Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 301–375

1000 questions total · 14 pages · All types, answers revealed

Page 5 of 14
301
MCQ · medium

A site-to-site IPsec VPN tunnel is failing. The administrator runs 'diagnose vpn ike config' and sees that phase 1 parameters are correct. However, phase 2 negotiation fails with 'no proposal chosen'. What is the MOST likely cause?

A. The pre-shared key is incorrect
B. The phase 2 encryption/authentication algorithms do not match between peers
C. The firewall policy allowing IKE traffic is missing
D. The remote gateway IP address is wrong
Answer: B

Phase 2 negotiation fails when proposals do not match.

Why this answer

Option B is correct. The 'no proposal chosen' error in phase 2 indicates a mismatch in the phase 2 parameters (encryption, authentication, PFS, etc.) between the two peers. The administrator should verify that the phase 2 selectors and proposals match on both ends.

302
MCQ · medium

An administrator configures an SD-WAN rule to steer traffic from a specific subnet to an SD-WAN member with the lowest cost. Which load balancing algorithm should be selected in the SD-WAN rule to achieve this behavior?

A. Lowest-cost
B. Volume
C. Sessions
D. Source-dest-IP
Answer: A

Lowest-cost uses the member with the best performance SLA metric.

Why this answer

The lowest-cost algorithm selects the member with the lowest cost (from the performance SLA) for each session. The other algorithms do not consider cost.

303
Drag & Drop · medium

Drag and drop the steps to configure OSPF on a FortiGate firewall into the correct order.


Why this order

Create virtual router, define areas and networks, set router ID, enable on interfaces, then verify.

304
MCQ · hard

An administrator configures FortiAnalyzer to receive logs from multiple FortiGates. They want to create a report that shows only incidents involving 'critical' severity and specific attack types. Which FortiAnalyzer feature allows the administrator to define such a custom report?

A. Incident management
B. Playbooks
C. FortiView dashboards
D. Report datasets and charts
Answer: D

Datasets define the data source and filters; charts visualize it.

Why this answer

Option D is correct: FortiAnalyzer reports use SQL-like queries and dataset definitions to filter and aggregate log data based on severity, attack type, etc.

305
MCQ · hard

A FortiGate administrator runs 'diagnose sys session list' and sees a session for which the destination interface is 'sdwan'. The session is marked with 'state=01000048'. What does this state indicate about the session?

A. The session is being held until the SD-WAN load balancing decision is made
B. The session is bypassing SD-WAN load balancing and using policy-based routing
C. The session has completed load balancing and is being forwarded out the sdwan interface
D. The session has been dropped because the selected SD-WAN member is down
Answer: A

Why this answer

In FortiGate session states, the hex value '01000048' corresponds to flags including 'dest_valid' and 'likely_proto'. The flag '01000000' typically indicates the session is using ECMP. In the context of an SD-WAN interface, this state suggests that the session is undergoing load balancing and is waiting for the route to be resolved.

More specifically, a session state like this often means the session is in an 'ECMP pending' state. Among the options, the closest is that the session is waiting for the SD-WAN load balancing decision. Option A is the correct interpretation.

306
MCQ · medium

An administrator wants to troubleshoot why specific traffic is not matching a configured firewall policy. Which debug command should be used?

A. diagnose sys session list
B. get firewall policy <id>
C. diagnose netlink interface list
D. diagnose debug flow
Answer: D

This traces packet flow and shows policy matching.

Why this answer

Option D is correct because 'diagnose debug flow' shows packet flow and policy matching decisions. Option A shows current sessions. Option B shows interfaces. Option C shows firewall statistics.

307
MCQ · easy

A FortiGate administrator wants to use FortiNAC for network access control. Which of the following is the PRIMARY function of FortiNAC in a network?

A. Perform deep packet inspection on all traffic
B. Act as a VPN concentrator for remote access
C. Provide network access control by enforcing policies based on device identity and posture
D. Provide a cloud-based sandbox for malware analysis
Answer: C

FortiNAC's core function is NAC: controlling network access based on device identity, compliance, and user role.

Why this answer

FortiNAC is the Network Access Control solution from Fortinet. It provides visibility, control, and automated response for endpoints on the network, including device profiling, guest management, and policy enforcement. Option C is correct.

308
MCQ · easy

A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?

A. Data Leak Prevention profile
B. Antivirus profile with SSL inspection
C. Web Filtering profile
D. Intrusion Prevention profile
Answer: B

Antivirus profiles can be configured with SSL inspection to detect malware in encrypted C2 traffic.

Why this answer

Option B is correct because an Antivirus profile with SSL inspection enabled is required to decrypt encrypted C2 (command-and-control) traffic so that FortiGate can inspect the payload for malware signatures, heuristics, and behavioral patterns. Without SSL inspection, the ATP engine cannot see inside the encrypted tunnel, rendering the antivirus and other security profiles ineffective against encrypted C2 communications.

Exam trap

The trap here is that candidates often assume IPS or Web Filtering alone can block encrypted C2 traffic, but without SSL inspection, these profiles cannot see inside the encrypted tunnel, making the Antivirus profile with SSL inspection the only correct choice for detecting malware in encrypted communications.

How to eliminate wrong answers

Option A is wrong because a Data Leak Prevention (DLP) profile focuses on detecting and preventing unauthorized transmission of sensitive data (e.g., credit card numbers, PII) and does not perform SSL inspection or detect advanced malware C2 traffic. Option C is wrong because a Web Filtering profile controls access to URLs and categories (e.g., blocking malicious sites) but does not decrypt or inspect the content of encrypted sessions for malware payloads. Option D is wrong because an Intrusion Prevention profile (IPS) detects and blocks network-level exploits and vulnerabilities, but without SSL inspection, it cannot analyze encrypted C2 traffic; IPS relies on decrypted traffic to match signatures.

309
MCQ · medium

A FortiGate administrator is using FortiNAC to enforce network access control for wired endpoints. The administrator wants to quarantine any endpoint that fails antivirus compliance. Which action should be configured in the FortiNAC policy to achieve this?

A. Disable the switch port
B. Send an SNMP trap to the admin
C. Assign the endpoint to a quarantine VLAN
D. Block the MAC address at the switch port
Answer: C

This is the standard method to isolate non-compliant endpoints while allowing limited remediation access.

Why this answer

FortiNAC policies can enforce compliance by moving endpoints to a quarantine VLAN or applying a quarantine ACL. The typical action is to place the endpoint in a quarantine VLAN where access is restricted.

310
MCQ · medium

An administrator is troubleshooting a scenario where FortiAnalyzer is not receiving logs from a FortiGate. The FortiGate shows 'log-fortianalyzer setting status: disconnected'. Which step should be taken first to resolve this?

A. Check the FortiGate's DNS resolution for the FortiAnalyzer hostname
B. Verify that the FortiGate can reach the FortiAnalyzer IP address and that the FortiAnalyzer service is running
C. Restart the FortiGate's logging service
D. Disable and re-enable logging to FortiAnalyzer
Answer: B

Connectivity is the most basic check; ping and service status should be verified first.

Why this answer

The 'disconnected' status indicates that the FortiGate cannot establish a TCP connection to the FortiAnalyzer. The first step is to verify basic Layer 3 reachability (ping) and that the FortiAnalyzer service is listening on the default port (TCP 514 or 3000 for encrypted). Without confirming these, further troubleshooting is premature.

Exam trap

The trap here is that candidates often jump to reconfiguring logging or restarting services (options C or D) without first verifying the most fundamental Layer 3 connectivity and service availability, which is the logical starting point for any 'disconnected' status.

How to eliminate wrong answers

Option A is wrong because DNS resolution is only relevant if the FortiGate is configured to use a hostname instead of an IP address; the status 'disconnected' points to a connectivity or service issue, not name resolution. Option C is wrong because restarting the FortiGate's logging service does not address underlying network or server-side problems; it only restarts the local logging daemon. Option D is wrong because disabling and re-enabling logging to FortiAnalyzer merely toggles the configuration without fixing the root cause of the disconnection; it is a reactive step that should be taken only after connectivity and service status are confirmed.

311
MCQ · hard

An enterprise uses FortiGate as an SD-WAN edge device with three WAN links: Link A (MPLS), Link B (broadband), and Link C (LTE). The SD-WAN rule for VoIP traffic uses the 'best quality' strategy with link-quality-measurement enabled. The VoIP traffic is routed via Link A. During peak hours, users report poor voice quality. The administrator checks the SD-WAN performance SLA logs and sees that Link A's jitter and latency are within acceptable thresholds, but packet loss is slightly elevated. Which action would most likely improve VoIP quality without manual intervention?

A. Increase the priority of Link A to ensure it remains the preferred link.
B. Configure a performance SLA for VoIP traffic with jitter < 10ms, latency < 100ms, and packet-loss < 0.5% and apply it to the SD-WAN rule.
C. Disable link-quality-measurement to reduce overhead on Link A.
D. Add a new SD-WAN rule with 'lowest cost' strategy for VoIP traffic.
Answer: B

Applying a performance SLA with strict thresholds will cause the SD-WAN rule to select a link that meets the criteria, switching away from Link A if it fails the SLA.

Why this answer

Option B is correct because configuring a performance SLA with specific thresholds for jitter, latency, and packet loss allows FortiGate to dynamically failover VoIP traffic to another WAN link when Link A's packet loss exceeds the defined threshold (e.g., 0.5%). Since the 'best quality' strategy uses link-quality-measurement to select the link with the best SLA compliance, applying a performance SLA with a packet-loss threshold ensures that even if jitter and latency are acceptable, elevated packet loss triggers a switch to a healthier link, improving voice quality without manual intervention.

Exam trap

The trap here is that candidates assume 'best quality' automatically handles all quality metrics, but without a performance SLA with explicit thresholds, FortiGate only uses link-quality-measurement for ordering and does not failover based on packet loss alone.

How to eliminate wrong answers

Option A is wrong because increasing the priority of Link A would force it to remain the preferred link, preventing failover to a better-performing link when packet loss is elevated, which would not resolve the poor voice quality. Option C is wrong because disabling link-quality-measurement would stop FortiGate from monitoring link quality altogether, removing the ability to detect packet loss and make dynamic routing decisions, likely worsening VoIP quality. Option D is wrong because using the 'lowest cost' strategy for VoIP traffic would select links based on cost rather than quality, which could route traffic over a cheaper but lower-quality link, failing to address the packet loss issue on Link A.

312
MCQ · easy

Which routing technique allows a FortiGate to forward packets based on source IP address, destination IP address, or other criteria, in addition to the destination IP alone?

A. Policy-Based Routing (PBR)
B. RIP
C. OSPF route redistribution
D. ECMP
Answer: A

PBR uses policies to route traffic based on various attributes.

Why this answer

Option A is correct. Policy-Based Routing (PBR) allows forwarding decisions based on source IP, destination IP, protocol, port, etc., overriding the destination-based routing table.

313
MCQ · medium

A FortiGate administrator configures SAML SSO with FortiGate as the Service Provider (SP) and an external IdP. Users report that they are prompted for credentials repeatedly without successful authentication. What is the most likely cause?

A. The SAML attribute mapping is incorrect
B. The FortiGate's clock is synchronized via NTP
C. The firewall policy does not allow SAML traffic
D. The IdP certificate is not imported or trusted on the FortiGate
Answer: D

FortiGate must trust the IdP's signing certificate to validate SAML responses; otherwise, authentication fails.

Why this answer

SAML SSO requires certificate trust. If the IdP certificate is not trusted by the FortiGate, the SAML assertion will not be validated, causing authentication failures. The clock skew is another common issue.

314
MCQ · medium

An administrator configures OSPF over an IPsec VPN overlay between two FortiGates. The OSPF neighbors form, but routes learned from the remote site are not appearing in the routing table. What is the most likely cause?

A. The firewall policy allows OSPF traffic (protocol 89) but not IPsec ESP.
B. The IPsec interface MTU is too low for OSPF packets.
C. The OSPF network type is not set to point-to-point.
D. The 'allowaccess' setting on the IPsec interface does not include OSPF.

Why this answer

FortiGate's IPsec virtual interfaces require the 'allowaccess' command to specify which dynamic routing protocols are allowed. Without 'allowaccess ospf', OSPF packets are dropped even if the tunnel is up.

315
Multi-Select · medium

A FortiGate is configured with OSPF and BGP. The administrator wants to redistribute OSPF routes into BGP. Which TWO steps are required?

Select 2 answers
A. Configure a route map to filter the routes being redistributed
B. Set the BGP table version to 2
C. Use the 'redistribute ospf' command under the BGP configuration
D. Ensure the OSPF routes are present in the routing table
E. Disable OSPF on the interface
Answers: C, D

This enables redistribution of OSPF routes into BGP.

316
MCQ · medium

An administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is up, but traffic is not passing. The administrator runs 'diagnose vpn tunnel list' and sees that both phase 1 and phase 2 are up. The policy allows traffic from both sides. What should the administrator check next?

A. Check the routing table for routes to the remote subnet
B. Increase the phase 2 keylife
C. Check the FortiGate's NTP status
D. Disable DPD
Answer: A

Routes are needed to send traffic into the tunnel.

Why this answer

Since both phases are up and policies are correct, the issue is likely routing. The administrator should verify that the correct routes are pointing to the VPN interface (tunnel interface) on both sides. Without proper routes, traffic will not be forwarded into the tunnel.

317
MCQ · hard

An administrator has configured an OSPF overlay over an IPsec VPN between two FortiGates. The OSPF neighbors are established, but routes from one side are not being installed in the routing table on the other side. 'get router info ospf neighbor' shows FULL state. What is the most likely cause?

A. The IPsec tunnel is using transport mode instead of tunnel mode
B. The route's OSPF cost is higher than an existing route with a lower administrative distance
C. OSPF authentication is mismatched
D. The OSPF network type is not set to point-to-point
Answer: B

OSPF routes have an AD of 110. If a static route (AD 10) or other protocol has a lower AD, the OSPF route may not be installed.

Why this answer

Even though the OSPF neighbors are FULL, routes may not be installed if they are not selected as best paths. One common reason is that the OSPF cost is higher than a static route or another routing protocol's metric. The other options would prevent the neighbors from reaching the FULL state.

318
MCQ · hard

An organization is deploying multiple FortiGate devices across different geographic locations. The central IT team manages all devices from a single FortiManager. The remote FortiGates connect to FortiManager over a WAN link. Which feature should be enabled on FortiManager to ensure that configuration changes are applied consistently and without interruption to the remote FortiGates?

A. Enable auto-link configuration on the FortiManager
B. Use the 'Install on Next Reboot' option in the install wizard
C. Use 'Install Wizard' with 'Immediate Install' option
D. Enable 'Configuration Override' on the managed FortiGates
Answer: B

This ensures changes are applied after reboot, avoiding disruption.

Why this answer

Option B is correct because the 'Install on Next Reboot' option ensures that configuration changes are staged on the remote FortiGate and applied atomically when the device reboots. This prevents partial or inconsistent application over an unreliable WAN link, as the FortiManager pushes the full configuration revision to the device, which then applies it during the boot process without requiring a persistent management session.

Exam trap

The trap here is that candidates often choose 'Immediate Install' (Option C) thinking it is the fastest method, but they overlook the risk of configuration corruption or incomplete application over an unreliable WAN link, which 'Install on Next Reboot' specifically avoids.

How to eliminate wrong answers

Option A is wrong because 'auto-link configuration' is not a standard FortiManager feature; the correct term is 'auto-link' for FortiGate interfaces, not for configuration deployment. Option C is wrong because 'Immediate Install' attempts to apply changes in real time over the WAN, which can cause interruptions or partial updates if the link is unstable or the device reboots mid-install. Option D is wrong because 'Configuration Override' allows a managed FortiGate to reject or overwrite FortiManager policies, which would defeat the purpose of consistent centralized management.

319
MCQ · medium

An administrator sees the following output from 'diagnose sys session list' for a particular session: proto=6 proto_state=01 duration=3600 expire=3599. What does this indicate about the session?

A. The session is an ICMP session
B. The session is a TCP session that is still open and will expire in 3599 seconds
C. The session is a TCP session in TIME_WAIT state
D. The session is for UDP traffic and has been up for 3600 seconds
Answer: B

proto=6 is TCP, duration=3600 seconds, expire=3599 seconds remaining.

320
MCQ · hard

An admin configures Content Disarm and Reconstruction (CDR) on FortiGate to protect against malicious macros in Office documents. After applying the CDR profile to a firewall policy, users complain that documents are not being delivered. What is the most likely cause?

A. The CDR profile has 'File Filter' enabled that blocks the file type
B. The FortiGate is running in transparent mode
C. The firewall policy is configured for flow-based inspection
D. The antivirus profile is not applied to the same policy
Answer: C

CDR requires proxy-based inspection mode. Flow mode does not support CDR, so documents may be dropped.

Why this answer

CDR requires proxy-based inspection to intercept, disarm, and reconstruct documents. Flow-based inspection bypasses the deep inspection engine, so CDR cannot process the files, causing delivery failures. FortiGate must use proxy-based inspection mode for CDR to function correctly.

Exam trap

The trap here is that candidates assume CDR is a simple file-filtering feature that works regardless of inspection mode, but Fortinet explicitly restricts CDR to proxy-based inspection, making flow-based mode a common misconfiguration that causes silent delivery failures.

How to eliminate wrong answers

Option A is wrong because File Filter in a CDR profile controls which files are submitted for disarming, not whether they are blocked; if enabled, it would filter files before CDR, not prevent delivery after processing. Option B is wrong because transparent mode does not affect CDR functionality; CDR works in both transparent and NAT modes as long as proxy-based inspection is used. Option D is wrong because CDR operates independently of antivirus; while AV profiles can complement CDR, they are not required for CDR to deliver documents, and their absence would not cause delivery failure.

321
Multi-Select · medium

An administrator is configuring FortiGate automation stitches to respond to a detected brute-force attack against an internal web server. The trigger is set to 'Event' with a condition matching repeated failed login attempts. Which TWO actions are appropriate to mitigate the attack? (Choose two.)

Select 2 answers
A. Add the source IP to a local address group that is used in a block policy
B. Send an email notification to the SOC team
C. Enable quarantine on the web server
D. Shut down the web server interface
E. Run a CLI script to disable the user account
Answers: A, B

This blocks traffic from the attacker IP.

Why this answer

Option A is correct because adding the source IP to a local address group that is referenced in a block policy dynamically updates the firewall rule set to drop all traffic from that IP. This is a common automation stitch action in FortiGate that leverages the local address object and policy to enforce immediate blocking without manual intervention.

Exam trap

The trap here is that candidates may confuse 'quarantine' (a FortiClient/EMS endpoint concept) with network-level blocking, or assume that disabling a user account via CLI is a valid automation stitch action, when FortiGate stitches primarily handle network and security fabric actions, not OS-level account management.

322
MCQ · hard

A FortiGate is configured with two SD-WAN members (wan1, wan2) and a performance SLA for each. The SD-WAN rule uses 'Maximize Bandwidth' strategy with volume-based load balancing. The administrator notices that traffic is only using wan1, even though both links have capacity. The SLA status for wan2 shows 'alive'. What could be the problem?

A. The link cost for wan2 is too high.
B. The SD-WAN rule has a 'set member' statement that lists only wan1.
C. The performance SLA for wan2 is not associated with the SD-WAN rule.
D. The bandwidth weight for wan2 is set to 0.
Answer: B

If the rule explicitly includes only wan1, traffic will not use wan2 even if the SLA is alive.

Why this answer

The 'Maximize Bandwidth' strategy distributes traffic based on volume, but if the algorithm is set to 'Volume' and the bandwidth ratio settings (set bandwidth-weight) are imbalanced, one link might be preferred. However, the most common cause is that the SD-WAN rule's 'dst' or 'src' match criteria are restricting traffic to only wan1, or the rule's 'set member' includes only wan1. Another possibility: the rule might have 'set priority' or 'set input-device' that forces traffic to wan1.

323
Multi-Select · medium

An administrator needs to configure a FortiGate to use two WAN links for internet traffic with failover and load balancing. Which TWO steps are required?

Select 2 answers
A. Configure a performance SLA for each SD-WAN member.
B. Set the SD-WAN zone to 'spillover' mode.
C. Enable NAT on the SD-WAN zone.
D. Define SD-WAN rules to match internet-bound traffic.
E. Add both WAN interfaces as SD-WAN members.
Answers: D, E

Rules determine how traffic is load-balanced.

324
MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599. What does this indicate about the session?

A. The session is a UDP session for DNS
B. The session is in a half-open state (SYN_RCVD)
C. The session is blocked because duration exceeds the timeout
D. The session has been active for 1 hour and will expire in approximately 1 hour
Answer: D

Why this answer

Option D is correct because the output shows 'duration=3600' and 'expire=3599', meaning the session has been active for 3600 seconds (1 hour) and will expire in 3599 seconds (approximately 1 hour). The 'proto=6' indicates TCP, and 'proto_state=01' is the TCP state code for an established connection (ESTABLISHED), not a half-open state. This is a normal, healthy session.

Exam trap

The trap here is that candidates confuse 'proto_state=01' with a half-open state (like SYN_RCVD) or misinterpret the 'duration' and 'expire' fields as indicating a blocked or expired session, when in fact they show a normal established TCP session with remaining lifetime.

How to eliminate wrong answers

Option A is wrong because 'proto=6' indicates TCP (protocol number 6), not UDP (protocol 17), and DNS typically uses UDP port 53, not TCP port 443. Option B is wrong because 'proto_state=01' represents the TCP ESTABLISHED state (SYN_SENT/SYN_RCVD states are '02' or '03' in FortiOS), so the session is fully connected, not half-open. Option C is wrong because the session is not blocked; the 'expire' counter shows the remaining time before timeout, and the duration (3600 seconds) is well within typical TCP session timeouts (default 3600 seconds for FortiGate), so no blocking occurs.

325
MCQ · hard

An administrator runs 'diagnose debug application fnbam -1' and sees messages like 'LB_SELECT: selected server 10.0.0.2:80' but the client connection fails. The FortiGate is configured with server load balancing. What could be the issue?

A. The real server is not reachable or is down
B. The load balancing algorithm is set to least-connection
C. The persistence setting is misconfigured
D. The virtual server IP is overlapping with a physical interface
Answer: A

Correct. The debug shows selection, but the server may not be listening or reachable.

Why this answer

The debug shows the load balancer selected a server, but the connection fails. This indicates the server is not responding or the health check is failing. The administrator should check the server's health and ensure the real server is up.

326
MCQ · easy

An administrator wants to enforce that only devices with up-to-date antivirus software can access corporate resources via ZTNA. Which FortiClient feature should be used to enforce this requirement?

A. VPN tunnel
B. Web filter
C. Application firewall
D. ZTNA tags
Answer: D

Why this answer

ZTNA tags are used to define device posture requirements, such as antivirus status. FortiClient reports compliance, and the FortiGate uses these tags to allow or deny access.

327
Multi-Select · hard

A company has a FortiGate with multiple VDOMs. The security team wants to use FortiManager to manage policies centrally. Which three steps are necessary to set up VDOM management via FortiManager? (Choose three.)

Select 3 answers
A. Enable VDOMs on the FortiGate and configure them for FortiManager management
B. Configure a static route on FortiManager to reach the FortiGate's management IP
C. Disable VDOM configuration locking on FortiManager
D. Add the FortiGate to FortiManager and assign it an appropriate ADOM
E. Ensure the FortiGate can reach the FortiManager server (network connectivity)
Answers: A, D, E

VDOMs must be enabled and each VDOM's management must be set to FortiManager.

Why this answer

Option A is correct because VDOMs must be enabled on the FortiGate and each VDOM must be configured to allow FortiManager management. This is done by setting the 'set vdom mgmt' parameter within each VDOM or globally, which permits FortiManager to push policy and object changes to the specific VDOM context. Without this step, FortiManager cannot authenticate or communicate with the VDOMs, even if the device is added to the ADOM.

Exam trap

The trap here is that candidates often assume FortiManager needs a static route to the FortiGate, but in reality the FortiGate must initiate the FGFM tunnel, so network connectivity must be from the FortiGate to FortiManager, not the other way around.

328
MCQ · easy

An administrator wants to integrate FortiClient EMS with FortiGate for ZTNA. Which protocol must be allowed between FortiGate and FortiClient EMS?

A. HTTPS (TCP/443)
B. LDAP (TCP/389)
C. SNMP (UDP/161)
D. Syslog (UDP/514)
Answer: A

EMS API uses HTTPS for communication.

Why this answer

FortiGate communicates with FortiClient EMS using HTTPS (TCP/443) to retrieve tags and endpoint posture information.

329
MCQ · easy

An administrator wants to enforce that only devices with corporate-owned certificates can establish an IPsec VPN tunnel. Which IPsec authentication method should be configured?

A. Pre-shared keys
B. Extended Authentication (XAuth)
C. Aggressive mode
D. X.509 certificates
Answer: D

X.509 certificates enable certificate-based authentication, ensuring only devices with the corporate certificate can connect.

Why this answer

PKI certificates allow the FortiGate to verify the identity of remote peers using digital certificates issued by a trusted Certificate Authority.

330
MCQ · medium

A network admin is deploying a FortiGate in transparent mode to inspect traffic between two Layer 2 switches. Which of the following statements about transparent mode is correct?

A. Transparent mode can only inspect traffic in one VLAN
B. Transparent mode requires an IP address on each interface for management purposes
C. Transparent mode supports NAT policies
D. Transparent mode requires VDOMs to be enabled
Answer: B

Management IPs are configured on the interfaces or a dedicated management VLAN. Traffic forwarding uses MAC addresses.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge and does not require IP addresses on its interfaces for forwarding traffic. However, to manage the device (e.g., via SSH, HTTPS, or SNMP), an IP address must be assigned to each interface or to a management VLAN. This allows administrative access while the firewall remains invisible to the Layer 2 network.

Option B correctly identifies this requirement.

Exam trap

The trap here is that candidates often assume transparent mode requires no IP addresses at all, forgetting that management access still needs an IP, or they confuse transparent mode with Layer 3 mode where NAT is commonly used.

How to eliminate wrong answers

Option A is wrong because transparent mode can inspect traffic across multiple VLANs using VLAN subinterfaces or by bridging multiple VLANs, as long as the FortiGate is configured with the appropriate VLAN tags. Option C is wrong because transparent mode does not support NAT policies; NAT is a Layer 3 function and transparent mode operates at Layer 2, so NAT is not available. Option D is wrong because VDOMs are not required for transparent mode; transparent mode can be enabled on a standalone FortiGate without VDOMs, though VDOMs can be used to segment management domains if desired.

331
MCQ · medium

A network admin wants to use FortiClient's advanced threat protection features to detect ransomware behavior on endpoints. Which FortiClient feature should be enabled?

A. Advanced Threat Protection
B. Web Filtering
C. Application Firewall
D. Vulnerability Scan
Answer: A

ATP includes behavior-based detection for ransomware.

Why this answer

FortiClient's Advanced Threat Protection (ATP) includes endpoint detection and response capabilities such as ransomware behavior detection.

332
MCQ · medium

A FortiGate is configured with multiple BGP peers. One of the peers is not receiving the expected routes. The administrator runs 'get router info bgp neighbors <IP>' and sees that the 'State/PfxRcd' field is 'Active'. What does this indicate?

A.The BGP peer has reached the maximum prefix limit
B.The BGP peer has been administratively shut down
C.The BGP session is in the Active state, meaning the FortiGate is trying to establish a TCP connection to the peer
D.The BGP session has been established and routes are being exchanged
AnswerC

Active state indicates the router is actively trying to initiate a TCP connection to the peer, but the session is not yet up.

Why this answer

Option C is correct. The Active state in BGP means the router is attempting to establish a TCP connection; the session is not yet up.

333
Multi-Select (medium)

An administrator is configuring a new branch office VPN using IKEv2 with PKI certificates. Which TWO steps are essential to ensure the VPN tunnel establishes successfully?

Select 2 answers
A. Set the phase 1 proposal to use AES-256-GCM only
B. Import the remote peer's certificate into the FortiGate's trusted CA list
C. Assign the local certificate to the phase 1 interface
D. Enable DPD on the phase 1 interface
E. Configure the phase 2 selector to include all traffic (0.0.0.0/0)
Answers: B, C

The FortiGate must trust the CA that signed the remote peer's certificate for validation.

Why this answer

Certificate-based authentication requires both sides to have valid certificates and the CA must be trusted. Without these, IKE negotiation fails.

334
MCQ (medium)

An administrator notices high CPU usage on a FortiGate. To identify which process is consuming the most CPU, which command should be used?

A. diagnose sys top
B. diagnose sys session stat
C. get system performance status
D. diagnose hardware sysinfo
Answer: A

This displays a list of processes sorted by CPU usage.

Why this answer

'diagnose sys top' provides a real-time view of process CPU usage, similar to Linux 'top', allowing identification of resource-intensive processes.

335
MCQ (medium)

Which Fortinet solution collects and correlates security events from multiple sources to provide a unified view of threats across the network?

A. FortiSIEM
B. FortiSandbox
C. FortiDeceptor
D. FortiEDR
Answer: A

FortiSIEM collects and correlates events from various sources.

Why this answer

FortiSIEM (or FortiSOAR) provides security information and event management. FortiSOC is a service, but the product that correlates events is FortiSIEM.

336
MCQ (hard)

A FortiGate administrator is troubleshooting a scenario where users in VDOM-1 cannot reach a server in VDOM-2. Inter-VDOM routing is configured using a VDOM link. The administrator checks the session table and sees that packets are arriving on the VDOM link interface but are not being forwarded. What is the MOST likely cause?

A. The VDOM link is in the wrong VDOM
B. A firewall policy is blocking the traffic from the VDOM link to the destination
C. The routing table in VDOM-1 does not have a default route
D. The VDOM link is not administratively up
Answer: B

Traffic entering a VDOM must match a policy. If no policy permits the traffic, it is dropped. The session table would show the packet arriving but no forward decision.

Why this answer

When packets arrive on the VDOM link interface but are not forwarded, the issue is typically a missing or misconfigured firewall policy in the destination VDOM (VDOM-2). Even though inter-VDOM routing is correctly set up via the VDOM link, FortiGate requires an explicit firewall policy in the destination VDOM to permit traffic from the VDOM link interface to the destination server. Without this policy, the FortiGate drops the packets after routing, which matches the symptom of packets arriving but not being forwarded.

Exam trap

The trap here is that candidates assume inter-VDOM routing bypasses firewall policies, but FortiGate still enforces policies in each VDOM, so a missing policy in the destination VDOM is the most likely cause when packets arrive but are not forwarded.

How to eliminate wrong answers

Option A is wrong because if the VDOM link were in the wrong VDOM, packets would not even arrive on the VDOM link interface in VDOM-2; the link would be misassociated, causing a different failure mode. Option C is wrong because the routing table in VDOM-1 does not need a default route; it only needs a route to the destination subnet in VDOM-2, which is typically provided by the VDOM link configuration or static routes, and the symptom of packets arriving on the VDOM link interface indicates routing is working. Option D is wrong because if the VDOM link were not administratively up, the interface would be down and packets would not arrive on it at all; the symptom explicitly states packets are arriving, ruling out this cause.

337
MCQ (hard)

An administrator configures a route map named RMAP_EXPORT that sets a community for routes redistributed into BGP. The route map is applied to the 'redistribute connected' statement under BGP. However, the connected routes are not being advertised to BGP peers. What is the most likely cause?

A. The BGP neighbor is not configured with 'route-map in'
B. Connected routes are not in the routing table
C. The route map does not have a 'match ip address' statement
D. The route map is missing a 'set community' action
Answer: C

Without a match, the route map may not permit any routes.

Why this answer

Route maps used for redistribution require a 'match' statement to select routes. If the route map has only a 'set' action without a 'match', it may not match any routes, resulting in no redistribution. A common mistake is omitting the 'match' clause.

338
MCQ (easy)

A FortiGate administrator notices that after installing a new policy package from FortiManager, the firewall policies on the managed FortiGate do not match what was configured in FortiManager. What feature should the administrator use to review the exact changes before committing?

A. Revision history
B. Device manager log
C. Install preview
D. Policy consistency check
Answer: C

Install preview generates the CLI script that will be pushed to the device, allowing review.

Why this answer

Option C, Install preview, is correct because it allows the administrator to review the exact configuration changes that FortiManager will push to the managed FortiGate before the changes are committed. This feature compares the current running configuration on the FortiGate with the intended policy package in FortiManager and displays a detailed diff of additions, deletions, and modifications. It is specifically designed to prevent unexpected policy mismatches by providing a pre-commit review step.

Exam trap

The trap here is that candidates often confuse Revision history (which shows past snapshots) with the pre-commit review feature, but Revision history does not show the pending changes that will be applied in the next install operation.

How to eliminate wrong answers

Option A is wrong because Revision history shows past configuration snapshots on FortiManager, not the pending changes about to be installed. Option B is wrong because Device manager log records historical events and errors, not a pre-commit diff of policy changes. Option D is wrong because Policy consistency check compares policies between FortiGates or against a baseline, but does not show the exact changes that will be applied during an install operation.

339
Multi-Select (medium)

A FortiGate administrator wants to use FortiAnalyzer to generate reports on traffic patterns for each VDOM separately. Which TWO configuration steps are required? (Choose two.)

Select 2 answers
A. Configure each VDOM to send logs to a different FortiAnalyzer
B. Disable logging on the FortiGate system
C. Enable per-VDOM logging on the FortiGate
D. Create separate ADOMs for each VDOM on FortiAnalyzer
E. Configure log forwarding from each VDOM to FortiAnalyzer
Answers: C, E

This adds a VDOM identifier to logs.

Why this answer

Option C is correct because per-VDOM logging must be enabled on the FortiGate to allow each VDOM to generate its own independent log stream. Without this setting, all VDOMs share a single log stream, making it impossible to separate traffic patterns per VDOM on FortiAnalyzer. Option E is correct because log forwarding from each VDOM to FortiAnalyzer is required to send the per-VDOM logs to the FortiAnalyzer for reporting.

Exam trap

The trap here is that candidates often confuse per-VDOM logging (a FortiGate setting) with ADOMs (a FortiAnalyzer setting), and incorrectly select Option D as a required step on the FortiGate, when in fact ADOMs are configured solely on FortiAnalyzer.

340
Multi-Select (medium)

A network admin is troubleshooting why FortiGate's antivirus is not detecting a known malware sample. The sample is detected by other scanners. Which two checks should the admin perform? (Choose two.)

Select 2 answers
A. Verify that the FortiGuard Antivirus subscription is active
B. Check that the file is not excluded by a file filter
C. Ensure the firewall policy is configured for proxy-based inspection
D. Check the antivirus database version against the latest available
E. Confirm that the antivirus profile has 'Scan on Delivery' enabled
Answers: A, D

Without a valid subscription, signatures are not updated.

Why this answer

The antivirus engine may be outdated (AV database) or the feature (FortiGuard AV) may not be enabled on the profile. Scanning mode (flow vs proxy) can affect detection but is less likely than these two.

341
MCQ (easy)

An administrator wants to ensure that only devices with up-to-date antivirus software can access a sensitive application via ZTNA. Which FortiGate feature should be used to enforce this requirement?

A. ZTNA tags from FortiClient EMS
B. SSL deep inspection profile
C. Application control profile
D. AntiVirus profile on the firewall policy

Why this answer

ZTNA tags reflect device posture, including antivirus status. FortiClient EMS reports compliance, and FortiGate can use those tags in ZTNA rules to permit or deny access based on antivirus status.

342
Matching (medium)

Match each Fortinet command to its function.


Displays CPU and memory usage

Packet flow debugging

Tests network connectivity

Displays entire configuration

Packet capture for troubleshooting

Why these pairings

These are common CLI commands used in FortiOS.

343
Multi-Select (hard)

A FortiGate is experiencing asymmetric routing due to route leaking between VRFs. The administrator wants to ensure that traffic using a specific VRF returns via the same path. Which THREE actions should be taken? (Choose three.)

Select 3 answers
A. Enable 'set pbr-enforce-symmetric' on the VRF interfaces
B. Configure policy-based routing with set-next-hop to force return traffic through the same interface
C. Use a route map to set the next-hop on routes leaked into the VRF
D. Disable route leaking between VRFs
E. Increase the administrative distance of the leaked routes
Answers: A, B, C

This feature forces symmetric routing for policy-based routes.

Why this answer

To handle asymmetric routing, the administrator can enable 'set pbr-enforce-symmetric', configure policy-based routing to enforce symmetric paths, or use route maps to influence route selection.

344
Multi-Select (hard)

A FortiGate administrator is troubleshooting an issue where certain traffic is not being logged despite having a firewall policy with logging enabled. The administrator checks the policy and confirms logging is set to 'All Sessions'. Which THREE reasons could explain why the traffic is not being logged?

Select 3 answers
A. The log disk is full
B. The traffic is denied by a local-in policy
C. The log device (FortiAnalyzer or syslog) is not reachable and the FortiGate is configured to drop logs when the remote server is unavailable
D. The traffic is hardware-accelerated and not sent to the CPU for logging
E. The FortiGate is experiencing high session rate and logging is rate-limited
Answers: C, D, E

If the log destination is unreachable, the FortiGate may discard logs if configured to do so.

Why this answer

Option C is correct because when a FortiGate is configured to drop logs when the remote logging server (FortiAnalyzer or syslog) is unreachable, the logs are discarded locally rather than queued or buffered. This behavior is controlled by the 'log-drop-packet' setting or the 'reliable' vs 'unreliable' logging mode, and if the remote server is down, the logs never leave the FortiGate, resulting in no logging despite the policy being set to log all sessions.

Exam trap

The trap here is that candidates often assume a full disk or unreachable log server will always cause log loss, but FortiGate's behavior depends on specific configuration settings like log rotation and reliable logging mode, which are explicitly tested in the NSE7 exam.

345
Matching (medium)

Match each FortiGate authentication method to its protocol.


Lightweight Directory Access Protocol

Remote Authentication Dial-In User Service

Terminal Access Controller Access-Control System Plus

Fortinet Single Sign-On

Public Key Infrastructure

Why these pairings

These are authentication methods supported on FortiGate.

346
Multi-Select (medium)

A security administrator is configuring FortiSandbox integration to automatically block malicious files detected in email attachments. Which TWO actions are required to achieve this integration?

Select 2 answers
A. Configure FortiGate to submit files to FortiSandbox for analysis
B. Deploy FortiClient endpoints with full disk encryption
C. Configure FortiSandbox to send SNMP traps when a file is malicious
D. Enable FortiGate's machine learning engine on the antivirus profile
E. Enable 'Block malicious files detected by FortiSandbox' in the antivirus profile
Answers: A, E

File submission is required so FortiSandbox can analyze files.

Why this answer

To block malicious files detected by FortiSandbox in email, the FortiGate must submit files to FortiSandbox and then use the verdict to update its local block list. Options A and E are the correct steps.

347
MCQ (medium)

A FortiGate is operating in transparent mode and is deployed in an enterprise network. The administrator needs to apply a security policy to control traffic between two VLANs. What is a key consideration when configuring policies in transparent mode?

A. Transparent mode does not support firewall policies
B. The policy is applied to the Layer 2 interface where the traffic enters
C. The policy must be applied to the management IP address
D. Policies must be configured using MAC addresses only
Answer: B

In transparent mode, traffic is bridged, and policies are applied on ingress interfaces.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge, and security policies are applied to the ingress interface where traffic enters the device. This allows the firewall to filter traffic between VLANs based on Layer 3 and Layer 4 criteria without requiring IP addresses on the interfaces, as the device is transparent to the network.

Exam trap

The trap here is that candidates often assume transparent mode policies must be based on MAC addresses or that the management IP is used for policy matching, but FortiGate transparent mode policies work identically to route mode policies except for the absence of NAT and routing.

How to eliminate wrong answers

Option A is wrong because transparent mode fully supports firewall policies, including stateful inspection, just like NAT/route mode, but without routing. Option C is wrong because the management IP address is used only for administrative access (e.g., SSH, HTTPS) and is not involved in policy matching for transit traffic; policies are applied to data interfaces. Option D is wrong because transparent mode policies can use IP addresses, ports, and other Layer 3/4 criteria, not just MAC addresses; MAC addresses are only relevant for Layer 2 features like MAC-based policies or transparent proxy.

348
Multi-Select (easy)

A FortiGate administrator needs to use FortiManager to deploy a new security policy to all firewalls in a specific ADOM. Which two steps are part of the installation process? (Choose two.)

Select 2 answers
A. Configure revision history to track changes
B. Run the install preview to see the changes that will be applied
C. Select the target devices and click 'Install'
D. Create a new ADOM for the policy package
E. Enable automation stitches to push the policy
Answers: B, C

Install preview shows the differences between the current and new configuration.

Why this answer

Option B is correct because the install preview in FortiManager allows the administrator to review the exact configuration changes (adds, deletes, modifications) that will be pushed to the target devices before committing the installation. This step is critical to avoid unintended policy disruptions, as it shows a diff of the policy package against the current device configuration. Option C is correct because selecting target devices and clicking 'Install' is the final manual step that triggers the actual deployment of the policy package to the chosen firewalls within the ADOM.

Exam trap

The trap here is that candidates often confuse the 'install preview' (a read-only verification step) with the actual 'install' action, or they mistakenly think that revision history or automation stitches are mandatory prerequisites for deploying a policy package.

349
Multi-Select (hard)

A FortiGate HA cluster is experiencing persistent split-brain even after both units are rebooted. Which THREE actions should the administrator take to resolve this issue? (Choose three.)

Select 3 answers
A. Verify that the heartbeat interfaces are properly connected and configured
B. Increase the HA failover threshold (hold time) to avoid flapping
C. Reduce the priority on the secondary unit
D. Configure HA to operate in active-passive mode
E. Disable HA on both units and re-enable
Answers: A, B, D

Ensures reliable heartbeat exchange.

Why this answer

Options A, B, and D are correct. Changing the HA mode to active-passive ensures no concurrent primaries. Increasing the failover threshold (hold time) can prevent flapping.

Verifying heartbeat interface connectivity ensures proper communication. Option E (disabling HA) is not a resolution; option C (reducing priority) does not fix the split-brain root cause.

350
MCQ (easy)

What is the purpose of a prefix list in FortiGate routing?

A. To match routes based on their network prefix and subnet mask.
B. To configure NAT rules.
C. To define SD-WAN members.
D. To assign IP addresses to interfaces.
Answer: A

Prefix lists are used to match specific routes for filtering or redistribution based on prefix length.

Why this answer

A prefix list in FortiGate is used to match routes based on their network prefix and subnet mask (prefix length). It is commonly applied in route maps or BGP configurations to filter or manipulate routing information, such as in redistribution or neighbor policy statements. Unlike access lists, prefix lists match the exact prefix and length, providing more granular control over route advertisement and acceptance.

Exam trap

The trap here is that candidates often confuse prefix lists with access lists or route maps, assuming they can be used for general packet filtering or interface configuration, but prefix lists are strictly for route prefix matching in routing policy contexts.

How to eliminate wrong answers

Option B is wrong because NAT rules are configured using firewall policies or central NAT tables, not prefix lists. Option C is wrong because SD-WAN members are defined in the SD-WAN configuration under the 'config system sdwan' context, where interfaces and their roles are specified, not via prefix lists. Option D is wrong because IP addresses are assigned to interfaces using the 'config system interface' command with the 'set ip' directive, not through prefix lists.

351
MCQ (hard)

You run 'diagnose vpn ike gateway list' and see the following:

gateway name: HUB_GW
version: IKEv2
state: UP
mode: main
local: 10.0.0.1:500
remote: 203.0.113.5:500
auth: psk
dpd: on
rekey: 86400
num_peers: 2
total_tunnels: 2
auto-discovery: enabled

What does 'auto-discovery: enabled' indicate about this VPN gateway?

A. The gateway will automatically create new phase2 selectors for any remote subnet
B. The gateway is acting as an ADVPN hub and will advertise routes to spokes for shortcut tunnel creation
C. The gateway will automatically renegotiate IKEv2 keys before expiration
D. The gateway will discover other VPN gateways on the same network and form peer relationships
Answer: B

When auto-discovery is enabled on a gateway, it can act as an ADVPN hub, sending route information to spokes to allow direct spoke-to-spoke tunnels.

Why this answer

In an ADVPN setup, enabling auto-discovery on the hub allows it to send shortcut route advertisements to spokes, which then can establish direct tunnels. The output confirms the gateway is configured to participate in ADVPN as a hub or as a spoke that can initiate shortcuts.

352
Multi-Select (medium)

A FortiGate administrator needs to ensure that only devices with an updated antivirus can access a sensitive internal application via ZTNA. The administrator has created a ZTNA tag 'AV_Updated' in EMS and configured a ZTNA rule on FortiGate that requires this tag. Which TWO additional steps are necessary to enforce this access control? (Choose two.)

Select 2 answers
A. Configure the application server to use HTTPS
B. Enable SSL VPN on the FortiGate for ZTNA traffic
C. Create a firewall policy that references the ZTNA rule
D. Configure the FortiGate as an EMS connector and import the ZTNA tag
E. Install a client certificate on each device for authentication
Answers: C, D

The ZTNA rule must be included in a firewall policy to permit or deny traffic based on the tag.

Why this answer

To enforce ZTNA tag-based access, the FortiGate must import the tag from EMS (D) and the ZTNA rule must be referenced in a firewall policy (C). Without the firewall policy, the rule is not applied to traffic.

353
MCQ (medium)

A network administrator is troubleshooting an IPsec VPN tunnel between Site A (FortiGate) and Site B (third-party VPN peer). The tunnel fails to establish. On FortiGate, phase1 status shows 'up' but phase2 status remains 'down'. What is the MOST likely cause?

A. The phase2 proposal (encryption, authentication, etc.) does not match.
B. The firewall policies at Site B are blocking UDP port 500.
C. The pre-shared key does not match on both sides.
D. The DPD settings are incompatible between the peers.
Answer: A

Why this answer

Phase1 being up indicates IKE SA is established. Phase2 down indicates IPsec SA negotiation failed, typically due to mismatched proposals (encryption, integrity, PFS) or traffic selector mismatch.

354
MCQ (medium)

A ZTNA rule is configured to allow access to an internal application only if the client device has the ZTNA tag 'Compliant' and the user is authenticated via SAML. The FortiGate is acting as ZTNA proxy. A user successfully authenticates but the device is not tagged. What happens when the user tries to access the application?

A. The user is denied access
B. The FortiGate dynamically assigns the 'Compliant' tag to the device
C. The user is redirected to a device registration portal
D. The user is granted access because authentication succeeded
Answer: A

The ZTNA rule requires the tag; without it, access is blocked.

Why this answer

ZTNA rules can require both authentication and device posture (ZTNA tags). If the device tag is missing or does not match, the access will be denied. The user may see an access denied page or a generic error.

355
MCQ (hard)

An administrator is configuring a hub-and-spoke ADVPN with FortiGates. The spoke sites use dynamic public IP addresses. The administrator has enabled auto-discovery on the spoke and hub. However, shortcut tunnels are not being established between spokes that communicate frequently. What is the most likely missing configuration?

A. Auto-discovery is not enabled on the spoke's phase1 configuration
B. The spoke's phase2 proposal includes a different encryption algorithm than the hub
C. The hub does not have a route to the spoke's local subnets
D. The spoke's VPN interface is not in the same VDOM as the hub
Answer: A

Auto-discovery must be enabled in the phase1 settings on both hub and spoke to allow shortcut negotiation. Without it, the spoke will not send or respond to shortcut requests.

Why this answer

For shortcut tunnels to be established in ADVPN, each spoke must have a tunnel interface with an IP address in the same subnet as other spokes, and the 'auto-discovery' setting must be enabled on the spoke's phase1 configuration. Additionally, a firewall policy must allow the shortcut traffic. Option A is correct because without enabling auto-discovery on the spoke's phase1, the spoke will not initiate shortcut negotiation.

356
MCQ (hard)

A FortiGate is connected to a FortiExtender via USB. The administrator wants to use LTE as a backup WAN link in an SD-WAN setup. After configuring the FortiExtender, the LTE interface is not showing up as an SD-WAN member. What is the most likely reason?

A. The FortiExtender is not in managed mode
B. The FortiGate does not have a valid FortiExtender license
C. The LTE SIM card is not activated
D. The LTE interface must be configured as a WAN link in the FortiExtender first
Answer: B

A valid license is required for FortiExtender integration; without it, the interface may not be recognized as an SD-WAN member.

357
MCQ (hard)

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A. The session is a UDP session with a short timeout.
B. The session is a UDP session that has been active for 1 hour.
C. The session is a TCP session in established state that has been active for 1 hour and will expire in about 1 hour.
D. The session is a TCP session that has timed out and is being removed.
Answer: C

The output matches a TCP established session with durations.

Why this answer

proto=6 indicates TCP. proto_state=01 means the session is in 'established' state (TCP state established). duration=3600 seconds means the session has been active for 1 hour. expire=3599 means it will expire in 3599 seconds (almost 1 hour more). This indicates a healthy long-lived TCP session that is still active.

358
Multi-Select (hard)

Which TWO features are required to implement an always-on SSL VPN tunnel with FortiGate that automatically reconnects when the user's network changes?

Select 2 answers
A. Tunnel mode enabled
B. DTLS enabled
C. Auto-connect setting in FortiClient
D. Web mode portal
E. Split tunneling configured
Answers: A, C

Tunnel mode provides a virtual interface for always-on connectivity.

Why this answer

Option A is correct because tunnel mode is required for an always-on SSL VPN tunnel, as it encapsulates all traffic at the network layer (TUN) and maintains a persistent virtual interface on the client. This allows the VPN to stay active and automatically reconnect when the user's network changes, such as switching from Wi-Fi to cellular, without manual intervention.

Exam trap

The trap here is that candidates often confuse DTLS (which improves performance but is optional) with a requirement for always-on connectivity, or they mistakenly think split tunneling is needed for automatic reconnection, when in fact the core requirements are tunnel mode and the auto-connect client setting.

359
MCQ (hard)

An administrator wants to load-balance traffic across two WAN links using ECMP. The routes have equal distances and metrics. However, traffic is only using one of the links. What could be the cause?

A. The routes are learned via different routing protocols with different administrative distances.
B. ECMP is not enabled globally under config system settings.
C. The firewall policy is configured to use a specific egress interface.
D. The traffic is session-based and ECMP uses per-packet load balancing.
Answer: A

ECMP requires equal distances; if one route has a lower distance, it will be preferred.

360
Multi-Select (hard)

An organization uses FortiNAC for network access control. They want to enforce that only corporate-managed devices with up-to-date patches can access the production VLAN. Which THREE components must be integrated or configured?

Select 3 answers
A. ZTNA proxy on FortiGate
B. FortiClient EMS with compliance rules
C. SNMP read/write community on network devices
D. IPsec VPN between FortiNAC and FortiGate
E. RADIUS authentication on switches
Answers: B, C, E

Why this answer

For NAC enforcement, FortiNAC typically uses SNMP to query switch port status and RADIUS to authenticate devices. FortiClient EMS provides endpoint compliance data that FortiNAC can use to determine access rights.

361
MCQ (medium)

An administrator configures BFD on a FortiGate to improve convergence time for OSPF. What is the primary purpose of BFD in this context?

A. To reduce the number of OSPF neighbors
B. To encrypt OSPF packets
C. To detect link failures faster than OSPF hello timers
D. To load balance OSPF traffic across multiple links
Answer: C

BFD provides rapid failure detection, often sub-second, improving convergence.

Why this answer

BFD provides fast failure detection (sub-second) for routing protocols like OSPF, triggering quicker route convergence.

362
Multi-Select (hard)

A FortiGate running FortiOS 7.2 has multiple WAN interfaces. The administrator is configuring SD-WAN load balancing with the 'volume' algorithm. The requirement is that each interface carries a percentage of total traffic based on its bandwidth capacity. The administrator sets the 'weight' of each interface accordingly. However, traffic distribution is not as expected. Which TWO factors could cause this discrepancy?

Select 2 answers
A. The interface bandwidth settings (speed) do not reflect actual link capacity
B. The weight values are not in the range 1-100
C. The traffic is dominated by a few large-volume sessions, causing imbalance
D. The load balancing algorithm is set to 'per-packet' instead of 'volume'
E. The performance SLA is set to 'disable' on some interfaces, causing them to be excluded
Answers: A, C

Why this answer

The volume algorithm uses weight and interface bandwidth to distribute traffic. If the interface bandwidth is misconfigured (option A), the distribution will be wrong. Also, per-packet load balancing is not used; the algorithm works on sessions.

However, if the traffic consists of a few large sessions, the volume distribution may not be even. Option C is correct because the algorithm works at session level, not per-packet, so volume imbalance can occur if sessions vary greatly in size. Option B is irrelevant.

Option D is incorrect because the algorithm does not use per-packet. Option E is a possible issue with health checks if traffic is diverted.

363
MCQ (easy)

An administrator wants to see the current number of active sessions on a FortiGate. Which command should the admin use?

A. diagnose sys session list
B. diagnose sys session stat
C. get system performance status
D. get system ha status
Answer: B

This command shows session count and other metrics.

Why this answer

'diagnose sys session stat' displays session statistics including total active sessions.

364
Multi-Select (medium)

A FortiGate administrator is planning a multi-VDOM deployment for a service provider. Which TWO statements are true about VDOM limitations and best practices?

Select 2 answers
A. There is no limit to the number of VDOMs supported
B. All VDOMs must share the same routing table
C. It is recommended to use a dedicated management VDOM
D. Each VDOM can have its own independent administrator accounts
E. VDOMs cannot operate in transparent mode
Answers: C, D

Best practice to separate management traffic.

Why this answer

Option C is correct because using a dedicated management VDOM is a best practice in multi-VDOM deployments. It isolates administrative traffic (e.g., HTTPS, SSH, SNMP) from data-plane VDOMs, ensuring that management access remains available even if a data VDOM fails or is misconfigured. This also simplifies auditing and RBAC by centralizing admin access without exposing production traffic.

Exam trap

The trap here is that candidates often assume VDOMs share a routing table or that transparent mode is unsupported, but FortiGate allows full routing isolation and both Layer 2 and Layer 3 operation per VDOM.

365
MCQmedium

An administrator wants to use BFD with OSPF to detect link failures faster. What must be configured on the FortiGate?

A.Enable BFD only on the OSPF interfaces using 'set bfd enable' under the interface configuration.
B.BFD is automatically enabled when OSPF is configured; no additional steps are needed.
C.Enable BFD globally and under the OSPF process with 'set bfd enable'.
D.Create a BFD template and apply it to the OSPF process.
AnswerC

BFD must be enabled globally under config system interface and also enabled for OSPF under config router ospf with 'set bfd enable'.

366
MCQhard

A FortiGate administrator is troubleshooting a ZTNA access proxy issue. The ZTNA rule is configured to require the tag 'AV_Installed' and 'OS_Updated'. Users with compliant devices are still denied access. The admin checks the ZTNA connection monitor and sees 'Tag mismatch'. What is the MOST likely cause?

A.The FortiGate does not have a valid PKI certificate for the ZTNA proxy
B.The user is not authenticated via SAML
C.The FortiClient EMS is not configured as an endpoint control source on the FortiGate
D.The ZTNA rule is using the wrong port number
AnswerC

The FortiGate must have EMS configured under Security Fabric > External Connectors > Endpoint Control. Without this, it cannot retrieve and verify tags from EMS.

Why this answer

ZTNA tags are assigned by FortiClient EMS based on device posture. If the FortiGate does not trust the EMS server or the tag names are mismatched, the tag check fails. The EMS must be configured as an endpoint control source and the tags must exactly match those defined in EMS.

367
MCQmedium

A FortiGate is configured as a SAML service provider (SP) for ZTNA. Users authenticate via an external IdP. After authentication, users are not able to access applications even though the ZTNA proxy rule lists them. What should the administrator check FIRST?

A.The FortiClient EMS license is invalid
B.The application server is unreachable from FortiGate
C.The ZTNA proxy rule's allowed group does not include the user's group
D.The SAML IdP certificate is expired
AnswerC

After authentication, the user must be in an allowed group to access resources.

Why this answer

When using SAML, the FortiGate needs to map the SAML attributes (e.g., username) to a user group. If the user is not in the correct group, access will be denied.

368
MCQmedium

An enterprise deploys a FortiGate in transparent mode to bridge two broadcast domains. The administrator needs to apply a web filter to HTTP traffic between these domains. Which configuration is required?

A.Apply the web filter profile directly to the bridge interface
B.Configure a security policy with source and destination interfaces as the bridge, action ACCEPT, and a web filter profile
C.Enable web filtering globally under Config -> Features
D.Create a policy with action SET_PERMIT and enable web filtering
AnswerB

Correct.

Why this answer

In transparent mode, FortiGate bridges traffic at Layer 2, so security policies must use the bridge interface as both source and destination. Option B correctly configures a security policy with source and destination interfaces set to the bridge, action ACCEPT, and a web filter profile applied. This allows the FortiGate to inspect HTTP traffic between the two broadcast domains and apply the web filter.

Exam trap

The trap here is that candidates often think web filter profiles can be applied directly to interfaces (like in NAT/route mode) or that global settings enable filtering, but in transparent mode, all Layer 7 inspection must be configured via security policies with the bridge interface as both source and destination.

How to eliminate wrong answers

Option A is wrong because web filter profiles cannot be applied directly to a bridge interface; they must be applied via a security policy. Option C is wrong because web filtering is not enabled globally under Config -> Features; it is enabled per policy or per profile, and the 'Features' menu is for toggling feature visibility, not for enabling web filtering. Option D is wrong because SET_PERMIT is not a valid action in FortiGate security policies; the correct action is ACCEPT, and the web filter profile is applied within the policy, not as a separate action.

369
Multi-Selectmedium

An administrator notices that an application-based SD-WAN rule is not steering traffic as expected. The SLA targets are configured correctly. Which TWO debug commands should the administrator use to diagnose the issue? (Choose two.)

Select 2 answers
A.diagnose debug application sslvpn -1
B.get system performance status
C.diagnose sys sdwan info
D.diagnose sys sdwan rule list
E.diagnose sys session filter dport 443 ; diagnose sys session list
AnswersC, E

Displays SD-WAN configuration, member status, and SLA compliance.

Why this answer

Options C and E are correct. 'diagnose sys sdwan info' shows SD-WAN configuration and SLA status. 'diagnose sys session list' with filters shows the session details, including the SD-WAN member selected for each session. Option A is unrelated, and B shows overall status but not per-rule.

370
Drag & Dropmedium

Drag and drop the steps to perform a firmware upgrade on a FortiGate device into the correct order.


Why this order

Always back up config before upgrade, then upload, confirm, and verify.

371
MCQmedium

A FortiManager administrator wants to deploy a policy package that contains shared header and footer policies across multiple devices. How should these policies be configured in FortiManager?

A.Define the policies in the ADOM's default policy package
B.Configure the policies as header/footer policies within the policy package
C.Create a global policy package and assign it to all devices
D.Use the 'install preview' feature to merge policies
AnswerB

Header/footer policies are defined in the policy package and applied universally.

Why this answer

In FortiManager, header and footer policies are specifically designed to be shared across multiple devices within a policy package. By configuring them as header/footer policies, the administrator ensures that these common rules are applied consistently at the top and bottom of the device-specific policy tables, while the middle policies can vary per device. This is the correct method for deploying shared policies without duplicating them in each device's policy set.

Exam trap

The trap here is that candidates often confuse header/footer policies with global policy packages or assume that the default policy package can serve the same purpose, but FortiManager's architecture explicitly separates these concepts to enforce policy ordering and sharing.

How to eliminate wrong answers

Option A is wrong because the ADOM's default policy package is a starting template for new devices, not a mechanism for sharing header/footer policies across already deployed devices; it does not enforce shared policies at the top or bottom of the policy table. Option C is wrong because FortiManager does not support a 'global policy package' that spans ADOMs or devices; policy packages are ADOM-scoped and header/footer policies are the intended feature for sharing policies across multiple devices within the same ADOM. Option D is wrong because the 'install preview' feature is used to review and validate changes before installation, not to merge or share policies across devices.

372
MCQeasy

An administrator is troubleshooting an IPsec VPN tunnel that connects a branch office to the main office. The tunnel is down. The administrator runs 'diagnose vpn ike gateway list' and sees the following output:

IKE gateway: branch
state: down
DPD: enabled
DPD retrycount: 3
DPD retryinterval: 10

What does the DPD configuration indicate?

A.The tunnel will be brought down immediately after the first DPD timeout
B.The tunnel will stay up indefinitely because DPD is disabled
C.The tunnel will be brought down after 3 unanswered DPD probes, each 10 seconds apart
D.DPD will send probes every 30 seconds
AnswerC

This is the correct interpretation of the DPD retrycount and retryinterval.

Why this answer

DPD (Dead Peer Detection) is configured with a retry count of 3 and a retry interval of 10 seconds. This means the FortiGate will send DPD probes every 10 seconds and after 3 consecutive failures (30 seconds total without response), it will consider the peer dead. The tunnel is currently down, likely because DPD detected the peer as unreachable.

373
MCQeasy

In FortiManager, what is the difference between a Global ADOM and a regular ADOM?

A.Global ADOM allows sharing of global objects across all ADOMs
B.Regular ADOM supports automation stitches while Global ADOM does not
C.Regular ADOM can only manage one FortiGate
D.Global ADOM is used for managing FortiGates in a single VDOM environment
AnswerA

Global ADOM provides a central repository for common objects.

Why this answer

In FortiManager, a Global ADOM is a special administrative domain that stores global objects (such as address objects, services, and policies) that can be shared and referenced by all regular ADOMs. This centralizes management of common resources, reducing duplication and ensuring consistency across multiple ADOMs. Regular ADOMs are isolated from each other by default, but they can import objects from the Global ADOM, which is the key distinction.

Exam trap

The trap here is that candidates often confuse the Global ADOM with a 'super ADOM' that manages devices, when in fact its sole purpose is to share objects, not to manage devices or VDOMs directly.

How to eliminate wrong answers

Option B is wrong because automation stitches are supported in both Global ADOM and regular ADOMs; there is no restriction that Global ADOM lacks this feature. Option C is wrong because a regular ADOM can manage multiple FortiGates, not just one; it is a logical grouping that can contain many devices. Option D is wrong because a Global ADOM is not used for managing FortiGates in a single VDOM environment; it is used for sharing objects across ADOMs, regardless of VDOM configuration.

374
MCQhard

An HA cluster of two FortiGates is experiencing split-brain. After investigation, you find that the heartbeat link is down on the primary unit. Which action will resolve the split-brain condition?

A.Disable HA on both units and re-enable
B.Restore the heartbeat link by checking cables, interfaces, and VLAN configuration
C.Increase the HA priority on the primary unit
D.Reboot the secondary unit
AnswerB

Split-brain is caused by heartbeat failure; restoring the link resolves it.

Why this answer

Split-brain occurs when heartbeat communication fails and both units assume the primary role. Restoring the heartbeat link (Option B) allows them to re-establish communication and elect a single primary.

375
MCQmedium

A network administrator configured a hub-and-spoke ADVPN with IKEv2. Spoke sites can establish tunnels to the hub, but shortcut tunnels are not being created between spokes. What is the MOST likely cause?

A.Dead Peer Detection is disabled on the hub
B.Auto-discovery is disabled on the hub FortiGate
C.The spokes are using different IKE versions
D.The IKEv2 authentication method is not set to pre-shared key
AnswerB

Without auto-discovery enabled on the hub, it will not send route advertisements that trigger shortcut tunnel setup between spokes.

Why this answer

For ADVPN shortcut tunnels to form, the hub must have 'set auto-discovery-sender enable' and spokes must have 'set auto-discovery-receiver enable'. If the hub does not advertise its ability to relay shortcut routes, spokes will not attempt to create direct tunnels.
