an additional toggle in the antivirus profile; without it, the feature does not activate.

Why this answer

Option C is correct because FortiGuard Outbreak Prevention is a separate toggle within the antivirus profile that must be explicitly enabled to leverage real-time outbreak intelligence. Even if the administrator believes they have enabled it, the profile may have the feature disabled by default or inadvertently left off, allowing known malicious files to bypass detection. Without this toggle, the antivirus engine relies only on static signatures and cannot block files flagged by FortiGuard's outbreak database.

Exam trap

The trap here is that candidates assume enabling FortiGuard Outbreak Prevention at the system or global level automatically applies it to all antivirus profiles, when in fact it must be explicitly enabled within each antivirus profile's settings.

How to eliminate wrong answers

Option A is wrong because stating that the antivirus profile has 'FortiGuard Outbreak Prevention' enabled would contradict the scenario where malicious files are still reaching users; if it were enabled, the outbreak prevention would block those files. Option B is wrong because an expired FortiGuard subscription would affect all FortiGuard services, not just outbreak prevention, and the question specifies that the administrator enabled FortiGuard Outbreak Prevention, implying the subscription is active. Option D is wrong because proxy-based inspection is not a prerequisite for FortiGuard Outbreak Prevention; the feature works with both proxy-based and flow-based inspection modes as long as the antivirus profile is applied and the toggle is enabled.

844
Multi-Select · hard

A FortiGate administrator is configuring OSPF over an IPsec VPN overlay in a hub-and-spoke topology. The spokes have dynamic IPs and use ADVPN. Which THREE conditions are necessary for OSPF to work correctly over the VPN tunnels?

Select 3 answers
A. The OSPF router ID must be unique across all spokes
B. The OSPF hello interval must be less than the DPD retry interval
C. The hub must have all spoke routes in its routing table before OSPF starts
D. The tunnel interfaces must have an IP address configured
E. The OSPF network type on the tunnel interfaces must be set to point-to-point
Answers: A, D, E

OSPF router IDs must be unique to prevent routing issues.

Why this answer

OSPF requires stable network types and correct interface configuration. For ADVPN, OSPF should use point-to-point network type to avoid DR elections and ensure proper neighbor relationships.

845
MCQ · easy

A FortiGate administrator needs to configure BFD (Bidirectional Forwarding Detection) on a BGP peer to quickly detect link failures. Which CLI command enables BFD on the BGP neighbor 10.1.1.1?

A. config router policy / set bfd enable / end
B. config system interface / edit port1 / set bfd enable / next / end
C. config router static / set bfd enable / end
D. config router bgp / config neighbor / edit 10.1.1.1 / set bfd enable / next / end / end
Answer: D

BFD is enabled per neighbor under the BGP configuration.

846
MCQ · medium

A FortiGate administrator sees the following syslog message repeatedly: 'IPsec phase 2 failed to establish SA with peer due to proposal mismatch.' The administrator has already verified that the phase 2 parameters (encryption, authentication, PFS, and lifetime) match on both sides. What else should the administrator check?

A. The local and remote subnets defined in the phase 2 selector
B. The phase 1 proposal settings
C. The DPD configuration
D. The pre-shared key
Answer: A

Mismatched traffic selectors will cause phase 2 negotiation to fail.

Why this answer

Phase 2 negotiation can also fail due to mismatched traffic selectors (local and remote subnets).

847
Drag & Drop · medium

Drag and drop the steps to configure an HA cluster on FortiGate into the correct order.

Why this order

First set the HA mode and priority, then connect the heartbeat interfaces, then configure the management IP and VIP, and finally verify the cluster status.

848
MCQ · medium

An administrator wants to detect lateral movement and early stages of an attack using decoy systems that mimic production assets. Which Fortinet product should they deploy?

A. FortiSIEM
B. FortiEDR
C. FortiNDR
D. FortiDeceptor
Answer: D

FortiDeceptor uses decoys to detect attacks.

Why this answer

FortiDeceptor is specifically designed to detect lateral movement and early-stage attacks by deploying decoy systems (honeypots) that mimic production assets. It uses deception technology to lure attackers away from real targets and trigger alerts when decoys are probed or compromised, enabling early threat detection without impacting production systems.

Exam trap

The trap here is that candidates may confuse FortiDeceptor with FortiNDR or FortiEDR because all three involve threat detection, but only FortiDeceptor uses active decoy systems to mimic production assets for deception-based detection.

How to eliminate wrong answers

Option A is wrong because FortiSIEM is a security information and event management solution that aggregates logs and correlates events, but it does not deploy decoy systems or actively mimic production assets for deception. Option B is wrong because FortiEDR is an endpoint detection and response solution that protects endpoints via behavioral analysis and threat hunting, but it does not create decoy systems or honeypots to simulate production assets. Option C is wrong because FortiNDR is a network detection and response solution that analyzes network traffic for anomalies and threats using machine learning, but it does not deploy decoy systems or mimic production assets for deception-based detection.

849
Multi-Select · hard

A FortiGate HA cluster is configured with VDOMs. Each VDOM is assigned to different physical interfaces. The cluster is in active-passive mode. Which TWO statements about VDOM synchronization in HA are correct?

Select 2 answers
A. VDOM configuration, including interfaces and policies, is synchronized between cluster members.
B. In active-passive HA, traffic for each VDOM can be distributed across cluster members.
C. Each VDOM can have its own HA mode (active-passive or active-active) independent of the global HA mode.
D. The HA virtual MAC address feature can be enabled per VDOM to handle ARP issues during failover.
E. If one VDOM fails, the entire HA cluster fails over to the standby unit.
Answers: A, D

All configuration, including VDOM-specific settings, is synchronized in an HA cluster.

Why this answer

Option A is correct because in a FortiGate HA cluster, VDOM configuration—including interfaces, policies, and other settings—is fully synchronized between cluster members. This ensures that both the active and passive units have identical VDOM configurations, enabling seamless failover without manual reconfiguration.

Exam trap

The trap here is that candidates often confuse VDOM-level failover behavior with global HA failover, mistakenly thinking a single VDOM failure triggers a full cluster failover, when in reality FortiGate HA only fails over on unit-level failures.

850
MCQ · medium

A network engineer is troubleshooting a Security Fabric where a downstream FortiGate (model 60F) is not appearing in the Fabric topology of the root FortiGate (model 600E). Both devices are running FortiOS 7.4. The root FortiGate shows the downstream device as 'Unreachable' in the Security Fabric widget. The engineer has verified that the downstream FortiGate can ping the root FortiGate's management IP. What is the most likely cause of this issue?

A. The root FortiGate does not have HTTPS access to the downstream FortiGate.
B. The downstream FortiGate has insufficient memory to support Security Fabric features.
C. The downstream FortiGate's management interface is configured on a different VLAN.
D. The administrator account on the downstream FortiGate does not have 'super_admin' privileges.
Answer: B

Low-end models may not meet the resource requirements the key assumes for Fabric membership.

Why this answer

Option B is the key's intended answer: the downstream device is treated as lacking the resources to complete Security Fabric setup, so the root marks it 'Unreachable' even though basic IP connectivity works. In practice, before attributing the state to hardware limits, confirm what a Fabric join actually needs: the downstream must reach the root's Fabric interface on TCP port 8013 (a successful ping proves nothing about that), the root must have authorized the downstream device, and both must use the same Fabric group name. The Fabric view from each side can be checked with 'diagnose sys csf upstream' on the downstream and 'diagnose sys csf downstream' on the root.

Exam trap

The trap here is that candidates assume a working ping implies the Fabric should work; this question instead treats a hardware resource limitation as the non-obvious cause of the 'Unreachable' status in the Security Fabric topology.

How to eliminate wrong answers

Option A is wrong because HTTPS access from the root to the downstream is required for Fabric establishment, but the root already shows the downstream as 'Unreachable' (not 'Discovered' or 'Pending'), indicating the issue is not about HTTPS reachability; the root has already attempted discovery. Option C is wrong because a management interface VLAN mismatch would prevent the downstream from being discovered at all, yet the root sees the device (as 'Unreachable'), meaning Layer 3 connectivity exists. Option D is wrong because the administrator account on the downstream does not need 'super_admin' privileges for the Fabric join; a 'prof_admin' account or a restricted profile with the appropriate Fabric permissions is sufficient, and the root would not show 'Unreachable' if the account lacked privileges, it would show an authentication failure.

851
MCQ · hard

A FortiGate is configured with policy-based routing (PBR) to route certain traffic through a specific next hop. However, some traffic that should match the PBR rule is not being affected. What is a likely reason?

A. The PBR rule uses a route map that references an incorrect prefix list.
B. The PBR rule is applied on the wrong interface or direction.
C. The PBR rule has a higher priority than the SD-WAN rule, but the traffic is hitting the SD-WAN rule first because of firewall policy order.
D. The traffic is generated locally from the FortiGate and PBR does not affect locally generated traffic.
Answer: B

PBR must be applied to the ingress interface where traffic arrives. If applied to the wrong interface or direction, traffic will not match.

Why this answer

Policy-based routing is applied on the ingress interface. If the administrator applied it to the egress interface or forgot to apply it to the correct ingress interface, the traffic will not match.

852
MCQ · hard

A company uses FortiWeb to protect its web application. They want to block SQL injection attempts. Which FortiWeb feature should be configured to inspect HTTP requests for malicious SQL patterns?

A. URL Access Rule
B. Web Application Firewall (WAF) Signatures
C. HTTP Protocol Constraint
D. IP List
Answer: B

WAF Signatures include pre-defined rules for SQL injection, XSS, etc.

Why this answer

FortiWeb uses Web Application Firewall signatures to detect SQL injection. These are pre-configured signatures that match SQL patterns.

853
Multi-Select · medium

An administrator is configuring FortiDeceptor to detect threats within the network. Which TWO statements about FortiDeceptor are correct?

Select 2 answers
A. It requires a separate hardware appliance for each network segment
B. It sends alerts to FortiSIEM or FortiSOAR for automated response
C. It uses decoys and lures to attract attackers
D. It uses signature-based detection to identify malware
E. It can replace firewall functionality
Answers: B, C

Integration with SIEM/SOAR enables automated response to detected threats.

Why this answer

Options B and C are correct. FortiDeceptor uses decoys and lures to attract attackers, and it sends alerts to FortiSIEM or FortiSOAR for automated response. Option A is wrong because a single FortiDeceptor can place decoys on multiple network segments, option D because detection is based on interaction with decoys rather than signatures, and option E because deception is a detection layer and does not enforce traffic policy.

854
MCQ · hard

A FortiGate is configured as a SAML SP for user authentication. When a user attempts to access a protected resource, the FortiGate redirects the user to the IdP login page, but after successful authentication, the user is not redirected back to the original resource. What is the MOST likely cause?

A. The user's browser has cookies disabled
B. The IdP certificate is not trusted by the FortiGate
C. The SAML assertion consumer service URL on the IdP does not include a trailing slash
D. The FortiGate is configured as a SAML IdP instead of SP
Answer: C

FortiGate expects the ACS URL to match exactly; a missing trailing slash can cause the IdP to send the response to an unexpected endpoint.

Why this answer

The SAML assertion consumer service URL must match exactly, including the trailing slash, for the IdP to send the response correctly. A mismatch prevents proper redirect.

855
Multi-Select · medium

A FortiGate administrator is troubleshooting a scenario where traffic between two VDOMs is not working. The admin has configured inter-VDOM routing. Which TWO steps should the administrator verify? (Choose two.)

Select 2 answers
A. Check that NAT is enabled on the policies
B. Check that there is a firewall policy in the destination VDOM allowing the return traffic
C. Check that the inter-VDOM link is configured as a physical interface
D. Check that there is a firewall policy in the source VDOM allowing traffic to the destination VDOM
E. Check that both VDOMs are in the same administrative VDOM
Answers: B, D

Each VDOM applies its own firewall policies to the traffic crossing its side of the VDOM link.

Why this answer

Options B and D are correct. Inter-VDOM traffic is matched twice: first by a policy in the source VDOM from the ingress interface to that VDOM's end of the VDOM link (D), then by a policy in the destination VDOM from its end of the link to the egress interface (B, read as the policy that accepts the flow as it arrives in the destination VDOM). Without the second policy the destination VDOM drops the packets even though the source VDOM allowed them. Replies to an accepted session follow the sessions each VDOM has already created, so a separate reverse policy is only needed for connections initiated from the destination side. Option A is wrong because NAT across a VDOM link is optional, option C because the link is a virtual interface pair rather than a physical port, and option E because VDOMs are not nested inside one another; the management VDOM only carries the FortiGate's own management traffic.

Exam trap

The trap here is that candidates assume a single policy in the source VDOM is sufficient, overlooking that inter-VDOM routing requires explicit policies in both VDOMs to allow the forward and return traffic.

856
MCQ · easy

A FortiGate is configured with OSPF multi-area. The administrator wants to ensure that routes from area 0 are redistributed into area 1. Which OSPF configuration is required?

A. Enable 'redistribute connected' on the ABR
B. Set the 'area type' to 'nssa' on area 1
C. Configure a route redistribution policy under OSPF
D. No additional configuration is needed; ABRs automatically advertise inter-area routes
Answer: D

OSPF ABRs by default advertise routes from one area to another.

Why this answer

OSPF automatically redistributes routes between areas. No special redistribution is needed; ABRs (Area Border Routers) advertise inter-area routes by default.

857
Matching · medium

Match each high availability (HA) mode to its characteristic.

Descriptions to match:

One unit handles traffic; standby takes over on failure

Both units handle traffic simultaneously

FortiGate Clustering Protocol

Synchronizes sessions between HA members

Link used for HA communication and synchronization

Why these pairings

These are fundamental HA concepts in FortiOS.

858
MCQ · medium

An administrator configures a route map to control redistribution of connected routes into OSPF. The route map uses a prefix list to match routes. After applying the redistribution, no routes are redistributed. What is the most likely oversight?

A. The route map is missing a 'set' action, so it denies all routes
B. The prefix list is configured with the wrong sequence number
C. OSPF process ID is incorrect
D. The connected routes are not in the routing table
Answer: A

A route map only passes routes that hit a permit rule whose match clauses they satisfy.

Why this answer

In FortiOS a route map passes a route only when the route hits a rule whose action is permit and whose match clauses it satisfies; routes that match no rule are dropped by the implicit deny at the end of the map, and a prefix list that does not cover the connected prefixes ends in its own implicit deny. A set clause (metric, metric-type, tag) changes attributes but is not what admits the route, so the key's option A, which phrases the oversight as a missing 'set', should be read as "the rule does not actually permit the routes". Verify, in order: that the rule's action is permit, that the prefix list matches the connected prefixes, and that the route map is referenced in the 'redistribute connected' statement under config router ospf; a route map that exists but is not attached does nothing. Option C is wrong because FortiOS runs a single OSPF process, and option D is wrong because connected routes are installed whenever the interface is up.

859
Multi-Select (medium)

A FortiGate administrator wants to detect and block protocol anomalies as part of advanced IPS. Which three options are available in FortiGate's custom IPS signatures? (Choose three.)

Select 3 answers
A. Protocol-specific fields
B. Protocol anomaly detection
C. Packet length constraints
D. Application signatures
E. URL filtering
Answers: A, B, C

Can specify fields like TCP flags, HTTP headers.

Why this answer

Correct answers: A, B, D. Custom IPS signatures can target specific protocol fields, packet length, and protocol anomalies. Application control is separate.

860
MCQ (medium)

A FortiGate is configured with SD-WAN and multiple members. The administrator notices that traffic to a critical application is consistently routed over a low-quality link, even though a better link is available. The SD-WAN rule uses the 'Best Quality' strategy with a performance SLA. What is the most likely reason?

A. The better link is failing its SLA probes
B. The better link is in 'standby' mode
C. The SD-WAN rule is using source-based routing
D. The application traffic is not matching the SD-WAN rule
Answer: A

Correct. If a link fails SLA, it is considered out of compliance and not selected by 'Best Quality'.

Why this answer

The 'Best Quality' strategy selects the best link based on measured performance. If the better link is not meeting the SLA, it will not be selected. The administrator should check the SLA thresholds and ensure the link is passing.

861
MCQ (easy)

In a Zero Trust Network Access architecture, which component acts as the policy enforcement point for access decisions?

A. FortiClient agent
B. FortiAnalyzer
C. FortiGate ZTNA gateway
D. FortiClient EMS
Answer: C

The FortiGate enforces access based on tags and policies.

Why this answer

In a Zero Trust Network Access (ZTNA) architecture, the FortiGate ZTNA gateway acts as the policy enforcement point (PEP). It terminates encrypted ZTNA tunnels from FortiClient agents, inspects traffic against configured access policies, and enforces decisions based on identity, device posture, and context. This is distinct from the control plane (FortiClient EMS) or logging (FortiAnalyzer).

Exam trap

The trap here is that candidates confuse the ZTNA gateway (PEP) with the EMS (controller) or FortiClient (client), but only the gateway sits inline and enforces access decisions based on the ZTNA access proxy protocol.

How to eliminate wrong answers

Option A is wrong because FortiClient is the ZTNA client that initiates connections and reports device posture, not the enforcement point. Option B is wrong because FortiAnalyzer is a logging and analytics platform that collects logs and generates reports, not a real-time policy enforcement component. Option D is wrong because FortiClient EMS is the management server that distributes ZTNA configurations and verifies device compliance, but it does not enforce access decisions inline.

862
MCQ (easy)

A company wants to ensure that only company-managed laptops with up-to-date antivirus can access the internal file server remotely. Which Fortinet solution integrates with FortiGate to enforce device compliance before granting ZTNA access?

A. FortiClient EMS
B. FortiAnalyzer
C. FortiSandbox
D. FortiWeb
Answer: A

FortiClient EMS manages endpoint security and compliance, and provides posture data to FortiGate for ZTNA access control.

Why this answer

FortiClient EMS (Endpoint Management Server) manages FortiClient endpoints and can enforce compliance policies. It integrates with FortiGate to provide device posture information via ZTNA tags, enabling access control based on compliance.

863
MCQ (medium)

An administrator is deploying a FortiGate in transparent mode to seamlessly integrate into an existing network. The administrator needs to manage the FortiGate remotely over the network. Which configuration is required?

A. Configure a management IP address under the VDOM settings
B. Create a VLAN interface and assign an IP
C. Assign an IP address to the physical interfaces
D. Enable DHCP client on the interfaces
Answer: A

A management IP allows remote access to the FortiGate in transparent mode.

Why this answer

In transparent mode, FortiGate operates as a Layer 2 bridge and does not route traffic, so physical interfaces cannot have IP addresses. To enable remote management, a dedicated management IP must be configured under the VDOM settings, which allows the FortiGate to be reachable via protocols like HTTPS, SSH, or SNMP without participating in Layer 3 forwarding.

Exam trap

The trap here is that candidates often assume transparent mode still requires an IP on an interface (like a VLAN or physical port) for management, but FortiGate transparent mode uses a VDOM-level management IP that is not tied to any specific interface, which is a key distinction from routed mode.

How to eliminate wrong answers

Option B is wrong because creating a VLAN interface and assigning an IP is used in transparent mode only if the management IP is placed on a specific VLAN, but the question asks for the general requirement, and the management IP is configured under VDOM settings, not as a separate VLAN interface. Option C is wrong because assigning an IP address to physical interfaces is not allowed in transparent mode; interfaces remain unnumbered and operate at Layer 2. Option D is wrong because enabling DHCP client on interfaces is not applicable in transparent mode, as interfaces do not have IP addresses and the FortiGate does not obtain an IP via DHCP for management; the management IP is statically configured under VDOM settings.

864
Multi-Select (medium)

A company has deployed FortiClient with advanced threat protection (ATP) features. Which TWO capabilities does FortiClient ATP provide beyond basic antivirus?

Select 2 answers
A. Exploit prevention and vulnerability scanning
B. Application control and inventory
C. Real-time malware protection using machine learning
D. VPN connectivity
E. Web filtering and URL rating
Answers: A, C

FortiClient ATP includes exploit prevention and vulnerability assessment.

865
Multi-Select (hard)

An administrator is deploying a hub-and-spoke ADVPN with three spoke sites. The spokes have dynamic IP addresses. The hub has a static IP. The administrator wants the spokes to establish direct shortcut tunnels when they communicate with each other. Which THREE conditions must be met for shortcut tunnels to be established? (Choose three.)

Select 3 answers
A. The spoke tunnel interfaces must be in the same IP subnet
B. The spokes must have static public IP addresses
C. The hub must be configured with 'set shortcuthub enable' to act as a shortcut hub
D. Auto-discovery must be enabled in the phase1 settings on all spokes
E. The hub must have routes to all spoke local subnets
Answers: A, D, E

Shortcut tunnels require the spoke tunnel interfaces to be in the same subnet (e.g., 10.0.0.0/24) to allow direct communication.

Why this answer

For ADVPN shortcuts, auto-discovery must be enabled on phase1 (B), the hub must have routes to spoke subnets (D), and the spoke must have a tunnel interface with an IP in the same subnet as other spokes (E). The shortcuthub is not required if the hub is the central point.

866
Multi-Select (medium)

An administrator wants to implement ZTNA with FortiClient EMS to control access to an internal web application. Which TWO components are essential for the ZTNA proxy to function correctly?

Select 2 answers
A. A static route on FortiGate pointing to the application server's network
B. SSL certificate installed on the application server
C. A public DNS record for the ZTNA gateway's FQDN
D. A firewall policy allowing traffic from the ZTNA gateway to the application server
E. An application mapping object that specifies the internal server IP and port
Answers: D, E

The gateway forwards traffic to the server; policy must permit it.

Why this answer

A ZTNA proxy requires a configured application mapping (defining the internal server) and a firewall policy that permits traffic from the ZTNA gateway to the internal server.

867
MCQ (medium)

A FortiGate administrator runs the following diagnostic command: 'diagnose vpn ike gateway list'. The output shows a gateway with state 'down'. The administrator verifies that the peer is reachable and the pre-shared key is correct. What is a possible reason for the gateway state being 'down'?

A. The remote gateway IP address has changed.
B. DPD is disabled on both ends.
C. IKE idle timeout has expired.
D. The phase2 proposal is mismatched.

Why this answer

A phase2 mismatch can cause the IKE gateway to go down if the SA negotiation fails. The gateway state reflects phase1, but a failed phase2 can cause the entire IKE SA to be deleted. Option B would show 'up' but idle; option C would cause unreachability, but the question states peer is reachable.

868
MCQ (hard)

Refer to the exhibit. An administrator runs the 'diagnose vpn ike stats' command on a FortiGate. What does the output indicate?

A. The tunnel is vulnerable to a man-in-the-middle attack because the IPsec SAs are using the same encryption algorithm.
B. The tunnel configuration is incorrect because there are two IPsec SAs under one IKE SA.
C. The tunnel is using two IKE SAs for redundancy.
D. The tunnel has one IKE SA and two IPsec SAs, which is normal for a single VPN tunnel.
Answer: D

A single tunnel uses two IPsec SAs (one for each direction) under one IKE SA.

Why this answer

The 'diagnose vpn ike stats' output shows one IKE SA (phase 1) and two IPsec SAs (phase 2). This is normal for a single VPN tunnel when using IPsec with both inbound and outbound SAs, or when the tunnel is configured with separate SAs for different traffic selectors. The presence of two IPsec SAs under one IKE SA does not indicate an error or vulnerability; it is the expected behavior for a standard IPsec VPN tunnel.

Exam trap

The trap here is that candidates may misinterpret the presence of two IPsec SAs as a redundancy or error, when in fact it is the normal and expected result of IPsec's directional SA model.

How to eliminate wrong answers

Option A is wrong because using the same encryption algorithm for both IPsec SAs does not inherently make the tunnel vulnerable to a man-in-the-middle attack; the vulnerability would depend on the algorithm's strength and key management, not the mere duplication. Option B is wrong because having two IPsec SAs under one IKE SA is not a configuration error; it is standard for IPsec to create separate SAs for each direction (inbound and outbound) or for different traffic selectors. Option C is wrong because the output shows only one IKE SA, not two; redundancy would require multiple IKE SAs, which is not indicated here.

869
MCQ (hard)

A FortiGate in transparent mode is deployed in a data center. The admin notices that ARP requests from a downstream switch for the default gateway are not being answered. The FortiGate's management IP is configured on the same subnet as the switch. What is the most likely cause?

A. The management IP is configured on the same VLAN as the downstream switch, causing a conflict
B. The downstream switch has port security enabled
C. The FortiGate has a firewall policy blocking ARP
D. The FortiGate's ARP table is full
Answer: A

In transparent mode, the FortiGate should not have the management IP on the same broadcast domain as its interfaces; it must be on a dedicated management interface or VLAN.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge and does not participate in ARP for traffic passing through it. However, the management IP is used for administrative access and must be unique on the network. If the management IP is configured on the same VLAN as the downstream switch, it creates an IP address conflict with the switch's own interface or the default gateway, causing the switch to either ignore or not forward ARP requests for that IP.

The FortiGate will not respond to ARP requests for the management IP if it detects a duplicate IP on the same broadcast domain, as per RFC 5227.

Exam trap

The trap here is that candidates assume transparent mode FortiGates always forward ARP transparently, but they forget that the management IP is a Layer 3 exception that must be unique and can cause ARP conflicts if placed on the same subnet as other devices.

How to eliminate wrong answers

Option B is wrong because port security on a switch typically limits MAC addresses per port or disables the port upon violation, but it does not prevent the FortiGate from responding to ARP requests for its management IP; the symptom described is a lack of ARP replies, not a port being err-disabled. Option C is wrong because FortiGate firewall policies operate at Layer 3 and above (IP, TCP, UDP) and do not filter or block ARP, which is a Layer 2 protocol; ARP handling is controlled by the kernel and interface settings, not by firewall policies. Option D is wrong because a full ARP table would prevent the FortiGate from learning new ARP entries, but it would not stop the FortiGate from responding to ARP requests for its own IP address; the device always replies to ARP requests for its own configured IPs regardless of table capacity.

870
MCQ (medium)

An admin wants to block malicious files detected by FortiSandbox at the FortiGate level. Which configuration is required on the FortiGate to automatically block files based on FortiSandbox verdict?

A. Enable Threat Feeds on FortiGate and subscribe to FortiSandbox feeds
B. Enable 'FortiSandbox inline prevention' in the antivirus profile
C. Configure an Automation Stitch that triggers on malware detected events and blocks the source IP
D. Configure a security policy with a Web Filter profile that blocks malware categories
Answer: B

This setting allows the FortiGate to block files immediately based on FortiSandbox verdicts.

Why this answer

Option C is correct because the antivirus profile must be enabled with FortiSandbox inline prevention to automatically block files based on verdict.

871
MCQ (hard)

In FortiManager, what is the purpose of an automation stitch?

A. To combine multiple ADOMs into a single management domain
B. To trigger automated actions based on predefined events
C. To automatically deploy configuration changes to devices
D. To stitch together multiple policy packages into one
Answer: B

Automation stitches respond to events with actions like scripts or notifications.

Why this answer

Automation stitches in FortiManager allow administrators to define a set of actions triggered by specific events (e.g., high CPU, failed login). These actions can include running CLI scripts, sending SNMP traps, or email notifications. Stitches enable automated responses to network events.

872
MCQ (medium)

A network admin notices that files submitted to FortiSandbox are not being analyzed. The FortiGate is configured to send files to FortiSandbox. What is the MOST likely cause?

A. FortiSandbox license is expired
B. FortiGate firewall policy is blocking the connection to FortiSandbox on port 443
C. FortiSandbox is in quarantine mode
D. File size exceeds the maximum submission size limit on FortiGate
Answer: A

An expired license prevents analysis. The file submission queue will accumulate.

Why this answer

Option A is correct because FortiSandbox requires a valid license to perform analysis. Without it, files are queued but not analyzed.

873
MCQ (easy)

Which FortiClient feature is specifically designed to prevent the execution of unknown malware by analyzing behavior in real-time?

A. FortiClient Vulnerability Scan
B. FortiClient Application Firewall
C. FortiClient Web Filter
D. FortiClient AI Engine
Answer: D

The AI engine uses machine learning to analyze behavior and stop unknown malware.

Why this answer

Option B is correct because FortiClient's AI-driven engine uses machine learning to detect unknown threats based on behavior, not signatures.

874
MCQ (medium)

A FortiGate administrator needs to inspect traffic between two VLANs in the same VDOM. The administrator has configured a firewall policy that applies an antivirus profile, but traffic is passing without inspection. What should the administrator check first?

A. The FortiGuard subscription status
B. Whether the antivirus profile is configured to use flow-based inspection
C. The antivirus profile's scan mode
D. That the firewall policy's source and destination interfaces match the VLAN interfaces
Answer: D

If the policy uses wrong interfaces, traffic may be matched by a different policy or by implicit deny.

Why this answer

The most common reason for traffic passing without inspection in a VDOM is a misconfiguration in the firewall policy's interface matching. Since the traffic is between two VLANs, the policy must explicitly specify the correct source and destination VLAN interfaces. If the policy uses the wrong interfaces (e.g., a physical interface instead of the VLAN subinterface), the traffic will bypass the policy and its associated security profiles entirely.

Exam trap

The trap here is that candidates often jump to troubleshooting the antivirus profile itself (e.g., subscription, inspection mode, or scan settings) instead of verifying the fundamental policy matching, which is the first thing to check in any traffic inspection issue.

How to eliminate wrong answers

Option A is wrong because the FortiGuard subscription status affects signature updates and cloud-based lookups, but it does not prevent an already configured antivirus profile from being applied to traffic that matches a policy. Option B is wrong because flow-based inspection is a valid mode for antivirus, and if the profile is configured correctly, traffic would still be inspected; the issue here is that the policy itself is not matching the traffic. Option C is wrong because the scan mode (e.g., quick, normal, or full) controls the depth of scanning, not whether the profile is applied at all; traffic would still be inspected regardless of the scan mode if the policy matched.

875
Multi-Select (medium)

An administrator is troubleshooting an IPsec VPN tunnel that uses PKI certificates for authentication. The tunnel fails to establish. The administrator checks the certificates and finds that the local certificate is valid and the CA certificate is trusted. Which two additional checks should the administrator perform? (Choose TWO)

Select 2 answers
A. Verify that the certificate is installed in the local certificate store on the FortiGate
B. Ensure that the certificate is using RSA 2048-bit keys
C. Confirm that the certificate's private key is exportable
D. Verify that the certificate's CN matches the peer's IP address
E. Check the certificate revocation list (CRL) to ensure the certificate is not revoked
Answers: D, E

The CN (or SAN) must match the peer identifier used in IKE.

Why this answer

Common certificate issues include: the certificate's Common Name (CN) does not match the peer's IP address, or the certificate has expired. Also, the certificate must have the 'IPsec tunnel' extended key usage (EKU), and the Subject Alternative Name (SAN) must include the peer's IP.

876
MCQ (medium)

A network administrator is configuring an ADVPN hub-and-spoke topology. The hub is FortiGate-A and the spokes are FortiGate-B and FortiGate-C. The administrator wants spoke-to-spoke traffic to dynamically establish direct tunnels when needed. Which two settings must be enabled on the hub's phase 1 interface to support this?

A. set mode aggressive
B. set auto-discovery-shortcut-mode both
C. set auto-discovery-sender enable
D. set add-route enable
Answer: C, D

The hub must be an auto-discovery sender to advertise routes to spokes.

Why this answer

Option B (set auto-discovery-sender enable) on the hub and Option C (set auto-discovery-receiver enable) on each spoke are required. However, since the question asks for the hub's settings, the correct answer is the hub must be configured as sender and also set add-route to enable shortcut tunnels.

877
MCQ (hard)

A FortiGate has two WAN links and uses ECMP load balancing for default routes. The administrator wants to ensure that all packets belonging to the same TCP session go out the same interface. Which setting should be enabled?

A. Persistent NAT
B. ECMP source-destination-ip hash
C. ECMP with source-ip hash
D. ECMP with 'session-based' algorithm
Answer: D

Session-based ECMP uses a hash of the 5-tuple (src IP, dst IP, protocol, src port, dst port) to ensure all packets of a session use the same interface.

878
Multi-Select (medium)

An administrator wants to protect against zero-day malware that has not yet been discovered by signature-based detection. Which TWO technologies can help mitigate such threats?

Select 2 answers
A. Machine Learning Engine
B. Outbreak Prevention
C. Signature-based antivirus
D. Web filtering
E. Application control
Answers: A, B

ML engine analyzes file characteristics to detect unknown malware.

Why this answer

Options B and D are correct. Machine learning engine and outbreak prevention use heuristics and behavioral analysis to detect unknown threats.

879
MCQ (hard)

You have configured VRF on a FortiGate with two VRFs: VRF 1 for guest traffic and VRF 2 for corporate traffic. You want to allow limited communication from guests to a corporate DNS server. What is the correct configuration step?

A. Create a firewall policy from VRF 1 to VRF 2 allowing DNS traffic
B. Enable 'set allow-vrf' on the DNS server's interface
C. Configure route leaking between VRF 1 and VRF 2 for the DNS server's IP
D. Place the DNS server in a management VDOM and use inter-VDOM links
Answer: C

Route leaking allows one VRF to know routes of another, enabling inter-VRF communication.

Why this answer

VRF leaking requires route leaking between VRFs; a firewall policy alone does not cross VRFs unless routes are leaked.

880
MCQ (hard)

A FortiGate in NAT mode has a VDOM with interface port1 (10.0.1.0/24) and port2 (203.0.113.0/24). A policy allows traffic from port1 to port2 with source NAT using the IP of port2. A user at 10.0.1.10 initiates a connection to a web server at 198.51.100.1. What will be the source IP after NAT?

A. The IP address of port2 (e.g., 203.0.113.1)
B. A random IP from the port2 subnet
C. 10.0.1.10
D. 198.51.100.1
Answer: A

Why this answer

When source NAT is configured to use the IP address of the egress interface (port2), the FortiGate performs dynamic PAT (Port Address Translation) and translates the source IP of the packet to the primary IP address of port2 (203.0.113.1). This is the default behavior when 'set srcaddr' is set to the interface IP in the firewall policy. The user at 10.0.1.10 will therefore appear to the web server at 198.51.100.1 as coming from 203.0.113.1.

Exam trap

The trap here is that candidates often assume source NAT uses a random IP from the subnet (Option B) or forget that the source IP must be the egress interface IP, leading them to select the original private IP (Option C) or the destination IP (Option D).

How to eliminate wrong answers

Option B is wrong because source NAT with 'IP of port2' does not use a random IP from the subnet; it uses the specific primary IP of the egress interface, not a pool or dynamic assignment. Option C is wrong because 10.0.1.10 is the original private source IP, which is translated by NAT; without NAT, the packet would be dropped or unroutable on the public internet. Option D is wrong because 198.51.100.1 is the destination web server IP, not the source; confusing source and destination addresses is a common error.

881
MCQ (hard)

A FortiGate is configured with multiple IPsec VPNs to remote branches. One of the branch VPN tunnels goes down frequently. The administrator runs 'diagnose vpn ike log' and sees repeated INITIAL_CONTACT notifications from the remote peer. What does this indicate?

A. The remote peer is rekeying the VPN tunnel
B. The local FortiGate has a mismatched pre-shared key
C. A dead peer detection timeout occurred
D. The remote peer has rebooted or restarted its VPN service
Answer: D

INITIAL_CONTACT is sent after a peer loses its state, typically due to reboot or IKE process restart. The local peer should delete old SAs and accept new ones.

Why this answer

INITIAL_CONTACT is a notify message sent by an IKE peer to indicate that it has rebooted or lost its state. When the remote peer sends this, it means the peer has restarted, causing the tunnel to re-establish. This is normal behavior after a reboot, but if it happens frequently it indicates instability at the remote end.

882
MCQ (easy)

An administrator wants to use FortiManager to push a new firewall policy to a managed FortiGate. Before installing, the administrator wants to review what changes will be applied. Which FortiManager feature should be used?

A. Install Preview
B. Policy & Objects - Install Wizard
C. Configuration Rollback
D. Revision History
Answer: A

Install Preview displays the CLI commands that will be executed, enabling pre-installation review.

Why this answer

Install Preview (Option A) is the correct feature because it allows the administrator to see a detailed, side-by-side comparison of the current configuration on the managed FortiGate versus the pending changes that FortiManager will push. This preview is generated by FortiManager's policy compilation engine, which calculates the exact CLI commands and object modifications required to synchronize the device database (ADOM) with the managed FortiGate. It provides a safe, non-disruptive way to validate changes before committing them, reducing the risk of misconfiguration.

Exam trap

The trap here is that candidates often confuse the Install Wizard (which guides the installation process) with Install Preview (which shows the actual changes), leading them to select Option B thinking it includes a review step, but the Install Wizard does not generate a detailed diff of pending modifications.

How to eliminate wrong answers

Option B (Policy & Objects - Install Wizard) is wrong because the Install Wizard is used to select the target devices and initiate the actual installation of policies and objects, not to preview the specific changes that will be applied; it does not provide a granular diff view. Option C (Configuration Rollback) is wrong because rollback is a recovery mechanism used to revert a FortiGate to a previous configuration revision after an installation has occurred, not a tool for previewing pending changes. Option D (Revision History) is wrong because Revision History stores past configuration snapshots for audit and rollback purposes, but it does not show the delta between the current device state and the pending changes in FortiManager's database.

883
MCQ (hard)

You are troubleshooting a BGP neighbor flapping. The neighbor state shows 'Active'. Which command will help you see the reason for the state change?

A. get router info bgp neighbors
B. get router info bgp neighbors <neighbor> rejected-routes
C. get router info bgp neighbors <neighbor> received-routes
D. get router info bgp summary
Answer: B

This shows routes that were rejected and why, helping identify flapping cause.

Why this answer

Option D is correct because 'get router info bgp neighbors <neighbor> rejected-routes' shows routes that were rejected and the reason. Option A shows established neighbors. Option B shows summary.

Option C shows received routes but not rejection reasons.

884
MCQ (medium)

A FortiGate is configured with SD-WAN using BGP. The administrator wants to influence outbound traffic to prefer one SD-WAN member over another based on BGP attributes. Which BGP attribute, when modified on the FortiGate, can achieve this for outbound traffic?

A. Local-preference
B. Weight
C. AS-Path prepending
D. MED
Answer: A

Local-preference is used to influence outbound traffic within the local AS. Higher local-preference makes a route more preferred for outbound traffic.

Why this answer

AS-Path prepending adds AS numbers to the path, making it longer and less preferred on the remote side. This influences outbound traffic by making the local route less attractive to downstream routers, but for outbound traffic from the FortiGate, local-preference (option C) is the correct attribute to influence outbound path selection within the local AS.

885
MCQ (hard)

An administrator runs the following CLI output: 'diagnose sys session filter dport 443' and sees 'proto=6 proto_state=01 duration=3600 expire=3599'. Which statement BEST describes the session?

A. The session is in the process of being torn down
B. The session is established and has been active for one hour
C. The session is a UDP session incorrectly classified as TCP
D. The TCP session is still in the SYN-SENT state
Answer: B

proto_state=01 indicates an established TCP session; duration=3600 seconds equals one hour.

Why this answer

The session shows 'proto=6' (TCP), 'proto_state=01' (TCP_ESTABLISHED), and 'duration=3600' seconds, which equals one hour. The 'expire=3599' indicates the session has 3599 seconds left before timeout, confirming it is active and established. Option B correctly identifies this as an established session that has been active for one hour.

Exam trap

The trap here is that candidates may misinterpret 'proto_state=01' as a starting state or teardown state, when in Fortinet's session table it specifically represents TCP_ESTABLISHED, and the combination of duration and expire values confirms the session is active and not in transition.

How to eliminate wrong answers

Option A is wrong because 'proto_state=01' indicates TCP_ESTABLISHED, not a teardown state; a session being torn down would show a state like TCP_FIN_WAIT or TCP_CLOSE. Option C is wrong because 'proto=6' explicitly indicates TCP, not UDP (which would be proto=17), and the state '01' is a valid TCP established state, not a misclassification. Option D is wrong because 'proto_state=01' corresponds to TCP_ESTABLISHED, not SYN-SENT (which would be state '02' or '03' depending on the Fortinet implementation); the session has already completed the three-way handshake.

886
MCQ (easy)

An administrator wants to load balance traffic across two ISP links using SD-WAN. The requirement is that sessions from the same source IP address must always use the same ISP link. Which SD-WAN load balancing algorithm should be used?

A. Source-destination IP
B. Sessions
C. Volume
D. Spillover
Answer: A

This algorithm hashes source and destination IP to consistently select the same member for flows between the same two hosts.

Why this answer

The source-destination IP algorithm uses a hash of source and destination IP addresses to consistently map traffic to the same member. This ensures that all sessions with the same source and destination IP pair go to the same link, meeting the requirement.

887
MCQ (medium)

A network administrator configures SD-WAN on a FortiGate with two WAN members (port1, port2). They set up a performance SLA to measure latency to 8.8.8.8. The SLA shows both members are 'alive'. However, traffic matching an SD-WAN rule with 'best quality' strategy is not using the lowest-latency link. What is the MOST likely cause?

A. Both WAN members have the same cost in the SD-WAN configuration
B. The SD-WAN rule is configured with 'manual' strategy
C. The SD-WAN rule has 'set-match' enabled for source IP
D. The performance SLA does not have 'latency' as the first metric in the priority order
Answer: D

Best quality uses the configured metric order; if latency is not first, another metric determines the selection.

Why this answer

The 'best quality' strategy selects based on the highest priority metric. By default, latency is not the highest priority; jitter and packet loss are considered first. The admin must configure the SLA to prioritize latency or adjust the SD-WAN rule strategy.

888
MCQ easy

An administrator is configuring a FortiGate HA cluster and wants to ensure that the cluster can tolerate a failure of one unit without administrative intervention. The cluster must also support upgrading firmware with minimal downtime. Which HA mode should the administrator select?

A.Standalone mode
B.Active-active HA
C.Active-passive HA
D.FGCP mode
Answer C

Provides automatic failover and supports rolling firmware upgrades.

Why this answer

Active-passive HA (option C) is correct because it provides automatic failover without administrative intervention when a unit fails, and it supports hitless firmware upgrades by upgrading the standby unit first, then performing a failover to make it active, followed by upgrading the original active unit. This mode uses a single management IP and synchronizes configuration and session state between the primary and backup units, ensuring minimal downtime during both failure and upgrade scenarios.

Exam trap

The trap here is that candidates confuse FGCP (the protocol) with an HA mode, leading them to select option D, when FGCP is simply the underlying mechanism used by both active-active and active-passive modes, not a mode itself.

How to eliminate wrong answers

Option A is wrong because standalone mode offers no redundancy or failover capability, so a single unit failure causes complete service loss. Option B is wrong because active-active HA distributes traffic across all units but does not inherently support hitless firmware upgrades without additional complexity and potential session loss; it also requires careful load-balancing configuration and may not meet the 'minimal downtime' upgrade requirement as cleanly as active-passive. Option D is wrong because FGCP (FortiGate Cluster Protocol) is not an HA mode but the underlying protocol that enables both active-active and active-passive HA; selecting FGCP alone does not specify the operational mode needed for automatic failover and minimal-downtime upgrades.

889
Multi-Select medium

A FortiGate administrator is deploying a multi-VDOM setup for a service provider. The provider wants each customer VDOM to have its own administrative access, yet the overall device management (including firmware upgrades) should be centralized from the management VDOM. Which TWO statements are true regarding administrative VDOMs?

Select 2 answers
A.The management VDOM can be used to manage all other VDOMs
B.Traffic VDOMs cannot have any administrative access
C.Each VDOM must have a separate management IP address
D.The management VDOM is responsible for device-level functions like firmware upgrades
E.An administrator assigned to one VDOM can automatically view configurations of other VDOMs
Answers A, D

By default, the management VDOM (or any admin with super_admin profile) can access all VDOMs.

Why this answer

Option A is correct because the management VDOM in a multi-VDOM FortiGate setup is specifically designed to provide centralized management. Administrators logged into the management VDOM can use the `execute` commands or the GUI to manage all other VDOMs, including configuration changes and monitoring, without needing to log into each VDOM individually.

Exam trap

The trap here is that candidates often assume traffic VDOMs cannot have any administrative access, but FortiGate allows per-VDOM admin accounts for delegated management, as long as the administrator is assigned to that specific VDOM.

890
MCQ easy

What is the primary purpose of Dead Peer Detection (DPD) in an IPsec VPN configuration?

A.To establish a backup tunnel in case the primary tunnel fails.
B.To detect if a VPN peer is alive by sending periodic probes and bringing down the tunnel if no response is received.
C.To automatically renegotiate IKE phase1 keys before they expire.
D.To verify the integrity of encrypted packets using HMAC authentication.
Answer B

Why this answer

DPD sends keepalive messages to detect peer reachability. If the peer does not respond, the tunnel is marked down, allowing failover. Key renegotiation is handled by IKE lifetime settings, not DPD.

891
MCQ medium

An administrator configures a ZTNA rule with an inline CASB profile to protect access to a SaaS application. The rule uses a ZTNA tag that requires 'OS Type = Windows' and 'Antivirus = running'. A user with a Windows 10 device and Symantec antivirus running is denied access. What is the MOST likely cause?

A.The user's device is not connected to the corporate network.
B.The inline CASB profile is blocking all traffic from the ZTNA rule.
C.The ZTNA tag requires the FortiClient EMS to be installed on the device.
D.The Symantec antivirus is not listed in the FortiGate's supported antivirus list.
Answer D

Why this answer

FortiGate checks device posture against known antivirus vendors. If Symantec is not in the supported list, the tag condition fails. FortiClient EMS is not required for ZTNA tags if using other telemetry, but the AV check requires a recognized AV.

892
MCQ medium

A network admin runs 'diagnose sys top' on a FortiGate and sees that the process 'httpsd' is consistently using 95% CPU. Which of the following actions is MOST appropriate to troubleshoot this issue?

A.Restart the FortiGate firewall engine with 'diagnose test application fgwbd 255'
B.Disable the antivirus profile on all policies to reduce processing load
C.Increase the log rate to capture more details about the httpsd process
D.Check the number of active admin sessions and consider stopping the web GUI service temporarily
Answer D

httpsd handles web management; high CPU may be due to many admin sessions or a stuck process.

Why this answer

Option D is correct because httpsd is the web management daemon. High CPU usage from httpsd often indicates excessive web GUI access or a stuck session. The first step is to check active admin sessions and consider stopping the GUI service temporarily for diagnosis.

893
MCQ medium

An administrator is configuring a FortiGate HA cluster in active-passive mode. The company has two ISPs, and the primary FortiGate is connected to ISP1 and ISP2. The secondary FortiGate is connected only to ISP2. The administrator wants to ensure that failover occurs only if both ISP1 and ISP2 connections are lost on the primary device. Which configuration approach should be used?

A.Use gateway monitoring with virtual router failover, and set the failure threshold to 2.
B.Configure gateway monitoring on the primary for ISP1 only, and set the HA failover threshold to 1.
C.Set the HA priority of the primary to 1 and the secondary to 0, and enable link-fail-signal on both ISP interfaces on the primary.
D.Set the HA priority of the primary to 1 and the secondary to 0, and enable link-fail-signal on both ISP interfaces on the primary, then set 'set ha-priority 1' on the primary and 'set ha-priority 0' on the secondary.
Answer D

This ensures that the primary's priority drops to 0 only when both ISP links fail, since link-fail-signal reduces priority by 1 for each failed link.

Why this answer

Option D is correct because it uses link-fail-signal on both ISP interfaces of the primary FortiGate to detect physical link loss, and sets HA priorities (primary=1, secondary=0) so that failover occurs only when both ISP links are down. Link-fail-signal triggers an HA failover only when the monitored interface loses carrier, and since both ISP1 and ISP2 interfaces are monitored, the primary will only relinquish control when both links fail, meeting the requirement.

Exam trap

The trap here is that candidates often confuse link-fail-signal with gateway monitoring or assume that setting HA priorities alone is sufficient, overlooking the need to explicitly enable link-fail-signal on the specific interfaces to trigger failover based on link status.

How to eliminate wrong answers

Option A is wrong because gateway monitoring with virtual router failover monitors reachability to a gateway IP, not physical link status, and setting a failure threshold of 2 would require two consecutive failures on a single monitored gateway, not both ISPs. Option B is wrong because configuring gateway monitoring on ISP1 only would cause failover if ISP1 alone fails, even if ISP2 is still up, violating the requirement that both ISPs must be lost. Option C is wrong because it sets HA priority but does not include the 'set ha-priority' commands on the interfaces; the description is incomplete and the syntax is incorrect for the actual configuration needed.

894
MCQ medium

A FortiGate administrator wants to implement Content Disarm and Reconstruction (CDR) for email attachments. Which security profile must be configured to enable CDR?

A.Web Filter profile
B.Antivirus profile
C.IPS profile
D.Application Control profile
Answer B

CDR is part of the antivirus profile; it disarms and reconstructs files to remove active content.

Why this answer

Content Disarm and Reconstruction (CDR) is a security feature that removes active content (e.g., macros, scripts, embedded objects) from files and reconstructs them into a safe version. In FortiOS, CDR is configured within the Antivirus profile because it operates as part of the antivirus scanning engine, specifically under the 'File Filter' or 'Content Disarm' tab, where you can enable CDR for supported file types like Office documents and PDFs.

Exam trap

The trap here is that candidates mistakenly associate CDR with Web Filter (thinking it's a web content sanitization feature) or IPS (confusing it with file-based exploit prevention), when in fact CDR is a file-level sanitization feature tightly integrated with the antivirus engine and configured within the Antivirus profile.

How to eliminate wrong answers

Option A is wrong because Web Filter profiles control HTTP/HTTPS URL access and content categorization, not email attachment processing or file-level content sanitization. Option C is wrong because IPS profiles focus on network-based intrusion prevention by inspecting traffic for exploit signatures and anomalies, not on file reconstruction or active content removal. Option D is wrong because Application Control profiles manage application visibility and usage policies (e.g., blocking or allowing specific apps like Skype or Dropbox), not file attachment scanning or CDR operations.

895
MCQ hard

An admin configures a FortiManager ADOM for a customer with multiple FortiGates. The admin wants to use meta fields to group firewalls by location. After defining a meta field 'Location' and assigning values to devices, where can the admin use the meta field for policy targeting?

A.Meta fields are automatically synced to FortiGate and used in firewall policies
B.In the ADOM level policy package, meta fields are used as variables in policy names
C.Meta fields are only used for generating reports in FortiAnalyzer
D.In the installation target of a policy package, the admin can filter devices by meta field values
Answer D

This allows policy packages to be targeted to specific groups of devices based on meta fields.

Why this answer

Option D is correct because in FortiManager, meta fields are used within ADOM-level policy packages to filter devices during installation targeting. This allows the admin to select only FortiGates with a specific 'Location' meta field value, enabling policy targeting based on location without manual device grouping.

Exam trap

The trap here is that candidates often assume meta fields are automatically propagated to FortiGate devices or used in policy definitions, but FortiManager treats them strictly as administrative metadata for filtering and targeting during installation, not as runtime variables on the FortiGate.

How to eliminate wrong answers

Option A is wrong because meta fields are not automatically synced to FortiGate devices; they remain within FortiManager for administrative grouping and targeting, and are not used directly in FortiGate firewall policies. Option B is wrong because meta fields cannot be used as variables in policy names; they are used for filtering devices in installation targets, not for naming policies. Option C is wrong because meta fields are not limited to FortiAnalyzer reporting; they are primarily used in FortiManager for device grouping and policy targeting.

896
MCQ easy

An administrator wants to monitor real-time CPU usage per process on a FortiGate. Which command should be used?

A.diagnose hardware sysinfo cpu
B.get system performance status
C.diagnose sys top
D.show system performance monitor
Answer C

This command displays a real-time list of processes and their resource usage.

Why this answer

The 'diagnose sys top' command shows running processes with CPU and memory usage, similar to Linux 'top'. Option B reports aggregate CPU and memory statistics rather than a per-process breakdown, and options A and D do not provide a per-process view either.

897
Multi-Select medium

A network administrator is configuring a hub-and-spoke ADVPN with BGP over the VPN tunnels. Which TWO conditions are necessary for the spokes to establish direct shortcut tunnels between each other?

Select 2 answers
A.The spokes must have identical phase2 proposals
B.BGP must be configured on all FortiGates (hub and spokes) to exchange routing information
C.The spokes must use the same IKE version
D.The hub must be configured with 'set next-hop-self disable' for the spoke BGP neighbors
E.The hub must have static routes for each spoke's LAN subnet
Answers B, D

BGP is used to propagate routes. Each spoke learns the other spoke's subnets via BGP from the hub.

Why this answer

Shortcut tunnels require that the hub propagates routes without setting itself as next-hop (next-hop-self disabled), and that the spokes hold consistent routing information so each knows the other spoke's subnet via BGP. Options B and D are correct: BGP must be configured on the hub and all spokes to exchange routes, and the hub must not set next-hop-self so that the next-hop remains the remote spoke's tunnel IP.

898
MCQ medium

A company uses FortiWeb as a reverse proxy for their web application. They want to protect against SQL injection attacks. Which FortiWeb feature should be configured?

A.Enable 'SQL Injection Prevention' in the Web Protection Profile
B.Enable 'IPS Sensor' with SQL injection signatures
C.Use the FortiGate WAF profile instead
D.Configure a custom HTTP header validation rule
Answer A

FortiWeb has predefined signatures for SQL injection.

Why this answer

FortiWeb's Web Protection Profile includes a dedicated 'SQL Injection Prevention' module that uses signature-based and behavioral analysis to detect and block SQL injection attempts at the application layer. This is the correct feature because FortiWeb is a web application firewall (WAF) designed specifically for HTTP/HTTPS traffic, and SQL injection protection is a core WAF function, not a general IPS or network-layer feature.

Exam trap

The trap here is that candidates assume IPS signatures can handle SQL injection because they see 'SQL injection' in signature names, but they overlook that FortiWeb's dedicated module provides application-layer decoding and context that a generic IPS sensor lacks.

How to eliminate wrong answers

Option B is wrong because IPS Sensors on FortiGate or FortiWeb are designed for network-layer attack detection (e.g., protocol anomalies, buffer overflows) and lack the application-layer context (e.g., HTTP parameter parsing, URL decoding) needed to reliably detect SQL injection. Option C is wrong because the FortiGate WAF profile is a simplified subset of FortiWeb's capabilities; it does not include the granular SQL injection prevention engine or the dedicated signature database that FortiWeb offers. Option D is wrong because custom HTTP header validation rules only inspect header fields, not the request body or URL parameters where SQL injection payloads typically reside.

899
Multi-Select medium

A FortiGate administrator is troubleshooting an IKEv2 VPN tunnel that fails to establish. The remote peer logs show 'no acceptable proposal' error. Which TWO possible causes should the administrator check?

Select 2 answers
A.The remote peer's IP address is unreachable
B.The phase1 encryption algorithm or integrity algorithm is mismatched
C.The local FortiGate has the wrong IKE version configured
D.The remote peer's pre-shared key is incorrect
E.The Diffie-Hellman group configured is not supported by both peers
Answers B, E

If the local and remote proposals do not have a common algorithm, negotiation fails with 'no acceptable proposal'.

Why this answer

The 'no acceptable proposal' error occurs when the two peers cannot agree on a set of parameters. Common causes are mismatched encryption/integrity algorithms (phase1 proposal) or mismatched Diffie-Hellman groups.

900
MCQ medium

When troubleshooting a FortiGate that is not synchronizing configuration to its HA peer, which command should be used to check the HA synchronization status?

A.diagnose sys ha sync-status
B.get system ha status
C.diagnose sys ha status
D.show system ha
Answer B

This command displays HA cluster status, sync state, and last sync error.

Why this answer

'get system ha status' provides detailed information about HA cluster status, including synchronization state and any errors.
