Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 151-225

1000 questions total · 14 pages · All types, answers revealed

Page 3 of 14
151
MCQ (easy)

What does FortiGuard Outbreak Prevention use to protect against newly discovered malware outbreaks before traditional signatures are available?

A. Outbreak signatures and hash-based blocking
B. IP reputation and URL filtering
C. Heuristic analysis and emulation
D. Artificial intelligence and behavior analysis

Answer: A

Outbreak prevention uses hashes of malicious files identified during outbreaks.

Why this answer

FortiGuard Outbreak Prevention uses outbreak alerts and hashes from FortiSandbox and other sources to quickly block files.

152
MCQ (hard)

An administrator is troubleshooting an HA cluster (active-passive) where both units show 'primary' in 'get system ha status'. The cluster is not synchronizing configurations. What is the MOST likely cause?

A. The HA password is incorrect
B. The HA heartbeat interface is disconnected or misconfigured
C. The HA group ID is mismatched
D. The HA priority values are equal for both units

Answer: B

If heartbeat communication fails, each unit assumes the other is down and transitions to primary, causing a split-brain.

Why this answer

When both units claim to be primary, it indicates a split-brain scenario. This is typically caused by HA heartbeat failure, often due to a faulty or disconnected HA heartbeat interface.

153
Multi-Select (medium)

A company receives a threat intelligence feed that lists several IP addresses as malicious. The administrator wants to automatically block traffic from these IPs on FortiGate. Which TWO methods can achieve this? (Choose two.)

A. Enable FortiGuard Outbreak Prevention
B. Configure an external connector to a threat intelligence feed and map it to an address object
C. Use an automation stitch with a trigger that receives the feed and an action to update blocked IPs
D. Configure a firewall policy to deny all traffic from unknown sources
E. Create an address group and add the IPs manually

Answers: B, C

External connectors can pull threat feeds and update address objects automatically.

Why this answer

Threat feeds can be used to create dynamic address objects (via external connectors), or automation stitches can parse the feed and update a blocked IP list.

154
MCQ (easy)

What is the purpose of header and footer policies in a FortiManager policy package?

A. They are used for VDOM-specific policies that cannot be modified
B. They provide a way to group policies for reporting purposes
C. They define policies that are placed at the top (header) and bottom (footer) of the policy list when applied to a FortiGate
D. They allow policy packages to be installed in a specific sequence

Answer: C

Header policies are evaluated first, footer policies last, regardless of other policies.

Why this answer

Header and footer policies in FortiManager policy packages allow administrators to define policies that are automatically placed at the very top (header) and very bottom (footer) of the policy list when the package is installed on a FortiGate. This ensures that critical policies, such as default deny rules or inter-VDOM links, remain in a fixed position regardless of other policy changes. This mechanism is essential for maintaining a consistent security posture across managed FortiGates.

Exam trap

The trap here is that candidates often confuse header/footer policies with VDOM-specific policies or policy grouping, when in fact they are specifically designed to enforce a fixed policy order at the top and bottom of the policy list.

How to eliminate wrong answers

Option A is wrong because header and footer policies are not VDOM-specific; they are part of the policy package and can be modified like any other policy. Option B is wrong because header and footer policies are not used for grouping policies for reporting; reporting groups are handled via policy tags or separate grouping features. Option D is wrong because header and footer policies do not control the installation sequence of policy packages; installation sequence is managed by the 'Installation Order' setting in FortiManager, not by header/footer policies.

155
MCQ (medium)

An administrator wants to segment traffic between two departments (Engineering and Finance) using the same FortiGate. Each department must have its own routing table with overlapping IP addresses. Which feature should be enabled to achieve this without creating separate VDOMs?

A. VRF
B. Policy-based routing
C. Virtual IP (VIP)
D. Multiple VDOMs

Answer: A

VRF provides separate routing tables within a VDOM, allowing overlapping IP addresses.

Why this answer

VRF (Virtual Routing and Forwarding) allows multiple routing table instances within a single VDOM or global. It is ideal for network segmentation with overlapping IP spaces without the overhead of full VDOMs.

156
MCQ (easy)

What is the primary purpose of an administrative VDOM on a FortiGate?

A. To enable transparent mode operation
B. To increase the maximum number of firewall policies
C. To provide independent management and administrative access for different tenants or departments
D. To route traffic between different VDOMs

Answer: C

Why this answer

An administrative VDOM on a FortiGate provides independent management and administrative access for different tenants or departments. Each administrative VDOM has its own administrator accounts, authentication settings, and management interfaces (HTTPS, SSH, SNMP), allowing multi-tenant isolation without requiring separate physical firewalls. This is distinct from traffic-forwarding VDOMs, which handle data plane operations.

Exam trap

The trap here is confusing the management-plane isolation of an administrative VDOM with data-plane functions like inter-VDOM routing or transparent mode, leading candidates to select options that describe traffic forwarding or operational modes instead of administrative separation.

How to eliminate wrong answers

Option A is wrong because transparent mode operation is a per-VDOM setting (config system vdom edit <vdom> set mode transparent), not a purpose of an administrative VDOM; administrative VDOMs can operate in either transparent or NAT mode. Option B is wrong because the maximum number of firewall policies is limited by the FortiGate model and total VDOM resources, not by the presence of an administrative VDOM; an administrative VDOM does not increase policy limits. Option D is wrong because routing traffic between different VDOMs is accomplished via inter-VDOM links (config system vdom-link) or VDOM peering, not by an administrative VDOM, which is solely for management plane separation.

157
Multi-Select (medium)

A FortiGate administrator is troubleshooting a BGP session that fails to establish with a neighbor at 10.0.1.1. Running 'diagnose ip router bgp all' shows the neighbor state as 'Idle'. Which TWO commands should the administrator run NEXT to diagnose the issue?

A. show full-configuration router bgp
B. execute ping 10.0.1.1
C. diagnose ip router bgp all
D. diagnose sys session filter dport 179
E. get router info bgp summary

Answers: A, B

'show full-configuration router bgp' displays the complete BGP configuration, including neighbor IP, remote AS, and update-source, helping identify misconfiguration; 'execute ping 10.0.1.1' verifies basic reachability to the peer.

Why this answer

To diagnose BGP neighbor establishment issues, the administrator should check both the BGP configuration (including neighbor settings) and the network connectivity (e.g., TCP port 179) between peers.

158
MCQ (easy)

Which FortiAnalyzer feature allows administrators to create automated response actions triggered by specific log events, such as blocking an IP address when an intrusion is detected?

A. FortiView
B. Reports
C. Incidents
D. Playbooks

Answer: D

Playbooks automate response actions based on triggers.

Why this answer

Playbooks in FortiAnalyzer define automated workflows triggered by events, enabling actions like blocking IPs via FortiGate API calls.

159
MCQ (easy)

What is the primary purpose of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus features?

A. To remove potentially malicious content from documents and rebuild them as safe files
B. To convert files into PDF format for safer viewing
C. To detect zero-day malware using sandboxing
D. To block all files containing macros

Answer: A

CDR strips active content and reconstructs files to eliminate threats.

Why this answer

Content Disarm and Reconstruction (CDR) is designed to remove active or potentially malicious content—such as macros, scripts, embedded objects, and OLE links—from documents (e.g., Office files, PDFs) and then reconstruct them as sanitized, safe versions. This approach prevents threats like macro-based malware or exploit-laden attachments from reaching users, even if the file contains previously unknown (zero-day) payloads, by stripping the dangerous components rather than relying solely on signature-based detection.

Exam trap

The trap here is that candidates often confuse CDR with sandboxing or macro blocking, but CDR is a static sanitization technique that removes active content from files without detonating them, whereas sandboxing involves dynamic analysis and macro blocking is a simpler, all-or-nothing approach that CDR avoids by allowing safe use of the document.

How to eliminate wrong answers

Option B is wrong because CDR does not convert files to PDF format; it sanitizes the original file format (e.g., DOCX, XLSX, PDF) and returns a cleaned version in the same format, not a different one. Option C is wrong because CDR is not a sandboxing or dynamic analysis feature; it statically disarms content by removing active elements, whereas sandboxing (e.g., FortiSandbox) detonates files in a virtual environment to detect zero-day malware. Option D is wrong because CDR does not block all files containing macros; it removes the macros and other active content from the file and then delivers the sanitized file, allowing the document to be used safely without the macro functionality.

160
MCQ (medium)

An administrator wants to use BFD to detect failures in an OSPF neighbor relationship faster than OSPF hello timers. They configure 'config router ospf' and 'set bfd enable'. However, BFD sessions are not coming up. What is a possible reason?

A. The interface has 'set bfd enable' missing under config system interface
B. OSPF is configured with 'network point-to-multipoint'
C. The neighbor does not have BFD enabled on its OSPF configuration
D. The FortiGate's BFD transmit interval is set too high

Answer: A, C

Both the OSPF-level BFD setting and the interface-level BFD setting must be enabled. A missing interface-level setting can prevent BFD session establishment.

Why this answer

BFD requires that the interface has BFD enabled at the interface level and that the OSPF neighbor also supports BFD.

161
MCQ (medium)

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

A. The session has expired and is being removed
B. A UDP session on port 443 is being blocked
C. The firewall policy is incorrectly configured
D. A TCP session on port 443 has been active for 1 hour and will expire in 3599 seconds

Answer: D

The session is established and in state 01 (established).

Why this answer

Option D is correct because the output shows a TCP session (proto=6) on port 443 with a duration of 3600 seconds (1 hour) and an expire value of 3599 seconds, meaning the session has been active for 1 hour and will expire in 3599 seconds. The 'proto=6' indicates TCP, and 'proto_state=01' is the TCP established state, confirming an active TCP session.

Exam trap

The trap here is that candidates may misinterpret 'expire=3599' as the session expiring soon or already expired, when in fact it indicates the remaining time before timeout, and the session is still active with a duration of 3600 seconds.

How to eliminate wrong answers

Option A is wrong because the expire value of 3599 seconds indicates the session is still active and will expire in the future, not that it has expired and is being removed. Option B is wrong because proto=6 indicates TCP, not UDP, and the session is not being blocked; it is active. Option C is wrong because the output does not provide any information about firewall policy configuration; it only shows session state and timing details.

162
MCQ (easy)

An administrator wants to ensure that voice traffic (UDP 16384-32768) always uses the MPLS link, while internet-bound traffic uses broadband. Which SD-WAN feature should be configured to achieve this?

A. Performance SLA
B. SD-WAN member configuration
C. Load balancing algorithm
D. SD-WAN rule

Answer: D

SD-WAN rules control traffic steering based on criteria.

Why this answer

SD-WAN rules allow matching specific traffic patterns and forcing them to use particular members or strategies. The rule can match the voice traffic UDP port range and set the strategy to 'manual' or 'best quality' with preferred member as MPLS.

163
MCQ (medium)

A FortiGate administrator configures a hub-and-spoke ADVPN with OSPF over the VPN overlay. Spoke routers receive the OSPF default route from the hub, but cannot reach subnets behind other spokes. What configuration is missing?

A. IKEv2 is configured instead of IKEv1
B. The spokes have 'set auto-discovery-receiver enable' configured
C. OSPF is not configured to redistribute connected or static routes on the spokes
D. The hub has 'set auto-discovery-sender enable' configured

Answer: C

Each spoke must redistribute its local subnets into OSPF so the hub and other spokes learn them. Without redistribution, the hub only knows its own directly connected networks.

Why this answer

For ADVPN shortcut tunnels to be used for spoke-to-spoke traffic, the hub must have 'set auto-discovery-sender enable' and the spokes must have 'set auto-discovery-receiver enable'. Without these, traffic between spokes still goes through the hub, but if OSPF is not redistributing spoke routes properly, they may not be reachable.

164
MCQ (medium)

A FortiGate VPN tunnel shows 'phase1 negotiation failed' in the logs. The remote gateway is a third-party device. The debug command 'diagnose vpn ike config' shows mismatched proposals. Which setting is MOST likely incorrect on the FortiGate?

A. The pre-shared key
B. The local ID type
C. The encryption algorithm (e.g., AES256 vs 3DES)
D. The DPD configuration

Answer: C

Mismatched encryption algorithms cause phase1 failure.

Why this answer

Phase 1 negotiation fails when proposals do not match. Common causes include an encryption algorithm, hash, DH group, or lifetime mismatch. Option C is correct because the encryption algorithm is a key part of the proposal.

165
MCQ (medium)

An administrator wants to use FortiManager to deploy a common set of firewall rules to all VDOMs on a single FortiGate. The rules will be the same except for the source and destination addresses, which differ per VDOM. What FortiManager feature allows the administrator to reuse a policy package and customize per-VDOM objects?

A. Policy package header/footer
B. Automation stitches
C. Global ADOM
D. Meta fields

Answer: D

Meta fields act as variables that can be populated per-device, allowing a common policy package to be installed with different object values.

Why this answer

Meta fields in FortiManager allow you to define custom variables that can be assigned to managed devices or VDOMs. When a policy package is installed, these meta fields are substituted with the per-VDOM values, enabling the reuse of a single policy package with different source and destination addresses for each VDOM. This avoids the need to create separate policy packages for each VDOM.

Exam trap

The trap here is that candidates confuse Global ADOM with meta fields, thinking that global objects can be used to achieve per-VDOM customization, but Global ADOM only provides shared objects without variable substitution, whereas meta fields enable true per-VDOM customization within a single policy package.

How to eliminate wrong answers

Option A is wrong because policy package header/footer is used to add common configuration lines at the beginning or end of the policy package, not to customize per-VDOM objects like addresses. Option B is wrong because automation stitches are used to automate responses to events (e.g., logging, script execution), not for policy package reuse or object customization. Option C is wrong because a Global ADOM is used to manage global objects shared across multiple ADOMs, but it does not provide per-VDOM variable substitution within a single policy package.

166
MCQ (easy)

A FortiGate administrator wants to use BFD to quickly detect link failures in an SD-WAN deployment. Which statement about BFD configuration on FortiGate is correct?

A. BFD is enabled by default on all FortiGate interfaces
B. BFD can be configured under the interface or routing protocol to detect forwarding path failures
C. BFD sessions are established automatically when OSPF neighbors form
D. BFD uses performance SLA probes to determine link health

Answer: B

Why this answer

BFD (Bidirectional Forwarding Detection) is configured under the interface or routing protocol to provide fast failure detection. It is not enabled by default. Option A is incorrect because BFD must be explicitly configured.

Option C is incorrect because BFD uses its own dedicated sessions rather than piggybacking on OSPF hello intervals; forming an OSPF adjacency does not by itself create a BFD session. Option D is incorrect because BFD does not use performance SLA probes; SLAs are separate health checks.

167
MCQ (medium)

An enterprise FortiGate has multiple VDOMs. The administrator wants to allow traffic from VDOM A to reach servers in VDOM B without traversing an external router. Which configuration is required?

A. Place both VDOMs in the same VDOM group
B. Configure a static route in each VDOM pointing to the other VDOM's management IP
C. Create an inter-VDOM link using the 'config system interface' command with type 'vdom-link'
D. Enable VDOM forwarding in global settings

Answer: C

This creates a direct link between VDOMs, allowing routed traffic with firewall policies.

Why this answer

Option C is correct because inter-VDOM links are the native FortiGate mechanism for routing traffic between VDOMs without external hardware. Created via 'config system interface' with type 'vdom-link', they act as a direct Layer 3 connection between VDOMs, allowing traffic to flow internally through the FortiGate's backplane. This avoids the need for an external router or physical cabling.

Exam trap

The trap here is that candidates often confuse enabling VDOM forwarding (a global toggle) with creating the actual inter-VDOM link, assuming the toggle alone allows traffic to flow between VDOMs without an explicit interface configuration.

How to eliminate wrong answers

Option A is wrong because VDOM groups are used for administrative grouping or shared resources (like VDOMs in a security fabric), not for enabling Layer 3 traffic forwarding between VDOMs. Option B is wrong because static routes pointing to a VDOM's management IP would only reach the management interface, not forward data traffic to the other VDOM's networks; management IPs are not used for data-plane forwarding. Option D is wrong because VDOM forwarding (enabled via 'config system global' with 'vdom-forward') controls whether the FortiGate can forward traffic between VDOMs at all, but it does not create the actual link or interface needed for inter-VDOM communication; an inter-VDOM link is still required.

168
MCQ (medium)

A FortiGate is configured with SD-WAN and uses performance SLA to monitor link quality. The administrator sets the SLA threshold to jitter < 30ms. If a link has average jitter of 35ms, what is the status of that link in the SD-WAN health check?

A. Dead
B. Unavailable
C. Degraded
D. Alive

Answer: C

Degraded means the link does not meet one or more SLA thresholds.

Why this answer

When the measured jitter exceeds the threshold, the link is considered 'degraded' (or 'failed' depending on configuration) for that SLA. In SD-WAN, the member may still be used but with lower preference.

169
MCQ (medium)

A company uses FortiClient EMS for endpoint compliance and ZTNA tag assignment. An administrator wants to enforce that only endpoints with a ZTNA tag 'Compliant' can access a specific internal application through ZTNA. Which configuration is required on the FortiGate?

A. Create a ZTNA access proxy and a ZTNA policy that references the 'Compliant' tag
B. Add a firewall policy with source set to the tag object
C. Configure an SSL VPN portal and assign the tag as a group
D. Configure a security policy with FortiClient endpoint control

Answer: A

ZTNA access proxy and policy are used to publish applications; the policy can require specific tags.

Why this answer

ZTNA access proxy policies combine a firewall policy with ZTNA rules. The tag condition is defined in the ZTNA policy, which specifies the required ZTNA tags to allow access.

170
Multi-Select (hard)

An administrator is configuring FortiManager to manage a multi-VDOM FortiGate. The administrator wants to ensure that policy changes are not accidentally applied without review. Which THREE measures should be taken? (Choose three.)

A. Use the same password for all devices
B. Configure meta fields to track device location
C. Use install preview to review changes before deploying
D. Disable automatic policy installation
E. Enable ADOM locking to prevent concurrent modifications

Answers: C, D, E

Install preview shows the exact configuration changes that will be applied, allowing review.

Why this answer

To prevent accidental deployment, the administrator should use revision history to track changes, enable install preview to review changes before applying, and use ADOM locking to prevent multiple administrators from making concurrent changes. These features provide control and visibility.

171
Multi-Select (hard)

An administrator wants to implement ZTNA inline CASB to control access to a SaaS application (e.g., Office 365). Which three components are required for this setup? (Choose THREE)

A. FortiClient EMS for device posture and tag assignment
B. FortiGate with ZTNA proxy enabled
C. FortiNAC for network access control
D. A VPN tunnel between FortiGate and the SaaS provider
E. A ZTNA rule configured as an access proxy for the SaaS application

Answers: A, B, E

EMS provides device compliance and tags.

Why this answer

ZTNA inline CASB requires FortiGate as an inline proxy, FortiClient EMS for device posture and identity, and a ZTNA rule that proxies traffic to the SaaS application. Additionally, SSL deep inspection is required to decrypt and inspect traffic.

172
MCQ (easy)

A company has two internet connections: a primary fiber link (port1, 100 Mbps) and a backup DSL link (port2, 20 Mbps). They are using SD-WAN to load balance traffic based on volume, with a rule that sends 70% of traffic to port1 and 30% to port2. Recently, users report that video conferencing applications are experiencing high latency and jitter. The network team finds that the SD-WAN performance SLA for the fiber link shows 80% packet loss and high latency. The SD-WAN rule action is set to 'best quality' with a latency threshold of 150 ms. The current latency on port1 is 200 ms, and on port2 is 40 ms. What should the administrator do to ensure that video conferencing traffic uses the DSL link while the fiber link is degraded?

A. Increase the SLA latency threshold to 250 ms so that the fiber link is considered acceptable.
B. Change the SD-WAN rule action to 'lowest cost' to favor the DSL link.
C. Adjust the volume ratio to send 100% of traffic to port2 until the fiber link recovers.
D. No changes are needed; the SD-WAN rule with 'best quality' will automatically use port2 for new sessions because port1 does not meet the SLA.

Answer: D

Correct. With 'best quality' action, if a member fails SLA, new sessions will be directed to the best performing member.

Why this answer

Option D is correct because the SD-WAN rule action is set to 'best quality', which means the FortiGate will automatically steer new sessions away from any interface that fails the performance SLA. Since port1 has 80% packet loss and 200 ms latency (exceeding the 150 ms threshold), it is considered degraded, and new video conferencing traffic will be directed to port2 (40 ms latency) without manual intervention.

Exam trap

The trap here is that candidates often assume manual configuration (like changing thresholds or ratios) is required to fix a degraded link, when in fact the 'best quality' action with performance SLA already provides automatic failover to the best-performing link.

How to eliminate wrong answers

Option A is wrong because increasing the SLA latency threshold to 250 ms would make the degraded fiber link appear acceptable, causing traffic to continue using the high-latency, high-packet-loss link and defeating the purpose of SLA monitoring. Option B is wrong because changing the rule action to 'lowest cost' would select the link based on cost metrics (e.g., bandwidth cost), not performance, and the DSL link might not be the lowest cost; even if it were, this action does not consider SLA compliance for latency and jitter. Option C is wrong because manually adjusting the volume ratio to 100% on port2 is a static workaround that bypasses the dynamic SLA-based steering, which is less efficient and not necessary when the 'best quality' action already handles failover automatically.

173
MCQ (easy)

Which FortiGate command is used to view the current CPU usage of individual processes in real time?

A. diagnose sys session stat
B. get system performance status
C. diagnose sys top
D. diagnose hardware sysinfo memory

Answer: C

This shows real-time per-process CPU and memory usage.

Why this answer

Option C is correct. 'diagnose sys top' displays a top-like process list with CPU and memory usage.

174
MCQ (hard)

A FortiGate administrator receives an error during IPsec VPN configuration: 'Certificate validation failed: certificate uses weak key.' The admin is using a PKI certificate with RSA 2048-bit key. The FortiGate firmware is up-to-date. What is the MOST likely reason for this error?

A. The certificate has expired or is not yet valid.
B. The certificate's private key is not imported on the FortiGate.
C. The FortiGate has a security policy that rejects certificates with keys less than 3072 bits.
D. The certificate authority is not trusted by the FortiGate.

Answer: C

Why this answer

In recent FortiOS versions, a security hardening setting may require a minimum RSA key size of 3072 bits. RSA 2048 is considered weak by some compliance standards and may be blocked by the 'weak key' validation check. The admin can adjust the setting or use a stronger key.

175
MCQ (easy)

A FortiGate is configured with two ISPs in an SD-WAN. The administrator wants to use the link with the highest bandwidth for bulk downloads, but if that link fails, all traffic should automatically use the backup link. Which load balancing algorithm should be used?

A. Sessions
B. Volume
C. Spillover
D. Source-destination IP

Answer: C

Spillover uses a configured bandwidth threshold; traffic is sent to the primary link until it reaches the threshold, then spills over to the backup. If the primary fails, all traffic goes to backup.

176
Multi-Select (hard)

A FortiGate administrator uses FortiManager automation stitches to respond to a security incident. Which THREE components must be defined in an automation stitch? (Choose THREE.)

A. Trigger condition (e.g., an event or log)
B. A report template
C. A schedule for the stitch to run
D. Target devices (e.g., specific FortiGates)
E. Action (e.g., execute a CLI command, send email)

Answers: A, D, E

The trigger defines when the stitch runs.

Why this answer

Option A is correct because an automation stitch in FortiManager requires a trigger condition to define when the stitch should be activated. The trigger can be based on specific events, such as a log matching a predefined pattern or a FortiGate incident, which initiates the automated response workflow.

Exam trap

The trap here is that candidates often confuse automation stitches with scheduled tasks or report generation, mistakenly assuming that a schedule or report template is required, when in fact stitches are purely event-driven and require only a trigger, action, and target devices.

177
MCQ (easy)

In a multi-VDOM deployment, an administrator needs to centralize logging for all VDOMs. Which FortiGate feature should be used to send logs to a central FortiAnalyzer?

A. FortiGate Cloud
B. Global log settings
C. Syslog server
D. Log configuration under each VDOM's settings

Answer: D

Each VDOM can independently send logs to FortiAnalyzer using the config log fortianalyzer setting within the VDOM.

Why this answer

Option D is correct because in a multi-VDOM FortiGate deployment, each VDOM operates as an independent virtual firewall with its own log settings. To centralize logging to a FortiAnalyzer, you must configure the log settings individually under each VDOM, specifying the FortiAnalyzer as the log destination. This ensures that logs from all VDOMs are forwarded to the central FortiAnalyzer, as global log settings do not apply across VDOMs.

Exam trap

The trap here is that candidates assume global log settings apply to all VDOMs, but FortiGate treats each VDOM as an independent firewall with its own log configuration, so logging to FortiAnalyzer must be set per VDOM.

How to eliminate wrong answers

Option A is wrong because FortiGate Cloud is a cloud-based log management service, not a feature for sending logs to a central FortiAnalyzer in a multi-VDOM deployment. Option B is wrong because global log settings apply only to the management VDOM and do not propagate to other VDOMs; each VDOM requires its own log configuration. Option C is wrong because a syslog server is a generic log receiver, not a FortiAnalyzer, and using syslog would lose FortiAnalyzer-specific features like log correlation and reporting.

178
Drag & Drop (medium)

Drag and drop the steps to configure a FortiGate VDOM in multi-VDOM mode into the correct order.


Why this order

First enable VDOM mode globally, then create and assign interfaces, then configure each VDOM, then resource allocation.

179
MCQ (medium)

A FortiGate is configured with a WAF profile to protect a web server. The administrator notices that SQL injection attacks are still reaching the server despite the WAF being enabled. What is the MOST likely reason?

A. The SQL injection signature set is disabled in the WAF profile
B. The attack is coming from a trusted IP
C. The web server is using HTTPS without SSL inspection
D. The WAF profile is not applied to the correct policy

Answer: A

WAF signatures are organized in groups; SQL injection must be enabled.

Why this answer

The WAF profile contains signature sets that detect and block common attack patterns, including SQL injection. If the SQL injection signature set is disabled within the profile, the WAF will not inspect traffic for those patterns, allowing attacks to pass through. This is the most direct and likely reason why SQL injection attacks are reaching the server despite the WAF being enabled.

Exam trap

The trap here is that candidates often assume a WAF profile is a monolithic block of protection, but FortiGate allows granular disabling of individual signature sets, and the exam tests whether you understand that a disabled signature set is the most direct cause of a specific attack type bypassing the WAF.

How to eliminate wrong answers

Option B is wrong because a trusted IP exception would only bypass WAF inspection for traffic from that specific source; it would not explain why SQL injection attacks from other sources are still reaching the server. Option C is wrong because HTTPS without SSL inspection means the WAF cannot decrypt the payload, but FortiGate can still inspect encrypted traffic using certificate-based inspection or flow-based inspection with SSL offloading; the lack of SSL inspection would block all inspection, not just SQL injection. Option D is wrong because if the WAF profile were not applied to the correct policy, no WAF inspection would occur at all, and the administrator would likely see no WAF-related logs or blocking; the question states the WAF is enabled, implying it is applied somewhere.

180
MCQmedium

A FortiGate running FortiOS 7.4.1 has two VDOMs: CustomerA and CustomerB. The administrator wants CustomerA to access an HTTP server in CustomerB. Both VDOMs have appropriate policies. What additional configuration is required?

A.Configure a VDOM link between CustomerA and CustomerB
B.Create a policy allowing traffic from CustomerA to CustomerB
C.Enable inter-VDOM routing under system settings
D.Assign both VDOMs to the same administrative domain in FortiManager
AnswerA

A VDOM link is a virtual interface pair that connects VDOMs.

Why this answer

A VDOM link is required to enable Layer-2 or Layer-3 connectivity between two VDOMs on the same FortiGate. Without a VDOM link, the VDOMs are isolated from each other, even if policies exist. The VDOM link acts as a virtual interface pair that forwards traffic between CustomerA and CustomerB, allowing the HTTP server access.

Exam trap

The trap here is that candidates assume inter-VDOM policies alone suffice, forgetting that VDOMs are fully isolated routing domains requiring a dedicated link (VDOM link) to exchange traffic.

How to eliminate wrong answers

Option B is wrong because policies alone cannot forward traffic between VDOMs; inter-VDOM traffic needs a VDOM link to provide the logical path (and, once the link exists, a policy in each VDOM plus a route pointing at the link interface). Option C is wrong because there is no global inter-VDOM routing switch; the link is created once in the global configuration (config system vdom-link) and each of its two endpoint interfaces is then assigned to a VDOM. Option D is wrong because FortiManager administrative domains are management constructs for centralized device management, not for enabling data-plane traffic between VDOMs on a single FortiGate.

181
MCQeasy

A FortiGate administrator needs to identify which process is consuming the most memory. Which command should be used?

A.diagnose sys top
B.show system resource usage
C.diagnose hardware sysinfo memory
D.get system performance status
AnswerA

This command displays processes and memory usage; pressing 'm' sorts by memory.

Why this answer

The 'diagnose sys top' command shows processes sorted by CPU usage by default; pressing 'm' changes sort to memory usage.

182
Multi-Selectmedium

An administrator is troubleshooting a BGP session that is not establishing between two FortiGates. The administrator has verified that the neighbor IP is reachable. Which TWO commands should be used to further diagnose the issue? (Choose two.)

Select 2 answers
A.get router info bgp neighbor <IP>
B.diagnose debug flow filter daddr <IP>
C.get router info routing-table bgp
D.diagnose sys session filter dport 179
E.diagnose ip router bgp all enable
AnswersA, E

This command shows BGP session state and counters, useful for troubleshooting.

Why this answer

Options A and E are correct. 'get router info bgp neighbors <IP>' (spelled 'neighbors' on the FortiOS CLI) shows the session state, timers, counters and the last NOTIFICATION received, and 'diagnose ip router bgp all enable' followed by 'diagnose debug enable' prints the OPEN/KEEPALIVE exchange so you can see where negotiation stops (AS mismatch, capability mismatch, TTL). Option D only confirms whether a TCP session to port 179 exists, which the neighbor state already tells you; options B and C look at forwarding and installed routes rather than at session establishment.

183
MCQhard

A FortiGate administrator observes the following CLI output from 'diagnose vpn ike gateway list': vd: root/0 name: VPN_TO_HUB version: IKEv2 status: up mode: main DPD: on ... Number of IPsec tunnels: 1 name: phase2_tunnel status: up inbound: 0 bytes outbound: 0 bytes The tunnel shows up but no traffic is passing. What is the MOST likely cause?

A.Firewall policies are not configured to permit traffic through the VPN tunnel
B.Dead Peer Detection is disabled
C.The phase1 proposal is mismatched
D.The tunnel is in 'down' status
AnswerA

Without policies, traffic is dropped, resulting in zero bytes.

Why this answer

The output shows the IKE gateway is up but the IPsec tunnel has zero traffic. This often indicates a policy or routing misconfiguration. The most common cause is missing firewall policies to allow traffic through the tunnel. Check next that a route (static, or derived from the phase2 selectors) sends the remote subnet to the tunnel interface: a missing route produces the same zero-byte counters, because traffic never reaches the tunnel to be counted.

184
Multi-Selectmedium

A FortiGate is configured as the SAML Identity Provider (IdP) for a cloud application. The administrator wants to enforce device compliance as part of authentication. Which THREE steps must be taken?

Select 3 answers
A.Enable 'require-device-compliance' in the SAML IdP settings
B.Configure a ZTNA tag for compliance
C.Create a firewall policy allowing SAML traffic
D.Set up a VPN tunnel to the cloud application
E.Integrate FortiClient EMS with the FortiGate
AnswersA, B, E

Why this answer

To enforce device compliance during SAML authentication, the FortiGate IdP must have device compliance enabled, integrate with FortiClient EMS to receive posture data, and use ZTNA tags to define compliance requirements.

185
Multi-Selecthard

A FortiGate is in a multi-area OSPF environment. The administrator needs to redistribute connected routes from area 1 into OSPF. Which THREE steps are required? (Choose three.)

Select 3 answers
A.Configure the connected interfaces as OSPF passive interfaces.
B.Configure 'redistribute connected' under the OSPF configuration.
C.Create a route map to filter which connected routes are redistributed.
D.Set the 'redistribute connected' metric and metric-type.
E.Enable 'default-information originate' to advertise a default route.
AnswersB, C, D

Redistribution of connected routes must be enabled in the OSPF process.

Why this answer

To redistribute connected routes into OSPF, you need to enable redistribution, optionally filter with a route map, and set the metric and metric-type to ensure proper route advertisement.

186
MCQhard

An organization has multiple ADOMs in FortiManager. The admin wants to share a set of firewall objects across all ADOMs. What is the best approach?

A.Create a meta field and assign objects
B.Use the Global ADOM to create global objects
C.Manually recreate the objects in each ADOM
D.Enable object sharing in the system settings
AnswerB

Global ADOM objects are accessible from regular ADOMs.

Why this answer

The Global ADOM in FortiManager is specifically designed to create and manage global objects (such as address objects, services, and schedules) that can be shared across all regular ADOMs. When an object is created in the Global ADOM, it is automatically available in all ADOMs that are linked to it, eliminating the need for duplication. This is the only native, supported method for sharing objects across multiple ADOMs in FortiManager.

Exam trap

The trap here is that candidates may confuse the Global ADOM with a regular ADOM or think that a simple system setting can enable object sharing, when in fact the Global ADOM is a distinct, purpose-built feature for cross-ADOM object sharing.

How to eliminate wrong answers

Option A is wrong because meta fields are used for custom metadata tagging and filtering of objects within an ADOM, not for sharing objects across ADOMs. Option C is wrong because manually recreating objects in each ADOM is inefficient, error-prone, and defeats the purpose of centralized management with FortiManager. Option D is wrong because FortiManager does not have a system-level 'object sharing' toggle; object sharing is achieved exclusively through the Global ADOM mechanism.

187
Multi-Selecteasy

A FortiGate administrator wants to use FortiAnalyzer to view traffic logs from multiple VDOMs. Which TWO steps must the administrator perform on FortiAnalyzer?

Select 2 answers
A.Install a security profile on FortiAnalyzer
B.Add the FortiGate as a device in FortiAnalyzer
C.Create a separate ADOM for each VDOM
D.Configure the FortiGate to send logs to FortiAnalyzer
E.Enable FortiAnalyzer's built-in firewall
AnswersB, D

Device registration is required.

Why this answer

Option B is correct because FortiAnalyzer must have the FortiGate added as a managed device in order to receive and process logs from it. This registration establishes the trust relationship and log-receiving configuration between the two systems.

Exam trap

The trap here is that candidates often think a separate ADOM is mandatory for each VDOM, but FortiAnalyzer can consolidate logs from multiple VDOMs into a single ADOM, and the key requirement is simply adding the FortiGate as a device and configuring log forwarding.

188
MCQmedium

A security administrator wants to block email spoofing attacks against their organization's domain. They configure SPF, DKIM, and DMARC records. Which protocol authenticates the domain of the email sender by verifying the email's signature against a public key published in DNS?

A.SPF
B.ARC
C.DKIM
D.DMARC
AnswerC

DKIM signs emails with a private key; the public key in DNS verifies the signature.

Why this answer

DKIM (DomainKeys Identified Mail) is the correct answer because it provides email authentication by allowing the sender to cryptographically sign an email with a private key. The receiving mail server then retrieves the sender's public key from a DNS TXT record and verifies the signature, confirming that the email was not tampered with and originates from a domain the sender is authorized to use.

Exam trap

The trap here is that candidates often confuse SPF's IP-based verification with DKIM's cryptographic signature verification, or they assume DMARC performs the actual authentication, when in fact DMARC only enforces policies based on SPF and DKIM results.

How to eliminate wrong answers

Option A is wrong because SPF (Sender Policy Framework) authenticates the sending server's IP address against a list of authorized IPs published in DNS, not by verifying a cryptographic signature. Option B is wrong because ARC (Authenticated Received Chain) is a protocol that preserves email authentication results across intermediate hops (forwarders or mailing lists), but it does not itself authenticate the original sender's domain via a signature. Option D is wrong because DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy framework that uses SPF and DKIM results to instruct receivers on how to handle unauthenticated email (e.g., quarantine or reject), but it does not perform signature verification itself.

189
Multi-Selectmedium

An enterprise FortiGate has multiple VDOMs. The security policy requires that all traffic between VDOMs must be inspected by a next-generation firewall profile. Which three steps are necessary to achieve this? (Choose three.)

Select 3 answers
A.Ensure routing is properly configured to forward traffic through the inter-VDOM link
B.Place both VDOMs in the same ADOM in FortiManager
C.Enable VDOM inspection mode in global settings
D.Configure a firewall policy on the inter-VDOM link with the required security profile
E.Create an inter-VDOM link between the VDOMs
AnswersA, D, E

Routes direct traffic to the link interface.

Why this answer

Option A is correct because for traffic to traverse between VDOMs via an inter-VDOM link, proper routing must be configured in each VDOM to forward traffic through the inter-VDOM link interface. Without correct routing entries (static or dynamic), packets will not be directed to the inter-VDOM link, and the next-generation firewall profile cannot be applied.

Exam trap

The trap here is that candidates look for a global 'VDOM inspection mode' switch. There is none: flow versus proxy inspection is chosen per policy (per VDOM on older releases), and it only decides how a policy inspects, not whether inter-VDOM traffic is inspected. Profiles are enforced by whichever policy matches the session on each side of the link, so attach them on one side and let the other side simply accept, or the same stream is scanned twice.

190
MCQeasy

Which feature on FortiGate uses machine learning to detect never-before-seen malware based on file characteristics?

A.Machine Learning Engine
B.Outbreak Prevention
C.FortiSandbox
D.Content Disarm and Reconstruction
AnswerA

ML engine detects unknown malware based on file features.

Why this answer

The Machine Learning (ML) Engine in FortiGate's antivirus uses ML to detect unknown malware.

191
MCQmedium

An administrator uses FortiManager to deploy a new security policy to a remote FortiGate. The administrator selects 'Install Preview' and sees that the policy will be created. After confirming, the installation fails with 'Device not reachable'. What is the most likely reason?

A.The FortiGate has insufficient memory
B.The policy package is locked by another administrator
C.The FortiGate's configuration revision has changed since the last sync
D.The FortiGate is behind a NAT device that blocks FGFM traffic
AnswerD

FGFM uses TCP 541, which must be allowed and reachable.

Why this answer

The 'Device not reachable' error during an Install Preview operation indicates that FortiManager cannot establish or maintain the FGFM (FortiGate-to-FortiManager) tunnel with the remote FortiGate. When the FortiGate is behind a NAT device, the NAT may alter the source IP or port of FGFM traffic, causing the tunnel to break or preventing the FortiManager from reaching the FortiGate's management IP. This is the most common cause of such reachability failures in remote deployments.

Exam trap

The trap here is that candidates often confuse a 'Device not reachable' error with configuration or policy issues, such as memory or lock conflicts, when the root cause is almost always a network connectivity problem, specifically related to NAT or firewall rules blocking FGFM traffic.

How to eliminate wrong answers

Option A is wrong because insufficient memory on the FortiGate would typically cause a different error, such as 'out of memory' or a failure during policy installation, not a 'Device not reachable' error which is a connectivity issue. Option B is wrong because a locked policy package prevents changes or installation, but the error would be 'Policy package locked' or similar, not a device reachability failure. Option C is wrong because a configuration revision change since the last sync would cause a 'revision conflict' or 'out of sync' error during installation, not a 'Device not reachable' error, which is purely about network connectivity.

192
MCQmedium

A FortiGate has two equal-cost paths to a destination network through two different ISPs. The administrator wants to load balance traffic across both links using ECMP, but notices that all traffic uses only one link. What should the administrator check first?

A.Check that both routes have the same administrative distance and priority
B.Configure 'set v4-ecmp-mode' to 'source-ip-based'
C.Verify that 'set load-balance-eligible' is enabled on both WAN interfaces
D.Disable 'anti-replay' on the security policy
AnswerA

ECMP requires equal cost; if distances differ, the lower distance route is preferred.

Why this answer

ECMP requires that the candidate routes have the same prefix, distance and priority; if either differs, only the preferred route is installed and the other becomes a backup. Once both are installed, the default v4-ecmp-mode is source-ip-based, so every session from one client IP sticks to one link; with a single test client, or a NAT gateway in front of the FortiGate, that looks like 'only one link is used' even though ECMP is working. Switching to source-dest-ip-based, weight-based or usage-based (set v4-ecmp-mode under config system settings) changes the spread; when SD-WAN is enabled, the load-balance-mode in config system sdwan takes over instead.

193
Multi-Selectmedium

A FortiGate administrator wants to integrate FortiClient EMS with FortiGate for ZTNA. Which TWO components must be configured on FortiGate to enable ZTNA access?

Select 2 answers
A.A ZTNA proxy policy
B.A firewall policy to allow traffic from ZTNA proxy to internal servers
C.A ZTNA proxy (gateway) configuration
D.A ZTNA tag on the application server
E.FortiClient EMS registration on FortiGate
AnswersA, C

The proxy policy defines which users and devices can access which applications based on tags.

Why this answer

ZTNA requires a proxy policy to define access rules and a ZTNA proxy/gateway to terminate user connections. Tags and EMS are configured separately.

194
MCQmedium

An administrator configures FortiSandbox inline scanning for HTTP traffic. They notice that files uploaded via HTTP are being scanned but no verdict is being returned, causing delays. What is the MOST likely cause?

A.The FortiSandbox has reached its maximum storage capacity
B.The FortiSandbox is not registered with the FortiGate
C.The file scan timeout is too short, causing FortiGate to pass the file before a verdict is received
D.The file type is not supported by FortiSandbox
AnswerC

If FortiSandbox takes longer than the configured timeout, FortiGate allows the file to pass without a verdict.

Why this answer

When FortiGate sends a file to FortiSandbox for inline scanning, it waits for a verdict before allowing the traffic to proceed. If the file scan timeout is too short, FortiGate will stop waiting for the verdict and pass the file anyway, causing the observed delay without a final verdict. This is the most likely cause because the administrator sees scanning occurring but no verdict returned, which aligns with a premature timeout rather than a failure to scan.

Exam trap

The trap here is that candidates often assume a missing verdict is due to a registration or capacity issue, but the question specifically states scanning is occurring, which eliminates options A and B, and the delay points directly to a timeout configuration problem.

How to eliminate wrong answers

Option A is wrong because if the FortiSandbox had reached maximum storage capacity, it would typically reject new submissions or fail to store results, but the file would still be scanned or an error would be returned, not a delay without verdict. Option B is wrong because if the FortiSandbox were not registered with the FortiGate, the FortiGate would not be able to send files for scanning at all, so no scanning would occur. Option D is wrong because if the file type were not supported, FortiSandbox would either skip the file or return an unsupported verdict quickly, not cause a delay without a verdict.

195
MCQmedium

An administrator is configuring SD-WAN with multiple members. When a rule matches, traffic is not being load-balanced as expected. Which command should the admin use to verify the SD-WAN rule selection for a specific flow?

A.diagnose sys session list
B.get system sdwan status
C.diagnose netlink interface list
D.diagnose sys sdwan info
AnswerD

This command displays SD-WAN rules, members, and their status, aiding in rule selection verification.

Why this answer

The keyed answer is 'diagnose sys sdwan info'. In day-to-day work, the commands that show rule and member selection are 'diagnose sys sdwan service' (each rule with its member order, SLA state and hit counts), 'diagnose sys sdwan member' and 'diagnose sys sdwan health-check'; to see which rule a specific flow actually matched, run 'diagnose debug flow' with a source or destination filter, which reports the SD-WAN rule chosen for the session.

196
MCQhard

An administrator has configured two VDOMs on a FortiGate. One VDOM is in NAT mode and the other in transparent mode. The administrator wants traffic from the transparent mode VDOM to be routed through the NAT mode VDOM. What must be configured to allow inter-VDOM routing?

A.Use a physical interface to connect the VDOMs
B.Create an inter-VDOM link
C.Enable NPU offloading
D.Configure firewall policies between the VDOMs
AnswerB

Inter-VDOM links enable routing between VDOMs.

Why this answer

Inter-VDOM routing between VDOMs in different modes (NAT and transparent) requires a dedicated inter-VDOM link (IVL), which is a virtual internal connection that allows traffic to pass between VDOMs without consuming physical ports. The IVL creates a pair of virtual interfaces, one in each VDOM, and firewall policies must be configured to permit traffic across them. This is the only method that supports routing between VDOMs of different modes on the same FortiGate.

Exam trap

The trap here is that candidates assume firewall policies alone can route traffic between VDOMs, but without an inter-VDOM link, the VDOMs are completely isolated and cannot exchange any traffic regardless of policy configuration.

How to eliminate wrong answers

Option A is wrong because using a physical interface to connect VDOMs is unnecessary and inefficient; inter-VDOM links are virtual and avoid wasting physical ports. Option C is wrong because NPU offloading is a hardware acceleration feature for packet processing, not a mechanism for enabling inter-VDOM routing. Option D is wrong because firewall policies alone cannot enable inter-VDOM routing; they are required after the inter-VDOM link is created to allow traffic, but the link itself is the fundamental connectivity component.
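An added configuration example (not from the original questions or from Fortinet documentation) that ties questions 180, 189 and 196 together: the VDOM link is created once at global scope, each endpoint is assigned to a VDOM, and each VDOM then needs its own route and policy. VDOM names, interface names, addresses and the address objects CustA_LAN and CustB_web are assumptions; address objects are per-VDOM, so they must exist in both VDOMs.

```text
# Global scope: create the link and assign each end to a VDOM. For a NAT-to-NAT
# link both ends get an address. When one end is a transparent VDOM (question 196)
# that end carries no IP and the NAT side's address is the transparent side's
# next hop.
config global
    config system vdom-link
        edit "ivl"
            set type ethernet
        next
    end
    config system interface
        edit "ivl0"
            set vdom "CustomerA"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "ivl1"
            set vdom "CustomerB"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

config vdom
    # CustomerA: route the server subnet into the link and inspect on the way out.
    edit "CustomerA"
        config router static
            edit 0
                set dst 192.168.20.0 255.255.255.0
                set gateway 10.255.0.2
                set device "ivl0"
            next
        end
        config firewall policy
            edit 0
                set name "A-to-B-http"
                set srcintf "port2"
                set dstintf "ivl0"
                set srcaddr "CustA_LAN"
                set dstaddr "CustB_web"
                set action accept
                set schedule "always"
                set service "HTTP"
                set utm-status enable
                set ips-sensor "default"
                set av-profile "default"
                set logtraffic all
            next
        end
    next
    # CustomerB: return route to the client subnet and a plain accept from the
    # link. No second profile set here, so the stream is not scanned twice.
    edit "CustomerB"
        config router static
            edit 0
                set dst 192.168.10.0 255.255.255.0
                set gateway 10.255.0.1
                set device "ivl1"
            next
        end
        config firewall policy
            edit 0
                set name "from-A-http"
                set srcintf "ivl1"
                set dstintf "port3"
                set srcaddr "CustA_LAN"
                set dstaddr "CustB_web"
                set action accept
                set schedule "always"
                set service "HTTP"
                set logtraffic all
            next
        end
    next
end
```

To confirm the path, run `get router info routing-table all` inside each VDOM (the other side's subnet must point at the ivl interface) and `diagnose sniffer packet ivl0 'port 80' 4` while a client connects; if packets appear on ivl0 but the session is dropped in CustomerB, the missing piece is the policy or route on that side.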

197
Multi-Selecthard

A FortiGate is configured with OSPF in a multi-area design. An administrator needs to redistribute static routes from another router into OSPF on the FortiGate, but only for prefixes that match a route map. The administrator has configured 'config router ospf' with 'redistribute static route-map RM_STATIC'. However, the static routes are not appearing in the OSPF database. Which THREE troubleshooting steps should the administrator take?

Select 3 answers
A.Verify that OSPF is enabled on at least one interface (config router ospf -> network)
B.Verify that the route map 'RM_STATIC' exists and has appropriate match and set statements
C.Check if a prefix-list is applied that filters the redistributed routes
D.Run 'get router info ospf route' to see the redistributed routes in the routing table
E.Confirm that 'redistribute' is configured under the OSPF process, not just under the router
AnswersB, D, E

If the route map doesn't exist or lacks match conditions, redistribution fails.

Why this answer

The keyed answers are B, D and E. Redistribution is configured inside the OSPF process as 'config redistribute "static"' with 'set status enable'; naming a route map there without enabling the entry (option E) is the most common mistake. If the route map does not exist, or its rule has no match statement, or references a prefix-list or access-list that matches nothing, no static route passes the filter (option B). Option D verifies the result: the static routes must be active in the routing table ('get router info routing-table static') before they can be redistributed, and the OSPF database should then show them as Type-5 external LSAs. Metric and metric-type are optional; defaults apply when they are omitted.

Option A is a reasonable sanity check (without a network statement or OSPF interface there is no adjacency to advertise to), but it is not specific to the redistribution symptom. Option C concerns prefix-lists, which the route map may reference but which are not a separate step in this configuration.
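An added configuration example (not part of the original questions or of any Fortinet document) covering both redistribution scenarios: connected routes with an explicit metric and metric type (question 185) and static routes filtered through a route map (question 197), followed by the verification commands. Router ID, area, prefixes and the names PL_STATIC and RM_STATIC are assumptions.

```text
# Filter: only static prefixes inside 172.16.0.0/16, no longer than /24.
config router prefix-list
    edit "PL_STATIC"
        config rule
            edit 1
                set action permit
                set prefix 172.16.0.0 255.255.0.0
                set le 24
            next
        end
    next
end

# Route map with a match statement; a rule with no match would permit everything.
config router route-map
    edit "RM_STATIC"
        config rule
            edit 1
                set action permit
                set match-ip-address "PL_STATIC"
                set set-metric 50
            next
        end
    next
end

config router ospf
    set router-id 10.0.1.1
    config area
        edit 0.0.0.1
        next
    end
    config network
        edit 1
            set prefix 10.0.1.0 255.255.255.0
            set area 0.0.0.1
        next
    end
    # Question 185: connected routes as Type-1 externals with metric 20.
    # Interfaces already covered by a network statement are advertised as
    # intra-area routes, not as externals.
    config redistribute "connected"
        set status enable
        set metric 20
        set metric-type 1
    end
    # Question 197: "set status enable" is the line most often missing when the
    # route map is referenced but nothing shows up in the database.
    config redistribute "static"
        set status enable
        set metric-type 2
        set routemap "RM_STATIC"
    end
end

# Verification, in this order: the static routes must be active in the RIB first,
# then they appear as Type-5 external LSAs, then neighbors learn them.
get router info routing-table static
get router info ospf database
get router info ospf route
```

The route map's `set set-metric 50` overrides the metric for the static prefixes it permits; the connected entry keeps its own metric because no route map is attached to it.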

198
MCQhard

You are troubleshooting a BGP session between FortiGate and an ISP router. The FortiGate shows BGP state 'Active' and the debug output shows 'No route to peer'. The ISP router's loopback IP is 203.0.113.1, and the next-hop interface is port1 (10.0.0.1/30). The FortiGate has a static route to 203.0.113.1 via port1. What is the MOST likely cause?

A.The BGP neighbor IP is not reachable due to an ACL on the ISP router
B.The BGP update-source is set to a different interface
C.The static route's outgoing interface (port1) is administratively down
D.The BGP configuration has 'next-hop-self' disabled
AnswerC

If port1 is down, the static route is removed from the routing table, causing 'No route to peer'.

Why this answer

The 'No route to peer' message indicates FortiGate cannot find a route to the peer IP. Even though a static route exists, if the route's outgoing interface is down, it's not in the routing table. Option C is correct because a down interface invalidates the static route.
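An added troubleshooting sequence (not part of the original questions or of Fortinet documentation) for questions 182 and 198, run inside the VDOM that owns the BGP process. The neighbor address 10.0.0.2, the peer loopback 203.0.113.1 and the interface port1 are assumptions carried over from the question text.

```text
# 1. Session state at a glance (Idle / Connect / Active / OpenSent / OpenConfirm / Established)
get router info bgp summary

# 2. Per-neighbor detail: state, timers, message counters, last NOTIFICATION
get router info bgp neighbors 10.0.0.2

# 3. "No route to peer" (question 198): is the peer address actually in the RIB,
#    and is the egress interface up? A static route whose interface is down is
#    not installed, so the configured route alone proves nothing.
get router info routing-table details 203.0.113.1
get system interface physical

# 4. Live negotiation debug for a stuck session; keep it short and switch it off.
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable
# ... wait for the OPEN / NOTIFICATION messages, then:
diagnose debug disable
diagnose ip router bgp all disable

# 5. Once the cause is fixed, reset the session rather than waiting for the
#    connect-retry timer.
execute router clear bgp ip 10.0.0.2
```

Step 3 is the one that distinguishes "route exists in the configuration" from "route is installed": if `routing-table details` reports no route while `show router static` shows one via port1, look at the interface state before touching BGP.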

199
MCQhard

A FortiGate in transparent mode is deployed between a router and a switch. The administrator needs to apply a deep inspection profile to HTTP traffic. What is the correct configuration for the interfaces?

A.Configure a management IP on the VDOM and apply the inspection profile to the policy
B.Place both interfaces in the same VDOM and enable DHCP
C.Switch to NAT mode to enable deep inspection
D.Assign IPs to both interfaces and create a policy from LAN to WAN
AnswerA

The VDOM management IP provides connectivity; policies inspect traffic on the bridge.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge, so interfaces do not require IP addresses. Deep inspection of HTTP traffic is applied via a firewall policy that references a deep inspection profile, and a management IP must be configured on the VDOM to allow the FortiGate to participate in management traffic (e.g., DNS, NTP, or proxy operations). Option A correctly identifies that the management IP is set on the VDOM and the inspection profile is applied to the policy.

Exam trap

The trap here is that candidates assume transparent mode cannot perform deep inspection because it lacks routed interfaces, but FortiGate supports full UTM inspection in transparent mode via the management IP and policy-based profiles.

How to eliminate wrong answers

Option B is wrong because placing both interfaces in the same VDOM is correct for transparent mode, but enabling DHCP is unnecessary and irrelevant—transparent mode interfaces do not require IP addresses or DHCP services. Option C is wrong because deep inspection is fully supported in transparent mode; switching to NAT mode is not required and would change the FortiGate's Layer 2 behavior. Option D is wrong because assigning IPs to both interfaces is not valid in transparent mode—interfaces remain without IPs, and policies are created using the management IP, not LAN-to-WAN direction.

200
MCQhard

A FortiGate is configured with an SD-WAN rule using 'spillover' algorithm. The primary member has a spillover threshold of 100 Mbps. Traffic of 80 Mbps is currently flowing through the primary member. A new session requiring 30 Mbps arrives. What will happen?

A.The new session is sent to the primary member because the current load is below the threshold.
B.The new session is sent to the secondary member because the primary threshold would be exceeded.
C.The new session is dropped because no member can handle it.
D.The primary member's threshold is dynamically increased.
AnswerB

Spillover sends the session to the next available member when adding it would exceed the threshold.

Why this answer

Spillover directs the new session to the secondary member because the primary's current load (80 Mbps) plus the new session (30 Mbps) would exceed the threshold (100 Mbps). That is the exam model. On a real FortiGate the spillover (usage-based) algorithm compares measured throughput on the member against its threshold, set in kbps per SD-WAN member, and cannot know a new session's bandwidth in advance, so new sessions keep landing on the primary until its measured traffic actually crosses the threshold.
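An added configuration example (not from the original questions or from Fortinet documentation) that serves questions 192, 195 and 200: plain ECMP over two static routes, the same two links as SD-WAN members with spillover, and the commands used to verify which rule and member a flow lands on. Interface names, gateways, the address object LAN_all and the client address 192.168.1.50 are assumptions.

```text
# (a) ECMP without SD-WAN (question 192): both routes need the same prefix,
#     distance and priority, otherwise only the preferred one is installed.
config system settings
    set v4-ecmp-mode source-ip-based
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 1
    next
end
# Both next hops must appear under the same 0.0.0.0/0 entry.
get router info routing-table all

# (b) The same links as SD-WAN members with spillover (question 200). In SD-WAN
#     the algorithm is called usage-based; the threshold is per member, in kbps,
#     and is compared against measured throughput.
config system sdwan
    set status enable
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
            set spillover-threshold 100000
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
            set spillover-threshold 100000
        next
    end
    config service
        edit 1
            set name "internet-lb"
            set mode load-balance
            set src "LAN_all"
            set dst "all"
            set priority-members 1 2
        next
    end
end

# (c) Verifying rule and member selection (question 195): rule list with member
#     order and SLA state, then the per-flow decision for one client.
diagnose sys sdwan service
diagnose sys sdwan member
diagnose debug flow filter saddr 192.168.1.50
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 10
diagnose debug disable
```

With the ECMP mode left at source-ip-based, a single test client will always use one link; test from two client addresses, or switch to source-dest-ip-based, before concluding that load balancing is broken.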

201
MCQmedium

An administrator is configuring a firewall policy for web traffic to a critical web application. They want to protect against SQL injection and cross-site scripting. Which security profile should they apply?

A.Antivirus profile with CDR
B.Application control profile
C.Web Application Firewall (WAF) profile
D.IPS sensor with pre-defined signatures
AnswerC

WAF is built for web application threats including SQL injection and XSS.

Why this answer

Option C is correct. Web Application Firewall (WAF) on FortiGate provides signature-based and anomaly-based detection for web application attacks like SQL injection and XSS; IPS signatures cover some of the same payloads, but the WAF profile is the control built for this purpose, and it requires a proxy-based policy.

202
MCQmedium

A FortiGate has multiple VDOMs. The administrator notices that traffic from VDOM-1 to VDOM-2 is allowed by inter-VDOM policies but is not being inspected by the security profiles. What is the most likely cause?

A.The security profiles are applied only on the egress VDOM
B.The traffic is using a bypass path due to asymmetric routing
C.The VDOMs are in different virtual routers
D.The VDOM link is configured as a signal interface
AnswerA

Correct.

Why this answer

Inter-VDOM traffic is matched by two policies: one in VDOM-1 (ingress interface to the link) and one in VDOM-2 (link to the server interface). Each VDOM enforces only the profiles attached to its own matching policy. In the keyed scenario the profiles sit on only one of the two policies (the egress VDOM's), so the VDOM-1 policy the administrator is watching allows the traffic with no inspection at all. The fix is to attach the profile set to the policy that is meant to inspect, on one side of the link only, so the stream is inspected once and not twice.

Exam trap

The trap here is that candidates assume a profile attached on one side of an inter-VDOM link covers both VDOMs. It does not: a profile is enforced only by the policy it is attached to, in the VDOM that owns that policy.

How to eliminate wrong answers

Option B is wrong because asymmetric routing across the link would cause session setup failures or packet drops, not a clean bypass of profiles on a policy that is still matching and allowing the traffic. Option C is wrong because VDOMs are already separate routing domains; that affects path selection, not whether a matching policy applies its profiles. Option D is wrong because a 'signal interface' is not a FortiOS inter-VDOM link role; the link's two endpoints are ordinary interfaces that appear in policies like any other.

203
Multi-Selectmedium

An administrator wants to deploy FortiSwitch and FortiAP using LAN edge management from a FortiGate. Which TWO conditions must be met? (Choose two.)

Select 2 answers
A.The FortiSwitch and FortiAP must be factory reset before connecting.
B.The FortiGate must be configured with the FortiLink interface for FortiSwitch and a CAPWAP interface for FortiAP.
C.The FortiSwitch and FortiAP must be in the same broadcast domain as the FortiGate management interface.
D.The FortiGate must have a valid FortiCare contract for unified management.
E.The FortiGate must have the 'set allowaccess' command enabled for HTTPS or SSH on the managing interface.
AnswersB, C

FortiSwitch uses FortiLink (a dedicated interface or VLAN), and FortiAP uses a CAPWAP interface for management.

Why this answer

LAN edge management requires L2 connectivity between the FortiGate and devices, and proper interface configuration: FortiLink for switches and CAPWAP for APs.

204
MCQeasy

An administrator wants to use FortiAnalyzer to generate weekly compliance reports for all managed FortiGates. Which FortiAnalyzer feature should be used?

A.Incidents
B.Reports
C.FortiView
D.Log Analytics
AnswerB

Reports enable scheduled and on-demand report generation.

Why this answer

FortiAnalyzer's Reports feature is specifically designed to generate scheduled, customizable compliance reports that aggregate data from multiple managed FortiGates. This allows administrators to produce weekly reports aligned with regulatory standards (e.g., PCI DSS, HIPAA) without manual effort, leveraging pre-defined or custom report templates.

Exam trap

The trap here is that candidates often confuse FortiView's real-time dashboards with the scheduled, template-driven reporting capability of the Reports module, assuming that visualization tools can substitute for formal compliance report generation.

How to eliminate wrong answers

Option A is wrong because Incidents in FortiAnalyzer are used for tracking and managing security events and alerts, not for generating scheduled compliance reports. Option C is wrong because FortiView provides real-time and historical data visualization for monitoring and troubleshooting, but it lacks the scheduling and template-based reporting required for weekly compliance reports. Option D is wrong because Log Analytics focuses on searching, correlating, and analyzing log data, not on producing formatted, scheduled compliance reports.

205
Multi-Selecthard

An administrator notices that after upgrading FortiOS, some traffic that was previously inspected by the antivirus profile is now bypassing scanning. The administrator suspects the session helper configuration may be interfering. Which TWO session helper protocols are known to potentially affect traffic inspection if improperly configured?

Select 2 answers
A.TFTP
B.FTP
C.PPTP
D.HTTP
E.SIP
AnswersB, E

FTP helper manages data channels; improper configuration can lead to inspection gaps.

Why this answer

Session helpers like SIP and FTP open dynamic pinholes (expectation sessions) for secondary data or media channels; when the helper, the policy's inspection mode and the profile disagree, the data channel can be passed on the expected session without the profile being applied. There is no HTTP session helper on FortiGate (HTTP is handled directly by flow or proxy inspection), and the TFTP and PPTP helpers only open pinholes for protocols that the antivirus profile does not scan, so they do not explain the symptom.

206
MCQmedium

A network administrator is troubleshooting a FortiGate that is not appearing in the Security Fabric topology on FortiManager. The FortiGate is reachable from FortiManager via ping. What is the most likely cause?

A.The FortiGate is not authorized in FortiManager
B.FortiAnalyzer is not configured on the FortiGate
C.SNMP community string is mismatched
D.The FortiGate firewall policy is blocking traffic to FortiManager
AnswerA

Authorization is required for the device to appear in the fabric.

Why this answer

For a FortiGate to appear in the Security Fabric topology on FortiManager, it must first be authorized in FortiManager. Even if the FortiGate is reachable via ping, without authorization, FortiManager will not accept its registration or include it in the topology view. This is a prerequisite step that must occur before any fabric communication can be established.

Exam trap

The trap here is that candidates assume Layer 3 reachability (ping) implies full application-layer communication, but FortiManager requires explicit authorization before it will accept a FortiGate into the Security Fabric, even when network connectivity is perfect.

How to eliminate wrong answers

Option B is wrong because FortiAnalyzer is not required for a FortiGate to appear in the Security Fabric topology on FortiManager; FortiAnalyzer handles logging and reporting, not topology discovery. Option C is wrong because SNMP plays no part in FortiManager-FortiGate communication, which runs over Fortinet's FGFM protocol (TCP/541), so a mismatched community string cannot affect registration. Option D is wrong because the FortiGate's own central-management traffic is locally originated and is not subject to firewall policies; the successful ping also shows that Layer 3 connectivity is fine, so the problem sits at the authorization step.

207
Multi-Selectmedium

An administrator is troubleshooting a FortiGate in transparent mode where clients cannot reach the internet. The FortiGate has two interfaces in the same VLAN. Which two items must be checked? (Choose two.)

Select 2 answers
A.SSL inspection is enabled on the policy
B.The default gateway is configured on the FortiGate's management IP
C.The two interfaces are members of the same software switch or VDOM
D.The management IP is on a different subnet from the bridged network
E.Firewall policies are present that allow traffic from internal to external zones
AnswersC, E

In a transparent-mode VDOM every interface in the VDOM belongs to one Layer 2 bridge (the same forwarding domain by default), and traffic still only crosses that bridge if a firewall policy allows it.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge and does not route. Option C is correct because both interfaces must be in the same transparent-mode VDOM (and the same forward-domain) to be bridged; if one of them sits in another VDOM, or the two are split into different forwarding domains, frames from the clients never reach the upstream router. Option E is correct because transparent mode does not remove policy enforcement: without a firewall policy from the client-facing interface to the router-facing interface, bridged traffic is dropped, exactly as it would be in NAT mode.

Exam trap

The trap here is that candidates assume transparent mode still needs a default route on the FortiGate to forward user traffic (as in NAT mode). Clients keep using their own default gateway and the FortiGate bridges their frames at Layer 2; the management IP and its gateway matter only for the FortiGate's own traffic (administration, FortiGuard updates, logging).

208
MCQeasy

A FortiGate administrator wants to enable load balancing for equal-cost paths to the same destination. The FortiGate has two equal-cost routes via two different next-hop routers. Which feature should the admin enable to load balance traffic across both paths?

A.BFD (Bidirectional Forwarding Detection)
B.ECMP (Equal Cost Multi-Path)
C.Policy-based routing
D.SD-WAN load balancing
AnswerB

ECMP distributes traffic across multiple routes with the same metric and administrative distance.

Why this answer

Option B is correct. ECMP (Equal Cost Multi-Path) lets the FortiGate spread sessions across routes to the same destination that share the same distance and priority, whether they are static routes or routes learned via OSPF or BGP. The distribution method (source-ip-based by default, or weight-based, usage-based, or source-dest-ip-based) is selected under 'config system settings' with 'set v4-ecmp-mode'. BFD only detects next-hop failure, policy-based routing steers specific traffic to one path, and SD-WAN is a separate feature that is not needed for plain equal-cost routing.

209
MCQhard

An administrator configures ZTNA inline CASB to control access to a SaaS application. The goal is to block uploads of files with credit card numbers. The administrator configures a CASB profile with a DLP rule for credit card numbers. However, uploads are not being blocked. What is the most likely reason?

A.The CASB profile is not applied to the ZTNA policy
B.SSL inspection is not enabled for the traffic
C.The DLP rule is configured to monitor instead of block
D.The SaaS application is not supported by CASB
AnswerB

Without SSL deep inspection, the DLP engine sees only encrypted content and cannot detect credit card numbers.

Why this answer

Inline CASB requires the traffic to be decrypted via SSL inspection; otherwise, the DLP engine cannot inspect the content of encrypted HTTPS traffic.

210
MCQmedium

A BGP route from an ISP is not appearing in the FortiGate's routing table. The BGP session is established and 'show ip bgp' shows the route as valid but not best. Which command should the admin use to investigate why the route is not selected as best?

A.execute router bgp show
B.diagnose ip router bgp routes
C.get router info bgp summary
D.diagnose ip router bgp network
AnswerB

This command shows BGP route details and best path selection reasons.

Why this answer

Option B is the intended answer: it is the BGP route diagnostic that shows each path's attributes and why a path lost the best-path comparison (weight, local preference, AS path length, origin, MED, and so on). Note that 'show ip bgp' is Cisco IOS syntax; on FortiOS the BGP table is displayed with 'get router info bgp network' (optionally followed by a prefix), where the '>' status marker identifies the path selected as best, and 'get router info routing-table all' confirms whether the winner was installed in the routing table.

211
Multi-Selectmedium

An administrator needs to configure advanced email security on FortiMail to protect against phishing and spoofing. Which THREE features should be enabled to achieve comprehensive email authentication?

Select 3 answers
A.DKIM signing and verification
B.SPF checking
C.DMARC policy enforcement
D.Anti-spam Bayesian filtering
E.TLS encryption for inbound/outbound
AnswersA, B, C

The three work together: SPF checks the connecting server's IP against the senders the domain has published in DNS, DKIM verifies a cryptographic signature over the headers and body so the message cannot be altered in transit, and DMARC ties both results to the visible From domain and enforces the domain owner's published policy (none, quarantine, reject). Bayesian filtering and TLS are useful against spam and eavesdropping respectively, but neither verifies who sent the message.

212
MCQeasy

An administrator wants to integrate a FortiExtender with a FortiGate to provide WAN connectivity. Which interface type is used on the FortiGate to connect to the FortiExtender?

A.wan
B.lan
C.dmz
D.loopback
AnswerA

The FortiExtender is cabled to a FortiGate WAN-facing interface, and the FortiGate creates a separate virtual interface for the cellular link.

Why this answer

The FortiGate discovers the FortiExtender over CAPWAP on the interface it is connected to and creates a dedicated virtual WAN interface for the cellular link, which can then be used as a routed uplink or as an SD-WAN member alongside the wired WAN.

213
MCQhard

A multinational corporation is implementing ZTNA for remote access to a critical internal application hosted on a server with IP 10.0.1.200:8443. The FortiGate is deployed at the edge with WAN IP 203.0.113.50. The administrator configures a ZTNA rule with proxy destination 10.0.1.200:8443, a firewall policy allowing traffic from the ZTNA gateway to the internal server, and a VIP for port forwarding for testing. However, remote users report that they can establish a ZTNA connection to the gateway but the application page fails to load, showing a blank page after a long delay. The FortiGate logs show no errors, and the debug output indicates that the proxy successfully forwarded the request to 10.0.1.200:8443 and received a response. The internal server team confirms the application is working correctly for on-site users. What is the most likely cause?

A.The ZTNA proxy is not configured to support HTTPS.
B.The internal server is not reachable from the FortiGate.
C.The client's ZTNA tags are expired.
D.The application uses hardcoded IP addresses or internal hostnames that are not resolvable externally.
AnswerD

This causes partial page loading or blank pages.

Why this answer

Option D is correct because the application uses hardcoded IP addresses or internal hostnames that are not resolvable externally. When the ZTNA proxy forwards the request to the internal server, the server responds with HTML content that references internal resources (e.g., images, scripts, or links) using private IP addresses (like 10.0.1.200) or internal DNS names. The remote client cannot resolve or reach these internal addresses, causing the page to load partially or display a blank page after a delay, even though the initial proxy connection and response are successful.

Exam trap

The trap here is that candidates see the proxy successfully forwarding and receiving a response and assume the issue is network connectivity or proxy configuration, overlooking the fact that the application's embedded content (hardcoded IPs/hostnames) can break the client-side rendering even when the initial proxy transaction succeeds.

How to eliminate wrong answers

Option A is wrong because the ZTNA proxy is configured with a proxy destination of 10.0.1.200:8443, which implies HTTPS (port 8443 is commonly used for HTTPS), and the debug output confirms the proxy successfully forwarded the request and received a response, indicating HTTPS support is present. Option B is wrong because the debug output explicitly states the proxy forwarded the request to 10.0.1.200:8443 and received a response, proving the internal server is reachable from the FortiGate. Option C is wrong because if the client's ZTNA tags were expired, the client would not be able to establish a ZTNA connection to the gateway at all; the question states remote users can establish the connection, so tags are valid.

214
MCQmedium

An admin needs to configure a FortiGate to send logs to FortiAnalyzer for a specific VDOM only. How can this be achieved?

A.Set the FortiAnalyzer IP in the specific VDOM's log settings
B.Create a separate ADOM in FortiAnalyzer for that VDOM
C.Configure log forwarding globally; it applies to all VDOMs
D.Use a firewall policy to filter logs to FortiAnalyzer
AnswerA

Per-VDOM log setting overrides global for that VDOM.

Why this answer

Option A is correct because FortiGate allows per-VDOM log configuration: inside the VDOM, 'config log fortianalyzer override-setting' with 'set override enable' replaces the global FortiAnalyzer target (including the server address) for that VDOM only. With the global setting disabled and the override enabled in the chosen VDOM, only that VDOM's logs reach the designated FortiAnalyzer, while the other VDOMs are unaffected.

Exam trap

The trap here is that candidates often confuse global log forwarding with per-VDOM log settings, assuming that a global configuration can be selectively applied to a single VDOM, which is not supported in FortiGate's VDOM architecture.

How to eliminate wrong answers

Option B is wrong because creating a separate ADOM in FortiAnalyzer is a management and administrative grouping on the FortiAnalyzer side, not a configuration on the FortiGate to control which VDOM's logs are sent. Option C is wrong because configuring log forwarding globally applies to all VDOMs, which does not meet the requirement of sending logs for a specific VDOM only. Option D is wrong because firewall policies are used for traffic filtering and not for selecting which logs are forwarded to FortiAnalyzer; log forwarding is controlled by log settings, not firewall policies.
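The CLI form of this per-VDOM override, as an added example that is not part of the original page. The VDOM name "finance", the FortiAnalyzer address 192.0.2.10, and the choice to disable FortiAnalyzer logging globally are assumptions made to match the question.

```fortios
# Added example, not from the original page. "finance" and 192.0.2.10 are placeholders.

# Global setting: disabled, so VDOMs that do not override it send nothing to FortiAnalyzer.
config global
    config log fortianalyzer setting
        set status disable
    end
end

# Per-VDOM override: only the "finance" VDOM logs to the FortiAnalyzer.
# "set override enable" is what detaches this VDOM from the global setting.
config vdom
    edit "finance"
        config log fortianalyzer override-setting
            set override enable
            set status enable
            set server "192.0.2.10"
            set reliable enable
        end
    next
end
```

Check the result from inside the VDOM with 'show log fortianalyzer override-setting'; the override line must read 'enable' and carry its own server address, otherwise the VDOM is still inheriting the (disabled) global setting. 'set reliable enable' selects TCP transport so that log records are not silently lost on a congested link.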

215
MCQeasy

A company is implementing a Security Fabric with multiple FortiGate devices. They want to use FortiAnalyzer for centralized logging and FortiManager for centralized management. Which of the following is a prerequisite for adding a FortiGate to the Security Fabric?

A.The FortiGate must have FortiAnalyzer configured as a log device
B.The FortiGate's management IP must be configured via DHCP
C.The FortiGate must have network connectivity to the FortiManager
D.The FortiGate must be operating in transparent mode
AnswerC

Connectivity is required for management.

Why this answer

For a FortiGate to be managed as part of the Security Fabric by FortiManager, it must be able to reach FortiManager over the network (FGFM, TCP/541): the FortiGate registers with the FortiManager IP or FQDN configured under central management, and FortiManager then authorizes it. Without that connectivity the FortiGate never registers and cannot be added to the topology. Note that the root of the Security Fabric itself is a FortiGate; FortiManager and FortiAnalyzer join the fabric as the management and logging devices.

Exam trap

The trap here is that candidates often confuse the prerequisite for logging (FortiAnalyzer) with the prerequisite for fabric management (FortiManager), assuming both must be configured before adding a FortiGate, but only FortiManager connectivity is required for fabric membership.

How to eliminate wrong answers

Option A is wrong because configuring FortiAnalyzer as a log device is not a prerequisite for adding a FortiGate to the Security Fabric; logging can be configured after the FortiGate joins the fabric. Option B is wrong because the FortiGate's management IP can be static or DHCP, but DHCP is not a requirement; the prerequisite is simply that the FortiGate has a reachable management IP. Option D is wrong because the FortiGate can operate in NAT/route mode or transparent mode when joining the Security Fabric; transparent mode is not a requirement.

216
MCQmedium

An administrator wants to use FortiGate to automatically block traffic if FortiEDR detects a threat on an endpoint. Which feature should the administrator configure?

A.Configure a VPN tunnel between FortiGate and FortiEDR
B.Enable FortiGuard Outbreak Prevention on the antivirus profile
C.Configure a static route to the FortiEDR management IP
D.Create an automation stitch with a trigger from FortiEDR and an action to block the source IP
AnswerD

Automation stitches allow FortiGate to respond to events from FortiEDR.

Why this answer

Option D is correct because FortiGate integrates with FortiEDR via automation stitches, which allow events from FortiEDR (such as a detected threat) to trigger automated actions on FortiGate, such as blocking the source IP of the compromised endpoint. This provides real-time, policy-driven threat response without manual intervention, leveraging the Fortinet Security Fabric.

Exam trap

The trap here is that candidates often confuse integration methods, assuming a VPN or routing change is needed for communication, when in fact FortiEDR and FortiGate communicate via the Security Fabric's REST API and automation stitches, not traditional network tunnels.

How to eliminate wrong answers

Option A is wrong because a VPN tunnel is used for secure site-to-site or remote access connectivity, not for receiving threat events from FortiEDR; FortiEDR communicates with FortiGate via REST API or Fabric connector, not VPN. Option B is wrong because FortiGuard Outbreak Prevention is a signature-based feature within antivirus profiles that blocks known outbreaks based on FortiGuard threat intelligence, not a mechanism to receive and act on FortiEDR-specific endpoint detections. Option C is wrong because a static route is used for IP routing and does not enable event-driven communication or automation between FortiEDR and FortiGate; the integration requires API-based triggers, not routing entries.

217
Multi-Selectmedium

An administrator is configuring a FortiGate in transparent mode for a retail store. The store has a flat network with a single subnet. Which TWO of the following statements about transparent mode are correct? (Select TWO.)

Select 2 answers
A.Virtual IPs (VIPs) can be used for destination NAT
B.The FortiGate uses a management IP address for administrative access
C.The FortiGate will perform routing between VLANs
D.The FortiGate requires a default route to forward user traffic
E.Firewall policies can be applied to control traffic between bridge interfaces
AnswersB, E

A management IP is needed for GUI/CLI access and can be on the same subnet as the bridged traffic.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge and does not participate in routing. Because the bridged interfaces carry no IP addresses, administrative access (SSH, HTTPS) uses a management IP configured at VDOM level ('config system settings', 'set manageip'), which can sit in the bridged subnet itself; the optional gateway configured alongside it serves only the FortiGate's own traffic. Option E is correct because firewall policies still decide which bridged traffic is allowed between the interfaces, with security profiles applied as usual.

Exam trap

The trap here is that candidates often assume transparent mode still requires a default route to forward user traffic, or that VIPs can be used for inbound access, but transparent mode forwards user traffic purely at Layer 2 and does not support NAT (including VIPs) or routing between VLANs; the gateway under the management settings exists only for the FortiGate's self-originated traffic.

218
MCQeasy

A FortiGate administrator wants to use PKI certificates for IPsec VPN authentication instead of pre-shared keys. Which phase1 parameter must be set to 'signature' to enable certificate-based authentication?

A.set authmethod signature
B.set cert-validation enable
C.set ike-version 2
D.set peer-id certificate
AnswerA

This configures the IKE phase1 to use certificate authentication.

Why this answer

The IKE peer authentication method is controlled by the 'authmethod' parameter. Setting it to 'signature' enables RSA signature-based authentication using certificates.
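A full certificate-authenticated IKEv2 phase1, added here as an example that is not part of the original page. It also shows the check a practitioner wants with signature authentication: pinning the remote peer to a specific certificate subject instead of accepting any certificate a trusted CA has issued. Interface, certificate, CA, and peer names, the remote gateway 198.51.100.10, and the subnets are placeholders.

```fortios
# Added example, not from the original page. All names, addresses and subnets are placeholders.

# Which certificate the remote gateway is allowed to present: it must chain to
# "CA_Cert_1" AND carry this subject CN. Without the CN pin, every certificate
# issued by that CA (any other branch, a revoked lab box) would authenticate.
config user peer
    edit "hq-gateway"
        set ca "CA_Cert_1"
        set cn "vpn-hq.example.com"
        set cn-type FQDN
    next
end

config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.10
        set proposal aes256-sha256
        # Certificate (signature) authentication instead of a pre-shared key
        set authmethod signature
        # Local certificate this FortiGate presents to the peer
        set certificate "FGT-vpn-cert"
        # Weak alternative: "set peertype any" accepts any certificate signed by a trusted CA.
        # Pin the remote side to the peer entry above instead:
        set peertype peer
        set peer "hq-gateway"
    next
end

config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end
```

To confirm the negotiated authentication, 'diagnose vpn ike gateway list' shows the gateway state, and 'diagnose vpn ike log filter name to-hq' followed by 'diagnose debug application ike -1' and 'diagnose debug enable' prints the certificate checks during IKE_AUTH (remember 'diagnose debug disable' afterwards).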

219
MCQmedium

An organization wants to protect against unknown malware by using machine learning on FortiGate. Which antivirus setting should be enabled to achieve this?

A.Enable 'Outbreak Prevention' under FortiGuard settings
B.Set 'av-engine' to 'flow' under system settings
C.Enable 'Machine Learning Engine' in the antivirus profile
D.Enable 'FortiSandbox inline scanning' in the antivirus profile
AnswerC

This enables the on-device ML engine, which classifies files as malicious from their static characteristics rather than from a matching signature.

Why this answer

Option C is correct because the 'Machine Learning Engine' in the antivirus profile uses on-device machine learning models to detect unknown malware based on file characteristics, without requiring signature updates. This provides proactive protection against zero-day threats directly on the FortiGate, aligning with the requirement to protect against unknown malware using machine learning.

Exam trap

The trap here is that candidates often confuse 'FortiSandbox inline scanning' with machine learning, but FortiSandbox uses behavioral analysis in a sandbox environment, not on-device ML, and requires additional licensing and infrastructure.

How to eliminate wrong answers

Option A is wrong because 'Outbreak Prevention' under FortiGuard settings is a cloud-based service that uses outbreak signatures and heuristics, not on-device machine learning, and requires internet connectivity to FortiGuard. Option B is wrong because setting 'av-engine' to 'flow' changes the antivirus scanning mode from proxy-based to flow-based, which affects performance and inspection depth but does not enable machine learning for unknown malware detection. Option D is wrong because 'FortiSandbox inline scanning' in the antivirus profile sends files to an external FortiSandbox appliance for dynamic analysis, which is not on-device machine learning and introduces latency; it is a separate feature from the Machine Learning Engine.

220
MCQmedium

A FortiGate with SD-WAN configured has a Performance SLA monitoring Google DNS (8.8.8.8). The SLA is configured with latency threshold 100 ms and jitter threshold 20 ms. The link is currently meeting both thresholds. The administrator wants to ensure that if the SLA fails, traffic moves to another link. Which SD-WAN rule strategy should be used?

A.Best quality
B.Manual selection
C.Maximize bandwidth (SLA)
D.Failover (SLA)
AnswerD

Failover strategy uses the first member that meets SLA; if that fails, it moves to the next member in the list.
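The SD-WAN configuration this question describes, as an added example that is not part of the original page, in FortiOS 7.x 'config system sdwan' syntax. The page's "Failover (SLA)" strategy is taken here to be the rule mode 'sla' (shown as "Lowest Cost (SLA)" in recent GUIs), which uses the first member in priority order that meets the SLA target; that mapping, the interface names, gateways and the "LAN-subnet" address object are assumptions.

```fortios
# Added example, not from the original page. Interfaces, gateways and "LAN-subnet" are placeholders.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
    # Performance SLA: ping 8.8.8.8 through both members.
    # SLA target 1 passes while latency <= 100 ms AND jitter <= 20 ms.
    config health-check
        edit "google-dns"
            set server "8.8.8.8"
            set protocol ping
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter
                    set latency-threshold 100
                    set jitter-threshold 20
                next
            end
        next
    end
    # Rule: the first member in priority order that still meets SLA target 1 carries the
    # traffic. When wan1 drops out of SLA, sessions move to wan2; when wan1 is back in SLA
    # they return to it (add "set hold-down-time" to damp flapping).
    config service
        edit 1
            set name "internet-failover"
            set mode sla
            set src "LAN-subnet"
            set dst "all"
            config sla
                edit "google-dns"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

Verify with 'diagnose sys sdwan health-check status' (per-member latency, jitter and SLA pass/fail) and 'diagnose sys sdwan service', which lists the members of each rule in their current selection order; the member at the top of that list is the one the rule is using right now.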

221
MCQeasy

An administrator wants to block a zero-day malware outbreak detected by FortiGuard. Which feature should be configured to automatically block the threat across all enabled FortiGate devices?

A.FortiSandbox Cloud
B.IPS Custom Signatures
C.FortiGuard Outbreak Prevention
D.Application Control
AnswerC

This feature automatically blocks zero-day outbreaks using FortiGuard threat intelligence.

Why this answer

FortiGuard Outbreak Prevention automatically blocks new threats by pushing updated signatures or indicators. It requires an active FortiGuard subscription and can be enabled globally.

222
MCQmedium

Refer to the exhibit. A FortiGate is configured with the above settings. The FortiManager at 192.168.1.100 cannot establish a management connection to the FortiGate. What is the most likely cause?

A.HTTPS access is not enabled on port1
B.The admin user 'admin' is not configured correctly
C.The FortiGate's port1 IP is not in the same subnet as the FortiManager
D.The trusthost configuration does not include the FortiManager IP
AnswerC

The FortiGate's port1 address in the exhibit is not on the FortiManager's 192.168.1.0/24 subnet and no route toward it is shown, so there is no Layer 3 path between the two devices.

Why this answer

The FortiGate's port1 IP (192.168.2.1/24) is on a different subnet (192.168.2.0/24) than the FortiManager's IP (192.168.1.100), which is on the 192.168.1.0/24 subnet. For a management connection to be established, the FortiGate and FortiManager must be able to route to each other, typically requiring them to be on the same subnet unless a gateway or static route is configured. Since no routing is mentioned, the subnet mismatch is the most likely cause of the failure.

Exam trap

The trap here is that candidates may focus on the HTTPS access or trusthost settings, but the exhibit clearly shows the subnet mismatch, which is the fundamental Layer 3 connectivity issue that prevents the management session from being established.

How to eliminate wrong answers

Option A is wrong because HTTPS access is enabled on port1 (as shown by 'set allowaccess https' in the configuration), so this is not the issue. Option B is wrong because the admin user 'admin' is configured with the correct password and permissions (super_admin profile), and there is no indication of a misconfiguration. Option D is wrong because no trusthost configuration is present in the exhibit, and trusthosts only restrict where administrators may log in from; they do not govern the FGFM management tunnel that the FortiGate itself initiates toward FortiManager.

223
MCQmedium

A company uses FortiMail and wants to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC. Which profile should the administrator configure to enforce these checks?

A.Session Profile
B.Antispam Profile
C.IP Policy
D.Authentication Profile
AnswerA

Sender validation (SPF, DKIM and DMARC checks) is configured in the session profile.

Why this answer

In FortiMail, SPF, DKIM and DMARC verification of inbound mail is configured in the session profile's Sender Validation section (DKIM signing of outbound mail is set per protected domain), and the antispam profile then decides what happens to messages that fail. A FortiMail authentication profile defines how users authenticate (SMTP, IMAP, POP3, LDAP, RADIUS) and has nothing to do with email authentication checks, which is the trap in this item.

224
MCQhard

An administrator configures an ALG for SIP traffic but notices that some SIP calls are failing. The admin suspects the ALG is modifying SIP headers incorrectly. Which debug command can help verify the ALG's actions on SIP packets?

A.diagnose debug application sip -1
B.diagnose debug application alg -1
C.get system performance status
D.diagnose sys session filter proto 17
AnswerA

This enables detailed SIP ALG debug output.

Why this answer

'diagnose debug application sip -1' enables SIP ALG debugging, showing how the ALG processes SIP messages.
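The debug session a practitioner would actually run for one failing call, added here as an example that is not part of the original page. The only assumption is that SIP is being handled by the SIP ALG on this unit (otherwise the sip debug produces no output).

```fortios
# Added example, not from the original page.
# Start from a clean debug state and timestamp every line so it can be matched to the call.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sip -1
diagnose debug enable
# Place the failing call now. Look for the INVITE, the SDP c=/m= lines and the
# Via/Contact headers: the ALG prints the address and port it rewrites, which is
# where an incorrect NAT translation or a dropped header will show up.
# Then stop, otherwise the debug keeps consuming CPU and flooding the console:
diagnose debug disable
diagnose debug reset
```

If the ALG rewrite is confirmed to be the cause, the usual remedies are to correct the NAT configuration the ALG is working from, or, for phones and PBXs that handle NAT themselves, to disable the SIP ALG for that traffic rather than for the whole unit.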

225
MCQmedium

A FortiGate administrator runs the following command and sees the output: diagnose sys session filter dport 443 diagnose sys session list Output shows sessions with proto=6 and expire time decreasing. What does this indicate?

A.The sessions are using UDP protocol
B.The FortiGate is performing deep packet inspection on these sessions
C.The sessions are being blocked by a firewall policy
D.The sessions are TCP sessions and are active
AnswerD

proto=6 indicates TCP. The sessions are listed, meaning they are active and being tracked.

Why this answer

The command 'diagnose sys session filter dport 443' restricts the view to sessions with destination port 443, and 'diagnose sys session list' displays them. The output shows 'proto=6', which is the IANA protocol number for TCP. A decreasing 'expire' value means the idle timer is counting down from the session timeout and is reset by each new packet, which is normal for an active session; for TCP the 'proto_state' field adds the connection state (for example 01 for established). Remember to run 'diagnose sys session filter clear' afterwards so the filter does not silently narrow later session listings.

Therefore, the sessions are TCP and active.

Exam trap

The trap here is that candidates may confuse 'expire time decreasing' with a session being blocked or expiring, when in fact it is a normal indicator of an active TCP session that is being refreshed by traffic.

How to eliminate wrong answers

Option A is wrong because proto=6 specifically indicates TCP, not UDP (UDP is protocol 17). Option B is wrong because the command output does not show any deep packet inspection (DPI) status; DPI would require additional configuration and is not indicated by session list output. Option C is wrong because blocked sessions would not appear in the session list with a decreasing expire time; blocked traffic is denied by the firewall policy and does not create a session entry.
