Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 451-525

1000 questions total · 14 pages · All types, answers revealed

Page 7 of 14
451
MCQ (medium)

An administrator is configuring a FortiGate in transparent mode for an enterprise network. The existing gateway firewall must remain in place. How should the administrator configure the FortiGate's interfaces to ensure minimal disruption?

A. Enable VDOMs and separate the interfaces into different VDOMs
B. Place both interfaces in the same VDOM and assign a shared management IP
C. Assign each interface a unique IP address on different subnets
D. Use 802.1Q trunking on a single physical interface

Answer: B

Transparent mode requires both interfaces to be in the same VDOM with a single management IP.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge, so both interfaces must belong to the same VDOM and share a single management IP to allow administrative access without breaking the Layer 2 path. This configuration ensures the existing gateway firewall remains in place and traffic flows uninterrupted, as the FortiGate does not perform routing between its interfaces.

Exam trap

The trap here is that candidates often assume transparent mode requires unique IPs on each interface (like in NAT/route mode), leading them to choose Option C, but in transparent mode all interfaces share a single management IP to maintain Layer 2 transparency.

How to eliminate wrong answers

Option A is wrong because enabling VDOMs and separating interfaces into different VDOMs would break the Layer 2 bridging required in transparent mode, causing traffic to be routed between VDOMs and disrupting the existing gateway firewall. Option C is wrong because assigning each interface a unique IP address on different subnets would force the FortiGate to route between them, which is incompatible with transparent mode's Layer 2 operation and would disrupt the existing network topology. Option D is wrong because 802.1Q trunking on a single physical interface is used for VLAN segmentation in NAT/route mode, not for transparent mode, and does not provide the required Layer 2 bridge between two separate interfaces.

452
MCQ (medium)

You want to use policy-based routing (PBR) to send traffic from a specific subnet to a different next-hop than the default route. Which configuration is required?

A. Configure a route map under 'config router policy'
B. Create a firewall policy with 'set policy-based-route enable'
C. Enable 'set pbr-enforce-symmetric' on the interface
D. Configure a prefix list and apply to the static route

Answer: A

PBR uses route maps with set-next-hop in the policy route configuration.

Why this answer

Policy-based routing is configured under 'config router policy' with source/destination addresses and a set-next-hop action.

453
MCQ (medium)

A FortiGate administrator wants to use FortiManager to manage multiple FortiGates in different geographic regions. To isolate configuration changes, the administrator creates separate ADOMs for each region. Which type of ADOM should be used to allow some common objects (like address groups) to be shared across all regions?

A. Per-Device ADOM
B. Global ADOM
C. Regular ADOM
D. Meta ADOM

Answer: B

Correct. Global ADOM objects are available to all regular ADOMs.

Why this answer

The Global ADOM is designed to store and share common objects, such as address groups, policies, and schedules, across all ADOMs in a FortiManager deployment. When an administrator creates separate ADOMs for each region, the Global ADOM acts as a central repository for objects that need to be consistent everywhere, allowing per-region ADOMs to reference these shared objects without duplicating them. This ensures configuration isolation for region-specific settings while maintaining a single source of truth for global resources.

Exam trap

The trap here is that candidates often confuse 'Global ADOM' with 'Regular ADOM' or assume that a 'Per-Device ADOM' can be configured to share objects, when in fact only the Global ADOM provides a centralized, cross-ADOM object repository in FortiManager.

How to eliminate wrong answers

Option A is wrong because a Per-Device ADOM is used when each managed FortiGate requires its own independent ADOM with no sharing of objects, which defeats the purpose of sharing common objects across regions. Option C is wrong because a Regular ADOM (also called a per-ADOM ADOM) is the default type that isolates all objects within that ADOM and does not inherently support sharing objects with other ADOMs; it would require manual duplication or import/export to share objects. Option D is wrong because Meta ADOM is not a valid ADOM type in FortiManager; the correct term is 'Global ADOM' for cross-ADOM object sharing, and 'Meta ADOM' is a distractor that does not exist in the FortiManager architecture.

454
MCQ (medium)

An administrator configures two SD-WAN members (port1, port2) with performance SLAs. The SD-WAN rule uses 'best-quality' strategy. During a failover test, the primary member port1 becomes unavailable but traffic does not switch to port2. What should the administrator check first?

A. The SD-WAN rule is not configured to use the performance SLA.
B. The 'set status' on the performance SLA is 'passive'.
C. The performance SLA's failover threshold is not met.
D. The 'update-static-route' is enabled on port1.

Answer: C

The SLA must fail (e.g., latency threshold exceeded) to trigger failover. If port1 is physically down, the SLA may show as down, but if no failover threshold is configured, traffic may not switch.

455
MCQ (medium)

A FortiGate administrator needs to manage multiple FortiGate devices centrally. They want to deploy policy packages from FortiManager to specific VDOMs on each device. Which FortiManager object must be configured first?

A. Device Group
B. Install Preview
C. Policy Package
D. Administrative Domain (ADOM)

Answer: D

ADOMs provide the logical grouping for devices and VDOMs.

Why this answer

The Administrative Domain (ADOM) is the top-level container in FortiManager that defines the management boundary for a set of FortiGate devices and their VDOMs. Before you can create or assign policy packages to specific VDOMs on managed devices, you must first configure the ADOM to enable multi-tenancy and VDOM-level management. Without an ADOM, FortiManager cannot isolate or target individual VDOMs for policy deployment.

Exam trap

The trap here is that candidates often think a Policy Package (Option C) is the first object to configure, overlooking that FortiManager requires the ADOM to be set up first to establish the management scope and VDOM mapping before any policy package can be created or linked to a specific VDOM.

How to eliminate wrong answers

Option A is wrong because a Device Group is a logical grouping of FortiGate devices used for bulk operations or installation targets, but it does not provide the necessary VDOM-level isolation or management context required to deploy policy packages to specific VDOMs. Option B is wrong because Install Preview is a verification step that shows the changes to be installed after a policy package has been configured and assigned; it is not a prerequisite object. Option C is wrong because a Policy Package contains the firewall policies and objects, but it cannot be created or assigned to a specific VDOM until the ADOM is configured to define the management domain and enable VDOM-level policy targeting.

456
MCQ (medium)

In a hub-and-spoke VPN, spokes cannot communicate with each other directly. The administrator wants to allow direct spoke-to-spoke traffic without routing through the hub. Which technology should be configured?

A. Static routes on spokes
B. IKEv1 with mode-config
C. GRE over IPsec
D. ADVPN with IKEv2

Answer: D

ADVPN uses IKEv2 to dynamically establish shortcut tunnels.

Why this answer

ADVPN (Auto Discovery VPN) enables shortcut tunnels between spokes after initial hub communication, allowing direct traffic.

457
MCQ (hard)

An administrator configures an automation stitch in FortiManager to execute a CLI script on a FortiGate when a specific event is triggered. The automation stitch is enabled but does not run when the event occurs. What is the most likely cause?

A. The event trigger is set to high severity only
B. The FortiGate does not support automation stitches
C. The automation stitch has not been installed to the FortiGate
D. The CLI script contains an invalid command

Answer: C

Automation stitches must be installed (pushed) to the FortiGate before they become active.

Why this answer

Option C is correct because in FortiManager, automation stitches are created and stored in the central management database but must be explicitly installed to the managed FortiGate via the 'Install Wizard' or a direct policy/object install. Until the stitch is installed, the FortiGate does not have the configuration locally, so even if the stitch is enabled in FortiManager and the event occurs, the FortiGate will not execute the CLI script. This is a common oversight where administrators assume enabling the stitch in FortiManager automatically pushes it to the device.

Exam trap

The trap here is that candidates assume enabling the automation stitch in FortiManager is sufficient for it to run on the FortiGate, overlooking the critical step of installing the configuration to the managed device, which is a common point of failure in centralized management workflows.

How to eliminate wrong answers

Option A is wrong because the event trigger in FortiManager can be configured for any severity level (low, medium, high, or any), and by default, triggers are not restricted to high severity only; even if the trigger were set to high severity only, the stitch would still run whenever an event matched that severity, so this would not prevent the stitch from running entirely. Option B is wrong because FortiGate devices running FortiOS 6.0 or later fully support automation stitches, and the question states the stitch is configured in FortiManager, implying the FortiGate is a supported model. Option D is wrong because an invalid command in the CLI script would cause the script to fail during execution, not prevent the automation stitch from being triggered; the stitch would still run and attempt to execute the script, but the script would produce an error.

458
MCQ (medium)

When troubleshooting an IPsec VPN phase 1 negotiation failure, which debug command should the administrator run to see detailed IKE negotiation messages?

A. diagnose vpn ike log
B. diagnose debug application ike -1
C. get vpn ipsec tunnel details
D. diagnose debug application ipsec -1

Answer: B

This enables IKE debug with level -1 for verbose output.

Why this answer

The command 'diagnose debug application ike -1' enables detailed IKE debugging, showing phase 1 and phase 2 negotiation steps.

459
Multi-Select (medium)

A FortiGate administrator is configuring a multi-VDOM deployment. The administrator wants to use a single physical interface for multiple VDOMs. Which TWO methods allow this?

Select 2 answers
A. Use the same physical interface in multiple VDOMs directly
B. Use NP6 virtual interfaces (e.g., virtual wire) on supported models
C. Configure VLAN subinterfaces and assign each to a different VDOM
D. Create a software switch interface and assign it to multiple VDOMs
E. Configure inter-VDOM routing to share the same IP subnet

Answers: B, C

Some FortiGate models with NP6 processors support virtual interfaces that can be assigned to different VDOMs.

Why this answer

Option B is correct because on supported FortiGate models with NP6 processors, you can create NP6 virtual interfaces (e.g., virtual wire pairs) that allow a single physical interface to be shared across multiple VDOMs without VLAN tagging. Option C is correct because VLAN subinterfaces can be created on a physical interface and each subinterface assigned to a different VDOM, enabling multi-VDOM use of the same physical port.

Exam trap

The trap here is that candidates often assume a physical interface can be directly shared among VDOMs (Option A), not realizing that FortiGate requires either VLAN subinterfaces or NP6 virtual interfaces to achieve this separation.

460
Multi-Select (easy)

A FortiGate administrator is planning to use policy packages in FortiManager to manage firewall policies for multiple devices. Which TWO statements about policy packages are true?

Select 2 answers
A. Header and footer policies can be used to enforce common rules across all policies
B. Policy packages are automatically applied to the device upon creation
C. Policy packages cannot include NAT policies
D. A policy package can be shared among multiple FortiGate devices
E. A policy package can contain policies for different VDOMs

Answers: A, D

Header policies are processed first, footer policies last, allowing consistent enforcement.

Why this answer

Options A and C are correct. Policy packages can be shared across multiple devices of the same type (e.g., FortiGate) within the same ADOM. Header and footer policies allow common policy rules (like logging or NAT) to be applied consistently across all policies in the package.

461
MCQ (hard)

An administrator configured FortiGate to forward suspected malicious files to FortiSandbox. They set the action to 'block' for malicious verdicts. Some files are being blocked, but others with a 'clean' verdict are allowed. However, they notice that some files that should have been sent to FortiSandbox are not being forwarded. Which reason is MOST likely?

A. The FortiGate antivirus engine is set to proxy-based mode
B. The FortiGate has insufficient disk space for temporary files
C. The file size exceeds the maximum size configured for FortiSandbox scanning
D. The FortiSandbox device is overloaded and rejecting submissions

Answer: C

File size limits in the scanning profile prevent oversized files from being submitted to FortiSandbox.

Why this answer

Option C is correct. FortiGate uses a scanning profile that includes file size and type limits; if the file exceeds the maximum size configured for FortiSandbox submission, it will not be forwarded.

462
MCQ (hard)

Based on the exhibit, what can be concluded about the session?

A. The session is a one-way session with only outbound traffic.
B. The session is not being logged.
C. The session is offloaded to the NPU for hardware acceleration.
D. The session is in the 'npu' state, meaning it is being processed by the CPU.

Answer: C

The 'npu' flag indicates hardware offloading to the network processor.

Why this answer

The session state 'npu' indicates that the session has been offloaded to the Network Processor Unit (NPU) for hardware acceleration. This is a normal and expected state for traffic that matches hardware-offloadable profiles, allowing the NPU to process packets at wire speed without CPU intervention.

Exam trap

The trap here is that candidates often confuse the 'npu' state with CPU processing, assuming it means 'NPU processing by CPU' rather than recognizing it as hardware offload, leading them to select Option D incorrectly.

How to eliminate wrong answers

Option A is wrong because the session state 'npu' does not imply one-way or only outbound traffic; it simply indicates hardware offload, and sessions can be bidirectional. Option B is wrong because the session state 'npu' does not indicate whether logging is enabled or disabled; logging is configured separately via firewall policies or session log settings. Option D is wrong because the 'npu' state means the session is offloaded to the NPU for hardware acceleration, not that it is being processed by the CPU; CPU processing would be indicated by states like 'tcp' or 'udp' without offload.

463
MCQ (medium)

An administrator is troubleshooting a split-brain situation in an HA cluster. They run 'get system ha status' and see that both FortiGates report themselves as primary. Which command should they run to force the secondary unit to take over as primary?

A. execute ha failover
B. reboot the primary unit
C. diagnose sys ha reset-uptime
D. diagnose sys ha stop

Answer: C

Resets the uptime, which can trigger a priority re-evaluation and failover.

Why this answer

Option D is correct. The 'diagnose sys ha reset-uptime' command resets the HA uptime on the unit, causing it to recalculate priority. If the other unit has a higher priority, this can force a failover.

Note that 'execute ha failover' is not a valid command, and FortiGate does not have a direct failover command; the standard method is to reboot the primary or use 'diagnose sys ha reset-uptime'.

Option D is the most appropriate.

464
Multi-Select (hard)

A security engineer wants to implement advanced threat protection for email using FortiMail. Which THREE features should be enabled to provide comprehensive protection against sophisticated email threats? (Choose three.)

Select 3 answers
A. URL rewriting and click-time protection
B. FortiSandbox integration for email attachments
C. Anti-Spam filter
D. DMARC verification
E. Attachment size limits

Answers: A, B, D

URL rewriting protects against phishing links.

Why this answer

URL rewriting and click-time protection (A) is correct because it proactively neutralizes malicious URLs in emails by rewriting them to route through FortiMail's proxy, enabling real-time inspection at the time of click. This defends against phishing and credential-harvesting attacks that use URLs to deliver payloads or steal credentials, even if the URL was benign at delivery time.

Exam trap

The trap here is that candidates often mistake basic anti-spam or administrative controls (like attachment size limits) for advanced threat protection features, overlooking that sophisticated threats require dynamic, behavior-based defenses such as URL rewriting, sandboxing, and email authentication protocols.

465
MCQ (hard)

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A. The session is timed out
B. The session is closing (FIN_WAIT)
C. The session is in SYN_SENT state, waiting for SYN-ACK
D. The session is fully established (proto_state=01 means established)

Answer: C

proto_state=01 indicates SYN_SENT.

Why this answer

The output shows `proto=6` (TCP), `proto_state=01`, `duration=3600`, and `expire=3599`. In Fortinet's session table, `proto_state=01` for TCP indicates the session is in the SYN_SENT state, meaning the firewall has forwarded a SYN packet and is waiting for a SYN-ACK from the remote host. The session is not yet established, as the three-way handshake has not completed.

Exam trap

The trap here is that candidates often misinterpret `proto_state=01` as an established session because they associate '01' with a binary 'on' or 'active' state, but in Fortinet's TCP state encoding, 01 specifically means SYN_SENT, not established.

How to eliminate wrong answers

Option A is wrong because the session has an expire value of 3599 seconds, meaning it is still active and not timed out. Option B is wrong because a FIN_WAIT state would be represented by a different proto_state value (e.g., 04 or 05), not 01; proto_state=01 specifically indicates SYN_SENT, not a closing state. Option D is wrong because proto_state=01 does not mean established; an established TCP session would show proto_state=02 (SYN_RCVD) or proto_state=03 (ESTABLISHED) in Fortinet's session table.

466
MCQ (hard)

During a ZTNA deployment, an administrator notices that traffic from a specific internal application is being routed through the ZTNA gateway but is not reaching the destination server. The FortiGate policy allows the traffic, and the client has a valid ZTNA connection. What is the most likely cause of the issue?

A. The ZTNA proxy rule on the FortiGate is misconfigured, pointing to the wrong destination IP or port.
B. The client's FortiClient agent is not connected to the EMS server.
C. The destination server does not have internet connectivity.
D. The FortiGate policy is set to deny traffic from the client's subnet.

Answer: A

A misconfigured proxy rule would cause traffic to be sent to the wrong destination.

Why this answer

Option A is correct because in a ZTNA deployment, the FortiGate acts as a reverse proxy for internal applications. If the ZTNA proxy rule is misconfigured with an incorrect destination IP or port, the FortiGate will forward the traffic to the wrong backend server or service, causing the connection to fail even though the client has a valid ZTNA connection and the firewall policy permits the traffic.

Exam trap

The trap here is that candidates often assume the issue is with the client's connectivity or the firewall policy, but the key is that a valid ZTNA connection and permissive policy do not guarantee correct proxy forwarding—the proxy rule itself must accurately point to the destination server.

How to eliminate wrong answers

Option B is wrong because the client already has a valid ZTNA connection, which requires the FortiClient agent to be connected to the EMS server for authentication and posture checks; if it were disconnected, the ZTNA connection would not be established. Option C is wrong because the destination server does not need internet connectivity; ZTNA traffic is proxied through the FortiGate, and the server only needs reachability from the FortiGate, not the public internet. Option D is wrong because the question explicitly states that the FortiGate policy allows the traffic, so a deny policy for the client's subnet would contradict that condition.

467
Multi-Select (medium)

A FortiGate is configured as a ZTNA proxy. The administrator wants to ensure that only devices with a specific ZTNA tag assigned by FortiClient EMS are allowed to access the application. Which two configuration steps are required? (Choose two.)

Select 2 answers
A. Configure a firewall policy with the ZTNA proxy as destination and enable 'allow only ZTNA'
B. Create a firewall policy allowing all traffic to the ZTNA proxy
C. Enable 'set ztna-tag' on the FortiGate interface
D. Create a ZTNA access rule with a condition matching the tag
E. Import the ZTNA tag from EMS into FortiGate

Answers: D, E

Why this answer

To restrict access based on ZTNA tags, the tag must be imported from EMS (D) and then used in a ZTNA access rule condition (A).

468
Multi-Select (medium)

An administrator is investigating a security incident where a workstation is communicating with a known command and control (C2) server. The FortiGate has IPS enabled but did not block the traffic. Which TWO configuration issues could explain why the IPS did not detect the C2 communication? (Choose two.)

Select 2 answers
A. The firewall policy does not have SSL deep inspection enabled
B. The IPS sensor is configured in 'Inline' mode
C. The IPS sensor has 'Logging' disabled
D. The IPS sensor does not include signatures for the C2 protocol or pattern
E. The FortiGate is operating in 'Transparent' mode

Answers: A, D

Without SSL inspection, encrypted C2 traffic is invisible to IPS.

Why this answer

Option A is correct because without SSL deep inspection, the FortiGate cannot decrypt HTTPS traffic to inspect the payload for C2 signatures. IPS operates on decrypted content; if the C2 communication uses TLS, the IPS engine only sees encrypted packets and cannot match application-layer signatures. Enabling SSL deep inspection with a valid CA certificate is required to decrypt and inspect the traffic.

Exam trap

The trap here is that candidates often assume 'Inline' mode or 'Transparent' mode inherently affect detection capability, when in fact they only affect traffic flow or logging, not the IPS engine's ability to inspect decrypted content.

469
MCQ (medium)

An administrator configures a route map on a FortiGate to redistribute connected routes into OSPF. The route map sets a metric of 100. After applying, the redistributed routes appear with metric 20. What is the most likely reason?

A. The route map is applied to the wrong direction
B. OSPF does not allow metric setting via route maps
C. The route map is not applied to the redistribution configuration
D. The metric type is set to type 1

Answer: C

If the route map is not referenced in the 'redistribute connected' command, it has no effect.

Why this answer

When redistributing into OSPF, the metric type can be set to type 1 or type 2. Type 2 (default) does not add internal cost, but the metric set in the route map should still apply. However, if the route map is not applied correctly, OSPF's default metric for redistributed routes (20) overrides it, which points to a misconfigured route map.

Option D is correct: the route map might not be applied to redistribution.

470
MCQ (medium)

An administrator configures a route-map to match prefix-list 'PREFIX' and set metric 20. Which OSPF route redistribution uses this route-map correctly?

A.
    config router ospf
        config redistribute "connected"
            set route-map "RM"
        end

B.
    config router policy
        config route-map
            edit "RM"
                config rule
                    set match-ip-address "PREFIX"
                    set set-metric 20
                end
            end

C.
    config router ospf
        set route-map "RM"

D.
    config router prefix-list
        edit "PREFIX"
            set rule permit 10.0.0.0/8
        end

Answer: A

Route-map is applied in the redistribute configuration.

471
MCQ (hard)

An administrator runs 'diagnose debug application fnbam 3' and sees many entries with state 'sctp'. The FortiGate has flow-based inspection enabled. What is being indicated?

A. Traffic is being fast-forwarded without security profile inspection
B. The FortiGate is performing SCTP deep inspection
C. The FortiGate is using proxy-based inspection
D. There is an SCTP-based attack in progress

Answer: A

fnbam entries with 'sctp' indicate sessions that bypass full scanning.

Why this answer

The 'diagnose debug application fnbam 3' command shows the FortiGate's flow-based Network Processor (NPU) session offload status. When entries show state 'sctp', it indicates that the traffic is being handled by the SCTP (Session Control Traffic Path) fast-path, meaning the session is offloaded to the NPU for hardware acceleration and bypasses security profile inspection. This is normal for flow-based inspection when traffic matches fast-path criteria, not an indication of SCTP protocol inspection or attacks.

Exam trap

The trap here is that candidates see 'sctp' and immediately think of the Stream Control Transmission Protocol (SCTP) rather than recognizing it as a FortiGate-specific acronym for 'Session Control Traffic Path' in the NPU offload context.

How to eliminate wrong answers

Option B is wrong because SCTP deep inspection would require explicit SCTP inspection profiles and would show different debug states (e.g., 'deep_inspect'), not 'sctp' in fnbam output. Option C is wrong because proxy-based inspection would show states like 'proxy' or 'deep' in fnbam debug, not 'sctp', and the question explicitly states flow-based inspection is enabled. Option D is wrong because 'sctp' state in fnbam indicates normal fast-path offloading, not an attack; attack indicators would appear in IPS logs or as 'drop' states, not as 'sctp'.

472
MCQ (medium)

An administrator runs 'diagnose sys session filter dport 443' and sees 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

A. The session is a UDP flow
B. The session is in TCP SYN_SENT state
C. The session will expire in 3599 milliseconds
D. The session has been idle for 3600 seconds

Answer: B

proto_state=01 is TCP SYN_SENT.

Why this answer

The output shows 'proto=6', which is TCP (protocol 6), and 'proto_state=01', which in FortiGate's session table indicates the TCP SYN_SENT state (the first step of the three-way handshake). The 'duration=3600' means the session has been alive for 3600 seconds, and 'expire=3599' means it will expire in 3599 seconds if no further packets are seen. Therefore, the session is in the TCP SYN_SENT state, making option B correct.

Exam trap

The trap here is that candidates confuse 'duration' with idle time or misinterpret 'expire' as milliseconds, when in fact FortiGate uses seconds for both and 'proto_state=01' is a direct indicator of the TCP SYN_SENT state.

How to eliminate wrong answers

Option A is wrong because 'proto=6' explicitly indicates TCP, not UDP (UDP is protocol 17). Option C is wrong because the 'expire' value is in seconds, not milliseconds; 3599 seconds remain before the session times out. Option D is wrong because 'duration=3600' represents the total time the session has existed since creation, not idle time; idle time is tracked separately via the 'idle' field in the session dump.

473
MCQ (medium)

A network administrator is troubleshooting an IPsec VPN tunnel that is not coming up. The configuration uses IKEv2 with pre-shared keys. The administrator runs 'diagnose vpn ike log-filter' and sees no logs. What is the most likely cause?

A. IKE debug is not enabled
B. The pre-shared key does not match
C. The tunnel name is misspelled in the filter
D. The remote gateway is unreachable

Answer: A

Why this answer

Without enabling IKE debug, the diagnose command will not show any output even if the tunnel is failing. The log-filter only filters the debug output; debug must be started first.

474
MCQ (medium)

A FortiGate is configured with VRF. Which statement about VRF is true?

A. Interfaces can belong to multiple VRFs simultaneously.
B. VRF allows multiple routing tables to coexist on the same FortiGate.
C. Routes from different VRFs can be automatically redistributed without configuration.
D. VRF can only be used when OSPF is enabled.

Answer: B

VRF creates separate routing tables for segmentation.

475
MCQ (medium)

An administrator configures inter-VDOM routing between VDOMs A and B using a VDOM link. The administrator can ping from VDOM A to an interface in VDOM B, but traffic from VDOM B to VDOM A times out. What is the most likely cause?

A. VDOM B has no traffic VDOM capability
B. The route back to the source subnet is missing in VDOM A
C. The firewall policy in VDOM B is blocking traffic
D. The VDOM link's MTU is set too high

Answer: B

For traffic from B to A to succeed, VDOM A must have a route back to the source subnet. Without it, return traffic is dropped.

Why this answer

The correct answer is B because inter-VDOM routing requires a route in both directions. Since the administrator can ping from VDOM A to VDOM B, the forward path works, but the return traffic from VDOM B to VDOM A fails due to a missing route back to the source subnet in VDOM A. This is a classic asymmetric routing issue where the destination VDOM (A) does not know how to reach the source subnet of VDOM B.

Exam trap

The trap here is that candidates assume a successful ping in one direction implies full bidirectional connectivity, overlooking that each VDOM maintains an independent routing table and the return path must be explicitly configured.

How to eliminate wrong answers

Option A is wrong because VDOMs do not have a 'traffic VDOM capability' setting; all VDOMs can forward traffic by default, and the ability to ping in one direction proves VDOM B is capable of processing traffic. Option C is wrong because if a firewall policy in VDOM B were blocking traffic, the ping from VDOM A to VDOM B would also fail, as the policy would block the forward direction as well. Option D is wrong because an MTU mismatch would cause fragmentation issues or packet drops for large packets, but ICMP echo requests and replies are typically small and would not be affected by a high MTU setting; moreover, the symptom is a complete timeout, not partial or intermittent failure.

476
MCQ (easy)

A FortiGate is set up in a high availability (HA) cluster. The administrator notices that the primary unit is not synchronizing configuration changes to the secondary unit. The HA status shows 'synchronization failed'. What is the most likely cause?

A. The firmware versions are different on the two units.
B. The HA heartbeat interface is down.
C. NAT policies are misconfigured.
D. The configuration has not been saved on the primary unit.

Answer: D

HA sync only occurs after the configuration is saved; unsaved changes are not synchronized.

Why this answer

Option D is correct because FortiGate HA requires the configuration to be saved (via 'execute backup config' or 'write memory') on the primary unit before it can be synchronized to the secondary unit. If the configuration is not saved, the primary unit does not have a committed configuration to push, leading to a 'synchronization failed' status even though the HA cluster is otherwise healthy.

Exam trap

The trap here is that candidates often assume HA synchronization issues are always caused by network or heartbeat problems, overlooking the fundamental requirement that the configuration must be saved before it can be synchronized.

How to eliminate wrong answers

Option A is wrong because FortiGate HA requires both units to run the same firmware version; if they differ, the cluster will not form at all or will show 'version mismatch', not just a synchronization failure. Option B is wrong because if the HA heartbeat interface is down, the cluster would show 'heartbeat lost' or 'standalone' status, not 'synchronization failed'—the units would not be able to communicate at all. Option C is wrong because NAT policies are a data-plane configuration and do not affect HA configuration synchronization, which is a control-plane function.

477
MCQ · hard

You are troubleshooting BFD on a FortiGate SD-WAN deployment. BFD is configured on two WAN interfaces (wan1, wan2) with a minimum transmit interval of 100 ms and a multiplier of 3. The network experiences occasional jitter causing packet loss. After a brief outage, the BFD session does not recover. Which setting should be adjusted to improve BFD resilience without significantly increasing failover time?

A. Disable BFD and rely on route timers.
B. Enable BFD on the management interface.
C. Increase the BFD minimum transmit interval on both interfaces.
D. Increase the BFD multiplier to 4 or higher.
Answer: D

A higher multiplier allows more missed packets, making BFD more tolerant to transient jitter.

Why this answer

Increasing the multiplier allows more consecutive missed BFD packets before declaring the session down, making it more tolerant to jitter. Decreasing the interval would make it more sensitive. The multiplier of 3 means 3 * 100 ms = 300 ms before declaring down; increasing to 4 would give 400 ms tolerance, improving resilience.

478
MCQ · medium

An organization is deploying SD-WAN across multiple sites with two internet links (MPLS and broadband) at the main branch. They want voice traffic to use the MPLS link unless it fails, in which case failover to broadband should occur. Which SD-WAN rule configuration achieves this?

A. Configure an SD-WAN rule for voice with strategy 'maximize bandwidth' and members MPLS and broadband.
B. Configure an SD-WAN rule for voice with strategy 'lowest cost' and members MPLS and broadband.
C. Configure an SD-WAN rule for voice with strategy 'best quality', set MPLS as preferred member, and define SLA targets for MPLS.
D. Configure an SD-WAN rule for voice with strategy 'manual' and members MPLS and broadband.
Answer: C

Best quality with preferred member and SLA ensures MPLS used unless SLA fails.

Why this answer

Option C is correct because the 'best quality' strategy with a preferred member and SLA targets allows voice traffic to use the MPLS link as long as it meets the defined SLA (e.g., latency, jitter, packet loss). If the MPLS link fails or degrades below the SLA threshold, the SD-WAN rule automatically fails over to the broadband link, ensuring voice traffic continuity.

Exam trap

The trap here is that candidates often confuse 'best quality' with 'lowest cost' or 'maximize bandwidth', not realizing that 'best quality' with a preferred member provides the exact active/passive failover behavior required for voice traffic.

How to eliminate wrong answers

Option A is wrong because 'maximize bandwidth' strategy load-balances traffic across all members, not providing the required active/passive failover behavior. Option B is wrong because 'lowest cost' strategy selects the link with the lowest cost metric, which does not guarantee MPLS as the primary link or failover based on link health. Option D is wrong because 'manual' strategy requires explicit user intervention to switch links, lacking automatic failover based on link failure or SLA degradation.

479
MCQ · medium

A FortiGate is configured with a route map named RM_OSPF that sets a metric of 100 for redistributed routes. The route map is applied to redistribution into OSPF. After applying, the redistributed routes have a metric of 20. What could be the cause?

A. The route map does not have a match statement and therefore is not applied
B. The route map is applied in the wrong direction
C. The OSPF process has a default-metric of 20 that overrides the route map
D. The redistributed route is already in OSPF with a metric of 20
Answer: A

If a route map has no match statements, it matches nothing, and the default metric (20) is used.

480
Multi-Select · medium

An administrator is configuring SD-WAN on a FortiGate to route traffic between two internet connections (ISP1 and ISP2). The SD-WAN rules use performance SLA to measure latency. Which TWO statements are true about SD-WAN rule matching and failover?

Select 2 answers
A. When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status.
B. SD-WAN rules can use multiple members and the best member is selected based on performance SLA measurements.
C. SD-WAN automatically fails over all sessions to the backup member if the primary member exceeds the SLA threshold.
D. If multiple SD-WAN rules match, the rule with the highest bandwidth member is used.
E. When the SD-WAN rule action is set to 'lowest cost' and no member meets the SLA, the FortiGate drops the traffic.
Answers: A, B

Correct. If no member meets the SLA, the FortiGate uses the member with the best SLA status (least bad) to forward traffic.

Why this answer

Option A is correct because when an SD-WAN rule is configured with 'best quality' strategy, the FortiGate selects the member with the best SLA status even if no member fully meets the SLA threshold. This ensures traffic is still forwarded using the least-bad option rather than being dropped, maintaining connectivity under degraded conditions.

Exam trap

The trap here is that candidates often assume 'best quality' or 'lowest cost' actions will drop traffic when no member meets the SLA, but FortiGate always forwards traffic using the best available member to avoid connectivity loss.

481
Multi-Select · easy

An administrator is investigating a security incident using FortiAnalyzer logs. The admin wants to identify all traffic that matched a specific firewall policy. Which TWO log fields should the admin use to filter the logs?

Select 2 answers
A. policyid
B. user
C. appid
D. dstip
E. srcintf
Answers: A, E

The policy ID directly identifies the firewall policy that processed the traffic.

Why this answer

In FortiAnalyzer logs, the policy ID (usually 'policyid' or 'policy_id') and source interface (e.g., 'srcintf') are key fields to identify which firewall policy matched the traffic. Other fields like destination IP or user name are not directly tied to the policy ID.

482
MCQ · medium

An administrator notices that after upgrading FortiOS, the ADVPN shortcut tunnels are no longer being established. The hub and spokes have the same ADVPN configuration as before. What is the most likely cause?

A. The spokes do not have routes to each other's networks via the hub
B. The IKE version changed to IKEv1
C. Dead Peer Detection (DPD) is disabled on the tunnel
D. The hub's ADVPN configuration was reset during upgrade
Answer: A

Shortcut tunnels are triggered when a spoke has traffic to another spoke's network but no direct route; if routing is not working (e.g., BGP not advertising), shortcuts won't be negotiated.

Why this answer

ADVPN shortcut tunnel initiation may require proper routing. If dynamic routing (e.g., BGP or OSPF) is not advertising the spoke networks to each other, spokes won't have routes to trigger shortcuts.

483
MCQ · easy

A network administrator is configuring VDOMs on a FortiGate and wants to separate management traffic from production data traffic. What is the best practice when using a management VDOM?

A. Disable management access on all VDOMs except the root VDOM
B. Use inter-VDOM routing to route management traffic to the root VDOM
C. Create a dedicated management VDOM and assign only management interfaces to it
D. Assign all interfaces to the management VDOM
Answer: C

This isolates management traffic.

Why this answer

Creating a dedicated management VDOM and assigning only management interfaces to it is the best practice because it isolates management traffic from production data traffic, reducing the attack surface and preventing management access from being exposed to untrusted networks. This aligns with Fortinet's security best practices for VDOM administration, ensuring that management functions are logically separated from data-plane operations.

Exam trap

The trap here is that candidates often confuse the root VDOM's default management role with a best-practice isolation strategy, assuming that disabling management on other VDOMs is sufficient, when in fact a dedicated management VDOM provides true separation and is the recommended approach in the NSE7 curriculum.

How to eliminate wrong answers

Option A is wrong because disabling management access on all VDOMs except the root VDOM does not inherently separate management traffic from production data; the root VDOM itself may still carry production traffic, and this approach does not create a dedicated management plane. Option B is wrong because using inter-VDOM routing to route management traffic to the root VDOM mixes management and production traffic at the routing layer, defeating the purpose of isolation and introducing potential security risks. Option D is wrong because assigning all interfaces to the management VDOM would collapse all traffic—including production data—into the management domain, eliminating any separation and exposing management functions to production threats.

484
MCQ · medium

A FortiGate administrator wants to use FortiManager automation stitches to automatically block an IP address when a specific threat is detected. Which components must be configured within the automation stitch?

A. A trigger and a connector to an external threat feed
B. An action only, since the trigger is predefined
C. A trigger, at least one action, and optionally conditions
D. A schedule and a script
Answer: C

Trigger defines when to run; action defines what to do; conditions filter.

Why this answer

An automation stitch in FortiManager requires a trigger (e.g., an event or log match) to start the workflow, at least one action (e.g., a CLI script to block an IP via firewall address creation), and optionally conditions to filter when the trigger fires. This three-part structure is mandatory because the trigger defines the event, the action executes the response, and conditions provide granular control without which the stitch would fire on every trigger occurrence.

Exam trap

The trap here is that candidates assume the trigger is implicit or predefined (like a schedule) and only an action is needed, but FortiManager requires explicit trigger configuration even for event-based automation, and conditions are optional but often necessary to avoid false positives.

How to eliminate wrong answers

Option A is wrong because a connector to an external threat feed is not a required component of an automation stitch; the stitch uses a trigger (like a log event) and actions, not an external feed connector. Option B is wrong because the trigger is not predefined; the administrator must configure a trigger (e.g., event handler or schedule) and at least one action, so an action alone is insufficient. Option D is wrong because a schedule is only one type of trigger (time-based) and a script is one type of action; the stitch requires a trigger and action, but not exclusively a schedule and script—other triggers (e.g., event-based) and actions (e.g., email, webhook) are valid.

485
MCQ · medium

An administrator configures an automation stitch on FortiGate to automatically block an IP address when a specific IPS signature triggers. What must be configured as the trigger and action?

A. Trigger: 'Event Log' with filter for the IPS signature; Action: 'Add IP to Blocklist'
B. Trigger: 'Incoming Webhook'; Action: 'CLI Script'
C. Trigger: 'FortiOS CLI'; Action: 'Alert Email'
D. Trigger: 'Schedule'; Action: 'Banned IP'
Answer: A

Event log triggers on specific log IDs; action adds IP to blocklist.

Why this answer

Option A is correct because an automation stitch in FortiGate requires a trigger that defines the event that starts the automation, and an action that defines what happens when the trigger fires. For automatically blocking an IP when a specific IPS signature triggers, the trigger must be 'Event Log' with a filter for that IPS signature, and the action must be 'Add IP to Blocklist', which directly adds the source IP to the FortiGate's blocklist (banned IP list). This combination ensures that when the IPS signature is logged, the stitch extracts the source IP and applies a block.

Exam trap

The trap here is that candidates confuse 'Banned IP' (a status or list) with the actual action name 'Add IP to Blocklist', or they mistakenly think a CLI script or webhook can directly react to an IPS event without the proper log-based trigger.

How to eliminate wrong answers

Option B is wrong because 'Incoming Webhook' is a trigger that waits for an external HTTP request, not for an IPS signature event; it cannot directly react to local IPS logs. Option C is wrong because 'FortiOS CLI' is not a valid trigger type in automation stitches; triggers are events like 'Event Log', 'Incoming Webhook', or 'Schedule', not CLI commands. Option D is wrong because 'Schedule' is a time-based trigger (e.g., daily at 2 AM), not an event-driven trigger for an IPS signature; 'Banned IP' is not a valid action name—the correct action is 'Add IP to Blocklist'.

486
MCQ · easy

What is the purpose of a header policy in a FortiManager policy package?

A. To apply policies to the management VDOM
B. To create policies that bypass security profiles
C. To define policies that are inserted at the beginning of the policy list
D. To specify the name of the policy package
Answer: C

Header policies are placed at the top of the policy list in the target device.

Why this answer

A header policy in a FortiManager policy package is used to define policies that are inserted at the beginning of the policy list, before any other policies. This ensures that certain traffic matching criteria (e.g., from specific sources or to specific destinations) is evaluated first, which is critical for enforcing high-priority rules like allowlisting or blocking specific traffic before more general policies are applied.

Exam trap

The trap here is that candidates often confuse header policies with policies that bypass security profiles or think they apply only to the management VDOM, when in fact they are simply a mechanism to control policy order within any VDOM's policy list.

How to eliminate wrong answers

Option A is wrong because header policies apply to the policy list within a VDOM, not specifically to the management VDOM; the management VDOM is a separate administrative domain used for managing the FortiGate, not for applying traffic policies. Option B is wrong because header policies do not bypass security profiles; they are simply positioned at the top of the policy list and still enforce all configured security profiles (e.g., antivirus, IPS) unless explicitly disabled in the policy. Option D is wrong because the name of the policy package is defined when creating the package, not by a header policy; header policies are entries within the package, not a naming mechanism.

487
Multi-Select · medium

A FortiGate in an HA cluster is experiencing intermittent session synchronization failures. The administrator runs 'diagnose sys ha dump sync-status' and sees that sessions are not being synchronized properly. Which TWO potential causes should the administrator investigate?

Select 2 answers
A. Mismatched HA group IDs
B. Excessive number of sessions exceeding the session sync limit
C. Incorrect BGP route advertisements
D. High packet loss or latency on the heartbeat interface
E. Mismatched HA passwords
Answers: B, D

If the session table is too large, session synchronization may fail due to resource constraints.

Why this answer

Session sync failures in HA can be caused by network issues on the heartbeat link or session table overload. Authentication or routing issues are less direct causes.

488
Multi-Select · medium

An administrator is troubleshooting an HA cluster issue. The cluster consists of two FortiGate units in active-passive mode. The passive unit is showing a 'heartbeat lost' error in the logs. Which TWO configuration checks should the administrator perform to resolve this issue?

Select 2 answers
A. Check that the HA password is the same on both units
B. Ensure the heartbeat interface is physically connected and has a valid IP address in the same subnet
C. Verify that HA override is enabled on both units
D. Confirm that the management interface IP addresses are on the same subnet
E. Verify that the heartbeat interface is configured identically on both units
Answers: B, E

Physical connectivity and IP configuration are necessary for heartbeat.

Why this answer

Option B is correct because the heartbeat interface must be physically connected and have a valid IP address on the same subnet for the two FortiGates to exchange HA heartbeat packets (typically UDP port 703). If the interface is down or the IPs are not in the same subnet, the passive unit will log 'heartbeat lost' and fail to maintain cluster synchronization.

Exam trap

The trap here is that candidates confuse the heartbeat interface's IP subnet requirement with the management interface IP subnet, leading them to incorrectly select Option D, while the actual issue is the heartbeat link's physical or IP connectivity.

489
MCQ · easy

Which FortiGate feature allows the creation of multiple virtual routing tables within a single VDOM?

A. VRF
B. Policy-based routing
C. VDOM
D. ECMP
Answer: A

VRF (Virtual Routing and Forwarding) allows multiple routing tables within a VDOM.

490
MCQ · easy

An administrator wants to isolate tenant traffic in a single FortiGate by creating separate virtual firewalls with independent routing tables, administrators, and policies. Which feature should the administrator use?

A. Virtual Domains (VDOMs)
B. Policy-based routing (PBR)
C. Virtual Router Redundancy Protocol (VRRP)
D. Virtual LANs (VLANs)
Answer: A

Correct.

Why this answer

VDOMs (Virtual Domains) are the correct feature because they partition a single FortiGate into multiple independent virtual firewalls, each with its own routing table, administrator access, and security policies. This allows complete tenant isolation within one physical appliance, meeting the administrator's requirement for separate virtual firewalls with independent routing, administration, and policy control.

Exam trap

The trap here is confusing VLANs (Layer 2 segmentation) with VDOMs (Layer 3+ virtual firewall isolation), leading candidates to pick VLANs because they think network segmentation alone achieves tenant isolation, but VLANs lack independent routing tables and administrative domains.

How to eliminate wrong answers

Option B (Policy-based routing) is wrong because it only controls traffic forwarding based on policies, not creating separate virtual firewalls with independent routing tables and administrators. Option C (VRRP) is wrong because it provides high availability and redundancy between FortiGates, not isolation of tenant traffic within a single device. Option D (VLANs) is wrong because VLANs segment Layer 2 broadcast domains and can be used with VDOMs, but alone they do not provide independent routing tables, administrators, or security policies for each tenant.

491
MCQ · medium

You are troubleshooting an SD-WAN rule where traffic is not matching the expected SLA. The FortiGate shows 'SLA mismatch' in logs. What is the MOST likely cause?

A. The interface is down
B. The SLA probe server is unreachable
C. The measured SLA values exceed the configured thresholds
D. The SD-WAN rule is not enabled
Answer: C

SLA mismatch occurs when the probe results do not meet the thresholds.

Why this answer

Option C is correct because an SLA mismatch typically indicates the interface's measured SLA parameters (latency, jitter, packet loss) do not meet the thresholds defined in the SLA rule. Option A would prevent rule matching entirely. Option B would not directly cause SLA mismatch. Option D is not relevant.

492
MCQ · medium

An administrator runs 'diagnose debug vd case <vdom_name>' and receives the error 'VDOM not found'. The VDOM exists and is configured. What is the most likely cause?

A. The VDOM is a traffic VDOM and requires a different command
B. The VDOM is administratively disabled
C. The administrator is in the wrong VDOM context
D. The VDOM name is misspelled or has incorrect case
Answer: D

The debug command is case-sensitive and requires exact spelling.

Why this answer

The 'diagnose debug vd case' command is case-sensitive and expects the exact VDOM name as configured. Even if the VDOM exists, a mismatch in letter case (e.g., typing 'VDOM1' instead of 'vdom1') will cause the 'VDOM not found' error because the command performs a literal string comparison without case normalization.

Exam trap

The trap here is that candidates assume the error means the VDOM does not exist or is misconfigured, overlooking FortiOS's strict case sensitivity for VDOM names in CLI commands.

How to eliminate wrong answers

Option A is wrong because the 'diagnose debug vd case' command works for both traffic and management VDOMs; there is no separate command for traffic VDOMs. Option B is wrong because an administratively disabled VDOM still exists in the configuration and can be referenced by name; the command would not return 'VDOM not found' but would instead show the VDOM as disabled. Option C is wrong because the VDOM context of the administrator does not affect the ability to reference another VDOM by name in this debug command; the error is about the VDOM name not being found, not about context permissions.

493
MCQ · hard

During a ZTNA implementation, the administrator configures a ZTNA rule for an internal application but users cannot connect. The FortiGate policy is correct and the application is reachable from the FortiGate. What is the most likely misconfiguration?

A. The firewall policy is set to deny traffic from the ZTNA gateway.
B. The client does not have a route to the internal application.
C. The client's FortiClient agent is not authenticated.
D. The ZTNA rule's proxy destination IP or port is wrong.
Answer: D

The proxy must correctly forward to the internal server.

Why this answer

Option D is correct because the ZTNA rule defines the mapping between the external proxy address and the internal application's actual IP and port. If the proxy destination IP or port is misconfigured, the FortiGate's ZTNA proxy cannot forward traffic to the correct internal server, even though the firewall policy and network connectivity are otherwise valid. This is a common misconfiguration when the internal application's IP or service port differs from what is specified in the ZTNA rule.

Exam trap

The trap here is that candidates often confuse ZTNA rule misconfiguration with firewall policy issues or client-side routing, but the exam specifically tests that the ZTNA rule's proxy destination must exactly match the internal application's IP and port for the proxy to forward traffic correctly.

How to eliminate wrong answers

Option A is wrong because the firewall policy for ZTNA must permit traffic from the ZTNA gateway (the proxy IP) to the internal application; a deny rule would explicitly block the proxy, but the question states the policy is correct. Option B is wrong because the client does not need a direct route to the internal application; in ZTNA, the client connects only to the FortiGate's external proxy IP, and the FortiGate handles routing to the internal application. Option C is wrong because while FortiClient authentication is required for ZTNA access, the question states users cannot connect despite a correct policy and reachable application, implying the authentication is likely successful; the issue is specifically with the ZTNA rule's proxy destination mapping.

494
MCQ · easy

What is the difference between a global ADOM and a regular ADOM in FortiManager?

A. Global ADOM manages only FortiGates in transparent mode
B. Regular ADOM cannot use meta fields
C. Global ADOM allows sharing policy packages and objects across multiple ADOMs
D. Global ADOM has unlimited device capacity
Answer: C

Correct.

Why this answer

In FortiManager, a Global ADOM is a special administrative domain that allows you to centrally manage and share policy packages, objects, and templates across multiple regular ADOMs. This enables consistent security policies and objects (like addresses, services, and schedules) to be pushed to all managed FortiGates, regardless of which ADOM they belong to. Regular ADOMs are isolated and cannot share objects or policies with other ADOMs, making the Global ADOM essential for large-scale, multi-tenant deployments.

Exam trap

The trap here is that candidates often confuse the Global ADOM with a 'super ADOM' that has unlimited resources or special device modes, when in fact its key differentiator is the ability to share objects and policies across ADOMs, not any hardware or licensing advantage.

How to eliminate wrong answers

Option A is wrong because Global ADOMs manage FortiGates in any mode (transparent, NAT/route, or VDOM), not just transparent mode; the transparent mode limitation is a misconception. Option B is wrong because regular ADOMs do support meta fields; meta fields are a feature available in both regular and Global ADOMs for adding custom metadata to objects. Option D is wrong because Global ADOMs do not have unlimited device capacity; device limits are determined by the FortiManager model and license, not by the ADOM type.

495
Multi-Select · medium

A company wants to use FortiMail to implement email authentication to prevent spoofing. Which THREE mechanisms should be configured in FortiMail's Authentication Profile?

Select 3 answers
A. DMARC
B. DKIM
C. S/MIME
D. TLS
E. SPF
Answers: A, B, E

Domain-based Message Authentication, Reporting & Conformance.

Why this answer

SPF, DKIM, and DMARC are the three standard email authentication methods.

496
MCQ · hard

Based on the debug flow output, what is the reason the packet is dropped?

A. The route to the destination is missing.
B. There is no firewall policy that matches the traffic.
C. The packet has an invalid source IP address.
D. The session table is full.
Answer: B

The message 'no matching policy' clearly states this.

Why this answer

The debug flow output indicates that the packet was dropped because no firewall policy matched the traffic. In FortiGate, even if a valid route exists, the packet must be evaluated against firewall policies; if no policy permits the traffic based on source, destination, service, and interface, the packet is silently dropped. The debug flow will show a message like 'no matching policy' or 'deny by policy' in such cases.

Exam trap

The trap here is that candidates often assume a packet drop is due to a missing route when the debug flow shows a policy drop, because they overlook that FortiGate processes routing before policies and the debug flow output explicitly indicates the stage where the drop occurred.

How to eliminate wrong answers

Option A is wrong because a missing route would cause a different debug flow message, such as 'no route to destination' or 'route lookup failed', and the packet would be dropped at the routing stage, not at the firewall policy stage. Option C is wrong because an invalid source IP address (e.g., RFC 1918 on a public interface) would typically be dropped by antispoofing checks or a specific firewall policy, not by a generic 'no matching policy' message; the debug flow would show 'invalid source' or 'reverse path check failed'. Option D is wrong because a full session table would cause a 'session table full' or 'no session available' message in the debug flow, and the drop would occur during session creation, not during policy lookup.

497
MCQ · hard

An administrator configures a WAF profile on FortiGate to protect a web application. They notice that SQL injection attacks are not being blocked. What is the MOST likely reason?

A. The web application uses HTTPS without SSL inspection
B. The FortiGuard Web Filtering subscription is inactive
C. The WAF profile is set to monitor mode
D. The WAF profile is applied to the wrong firewall policy
Answer: B

WAF signatures are part of FortiGuard Web Filtering; without subscription, updates stop.

Why this answer

Option B is correct because the FortiGuard Web Filtering subscription provides the signature database required to detect and block SQL injection attacks within a WAF profile. Without an active subscription, the WAF profile cannot update or use the latest attack signatures, rendering it unable to identify SQL injection patterns even if the profile is enabled and applied correctly.

Exam trap

The trap here is that candidates often assume a WAF profile in monitor mode is the most likely cause of attacks not being blocked, but the question emphasizes 'most likely' and the inactive subscription is a more fundamental prerequisite for signature-based detection to function at all.

How to eliminate wrong answers

Option A is wrong because HTTPS without SSL inspection does not prevent the WAF from inspecting HTTP traffic; FortiGate can still inspect the decrypted traffic if SSL inspection is configured, but the WAF operates on the application layer and can block SQL injection regardless of encryption as long as the traffic is decrypted. Option C is wrong because a WAF profile set to monitor mode would log attacks but not block them, which would be a plausible reason for SQL injection not being blocked, but the question asks for the 'most likely' reason, and an inactive FortiGuard subscription is a more fundamental issue that prevents signature-based detection entirely. Option D is wrong because applying the WAF profile to the wrong firewall policy would mean the profile is not applied to the traffic at all, but the administrator has already configured the profile and noticed it is not blocking attacks, implying the profile is applied; the issue is with the signature database, not policy application.

498
Multi-Select · medium

A FortiGate administrator needs to configure a new FortiGate in FortiManager for centralized management. Which TWO steps are required to add the device to an ADOM?

Select 2 answers
A. Create a policy package before adding the device
B. Configure a VDOM link on the FortiGate
C. Add the device to the ADOM using the device manager
D. Enable automation stitches on the FortiGate
E. Authorize the device in FortiManager
Answers: C, E

Devices are added to an ADOM for management.

Why this answer

Option C is correct because the Device Manager in FortiManager is the interface used to add a device to an ADOM. After adding the device, it must be authorized (Option E) to establish a management tunnel and allow configuration synchronization. Without authorization, the device remains in a pending state and cannot be managed.

Exam trap

The trap here is that candidates often confuse the device authorization step with initial configuration steps like creating policy packages or VDOM links, but FortiManager requires explicit authorization after adding the device to enable centralized management.

499
MCQ · medium

A FortiGate is configured with ECMP load balancing for equal-cost routes. The administrator wants to ensure that all traffic from a specific source IP uses the same next hop. Which ECMP load balancing method should be selected?

A. Destination-IP-based
B. Source-IP-based
C. Weighted random
D. Round-robin
Answer: B

Source-IP-based ECMP hashes the source IP to select a next hop, ensuring all traffic from the same source uses the same path.

500
MCQ · easy

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal web application. The current network uses FortiGate as the firewall. Which component is required to enforce ZTNA policies on the FortiGate?

A. FortiSandbox for content inspection
B. FortiAnalyzer for log analysis
C. FortiGate ZTNA proxy configuration
D. FortiAuthenticator for RADIUS authentication
Answer: C

The FortiGate acts as a ZTNA proxy/gateway that authenticates users and checks device posture before allowing access.

Why this answer

ZTNA on FortiGate requires the FortiGate to act as a ZTNA proxy (gateway) that intercepts traffic to internal applications. Option C is correct because the FortiGate must be configured as a ZTNA proxy to receive and forward traffic according to access rules.

501
MCQ · hard

During a security incident, the SOC team receives an alert from FortiSIEM about a user accessing a known malicious IP. The team wants to automatically block the IP on the FortiGate. Which FortiGate feature can be used to create an automated response based on a threat intelligence feed?

A. Automation Stitch
B. Local-in Policy
C. FortiGuard Outbreak Prevention
D. FortiGate VPN
Answer: A

Automation Stitches combine triggers (e.g., threat feed update) with actions (e.g., add address to block list) to automate responses.

Why this answer

Option A is correct because Automation Stitch in FortiOS allows you to create automated responses triggered by events such as threat intelligence feeds. By configuring an Automation Stitch with a trigger from FortiSIEM (e.g., via a webhook or syslog) and an action to add a block entry to the FortiGate's local address group or dynamic block list, the SOC team can automatically block the malicious IP without manual intervention.

Exam trap

The trap here is that candidates often confuse Automation Stitch with FortiGuard Outbreak Prevention, thinking the latter can be directly triggered by a third-party alert, when in fact Outbreak Prevention is a passive, subscription-based feed that does not support custom automation from external sources like FortiSIEM.

How to eliminate wrong answers

Option B is wrong because Local-in Policy controls traffic destined to the FortiGate itself (e.g., management access), not traffic passing through the FortiGate, so it cannot block outbound traffic to a malicious IP. Option C is wrong because FortiGuard Outbreak Prevention is a subscription service that provides real-time threat intelligence and blocking for known outbreaks, but it does not allow custom automated responses based on a specific alert from FortiSIEM; it operates independently via FortiGuard updates. Option D is wrong because FortiGate VPN is a feature for secure remote access and site-to-site connectivity, not for automated threat response or IP blocking based on threat intelligence feeds.

502
MCQ · hard

A FortiGate administrator is configuring automation stitches in FortiManager to trigger a script when a specific log event occurs. The automation stitch includes a trigger, a set of conditions, and an action. The administrator wants the script to run only if the event is generated by devices in a specific ADOM. Which element should be configured in the trigger condition?

A. Add a condition for the ADOM name in the trigger
B. Configure the script to check the ADOM at runtime
C. Use a meta field to tag the devices and filter by meta field
D. Assign the automation stitch to a specific ADOM in the settings
Answer: A

Conditions can be added to restrict the trigger to specific ADOMs.

Why this answer

Option A is correct. Automation stitches in FortiManager can include conditions that filter on ADOM, device group, or device name. To restrict to a specific ADOM, the condition should specify the ADOM name.

This ensures only events from that ADOM trigger the action.

503
MCQ · medium

A FortiGate has two VDOMs: Root and CustomerA. The administrator wants to manage the CustomerA VDOM from FortiManager. What must be configured on FortiManager to allow management of the CustomerA VDOM?

A. Configure an automation stitch on FortiManager
B. Add the FortiGate to the global ADOM
C. Enable VDOM management on FortiGate
D. Add the FortiGate's VDOM to an ADOM
Answer: D

FortiManager can manage individual VDOMs by adding them as separate devices to an ADOM (or using per-VDOM management).

Why this answer

Option D is correct because FortiManager uses Administrative Domains (ADOMs) to logically group and manage VDOMs. To manage the CustomerA VDOM, the administrator must add that specific VDOM to an ADOM on FortiManager, which then allows FortiManager to push policies, objects, and configuration to that VDOM. Without this mapping, FortiManager cannot target the VDOM for management, even if the FortiGate itself is registered.

Exam trap

The trap here is that candidates confuse enabling VDOM management on the FortiGate (which is already active) with the necessary ADOM mapping on FortiManager, leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because automation stitches are used for event-triggered automated responses (e.g., quarantine actions), not for enabling VDOM management on FortiManager. Option B is wrong because adding the FortiGate to the global ADOM only allows management of the global VDOM (Root), not individual customer VDOMs like CustomerA. Option C is wrong because VDOM management is enabled on FortiGate by default when VDOMs are created; the missing piece is the ADOM configuration on FortiManager, not a toggle on the FortiGate.

504
MCQ · medium

A FortiManager administrator is configuring ADOMs to manage multiple FortiGates. The administrator wants to ensure that changes to the central management policy package are automatically pushed to managed devices. Which setting should be enabled?

A. Enable 'Auto-link' on the device
B. Enable 'Auto-update' in the policy package
C. Configure a schedule for policy installation
D. Enable 'Central Management' on the FortiGate
Answer: B

Auto-update automatically installs policy package changes to assigned devices.

Why this answer

Option B is correct because enabling 'Auto-update' in the policy package on FortiManager ensures that any changes made to the central management policy package are automatically pushed to all managed FortiGates. This setting triggers an immediate installation of the policy package to the devices whenever a change is committed, eliminating the need for manual installation. It is specifically designed for centralized policy management in ADOM environments.

Exam trap

The trap here is that candidates often confuse 'Auto-update' with scheduling or device-level settings, mistakenly thinking that enabling 'Central Management' on the FortiGate alone will trigger automatic policy pushes, when in fact it only authorizes management, not automatic updates.

How to eliminate wrong answers

Option A is wrong because 'Auto-link' is not a valid FortiManager setting; it is most likely a confusion with 'Auto-update' or with device-level linking, neither of which controls automatic policy push. Option C is wrong because configuring a schedule for policy installation only automates the push at predefined times, not immediately upon change, which does not meet the requirement for automatic push on every change. Option D is wrong because enabling 'Central Management' on the FortiGate is a device-level setting that allows the FortiGate to be managed by FortiManager, but it does not control automatic policy package updates from FortiManager.

505
MCQ · medium

A FortiGate in NAT mode has multiple VDOMs. The administrator wants to centralize logging from all VDOMs to a single FortiAnalyzer. What configuration is required on the FortiGate to ensure logs from all VDOMs are sent?

A. Configure the FortiAnalyzer IP under system global settings
B. Configure FortiAnalyzer logging in each VDOM individually
C. Use the management VDOM as a log relay to FortiAnalyzer
D. Enable centralized logging under config log setting
Answer: B

Each VDOM has its own log settings. You must add the FortiAnalyzer server in each VDOM's log configuration.

Why this answer

In a multi-VDOM FortiGate, each VDOM operates as an independent firewall with its own logging configuration. To send logs from all VDOMs to a single FortiAnalyzer, you must configure the FortiAnalyzer IP and logging settings within each VDOM individually. This ensures that each VDOM's logs are forwarded directly to the FortiAnalyzer, as there is no global or centralized log-forwarding mechanism that aggregates logs across VDOMs.

Exam trap

The trap here is that candidates assume a global setting or the management VDOM can centralize log forwarding, but FortiGate requires per-VDOM configuration because each VDOM is a logically separate firewall instance with its own logging subsystem.

How to eliminate wrong answers

Option A is wrong because configuring the FortiAnalyzer IP under system global settings only applies to the management VDOM (or the global context in non-VDOM mode), not to all VDOMs; logs from other VDOMs would not be sent. Option C is wrong because the management VDOM cannot act as a log relay for other VDOMs; each VDOM must independently send its logs to the FortiAnalyzer. Option D is wrong because there is no 'centralized logging' command under config log setting; logging is always configured per VDOM, and the concept of centralized logging refers to the FortiAnalyzer receiving logs from multiple sources, not a FortiGate-side setting.

506
MCQ · easy

An HA cluster of two FortiGates is experiencing split-brain. Which command should the administrator use to check the current HA status and identify which unit is the primary?

A. diagnose debug application had 0
B. diagnose sys ha dump
C. get system ha status
D. show system ha
Answer: C

Standard command to show HA status and role.

Why this answer

Option C is correct. The 'get system ha status' command displays detailed HA information including the cluster status, primary/secondary roles, and synchronization state. It helps identify split-brain when both units show themselves as primary.

507
MCQ · easy

An administrator wants to configure a multi-peer IPsec VPN where one FortiGate (hub) connects to multiple remote FortiGates (spokes) using a single phase 1 interface with dynamic IP addresses. Which configuration is required on the hub?

A. Set psksecret to a group password and enable XAuth
B. Set mode to aggressive and use pre-shared keys
C. Set type to static and configure each peer's IP in separate phase1
D. Set type to dynamic and set remote-gw 0.0.0.0
Answer: D

Dynamic type with remote-gw 0.0.0.0 allows any peer to initiate the tunnel.

Why this answer

To allow multiple peers to connect with dynamic IPs, the hub must use a phase 1 interface with mode-cfg enabled to assign IPs to clients and accept connections from any remote IP (set remote-gw 0.0.0.0). This is commonly called a dial-up VPN configuration.

508
MCQ · medium

An administrator wants to integrate a FortiExtender with a FortiGate to provide additional WAN connectivity. Which configuration is required on the FortiGate to enable the FortiExtender to operate as a secondary WAN interface?

A. Configure the FortiExtender under Network > FortiExtender and assign it to a WAN interface
B. Enable LLDP on the port connected to the FortiExtender
C. Set the FortiExtender to bridge mode
D. Create a VLAN interface for the FortiExtender
Answer: A

The FortiGate creates a virtual interface for the FortiExtender.

Why this answer

Option A is correct. FortiExtender connects to the FortiGate via USB or Ethernet and is configured under Network > FortiExtender. A dedicated interface extension is created to use it as a WAN interface.

509
MCQ · medium

Which FortiMail advanced feature allows the administrator to rewrite URLs in email bodies to redirect users to a safe scanning service when they click on a link?

A. URL Rewriting
B. Attachment Filtering
C. Bounce Verification
D. Anti-Spam
Answer: A

URL Rewriting replaces links with rewritten URLs that go through FortiMail's link scanning.

Why this answer

URL Rewriting is the correct answer because it is a FortiMail advanced feature specifically designed to replace URLs in email bodies with rewritten links that redirect users through FortiMail's scanning service. When a user clicks the rewritten URL, FortiMail inspects the destination in real time for malicious content, such as phishing or malware sites, before allowing the redirect. This provides proactive protection against zero-hour threats by leveraging FortiGuard's web filtering and threat intelligence.

Exam trap

The trap here is that candidates often confuse URL Rewriting with Attachment Filtering, assuming both deal with malicious content, but URL Rewriting specifically targets links in the email body, not file attachments.

How to eliminate wrong answers

Option B (Attachment Filtering) is wrong because it focuses on scanning email attachments for malware or prohibited file types, not on rewriting URLs in email bodies. Option C (Bounce Verification) is wrong because it validates the authenticity of bounce messages to prevent backscatter spam, not URL manipulation. Option D (Anti-Spam) is wrong because it uses techniques like RBLs, greylisting, and heuristic analysis to filter unwanted bulk email, not to rewrite or scan URLs for malicious content.

510
Multi-Select · hard

A FortiGate is configured with BGP and OSPF. The administrator wants to ensure that routes learned via BGP are redistributed into OSPF, but only specific prefixes. Which three components are needed? (Select THREE.)

Select 3 answers
A. A route map that references the prefix list and sets OSPF parameters
B. Redistribution of BGP into OSPF under router ospf with the route map applied
C. A VRF to separate the routing tables
D. A prefix list to match the desired BGP routes
E. A distribute list in OSPF to filter incoming routes
Answers: A, B, D

Route map ties together match (prefix list) and set actions (metric, tag).

511
MCQ · medium

A network admin configures FortiGate to submit files to FortiSandbox for analysis. After submission, the FortiGate logs show that files are being sent but no verdict is returned. The FortiSandbox is reachable and licensed. What is the most likely cause?

A. The FortiGate is using proxy-based inspection instead of flow-based
B. The FortiSandbox server's IP is not added to the FortiGate's trusted hosts
C. The FortiGate does not have a FortiGuard Security Rating subscription
D. The antivirus profile is set to block without scanning
Answer: C

FortiSandbox verdicts are delivered via FortiGuard rating; without the subscription, verdicts are not returned.

Why this answer

Option C is correct because FortiGate requires a valid FortiGuard Security Rating subscription to receive verdicts from FortiSandbox. Without this subscription, the FortiGate can submit files and see them as sent in logs, but it cannot process the returned verdicts, resulting in no action taken on the files. The Security Rating subscription enables the communication channel for verdict retrieval, distinct from the basic FortiSandbox license.

Exam trap

The trap here is that candidates assume a licensed FortiSandbox alone is sufficient for verdict delivery, overlooking that FortiGate requires an additional FortiGuard Security Rating subscription to consume those verdicts.

How to eliminate wrong answers

Option A is wrong because proxy-based inspection does not prevent verdict retrieval; FortiGate can receive and act on FortiSandbox verdicts regardless of inspection mode, as verdicts are handled at the FortiGate-FortiSandbox communication level, not the inspection engine. Option B is wrong because trusted hosts are used for administrative access control to the FortiGate GUI/CLI, not for FortiSandbox communication; FortiSandbox connectivity relies on IP reachability and API keys, not trusted host lists. Option D is wrong because setting an antivirus profile to block without scanning would prevent file submission entirely, not cause a scenario where files are sent but no verdict is returned; the logs confirm submission occurred, ruling out this option.

512
MCQ · medium

A FortiGate administrator is troubleshooting an issue where a legitimate application is being blocked by the IPS. The administrator wants to ensure the application works while maintaining protection for other traffic. What is the best action?

A. Disable the IPS sensor on the firewall policy
B. Apply an application control profile to allow the application
C. Create a custom IPS signature to pass the specific application traffic
D. Change the IPS signature action to 'monitor' for all signatures
Answer: C

Custom signature with 'pass' action allows the application while keeping other protections.

Why this answer

Option C is correct. Creating a custom IPS signature with a 'pass' action for the specific application traffic will allow it, while the default action (block) applies to others.

513
MCQ · medium

An administrator needs to create a custom IPS signature to detect a specific exploit that sends a unique string 'EXPLOIT_2024' in the HTTP User-Agent header. Which IPS signature syntax should the administrator use?

A. F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "EXPLOIT_2024"; --context http-header;)
B. F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "User-Agent: EXPLOIT"; --service HTTP;)
C. F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "EXPLOIT_2024"; --service HTTP;)
D. F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "User-Agent: EXPLOIT_2024"; --service HTTP;)
Answer: D

This pattern matches the exact User-Agent header content.

Why this answer

Option D is correct because it uses the `--pattern` to match the exact string 'User-Agent: EXPLOIT_2024' within the HTTP header context, and `--service HTTP` ensures the signature only inspects HTTP traffic. This syntax precisely detects the exploit string in the User-Agent header as required.

Exam trap

The trap here is that candidates often assume `--context http-header` is a valid keyword (like in Snort), but FortiGate IPS uses `--service HTTP` to scope header inspection, and the pattern must include the full header field to match precisely.

How to eliminate wrong answers

Option A is wrong because `--context http-header` is not a valid keyword in FortiGate IPS signatures; the correct approach is to use `--service HTTP` to scope the signature to HTTP traffic. Option B is wrong because the pattern 'User-Agent: EXPLOIT' is incomplete—it does not include the full string 'EXPLOIT_2024', so it would fail to detect the specific exploit. Option C is wrong because the pattern 'EXPLOIT_2024' alone would match the string anywhere in the HTTP payload, not specifically in the User-Agent header, leading to false positives or missed detections.

514
MCQ · medium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A. SSL/TLS deep inspection is not enabled on the firewall policy
B. The web server's certificate is self-signed and FortiGate is rejecting the connection
C. The FortiGuard antivirus subscription has expired
D. The antivirus profile is configured for flow-based inspection instead of proxy-based
Answer: A

HTTPS traffic is encrypted. FortiGate cannot inspect the payload without SSL deep inspection decrypting the TLS session. The antivirus profile requires inspection mode to be enabled.

Why this answer

Option A is correct because HTTPS uses TLS encryption. Without SSL deep inspection enabled on the policy, FortiGate cannot decrypt and inspect the content of HTTPS traffic. The antivirus profile will only scan unencrypted traffic or traffic where deep inspection has decrypted it first.

515
MCQ · medium

During a failover test in an HA cluster, the administrator observes that the secondary unit becomes primary but does not have the latest configuration. What is the most likely cause?

A. The password encryption is mismatched
B. Config sync is not enabled
C. The HA priority is set too low
D. session-pickup is disabled
Answer: B

Config sync must be enabled to replicate configuration changes.

Why this answer

Config sync is the mechanism that replicates configuration changes from the primary unit to the secondary unit in a FortiGate HA cluster. If config sync is not enabled, the secondary unit will not receive configuration updates, so when it becomes primary after a failover, it will operate with an outdated or default configuration. This directly explains why the secondary unit lacks the latest configuration after the failover.

Exam trap

The trap here is that candidates often confuse session-pickup (which handles session state) with config sync (which handles configuration replication), leading them to incorrectly select option D when the actual issue is the missing config sync mechanism.

How to eliminate wrong answers

Option A is wrong because password encryption mismatch (e.g., different private keys or encryption settings) would cause authentication or decryption failures, not a failure to sync the configuration itself. Option C is wrong because HA priority determines which unit becomes primary during an election, but it does not affect whether configuration synchronization occurs; a low priority unit can still receive config sync if it is enabled. Option D is wrong because session-pickup is a feature for preserving stateful sessions during failover, not for synchronizing the configuration; disabling it would cause sessions to drop, not prevent config sync.

516
Multi-Select · hard

A FortiManager administrator is planning to deploy a new policy package to a FortiGate that has multiple VDOMs. To ensure the policy package is applied correctly to the target VDOM, which THREE steps should the administrator take?

Select 3 answers
A. Install the policy package to the FortiGate, selecting the correct VDOM
B. Create a new policy package in the ADOM corresponding to the target VDOM
C. Configure a revision history to track changes
D. Assign the FortiGate to the policy package
E. Enable central management on the FortiGate
Answers: A, B, D

During installation, the target VDOM must be specified.

Why this answer

Option A is correct because when installing a policy package to a FortiGate with multiple VDOMs, the administrator must select the correct target VDOM in the installation wizard. This ensures the policy package is applied to the intended VDOM and not to the global or another VDOM, which could cause policy conflicts or security gaps.

Exam trap

The trap here is that candidates may think enabling central management (Option E) is sufficient to direct policies to a specific VDOM, but the VDOM selection must be explicitly made during installation, and central management only enables communication, not VDOM targeting.

517
MCQ · easy

Which of the following is a required step when enabling VDOMs on a FortiGate for the first time?

A. Create at least two VDOMs before enabling the VDOM feature
B. Disable all firewall policies
C. Reboot the FortiGate after enabling VDOMs
D. Configure inter-VDOM routing
Answer: C

A reboot is necessary for the change to take effect.

Why this answer

When enabling VDOMs on a FortiGate for the first time, the device must be rebooted to restructure the internal data plane and control plane to support multiple virtual domains. This reboot is mandatory because the firmware transitions from a single-VDOM mode to a multi-VDOM mode, which requires reinitializing kernel structures and memory allocation for VDOM-specific resources.

Exam trap

The trap here is that candidates assume VDOMs can be enabled and used immediately without a reboot, similar to other features like interface configuration, but FortiGate specifically requires a reboot to activate the multi-VDOM architecture.

How to eliminate wrong answers

Option A is wrong because you do not need to create any VDOMs before enabling the feature; you can enable VDOMs first, then create them after the reboot. Option B is wrong because disabling firewall policies is not a prerequisite; the FortiGate will automatically flush all policies when VDOMs are enabled and the device reboots. Option D is wrong because inter-VDOM routing is an optional configuration that can be set up after VDOMs are enabled and created, not a required step during the initial enablement process.

518
MCQ · medium

An administrator is troubleshooting a ZTNA access issue. Remote users can connect to the FortiGate's ZTNA proxy, but when they try to access the internal application, they receive a 403 Forbidden error. The administrator has verified that the user is authenticated and the ZTNA rule is configured correctly. What is the most likely cause?

A. The FortiGate firewall policy allowing ZTNA traffic is missing
B. The user's device does not have the required ZTNA tags from EMS
C. The application server does not have a valid certificate
D. The ZTNA proxy is configured with the wrong port for the application
Answer: B

ZTNA rules evaluate device posture via tags. If the device lacks the required tag (e.g., antivirus enabled), the rule denies access with a 403.

Why this answer

A 403 Forbidden error in ZTNA typically indicates that the access control rule denied the request. This can happen if the device does not meet the required posture checks (ZTNA tags). Option B is correct because the ZTNA rule likely requires a specific tag that the device does not have, resulting in denial.

519
MCQ · easy

What is the purpose of configuring BFD (Bidirectional Forwarding Detection) on a FortiGate?

A. To provide rapid failure detection between two forwarding engines.
B. To load balance traffic across multiple links.
C. To encrypt BGP updates between peers.
D. To authenticate OSPF neighbors.
Answer: A

BFD provides sub-second detection of link failures, complementing routing protocol convergence.

Why this answer

BFD is a lightweight protocol that detects forwarding path failures quickly, allowing routing protocols to converge faster.

520
MCQ · medium

An administrator configures SD-WAN with two members (port1 and port2). A performance SLA monitors latency to 8.8.8.8. The SD-WAN rule uses 'Best Quality' strategy based on latency. When the link on port1 becomes slow, the FortiGate continues using port1 even though port2 has lower latency. What is the most likely cause?

A. The FortiGate is not receiving ICMP replies from 8.8.8.8
B. The SD-WAN rule is configured with 'Manual' strategy
C. The performance SLA is not associated with the SD-WAN members
D. The load balancing algorithm is set to 'volume' instead of 'lowest-latency'
Answer: C

If the performance SLA is not applied to the SD-WAN member interface, the FortiGate does not know the latency status and cannot failover.

521
MCQ · medium

A network admin notices that files submitted to FortiSandbox from FortiGate are not being analyzed. The FortiGate has a valid FortiSandbox license and the device is reachable. What configuration step is most likely missing?

A. The FortiSandbox feature is not enabled in the VDOM settings
B. The antivirus profile has 'FortiSandbox Inline Scan' disabled
C. The FortiSandbox server IP is not configured under Security Fabric > Fabric Connectors
D. The FortiGate is not registered with FortiCloud
Answer: B

Inline scan must be enabled in the antivirus profile to send files to FortiSandbox.

Why this answer

FortiSandbox integration requires an antivirus profile with FortiSandbox inline scan enabled and the FortiSandbox server IP configured. If the profile is not applied to the firewall policy or the scan option is disabled, files will not be submitted.

522
MCQ · hard

A FortiGate is configured with OSPF in multiple areas and redistributes connected routes into OSPF. The administrator notices that routes from area 1 are not appearing in area 0. The area 0 routers show the routes as 'O E2' but with an invalid metric. What is the most likely cause?

A. OSPF network type is broadcast on one side and point-to-point on the other
B. Redistribution is configured without a route map
C. The interface costs are misconfigured
D. The ABR has 'area 0 stub' configured
Answer: B

Without a route map, redistributed routes may get default metric values that can be invalid.

Why this answer

Redistributed routes are external (O E2). For an ABR to propagate a Type 5 LSA into another area, route summarization or a route map is needed; otherwise, external routes are not injected into other areas by default. However, if the ABR is not performing redistribution properly, the metric may be incorrect.

The most common cause is missing a route map to set the metric.

523
MCQ · hard

A FortiGate is configured with ECMP load balancing for multiple equal-cost routes. The administrator wants to ensure that all packets belonging to the same session go out the same interface. Which ECMP load balancing method should be used?

A. Weighted
B. Source-dest-IP-based
C. Source-IP-based
D. Spillover
Answer: B

Source-dest-IP hashing ensures that all packets in a session (same src/dst) go through the same interface, maintaining session integrity.

Why this answer

For ECMP, FortiGate supports source-dest-ip hashing to keep sessions on the same path. Other methods like round-robin may break sessions.

524
MCQ · hard

A FortiGate is configured with FortiClient EMS to enforce ZTNA posture checks. The administrator finds that some Windows 10 clients are not reporting their antivirus status correctly, causing them to be blocked. However, the clients have antivirus installed and running. What is the most likely cause?

A. The FortiClient EMS connector is disabled on the endpoints
B. The clients are not connected to the corporate network
C. The antivirus definitions are outdated
D. FortiGate is using the wrong EMS tag
Answer: A

If the EMS connector is disabled, FortiClient cannot communicate posture information to the FortiGate.

Why this answer

FortiClient requires the EMS connector to be enabled and the correct compliance profile must be applied. If the antivirus status is not reported, the connector might be disabled or the profile not assigned.

525
MCQ · easy

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal application. The application is hosted on a server with IP 10.1.1.100. Which component acts as the intermediary between users and the application in FortiGate ZTNA?

A. FortiClient EMS
B. ZTNA agent on the application server
C. ZTNA proxy on FortiGate
D. ZTNA tags assigned to the application server
Answer: C

FortiGate acts as a ZTNA gateway, hosting the proxy that terminates user connections and forwards to internal apps.

Why this answer

FortiGate ZTNA uses a reverse proxy to forward user connections to internal applications. Users connect to the proxy, which verifies identity and posture before proxying traffic to the application server.
