Fortinet NSE 7 Advanced Security NSE7 (NSE7) — Questions 601–675

1000 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601 · Multi-Select · hard

A FortiGate is configured with OSPF and multiple areas. The administrator wants to prevent type 3 LSAs from entering a specific area, while still allowing inter-area routing. Which TWO configurations can achieve this?

Select 3 answers
A. Configure the area as a stub area
B. Configure the area as an NSSA
C. Use an area filter list with 'prefix-list' to deny specific prefixes
D. Set the OSPF network type to point-to-multipoint
E. Configure the area as a totally stubby area
Answers: A, C, E

Stub areas block type 5 LSAs, but do they also prevent type 3 LSAs from entering? Actually, stub areas block type 5 but allow type 3. To block type 3, use an NSSA or a totally stubby area. Option A is not fully correct and needs to be reconsidered.

Why this answer

Type 3 LSAs are summary LSAs. To block them, you can configure the area as a stub area (which blocks type 5 as well) or use an area filter list to filter specific prefixes.

602 · Multi-Select · hard

An organization uses FortiGate with OSPF and BGP. Recently, routes from BGP are not being preferred over OSPF routes, causing suboptimal routing. The administrator wants to ensure BGP routes are preferred. Which two actions can achieve this? (Choose two.)

Select 2 answers
A. Decrease the administrative distance of BGP routes to 5.
B. Configure route-map to set metric to 1 on BGP routes.
C. Increase the administrative distance of OSPF routes to 120.
D. Set a higher weight on BGP routes for the prefixes.
Answers: A, C

Decreasing BGP AD to 5 makes it more preferred over OSPF AD 110.

Why this answer

Option A is correct because decreasing the administrative distance (AD) of BGP routes to 5 makes them more trustworthy than OSPF routes (default AD 110). Since a lower AD is preferred, BGP routes will be installed in the routing table over OSPF routes, ensuring BGP is preferred for forwarding decisions.

Exam trap

The trap here is that candidates confuse inter-protocol route selection (governed by administrative distance) with intra-protocol BGP path selection attributes (like weight, local preference, or metric), leading them to incorrectly choose options that modify BGP-specific attributes that have no effect on OSPF vs. BGP preference.

603 · Multi-Select · hard

Which THREE actions should be taken to optimize FortiGate ATP performance while maintaining security?

Select 3 answers
A. Implement allow lists for trusted IP addresses to bypass scanning
B. Disable unnecessary security profiles to reduce CPU load
C. Enable proxy-based inspection for all traffic
D. Enable flow-based inspection for antivirus and IPS
E. Use SSL certificate inspection only for trusted categories
Answers: A, D, E

Bypassing scanning for trusted sources improves performance.

Why this answer

Implementing allow lists for trusted IP addresses to bypass scanning (Option A) reduces unnecessary processing of traffic that is known to be safe, thereby optimizing FortiGate ATP performance without compromising security. This approach leverages the FortiGate's ability to exempt trusted sources from deep inspection, which lowers CPU and memory load while maintaining protection for untrusted traffic.

Exam trap

The trap here is that candidates often assume disabling security profiles (Option B) is acceptable for performance optimization, but the question explicitly requires maintaining security, making this a violation of the core constraint.

604 · MCQ · hard

A FortiGate is deployed with two ISPs and SD-WAN. The organization uses OSPF to exchange routes with a remote branch. The administrator notices that the FortiGate is not installing OSPF-learned routes into the routing table. The OSPF configuration is verified to be correct, and neighbors are established. Which configuration could be causing the issue?

A. The SD-WAN health-check is configured with 'update-static-route' and is overriding OSPF routes.
B. The administrative distance of OSPF is set to 200, which is higher than the default 110.
C. A distribute-list configured under OSPF is filtering the routes from being installed.
D. The OSPF interface is configured as 'passive', which prevents route exchange.
Answer: C

A distribute-list in OSPF can filter which routes are installed into the routing table, even if neighbors are up.

Why this answer

Option C is correct because a distribute-list applied under OSPF can filter routes from being installed into the routing table even when OSPF neighbors are fully established and the OSPF database contains the routes. This is a common cause of routes being learned but not installed, as the filter operates after the SPF calculation and before route insertion.

Exam trap

The trap here is that candidates assume OSPF neighbors being up and routes appearing in the OSPF database guarantee route installation, but a distribute-list can silently block installation without affecting neighbor adjacency or the LSDB.

How to eliminate wrong answers

Option A is wrong because the SD-WAN health-check with 'update-static-route' only affects static routes, not OSPF-learned routes; it cannot override OSPF routes in the routing table. Option B is wrong because the default administrative distance for OSPF is 110, and setting it to 200 would make OSPF routes less preferred but would not prevent them from being installed if no better route exists; the question states routes are not installed at all, not that they are overridden. Option D is wrong because a passive OSPF interface prevents sending or receiving OSPF hellos and thus prevents neighbor formation, but the question states neighbors are established, so passive configuration cannot be the issue.

605 · MCQ · medium

A FortiGate is configured with multiple VRF instances. The administrator needs to ensure that traffic from VRF 10 can reach a server in VRF 20. Which configuration is required?

A. Enable inter-VRF routing by setting 'vrf-leak enable' on the VRF instances
B. Configure a firewall policy that allows traffic between the VRFs
C. Place both interfaces in the same VRF
D. Use static routes with the appropriate VRF tags to leak routes between VRFs
Answer: D

Route leaking can be done with static routes or redistribution.

Why this answer

To route between VRFs, you must configure route leaking. This is done using 'config router leak' or by using route redistribution with VRF tags. Without route leaking, VRFs are isolated.

606 · MCQ · medium

A FortiGate is running OSPF with multiple areas. The administrator needs to redistribute a static route into OSPF. Which command will correctly configure redistribution of static routes into OSPF process 10?

A. config router ospf config redistribute edit static set status enable next end end
B. config router policy set redistribute static end
C. config router static set redistribute ospf end
D. config router ospf set redistribute static enable end
Answer: D

This is the correct syntax to enable redistribution of static routes into OSPF.

607 · Multi-Select · hard

A FortiGate is configured with BGP to an SD-WAN member link. The administrator wants to prefer one link over another for specific routes based on AS path length. Which THREE configurations can influence BGP path selection? (Choose three.)

Select 3 answers
A. Set the metric (MED) to a lower value on the desired link.
B. Use a route map to prepend AS numbers to the AS path for the less preferred link.
C. Configure the 'set aspath' command in a route map to change the AS path.
D. Set a higher local preference on the desired link.
E. Configure weight on the neighbor to prefer routes from that neighbor.
Answers: B, D, E

AS path prepending makes the path longer, thus less preferred.

608 · Multi-Select · easy

An administrator wants to enforce that only devices with the latest antivirus signatures and a corporate disk encryption solution can access a sensitive application via ZTNA. Which two FortiClient EMS components must be configured? (Choose two.)

Select 2 answers
A. Device posture checks
B. VPN tunnels
C. SAML SSO
D. ZTNA tags
Answers: A, D

Device posture checks verify compliance criteria like AV signatures and encryption.

Why this answer

ZTNA tags define compliance requirements, and device posture checks evaluate endpoint security state. Together they enable conditional access based on endpoint compliance.

609 · Drag & Drop · medium

Drag and drop the steps to configure a FortiGate as a DHCP server into the correct order.


Why this order

Select interface, enable DHCP, set scope, configure options, then apply.

610 · MCQ · medium

An administrator configures inter-VDOM routing between VDOMs A and B. Both VDOMs are on the same FortiGate. The admin creates a policy allowing traffic from VDOM A to VDOM B. Traffic from VDOM A to VDOM B fails. What is the most likely cause?

A. VDOM A and VDOM B must be in the same administrative VDOM
B. The VDOMs are in transparent mode
C. There is no firewall policy in VDOM B to allow the return traffic
D. The inter-VDOM link is not configured
Answer: C

Inter-VDOM traffic requires policies in both VDOMs. The policy in VDOM A allows traffic to VDOM B, but a policy in VDOM B must permit the return traffic.

Why this answer

In a FortiGate inter-VDOM routing setup, traffic initiated from VDOM A to VDOM B requires a firewall policy in VDOM B to permit the return traffic. Without this policy, the FortiGate's stateful inspection engine drops the return packets because no session exists in VDOM B's session table. This is a common misconfiguration where administrators only create a policy in the source VDOM.

Exam trap

The trap here is that candidates assume a single policy in the source VDOM is sufficient, overlooking that FortiGate's stateful inspection requires explicit policies in both VDOMs for bidirectional traffic flow.

How to eliminate wrong answers

Option A is wrong because administrative VDOMs are a management concept and do not affect inter-VDOM routing; VDOMs A and B can be in different administrative domains. Option B is wrong because transparent mode VDOMs can still participate in inter-VDOM routing if configured with inter-VDOM links, and the question does not indicate transparent mode is the issue. Option D is wrong because the administrator explicitly configured inter-VDOM routing, implying the inter-VDOM link is already set up; the failure is due to missing return traffic policy, not the link itself.

611 · MCQ · easy

Which Fortinet product is designed specifically to detect and deceive attackers by creating decoy systems and luring them away from real assets?

A. FortiDeceptor
B. FortiSandbox
C. FortiEDR
D. FortiWeb
Answer: A

FortiDeceptor uses decoys to detect and divert attackers.

Why this answer

FortiDeceptor is Fortinet's dedicated deception-based threat detection solution. It creates realistic decoy systems (honeypots) and lures attackers away from real assets, providing early detection and threat intelligence without relying on signatures. This aligns with the question's specific requirement for a product designed to detect and deceive attackers using decoys.

Exam trap

The trap here is that candidates often confuse FortiSandbox's sandboxing (which also uses isolated environments) with deception technology, but sandboxing analyzes files while deception lures attackers with decoys.

How to eliminate wrong answers

Option B (FortiSandbox) is wrong because it is a malware analysis and detection platform that executes suspicious files in a sandboxed environment to identify threats, not a deception technology that creates decoy systems. Option C (FortiEDR) is wrong because it focuses on endpoint detection, response, and real-time threat hunting on endpoints, not on deploying decoys to lure attackers. Option D (FortiWeb) is wrong because it is a web application firewall (WAF) that protects web servers from application-layer attacks, not a deception-based system for luring attackers away from assets.

612 · MCQ · hard

A network engineer is designing a FortiGate HA cluster with two units operating in active-active mode. The cluster will be placed in a VDOM-enabled environment. The engineer wants to ensure that traffic from a specific VDOM is load-balanced across both units based on source IP address. Which setting must be configured on the cluster to achieve this?

A. Configure randomize-vip under config system ha
B. Configure a virtual cluster with load-balance method source IP
C. Configure vdom-load-balance under config system ha
D. Enable session pickup and set session-pickup-delay to 0
Answer: B

Virtual cluster with load-balance method distributes traffic per source IP.

Why this answer

In a VDOM-enabled active-active HA cluster, per-VDOM load balancing is achieved by configuring a virtual cluster and setting the load-balance method to source IP. This allows the cluster to distribute traffic for that specific VDOM across both units based on the source IP hash, ensuring session persistence while balancing the load.

Exam trap

The trap here is that candidates often confuse 'vdom-load-balance' with a real command, or assume that session pickup alone can distribute traffic, when in fact virtual clusters with an explicit load-balance method are required for per-VDOM source IP-based load balancing.

How to eliminate wrong answers

Option A is wrong because 'randomize-vip' randomizes the unit that handles traffic for a virtual IP (VIP) across the cluster, but it does not provide per-VDOM source IP-based load balancing; it is used for VIP load distribution without VDOM awareness. Option C is wrong because 'vdom-load-balance' is not a valid command under 'config system ha'; the correct approach is to use virtual clusters with a specified load-balance method. Option D is wrong because session pickup and session-pickup-delay relate to session synchronization and failover behavior, not to load balancing traffic across units in active-active mode.

613 · MCQ · hard

An SD-WAN rule has two members: port1 (SLA target latency < 10ms) and port2 (SLA target latency < 20ms). The administrator runs 'diagnose sys sdwan sla-check' and sees that both members meet SLA. However, all traffic is going through port2. What is the MOST likely reason?

A. The SD-WAN strategy is set to 'load balancing' and the load balancing algorithm is 'spillover'
B. The SD-WAN strategy is set to 'manual'
C. The SD-WAN rule is configured with 'set service' that does not match the traffic
D. The 'update-static-route' is disabled on the SD-WAN
Answer: C

If the rule's service (application) does not match the traffic, the rule is not applied, and traffic uses the default route or another rule.

Why this answer

SD-WAN uses a strategy to select the best path. If the strategy is set to 'best quality' or 'lowest latency', it should prefer the lower latency path. But if the strategy is 'load balancing' or 'manual', it might not automatically prefer port1.

The most common cause is that the strategy does not consider SLA, or the load balancing mode distributes traffic regardless of SLA.

614 · MCQ · hard

A FortiGate administrator notices that the traffic log shows sessions being dropped due to 'policy deny' even though a permit policy exists. The administrator checks the policy list and sees the policy is in the correct order. What could be a reason for this?

A. The session is already established and the policy change is not applied to existing sessions
B. The policy is disabled
C. The policy has an incorrect schedule
D. The traffic is being processed by a different VDOM than expected
Answer: D

If traffic is entering the wrong VDOM, it may not match the intended policy.

Why this answer

Option D is correct because FortiGate VDOMs operate as independent virtual firewalls with separate routing and policy tables. If traffic enters a VDOM that does not contain the permit policy, the FortiGate will evaluate it against the policies within that VDOM only, resulting in a 'policy deny' drop even though a permit policy exists in a different VDOM. The administrator must verify that the traffic is being processed by the correct VDOM, typically by checking the ingress interface's VDOM association.

Exam trap

The trap here is that candidates assume a permit policy anywhere in the system applies to all traffic, forgetting that VDOMs create strict administrative boundaries where policies are not shared or visible across VDOMs.

How to eliminate wrong answers

Option A is wrong because existing sessions are not affected by policy changes; the question states the traffic log shows sessions being dropped, implying new sessions are being evaluated against the current policy set, not that old sessions are being disrupted. Option B is wrong because if the policy were disabled, it would not appear in the policy list as a permit policy, or the administrator would have noticed it is grayed out or marked as disabled in the GUI; the question explicitly says a permit policy exists. Option C is wrong because an incorrect schedule would cause the policy to be inactive at the time of the traffic, but the traffic log would typically show 'policy deny (schedule)' or a similar specific message, not a generic 'policy deny'; moreover, the administrator would likely check the schedule as part of troubleshooting.

615 · MCQ · medium

An administrator configures a prefix list to filter routes received from a BGP neighbor. The prefix list permits 192.168.0.0/16 le 24. Which routes are permitted?

A. Only routes with prefix length exactly 16 within 192.168.0.0/16
B. Only routes with prefix length exactly 24 within 192.168.0.0/16
C. Any route with prefix length greater than 24 within 192.168.0.0/16
D. Any route with prefix length between 16 and 24 inclusive, starting with 192.168
Answer: D

The prefix list allows 192.168.0.0/16 and any more specific route up to /24 (i.e., le 24).

616 · MCQ · hard

A FortiGate has two VDOMs: Sales and Engineering. The admin wants to allow the Engineering VDOM to manage the Sales VDOM's administrator accounts. What configuration is required?

A. Set the management VDOM to Engineering and configure Sales to accept admin connections from Engineering's IP
B. Use inter-VDOM routing to forward admin traffic
C. Enable VDOM sharing on the local-in policy
D. Create a super_admin account in Sales VDOM
Answer: A

This allows Engineering to manage Sales admins.

Why this answer

To allow the Engineering VDOM to manage the Sales VDOM's administrator accounts, the management VDOM must be set to Engineering, and the Sales VDOM must be configured to accept admin connections from Engineering's IP address. This is done via the 'set management-vdom' command under the Sales VDOM and ensuring the Sales VDOM's local-in policy permits HTTPS/SSH traffic from the Engineering VDOM's management IP. This enables cross-VDOM administrative management without requiring inter-VDOM routing or shared policies.

Exam trap

The trap here is that candidates confuse inter-VDOM routing (data plane) with management-plane cross-VDOM admin access, leading them to select Option B, or they assume a super_admin account in the target VDOM is sufficient, missing the requirement for the management VDOM to be set on the source VDOM.

How to eliminate wrong answers

Option B is wrong because inter-VDOM routing forwards data traffic between VDOMs, not management or administrative control traffic; admin connections use the management plane, not the data plane. Option C is wrong because VDOM sharing on a local-in policy does not exist; local-in policies control traffic destined to the FortiGate itself, and VDOM sharing is a separate feature for resources like routes or firewall policies, not for admin access. Option D is wrong because a super_admin account in the Sales VDOM would only grant full privileges within Sales, not allow the Engineering VDOM to manage Sales accounts; cross-VDOM admin management requires the management VDOM configuration.

617 · Multi-Select · medium

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish Phase 1. The debug output shows 'no acceptable proposal'. Which TWO configuration parameters should be checked to resolve this issue?

Select 2 answers
A. Encryption algorithm
B. Diffie-Hellman group
C. IKE version
D. Pre-shared key
E. Local and remote subnets
Answers: A, B

Mismatched encryption algorithms cause proposal failure.

Why this answer

Phase 1 proposal mismatch is typically due to differences in encryption algorithms, authentication methods, Diffie-Hellman groups, or key lifetimes.

618 · MCQ · hard

A company runs a FortiGate 600E in NAT/Route mode. They have a site-to-site VPN to a partner using route-based VPN with BGP. Recently, they added a new subnet 192.168.50.0/24 behind the FortiGate. The BGP session is up, and the route is being advertised to the partner. However, traffic from the partner to the new subnet fails. The FortiGate's routing table shows the route to 192.168.50.0/24 is present via the VPN interface. Firewall policies allow the traffic. A packet capture on the FortiGate's internal interface shows the partner's traffic arriving but no SYN-ACK being sent back. The FortiGate's session table shows sessions in 'SYN_RECV' state for the new subnet. What is the most likely cause?

A. The reverse path forwarding (RPF) check is dropping the incoming SYN.
B. The firewall policy is not configured with the correct source interface.
C. The BGP route advertisement is being filtered by a route map on the partner side.
D. The Phase 2 selector for the VPN does not include the new subnet, so the FortiGate does not encrypt the reply traffic.
Answer: D

The SYN is received but the return traffic cannot be encrypted because the Phase 2 selector does not match the new subnet, causing asymmetric routing.

Why this answer

The correct answer is D. In a route-based VPN, the Phase 2 selectors define which traffic is allowed to be encrypted and decrypted. Even though BGP advertises the new subnet 192.168.50.0/24, if the Phase 2 selector on either side does not include this subnet, the FortiGate will not encrypt the reply traffic.

The packet capture shows the SYN arriving, but no SYN-ACK is sent because the FortiGate cannot find a matching Phase 2 proposal to encrypt the response, causing the session to remain in SYN_RECV state.

Exam trap

The trap here is that candidates assume BGP route advertisement alone ensures traffic flow, overlooking that IPsec Phase 2 selectors must explicitly match the new subnet for encryption to occur.

How to eliminate wrong answers

Option A is wrong because the RPF check would drop the incoming SYN packet itself, but the packet capture shows the SYN arriving successfully, and the session table shows SYN_RECV, indicating the SYN was accepted and a SYN-ACK should be generated. Option B is wrong because the firewall policy is already allowing the traffic (as stated), and the source interface is correctly set to the VPN interface; otherwise, the SYN would not have been processed and the session would not be in SYN_RECV. Option C is wrong because the BGP route is being advertised and the BGP session is up; if a route map were filtering the advertisement, the partner would not have the route to 192.168.50.0/24, but the FortiGate's routing table shows the route is present, and the partner's traffic is reaching the FortiGate.

619 · MCQ · easy

An administrator wants to ensure that FortiGate validates the identity of the remote VPN peer using a certificate during IKEv2 phase 1. Which authentication method should the administrator select in the IPsec phase 1 configuration?

A. Aggressive mode
B. Pre-shared key
C. EAP
D. Signature (RSA)
Answer: D

Signature authentication uses digital certificates to verify identity.

Why this answer

IKEv2 supports certificate-based authentication (RSA signature) for peer identity verification.

620 · Multi-Select · medium

An administrator is troubleshooting a FortiGate in transparent mode. The FortiGate is not forwarding traffic between two segments connected to port1 and port2. The administrator checks the interface configuration. Which TWO configurations are REQUIRED for a transparent mode VDOM to forward traffic? (Choose two.)

Select 2 answers
A. Spanning Tree Protocol (STP) must be enabled on both interfaces
B. Both interfaces must be assigned IP addresses in the same subnet
C. Both interfaces must be members of the same hardware switch (or software bridge)
D. A firewall policy must allow all traffic between the two interfaces
E. The VDOM must be configured in transparent mode
Answers: C, E

Traffic is forwarded between interfaces that are part of the same bridge.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge, so traffic must be switched between interfaces. Both interfaces must be members of the same hardware switch or software bridge to create a single broadcast domain, allowing frames to be forwarded based on MAC addresses. Without this, the interfaces are isolated and cannot forward traffic at Layer 2.

Exam trap

The trap here is that candidates often think IP addressing or firewall policies are the primary requirements for forwarding, but in transparent mode, the critical Layer 2 bridging configuration is what enables traffic to pass between interfaces.

621 · MCQ · medium

An administrator needs to ensure that all firewall policies in a FortiGate VDOM have a common set of inspection profiles added at the end of the policy list. Which FortiManager feature best achieves this?

A. ADOM overrides
B. Central SNAT
C. Revision history
D. Policy package header/footer policies
Answer: D

Why this answer

Policy package header/footer policies in FortiManager allow you to define a set of policies that are automatically appended (or prepended) to every policy package within an ADOM or VDOM. This ensures that all firewall policies in the VDOM share a common set of inspection profiles at the end of the policy list, without manually editing each policy. It is the only feature designed specifically for this use case.

Exam trap

The trap here is that candidates often confuse ADOM overrides (which manage per-ADOM exceptions) with the ability to insert common policies, but only header/footer policies guarantee automatic placement at the end of every policy list in a VDOM.

How to eliminate wrong answers

Option A is wrong because ADOM overrides are used to apply configuration changes across multiple ADOMs or VDOMs, not to insert common inspection profiles at the end of a policy list. Option B is wrong because Central SNAT is a feature for centralized source NAT policy management, unrelated to inspection profiles or policy ordering. Option C is wrong because Revision history is a versioning and rollback feature, not a mechanism for adding common policies or profiles.

622 · MCQ · easy

A network administrator needs to configure SD-WAN on a FortiGate to distribute traffic across two WAN links based on session count. Which load balancing algorithm should be selected in the SD-WAN rule?

A. Volume
B. Lowest-cost
C. Spillover
D. Sessions
Answer: D

Sessions algorithm balances based on the number of active sessions.

Why this answer

The 'sessions' algorithm distributes new sessions across members proportionally to the number of active sessions, achieving session-based load balancing.

623 · MCQ · medium

A company has deployed a Security Fabric with a root FortiGate 600E and two downstream FortiGate 200E devices. The network also includes a FortiAnalyzer and a FortiManager. The administrator notices that the Security Fabric topology in FortiGate is not showing the downstream devices. The root FortiGate can ping the management IPs of the downstream devices. Additionally, the administrator has configured the downstream devices with the correct root IP and authorization mode is set to 'none'. However, when running 'diagnose sys fabric list' on the root, it shows the downstream devices with status 'Pending'. The root FortiGate's firewall policy allows all traffic from the downstream subnets. What is the most likely cause of the issue?

A. The downstream devices are missing the root FortiGate's serial number in the 'downstream-authorization' configuration.
B. The FortiAnalyzer is not configured to receive logs from the downstream devices.
C. The downstream devices are using a different management port than the root.
D. The root FortiGate's firewall policy is blocking the downstream devices' Fabric traffic.
Answer: A

When authorization mode is 'none', the root does not automatically authorize; the downstream must have the root's serial in the configuration.

Why this answer

The 'Pending' status in the output of 'diagnose sys fabric list' indicates that the root FortiGate has discovered the downstream devices but they have not completed the authorization handshake. Even though the authorization mode is set to 'none', each downstream FortiGate must still have the root FortiGate's serial number explicitly listed in its 'downstream-authorization' configuration to be accepted into the Security Fabric. Without this entry, the root will not finalize the adjacency, leaving the downstream devices in a pending state.

Exam trap

The trap here is that candidates assume setting authorization mode to 'none' removes all authorization requirements, but in reality, the downstream device must still explicitly list the root's serial number to complete the Fabric handshake.

How to eliminate wrong answers

Option B is wrong because FortiAnalyzer log reception is irrelevant to Security Fabric topology discovery; the Fabric adjacency is established between FortiGates via TCP port 8013/8014, independent of logging. Option C is wrong because the management port mismatch would prevent ping and connectivity, but the root can already ping the downstream devices, proving Layer 3 reachability regardless of the port used for management. Option D is wrong because the root's firewall policy already allows all traffic from the downstream subnets, and Fabric heartbeat traffic (TCP/8013) is permitted by default; the issue is not a firewall block but an authorization configuration gap.

624 · MCQ · medium

A FortiGate is configured as a SAML identity provider (IdP) for a partner's SaaS application (SP). Users authenticate via FortiGate's local user database. The administrator successfully tests the SAML flow, but after some time, users are prompted to re-authenticate frequently. What is the most likely cause?

A. The FortiGate's SAML service provider certificate has expired
B. The SAML assertion lifetime is configured too short
C. The FortiGate's clock is not synchronized with NTP
D. The SP is using HTTP-POST binding instead of redirect
Answer: B

The assertion lifetime controls how long the SAML assertion is valid. If set too low, users need to re-authenticate when it expires.

Why this answer

SAML assertions have a validity period. If the IdP (FortiGate) sets a short assertion lifetime or the SP's session timeout is shorter, users will be prompted to re-authenticate. The most common cause is the assertion lifetime being too short.

625 · MCQ · hard

An administrator is configuring ZTNA inline CASB for a SaaS application. The goal is to block upload of files containing credit card numbers. Which configuration components are required?

A. Use FortiClient to enforce DLP on endpoints
B. Configure an IPsec VPN between FortiGate and the SaaS provider
C. Configure a ZTNA application with a CASB profile and SSL inspection
D. Configure a web filter profile with DLP sensor
Answer: C

CASB requires the proxy to decrypt traffic and apply CASB policies.

Why this answer

ZTNA inline CASB uses a ZTNA proxy with SSL inspection and a CASB profile that includes a data leak prevention (DLP) rule to detect credit card numbers.

626 · MCQ · medium

A FortiGate is managed by FortiManager. The administrator creates a new policy package for VDOM 'Sales' and installs it. Later, they find that the previous configuration has been overwritten. What should the administrator do to avoid this in the future?

A.Set the FortiGate to backup mode
B.Enable auto-lock on the policy package
C.Use the install preview before applying the changes
D.Enable revision history
AnswerC

Correct.

Why this answer

Option C is correct because using the install preview allows the administrator to review the exact changes that will be applied to the FortiGate before committing them. This prevents accidental overwrites by showing a diff of the configuration, enabling the administrator to verify that the new policy package will not replace existing settings unintentionally.

Exam trap

The trap here is that candidates confuse revision history (which is post-hoc) with install preview (which is proactive), or mistakenly think auto-lock prevents overwrites when it only serializes administrative edits.

How to eliminate wrong answers

Option A is wrong because backup mode on FortiGate is used for disaster recovery or firmware upgrades, not for preventing configuration overwrites during policy package installation from FortiManager. Option B is wrong because auto-lock on a policy package prevents concurrent edits by multiple administrators, but does not prevent the installation process from overwriting the existing configuration. Option D is wrong because revision history tracks changes over time for rollback purposes, but does not provide a pre-installation review to avoid overwriting the current configuration.

627
Multi-Selectmedium

A network admin needs to configure a FortiGate to load balance traffic across two ISP links using SD-WAN. The requirement is to use both links simultaneously for different sessions based on source-destination IP hash. Which two settings are required? (Select TWO.)

Select 2 answers
A.Create an SD-WAN zone with both WAN members
B.Configure an SD-WAN rule with load balancing algorithm 'source-dest-ip-hash'
C.Add a performance SLA for each member
D.Set the rule strategy to 'best quality'
E.Enable 'spillover' under the SD-WAN rule
AnswersA, B

Members must be added to the SD-WAN zone.

628
MCQmedium

An administrator runs the following command on a FortiGate: 'diagnose sys session filter dport 443', and sees the output 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A.The session is fully established and has been active for 1 hour
B.The session will expire in 3600 seconds and has been active for 3599 seconds
C.The session is in a TCP SYN-SENT state and has not completed the three-way handshake
D.The session is using UDP on port 443
AnswerC

proto_state=01 corresponds to TCP SYN-SENT (the first packet). The handshake is incomplete.

Why this answer

The output shows 'proto=6' (TCP) and 'proto_state=01', which in FortiGate's session table corresponds to TCP state SYN-SENT (the first step of the three-way handshake). The 'duration=3600' indicates the session has existed for 3600 seconds, but 'expire=3599' shows it will expire in 3599 seconds because the handshake was never completed. This confirms the session is not fully established, making option C correct.

Exam trap

The trap here is that candidates confuse the 'duration' and 'expire' values or assume 'proto=6' and a long duration imply an established session, but FortiGate's 'proto_state' field is the key to identifying the TCP handshake phase.

How to eliminate wrong answers

Option A is wrong because 'proto_state=01' indicates TCP SYN-SENT, not an established connection; a fully established TCP session would show 'proto_state=02' (ESTABLISHED). Option B is wrong because it misinterprets the fields: 'duration=3600' is the time the session has been active (3600 seconds), and 'expire=3599' is the remaining time before timeout, not the other way around. Option D is wrong because 'proto=6' explicitly indicates TCP, not UDP; UDP would show 'proto=17'.

629
Multi-Selectmedium

A FortiGate is experiencing high memory usage due to a large number of UDP sessions. The administrator wants to reduce memory consumption without dropping legitimate traffic. Which THREE actions could help? (Choose three.)

Select 3 answers
A.Increase the maximum session limit
B.Enable session-ttl to enforce idle timeout
C.Reduce the UDP session timeout
D.Disable unnecessary session helpers for UDP
E.Upgrade the FortiGate hardware
AnswersB, C, D

Session-ttl removes sessions that exceed idle time.

Why this answer

High session memory can be mitigated by reducing session timeouts, enabling session-ttl, or using session helper timeouts. Increasing memory is not practical, and filtering sessions may drop legitimate traffic.

630
MCQhard

An administrator deploys a FortiGate in transparent mode with two VDOMs: one for the internal network and one for DMZ. The admin notices that ARP requests from internal hosts are not reaching the DMZ servers even though they are on the same VLAN. What is the most likely cause?

A.The FortiGate is not configured to proxy ARP
B.VDOMs in transparent mode are isolated layer 2 domains; inter-VDOM routing is required for communication
C.The internal and DMZ VDOMs are in different VLANs on the same physical interface
D.Transparent mode does not support VDOMs
AnswerB

Correct. VDOMs separate broadcast domains.

Why this answer

In transparent mode, each VDOM acts as an independent Layer 2 forwarding domain with its own MAC address table and VLAN database. ARP requests are broadcast frames that are confined to the VDOM where they originate; they are not forwarded to other VDOMs. Therefore, even if the internal and DMZ interfaces are on the same VLAN, the ARP request from an internal host will never reach a DMZ server unless inter-VDOM routing (Layer 3 forwarding between VDOMs) is explicitly configured.

Exam trap

The trap here is that candidates assume transparent mode operates as a simple bridge that forwards all Layer 2 traffic between all interfaces, forgetting that VDOMs create strict Layer 2 isolation boundaries even in transparent mode.

How to eliminate wrong answers

Option A is wrong because proxy ARP is a Layer 3 feature used to respond to ARP requests on behalf of another device, and it is not required for Layer 2 forwarding within the same VLAN; the issue here is Layer 2 isolation between VDOMs. Option C is wrong because the scenario states the hosts are on the same VLAN, and VDOMs in transparent mode can share the same physical interface with different VLANs, but that would not cause ARP requests to fail between VDOMs—the failure is due to VDOM isolation, not VLAN mismatch. Option D is wrong because transparent mode fully supports VDOMs; in fact, VDOMs are commonly used in transparent mode to segment Layer 2 traffic.

631
MCQmedium

An administrator runs 'diagnose debug application ssl-helper -1' and sees that sessions to certain HTTPS sites are being terminated by the FortiGate. What is the MOST likely cause?

A.The FortiGate's certificate authority (CA) certificate has expired, causing SSL inspection to fail
B.The antivirus profile is blocking the HTTPS connections due to a virus signature match
C.The FortiGate is performing TCP RST injection due to a mismatch in the SSL/TLS handshake as part of deep inspection
D.The SSL deep inspection policy is set to 'certificate-inspection' which blocks sessions with mismatched certificates
AnswerC

The ssl-helper process performs deep inspection by injecting RST packets when the handshake is invalid or certificate errors occur, causing session termination.

Why this answer

Option C is correct because ssl-helper is involved in deep inspection and can terminate sessions by sending RST packets when handshake issues are detected.

632
MCQmedium

In a hub-and-spoke VPN using OSPF over the overlay, the hub FortiGate learns routes from spoke1 and advertises them to spoke2. However, spoke2's routing table shows the route with a next-hop of the hub's tunnel IP, not spoke1's tunnel IP. What should the administrator configure to allow spoke2 to reach spoke1 directly (using ADVPN shortcut)?

A.Increase the OSPF metric on the hub's loopback interface
B.Configure the hub as an OSPF route reflector
C.Enable 'set auto-discovery-sender' on both spokes' phase 1
D.Disable OSPF on the hub and use static routes instead
AnswerC

Spokes must be configured as auto-discovery senders to initiate shortcut tunnels.

Why this answer

To enable direct spoke-to-spoke communication, ADVPN must be enabled and the OSPF configuration should not prevent the shortcut.

633
MCQmedium

An organization uses FortiWeb to protect its web applications. The security team wants to block requests that contain a specific custom pattern in the URL. Which feature should be used?

A.Inline Protection Profile
B.Custom Attack Signature
C.URL Access Rule
D.Web Application Firewall Policy
AnswerB

Custom signatures define patterns to block.

Why this answer

FortiWeb allows creating custom attack signatures to match specific patterns in requests.

634
MCQmedium

A network engineer is configuring SD-WAN on a FortiGate. They have three WAN interfaces (wan1, wan2, lte) and want traffic to the primary datacenter (10.10.10.0/24) to use wan1 unless its latency exceeds 50 ms, in which case failover to wan2. The engineer created an SD-WAN rule with a strategy of 'Manual' and selected 'wan1' as the preferred member. What additional configuration is required to achieve automatic failover based on latency?

A.Create a route map to prefer wan1 and apply it to the SD-WAN rule.
B.Set the SD-WAN rule strategy to 'Best Quality' and select latency as the metric.
C.Enable BFD on wan1 and wan2 with a minimum interval of 50 ms.
D.Configure a performance SLA for wan1 with a latency threshold of 50 ms and associate it with the SD-WAN rule.
AnswerD

The performance SLA measures latency and triggers failover when the threshold is exceeded.

Why this answer

For automatic failover based on latency, a performance SLA must be configured to measure latency on wan1. The SD-WAN rule uses the SLA to determine whether the preferred member meets the threshold; if not, traffic switches to the next available member. Option D correctly identifies this requirement.

635
MCQeasy

What is the primary purpose of Content Disarm and Reconstruction (CDR) in advanced antivirus protection?

A.To detect and block known malware using signature-based detection
B.To reconstruct files by removing potentially malicious active content such as macros and scripts
C.To submit files to FortiSandbox for behavioral analysis
D.To encrypt files in transit to prevent interception
AnswerB

CDR strips active content and rebuilds files to prevent exploits.

636
MCQeasy

A FortiGate administrator sees the following kernel log: 'kernel: [pid 1234] received packet with unknown or unsupported protocol 0x0800 on interface port1, drop'. What does this log indicate?

A.The packet is an ARP request that failed.
B.The packet has an invalid MAC address.
C.The interface is not configured with an IP address or is in the wrong VDOM.
D.The packet has IP options set that are not supported.
AnswerC

The kernel drops packets when the interface is not configured to handle that protocol.

Why this answer

The kernel log indicates that the interface port1 received an Ethernet frame with EtherType 0x0800 (IPv4) but the FortiGate dropped it because the interface is either not configured with an IP address or is bound to the wrong VDOM. Without an IP address or proper VDOM assignment, the kernel cannot process the packet at Layer 3, so it logs the packet as having an 'unknown or unsupported protocol' even though 0x0800 is standard IPv4.

Exam trap

The trap here is that candidates see 'unknown or unsupported protocol 0x0800' and assume it refers to an exotic or malformed protocol, when in fact 0x0800 is standard IPv4 and the issue is a missing IP address or VDOM assignment on the interface.

How to eliminate wrong answers

Option A is wrong because ARP requests use EtherType 0x0806, not 0x0800, and the log specifically mentions protocol 0x0800 (IPv4). Option B is wrong because invalid MAC addresses would generate a different log entry related to MAC filtering or source address validation, not a protocol drop. Option D is wrong because IP options are handled at a higher layer within the IP stack, and the kernel drop occurs before any IP header parsing; the log indicates the interface itself does not recognize the protocol, not that options are unsupported.

637
MCQhard

A BGP peering between two FortiGates is not establishing. The administrator runs 'get router info bgp neighbor' and sees that the neighbor state is 'Idle' and the BGP configuration appears correct. What should the administrator check next?

A.Run 'diagnose ip router bgp all enable' to enable debug
B.Check the BGP AS number configuration
C.Verify that the BGP neighbor IP is reachable via the routing table
D.Increase the BGP timers
AnswerC

If the neighbor is unreachable, BGP stays in Idle state.

Why this answer

Option C is correct. A neighbor state of 'Idle' often indicates that BGP is administratively disabled or that there is a problem with the underlying connectivity. The most common cause is that the BGP neighbor is not reachable via a valid route or the interface is down.

Checking the routing table and connectivity is the next step.

638
MCQeasy

Which BFD mode is used to detect forwarding path failures between two FortiGates that are directly connected?

A.Synchronous mode
B.Echo mode
C.Demand mode
D.Asynchronous mode
AnswerD

Default mode with periodic hello packets.

Why this answer

BFD operates in asynchronous mode by default, where both peers send hello packets. If a certain number of packets are missed, the session is considered down. This is the standard mode for directly connected FortiGates.

639
MCQmedium

During a failover test in an HA cluster, the primary FortiGate fails over to the secondary. After failover, some existing TCP sessions are dropped. What is the MOST likely reason?

A.The failover caused a routing change
B.The session TTL expired during failover
C.The HA mode is active-passive
D.Session pickup is not enabled on the HA cluster
AnswerD

Without session pickup, TCP sessions are lost on failover.

Why this answer

By default, FortiGate HA does not synchronize session states unless session-pickup is enabled. Without it, existing sessions are lost during failover. Option D is correct.

640
MCQmedium

An organization wants to implement a solution that can detect and automatically respond to threats across multiple Fortinet security products. Which product should they use?

A.FortiManager
B.FortiSIEM
C.FortiSOAR
D.FortiAnalyzer
AnswerC

FortiSOAR orchestrates and automates incident response workflows across security tools.

Why this answer

Option C is correct because FortiSOAR provides security orchestration, automation, and response (SOAR) to coordinate responses across different products.

641
MCQmedium

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The administrator runs 'diagnose vpn ike log' and sees the message 'no matching proposal found'. What is the MOST likely cause?

A.The remote gateway's IP address is unreachable
B.The Phase 1 parameters (encryption, authentication, DH group) do not match between peers
C.The firewall policy allowing the VPN traffic is missing or has the wrong interface
D.The pre-shared key is incorrect on one side
AnswerB

'No matching proposal found' indicates that during IKE negotiation, the two peers could not agree on a common set of Phase 1 parameters.

Why this answer

Option B is correct because the error 'no matching proposal found' is a standard IKE message indicating incompatible Phase 1 proposals.

642
MCQeasy

What is the primary purpose of FortiGuard Outbreak Prevention service?

A.To provide proactive protection against zero-day and fast-spreading threats
B.To provide real-time threat intelligence feeds to third-party SIEM systems
C.To automatically patch vulnerabilities in FortiGate firmware
D.To block all traffic from IP addresses listed in a community-based blocklist
AnswerA

Outbreak Prevention uses AI and heuristics to detect and block emerging threats quickly.

Why this answer

FortiGuard Outbreak Prevention is designed to provide proactive protection against zero-day and fast-spreading threats by leveraging real-time threat intelligence from FortiGuard Labs. It automatically updates security policies and signatures to block emerging threats before they become widespread, reducing the window of vulnerability.

Exam trap

The trap here is that candidates often confuse Outbreak Prevention with general threat intelligence feeds or community blocklists, but the service specifically targets automated, proactive blocking of fast-spreading threats before signatures are fully developed.

How to eliminate wrong answers

Option B is wrong because FortiGuard Outbreak Prevention is not primarily for feeding threat intelligence to third-party SIEM systems; that function is served by FortiSIEM or FortiAnalyzer via syslog or API integrations. Option C is wrong because FortiGuard Outbreak Prevention does not patch FortiGate firmware; firmware patching is handled through FortiGuard Firmware Update service or manual upgrade processes. Option D is wrong because it does not rely on a community-based blocklist; instead, it uses curated, dynamic threat intelligence from FortiGuard Labs, not user-contributed lists.

643
Multi-Selecthard

A network engineer is troubleshooting an ADVPN scenario where shortcut tunnels between spokes are not forming. The hub has IKEv2 configured and the spokes are behind NAT. Which THREE conditions must be met for shortcut tunnels to establish?

Select 3 answers
A.NAT traversal is enabled on all gateways
B.Spokes are configured with 'set auto-discovery' enabled
C.IKEv1 is used for the spoke-to-hub tunnels
D.The hub's phase2 configuration has 'auto-negotiate' enabled
E.The hub's phase2 configuration includes 'add-route'
AnswersB, D, E

Spokes need auto-discovery to accept shortcut proposals.

Why this answer

ADVPN shortcut tunnels require IKEv2 (not IKEv1), 'auto-negotiate' enabled on the hub's phase2, and 'add-route' set on the hub's phase2 to enable route injection. NAT traversal is automatically handled by IKEv2.

644
MCQmedium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is up but traffic is not passing. The administrator runs 'diagnose vpn ike gateway list' and sees that the IKE SA has been established. However, 'diagnose vpn tunnel list' shows no IPsec SA entries. What is the most likely cause?

A.The firewall policies are not configured to allow traffic through the tunnel
B.The phase 2 proposal (encryption, authentication, etc.) does not match between peers
C.The pre-shared key on both sides does not match
D.The interface MTU is set too low
AnswerB

Phase 2 negotiations fail if the proposal is mismatched, leading to no IPsec SA.

Why this answer

IKE SA established but no IPsec SA indicates that phase 2 parameters are misconfigured or the proposal is not matching.

645
Multi-Selectmedium

An administrator is troubleshooting an SD-WAN rule that is not matching expected traffic. The SD-WAN rule uses a custom application category and has a performance SLA attached. Which two conditions must be true for the traffic to be matched by the SD-WAN rule? (Select TWO.)

Select 2 answers
A.The performance SLA must be marked as 'up' for at least one member in the SD-WAN zone
B.The destination port must be 80 or 443
C.The traffic must be identified by the application control sensor as the configured application category
D.The source IP must be in the same subnet as the SD-WAN member's IP
E.The traffic must match the firewall policy that has SD-WAN enabled
AnswersC, E

If the rule matches on application category, the traffic must be identified accordingly by App Control.

646
MCQhard

An administrator configures a hub-and-spoke ADVPN with FortiGate at the hub and multiple remote sites. After setup, spokes establish shortcuts directly. However, traffic between two spokes consistently goes through the hub even though shortcuts should exist. Running 'diagnose npu np6 ipsec peercache' shows no shortcut entries. What is the MOST likely reason?

A.The spokes are not running BGP over the ADVPN tunnels.
B.The firewall policies on the spokes do not allow shortcut traffic.
C.Shortcut tunnels are disabled on the hub phase1 configuration.
D.The network processor (NP6) is not enabled for IPsec acceleration.
AnswerA

Why this answer

ADVPN shortcut tunnels require dynamic routing (e.g., BGP or OSPF) to exchange routes; otherwise, traffic continues to flow via the hub. The command output shows no shortcut entries in the peer cache, typically because routes are not being learned via a routing protocol.

647
Multi-Selectmedium

A FortiGate administrator needs to configure a hub-and-spoke ADVPN with OSPF as the routing protocol over the VPN tunnels. Which TWO steps are required on the hub FortiGate to enable shortcut tunnels?

Select 2 answers
A.Set 'add-route' to 'disable' on the phase2 configuration.
B.Enable 'shortcut' option under the phase2 configuration.
C.Enable 'auto-discovery-sender' on the hub's phase1 configuration.
D.Enable 'auto-discovery-receiver' on the hub's phase1 configuration.
E.Configure OSPF network type as 'broadcast' on the hub's tunnel interface.
AnswersB, C

Why this answer

For ADVPN, the hub must be configured as auto-discovery-sender (to advertise shortcut capability) and the phase2 must have the 'shortcut' option enabled. Receiver is for spokes. OSPF network type can be point-to-multipoint; broadcast is not required. 'add-route' is unrelated.

648
MCQhard

In a hub-and-spoke ADVPN deployment, the spoke FortiGates are configured with IKEv2 and the hub has ADVPN enabled. After initial setup, spokes communicate through the hub. The administrator wants to enable shortcut tunnels so that spokes can directly communicate. What additional configuration is required on the spokes?

A.Enable 'set auto-discovery-sender' on the spoke's phase 1 interface
B.Enable 'set add-route' on the hub's phase 1 configuration
C.Set 'set dpd retrycount' to a higher value on the spoke
D.Configure a static route on the spoke pointing to the hub
AnswerA

The spoke must be configured as auto-discovery sender to initiate shortcut tunnels.

Why this answer

ADVPN shortcut negotiation requires that the spokes have 'set add-route enable' to install the learned shortcut route, and also the phase 2 configuration should accept shortcut tunnels.

649
MCQeasy

An organization wants to prevent users from downloading malicious files from the internet. Which FortiGate security profile should be applied to the outbound firewall policy to block files based on their hash if they have been identified as malicious by FortiSandbox?

A.Application Control profile
B.IPS profile
C.Antivirus profile
D.Web Filter profile
AnswerC

Antivirus profile can use FortiSandbox verdicts to block files by hash.

Why this answer

FortiSandbox verdicts (malicious/clean) are stored and checked by the antivirus profile. When a file hash matches a malicious verdict, the antivirus profile blocks it.

650
MCQhard

An administrator configures a FortiGate in transparent mode with two VDOMs. Each VDOM is assigned to a different VLAN. The administrator wants to apply a common security policy to traffic between the VLANs. What is the correct approach?

A.Assign both VLANs to the same VDOM and apply a policy there
B.Apply the policy on the management VDOM
C.Configure a single policy on the root VDOM that matches all VLANs
D.Use inter-VDOM routing linked to a policy in the global policy set
AnswerD

Traffic between VDOMs must go through inter-VDOM routing; a policy in the respective VDOMs is needed.

Why this answer

In transparent mode, FortiGate VDOMs are isolated by default, and traffic between VLANs assigned to different VDOMs must traverse an inter-VDOM link. The correct approach is to use inter-VDOM routing and apply a security policy in the global policy set, which allows a common policy to govern traffic crossing VDOM boundaries. This ensures that the policy is evaluated once for inter-VDOM traffic, rather than requiring separate policies in each VDOM.

Exam trap

The trap here is that candidates often assume a single VDOM or the root VDOM can handle inter-VLAN policies in transparent mode, but FortiGate requires explicit inter-VDOM routing and global policy sets for cross-VDOM traffic, even in transparent mode.

How to eliminate wrong answers

Option A is wrong because assigning both VLANs to the same VDOM would merge them into a single broadcast domain, defeating the purpose of using separate VDOMs for isolation. Option B is wrong because the management VDOM is used for administrative access and management traffic, not for applying security policies to data-plane traffic between VLANs. Option C is wrong because the root VDOM in transparent mode does not handle data-plane traffic between VLANs; it is a special VDOM for global management and does not support direct policy application for inter-VLAN traffic.

651
MCQeasy

An organization uses FortiClient EMS to enforce compliance on endpoints. They want to ensure that only devices with updated antivirus definitions can access the corporate VPN. Which FortiClient configuration should be applied?

A.Create a compliance rule in FortiClient EMS to check antivirus definitions
B.Use a firewall policy to block traffic from non-compliant devices
C.Configure a ZTNA tag that requires updated antivirus
D.Enable CASB in the ZTNA proxy
AnswerA

EMS allows creating compliance rules that check endpoint posture parameters like antivirus version.

Why this answer

Compliance rules in FortiClient EMS check endpoint posture, such as antivirus status. The rule can be configured to require up-to-date antivirus definitions before allowing VPN access.

652
MCQhard

A company is deploying a Security Fabric with multiple FortiGate devices managed by FortiManager. The administrator wants to apply a policy package to multiple FortiGate devices in the Fabric. However, after assigning the policy package to the devices in FortiManager and installing the configuration, the policies are not applied consistently across all devices. The administrator notices that some devices have local policies that override the policy package. What is the best practice to ensure that the policy package is enforced on all devices?

A.Enable 'Central Management' in FortiManager and use 'Install On Policy Package' to push policies.
B.Disable the 'Auto Update' feature on the managed devices.
C.Use the same policy package name on all devices and manually sync them.
D.Ensure that the Security Fabric is fully established and all devices are visible in the topology.
AnswerA

Central management enforces that only policies from FortiManager are active.

Why this answer

Option A is correct because enabling 'Central Management' in FortiManager ensures that the policy package is the authoritative source for all managed FortiGate devices. When 'Install On Policy Package' is used, FortiManager overwrites any local policies on the devices, enforcing consistent policy application across the Security Fabric. Without central management, local policies can persist and override the pushed policy package, leading to inconsistencies.

Exam trap

The trap here is that candidates may assume that simply installing a policy package via FortiManager is enough to override local policies, without realizing that 'Central Management' must be explicitly enabled to prevent local policy edits from persisting and overriding the pushed configuration.

How to eliminate wrong answers

Option B is wrong because disabling 'Auto Update' on managed devices would prevent them from receiving any updates from FortiManager, including policy changes, which would not solve the override issue. Option C is wrong because using the same policy package name and manually syncing devices is error-prone and does not leverage FortiManager's centralized control; local policies would still override unless central management is enabled. Option D is wrong because ensuring the Security Fabric is established and devices are visible in the topology is necessary for communication but does not address the root cause of local policies overriding the policy package; central management is required to enforce the policy package.

653
MCQhard

An administrator configures a multi-peer IPsec VPN on FortiGate for redundancy. The primary peer is 10.1.1.1 and secondary is 10.1.1.2. The administrator notices that when the primary peer goes down, the FortiGate does not fail over to the secondary peer until the IKE SA times out (about 60 seconds). Which setting can reduce this failover time?

A.Configure 'idle-timeout' to 30 seconds.
B.Set 'dpd-retryinterval' to 5 and 'dpd-retrycount' to 3.
C.Use aggressive mode for IKE negotiation.
D.Enable 'auto-negotiate' on the phase1 interface.

Why this answer

DPD retry interval and count control how quickly FortiGate detects a dead peer. With retryinterval=5 and retrycount=3, the peer is declared dead after 15 seconds of no response, triggering failover to the secondary.

654
MCQhard

An administrator runs the following commands on a FortiGate: 'diagnose sys session filter dport 443' followed by 'diagnose sys session list', and sees the output 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A.The TCP handshake has not completed; the client sent SYN and is waiting for SYN-ACK
B.The session is fully established and has been idle for 1 hour
C.The session is in FIN_WAIT state and is closing
D.The session is using UDP protocol
AnswerA

proto_state=01 is TCP SYN_SENT state, indicating the initial SYN has been sent but no SYN-ACK received.

Why this answer

The session has been active for 3600 seconds (1 hour) and will expire in 3599 seconds. Proto_state=01 indicates TCP SYN_SENT state, meaning the TCP handshake hasn't completed. This could be due to the server not responding.

655
Multi-Selecthard

A network administrator is troubleshooting a scenario where FortiView in FortiAnalyzer shows no traffic data for a specific FortiGate, but logs are being received. Which two possible causes should the administrator investigate? (Choose two.)

Select 2 answers
A.The FortiGate's clock is not synchronized with FortiAnalyzer
B.The FortiAnalyzer ADOM is configured as a global ADOM
C.The FortiGate is not sending traffic logs; only event logs are being forwarded
D.The FortiView database is corrupted or needs to be rebuilt
E.The FortiAnalyzer disk is full and not indexing new logs
AnswersC, D

FortiView requires traffic logs to populate.

Why this answer

Option C is correct because FortiView relies on traffic logs (e.g., traffic, firewall, or application control logs) to generate its visualizations. If the FortiGate is only forwarding event logs (e.g., admin, system, or VPN logs) but not traffic logs, FortiView will show no traffic data even though logs are being received. This is a common misconfiguration in log forwarding policies on the FortiGate.

Exam trap

The trap here is that candidates assume any log reception implies traffic data is available for FortiView, but FortiView specifically requires traffic logs, not just any log type, and a corrupted database can silently break FortiView while other log viewing features remain functional.

656
Multi-Selectmedium

A FortiGate administrator is troubleshooting an issue where IPsec VPN traffic is not being forwarded correctly in a multi-VDOM environment. Which TWO factors should the administrator verify?

Select 2 answers
A.The firewall policy for the VPN traffic is present in the correct VDOM
B.The VPN tunnel is configured in the correct VDOM
C.Inter-VDOM routing is enabled globally
D.The management VDOM has an IPsec policy
E.The FortiGate is in transparent mode
AnswersA, B

Policy must be in the VDOM where traffic flows.

Why this answer

A is correct because firewall policies are VDOM-scoped; even if the VPN tunnel is up, traffic will not be forwarded unless a policy explicitly permits it within the VDOM that owns the VPN interface. The administrator must verify that the policy allowing the IPsec traffic exists in the correct VDOM, as policies from one VDOM cannot control traffic in another.

Exam trap

The trap here is that candidates often assume inter-VDOM routing is a global feature that must be enabled, when in fact it is handled by per-VDOM configurations such as inter-VDOM links or policies.

657
MCQ (medium)

A FortiGate is configured as a ZTNA proxy for an internal web application. The client's device posture check fails due to an outdated antivirus definition. The administrator wants to block access but still display a warning page. Which ZTNA access rule action should be used?

A.set action block
B.set action redirect
C.set action authenticate
D.set action allow
Answer: A

Block action denies access; combined with a warning portal configuration, the user sees a warning.

Why this answer

ZTNA access rules can block or allow with optional warning. 'Allow with warning' is not available; to show a warning while blocking, the action should be 'Block' with a redirect to a warning portal.

658
Multi-Select (medium)

An administrator is configuring SD-WAN rules to direct specific traffic types. Which TWO of the following criteria can be used in an SD-WAN rule to match traffic?

Select 2 answers
A.Source interface
B.Time of day
C.Destination IP address
D.Application
E.URL category
Answers: C, D

Destination IP can be used as a match criterion.

659
Multi-Select (hard)

A FortiGate administrator is troubleshooting why a custom IPS signature is not triggering on traffic matching the pattern. Which TWO checks should be performed?

Select 2 answers
A.Check the signature's severity level in the IPS sensor
B.Ensure the FortiGate is in proxy-based inspection mode
C.Confirm the IPS sensor is applied to the correct firewall policy
D.Verify the signature uses correct protocol decoder
E.Verify that the custom signature is enabled in the IPS sensor
Answers: C, E

Without policy attachment, no inspection occurs.

Why this answer

Custom IPS signatures must be enabled in the IPS sensor and applied to a firewall policy that processes the traffic.

660
Multi-Select (hard)

An administrator has a FortiGate hub with multiple spoke FortiGates in an ADVPN topology. The spokes are behind NAT and have dynamic public IPs. The hub is configured with a static IP. Which THREE steps are necessary for the spokes to establish a shortcut tunnel between each other?

A.Enable 'auto-discovery-receiver' on the hub's phase1.
B.Set the phase1 authentication method to 'signature' on all devices.
C.Configure the spokes with the hub's public IP as the remote gateway.
D.Enable 'auto-discovery-sender' on the spokes' phase1.
E.Enable NAT traversal on the hub's phase1 configuration.

Why this answer

NAT traversal (E) is needed to handle the NAT in front of the spokes. The spokes must point to the hub's static public IP as their remote gateway (C). The spokes must have 'auto-discovery-sender' enabled to initiate shortcut negotiation (D).

The hub needs 'auto-discovery-receiver' (A), but the question asks for the steps necessary for the spokes to establish the shortcut, so the spokes need the sender setting. Option B (signature authentication) is not required.

661
Multi-Select (hard)

An administrator deploys a FortiGate in a remote office with a FortiSwitch and FortiAP. The LAN edge management features are used to manage these devices. The FortiGate is configured as a controller. Which three steps are required to manage the FortiAP via the FortiGate? (Choose THREE.)

Select 3 answers
A.Configure DHCP option 138 or DNS to point FortiAP to FortiGate
B.Authorize the FortiAP by serial number on the FortiGate
C.Enable CAPWAP on the FortiGate
D.Enable LLDP on the FortiSwitch
E.Configure an SSID under the FortiAP profile
Answers: A, B, C

FortiAP discovers the controller via DHCP or DNS.

Why this answer

The FortiGate must have CAPWAP enabled to act as a wireless controller. The FortiAP must be authorized (by serial number). The FortiGate must be reachable by the FortiAP via Layer 3 connectivity (e.g., DHCP option 138).

662
MCQ (easy)

A multinational company uses FortiGate devices as VPN gateways to connect its headquarters (HQ) and branch offices via IPsec VPN tunnels. The company is migrating its remote access solution from IPsec VPN to SSL VPN using FortiClient. Currently, 500 remote users connect via IPsec VPN with pre-shared keys and XAuth authentication. The migration must be seamless with minimal downtime, and users must continue to authenticate using their existing Active Directory credentials. The SSL VPN portal must provide access to internal web applications and some legacy TCP-based applications that do not support HTTP. The security team requires that all traffic between remote users and the internal network be encrypted and that the SSL VPN use a certificate from a public CA to avoid certificate warnings on client devices. The IT team wants to use FortiToken for two-factor authentication (2FA) for all VPN users. Which of the following is the most appropriate course of action to meet all requirements?

A.Configure SSL VPN with a self-signed certificate and use the local password database for authentication. Enable FortiToken and configure the portal to provide both web and TCP forwarding applications.
B.Deploy SSL VPN with a public CA certificate, configure LDAP authentication against Active Directory, enable FortiToken for 2FA, and create a split-tunneling policy that uses both SSL VPN web mode and tunnel mode via FortiClient.
C.Set up SSL VPN with a public CA certificate, use LDAP for authentication, but do not enable FortiToken because it would require a separate token per user.
D.Create a new IPsec VPN configuration using certificate-based authentication and FortiToken, and gradually move users to the new IPsec VPN.
Answer: B

This meets all requirements: appropriate authentication, public CA, 2FA, and access to both web and legacy TCP applications.

Why this answer

Option B is correct because it meets all requirements: a public CA certificate avoids client certificate warnings, LDAP authentication against Active Directory allows seamless credential reuse, FortiToken provides the required 2FA, and combining SSL VPN web mode (for web apps) with tunnel mode via FortiClient (for legacy TCP applications) ensures full coverage. This approach minimizes downtime by migrating users gradually without changing their authentication backend.

Exam trap

The trap here is that candidates may think SSL VPN cannot handle non-HTTP applications, but FortiClient's tunnel mode with split tunneling or full tunneling can encapsulate any TCP/UDP traffic, making it suitable for legacy applications.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate would cause certificate warnings on client devices, violating the requirement to avoid such warnings, and using the local password database does not integrate with existing Active Directory credentials. Option C is wrong because it explicitly disables FortiToken, failing the two-factor authentication requirement; the statement that FortiToken requires a separate token per user is incorrect—FortiToken can be assigned per user via the FortiGate or FortiAuthenticator. Option D is wrong because it proposes continuing with IPsec VPN instead of migrating to SSL VPN, and certificate-based authentication does not address the need for SSL VPN portal access to web and legacy TCP applications.

663
MCQ (medium)

A FortiGate with multiple VDOMs is experiencing inter-VDOM routing issues. The admin has created inter-VDOM links between VDOMs and configured firewall policies allowing traffic. However, traffic from VDOM_A to VDOM_B is not reaching the destination. What is the most likely cause?

A.The inter-VDOM link's administrative status is down
B.The routing table in VDOM_A does not have a route to VDOM_B's subnet via the inter-VDOM link
C.VDOM_B does not have an interface in the same subnet as the inter-VDOM link
D.The traffic is blocked by an implicit deny policy in VDOM_B
Answer: B

Without a route, traffic cannot be forwarded to the inter-VDOM link.

Why this answer

Inter-VDOM routing requires explicit routes in each VDOM's routing table pointing to the destination subnet via the inter-VDOM link interface. Even with inter-VDOM links and firewall policies configured, if VDOM_A lacks a route to VDOM_B's subnet through that link, traffic will be dropped or forwarded incorrectly. The routing table must contain a static or dynamic route for the destination network with the next-hop set to the inter-VDOM link's IP address on the VDOM_A side.

Exam trap

The trap here is that candidates assume inter-VDOM links and firewall policies alone are sufficient for traffic flow, overlooking the fundamental requirement of explicit routing entries in each VDOM's routing table, which is a common misstep in NSE7 scenarios.

How to eliminate wrong answers

Option A is wrong because if the inter-VDOM link's administrative status were down, the link would not be operational and the admin would likely see the interface status as 'down' in the CLI or GUI, which is a more obvious issue than a missing route. Option C is wrong because inter-VDOM links are point-to-point connections that do not require both VDOMs to have interfaces in the same subnet; each side of the link has its own IP address, and routing is based on next-hop IPs, not shared subnet membership. Option D is wrong because inter-VDOM traffic that matches an explicit allow policy in VDOM_A is forwarded to VDOM_B, where it is subject to VDOM_B's policies; however, the implicit deny in VDOM_B would only block traffic if no explicit policy allows it, but the question states policies are configured, so the issue is more likely a missing route in VDOM_A.

664
MCQ (medium)

A network admin is configuring SD-WAN on a FortiGate with two WAN members (port1, port2). The requirement is that traffic for Office 365 (source IP 10.1.1.0/24, destination IP 132.245.0.0/16) should use port1 primarily unless it fails the performance SLA, in which case it should use port2. Which SD-WAN rule configuration should the admin use?

A.Configure the rule with 'strategy = spillover' and set spillover thresholds
B.Configure the rule with 'strategy = source-dest-ip' and include port1 and port2
C.Configure the rule with 'strategy = best quality', and enable 'set match-vip enable'. Use performance SLA to monitor port1
D.Configure the rule with 'strategy = manual' and set the preferred member to port1
Answer: C

Best quality uses the performance SLA to select the best member. When the primary member fails SLA, traffic moves to the next best.

Why this answer

Option C is correct because the 'best quality' strategy with 'set match-vip enable' applies the SLA to the selected traffic. The rule matches the Office 365 traffic and selects the best-quality member (port1) based on the SLA. If port1 fails, traffic switches to port2.

665
Multi-Select (medium)

An administrator needs to configure a FortiGate to act as a SAML identity provider (IdP) for a third-party cloud application (SP). Which TWO settings must be configured on the FortiGate to function as an IdP?

Select 2 answers
A.LDAP server configuration
B.SAML IdP user group
C.Service provider configuration with ACS URL and entity ID
D.SP metadata import
E.SSL VPN portal
Answers: B, C

Defines the users that can authenticate via SAML.

Why this answer

FortiGate as IdP requires a SAML IdP user group to authenticate users and a service provider configuration that includes the SP's ACS URL and entity ID.

666
MCQ (hard)

A FortiGate admin sees the following log: 'Action=blocked, Service=HTTP, Application=Outbreak, File=invoice.doc, ThreatScore=95'. What is the MOST likely explanation for this block?

A.The file was blocked by FortiGuard outbreak prevention
B.The file was blocked by the machine learning engine
C.The file was blocked by FortiSandbox verdict
D.The file was blocked by a custom IPS signature
Answer: A

Outbreak prevention uses threat scores and is logged as 'Outbreak' in the application field.

Why this answer

The log entry shows 'Application=Outbreak' and 'ThreatScore=95', which are specific indicators of FortiGuard outbreak prevention. FortiGuard outbreak prevention uses real-time threat intelligence to block files associated with widespread malware campaigns before traditional signatures are updated. The 'Outbreak' application tag and high threat score directly correspond to this feature, not to machine learning, sandbox verdicts, or custom IPS signatures.

Exam trap

The trap here is that candidates confuse 'Outbreak' with a generic malware detection term, not realizing it is a specific FortiGuard feature with its own log field, distinct from machine learning, sandbox, or IPS-based blocks.

How to eliminate wrong answers

Option B is wrong because the machine learning engine in FortiGate uses behavioral analysis and static file analysis to detect unknown malware, but it does not generate an 'Application=Outbreak' tag; that tag is specific to FortiGuard outbreak prevention. Option C is wrong because a FortiSandbox verdict would appear in logs as 'Action=blocked' with 'Application=Sandbox' or 'Verdict=malicious', not 'Application=Outbreak'. Option D is wrong because a custom IPS signature would log 'Action=blocked' with 'Signature=...' or 'IPS=...', not 'Application=Outbreak' or 'ThreatScore=95'.

667
Multi-Select (hard)

A FortiGate administrator wants to use automation stitches to respond to a detected threat. The trigger is 'event' and the action is to quarantine the source IP. Which TWO actions can be used in FortiGate automation stitches to achieve IP quarantine?

Select 2 answers
A.Send an email to the administrator
B.CLI script that runs 'diagnose user quarantine add'
C.Execute a CLI script that adds a firewall address object and policy to block the IP
D.Use the 'execute fortishield' command in a CLI script
E.Log the event to FortiAnalyzer
Answers: B, C

This command adds an IP to the quarantine list.

668
MCQ (hard)

A FortiGate in transparent mode with multiple VDOMs is deployed at a customer site. The customer reports that traffic between two VLANs on the same physical segment is not being forwarded. The administrator verifies that the firewall policies are configured correctly. What is the most likely cause?

A.The VDOMs are not configured with management IP addresses
B.The FortiGate is in transparent mode and does not route between VLANs without a VLAN interface
C.The VDOM limit has been exceeded
D.Inter-VDOM routing is disabled between the VDOMs
Answer: B

Transparent mode requires VLAN subinterfaces and policies to allow inter-VLAN traffic, and by default does not route.

Why this answer

In transparent mode, a FortiGate acts as a Layer 2 bridge and does not perform IP routing. To forward traffic between VLANs on the same physical segment, you must create VLAN subinterfaces on the FortiGate and assign them to the appropriate VDOMs. Without these VLAN interfaces, the FortiGate cannot distinguish or forward traffic between the VLANs, even if firewall policies are correctly configured.

Exam trap

The trap here is that candidates often assume transparent mode FortiGates can route between VLANs automatically, forgetting that VLAN interfaces must be explicitly created to enable Layer 2 forwarding between VLANs on the same physical segment.

How to eliminate wrong answers

Option A is wrong because management IP addresses are only required for administrative access (e.g., GUI/SSH) and do not affect Layer 2 forwarding between VLANs. Option C is wrong because exceeding the VDOM limit would prevent creation of new VDOMs or cause operational errors, but the scenario describes traffic not being forwarded, which is unrelated to VDOM count limits. Option D is wrong because inter-VDOM routing is a Layer 3 feature that controls traffic between VDOMs; in transparent mode, traffic between VLANs on the same physical segment is handled within a single VDOM via VLAN interfaces, not between VDOMs.

669
MCQ (medium)

An administrator configures OSPF over an IPsec VPN tunnel between two FortiGates. The OSPF adjacency does not form. The tunnel is up and ping works between the loopback interfaces used for OSPF. What is the MOST likely issue?

A.OSPF is not enabled on the tunnel interface.
B.The OSPF network type on the tunnel interface is set to point-to-point but the remote side is broadcast.
C.The MTU on the tunnel interface is too large for OSPF packets.
D.The firewall policy allowing OSPF traffic (protocol 89) over the tunnel is missing.
Answer: D

Why this answer

Even if the tunnel is up, OSPF packets (protocol 89) must be explicitly permitted by a firewall policy on the tunnel. Without that policy, OSPF Hellos are dropped and adjacency fails. Network type mismatch can also cause issues, but the most common is missing policy.

670
MCQ (easy)

An administrator needs to back up the configuration of a FortiGate managed by FortiManager before making major changes. Which feature in FortiManager should the administrator use?

A.Policy package import/export
B.Automation stitch
C.Install preview
D.Revision history
Answer: D

Revision history stores previous configurations and allows restore.

Why this answer

Revision History in FortiManager allows administrators to create, view, and restore previous configuration versions of managed FortiGate devices. This is the correct feature for backing up a configuration before making major changes, as it provides a point-in-time snapshot that can be rolled back if needed.

Exam trap

The trap here is that candidates may confuse 'Install preview' (which shows changes to be applied) with a backup mechanism, but it does not save the current state for rollback, whereas Revision History explicitly provides that capability.

How to eliminate wrong answers

Option A is wrong because Policy package import/export is used to transfer policy packages between FortiManager and FortiGate or between FortiManager instances, not to back up the entire device configuration before changes. Option B is wrong because Automation stitch is a FortiGate feature that automates responses to events (e.g., triggering scripts or sending alerts), not a configuration backup mechanism. Option C is wrong because Install preview shows the pending changes that will be applied during an install operation, but it does not create a backup or allow rollback of the current configuration.

671
MCQ (easy)

Which Fortinet product is designed to deploy decoy systems to lure attackers and detect lateral movement within the network?

A.FortiSandbox
B.FortiDeceptor
C.FortiSOAR
D.FortiEDR
Answer: B

FortiDeceptor deploys decoys to detect and deceive attackers.

Why this answer

Option B is correct because FortiDeceptor creates decoys (honeypots) to attract and detect attackers, providing early warning of breaches.

672
MCQ (hard)

An administrator runs 'diagnose sys session list' and sees sessions with 'proto=6 proto_state=02' and a long duration. The administrator is troubleshooting why sessions are not being terminated after a policy change that should block the traffic. What does 'proto_state=02' indicate?

A.The session is in TIME_WAIT state
B.The session is in SYN_SENT state, waiting for a SYN-ACK
C.The session is in established state (TCP connection active)
D.The session is in FIN_WAIT state, closing the connection
Answer: C

proto_state=02 means ESTABLISHED. Existing sessions are not affected by policy changes; they continue until timeout or explicit termination.

Why this answer

In Fortinet's 'diagnose sys session list' output, 'proto=6' indicates TCP, and 'proto_state=02' maps to the TCP established state (ESTABLISHED). This means the session has completed the three-way handshake and is actively passing data. A long duration in this state explains why the session persists even after a policy change that should block new traffic—the existing session remains in the kernel session table until it times out or is explicitly cleared, because FortiGate's stateful inspection does not retroactively terminate established sessions upon policy modification.

Exam trap

The trap here is that candidates confuse the numeric 'proto_state' values with generic TCP states from RFC 793, but Fortinet uses its own mapping where '02' specifically means ESTABLISHED, not TIME_WAIT or FIN_WAIT, leading to incorrect assumptions about session termination behavior.

How to eliminate wrong answers

Option A is wrong because TIME_WAIT is represented by proto_state=05, not 02, and indicates a session waiting for a potential delayed packet after a connection close. Option B is wrong because SYN_SENT corresponds to proto_state=01, which is the initial state before the handshake completes, not a long-duration established session. Option D is wrong because FIN_WAIT is represented by proto_state=03 or 04 (depending on direction), not 02, and indicates an active closure sequence, not an ongoing data transfer.

673
MCQ (medium)

An administrator wants to create an automation stitch that sends a webhook notification when an IPS attack is detected. Which trigger and action should be used?

A.Trigger: 'IPS Event'; Action: 'Webhook'
B.Trigger: 'FortiGuard'; Action: 'Quarantine'
C.Trigger: 'System Event'; Action: 'Email'
D.Trigger: 'Incoming Webhook'; Action: 'IPS Event'
Answer: A

IPS event triggers the stitch, and webhook action sends the notification.

Why this answer

The correct answer is A because an automation stitch requires a trigger that matches the event type and an action that performs the desired response. 'IPS Event' is the correct trigger for detecting an IPS attack, and 'Webhook' is the action that sends an HTTP POST request to a configured endpoint, which is the standard method for webhook notifications in FortiOS.

Exam trap

The trap here is that candidates confuse 'IPS Event' with 'System Event' or 'FortiGuard', or mistakenly think 'Incoming Webhook' is a trigger for outbound notifications, when in fact it is for receiving external triggers.

How to eliminate wrong answers

Option B is wrong because 'FortiGuard' is a trigger for FortiGuard threat intelligence updates, not for IPS events, and 'Quarantine' is an action for isolating compromised hosts, not for sending webhook notifications. Option C is wrong because 'System Event' is a trigger for system-level events like interface status changes, not for IPS attacks, and 'Email' is an action for sending email alerts, not webhook notifications. Option D is wrong because 'Incoming Webhook' is a trigger for receiving external webhooks, not for detecting IPS attacks, and 'IPS Event' is a trigger, not an action.

674
MCQ (hard)

You run 'diagnose sys session filter dport 179' on a FortiGate and see many sessions with proto=6 and proto_state=01. What does this indicate about the BGP sessions?

A.BGP sessions are fully established and exchanging routes.
B.BGP sessions are being actively torn down.
C.BGP sessions are in the process of being established, but not yet fully up.
D.BGP sessions are using TCP port 179 but are idle.
Answer: C

proto_state=01 means SYN_SENT, indicating TCP handshake is incomplete.

Why this answer

proto_state=01 indicates TCP session establishment (SYN_SENT). Persistent sessions in this state suggest BGP peers are not reaching Established state, possibly due to misconfiguration or firewall blocking.

675
MCQ (easy)

Which FortiGate feature is used to detect link failures within milliseconds, allowing rapid convergence for routing protocols like OSPF and BGP?

A.ECMP
B.OSPF Fast Hello
C.BFD
D.Route tagging
Answer: C

BFD offers fast failure detection.

Why this answer

Bidirectional Forwarding Detection (BFD) provides sub-second link failure detection independent of the routing protocol. It is commonly used with OSPF, BGP, and SD-WAN to speed up convergence.
