Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 526-600

526
MCQhard

A multi-VDOM FortiGate is running low on memory. The administrator suspects that the management VDOM is consuming excessive resources. How can the administrator limit the memory usage of the management VDOM?

A.Convert the management VDOM to a traffic VDOM
B.Enable VDOM resource limits and configure a memory cap for the management VDOM
C.Move the management VDOM to a separate physical FortiGate
D.Disable unused features in the management VDOM
AnswerB

Why this answer

Option B is correct because FortiGate VDOM resource limits allow an administrator to set a specific memory cap for each VDOM, including the management VDOM. By enabling VDOM resource limits and configuring a memory cap, the management VDOM is prevented from consuming excessive memory, ensuring fair resource allocation across all VDOMs. This is the only option that directly limits memory usage at the VDOM level without requiring hardware changes or disabling features.

Exam trap

The trap here is that candidates may think disabling unused features (Option D) is sufficient to limit memory usage, but FortiGate's VDOM resource limits provide a hard enforcement mechanism that is the only way to guarantee a VDOM does not exceed a specified memory threshold.

How to eliminate wrong answers

Option A is wrong because converting the management VDOM to a traffic VDOM does not impose any memory limit; it merely changes the VDOM's role, which does not address excessive memory consumption. Option C is wrong because moving the management VDOM to a separate physical FortiGate is an expensive and unnecessary hardware solution that does not leverage the built-in resource management capabilities of the existing device. Option D is wrong because disabling unused features may reduce memory usage but does not guarantee a hard limit; the management VDOM could still consume excessive memory from enabled features, and this approach lacks the precision and enforcement of a configured memory cap.

527
MCQhard

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A.The session is a TCP session that has been idle for 1 hour
B.The session is a UDP flow
C.The session was established 1 hour ago and will expire in about 1 hour
D.The session is in a half-open state
AnswerC

Why this answer

The output shows `duration=3600` and `expire=3599`: the session was created 3600 seconds (1 hour) ago and has 3599 seconds left before it is removed from the table. `expire` counts down from the session TTL and is reset by every packet, so it measures time since the last packet, not time since creation. `proto=6` is TCP, and in `proto_state=01` the right-hand digit is the TCP state of the session, where 1 is ESTABLISHED. The session is therefore active and will expire in about one hour if it goes silent, making option C correct.

Exam trap

The trap here is confusing `duration` (time since session started) with idle time, leading candidates to incorrectly assume the session has been idle for 1 hour instead of active for 1 hour.

How to eliminate wrong answers

Option A is wrong because `duration=3600` indicates the session has existed for 1 hour, not that it has been idle; idle time shows up as a shrinking `expire` value, not in `duration`. Option B is wrong because `proto=6` explicitly indicates TCP, not UDP (UDP uses protocol 17). Option D is wrong because `proto_state=01` is ESTABLISHED (TCP state 1); a half-open session would show SYN_SENT (2) or SYN_RECV (3) in that digit.

528
MCQmedium

A network administrator configures an IPsec VPN between two FortiGates using IKEv2. The tunnel establishes, but after a period of inactivity, traffic stops passing and the logs show 'IPsec phase 1 down'. The administrator wants to ensure the tunnel is quickly re-established when traffic resumes. Which setting should be configured?

A.Set the phase1 proposal to use AES-256-GCM.
B.Configure the phase1 to use main mode instead of aggressive mode.
C.Enable Dead Peer Detection (DPD) with 'on-idle' mode.
D.Set the IKE idle timeout to 0 (disabled).
AnswerC

Why this answer

DPD in 'on-idle' mode sends liveness probes only while no traffic is flowing through the tunnel. If the peer stops answering, FortiGate tears down the stale IKE SA so that a fresh negotiation can start as soon as traffic resumes, instead of leaving a dead SA in place until its lifetime expires. Option D only disables the IKE idle timeout; it does not probe, so the tunnel can still go down unnoticed if the peer disappears.
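A phase 1 definition that applies this answer, added here as an illustration rather than taken from the page or from Fortinet documentation; the tunnel name, interface, peer address and key are assumed:

```fortios
config vpn ipsec phase1-interface
    edit "to-branch"
        # Assumed interface, peer and key; adjust to the real topology.
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha256
        set remote-gw 203.0.113.10
        # on-idle: probe only while the tunnel carries no traffic, which is
        # exactly the quiet period in which the symptom appeared.
        # retryinterval x retrycount = 5 s x 3 = ~15 s to declare the peer dead,
        # after which the IKE SA is removed and the next packet re-negotiates.
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <pre-shared-key>
    next
end
```

Check the result with `diagnose vpn ike gateway list` (the gateway entry disappears once DPD declares the peer dead) and watch the probes with `diagnose debug application ike -1`, remembering to `diagnose debug disable` afterwards.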

529
MCQmedium

A FortiGate with SD-WAN has two members: MPLS (port1) and Broadband (port2). The performance SLA is configured to monitor latency and packet loss. The administrator notices that after a brief outage on the MPLS link, traffic fails over to Broadband but does not fail back when MPLS recovers. What is the likely cause?

A.The SD-WAN rule for the traffic has 'set failback disable'.
B.The SLA threshold is set too aggressively, causing the link to be considered down long after recovery.
C.The Broadband link has a higher cost, so the FortiGate prefers to keep traffic there.
D.The SLA probe interval is longer than the outage duration, so the SLA never detected the outage.
AnswerA

The 'failback' setting controls whether traffic returns to the preferred member when it becomes healthy again. If disabled, traffic stays on the backup link.

530
MCQeasy

What is the primary function of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus profile?

A.To detect and block zero-day malware using machine learning
B.To reconstruct files that were corrupted during transmission
C.To compress files for faster scanning
D.To remove active content and rebuild files to eliminate hidden threats
AnswerD

CDR strips potentially malicious elements and reconstructs a sanitized file.

Why this answer

CDR removes potentially dangerous content (like macros, scripts) from documents and then reconstructs a safe version, preventing exploits that might bypass signature-based detection.

531
MCQhard

An administrator is troubleshooting a scenario where IPSec VPN tunnels between two FortiGates are flapping. The logs show Phase 1 is up but Phase 2 fails with 'no proposal chosen'. The remote FortiGate has multiple Phase 2 selectors configured. What is the most likely cause?

A.Mismatched Phase 2 proxy IDs (local/remote subnets).
B.Mismatched pre-shared keys.
C.Dead Peer Detection (DPD) settings are too aggressive.
D.Certificate validation failure.
AnswerA

The error 'no proposal chosen' is often due to mismatched proxy IDs in Phase 2.

Why this answer

The 'no proposal chosen' error during Phase 2, despite Phase 1 being up, indicates a mismatch in the IPsec security association (SA) parameters. Since the remote FortiGate has multiple Phase 2 selectors configured, the most likely cause is that the local and remote proxy IDs (local and remote subnets) do not match any of the configured selectors. Phase 2 negotiation uses these proxy IDs to define which traffic should be encrypted; if they do not align, no IPsec (child) SA can be established even though the IKE SA is already up.

Exam trap

The trap here is that candidates often confuse Phase 1 and Phase 2 failures, assuming any 'no proposal chosen' error is due to Phase 1 misconfigurations like PSK or certificates, when in fact Phase 1 is already up, isolating the issue to Phase 2 proxy ID mismatches.

How to eliminate wrong answers

Option B is wrong because mismatched pre-shared keys would cause Phase 1 to fail, not Phase 2; Phase 1 is already up in this scenario. Option C is wrong because aggressive Dead Peer Detection (DPD) settings can cause tunnels to flap (go up and down), but they do not produce a 'no proposal chosen' error during Phase 2; in this scenario that error points to a Phase 2 proposal or selector mismatch. Option D is wrong because certificate validation failure would also prevent Phase 1 from completing, as certificates are used during IKE authentication in Phase 1, not Phase 2.

532
MCQeasy

What is the purpose of Dead Peer Detection (DPD) in an IPsec VPN?

A.Detect loss of connectivity to the remote VPN peer
B.Detect if the VPN tunnel is using the correct encryption algorithm
C.Detect duplicate IP addresses on the network
D.Detect packet loss over the VPN tunnel
AnswerA

DPD monitors the liveness of the remote VPN peer. If the peer becomes unreachable, DPD detects it and the tunnel can be torn down.

Why this answer

DPD is used to detect if the remote peer is still alive. It sends periodic messages and if no response is received, the tunnel is considered down. Option A is correct.

533
MCQhard

An administrator is troubleshooting a ZTNA connection issue where a user can access the ZTNA gateway but the connection to the internal application fails after a few seconds. The FortiGate logs show 'ZTNA session timeout' but the timeout value is set to 30 minutes. What could be the reason?

A.The internal application is not responding to the proxy request.
B.The ZTNA proxy idle timeout is set to a lower value than the global timeout.
C.The internal application has a 5-second timeout.
D.The client's FortiClient is not receiving the ZTNA tags.
AnswerB

The proxy idle timeout can be configured separately and may be shorter.

Why this answer

The ZTNA proxy has its own idle timeout setting that operates independently of the global timeout. Even though the global timeout is set to 30 minutes, if the per-proxy idle timeout is configured to a lower value (e.g., 30 seconds), the proxy will terminate the session after that idle period, logging 'ZTNA session timeout'. This explains why the connection fails after a few seconds despite the long global timeout.

Exam trap

The trap here is that candidates assume 'ZTNA session timeout' refers to the global timeout value, overlooking that the ZTNA proxy has its own independent idle timeout that can be set much shorter.

How to eliminate wrong answers

Option A is wrong because if the internal application were not responding, the FortiGate would log a different error such as 'connection refused' or 'upstream timeout', not a 'ZTNA session timeout'. Option C is wrong because a 5-second timeout on the internal application would cause an upstream timeout or 504 error, not a ZTNA session timeout, and the log message specifically points to the proxy's idle timeout. Option D is wrong because if FortiClient were not receiving ZTNA tags, the user would not be able to access the ZTNA gateway at all; the issue occurs after successful gateway access, ruling out tag delivery problems.

534
MCQmedium

A network administrator wants to ensure that files downloaded from the internet are analyzed by FortiSandbox before being delivered to the client. The FortiGate is configured with a FortiSandbox connection and an antivirus profile. Which setting must be enabled in the antivirus profile to submit files to FortiSandbox?

A.FortiSandbox inline scanning
B.Enable Content Disarm and Reconstruction (CDR)
C.Enable Outbreak Prevention
D.Submit files to FortiSandbox
AnswerD

The antivirus profile includes a setting to submit files to FortiSandbox for analysis.

535
MCQeasy

A network administrator wants to configure SD-WAN on a FortiGate with two internet connections (port1 and port2). The requirement is to use the link with the lowest cost as the primary path for all traffic, unless it exceeds a threshold. Which SD-WAN load balancing algorithm should the administrator choose?

A.Spillover
B.Sessions
C.Lowest-cost
D.Volume
AnswerC

Lowest Cost (SLA) considers only the members that currently meet the SLA thresholds of the attached health check and, among those, picks the one with the lowest configured cost. If the lowest-cost member falls out of SLA, the next cheapest member that still meets SLA takes over.

Why this answer

The requirement is cost-driven path selection with a quality threshold as the escape hatch, which is exactly the Lowest Cost (SLA) strategy: the member cost decides the preferred path, and the SLA thresholds (latency, jitter, packet loss) decide when that member is no longer eligible. Spillover, Sessions and Volume are load-balancing modes that spread traffic by link usage, session count or bandwidth rather than by cost, so none of them enforces a single preferred path.

536
MCQhard

An administrator has configured BGP on a FortiGate with two upstream ISPs. They notice that traffic to a specific prefix is not load-balanced as expected; all traffic goes through ISP1 even though both paths are available. 'get router info bgp network' shows the prefix with two next hops. What is the MOST likely cause?

A.The prefix is being learned via an IGP with a lower administrative distance
B.The BGP multi-path is disabled
C.The administrative distance of BGP is higher than OSPF
D.The eBGP multihop is not configured
AnswerB

BGP load balancing requires multi-path to be enabled. Even with multiple paths, if multi-path is off, only the best path is installed.
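The setting behind this answer, shown as an added configuration example that is not from the page; the AS numbers and neighbor addresses are assumed:

```fortios
config router bgp
    set as 65001
    # Without these two lines only the single best path is installed,
    # even when 'get router info bgp network' lists two next hops.
    set ebgp-multipath enable
    set ibgp-multipath enable
    config neighbor
        edit "192.0.2.1"
            set remote-as 65100
        next
        edit "198.51.100.1"
            set remote-as 65200
        next
    end
end
```

After this, `get router info routing-table bgp` should list both next hops under the prefix. Two caveats a practitioner will hit: BGP only treats paths as multipath candidates when their attributes (AS-path length, MED, origin, local preference) tie, and once both paths are in the routing table the per-session spread is governed by the ECMP mode under `config system settings` (`set v4-ecmp-mode`), so a single source still hashes to one link in the default source-ip-based mode.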

537
MCQmedium

A FortiGate administrator notices that after upgrading the firmware, some BGP sessions to a service provider are flapping. The administrator runs 'diagnose ip router bgp all' and sees that the BGP neighbor state is Active. What is the MOST likely cause of this issue?

A.A configuration checksum mismatch between the two peers
B.The BGP hold timer has expired
C.The BGP neighbor is not reachable due to a routing issue
D.The BGP password is incorrect
AnswerA

Firmware upgrades can introduce new defaults that change the update message, causing checksum mismatch and flapping.

Why this answer

Option A is correct because a configuration checksum mismatch between peers is a common post-upgrade issue that causes BGP sessions to flap. A new default setting or changed behavior in the new firmware can alter the update message, leading to a checksum mismatch.

538
MCQmedium

A FortiGate administrator is configuring inter-VDOM routing between two VDOMs: VDOM-A and VDOM-B. The administrator wants to allow traffic from VDOM-A to reach a server in VDOM-B while keeping the VDOMs logically separated. Which configuration step is REQUIRED?

A.Configure a static route in VDOM-A pointing to the server's subnet via the VDOM-B gateway
B.Create a VDOM link between VDOM-A and VDOM-B and configure firewall policies on both sides
C.Enable inter-VDOM routing under system settings globally
D.Assign the same physical interface to both VDOMs and configure routing
AnswerB

A VDOM link is the standard method for inter-VDOM routing. Each VDOM needs a policy to allow traffic out and in.

Why this answer

Inter-VDOM routing on FortiGate requires a VDOM link, which is a logical interface pair that connects two VDOMs. Firewall policies must be configured on both sides of the VDOM link to explicitly allow traffic between the VDOMs, ensuring logical separation while enabling controlled communication. Without these policies, traffic will be dropped even if routes exist.

Exam trap

The trap here is that candidates assume inter-VDOM routing is automatically enabled or can be achieved with static routes alone, overlooking the mandatory VDOM link and firewall policies that enforce logical separation.

How to eliminate wrong answers

Option A is wrong because configuring a static route in VDOM-A pointing to the server's subnet via the VDOM-B gateway is insufficient; a VDOM link and firewall policies are required to establish the inter-VDOM connection, and the gateway must be the VDOM link interface, not the VDOM-B gateway. Option C is wrong because there is no global 'inter-VDOM routing' toggle under system settings; inter-VDOM routing is enabled implicitly by creating a VDOM link and configuring policies. Option D is wrong because a physical interface cannot be assigned to two VDOMs simultaneously; each VDOM requires its own dedicated interfaces, and sharing a physical interface would break logical separation.

539
MCQeasy

What is the purpose of using a prefix list in route redistribution?

A.To match routes based on IP prefix and prefix length
B.To define a list of allowed source IPs for management access
C.To specify the next-hop for a set of routes
D.To set BGP community values on matched prefixes
AnswerA

Prefix lists match routes by network and subnet mask.

Why this answer

Prefix lists are used to match specific IP prefixes and prefix lengths, commonly used in route maps to filter routes.

540
MCQhard

A FortiGate administrator runs 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' on a FortiGate and sees the following in the output: proto=6 proto_state=01 duration=3600 expire=3599. What does this output indicate about the session?

A.The session is in SYN_SENT state; the three-way handshake is incomplete
B.The session has been terminated due to inactivity
C.The session is a UDP session
D.The session is fully established and has been active for 3600 seconds
AnswerD

proto_state=01 is TCP state 1 (ESTABLISHED); a half-open session still waiting for the SYN-ACK would show SYN_SENT (state 2) in that digit.

Why this answer

For a TCP session (`proto=6`) the right-hand digit of `proto_state` is the session's TCP state, and 1 means ESTABLISHED, so the three-way handshake has completed. `duration=3600` shows the session has existed for 3600 seconds, and `expire=3599` shows it is still far from timing out. Option A would require `proto_state=02` (SYN_SENT); option B is ruled out because a terminated session would no longer be listed and `expire` is non-zero; option C is ruled out by `proto=6` (UDP is protocol 17). This is the same output as question 527, and the reading is the same: an established session that has been active for an hour.
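Questions 527 and 540 both turn on reading the same session-table fields, so the following added walk-through serves both. It is not output from the page: the commands are FortiOS CLI, but the output lines are constructed and abridged and the addresses are made up.

```fortios
# Narrow the session table before listing it; filters persist until cleared.
diagnose sys session filter clear
diagnose sys session filter dport 443
diagnose sys session list

# --- constructed output, established session (the case in the questions) ---
# session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000
# hook=post dir=org act=snat 10.0.1.25:51514->203.0.113.5:443(192.0.2.1:51514)
# hook=pre dir=reply act=dnat 203.0.113.5:443->192.0.2.1:51514(10.0.1.25:51514)
#
#   proto=6         TCP (UDP is 17, ICMP is 1)
#   proto_state=01  right-hand digit = TCP state of the session:
#                   0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN and SYN/ACK seen,
#                   4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT,
#                   8 LAST_ACK, 9 LISTEN. The left-hand digit is the
#                   server-side leg of a proxied session and is 0 otherwise.
#                   For UDP the digits mean 00 = no reply seen, 01 = replied.
#   duration=3600   seconds since the session was created; never resets
#   expire=3599     seconds left before removal; counts down from timeout
#                   and is reset by every packet, so idle time is
#                   timeout - expire (1 s here), not duration
#
# --- constructed output, half-open session for comparison ---
# session info: proto=6 proto_state=02 duration=2 expire=8 timeout=10 flags=00000000
# hook=post dir=org act=snat 10.0.1.30:40122->203.0.113.9:443(192.0.2.1:40122)
#
#   proto_state=02  SYN_SENT: the SYN went out, no SYN-ACK has come back,
#                   and the entry is dropped when the short half-open
#                   timer (timeout=10) runs out unless the handshake completes

# Clear the filter when done, or later session commands stay narrowed.
diagnose sys session filter clear
```

A large number of entries in state 02 or 03 toward one destination port, each with a short `timeout`, is the session-table signature of a SYN flood; an entry in state 01 with `expire` close to `timeout` is simply a busy, healthy flow.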

541
MCQhard

You run 'diagnose vpn ike gateway list' on a FortiGate hub and see the following output for a spoke connection: IKE SA state: ESTABLISHED, IPsec SA state: UP, but the spoke cannot route traffic to other spokes. The ADVPN shortcut tunnel is not being established. What is the MOST likely cause?

A.DPD is not configured on the hub
B.The hub has a static route for the spoke subnet pointing to the tunnel interface
C.The spoke's phase2 proposal does not match the hub's proposal
D.The spoke is using a different IKE version than the hub
AnswerB

If the hub holds a static route for a spoke subnet, it remains the next hop for traffic between spokes and a shortcut is never established. ADVPN expects the hub to learn and propagate spoke prefixes dynamically rather than pin them with static entries that keep the hub in the path.

Why this answer

In ADVPN the hub should not carry static routes for the spoke subnets; otherwise the spokes keep using the hub as their next hop and never attempt a shortcut. The hub should learn and advertise spoke routes through dynamic routing (BGP or OSPF) instead of installing routes that make the hub itself the next hop for other spokes' subnets. Option B is correct.

542
MCQmedium

A BGP session between FortiGate and a neighbor is in 'Active' state. The administrator has verified IP connectivity and that the neighbor IP is reachable. What is the MOST likely cause?

A.The firewall policy is blocking BGP port 179
B.The remote AS number is misconfigured on either side
C.The BGP hold timer is set too high
D.The BGP network statement is missing
AnswerB

A mismatch in the remote AS number prevents BGP from establishing the session, resulting in 'Active' state.

Why this answer

The 'Active' state means the router is trying to initiate a TCP connection but is not receiving a response. Common causes include BGP configuration mismatch, especially the remote AS number.

543
MCQhard

An administrator configures a firewall policy with an application control profile to block social media. The administrator observes that some social media traffic is still passing through. The traffic is HTTPS. What additional configuration is REQUIRED for application control to effectively block HTTPS-based social media?

A.Set application control to proxy-based inspection
B.Enable 'allow-ssl-inspection' under system settings
C.Add a DNS filter to block social media domains
D.Enable 'ssl-ssh-profile' with deep inspection on the policy
AnswerD

Deep inspection decrypts HTTPS, allowing application control to inspect the application layer.

Why this answer

Application control requires visibility into the application layer to identify HTTPS-based traffic. Without SSL inspection, the firewall cannot decrypt the HTTPS payload to inspect the application signatures. Enabling an 'ssl-ssh-profile' with deep inspection on the policy allows the FortiGate to decrypt the traffic, apply the application control profile, and effectively block social media applications.

Exam trap

The trap here is that candidates may think proxy-based inspection alone is sufficient for HTTPS traffic, but without SSL decryption, the firewall cannot inspect the encrypted payload, so application control signatures are ineffective.

How to eliminate wrong answers

Option A is wrong because setting application control to proxy-based inspection alone does not enable SSL decryption; it only changes the inspection mode, but the firewall still cannot see inside encrypted HTTPS traffic without a decryption policy. Option B is wrong because 'allow-ssl-inspection' is not a valid system setting in FortiOS; SSL inspection is configured via SSL/SSH profiles and applied to firewall policies, not a global toggle. Option C is wrong because a DNS filter blocks based on domain names, but social media applications can use IP addresses, alternate domains, or bypass DNS resolution, so it does not reliably block the application traffic itself.

544
MCQeasy

A FortiGate is experiencing high CPU usage. The administrator runs 'diagnose sys top' and sees that the process 'ipsengine' is using the most CPU. What is the most likely cause?

A.The firewall is experiencing a memory leak.
B.A large volume of traffic is being inspected by IPS, possibly due to a DoS attack.
C.The antivirus engine is scanning large files.
D.There is a routing loop causing packet bouncing.
AnswerB

IPS engine uses CPU for deep packet inspection; high volume or many signatures increases load.

Why this answer

The ipsengine process handles Intrusion Prevention System (IPS) inspection. High CPU usage by ipsengine typically indicates that the FortiGate is processing a large volume of traffic through IPS signatures, which is computationally intensive. This is often triggered by a DoS attack or a sudden surge in traffic that requires deep packet inspection, overwhelming the CPU.

Exam trap

The trap here is that candidates may confuse ipsengine with avengine or assume high CPU is always due to a memory leak, but the specific process name directly points to IPS inspection overload.

How to eliminate wrong answers

Option A is wrong because a memory leak would manifest as steadily increasing memory consumption over time, not as high CPU usage by ipsengine; the 'diagnose sys top' output shows CPU usage, not memory. Option C is wrong because antivirus scanning is handled by the 'avengine' process, not 'ipsengine'; the question explicitly states ipsengine is the culprit. Option D is wrong because a routing loop causes packet bouncing and high CPU in the kernel's forwarding path, not in the IPS engine, which inspects application-layer traffic.

545
MCQeasy

An administrator needs to monitor FortiGate session count and CPU usage over time using FortiAnalyzer. Which log type should be configured for this?

A.Security logs
B.Performance logs
C.Event logs
D.Traffic logs
AnswerB

Correct. Performance logs provide periodic CPU, memory, and session data.

Why this answer

Performance monitoring logs contain periodic samples of system resource usage, including session count and CPU. The administrator should enable performance logging on FortiGate and send it to FortiAnalyzer.

546
MCQhard

An administrator configures OSPF over an IPsec VPN overlay between two FortiGates. The OSPF neighbors show a state of 'EXSTART/EXCHANGE' but never reach 'FULL'. The IPsec tunnel is up and passes ICMP traffic. What is the MOST likely cause?

A.The MTU on the tunnel interface is too large
B.OSPF is not enabled on the tunnel interface
C.The IPsec tunnel is using ESP with authentication
D.The OSPF hello interval is mismatched
AnswerA

A neighbor stuck in EXSTART/EXCHANGE is the classic MTU symptom: the small hello packets get through, so adjacency starts, but the larger database description (DBD) packets do not.

Why this answer

OSPF over IPsec needs the tunnel interface MTU reduced to leave room for ESP overhead, or the MTU check relaxed. With the default 1500-byte MTU on the tunnel, the DBD packets are fragmented or dropped and the exchange never completes, even though ICMP and hellos pass. Lowering the MTU on the tunnel interface, or setting `set mtu-ignore enable` under `config ospf-interface` in `config router ospf`, resolves it.

547
MCQhard

A FortiGate is configured with ZTNA inline CASB to control access to a SaaS application. The administrator wants to block uploads of files containing credit card numbers. Which ZTNA inline CASB feature should be used?

A.Web filter profile
B.Data leak prevention (DLP) profile
C.Antivirus profile
D.Application control profile
AnswerB

DLP can detect sensitive data like credit card numbers and block or log the action.

Why this answer

ZTNA inline CASB can apply DLP (Data Loss Prevention) profiles to inspect content. To block uploads with credit card numbers, a DLP profile with a credit card number sensor should be applied to the ZTNA proxy rule. Option B is correct.

548
MCQmedium

A network admin is configuring a hub-and-spoke ADVPN. The spoke FortiGates are behind NAT. After configuring IKE phase 1 with aggressive mode, the spokes can establish VPN tunnels to the hub, but shortcut tunnels between spokes are not forming. What is the MOST likely cause?

A.The hub FortiGate is not using IKEv2 for the phase 1 configuration
B.The spoke FortiGates are using main mode instead of aggressive mode for IKE phase 1
C.The spoke FortiGates have 'set net-device disable' on the phase 1 interface
D.The hub FortiGate is not configured with 'set add-route enable' on the phase 1 interface
AnswerB

Aggressive mode is required when spokes are behind NAT so the hub learns the spoke's public IP and port for shortcut tunnel negotiation.

Why this answer

Aggressive mode is required for IKE behind NAT when using ADVPN shortcut tunnels. Without it, the hub cannot learn the public IP/port of each spoke to facilitate the shortcut.

549
MCQmedium

An HA cluster (active-passive) is configured. The administrator wants to perform a failover test without causing service disruption. Which command should be used?

A.diagnose ha reset-uptime
B.execute shutdown on the primary
C.execute ha synchronize
D.execute ha failover
AnswerD

This command triggers a graceful failover, making the primary become secondary.

Why this answer

To gracefully test failover, the administrator can execute 'execute ha failover' on the primary unit. This forces the primary to become secondary, and the passive unit takes over.

550
MCQmedium

A FortiGate administrator configures a hub-and-spoke VPN with OSPF routing. The spoke FortiGates are learning routes from the hub, but inter-spoke traffic is being routed through the hub instead of using shortcut tunnels. What configuration is missing on the hub to allow ADVPN shortcut establishment?

A.Set the VPN interface type to 'tunnel' instead of 'vlan'
B.Disable route redistribution from OSPF into the VPN tunnel interface on the hub
C.Enable 'auto-discovery-sender' on the hub and 'auto-discovery-forwarder' on spokes
D.Configure a static route for inter-spoke traffic on the hub
AnswerB

If the hub's redistribution makes every inter-spoke route resolve via the hub, traffic always stays on the hub path. ADVPN shortcuts are negotiated by IKE, so the hub's routing must not keep spoke-to-spoke traffic pinned to itself.

Why this answer

For ADVPN to work, the hub must have 'auto-discovery-sender' enabled and must not redistribute spoke routes back toward the other spokes in a way that keeps the hub as their permanent next hop. Typically the hub should not redistribute OSPF routes learned from one spoke into the tunnel toward another; ADVPN relies on the IKE shortcut and the routes that follow it.
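The three ADVPN questions above (541, 548 and 550) all come back to the same hub and spoke phase 1 settings. The following is an added example, not configuration from the page or from Fortinet documentation; tunnel names, interfaces, overlay addresses and keys are assumed:

```fortios
# --- hub: one dynamic phase 1 accepts every spoke ---
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dpd on-idle
        # No static route per spoke: let BGP/OSPF over the tunnel carry the
        # spoke prefixes so a shortcut can take over as next hop.
        set add-route disable
        # Hub offers a shortcut to spokes whose traffic crosses it.
        set auto-discovery-sender enable
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes256-sha256
    next
end
config system interface
    edit "advpn-hub"
        # /32 local address, /24 remote-ip: hub and spokes share one overlay
        # subnet so routing next hops resolve over the shortcut as well.
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.254 255.255.255.0
    next
end

# --- spoke: static phase 1 to the hub, accepts shortcut offers ---
config vpn ipsec phase1-interface
    edit "advpn-spoke"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set dpd on-idle
        set add-route disable
        # Spoke accepts the hub's shortcut offer and negotiates directly
        # with the other spoke.
        set auto-discovery-receiver enable
        set remote-gw 203.0.113.1
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "advpn-spoke"
        set phase1name "advpn-spoke"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end
config system interface
    edit "advpn-spoke"
        set ip 10.255.1.2 255.255.255.255
        set remote-ip 10.255.1.1 255.255.255.0
    next
end
```

With spoke prefixes learned over the tunnel by BGP or OSPF, `diagnose vpn tunnel list` on a spoke shows an extra shortcut entry (named after the phase 1 with a numeric suffix) once inter-spoke traffic has crossed the hub; if that entry never appears, check the hub for `auto-discovery-sender`, the spokes for `auto-discovery-receiver`, and the hub's routing table for static routes to spoke subnets.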

551
MCQeasy

A network administrator is configuring SD-WAN on a FortiGate. The organization has two internet links: MPLS (primary) and broadband (backup). The administrator wants all traffic to use the MPLS link unless it fails, in which case traffic should fail over to the broadband link. Which SD-WAN configuration best achieves this requirement?

A.Set the MPLS link priority to 10 and the broadband link priority to 5, then configure an SD-WAN rule with the 'best quality' strategy.
B.Enable 'set role' on the MPLS link as 'primary' and on the broadband link as 'standby' with the 'redundant' strategy.
C.Configure both links in the SD-WAN zone with equal priority and use the 'lowest cost' strategy.
D.Create two static routes: one with higher distance for MPLS and one with lower distance for broadband.
AnswerA

Higher priority for MPLS ensures it is preferred. The 'best quality' strategy selects the member with the highest priority when available, providing failover.

Why this answer

Option A is correct because setting the MPLS link priority to 10 (higher) and broadband to 5 (lower) ensures the SD-WAN rule with 'best quality' strategy selects the MPLS link as the preferred path. The 'best quality' strategy evaluates link quality metrics and, when priorities differ, prefers the higher-priority link. If the MPLS link fails, the strategy automatically fails over to the broadband link, meeting the requirement.

Exam trap

The trap here is that candidates often confuse SD-WAN failover with traditional static route failover using administrative distance, or incorrectly assume that role-based 'primary/standby' settings exist in FortiGate SD-WAN, leading them to choose options B or D instead of understanding that SD-WAN uses priority and strategy-based path selection.

How to eliminate wrong answers

Option B is wrong because 'set role' with 'primary' and 'standby' is not a valid SD-WAN configuration; FortiGate SD-WAN uses priority values and strategies, not role-based primary/standby assignments, and the 'redundant' strategy is for load balancing, not failover. Option C is wrong because equal priority with 'lowest cost' strategy would load-balance traffic across both links based on cost, not enforce MPLS as primary and broadband as backup. Option D is wrong because static routes with different distances control routing table selection, not SD-WAN link failover; SD-WAN rules override static route behavior and require SD-WAN-specific configuration to achieve policy-based failover.
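One SD-WAN configuration that covers questions 529, 535 and 551 together, added here as an illustration rather than copied from the page; interface names, gateways, the probe target and the SLA thresholds are assumed:

```fortios
config system sdwan
    set status enable
    config zone
        edit "internet"
        next
    end
    config members
        # Member 1: MPLS, preferred (lower cost).
        edit 1
            set interface "port1"
            set zone "internet"
            set gateway 192.0.2.1
            set cost 10
        next
        # Member 2: broadband, backup (higher cost).
        edit 2
            set interface "port2"
            set zone "internet"
            set gateway 198.51.100.1
            set cost 20
        next
    end
    config health-check
        edit "wan-sla"
            # Assumed probe target reachable over both links.
            set server "203.0.113.250"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    # A member is out of SLA when either threshold is crossed.
                    set link-cost-factor latency packet-loss
                    set latency-threshold 150
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        edit 1
            set name "internet-lowest-cost"
            # Lowest Cost (SLA): among members meeting SLA 1, use the lowest cost,
            # so MPLS carries traffic and broadband only takes over when MPLS
            # fails its SLA.
            set mode sla
            set src "all"
            set dst "all"
            # Delay fail-back for 30 s after MPLS is back in SLA so a flapping
            # link does not drag sessions back and forth; a very large value
            # looks like "traffic never fails back" (question 529).
            set hold-down-time 30
            config sla
                edit "wan-sla"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

`diagnose sys sdwan health-check` shows each member's measured latency and loss against the thresholds, and `diagnose sys sdwan service` shows which member the rule currently selects and why; the two together tell you whether a missing fail-back is the hold-down timer, a member still out of SLA, or a rule that no longer lists the preferred member.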

552
MCQmedium

An enterprise uses multiple VDOMs on a FortiGate. The administrator needs to route traffic between VDOM-A and VDOM-B using a firewall policy. What is the correct configuration step?

A.Place both VDOMs in the same virtual router and use regular policies
B.Create a static route in each VDOM pointing to the other VDOM's virtual interface
C.Configure a VDOM link between the two VDOMs and create a policy allowing traffic
D.Enable inter-VDOM routing globally under system settings
AnswerC

A VDOM link creates a logical connection; policies then control traffic flow.

Why this answer

Option C is correct because a VDOM link creates a direct Layer 2 or Layer 3 connection between two VDOMs, allowing traffic to be controlled by firewall policies. This is the only method that enables policy-based inter-VDOM routing without requiring external cables or complex routing configurations.

Exam trap

The trap here is that candidates assume inter-VDOM routing is automatic or can be achieved with static routes alone, but FortiGate requires an explicit VDOM link or inter-VDOM link to pass traffic between VDOMs through firewall policies.

How to eliminate wrong answers

Option A is wrong because VDOMs operate in separate virtual routers by default; placing them in the same virtual router would merge their routing tables, defeating isolation and requiring inter-VDOM routing to be explicitly configured. Option B is wrong because static routes alone cannot forward traffic between VDOMs without a physical or logical interface connecting them; the route would have no valid next-hop interface. Option D is wrong because there is no global 'inter-VDOM routing' toggle; inter-VDOM traffic must be explicitly allowed via a VDOM link or inter-VDOM link policy, not a global setting.
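Questions 538 and 552 both describe the VDOM link procedure; the following is an added, complete example that is not from the page. VDOM names, subnets, interface names and the service are assumed. The static route in VDOM-B is the step most often forgotten: without a return route toward VDOM-A's subnet, VDOM-B drops the first packet on its reverse-path check even though the policy allows it.

```fortios
# Create the link pair (vlink0/vlink1 are created automatically) and place
# one end in each VDOM. This part runs in the global context.
config global
    config system vdom-link
        edit "vlink"
            set type ethernet
        next
    end
    config system interface
        edit "vlink0"
            set vdom "VDOM-A"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "vlink1"
            set vdom "VDOM-B"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

config vdom
    edit "VDOM-A"
        # Route the server subnet (assumed 10.20.0.0/24) through the link.
        config router static
            edit 0
                set dst 10.20.0.0 255.255.255.0
                set gateway 10.255.0.2
                set device "vlink0"
            next
        end
        # Outbound policy on VDOM-A's side of the link.
        config firewall policy
            edit 0
                set name "to-VDOM-B-server"
                set srcintf "internal"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end
    next
    edit "VDOM-B"
        # Return route for VDOM-A's client subnet (assumed 10.10.0.0/24);
        # needed for the reverse-path check on traffic arriving via vlink1.
        config router static
            edit 0
                set dst 10.10.0.0 255.255.255.0
                set gateway 10.255.0.1
                set device "vlink1"
            next
        end
        # Inbound policy on VDOM-B's side; keep it as narrow as the real need.
        config firewall policy
            edit 0
                set name "from-VDOM-A"
                set srcintf "vlink1"
                set dstintf "servers"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end
    next
end
```

The two policies are what keep the VDOMs logically separated: each side admits only the service it needs, so a compromise in VDOM-A cannot reach anything in VDOM-B that the VDOM-B policy does not explicitly expose. Tighten `srcaddr`/`dstaddr` to real address objects before putting this into production.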

553
MCQmedium

A FortiGate administrator runs 'diagnose debug application sslvpn -1' and sees repeated messages: 'SSL VPN tunnel error: no response from client'. What is the most likely cause?

A.The authentication server is unreachable
B.The tunnel mode is configured for web mode instead of tunnel mode
C.The client cannot reach the FortiGate's SSL VPN IP or port
D.The SSL VPN certificate has expired
AnswerC

No response from client suggests a connectivity problem between client and FortiGate.

Why this answer

This error typically indicates the SSL VPN client is not responding during tunnel setup, often due to network connectivity issues or a firewall blocking the required ports.

554
MCQeasy

Which of the following is the primary purpose of BFD (Bidirectional Forwarding Detection) on a FortiGate?

A.To synchronize routing tables between peers
B.To load balance traffic across multiple paths
C.To provide fast detection of link failures
D.To encrypt routing updates between peers
AnswerC

BFD detects failures in sub-second intervals, much faster than routing protocol timers.

Why this answer

BFD provides fast failure detection between adjacent routers, enabling quicker convergence than routing protocol hellos.

555
MCQhard

An administrator configures BFD on a BGP session between two FortiGates. After enabling BFD, the BGP session flaps intermittently. What is the most likely cause?

A.The BFD failure detection intervals are too low, causing false positives
B.BFD is incompatible with BGP and should not be used together
C.BGP hold timer is shorter than BFD detection time
D.The BFD minimum transmit and receive intervals are set too high
AnswerA

Low intervals cause premature detection of failure.

Why this answer

BFD detects failures faster than BGP keepalives. If the network has high latency or occasional packet loss, BFD may time out and declare the peer down, causing BGP to reset. The BFD timers might be too aggressive for the network conditions.

556
MCQmedium

An administrator sees the following output from 'get router info routing-table':

S 0.0.0.0/0 [10/0] via 192.168.1.1, port1
S 0.0.0.0/0 [10/0] via 192.168.2.1, port2

They have configured ECMP load balancing. However, traffic to a specific destination IP is always using port1. What is the likely reason?

A.The firewall policy only allows traffic on port1
B.ECMP uses per-packet load balancing by default and the traffic is a single flow
C.One of the static routes has a lower administrative distance
D.The destination IP hash results in the same link for all sessions due to the load balancing algorithm
AnswerD

FortiGate's ECMP uses a hash of source/dest IP and port. If only one flow exists, it will consistently use the same link.

557
MCQeasy

Which feature in FortiOS enables a FortiGate to act as a proxy for client-initiated connections to internal applications without requiring a VPN client, by verifying device posture and user identity?

A.IPsec VPN with XAuth authentication
B.SSL VPN with web mode portal
C.FortiGate's explicit web proxy
D.ZTNA (Zero Trust Network Access) proxy
AnswerD

Why this answer

ZTNA proxy provides application-level access without full network connectivity, enforcing identity and posture checks. IPsec and SSL VPN give full network access. Explicit proxy is for web traffic only.

558
MCQhard

An administrator runs 'diagnose ips anomaly list' and sees many 'data_leak' events from a specific internal IP address. The IPS sensor has the default pre-defined signatures enabled. What additional step should the administrator take to block this specific anomaly?

A.Enable protocol anomaly detection in the antivirus profile
B.Create a custom IPS signature to match the anomaly pattern and apply it to the IPS sensor
C.Enable the 'data_leak' signature in the IPS sensor and set action to 'block'
D.Configure a firewall policy with application control to block the traffic
AnswerB

Custom signatures allow precise detection of protocol anomalies beyond pre-defined signatures.

Why this answer

Option B is correct because protocol anomalies require custom signatures to define the precise pattern or threshold, as pre-defined signatures may not cover specific behavior.

559
MCQmedium

A network admin needs to apply a common set of firewall rules at the beginning of every policy package for all VDOMs managed by FortiManager. The rules should be automatically inserted and not editable within each VDOM. What should be configured?

A.VDOM policy templates
B.Global policy objects
C.Policy package header policies
D.Central management policies
AnswerC

Header policies are prepended to all policy packages in the ADOM.

Why this answer

Header policies in policy packages allow global policies that apply before VDOM-specific policies. They are defined at the ADOM level and cannot be modified within individual VDOMs.

560
Multi-Selectmedium

An administrator needs to integrate a FortiSwitch with a FortiGate for LAN edge management. The FortiGate will manage the switch via the LAN interface. Which TWO steps are required? (Choose two.)

Select 2 answers
A.Enable switch controller on the FortiGate.
B.Assign an IP address to the FortiSwitch's management VLAN on the FortiGate.
C.Configure the FortiSwitch in standalone mode.
D.Disable STP on the FortiSwitch ports connected to the FortiGate.
E.Connect the FortiSwitch to a port configured as a 'switch' interface type.
AnswersA, E

The switch controller feature must be enabled to manage FortiSwitch devices.

561
MCQmedium

A FortiGate administrator is configuring a site-to-site IPsec VPN with IKEv2. The remote peer supports multiple proposals. The administrator wants to ensure that the VPN tunnel uses AES256-GCM for encryption and SHA256 for integrity. Which configuration setting should be used to enforce this preference?

A.Set the 'proposal' list with AES256-GCM and SHA256 as the first entry
B.Enable 'set proposal-mode strict'
C.Use IKEv2 rekey to change the proposal after initial handshake
D.Configure phase2 selectors with the exact traffic of interest
AnswerA

The order of proposals defines priority; the first matching proposal is selected. Placing AES256-GCM/SHA256 first ensures it is preferred.

Why this answer

In IKEv2, the proposal order determines the preference. The first matching proposal is used. To enforce AES256-GCM and SHA256, the administrator should set those as the first proposal in the phase1 and phase2 configuration.

562
Multi-Selectmedium

An administrator needs to enable automation stitches to automatically block a malicious IP address detected by FortiSandbox. Which two components are required? (Choose two.)

Select 2 answers
A.A trigger that detects the FortiSandbox verdict
B.A static route to the malicious IP
C.An SSL certificate for the FortiGate
D.An action that adds the IP to a local threat feed
E.A firewall policy that allows the traffic
AnswersA, D

Trigger initiates the automation stitch.

Why this answer

Option A is correct because automation stitches require a trigger to initiate the workflow. In this scenario, the trigger must detect the FortiSandbox verdict (e.g., malicious or clean) to start the automated response. Without a trigger, the stitch has no event to react to, making it non-functional.

Exam trap

The trap here is that candidates often confuse the trigger requirement with other network components like routing or certificates, or mistakenly think a firewall policy allowing traffic is needed for the automation to work, when in fact the action modifies security policies to block the IP.

563
MCQhard

An administrator runs 'diagnose sys session filter dport 443' and sees the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A.The session is a TCP connection that has been active for 3600 seconds and will expire in 3599 seconds
B.The session is a UDP DNS request
C.The session is being blocked by a firewall policy
D.The session is an SSL VPN tunnel
AnswerA

Correct interpretation of fields.

Why this answer

Option A is correct because the output shows 'proto=6' which indicates TCP (protocol 6), 'duration=3600' means the session has been active for 3600 seconds (1 hour), and 'expire=3599' means the session will expire in 3599 seconds. The 'proto_state=01' is a TCP state code indicating an established connection. This is a standard FortiGate diagnostic session output.

Exam trap

The trap here is that candidates may misinterpret 'proto=6' as a generic protocol number without recalling that protocol 6 is specifically TCP, leading them to incorrectly associate the output with UDP-based services like DNS or SSL VPN tunnels.

How to eliminate wrong answers

Option B is wrong because UDP uses protocol 17, not protocol 6, and DNS requests typically use UDP port 53, not TCP port 443. Option C is wrong because the output shows an active session with a duration and expiry, indicating the session is allowed and tracked, not blocked; a blocked session would not have a duration or expire value. Option D is wrong because an SSL VPN tunnel is typically encapsulated in UDP (port 443) or uses a different session type, and the output shows a raw TCP session (proto=6) with no indication of VPN encapsulation or tunnel ID.

564
MCQeasy

An administrator needs to configure a site-to-site IPsec VPN with a remote FortiGate that has a dynamic IP address. Which phase1 parameter must be set to support this?

A.Enable Perfect Forward Secrecy (PFS)
B.Enable NAT traversal
C.Use certificate-based authentication
D.Set mode to aggressive and use a pre-shared key
AnswerD

Aggressive mode allows the FortiGate, acting as responder, to accept a connection from a peer whose IP it does not know in advance; a pre-shared key is used for authentication.

Why this answer

When the remote FortiGate has a dynamic IP address, the local FortiGate cannot initiate the VPN because it does not know the remote peer's IP. Setting the phase1 mode to aggressive and using a pre-shared key allows the remote peer to initiate the connection by sending its identity (ID) in the first exchange, enabling the local FortiGate to identify and authenticate the peer without requiring a static IP address for the remote side.

Exam trap

The trap here is that candidates often confuse NAT traversal (which handles NAT devices) with the need for a dynamic IP peer, or they assume certificate-based authentication alone solves the issue, but the key requirement is the ability to identify the peer without a known IP address, which aggressive mode enables.

How to eliminate wrong answers

Option A is wrong because Perfect Forward Secrecy (PFS) is a phase2 parameter that ensures that if a private key is compromised, past session keys are not exposed; it does not address dynamic IP peer identification. Option B is wrong because NAT traversal is used to handle IPsec packets traversing NAT devices by encapsulating them in UDP, not to support a peer with a dynamic IP address. Option C is wrong because certificate-based authentication can be used with either main or aggressive mode, but it does not solve the problem of a dynamic IP peer; aggressive mode with a pre-shared key is specifically required to allow the peer to initiate without a known IP.

565
Multi-Selectmedium

Which TWO actions are appropriate when troubleshooting a slow network connection through a FortiGate?

Select 2 answers
A.Increase the session TTL to reduce session setup overhead.
B.Check the CPU and memory utilization on the FortiGate.
C.Verify the routing table for correct next-hop entries.
D.Disable flow control on the WAN interface.
E.Disable all security profiles to free resources.
AnswersB, C

High resource usage can cause slowdowns; checking this is a standard diagnostic step.

Why this answer

High CPU or memory utilization on a FortiGate can directly cause packet drops, queuing delays, and slow throughput, especially under load. Checking these resources is a fundamental first step in troubleshooting performance issues, as resource exhaustion often manifests as a slow network connection.

Exam trap

The trap here is that candidates may assume disabling security features (Option E) or adjusting session timers (Option A) are quick fixes, but the NSE7 exam expects systematic troubleshooting starting with resource utilization and routing verification.

566
MCQmedium

An administrator observes that traffic from a specific subnet is being dropped by the FortiGate. The session table shows the sessions with 'proto_state=01' and 'expire=0'. What does this indicate?

A.The sessions have expired and are being cleaned up
B.The antivirus scanning is causing a delay
C.The sessions are being offloaded to the NPU
D.The firewall policy is blocking the traffic
AnswerA

Expire=0 means the session has timed out.

Why this answer

Option A is correct. 'expire=0' and 'proto_state=01' indicate that the session has expired and is in a cleanup state. The traffic is being dropped because the session is no longer valid.

567
MCQhard

An administrator configures a FortiGate with a management VDOM. Which of the following is true about the management VDOM?

A.The management VDOM supports inter-VDOM routing
B.The management VDOM can be used to route production traffic
C.The management VDOM can be shared across multiple FortiGates in a HA cluster
D.The management VDOM cannot have any firewall policies
AnswerD

The management VDOM is used solely for management; it does not process data traffic and therefore does not have firewall policies.

Why this answer

The management VDOM is a special-purpose VDOM used exclusively for out-of-band management traffic (e.g., GUI, SSH, SNMP). It operates in a separate management plane and cannot contain firewall policies because it is not designed to inspect or forward data-plane traffic. This isolation ensures that management access remains available even if the data-plane VDOMs are overloaded or misconfigured.

Exam trap

The trap here is that candidates confuse the management VDOM with a regular VDOM that can have firewall policies and route traffic, but Fortinet explicitly restricts the management VDOM to a non-data-plane role with no policy enforcement.

How to eliminate wrong answers

Option A is wrong because inter-VDOM routing is a data-plane function that requires firewall policies and routing configurations, which the management VDOM explicitly does not support. Option B is wrong because the management VDOM is strictly for management traffic (e.g., HTTPS, SSH, SNMP) and cannot be used to route production or user data traffic. Option C is wrong because the management VDOM is a per-FortiGate construct; in an HA cluster, each unit maintains its own management VDOM configuration and cannot share it across cluster members.

568
MCQeasy

Which SD-WAN load balancing algorithm distributes traffic based on the number of active sessions per SD-WAN member?

A.Sessions
B.Source-dest-IP
C.Spillover
D.Volume
AnswerA

Sessions balances by number of active sessions.

Why this answer

The sessions algorithm bases distribution on the current session count on each member.

569
MCQhard

An administrator is integrating a FortiExtender with a FortiGate. The FortiExtender is connected to port5 and configured with a cellular WAN connection. What must be configured on the FortiGate to allow the FortiExtender to provide WAN connectivity as an SD-WAN member?

A.Create a static route to the FortiExtender's management IP to use it as a gateway.
B.Configure port5 as a physical member and assign the FortiExtender's SIM card details.
C.Enable the 'fortiextender' option on port5 and configure the FortiExtender as an SD-WAN member using the virtual wan interface.
D.Use the FortiExtender as a standalone router and configure policy-based routing on the FortiGate.
AnswerC

The FortiExtender creates a virtual interface (e.g., wan or lte) that can be added as an SD-WAN member. Port5 must have the FortiExtender feature enabled.

570
MCQmedium

A customer reports intermittent connectivity issues between two internal subnets separated by a FortiGate firewall. The traffic is allowed by the policy, but users experience timeouts during peak hours. Which troubleshooting step should you take first?

A.Run a packet sniffer on the FortiGate to capture traffic between the subnets.
B.Check the session table for session limits and session congestion.
C.Disable hardware acceleration on the FortiGate.
D.Configure SNAT on the policy to translate the source IP.
AnswerB

Peak hour timeouts often indicate session table exhaustion; checking this is the quickest diagnostic step.

Why this answer

Option B is correct because intermittent connectivity during peak hours strongly suggests session table exhaustion or session congestion. The FortiGate's session table has a finite capacity, and when it fills up, new sessions are dropped, causing timeouts. Checking the session table for limits and congestion is the fastest, least intrusive first step to confirm whether the firewall is running out of session resources before performing more complex diagnostics.

Exam trap

The trap here is that candidates often jump to packet capture or hardware acceleration as the first step, overlooking the session table as the most common cause of intermittent peak-hour connectivity issues.

How to eliminate wrong answers

Option A is wrong because running a packet sniffer is a reactive, resource-intensive step that should be taken only after ruling out session table issues; it does not directly reveal session limits or congestion. Option C is wrong because disabling hardware acceleration is a drastic step that can degrade performance and is only warranted if a specific hardware offload bug is suspected, not as a first troubleshooting step for peak-hour timeouts. Option D is wrong because configuring SNAT does not resolve session table exhaustion; it changes the source IP but does not increase the session table capacity or address congestion.

571
MCQmedium

A FortiGate is configured with a ZTNA access proxy rule for a web application. The administrator wants to enforce that only devices with a specific FortiClient tag (e.g., 'Compliant') can access the application. Where is this tag-based access control configured?

A.In the FortiClient EMS policy
B.In the firewall policy that permits traffic from the ZTNA gateway to the application
C.In the SSL inspection profile
D.In the ZTNA access proxy rule under the ZTNA gateway configuration
AnswerD

The access proxy rule includes conditions such as device tags (e.g., Compliant) to determine if access is allowed.

Why this answer

In ZTNA, device posture tags from FortiClient are used in access proxy rules to grant or deny access. The tags are matched in the ZTNA proxy rule (access proxy rule) under the ZTNA gateway configuration. Option D is correct.

572
Multi-Selectmedium

An HA cluster is configured with two FortiGates in active-passive mode. The administrator wants to ensure that the secondary unit automatically takes over if the primary unit fails. Which TWO settings must be configured?

Select 2 answers
A.Set ha-mode to active-passive
B.Set ha-priority to 100 on primary
C.Set ha-mode to active-active
D.Enable configuration synchronization
E.Enable session-pickup
AnswersA, D

active-passive mode ensures one unit is standby.

Why this answer

Option A is correct because setting ha-mode to active-passive configures the HA cluster so that only the primary unit actively processes traffic while the secondary remains in standby, ready to take over upon failure. This mode is essential for the automatic failover behavior described in the question, as it defines the operational roles of the cluster members.

Exam trap

The trap here is that candidates often confuse session-pickup (which preserves active sessions) with the fundamental failover mechanism, leading them to select it as a requirement for takeover, when in fact the takeover occurs automatically in active-passive mode without session-pickup.

573
MCQeasy

Which FortiGate IPS feature allows administrators to create rules that detect network traffic patterns deviating from normal protocol behavior?

A.Rate-based signatures
B.Custom signatures
C.Protocol anomaly
D.Geo-IP blocking
AnswerC

Protocol anomaly detection is specifically for detecting deviations from protocol standards.

Why this answer

Protocol anomaly detection in FortiGate IPS allows administrators to define rules that identify deviations from standard protocol behavior as defined by RFCs. Unlike signature-based detection, which matches known attack patterns, protocol anomaly detection flags traffic that violates expected protocol structures, such as malformed packets or illegal flag combinations. This enables the detection of zero-day exploits and protocol abuse without requiring a pre-existing signature.

Exam trap

The trap here is that candidates confuse 'protocol anomaly' with 'custom signatures' or 'rate-based signatures,' assuming any custom rule or threshold-based detection can identify protocol deviations, but FortiGate specifically reserves protocol anomaly for RFC-based behavioral analysis, not pattern matching or volumetric thresholds.

How to eliminate wrong answers

Option A is wrong because rate-based signatures are designed to detect traffic patterns based on thresholds (e.g., connections per second) rather than deviations from normal protocol behavior; they focus on volume anomalies, not protocol compliance. Option B is wrong because custom signatures are user-defined patterns (e.g., using the FSL language) that match specific content or byte sequences, not protocol deviations; they rely on known attack signatures, not behavioral analysis. Option D is wrong because Geo-IP blocking filters traffic based on geographic source or destination IP addresses, which is unrelated to protocol behavior or anomaly detection.

574
MCQmedium

A company uses FortiMail for email security. They want to prevent email spoofing by verifying that incoming emails originate from authorized servers. Which email authentication method should be configured on FortiMail to check the sending server's IP against a published SPF record?

A.SPF verification
B.DKIM verification
C.DMARC verification
D.Sender Policy Framework (SPF) is not supported on FortiMail
AnswerA

SPF checks if the sending IP is authorized by the domain's SPF record.

575
MCQhard

A FortiGate is running OSPF with multiple areas. The admin wants to redistribute a static route for 192.168.100.0/24 into OSPF. After configuring 'config router ospf' with 'redistribute static' enabled, the route appears in the OSPF database but is not being advertised to other areas. What is the most likely cause?

A.The 'redistribute static' command needs a route map to filter the route correctly.
B.The static route's administrative distance is too high for OSPF.
C.The router is an ABR and the static route is being redistributed as a type 5 LSA, which is not flooded into stub areas.
D.OSPF must be configured with 'default-information originate' to allow redistribution.
AnswerC

Type 5 LSAs are blocked in stub areas. To redistribute into stub areas, the route must be advertised as a type 7 LSA.

Why this answer

By default, OSPF does not redistribute external routes into other areas unless the redistributing router is an ASBR and the route is a type 5 LSA. However, type 5 LSAs are not flooded into stub areas or NSSAs. If the router is in an NSSA or stub area, redistribution must be handled differently.

The most common reason is that the router is an ABR and the external route is not being advertised into other areas because the router is not acting as an ASBR for those areas.

576
MCQeasy

An organization wants to implement Network Access Control (NAC) using FortiNAC. The goal is to automatically quarantine any device that does not have the latest antivirus definitions. Which FortiNAC component enforces this policy?

A.FortiNAC Collector
B.FortiNAC Profiler
C.FortiNAC Enforcement Engine
D.FortiNAC Portal
AnswerC

The Enforcement Engine applies the policy actions (e.g., quarantine) based on compliance state.

Why this answer

FortiNAC uses policies to define security requirements. The Enforcement Engine applies the policy by changing the VLAN or applying ACLs on network devices to quarantine non-compliant endpoints.

577
MCQmedium

A FortiGate administrator configures a ZTNA access proxy rule to allow access to an internal application only if the user's device has the tag 'Compliant'. The tag is assigned by FortiClient EMS. However, a user with a compliant device is still blocked. The admin sees in the ZTNA logs that the tag is not being received. What should the administrator check FIRST?

A.Verify that the FortiClient is connected to the internet
B.Confirm that the ZTNA rule is enabled and using the correct port
C.Check if the application server is reachable from the FortiGate
D.Ensure the EMS connector is configured under Security Fabric > External Connectors
AnswerD

The Endpoint Control connector to EMS must be configured and authorized. Without this, FortiGate cannot receive any tags from EMS.

Why this answer

For ZTNA tags to be sent to FortiGate, the FortiClient must be registered with EMS and the EMS must be configured as an endpoint control connector on FortiGate. If the connector is missing or misconfigured, FortiGate cannot retrieve tags.

578
MCQmedium

You run the following command on a FortiGate: 'diagnose vpn ike gateway list' and see that the DPD status for a VPN peer is 'dead'. What does this indicate?

A.The remote peer has been manually disconnected from the network
B.The VPN tunnel is still up but the peer is not responding to DPD messages
C.The IKE SA is still active but the IPsec SA has expired
D.The VPN peer has been detected as unreachable and the tunnel is considered down
AnswerD

DPD status 'dead' means the peer is not responding, so FortiGate marks the tunnel as down.

Why this answer

DPD (Dead Peer Detection) is used to check the liveness of a VPN peer. 'Dead' means the peer is not responding to DPD messages, indicating the tunnel is down.

579
Multi-Selectmedium

A FortiGate is deployed as a LAN edge switch with multiple FortiSwitch units connected. The administrator wants to configure VLANs and manage the switches centrally. Which TWO features must be enabled on the FortiGate to achieve this? (Select TWO.)

Select 2 answers
A.LLDP-MED
B.Configure a separate management VRF
C.Create VLAN interfaces on the FortiGate and assign them to the FortiLink interface
D.FortiLink on the interface connecting to the FortiSwitch
E.STP (Spanning Tree Protocol) on the FortiGate
AnswersC, D

VLANs are defined on the FortiGate and communicated to switches via FortiLink.

Why this answer

Options C and D are correct. FortiLink is required for central management of FortiSwitch. The FortiGate must have a dedicated FortiLink interface (e.g., internal) configured under Network > Interfaces.

VLANs are created on the FortiGate and propagated to switches via FortiLink.

580
MCQmedium

An administrator is deploying FortiClient with ATP features. They want to ensure that if a process is detected as malicious by the FortiClient machine learning engine, the endpoint is isolated from the network. Which configuration should they use?

A.Create a firewall policy to block traffic from that endpoint
B.Enable 'auto-network-access' in the FortiClient profile
C.Configure an automation stitch with trigger 'FortiClient event' and action 'quarantine endpoint'
D.Enable 'FortiClient quarantine' in the antivirus profile
AnswerC

Automation stitches can respond to FortiClient events and isolate the endpoint.

Why this answer

Option C is correct. Automation stitches allow triggering an action (like endpoint isolation) when a specific event (malicious process detected) occurs. The ML engine can generate a log event that triggers the stitch.

581
MCQhard

A FortiGate administrator runs the following CLI command: 'diagnose ips anomaly log'. The output shows numerous 'tcp_syn_flood' events from a single source IP. To mitigate this, the administrator wants to block the source IP automatically. Which feature should be used?

A.IPS Custom Signature
B.Local-in Policy
C.IP Block List
D.Automation Stitch
AnswerD

Automation stitches can automate responses to events like syn flood.

Why this answer

Automation stitches can trigger an action (like adding the source IP to a threat feed or blocking it) based on a condition such as IPS anomaly events.

582
Multi-Selecthard

A network security team is evaluating options for web application security. They need to protect a critical web application from SQL injection and cross-site scripting (XSS) attacks, and they require granular control over HTTP request parameters. Which THREE factors should influence their decision between using FortiGate's WAF profiles versus deploying a dedicated FortiWeb appliance?

Select 3 answers
A.FortiGate's WAF supports integration with FortiSandbox for file upload inspection
B.FortiGate's WAF profiles offer the same level of customization as FortiWeb for signature creation
C.FortiWeb can perform SSL offloading and load balancing, reducing load on the web servers
D.FortiWeb provides dedicated hardware and software optimized for web application security, offering higher throughput and lower latency for WAF processing
E.FortiWeb allows creation of custom signatures for application-layer attacks like SQL injection and XSS with greater flexibility
AnswersC, D, E

FortiWeb can handle SSL termination and distribute traffic, which is beneficial for performance.

Why this answer

FortiWeb provides deep application-layer inspection, custom signatures, and high throughput for WAF without impacting other security functions. FortiGate's built-in WAF is limited in comparison.

583
MCQeasy

An administrator wants to enforce that only managed FortiClient endpoints with up-to-date antivirus and a specific OS version can access a sensitive internal network via IPsec VPN. Which feature should be used to achieve this?

A.ZTNA tags
B.FortiNAC
C.SAML SSO
D.FortiClient EMS compliance enforcement
AnswerD

FortiClient EMS allows the administrator to define compliance rules and enforce them during VPN connection.

Why this answer

FortiClient EMS can enforce compliance rules such as requiring up-to-date antivirus and specific OS version. When a FortiClient connects to the FortiGate VPN, the FortiGate can check the endpoint's posture via FortiClient EMS and apply a matching firewall policy.

584
MCQhard

An administrator runs 'diagnose ips anomaly http' and sees many entries with 'type=SQLi' and 'score=0'. What does a score of 0 indicate?

A.The anomaly detection is disabled
B.The traffic showed suspicious patterns but did not meet the threshold
C.The IPS sensor is not applied to any policy
D.The traffic is definitely an SQL injection attack
AnswerB

Score 0 means no anomaly above threshold; it's a low-confidence event.

Why this answer

In Fortinet's IPS anomaly detection, a score of 0 indicates that the traffic exhibited suspicious patterns (e.g., SQLi signatures) but did not accumulate enough anomaly points to meet the configured threshold for triggering an action. This means the traffic was flagged as potentially malicious but was not deemed severe enough to warrant logging or blocking, so it remains in a 'monitoring' state without enforcement.

Exam trap

The trap here is that candidates assume a score of 0 means 'no threat' or 'disabled', but Fortinet uses 0 to indicate a sub-threshold detection that is still tracked, not a lack of detection.

How to eliminate wrong answers

Option A is wrong because a score of 0 does not indicate that anomaly detection is disabled; if detection were disabled, the 'diagnose ips anomaly http' command would not show any entries for that traffic. Option C is wrong because the IPS sensor not being applied to any policy would result in no IPS inspection at all, not a score of 0 with SQLi type entries; the presence of entries proves the sensor is applied. Option D is wrong because a score of 0 explicitly means the traffic did not meet the threshold to be classified as a definite attack; a score above the threshold would indicate a confirmed SQL injection attempt.

585
MCQhard

A FortiGate admin runs 'diagnose ips anomaly list' and sees many 'tcp_src_session' events from a single internal IP. The admin suspects a scanning attack. What action should be taken to block this traffic without affecting legitimate traffic?

A.Create a firewall rule to block the IP address entirely
B.Create a custom IPS signature to detect and block the scanning pattern
C.Enable 'tcp_src_session' anomaly action to 'block' in the IPS sensor
D.Use a WAF profile to block the IP based on rate
AnswerB

A custom signature can precisely target the scan behavior.

Why this answer

Option B is correct because creating a custom IPS signature allows you to define specific patterns (e.g., multiple TCP SYN packets to different ports from the same source) that match scanning behavior, and then set the action to 'block'. This granular approach blocks only the malicious scanning traffic while permitting legitimate traffic from the same IP, unlike a blanket IP block or a global anomaly action that could impact normal sessions.

Exam trap

The trap here is that candidates often confuse anomaly-based detection (which triggers on aggregate session counts) with signature-based detection (which matches specific packet patterns), leading them to choose Option C, not realizing that blocking the anomaly would indiscriminately drop all traffic from the source IP, including legitimate sessions.

How to eliminate wrong answers

Option A is wrong because blocking the entire IP address would also drop any legitimate traffic from that host, which is too aggressive and not required if only scanning behavior needs to be stopped. Option C is wrong because enabling 'tcp_src_session' anomaly action to 'block' in the IPS sensor would block all traffic from that source IP once the anomaly threshold is exceeded, including legitimate sessions, and does not differentiate between scanning and normal traffic. Option D is wrong because a WAF profile is designed for HTTP/HTTPS web application traffic and cannot block TCP-based scanning patterns at the network layer; it would not inspect or rate-limit raw TCP SYN floods or port scans.

586
Multi-Select · hard

An administrator is configuring FortiMail to improve email security. Which three of the following features are part of FortiMail's advanced threat protection? (Choose three.)

Select 3 answers
A.Web Filtering
B.Application Control
C.Email Authentication (SPF, DKIM, DMARC)
D.Content Disarm and Reconstruction (CDR)
E.Sandboxing (integration with FortiSandbox)
Answers: C, D, E

FortiMail supports email authentication protocols.

Why this answer

Email Authentication (SPF, DKIM, DMARC) is part of FortiMail's advanced threat protection because it verifies sender identity and prevents email spoofing and phishing. SPF checks the sending server's IP against authorized records, DKIM uses cryptographic signatures to ensure message integrity, and DMARC provides policy enforcement for alignment. These mechanisms collectively reduce the risk of domain impersonation and are integral to FortiMail's anti-phishing capabilities.

Exam trap

The trap here is that candidates confuse FortiGate's UTM features (Web Filtering, Application Control) with FortiMail's specialized email security features, leading them to select options that are not part of FortiMail's advanced threat protection.

587
MCQ · medium

A FortiGate admin configures automation stitches in FortiManager to trigger a script when a specific incident occurs. The script runs but does not produce the expected result. Which FortiAnalyzer feature should the admin use to verify the automation stitch executed correctly?

A.Reports
B.FortiView
C.Playbooks
D.Incident Management
Answer: D

Incidents show automation stitch execution logs.

Why this answer

Option D is correct because Incident Management in FortiAnalyzer provides a detailed log of automation stitch execution, including trigger events, script actions, and any errors. This allows the admin to verify whether the stitch ran as expected and to diagnose why the script did not produce the intended result.

Exam trap

The trap here is that candidates confuse FortiAnalyzer's Incident Management with FortiSOAR's Playbooks, or assume FortiView's real-time logs are sufficient for post-execution verification, when in fact Incident Management provides the persistent, searchable audit trail needed for automation stitch debugging.

How to eliminate wrong answers

Option A is wrong because Reports in FortiAnalyzer are used for scheduled or ad-hoc summary data (e.g., traffic trends, security summaries) and do not provide real-time or per-incident execution logs of automation stitches. Option B is wrong because FortiView is a real-time monitoring dashboard for traffic and security events, not a tool for reviewing automation stitch execution history or script output. Option C is wrong because Playbooks are a feature of FortiSOAR, not FortiAnalyzer, and are used for orchestrated incident response workflows, not for verifying FortiManager automation stitch execution.

588
Multi-Select · medium

An administrator needs to configure VRF to separate traffic for two departments. Which THREE components must be configured for each VRF?

Select 3 answers
A.A VRF instance
B.Interface binding to the VRF
C.A dedicated VDOM
D.Route leaking configuration
E.A separate firewall policy for each VRF
Answers: A, B, D

Each VRF needs its own routing table instance.

Why this answer

Each VRF requires a virtual routing table (VRF instance), interfaces assigned to it, and optionally route leaking between VRFs.

589
MCQ · easy

Which FortiAnalyzer feature allows an administrator to create a sequence of automated response actions triggered by a specific log event?

A.Reports
B.Incidents
C.Playbooks
D.FortiView
Answer: C

Playbooks define automated response actions based on triggers such as log events.

Why this answer

Playbooks in FortiAnalyzer allow administrators to define a sequence of automated response actions that are triggered by specific log events. This feature enables event-driven automation, such as executing CLI scripts, sending alerts, or integrating with external systems via webhooks, directly from the FortiAnalyzer interface.

Exam trap

The trap here is that candidates often confuse Playbooks with Incidents, assuming Incidents can automate responses, but Incidents are purely for manual or semi-automated case management, not for defining automated action sequences triggered by log events.

How to eliminate wrong answers

Option A is wrong because Reports are used for generating scheduled or on-demand summaries of log data and traffic trends, not for triggering automated responses to individual log events. Option B is wrong because Incidents are containers for grouping related alerts and logs for investigation, but they do not themselves define automated action sequences. Option D is wrong because FortiView provides real-time and historical visualization of network traffic and security events, but it lacks the capability to execute automated response actions based on log triggers.

590
Multi-Select · medium

A FortiGate administrator wants to use threat intelligence feeds to block known malicious IP addresses. Which TWO steps are required to accomplish this? (Choose two.)

Select 2 answers
A.Create an external threat feed connector pointing to the IoC source
B.Enable IPS on all policies
C.Configure FortiGuard to push feeds automatically
D.Create a firewall policy with the threat feed as the source or destination
E.Subscribe to FortiSandbox
Answers: A, D

The connector fetches the list of malicious IPs.

Why this answer

Options A and D are correct because first the threat feed connector must be configured (A), then a firewall policy using that feed as the source or destination must be created (D) to block the traffic.

591
MCQ · easy

A network engineer is deploying FortiGate VDOMs and needs to limit the number of VDOMs per FortiGate to comply with licensing. Which command can be used to check the maximum VDOMs allowed?

A.get system status
B.show system vdom
C.execute vdom limit
D.diagnose sys vdom list
Answer: A

Its output includes the 'Max VDOMs' information.

Why this answer

The 'get system status' command displays the current FortiGate system status, including the maximum number of VDOMs allowed by the installed license. This is the correct command to verify the licensed VDOM limit before deploying additional VDOMs.

Exam trap

The trap here is that candidates confuse operational commands like 'show system vdom' or 'diagnose sys vdom list' with the license-aware command 'get system status', which is the only one that shows the licensed VDOM cap.

How to eliminate wrong answers

Option B is wrong because 'show system vdom' is a FortiOS command that lists configured VDOMs and their status, but it does not display the licensed maximum VDOM limit. Option C is wrong because 'execute vdom limit' is not a valid FortiOS command; there is no such command to check or set the VDOM limit. Option D is wrong because 'diagnose sys vdom list' is a diagnostic command that shows operational VDOM information, such as IDs and states, but it does not reveal the licensed maximum number of VDOMs.

592
MCQ · medium

An administrator configures two VDOMs as shown in the exhibit. They create an inter-VDOM link between VDOM1 and VDOM2. They then add a firewall policy in VDOM1 allowing traffic from port1 to the inter-VDOM link, and a policy in VDOM2 allowing traffic from the inter-VDOM link to port2. However, traffic from 192.168.1.10 to 10.10.10.50 fails. What is the most likely cause?

A.Firewall policies are not correctly configured
B.The inter-VDOM link is not configured
C.Missing route in VDOM1 for the 10.10.10.0/24 network
D.The allowaccess setting on port2 does not include ping
Answer: C

VDOM1 needs a route to the destination network via the inter-VDOM link.

Why this answer

Option C is correct because inter-VDOM link traffic requires routing in both VDOMs. Even with correct firewall policies, VDOM1 must have a route to the destination network (10.10.10.0/24) pointing to the inter-VDOM link interface. Without this route, VDOM1 drops the packet before it can be forwarded across the link, causing the failure.

Exam trap

The trap here is that candidates assume firewall policies alone control inter-VDOM traffic, overlooking that routing is a prerequisite for forwarding packets across the inter-VDOM link.

How to eliminate wrong answers

Option A is wrong because the firewall policies are correctly configured: VDOM1 allows traffic from port1 to the inter-VDOM link, and VDOM2 allows traffic from the inter-VDOM link to port2. Option B is wrong because the inter-VDOM link is explicitly stated as created, so it exists. Option D is wrong because the allowaccess setting on port2 controls management access (e.g., ping, HTTPS) to the interface itself, not transit traffic passing through the interface; transit traffic is governed by firewall policies and routing.

593
MCQ · hard

An administrator runs 'get router info routing-table bgp' and sees that a route for 10.20.0.0/16 is learned via BGP from a neighbor. However, the route does not appear in the routing table. The administrator checks the BGP configuration and sees that 'network 10.20.0.0 255.255.0.0' is not configured under BGP. What is the most likely reason?

A.A route map is filtering the received route
B.The route is a default route (0.0.0.0/0) and is being suppressed
C.The BGP neighbor is not in the Established state
D.The route is not in the routing table because BGP requires the network statement to originate the route
Answer: A

Even though the route is learned, it may be filtered by an inbound route map before being installed in the routing table.

594
MCQ · hard

An admin runs 'diagnose sys session filter dport 443' and sees the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?

A.The session is being blocked by a firewall policy
B.The session is in SYN_SENT state, waiting for a reply
C.The session is established and has been active for 1 hour
D.The session is in TIME_WAIT state after a FIN
Answer: C

State '01' means established; duration is 3600 seconds = 1 hour.

Why this answer

Option C is correct because the output shows `proto=6` (TCP), `proto_state=01` (ESTABLISHED in Fortinet's session table), `duration=3600` seconds (1 hour), and `expire=3599` seconds (remaining lifetime). This combination indicates a fully established TCP session that has been active for one hour and is still valid, not blocked or in a transitional state.

Exam trap

The trap here is that candidates confuse `proto_state=01` with a blocking state or a handshake-in-progress state, when in fact it specifically indicates an established TCP connection in Fortinet's session table.

How to eliminate wrong answers

Option A is wrong because a blocked session would not show `proto_state=01` (ESTABLISHED) or have a non-zero duration/expire; blocked sessions are typically dropped before a session entry is created, or they show a different state. Option B is wrong because `proto_state=01` corresponds to ESTABLISHED, not SYN_SENT; SYN_SENT is represented by `proto_state=02` in the FortiOS session table. Option D is wrong because TIME_WAIT is represented by `proto_state=04` or `05` after a FIN exchange, not `01`, and the duration/expire values indicate an active session, not one in a closing state.

595
MCQ · medium

An administrator configures a WAF profile on FortiGate to protect a web application. However, the administrator notices that SQL injection attacks are not being blocked. What should the administrator check first?

A.The SQL injection signatures are enabled in the WAF profile
B.The WAF profile is attached to the correct firewall policy
C.The FortiGate has a valid Advanced Web Protection subscription
D.The web application is using HTTPS and SSL inspection is configured
Answer: A

WAF profiles have signature sets; SQL injection must be enabled.

Why this answer

WAF signatures must be enabled in the WAF profile. If the SQL injection signatures are disabled, SQL injection attacks will not be detected, regardless of how the profile is applied.

596
MCQ · medium

A network administrator has configured FortiGate to send files to FortiSandbox for analysis. However, files are not being submitted. The administrator checks the FortiGate configuration and sees that the FortiSandbox server IP is correctly entered. What is the most likely cause of the issue?

A.A firewall policy is blocking communication to FortiSandbox on port 514
B.The FortiSandbox is not licensed for file submission
C.The file type is not supported by FortiSandbox
D.The FortiGate antivirus profile is set to flow-based inspection
Answer: A

FortiGate communicates with FortiSandbox via TCP port 514 (or custom). A missing or blocking policy would prevent file submission.

Why this answer

The most likely cause is that a firewall policy is blocking communication to FortiSandbox on port 514. FortiGate uses port 514 (syslog) to submit files to FortiSandbox, and if this port is blocked by an intermediate firewall or an implicit deny policy, the submission will fail even if the server IP is correctly configured. The administrator should verify that traffic to the FortiSandbox IP on UDP/TCP 514 is permitted by all relevant policies.

Exam trap

The trap here is that candidates often assume the issue is with the FortiSandbox configuration (licensing or file support) rather than a basic network connectivity problem, especially since the FortiGate's own policy may not show a block if the blocking occurs upstream.

How to eliminate wrong answers

Option B is wrong because FortiSandbox licensing is not required for file submission; licensing is only needed for cloud-based FortiSandbox or advanced features, and the question does not specify a cloud deployment. Option C is wrong because unsupported file types would be skipped or logged, not prevent all files from being submitted; the issue is that no files are being submitted at all. Option D is wrong because flow-based inspection does not block file submission to FortiSandbox; it affects how antivirus scanning is performed but does not impact the connectivity or submission protocol to the sandbox.

597
MCQ · hard

A FortiGate administrator configures a ZTNA rule with inline CASB to control access to a SaaS application. Users can access the application but the CASB controls are not being applied. What is the most likely reason?

A.The firewall policy is configured for flow-based inspection
B.SSL inspection is not enabled
C.The CASB profile is not applied to the ZTNA rule
D.The SaaS application is not supported by FortiGate CASB
Answer: A

Inline CASB requires proxy-based inspection; flow-based mode bypasses CASB processing.

Why this answer

Inline CASB requires a proxy-based firewall policy that intercepts traffic to the SaaS application. If the policy is using flow-based inspection, CASB will not be invoked. Inline CASB works only with proxy-based inspection.

598
MCQ · easy

Which of the following best describes the function of FortiDeceptor in an enterprise network?

A.It provides endpoint detection and response (EDR) capabilities on workstations.
B.It deploys decoys and lures to detect attackers inside the network.
C.It acts as a web application firewall for protecting web servers.
D.It provides sandboxing for advanced malware analysis.
Answer: B

FortiDeceptor uses deception technology to detect lateral movement.

599
Multi-Select · medium

An administrator notices that some traffic through the FortiGate is not being inspected by the application control profile. Which TWO reasons could explain this? (Choose two.)

Select 2 answers
A.The inspection mode is set to proxy-based
B.The application control signatures are outdated
C.The FortiGate has high memory usage
D.The application control profile is disabled
E.Traffic matches a different policy without the application control profile
Answers: A, E

Application control works only in flow-based mode.

Why this answer

Options A and E are correct. If the policy uses proxy-based inspection mode (A), application control may not work correctly. If the traffic matches a policy before the one carrying the profile (E), it bypasses inspection.

Options B and D are not the reason here. Option C would affect all traffic, not only some of it.

600
MCQ · hard

An administrator configures an HA cluster with two FortiGates using an FGCP active-passive configuration. After a failover, the new primary FortiGate shows all sessions are lost. The administrator has 'sync session' enabled in the HA configuration. What is the MOST likely reason sessions were not synchronized?

A.The HA heartbeat interface is overloaded, causing session synchronization packets to be dropped
B.The passive unit's 'session-pickup' setting is disabled
C.The 'failover-monitor' interface is down on the active unit, preventing session sync
D.The 'session-ttl' setting is set to zero on the active unit
Answer: A

Session synchronization uses the heartbeat link; if it is overloaded or has high latency, session sync packets can be lost, leading to session loss after failover.

Why this answer

Option A is correct because session synchronization relies on the heartbeat link; congestion on that link can cause loss of session sync packets, leading to session loss during failover.
