Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 226–300

1000 questions total · 14 pages · All types, answers revealed

Page 4 of 14

226
Multi-Select · medium

An administrator needs to restrict inter-VDOM traffic between two VDOMs on a FortiGate. Which TWO configurations are required?

Select 2 answers
A. Create firewall policies in each VDOM to allow/deny traffic
B. Enable inter-VDOM routing globally
C. Assign an IP address to the VDOM link in each VDOM
D. Configure a VDOM link between the two VDOMs
E. Configure static routes on each VDOM
Answers: A, D

Policies are necessary to control traffic flow.

Why this answer

Option A is correct because inter-VDOM traffic on a FortiGate is controlled by firewall policies within each VDOM. By creating policies in each VDOM that specify the VDOM link as the interface, the administrator can explicitly allow or deny traffic between the VDOMs, enforcing security boundaries. Without these policies, traffic would be implicitly denied by the default firewall behavior.

Exam trap

The trap here is that candidates often assume inter-VDOM routing requires a global enablement or IP addressing on the VDOM link, but FortiGate handles this automatically, and the key requirement is the firewall policies to enforce restrictions.

227
MCQ · easy

A FortiGate administrator wants to integrate ZTNA with FortiClient EMS to control access to an internal application based on device posture. The admin has configured a ZTNA tag in EMS for 'AntiVirus enabled' and created a ZTNA rule in FortiGate. What additional configuration is required on the FortiGate to enforce access based on the ZTNA tag?

A. Configure SSL VPN to authenticate users and assign tags
B. Install a client certificate on each FortiClient from the FortiGate
C. Enable ZTNA inline CASB in the antivirus profile
D. Configure the FortiGate as an EMS connector and import the tag
Answer: D

The FortiGate must connect to EMS to receive tag definitions and assign them to users/devices. Then ZTNA rules can reference the tag.

Why this answer

ZTNA uses tags from EMS to make access decisions. The FortiGate must be configured to receive these tags via the EMS connector and then use them in firewall policies (via ZTNA rules). Option D is correct because the FortiGate needs to connect to EMS to pull tag information and then apply it in security policies.

228
Multi-Select · medium

An administrator is configuring FortiGate automation stitches to respond to a detected ransomware outbreak. The trigger is a high severity event from FortiSandbox. Which TWO actions can be used in an automation stitch to contain the threat?

Select 2 answers
A. Create a new FortiGate administrator account
B. Send an SNMP trap to a monitoring system
C. Change the SSID of a wireless network
D. Execute a CLI script to block the infected host's IP address
E. Quarantine the endpoint using FortiClient EMS integration
Answers: D, E

CLI scripts can be used to block IPs via firewall policies or blacklist.

Why this answer

Automation stitches can execute CLI commands or quarantine compromised hosts via EMS. These actions help contain the outbreak.

229
MCQ · medium

An organization wants to protect against zero-day malware by using FortiGate's outbreak prevention feature. Which configuration is required to enable outbreak prevention in the antivirus profile?

A. Enable 'Machine Learning Engine' in the antivirus profile
B. Enable 'FortiSandbox Inline Scan'
C. Select 'Outbreak Prevention' under Antivirus profile settings
D. Configure a web filter profile to block malicious URLs
Answer: C

This directly enables outbreak prevention, which uses outbreak signatures.

Why this answer

Outbreak prevention uses FortiGuard's outbreak alert database to block files that match outbreak criteria. It must be enabled in the antivirus profile under 'Outbreak Prevention'.

230
MCQ · medium

A company uses FortiGate as a web application firewall (WAF) to protect a public web server. The security team wants to block SQL injection attacks. Which WAF signature category should the administrator enable?

A. Server-Side Request Forgery
B. Command Injection
C. SQL Injection
D. Cross-Site Scripting
Answer: C

SQL injection signatures detect and block SQL injection attempts.

Why this answer

The correct answer is C because SQL injection attacks specifically target database queries by injecting malicious SQL statements through input fields. FortiGate's WAF signature category for SQL Injection is designed to detect and block these patterns, such as 'OR 1=1' or UNION-based injections, by matching against known attack signatures in the HTTP request payload.

Exam trap

The trap here is that candidates may confuse SQL Injection with Command Injection (Option B) because both involve injection attacks, but SQL Injection targets database layers via SQL syntax, while Command Injection targets the OS shell via system commands.

How to eliminate wrong answers

Option A is wrong because Server-Side Request Forgery (SSRF) is an attack that forces a server to make internal requests, not directly related to SQL injection; FortiGate's WAF has a separate signature category for SSRF. Option B is wrong because Command Injection involves executing system commands (e.g., via shell metacharacters) on the server, not database queries, and is covered by a different WAF signature category. Option D is wrong because Cross-Site Scripting (XSS) injects client-side scripts into web pages viewed by other users, targeting browsers rather than the database backend, and is handled by its own WAF signature category.

231
Multi-Select · medium

A FortiGate administrator wants to use FortiManager automation stitches to automatically block IP addresses that trigger multiple intrusion prevention events. Which two components are required to configure an automation stitch? (Choose two.)

Select 2 answers
A. Trigger
B. Playbook
C. Destination
D. Schedule
E. Action
Answers: A, E

The trigger defines the event that starts the stitch.

Why this answer

An automation stitch consists of a trigger (event condition) and one or more actions. The trigger defines when the stitch runs; the action defines what happens (e.g., CLI script, email).

232
Multi-Select · medium

Which TWO statements about the Security Fabric and FortiManager are correct? (Choose two.)

Select 2 answers
A. FortiManager can manage multiple Security Fabrics.
B. FortiGate devices must be in transparent mode to join the fabric.
C. FortiAnalyzer must be deployed to use the Security Fabric.
D. The first FortiGate added to the Security Fabric becomes the root FortiGate.
E. A FortiGate can be part of multiple Security Fabrics simultaneously.
Answers: A, D

FortiManager can manage multiple fabrics.

Why this answer

FortiManager can manage multiple Security Fabrics because it is designed as a centralized management platform that can oversee multiple independent FortiGate clusters or fabric topologies. Each Security Fabric is a logical grouping of FortiGate devices that share a common root FortiGate, and FortiManager can be configured to manage several such fabrics simultaneously, each with its own root and member devices, without requiring separate management servers.

Exam trap

The trap here is that candidates often assume FortiAnalyzer is mandatory for the Security Fabric, but the fabric only requires FortiGate devices; FortiAnalyzer is an optional add-on for enhanced logging and analytics.

233
Multi-Select · medium

An administrator is troubleshooting a scenario where VoIP traffic is not being properly handled by the FortiGate. The SIP ALG is enabled. Which THREE commands should the administrator run to diagnose the SIP traffic flow?

Select 2 answers
A. get router info routing-table all
B. diagnose sys session filter dport 5060
C. diagnose debug application sip -1
D. diagnose debug application sip -1
Answers: B, C

SIP typically uses UDP 5060; filtering sessions on this port helps see if SIP sessions are being created.

Why this answer

To diagnose SIP ALG issues, the administrator should check SIP-specific debug, session table for UDP 5060, and application control logs. Viewing general traffic logs is less specific, and checking the routing table is not directly relevant to ALG processing.

234
MCQ · easy

Which of the following is a valid command to check the status of all BGP neighbors on a FortiGate?

A. diagnose router bgp summary
B. get router info bgp summary
C. show bgp neighbors
D. diagnose ip router bgp all
Answer: B

This is the correct command to display BGP neighbor status.

Why this answer

Option B is correct. 'get router info bgp summary' displays a summary of all BGP neighbors and their states.

235
MCQ · medium

An administrator wants to integrate a FortiExtender with a FortiGate for LTE backup. The FortiGate is using SD-WAN. What is the correct way to add the FortiExtender as an SD-WAN member?

A. Connect the FortiExtender to a physical port on the FortiGate and configure that port as an SD-WAN member.
B. Configure the FortiExtender as a standalone firewall and use IPsec between them.
C. Configure the FortiExtender as a separate VDOM and route between VDOMs.
D. Use a virtual-wire pair to connect the FortiExtender.
Answer: A

The FortiExtender appears as a physical interface (e.g., wwan) on the FortiGate when connected. That interface can be added as an SD-WAN member.

Why this answer

FortiExtender connects to a physical port (e.g., USB or Ethernet) and appears as a WAN interface. This interface can be added to the SD-WAN interface table as a member.

236
MCQ · medium

A FortiGate has two VDOMs: 'root' and 'customer'. The admin wants to route traffic from 'customer' to the internet via 'root', which has a BGP connection to an ISP. What is the required configuration?

A. Enable VDOM forwarding on the WAN interface in 'root'
B. Configure a static route in 'customer' pointing to the 'root' VDOM's management IP
C. Place both VDOMs in the same VDOM group and enable route leak
D. Create an inter-VDOM link between 'customer' and 'root', and configure policies to allow traffic
Answer: D

Correct. The link provides connectivity; policies control traffic.

Why this answer

Option D is correct because inter-VDOM links are the only supported method for routing traffic between VDOMs on the same FortiGate. An inter-VDOM link creates a virtual point-to-point connection between two VDOMs, allowing traffic to flow through firewall policies. Without this link, VDOMs are isolated and cannot exchange traffic, even if static routes or BGP are configured.

Exam trap

The trap here is that candidates often assume VDOMs can route traffic to each other simply by configuring static routes or using a shared interface, but FortiGate requires a dedicated inter-VDOM link with firewall policies to enable inter-VDOM traffic.

How to eliminate wrong answers

Option A is wrong because VDOM forwarding on a WAN interface is not a feature; interfaces belong to a single VDOM and cannot forward traffic to another VDOM without an inter-VDOM link. Option B is wrong because a static route in 'customer' pointing to the 'root' VDOM's management IP would only route control traffic to the management interface, not data-plane traffic between VDOMs. Option C is wrong because VDOM groups are used for administrative grouping and configuration sharing, not for routing traffic between VDOMs; route leaking is not a supported feature between VDOMs on the same FortiGate.

237
MCQ · easy

An organization is designing a Zero Trust Network Access solution with Fortinet. They want to ensure that only devices with up-to-date antivirus software can access sensitive applications. Which component is responsible for enforcing this requirement?

A. FortiAnalyzer
B. FortiClient EMS
C. FortiAuthenticator
D. FortiGate ZTNA gateway
Answer: B

FortiClient EMS applies compliance rules and tags devices accordingly.

Why this answer

FortiClient EMS is the correct component because it manages endpoint compliance policies, including antivirus status. It enforces the requirement by checking that devices have up-to-date antivirus software before issuing a ZTNA access token, which the FortiGate ZTNA gateway then validates to grant access.

Exam trap

The trap here is that candidates often confuse the FortiGate ZTNA gateway as the sole enforcement point, overlooking that FortiClient EMS is the component responsible for performing the actual endpoint posture check and issuing the compliance token.

How to eliminate wrong answers

Option A is wrong because FortiAnalyzer is a logging and analytics platform, not an enforcement point for endpoint compliance; it cannot check or enforce antivirus status on devices. Option C is wrong because FortiAuthenticator handles identity and authentication (e.g., RADIUS, LDAP), not endpoint posture checks like antivirus version. Option D is wrong because the FortiGate ZTNA gateway enforces access decisions based on tokens and policies, but it relies on FortiClient EMS to provide the endpoint compliance verification; the gateway itself does not directly check antivirus status.

238
Multi-Select · medium

Which TWO statements about Security Fabric deployment are correct? (Choose two.)

Select 2 answers
A. A Security Fabric can contain a maximum of 50 FortiGate devices.
B. The root FortiGate must have a management IP address that is reachable from all downstream devices.
C. Each FortiGate device in the Fabric must have a unique FortiGate serial number.
D. All FortiGate devices in the Fabric must be managed by the same FortiManager.
E. A FortiGate can only belong to one Security Fabric at a time.
Answers: B, C

Downstream devices need to reach the root for fabric synchronization.

Why this answer

Option B is correct because the root FortiGate acts as the central coordination point for the Security Fabric. All downstream FortiGate devices must be able to reach the root FortiGate's management IP address to establish and maintain the Fabric communication, which uses TCP port 8013 (HTTPS) for the initial handshake and subsequent keepalive messages. Without this reachability, downstream devices cannot join or synchronize with the Fabric.

Exam trap

The trap here is that candidates often assume a FortiGate can only belong to one Security Fabric, but FortiGate supports multi-fabric membership through the use of different fabric groups or VDOMs, allowing a single device to participate in multiple logical fabrics.

239
Multi-Select · hard

Which THREE actions can an administrator perform using FortiManager in a Security Fabric environment? (Choose three.)

Select 3 answers
A. Upgrade the firmware of multiple FortiGates at once
B. View logs from all managed FortiGates in a single dashboard
C. Terminate IPsec VPN tunnels on the FortiManager
D. Configure FortiGate to manage the FortiManager
E. Push firewall policies to multiple FortiGates simultaneously
Answers: A, B, E

Firmware upgrade can be done centrally.

Why this answer

Option A is correct because FortiManager supports centralized firmware management, allowing administrators to upgrade the firmware of multiple FortiGates simultaneously via the 'Firmware Upgrade' wizard in the Device Manager. This leverages the FortiManager's role as a central management point, which can stage and push firmware images to managed devices in a Security Fabric, reducing downtime and ensuring consistency across the fabric.

Exam trap

The trap here is that candidates confuse FortiManager's ability to configure VPN settings with the ability to terminate active tunnels, or they mistakenly think the FortiGate can manage the FortiManager (reversing the management relationship), which is a common misconception in centralized management architectures.

240
MCQ · easy

A FortiGate administrator wants to ensure that files in email attachments are disarmed before delivery. Which security feature should be configured in the antivirus profile?

A. Content Disarm and Reconstruction (CDR)
B. FortiSandbox inline scanning
C. Machine Learning Engine
D. Outbreak Prevention
Answer: A

CDR strips active content and rebuilds files to a safe state.

Why this answer

Option A is correct. Content Disarm and Reconstruction (CDR) is specifically designed to remove active content and rebuild files, making them safe for delivery.

241
MCQ · medium

An administrator configures a performance SLA for SD-WAN health checks. The SLA uses a ping probe to 8.8.8.8 every 2 seconds with a latency threshold of 150 ms and jitter threshold of 20 ms. After some time, the SD-WAN rule still shows the member as 'dead'. Which command should the administrator use to verify the probe results?

A. show system sdwan health-check
B. diagnose sys sdwan health-check
C. diagnose sys session list
D. execute ping-options source 8.8.8.8
Answer: B

This command displays real-time health check statistics.

Why this answer

The 'diagnose sys sdwan health-check' command shows detailed probe statistics per member, including latency, jitter, and packet loss, helping to identify why the SLA is failing.

242
MCQ · hard

An administrator configures a session helper for FTP but notices that active FTP data connections are not being allowed through the firewall. The FTP control session establishes fine. What is the MOST likely cause?

A. The FTP server is using passive mode
B. The FTP session helper is not enabled on the firewall policy
C. The ALG is configured to use proxy-based inspection instead of flow-based
D. The firewall policy has NAT enabled
Answer: B

Without the session helper enabled, FortiGate will not inspect FTP control traffic and will not open pinholes for data connections.

Why this answer

Active FTP requires the server to initiate a data connection back to the client. The session helper should dynamically create pinholes for these connections. If the session helper is not enabled for the policy, the data connection will be blocked.

243
Multi-Select · medium

An organization wants to implement email authentication to prevent spoofing and phishing attacks. They use FortiMail as their email security gateway. Which THREE mechanisms should they configure to achieve comprehensive email authentication?

Select 3 answers
A. Transport Layer Security (TLS) for SMTP
B. FortiGuard Antispam
C. Sender Policy Framework (SPF)
D. Domain-based Message Authentication, Reporting and Conformance (DMARC)
E. DomainKeys Identified Mail (DKIM)
Answers: C, D, E

SPF verifies that the sending server is authorized by the domain owner.

Why this answer

SPF, DKIM, and DMARC are the three standard email authentication methods that work together to verify sender authenticity and prevent spoofing.

244
MCQ · hard

An administrator configures FortiSandbox to quarantine files that are rated 'malicious'. They notice that some files are being quarantined even though the verdict is 'clean'. What could explain this?

A. The quarantine action is set to apply to files with a risk level above a certain threshold, and clean files have been incorrectly rated
B. FortiSandbox uses a whitelist that includes those files
C. The files were submitted by a different FortiGate with different settings
D. The administrator has enabled 'aggressive mode' which quarantines all files
Answer: A

Risk level thresholds can cause false positives if set too aggressively.

Why this answer

The correct answer is A because FortiSandbox's quarantine action can be configured based on a risk score threshold, not solely on the verdict. If the risk score for a file rated 'clean' exceeds the configured threshold, the file may still be quarantined. This occurs because the verdict and risk score are separate attributes; a 'clean' verdict indicates no known malware, but the file's behavior or heuristics may still generate a high risk score that triggers quarantine.

Exam trap

The trap here is that candidates assume quarantine is strictly tied to the verdict, overlooking that FortiSandbox's quarantine action can be independently triggered by a risk score threshold, leading to quarantine of 'clean' files with high risk scores.

How to eliminate wrong answers

Option B is wrong because a whitelist would prevent quarantine, not cause it; whitelisted files are explicitly allowed and bypass scanning. Option C is wrong because files submitted by different FortiGate devices are evaluated independently by FortiSandbox based on its own analysis, not on the submitting device's settings; the quarantine decision is local to the FortiSandbox configuration. Option D is wrong because 'aggressive mode' in FortiSandbox does not exist; FortiSandbox uses configurable risk thresholds and verdicts, not an all-or-nothing aggressive mode.

245
Multi-Select · medium

A network engineer needs to collect logs from multiple FortiGates and generate compliance reports. Which TWO FortiAnalyzer features should be used?

Select 2 answers
A. ADOM configuration
B. Log analytics
C. Reports
D. Automation stitches
E. Policy packages
Answers: B, C

Why this answer

Log analytics (option B) is correct because it provides the ability to search, filter, and visualize logs from multiple FortiGates, enabling the identification of trends and anomalies necessary for compliance reporting. Reports (option C) is correct because FortiAnalyzer includes a dedicated reporting engine that can generate scheduled or on-demand compliance reports based on collected logs, with pre-defined templates for standards like PCI DSS, HIPAA, and SOX.

Exam trap

The trap here is that candidates confuse FortiAnalyzer's ADOM feature (which is for administrative separation) with log collection or reporting, or they mistakenly associate automation stitches or policy packages with compliance reporting, which are actually features of FortiGate or FortiManager, not FortiAnalyzer.

246
MCQ · hard

An administrator configures policy-based routing (PBR) on a FortiGate to route traffic from a specific subnet through an MPLS link. The PBR is configured under 'config router policy'. However, traffic from that subnet is still using the default route. What is the most likely issue?

A. The PBR policy does not have a set tos or set dscp value
B. The PBR policy has a higher priority number than the default route
C. The firewall policy is not allowing traffic to use the PBR
D. The MPLS link is down
Answer: C

PBR requires that the firewall policy has 'set pbr-enable enable' or the policy must be matched before PBR is applied. Without it, PBR may not be applied to the traffic.

247
Multi-Select · easy

Which TWO of the following can be used to authenticate users in a ZTNA connection? (Select two.)

Select 2 answers
A. LDAP authentication
B. FortiToken
C. IPsec authentication
D. SAML authentication
E. Certificate authentication
Answers: D, E

SAML is supported for SSO.

Why this answer

In a ZTNA connection, authentication can be performed using SAML (Security Assertion Markup Language) because it enables federated identity management and single sign-on (SSO), allowing the FortiGate to verify user identity via an external identity provider (IdP) without direct password handling. Certificate authentication is also valid because ZTNA leverages client certificates (X.509) to establish mutual TLS (mTLS) between the user device and the FortiGate, ensuring device identity and trust before granting access.

Exam trap

The trap here is that candidates often confuse authentication methods used in traditional VPNs (like LDAP or FortiToken) with the identity-centric methods required for ZTNA, forgetting that ZTNA mandates integration with an IdP or certificate-based trust rather than direct password or token verification.

248
MCQ · easy

What is the purpose of a route map when used with route redistribution on a FortiGate?

A. To create a prefix list for BGP
B. To define the administrative distance of redistributed routes
C. To enable the redistribution process
D. To filter or modify route attributes during redistribution
Answer: D

Route maps allow granular control over which routes are redistributed and how.

Why this answer

Route maps are used with route redistribution to filter which routes are redistributed and to modify route attributes (such as metric, tag, or next-hop) as they are injected from one routing protocol into another. Option D is correct because route maps provide granular control over the redistribution process, allowing administrators to match specific routes using prefix lists or ACLs and then set attributes like metric or tag before the routes are redistributed.

Exam trap

The trap here is that candidates often confuse the route map's role as a filter or modifier with the enabling of redistribution itself, thinking the route map is required to start redistribution, when in fact redistribution is enabled by the 'redistribute' command and the route map is an optional parameter.

How to eliminate wrong answers

Option A is wrong because a prefix list is a separate tool used to match IP prefixes, not a route map; route maps can reference prefix lists, but the route map itself is not a prefix list. Option B is wrong because administrative distance is a property of the routing protocol or static route, not something set by a route map during redistribution; route maps can set metric, tag, or next-hop, but not administrative distance. Option C is wrong because the redistribution process is enabled by the 'redistribute' command under the routing protocol configuration, not by a route map; the route map is an optional filter applied to that redistribution.

249
MCQ · medium

A FortiManager administrator creates an ADOM for the root VDOM and regular VDOMs. The administrator wants to manage only the regular VDOMs from FortiManager. Which ADOM type should be used?

A. Regular ADOM (non-root)
B. Management VDOM ADOM
C. Root ADOM
D. Global ADOM
Answer: A

Regular ADOM can be assigned to specific VDOMs, excluding the root if not needed.

Why this answer

A Regular ADOM (non-root) is the correct choice because it allows the administrator to manage only the regular VDOMs (non-root VDOMs) on a FortiGate, excluding the root VDOM. This ADOM type is designed for managing individual VDOMs as separate entities, providing granular control without affecting the root VDOM's global settings or other VDOMs.

Exam trap

The trap here is that candidates often confuse the 'Root ADOM' with managing only the root VDOM, but it actually manages all VDOMs (root and regular) together, which is not suitable when only regular VDOMs need to be managed.

How to eliminate wrong answers

Option B (Management VDOM ADOM) is wrong because it is not a standard ADOM type in FortiManager; the correct term is 'Management VDOM' for a VDOM that handles management traffic, but it does not define an ADOM type for managing regular VDOMs. Option C (Root ADOM) is wrong because it manages the root VDOM and all regular VDOMs together, which contradicts the requirement to manage only regular VDOMs. Option D (Global ADOM) is wrong because it is used for global policy objects and settings that apply across all ADOMs, not for managing individual VDOMs.

250
MCQ · medium

A healthcare provider is deploying ZTNA to secure access to an internal electronic health records (EHR) system. The EHR system is composed of multiple web services running on different ports behind a load balancer with IP 10.0.10.100. The load balancer listens on ports 443, 8443, and 9090. The administrator configures a single ZTNA rule with proxy destination 10.0.10.100:443, expecting that the other ports will be accessed via the same rule. However, users report that they can only access the service on port 443; connections to ports 8443 and 9090 fail. The FortiGate logs show that requests to other ports are being dropped. What should the administrator do to resolve this?

A. Configure the load balancer to redirect all traffic to port 443.
B. Configure the ZTNA gateway to allow all ports to the load balancer.
C. Create separate ZTNA rules for each port (8443 and 9090).
D. Ask users to change the port in their browser to 443.
Answer: C

ZTNA rules are port-specific.

Why this answer

Option C is correct because each ZTNA rule maps to a single proxy destination port. The rule configured with proxy destination 10.0.10.100:443 only forwards traffic for that specific port. To access services on ports 8443 and 9090, separate ZTNA rules must be created for each port, each with its own proxy destination and access proxy configuration.

Exam trap

The trap here is that candidates assume a single ZTNA rule with a destination IP will automatically forward traffic to all ports on that IP, overlooking that ZTNA rules are port-specific and require separate rules for each service port.

How to eliminate wrong answers

Option A is wrong because redirecting all traffic to port 443 would break the intended functionality of the separate web services running on ports 8443 and 9090, and the load balancer is not designed to redirect traffic arbitrarily. Option B is wrong because the ZTNA gateway does not support a wildcard 'allow all ports' configuration; ZTNA rules require explicit proxy destination IP and port pairs. Option D is wrong because asking users to change the port in their browser does not address the underlying ZTNA rule limitation; the gateway would still drop connections to ports not defined in the rule.

251
MCQ · easy

In a Fortinet ZTNA deployment, which component is responsible for forwarding decrypted traffic to the internal application server after the FortiGate proxy has performed SSL inspection?

A. FortiClient EMS
B. ZTNA proxy on FortiGate
C. IPsec VPN tunnel
D. FortiNAC
Answer: B

The ZTNA proxy terminates the client connection and creates a new connection to the server.

Why this answer

ZTNA proxy receives client requests, performs SSL inspection, and forwards the decrypted traffic to the internal server.

252
MCQ · medium

A network administrator is troubleshooting an ADVPN deployment. Spoke FortiGates can communicate with the hub, but shortcut tunnels between spokes are not being established. The administrator verifies that IKE and IPsec settings are correct on all devices. What is the MOST likely cause?

A. Dead Peer Detection (DPD) is disabled on the hub
B. The hub's phase2 configuration has 'auto-negotiate' disabled
C. The hub's phase1 configuration has 'auto-negotiate' disabled
D. The spokes have different IKE versions configured
Answer: B

Without auto-negotiate, the hub will not propose shortcut tunnels to spokes.

Why this answer

In ADVPN, shortcut tunnels require IKEv2 with the 'add-route' option and auto-negotiate. If the hub's phase2 configuration does not have 'auto-negotiate' enabled, it will not initiate shortcut tunnels.

253
Drag &amp; Drop · medium

Drag and drop the steps to configure a site-to-site IPsec VPN on a FortiGate firewall into the correct order.


Why this order

Phase 1 establishes the IKE SA, Phase 2 creates the IPsec SA, then routing and policies are applied to allow traffic through the tunnel.

254
MCQ · medium

A network administrator is configuring SD-WAN on a FortiGate. They have multiple WAN links and want to ensure that traffic for a critical application uses the link with the lowest latency. Which SD-WAN configuration component should be used to achieve this?

A. Performance SLA with latency threshold and SD-WAN rule using best-quality strategy
B. SD-WAN rule with spillover load balancing
C. SD-WAN members with static priority
D. Load balancing algorithm set to lowest-cost (SLA)
Answer: A

Performance SLA measures latency, and a best-quality rule selects the link with lowest latency within the threshold.

255
MCQ · easy

A company wants to protect its internal users from malicious files attached to emails. Which FortiGate feature should be configured to inspect SMTP traffic for malware?

A. Antivirus
B. Email Filter
C. Web Filter
D. IPS
Answer: A

Antivirus profiles can scan SMTP, POP3, and IMAP traffic for malware.

Why this answer

FortiGate's Antivirus feature is designed to scan SMTP traffic for malware by inspecting email attachments and body content against virus signatures. When configured in a security policy, it intercepts SMTP sessions, buffers the email data, and performs real-time scanning to block or quarantine malicious files before delivery to internal users.

Exam trap

The trap here is that candidates confuse 'Email Filter' (which handles spam and content filtering) with antivirus scanning, assuming email security is solely about filtering, when in fact malware detection requires the dedicated Antivirus feature to inspect SMTP payloads at the file level.

How to eliminate wrong answers

Option B (Email Filter) is wrong because it focuses on spam filtering, content blocking, and email address/domain blacklisting, not on malware detection in attachments. Option C (Web Filter) is wrong because it controls HTTP/HTTPS traffic to block malicious URLs and web content, not SMTP email traffic. Option D (IPS) is wrong because it detects and prevents network-level attacks (e.g., exploits, buffer overflows) based on signatures, but it does not perform file-level malware scanning on email attachments.

256
MCQ · hard

You are troubleshooting a VPN phase 2 negotiation failure. The logs show 'no proposal chosen'. What is the MOST likely cause?

A.The remote gateway IP is incorrect
B.The pre-shared key mismatch
C.The IKE version mismatch
D.The phase 2 proposal settings differ between the peers
Answer: D

Mismatched algorithms cause 'no proposal chosen'.

Why this answer

Option D is correct because 'no proposal chosen' indicates that the encryption/authentication algorithms proposed by the initiator do not match the responder's configured phase 2 settings. Option A would cause a phase 1 failure. Option B would cause a phase 1 failure.

Option C is not a direct cause of a phase 2 failure.

257
MCQ · medium

A FortiGate administrator wants to use FortiAnalyzer to generate a report on top talkers in the network. Which FortiView feature should be used?

A.Log Analytics
B.FortiView
C.Playbooks
D.Incidents
Answer: B

FortiView provides traffic analytics including top talkers.

Why this answer

FortiView is the correct feature because it provides real-time and historical traffic visibility, including top talkers, directly from the FortiGate's session table and logs. FortiView's 'Top Talkers' widget aggregates traffic by source IP, destination IP, or application, allowing the administrator to generate reports on the highest bandwidth consumers without needing to run complex queries in Log Analytics.

Exam trap

The trap here is that candidates confuse FortiView with Log Analytics, assuming that any log-based reporting must go through Log Analytics, but FortiView provides the pre-built, aggregated top talkers view without requiring SQL-like queries.

How to eliminate wrong answers

Option A is wrong because Log Analytics is a FortiAnalyzer feature for running SQL-like queries against indexed logs, not a dedicated FortiView feature for visualizing top talkers; it requires manual query construction and lacks the pre-built, real-time top talker widgets. Option C is wrong because Playbooks are automation workflows in FortiSOAR or FortiAnalyzer for incident response, not a reporting or traffic visibility feature. Option D is wrong because Incidents are security event aggregations in FortiAnalyzer's Incident Management module, used for threat investigation and response, not for generating top talker reports.

258
MCQ · easy

A FortiGate is configured with ECMP load balancing. What is the default behavior when multiple routes have equal cost?

A.The route with the lowest metric is always preferred
B.The administrator must enable per-packet load balancing
C.Traffic is load balanced across the routes using a hash algorithm
D.All traffic is sent over the first route until it fails
Answer: C

ECMP uses source-destination hashing to distribute sessions.

Why this answer

ECMP (Equal-Cost Multi-Path) by default uses a hash-based method to distribute traffic across the equal-cost paths.

259
MCQ · medium

During a failover test in an active-passive HA cluster, the administrator notices that the secondary unit does not take over the primary role after a link failure on the primary. The 'get system ha status' shows both units in 'standalone' mode. What is the MOST likely cause?

A.The session pickup feature is disabled
B.The HA heartbeat interface is down or misconfigured on one unit
C.The cluster is running in active-active mode
D.The HA override feature is disabled
Answer: B

Heartbeat failure causes units to operate independently as standalone.

Why this answer

Option B is correct. If both units show standalone, the HA heartbeat is not functioning. The most common cause is that the HA heartbeat interface is not configured correctly or is down on one unit.

260
Multi-Select · medium

An administrator is troubleshooting an IPsec VPN where phase 1 is up but phase 2 fails. Which two debug commands would be MOST helpful in diagnosing the phase 2 issue? (Choose TWO.)

Select 2 answers
A.diagnose sys session list
B.diagnose debug application ipsec -1
C.diagnose vpn ipsec phase2-config
D.get vpn ipsec tunnel details
E.diagnose debug application ike -1
Answers: C, E

This shows the configured phase 2 parameters, helpful for mismatch detection.

Why this answer

Phase 2 uses IPsec SA negotiation, which is logged by the IKE debug. Additionally, checking the phase 2 configuration can reveal mismatches. The correct commands are C and E.

261
MCQ · medium

An administrator configures an automation stitch on FortiManager to trigger a script when a specific log message is received. After saving, the stitch does not execute. What is a likely cause?

A.The FortiGate is not in the same ADOM
B.The log message is not being sent to FortiManager
C.The script is not uploaded to the FortiGate
D.The automation stitch is not enabled
Answer: D

Automation stitches must be enabled to run.

Why this answer

Option D is correct because automation stitches on FortiManager are disabled by default after creation. The administrator must explicitly enable the stitch before it will trigger on incoming log events. Without enabling, the stitch remains inactive regardless of other configurations.

Exam trap

The trap here is that candidates assume saving a configuration automatically activates it, but FortiManager requires an explicit enable step for automation stitches, unlike some other FortiManager objects that are active by default.

How to eliminate wrong answers

Option A is wrong because the FortiGate does not need to be in the same ADOM for the automation stitch to execute; FortiManager can manage devices across ADOMs as long as the device is properly assigned. Option B is wrong because the question states the stitch does not execute after saving, implying the log message is expected to be received; if logs were not sent, the issue would be a missing log forwarding configuration, not a disabled stitch. Option C is wrong because the script is executed from FortiManager, not uploaded to the FortiGate; automation stitches on FortiManager run scripts stored locally on the FortiManager, not on the managed device.

262
MCQ · medium

An organization wants to deploy a web application firewall (WAF) to protect a public-facing web application. They are evaluating FortiGate versus FortiWeb. Which of the following is a key advantage of using FortiWeb over FortiGate for WAF functionality?

A.FortiWeb offers advanced bot detection and positive security model
B.FortiGate can perform SSL deep inspection without performance impact
C.FortiGate supports a larger number of web servers behind a single policy
D.FortiGate can automatically patch web application vulnerabilities
Answer: A

FortiWeb includes machine learning bot detection and positive security model (whitelisting), which FortiGate lacks.

Why this answer

FortiWeb is a dedicated web application firewall that provides advanced bot detection and a positive security model, which allows only explicitly allowed traffic based on a whitelist of known good patterns. This is a key advantage over FortiGate, which primarily uses a negative security model (signature-based) and lacks the same depth of bot mitigation and positive enforcement for web-specific threats.

Exam trap

The trap here is that candidates assume FortiGate's integrated WAF features are equivalent to a dedicated WAF, but FortiWeb's positive security model and advanced bot detection are unique differentiators that FortiGate lacks.

How to eliminate wrong answers

Option B is wrong because FortiGate, like any device performing SSL deep inspection, incurs performance overhead due to decryption/re-encryption, and FortiGate does not claim zero performance impact. Option C is wrong because FortiGate does not inherently support a larger number of web servers behind a single policy; both platforms can scale, but FortiWeb is specifically optimized for high-volume web server pools with granular per-server policies. Option D is wrong because neither FortiGate nor FortiWeb automatically patches web application vulnerabilities; they detect and block exploit attempts but do not modify application code.

263
MCQ · hard

A FortiGate administrator is configuring Auto Discovery VPN (ADVPN) in a hub-and-spoke topology. Spokes are FortiGates with dynamic public IPs. Which setting is required on the spoke for it to automatically initiate shortcut tunnels to other spokes when needed?

A.set net-device disable
B.set mode aggressive
C.set add-route enable
D.set shortcut-station enable
Answer: C

This command on the phase1-interface allows dynamic route injection for shortcut tunnels.

Why this answer

ADVPN shortcut tunnels require the spoke to accept shortcut offers from the hub. Setting 'set add-route enable' on the phase1 interface allows the spoke to install routes for shortcuts. Without this, the spoke will not create shortcut tunnels even if it receives the offer.

264
MCQ · medium

A FortiGate administrator configures an antivirus profile with the machine learning engine enabled and applies it to a policy inspecting HTTP traffic. After deployment, the admin notices that some files are being allowed that should have been detected. What is the MOST likely cause?

A.The ML engine is in monitor-only mode
B.FortiGuard outbreak prevention is disabled
C.The antivirus profile is using flow-based inspection instead of proxy-based
D.The file size exceeds the maximum scanning limit
Answer: A

Monitor mode logs detections but does not block. To block, the engine must be in protect mode.

Why this answer

The most likely cause is that the machine learning engine is configured in monitor-only mode. In this mode, the ML engine will log detections and generate alerts but will not take any action to block the file, allowing it to pass through the policy. This is a common initial deployment strategy to assess the ML engine's impact before enabling active blocking.

Exam trap

The trap here is that candidates often assume the ML engine always blocks threats by default, overlooking the distinct monitor-only mode that logs detections without enforcement.

How to eliminate wrong answers

Option B is wrong because FortiGuard outbreak prevention is a separate feature that provides real-time updates for zero-day threats; disabling it would not cause the ML engine to allow files it should detect, as the ML engine operates independently of FortiGuard updates. Option C is wrong because flow-based inspection supports the ML engine and can perform detection; the issue is not the inspection mode but the action configured for the ML engine. Option D is wrong because if the file size exceeded the maximum scanning limit, the file would typically be skipped entirely or passed without any scanning, not allowed after being evaluated by the ML engine.

265
Multi-Select · hard

A company is deploying ZTNA to protect an internal application. They want to ensure that only users with devices that have disk encryption enabled and the latest OS patches can access the application. Which THREE components must be configured to achieve this?

Select 3 answers
A.FortiNAC for network admission control
B.IPsec VPN to encrypt traffic between client and FortiGate
C.FortiClient on the endpoint device
D.FortiGate ZTNA access proxy with tag-based rules
E.FortiClient EMS to define compliance policies and assign tags
Answers: C, D, E

FortiClient collects device posture information such as disk encryption status and OS patch level.

Why this answer

To enforce device posture requirements like disk encryption and OS patch level, you need FortiClient on the device to report posture, FortiClient EMS to define compliance policies and generate tags, and FortiGate ZTNA proxy to check those tags before granting access.

266
MCQ · medium

A company wants to receive threat intelligence feeds from external sources to enhance their FortiGate's protection. Which method should be used to integrate external threat feeds into FortiGate?

A.Use FortiGuard Threat Intelligence Service which automatically pulls feeds.
B.Manually add IP addresses to local address objects.
C.Configure an external threat feed connector in FortiGate, such as using a URL to a STIX/TAXII feed.
D.Use FortiAnalyzer to push feeds to FortiGate.
Answer: C

FortiGate supports external threat feeds via indicators of compromise (IOC) using STIX/TAXII or via the 'config system external-resource' command.

267
Multi-Select · medium

An administrator is configuring SD-WAN rules to steer traffic based on application performance. The requirement is to use VoIP traffic over the WAN link that has the lowest latency, but if latency exceeds 100ms, fail over to a backup link. The administrator has already created performance SLAs for both links. Which THREE configuration steps are required?

Select 3 answers
A.Set the 'failover-threshold' on each SD-WAN member to 100
B.Configure the SLA metric to 'latency' in the performance SLA
C.Create an SD-WAN rule for VoIP traffic and set the load balancing method to 'best quality'
D.Add both WAN interfaces to the rule as members and set weight based on latency
E.In the SD-WAN rule, set the 'sla-constraint' to 'sla' and define the latency threshold of 100ms
Answers: B, C, E

Why this answer

To achieve the requirement: first, set the SLA metric to 'latency' in the performance SLA (option B). Then, create an SD-WAN rule that matches VoIP traffic and set the strategy to 'best quality' (option C). Finally, configure the failover behaviour by setting the SLA constraint with the 100 ms latency threshold in the rule (option E).

Option A is incorrect because the threshold is defined in the SLA, not on the member interface. Option D is incorrect because a best-quality rule selects the link from the measured metric, not from a static weight.

268
MCQ · medium

An organization deploys FortiEDR to protect endpoints. Which component is responsible for collecting and sending telemetry data to the FortiEDR management console?

A.FortiGate firewall
B.FortiEDR Sensor (Agent)
C.FortiAnalyzer
D.FortiClient EMS
Answer: B

The sensor is installed on endpoints to gather data.

Why this answer

The FortiEDR Sensor (Agent) is the endpoint-resident component that collects telemetry data—such as process creation, network connections, file system changes, and registry modifications—and securely transmits it to the FortiEDR management console (Controller) for analysis and threat detection. Without the sensor, the management console has no visibility into endpoint activity.

Exam trap

The trap here is that candidates often confuse FortiClient EMS (which manages endpoint policies) with the FortiEDR Sensor, assuming that EMS handles telemetry collection, when in fact the sensor is a separate, dedicated agent for endpoint detection and response.

How to eliminate wrong answers

Option A is wrong because FortiGate is a next-generation firewall that provides network security and can integrate with FortiEDR via API or syslog, but it does not collect or send endpoint telemetry data to the FortiEDR management console. Option C is wrong because FortiAnalyzer is a centralized logging and reporting appliance that aggregates logs from Fortinet devices (e.g., FortiGate, FortiMail) but does not act as the telemetry collection agent for FortiEDR endpoints. Option D is wrong because FortiClient EMS manages endpoint compliance, VPN, and web filtering policies, and while it can integrate with FortiEDR, it is not the component that collects and sends endpoint telemetry to the FortiEDR console.

269
Multi-Select · medium

A network admin is troubleshooting an SD-WAN rule that should steer VoIP traffic to a low-latency link. The rule matches traffic from the VoIP subnet to any destination and uses the 'best-quality' strategy with SLA monitoring. However, traffic is still using the other link. Which TWO checks should the admin perform? (Choose two.)

Select 2 answers
A.Ensure that the FortiGate has a default route via each SD-WAN member.
B.Check that the SD-WAN rule has a higher priority than other rules that might match the traffic.
C.Disable the other SD-WAN members temporarily to force traffic to the desired link.
D.Confirm that the VoIP subnet is included in the SD-WAN zone.
E.Verify that the performance SLA is correctly configured and the VoIP traffic matches the SLA's server.
Answers: B, E

SD-WAN rules are evaluated in order; a rule with higher priority (lower number) takes precedence.

270
Matching · medium

Match each FortiGate routing concept to its description.


Manually configured route

Link-state dynamic routing protocol

Path-vector dynamic routing protocol

Routes traffic based on policy criteria

Load balancing across multiple paths

Why these pairings

These are routing features in FortiOS.

271
Multi-Select · medium

A FortiGate administrator is troubleshooting slow network performance. The administrator runs the command 'diagnose sys session filter dst 10.0.0.1' and sees many sessions in a 'proto_state=0a' state. What does this state indicate? (Select TWO.)

Select 2 answers
A.The session has been reset
B.The session is in FIN_WAIT_2 state
C.The session is in TIME_WAIT state
D.The session is actively transferring data
E.The session is in SYN_RECEIVED state
Answers: B, C

FIN_WAIT_2 is a common state during TCP teardown.

Why this answer

In FortiOS, the 'proto_state=0a' value in session diagnostics indicates the session is in the TCP FIN_WAIT_2 state (hex 0x0a = decimal 10). This state occurs after the local side has sent a FIN and received an ACK, but is still waiting for the remote side to close its connection. It is a normal part of TCP connection teardown, but an excessive number of sessions in this state can indicate that the remote peer is not properly closing connections, potentially contributing to slow performance due to resource exhaustion.

Exam trap

The trap here is that candidates often confuse FIN_WAIT_2 (0x0a) with TIME_WAIT (0x0b) or assume any non-ESTABLISHED state indicates a problem, but the question specifically asks for the meaning of 'proto_state=0a', which is FIN_WAIT_2, not TIME_WAIT.

272
MCQ · medium

A FortiGate administrator needs to configure a policy that allows traffic from VDOM A to VDOM B using inter-VDOM routing. Which configuration is required?

A.A single policy in VDOM A with destination VDOM B
B.A static route in VDOM A pointing to VDOM B
C.Policies in both VDOMs allowing traffic to and from the inter-VDOM link
D.Disable VDOM security features
Answer: C

Correct: policies in both VDOMs are required to allow bidirectional traffic.

Why this answer

Inter-VDOM routing requires explicit policy enforcement on both sides of the inter-VDOM link. A single policy in VDOM A cannot control return traffic from VDOM B, and FortiGate does not implicitly allow traffic between VDOMs. Therefore, policies must be configured in both VDOMs to permit traffic in both directions, ensuring stateful inspection and security controls are applied consistently.

Exam trap

The trap here is that candidates assume a single policy in the source VDOM is sufficient, forgetting that FortiGate treats each VDOM as a separate virtual firewall requiring its own policy for return traffic.

How to eliminate wrong answers

Option A is wrong because a single policy in VDOM A only controls outbound traffic from VDOM A; return traffic from VDOM B would be dropped without a corresponding policy in VDOM B. Option B is wrong because static routes direct traffic but do not provide firewall policy enforcement; inter-VDOM traffic still requires explicit allow policies in both VDOMs. Option D is wrong because disabling VDOM security features would bypass all security controls, which is not a valid or secure configuration for inter-VDOM routing.

273
MCQ · easy

An administrator wants to limit the number of VDOMs that can be created on a FortiGate. What should the administrator configure?

A.Use the 'config vdom' command to delete unused VDOMs
B.Set the 'max-vdom' option under 'config system global'
C.Configure the VDOM license on FortiManager
D.Set the 'vdom-admin' option to 'enable'
Answer: B

The 'max-vdom' parameter in system global sets the maximum number of VDOMs.

Why this answer

The 'max-vdom' option under 'config system global' directly limits the number of VDOMs that can be created on a FortiGate. This setting enforces a hard cap on the total VDOM count, regardless of licensing or administrative roles. By default, the value is set to 10 on most models, but it can be increased up to the maximum supported by the platform or license.

Exam trap

The trap here is that candidates often confuse the FortiGate's local 'max-vdom' limit with FortiManager licensing or the 'vdom-admin' toggle, mistakenly thinking those options control the creation cap when they actually address management scope or administrative access.

How to eliminate wrong answers

Option A is wrong because deleting unused VDOMs reduces the current count but does not prevent future creation of additional VDOMs; it is a reactive action, not a proactive limit. Option C is wrong because the VDOM license on FortiManager controls the number of VDOMs that can be managed centrally, but it does not enforce a creation limit on the FortiGate itself; the FortiGate's local 'max-vdom' setting is independent of FortiManager licensing. Option D is wrong because the 'vdom-admin' option enables or disables VDOM administration mode (allowing VDOM configuration), but it does not impose any numerical limit on how many VDOMs can be created.

274
Multi-Select · hard

A security analyst notices that an automation stitch in FortiManager did not trigger when a specific event occurred on a managed FortiGate. Which three possible reasons could explain why the stitch did not fire? (Choose three.)

Select 3 answers
A.The trigger event type does not match the actual event
B.The FortiGate has reached its license limit for automation stitches
C.The automation stitch was configured with a condition that was not met
D.The automation stitch is disabled
E.The FortiManager had a temporary network connectivity issue with the FortiGate
Answers: A, D, E

If the trigger is set for a different event type, it will not fire.

Why this answer

Option A is correct because an automation stitch in FortiManager triggers only when the event type defined in the stitch matches the actual event generated by the FortiGate. If the event type (e.g., 'event-log' vs. 'traffic-log') does not match, the stitch will not fire. This is a fundamental condition for stitch execution.

Exam trap

The trap here is confusing a condition (which is checked after the trigger fires) with the trigger itself, leading candidates to incorrectly select Option C as a reason the stitch did not fire at all.

275
Multi-Select · medium

A FortiGate is acting as an ABR between OSPF area 0 and area 1. The administrator needs to redistribute a static route into OSPF so that it appears as an inter-area route (Type 3 LSA). Which three steps are required? (Choose THREE.)

Select 3 answers
A.Disable route summarization on the ABR
B.Configure a route map to set the metric type to Type 1
C.Verify the OSPF process has network statements covering all interfaces
D.Configure 'redistribute static' under OSPF on the ABR
E.Ensure the static route is present in the routing table
Answers: C, D, E

Necessary for OSPF adjacency and LSA propagation.

Why this answer

Redistribution is configured under the OSPF process, and the static route must already exist in the routing table. To propagate as a Type 3 LSA, the redistribution must occur on the ABR, and the route should be injected into area 0 so it can be converted to Type 3.

Optionally, a route map can be used to filter the redistributed routes.

276
MCQ · hard

An administrator configures email authentication (SPF, DKIM, DMARC) on FortiMail. They find that legitimate emails are being marked as spam by FortiMail. The SPF check passes but DKIM fails. What could be the issue?

A.The SPF record is too strict
B.The email was forwarded by an intermediary that strips the DKIM signature
C.FortiMail has a bug in the DKIM verification module
D.The DMARC policy is set to reject
Answer: B

Forwarding often breaks DKIM, causing it to fail.

Why this answer

Option B is correct because when an email is forwarded by an intermediary (e.g., a mailing list or forwarding service), the intermediary often modifies the message headers or body, which invalidates the DKIM signature. Since DKIM relies on a cryptographic hash of the original message content and selected headers, any alteration—even by a legitimate forwarder—causes the signature verification to fail. The SPF check passes because the forwarding server may be authorized in the SPF record, but DKIM failure triggers spam classification if the DMARC policy is not aligned.

Exam trap

The trap here is that candidates assume DKIM failure is always due to a misconfiguration on the sending side, rather than recognizing that forwarding or intermediary modification is a common and legitimate cause of DKIM breakage.

How to eliminate wrong answers

Option A is wrong because a strict SPF record (e.g., -all) would cause SPF to fail, not pass; the question states SPF passes, so this is irrelevant. Option C is wrong because FortiMail's DKIM verification module is RFC 6376 compliant and does not have a known bug that would cause legitimate DKIM signatures to fail; this is a red herring. Option D is wrong because DMARC policy (p=reject) only dictates how receivers handle messages that fail both SPF and DKIM alignment; it does not cause DKIM to fail—it is an action based on the result, not the cause of the failure.

277
Multi-Select · hard

An organization is deploying FortiEDR to enhance endpoint protection. Which THREE capabilities does FortiEDR provide? (Choose three.)

Select 3 answers
A.Forensic investigation and root cause analysis
B.Decoy deployment to lure attackers
C.Real-time threat detection using behavioral analysis
D.Automated response to isolate compromised endpoints
E.Email security filtering
Answers: A, C, D

FortiEDR provides detailed forensic data for investigation.

Why this answer

Options A, C, and D are correct because FortiEDR provides forensic investigation, real-time behavioral detection, and automated response capabilities.

278
Multi-Select · medium

A FortiGate administrator is troubleshooting a scenario where remote users can connect to the VPN but cannot access internal resources. The VPN policy is configured correctly. Which TWO steps should the administrator take to diagnose the issue?

Select 2 answers
A.Verify that the routing table on the FortiGate includes the remote networks
B.Check the firewall policy to ensure it allows traffic from the VPN to internal networks
C.Restart the IKE daemon on the FortiGate
D.Disable NAT on the VPN policy
E.Increase the DPD retry count
Answers: A, B

Without routes to the remote networks, traffic will not be forwarded through the tunnel.

Why this answer

Check routing and firewall policies. If the tunnel is up but traffic is not forwarded, routing may be missing or firewall policies may be blocking or not matching.

279
MCQ · hard

Refer to the exhibit. A tunnel interface is configured with IP 10.0.1.1/30 and remote-ip 10.0.1.2/30. The phase2 defines src-subnet as 10.0.1.0/30 and dst-subnet as 10.0.2.0/30. What is the most likely problem with this configuration?

A.The phase2 src-subnet includes the tunnel interface IP
B.The remote gateway is set to a static IP but the peer might be dynamic
C.The tunnel interface is missing the 'ip' command
D.The phase2 dst-subnet overlaps with the remote gateway
Answer: A

The tunnel interface IP (10.0.1.1) is inside the src-subnet (10.0.1.0/30), which is incorrect. The src-subnet should be the local LAN subnet, not the tunnel subnet.

Why this answer

The phase2 src-subnet is set to 10.0.1.0/30, which includes the tunnel interface IP 10.0.1.1/30. In IPsec VPN configurations, the phase2 selector must not include the tunnel interface IP itself because the tunnel interface is used for routing encapsulated traffic; including it can cause routing loops or prevent the tunnel from establishing correctly. The correct src-subnet should be the protected internal network behind the FortiGate, not the tunnel subnet.

Exam trap

The trap here is that candidates often confuse the tunnel interface subnet with the protected local subnet, assuming the phase2 selectors should match the tunnel IPs, when in fact they must specify the actual internal networks behind the VPN gateways.

How to eliminate wrong answers

Option B is wrong because the question does not provide any information about the peer being dynamic; the remote-ip is statically configured, and a static peer is valid. Option C is wrong because the tunnel interface is configured with an IP address (10.0.1.1/30), which implies the 'ip' command is present; the issue is not a missing command. Option D is wrong because the phase2 dst-subnet (10.0.2.0/30) does not overlap with the remote gateway (10.0.1.2/30); they are on different subnets, so no overlap exists.

280
MCQ · medium

A FortiGate admin configures a policy package with header and footer policies in FortiManager. What is the purpose of header policies?

A.They are used for NAT policies only
B.They provide default logging for all traffic
C.They apply only to the root VDOM
D.They are evaluated before other policies in the same policy package
Answer: D

Header policies have higher priority and are evaluated first.

Why this answer

Header policies in FortiManager are evaluated before any other policies in the same policy package. This allows administrators to enforce mandatory rules—such as blocking specific traffic or applying global inspection—that must be processed first, ensuring they are not bypassed by more specific policies later in the sequence.

Exam trap

The trap here is that candidates often confuse header policies with global policies or default settings, assuming they apply only to NAT or root VDOMs, when in fact they are simply policies that are evaluated first within a specific policy package.

How to eliminate wrong answers

Option A is wrong because header policies are not limited to NAT policies; they can include any firewall policy type, including security, authentication, or traffic shaping. Option B is wrong because header policies do not automatically provide default logging; logging must be explicitly configured within each policy. Option C is wrong because header policies apply to the entire policy package, not just the root VDOM; they affect all VDOMs that use that package.

281
MCQ · medium

An administrator configured a new policy package in FortiManager and assigned it to a FortiGate. After installing the policy package, the FortiGate shows the new policies, but traffic is not matching them. What could be the reason?

A.The policy package is installed to the root VDOM instead of the target VDOM
B.The policy package has not been committed
C.The FortiGate has not been added to the ADOM
D.The FortiGate is in transparent mode
Answer: A

Policy packages are installed per VDOM; if the wrong VDOM is selected, policies won't affect the correct traffic.

Why this answer

If the policy package uses a different ADOM or the device is not properly synchronized, the policies may not apply correctly. The most common issue is that the policy package is not installed to the correct VDOM on the FortiGate.

282
MCQ · easy

What is the purpose of a management VDOM in a multi-VDOM FortiGate?

A. To apply security profiles for all VDOMs
B. To route all inter-VDOM traffic
C. To provide a dedicated VDOM for system administration and management traffic
D. To host customer-facing services
Answer: C

The management VDOM handles GUI/CLI access, SNMP, etc.

Why this answer

A management VDOM is a dedicated administrative VDOM that isolates system management traffic (e.g., SSH, HTTPS, SNMP, syslog) from data-plane VDOMs. This ensures that administrative access and logging remain available even if a data VDOM fails or is misconfigured, and it prevents management traffic from competing with production traffic for resources.

Exam trap

The trap here is that candidates often confuse the management VDOM with a 'super-VDOM' that controls all others, but in reality it only handles administrative traffic and has no data-plane forwarding role.

How to eliminate wrong answers

Option A is wrong because security profiles (e.g., antivirus, web filtering) are applied per VDOM or per policy, not centrally by a management VDOM; each VDOM has its own independent security policy engine. Option B is wrong because inter-VDOM traffic is routed by the VDOM link or inter-VDOM link feature, not by the management VDOM; the management VDOM does not participate in data-plane forwarding. Option D is wrong because customer-facing services (e.g., web servers, application hosting) are typically placed in a separate data VDOM, not the management VDOM, which is reserved strictly for administrative access and monitoring.

283
Multi-Select · medium

A FortiGate is configured as a ZTNA proxy for an internal application. Users authenticate via SAML with FortiGate as the IdP. The administrator wants to enforce that only devices with a valid ZTNA tag can access the application. Which TWO configurations are required?

A. Install a client certificate on each device for authentication.
B. Configure FortiClient EMS to push compliance tags to FortiGate.
C. Set the ZTNA proxy to require FortiClient on the client device.
D. Create a ZTNA rule with tag conditions.
E. Enable ZTNA tags on the firewall policy that permits access to the application.

Why this answer

FortiClient EMS must send tags to FortiGate (B). ZTNA rules must include tag conditions to filter access based on those tags (C). Option A is not correct because tags are used in ZTNA rules, not directly on firewall policies.

Option D is not specifically required if tags are used. Option E is not needed if SAML is used.

284
Matching · medium

Match each Fortinet security feature to its primary function.

Concepts
Matches

Detects and prevents network attacks

Identifies and controls application traffic

Blocks access to malicious or unwanted websites

Scans and removes malware from traffic

Prevents sensitive data from leaving the network

Why these pairings

These are core UTM features in FortiOS.

285
Multi-Select · hard

A FortiGate HA cluster is configured in active-passive mode with VDOMs. The administrator wants to ensure that a specific VDOM (VDOM1) always runs on the primary unit unless that unit fails. Additionally, the administrator wants to minimize disruption during a failover. Which THREE configuration steps should be taken?

Select 3 answers
A. Set the HA priority of the primary unit to a higher value (e.g., 200) than the secondary unit
B. Disable session pickup to speed up failover
C. Configure VDOM load balance with 'prefer' setting for VDOM1 on the primary unit
D. Enable session pickup and ensure session synchronization is configured
E. Enable active-active HA mode
Answers: A, C, D

A higher HA priority makes the unit the preferred primary.

Why this answer

Option A is correct because in an active-passive HA cluster, setting a higher HA priority (e.g., 200) on the primary unit ensures it is elected as the active unit. This guarantees that VDOM1, which is not load-balanced, will run on the primary unit under normal conditions, as the higher priority value makes the primary unit preferred during the election process.

Exam trap

The trap here is that candidates often confuse active-passive with active-active HA mode, incorrectly assuming that active-active is required for VDOM-specific control, when in fact the 'prefer' setting within active-passive mode achieves the desired behavior without allowing VDOMs to run on both units simultaneously.

286
MCQ · easy

A FortiGate administrator wants to see the current number of active sessions. Which command provides this information?

A. show system session-info
B. diagnose sys session stat
C. diagnose sys session list
D. get system performance status
Answer: B

This command shows session count and other statistics.

Why this answer

The 'diagnose sys session stat' command displays session statistics, including the total number of sessions.

287
Multi-Select · easy

A company is deploying ZTNA to replace their legacy VPN. They want to ensure that only users with a valid certificate and compliant antivirus can access the internal application. Which TWO components are required on the FortiGate for this deployment?

Select 2 answers
A. ZTNA proxy rule with access proxy
B. Dynamic routing protocol (BGP)
C. Firewall policy with ZTNA tags matching
D. SSL-VPN portal
E. IPsec phase1 with certificate authentication
Answers: A, C

Why this answer

ZTNA uses a proxy rule (access proxy) to publish the application, and a firewall policy that references ZTNA tags and the access proxy to enforce access based on identity and posture.

288
MCQ · hard

A network engineer is troubleshooting an SD-WAN setup where traffic from a specific subnet is not being load-balanced as expected. The SD-WAN rule uses 'source IP' hashing. The engineer notices that the traffic originates from multiple hosts in the same /24 subnet. What is the most likely cause of poor load distribution?

A. The SD-WAN rule is not matching the traffic.
B. The SD-WAN members have different bandwidths.
C. Traffic is using a single destination IP and port.
D. The source IP hashing algorithm causes multiple hosts in the same subnet to map to the same member.
Answer: D

Source IP hashing can lead to poor distribution for similar IPs.

Why this answer

Source IP hashing in SD-WAN uses a hash of the source IP address to select a member for each flow. When multiple hosts reside in the same /24 subnet, their source IPs share the same first 24 bits, which can cause the hash algorithm to map them to the same SD-WAN member if the hash function is not sufficiently granular or if the number of members is small. This results in poor load distribution despite multiple sources.

Exam trap

The trap here is that candidates assume multiple hosts in the same subnet automatically distribute traffic evenly, forgetting that source IP hashing can produce identical hash values for IPs sharing the same network prefix, leading to poor load balancing.

How to eliminate wrong answers

Option A is wrong because if the SD-WAN rule were not matching the traffic, no load balancing would occur at all, not just poor distribution. Option B is wrong because different bandwidths among members affect capacity but do not cause the hash algorithm to map multiple hosts in the same subnet to the same member; bandwidth differences are handled by weighted load balancing, not source IP hashing. Option C is wrong because using a single destination IP and port would affect per-flow load balancing (e.g., session-based hashing), but source IP hashing is independent of destination; the issue here is specifically about source IPs in the same subnet mapping identically.

289
Multi-Select · medium

An administrator is using FortiAnalyzer to generate a compliance report. The report should include logs from multiple FortiGates in different ADOMs. Which three actions must the administrator take? (Choose three.)

Select 3 answers
A. Configure a meta field to tag the devices for report filtering
B. Ensure the FortiGates are logging to the same ADOM or multiple ADOMs
C. Create a new ADOM that spans all the FortiGates
D. Use the 'device groups' feature in FortiAnalyzer to aggregate logs
E. Select the appropriate ADOM scope when configuring the report
Answers: A, B, E

Meta fields allow grouping of devices across ADOMs for reporting.

Why this answer

Option A is correct because meta fields in FortiAnalyzer allow you to tag devices with custom attributes, which can then be used as filters when generating compliance reports. This enables the report to include logs from multiple FortiGates across different ADOMs by filtering based on the meta field value, rather than being restricted to a single ADOM's scope.

Exam trap

The trap here is that candidates often assume that logs from different ADOMs must be aggregated into a single ADOM or use device groups, but FortiAnalyzer's meta fields and ADOM scope selection provide a more flexible and secure method for cross-ADOM reporting without compromising ADOM boundaries.

290
Matching · medium

Match each IPsec VPN term to its definition.

Concepts
Matches

Internet Key Exchange version 1

Internet Key Exchange version 2

Encapsulating Security Payload

Authentication Header

Perfect Forward Secrecy

Why these pairings

These are fundamental IPsec VPN concepts.

291
MCQ · hard

An administrator configures VDOMs on a FortiGate and assigns port1 to VDOM-A and port2 to VDOM-B. The administrator then creates a firewall policy in VDOM-A to allow traffic from port1 to the VDOM link. Traffic from VDOM-A to VDOM-B is still failing. What is the most likely missing configuration?

A. An inter-VDOM routing policy under system settings
B. A policy in VDOM-B allowing traffic from the VDOM link to port2
C. A static route in VDOM-A pointing to VDOM-B's subnet
D. A VDOM link connecting VDOM-A and VDOM-B
Answer: D

The VDOM link is required for inter-VDOM communication.

Why this answer

The most likely missing configuration is a VDOM link, which is the logical interconnecting interface required to route traffic between VDOMs. Without a VDOM link, VDOM-A and VDOM-B are isolated from each other, and no firewall policy or route can forward traffic between them. The administrator must create a VDOM link (e.g., using the 'config system vdom-link' command) to establish the Layer 3 adjacency needed for inter-VDOM communication.

Exam trap

The trap here is that candidates often assume a firewall policy alone is sufficient for inter-VDOM traffic, overlooking the mandatory requirement of a VDOM link to create the logical path between VDOMs before any policy or route can be applied.

How to eliminate wrong answers

Option A is wrong because an inter-VDOM routing policy is not a valid configuration object under system settings; inter-VDOM routing is achieved via VDOM links and policies, not a separate routing policy. Option B is wrong because while a policy in VDOM-B is eventually required to permit traffic from the VDOM link to port2, the immediate missing element is the VDOM link itself—without it, no traffic can reach VDOM-B to even be evaluated by a policy. Option C is wrong because a static route in VDOM-A pointing to VDOM-B's subnet is unnecessary until the VDOM link is created and the next-hop interface (the VDOM link) is defined; the route cannot function without the link.

292
MCQ · medium

In FortiManager, an administrator wants to apply a set of firewall policies to multiple FortiGates in different ADOMs. The policies must be centrally managed. What is the best approach?

A. Use the Global ADOM to define global policies that apply to all ADOMs
B. Create a policy package in each ADOM and use the same policies
C. Configure the policies directly on each FortiGate
D. Use automation stitches to copy policies between ADOMs
Answer: A

Global ADOM policies are inherited by all ADOMs, providing central management.

Why this answer

The Global ADOM in FortiManager allows administrators to define firewall policies that are automatically inherited by all ADOMs, ensuring consistent, centrally managed policy enforcement across multiple FortiGates without manual duplication. This approach leverages FortiManager's hierarchical policy model, where global policies are pushed to each ADOM's policy packages and take precedence over local policies unless overridden.

Exam trap

The trap here is that candidates often confuse the Global ADOM with a simple 'global policy' feature, not realizing it is a dedicated administrative domain with its own policy database and inheritance rules, leading them to choose option B (manual duplication) or D (automation stitches) as workarounds.

How to eliminate wrong answers

Option B is wrong because creating a policy package in each ADOM with the same policies duplicates configuration effort and defeats centralized management, as each ADOM's policies must be individually maintained and pushed. Option C is wrong because configuring policies directly on each FortiGate bypasses FortiManager's centralized control, leading to configuration drift and no single source of truth. Option D is wrong because automation stitches are designed for event-triggered actions (e.g., dynamic responses), not for replicating static policy sets between ADOMs, and they lack the inheritance and revision control of Global ADOM policies.

293
MCQ · medium

An administrator notices that when a BGP session goes down, failover to the backup path takes about 30 seconds. The admin wants to reduce the failover time to less than 1 second. Which technology should the administrator implement?

A. Configure BGP fast external failover
B. Increase the BGP keepalive timer to 1 second
C. Use policy-based routing with SLA monitoring
D. Enable BFD on the BGP neighbor and the associated interface
Answer: D

BFD provides fast failure detection (milliseconds) for routing protocols.

Why this answer

Option D is correct. BFD (Bidirectional Forwarding Detection) provides sub-second failure detection. It can be configured to monitor the BGP session and trigger faster convergence.

294
Multi-Select · medium

An administrator is planning a FortiManager deployment to manage multiple FortiGates with multiple VDOMs. The administrator wants to use ADOMs to separate configurations. Which TWO statements about ADOMs are correct? (Choose two.)

Select 2 answers
A. ADOMs support revision history for tracking configuration changes
B. Regular ADOMs can only contain devices with a single VDOM
C. A Global ADOM can manage all VDOMs on a managed FortiGate
D. Policy packages in an ADOM can be shared across different ADOMs
E. ADOMs cannot be renamed after creation
Answers: A, C

Each ADOM maintains its own revision history for managed devices/VDOMs.

Why this answer

Option A is correct because ADOMs in FortiManager maintain a revision history for each managed device or VDOM, allowing administrators to track configuration changes over time, compare revisions, and roll back to previous states if needed. This revision control is essential for auditing and troubleshooting in multi-VDOM environments.

Exam trap

The trap here is that candidates often assume regular ADOMs can only contain single-VDOM devices (Option B) because of the word 'regular,' but FortiManager allows multi-VDOM devices to be split across ADOMs or grouped together, and the Global ADOM is specifically designed for cross-VDOM management.

295
Multi-Select · hard

An administrator wants to ensure that traffic between two VDOMs on the same FortiGate is properly inspected. Which THREE configurations must be in place?

Select 3 answers
A. Inspection profiles applied to the policies
B. Enable SSL inspection on the inter-VDOM link interface
C. A firewall policy in each VDOM permitting traffic across the link
D. An inter-VDOM link between the VDOMs
E. Static routes on both VDOMs pointing to the inter-VDOM link
Answers: A, C, D

Why this answer

Option A is correct because inspection profiles (such as antivirus, web filtering, and IPS) must be explicitly applied to the firewall policies that govern traffic traversing the inter-VDOM link. Without these profiles, the FortiGate will forward traffic between VDOMs based solely on the policy action (accept/deny) without performing any deep packet inspection, leaving the traffic unexamined for threats. This is a fundamental requirement for UTM inspection in a multi-VDOM architecture.

Exam trap

The trap here is that candidates often assume SSL inspection must be enabled on the inter-VDOM link interface itself, but FortiGate requires SSL inspection to be configured as part of the inspection profile applied to the firewall policy, not on the interface.

296
MCQ · medium

An organization uses FortiGate's WAF feature (not FortiWeb) to protect a web server. The admin configures an inline WAF profile but notices that the WAF is not inspecting traffic. What is the most likely cause?

A. The WAF profile is not applied to a firewall policy
B. SSL Inspection is not enabled on the firewall policy
C. The firewall policy uses flow-based inspection
D. The WAF profile is configured in monitor mode
Answer: B

Without decryption, FortiGate cannot inspect encrypted traffic for WAF rules.

Why this answer

FortiGate's WAF feature requires SSL inspection to decrypt HTTPS traffic. Without an SSL inspection profile applied to the policy, the WAF cannot see the plaintext HTTP content.

297
MCQ · hard

An organization uses FortiManager to manage multiple FortiGate devices in a Security Fabric. The administrator wants to push a new firewall policy that includes an FQDN address object. Which statement is true regarding FQDN objects in FortiManager policies?

A. FQDN objects must be defined on each managed FortiGate individually
B. The FQDN resolution is done automatically every 60 seconds by FortiManager
C. FortiManager resolves the FQDN to IP addresses at installation time and updates the policy accordingly
D. FQDN objects cannot be used in policies pushed from FortiManager
Answer: C

This ensures the FortiGate has the resolved IPs.

Why this answer

When an administrator pushes a policy containing an FQDN address object from FortiManager, FortiManager resolves the FQDN to its current IP addresses at installation time. The resolved IPs are then written into the policy on the managed FortiGate, ensuring the policy is immediately effective without requiring the FortiGate to perform DNS resolution. This behavior is specific to FortiManager-managed policies and differs from locally configured FQDN objects on FortiGate.

Exam trap

The trap here is that candidates confuse FortiManager's installation-time resolution with FortiGate's built-in FQDN caching and periodic re-resolution (default 60 seconds), leading them to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because FQDN objects can be defined centrally in FortiManager and pushed to multiple FortiGates, eliminating the need for individual definition on each device. Option B is wrong because FortiManager does not perform automatic FQDN resolution every 60 seconds; resolution occurs only at installation time, and subsequent updates require a re-install or a scheduled policy push. Option D is wrong because FQDN objects are fully supported in policies pushed from FortiManager, with the resolution handled during installation as described.

298
MCQ · easy

An administrator wants to ensure that all traffic from VDOM 'Guest' is logged to a FortiAnalyzer that is managed by FortiManager. What must be configured in FortiManager to achieve this?

A. Enable FortiView on the FortiGate
B. Configure a log forwarding policy in the Global ADOM
C. Create an automation stitch to forward logs
D. Configure the VDOM's log settings and assign the device to an ADOM with log forwarding enabled
Answer: D

Proper log settings on the VDOM and correct ADOM configuration ensure logs are sent to FortiAnalyzer.

Why this answer

Option D is correct because FortiManager manages log forwarding at the ADOM level. To forward logs from a specific VDOM (Guest) to FortiAnalyzer, the administrator must configure the VDOM's log settings to send logs to FortiAnalyzer and assign the FortiGate to an ADOM that has log forwarding enabled. This ensures that logs from the Guest VDOM are properly forwarded to the FortiAnalyzer managed by FortiManager.

Exam trap

The trap here is that candidates often confuse log forwarding with automation stitches or global policies, thinking that a global setting or event-triggered action can replace the need for per-VDOM log configuration within an ADOM.

How to eliminate wrong answers

Option A is wrong because enabling FortiView on the FortiGate only provides local traffic visualization and does not forward logs to FortiAnalyzer; FortiView is a monitoring tool, not a log forwarding mechanism. Option B is wrong because a log forwarding policy in the Global ADOM applies to all VDOMs globally, not specifically to the Guest VDOM, and it does not handle per-VDOM log forwarding granularity. Option C is wrong because an automation stitch is used for automated responses to events (e.g., triggering scripts or sending alerts), not for forwarding logs to FortiAnalyzer; log forwarding is configured via log settings and ADOM policies.

299
MCQ · hard

A FortiGate has VDOMs enabled. An administrator runs 'get system status' and sees only one VDOM listed. However, the administrator configured two VDOMs earlier. What is the most likely cause?

A. The second VDOM was deleted by another administrator
B. VDOM mode is not enabled globally
C. The second VDOM has a different name and is hidden due to a bug
D. The command only shows the management VDOM; use 'config vdom' to see all
Answer: D

'get system status' displays only the current VDOM (usually management). To list all VDOMs, use 'show vdom' or 'config vdom'.

Why this answer

When VDOMs are enabled, the 'get system status' command displays only the management VDOM (the VDOM from which the administrator is currently logged in). To see all configured VDOMs, the administrator must use the 'config vdom' command followed by 'show' or 'get system status' within the global context. Option D correctly identifies this behavior, as the second VDOM is not deleted or hidden by a bug; it simply is not shown by that command.

Exam trap

The trap here is that candidates assume 'get system status' shows all configured VDOMs, when in fact it only displays the current management VDOM, leading them to incorrectly suspect deletion, misconfiguration, or a bug.

How to eliminate wrong answers

Option A is wrong because if the second VDOM had been deleted by another administrator, the 'config vdom' command would also show only one VDOM, but the question states the administrator configured two VDOMs earlier, and the issue is specifically with the output of 'get system status', not with the actual existence of the VDOM. Option B is wrong because if VDOM mode were not enabled globally, the 'get system status' command would not show any VDOM at all, and the administrator would not be able to configure VDOMs; the fact that one VDOM is listed indicates VDOM mode is enabled. Option C is wrong because there is no known bug in FortiOS that hides a VDOM due to its name; the 'get system status' command consistently shows only the current management VDOM, regardless of naming.

300
MCQ · medium

A network administrator is configuring a hub-and-spoke ADVPN with FortiGates. The spokes are behind NAT and use dynamic IPs. The hub has a static IP. Which IKEv2 configuration is REQUIRED to allow the spokes to initiate the VPN and receive shortcut tunnels?

A. Set the phase1 remote-gateway to 0.0.0.0 and enable 'accept-any-remote-gateway' on the hub
B. Set IKE version 2 to aggressive mode to allow rapid negotiation
C. Configure the hub with a static IP in the phase1 local-gateway interface
D. Use a preshared key and set the local ID to the spoke's public IP
Answer: A

The hub must accept connections from any source IP since spokes have dynamic IPs. This is achieved by setting remote-gateway 0.0.0.0 and optionally enabling accept-any-remote-gateway.

Why this answer

Aggressive mode is not supported in IKEv2 (only main mode). Setting the local ID is not sufficient for NAT traversal. Allowing IKE and ESP from any source is required because spokes may have dynamic IPs, and the hub must accept incoming connections from unknown source IPs.

The key requirement for ADVPN is that the hub must accept connections from any source, which is achieved by setting the interface to 'any' or allowing 0.0.0.0/0. Option A reflects the common practice: the hub uses a wildcard selector and accepts connections from any peer ID. Because the question asks what is REQUIRED, the most accurate answer is that the hub must be configured to accept connections from any source IP, which is done by setting the remote gateway to 0.0.0.0 or using a peer ID with accept-any.

Option A is the best answer.
