Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 976–1000

1000 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
MCQ · easy

Which command displays the current session count on a FortiGate?

A. get system performance status
B. diagnose sys session stat
C. show system session
D. diagnose hardware sysinfo session

Answer: A

This command shows session count under 'Session number'.

Why this answer

The 'get system performance status' command shows the number of current sessions among other performance statistics.

977
MCQ · medium

A FortiGate administrator is configuring ZTNA to provide secure access to an internal application. The application is hosted on a server with IP 10.0.1.100 and port 8080. The administrator creates a ZTNA rule on the FortiGate as an access proxy. What is the correct configuration for the ZTNA rule's 'Application Access' entry?

A. External port: 0, Mapped port: 8080, Destination: 10.0.1.100
B. External port: 8080, Mapped port: 443, Destination: 10.0.1.100
C. External port: 443, Mapped port: 443, Destination: 10.0.1.100
D. External port: 443, Mapped port: 8080, Destination: 10.0.1.100

Answer: D

The client connects to the FortiGate on port 443, and the FortiGate forwards to the internal server on port 8080.

Why this answer

For a ZTNA access proxy, the destination virtual IP maps the external address and port to the internal server. Option D is correct: the external port is the port the client connects to (443) and the mapped port is the internal server port (8080).

978
MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599. What does this indicate about the traffic?

A. The session is being blocked by the firewall
B. The session is in a half-open state, waiting for SYN-ACK
C. The session is an established TCP connection
D. The session is a UDP connection with a long timeout

Answer: C

proto=6 indicates TCP, and state 01 means established. The session is active and expected to continue.

Why this answer

The output shows a TCP session (proto=6). In FortiGate session diagnostics, proto_state=01 means the TCP session is in the ESTABLISHED state. The session has been up for 3600 seconds and will expire in 3599 seconds. Option C is correct because it is an established TCP session.

979
Matching · medium

Match each FortiGate interface type to its usage.


Matches

Hardware network port

Virtual LAN subinterface

Virtual interface for management or routing

Combines multiple physical links for redundancy

Link aggregation (LAG) for increased bandwidth

Why these pairings

These interface types are configurable on FortiGate.

980
MCQ · medium

An organization wants to protect a public-facing web application against SQL injection and cross-site scripting (XSS) attacks. They have a FortiGate and a FortiWeb. What is the BEST deployment approach?

A. Place the web server in a DMZ and rely on firewall policies
B. Use FortiGate WAF profile only
C. Deploy FortiWeb in reverse proxy mode in front of the web server
D. Use FortiGate IPS signatures for SQL injection and XSS

Answer: C

FortiWeb provides comprehensive WAF features like signature-based detection, anomaly detection, and bot mitigation.

Why this answer

Option C is correct because FortiWeb is purpose-built for web application security and provides deep inspection and protection against OWASP Top 10 threats like SQLi and XSS.

981
Multi-Select · medium

An administrator is troubleshooting a VPN tunnel that is not coming up. The remote peer is a third-party device. Which THREE actions should be taken to diagnose the issue?

Select 3 answers
A. Ensure that the pre-shared key matches on both sides.
B. Confirm that UDP ports 500 and 4500 are not blocked by any firewall.
C. Verify that the remote peer's IP address is reachable via ping.
D. Check the IPsec VPN logs with 'diag debug application ike -1'.
E. Review the routing table to ensure the remote subnet is reachable through the tunnel interface.

Answers: A, C, D

Mismatched PSK is a common cause of tunnel failure.

Why this answer

Option A is correct because IPsec IKE (Internet Key Exchange) uses the pre-shared key (PSK) during authentication phase 1 (Main Mode or Aggressive Mode). If the PSK does not match on both peers, the IKE SA will fail to establish, and the VPN tunnel will not come up. This is a fundamental prerequisite for any IPsec VPN, and mismatched PSKs are a common misconfiguration.

Exam trap

The trap here is that candidates often confuse post-tunnel routing checks (Option E) with pre-tunnel connectivity checks, or they assume firewall port blocking (Option B) is a direct diagnostic step rather than a prerequisite to verify after other checks fail.

982
Multi-Select · hard

Which TWO statements correctly describe the behavior of SD-WAN rules when using the 'maximize-bandwidth' strategy?

Select 2 answers
A. The strategy ensures that all traffic uses the member with the highest bandwidth.
B. The administrator can assign different weights to members to influence the proportion of traffic each handles.
C. If a member fails its health-check, it is removed from the set of eligible members for the rule.
D. Traffic from a single session can be split across multiple members for better performance.
E. Traffic is distributed based on session count to keep each link equally utilized.

Answers: B, C

Weights can be set per member to control the load-balancing ratio.

Why this answer

Option B is correct because the 'maximize-bandwidth' strategy in SD-WAN rules uses weighted load balancing, where the administrator assigns weights to each member link. The proportion of traffic each member handles is directly proportional to its assigned weight, allowing fine-grained control over bandwidth utilization across multiple WAN links.

Exam trap

The trap here is that candidates often confuse 'maximize-bandwidth' with simple 'load balancing' or assume it splits individual sessions, when in fact it uses weighted distribution while maintaining per-session stickiness and relying on health checks for member eligibility.

983
MCQ · medium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is established but traffic is not passing. The administrator runs 'diagnose vpn ike log' and sees 'no matching policy for this IPsec SA'. What is the most likely cause?

A. The phase2 selectors do not match between peers
B. There is no firewall policy allowing traffic from the local network to the remote network via the VPN tunnel interface
C. The pre-shared key is mismatched
D. The tunnel interface is administratively down

Answer: B

Even if the tunnel is up, a firewall policy must explicitly permit traffic to use the tunnel. Without it, traffic is dropped.

Why this answer

The error indicates that the IKE SA exists but no firewall policy matches the traffic to use the tunnel. The tunnel interface is likely configured but the policy to allow traffic through the tunnel is missing or incorrect.

984
Multi-Select · medium

An administrator needs to ensure that traffic between two VDOMs (VDOM_A and VDOM_B) is inspected by an IPS profile. Which TWO configuration elements are required?

Select 2 answers
A. An inter-VDOM link with IP addresses in the same subnet
B. NAT enabled on the inter-VDOM link
C. A firewall policy on VDOM_B with the source as the inter-VDOM link
D. An IPsec VPN between the VDOMs
E. A firewall policy on VDOM_A with the inter-VDOM link as the destination interface and an IPS profile applied

Answers: A, E

Inter-VDOM links are necessary to route traffic between VDOMs.

Why this answer

An inter-VDOM link is required to route traffic between VDOMs, and placing IP addresses in the same subnet on both ends ensures direct Layer 2 connectivity without routing overhead. This allows the firewall policies in each VDOM to control traffic flow, and applying an IPS profile on the policy in VDOM_A (with the inter-VDOM link as the destination interface) ensures that all traffic leaving VDOM_A toward VDOM_B is inspected by IPS.

Exam trap

The trap here is that candidates often assume an IPsec VPN or NAT is needed for inter-VDOM communication, but FortiGate uses inter-VDOM links with same-subnet IPs and firewall policies to enable direct, inspectable traffic flow.

985
MCQ · easy

A network administrator is deploying a FortiGate in transparent mode to replace an existing layer 2 switch. Which statement about transparent mode is true?

A. All interfaces operate at layer 2, and the FortiGate forwards traffic based on MAC addresses
B. Transparent mode only supports static routing
C. Transparent mode requires VDOMs to be enabled
D. The FortiGate acts as a router and requires IP addresses on its interfaces

Answer: A

Correct. The device behaves like a firewall bridge.

Why this answer

In transparent mode, the FortiGate operates as a layer 2 bridge, forwarding traffic based on MAC addresses without performing routing. All interfaces are in the same broadcast domain, and the FortiGate inspects traffic at layers 3–7 while remaining transparent to the network. This allows it to replace a layer 2 switch while adding firewall functionality.

Exam trap

The trap here is that candidates assume transparent mode disables all routing capabilities, but it actually supports routing when VDOMs are enabled, and the key distinction is that traffic forwarding is MAC-based, not IP-based.

How to eliminate wrong answers

Option B is wrong because transparent mode supports both static and dynamic routing (e.g., OSPF, BGP) when VDOMs are enabled, though it is often used without routing. Option C is wrong because VDOMs are not required for transparent mode; they are an optional feature for multi-tenancy or administrative separation. Option D is wrong because the FortiGate in transparent mode does not act as a router; its management IP is used for administrative access only, and traffic forwarding is based on MAC addresses, not IP addresses.

986
MCQ · medium

A FortiGate administrator notices that files submitted to FortiSandbox are receiving verdicts but the firewall is not automatically blocking the detected malware. The FortiSandbox integration is configured under Security Fabric > External Connectors. What additional configuration is required to enforce blocking based on FortiSandbox verdicts?

A. Enable the 'fortisandbox' option in the antivirus profile applied to the firewall policy
B. Enable 'Inline Scan' on the FortiSandbox connector
C. Configure an automation stitch to quarantine files based on verdict
D. Enable 'Block malicious files' in the FortiSandbox connector settings

Answer: A

The antivirus profile with 'fortisandbox' enabled will use FortiSandbox verdicts to block malicious files.

Why this answer

Option A is correct because the FortiSandbox verdict integration requires the antivirus profile applied to the firewall policy to have the 'fortisandbox' option enabled. This option allows the FortiGate to query FortiSandbox for verdicts and automatically block files that are determined to be malicious. Without this setting in the antivirus profile, the FortiGate will receive verdicts but will not enforce blocking actions on the traffic.

Exam trap

The trap here is that candidates often confuse the FortiSandbox connector settings (like 'Block malicious files') with the actual enforcement mechanism, which is the antivirus profile's 'fortisandbox' option that must be explicitly enabled in the policy's security profile.

How to eliminate wrong answers

Option B is wrong because 'Inline Scan' is a feature for FortiGate's local inline scanning of files, not for enforcing blocking based on FortiSandbox verdicts; it controls how files are scanned, not the action taken on verdicts. Option C is wrong because automation stitches can be used to trigger actions like quarantine, but they are not the primary or required configuration to enforce blocking based on FortiSandbox verdicts; the verdict-based blocking is handled directly by the antivirus profile. Option D is wrong because the 'Block malicious files' setting in the FortiSandbox connector settings controls whether the FortiGate sends files to FortiSandbox for analysis, not whether it blocks files based on received verdicts; blocking is enforced at the antivirus profile level.

987
MCQ · easy

A FortiGate administrator wants to ensure that only devices with an up-to-date antivirus and OS patch level can access a sensitive application published via ZTNA. Which ZTNA component should the administrator configure to enforce this requirement?

A. ZTNA proxy configuration
B. ZTNA tags with posture checks
C. SSL VPN portal settings
D. Firewall policy with application control

Answer: B

ZTNA tags can include posture attributes. Policies reference these tags to control access based on device compliance.

Why this answer

ZTNA tags are used to define conditions based on device posture (e.g., antivirus status, OS patch level). Tags are assigned via FortiClient EMS and referenced in ZTNA policies to grant or deny access.

988
MCQ · medium

A FortiGate admin is configuring a multi-peer IPsec VPN where the remote site has two ISPs for redundancy. The admin wants to ensure that if the primary ISP fails, the VPN automatically fails over to the secondary ISP without manual intervention. Which feature should be enabled?

A. IPsec interface mode with DHCP
B. IKEv2 with mobility extension
C. Auto-negotiate phase 1 settings
D. Dead Peer Detection (DPD) with retry and failover

Answer: D

DPD detects when the peer is unreachable and can trigger failover to a secondary path or peer.

Why this answer

DPD (Dead Peer Detection) with auto-negotiation allows the FortiGate to detect peer unreachability and automatically re-establish the tunnel using an alternate path if configured.

989
MCQ · easy

A FortiGate is configured with ECMP routing to balance traffic across two default routes via two ISPs. The administrator wants to ensure that traffic from the same source-destination pair always uses the same ISP. Which ECMP load balancing method should be configured?

A. source-dest-ip
B. source-ip
C. per-packet
D. session

Answer: A

Why this answer

ECMP on FortiGate supports several load balancing methods, including a source-destination IP hash. To keep traffic from the same source-destination pair on the same ISP, use source-dest-ip hashing. Option A is correct.

Option B hashes on the source IP only. Option C is per-packet (not typical). Option D is session-based.

990
MCQ · medium

Which feature allows a FortiGate to use multiple VRFs to separate routing tables for different customers or departments on the same physical device?

A. SD-WAN
B. VDOM
C. VRF
D. Policy-based routing

Answer: C

VRF creates separate routing tables.

Why this answer

VRF (Virtual Routing and Forwarding) enables multiple independent routing table instances on a single FortiGate, allowing traffic separation without additional hardware.

991
MCQ · medium

A FortiManager administrator wants to push a policy package that includes both global header/footer policies and VDOM-specific policies. Which statement about header/footer policies is correct?

A. Header/footer policies are only available when using per-device mapping
B. Header/footer policies can only be configured directly on the FortiGate, not via FortiManager
C. Header/footer policies are automatically generated and cannot be manually edited
D. Header policies are inserted before the VDOM's own policies; footer policies are appended after

Answer: D

Correct. This ensures consistent enforcement.

Why this answer

Option D is correct because in FortiManager, when a policy package includes both global header/footer policies and VDOM-specific policies, the header policies are inserted before the VDOM's own policies in the policy table, while footer policies are appended after them. This ensures that header policies are evaluated first for traffic matching, and footer policies serve as a catch-all or default set of rules at the end of the VDOM policy list.

Exam trap

The trap here is that candidates often assume header/footer policies are only for per-device mapping or must be configured locally on the FortiGate, but FortiManager fully supports creating and managing them centrally for consistent policy enforcement across VDOMs.

How to eliminate wrong answers

Option A is wrong because header/footer policies are available with both per-device mapping and policy package installation, not exclusively with per-device mapping. Option B is wrong because header/footer policies can be configured directly on FortiManager under the global policy package and then pushed to managed FortiGates, not only on the FortiGate itself. Option C is wrong because header/footer policies are manually created and edited by the administrator in FortiManager, not automatically generated; they are user-defined policies that provide a consistent set of rules across multiple VDOMs.

992
MCQ · medium

An administrator wants to add custom fields to device objects in FortiManager to track location and contact info. Which feature should be used?

A. Meta fields
B. System templates
C. Custom reports
D. Dynamic mapping

Answer: A

Correct.

Why this answer

Meta fields in FortiManager allow administrators to define custom attributes (e.g., location, contact info) that can be attached to device objects. These fields are stored in the FortiManager database and can be used for filtering, reporting, and policy mapping, providing a flexible way to enrich device metadata without modifying the device configuration itself.

Exam trap

The trap here is that candidates confuse 'meta fields' with 'system templates' because both involve customization, but system templates apply configuration settings to devices, whereas meta fields add descriptive metadata without altering device configurations.

How to eliminate wrong answers

Option B is wrong because system templates are used to standardize configuration settings (e.g., SNMP, admin profiles) across devices, not to add custom fields to device objects. Option C is wrong because custom reports are used to generate tailored views of log and event data, not to define metadata fields on device objects. Option D is wrong because dynamic mapping is a feature for automatically assigning devices to ADOMs or groups based on criteria like IP address or hostname, not for adding custom fields.

993
MCQ · medium

An administrator configured a firewall policy to inspect SMTP traffic using an antivirus profile. However, email attachments are not being scanned. The FortiGate is operating in proxy-based inspection mode. What is the most likely cause?

A. The policy is set to 'accept' instead of 'deny'
B. The email is sent over TLS encryption
C. The antivirus profile is set to flow-based inspection
D. The SMTP session helper is not enabled

Answer: D

Correct. The SMTP helper ensures FortiGate understands the SMTP protocol and can inspect email attachments.

Why this answer

SMTP traffic requires a specific session helper to be enabled for FortiGate to properly parse and scan email traffic. If the SMTP session helper is disabled, the antivirus profile may not scan the attachments correctly.

994
MCQ · medium

A network administrator is troubleshooting a BGP session between a FortiGate and an ISP router. The administrator runs 'get router info bgp summary' and sees that the BGP state is 'Active'. What does this state indicate?

A. The BGP speaker is trying to establish a TCP connection with the peer
B. The BGP session is administratively down due to a configuration error
C. The BGP speaker is waiting for a routing update from the peer
D. The BGP session is fully established and exchanging routes

Answer: A

Why this answer

In BGP, the 'Active' state means the router is trying to initiate a TCP connection to the peer but has not yet established it. This usually indicates a connectivity issue between the peers, such as a firewall blocking TCP port 179 or incorrect IP addressing. Option A is correct.

Option D describes the 'Established' state. Options B and C do not describe the 'Active' state: 'Active' is not an administrative-down condition, and routing updates are only exchanged once the session is established.

995
MCQ · medium

An administrator notices that SD-WAN rule-based traffic is not failing over as expected when the primary link goes down. The SLA targets are configured correctly, and the interface health check is showing 'dead' for the primary link. What is the MOST likely reason for the failover not occurring?

A. The SD-WAN rule's 'set strategy' is 'manual' and the preferred member is still set to the primary interface
B. The SD-WAN rule's 'set status' is set to 'disable'
C. The secondary interface has a higher cost than the primary interface
D. The 'set update-static-route' is not enabled on the SD-WAN

Answer: A

When strategy is 'manual', the rule will not failover automatically; traffic continues to be sent to the preferred member even if the SLA is dead.

Why this answer

Option A is correct. The manual strategy does not fail over automatically; the preferred member must be changed manually or via automation.

996
MCQ · medium

A FortiGate administrator notices that traffic from a specific subnet is not being inspected by the Intrusion Prevention System (IPS) profile applied to the firewall policy. The policy is configured with the correct profile, and the IPS engine is enabled. What is the most likely cause?

A. The traffic is encrypted and SSL inspection is not enabled
B. The protocol in the IPS profile is not enabled for the application being used
C. The IPS profile is configured for signature-based detection only
D. The firewall policy is set to accept mode instead of explicit proxy

Answer: B

IPS profiles have protocol-specific settings; if the protocol is disabled, traffic is not inspected.

Why this answer

The most likely cause is that the protocol in the IPS profile is not enabled for the application being used. Even when an IPS profile is applied to a firewall policy and the IPS engine is running, the profile must have the specific protocol (e.g., HTTP, SMTP, FTP) enabled for inspection. If the protocol is disabled or not selected, the IPS engine will bypass traffic of that type, resulting in no intrusion detection or prevention for that traffic.

Exam trap

The trap here is that candidates often assume an IPS profile will inspect all traffic by default once applied, overlooking the need to enable specific protocol sensors within the profile for the traffic to be inspected.

How to eliminate wrong answers

Option A is wrong because encrypted traffic that is not decrypted by SSL inspection would simply be passed without deep inspection, but the question states traffic from a specific subnet is not inspected at all, which points to a protocol-level filtering issue rather than encryption. Option C is wrong because signature-based detection is the standard mode for IPS; if the profile were configured for signature-based detection only, it would still inspect traffic as long as the protocol is enabled. Option D is wrong because the firewall policy mode (accept vs. explicit proxy) affects how traffic is directed to the FortiGate, not whether IPS inspection is applied; IPS inspection is independent of the policy mode.

997
MCQ · hard

A FortiGate is configured with two WAN members in an SD-WAN zone. The performance SLA monitors latency to a probe server. The rule uses the 'best quality' strategy. After some time, one member fails the SLA. Which action does the FortiGate take for existing sessions that were using that member?

A. All sessions are dropped and the member is removed from the zone
B. Existing sessions are re-evaluated and may be moved based on policy
C. Existing sessions are immediately moved to another member
D. Existing sessions continue on the failed member until they time out

Answer: D

Only new sessions are affected.

Why this answer

When a member fails the SLA, only new sessions are redirected to other members that meet the SLA. Existing sessions continue on the failed member until they expire or are terminated. The 'best quality' strategy does not preemptively move existing sessions.

998
MCQ · medium

When troubleshooting an IPsec VPN phase 1 failure, you run 'diagnose vpn ike config' and see that the remote gateway IP address is incorrect. Which command is used to correct the peer IP configuration?

A. set psksecret <secret>
B. execute vpn tunnel down <tunnel>
C. config vpn ipsec phase1-interface edit <name> set remote-gw <ip>
D. set certificate <name>

Answer: C

This sets the remote gateway IP address.

Why this answer

Option C is correct because the peer IP is configured under the phase1-interface settings using the 'set remote-gw' command. Option A sets the PSK. Option D sets the certificate.

Option B is an execute command that brings a tunnel down, not a configuration command.

999
MCQ · easy

A FortiGate administrator wants to use PKI certificates for IKEv2 authentication instead of pre-shared keys. Which phase1 configuration parameter must be changed to support certificate-based authentication?

A. Set the authentication method to 'signature'.
B. Set the proposal to include DH groups 14 or higher.
C. Configure 'local-gw' with the certificate's CN.
D. Enable 'peer-id-option' and set it to 'any'.

Why this answer

For PKI authentication, the phase1 authentication method must be set to 'signature' (RSA signature). This tells FortiGate to use the certificate's private key for IKE authentication.

1000
MCQ · medium

A FortiGate administrator is integrating a FortiSwitch managed by the FortiGate. They want to configure a VLAN interface on the FortiSwitch for user traffic. Which configuration is required on the FortiGate?

A. Enable DHCP relay on the FortiSwitch VLAN
B. Configure a VLAN on the FortiSwitch under the switch controller and assign it to a port
C. Use the config system interface to create a VLAN on the FortiGate and tag it on the trunk
D. Create a VLAN subinterface on the FortiGate's port that connects to the FortiSwitch

Answer: B

Under config switch-controller, you create a VLAN and assign it to switch ports.
