Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 76–150

1000 questions total · 14 pages · All types, answers revealed

Page 2 of 14
76
Multi-Select (medium)

An administrator is troubleshooting why a custom IPS signature for protocol anomaly detection is not triggering. The signature is designed to detect abnormal DNS query lengths. Which TWO steps should the administrator take to verify the signature is working? (Choose two.)

Select 2 answers
A. Reboot the FortiGate to reset the IPS engine
B. Disable the firewall policy to see if the signature triggers
C. Verify that the IPS sensor containing the signature is applied to the correct firewall policy
D. Generate traffic that matches the signature and check the IPS logs for alerts
E. Increase the signature's severity to see it in logs
Answers: C, D

If the sensor is not applied, the signature will not inspect traffic.

Why this answer

To verify a custom IPS signature, the administrator should test it with matching traffic and check the IPS log to confirm detection. Also, ensuring the IPS sensor includes the signature and is applied to a policy is necessary.

77
MCQ (hard)

During a routine audit, a FortiGate administrator discovers that all traffic from a specific user group is being denied by a firewall policy. The policy uses a ZTNA rule that requires the device tag 'Compliant'. The administrator checks the user's device in EMS and sees it is tagged as 'Compliant'. However, the traffic is still denied. What could be the problem?

A. The FortiGate's EMS connector is not syncing tag information in real-time
B. The user's IP address has changed and the tag is mapped to a different IP
C. The ZTNA rule is configured with the wrong application port
D. The device posture compliance check requires additional criteria not met
Answer: A

ZTNA tags are pulled from EMS periodically. If the connector hasn't synced recently, the FortiGate might still have old tag information for that device.

Why this answer

Even if the tag exists, the FortiGate may not have updated tag information from EMS or the session may have been established before the tag was applied. Option A is correct because the FortiGate must re-evaluate tags for new connections; if the EMS connector is not syncing or the session is cached with old tags, it may deny.

78
MCQ (medium)

A multi-area OSPF network includes a FortiGate as an ABR. The administrator needs to redistribute a static route into OSPF. Which command is required on the FortiGate to achieve this?

A. config router ospf / config redistribute / edit 'static' / set status enable / end
B. config router prefix-list / edit 'static' / set action permit / end
C. config router policy / set src 0.0.0.0/0 / set dst 0.0.0.0/0 / end
D. config router static / set redistribute ospf enable / end
Answer: A

Correct method to enable redistribution of static into OSPF.

Why this answer

Redistribution of static routes into OSPF is done under the OSPF process configuration using 'redistribute static' with optional metric and metric-type. The command 'config router ospf' then 'redistribute static' enables redistribution.

79
MCQ (medium)

An administrator sees the following log entry: 'id=13593 msg="CDR: File attachment sanitized"'. Which feature generated this log?

A. Content Disarm and Reconstruction
B. FortiSandbox
C. Machine Learning Engine
D. Outbreak Prevention
Answer: A

CDR sanitizes attachments and logs such events.

Why this answer

Content Disarm and Reconstruction (CDR) sanitizes attachments by removing active content. It is part of the antivirus profile feature set on FortiGate.

80
Multi-Select (hard)

A FortiGate in a multi-area OSPF network is not learning routes from area 1. Which THREE items could be causing this?

Select 3 answers
A. The ABR is not configured with 'set type' for area 1.
B. The 'set redistribute' option is missing on the ABR.
C. There is a firewall policy blocking OSPF traffic between areas.
D. Area 1 is configured as a stub area and does not accept external routes.
E. The interface in area 1 is administratively down.
Answers: C, D, E

OSPF uses multicast and may be blocked by policies.

81
MCQ (medium)

An administrator wants to integrate a FortiExtender with a FortiGate to provide cellular WAN connectivity. Which configuration step is required on the FortiGate to use the FortiExtender as an SD-WAN member?

A. Enable BGP on the FortiExtender interface
B. Create a firewall policy allowing traffic from the FortiExtender
C. Add the FortiExtender's interface to the SD-WAN zone
D. Configure a static route pointing to the FortiExtender
Answer: C

The interface representing the FortiExtender must be added as an SD-WAN member.

Why this answer

The FortiExtender must be registered and configured as an SD-WAN member, typically by enabling it as an interface and adding it to the SD-WAN zone.

82
MCQ (medium)

A company wants to use FortiGate as a SAML service provider (SP) for authenticating administrators to the FortiGate GUI. The identity provider (IdP) is Azure AD. After configuration, administrators are redirected to Azure AD login but receive an error that the SAML request is invalid. What is the most likely misconfiguration?

A. The IdP's entity ID or SSO URL is incorrectly entered on FortiGate
B. The FortiGate's SP entity ID does not match the Azure AD application's identifier
C. The administrator's account is not synchronized with Azure AD
D. The certificate used for signing is not trusted by the IdP
Answer: A

If the IdP entity ID or SSO URL is wrong, the SAML request will be considered invalid by the IdP.

Why this answer

As an SP, FortiGate must be configured with the correct IdP entity ID and SSO URL. If the IdP entity ID is incorrect, the IdP rejects the SAML request.

83
Multi-Select (medium)

A FortiGate in HA mode has two VDOMs: VDOM1 and VDOM2. The administrator needs to ensure that if the active unit fails, the standby unit takes over with minimal disruption. Which TWO steps should be taken?

Select 2 answers
A. Enable session synchronization
B. Set the HA mode to active-active
C. Enable HA on each VDOM individually
D. Configure the same VDOMs on both units
E. Use VDOM link for inter-VDOM traffic
Answers: A, D

Session sync ensures active sessions are preserved on failover.

Why this answer

Option A is correct because session synchronization ensures that stateful firewall sessions (e.g., TCP/UDP connections) are replicated from the active FortiGate to the standby unit. In HA active-passive mode, this allows the standby to seamlessly take over active sessions upon failover, minimizing disruption. Without session synchronization, all existing connections would be dropped and must be re-established.

Exam trap

The trap here is that candidates may think enabling HA on each VDOM individually is required (Option C), but FortiGate HA is a global feature that automatically synchronizes all VDOM configurations across cluster members, and per-VDOM HA configuration does not exist.

84
MCQ (easy)

Which load balancing algorithm in SD-WAN distributes new sessions based on the source and destination IP addresses, ensuring that all sessions from a given source-destination pair go to the same member?

A. Lowest cost
B. Volume
C. Source-dest IP
D. Sessions
Answer: C

Hashes source and destination IP.

Why this answer

The source-destination IP algorithm uses a hash of source and destination IP to consistently select the same member for the same pair, which is useful for stateful applications or to avoid asymmetric routing.

85
MCQ (easy)

In FortiAnalyzer, which tool provides real-time traffic monitoring and allows drilling down into details such as top talkers, applications, and threats?

A. Reports
B. Incidents
C. FortiView
D. Log Viewer
Answer: C

FortiView provides real-time dashboards and drill-down for traffic analysis.

Why this answer

FortiView in FortiAnalyzer provides real-time traffic monitoring with drill-down capabilities into top talkers, applications, and threats. It aggregates data from FortiGate logs and presents it in an interactive dashboard, allowing administrators to identify and investigate network anomalies instantly without generating reports.

Exam trap

The trap here is that candidates confuse the Log Viewer's ability to display logs in real time with FortiView's purpose-built aggregation and drill-down features, leading them to select Log Viewer instead of FortiView.

How to eliminate wrong answers

Option A is wrong because Reports in FortiAnalyzer are scheduled or on-demand summaries of historical data, not real-time monitoring tools. Option B is wrong because Incidents are correlated event groupings for security analysis, not a tool for live traffic inspection. Option D is wrong because Log Viewer displays raw log entries in a tabular format without real-time aggregation or drill-down into top talkers, applications, or threats.

86
Multi-Select (medium)

An administrator is deploying ZTNA with FortiClient EMS to secure access to a corporate web application. Which THREE components are required for a successful ZTNA deployment? (Choose three.)

Select 3 answers
A. FortiSandbox for threat analysis
B. FortiClient EMS server
C. FortiClient installed on endpoint devices
D. FortiGate configured as ZTNA access proxy
E. FortiAnalyzer for logging
Answers: B, C, D

EMS manages compliance rules, ZTNA tags, and pushes policies to FortiClient.

Why this answer

ZTNA requires FortiClient for endpoint posture, EMS for policy/tag management, and FortiGate with ZTNA proxy to enforce access control.

87
MCQ (medium)

A FortiGate admin runs 'diagnose sys session filter dport 443' and sees the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A. The session is a UDP session that has been idle for 1 hour
B. The session has a problem because duration and expire are not equal
C. The session has been active for 1 hour and will expire in about 1 hour
D. The session is a short-lived connection that started 3600 seconds ago
Answer: C

duration is the time since creation, expire is remaining lifetime.

Why this answer

The 'duration=3600' shows the session has been active for 3600 seconds (1 hour). 'expire=3599' indicates the session will expire in 3599 seconds, which is typical for a long-lived HTTPS session that is about to age out.

88
MCQ (hard)

A FortiGate has an IPsec VPN with a remote peer that uses IKEv2. The administrator wants to ensure that child SA rekeying uses PFS (Perfect Forward Secrecy) with Diffie-Hellman group 14. Which CLI command should the administrator configure on the FortiGate's phase 2 proposal?

A. set auto-negotiate enable; set dh-group 14
B. set pfs enable; set dhgrp 14
C. set proposal aes256-sha256 dh-group 14
D. set pfs enable; set dh-group 14
Answer: B

This correctly enables PFS and sets the Diffie-Hellman group to 14.

Why this answer

To enable PFS with DH group 14 on the phase 2 proposal, the correct CLI command is 'set pfs enable' and 'set dhgrp 14'. The command 'set proposal aes256-sha256' defines encryption/integrity, not PFS. The other options do not set PFS correctly.

89
MCQ (hard)

A FortiGate is configured with an IPsec VPN that uses certificate-based authentication. The VPN fails to establish. The administrator checks the phase1 debug and sees the message: 'no suitable certificate found'. What is the most likely cause?

A. The peer's certificate is not trusted
B. The certificate revocation list (CRL) is outdated
C. The CA certificate is missing
D. The local certificate is not imported or does not match the certificate name
Answer: D

The FortiGate needs a local certificate with a subject that matches the local ID; otherwise it cannot present a certificate.

Why this answer

The 'no suitable certificate found' error in IPsec phase1 debug indicates that the FortiGate cannot locate a local certificate that matches the peer's expected certificate name (often the peer's ID or the configured local certificate name). This typically occurs when the local certificate is not imported or the certificate's Common Name (CN) or Subject Alternative Name (SAN) does not match the configured local ID or peer's expected identifier. Without a matching local certificate, the IKE exchange cannot proceed to authenticate the FortiGate to the remote peer.

Exam trap

The trap here is that candidates often confuse 'no suitable certificate found' with trust or revocation issues, but the error specifically points to a missing or mismatched local certificate, not problems with the peer's certificate or CA chain.

How to eliminate wrong answers

Option A is wrong because 'no suitable certificate found' refers to the local certificate not being found or matching, not the peer's certificate trust; a lack of trust in the peer's certificate would produce a different error like 'certificate validation failed' or 'untrusted certificate'. Option B is wrong because an outdated CRL would cause a certificate validation failure (e.g., 'certificate revoked' or 'CRL not checked'), not a failure to find a suitable local certificate. Option C is wrong because a missing CA certificate would prevent validation of the peer's certificate, resulting in a trust-related error, not the 'no suitable certificate found' message which is about the local certificate selection.

90
Multi-Select (hard)

A FortiGate administrator is investigating a slow network performance issue. The administrator suspects that session table limits are being reached. Which TWO metrics should be monitored to confirm this? (Choose two.)

Select 2 answers
A. Interface bandwidth utilization
B. Session fail rate
C. Current session count
D. CPU usage
E. Memory usage
Answers: B, C

A high session fail rate may indicate that new session creation is being denied due to table limits.

Why this answer

Options B and C are correct. Current session count (C) shows how many sessions exist, and session fail rate (B) indicates whether new sessions are being dropped.

91
MCQ (easy)

A network administrator wants to block known malicious IP addresses using threat intelligence feeds on FortiGate. Which feature should they use?

A. FortiGuard Web Filtering
B. External Threat Intelligence
C. Application Control
D. IP Reputation
Answer: B

This feature enables importing third-party threat feeds and using them in firewall policies.

Why this answer

FortiGate's External Threat Intelligence feature allows administrators to import and consume threat intelligence feeds (e.g., STIX/TAXII, CSV, or custom URLs) to block known malicious IP addresses. This is the correct feature because it is specifically designed to ingest external threat data and apply it to firewall policies for dynamic blocking, unlike the other options which serve different purposes.

Exam trap

The trap here is that candidates often confuse IP Reputation (a built-in FortiGuard service) with External Threat Intelligence (a feature for importing custom feeds), leading them to select IP Reputation when the question explicitly mentions 'threat intelligence feeds' from external sources.

How to eliminate wrong answers

Option A is wrong because FortiGuard Web Filtering is used to control access to web categories and URLs based on FortiGuard's cloud database, not to block specific IP addresses from external threat feeds. Option C is wrong because Application Control identifies and controls application traffic (e.g., Facebook, Skype) based on signatures, not IP-based threat intelligence. Option D is wrong because IP Reputation is a built-in FortiGuard service that rates IP addresses based on FortiGuard's own threat data, not a feature to import custom external threat intelligence feeds.

92
MCQ (medium)

A FortiGate is configured as a SAML Identity Provider (IdP) for a remote user accessing a web application via ZTNA. The user authenticates successfully, but the ZTNA proxy logs show 'access denied' for the user. Which configuration element is most likely missing or misconfigured?

A. The ZTNA access proxy application is not enabled for HTTPS.
B. The SAML user group is not added to the ZTNA rule's allowed groups.
C. A firewall policy with ZTNA tags as source is missing.
D. ZTNA tags are not assigned to the user in FortiClient EMS.

Why this answer

ZTNA rules restrict access based on user groups. Even if the user authenticates via SAML, they must be a member of a group that is explicitly allowed in the ZTNA rule. Tags are for client posture, not authentication groups.

93
Multi-Select (medium)

An administrator is troubleshooting an IPsec VPN tunnel that establishes phase 1 but fails to establish phase 2. The phase 2 configuration shows 'set proposal aes128-sha256' on both sides. Which TWO configuration items should the administrator verify?

Select 2 answers
A. PFS (Perfect Forward Secrecy) settings
B. The local authentication method (certificate vs pre-shared key)
C. The encryption algorithm for phase 2
D. The local and remote subnets defined in phase 2 (proxy IDs)
E. The pre-shared key
Answers: A, D

If one side has PFS enabled and the other does not, or they use different DH groups, phase 2 will fail.

Why this answer

Even if phase 1 succeeds, phase 2 can fail due to mismatched proxy IDs (local/remote subnets) or mismatched PFS settings. Authentication method and encryption algorithm are phase 1 parameters.

94
MCQ (hard)

In an HA cluster, after a failover, some established sessions are not being synchronized to the new primary unit. Which setting must be enabled to ensure session synchronization?

A. set override enable
B. set sync-sessions enable
C. set priority <value>
D. set session-pickup enable
Answer: D

This enables session synchronization in HA.

Why this answer

Option D is correct because 'set session-pickup enable' under 'config system ha' enables session synchronization between HA members. Option A controls failover order. Option C sets the unit's priority.

Option B is not a valid setting.

95
MCQ (hard)

During a security audit, it is found that traffic between two VDOMs is allowed even though no inter-VDOM routing policy is configured. The VDOMs are connected via a VDOM link. What could explain this behavior?

A. The FortiGate is in NAT mode
B. The VDOMs are in the same administrative domain
C. The VDOM link is using the same interface IP
D. The VDOM link is operating in transparent mode
Answer: D

If the VDOM link is in transparent mode, it bridges traffic without routing, so inter-VDOM routing policies are not required.

Why this answer

If the VDOM link is configured with the same VLAN ID and IP subnet, traffic may be bridged at Layer 2, bypassing Layer 3 policies. Alternatively, a policy might be implicitly allowing traffic.

96
Multi-Select (easy)

A FortiGate administrator wants to monitor performance thresholds to be alerted when the firewall is under heavy load. Which THREE metrics can be monitored using the built-in performance monitoring features (e.g., 'diagnose sys top' or SNMP)?

Select 3 answers
A. CPU utilization percentage
B. Interface speed
C. Number of concurrent sessions
D. Disk space utilization
E. Memory utilization percentage
Answers: A, C, E

CPU usage is a critical performance indicator.

Why this answer

Common performance metrics include CPU usage, memory usage, and session count. Disk usage is not a direct performance metric for firewall throughput, and interface speed is a capacity metric rather than load.

97
Multi-Select (hard)

An administrator is troubleshooting an IPsec VPN Phase 2 negotiation failure. The debug shows 'no matching phase 2 proposal' from the remote peer. Which TWO of the following are likely causes? (Choose two.)

Select 2 answers
A. The local and remote proxy IDs (subnets) are not matching
B. The pre-shared key is incorrect
C. The firewall policy does not allow UDP port 500
D. The encryption algorithm (e.g., AES256 vs AES128) does not match between peers
E. The IKE version (IKEv1 vs IKEv2) is different
Answers: A, D

Phase 2 requires matching proxy IDs to establish SAs.

Why this answer

Options A and D are correct. A phase 2 proposal mismatch is usually due to mismatched proxy IDs (local/remote subnets) (A) or incompatible encryption/authentication algorithms (D). Options B and C would not cause a proposal mismatch.

98
MCQ (easy)

What is the purpose of BFD on a FortiGate?

A. To load balance traffic across multiple paths.
B. To provide fast detection of link failures.
C. To authenticate OSPF neighbors.
D. To encrypt traffic between two FortiGates.
Answer: B

BFD detects failures faster than routing protocol hello timers.

99
MCQ (easy)

An administrator needs to isolate customer traffic in a FortiGate deployed at a service provider. Each customer should have independent administrators and security policies. Which feature should be used?

A. VLAN interfaces
B. Policy packages
C. Administrative domains (ADOMs)
D. Virtual domains (VDOMs)
Answer: D

VDOMs provide complete separation of management and traffic.

Why this answer

Virtual domains (VDOMs) allow a single FortiGate to be partitioned into multiple independent virtual firewalls, each with its own administrators, security policies, routing tables, and interfaces. This is the correct feature for isolating customer traffic at a service provider because it provides complete administrative and policy separation per customer, which VLAN interfaces alone cannot achieve.

Exam trap

The trap here is confusing VLAN interfaces (Layer 2 segmentation) with VDOMs (full virtual firewall instances), leading candidates to choose VLANs when the question explicitly requires independent administrators and security policies.

How to eliminate wrong answers

Option A is wrong because VLAN interfaces only provide Layer 2 segmentation of traffic on a physical port; they do not create independent administrative domains or separate security policy contexts. Option B is wrong because policy packages are containers for firewall policies within a single VDOM or non-VDOM mode; they do not isolate administrators or provide independent routing and management. Option C is wrong because administrative domains (ADOMs) are a FortiManager concept for managing multiple FortiGate devices centrally, not a feature on the FortiGate itself for local isolation.

100
MCQ (medium)

A FortiGate admin configures an automation stitch to send an email alert when a high-severity IPS event occurs. The trigger is 'IPS Event' and the action is 'Email'. After testing, no email is sent despite events being logged. What is the most likely cause?

A. The IPS event severity threshold is set too low
B. The automation stitch is disabled
C. No SMTP server is configured in the FortiGate
D. The IPS engine is in monitor mode
Answer: C

Email action requires an SMTP server to be configured under System > Settings.

Why this answer

Automation stitches require a valid mail server configuration in the FortiGate's email settings. Without it, the email action cannot be executed.

101
MCQ (medium)

An administrator wants to configure FortiGate to use the machine learning engine for advanced antivirus detection. Which setting must be enabled in the antivirus profile?

A. Enable 'Machine Learning Engine' in the antivirus profile
B. Enable 'Detect All' in the antivirus profile
C. Set 'Scan Mode' to 'Quick' in the antivirus profile
D. Enable 'Use FortiSandbox' in the antivirus profile
Answer: A

The machine learning engine must be enabled in the antivirus profile to use AI-based detection.

Why this answer

Option A is correct because the machine learning engine for advanced antivirus detection is a dedicated feature within the antivirus profile that must be explicitly enabled. This engine uses behavioral analysis and heuristics to detect unknown or zero-day malware without relying solely on signature-based detection. Enabling this setting allows FortiGate to leverage on-device ML models to identify malicious files based on patterns and anomalies.

Exam trap

The trap here is that candidates may confuse the machine learning engine with FortiSandbox integration, assuming that sandboxing is required for ML-based detection, when in fact the ML engine is a standalone on-device feature that must be enabled separately in the antivirus profile.

How to eliminate wrong answers

Option B is wrong because 'Detect All' is not a valid setting in the antivirus profile; it is a misconception that such a toggle exists for enabling ML-based detection. Option C is wrong because setting 'Scan Mode' to 'Quick' reduces scanning depth and may skip certain file types or archives, which would not enable the machine learning engine and could actually decrease detection accuracy. Option D is wrong because 'Use FortiSandbox' integrates with an external sandbox for file detonation and analysis, but it is a separate feature from the on-device machine learning engine and does not enable local ML-based detection.

102
MCQ (hard)

A FortiGate in a multi-VDOM environment has a management VDOM (mgmt-vdom) and a traffic VDOM (corp-vdom). The admin wants to access the FortiGate GUI using IP 10.0.1.1 assigned to port1 in mgmt-vdom. However, the GUI is unreachable. The admin can SSH into mgmt-vdom. What is the most likely cause?

A. The admin must enable 'set allowaccess https' under the interface configuration
B. The management VDOM has an implicit deny policy blocking inbound HTTPS
C. The FortiGate is in transparent mode and requires a management IP
D. The traffic VDOM's routing table is incorrect
Answer: B

Even in the management VDOM, a policy must explicitly allow HTTPS access. Without it, the GUI is blocked.

Why this answer

In a multi-VDOM FortiGate, each VDOM has its own independent firewall policies. Even if HTTPS access is enabled on the interface (set allowaccess https), the management VDOM (mgmt-vdom) still requires an explicit firewall policy to permit inbound HTTPS traffic from the source to the FortiGate's own IP. Without such a policy, the implicit deny rule at the end of the policy list blocks the GUI connection.

SSH works because it is typically allowed by a separate policy or by default administrative access rules, but HTTPS is not implicitly permitted.

Exam trap

The trap here is that candidates assume enabling 'allowaccess' on the interface alone is sufficient for GUI access, overlooking the fact that FortiGate's implicit deny in the VDOM's policy layer blocks all inbound traffic unless an explicit permit policy exists.

How to eliminate wrong answers

Option A is wrong because enabling 'set allowaccess https' on the interface is necessary but not sufficient; without a firewall policy in mgmt-vdom permitting inbound HTTPS, the traffic is still dropped by the implicit deny. Option C is wrong because transparent mode is irrelevant here; the FortiGate is in multi-VDOM mode, and the issue is policy-based, not mode-based. Option D is wrong because the traffic VDOM's routing table does not affect management access to the mgmt-vdom interface; management traffic is handled within the mgmt-vdom itself.

103
Multi-Select (medium)

A network administrator is troubleshooting a split-brain scenario in an HA cluster. Which TWO conditions can cause split-brain? (Choose two.)

Select 2 answers
A. Loss of heartbeat link between HA members
B. One unit has a higher priority
C. Firmware version mismatch
D. Mismatched HA configuration (e.g., different HA mode)
E. Session pickup is disabled
Answers: A, D

Without heartbeat, each unit assumes the other is down and becomes primary.

Why this answer

Options A and D are correct. Loss of HA heartbeat communication (A) causes both units to think they are primary. Mismatched HA configuration (D) can also cause split-brain.

Option B causes failover but not split-brain. Option C is irrelevant.

104
Multi-Select (medium)

A FortiGate administrator is configuring NAC (Network Access Control) integration with FortiNAC. The goal is to control access for wired clients based on device compliance. Which TWO configurations are required on the FortiGate to support this integration?

Select 2 answers
A. Configure a RADIUS server pointing to FortiNAC.
B. Create a security group tag (SGT) mapping.
C. Enable '802.1x' authentication on the interface.
D. Enable 'nac-policy' on the switch-facing interface.
E. Set the 'nac-mode' to 'global-vlan' under the interface.
Answers: A, D

Why this answer

FortiGate integrates with FortiNAC via RADIUS (A) to query device compliance, and uses NAC policies (D) on the interface to enforce access. 802.1X is typically handled by the switch, not by the FortiGate directly. SGT and nac-mode are not standard for this integration.

105
MCQ (easy)

A FortiGate administrator is designing a VDOM configuration for a multi-tenant environment. Each tenant requires its own routing table and firewall policies. Which VDOM type should be used for each tenant?

A. TP mode VDOM
B. Router mode VDOM
C. Transparent mode VDOM
D. NAT mode VDOM
Answer: D

NAT mode VDOM provides independent routing and policies.

Why this answer

In a multi-tenant VDOM environment where each tenant requires its own routing table and firewall policies, NAT mode VDOM (option D) is the correct choice because it operates as a Layer 3 routing entity with its own independent routing table, interfaces, and firewall policies. This mode allows each tenant VDOM to perform NAT, route between subnets, and enforce security policies autonomously, which is essential for tenant isolation and policy control.

Exam trap

The trap here is that candidates often confuse 'Router mode' (a non-existent term) with NAT mode, or assume Transparent mode can provide Layer 3 routing isolation, but only NAT mode VDOMs support independent routing tables and firewall policies for multi-tenant environments.

How to eliminate wrong answers

Option A is wrong because TP mode VDOM (Transparent mode) does not maintain its own routing table; it forwards traffic at Layer 2 and relies on the root VDOM or external router for routing, making it unsuitable for tenants needing independent routing. Option B is wrong because 'Router mode VDOM' is not a standard FortiGate VDOM type; the correct term is NAT mode or Transparent mode, and Router mode is a misnomer that does not exist in FortiOS. Option C is wrong because Transparent mode VDOM operates at Layer 2 without its own routing table, so it cannot provide each tenant with an independent routing table, which is a core requirement for multi-tenant routing isolation.

106
Drag & Drop (medium)

Drag and drop the steps to configure a FortiGate to send logs to a FortiAnalyzer into the correct order.


Why this order

Add log device, set IP and auth, choose log types, apply filters, then test.

107
Multi-Select (hard)

A FortiGate administrator is troubleshooting a ZTNA problem where users are unable to connect to an internal application via FortiClient. FortiClient reports 'Connection refused'. The FortiGate ZTNA gateway is configured correctly. Which THREE steps should the administrator take to diagnose the issue?

Select 3 answers
A. Check the FortiGate's antivirus update status
B. Verify that FortiClient can reach the ZTNA gateway's IP and port
C. Examine the ZTNA access proxy rule to ensure the application mapping is correct
D. Reboot the FortiClient computer
E. Verify that the application server is reachable from the FortiGate (e.g., ping or telnet)
Answers: B, C, E

Network connectivity between FortiClient and the ZTNA gateway is fundamental.

Why this answer

To diagnose ZTNA connection issues, the administrator should verify network connectivity to the ZTNA gateway, check the ZTNA proxy rule configuration, and verify that the application server is reachable from the FortiGate. Options B, C, and E are correct.

108
MCQ (easy)

An administrator wants to load balance traffic across two WAN links by session count. Which SD-WAN load balancing algorithm should they use?

A. Sessions
B. Spillover
C. Lowest-cost
D. Volume
Answer: A

The sessions algorithm distributes sessions based on the number of active sessions per interface.

109
Multi-Select (medium)

An administrator is configuring a new VDOM on a FortiGate and needs to ensure that certain system resources are isolated for that VDOM. Which TWO settings must be configured to achieve resource isolation?

Select 2 answers
A. Set disk quota
B. Set memory quota
C. Set CPU quota
D. Set bandwidth limit
E. Set session limit
Answers: B, C

Memory quota limits the memory usage for the VDOM.

Why this answer

Option B is correct because setting a memory quota on a VDOM limits the amount of physical memory (RAM) the VDOM can consume, preventing it from starving other VDOMs or the root system. Option C is correct because setting a CPU quota caps the percentage of CPU time the VDOM can use, ensuring fair scheduling across VDOMs. Together, these two settings enforce resource isolation at the system level, which is required for multi-tenant or segmented environments.

Exam trap

The trap here is that candidates confuse 'resource isolation' with 'traffic control' or 'storage limits', leading them to select bandwidth limit or disk quota instead of the correct system-level quotas (memory and CPU).

110
Multi-Selectmedium

An admin is troubleshooting an IPsec VPN tunnel that is failing phase 2. The IKE debug shows 'no matching proposal'. Which TWO settings should the admin verify on both sides? (Choose two.)

Select 2 answers
A.Dead Peer Detection interval
B.Encryption algorithm (e.g., AES128, AES256)
C.Diffie-Hellman group for PFS
D.Pre-shared key
E.Local and remote gateway IP addresses
AnswersB, C

Both settings are part of the phase 2 proposal.

Why this answer

Phase 2 uses different proposals than phase 1. The phase 2 proposal consists of the encryption algorithm (ESP), the authentication algorithm, and the perfect forward secrecy (PFS) Diffie-Hellman group. Options B and C are correct because both are part of the phase 2 proposal and must match on both sides.

111
MCQmedium

An administrator wants to ensure that traffic from a specific source IP uses a particular SD-WAN member regardless of performance SLA results. Which SD-WAN configuration element should be used?

A.SD-WAN rule with manual strategy
B.Route map
C.Policy-based routing on the firewall policy
D.Performance SLA
AnswerA

SD-WAN rules can use manual strategy to force traffic to a specific member.

Why this answer

SD-WAN rules allow matching traffic based on source/destination, and can set the 'strategy' to 'manual' or explicitly select a member, overriding SLA-based choices.

112
Matchingmedium

Match each Fortinet component to its description.

Next-generation firewall

Centralized management platform

Logging and reporting server

Advanced threat detection and analysis

Web application firewall

Why these pairings

These are key products in the Fortinet Security Fabric.

113
MCQmedium

A FortiGate is configured as a SAML service provider (SP) for user authentication. Users report they are redirected to the identity provider (IdP) for authentication, but after successful login, they are not allowed access to the requested resource. What is the MOST likely cause?

A.The FortiGate is configured as an IdP instead of SP
B.SAML single logout is enabled and causing session termination
C.The IdP certificate is not trusted by the FortiGate
D.The SAML user group is not configured with the correct IdP attribute mapping
AnswerD

Without proper group mapping, the FortiGate cannot assign the user to a group, and the firewall policy requiring that group will deny access.

Why this answer

After SAML authentication, the FortiGate must have a matching user group and firewall policy that allows traffic from authenticated users. If the IdP sends the correct attributes but the FortiGate does not have a group mapping or policy, access will be denied.

114
MCQhard

A security engineer is troubleshooting a scenario where FortiGate is not blocking a known malicious URL categorized as 'Malware'. The web filtering profile is configured with 'monitor all' for the Malware category. What change should be made to block the URL?

A.Configure traffic shaping to rate limit the URL
B.Add a static URL filter with the exact URL and action 'block'
C.Enable DNS filter with botnet C2 domain blocking
D.Change the action for Malware category from 'monitor' to 'block' in the web filter profile
AnswerD

Setting the category action to 'block' will block all URLs in that category.

Why this answer

The web filtering profile currently has the Malware category set to 'monitor all', which logs but does not block traffic. To block the URL, the action must be changed from 'monitor' to 'block' within the same web filter profile. This directly enforces the blocking action for all URLs categorized as Malware, including the known malicious URL.

Exam trap

The trap here is that candidates may think a static URL filter is required for blocking, overlooking that category-based actions in the web filter profile can directly block all URLs in a category without needing individual entries.

How to eliminate wrong answers

Option A is wrong because traffic shaping only rate-limits bandwidth and does not block URLs; it cannot enforce a block on malicious content. Option B is wrong because adding a static URL filter is unnecessary and less efficient when the category-based action can be changed; it also requires manual entry of every specific URL, which is not scalable. Option C is wrong because DNS filter with botnet C2 domain blocking targets command-and-control domains at the DNS level, not HTTP/HTTPS URL categories like Malware; it addresses a different threat vector.

115
MCQhard

A company has deployed two FortiGate-600Es in an active-passive HA cluster. The cluster is configured with three VDOMs: VDOM-A (corporate LAN), VDOM-B (guest Wi-Fi), and VDOM-C (DMZ). Each VDOM has its own set of interfaces and policies. The cluster is also configured to use FGCP with session pickup enabled. Recently, the network team noticed that after a failover event, some user sessions in VDOM-B are not being picked up, causing disruption for guest users. The session pickup feature is enabled globally. The administrator checks the configuration and finds the following settings on the primary FortiGate:

config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end

config vdom
    edit VDOM-A
        config system ha
            set session-pickup enable
        end
    next
    edit VDOM-B
        config system ha
            set session-pickup disable
        end
    next
    edit VDOM-C
        config system ha
            set session-pickup enable
        end
    next

Based on this configuration, what is the most likely reason that sessions in VDOM-B are not being picked up?

A.The HA priority of the cluster is set too low, causing session pickup to fail for VDOM-B.
B.Session pickup for connectionless protocols is not enabled, so UDP sessions in VDOM-B are not picked up.
C.Session pickup is disabled specifically for VDOM-B in the per-VDOM HA configuration.
D.The interfaces assigned to VDOM-B do not have session pickup enabled.
AnswerC

The per-VDOM setting overrides the global setting, so session pickup is disabled for VDOM-B.

Why this answer

Option C is correct because the per-VDOM HA configuration for VDOM-B explicitly disables session pickup with 'set session-pickup disable'. Even though the global HA settings enable session pickup, the per-VDOM setting overrides the global setting for that VDOM. As a result, after a failover, sessions in VDOM-B are not synchronized to the standby FortiGate and are not picked up, causing disruption for guest users.

Exam trap

The trap here is that candidates assume global session pickup settings apply uniformly to all VDOMs, overlooking that per-VDOM HA settings override the global configuration, which is a common misconfiguration in multi-VDOM HA deployments.

How to eliminate wrong answers

Option A is wrong because HA priority affects which unit becomes primary, not whether session pickup functions per VDOM; session pickup is controlled by explicit enable/disable settings, not priority. Option B is wrong because 'session-pickup-connectionless' is enabled globally, which would allow UDP and other connectionless sessions to be picked up, but this global setting is overridden by the per-VDOM disable for VDOM-B. Option D is wrong because session pickup is configured at the VDOM level, not per interface; interfaces inherit the VDOM's session pickup setting, so disabling it on the VDOM prevents pickup regardless of interface configuration.

116
MCQeasy

An administrator is reviewing the HA configuration shown in the exhibit. The primary unit has failed, and the secondary unit (with priority 100) has taken over. However, the administrator notices that the secondary unit has an IP address of 10.10.10.2 on port3, but cannot ping the management gateway 10.10.10.1. What is the most likely cause?

A.The HA management interface IP is not active on the secondary
B.The hbdev configuration is incorrect
C.The override setting is preventing the secondary from taking over management
D.session-pickup is not enabled
AnswerA

The management IP is active only on the primary unit; the secondary uses the same IP after failover, but the network may not have updated.

Why this answer

When the secondary unit takes over in an HA cluster, the HA management interface IP (configured under config system ha) is only active on the primary unit by default. Even after failover, the secondary unit does not automatically activate this IP unless the 'management-interface-ip' is explicitly configured to be active on the secondary. Since the secondary unit has IP 10.10.10.2 on port3 but cannot ping the management gateway 10.10.10.1, the most likely cause is that the HA management interface IP is not active on the secondary, meaning the secondary unit is using its own port3 IP (10.10.10.2) but the gateway expects the management IP to be reachable from that subnet, which it is not.

Exam trap

The trap here is that candidates often assume the secondary unit automatically inherits all IP addresses from the primary after failover, but FortiGate HA specifically requires explicit configuration for the management interface IP to be active on the secondary.

How to eliminate wrong answers

Option B is wrong because hbdev (heartbeat device) configuration affects HA heartbeat communication between units, not the activation of the management IP on the secondary after failover. Option C is wrong because the override setting controls whether a higher-priority unit can preempt the current primary after it recovers; it does not prevent the secondary from taking over management functions after the primary fails. Option D is wrong because session-pickup is a feature for synchronizing firewall sessions between HA members; it has no impact on whether the management interface IP is active on the secondary unit.

117
MCQeasy

Which feature allows a FortiGate to maintain separate routing tables for different customers or departments on the same device?

A.Route maps
B.VDOM
C.VRF (Virtual Routing and Forwarding)
D.Policy-based routing
AnswerC

VRF allows multiple independent routing table instances on the same FortiGate.

118
Multi-Selecthard

A security analyst wants to use automation stitches on FortiGate to automatically block IP addresses that trigger an IPS signature for 'SSH Brute Force'. Which two components are required to create this automation stitch? (Choose two.)

Select 2 answers
A.Action: 'Add to Block List'
B.FortiAnalyzer log query
C.Action: 'Email Notification'
D.Trigger: 'IPS Event'
E.FortiGuard category
AnswersA, D

The action should block the source IP.

Why this answer

An automation stitch requires a trigger (e.g., IPS event) and an action (e.g., add to block list). The trigger defines when the stitch fires, and the action defines what to do.

119
MCQmedium

A FortiGate administrator is troubleshooting a VPN tunnel that connects to a remote site. The tunnel is up, but traffic is not passing. The administrator checks the Phase 2 settings and sees that the local and remote subnets are correctly defined. What is the next step to diagnose the issue?

A.Check the firewall policies that reference the VPN interface
B.Check the routing table for the remote subnet
C.Run 'diagnose vpn ike log' to check for Phase 1 errors
D.Restart the VPN tunnel
AnswerA

Even if the tunnel is up, traffic must be allowed by a firewall policy from the VPN interface to the destination zone.

Why this answer

Option A is correct. Missing or incorrect firewall policies are a common cause of traffic not passing through an established VPN.

120
Multi-Selecthard

A FortiGate is deployed in multi-VDOM mode. The administrator wants to use FortiAnalyzer to centralize logging from all VDOMs. Which THREE steps must be performed? (Choose three.)

Select 3 answers
A.Enable log forwarding on the management VDOM only
B.Ensure that the FortiAnalyzer can reach the FortiGate's management IP
C.Add the FortiGate as a device in FortiAnalyzer
D.Configure FortiAnalyzer settings in each VDOM to point to the FortiAnalyzer IP
E.Enable 'log-all-vdoms' feature on the FortiGate
AnswersB, C, D

Correct.

Why this answer

Option B is correct because the FortiAnalyzer must be able to reach the FortiGate's management IP to establish the logging connection. In multi-VDOM mode, the management VDOM handles all management traffic, including FortiAnalyzer communication, so reachability to that specific IP is essential for centralized logging.

Exam trap

The trap here is that candidates assume a single global setting like 'log-all-vdoms' exists, when in reality FortiOS requires per-VDOM configuration or the use of the 'central-log' feature to aggregate logs from all VDOMs.

121
Multi-Selectmedium

A FortiGate administrator is configuring a hub-and-spoke ADVPN with BGP. The hub has multiple spokes. Which TWO configuration steps are REQUIRED on the hub FortiGate for shortcut tunnels to be established between spokes?

Select 2 answers
A.Configure BGP to redistribute connected or static routes to the spokes
B.Enable 'set auto-discovery-receiver' on the hub's phase1 interface
C.Enable 'set auto-discovery-sender' on the hub's phase1 interface
D.Disable DPD on the hub's phase1 interface
E.Set the IKE version to IKEv1 on the hub
AnswersA, C

Without route redistribution, spokes will not learn about other spoke subnets, so shortcut tunnels would have no traffic to trigger.

Why this answer

For ADVPN shortcut tunnels, the hub must enable auto-discovery sender and must also advertise the spoke routes to other spokes. Without route advertisement, spokes cannot know about each other's networks.

122
Multi-Selectmedium

An organization wants to implement multiple layers of defense against advanced persistent threats. Which three Fortinet solutions would be most effective in an ATP strategy? (Choose three.)

Select 3 answers
A.FortiMail
B.FortiSandbox
C.FortiWeb
D.FortiEDR
E.FortiDeceptor
AnswersB, D, E

FortiSandbox detects unknown malware via behavioral analysis.

Why this answer

FortiSandbox provides advanced threat detection, FortiEDR provides endpoint detection and response, and FortiDeceptor provides deception-based threat detection. Together they cover multiple attack stages.

123
MCQmedium

A network administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The remote gateway logs show a proposal mismatch. On FortiGate, the administrator runs 'diagnose vpn ike config' and sees 'proposal: aes128-sha1, aes256-sha256'. The remote side expects 'aes256-sha1'. What is the most likely cause?

A.The Phase 1 proposal list does not include the algorithm combination the remote gateway requires
B.The pre-shared key is incorrect
C.The Phase 2 selectors are misconfigured
D.The IKE version is set to 1 but remote uses 2
AnswerA

Correct. The local proposal list must contain at least one matching algorithm set that the remote gateway supports.

Why this answer

The proposal mismatch occurs because the FortiGate's IKE proposal includes aes256-sha256 but not aes256-sha1, and the remote gateway expects aes256-sha1. The correct action is to add aes256-sha1 to the proposal list.

124
MCQhard

A FortiGate running FortiOS 7.2 has multiple VDOMs. The administrator notices that inter-VDOM routing between two VDOMs is not working. Configuration shows a firewall policy allowing the traffic, and the route table shows routes to the destination VDOM. What additional configuration is required?

A.Configure a static route with a gateway IP in the destination VDOM
B.Create a VDOM link interface pair and assign them to the respective VDOMs
C.Assign an IP address to the VLAN interface on the source VDOM
D.Enable 'inter-vdom' under config system global
AnswerB

Inter-VDOM routing requires a VDOM link (logical interface pair) connecting the VDOMs.

Why this answer

Inter-VDOM routing requires a VDOM link, which is a pair of logical interfaces (one in each VDOM) that are directly connected. Without this link, the VDOMs cannot exchange traffic even if firewall policies and routes exist, because they operate as separate virtual firewalls with isolated forwarding tables.

Exam trap

The trap here is that candidates assume a firewall policy and routes are sufficient for inter-VDOM traffic, overlooking the mandatory VDOM link interface pair that provides the actual Layer 3 adjacency between the VDOMs.

How to eliminate wrong answers

Option A is wrong because a static route with a gateway IP in the destination VDOM is not possible; the gateway must be reachable via an interface that belongs to the source VDOM, and inter-VDOM routing requires a direct link (VDOM link) rather than a next-hop in another VDOM. Option C is wrong because assigning an IP to a VLAN interface on the source VDOM does not create a path to the destination VDOM; VLAN interfaces are used for Layer 2 segmentation within a single VDOM, not for inter-VDOM connectivity. Option D is wrong because there is no 'inter-vdom' toggle under config system global; inter-VDOM routing is enabled by default when VDOMs are enabled, and the missing piece is the VDOM link interface pair, not a global setting.

125
MCQeasy

An administrator wants to monitor the session count on a FortiGate in real time. Which CLI command provides this information?

A.diagnose sys top
B.get system performance status
C.diagnose sys session stat
D.diagnose debug enable
AnswerC

This command displays current session statistics including total session count.

Why this answer

Option C is correct. 'diagnose sys session stat' shows session statistics, including the total number of active sessions.

126
MCQhard

A FortiGate administrator configures a VDOM with a limit on the number of firewall policies. The VDOM has 200 policies, and the limit is set to 250. The administrator attempts to add a new policy but receives an error indicating the limit has been reached. What is the MOST likely reason?

A.The administrator must reboot the FortiGate for the limit to take effect
B.The limit includes IPv4, IPv6, and other policy types
C.The VDOM has reached the maximum number of objects, not policies
D.The limit is per VDOM and cannot be changed
AnswerB

VDOM policy limits apply to the total number of policies across all types (IPv4, IPv6, etc.). If 200 IPv4 policies exist, plus IPv6 policies, the total may exceed 250.

Why this answer

The FortiGate VDOM policy limit includes all policy types—IPv4, IPv6, and others (e.g., local-in policies, authentication policies). Even if the administrator has only 200 IPv4 policies, the total count of all policy types combined may already reach the 250 limit, preventing the addition of a new policy. This is why the error occurs despite the VDOM appearing to have room under the configured limit.

Exam trap

The trap here is that candidates assume the limit applies only to IPv4 firewall policies, ignoring that FortiGate counts all policy types (IPv4, IPv6, local-in, etc.) against the same limit, leading them to choose an incorrect answer like C or D.

How to eliminate wrong answers

Option A is wrong because policy limits take effect immediately without requiring a reboot; FortiGate enforces the limit dynamically upon policy creation. Option C is wrong because the error specifically references the policy limit, not the object limit; FortiGate has separate limits for objects (e.g., addresses, services) and policies, and the error message would differ if it were an object limit issue. Option D is wrong because the limit can be changed per VDOM via the config vdom command (e.g., set firewall-policy-limit), and it is not immutable.

127
MCQmedium

A FortiGate has multiple VRFs configured. An administrator wants to allow traffic from VRF 1 to reach a server in VRF 2. What configuration is required?

A.Use a single VDOM and enable inter-VDOM links.
B.Place both interfaces in the same VRF.
C.Create a static route from one VRF to another.
D.Configure a VRF leak policy using route maps or policy routes.
AnswerD

VRF leaking can be achieved by using route maps with the 'set vrf' command or by using policy routes to forward traffic between VRFs.

Why this answer

VRF leaking is the process of sharing routes between VRFs. This is done by configuring route maps that match specific routes and setting the target VRF, or by using policy routes that override the VRF lookup.

128
MCQhard

A FortiGate HA cluster is configured with two units in active-passive mode. The administrator needs to perform a firmware upgrade on the cluster with minimal downtime. The current firmware version is 7.2.5 and the target is 7.2.7. The cluster uses FGCP with session synchronization enabled. Which procedure should the administrator follow?

A.Upgrade only the primary unit and let the secondary synchronize automatically
B.Disable HA, upgrade both units, then re-enable HA
C.Upgrade both units at the same time by connecting to each via console
D.Upgrade the passive unit first, perform a graceful failover, then upgrade the new passive unit
AnswerD

This procedure ensures minimal downtime and maintains session synchronization.

Why this answer

Option D is correct because it follows the recommended upgrade procedure for an active-passive FGCP cluster with session synchronization. By upgrading the passive unit first, then performing a graceful failover (which preserves existing sessions via FGCP session sync), and finally upgrading the new passive unit, the administrator ensures that the cluster remains operational throughout the process with minimal traffic disruption. This method avoids a full cluster outage and maintains session continuity.

Exam trap

The trap here is that candidates assume firmware synchronization works like configuration synchronization, leading them to choose Option A, but FGCP does not automatically replicate firmware images between cluster members.

How to eliminate wrong answers

Option A is wrong because upgrading only the primary unit does not cause the secondary to synchronize firmware; FGCP synchronizes configuration and session state, not firmware images, so the secondary would remain on the old version and the cluster would break. Option B is wrong because disabling HA removes redundancy and causes a full traffic outage during the upgrade, which contradicts the goal of minimal downtime. Option C is wrong because upgrading both units simultaneously via console without a failover sequence would likely cause a split-brain scenario or traffic loss, as both units would reboot at the same time, dropping all sessions.

129
MCQeasy

An administrator applies the above policy but users from 10.0.1.0/24 cannot access web servers at 10.0.2.0/24. However, they can ping the servers. What is the most likely cause?

A.The service 'HTTP' does not include port 443 or the web application is using HTTPS.
B.The destination address is incorrect.
C.The schedule 'always' is not correctly configured.
D.The source interface is incorrect.
AnswerA

The service 'HTTP' only covers port 80; if the web server uses HTTPS (port 443), the policy won't match.

Why this answer

The policy allows HTTP traffic (port 80), but the web servers are likely using HTTPS (port 443). Since the service object 'HTTP' in FortiGate typically only includes TCP/80, HTTPS traffic is denied by default. The administrator can ping the servers because ICMP is permitted by an implicit or explicit policy, confirming that routing and connectivity are functional.

Exam trap

The trap here is that candidates assume 'HTTP' covers all web traffic, but FortiGate strictly matches the defined ports in the service object, so HTTPS (port 443) is blocked unless explicitly permitted.

How to eliminate wrong answers

Option B is wrong because the destination address 10.0.2.0/24 is correct for the web servers, and ping success confirms reachability. Option C is wrong because the schedule 'always' is a default, always-active schedule that cannot be misconfigured; if it were invalid, no traffic would pass. Option D is wrong because the source interface is correctly set to the interface connected to 10.0.1.0/24, as evidenced by successful ping traffic from that subnet.

130
MCQeasy

Refer to the exhibit. A FortiGate administrator has configured an IPsec VPN tunnel to a branch office. The tunnel fails to establish. What is the most likely cause?

A.Phase 2 proposal (aes256-sha1) is not compatible with Phase 1 proposal (aes256-sha256)
B.The pre-shared key is encrypted in the configuration
C.The 'net-device disable' setting prevents tunnel creation
D.The phase2 interface name does not match the phase1 name
AnswerA

Phase 2 encryption must be a subset of Phase 1; SHA1 vs SHA256 mismatch causes failure.

Why this answer

The tunnel fails because the Phase 2 proposal (aes256-sha1) is not compatible with the Phase 1 proposal (aes256-sha256). In IPsec VPN, Phase 1 establishes the ISAKMP SA using a set of encryption and authentication algorithms, while Phase 2 negotiates the IPsec SA for data traffic. The authentication algorithm must match between Phase 1 and Phase 2; here, Phase 1 uses SHA-256 but Phase 2 uses SHA-1, causing a mismatch that prevents the tunnel from establishing.

Exam trap

The trap here is that candidates often assume Phase 1 and Phase 2 proposals are independent, but FortiGate requires the authentication algorithm to match between phases, and the exam tests this subtle interoperability constraint.

How to eliminate wrong answers

Option B is wrong because the pre-shared key being encrypted in the configuration is normal behavior in FortiGate (it is always displayed as asterisks or encrypted text) and does not prevent tunnel establishment. Option C is wrong because the 'net-device disable' setting only prevents the tunnel interface from being treated as a network device for routing purposes; it does not block IPsec tunnel creation or negotiation. Option D is wrong because the Phase 2 interface name does not need to match the Phase 1 name; Phase 2 references the Phase 1 configuration via the 'set phase1name' parameter, not by interface name.

131
MCQeasy

A network administrator wants to logically separate two departments on a single FortiGate. Each department must have its own firewall policies, routing table, and administrators. Which feature should be used?

A.Virtual Domains (VDOMs)
B.Policy Packages
C.Administrative Domains (ADOMs)
D.VLANs
AnswerA

VDOMs create separate virtual firewalls within a single chassis.

Why this answer

Virtual Domains (VDOMs) allow a single FortiGate to be partitioned into multiple independent virtual firewalls, each with its own firewall policies, routing table, and administrative access. This meets the requirement for logical separation of departments with isolated policy and routing domains.

Exam trap

The trap here is confusing VLANs with VDOMs: VLANs segment Layer 2 traffic but do not provide independent routing tables or administrative domains, so candidates often pick VLANs when the question explicitly requires separate routing and administrators.

How to eliminate wrong answers

Option B is wrong because Policy Packages are used to group firewall policies within a VDOM or a non-VDOM FortiGate, but they do not provide separate routing tables or independent administrators. Option C is wrong because Administrative Domains (ADOMs) are a FortiManager concept for managing multiple FortiGates or VDOMs, not a feature on a single FortiGate for local separation. Option D is wrong because VLANs operate at Layer 2 to segment broadcast domains and require a Layer 3 interface or VDOM to enforce separate routing tables and firewall policies; they do not inherently provide independent routing or administrative isolation.

132
MCQhard

An administrator is investigating a security incident and needs to view raw logs from a FortiAnalyzer for a specific time range. The administrator wants to ensure the logs are not aggregated or summarized. Which type of log view should be used?

A.Event Management
B.FortiView
C.Reports
D.Log View
AnswerD

Log View displays raw, unaggregated logs from the FortiAnalyzer, ideal for detailed incident investigation.

Why this answer

Option D is correct. Log View provides access to raw logs without aggregation.

133
MCQhard

A FortiGate VDOM is configured with a WAN interface (port1) and LAN interface (internal). The admin creates a policy allowing HTTP from internal to WAN with an antivirus profile applied. Users report that HTTP throughput is very slow. The admin checks the session table and sees many sessions with state 11 (TCP_CLOSE_WAIT). What is causing the performance issue?

A.The antivirus profile is performing file scanning, causing delays
B.The policy is missing a timeout setting for TCP half-close
C.The HTTP server is not properly closing connections, and the FortiGate is waiting for FIN from client
D.The FortiGate is using proxy-based inspection, which delays session closure
AnswerC

CLOSE_WAIT means the server has closed the connection (FIN received) but the client hasn't. The FortiGate waits for the client's FIN and holds the session.

Why this answer

State 11 (TCP_CLOSE_WAIT) indicates that the FortiGate has received a FIN from the server (WAN side) and is waiting for a FIN from the client (internal side) to complete the TCP connection closure. When the HTTP server does not properly close connections, the FortiGate holds these sessions open, consuming session table resources and causing performance degradation. The antivirus profile is not the direct cause; the issue is the accumulation of sessions stuck in CLOSE_WAIT due to incomplete TCP teardown.

Exam trap

The trap here is that candidates often attribute slow throughput to antivirus scanning (Option A) or proxy inspection (Option D), but the session state TCP_CLOSE_WAIT directly points to a TCP closure problem, not a content inspection issue.

How to eliminate wrong answers

Option A is wrong because antivirus file scanning can introduce latency but does not cause sessions to remain in TCP_CLOSE_WAIT state; that state is specific to TCP connection closure, not scanning delays. Option B is wrong because FortiGate does not have a configurable 'TCP half-close timeout' for policies; session timeouts are handled by the TCP session timeout settings (e.g., default-tcp-timeout), and the issue is not a missing timeout but the server not sending FIN. Option D is wrong because proxy-based inspection may affect session handling but does not cause sessions to stay in CLOSE_WAIT; CLOSE_WAIT is a standard TCP state indicating the device is waiting for the client to close, regardless of inspection mode.

134
Multi-Selecthard

A FortiGate administrator is troubleshooting an IPsec VPN that uses IKEv2 with certificate authentication. The VPN fails to establish. The administrator runs 'diagnose vpn ike gateway list' and sees the gateway state is 'IKE_INIT'. Which three possible causes should the administrator investigate? (Choose three.)

Select 3 answers
A.The certificate of the remote peer is not trusted by the local FortiGate
B.The pre-shared key is incorrect
C.The phase 1 proposal (encryption, hash, DH group) does not match
D.The phase 2 proxy ID is incorrect
E.The remote peer's certificate has expired
AnswersA, C, E

Certificate validation failure would cause IKE to stay in INIT.

Why this answer

The IKE_INIT state indicates that phase 1 has not completed. Certificate trust issues (A), a proposal mismatch (C), and an expired certificate (E) can all cause phase 1 to fail.

135
MCQ · medium

An administrator runs 'diagnose sys session filter dport 443' and sees:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A. The session is a multicast session with a duration of 3600 seconds.
B. The session is a TCP session in established state that has been up for 3600 seconds and will expire in 3599 seconds.
C. The session is in SYN_SENT state and has timed out after 3600 seconds.
D. The session is a UDP session that has been active for 3600 seconds.
Answer: B

proto=6 means TCP, proto_state=01 typically indicates established state. Duration is the time since session creation, expire is the remaining time before the session is removed if idle.

Why this answer

The output shows a TCP session in established state (proto_state=01) that has been alive for 3600 seconds and the idle timeout will expire in 3599 seconds if no packets are sent.

136
MCQ · hard

An administrator configures a multi-VDOM FortiGate in transparent mode. The admin notices that the management IP is reachable from both interfaces, but traffic passing through the device is not being inspected. What is the likely issue?

A. Inter-VDOM routing is misconfigured
B. The VDOM is in transparent mode, but no firewall policy is applied to the traffic
C. The FortiGate needs a default route
D. The management IP is assigned to the wrong VDOM
Answer: B

In transparent mode, traffic is bridged by default; policies must be created to inspect traffic.

Why this answer

In transparent mode, a FortiGate acts as a Layer 2 bridge, and traffic passing through the device is controlled by firewall policies, not by routing. Even though the management IP is reachable (because it is a separate IP on the bridge interface), no traffic inspection occurs unless an explicit firewall policy is configured to allow and inspect the traffic between the bridge interfaces. Option B correctly identifies that the missing firewall policy is the root cause.

Exam trap

The trap here is that candidates assume transparent mode automatically inspects all traffic or that management IP reachability implies full functionality, but in reality, a firewall policy is mandatory for traffic inspection even in Layer 2 mode.

How to eliminate wrong answers

Option A is wrong because inter-VDOM routing is not relevant here; the issue concerns transit traffic crossing the bridge within a single transparent-mode VDOM, not traffic between VDOMs. Option C is wrong because a default route is used for management traffic originating from the FortiGate itself, not for transit traffic passing through the device in transparent mode; transit traffic is bridged and does not require a routing table. Option D is wrong because the management IP being reachable from both interfaces indicates it is correctly assigned to the VDOM; the problem is the lack of a firewall policy to inspect transit traffic, not a misassignment of the management IP.

137
MCQ · hard

An administrator configures inter-VDOM routing between VDOM-A and VDOM-B using a VDOM link. The default route in VDOM-A points to a next-hop router, and VDOM-B has a static route to a subnet behind VDOM-A. Users in VDOM-B cannot reach that subnet. The administrator runs 'diagnose ip route list' in both VDOMs and sees the routes are present. What is the most likely cause?

A. The VDOM link MTU is too small for the traffic
B. The VDOM link interfaces are administratively down
C. Firewall policies are missing on the VDOMs to permit traffic between the VDOM link and the destination interfaces
D. The VDOMs are in different administrative domains (ADOMs) on FortiManager
Answer: C

Correct.

Why this answer

Even though the routes are present in both VDOMs, inter-VDOM routing via a VDOM link requires explicit firewall policies on each VDOM to permit traffic between the VDOM link interface and the destination interface. Without these policies, the FortiGate drops the traffic at the firewall layer, even though the routing table is correct. This is a common misconfiguration because VDOM links behave like physical interfaces and are subject to firewall policy enforcement.

Exam trap

The trap here is that candidates assume that because routes are present and the VDOM link is up, traffic should flow automatically, forgetting that FortiGate enforces firewall policies even for inter-VDOM traffic.

How to eliminate wrong answers

Option A is wrong because an MTU mismatch would cause fragmentation issues or packet drops, but the routes would still be present and the administrator would typically see ICMP fragmentation-needed messages or packet loss, not a complete inability to reach the subnet. Option B is wrong because if the VDOM link interfaces were administratively down, the routes would not appear in the routing table (the interface would be down, making the next-hop unreachable), and the administrator would see the interfaces in a 'down' state. Option D is wrong because ADOMs on FortiManager are a management-plane concept that controls visibility and administrative access, not data-plane forwarding; inter-VDOM routing is handled locally on the FortiGate and is unaffected by FortiManager ADOM configuration.

138
MCQ · medium

A FortiGate has multiple equal-cost routes to the same destination via two different interfaces. ECMP load balancing is enabled. What determines how traffic is distributed among the routes?

A. The interface speed
B. A hash of source and destination IP addresses
C. Round-robin per packet
D. The route metric
Answer: B

Default ECMP uses source-dest-ip hashing.

Why this answer

ECMP uses a hash algorithm based on source/destination IP and optionally ports to distribute sessions. The 'load-balance' setting in the routing configuration determines the method (e.g., source-dest-ip, source-dest-port).

139
MCQ · medium

A network administrator configures an SD-WAN zone with two members (port1 and port2) and sets the load balancing algorithm to 'spillover'. The spillover threshold is set to 100 Mbps on port1. If traffic reaches 120 Mbps on port1, what happens to new sessions?

A. All traffic is dropped because the threshold is exceeded
B. New sessions are sent to port2 until port1 drops below the threshold
C. Port1 continues to receive all new sessions but packets are queued
D. New sessions are distributed equally between port1 and port2
Answer: B

Correct spillover behavior.

Why this answer

The spillover algorithm sends traffic to the preferred member (lowest cost or first in order) until that member's bandwidth exceeds the threshold. Once the threshold is exceeded, new sessions are sent to the next available member; port2 handles new sessions until port1 drops back below the threshold.

140
Multi-Select · easy

An administrator is troubleshooting why a FortiAnalyzer report is not showing expected data. Which TWO potential causes should the administrator investigate?

Select 2 answers
A. The log data is in a different datastore than the one configured for the report
B. The report schedule is not set
C. The FortiAnalyzer is in a different ADOM
D. The FortiGate is not configured to send logs to FortiAnalyzer
E. The FortiAnalyzer license has expired
Answers: A, D

Reports must point to the correct datastore containing the logs.

Why this answer

Option A is correct because FortiAnalyzer organizes logs into datastores based on device groups or ADOMs. If the report is configured to query a datastore that does not contain the relevant logs, the report will not display the expected data, even if the logs exist elsewhere on the same FortiAnalyzer.

Exam trap

The trap here is that candidates often confuse ADOMs with datastores, assuming an ADOM mismatch would block data, when in fact ADOMs only affect administrative visibility, not the underlying log storage or report query scope.

141
MCQ · easy

A FortiGate is configured as a SAML service provider (SP) for SSO. Users authenticate via an external IdP. After successful authentication, the FortiGate should enforce a firewall policy based on the user's group membership. Which FortiGate setting must be enabled to receive group information from the IdP?

A. Enable 'Require IdP Certificate Validation'
B. Create a separate firewall policy for each user
C. Enable 'Auto-Provision Users' on FortiGate
D. Configure the 'user-group' attribute in the SAML SP settings
Answer: D

FortiGate allows mapping of group membership from a SAML attribute. The administrator must specify which attribute (e.g., group) carries the group information.

Why this answer

FortiGate as a SAML SP can receive user attributes from the IdP, including group membership, in the SAML assertion. The IdP must send the group attribute, and the FortiGate SP configuration must specify which assertion attribute carries group membership so that it can be mapped to a FortiGate user group and matched by the firewall policy. Option D is correct: the user-group attribute is configured in the SAML SP settings.

142
MCQ · hard

An administrator is troubleshooting an ADVPN scenario where spoke FortiGates are behind NAT. The shortcut tunnels are not forming between spokes. The hub has the appropriate ADVPN stage settings. What is the most likely cause of the shortcut failure?

A. The spokes are using dynamic IP addresses.
B. The spokes have the same IKE ID.
C. NAT traversal is not enabled on the hub's phase1 interfaces.
D. The shortcut tunnel uses a different encryption algorithm than the hub-spoke tunnel.

Why this answer

NAT traversal must be enabled on the hub's phase1 to allow spoke-to-spoke shortcut negotiations through NAT devices. Without it, the shortcut tunnel cannot be established because the public IP and port mappings are not properly exchanged.

143
MCQ · medium

An administrator configures a ZTNA proxy rule to allow access to an internal application. Users can connect to the FortiGate ZTNA gateway but receive a '403 Forbidden' error. Which step should the administrator take to resolve the issue?

A. Disable the 'require ZTNA tag' option on the proxy rule
B. Check that the ZTNA proxy rule's action is set to 'accept' and the correct tags are specified
C. Ensure the application is reachable from the FortiGate with a ping
D. Verify that the application's firewall policy has an SSL inspection profile applied
Answer: B

The proxy rule controls access based on tags. Missing tags cause forbidden errors.

Why this answer

A 403 error on ZTNA typically indicates that the user's device does not have the required ZTNA tags. The administrator must ensure the FortiClient has the correct tags assigned based on compliance.

144
MCQ · hard

A FortiGate is configured with an antivirus profile that has the machine learning engine enabled. An administrator notices that some files are being detected by the ML engine but the verdict is 'probably clean'. What does this verdict indicate?

A. The file is clean and safe to pass.
B. The file is definitely malicious and should be blocked.
C. The ML engine has detected an outbreak but needs FortiGuard to confirm.
D. The ML engine has low confidence that the file is malicious; it may be a false positive.
Answer: D

'Probably clean' indicates low malicious confidence, often requiring further analysis.

145
MCQ · easy

Which FortiGate feature allows an administrator to define a granular policy based on the security posture of the endpoint device, such as OS version, antivirus status, and disk encryption, before granting access to a protected application?

A. Web filtering profile
B. SSL VPN portal
C. IPsec phase 1 configuration
D. ZTNA access proxy
Answer: D

ZTNA access proxy enforces access based on device posture and user identity.

Why this answer

ZTNA (Zero Trust Network Access) uses device posture checks to evaluate endpoint security before granting access to applications.

146
MCQ · hard

An administrator configures automation stitches on FortiManager to trigger a script when a specific event log is received. The script should block the source IP on the firewall. However, the script does not run when the event occurs. What is a likely cause?

A. The event handler filter does not match the log
B. The FortiGate is in transparent mode
C. The script is not compiled
D. The script is set to run on all managed devices
Answer: A

Correct.

Why this answer

Option A is correct because automation stitches on FortiManager rely on event handler filters to match specific log IDs or patterns. If the filter does not match the incoming event log (e.g., wrong log ID, incorrect field value, or mismatched severity), the trigger condition is never met, and the script will not execute. This is the most common misconfiguration when setting up event-driven automation.

Exam trap

The trap here is that candidates may assume the script itself has a syntax error or that transparent mode disables automation, but the real issue is almost always a filter mismatch in the event handler configuration.

How to eliminate wrong answers

Option B is wrong because FortiGate transparent mode does not prevent automation stitches from running; the script execution is independent of the firewall's operational mode. Option C is wrong because FortiManager scripts are interpreted, not compiled, so there is no compilation step required. Option D is wrong because setting the script to run on all managed devices would not prevent it from running; it would simply apply the script to every device, which could cause unintended behavior but does not block execution.

147
Multi-Select · hard

A FortiGate is configured with multiple VRFs. An administrator notices that routes from VRF A are not being advertised to VRF B via BGP, even though the BGP configuration is correct. Which TWO actions could resolve this issue?

Select 2 answers
A. Enable 'route-flap damping' on the BGP session between VRFs
B. Configure a route leak from VRF A to VRF B under config router vrf
C. Disable 'bgp enforce-first-as' to allow cross-VRF advertisements
D. Configure 'set import-route' under the BGP VRF configuration
E. Use 'set next-hop-self' on the BGP neighbor in each VRF
Answers: B, E

Why this answer

BGP by default does not advertise routes between VRFs. You must enable route leaking, either by using 'config router vrf' with 'leak-route' (option B) or by configuring 'next-hop-self' and using BGP multipath (option E) in certain topologies. Option A is not directly related.

Option C is unnecessary. Option D is incorrect because you don't need to import routes.

148
MCQ · hard

A network administrator is troubleshooting a FortiGate IPS sensor that is not generating alerts for a custom signature they created. The custom signature uses the pattern 'malicious'. The signature is enabled and applied to a firewall policy. What is the MOST likely cause of the issue?

A. The signature severity is set to 'Low' and logging is disabled for low severity
B. The custom signature is missing the 'protocol' parameter
C. The IPS sensor is configured in 'Passive' mode
D. The firewall policy is using 'Flow-based' inspection
Answer: B

Custom signatures must specify a protocol decoder (e.g., HTTP, FTP) to be evaluated; without it, the signature is ignored.

Why this answer

The custom signature is missing the 'protocol' parameter, which is mandatory for FortiGate custom IPS signatures. Without specifying the protocol (e.g., TCP, UDP, HTTP), the IPS engine cannot match the pattern against any traffic flow, so no alerts are generated even if the signature is enabled and applied to a policy.

Exam trap

The trap here is that candidates assume a missing protocol parameter would cause a syntax error or prevent the signature from being saved, but FortiGate allows saving incomplete custom signatures that simply never match traffic.

How to eliminate wrong answers

Option A is wrong because even if severity is 'Low' and logging is disabled for low severity, the IPS sensor would still generate alerts (just not log them); the question states no alerts are generated, not just no logs. Option C is wrong because 'Passive' mode only prevents the IPS from dropping traffic but still allows alert generation and logging; it does not suppress alerts entirely. Option D is wrong because 'Flow-based' inspection supports custom signatures and can generate alerts; the issue is not the inspection mode but the missing protocol parameter in the signature definition.

149
MCQ · easy

A company wants to detect and block phishing emails that contain malicious links. Which FortiGate security profile should be used?

A. Antivirus profile
B. Web Filtering profile
C. Data Leak Prevention profile
D. Email Filtering profile
Answer: D

Email filtering can block phishing emails based on content and reputation.

Why this answer

Option D is correct because FortiGate's Email Filtering profile is specifically designed to inspect SMTP, POP3, and IMAP traffic for phishing indicators, including malicious URLs in email bodies and attachments. It can block or quarantine emails based on URL reputation, sender authentication (SPF/DKIM/DMARC), and content analysis, directly addressing the requirement to detect and block phishing emails with malicious links.

Exam trap

The trap here is that candidates often confuse Web Filtering (which handles web traffic) with Email Filtering (which handles email protocols), assuming URL reputation checks in web filtering can block phishing links in emails, but FortiGate requires the Email Filtering profile to inspect SMTP/IMAP/POP3 traffic and apply email-specific actions like quarantine.

How to eliminate wrong answers

Option A is wrong because the Antivirus profile scans for malware signatures in file attachments and does not analyze URLs or email-specific phishing patterns; it would miss malicious links that do not contain executable payloads. Option B is wrong because the Web Filtering profile controls HTTP/HTTPS traffic based on URL categories and reputation, but it operates on web proxy traffic, not on email protocols like SMTP, and cannot inspect or block emails before they reach the user's inbox. Option C is wrong because the Data Leak Prevention profile monitors and prevents unauthorized data exfiltration (e.g., credit card numbers, SSNs) and has no capability to detect phishing links or email-based threats.

150
MCQ · medium

A FortiGate administrator notices that traffic classified as 'unknown' by the antivirus is being allowed. The administrator wants to ensure that such files are submitted to FortiSandbox for analysis and blocked until a verdict is received. Which configuration is required?

A. Create a custom IPS signature for unknown files
B. Enable FortiSandbox in the antivirus profile and set 'Action for unknown files' to 'Block'
C. Enable outbreak prevention in the antivirus profile
D. Enable FortiSandbox in the antivirus profile and set 'Action for known files' to 'Block'
Answer: B

This configuration submits unknown files to FortiSandbox and blocks them until a verdict is returned.

Why this answer

Option B is correct because when FortiSandbox is enabled in the antivirus profile and 'Action for unknown files' is set to 'Block', the FortiGate will submit files that cannot be identified by the local antivirus engine to FortiSandbox for analysis. While the file is being analyzed, it is blocked from reaching the client, ensuring that no potentially malicious content is delivered until a verdict (clean or malicious) is received. This directly addresses the administrator's requirement to block unknown files pending sandbox analysis.

Exam trap

The trap here is that candidates often confuse 'Action for unknown files' with 'Action for known files' or mistakenly think that outbreak prevention (which uses FortiGuard outbreak signatures) is sufficient to block unknown files, when in fact only the sandbox integration with the 'Block' action provides the required submission and blocking behavior.

How to eliminate wrong answers

Option A is wrong because custom IPS signatures are designed to detect and block network-level attacks based on traffic patterns, not to handle unknown files identified by the antivirus engine; IPS does not integrate with FortiSandbox for file submission. Option C is wrong because outbreak prevention in the antivirus profile uses FortiGuard outbreak alerts to block files based on known outbreak signatures, but it does not submit unknown files to FortiSandbox or block them pending analysis; it relies on pre-existing outbreak intelligence. Option D is wrong because setting 'Action for known files' to 'Block' would block files that are already identified by the antivirus engine, which is the opposite of the requirement; the administrator needs to block unknown files, not known ones.
