Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 376–450

1000 questions total · 14 pages · All types, answers revealed

Page 6 of 14
Question 376 (MCQ, medium)

A FortiManager administrator wants to push policy package changes to a managed FortiGate, but wants to see what changes will be applied before committing. Which FortiManager feature should the administrator use?

A. Install preview
B. Meta fields
C. Automation stitch
D. Revision history

Answer: A

Why this answer

Install preview is the correct feature because it allows the administrator to simulate the installation of policy package changes on a managed FortiGate without actually applying them. This provides a detailed diff of what will be added, modified, or removed, enabling verification before committing the changes. It is specifically designed for pre-commit validation in FortiManager's centralized management workflow.

Exam trap

The trap here is that candidates confuse revision history (which shows past changes) with install preview (which shows future changes), leading them to select revision history as a way to see pending changes.

How to eliminate wrong answers

Option B is wrong because meta fields are used to store custom metadata (e.g., location, contact) for objects like policies or devices, not to preview pending changes. Option C is wrong because automation stitches trigger automated responses based on events (e.g., interface down), not for previewing policy package installations. Option D is wrong because revision history allows viewing and comparing past configuration backups, but it does not show what changes will be applied in the next commit; it is retrospective, not prospective.

Question 377 (Multi-select, medium)

An administrator wants to create an automation stitch that responds to a high-severity IPS event by blocking the attacker IP. Which THREE components are required to build this automation stitch?

Select 3 answers
A. Trigger (e.g., IPS Event)
B. Schedule (e.g., run every hour)
C. Action (e.g., Block IP)
D. Target (e.g., FortiGate or FortiManager)
E. Condition (e.g., severity threshold)

Answers: A, C, D

Defines what event starts the stitch.

Why this answer

Option A is correct because an automation stitch in FortiOS requires a trigger to initiate the workflow. In this scenario, the IPS event trigger is specifically designed to fire when a high-severity IPS signature match occurs, providing the necessary event data (e.g., attacker IP) to pass to subsequent actions. Without a trigger, the stitch would have no starting point.

Exam trap

The trap here is that candidates often confuse 'Condition' as a separate component because they think of it like a firewall policy's 'if-then' logic, but in FortiOS automation stitches, filtering logic is embedded within the trigger definition, not a standalone object.

Question 378 (MCQ, hard)

An administrator configures a session helper for FTP on FortiGate. After enabling the helper, FTP clients can establish control connections but data transfers fail. What is the most likely cause?

A. The firewall policy is configured to deny all FTP traffic
B. The FTP server's certificate is invalid
C. The FTP server is using active mode, which is not supported by the session helper
D. The session helper is not applied to the correct firewall policy or the traffic is not matching the helper

Answer: D

If the helper is not associated with the policy or the traffic doesn't match, the helper won't open data ports.

Why this answer

Option D is correct. FTP uses separate control and data connections. The session helper inspects the control channel and dynamically opens pinholes for the data connections.

If the ALG/session helper is not correctly inspecting the control channel, it does not open the required data ports and transfers fail. The question states that the helper is enabled but not working; this is often due to asymmetric routing or the helper not seeing both directions of the control channel.

The most common cause, however, is that the FTP helper is not inspecting the traffic at all because the firewall policy does not match the helper's expected traffic (or the helper is not applied to that policy). Option D is the best fit.

Question 379 (MCQ, medium)

A FortiGate administrator is configuring a multi-peer IPsec VPN (dial-up) for remote users. The administrator wants to assign different IP pools to different groups of users based on their authentication group. Which configuration is required?

A. Use the 'set ipv4-start-ip' parameter in the phase1 interface
B. Configure a separate phase1 interface for each user group with a different IP pool
C. Configure a single phase1 interface with multiple IP pools and use group matching in the firewall policy
D. Use RADIUS to assign IP addresses per user

Answer: B

Each dial-up phase1 can have its own IP pool; by assigning different groups to different phase1 configurations, different pools are used.

Why this answer

FortiGate can assign IP pools based on user groups when using IKE with XAuth or IKEv2. The 'set ipv4-dns-server' and 'set ipv4-exclude-range' are not group-based. The 'set user-group' in phase1 associates a group with the tunnel, but IP pool per group requires separate phase1 configurations or using 'set ipv4-start-ip' with group mapping.

Question 380 (Multi-select, hard)

An administrator is troubleshooting an OSPF over IPsec VPN overlay. The OSPF neighbor state is stuck in EXSTART. The VPN tunnel is up. Which TWO issues could cause this?

Select 2 answers
A. IP fragmentation issue due to GRE/IPsec overhead
B. OSPF hello/dead interval mismatch
C. OSPF area ID mismatch
D. IPsec phase2 proposal mismatch
E. MTU mismatch on the tunnel interface

Answers: A, E

Why this answer

A stuck EXSTART state often indicates issues with the maximum transmission unit (MTU) or fragmentation, preventing OSPF packets from being exchanged properly. MTU mismatch or fragmentation due to encapsulation overhead can cause this.

Question 381 (MCQ, medium)

A FortiGate administrator wants to implement ZTNA to control access to an internal application server. Users will access the application via FortiClient. Which configuration step is REQUIRED to allow FortiClient to forward traffic to the ZTNA gateway?

A. Install a CA-signed certificate on FortiClient
B. Create a firewall policy from the WAN interface to the application server
C. Configure a ZTNA gateway on the FortiGate with an access proxy rule for the application
D. Configure the application server to accept connections from FortiClient's IP range

Answer: C

The ZTNA gateway receives traffic from FortiClient and forwards it to the internal application. The access proxy rule defines the mapping and access control.

Why this answer

FortiClient uses a ZTNA access proxy to forward traffic. The administrator must configure a ZTNA server on FortiGate and an access proxy rule that maps the external hostname/port to the internal application. The FortiClient connects to the ZTNA gateway's proxy IP/port.

Option C is correct: the FortiGate must be configured as a ZTNA gateway and have a ZTNA proxy rule for the application.

Question 382 (Multi-select, hard)

Which THREE of the following are valid methods to deliver ZTNA tags to FortiClient? (Select three.)

Select 3 answers
A. FortiClient configuration profiles
B. SNMP
C. DHCP options
D. FortiClient EMS
E. FortiGate ZTNA tag delivery

Answers: A, D, E

Profiles can include tag assignments.

Why this answer

FortiClient configuration profiles allow administrators to define and push ZTNA tags directly to FortiClient endpoints via the EMS-managed policy framework. This is a core method because tags are applied based on device posture and user identity, enabling granular access control without relying on network-layer attributes.

Exam trap

The trap here is that candidates often confuse network-layer provisioning methods (like DHCP options or SNMP) with application-layer tag delivery mechanisms, assuming any protocol that can carry data can deliver ZTNA tags, but only EMS, FortiClient profiles, and FortiGate ZTNA tag delivery are designed for this purpose.

Question 383 (MCQ, easy)

In FortiManager, what is an automation stitch?

A. A feature to stitch multiple ADOMs together
B. A set of scripts that run on a schedule
C. A method to combine multiple policy packages
D. A sequence of automated actions triggered by a specific event

Answer: D

Why this answer

Option D is correct because an automation stitch in FortiManager is a sequence of automated actions (such as running scripts, sending alerts, or executing CLI commands) that are triggered by a specific event (e.g., a log message, an SNMP trap, or a schedule). This allows administrators to automate incident response and policy changes without manual intervention, directly within the FortiManager fabric.

Exam trap

The trap here is that candidates confuse automation stitches with simple scheduled scripts (Option B), but the key distinction is that stitches are event-driven and can include multiple conditional actions, not just time-based execution.

How to eliminate wrong answers

Option A is wrong because ADOM stitching is not a feature; ADOMs (Administrative Domains) are separate management domains that cannot be stitched together—they are isolated by design. Option B is wrong because while automation stitches can include scheduled scripts, they are not merely a set of scripts that run on a schedule; they are event-driven sequences that can also be triggered by logs, SNMP traps, or other events. Option C is wrong because combining multiple policy packages is done via policy package import/export or policy objects, not through automation stitches, which focus on automated actions rather than policy merging.

Question 384 (MCQ, hard)

A FortiGate is running OSPF with multiple areas. The administrator notices that routes from area 1 are not being redistributed into area 0. The ABR has the following configuration:

    config router ospf
        config area
            edit 0.0.0.0
                set type nssa
            end
        config area
            edit 0.0.0.1
                set type standard
            end
    end

What is the issue?

A. The ABR must have 'set type standard' for area 0.
B. Area 0 is configured as NSSA, which does not accept type 3 LSAs from other areas.
C. The ABR is missing a 'redistribute connected' command.
D. Area 1 is not configured as NSSA, so routes cannot be redistributed.

Answer: B

NSSA areas do not allow type 3 summary LSAs. Routes from other areas are not injected into an NSSA area unless special options are used.

Why this answer

In OSPF, area 0 must be a standard area (or at least not NSSA) for inter-area routes to be advertised. NSSA areas block type 3 LSAs by default.

Question 385 (MCQ, medium)

An SD-WAN rule is configured to steer traffic based on SLA metrics. The administrator notices that traffic is not using the expected member interface even though the SLA is meeting thresholds. What should the administrator check FIRST?

A. Check the firewall policy to ensure SD-WAN is enabled
B. Verify the BGP configuration to ensure routes are being advertised
C. Run 'diagnose sys sdwan info' to verify the rule and member status
D. Restart the FortiGate to clear any stale sessions

Answer: C

This command shows detailed SD-WAN information.

Why this answer

Option C is correct. The 'diagnose sys sdwan info' command provides real-time information about SD-WAN rules, member status, SLA performance, and route selection. It is the first step to troubleshoot why traffic is not following the expected path.

Question 386 (MCQ, hard)

You execute 'diagnose sys session filter dport 443' and see output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does 'proto_state=01' indicate about this session?

A. The session is in the SYN_SENT state, waiting for SYN-ACK
B. The session is in the FIN_WAIT state
C. The session has completed the three-way handshake
D. The session has been terminated with a RST

Answer: A

State 01 = SYN_SENT; the initial SYN has been sent but no SYN-ACK received yet.

Why this answer

In FortiGate session output, proto_state=01 for TCP (proto=6) means the session is in the 'SYN_SENT' state, indicating the three-way handshake has not completed.

Question 387 (MCQ, medium)

An administrator wants to automatically block a file that FortiSandbox has determined to be malicious. The FortiGate is configured with an antivirus profile that includes FortiSandbox submission. Which verdict action should be set to 'block' in the antivirus profile to achieve this?

A. Exempted
B. Unknown
C. Malicious
D. Clean

Answer: C

The 'Malicious' verdict action will block files determined malicious by FortiSandbox.

Question 388 (MCQ, easy)

An organization wants to implement Zero Trust Network Access (ZTNA) for remote users accessing an internal application. The application is hosted on a server that cannot have any client software installed. Which ZTNA deployment method is MOST appropriate?

A. FortiNAC with agent on the server
B. IPsec VPN with full tunnel
C. ZTNA proxy (reverse proxy) with FortiClient for posture
D. SSL VPN with web mode

Answer: C

In proxy mode, the FortiGate terminates the client connection and proxies it to the application server. The server does not require any software; all posture enforcement is on the client side via FortiClient.

Why this answer

ZTNA can be deployed in proxy-based or agent-based modes. For applications that cannot have client software installed, the proxy-based method (where FortiGate acts as a reverse proxy) is ideal. The user's FortiClient can still provide posture data, but the application server does not need an agent.

Question 389 (Multi-select, medium)

A FortiGate is configured with multiple VRFs to segregate traffic from different departments. The administrator needs to allow the Finance VRF to access a shared printer in the default VRF. Which TWO steps are required to enable inter-VRF communication?

Select 2 answers
A. Configure OSPF to redistribute routes between VRFs
B. Place both the Finance and default VRF interfaces into the same zone
C. Configure a leak route from the Finance VRF to the default VRF for the printer's subnet
D. Create a firewall policy between the VRF interfaces that permits the required traffic
E. Assign the printer's IP address to an interface in the Finance VRF

Answers: C, D

Why this answer

To route between VRFs, you need a route leak. This can be done using leak routes under config router vrf, or by using policy-based routing between VRFs. Firewall policies between VRFs are also required to permit the traffic.

Option C is correct: a route leak (or inter-VRF policy route) must be configured to enable routing between VRFs. Option D is correct: firewall policies must be configured between the two VRFs. Option A is not required if you leak routes.

Option B is not the primary method; a leak route is more appropriate. Option E is not necessary if you use route leaking.

Question 390 (MCQ, hard)

An administrator wants to create an automation stitch that automatically blocks an IP address when a high-severity IPS alert is triggered. The administrator creates a trigger for 'IPS event' and an action of 'Add to Blocked IPs'. However, the action fails to execute. Which of the following is the most likely cause?

A. The automation stitch is set to execute every 5 minutes, not immediately
B. The blocked IP list has reached its maximum size
C. The IPS event trigger does not support IP address extraction
D. The admin account used to configure the stitch does not have permission to modify the blocked IP list

Answer: D

The stitch runs with the privileges of the admin who created it. If that admin lacks write access to address objects, the action fails.

Why this answer

Option D is correct because the admin account used to configure the automation stitch must have the necessary permissions to modify the blocked IP list. In FortiOS, the automation stitch action 'Add to Blocked IPs' requires write access to the firewall address object or the blocked IP list. If the admin account has read-only or restricted privileges, the action will fail silently, even if the trigger and action are correctly configured.

Exam trap

The trap here is that candidates often assume the issue is with the trigger's capability (Option C) or a configuration timing problem (Option A), but FortiOS automation stitches are designed to extract IPs from IPS events, and the real bottleneck is almost always admin permissions, which is a subtle but critical detail in NSE7 exams.

How to eliminate wrong answers

Option A is wrong because the automation stitch execution interval (e.g., every 5 minutes) does not prevent the action from executing; it only delays it. The action would still execute at the next scheduled interval, not fail entirely. Option B is wrong because the blocked IP list has a default maximum size of 16,384 entries in FortiOS, and reaching this limit would cause the action to fail with a specific error, but the question states the action 'fails to execute' without any indication of a full list.

More importantly, the most common cause is permission-related, not capacity. Option C is wrong because the IPS event trigger in FortiOS does support IP address extraction; it captures the source IP from the IPS event log and passes it to the action. The trigger is designed to extract the IP address for use in automation stitches.

Question 391 (MCQ, medium)

A multi-tenant FortiGate uses VDOMs. The administrator notices that logins via SSH to the management VDOM succeed, but attempts to SSH to a traffic VDOM's management IP fail. The traffic VDOM has an administrative user configured. What is the most likely cause?

A. The traffic VDOM does not have a license
B. The traffic VDOM is in transparent mode
C. The admin user is not in the correct trust group
D. SSH access is not enabled on the traffic VDOM's management interface

Answer: D

Administrative access protocols must be enabled per interface per VDOM.

Why this answer

Option D is correct because SSH access to a VDOM's management IP requires that the management interface explicitly permits SSH administrative access. In a multi-tenant FortiGate with VDOMs, each VDOM's management interface has its own independent administrative access settings. Even if the admin user exists and the VDOM is licensed, SSH will be rejected if the management interface does not have SSH access enabled under config system interface or via the GUI.

The fact that SSH to the management VDOM succeeds but fails to the traffic VDOM's management IP points directly to this per-interface access control.

Exam trap

The trap here is that candidates assume a configured admin user and a valid management IP are sufficient for SSH access, overlooking the per-interface administrative access control that must be explicitly enabled.

How to eliminate wrong answers

Option A is wrong because VDOM licensing is required for the VDOM to operate, but it does not affect SSH access to the management IP; an unlicensed VDOM would not forward traffic but would still allow administrative access. Option B is wrong because transparent mode VDOMs still support SSH management access to their management IP; the mode does not disable SSH. Option C is wrong because trust groups are used for RADIUS or LDAP authentication and are not relevant to local admin users; a local admin user configured in the VDOM does not require a trust group.

Question 392 (MCQ, medium)

An administrator is configuring a firewall policy on a FortiGate in transparent mode. The policy should allow HTTP traffic from internal users to the internet. Which source and destination addresses should be used in the policy?

A. Source: all, Destination: all
B. Source: the FortiGate's management IP, Destination: the web server's IP
C. Source: internal subnet, Destination: external subnet
D. Source: internal MAC addresses, Destination: external MAC addresses

Answer: A

In transparent mode, the policy can use 'all' for source/destination since the FortiGate does not have IP addresses in the path; it inspects all bridged traffic.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge and does not route traffic based on IP addresses. Therefore, firewall policies must use 'all' for both source and destination addresses because the FortiGate does not see the original source or destination IPs—it only sees MAC addresses and forwards frames transparently. Using specific IP subnets would break the policy as the FortiGate cannot match Layer 3 addresses in this mode.

Exam trap

The trap here is that candidates mistakenly apply NAT/routed mode logic to transparent mode, assuming they must specify IP subnets, when in fact transparent mode requires 'all' because the FortiGate operates at Layer 2 and does not see IP addresses for policy matching.

How to eliminate wrong answers

Option B is wrong because the FortiGate's management IP is only used for administrative access, not for forwarding user traffic; using it as the source would block all HTTP traffic from internal users. Option C is wrong because transparent mode does not perform IP routing, so specifying internal and external subnets would cause the policy to never match—the FortiGate cannot see Layer 3 addresses in the forwarded traffic. Option D is wrong because while transparent mode uses MAC addresses for forwarding, firewall policies in FortiOS do not support MAC address-based source/destination matching; policies are based on interfaces and IP addresses (or 'all').

Question 393 (MCQ, medium)

An administrator needs to integrate FortiGate with FortiNAC for network access control. The goal is to dynamically quarantine endpoints that have out-of-date antivirus software. Which component is responsible for enforcing the quarantine on the network?

A. FortiNAC's Network Access Policy (NAP)
B. The RADIUS server used for 802.1X
C. FortiGate firewall policies with ZTNA tags
D. FortiClient EMS compliance rules

Why this answer

FortiNAC enforces network access by dynamically changing VLANs or applying ACLs based on compliance. FortiNAC's NAP defines the conditions and actions, such as moving a non-compliant endpoint to a quarantine VLAN.

Question 394 (MCQ, easy)

An administrator is troubleshooting an HA cluster where both units show as primary after a link failure. What is the most likely cause of this split-brain scenario?

A. The HA heartbeat interface is down or misconfigured
B. The priority values are set identically
C. The HA uptime is mismatched between the two units
D. The session pickup feature is disabled

Answer: A

If the heartbeat link fails, each unit assumes the other is dead and transitions to primary.

Why this answer

Split-brain occurs when HA heartbeat communication fails, causing both units to believe they are the primary. A broken heartbeat link is the typical cause.

Question 395 (MCQ, hard)

An administrator configures SD-WAN with multiple members. The SD-WAN rule uses the 'latency' strategy. The administrator notices that traffic is not switching to the best-performing member even when latency exceeds the threshold. What could be the issue?

A. The SLA target is not configured or not applied to the SD-WAN rule
B. The load balancing algorithm is set to 'source-ip-based'
C. The threshold is set too low
D. The SD-WAN members are in different VDOMs

Answer: A

Without SLA, performance monitoring is not active, so latency strategy has no data to act on.

Why this answer

Option A is correct. SD-WAN rules require performance SLA targets to be configured and linked to the SD-WAN rule. Without an SLA, the latency strategy has no performance benchmark to trigger failover.

Question 396 (MCQ, medium)

A FortiGate is configured with two SD-WAN members (port1 and port2). The administrator sets an SD-WAN rule with 'set load-balance-mode source-dst-ip' for all internal traffic. The source IP is 10.0.0.1 and destination IP is 172.16.0.1. Which factor determines the outgoing interface for this traffic?

A. The destination IP only
B. The combination of source IP and destination IP hashed to select an interface
C. The source IP only
D. The interface with the lowest current utilization

Answer: B

source-dst-ip mode uses a hash of both source and destination IPs to consistently select the same interface for the same flow.

Question 397 (Multi-select, hard)

An administrator is troubleshooting a ZTNA application access issue. Users can authenticate but cannot reach the internal application via the ZTNA proxy. The FortiGate's ZTNA rule uses a tag requiring 'OS Type = Windows' and 'Antivirus = running'. The device meets both conditions. Which THREE possible reasons could cause the access failure?

Select 3 answers
A. The ZTNA proxy's destination is pointing to the wrong internal IP or port.
B. The firewall policy for ZTNA traffic is not configured or is misordered.
C. The FortiGate's SSL certificate for the ZTNA proxy is not trusted by the client.
D. The user is not assigned the ZTNA tag in the FortiClient EMS portal.
E. The device does not have FortiClient installed.

Answers: A, B, C

Why this answer

If the tag is met, the device passes posture. Access failure can then be due to a wrong proxy destination (A), a missing or misordered firewall policy (B), or an untrusted certificate (C). Tag assignment (D) is irrelevant if the tag is already satisfied. FortiClient EMS is not required for device posture if other telemetry is used (E), and even where it is required, not having FortiClient installed would prevent the tag from being met, which contradicts the premise.

Question 398 (Multi-select, hard)

An admin needs to verify that a new firewall policy is performing SSL inspection. Which THREE CLI commands or steps should the admin use to confirm? (Choose three.)

Select 3 answers
A. Use 'diagnose wad filter' to check if traffic is being processed by the web proxy for SSL inspection
B. Run 'diagnose debug flow' to check if traffic is hitting the policy
C. Filter sessions with 'diagnose sys session filter dport 443' and list sessions to see if they are decrypted
D. Run 'get system performance status' to see SSL inspection statistics
E. Check the policy configuration with 'show firewall policy <id>' and look for 'ssl-ssh-profile'

Answers: A, C, E

SSL inspection in proxy mode goes through the WAD daemon; checking WAD confirms inspection.

Why this answer

To verify SSL inspection, check the policy configuration for the SSL/SSH profile, filter sessions on port 443 to see whether they are decrypted, and check the WAD daemon to confirm that the web proxy is handling the traffic (debug flow can additionally confirm the traffic path). Options A, C, and E are correct.

Question 399 (Multi-select, medium)

An administrator is troubleshooting a scenario where traffic from VLAN 100 to a server at 10.1.2.100 is being blocked. The FortiGate has an active security policy allowing the traffic and the routing table shows a correct route. Which TWO diagnostic commands should the administrator run to identify the cause of the blockage?

Select 2 answers
A. diagnose sniffer packet any 'host 10.1.2.100' 4
B. get system performance status
C. diagnose ip arp list
D. diagnose sys session list
E. diagnose debug flow

Answers: A, E

Captures packets to verify traffic reaches the FortiGate.

Why this answer

Option A is correct because 'diagnose sniffer packet any host 10.1.2.100 4' captures packets to/from the server at the interface level, allowing the administrator to see if traffic from VLAN 100 is actually arriving at the FortiGate and whether it is being dropped or forwarded. This command helps identify if the issue is at Layer 2 (e.g., VLAN misconfiguration) or Layer 3 (e.g., routing or firewall drops).

Exam trap

The trap here is that candidates often choose 'diagnose sys session list' thinking it shows blocked traffic, but it only lists established sessions, not dropped packets or failed session creation attempts.

Question 400 (MCQ, hard)

Refer to the exhibit. A FortiGate is connected to the Security Fabric and registered with FortiManager. However, the administrator notices that the FortiGate is not receiving policy updates from FortiManager. What is the most likely cause?

A. The Fabric Root serial number is incorrect
B. The FortiGate is not registered with FortiManager
C. The policy package on FortiManager is not assigned to the correct device group or policy target
D. The Security Fabric is not fully connected

Answer: C

The device is in a fabric group, but policy must be assigned to that group.

Why this answer

Option C is correct because FortiManager uses policy packages that must be explicitly assigned to a device group or specific FortiGate. Even if the FortiGate is registered and part of the Security Fabric, if the policy package is not assigned to the correct device group or policy target, the FortiGate will not receive policy updates. This is a common misconfiguration where the policy package exists but is not linked to the device.

Exam trap

The trap here is that candidates assume registration and Fabric connectivity guarantee policy updates, but FortiManager requires explicit policy package assignment to the device group or policy target, which is a separate configuration step.

How to eliminate wrong answers

Option A is wrong because the Fabric Root serial number is used for Security Fabric topology discovery and does not affect FortiManager policy push; a mismatch would break Fabric connectivity, not policy updates. Option B is wrong because the scenario explicitly states the FortiGate is registered with FortiManager, so this option contradicts the given information. Option D is wrong because the Security Fabric being not fully connected would impact Fabric services like topology sharing, but FortiManager policy updates use a direct management tunnel (port 541/TCP) independent of Fabric connectivity.

Question 401 (MCQ, medium)

An administrator deploys a FortiGate in transparent mode within a Layer 2 network. They apply a firewall policy with an antivirus profile to inspect traffic between two VLANs. What is a key characteristic of transparent mode that affects policy application?

A. NAT is automatically applied to all traffic to preserve private IP addresses
B. Firewall policies are applied only to traffic entering the management interface
C. Each VDOM in transparent mode requires a unique IP address for management
D. Traffic is forwarded based on MAC addresses, and policies are applied transparently without changing the IP path

Answer: D

Transparent mode operates at Layer 2, so IP routing is not used.

Why this answer

In transparent mode, FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses rather than IP addresses. This allows firewall policies, including antivirus inspection, to be applied to traffic between VLANs without modifying the IP path or requiring NAT, ensuring seamless integration into existing Layer 2 networks.

Exam trap

The trap here is that candidates often assume transparent mode requires NAT or IP-based routing changes, but the key is that it operates purely at Layer 2, forwarding based on MAC addresses and applying policies without altering the IP path.

How to eliminate wrong answers

Option A is wrong because NAT is not automatically applied in transparent mode; NAT is a Layer 3 function and transparent mode operates at Layer 2, preserving the original IP addresses. Option B is wrong because firewall policies in transparent mode are applied to traffic passing through the FortiGate interfaces, not just the management interface; the management interface is used for administrative access only. Option C is wrong because VDOMs in transparent mode do not require a unique IP address for management; each VDOM can share the management IP or use a dedicated IP, but it is not a mandatory characteristic that affects policy application.

Question 402 (MCQ, easy)

A FortiGate administrator enables Dead Peer Detection (DPD) on an IPsec VPN tunnel. What is the primary purpose of DPD?

A. To dynamically adjust the tunnel MTU
B. To encrypt the IKE negotiation traffic
C. To automatically renegotiate the IKE SA before it expires
D. To detect when the remote peer is no longer reachable

Answer: D

DPD sends periodic messages to verify the peer is alive.

Why this answer

DPD is used to monitor the liveness of the remote peer. If the peer becomes unreachable, DPD detects it and can trigger a failover or tunnel teardown, ensuring traffic does not blackhole.

403
MCQhard

An administrator runs 'get router info bgp summary' and sees that the BGP session to a neighbor is in the 'Idle' state. The neighbor IP is reachable via ping. The BGP configuration uses loopback interfaces with 'update-source loopback1'. What is the MOST likely reason for the Idle state?

A.There is no route on the neighbor back to the FortiGate's loopback IP
B.The loopback interface is down or has no IP address assigned
C.The BGP neighbor's remote-as is misconfigured
D.The BGP timer values (keepalive/hold) are mismatched
Answer: A

BGP uses TCP; if the neighbor cannot reach the update-source IP, the TCP handshake fails, keeping the session in Idle.

Why this answer

BGP Idle state often indicates a TCP connection issue. If the update source is a loopback, the neighbor must have a route to that loopback IP, and the update-source IP must match the peer address configured on the neighbor; otherwise the TCP session for BGP cannot be established.

404
Multi-Select · easy

An administrator wants to use FortiAnalyzer to generate reports for compliance. Which two data sources can be included in a FortiAnalyzer report? (Choose two.)

Select 2 answers
A.Log data from FortiGate
B.Traffic statistics from FortiView
C.Routing table information from routers
D.Configuration backups from FortiManager
E.User authentication logs from LDAP servers
Answers: A, B

Log data is the primary source for reports.

Why this answer

FortiAnalyzer reports are built from log data collected from FortiGate devices, which includes traffic logs, event logs, and security logs. This log data is the primary source for compliance reporting because it provides detailed records of network activity. FortiView traffic statistics are also a valid data source, as they aggregate real-time and historical traffic data from FortiGate logs, allowing reports to include graphical summaries and top-talker information.

Exam trap

The trap here is that candidates assume FortiAnalyzer can directly ingest data from any network source (like routers or LDAP servers), but it only processes logs forwarded from FortiGate devices or other Fortinet products that support log forwarding, not arbitrary external systems.

405
MCQ · easy

What is the function of a VRF (Virtual Routing and Forwarding) on a FortiGate?

A.To provide redundancy for routing protocols
B.To aggregate multiple physical interfaces into one logical interface
C.To create multiple independent routing tables
D.To encrypt traffic between different virtual domains
Answer: C

VRF maintains separate routing tables, providing path isolation.

Why this answer

VRF allows multiple independent routing tables to coexist on the same FortiGate, enabling traffic separation without separate physical devices.

406
MCQ · hard

A FortiGate has multiple IPsec VPNs to different branch offices. The administrator notices that one VPN tunnel is flapping (going up and down repeatedly). From the CLI, 'diagnose vpn ike gateway list' shows the gateway state as 'up' but then quickly goes to 'down'. What is the MOST likely cause?

A.The remote gateway's certificate is expired
B.The phase2 proposal is mismatched
C.Dead Peer Detection (DPD) retry interval is too short
D.The pre-shared key is incorrect
Answer: C

Aggressive DPD can cause false timeouts and tunnel flapping.

Why this answer

Tunnel flapping with IKEv2 is often due to DPD mismatches or aggressive DPD retry intervals. If DPD is configured with very short intervals, the tunnel may drop due to transient delays.

407
MCQ · medium

A FortiGate is configured with OSPF over an IPsec VPN tunnel to exchange routes with a remote site. The OSPF neighbor states are stuck in 'INIT' and never progress to 'FULL'. What is the MOST likely cause?

A.The MTU on the VPN interface is too high
B.OSPF authentication is not configured on both sides
C.The IPsec phase 2 proposal does not include the OSPF multicast IP address (224.0.0.5)
D.The OSPF hello interval is too short
Answer: C

OSPF uses multicast address 224.0.0.5. The IPsec SA must be configured to allow this traffic; if the proxy ID does not include the multicast address, OSPF packets are dropped.

Why this answer

OSPF requires multicast support (224.0.0.5) to form adjacencies. Without multicast over the VPN tunnel, OSPF cannot exchange hello packets properly.

408
MCQ · medium

An administrator configures two FortiGate units in an active-passive HA cluster. During a failover test, the administrator notices that the secondary unit becomes primary but the session table is empty, causing all existing connections to drop. Which configuration change should be made to preserve session information during failover?

A.Enable FGCP configuration synchronization
B.Configure dead gateway detection on the FortiGate units
C.Enable link-failover on the monitored interfaces
D.Enable session pickup and configure HA session synchronization
Answer: D

Session pickup synchronizes session tables between cluster members.

Why this answer

Option D is correct because session pickup and HA session synchronization are specifically designed to replicate the session table from the primary FortiGate to the secondary unit in an active-passive cluster. Without this feature, the secondary unit becomes primary but has no knowledge of existing sessions, causing all active connections to drop. Enabling session synchronization ensures that session state information is continuously mirrored to the standby unit, allowing seamless failover without disrupting established flows.

Exam trap

The trap here is that candidates often confuse configuration synchronization (which is automatic and covers settings) with session synchronization (which must be explicitly enabled), leading them to incorrectly select option A thinking it preserves sessions.

How to eliminate wrong answers

Option A is wrong because FGCP configuration synchronization (enabled by default in HA clusters) only synchronizes configuration changes, not the dynamic session table; it does not preserve active sessions during failover. Option B is wrong because dead gateway detection is a network monitoring feature used to detect upstream gateway failures and trigger route changes, not a mechanism for replicating session state between HA units. Option C is wrong because link-failover on monitored interfaces triggers a failover when a monitored interface goes down, but it does not address the preservation of session information; the session table remains empty on the standby unit unless session synchronization is enabled.

409
Multi-Select · medium

A company wants to provide external contractors with access to a specific internal web application without granting full network access. The solution must authenticate the user, verify device compliance, and log all access. Which three Fortinet features should be combined to meet these requirements? (Choose THREE)

Select 3 answers
A.FortiNAC
B.SSL deep inspection
C.ZTNA proxy
D.FortiClient EMS with compliance enforcement
E.IPsec VPN with XAuth
Answers: B, C, D

Deep inspection decrypts HTTPS traffic for logging and security scanning.

Why this answer

ZTNA provides application-specific access with authentication and logging. FortiClient EMS enforces device compliance (posture). SSL deep inspection is required for decryption to log content.

This combination meets all requirements.

410
MCQ · hard

A company uses SSL VPN with FortiGate for remote access. Users report that after connecting, they can access internal web servers but cannot ping them. Which configuration is most likely missing?

A.Split tunneling settings
B.SSL VPN web portal settings
C.Firewall policy allowing ICMP
D.DNS server configuration
Answer: C

The firewall policy for SSL VPN traffic must permit ICMP protocol in addition to TCP/80 and TCP/443.

Why this answer

The correct answer is C. SSL VPN tunnels typically allow TCP-based traffic like HTTP/HTTPS to internal web servers, but ICMP (ping) is a separate protocol that requires explicit permission in the firewall policy. Without a firewall policy rule permitting ICMP from the SSL VPN interface to the internal network, the FortiGate will drop the ping requests, even though the tunnel is established and other traffic flows.

Exam trap

The trap here is that candidates assume split tunneling or DNS is the cause, but the real issue is that ICMP is a separate protocol that must be explicitly permitted in the firewall policy, unlike TCP-based web traffic.

How to eliminate wrong answers

Option A is wrong because split tunneling controls whether traffic to the internet goes through the VPN tunnel or directly, not the ability to ping internal servers; it does not affect ICMP traffic to internal resources. Option B is wrong because the SSL VPN web portal settings define the web-based interface and bookmarks for users, not the underlying firewall rules that govern ICMP or other protocols. Option D is wrong because DNS server configuration resolves hostnames to IP addresses, but the issue is that ping fails even when using the IP address, indicating a lack of ICMP permission rather than name resolution.

411
MCQ · medium

A network admin runs 'diagnose sys session filter dport 443' and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A.The session was established 1 hour ago and will expire in about 1 hour
B.The session is using UDP port 443
C.The session is for HTTP traffic and has 3599 seconds left
D.The session is for HTTPS traffic and is halfway through its expected lifetime
Answer: A

Duration=3600 seconds (1 hour), expire=3599 seconds (almost 1 hour remaining). Total session lifetime is about 2 hours.

Why this answer

The output shows `duration=3600`, meaning the session has been active for 3600 seconds (1 hour), and `expire=3599`, meaning the session will expire in 3599 seconds (approximately 1 hour). The `proto=6` indicates TCP (protocol 6), and `proto_state=01` corresponds to TCP state ESTABLISHED. Therefore, the session was established 1 hour ago and will expire in about 1 hour, making option A correct.

Exam trap

The trap here is that candidates often misinterpret `expire=3599` as the total session lifetime rather than the remaining time until expiry, leading them to incorrectly calculate the session's age or remaining duration.

How to eliminate wrong answers

Option B is wrong because `proto=6` indicates TCP, not UDP (which is protocol 17). Option C is wrong because `proto=6` and `dport 443` indicate HTTPS (TCP/443), not HTTP (which typically uses port 80), and the session has 3599 seconds left, not 3599 seconds total lifetime. Option D is wrong because while the session is for HTTPS traffic (TCP/443), the duration and expire values show it is at the beginning of its lifetime (3600 seconds elapsed, 3599 seconds remaining), not halfway through.

412
MCQ · hard

A FortiGate administrator receives an error when trying to create a new VDOM: 'Maximum number of VDOMs reached.' However, the FortiGate model supports more VDOMs. What could be the issue?

A.The VDOM license is not installed or is expired
B.The administrator is in the wrong VDOM context
C.The FortiGate is in transparent mode
D.The FortiGate needs a firmware upgrade
Answer: A

VDOM licenses are required to create additional VDOMs beyond the base limit.

Why this answer

The error 'Maximum number of VDOMs reached' occurs when the FortiGate attempts to exceed the licensed VDOM count, even if the hardware model supports more. FortiGate VDOM licensing is enforced via a separate license file; without a valid, non-expired license, the device restricts VDOM creation to the default (often 1 or 2) or previously licensed limit. This is a common issue when a license has expired or was never installed.

Exam trap

The trap here is that candidates assume the error is due to a hardware limitation or configuration mode, but Fortinet specifically tests the distinction between hardware capability and software licensing enforcement.

How to eliminate wrong answers

Option B is wrong because being in the wrong VDOM context would not generate a 'Maximum number of VDOMs reached' error; it would instead cause a permission or scope issue when trying to create a VDOM from a non-root or non-admin VDOM. Option C is wrong because transparent mode does not limit the maximum number of VDOMs; VDOMs can be created in both transparent and NAT modes, and the error is unrelated to the operational mode. Option D is wrong because a firmware upgrade does not increase the licensed VDOM limit; the limit is enforced by the license, not the firmware version, though a firmware upgrade might be needed to support newer license formats, but the error message specifically points to a licensing issue.

413
MCQ · easy

What is the primary difference between using a Web Application Firewall (WAF) on FortiGate versus using FortiWeb?

A.There is no difference; they are the same.
B.FortiGate WAF is cloud-based, while FortiWeb is on-premises.
C.FortiWeb provides dedicated, advanced WAF features and higher performance for web traffic, while FortiGate WAF is a basic protection feature.
D.FortiGate WAF can protect multiple web servers simultaneously, while FortiWeb protects only one.
Answer: C

FortiWeb is a dedicated WAF appliance with more advanced capabilities; FortiGate includes a basic WAF profile.

414
MCQ · medium

Refer to the exhibit. Users report that they cannot log in to the SSL VPN portal. The stats show 15 login failures with reason 'auth_fail'. What is the most likely cause?

A.The user 'user1' does not exist
B.The login-attempt-limit is too low
C.The encryption algorithm is set to low
D.The SSL VPN settings do not reference the user group
Answer: D

The configuration is missing 'set user-group' under config vpn ssl settings; thus no group is authorized for login, causing authentication failure.

Why this answer

The 'auth_fail' reason indicates that the authentication request was processed but rejected, typically because the SSL VPN portal is not configured to reference the user group that 'user1' belongs to. Without a group filter or group mapping in the SSL VPN settings, the FortiGate cannot match the user to any allowed group, causing the authentication to fail even if the user credentials are valid.

Exam trap

The trap here is that candidates often assume 'auth_fail' always means a wrong password or missing user, but Fortinet specifically uses 'auth_fail' to indicate a group mismatch when the user exists and the password is correct, testing your understanding of SSL VPN portal-to-group binding.

How to eliminate wrong answers

Option A is wrong because if 'user1' did not exist, the FortiGate would log a 'user not found' error, not 'auth_fail'; 'auth_fail' specifically indicates the user exists but the authentication was denied. Option B is wrong because a low login-attempt-limit would cause 'login-locked' or 'blocked' messages after exceeding attempts, not 'auth_fail' on each failure. Option C is wrong because the encryption algorithm setting (e.g., low, medium, high) affects the SSL cipher strength negotiated during the handshake, not the authentication phase; a mismatch would cause a connection failure, not an 'auth_fail' log.

415
Multi-Select · easy

An administrator needs to troubleshoot an HA synchronization issue. Which TWO commands provide information about the HA synchronization status?

Select 2 answers
A.diagnose hardware sysinfo
B.show system ha
C.diagnose ha dump
D.get system ha status
E.diagnose sys session stat
Answers: C, D

Dumps detailed HA synchronization data.

Why this answer

The command 'get system ha status' shows the cluster status and synchronization state. The command 'diagnose ha dump' provides detailed synchronization information.

416
MCQ · medium

A FortiGate admin runs 'diagnose debug application sslvpn -1' and sees repeated messages: 'SSL VPN tunnel establishment failed: no response from client.' The remote user reports that the FortiClient VPN connects but no traffic passes. What is the MOST likely cause?

A.The SSL VPN realm is misconfigured
B.The SSL VPN certificate has expired
C.The remote user's FortiClient version is incompatible
D.A firewall on the remote user's network is blocking UDP port 4500 or TCP port 443
Answer: D

SSL VPN tunnel establishment requires UDP 4500 (for NAT traversal) or TCP 443 for initial handshake. If blocked, the client cannot respond, leading to the 'no response from client' message.

Why this answer

The debug indicates the SSL VPN tunnel establishment fails because the client does not respond. This commonly occurs when the client is behind a NAT device that drops keepalive packets or blocks UDP/TCP ports needed for the tunnel. Option D correctly identifies a firewall blocking necessary ports.

417
MCQ · easy

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration uses certificates for authentication. The admin sees the following log message: 'Certificate validation failed: unable to get local issuer certificate.' What is the most likely cause?

A.The peer's certificate has expired
B.The CA certificate that signed the peer's certificate is not imported on the FortiGate
C.The certificate revocation list (CRL) is not configured
D.The local certificate does not match the peer's expected CN
Answer: B

The error 'unable to get local issuer certificate' means the issuing CA is missing.

Why this answer

The error indicates that the FortiGate cannot find the CA certificate that issued the peer's certificate. The CA certificate must be imported and trusted on the FortiGate.

418
MCQ · medium

An organization uses FortiManager to manage multiple FortiGates. A junior admin accidentally deleted a critical firewall policy on one device and the change was auto-installed. How can the senior admin revert the device to the previous configuration?

A.Delete the ADOM and recreate it
B.Go to Device Manager -> Revision History and restore the previous revision
C.Use the 'restore' command on FortiManager
D.Manually recreate the policy on the FortiGate
Answer: B

Revision history stores configuration snapshots that can be restored.

Why this answer

FortiManager maintains revision history for managed devices. The admin can restore a previous revision to revert the configuration.

419
MCQ · medium

An administrator configures inter-VDOM routing between VDOM-A and VDOM-B using a VDOM link. After configuration, traffic from VDOM-A cannot reach VDOM-B. Which configuration step is MOST likely missing?

A.Create a firewall policy on VDOM-A and VDOM-B allowing traffic over the VDOM link interface
B.Enable 'inter-vdom-routing' under system settings
C.Configure a static route on VDOM-A pointing to VDOM-B's subnet via the VDOM link
D.Assign both VDOM link interfaces to the same VDOM
Answer: A

Each VDOM must have a policy allowing traffic to/from the VDOM link interface, similar to any other interface.

Why this answer

VDOM links are special inter-VDOM interfaces that require firewall policies on both VDOMs to permit traffic. Without a policy on VDOM-A and VDOM-B that allows traffic over the VDOM link interface, packets will be dropped by the implicit deny rule. This is the most common missing step when inter-VDOM routing fails.

Exam trap

The trap here is that candidates often assume static routes or a global inter-VDOM routing toggle are required, overlooking that VDOM links function like physical interfaces and need firewall policies to permit traffic.

How to eliminate wrong answers

Option B is wrong because 'inter-vdom-routing' is not a configurable setting under system settings; inter-VDOM routing is inherently enabled when VDOMs are enabled and a VDOM link is created. Option C is wrong because static routes are not strictly required if the VDOM link is used as a transit link and the destination subnet is directly connected; the missing firewall policy is the primary issue. Option D is wrong because assigning both VDOM link interfaces to the same VDOM would defeat the purpose of inter-VDOM routing, as the link is designed to connect two different VDOMs.

420
Multi-Select · medium

Which TWO features are part of FortiGate's Advanced Threat Protection (ATP) suite?

Select 2 answers
A.Data Leak Prevention (DLP)
B.SSL Inspection
C.FortiGuard Antivirus
D.FortiSandbox
E.Intrusion Prevention System (IPS)
Answers: C, D

Part of ATP for malware detection.

Why this answer

FortiGate's Advanced Threat Protection (ATP) suite is designed to detect and block advanced, unknown, and zero-day threats. FortiGuard Antivirus (C) is a core ATP component that uses signature-based and heuristics-based scanning to detect known malware at the gateway. FortiSandbox (D) extends this by detonating suspicious files in a virtual environment to identify unknown threats, making both integral to the ATP suite.

Exam trap

The trap here is that candidates often confuse core security functions (like IPS or DLP) with the specific ATP suite components, which are explicitly defined by Fortinet as FortiGuard Antivirus and FortiSandbox for advanced threat detection.

421
MCQ · easy

What is the maximum number of VDOMs supported on a FortiGate 600F (assuming license)?

A.10
B.50
C.500
D.100
Answer: C

FortiGate 600F supports up to 500 VDOMs with license.

Why this answer

The FortiGate 600F, when properly licensed, supports up to 500 VDOMs. This is because the 600F is a mid-range enterprise appliance designed for large-scale multi-tenant environments, and its hardware resources (CPU, memory, and NP7 processors) are provisioned to handle the control-plane and data-plane overhead of up to 500 virtual domains. The license unlocks the VDOM feature, but the maximum count is a hardware-imposed limit, not a software cap.

Exam trap

The trap here is that candidates often confuse the default unlicensed limit (10 VDOMs) with the licensed maximum, or they assume the 600F shares the same VDOM limit as the 400F (100 VDOMs), failing to recognize that the 600F is a higher-spec model with a 500-VDOM ceiling.

How to eliminate wrong answers

Option A (10) is wrong because 10 VDOMs is the default unlicensed limit on many FortiGate models, but the 600F with a license supports far more. Option B (50) is wrong because 50 VDOMs is the maximum for lower-end models like the FortiGate 100F/200F, not the 600F. Option D (100) is wrong because 100 VDOMs is the limit for some mid-range models (e.g., FortiGate 400F), but the 600F is a higher-tier platform with a maximum of 500 VDOMs.

422
MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

A.The session is in SYN_SENT state and cannot be established
B.The session is an established TCP session with about one hour remaining before timeout
C.The session is a UDP session using port 443
D.The session has a duration of 3600 seconds and will expire immediately
Answer: B

Established TCP session (state 01), duration 3600s, expire 3599s (about 1 hour).

Why this answer

The output shows a TCP session (proto=6) with state 01, which in Fortinet's session table indicates an established TCP connection. The duration of 3600 seconds and expire value of 3599 seconds mean the session has been active for about one hour and has approximately one hour remaining before the idle timeout expires. This matches option B.

Exam trap

The trap here is that candidates often confuse the proto_state value 01 with SYN_SENT (which is 02) or assume the expire field indicates total session lifetime rather than remaining idle timeout.

How to eliminate wrong answers

Option A is wrong because proto_state=01 indicates an established TCP session, not SYN_SENT; SYN_SENT would be state 02. Option C is wrong because proto=6 is TCP, not UDP (UDP uses proto=17). Option D is wrong because expire=3599 means the session will expire in about 3599 seconds, not immediately; immediate expiry would show expire=0 or a very small value.

423
Multi-Select · easy

An administrator is troubleshooting a VPN tunnel that fails to establish. The administrator has verified that pre-shared keys match and phase 1 parameters are correct. Which TWO additional items should be checked?

Select 2 answers
A.NAT traversal configuration
B.Firewall policies allowing UDP 500 and 4500
C.The phase 2 proposal
D.The NTP server configuration
E.The FortiGate's hostname
Answers: A, B

Why this answer

NAT traversal (NAT-T) is required when a VPN tunnel passes through a device performing Network Address Translation (NAT). NAT-T encapsulates ESP packets inside UDP 4500 to avoid issues with NAT modifying IP headers. Even if phase 1 parameters match, without NAT-T enabled on both peers, the tunnel may fail to establish if a NAT device is detected between them.

Exam trap

The trap here is that candidates often assume phase 2 parameters must be checked first, but the question specifies the tunnel fails to establish, meaning phase 1 has not completed, so phase 2 is irrelevant at this stage.

424
MCQ · medium

An administrator connects a FortiExtender to the FortiGate's USB port. The FortiGate detects the FortiExtender and creates a virtual interface 'wwan1'. However, the link status shows 'down'. The SIM card is inserted and the cellular plan is active. What should the administrator check?

A.The APN settings are not configured under the FortiExtender interface
B.The FortiGate needs a security policy allowing traffic from wwan1
C.The FortiExtender firmware is not compatible with the FortiGate
D.The FortiExtender is not powered on
Answer: A

APN is required for cellular connectivity; without it, the link stays down.

Why this answer

FortiExtender requires provisioning from the FortiGate; the APN must be configured correctly, and the extender may need to be activated.

425
MCQ · medium

An organization wants to prevent zero-day attacks by using Content Disarm and Reconstruction (CDR) on email attachments. Which Fortinet product provides this capability?

A.FortiWeb
B.FortiGate
C.FortiMail
D.FortiSandbox
Answer: C

FortiMail provides email security including CDR.

Why this answer

FortiMail is the correct answer because it natively integrates Content Disarm and Reconstruction (CDR) to sanitize email attachments by removing active content (e.g., macros, scripts, embedded objects) and rebuilding the file in a safe format. This prevents zero-day exploits that bypass signature-based detection, as CDR does not rely on threat intelligence but instead strips potentially malicious elements before delivery.

Exam trap

The trap here is that candidates often confuse FortiSandbox's dynamic analysis with CDR, assuming both provide proactive protection against zero-days, but FortiSandbox requires execution and detection, whereas CDR prevents exploitation by removing the attack surface entirely without relying on signatures or behavioral analysis.

How to eliminate wrong answers

Option A is wrong because FortiWeb is a web application firewall (WAF) that protects web servers from HTTP/HTTPS attacks (e.g., SQL injection, XSS) and does not process email attachments or provide CDR functionality. Option B is wrong because FortiGate is a next-generation firewall (NGFW) that can perform antivirus and sandboxing for traffic passing through it, but it does not include native CDR for email attachments; CDR is a feature specific to FortiMail's email security pipeline. Option D is wrong because FortiSandbox is a separate advanced threat detection appliance that uses dynamic analysis (e.g., detonating files in a sandbox) to identify unknown malware, but it does not perform CDR; CDR proactively disarms attachments without execution, whereas FortiSandbox relies on behavioral analysis after execution.

426
MCQ · medium

An administrator is configuring SD-WAN on a FortiGate. They want traffic from the internal network to a specific SaaS application to use the MPLS link unless the latency exceeds 50 ms, in which case traffic should failover to the broadband link. Which configuration elements are required?

A.Configure policy-based routing to direct SaaS traffic to the MPLS link and rely on default routing for failover.
B.Add a static route for the SaaS IP with the MPLS interface as the gateway and a higher distance than the default route via broadband.
C.Create an SD-WAN member for each link, configure a performance SLA with jitter threshold 50 ms, and add an SD-WAN rule matching the SaaS traffic using the 'best-quality' strategy with the MPLS member.
D.Create an SD-WAN member for each link, configure a performance SLA with latency threshold 50 ms, and add an SD-WAN rule matching the SaaS traffic with the MPLS member as preferred and enable 'set failover enable'.
Answer: D

This correctly defines members, an SLA to measure latency, and a rule that uses the MPLS link with failover to the broadband when the SLA is not met.

427
MCQ · medium

A network administrator runs the command 'diagnose debug application ssl -1' and sees the following output: 'ssl_generate_proxy_cert: cannot find CA certificate for issuer CN=www.example.com'. What is the MOST likely cause?

A.The FortiGate does not have an internet connection to reach the CA certificate authority
B.The firewall policy does not have SSL inspection enabled
C.The web server's certificate has expired
D.The SSL/SSH inspection profile is configured with an incorrect CA certificate
Answer: D

If the CA certificate used to sign proxy certificates is missing or invalid, FortiGate cannot generate a new certificate for the inspected site.

Why this answer

The error indicates that FortiGate cannot find the CA certificate used to generate a proxy certificate for the site. This happens when deep inspection is enabled but the CA certificate used for re-signing is missing or misconfigured.

428
MCQ · medium

An administrator notices that after making changes to a policy package in FortiManager, the 'Install Preview' shows that the changes will modify policies on a FortiGate. However, the admin wants to verify what the exact changes will be before installing. What should the admin do?

A.Check the 'Audit Log' for recent changes
B.Run 'diagnose dvm device list' on FortiManager
C.Use the 'Revision History' to compare the current configuration with the previous version
D.Use the 'Install Preview' and then click 'View Details' on each device
Answer: C

Revision history allows comparing configurations to see exact changes.

Why this answer

Option C is correct because the Revision History feature in FortiManager allows an administrator to compare the current configuration of a policy package with a previous version, showing a detailed diff of exactly which policies will be added, removed, or modified. This provides a precise verification of changes before installation, unlike the Install Preview which only indicates that changes exist without showing the specific modifications.

Exam trap

The trap here is that candidates confuse the Install Preview's summary of changes (which only indicates that modifications exist) with the detailed comparison provided by Revision History, leading them to select Option D without realizing it lacks the granular diff needed to verify exact policy changes.

How to eliminate wrong answers

Option A is wrong because the Audit Log records administrative actions (e.g., who made changes and when) but does not show a side-by-side comparison of policy configurations or the exact modifications to individual policies. Option B is wrong because 'diagnose dvm device list' is a diagnostic command used to display the list of managed devices and their synchronization status, not to compare policy changes. Option D is wrong because the Install Preview's 'View Details' option only shows a summary of which objects will be installed (e.g., policy count changes) but does not provide a granular diff of the actual policy lines or attributes that will be modified.

429
MCQ · medium

An administrator has configured a FortiGate HA cluster with two units. The cluster uses a virtual cluster for load balancing in active-active mode. The administrator notices that traffic from one VDOM is not being load-balanced and is only handled by one unit. What is the most likely cause?

A. Session pickup is disabled
B. The HA priority is set to 0 on the secondary unit
C. The VDOM is not assigned to any virtual cluster
D. The management interface is not configured on the VDOM
Answer: C

VDOMs must be assigned to a virtual cluster for load balancing.

Why this answer

In an active-active HA cluster with virtual clusters, each VDOM must be explicitly assigned to a virtual cluster to participate in load balancing. If a VDOM is not assigned to any virtual cluster, it defaults to being handled only by the primary unit, regardless of the cluster mode. This explains why traffic from that VDOM is not load-balanced.

Exam trap

The trap here is that candidates often assume active-active mode automatically load-balances all traffic across both units, overlooking the requirement that each VDOM must be explicitly assigned to a virtual cluster to enable load balancing for that VDOM.

How to eliminate wrong answers

Option A is wrong because session pickup is a feature for synchronizing existing sessions after failover, not a prerequisite for load balancing traffic across units in active-active mode. Option B is wrong because setting HA priority to 0 on the secondary unit would make it a standby unit, but the question states the cluster is in active-active mode, where both units should actively forward traffic; priority 0 would prevent load balancing entirely, not just for one VDOM. Option D is wrong because the management interface configuration is unrelated to VDOM traffic forwarding or load balancing; it only affects administrative access to the VDOM.

430
MCQ · easy

Which FortiManager feature allows an administrator to roll back a policy package to a previous version?

A. Install preview
B. Revision history
C. Device manager
D. Automation stitch
Answer: B

Revision history allows an administrator to view and restore previous versions of policy packages or device configurations.

Why this answer

Option B is correct. Revision history stores previous versions of policy packages, allowing rollback. Install preview shows pending changes but does not roll back.

431
MCQ · medium

A company with a hub-and-spoke SD-WAN topology uses FortiGates at each site. The hub has two WAN links: MPLS (10 Mbps) and broadband (100 Mbps). The spokes connect only via MPLS. The company deploys a new real-time application that requires low latency and low jitter. The network administrator creates an SD-WAN rule for this application with 'best quality' strategy and both MPLS and broadband as members. The SLA for MPLS is configured with latency < 10 ms and jitter < 5 ms. The SLA for broadband is configured with latency < 50 ms and jitter < 20 ms. The actual measured latency on MPLS is 12 ms, and jitter is 4 ms. The broadband latency is 25 ms, jitter 10 ms. Which path will the application traffic take?

A. The traffic will use the broadband link because MPLS SLA fails and broadband SLA is met.
B. The traffic will be load-balanced between MPLS and broadband.
C. The traffic will use the MPLS link because it is the preferred member.
D. The traffic will be dropped because no link meets the SLA.
Answer: A

SD-WAN failover to broadband.

Why this answer

The SD-WAN rule uses the 'best quality' strategy, which selects the member with the best SLA performance. The MPLS link fails its SLA because its measured latency of 12 ms exceeds the configured threshold of 10 ms, even though jitter is within limits. The broadband link meets both its latency (25 ms < 50 ms) and jitter (10 ms < 20 ms) thresholds, so it becomes the active path for the application traffic.

Exam trap

The trap here is that candidates assume MPLS is always preferred due to its lower latency profile, but the 'best quality' strategy strictly enforces SLA thresholds, and a link that fails its SLA is excluded from selection regardless of its absolute performance.

How to eliminate wrong answers

Option B is wrong because 'best quality' strategy does not perform load-balancing; it selects a single best path based on SLA compliance and performance metrics. Option C is wrong because MPLS is not inherently preferred; the rule treats both members equally, and MPLS is disqualified due to SLA failure. Option D is wrong because the broadband link meets its SLA thresholds, so traffic is not dropped.

432
MCQ · easy

An administrator wants to enforce that only devices with antivirus software installed and running can access a sensitive application via ZTNA. Which ZTNA feature should be used to verify this requirement?

A. ZTNA inline CASB
B. NAC with FortiNAC
C. ZTNA tags with device posture checks
D. IPsec VPN with DPD
Answer: C

ZTNA tags can contain posture attributes like antivirus status. The FortiGate can check these tags in the access proxy rule to grant or deny access.

Why this answer

ZTNA uses tags to indicate device posture. The FortiGate or FortiClient EMS can check for antivirus status and include that information in the device's posture tag. The ZTNA access proxy rule can then require that tag for access.

433
MCQ · hard

A FortiGate is configured with an IPS sensor that has protocol anomaly detection enabled. The admin notices that legitimate VoIP traffic (SIP) is being blocked. Which action should the admin take to reduce false positives?

A. Change the IPS action from block to monitor
B. Add the VoIP servers to an IP exemption list in the IPS sensor
C. Disable protocol anomaly detection entirely
D. Tune the protocol anomaly thresholds to be more lenient for SIP
Answer: D

Tuning thresholds reduces false positives while maintaining security.

Why this answer

Option D is correct because protocol anomaly detection works with configurable thresholds; adjusting them for SIP allows legitimate VoIP traffic to pass while the sensor still detects genuine anomalies.

434
Multi-Select · medium

A company uses FortiManager to manage multiple FortiGates. The admin wants to use a global ADOM to manage certain policies across all devices while allowing local customization. Which two statements about global ADOM are true? (Choose two.)

Select 2 answers
A. Header/footer policies can only be configured in the global ADOM
B. Global ADOM supports per-device policy objects
C. Regular ADOMs can import policy packages from the global ADOM
D. Global ADOM requires a separate FortiManager license
E. Global ADOM policies are installed on all managed FortiGates in all ADOMs
Answers: A, C

Header and footer policies are typically defined in the global ADOM to enforce consistent security baselines.

Why this answer

Option A is correct because header and footer policies are global constructs that can only be created and managed within the global ADOM. These policies are automatically applied to all policy packages across all regular ADOMs, ensuring consistent enforcement at the top and bottom of the policy list without local modification.

Exam trap

The trap here is that candidates often assume global ADOM policies are automatically installed on all devices, but in reality they only apply to policy packages that are explicitly imported from the global ADOM into a regular ADOM.

435
MCQ · medium

A network admin configures inter-VDOM routing between two VDOMs on a FortiGate. The admin creates a firewall policy in VDOM A allowing traffic to VDOM B, but traffic is still not passing. What additional step is required?

A. Configure a static route in VDOM B pointing back to VDOM A
B. Enable inter-VDOM routing under config system global
C. Assign the inter-VDOM link to both VDOMs
D. Create a firewall policy in VDOM B to permit the traffic from VDOM A
Answer: D

Inter-VDOM traffic requires policies on both VDOMs to allow the session. Without the return policy, the session is blocked.

Why this answer

Inter-VDOM routing on a FortiGate requires firewall policies in both VDOMs to permit traffic in both directions. Even if VDOM A has a policy allowing traffic to VDOM B, VDOM B must have a corresponding policy to allow the return traffic or the initial traffic from VDOM A to be processed. Without this, the FortiGate drops the packets due to asymmetric policy enforcement.

Exam trap

The trap here is that candidates assume a single firewall policy in the source VDOM is sufficient, but FortiGate requires policies in both VDOMs for inter-VDOM traffic to pass, mirroring the behavior of separate physical firewalls.

How to eliminate wrong answers

Option A is wrong because static routes are not inherently required for inter-VDOM routing; the inter-VDOM link is a direct connection, and routing is handled automatically if the link is configured correctly. Option B is wrong because inter-VDOM routing is enabled by default on FortiGate and does not require a global command; the relevant setting is 'set inter-vdom-routing enable' under config system global, but it is already enabled by default. Option C is wrong because the inter-VDOM link is automatically assigned to both VDOMs when created; no additional assignment step is needed.

436
Multi-Select · medium

A security analyst wants to use automation stitches on FortiGate to automatically block an IP address when a critical severity event is logged. Which TWO components are essential to create this automation stitch? (Choose two.)

Select 2 answers
A. A FortiGuard subscription
B. A FortiAnalyzer to store logs
C. An action that adds the source IP to a firewall address group
D. A static route to the internet
E. A trigger that matches critical severity logs
Answers: C, E

The action defines the response, such as blocking the IP.

Why this answer

Options C and E are correct because the trigger defines which event starts the automation, and the action defines what the automation does (e.g., block the IP).

437
MCQ · easy

A FortiGate administrator wants to check if the device is experiencing high CPU usage due to a specific process. Which command should they use to display real-time process CPU usage?

A. show system resource
B. diagnose sys top
C. get system performance status
D. diagnose debug application crashlog read
Answer: B

Shows real-time process list with CPU usage.

Why this answer

Option B is correct. 'diagnose sys top' shows real-time CPU and memory usage per process, similar to the Linux 'top' command. It helps identify which process is consuming CPU.

438
MCQ · medium

A FortiGate administrator configures SAML SSO with FortiGate as the Identity Provider (IdP). Users are redirected to the FortiGate login page, but after successful authentication, they are not redirected back to the service provider. What is a likely cause?

A. SAML authentication timeout is too short
B. The assertion consumer service URL is misconfigured on the FortiGate
C. The ACS URL on the service provider does not match the FortiGate's SAML settings
D. The SP certificate is not imported on the FortiGate
Answer: B

Why this answer

When FortiGate is the IdP, it must have the correct Assertion Consumer Service (ACS) URL to which the SAML response is sent after authentication. A mismatch prevents the redirect back to the SP.

439
MCQ · medium

An administrator needs to deploy a honeypot solution to detect and deceive attackers inside the network. Which Fortinet product is BEST suited for this purpose?

A. FortiDeceptor
B. FortiSandbox
C. FortiEDR
D. FortiNAC
Answer: A

FortiDeceptor provides honeypots and decoys to detect lateral movement.

Why this answer

FortiDeceptor is a dedicated deception-based security solution that deploys decoys (honeypots) and lures across the network to detect and misdirect attackers. It integrates with FortiGate and FortiSIEM to provide automated threat isolation and forensic data collection, making it the best choice for a honeypot deployment.

Exam trap

The trap here is that candidates may confuse FortiSandbox's file analysis with deception technology, but FortiSandbox does not deploy decoys or lures within the network for attacker interaction.

How to eliminate wrong answers

Option B (FortiSandbox) is wrong because it focuses on analyzing suspicious files and URLs in a sandboxed environment, not on deploying honeypots or decoys for attacker deception. Option C (FortiEDR) is wrong because it provides endpoint detection and response capabilities, including behavioral analysis and threat hunting, but does not include honeypot or deception technology. Option D (FortiNAC) is wrong because it is a network access control solution that manages device authentication and compliance, not a deception-based detection tool.

440
Multi-Select · hard

An administrator is configuring a hub-and-spoke ADVPN with IBGP as the overlay routing protocol. The hub is configured as a route reflector. Which two conditions must be met for a shortcut tunnel to be established between two spokes? (Choose TWO)

Select 2 answers
A. The hub must have a route to the spoke's subnet via the IPsec tunnel
B. The spokes must use overlapping IPsec proposal sets
C. The hub must have 'set auto-discovery-shortcut-mode both'
D. The spokes must be in the same VDOM
E. The spokes must have 'set auto-discovery-shortcut-mode client' enabled
Answers: A, E

The hub needs to have the route in its routing table to advertise to other spokes.

Why this answer

For shortcut tunnels to establish, the hub must send a shortcut offer to the spokes. This requires that the hub learns the route from one spoke via IBGP and reflects it to the other spoke. The spoke must also have auto-discovery-shortcut-mode enabled to accept the shortcut.

Additionally, the spokes must be able to communicate directly (no NAT between them).

441
Multi-Select · hard

A security administrator wants to implement automated threat response using FortiGate automation stitches. Which THREE components are mandatory when creating an automation stitch? (Choose three.)

Select 3 answers
A. Schedule (e.g., daily at midnight)
B. Stitch name
C. Action (e.g., 'CLI Script', 'Add IP to Blocklist')
D. Trigger (e.g., 'Event Log' or 'FortiOS CLI')
E. Condition (e.g., filter on event type)
Answers: C, D, E

The action defines what happens when the stitch fires.

Why this answer

Option C is correct because an automation stitch requires at least one action to execute when triggered. Actions define the actual response, such as running a CLI script, adding an IP to a blocklist, or sending an email. Without an action, the stitch would have no effect on the network.

Exam trap

The trap here is that candidates often confuse 'mandatory components' with 'required fields in the GUI' — the stitch name is a required field in the GUI but is not a functional component of the automation logic, while the condition is often overlooked as optional but is considered mandatory in the NSE7 exam because it is essential for practical threat response filtering.

442
Multi-Select · medium

A company has two FortiGate devices at different sites connected via an IPsec VPN tunnel using IKEv2. The tunnel is established but intermittent packet loss is observed. Which two configuration changes should be applied to improve stability? (Choose two.)

Select 2 answers
A. Reduce the DPD retry interval to 3 seconds.
B. Increase the phase1 lifetime to 86400 seconds.
C. Change the IKE version to IKEv1.
D. Increase the phase2 rekey time to 8 hours.
E. Enable Dead Peer Detection (DPD) on the tunnel interface.
Answers: D, E

Longer rekey intervals reduce how often rekeying occurs; each rekey can briefly disrupt traffic.

Why this answer

Increasing the phase2 rekey time to 8 hours (Option D) reduces the frequency of rekey events, which can cause brief packet loss during key regeneration. This is especially beneficial for stability when the tunnel experiences intermittent loss due to rekey timing. A longer rekey interval minimizes disruptions, making it a correct choice.

Exam trap

The trap here is that candidates often think reducing DPD intervals or increasing lifetimes always improves stability, but in reality, aggressive DPD can cause flapping on lossy links, and IKEv2 is inherently more stable than IKEv1 for VPN tunnels.

443
Drag & Drop · medium

Drag and drop the steps to troubleshoot a FortiGate SSL VPN connection failure into the correct order.

Why this order

Start with basic configuration, then user authentication, then policies, then debug, then routing.

444
MCQ · easy

In FortiGate's ZTNA, what is the purpose of a 'ZTNA tag'?

A. To identify a device's compliance status and attributes for policy enforcement.
B. To mark packets for quality of service (QoS) prioritization.
C. To label network interfaces for traffic steering.
D. To assign a security level to application traffic.
Answer: A

Why this answer

ZTNA tags are dynamic attributes (e.g., OS type, antivirus status) assigned to devices based on posture checks. They are used in firewall policies to grant access based on device compliance, not for routing or QoS.

445
Multi-Select · hard

An administrator uses FortiManager automation stitches to respond to an incident. The stitch includes a trigger, one or more actions, and conditions. Which THREE components are valid action types in an automation stitch?

Select 3 answers
A. CLI script execution
B. Remote script execution
C. FortiGate reboot
D. Email notification
E. FortiAnalyzer report generation
Answers: A, B, D

CLI scripts can be run on managed devices.

Why this answer

CLI script execution is a valid action type in FortiManager automation stitches because it allows the administrator to run a predefined CLI script on a managed FortiGate device directly from the stitch. This enables automated configuration changes or troubleshooting commands in response to a trigger, such as blocking an IP address after an intrusion detection event.

Exam trap

The trap here is that candidates may confuse 'remote script execution' with local device actions like reboot, or assume FortiAnalyzer integration is an action type, when in fact automation stitches only support CLI scripts, remote scripts, and email notifications as valid action types.

446
MCQ · easy

What is the purpose of a Global ADOM in FortiManager?

A. To store backup configurations only
B. To manage all FortiGates in a single VDOM
C. To share common objects and policies across multiple ADOMs
D. To replace the root ADOM for system settings
Answer: C

Global ADOM allows sharing of objects like address objects, services, and policies across ADOMs.

Why this answer

A Global ADOM in FortiManager is a special administrative domain that stores objects and policies shared across multiple regular ADOMs. This allows administrators to define common objects (e.g., address groups, services, schedules) once in the Global ADOM and then reference them in per-ADOM policies, ensuring consistency and reducing duplication. It does not replace the root ADOM, nor is it limited to backups or single-VDOM management.

Exam trap

The trap here is that candidates often confuse the Global ADOM with the root ADOM or think it is for backup purposes, when in fact it is specifically designed for sharing objects and policies across multiple ADOMs to enforce consistency in multi-tenant or multi-region deployments.

How to eliminate wrong answers

Option A is wrong because the Global ADOM is not for storing backup configurations; backups are handled separately via the system backup feature or the CLI. Option B is wrong because the Global ADOM does not manage all FortiGates in a single VDOM; it manages shared objects across multiple ADOMs, each of which can contain multiple VDOMs. Option D is wrong because the Global ADOM does not replace the root ADOM for system settings; the root ADOM remains the administrative domain for system-level configuration (e.g., system admin, HA, firmware), while the Global ADOM focuses on shared policy objects.

447
Multi-Select · medium

A network administrator is troubleshooting a scenario where remote users can connect via FortiClient VPN but cannot access internal resources. The FortiGate has a valid IPsec VPN configuration. Which THREE checks should the administrator perform to resolve the issue?

Select 3 answers
A. Check if there is a route on the internal network pointing back to the VPN subnet
B. Ensure that NAT is disabled on the VPN policy
C. Increase the MTU on the VPN interface
D. Disable DPD on the VPN phase 1
E. Verify that the firewall policy allows traffic from the VPN IP pool to the internal network
Answers: A, B, E

Without a return route, responses can't reach the VPN clients.

Why this answer

The common causes are covered by these three checks: the firewall policy must allow traffic from the VPN IP pool to the internal network, the internal network must have a return route to the VPN subnet, and NAT should not be applied to VPN traffic unless it is specifically required. Checking these three areas typically resolves the connectivity issue.

448
MCQ · medium

A FortiGate administrator sees the following output:

diagnose sys session filter dport 443
diagnose sys session list
session info: proto=6 proto_state=01 duration=3600 expire=3599

What does this session duration and expire time indicate?

A. The session has a timeout of 7200 seconds (2 hours)
B. The session is about to be torn down
C. The session is newly established
D. The session is using UDP protocol
Answer: A

Duration + expire = total timeout: 3600 + 3599 = 7199, approximately 7200 seconds.

Why this answer

Duration 3600 seconds (1 hour) and expire 3599 seconds means the session has been active for 1 hour and will expire in about 1 hour, total timeout 2 hours, which matches the default TCP session timeout.

449
MCQ · easy

A network engineer is configuring a FortiGate HA cluster with two FortiGate 100F units in active-passive mode. The engineer wants to use VDOMs to separate guest and corporate traffic. After initial setup, the engineer configures two VDOMs: 'guest' and 'corp'. Both VDOMs have interfaces assigned. The HA status shows 'synchronized'. However, the engineer notices that traffic from the corporate network is not being forwarded correctly. Pings from the corporate LAN to the internet fail. The guest network works fine. The engineer checks the routing table on the active unit and sees that the default route is present in the 'corp' VDOM. What is the most likely cause of the issue?

A. The interface assigned to the corp VDOM is administratively down.
B. The default route in the corp VDOM has an incorrect gateway IP address.
C. The HA cluster must be in active-active mode for VDOMs to work.
D. The VDOM link between the root VDOM and corp VDOM is not configured.
Answer: B

If the gateway IP is wrong, traffic will not be forwarded, even though the route is present in the routing table.

Why this answer

The most likely cause is an incorrect gateway IP address in the default route for the 'corp' VDOM. Since the guest VDOM works correctly, the HA cluster and VDOM configuration are functional, and the issue is isolated to the corporate VDOM's routing. A misconfigured next-hop IP would prevent traffic from reaching the internet, even though the route itself is present in the routing table.

Exam trap

The trap here is that candidates may assume the issue is with HA synchronization or VDOM links, but the fact that one VDOM works and the other does not points directly to a per-VDOM configuration error, such as an incorrect default route gateway.

How to eliminate wrong answers

Option A is wrong because if the interface were administratively down, the 'corp' VDOM would not have a working link, but the engineer would typically see the interface status as 'down' in the GUI or CLI, and the default route would not be relevant; the issue is specifically with forwarding, not interface state. Option C is wrong because VDOMs work in both active-passive and active-active HA modes; there is no requirement for active-active mode to use VDOMs. Option D is wrong because VDOM links are only needed for inter-VDOM routing, not for forwarding traffic from a VDOM to the internet; the 'corp' VDOM has its own interfaces and default route, so a VDOM link is not required for this scenario.

450
MCQ · hard

A FortiGate has an SD-WAN configuration with two members (wan1, wan2). The performance SLA monitors latency to 8.8.8.8. The admin notices that even when the SLA is satisfied on both members, all traffic uses wan1. The SD-WAN rule is configured with 'strategy = best quality'. What is the most likely cause?

A. A firewall policy is overriding the SD-WAN rule
B. The best quality strategy selects the member with the best SLA metric, which is wan1 by default when both meet SLA
C. The performance SLA is incorrectly configured, causing wan2 to be ignored
D. The SD-WAN rule has 'set match-vip disable' which forces all traffic to wan1
Answer: B

Best quality uses a tie-breaking order; it does not load balance equally.

Why this answer

Option B is correct. In best quality mode, traffic uses the member with the best SLA metric. If both satisfy the SLA, the default preference is the member with the lowest cost or the first member in the list (wan1).

To load balance, the admin should use a different strategy or enable 'update-static-route' to adjust routing metrics.
