Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 901-975

1000 questions total · 14 pages · All types, answers revealed


Page 13 of 14

901 (Multi-Select, easy)

An administrator is configuring BGP with SD-WAN on a FortiGate. Which TWO statements are true about BGP and SD-WAN integration? (Choose two.)

Select 2 answers
A. BGP must be disabled on interfaces used for SD-WAN
B. BGP learned routes cannot be used as SD-WAN members
C. SD-WAN performance SLA can override BGP best path selection
D. SD-WAN rules can use BGP attributes such as AS path to influence path selection
E. BGP route redistribution is not supported with SD-WAN
Answers: C, D

SD-WAN can choose a different path based on SLA metrics.

Why this answer

BGP learned routes can be used as SD-WAN members and can influence path selection based on attributes like AS path. SD-WAN rules can use BGP attributes for load balancing.

902 (Multi-Select, medium)

A FortiGate administrator needs to block an application (e.g., Facebook) while allowing HTTPS traffic for ZTNA users. Which TWO configurations are required to achieve this?

A. Web filter profile with Facebook categorized as blocked.
B. Enable 'inline CASB' on the ZTNA rule.
C. SSL deep inspection profile to decrypt HTTPS traffic.
D. Application control profile with Facebook blocked applied to the firewall policy.
E. Add a ZTNA tag for Facebook blocking.

Why this answer

Application control can identify and block Facebook regardless of port. SSL deep inspection is required to see inside HTTPS traffic where Facebook may be running. Web filter (C) blocks based on URL, but Facebook uses many domains.

Inline CASB is for SaaS applications, not the same. Tags are not used for application blocking.

903 (Multi-Select, medium)

A network administrator is troubleshooting an SD-WAN setup where traffic from a specific application is not being load-balanced as expected. The SD-WAN rule uses the 'volume' load balancing algorithm. Which TWO factors could cause traffic to not be distributed equally? (Choose two.)

Select 2 answers
A. The SD-WAN rule is configured with 'mode = load-balance' but the algorithm is set to 'source-dest-ip'
B. One of the SD-WAN members is a PPPoE interface
C. The performance SLA has a high packet loss threshold causing the member to be dead
D. The traffic is asymmetric, causing sessions to be created on different members than expected
E. The traffic is encrypted and cannot be inspected
Answers: B, D

PPPoE interfaces are not supported for load balancing in SD-WAN.

Why this answer

The volume algorithm uses a weighted distribution. If one member is a PPPoE interface, it cannot be used for load balancing due to NAT issues. Also, if traffic is asymmetric, the session may not be balanced properly.

904 (MCQ, medium)

An administrator configured an SD-WAN rule to steer traffic to a specific member interface using the 'lowest-cost' strategy. After applying, the traffic is not being load-balanced as expected. Which configuration element is MOST likely missing?

A. The 'best-quality' strategy was inadvertently selected instead.
B. A performance SLA has not been assigned to the SD-WAN member interfaces.
C. The SD-WAN member interfaces are not in the same zone.
D. The 'update-static-route' option is disabled on the SD-WAN member.
Answer: B

The lowest-cost strategy relies on performance SLA metrics to determine cost. Without an SLA, the cost is not calculated.

905 (MCQ, hard)

A FortiGate administrator configures a hub-and-spoke ADVPN network. Spokes are behind NAT. After deployment, spokes can communicate with each other only through the hub. What must be configured to allow spokes to establish direct shortcut tunnels?

A. Enable auto-negotiate on the IPsec phase1 interface
B. Configure NAT traversal on the hub's phase1
C. Set 'add-route' to 'enable' on the hub's ADVPN configuration
D. Add a firewall policy allowing IKE from spoke to spoke
Answer: C

Why this answer

For shortcut tunnels to be established, the hub must have 'add-route' enabled so that it advertises routes to other spokes. Without this, spokes will not know how to reach each other directly and will continue to route through the hub.

906 (Multi-Select, medium)

An administrator is configuring SD-WAN and wants to ensure that voice traffic uses the lowest latency link. Which two configurations are required to achieve this? (Choose TWO.)

Select 2 answers
A. Configure a static route for the voice subnet
B. Configure a performance SLA with latency threshold
C. Set the SD-WAN rule to use 'manual' strategy
D. Create an SD-WAN rule that matches voice traffic and uses 'best quality' strategy
E. Enable NAT on the SD-WAN interface
Answers: B, D

The SLA measures latency and marks link quality.

Why this answer

To steer traffic based on latency, you need a performance SLA with latency measurement and an SD-WAN rule that matches the voice traffic and uses the lowest latency strategy.

907 (MCQ, easy)

An administrator wants to create a separate virtual firewall instance on a FortiGate to isolate a DMZ environment. The DMZ must have its own routing table, firewall policies, and administrators. Which FortiGate feature should be used?

A. Virtual Domains (VDOMs)
B. Virtual Router Redundancy Protocol (VRRP)
C. Virtual LANs (VLANs)
D. Security Fabric
Answer: A

VDOMs create separate virtual firewalls with independent configuration.

Why this answer

Virtual Domains (VDOMs) are the FortiGate feature that allows the creation of multiple independent virtual firewalls within a single physical appliance. Each VDOM operates with its own separate routing table, firewall policies, and administrative domains, making it the correct choice for isolating a DMZ environment with dedicated administrators and routing.

Exam trap

The trap here is that candidates often confuse VLANs (Layer 2 segmentation) with VDOMs (full virtual firewall instances), mistakenly thinking VLANs alone can provide independent routing tables and administrative domains, which they cannot.

How to eliminate wrong answers

Option B (VRRP) is wrong because VRRP is a first-hop redundancy protocol (RFC 5798) that provides high availability for default gateways, not a mechanism to create separate virtual firewall instances with independent routing and policies. Option C (VLANs) is wrong because VLANs operate at Layer 2 to segment broadcast domains and do not provide separate routing tables, firewall policies, or administrative domains; they require a VDOM or similar construct to achieve full isolation at Layer 3 and above. Option D (Security Fabric) is wrong because the Security Fabric is a framework for centralized management and threat sharing across multiple FortiGate devices, not a feature that creates isolated virtual firewall instances on a single unit.

908 (Multi-Select, hard)

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. Phase 1 seems to complete, but Phase 2 fails with 'no proposal chosen'. The administrator checks the Phase 2 configuration and sees the following settings: 'Local address: 10.0.0.0/24, Remote address: 192.168.0.0/24, Proposal: aes256-sha1, Enable Perfect Forward Secrecy (PFS): Disabled'. Which TWO changes would most likely resolve the issue? (Choose two.)

Select 2 answers
A. Enable PFS on FortiGate
B. Verify that the Phase 2 selectors match exactly on both sides
C. Change the local address to 10.0.0.0/8
D. Add aes256-sha256 to the Phase 2 proposal
E. Increase the Phase 2 lifetime
Answers: A, B

If the remote side requires PFS, FortiGate must enable it to match.

Why this answer

Phase 2 failure with 'no proposal chosen' indicates a mismatch in proposal or selectors. Common causes: PFS mismatch (if remote requires PFS) or selector mismatch (subnets).

909 (Multi-Select, medium)

An administrator is deploying ADVPN with a hub-and-spoke topology. The hub FortiGate is configured with 'set auto-discovery enable' and 'set add-route enable'. Spokes have 'set auto-discovery-sender enable'. However, shortcut tunnels are not being established. Which two additional conditions must be met for shortcut tunnels to form? (Choose two.)

Select 2 answers
A. The spokes must have a static route to each other's networks
B. The spokes must have 'set dpd enable' on the phase 1
C. The phase 2 configuration on the hub must have 'set auto-discovery enable'
D. Traffic must be flowing between spokes through the hub
E. The hub must be configured as a route reflector for BGP
Answers: C, D

The hub's phase 2 must allow auto-discovery to negotiate shortcuts.

Why this answer

Shortcut tunnels require traffic between spokes (A) and the hub's phase 2 must have auto-discovery enabled (C).

910 (MCQ, hard)

A FortiGate has two equal-cost paths to a destination network. ECMP is enabled. The administrator notices that all traffic uses the first path. What is the most likely cause?

A. ECMP is configured with 'spillover' mode
B. The second path is administratively down
C. ECMP is configured to use 'source-dest-ip' hash and all sessions are from same source to same destination
D. The route metric is not equal
Answer: C

That hash would send all sessions to the same path.

Why this answer

ECMP distributes session flows, but if all traffic is using one path, it might be due to a session-based hash that results in the same path for all sessions, or the ECMP load balancing may be set to 'source-dest-ip' and the traffic is from one source to one destination. More likely, the ECMP load balancing mode is set to 'usage' or there is a policy-based route overriding.

911 (MCQ, medium)

An IPS administrator wants to detect a new custom attack that sends malformed HTTP headers. The attack pattern is a specific sequence of bytes that is not covered by existing signatures. What is the BEST way to detect this attack on FortiGate?

A. Use an automation stitch to block traffic with unusual headers
B. Enable protocol anomaly detection in the IPS sensor
C. Deploy FortiWeb as a reverse proxy
D. Create a custom IPS signature
Answer: D

Custom signatures match specific content patterns defined by the administrator.

Why this answer

Option B is correct because custom IPS signatures allow administrators to define unique patterns to detect new attacks not covered by default signatures.

912 (MCQ, medium)

A FortiGate with SD-WAN enabled uses two members: MPLS (10 ms latency) and Internet (40 ms latency). The SD-WAN rule uses 'Best Quality' strategy with latency as the metric. Traffic to a critical application (10.1.1.0/24) is currently using the MPLS link. The MPLS link's latency increases to 60 ms due to a routing issue. How will FortiGate handle new sessions to 10.1.1.0/24?

A. New sessions will use the Internet link; existing sessions continue on MPLS.
B. FortiGate will wait for the MPLS link to recover before sending new traffic.
C. All sessions immediately switch to the Internet link.
D. Existing sessions continue on MPLS; new sessions will use MPLS until the next SLA probe.
Answer: A

Best Quality uses SLA metrics to steer new sessions to the best member, but does not affect existing sessions.

Why this answer

With 'Best Quality' strategy, FortiGate continuously monitors performance SLAs. When the MPLS link's latency exceeds the threshold or becomes worse than the Internet link, new sessions will be steered to the best available member (Internet) based on the metric. Existing sessions remain on the original link until they expire.

913 (MCQ, medium)

An administrator configures a FortiGate to integrate with FortiSandbox for inline scanning. The policy has an antivirus profile with FortiSandbox enabled. What condition must be met for files to be submitted to FortiSandbox?

A. The antivirus profile must use proxy-based inspection mode
B. The FortiSandbox must be on the same subnet as the FortiGate
C. The FortiGate must be in NAT mode
D. SSL inspection must be disabled
Answer: A

Proxy-based inspection is required for inline FortiSandbox file submission.

Why this answer

For files to be submitted to FortiSandbox during inline scanning, the antivirus profile must use proxy-based inspection mode. This is because proxy-based inspection allows the FortiGate to buffer the entire file, perform deep analysis, and then forward it to FortiSandbox for verdict-based blocking. Flow-based inspection, in contrast, streams packets and cannot hold files for submission, making proxy mode a prerequisite for inline FortiSandbox integration.

Exam trap

The trap here is that candidates assume flow-based inspection is sufficient for inline sandboxing, but FortiGate explicitly requires proxy-based inspection to buffer and submit files for verdict-based blocking.

How to eliminate wrong answers

Option B is wrong because FortiSandbox does not need to be on the same subnet as the FortiGate; it can be located anywhere reachable via network, and communication uses HTTPS (port 443) or FortiSandbox-specific protocols. Option C is wrong because the FortiGate can operate in NAT mode or transparent mode for FortiSandbox integration; NAT mode is not a requirement. Option D is wrong because SSL inspection must be enabled (not disabled) to decrypt HTTPS traffic and allow the antivirus profile to inspect files within encrypted sessions for FortiSandbox submission.

914 (MCQ, easy)

An administrator wants to use FortiGate as a SAML identity provider (IdP) for a third-party service. Which configuration is required on FortiGate?

A. Enable SAML authentication in the firewall policy
B. Configure FortiAuthenticator as an external IdP
C. Configure a SAML identity provider user and export FortiGate's metadata
D. Configure a SAML service provider user and import the SP metadata
Answer: C

FortiGate as IdP requires creating an IdP user and sharing its metadata with the SP.

Why this answer

FortiGate can act as an IdP by creating a SAML IdP user and configuring the service provider metadata.

915 (Multi-Select, medium)

An administrator is planning a multi-VDOM deployment with a management VDOM. Which TWO statements about management VDOMs are correct? (Choose two.)

Select 2 answers
A. The management VDOM can be used for FortiGuard updates
B. The management VDOM cannot have firewall policies
C. The management VDOM requires a separate license
D. The management VDOM can host the GUI and SSH services
E. All user traffic must pass through the management VDOM
Answers: A, D

Correct.

Why this answer

Option A is correct because the management VDOM is specifically designed to handle administrative traffic, including FortiGuard updates. By isolating FortiGuard communications to the management VDOM, administrators ensure that security updates and threat intelligence downloads do not interfere with or consume bandwidth from the data VDOMs, and they can be centrally managed from a single VDOM.

Exam trap

The trap here is that candidates often assume a management VDOM cannot have firewall policies or requires a separate license, but in reality, it can have policies for administrative access and does not incur additional licensing costs.

916 (MCQ, medium)

An enterprise FortiGate is configured with multiple VDOMs, including a management VDOM. The admin logs in to the management VDOM and wants to create a new VDOM and assign interfaces. However, the 'config vdom' command requires entering a VDOM name that is not 'root'. What is the correct next step?

A. Configure a VDOM link between the management VDOM and the new VDOM
B. Use the 'config vdom' command directly in the management VDOM CLI
C. Run 'config global' from the management VDOM to enter the global context
D. Reboot the FortiGate in multi-VDOM mode
Answer: C

The management VDOM can access the global context via 'config global' to create VDOMs and assign interfaces.

Why this answer

The management VDOM operates within the multi-VDOM context, but VDOM creation and interface assignment are global-level operations. The 'config vdom' command to create a new VDOM must be executed from the global configuration context, not from within any VDOM (including the management VDOM). Therefore, the admin must first run 'config global' to exit the management VDOM and enter the global context, where VDOMs can be created and managed.

Exam trap

The trap here is that candidates assume the management VDOM has elevated privileges to create other VDOMs, but in FortiOS, VDOM management is strictly a global-level operation, not a VDOM-level operation.

How to eliminate wrong answers

Option A is wrong because a VDOM link is used to connect two existing VDOMs for traffic forwarding, not to create a new VDOM or assign interfaces. Option B is wrong because 'config vdom' within a VDOM (including the management VDOM) only allows entering an existing VDOM's configuration; it does not permit creating a new VDOM or assigning interfaces, as those operations require global context. Option D is wrong because the FortiGate is already in multi-VDOM mode (as indicated by the presence of multiple VDOMs); rebooting does not change the context needed to create a new VDOM.

917 (MCQ, medium)

An administrator configures a FortiGate in transparent mode for a VDOM. After switching to transparent mode, the administrator notices that the default route disappears and traffic fails. What must be configured to restore routing?

A. A static route on the upstream router
B. A management IP address and default gateway for the VDOM
C. Enable NAT mode to allow routing
D. Assign an IP address to each interface
Answer: B

Why this answer

In transparent mode, a FortiGate VDOM acts as a Layer 2 bridge and does not participate in Layer 3 routing. The default route disappears because the VDOM has no Layer 3 interface to host a routing table. To restore management connectivity and allow the FortiGate to reach remote networks (e.g., for firmware updates or logging), you must configure a management IP address and a default gateway for the VDOM.

This management IP is used solely for outbound management traffic and does not affect the bridged data plane.

Exam trap

The trap here is that candidates assume transparent mode still requires per-interface IPs or static routes for the data plane, when in fact only a single management IP and default gateway are needed for the FortiGate's own control-plane traffic.

How to eliminate wrong answers

Option A is wrong because configuring a static route on the upstream router does not provide the FortiGate itself with a default gateway; the FortiGate in transparent mode has no routed interfaces and cannot use an upstream router's route for its own management traffic. Option C is wrong because NAT mode is a separate operational mode (Layer 3) and cannot be enabled within a transparent-mode VDOM; transparent mode inherently disables routing and NAT. Option D is wrong because assigning an IP address to each interface in transparent mode is not supported; only a single management IP is assigned to the VDOM, not per-interface IPs.

918 (MCQ, hard)

A security admin notices that FortiClient ATP is not blocking threats on a managed endpoint. The FortiClient is registered with FortiGate and the ATP feature is enabled in the FortiClient profile. What is the most likely cause?

A. The FortiGate's antivirus signatures are outdated
B. The FortiClient endpoint has a different antivirus product installed that conflicts
C. The FortiGate antivirus profile applied to the FortiClient policy has 'Scan on Access' disabled
D. FortiClient is in standalone mode instead of managed mode
Answer: C

ATP relies on on-access scanning to block threats immediately.

Why this answer

FortiClient ATP uses the FortiGate's antivirus engine to scan files locally. If the endpoint's antivirus profile on FortiGate does not include 'Scan on Access', FortiClient ATP may not intercept file access events.

919 (MCQ, hard)

A FortiGate is running OSPF in a multi-area network. The administrator notices that routes from area 1 are not being redistributed into area 0. The configuration includes 'redistribute connected' under OSPF. What is the most likely cause?

A. The OSPF network type is not broadcast
B. Area 1 is a stub area
C. The ABR is not configured with 'area 0'
D. The 'redistribute connected' command is missing under the OSPF process
Answer: D

If the routes are connected interfaces in area 1, they need to be redistributed into OSPF to be advertised to other areas.

Why this answer

By default, OSPF only redistributes routes from other routing protocols or connected routes if configured. However, routes from other OSPF areas are not redistributed; they are learned via inter-area LSAs. If redistribution is not configured for connected or static routes, the issue might be that the routes are not being generated.

Option C is a plausible cause: missing 'redistribute connected' under the OSPF process.

920 (Multi-Select, medium)

An administrator wants to use policy-based routing to forward traffic from subnet 192.168.1.0/24 to a specific next-hop via port2. Which TWO configuration elements are needed?

Select 2 answers
A. An SD-WAN rule overriding the routing decision.
B. A route-map that matches the source subnet and sets the next-hop.
C. A static route with a higher administrative distance.
D. A prefix-list matching 192.168.1.0/24.
E. A firewall policy matching the traffic with action 'accept'.
Answers: B, D

PBR uses route-maps to match and set next-hop.

921 (Multi-Select, hard)

Which TWO configurations are required to enable SSL VPN authentication using a RADIUS server on a FortiGate?

Select 2 answers
A. Create a user group that includes the RADIUS server as an authentication method
B. Configure an LDAP server to synchronize user accounts
C. Configure an SSL VPN portal with 'Require Authentication' enabled
D. Define the RADIUS server under User & Authentication > RADIUS Servers
E. Set a local password policy for SSL VPN users
Answers: A, D

A user group ties the RADIUS server to SSL VPN authentication.

Why this answer

Option A is correct because a user group must be created to reference the RADIUS server as an authentication method. This group is then applied to the SSL VPN portal or firewall policy, allowing FortiGate to forward authentication requests to the RADIUS server. Without the user group, the RADIUS server cannot be associated with SSL VPN authentication.

Exam trap

The trap here is that candidates often think configuring the RADIUS server alone is sufficient, but FortiGate requires the user group to link the RADIUS server to the SSL VPN authentication process.

922 (MCQ, easy)

A FortiGate is configured as a ZTNA proxy for a web application. Users report that after authenticating, they receive a '502 Bad Gateway' error. What is the most likely cause?

A. The backend server is unreachable from the FortiGate.
B. The ZTNA proxy is not configured with a valid SSL certificate.
C. The user's device posture is not compliant.
D. The ZTNA rule is not using the correct source interface.

Why this answer

A 502 Bad Gateway error indicates the proxy cannot reach the backend server. The ZTNA proxy itself is working (hence the error page is served), but the connection to the real server fails.

923 (Multi-Select, medium)

A network administrator is configuring SD-WAN on a FortiGate to control outbound internet traffic. The requirement is to load balance traffic across two WAN interfaces (port1 and port2) based on the number of new sessions, but only when both links are healthy. The administrator has added both interfaces to the SD-WAN zone and configured performance SLAs. Which TWO additional configuration steps are necessary to implement this requirement?

Select 2 answers
A. Enable 'ECMP load balancing' in the routing settings
B. Configure the SD-WAN rule to use a performance SLA for health checking
C. Set the load balancing algorithm to 'sessions' in the SD-WAN rule for the traffic
D. Configure a policy-based routing rule to direct traffic to the SD-WAN zone
E. Set the 'sla-check' under config system sdwan to 'enable'
Answers: B, C

Why this answer

SD-WAN load balancing is configured in the SD-WAN rules. Setting the load balancing algorithm to 'sessions' achieves session-based distribution. The rule must also be configured to use the performance SLA to check link health, typically by setting the 'health check' field under SD-WAN rule strategy.

Option A is correct because the algorithm must be set to 'sessions'. Option D is correct because the rule must reference a performance SLA to consider link health.

924 (MCQ, medium)

An administrator configures a hub-and-spoke ADVPN with IBGP over the VPN overlays. The spokes receive the default route from the hub, but they cannot reach each other directly. The administrator wants spoke-to-spoke traffic to use shortcut tunnels. Which additional configuration is required on the hub?

A. Enable 'auto-discovery-sender' and 'auto-discovery-receiver' on the phase1 interfaces.
B. Configure 'set neighbor <spoke-ip> next-hop-self' under BGP.
C. Create a firewall policy that permits traffic between spokes.
D. Add 'set advpn-multicast enable' to the phase1 configuration.

Why this answer

ADVPN requires the hub to have 'auto-discovery-sender' and 'auto-discovery-receiver' enabled on the phase1 to exchange route information and trigger shortcut tunnel establishment between spokes.

925 (MCQ, easy)

An administrator observes that after a failover in an HA cluster, some established sessions are dropped. The cluster is configured with session pickup enabled. What is the most likely reason for the dropped sessions?

A. The failover occurred during a configuration synchronization
B. The HA uptime is less than the session TTL
C. Session pickup only synchronizes TCP sessions, and the dropped sessions are UDP
D. The session helper for the protocol is not enabled
Answer: C

Session pickup by default only synchronizes TCP sessions. UDP and other protocols are not preserved during failover.

Why this answer

Session pickup synchronizes sessions between HA members, but if the session was established before the cluster was fully synchronized, or if the session table is full, sessions may be dropped. However, the most common reason is that session pickup only works for TCP sessions, not UDP or other protocols.

926 (MCQ, medium)

An email security administrator wants to prevent attackers from spoofing the company's domain. Which email authentication mechanism should be configured to allow receiving servers to verify that emails claiming to be from the domain are sent from authorized mail servers?

A. DMARC
B. SPF
C. TLS for SMTP
D. DKIM
Answer: B

SPF records list authorized sending IPs or hostnames.

Why this answer

Option D is correct because SPF (Sender Policy Framework) allows domain owners to specify which servers are authorized to send emails for their domain.

927 (MCQ, hard)

A FortiGate administrator configures a custom IPS signature with the pattern 'attack' in the HTTP request URI. After applying the signature, no alerts are generated even though the traffic matches. What is the MOST likely cause?

A. The signature's protocol decoder is set to 'HTTP'
B. The signature action is set to 'pass'
C. The signature's protocol decoder is not set to 'HTTP'
D. The signature severity is too low
Answer: C

Without the proper decoder, the pattern is not matched in the HTTP URI.

Why this answer

The custom IPS signature pattern 'attack' will only be inspected against the HTTP request URI if the signature's protocol decoder is explicitly set to 'HTTP'. Without this decoder assignment, the IPS engine does not know which protocol layer to parse, and the pattern is never matched against the URI, resulting in no alerts despite matching traffic.

Exam trap

The trap here is that candidates often assume a signature will automatically inspect all traffic or that the 'pass' action suppresses alerts, when in fact the protocol decoder is a mandatory prerequisite for any application-layer pattern matching in FortiGate IPS.

How to eliminate wrong answers

Option A is wrong because setting the protocol decoder to 'HTTP' is exactly what is required for the signature to inspect HTTP request URIs; this would enable alerts, not prevent them. Option B is wrong because a 'pass' action would allow the traffic but still generate a log entry (alert) by default unless logging is disabled; the question states no alerts are generated, so action alone is not the cause. Option D is wrong because signature severity does not affect whether an alert is generated; severity only influences the event's priority in logs and reports, not the detection or alerting process.

928 (MCQ, medium)

A network administrator configures a hub-and-spoke ADVPN with FortiGates. Phase 1 and phase 2 settings are correct, and spoke gateways can communicate with the hub. However, shortcut tunnels between spokes are not being established. What is the most likely cause?

A. DPD is disabled on the phase 1 interface
B. The hub FortiGate has 'set auto-discovery-sender enable' configured
C. Dynamic routing (BGP/OSPF) is not configured over the VPN overlay
D. The spoke FortiGates do not have IKEv2 enabled
Answer: C

ADVPN shortcut establishment relies on dynamic routing to exchange spoke routes via the hub. Without it, spokes don't know about each other.

Why this answer

ADVPN requires policy-based routing or routing protocol to propagate routes and trigger shortcut setup. Without a routing protocol like BGP/OSPF, spokes will not learn routes to other spokes, and shortcut negotiation fails.

929 (MCQ, medium)

An administrator runs 'diagnose sys session filter dport 443' and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A. The session has been active for 1 hour and will expire in about 1 hour
B. The session is about to expire and will be removed soon
C. The session is using UDP protocol
D. The session is in a half-open state
Answer: A

Duration=3600 (1 hour), expire=3599 (almost 1 hour).

Why this answer

The output shows a TCP session (proto=6) in state 01 (established), duration of 3600 seconds (1 hour), and expire time of 3599 seconds (almost 1 hour remaining). This indicates a long-running HTTPS session that is still active.

930 (Multi-Select, medium)

An administrator wants to configure FortiGate to automatically block a source IP when a high-severity IPS event is detected. Which TWO components must be configured? (Choose two.)

Select 2 answers
A. A firewall policy with IPS enabled
B. A FortiGuard category subscription
C. An automation stitch trigger set to 'IPS Event'
D. A static route to the source IP
E. An automation stitch action set to 'Quarantine'
Answers: C, E

Trigger defines when the stitch runs.

Why this answer

Option C is correct because an automation stitch trigger set to 'IPS Event' is required to detect the high-severity IPS event and initiate the automated response. Option E is correct because the 'Quarantine' action within the automation stitch is the component that actually blocks the source IP by adding a dynamic block entry to the firewall policy.

Exam trap

The trap here is that candidates often assume enabling IPS on a firewall policy (Option A) is sufficient for automatic blocking, but FortiGate requires an explicit automation stitch to convert detection into an automated quarantine action.

931 (MCQ, hard)

An administrator runs the command 'diagnose sys session filter dport 443' on a FortiGate and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A. The session is in SYN_SENT state, meaning the three-way handshake is incomplete
B. The session is fully established and will expire in about 3599 seconds
C. The traffic is being blocked by the firewall policy
D. The session is using HTTPS and has been inspected
Answer: A

State 01 indicates SYN_SENT; the session has not yet received a SYN-ACK.

Why this answer

The output shows `proto=6` (TCP), `proto_state=01`, `duration=3600`, and `expire=3599`. In FortiGate's session table, `proto_state=01` represents the TCP state `SYN_SENT`, which means the session has sent a SYN but has not yet received a SYN-ACK, so the three-way handshake is incomplete. The `expire=3599` indicates the session will time out in 3599 seconds if the handshake does not complete, but the session is not yet established.

Exam trap

The trap here is that candidates assume `dport 443` and `expire=3599` mean an established HTTPS session, but the `proto_state=01` value explicitly indicates an incomplete handshake, not a fully established connection.

How to eliminate wrong answers

Option B is wrong because `proto_state=01` is not the established state (which would be `08` for ESTABLISHED); a fully established TCP session would show `proto_state=08` and a much shorter expiry (e.g., 3600 seconds for idle timeout). Option C is wrong because the session is present in the session table with a valid state, meaning it is not being blocked by the firewall policy; blocked traffic would not create a session entry at all. Option D is wrong because `dport 443` only indicates the destination port, not that HTTPS inspection has occurred; inspection depends on the firewall policy's SSL inspection profile, not the port number alone.

932
MCQ · medium

An administrator receives an error when trying to create a ZTNA proxy rule: 'The ZTNA proxy rule requires a valid application mapping.' What does this indicate?

A. The FortiClient EMS is not reachable
B. The application mapping object is not defined
C. The SSL certificate is missing
D. The firewall policy is not in place
Answer: B

Each proxy rule must reference an application mapping.

Why this answer

A ZTNA proxy rule maps an external FQDN/port to an internal application. The error means the application mapping (which defines the internal server) is missing or misconfigured.

933
MCQ · medium

A company is implementing Zero Trust Network Access using Fortinet's ZTNA solution. They have deployed a FortiGate as the ZTNA gateway and are using FortiClient as the ZTNA agent. Users report that they can initiate ZTNA connections, but the connections drop after a few minutes. The FortiGate logs show that the ZTNA session is being terminated due to an endpoint compliance check failure. Which action should the administrator take to resolve this issue?

A. Review and adjust the endpoint compliance rules in FortiClient EMS.
B. Disable endpoint compliance checks on the FortiGate.
C. Increase the session timeout on the FortiGate ZTNA gateway.
D. Change the authentication method from certificate to LDAP.
Answer: A

Adjusting compliance rules to match the actual endpoint state will allow the connection to persist.

Why this answer

The correct answer is A because the FortiGate logs explicitly indicate that the ZTNA session is being terminated due to an endpoint compliance check failure. This means the FortiGate is enforcing compliance rules defined in FortiClient EMS, and when the endpoint fails those checks (e.g., missing antivirus updates, firewall disabled), the session is dropped. Reviewing and adjusting the compliance rules in EMS allows the administrator to align the requirements with the actual endpoint posture or correct the misconfiguration causing the failure.

Exam trap

The trap here is that candidates may confuse session timeout (a timer-based disconnect) with compliance enforcement (a policy-based disconnect), leading them to incorrectly choose option C instead of recognizing that the log message directly points to a compliance rule issue in EMS.

How to eliminate wrong answers

Option B is wrong because disabling endpoint compliance checks on the FortiGate would bypass the Zero Trust principle entirely, leaving the network vulnerable to non-compliant endpoints, and does not address the root cause of why compliance checks are failing. Option C is wrong because increasing the session timeout would not prevent the session from being terminated due to a compliance check failure; the timeout controls idle session duration, not compliance enforcement. Option D is wrong because changing the authentication method from certificate to LDAP does not affect endpoint compliance checks; ZTNA session termination due to compliance failure is independent of the authentication method used.

934
MCQ · medium

A FortiGate administrator observes that traffic from an internal user to the internet is being blocked. The firewall policy allows the traffic, and the user can ping external hosts. The administrator runs 'diagnose debug flow' for the user's IP and sees 'session denied by forward policy check'. What is the MOST likely cause?

A. There is an implicit deny policy blocking the traffic
B. The antivirus profile has detected a threat and is blocking the session
C. The user's traffic is being rate-limited by a traffic shaper
D. The user's source IP is in a local-in policy that denies the traffic
Answer: A

The forward policy check indicates that no explicit policy matches the traffic, so it is denied by the implicit deny.

Why this answer

Option A is correct. 'session denied by forward policy check' indicates that no explicit policy matches the traffic, so it falls through to the implicit deny.

935
MCQ · hard

A FortiGate cluster (A-P) has a session that is not synchronizing to the secondary unit. The administrator runs 'diagnose sys ha session-sync status' and sees that the session count is different between primary and secondary. Which is the most likely cause?

A. The session is using a custom application control profile that prevents synchronization.
B. The HA heartbeat interface is down.
C. The secondary unit has insufficient memory to accept new sessions.
D. The session was created by local-in traffic (e.g., management traffic), which is not synchronized.
Answer: D

Local-in sessions are typically not synced across HA members.

Why this answer

FortiGate A-P clusters synchronize sessions via the HA heartbeat interface, but local-in traffic (e.g., management sessions like HTTPS, SSH, or SNMP) is never synchronized because it is destined to the cluster IP itself and is inherently unit-specific. The 'diagnose sys ha session-sync status' command shows a session count mismatch because the primary unit has local-in sessions that the secondary does not replicate, making D the correct answer.

Exam trap

The trap here is that candidates assume all sessions are synchronized by default, but FortiGate explicitly excludes local-in traffic (management sessions) from HA synchronization, so a session count difference is normal and expected for those sessions.

How to eliminate wrong answers

Option A is wrong because application control profiles do not affect session synchronization; they are inspection profiles applied to traffic policies, and session synchronization is controlled by HA settings and session type, not by security profiles. Option B is wrong because if the HA heartbeat interface were down, the cluster would not be able to maintain a synchronized state at all, and the secondary would likely be isolated or the cluster would split-brain; the question states the cluster is operational with a session count difference, not a total sync failure. Option C is wrong because insufficient memory on the secondary would cause it to reject new sessions or fail to synchronize, but the symptom would be a growing session count mismatch over time, not a persistent difference for a specific session; moreover, the secondary would still attempt synchronization and log memory pressure, not simply skip a session silently.

936
MCQ · medium

An administrator configures BGP over an IPsec VPN between two FortiGates. The BGP session is established, but routes from the remote site are not being installed in the local routing table. The admin verifies that the BGP neighbor configuration is correct and the remote site is advertising routes. What is the MOST likely cause?

A. The BGP timers are too aggressive, causing route flapping
B. The BGP network statement is missing on the local FortiGate
C. A firewall policy is blocking BGP traffic on the VPN interface
D. The next-hop IP address is not reachable
Answer: C

The VPN interface or loopback used for BGP peering must have a firewall policy allowing inbound BGP traffic (TCP 179). Without it, BGP packets are dropped even though the VPN tunnel is up.

Why this answer

BGP traffic must be allowed by a firewall policy on the loopback or interface used for BGP peering. Even if the VPN tunnel is up, BGP traffic (TCP port 179) may be blocked by the local-in policy or by the VPN interface's firewall policy if it is not explicitly allowed.

937
MCQ · hard

A FortiGate is running OSPF in a multi-area topology. The administrator needs to redistribute connected routes from area 0 into area 1 but does not want to leak any other routes. Which configuration is correct?

A. Use policy-based routing to forward traffic to the connected networks.
B. Add the connected networks as networks in area 1 using 'network x.x.x.x 255.255.255.0 area 1'.
C. Configure route redistribution under OSPF with 'redistribute connected' and apply a route map that permits only the desired connected networks.
D. Use 'set redistribute connected' under the OSPF interface configuration for the connected interface in area 0.
Answer: C

Using redistribution with a route map allows selective advertisement of only the specified connected routes.

938
MCQ · easy

A FortiGate administrator wants to quickly identify which process is consuming the most CPU on the device. Which CLI command should be used?

A. diagnose hardware sysinfo memory
B. diagnose sys top
C. diagnose debug application crashlog read
D. get system performance status
Answer: B

This command shows real-time process CPU and memory usage, allowing identification of high CPU consumers.

Why this answer

Option B is correct. 'diagnose sys top' provides a real-time view of process CPU and memory usage.

939
MCQ · easy

Refer to the exhibit. An administrator has configured an active-passive HA cluster. After reviewing the configuration and status, the administrator wants to ensure that the management interface (port2) is accessible on both units using the same IP address. What additional configuration is required?

A. Set the gateway to 0.0.0.0
B. Enable ha-mgmt-status on the secondary unit
C. Configure a virtual management IP under the cluster settings
D. Disable session-pickup to free resources
Answer: C

A virtual IP ensures the management interface is reachable via the same IP on both units.

Why this answer

In an active-passive HA cluster, the management interface (port2) must be reachable on both units using the same IP address. This is achieved by configuring a virtual management IP (also known as a management IP address) under the cluster settings. The virtual management IP is assigned to the active unit and, upon failover, is automatically moved to the new active unit, ensuring continuous management access without requiring separate IP addresses per unit.

Exam trap

The trap here is that candidates often confuse enabling ha-mgmt-status (which allows individual unit management) with configuring a virtual management IP (which provides a single shared IP for the cluster), leading them to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because setting the gateway to 0.0.0.0 would remove the default route, making the management interface unreachable from remote networks; it does not provide a shared IP address. Option B is wrong because enabling ha-mgmt-status on the secondary unit only allows the secondary unit to be managed via its own dedicated management IP, not a shared IP address; it does not create a virtual management IP that follows the active unit. Option D is wrong because disabling session-pickup would prevent session synchronization between HA units, degrading failover performance and availability, and has no relation to management interface accessibility.

940
MCQ · medium

A FortiGate is using BFD for BGP fast failure detection. The administrator wants to ensure that if the BFD session goes down, the BGP neighbor is removed and routes are withdrawn immediately. Which configuration is necessary?

A. Enable BFD on the BGP neighbor and ensure BFD timers are set lower than the BGP hold time
B. Configure BGP graceful restart
C. Set BGP hold time to 0
D. Use 'set bfd-desired-min-tx 100' on the interface
Answer: A

BFD must be enabled for the BGP neighbor; when BFD detects a failure, it notifies BGP to tear down the session.

941
MCQ · hard

A FortiGate in an HA cluster with VDOMs enabled experiences a failover. After the failover, traffic that was passing before is now being dropped. The configuration is synchronized between the primary and secondary units. What is the most likely reason?

A. The new primary has a different VDOM configuration
B. The firewall policies are not synchronized
C. Session synchronization is not enabled between HA members
D. VDOM link interfaces are down on the new primary
Answer: C

Without session sync, the new primary lacks session information for existing connections, causing drops until clients retransmit.

Why this answer

The most likely reason is that session synchronization is not enabled between HA members. When a failover occurs, the new primary FortiGate does not have the existing session table entries from the original primary, so it treats incoming packets as new connections and may drop them if they do not match a firewall policy's initial handshake state. Even though the configuration is synchronized, session information is not shared unless session synchronization is explicitly configured, causing traffic to be dropped after failover.

Exam trap

The trap here is that candidates assume synchronized configuration includes session state, but FortiGate HA separates configuration sync from session sync, and session synchronization must be enabled as a separate setting under the HA configuration.

How to eliminate wrong answers

Option A is wrong because VDOM configuration is synchronized between HA members, so the new primary has the same VDOM configuration as the old primary. Option B is wrong because the question states that the configuration is synchronized, which includes firewall policies, so they are identical on both units. Option D is wrong because VDOM link interfaces are part of the synchronized configuration and would be in the same state on the new primary; if they were down, the issue would be a configuration or physical problem, not a failover-specific behavior.

942
Multi-Select · hard

Which TWO statements are true regarding BGP path selection in a FortiGate SD-WAN environment?

Select 2 answers
A. BGP best path selection is independent of SD-WAN rules unless explicitly overridden.
B. SD-WAN cannot be applied to routes learned via BGP.
C. SD-WAN can modify BGP MED values to influence path selection.
D. SD-WAN rules always follow the BGP best path selection.
E. SD-WAN can use BGP community values as match criteria in SD-WAN rules.
Answers: A, E

BGP selects the best path; SD-WAN rules are applied afterwards.

Why this answer

BGP best path selection operates independently of SD-WAN rules because BGP selects the best route based on its own path attributes (e.g., weight, local preference, AS path length, MED) as defined in RFC 4271. SD-WAN rules can only override this selection if explicitly configured to do so, typically by using route maps or policy-based routing to influence the decision. Without such an override, the BGP best path is installed in the routing table and SD-WAN rules then apply to traffic forwarding, not to the BGP path selection process itself.

Exam trap

The trap here is that candidates often assume SD-WAN automatically overrides BGP path selection or that BGP attributes like MED can be dynamically adjusted by SD-WAN, when in fact SD-WAN operates on the forwarding plane and can only influence path selection through explicit policy overrides or by matching existing BGP attributes like communities.

943
MCQ · medium

A FortiGate is operating in transparent mode for a VDOM. Which statement about transparent mode is TRUE?

A. Virtual IP (VIP) objects are supported in transparent mode to map public to private IPs
B. The FortiGate operates as a Layer 2 bridge, forwarding frames without modifying source/destination MAC addresses
C. Each interface in the VDOM must have an IP address in the same subnet
D. The VDOM can have multiple IP subnets on the same broadcast domain, and the FortiGate inspects traffic between them
Answer: B

Transparent mode bridges traffic at Layer 2, preserving MAC addresses and performing security inspection.

Why this answer

In transparent mode, a FortiGate VDOM acts as a Layer 2 bridge, forwarding Ethernet frames based on MAC addresses without modifying the source or destination MAC addresses. This allows the FortiGate to inspect traffic between hosts on the same subnet without requiring IP address changes or routing, functioning as a security appliance that is transparent to the network.

Exam trap

The trap here is that candidates often confuse transparent mode with NAT or routing capabilities, assuming VIPs or multi-subnet routing are supported, when in fact transparent mode strictly operates at Layer 2 without IP address manipulation.

How to eliminate wrong answers

Option A is wrong because Virtual IP (VIP) objects are not supported in transparent mode; VIPs require NAT and routing, which are Layer 3 functions, and transparent mode operates strictly at Layer 2. Option C is wrong because interfaces in a transparent mode VDOM do not need IP addresses in the same subnet; they typically have no IP addresses or are assigned management IPs that can be in different subnets, as the FortiGate bridges frames without IP configuration. Option D is wrong because a transparent mode VDOM cannot have multiple IP subnets on the same broadcast domain for inspection; it bridges all traffic within the same broadcast domain and does not perform routing between subnets, which would require Layer 3 forwarding.

944
MCQ · medium

Which command is used on a FortiGate to view the current routing table including VRF instances?

A. show ip route
B. get router info routing-table all
C. diagnose ip route list
D. execute router list
Answer: B

This shows the routing tables of all VRFs.

Why this answer

Option B is correct because 'get router info routing-table all' is the FortiGate CLI command that displays the complete routing table, including all VRF instances. This command retrieves the kernel routing table entries for every VRF, showing routes from all routing protocols (static, OSPF, BGP, etc.) and is the standard way to view the full routing context on FortiGate.

Exam trap

The trap here is that candidates familiar with Cisco IOS often default to 'show ip route' (Option A), not realizing that FortiGate uses a completely different CLI syntax where 'get router info' is the equivalent operational command for viewing routing tables.

How to eliminate wrong answers

Option A is wrong because 'show ip route' is a Cisco IOS command, not a FortiGate command; FortiGate uses a different CLI syntax and does not support 'show' for routing table display. Option C is wrong because 'diagnose ip route list' is a FortiGate diagnostic command used for debugging or troubleshooting the routing table, but it is not the standard operational command to view the current routing table including VRF instances; it may show additional internal details but is not the intended production command. Option D is wrong because 'execute router list' is not a valid FortiGate command; FortiGate uses 'execute' for actions like ping or traceroute, not for listing routing tables.

945
MCQ · medium

An administrator configures a VDOM link between VDOMs A and B. In VDOM A, the VDOM link interface is assigned IP 10.10.10.1/24, and in VDOM B, it is assigned 10.10.10.2/24. A firewall policy on VDOM A allows traffic from a subnet in VDOM A to a subnet in VDOM B. However, traffic fails. The admin checks the routing table in VDOM A and sees a route to the destination subnet via 10.10.10.2. What is the most likely cause?

A. No firewall policy in VDOM B to allow traffic from the VDOM link
B. The VDOM link is not administratively up in VDOM B
C. Inter-VDOM routing is disabled globally
D. The subnet in VDOM B is not defined as an address object in VDOM A's policy
Answer: A

Traffic entering VDOM B must be permitted by a policy. If missing, packets are dropped.

Why this answer

Option A is correct. In VDOM B, there must be a firewall policy allowing inbound traffic from the VDOM link. Without it, the traffic will be dropped upon entering VDOM B.

946
MCQ · hard

A network administrator is troubleshooting an IPsec VPN between two FortiGates. The phase1 is up, but phase2 keeps failing to establish. The administrator runs 'diagnose vpn ike log' and sees: 'no proposal chosen'. Both sides have the same phase2 configuration: AES256-SHA256, DH group 14, 3600 seconds lifetime. What is the MOST likely cause?

A. The NAT traversal setting is inconsistent
B. The IKE version is different on each side
C. The phase2 local and remote subnets do not match on both sides
D. The pre-shared key is incorrect
Answer: C

The 'no proposal chosen' error in phase2 usually indicates a mismatch in the traffic selectors (subnets). Both sides must have mirroring subnet definitions.

Why this answer

Even if the encryption/authentication proposals match, a common issue is a mismatch in the local and remote subnets (selectors). The phase2 negotiation requires matching traffic selectors. If one side has 192.168.1.0/24 and the other has 10.0.0.0/8, the proposals will be rejected.

Option C is correct.

947
MCQ · medium

An administrator configures a VDOM on a FortiGate and assigns two interfaces (port1, port2) to it. The administrator wants to route traffic between two different subnets within the same VDOM. Which configuration is required?

A. Configure a VDOM link
B. Create a policy with inter-VDOM link
C. Enable inter-VDOM routing
D. Configure static or dynamic routing
Answer: D

Standard routing within the VDOM is sufficient to route between subnets on different interfaces.

Why this answer

Option D is correct because routing between two subnets within the same VDOM is standard intra-VDOM routing. Since both interfaces (port1, port2) belong to the same VDOM, no inter-VDOM constructs are needed; the FortiGate simply requires a route (static or dynamic) to forward packets between the subnets. A firewall policy allowing the traffic is also necessary, but the question specifically asks for the routing configuration.

Exam trap

The trap here is that candidates confuse intra-VDOM routing (within the same VDOM) with inter-VDOM routing (between VDOMs) and incorrectly assume that a VDOM link or inter-VDOM routing must be enabled, when in fact standard routing is sufficient.

How to eliminate wrong answers

Option A is wrong because a VDOM link is used to connect two different VDOMs, not to route between subnets within the same VDOM. Option B is wrong because a policy with inter-VDOM link is a firewall rule that references a VDOM link, again for inter-VDOM traffic, not intra-VDOM routing. Option C is wrong because inter-VDOM routing is a global setting that enables routing between VDOMs; it is irrelevant when both interfaces reside in the same VDOM.

948
MCQ · easy

A FortiGate is connected to a FortiSwitch via a trunk port. The administrator wants to manage the FortiSwitch using FortiLink. Which of the following is a prerequisite for FortiLink to function?

A. The FortiSwitch must be running a firmware version that supports CAPWAP
B. The FortiSwitch must be configured with a DHCP server to assign IP addresses
C. The FortiSwitch must have a management IP in the same subnet as the FortiGate's management IP
D. A dedicated FortiLink interface (physical or VLAN) must be configured on the FortiGate
Answer: D

Why this answer

FortiLink requires a dedicated interface or VLAN for management. The FortiGate must have a FortiLink interface configured, typically using a physical interface or a VLAN interface for management traffic. Option D is correct because a dedicated FortiLink interface must be created.

Option B is unnecessary; DHCP is not required. Option C is not required either; the FortiSwitch management IP does not have to be in the same subnet as the FortiGate's management IP.

949
MCQ · easy

Which of the following is a requirement for FortiGate to act as a SAML Identity Provider (IdP) for ZTNA?

A. A public IP address on the WAN interface
B. A configured user database and SAML IdP settings
C. Integration with FortiClient EMS
D. An SSL certificate from a public CA
Answer: B

FortiGate needs a user database to authenticate users against, plus a SAML IdP configuration.

Why this answer

FortiGate can be a SAML IdP, providing authentication to service providers. It requires a configured user database (e.g., local users, LDAP) and a SAML IdP profile.

950
Multi-Select · medium

A FortiGate administrator is troubleshooting a VPN tunnel that uses IKEv2 with certificate authentication. The tunnel fails to establish, and the IKE debug shows 'no acceptable proposal' for the initial exchange. Which TWO configuration mismatches could cause this error? (Choose two.)

Select 2 answers
A. Mismatched encryption algorithms between the two peers
B. Mismatched phase2 encryption algorithms
C. Mismatched IKE version (IKEv1 vs IKEv2)
D. Incorrect local certificate configuration on one peer
E. Mismatched authentication methods (pre-shared key vs certificate)
Answers: A, E

IKEv2 phase1 encryption must match; e.g., AES256 vs AES128.

Why this answer

'No acceptable proposal' typically indicates a mismatch in phase1 parameters such as encryption, hash, DH group, or authentication method. Options A and E are correct because the IKEv2 proposal includes both the encryption algorithms and the authentication method.

951
MCQ · medium

A FortiGate is configured with SD-WAN and has two WAN members: Member1 (ISP1) with priority 10, and Member2 (ISP2) with priority 5. The SD-WAN rule for traffic from the internal network uses the 'best quality' strategy. During normal operation, traffic flows through Member1. After a link failure on Member1, traffic correctly fails over to Member2. However, when Member1 is restored, traffic does not fail back. What is the most likely cause?

A. The static route for Member1 has a higher administrative distance than Member2.
B. The health-check for Member1 is configured with 'set probe-mode passive' and 'set update-static-route disable'.
C. The SD-WAN rule is configured with 'set fallback' disabled.
D. The priority of Member2 is higher than Member1.
Answer: B

Passive monitoring does not trigger fallback; update-static-route must be enabled for the route to be reinstated when the link recovers.

Why this answer

Option B is correct because when 'set probe-mode passive' is configured, the health-check server only monitors the link without actively generating probe traffic, and 'set update-static-route disable' prevents the static route associated with Member1 from being re-enabled after the link is restored. This means the route remains inactive, so SD-WAN cannot fail back to Member1 even though the physical link is up.

Exam trap

The trap here is that candidates assume failback is automatic with SD-WAN, but FortiGate requires explicit configuration of route updates or probe modes to re-enable a restored link; the 'best quality' strategy alone does not handle failback without proper health-check settings.

How to eliminate wrong answers

Option A is wrong because a higher administrative distance would make the route less preferred, but the question states traffic flows through Member1 normally, so its route must have a lower or equal AD; the issue is about failback, not initial selection. Option C is wrong because 'set fallback' is not a valid SD-WAN rule parameter; the correct parameter for controlling failback behavior is 'set update-static-route' or 'set probe-mode', not a 'fallback' toggle. Option D is wrong because priority 10 is higher than 5, making Member1 preferred; if Member2 had higher priority, traffic would not have flowed through Member1 initially.

952
Multi-Select · medium

An administrator is configuring a FortiGate to inspect SMTP traffic for spam and viruses. The traffic must be decrypted to inspect the content. Which THREE elements are required for this configuration? (Choose three.)

Select 3 answers
A. A spam filter profile applied to the firewall policy
B. A web filter profile applied to the firewall policy
C. An antivirus profile applied to the firewall policy
D. An application control profile applied to the firewall policy
E. A firewall policy that allows SMTP traffic and has SSL inspection enabled
Answers: A, C, E

Spam filtering is needed to identify and block spam.

Why this answer

Options A, C, and E are correct. SSL inspection decrypts the traffic, the antivirus profile scans for viruses, and the spam filter profile blocks spam.

953
MCQ · medium

An administrator is troubleshooting BGP with SD-WAN. They have configured BGP on the FortiGate and the SD-WAN rule uses 'best quality' strategy. However, failover does not happen when a WAN link goes down. The BGP session is still up. What is the most likely reason?

A. The performance SLA is not configured to track the BGP next hop.
B. The SD-WAN rule is configured with 'set update-static-route disable'.
C. The BGP session is using eBGP multihop.
D. The load balancing algorithm is set to 'volume'.
Answer: A

For SD-WAN to detect a link failure, the performance SLA must monitor the actual path to the BGP next hop or to the internet. The BGP session may remain up via an alternate path even though the link is degraded.

Why this answer

SD-WAN failover relies on performance SLA probes to measure link quality. If the BGP session is still up but the link is slow or lossy, the SLA will detect the degradation and trigger failover. Without SLA monitoring, link down events might not be detected if BGP session stays up via a backup path.

954
MCQ · medium

A security analyst notices repeated failed login attempts from a specific IP address to the FortiGate management interface. The administrator wants to automatically blacklist the IP after 3 failed attempts within 60 seconds. Which feature should be configured?

A. Intrusion Prevention System (IPS) with custom signature
B. FortiGate's built-in DoS policy and blacklist
C. Admin lockdown and intruder lockout settings
D. Administrative access trusted hosts
Answer: C

FortiGate can be configured to lock out IPs after failed admin login attempts via the 'config system admin' settings, or via 'config system global' with 'set admin-lockout-threshold' and 'set admin-lockout-duration'.

955
Multi-Select · medium

Which TWO of the following are required for FortiGate to successfully obtain file verdicts from FortiSandbox? (Choose two.)

Select 2 answers
A. Proxy-based inspection mode enabled on the policy
B. Valid FortiSandbox license on FortiGate
C. FortiSandbox inline scanning enabled in antivirus profile
D. FortiGuard Security Rating subscription
E. Network connectivity between FortiGate and FortiSandbox
Answers: B, E

Needed to enable the sandbox feature.

Why this answer

A valid FortiSandbox license on the FortiGate is required to authenticate and authorize communication with the FortiSandbox appliance or cloud service. Without this license, the FortiGate cannot register with the FortiSandbox or submit files for verdict analysis, even if network connectivity exists.

Exam trap

The trap here is that candidates often assume proxy-based inspection or inline scanning is mandatory for sandbox integration, but FortiGate can use flow-based inspection and retrieve verdicts asynchronously without inline mode enabled.

956
MCQ · hard

A FortiGate is blocking HTTP traffic from 10.0.1.5 to 10.0.2.100, despite an explicit allow policy. The exhibit shows the configuration and debug flow output. What is the most likely cause?

A. The policy is applied to the wrong source interface.
B. The policy action is set to deny.
C. TCP SYN flood protection is dropping the incomplete session.
D. The source address object does not include 10.0.1.5.
Answer: C

The 'state proto not ready' message indicates an incomplete TCP handshake, often caused by DoS protection thresholds being exceeded.

Why this answer

The debug flow output shows the session is in a 'SYN_RECV' state and never transitions to 'ESTABLISHED', which is characteristic of TCP SYN flood protection. When the FortiGate's SYN flood protection threshold is exceeded, it drops incomplete sessions before they can be fully established, even if an explicit allow policy exists. This explains why HTTP traffic from 10.0.1.5 to 10.0.2.100 is blocked despite the policy being correctly configured.

Exam trap

The trap here is that candidates often assume a policy issue (wrong interface, wrong action, or wrong address object) when the debug flow shows a session being created but not completing, but the real cause is a DoS protection mechanism that drops the session after the initial SYN.

How to eliminate wrong answers

Option A is wrong because if the policy were applied to the wrong source interface, the debug flow would typically show a 'no matching policy' message or a policy lookup failure, not a session stuck in SYN_RECV. Option B is wrong because if the policy action were set to deny, the debug flow would show an explicit deny action or a 'deny' flag in the session table, not a session that is being tracked but never completes. Option D is wrong because if the source address object did not include 10.0.1.5, the policy lookup would fail to match, resulting in a 'no matching policy' or implicit deny, not a session that reaches SYN_RECV and then stalls.

957
Multi-Select (medium)

A network engineer wants to deploy a FortiGate in transparent mode and have it managed by FortiManager. The FortiGate should not participate in routing, but must be able to send logs to FortiAnalyzer. Which two settings must be configured on the FortiGate to achieve this?

Select 2 answers
A.Enable DHCP client on the management interface
B.Configure a management IP address on the FortiGate
C.Enable NAT on the management interface
D.Add a static route to reach FortiManager and FortiAnalyzer
E.Set the interface IP address in the same subnet as the upstream router
Answers: B, D

In transparent mode, the management IP is used for management and logging.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge and does not participate in routing. However, to be managed by FortiManager and send logs to FortiAnalyzer, the FortiGate must have a management IP address (option B) so that it can be reached as a management endpoint. Additionally, a static route (option D) is required to direct traffic to the management and logging servers, since the FortiGate cannot rely on dynamic routing protocols in transparent mode.

Exam trap

The trap here is that candidates assume transparent mode requires no IP configuration at all, but FortiManager and FortiAnalyzer communication still needs a management IP and a static route to function correctly.

958
MCQ (hard)

A large enterprise operates two FortiGate 600E firewalls in an HA active-passive cluster. They have enabled VDOMs to isolate traffic for different business units: Finance, HR, and Engineering. Each VDOM has its own internet connection through separate ISPs. The cluster has been running smoothly for months. Recently, the IT team noticed that users in the Finance VDOM experience intermittent connectivity drops to their cloud-based ERP system. The drops last 30-60 seconds and occur several times a day. During these drops, ping to the ERP IP address fails. The HA cluster status shows 'synchronized' and no failover events are logged. The Finance VDOM uses a static default route pointing to the primary ISP gateway. The other VDOMs are unaffected. What is the most likely cause of the issue?

A.The HA cluster is in active-active mode, causing routing loops for the Finance VDOM.
B.The heartbeat interface is oversubscribed, causing intermittent HA synchronization failures.
C.The 'set ha-mgmt-status enable' command is configured on the passive unit, preventing route synchronization.
D.The VDOM link configuration is not synchronized between the two units, causing asymmetric routing for the Finance VDOM.
Answer: D

VDOM links must be identical on both HA units; a mismatch can cause intermittent traffic drops.

Why this answer

Option D is correct because VDOM link configurations are stored per-VDOM and must be synchronized independently. If the VDOM link configuration is not synchronized between the HA units, the passive unit may have a different or missing VDOM link, causing asymmetric routing when traffic is processed by the passive unit during a transient state (e.g., session ownership change or link flap). This leads to intermittent connectivity drops for the Finance VDOM only, as its traffic is isolated and uses a static default route.

Exam trap

The trap here is that candidates often assume HA synchronization covers all configurations uniformly, but VDOM-specific objects like VDOM links require explicit synchronization and can cause asymmetric routing issues when mismatched between HA peers.

How to eliminate wrong answers

Option A is wrong because the cluster is explicitly described as active-passive, not active-active, so routing loops due to active-active mode are impossible. Option B is wrong because heartbeat interface oversubscription would cause HA synchronization failures or split-brain scenarios, but the cluster status shows 'synchronized' and no failover events are logged, ruling out heartbeat issues. Option C is wrong because 'set ha-mgmt-status enable' only allows management access to the passive unit via dedicated management interfaces; it does not affect route synchronization or cause connectivity drops for a specific VDOM.

959
MCQ (medium)

A FortiGate administrator wants to use SAML SSO to authenticate VPN users. The FortiGate will act as the service provider (SP) and an external identity provider (IdP) will be used. Which of the following must be configured on the FortiGate to enable SAML authentication for SSL VPN?

A.A RADIUS server pointing to the IdP and an authentication rule.
B.An LDAP server with the IdP's certificate and a matching policy.
C.A user group with SAML authentication method and an SSL VPN portal referencing that group.
D.A local user with SAML attributes and a firewall policy referencing that user.
Answer: C

Why this answer

For SAML SSO on SSL VPN, you must configure a user group with SAML authentication, then assign an SSL VPN portal that uses that group. The FortiGate acts as SP. RADIUS/LDAP are not required.

960
MCQ (easy)

Which Fortinet product provides endpoint detection and response (EDR) capabilities, including automated threat containment?

A.FortiClient
B.FortiEDR
C.FortiSandbox
D.FortiGuard
Answer: B

FortiEDR provides EDR functionality.

Why this answer

FortiEDR is the correct answer because it is Fortinet's dedicated endpoint detection and response solution that provides real-time behavioral analysis, automated threat containment, and forensic investigation capabilities. Unlike traditional antivirus, FortiEDR uses machine learning and pre-execution analysis to detect and block advanced threats, and it can automatically isolate compromised endpoints from the network to prevent lateral movement.

Exam trap

The trap here is that candidates often confuse FortiClient's basic endpoint protection features (like antivirus and web filtering) with the advanced EDR capabilities that are exclusive to FortiEDR, especially since FortiClient can be managed by FortiEDR but does not itself provide automated threat containment.

How to eliminate wrong answers

Option A (FortiClient) is wrong because FortiClient is a unified endpoint agent that provides VPN, web filtering, and basic antivirus, but it does not include full EDR capabilities such as automated threat containment or deep forensic analysis; it relies on FortiEDR or FortiSandbox for advanced detection. Option C (FortiSandbox) is wrong because FortiSandbox is a network-based sandboxing appliance that detonates suspicious files and URLs in a virtual environment to identify zero-day threats, but it does not run on endpoints or provide endpoint-level automated containment. Option D (FortiGuard) is wrong because FortiGuard is Fortinet's global threat intelligence and security services subscription (including antivirus signatures, web filtering categories, and IP reputation), not a product that performs endpoint detection or response actions.

961
MCQ (medium)

A network administrator is configuring inter-VDOM routing between two VDOMs: VDOM-A and VDOM-B. The administrator creates an inter-VDOM link and adds routes pointing to the link. However, traffic from VDOM-A to VDOM-B fails. What is the most likely missing configuration?

A.Both VDOMs must be in transparent mode
B.A firewall policy must be created in each VDOM to permit traffic across the inter-VDOM link
C.The inter-VDOM link must be in the same VDOM
D.The management VDOM must be enabled
Answer: B

Why this answer

In FortiGate, inter-VDOM routing requires firewall policies in each VDOM to explicitly permit traffic across the inter-VDOM link. Without these policies, the FortiGate drops the traffic even if routes are correctly configured, because the inter-VDOM link behaves like a virtual interface that requires policy-based access control.

Exam trap

The trap here is that candidates assume routing alone is sufficient for inter-VDOM communication, overlooking FortiGate's requirement for explicit firewall policies to permit traffic across VDOM boundaries, similar to how policies are needed between physical interfaces.

How to eliminate wrong answers

Option A is wrong because inter-VDOM routing works in both transparent and NAT/route modes; both VDOMs do not need to be in transparent mode. Option C is wrong because the inter-VDOM link is a cross-VDOM connection, not a single-VDOM interface; placing it in the same VDOM would defeat the purpose of inter-VDOM routing. Option D is wrong because the management VDOM is only required for administrative access and has no bearing on inter-VDOM traffic forwarding.

962
Multi-Select (hard)

An administrator is troubleshooting a VPN tunnel between two FortiGates. The phase 1 fails to come up. The administrator runs 'diagnose vpn ike log' and sees the error 'no proposal chosen'. Which THREE configuration mismatches could cause this error?

Select 3 answers
A.Different Diffie-Hellman groups (e.g., DH5 vs DH14)
B.Different encryption algorithms (e.g., AES128 vs 3DES)
C.Mismatched local and remote gateway IPs
D.Mismatched pre-shared keys
E.Different IKE mode (main vs aggressive)
Answers: A, B, E

DH group is a key component of the IKE proposal; mismatch results in 'no proposal chosen'.

Why this answer

The 'no proposal chosen' error in IKE phase 1 indicates that the two peers cannot agree on the IKE SA parameters. Common mismatches include encryption algorithm, authentication method, and Diffie-Hellman group.

963
MCQ (medium)

A company is deploying FortiClient ATP to protect endpoints. They want to block ransomware behavior in real time. Which FortiClient feature should be enabled?

A.Real-Time Protection
B.Vulnerability Scan
C.Web Filtering
D.Application Firewall
Answer: A

This feature monitors processes and file operations for malicious behavior.

Why this answer

Option A is correct. FortiClient's Real-Time Protection includes behavior-based detection that can identify and block ransomware patterns.

964
MCQ (easy)

A FortiGate administrator is troubleshooting why a new firewall policy is not being applied to traffic. The policy has been created and installed via FortiManager. What is the quickest way to verify the current state of the policy on the FortiGate?

A.Use 'diagnose debug flow'
B.Run 'execute fortimanager reindex'
C.Check FortiManager revision history
D.Run 'show firewall policy'
Answer: D

This shows the current policy configuration on the FortiGate.

Why this answer

Option D is correct because running 'show firewall policy' on the FortiGate CLI displays the currently active policy set in the kernel, including the policy ID and its enabled/disabled status. This is the quickest way to confirm whether the policy installed via FortiManager is actually present and active on the FortiGate, without generating debug logs or querying the management plane.

Exam trap

The trap here is that candidates confuse the management plane (FortiManager revision history) with the data plane (FortiGate kernel policy table), leading them to choose an option that checks the manager instead of the actual device state.

How to eliminate wrong answers

Option A is wrong because 'diagnose debug flow' is a packet-level debugging tool used to trace traffic matching and policy decisions in real time, not a method to verify the static state of a policy. Option B is wrong because 'execute fortimanager reindex' forces FortiManager to rebuild its database indexes, which does not affect or verify the policy state on the FortiGate. Option C is wrong because checking FortiManager revision history shows past configuration changes stored on the manager, not the current runtime state of the policy on the managed FortiGate.

965
MCQ (easy)

A FortiGate is configured with SD-WAN using load balancing algorithm 'source-dest-ip'. What is the primary characteristic of this algorithm?

A.Traffic is sent to the member with the highest bandwidth.
B.Traffic is sent to the member with the lowest cost metric.
C.Traffic is distributed evenly across all SD-WAN members regardless of source or destination.
D.All traffic from the same source IP to the same destination IP uses the same SD-WAN member.
Answer: D

Source-dest-ip hashing ensures that traffic belonging to the same source-destination pair is consistently sent over the same link, preserving session affinity.

Why this answer

The source-dest-ip algorithm uses a hash of source and destination IP addresses to select the outgoing interface, ensuring that all packets of a given session go through the same link.

966
MCQ (medium)

A network administrator is configuring FortiManager to manage multiple FortiGates with different VDOMs. The admin needs to ensure that each FortiGate's VDOMs can be independently managed. What is the correct configuration step?

A.Enable per-VDOM ADOM mode in FortiManager to manage each VDOM as a separate ADOM
B.Use a single ADOM for all FortiGates
C.Configure each FortiGate as a separate device in the Global ADOM
D.Use the same policy package for all VDOMs
Answer: A

Per-VDOM ADOM mode allows each VDOM on a FortiGate to be managed as an independent ADOM, enabling granular control.

Why this answer

Option A is correct because FortiManager's per-VDOM ADOM mode allows each VDOM on a FortiGate to be treated as an independent ADOM, enabling separate management of policies, objects, and settings per VDOM. This is essential when different VDOMs serve distinct tenants or departments and must not share configuration contexts.

Exam trap

The trap here is that candidates often confuse per-VDOM ADOM mode with simply adding multiple FortiGates to a single ADOM, failing to realize that independent VDOM management requires a separate ADOM per VDOM, not just per device.

How to eliminate wrong answers

Option B is wrong because using a single ADOM for all FortiGates would merge all VDOMs into one management domain, preventing independent per-VDOM control and violating the requirement. Option C is wrong because configuring each FortiGate as a separate device in the Global ADOM still treats the entire FortiGate as one unit, not allowing per-VDOM separation; the Global ADOM is intended for system-level settings, not VDOM-level management. Option D is wrong because using the same policy package for all VDOMs would force identical firewall policies across VDOMs, contradicting the need for independent management.

967
MCQ (hard)

A FortiGate is configured as a SAML IdP for a partner's cloud application. After configuring the application as a service provider, users report that they are prompted for credentials every time they access the application, even though they already authenticated to FortiGate. What is the MOST likely cause?

A.The SAML single logout URL is misconfigured
B.The SAML assertion is not signed
C.The IdP session timeout is set to a lower value than the SP session timeout
D.The FortiGate is not configured to generate a Name ID
Answer: C

If the IdP session expires, FortiGate will require re-authentication even if the SP session is still active.

Why this answer

SAML SSO requires consistent session timeout settings. If the IdP session timeout is shorter than the SP session, users may need to re-authenticate frequently.

968
MCQ (medium)

In FortiManager, what is the purpose of header and footer policies in a policy package?

A.To create policy groups for better organization
B.To apply policies only during specific times of the day
C.To ensure specific policies are always placed at the top (header) or bottom (footer) of the policy list
D.To separate IPv4 and IPv6 policies
Answer: C

Header/footer policies provide a way to enforce mandatory policies.

Why this answer

Header and footer policies in FortiManager are special policy types that enforce a fixed position within the policy list. Header policies are always placed at the top (before all other policies), and footer policies are always placed at the bottom (after all other policies). This ensures that critical security rules, such as default-deny or global allow rules, remain in their intended position regardless of policy package changes or reordering operations.

Exam trap

The trap here is that candidates confuse header/footer policies with policy ordering or scheduling, assuming they are just a way to organize or time-limit policies, rather than understanding they enforce a fixed position in the policy list.

How to eliminate wrong answers

Option A is wrong because header and footer policies are not used for organizational grouping; policy groups (or policy sections) are created using policy packages or policy folders, not header/footer policies. Option B is wrong because time-based policy enforcement is handled by schedule objects within individual policy rules, not by the header/footer policy mechanism. Option D is wrong because IPv4 and IPv6 policies are separated by policy type (IPv4 vs IPv6) within the policy package, not by header/footer policies.

969
MCQ (medium)

An administrator needs to apply different routing policies for traffic based on source IP address, overriding the normal routing table. Which feature should be configured?

A.Prefix list
B.SD-WAN rule
C.Route map
D.Policy-based routing
Answer: D

PBR enables routing based on policies.

Why this answer

Policy-based routing (PBR) allows routing decisions based on criteria like source IP, protocol, etc., overriding the routing table.

970
MCQ (easy)

A network administrator runs 'diagnose sys top' and sees that the 'ipsengine' process is consistently using 99% CPU. What is the BEST immediate action to reduce CPU load?

A.Reboot the FortiGate
B.Increase the session limit
C.Disable IPS inspection on policies that don't require it
D.Change IPS engine to flow-based mode
Answer: C

Disabling IPS reduces CPU usage by the ipsengine process.

Why this answer

Option C is correct because disabling IPS inspection on policies that do not need it stops the IPS engine from processing that traffic, thus reducing CPU load. Option A (rebooting) would not help if the issue is sustained CPU load. Option D (changing to flow-based mode) might help but is less direct.

Option B (increasing the session limit) is not relevant.

971
MCQ (medium)

An administrator runs the CLI command 'diagnose vpn ike gateway list' and sees that a phase1 gateway is in 'UP' state, but the 'DPD' field shows 'disabled'. The tunnel is working. What is the implication?

A.DPD is only used for phase2, so phase1 is unaffected.
B.DPD is disabled but the tunnel will still detect peer failure via IKE keepalives.
C.The FortiGate is using NAT-T, which disables DPD automatically.
D.The tunnel will never detect if the remote peer goes down.
Answer: D

Why this answer

DPD is the mechanism to detect peer liveness. If disabled, the FortiGate will not proactively check if the peer is reachable, so a dead peer will not be detected until traffic fails. IKE keepalives are not a separate mechanism; DPD is the standard method.

NAT-T does not inherently disable DPD.

972
MCQ (medium)

An administrator has configured FortiGate as a SAML service provider (SP) for VPN authentication. Users are prompted for credentials but authentication fails even though they can authenticate directly at the IdP portal. What is the most likely misconfiguration?

A.The IdP is using HTTP-POST binding while FortiGate expects HTTP-Redirect
B.The IdP certificate is not imported on FortiGate
C.The FortiGate's entity ID or ACS URL registered at the IdP is incorrect
D.SAML authentication is not enabled in the VPN portal
Answer: C

Mismatched endpoints prevent the IdP from sending the SAML assertion to the correct location.

Why this answer

If users can authenticate at the IdP but not via FortiGate SP, the problem is likely that the FortiGate entity ID or ACS URL does not match what is registered at the IdP.

973
MCQ (hard)

An administrator runs 'diagnose debug application sslvpn -1' and sees repeated 'SSL_ERROR_SSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate'. The SSL-VPN is configured to require client certificates. What is the cause?

A.The client is not sending a client certificate
B.The SSL-VPN server certificate is expired
C.The SSL-VPN tunnel mode is misconfigured
D.The CA certificate is not imported on FortiGate
Answer: A

Correct. The error 'peer did not return a certificate' means the client did not provide the required certificate.

Why this answer

The error indicates that the SSL-VPN server expects a client certificate (mutual authentication) but the client did not provide one. The administrator should check the client certificate configuration on the user's machine.

974
MCQ (hard)

An organization has two FortiGate firewalls in an HA active-passive cluster. They notice that after a failover event, some users cannot access external resources. The administrator checks the HA configuration and finds that failover occurred correctly. What is the most likely cause of the connectivity issue?

A.VDOM links are not synchronized
B.session-pickup is disabled
C.HA override is enabled
D.Gratuitous ARP is disabled
Answer: A

If VDOM links are not synchronized, the backup unit may have incorrect link status, causing routing issues.

Why this answer

In an HA active-passive cluster, VDOM links are not automatically synchronized between peers. After a failover, the new primary FortiGate may lack the VDOM link configurations required to route traffic between VDOMs, causing connectivity loss for users relying on inter-VDOM routing. This is a common misconfiguration because VDOM links are treated as local objects and must be explicitly replicated or re-created on the peer.

Exam trap

The trap here is that candidates assume all HA configurations are fully synchronized, but FortiGate explicitly excludes VDOM links from HA sync, requiring manual replication or use of a configuration-only sync method.

How to eliminate wrong answers

Option B is wrong because session-pickup, when enabled, synchronizes existing sessions to the standby unit, but it does not affect the ability to establish new sessions after failover; the issue described is about persistent connectivity, not session state loss. Option C is wrong because HA override controls which unit becomes primary after a failure (e.g., preempting based on priority), but it does not impact connectivity after failover; the administrator confirmed failover occurred correctly. Option D is wrong because gratuitous ARP (GARP) is sent by the new primary to update switch MAC tables; disabling it would cause temporary traffic blackholing until ARP caches time out, but the question states users cannot access external resources persistently, not just transiently.

975
MCQ (medium)

An administrator runs 'diagnose sys session filter dport 443' and sees output indicating sessions with state 'proto=6 proto_state=01 duration=3600 expire=3598'. What does this output indicate about the session?

A.The session is an expired TCP session that is being removed
B.The session is a UDP session to port 443 that has been idle for 3600 seconds
C.The session is an established TCP session to port 443, lasting 3600 seconds with 3598 seconds remaining
D.The session is blocked by a firewall policy and has been logged
Answer: C

Correct interpretation of the diagnose output.

Why this answer

Option C is correct. The output shows a TCP session (proto=6) with proto_state 01 (TCP session established). The duration and expire values are in seconds.

This indicates an active TCP session that has been established for 3600 seconds (1 hour) and will expire in 3598 seconds.
