CCNA Enterprise Firewall and VDOMs Questions

75 of 264 questions · Page 3/4 · Enterprise Firewall and VDOMs · Answers revealed

151
Multi-Select · medium

A FortiGate administrator needs to configure a new FortiGate in FortiManager for centralized management. Which TWO steps are required to add the device to an ADOM?

Select 2 answers
A. Create a policy package before adding the device
B. Configure a VDOM link on the FortiGate
C. Add the device to the ADOM using the device manager
D. Enable automation stitches on the FortiGate
E. Authorize the device in FortiManager
Answers: C, E

Devices are added to an ADOM for management.

Why this answer

Option C is correct because the Device Manager in FortiManager is the interface used to add a device to an ADOM. After adding the device, it must be authorized (Option E) to establish a management tunnel and allow configuration synchronization. Without authorization, the device remains in a pending state and cannot be managed.

Exam trap

The trap here is that candidates often confuse the device authorization step with initial configuration steps like creating policy packages or VDOM links, but FortiManager requires explicit authorization after adding the device to enable centralized management.

152
MCQ · hard

A FortiGate administrator is configuring automation stitches in FortiManager to trigger a script when a specific log event occurs. The automation stitch includes a trigger, a set of conditions, and an action. The administrator wants the script to run only if the event is generated by devices in a specific ADOM. Which element should be configured in the trigger condition?

A. Add a condition for the ADOM name in the trigger
B. Configure the script to check the ADOM at runtime
C. Use a meta field to tag the devices and filter by meta field
D. Assign the automation stitch to a specific ADOM in the settings
Answer: A

Conditions can be added to restrict the trigger to specific ADOMs.

Why this answer

Option A is correct. Automation stitches in FortiManager can include conditions that filter on ADOM, device group, or device name. To restrict to a specific ADOM, the condition should specify the ADOM name.

This ensures only events from that ADOM trigger the action.

153
MCQ · medium

A FortiGate has two VDOMs: Root and CustomerA. The administrator wants to manage the CustomerA VDOM from FortiManager. What must be configured on FortiManager to allow management of the CustomerA VDOM?

A. Configure an automation stitch on FortiManager
B. Add the FortiGate to the global ADOM
C. Enable VDOM management on FortiGate
D. Add the FortiGate's VDOM to an ADOM
Answer: D

FortiManager can manage individual VDOMs by adding them as separate devices to an ADOM (or using per-VDOM management).

Why this answer

Option D is correct because FortiManager uses Administrative Domains (ADOMs) to logically group and manage VDOMs. To manage the CustomerA VDOM, the administrator must add that specific VDOM to an ADOM on FortiManager, which then allows FortiManager to push policies, objects, and configuration to that VDOM. Without this mapping, FortiManager cannot target the VDOM for management, even if the FortiGate itself is registered.

Exam trap

The trap here is that candidates confuse enabling VDOM management on the FortiGate (which is already active) with the necessary ADOM mapping on FortiManager, leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because automation stitches are used for event-triggered automated responses (e.g., quarantine actions), not for enabling VDOM management on FortiManager. Option B is wrong because adding the FortiGate to the global ADOM only allows management of the global VDOM (Root), not individual customer VDOMs like CustomerA. Option C is wrong because VDOM management is enabled on FortiGate by default when VDOMs are created; the missing piece is the ADOM configuration on FortiManager, not a toggle on the FortiGate.

154
MCQ · medium

A FortiManager administrator is configuring ADOMs to manage multiple FortiGates. The administrator wants to ensure that changes to the central management policy package are automatically pushed to managed devices. Which setting should be enabled?

A. Enable 'Auto-link' on the device
B. Enable 'Auto-update' in the policy package
C. Configure a schedule for policy installation
D. Enable 'Central Management' on the FortiGate
Answer: B

Auto-update automatically installs policy package changes to assigned devices.

Why this answer

Option B is correct because enabling 'Auto-update' in the policy package on FortiManager ensures that any changes made to the central management policy package are automatically pushed to all managed FortiGates. This setting triggers an immediate installation of the policy package to the devices whenever a change is committed, eliminating the need for manual installation. It is specifically designed for centralized policy management in ADOM environments.

Exam trap

The trap here is that candidates often confuse 'Auto-update' with scheduling or device-level settings, mistakenly thinking that enabling 'Central Management' on the FortiGate alone will trigger automatic policy pushes, when in fact it only authorizes management, not automatic updates.

How to eliminate wrong answers

Option A is wrong because 'Auto-link' is not a valid FortiManager setting; it is most likely a confusion with 'Auto-update' or with device-level linking, neither of which controls automatic policy push. Option C is wrong because configuring a schedule for policy installation only automates the push at predefined times, not immediately upon change, which does not meet the requirement for an automatic push on every change. Option D is wrong because enabling 'Central Management' on the FortiGate is a device-level setting that allows the FortiGate to be managed by FortiManager, but it does not control automatic policy package updates from FortiManager.

155
MCQ · medium

A FortiGate in NAT mode has multiple VDOMs. The administrator wants to centralize logging from all VDOMs to a single FortiAnalyzer. What configuration is required on the FortiGate to ensure logs from all VDOMs are sent?

A. Configure the FortiAnalyzer IP under system global settings
B. Configure FortiAnalyzer logging in each VDOM individually
C. Use the management VDOM as a log relay to FortiAnalyzer
D. Enable centralized logging under config log setting
Answer: B

Each VDOM has its own log settings. You must add the FortiAnalyzer server in each VDOM's log configuration.

Why this answer

In a multi-VDOM FortiGate, each VDOM operates as an independent firewall with its own logging configuration. To send logs from all VDOMs to a single FortiAnalyzer, you must configure the FortiAnalyzer IP and logging settings within each VDOM individually. This ensures that each VDOM's logs are forwarded directly to the FortiAnalyzer, as there is no global or centralized log-forwarding mechanism that aggregates logs across VDOMs.

Exam trap

The trap here is that candidates assume a global setting or the management VDOM can centralize log forwarding, but FortiGate requires per-VDOM configuration because each VDOM is a logically separate firewall instance with its own logging subsystem.

How to eliminate wrong answers

Option A is wrong because configuring the FortiAnalyzer IP under system global settings only applies to the management VDOM (or the global context in non-VDOM mode), not to all VDOMs; logs from other VDOMs would not be sent. Option C is wrong because the management VDOM cannot act as a log relay for other VDOMs; each VDOM must independently send its logs to the FortiAnalyzer. Option D is wrong because there is no 'centralized logging' command under config log setting; logging is always configured per VDOM, and the concept of centralized logging refers to the FortiAnalyzer receiving logs from multiple sources, not a FortiGate-side setting.

156
MCQ · medium

During a failover test in an HA cluster, the administrator observes that the secondary unit becomes primary but does not have the latest configuration. What is the most likely cause?

A. The password encryption is mismatched
B. Config sync is not enabled
C. The HA priority is set too low
D. session-pickup is disabled
Answer: B

Config sync must be enabled to replicate configuration changes.

Why this answer

Config sync is the mechanism that replicates configuration changes from the primary unit to the secondary unit in a FortiGate HA cluster. If config sync is not enabled, the secondary unit will not receive configuration updates, so when it becomes primary after a failover, it will operate with an outdated or default configuration. This directly explains why the secondary unit lacks the latest configuration after the failover.

Exam trap

The trap here is that candidates often confuse session-pickup (which handles session state) with config sync (which handles configuration replication), leading them to incorrectly select option D when the actual issue is the missing config sync mechanism.

How to eliminate wrong answers

Option A is wrong because password encryption mismatch (e.g., different private keys or encryption settings) would cause authentication or decryption failures, not a failure to sync the configuration itself. Option C is wrong because HA priority determines which unit becomes primary during an election, but it does not affect whether configuration synchronization occurs; a low priority unit can still receive config sync if it is enabled. Option D is wrong because session-pickup is a feature for preserving stateful sessions during failover, not for synchronizing the configuration; disabling it would cause sessions to drop, not prevent config sync.

157
Multi-Select · hard

A FortiManager administrator is planning to deploy a new policy package to a FortiGate that has multiple VDOMs. To ensure the policy package is applied correctly to the target VDOM, which THREE steps should the administrator take?

Select 3 answers
A. Install the policy package to the FortiGate, selecting the correct VDOM
B. Create a new policy package in the ADOM corresponding to the target VDOM
C. Configure a revision history to track changes
D. Assign the FortiGate to the policy package
E. Enable central management on the FortiGate
Answers: A, B, D

During installation, the target VDOM must be specified.

Why this answer

Option A is correct because when installing a policy package to a FortiGate with multiple VDOMs, the administrator must select the correct target VDOM in the installation wizard. This ensures the policy package is applied to the intended VDOM and not to the global or another VDOM, which could cause policy conflicts or security gaps.

Exam trap

The trap here is that candidates may think enabling central management (Option E) is sufficient to direct policies to a specific VDOM, but the VDOM selection must be explicitly made during installation, and central management only enables communication, not VDOM targeting.

158
MCQ · easy

Which of the following is a required step when enabling VDOMs on a FortiGate for the first time?

A. Create at least two VDOMs before enabling the VDOM feature
B. Disable all firewall policies
C. Reboot the FortiGate after enabling VDOMs
D. Configure inter-VDOM routing
Answer: C

A reboot is necessary for the change to take effect.

Why this answer

When enabling VDOMs on a FortiGate for the first time, the device must be rebooted to restructure the internal data plane and control plane to support multiple virtual domains. This reboot is mandatory because the firmware transitions from a single-VDOM mode to a multi-VDOM mode, which requires reinitializing kernel structures and memory allocation for VDOM-specific resources.

Exam trap

The trap here is that candidates assume VDOMs can be enabled and used immediately without a reboot, similar to other features like interface configuration, but FortiGate specifically requires a reboot to activate the multi-VDOM architecture.

How to eliminate wrong answers

Option A is wrong because you do not need to create any VDOMs before enabling the feature; you can enable VDOMs first, then create them after the reboot. Option B is wrong because disabling firewall policies is not a prerequisite; the FortiGate will automatically flush all policies when VDOMs are enabled and the device reboots. Option D is wrong because inter-VDOM routing is an optional configuration that can be set up after VDOMs are enabled and created, not a required step during the initial enablement process.

159
MCQ · hard

A multi-VDOM FortiGate is running low on memory. The administrator suspects that the management VDOM is consuming excessive resources. How can the administrator limit the memory usage of the management VDOM?

A. Convert the management VDOM to a traffic VDOM
B. Enable VDOM resource limits and configure a memory cap for the management VDOM
C. Move the management VDOM to a separate physical FortiGate
D. Disable unused features in the management VDOM
Answer: B

Why this answer

Option B is correct because FortiGate VDOM resource limits allow an administrator to set a specific memory cap for each VDOM, including the management VDOM. By enabling VDOM resource limits and configuring a memory cap, the management VDOM is prevented from consuming excessive memory, ensuring fair resource allocation across all VDOMs. This is the only option that directly limits memory usage at the VDOM level without requiring hardware changes or disabling features.

Exam trap

The trap here is that candidates may think disabling unused features (Option D) is sufficient to limit memory usage, but FortiGate's VDOM resource limits provide a hard enforcement mechanism that is the only way to guarantee a VDOM does not exceed a specified memory threshold.

How to eliminate wrong answers

Option A is wrong because converting the management VDOM to a traffic VDOM does not impose any memory limit; it merely changes the VDOM's role, which does not address excessive memory consumption. Option C is wrong because moving the management VDOM to a separate physical FortiGate is an expensive and unnecessary hardware solution that does not leverage the built-in resource management capabilities of the existing device. Option D is wrong because disabling unused features may reduce memory usage but does not guarantee a hard limit; the management VDOM could still consume excessive memory from enabled features, and this approach lacks the precision and enforcement of a configured memory cap.

160
MCQ · hard

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?

A. The session is a TCP session that has been idle for 1 hour
B. The session is a UDP flow
C. The session was established 1 hour ago and will expire in about 1 hour
D. The session is in a half-open state
Answer: C

Correct.

Why this answer

The output shows `duration=3600` and `expire=3599`, meaning the session was established 3600 seconds (1 hour) ago and has 3599 seconds remaining before timeout. The `proto=6` indicates TCP (protocol 6), and `proto_state=01` corresponds to TCP state ESTABLISHED. Therefore, the session is active and will expire in about 1 hour from the current time, making option C correct.

Exam trap

The trap here is confusing `duration` (time since session started) with idle time, leading candidates to incorrectly assume the session has been idle for 1 hour instead of active for 1 hour.

How to eliminate wrong answers

Option A is wrong because `duration=3600` indicates the session has been active for 1 hour, not idle; idle time is tracked separately (e.g., via `idle` field in the full output). Option B is wrong because `proto=6` explicitly indicates TCP, not UDP (UDP uses protocol 17). Option D is wrong because `proto_state=01` represents TCP state ESTABLISHED (0x01), not a half-open state (which would be SYN_SENT or SYN_RECV, typically state 0x02 or 0x04).

161
MCQ · medium

A FortiGate administrator is configuring inter-VDOM routing between two VDOMs: VDOM-A and VDOM-B. The administrator wants to allow traffic from VDOM-A to reach a server in VDOM-B while keeping the VDOMs logically separated. Which configuration step is REQUIRED?

A. Configure a static route in VDOM-A pointing to the server's subnet via the VDOM-B gateway
B. Create a VDOM link between VDOM-A and VDOM-B and configure firewall policies on both sides
C. Enable inter-VDOM routing under system settings globally
D. Assign the same physical interface to both VDOMs and configure routing
Answer: B

A VDOM link is the standard method for inter-VDOM routing. Each VDOM needs a policy to allow traffic out and in.

Why this answer

Inter-VDOM routing on FortiGate requires a VDOM link, which is a logical interface pair that connects two VDOMs. Firewall policies must be configured on both sides of the VDOM link to explicitly allow traffic between the VDOMs, ensuring logical separation while enabling controlled communication. Without these policies, traffic will be dropped even if routes exist.

Exam trap

The trap here is that candidates assume inter-VDOM routing is automatically enabled or can be achieved with static routes alone, overlooking the mandatory VDOM link and firewall policies that enforce logical separation.

How to eliminate wrong answers

Option A is wrong because configuring a static route in VDOM-A pointing to the server's subnet via the VDOM-B gateway is insufficient; a VDOM link and firewall policies are required to establish the inter-VDOM connection, and the gateway must be the VDOM link interface, not the VDOM-B gateway. Option C is wrong because there is no global 'inter-VDOM routing' toggle under system settings; inter-VDOM routing is enabled implicitly by creating a VDOM link and configuring policies. Option D is wrong because a physical interface cannot be assigned to two VDOMs simultaneously; each VDOM requires its own dedicated interfaces, and sharing a physical interface would break logical separation.

162
MCQ · hard

An administrator configures a firewall policy with an application control profile to block social media. The administrator observes that some social media traffic is still passing through. The traffic is HTTPS. What additional configuration is REQUIRED for application control to effectively block HTTPS-based social media?

A. Set application control to proxy-based inspection
B. Enable 'allow-ssl-inspection' under system settings
C. Add a DNS filter to block social media domains
D. Enable 'ssl-ssh-profile' with deep inspection on the policy
Answer: D

Deep inspection decrypts HTTPS, allowing application control to inspect the application layer.

Why this answer

Application control requires visibility into the application layer to identify HTTPS-based traffic. Without SSL inspection, the firewall cannot decrypt the HTTPS payload to inspect the application signatures. Enabling an 'ssl-ssh-profile' with deep inspection on the policy allows the FortiGate to decrypt the traffic, apply the application control profile, and effectively block social media applications.

Exam trap

The trap here is that candidates may think proxy-based inspection alone is sufficient for HTTPS traffic, but without SSL decryption, the firewall cannot inspect the encrypted payload, so application control signatures are ineffective.

How to eliminate wrong answers

Option A is wrong because setting application control to proxy-based inspection alone does not enable SSL decryption; it only changes the inspection mode, but the firewall still cannot see inside encrypted HTTPS traffic without a decryption policy. Option B is wrong because 'allow-ssl-inspection' is not a valid system setting in FortiOS; SSL inspection is configured via SSL/SSH profiles and applied to firewall policies, not a global toggle. Option C is wrong because a DNS filter blocks based on domain names, but social media applications can use IP addresses, alternate domains, or bypass DNS resolution, so it does not reliably block the application traffic itself.

163
MCQ · medium

An enterprise uses multiple VDOMs on a FortiGate. The administrator needs to route traffic between VDOM-A and VDOM-B using a firewall policy. What is the correct configuration step?

A. Place both VDOMs in the same virtual router and use regular policies
B. Create a static route in each VDOM pointing to the other VDOM's virtual interface
C. Configure a VDOM link between the two VDOMs and create a policy allowing traffic
D. Enable inter-VDOM routing globally under system settings
Answer: C

A VDOM link creates a logical connection; policies then control traffic flow.

Why this answer

Option C is correct because a VDOM link creates a direct Layer 2 or Layer 3 connection between two VDOMs, allowing traffic to be controlled by firewall policies. This is the only method that enables policy-based inter-VDOM routing without requiring external cables or complex routing configurations.

Exam trap

The trap here is that candidates assume inter-VDOM routing is automatic or can be achieved with static routes alone, but FortiGate requires an explicit VDOM link or inter-VDOM link to pass traffic between VDOMs through firewall policies.

How to eliminate wrong answers

Option A is wrong because VDOMs operate in separate virtual routers by default; placing them in the same virtual router would merge their routing tables, defeating isolation and requiring inter-VDOM routing to be explicitly configured. Option B is wrong because static routes alone cannot forward traffic between VDOMs without a physical or logical interface connecting them; the route would have no valid next-hop interface. Option D is wrong because there is no global 'inter-VDOM routing' toggle; inter-VDOM traffic must be explicitly allowed via a VDOM link or inter-VDOM link policy, not a global setting.

164
MCQ · medium

A network admin needs to apply a common set of firewall rules at the beginning of every policy package for all VDOMs managed by FortiManager. The rules should be automatically inserted and not editable within each VDOM. What should be configured?

A. VDOM policy templates
B. Global policy objects
C. Policy package header policies
D. Central management policies
Answer: C

Header policies are prepended to all policy packages in the ADOM.

Why this answer

Header policies in policy packages allow global policies that apply before VDOM-specific policies. They are defined at the ADOM level and cannot be modified within individual VDOMs.

165
MCQ · hard

An administrator configures a FortiGate with a management VDOM. Which of the following is true about the management VDOM?

A. The management VDOM supports inter-VDOM routing
B. The management VDOM can be used to route production traffic
C. The management VDOM can be shared across multiple FortiGates in an HA cluster
D. The management VDOM cannot have any firewall policies
Answer: D

The management VDOM is used solely for management; it does not process data traffic and therefore does not have firewall policies.

Why this answer

The management VDOM is a special-purpose VDOM used exclusively for out-of-band management traffic (e.g., GUI, SSH, SNMP). It operates in a separate management plane and cannot contain firewall policies because it is not designed to inspect or forward data-plane traffic. This isolation ensures that management access remains available even if the data-plane VDOMs are overloaded or misconfigured.

Exam trap

The trap here is that candidates confuse the management VDOM with a regular VDOM that can have firewall policies and route traffic, but Fortinet explicitly restricts the management VDOM to a non-data-plane role with no policy enforcement.

How to eliminate wrong answers

Option A is wrong because inter-VDOM routing is a data-plane function that requires firewall policies and routing configurations, which the management VDOM explicitly does not support. Option B is wrong because the management VDOM is strictly for management traffic (e.g., HTTPS, SSH, SNMP) and cannot be used to route production or user data traffic. Option C is wrong because the management VDOM is a per-FortiGate construct; in an HA cluster, each unit maintains its own management VDOM configuration and cannot share it across cluster members.

166
Multi-Select · medium

An HA cluster is configured with two FortiGates in active-passive mode. The administrator wants to ensure that the secondary unit automatically takes over if the primary unit fails. Which TWO settings must be configured?

Select 2 answers
A. Set ha-mode to active-passive
B. Set ha-priority to 100 on primary
C. Set ha-mode to active-active
D. Enable configuration synchronization
E. Enable session-pickup
Answers: A, D

Active-passive mode ensures one unit is on standby.

Why this answer

Option A is correct because setting ha-mode to active-passive configures the HA cluster so that only the primary unit actively processes traffic while the secondary remains in standby, ready to take over upon failure. This mode is essential for the automatic failover behavior described in the question, as it defines the operational roles of the cluster members.

Exam trap

The trap here is that candidates often confuse session-pickup (which preserves active sessions) with the fundamental failover mechanism, leading them to select it as a requirement for takeover, when in fact the takeover occurs automatically in active-passive mode without session-pickup.

167
MCQ · medium

A FortiGate admin configures automation stitches in FortiManager to trigger a script when a specific incident occurs. The script runs but does not produce the expected result. Which FortiAnalyzer feature should the admin use to verify the automation stitch executed correctly?

A. Reports
B. FortiView
C. Playbooks
D. Incident Management
Answer: D

Incidents show automation stitch execution logs.

Why this answer

Option D is correct because Incident Management in FortiAnalyzer provides a detailed log of automation stitch execution, including trigger events, script actions, and any errors. This allows the admin to verify whether the stitch ran as expected and to diagnose why the script did not produce the intended result.

Exam trap

The trap here is that candidates confuse FortiAnalyzer's Incident Management with FortiSOAR's Playbooks, or assume FortiView's real-time logs are sufficient for post-execution verification, when in fact Incident Management provides the persistent, searchable audit trail needed for automation stitch debugging.

How to eliminate wrong answers

Option A is wrong because Reports in FortiAnalyzer are used for scheduled or ad-hoc summary data (e.g., traffic trends, security summaries) and do not provide real-time or per-incident execution logs of automation stitches. Option B is wrong because FortiView is a real-time monitoring dashboard for traffic and security events, not a tool for reviewing automation stitch execution history or script output. Option C is wrong because Playbooks are a feature of FortiSOAR, not FortiAnalyzer, and are used for orchestrated incident response workflows, not for verifying FortiManager automation stitch execution.

168
MCQ · easy

Which FortiAnalyzer feature allows an administrator to create a sequence of automated response actions triggered by a specific log event?

A. Reports
B. Incidents
C. Playbooks
D. FortiView
Answer: C

Playbooks define automated response actions based on triggers such as log events.

Why this answer

Playbooks in FortiAnalyzer allow administrators to define a sequence of automated response actions that are triggered by specific log events. This feature enables event-driven automation, such as executing CLI scripts, sending alerts, or integrating with external systems via webhooks, directly from the FortiAnalyzer interface.

Exam trap

The trap here is that candidates often confuse Playbooks with Incidents, assuming Incidents can automate responses, but Incidents are purely for manual or semi-automated case management, not for defining automated action sequences triggered by log events.

How to eliminate wrong answers

Option A is wrong because Reports are used for generating scheduled or on-demand summaries of log data and traffic trends, not for triggering automated responses to individual log events. Option B is wrong because Incidents are containers for grouping related alerts and logs for investigation, but they do not themselves define automated action sequences. Option D is wrong because FortiView provides real-time and historical visualization of network traffic and security events, but it lacks the capability to execute automated response actions based on log triggers.

169
MCQ · easy

A network engineer is deploying FortiGate VDOMs and needs to limit the number of VDOMs per FortiGate to comply with licensing. Which command can be used to check the maximum VDOMs allowed?

A. get system status
B. show system vdom
C. execute vdom limit
D. diagnose sys vdom list
Answer: A

Includes 'Max VDOMs' information.

Why this answer

The 'get system status' command displays the current FortiGate system status, including the maximum number of VDOMs allowed by the installed license. This is the correct command to verify the licensed VDOM limit before deploying additional VDOMs.

Exam trap

The trap here is that candidates confuse operational commands like 'show system vdom' or 'diagnose sys vdom list' with the license-aware command 'get system status', which is the only one that shows the licensed VDOM cap.

How to eliminate wrong answers

Option B is wrong because 'show system vdom' is a FortiOS command that lists configured VDOMs and their status, but it does not display the licensed maximum VDOM limit. Option C is wrong because 'execute vdom limit' is not a valid FortiOS command; there is no such command to check or set the VDOM limit. Option D is wrong because 'diagnose sys vdom list' is a diagnostic command that shows operational VDOM information, such as IDs and states, but it does not reveal the licensed maximum number of VDOMs.

170
MCQ · medium

An administrator configures two VDOMs as shown in the exhibit. They create an inter-VDOM link between VDOM1 and VDOM2. They then add a firewall policy in VDOM1 allowing traffic from port1 to the inter-VDOM link, and a policy in VDOM2 allowing traffic from the inter-VDOM link to port2. However, traffic from 192.168.1.10 to 10.10.10.50 fails. What is the most likely cause?

A. Firewall policies are not correctly configured
B. The inter-VDOM link is not configured
C. Missing route in VDOM1 for the 10.10.10.0/24 network
D. The allowaccess setting on port2 does not include ping
Answer: C

VDOM1 needs a route to the destination network via the inter-VDOM link.

Why this answer

Option C is correct because inter-VDOM link traffic requires routing in both VDOMs. Even with correct firewall policies, VDOM1 must have a route to the destination network (10.10.10.0/24) pointing to the inter-VDOM link interface. Without this route, VDOM1 drops the packet before it can be forwarded across the link, causing the failure.

Exam trap

The trap here is that candidates assume firewall policies alone control inter-VDOM traffic, overlooking that routing is a prerequisite for forwarding packets across the inter-VDOM link.

How to eliminate wrong answers

Option A is wrong because the firewall policies are correctly configured: VDOM1 allows traffic from port1 to the inter-VDOM link, and VDOM2 allows traffic from the inter-VDOM link to port2. Option B is wrong because the inter-VDOM link is explicitly stated as created, so it exists. Option D is wrong because the allowaccess setting on port2 controls management access (e.g., ping, HTTPS) to the interface itself, not transit traffic passing through the interface; transit traffic is governed by firewall policies and routing.

171
MCQ · hard

An admin runs 'diagnose sys session filter dport 443' and sees the following output: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate?

A.The session is being blocked by a firewall policy
B.The session is in SYN_SENT state, waiting for a reply
C.The session is established and has been active for 1 hour
D.The session is in TIME_WAIT state after a FIN
AnswerC

State '01' means established; duration is 3600 seconds = 1 hour.

Why this answer

Option C is correct because the output shows `proto=6` (TCP), `proto_state=01` (ESTABLISHED in Fortinet's session table), `duration=3600` seconds (1 hour), and `expire=3599` seconds (remaining lifetime). This combination indicates a fully established TCP session that has been active for one hour and is still valid, not blocked or in a transitional state.

Exam trap

The trap here is that candidates confuse `proto_state=01` with a blocking state or a handshake-in-progress state, when in fact it specifically indicates an established TCP connection in Fortinet's session table.

How to eliminate wrong answers

Option A is wrong because a blocked session would not show `proto_state=01` (ESTABLISHED) or carry a non-zero duration/expire; traffic denied by policy is normally dropped without a session entry (a denied session is only recorded when `ses-denied-traffic` is enabled, and then with a short TTL). Option B is wrong because `proto_state=01` corresponds to ESTABLISHED, not SYN_SENT; SYN_SENT is `proto_state=02` in the FortiOS session table, and `03` means the SYN and SYN/ACK have been seen but the final ACK has not. Option D is wrong because the closing states are `04` (FIN_WAIT) and `05` (TIME_WAIT), not `01`, and an established session whose expire timer was refreshed a second ago is clearly still active.

172
MCQmedium

An administrator configures inter-VDOM routing between VDOMs A and B. Both VDOMs are on the same FortiGate. The admin creates a policy allowing traffic from VDOM A to VDOM B. Traffic from VDOM A to VDOM B fails. What is the most likely cause?

A.VDOM A and VDOM B must be in the same administrative VDOM
B.The VDOMs are in transparent mode
C.There is no firewall policy in VDOM B to allow the return traffic
D.The inter-VDOM link is not configured
AnswerC

Inter-VDOM traffic is inspected by both VDOMs. The policy in VDOM A only lets the packet out across the link; VDOM B must have its own policy, from the inter-VDOM link interface to the destination interface, or it drops the packet on its implicit deny.

Why this answer

A FortiGate VDOM is an independent firewall. A packet travelling from VDOM A to VDOM B leaves VDOM A through its end of the inter-VDOM link and re-enters the FortiGate in VDOM B as fresh ingress traffic, where it goes through VDOM B's own route and policy lookup. The policy created in VDOM A authorises the first hop only; with no policy in VDOM B from the link interface to the destination interface, VDOM B's implicit deny drops the packet. Once both policies exist, each VDOM keeps its own session entry and the replies are matched against those entries, so no separate reverse-direction policy is needed (option C calls this the return traffic policy, but the policy that is actually missing is VDOM B's policy for the forward direction). Creating a policy only in the source VDOM is a common misconfiguration.

Exam trap

The trap here is that candidates assume a single policy in the source VDOM is sufficient, overlooking that each VDOM is a separate firewall and the packet is policy-checked twice, once on the way out of VDOM A and once on the way into VDOM B.

How to eliminate wrong answers

Option A is wrong because the management VDOM setting only selects which VDOM carries the FortiGate's own management traffic (FortiGuard, logging, DNS); it has no bearing on forwarding between two data VDOMs. Option B is wrong because nothing in the scenario indicates transparent mode; an operating-mode mismatch would surface as a design problem, not as the missing-policy symptom described. Option D is wrong because the administrator explicitly configured inter-VDOM routing, implying the inter-VDOM link is already set up; the failure is due to the missing policy in VDOM B, not the link itself.

173
MCQhard

A network engineer is designing a FortiGate HA cluster with two units operating in active-active mode. The cluster will be placed in a VDOM-enabled environment. The engineer wants to ensure that traffic from a specific VDOM is load-balanced across both units based on source IP address. Which setting must be configured on the cluster to achieve this?

A.Configure randomize-vip under config system ha
B.Configure a virtual cluster with load-balance method source IP
C.Configure vdom-load-balance under config system ha
D.Enable session pickup and set session-pickup-delay to 0
AnswerB

Virtual cluster with load-balance method distributes traffic per source IP.

Why this answer

In a VDOM-enabled active-active HA cluster, per-VDOM load balancing is achieved by configuring a virtual cluster and setting the load-balance method to source IP. This allows the cluster to distribute traffic for that specific VDOM across both units based on a source IP hash, which keeps all packets of a session on the same unit while balancing the load. On the CLI the hash that distributes sessions by source IP is the `set schedule ip` option under `config system ha` (`ipport` also includes the ports), while virtual clustering (vcluster1/vcluster2) decides which unit is primary for each VDOM; the combination of the two is what option B describes.

Exam trap

The trap here is that candidates often confuse 'vdom-load-balance' with a real command, or assume that session pickup alone can distribute traffic, when in fact virtual clusters with an explicit load-balance method are required for per-VDOM source IP-based load balancing.

How to eliminate wrong answers

Option A is wrong because 'randomize-vip' randomizes the unit that handles traffic for a virtual IP (VIP) across the cluster, but it does not provide per-VDOM source IP-based load balancing; it is used for VIP load distribution without VDOM awareness. Option C is wrong because 'vdom-load-balance' is not a valid command under 'config system ha'; the correct approach is to use virtual clusters with a specified load-balance method. Option D is wrong because session pickup and session-pickup-delay relate to session synchronization and failover behavior, not to load balancing traffic across units in active-active mode.

174
MCQhard

A FortiGate administrator notices that the traffic log shows sessions being dropped due to 'policy deny' even though a permit policy exists. The administrator checks the policy list and sees the policy is in the correct order. What could be a reason for this?

A.The session is already established and the policy change is not applied to existing sessions
B.The policy is disabled
C.The policy has an incorrect schedule
D.The traffic is being processed by a different VDOM than expected
AnswerD

If traffic is entering the wrong VDOM, it may not match the intended policy.

Why this answer

Option D is correct because FortiGate VDOMs operate as independent virtual firewalls with separate routing and policy tables. If traffic enters a VDOM that does not contain the permit policy, the FortiGate evaluates it against the policies within that VDOM only, and it falls through to that VDOM's implicit deny (logged with policyid=0) even though a permit policy exists in a different VDOM. The traffic log itself gives this away: every traffic log line carries a `vd=` field naming the VDOM that processed the flow, so a deny logged under an unexpected VDOM means the ingress interface is assigned to the wrong VDOM. `diagnose debug flow` shows the same thing for a traced packet, printing the VDOM and the policy decision. The administrator should verify the ingress interface's VDOM association.

Exam trap

The trap here is that candidates assume a permit policy anywhere in the system applies to all traffic, forgetting that VDOMs create strict administrative boundaries where policies are not shared or visible across VDOMs.

How to eliminate wrong answers

Option A is wrong because a policy change does not leave existing sessions untouched in the way the option suggests: with the default `firewall-session-dirty check-all` setting, existing sessions are re-evaluated against the new policy set, so a still-present permit policy would keep matching them. In any case the log shows new 'policy deny' decisions being made, which points at the policy lookup, not at stale sessions. Option B is wrong because a disabled policy is shown as disabled in the policy list; the question states the administrator reviewed the list and found a valid permit policy. Option C is wrong because a policy outside its schedule is simply skipped during lookup and the traffic falls through to the implicit deny (policyid=0), so a schedule problem would be visible in the policy list the administrator already checked rather than in a distinctive log message; given the scenario's emphasis on VDOMs, the ingress interface's VDOM assignment is the most likely cause.
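As an added illustration (not part of the original page and not FortiOS code), the following Python snippet parses constructed FortiOS-style traffic log lines and groups implicit-deny drops by the `vd` field and ingress interface, which is the check that exposes traffic landing in the wrong VDOM. The log lines, interface names, VDOM names and policy IDs are made up for the example.

```python
import re
from collections import Counter

# key=value tokenizer for FortiOS traffic logs; values may be quoted strings with spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> dict:
    """Turn one log line into a dict, stripping the quotes around string values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def implicit_denies_by_vdom(lines):
    """Count forward-traffic drops on the implicit deny (policyid=0), keyed by
    (VDOM, ingress interface). A cluster of hits under an unexpected VDOM means
    the ingress interface belongs to that VDOM, not the one holding the permit policy."""
    counts = Counter()
    for line in lines:
        rec = parse_log(line)
        if rec.get("type") != "traffic" or rec.get("action") != "deny":
            continue
        if rec.get("policyid") != "0":
            continue  # denied by an explicit deny policy: a different problem
        counts[(rec["vd"], rec["srcintf"])] += 1
    return counts


def misplaced_flows(lines, expected_vd):
    """Return the denied traffic flows that were processed in a VDOM other than
    the one that is supposed to hold the permit policy."""
    out = []
    for line in lines:
        rec = parse_log(line)
        if rec.get("type") != "traffic" or rec.get("action") != "deny":
            continue
        if rec.get("vd") != expected_vd:
            out.append((rec["srcip"], rec["dstip"], rec["srcintf"], rec["vd"]))
    return out


# Constructed sample lines, not captured from a real device: the permit policy
# (policyid=12) lives in VDOM "prod"; port5 was assigned to VDOM "lab" by mistake,
# so its traffic never sees that policy and dies on lab's implicit deny.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" vd="prod" '
    'srcip=10.1.1.20 dstip=203.0.113.10 srcintf="port1" dstintf="port2" policyid=12 action="accept"',
    'date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" vd="lab" '
    'srcip=10.1.2.20 dstip=203.0.113.10 srcintf="port5" dstintf="unknown-0" policyid=0 action="deny"',
    'date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" vd="lab" '
    'srcip=10.1.2.21 dstip=203.0.113.10 srcintf="port5" dstintf="unknown-0" policyid=0 action="deny"',
    'date=2024-05-01 time=10:00:04 type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" action="login"',
]

if __name__ == "__main__":
    for (vd, intf), n in implicit_denies_by_vdom(SAMPLE_LOGS).items():
        print(f"vd={vd} srcintf={intf}: {n} implicit-deny drops")
    for flow in misplaced_flows(SAMPLE_LOGS, expected_vd="prod"):
        print("processed outside prod:", flow)
```

The `dstintf="unknown-0"` value in the constructed deny lines is what a FortiGate logs when the VDOM has no route for the destination, so the same parse also shows whether the wrong VDOM is missing a route as well as a policy.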

175
MCQhard

A FortiGate has two VDOMs: Sales and Engineering. The admin wants to allow the Engineering VDOM to manage the Sales VDOM's administrator accounts. What configuration is required?

A.Set the management VDOM to Engineering and configure Sales to accept admin connections from Engineering's IP
B.Use inter-VDOM routing to forward admin traffic
C.Enable VDOM sharing on the local-in policy
D.Create a super_admin account in Sales VDOM
AnswerA

This allows Engineering to manage Sales admins.

Why this answer

To allow the Engineering VDOM to manage the Sales VDOM's administrator accounts, the management VDOM must be set to Engineering and the Sales VDOM must accept admin connections from Engineering's IP address. The management VDOM is a global setting, configured with 'set management-vdom Engineering' under 'config system global' (not inside the Sales VDOM), and on the Sales side the interface's allowaccess settings and local-in policy must permit HTTPS/SSH from Engineering's management IP. This gives cross-VDOM administrative access without inter-VDOM routing or shared policies. For practitioners, note that administrator accounts themselves are global objects under 'config system admin', each scoped to one or more VDOMs, and an account with the super_admin profile can edit them from any interface that permits admin access; the management VDOM mostly governs the FortiGate's own outbound management traffic, and the exam answer tests the cross-VDOM access pattern rather than that detail.

Exam trap

The trap here is that candidates confuse inter-VDOM routing (data plane) with management-plane cross-VDOM admin access, leading them to select Option B, or they assume a super_admin account in the target VDOM is sufficient, missing the requirement for the management VDOM to be set on the source VDOM.

How to eliminate wrong answers

Option B is wrong because inter-VDOM routing forwards data traffic between VDOMs, not management or administrative control traffic; admin connections terminate on the FortiGate itself and are handled as local-in traffic, not transit traffic. Option C is wrong because there is no 'VDOM sharing' option on local-in policies; a local-in policy controls traffic destined to the FortiGate itself within one VDOM, and admin access from another VDOM's network is simply a local-in permit plus the interface's allowaccess settings. Option D is wrong because a super_admin account in the Sales VDOM would only grant full privileges within Sales, not allow the Engineering VDOM to manage Sales accounts; cross-VDOM admin management requires the management VDOM configuration.

176
Multi-Selectmedium

An administrator is troubleshooting a FortiGate in transparent mode. The FortiGate is not forwarding traffic between two segments connected to port1 and port2. The administrator checks the interface configuration. Which TWO configurations are REQUIRED for a transparent mode VDOM to forward traffic? (Choose two.)

Select 2 answers
A.Spanning Tree Protocol (STP) must be enabled on both interfaces
B.Both interfaces must be assigned IP addresses in the same subnet
C.Both interfaces must be members of the same hardware switch (or software bridge)
D.A firewall policy must allow all traffic between the two interfaces
E.The VDOM must be configured in transparent mode
AnswersC, E

Traffic is forwarded between interfaces that are part of the same bridge.

Why this answer

In transparent mode a VDOM behaves as a Layer 2 bridge: frames are forwarded between its interfaces by MAC address, with no IP routing. The interfaces must therefore belong to the same Layer 2 domain, which in FortiOS means the same transparent-mode VDOM and the same forward domain (or the same hardware or software switch where one is used); interfaces in different bridges are isolated and cannot exchange frames. Note that transparent mode removes routing, not policy enforcement: a firewall policy from port1 to port2 is still required for sessions initiated from the port1 side, although it does not need to allow all traffic as option D suggests.

Exam trap

The trap here is that candidates often think IP addressing or firewall policies are the primary requirements for forwarding, but in transparent mode, the critical Layer 2 bridging configuration is what enables traffic to pass between interfaces.

177
MCQmedium

An administrator needs to ensure that all firewall policies in a FortiGate VDOM have a common set of inspection profiles added at the end of the policy list. Which FortiManager feature best achieves this?

A.ADOM overrides
B.Central SNAT
C.Revision history
D.Policy package header/footer policies
AnswerD

Why this answer

Header and footer policies are defined in FortiManager's global policy package (Global ADOM) and assigned to ADOMs; in every policy package of an assigned ADOM, header policies are automatically inserted before the package's own policies and footer policies after them. A footer policy carrying the common inspection profiles therefore lands at the end of the policy list in every VDOM the package is installed to, without editing each policy by hand. It is the only feature designed specifically for this use case.

Exam trap

The trap here is that candidates often confuse ADOM overrides (which manage per-ADOM exceptions) with the ability to insert common policies, but only header/footer policies guarantee automatic placement at the end of every policy list in a VDOM.

How to eliminate wrong answers

Option A is wrong because ADOM overrides are used to apply configuration changes across multiple ADOMs or VDOMs, not to insert common inspection profiles at the end of a policy list. Option B is wrong because Central SNAT is a feature for centralized source NAT policy management, unrelated to inspection profiles or policy ordering. Option C is wrong because Revision history is a versioning and rollback feature, not a mechanism for adding common policies or profiles.

178
MCQmedium

A company has deployed a Security Fabric with a root FortiGate 600E and two downstream FortiGate 200E devices. The network also includes a FortiAnalyzer and a FortiManager. The administrator notices that the Security Fabric topology in FortiGate is not showing the downstream devices. The root FortiGate can ping the management IPs of the downstream devices. Additionally, the administrator has configured the downstream devices with the correct root IP and authorization mode is set to 'none'. However, when running 'diagnose sys fabric list' on the root, it shows the downstream devices with status 'Pending'. The root FortiGate's firewall policy allows all traffic from the downstream subnets. What is the most likely cause of the issue?

A.The downstream devices are missing the root FortiGate's serial number in the 'downstream-authorization' configuration.
B.The FortiAnalyzer is not configured to receive logs from the downstream devices.
C.The downstream devices are using a different management port than the root.
D.The root FortiGate's firewall policy is blocking the downstream devices' Fabric traffic.
AnswerA

When authorization mode is 'none', the root does not automatically authorize; the downstream must have the root's serial in the configuration.

Why this answer

The 'Pending' status in the output indicates that the root FortiGate has discovered the downstream devices but they have not completed the authorization handshake. Even with authorization mode set to 'none', each downstream FortiGate must still be explicitly tied to the root by serial number before the root will finalize the adjacency; without that entry the downstream stays pending. Practitioner note: on current FortiOS the authorization record is kept on the root, which accepts the downstream's serial number (through the GUI authorization prompt or a trusted-list entry under 'config system csf'), while the downstream points at the root with its upstream IP; the exam option phrases the serial-number requirement from the downstream's side, but the point being tested is the same: a device stays Pending until its serial has been explicitly authorized.

Exam trap

The trap here is that candidates assume setting authorization mode to 'none' removes all authorization requirements, but in reality, the downstream device must still explicitly list the root's serial number to complete the Fabric handshake.

How to eliminate wrong answers

Option B is wrong because FortiAnalyzer log reception is irrelevant to Security Fabric topology discovery; the Fabric adjacency is established between FortiGates over TCP port 8013, independent of logging. Option C is wrong because a management port mismatch would not affect the Fabric connection, which uses its own port, and the root can already ping the downstream devices, proving Layer 3 reachability. Option D is wrong because Security Fabric connections are terminated on the root FortiGate itself (downstream devices connect to the root on TCP/8013), so they are local-in traffic governed by the root interface's allowaccess settings, which must include 'fabric'; transit firewall policies, which the root already has in place, do not decide whether that connection is accepted. The issue is an authorization gap, not a policy block.

179
MCQmedium

A FortiGate is managed by FortiManager. The administrator creates a new policy package for VDOM 'Sales' and installs it. Later, they find that the previous configuration has been overwritten. What should the administrator do to avoid this in the future?

A.Set the FortiGate to backup mode
B.Enable auto-lock on the policy package
C.Use the install preview before applying the changes
D.Enable revision history
AnswerC

Install preview shows the configuration diff before anything is pushed to the device.

Why this answer

Option C is correct because using the install preview allows the administrator to review the exact changes that will be applied to the FortiGate before committing them. This prevents accidental overwrites by showing a diff of the configuration, enabling the administrator to verify that the new policy package will not replace existing settings unintentionally.

Exam trap

The trap here is that candidates confuse revision history (which is post-hoc) with install preview (which is proactive), or mistakenly think auto-lock prevents overwrites when it only serializes administrative edits.

How to eliminate wrong answers

Option A is wrong because FortiManager's backup management mode only has the device send configuration backups to FortiManager and never installs anything to it; that avoids the overwrite by giving up central policy management altogether, which is not the goal. Option B is wrong because auto-lock on a policy package prevents concurrent edits by multiple administrators, but does not prevent the installation process from overwriting the existing configuration. Option D is wrong because revision history tracks changes over time for rollback purposes, but does not provide a pre-installation review to avoid overwriting the current configuration.

180
MCQmedium

An administrator runs the following command on a FortiGate: 'diagnose sys session filter dport 443' and sees output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A.The session is fully established and has been active for 1 hour
B.The session will expire in 3600 seconds and has been active for 3599 seconds
C.The session is in a TCP SYN-SENT state and has not completed the three-way handshake
D.The session is using UDP on port 443
AnswerA

proto_state=01 is an established TCP session; duration=3600 is one hour of activity.

Why this answer

The output shows 'proto=6' (TCP) and 'proto_state=01', whose second digit 1 is ESTABLISHED in the FortiOS session table, the same reading as in question 171 (02 is SYN-SENT, 03 means the SYN/ACK has been seen but not the final ACK). 'duration=3600' is the age of the session entry, 3600 seconds, and 'expire=3599' is the time left on the session TTL; the established-TCP TTL defaults to 3600 seconds and is reset by every matching packet, so an expire of 3599 means the session carried a packet about one second ago. A fully established session that has been alive and active for an hour is option A.

Exam trap

The trap here is that candidates read a low expire value or a long duration as a sign of a stuck handshake, or take '01' to mean 'first step'; the second digit of 'proto_state' is a state code, not a step counter, and 01 is the established state.

How to eliminate wrong answers

Option B is wrong because it swaps the two fields: 'duration' counts up from session creation (3600 seconds so far) and 'expire' counts down to removal (3599 seconds left). Option C is wrong because SYN-SENT is 'proto_state=02'; a session stuck in the handshake would also not normally reach a duration of an hour, since half-open TCP sessions use a much shorter timer than established ones. Option D is wrong because 'proto=6' is TCP; UDP would show 'proto=17'.
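An added example (not from the original page and not Fortinet code) that decodes the session-table fields used in questions 171 and 180 and in the 'proto_state=02' scenario of question 189. The TCP state table is the standard FortiOS mapping of the second proto_state digit; the sample lines and the 60-second stale-handshake threshold are constructed for the example, not captured from a device.

```python
import re
from dataclasses import dataclass

# Second digit of proto_state for a TCP session in 'diagnose sys session list'.
# The first digit tracks the reply/proxy side and is 0 for a plainly forwarded session.
TCP_STATES = {
    0: "NONE",
    1: "ESTABLISHED",
    2: "SYN_SENT",
    3: "SYN_RECV",       # SYN and SYN/ACK seen, final ACK still outstanding
    4: "FIN_WAIT",
    5: "TIME_WAIT",
    6: "CLOSE",
    7: "CLOSE_WAIT",
    8: "LAST_ACK",
    9: "LISTEN",
}
# UDP and ICMP sessions only record whether a reply has been seen.
UDP_STATES = {0: "ONE_WAY", 1: "REPLY_SEEN"}

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Session:
    proto: str
    state: str
    duration: int  # seconds since the entry was created (counts up)
    expire: int    # seconds left before removal (counts down, reset to the TTL by every packet)


def parse_session(line: str) -> Session:
    """Decode one 'proto=... proto_state=... duration=... expire=...' line."""
    kv = dict(KV_RE.findall(line))
    proto = int(kv["proto"])
    second_digit = int(kv["proto_state"][-1])
    if proto == 6:
        state = TCP_STATES.get(second_digit, "UNKNOWN")
    elif proto in (1, 17):
        state = UDP_STATES.get(second_digit, "UNKNOWN")
    else:
        state = "n/a"
    return Session(PROTO_NAMES.get(proto, str(proto)), state,
                   int(kv["duration"]), int(kv["expire"]))


def assess(session: Session, stale_handshake_after: int = 60) -> str:
    """Summarise a session the way the questions above read it. A handshake state
    older than stale_handshake_after seconds is reported as half-open."""
    if session.proto == "TCP" and session.state == "ESTABLISHED":
        return (f"established, active for {session.duration} s, "
                f"{session.expire} s of TTL left")
    if session.proto == "TCP" and session.state in ("SYN_SENT", "SYN_RECV"):
        if session.duration > stale_handshake_after:
            return f"half-open handshake, stuck for {session.duration} s"
        return "handshake in progress"
    if session.proto == "TCP" and session.state in ("FIN_WAIT", "TIME_WAIT",
                                                    "CLOSE_WAIT", "LAST_ACK", "CLOSE"):
        return "closing"
    return session.state.lower()


# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "proto=6 proto_state=01 duration=3600 expire=3599",  # questions 171 and 180
    "proto=6 proto_state=02 duration=900 expire=5",      # question 189 scenario
    "proto=6 proto_state=05 duration=30 expire=10",
    "proto=17 proto_state=00 duration=2 expire=178",
]

if __name__ == "__main__":
    for line in SAMPLE:
        s = parse_session(line)
        print(f"{s.proto:4} {s.state:12} {assess(s)}")
```

Reading `duration` and `expire` together is the useful part: an established session with `expire` close to its TTL has just carried a packet, while a handshake-state session with a large `duration` has been refreshed by retransmitted SYNs and never completed.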

181
MCQhard

An administrator deploys a FortiGate in transparent mode with two VDOMs: one for the internal network and one for DMZ. The admin notices that ARP requests from internal hosts are not reaching the DMZ servers even though they are on the same VLAN. What is the most likely cause?

A.The FortiGate is not configured to proxy ARP
B.VDOMs in transparent mode are isolated layer 2 domains; inter-VDOM routing is required for communication
C.The internal and DMZ VDOMs are in different VLANs on the same physical interface
D.Transparent mode does not support VDOMs
AnswerB

Correct. VDOMs separate broadcast domains.

Why this answer

In transparent mode, each VDOM is an independent Layer 2 forwarding domain with its own MAC address table. ARP requests are broadcast frames and stay inside the VDOM where they arrive; they are never flooded into another VDOM, even when both VDOMs carry the same VLAN ID. An internal host's ARP request therefore never reaches a DMZ server. If the two VDOMs are joined through an inter-VDOM link, the hosts reach each other by Layer 3 forwarding across that link (the broadcast itself still stays in its own VDOM), which is why inter-VDOM routing is the answer.

Exam trap

The trap here is that candidates assume transparent mode operates as a simple bridge that forwards all Layer 2 traffic between all interfaces, forgetting that VDOMs create strict Layer 2 isolation boundaries even in transparent mode.

How to eliminate wrong answers

Option A is wrong because proxy ARP is a Layer 3 feature used to respond to ARP requests on behalf of another device, and it is not required for Layer 2 forwarding within the same VLAN; the issue here is Layer 2 isolation between VDOMs. Option C is wrong because the scenario states the hosts are on the same VLAN, and VDOMs in transparent mode can share the same physical interface with different VLANs, but that would not cause ARP requests to fail between VDOMs—the failure is due to VDOM isolation, not VLAN mismatch. Option D is wrong because transparent mode fully supports VDOMs; in fact, VDOMs are commonly used in transparent mode to segment Layer 2 traffic.

182
MCQhard

An administrator configures a FortiGate in transparent mode with two VDOMs. Each VDOM is assigned to a different VLAN. The administrator wants to apply a common security policy to traffic between the VLANs. What is the correct approach?

A.Assign both VLANs to the same VDOM and apply a policy there
B.Apply the policy on the management VDOM
C.Configure a single policy on the root VDOM that matches all VLANs
D.Use inter-VDOM routing linked to a policy in the global policy set
AnswerD

Traffic between VDOMs must go through inter-VDOM routing; a policy in the respective VDOMs is needed.

Why this answer

In transparent mode the two VDOMs are separate Layer 2 domains, so traffic between VLANs in different VDOMs has to cross an inter-VDOM link, and each VDOM evaluates its own firewall policy for the traffic that enters it through its end of the link. There is no policy table on the FortiGate that spans VDOMs; a 'global' policy in this context is one that is kept common by configuration (for example a FortiManager global header or footer policy installed into both VDOMs) and it is still enforced once in each VDOM the traffic passes through. Option D is the only one that keeps the VDOM separation and still applies a consistent policy to the cross-VDOM traffic.

Exam trap

The trap here is that candidates often assume a single VDOM or the root VDOM can see all VLANs and police traffic between them, but an interface belongs to exactly one VDOM, so cross-VDOM traffic has to be carried by an inter-VDOM link and policed on each side, even in transparent mode.

How to eliminate wrong answers

Option A is wrong because assigning both VLANs to the same VDOM would merge them into a single broadcast domain, defeating the purpose of using separate VDOMs for isolation. Option B is wrong because the management VDOM is the VDOM used for the FortiGate's own management traffic; it cannot police data-plane traffic on interfaces it does not own. Option C is wrong because the root VDOM is just the default VDOM: a policy there can only match interfaces assigned to root, so it cannot match VLANs that belong to the other VDOMs.

183
MCQhard

A company is deploying a Security Fabric with multiple FortiGate devices managed by FortiManager. The administrator wants to apply a policy package to multiple FortiGate devices in the Fabric. However, after assigning the policy package to the devices in FortiManager and installing the configuration, the policies are not applied consistently across all devices. The administrator notices that some devices have local policies that override the policy package. What is the best practice to ensure that the policy package is enforced on all devices?

A.Enable 'Central Management' in FortiManager and use 'Install On Policy Package' to push policies.
B.Disable the 'Auto Update' feature on the managed devices.
C.Use the same policy package name on all devices and manually sync them.
D.Ensure that the Security Fabric is fully established and all devices are visible in the topology.
AnswerA

Central management enforces that only policies from FortiManager are active.

Why this answer

Option A is correct because enabling 'Central Management' in FortiManager ensures that the policy package is the authoritative source for all managed FortiGate devices. When 'Install On Policy Package' is used, FortiManager overwrites any local policies on the devices, enforcing consistent policy application across the Security Fabric. Without central management, local policies can persist and override the pushed policy package, leading to inconsistencies.

Exam trap

The trap here is that candidates may assume that simply installing a policy package via FortiManager is enough to override local policies, without realizing that 'Central Management' must be explicitly enabled to prevent local policy edits from persisting and overriding the pushed configuration.

How to eliminate wrong answers

Option B is wrong because disabling 'Auto Update' on managed devices would prevent them from receiving any updates from FortiManager, including policy changes, which would not solve the override issue. Option C is wrong because using the same policy package name and manually syncing devices is error-prone and does not leverage FortiManager's centralized control; local policies would still override unless central management is enabled. Option D is wrong because ensuring the Security Fabric is established and devices are visible in the topology is necessary for communication but does not address the root cause of local policies overriding the policy package; central management is required to enforce the policy package.

184
Multi-Selecthard

A network administrator is troubleshooting a scenario where FortiView in FortiAnalyzer shows no traffic data for a specific FortiGate, but logs are being received. Which two possible causes should the administrator investigate? (Choose two.)

Select 2 answers
A.The FortiGate's clock is not synchronized with FortiAnalyzer
B.The FortiAnalyzer ADOM is configured as a global ADOM
C.The FortiGate is not sending traffic logs; only event logs are being forwarded
D.The FortiView database is corrupted or needs to be rebuilt
E.The FortiAnalyzer disk is full and not indexing new logs
AnswersC, D

FortiView requires traffic logs to populate.

Why this answer

Option C is correct because FortiView is built from traffic logs (type traffic, subtype forward), which a FortiGate only sends for policies that have logging enabled ('set logtraffic all' or 'utm' on the firewall policy, with traffic logging to FortiAnalyzer enabled in the log settings). If the FortiGate is forwarding only event logs (system, admin, VPN) FortiView has nothing to chart even though logs are being received; this is a common gap in the per-policy logging configuration. Option D is correct because FortiView reads from FortiAnalyzer's indexed SQL database rather than from the raw log files; if that database is corrupted or the indexes were never built for the device, Log View can still show the raw logs while FortiView stays empty, and rebuilding the ADOM's database is the fix.

Exam trap

The trap here is that candidates assume any log reception implies traffic data is available for FortiView, but FortiView specifically requires traffic logs, not just any log type, and a corrupted database can silently break FortiView while other log viewing features remain functional.

185
Multi-Selectmedium

A FortiGate administrator is troubleshooting an issue where IPsec VPN traffic is not being forwarded correctly in a multi-VDOM environment. Which TWO factors should the administrator verify?

Select 2 answers
A.The firewall policy for the VPN traffic is present in the correct VDOM
B.The VPN tunnel is configured in the correct VDOM
C.Inter-VDOM routing is enabled globally
D.The management VDOM has an IPsec policy
E.The FortiGate is in transparent mode
AnswersA, B

Policy must be in the VDOM where traffic flows.

Why this answer

A is correct because firewall policies are VDOM-scoped; even if the VPN tunnel is up, traffic will not be forwarded unless a policy explicitly permits it within the VDOM that owns the tunnel interface, since policies from one VDOM cannot control traffic in another. B is correct because an IPsec tunnel (phase 1) is bound to a physical or VLAN interface, and that interface belongs to exactly one VDOM; the tunnel interface, its routes and its policies all live in that VDOM, so a tunnel defined in the wrong VDOM can come up and still carry no traffic for the intended networks.

Exam trap

The trap here is that candidates often assume inter-VDOM routing is a global feature that must be enabled, when in fact it is handled by per-VDOM configurations such as inter-VDOM links or policies.

186
MCQmedium

A FortiGate with multiple VDOMs is experiencing inter-VDOM routing issues. The admin has created inter-VDOM links between VDOMs and configured firewall policies allowing traffic. However, traffic from VDOM_A to VDOM_B is not reaching the destination. What is the most likely cause?

A.The inter-VDOM link's administrative status is down
B.The routing table in VDOM_A does not have a route to VDOM_B's subnet via the inter-VDOM link
C.VDOM_B does not have an interface in the same subnet as the inter-VDOM link
D.The traffic is blocked by an implicit deny policy in VDOM_B
AnswerB

Without a route, traffic cannot be forwarded to the inter-VDOM link.

Why this answer

Inter-VDOM routing requires explicit routes in each VDOM's routing table pointing to the destination subnet via the inter-VDOM link interface. Even with inter-VDOM links and firewall policies configured, if VDOM_A lacks a route to VDOM_B's subnet through that link, the route lookup fails and the packet is dropped in VDOM_A before any policy is considered. The routing table must contain a static or dynamic route for the destination network whose outgoing interface is VDOM_A's end of the link, with the next hop set to the address on VDOM_B's end of the link (the peer address), not to VDOM_A's own link address. VDOM_B needs the mirror-image route back to VDOM_A's subnet, both for the replies and for the reverse path forwarding check on packets arriving from the link.

Exam trap

The trap here is that candidates assume inter-VDOM links and firewall policies alone are sufficient for traffic flow, overlooking the fundamental requirement of explicit routing entries in each VDOM's routing table, which is a common misstep in NSE7 scenarios.

How to eliminate wrong answers

Option A is wrong because if the inter-VDOM link's administrative status were down, the link would not be operational and the admin would see the interface as 'down' in the CLI or GUI, which is a far more obvious symptom than a missing route. Option C is wrong because the two ends of an inter-VDOM link form their own point-to-point subnet; VDOM_B does not need any other interface in that subnet, only a route back through its end of the link. Option D is wrong because the question states that policies have been configured, so VDOM_B's implicit deny would apply only if its policy did not match; more decisively, the destination route lookup happens before the policy lookup, so a packet with no route in VDOM_A never reaches VDOM_B's policy table at all.
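The following Python model is an added example, not page content or FortiOS code. It walks a packet through the per-VDOM pipeline described in questions 170, 172 and 186: route lookup first, then policy lookup, then across the inter-VDOM link into the next VDOM, where both lookups happen again. The interface names vlink0/vlink1 and the addresses are assumptions matching the question 170 topology; reverse-path checks and session state are deliberately left out of the model.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    srcintf: str
    dstintf: str
    action: str = "accept"


@dataclass
class Vdom:
    name: str
    routes: dict = field(default_factory=dict)    # "prefix" -> outgoing interface
    policies: list = field(default_factory=list)  # ordered, first match wins

    def route_lookup(self, dst):
        """Longest-prefix match. None means 'no route', which FortiOS drops
        before any policy is consulted."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def policy_lookup(self, srcintf, dstintf):
        for p in self.policies:
            if p.srcintf in (srcintf, "any") and p.dstintf in (dstintf, "any"):
                return p
        return None  # implicit deny (policyid 0)


def forward(vdoms, links, ingress_vdom, ingress_intf, src, dst):
    """Walk one packet through the VDOMs. links maps an inter-VDOM link interface
    to (peer VDOM, peer interface); leaving through a link re-enters the peer VDOM
    as fresh ingress traffic, which repeats the route and policy lookups there."""
    vd, intf, trace = vdoms[ingress_vdom], ingress_intf, []
    for _ in range(len(vdoms) + 1):  # guard against a routing loop in the model
        out = vd.route_lookup(dst)
        if out is None:
            trace.append(f"{vd.name}: no route to {dst}, dropped before policy lookup")
            return "drop", trace
        pol = vd.policy_lookup(intf, out)
        if pol is None or pol.action != "accept":
            trace.append(f"{vd.name}: {intf}->{out} hit implicit deny (policyid 0)")
            return "drop", trace
        trace.append(f"{vd.name}: {intf}->{out} accepted")
        if out not in links:
            return "forward", trace
        peer_vdom, peer_intf = links[out]
        vd, intf = vdoms[peer_vdom], peer_intf
    trace.append("routing loop between VDOMs")
    return "drop", trace


def build(vdom1_has_route=True, vdom2_has_policy=True):
    """Question 170 topology (assumed names): port1 (192.168.1.0/24) in VDOM1,
    port2 (10.10.10.0/24) in VDOM2, joined by the link pair vlink0 (VDOM1) / vlink1 (VDOM2).
    The two flags reproduce the failure modes of questions 170/186 and 172."""
    vdom1 = Vdom("VDOM1", {"192.168.1.0/24": "port1"}, [Policy("port1", "vlink0")])
    vdom2 = Vdom("VDOM2", {"10.10.10.0/24": "port2", "192.168.1.0/24": "vlink1"},
                 [Policy("vlink1", "port2")] if vdom2_has_policy else [])
    if vdom1_has_route:
        vdom1.routes["10.10.10.0/24"] = "vlink0"
    links = {"vlink0": ("VDOM2", "vlink1"), "vlink1": ("VDOM1", "vlink0")}
    return {"VDOM1": vdom1, "VDOM2": vdom2}, links


if __name__ == "__main__":
    for kwargs in ({}, {"vdom1_has_route": False}, {"vdom2_has_policy": False}):
        vdoms, links = build(**kwargs)
        verdict, trace = forward(vdoms, links, "VDOM1", "port1", "192.168.1.10", "10.10.10.50")
        print(kwargs or "complete config", "->", verdict, "|", "; ".join(trace))
```

The traces make the ordering visible: without the route in VDOM1 the packet is dropped before VDOM1's policy is even consulted, and without the policy in VDOM2 it clears VDOM1 cleanly and dies on VDOM2's implicit deny, which is why the deny shows up in VDOM2's log even though VDOM1's policy is correct.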

187
MCQhard

A FortiGate in transparent mode with multiple VDOMs is deployed at a customer site. The customer reports that traffic between two VLANs on the same physical segment is not being forwarded. The administrator verifies that the firewall policies are configured correctly. What is the most likely cause?

A.The VDOMs are not configured with management IP addresses
B.The FortiGate is in transparent mode and does not route between VLANs without a VLAN interface
C.The VDOM limit has been exceeded
D.Inter-VDOM routing is disabled between the VDOMs
AnswerB

A transparent-mode VDOM bridges, it never routes; traffic between two VLANs is inter-VLAN routing and must be done by an external Layer 3 device, while the FortiGate needs VLAN subinterfaces and policies between them to inspect that traffic as it passes through.

Why this answer

In transparent mode a FortiGate forwards frames at Layer 2 and performs no IP routing, so it cannot move packets from one VLAN to another by itself; a router or Layer 3 switch on the segment has to do that. To inspect the VLAN traffic that passes through it, the FortiGate needs a VLAN subinterface for each VLAN ID on the relevant physical ports, assigned to the appropriate VDOM, with firewall policies between those subinterfaces. Without those VLAN interfaces the tagged frames are not matched to any interface the policies reference, so even correctly written policies have nothing to apply to and the traffic is not forwarded.

Exam trap

The trap here is that candidates assume a transparent-mode FortiGate can route between VLANs; it cannot, and the VLAN subinterfaces it needs exist so that the bridged, tagged traffic can be matched and policed, not so that it can be routed.

How to eliminate wrong answers

Option A is wrong because management IP addresses are only required for administrative access (e.g., GUI/SSH) and do not affect Layer 2 forwarding between VLANs. Option C is wrong because exceeding the VDOM limit would prevent creation of new VDOMs or cause operational errors, but the scenario describes traffic not being forwarded, which is unrelated to VDOM count limits. Option D is wrong because inter-VDOM routing is a Layer 3 feature that controls traffic between VDOMs; in transparent mode, traffic between VLANs on the same physical segment is handled within a single VDOM via VLAN interfaces, not between VDOMs.

188
MCQeasy

An administrator needs to back up the configuration of a FortiGate managed by FortiManager before making major changes. Which feature in FortiManager should the administrator use?

A.Policy package import/export
B.Automation stitch
C.Install preview
D.Revision history
AnswerD

Revision history stores previous configurations and allows restore.

Why this answer

Revision History in FortiManager allows administrators to create, view, and restore previous configuration versions of managed FortiGate devices. This is the correct feature for backing up a configuration before making major changes, as it provides a point-in-time snapshot that can be rolled back if needed.

Exam trap

The trap here is that candidates may confuse 'Install preview' (which shows changes to be applied) with a backup mechanism, but it does not save the current state for rollback, whereas Revision History explicitly provides that capability.

How to eliminate wrong answers

Option A is wrong because Policy package import/export is used to transfer policy packages between FortiManager and FortiGate or between FortiManager instances, not to back up the entire device configuration before changes. Option B is wrong because Automation stitch is a FortiGate feature that automates responses to events (e.g., triggering scripts or sending alerts), not a configuration backup mechanism. Option C is wrong because Install preview shows the pending changes that will be applied during an install operation, but it does not create a backup or allow rollback of the current configuration.

189
MCQhard

An administrator runs 'diagnose sys session list' and sees sessions with 'proto=6 proto_state=02' and a long duration. The administrator is troubleshooting why sessions are not being terminated after a policy change that should block the traffic. What does 'proto_state=02' indicate?

A.The session is in TIME_WAIT state
B.The session is in SYN_SENT state, waiting for a SYN-ACK
C.The session is in established state (TCP connection active)
D.The session is in FIN_WAIT state, closing the connection
AnswerB

For TCP (proto=6) FortiOS shows a two-digit proto_state; 02 is SYN_SENT, not ESTABLISHED (which is 01). A SYN was accepted and a session created, but no SYN/ACK has come back.

Why this answer

In 'diagnose sys session list' output, proto=6 means TCP and proto_state is a two-digit field whose second digit is the connection state: 0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN received / SYN-ACK sent (SYN_RECV), 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN. proto_state=02 therefore means the client's SYN matched an accept policy and created the session, but the FortiGate has not seen the server's SYN/ACK: a half-open session, which almost always points at one-way traffic (server down, asymmetric return path, or the reply dropped upstream). A healthy, data-carrying session shows proto_state=01 and non-zero reply bytes in the statistic line. Half-open entries are removed after the TCP half-open timer (tcp-halfopen-timer under config system global, default 10 seconds), so a long duration on a 02 entry usually means the client keeps retransmitting SYNs that refresh the entry.

The policy-change part of the scenario deserves its own check. By default firewall-session-dirty (config system settings) is check-all: any policy change flags existing sessions dirty and each one is re-evaluated against the new policy table on its next packet, so a session that now matches a deny is dropped. Sessions that survive a blocking policy change indicate that firewall-session-dirty was set to check-new (existing sessions keep their original verdict) or that the traffic still matches another accept policy; 'diagnose sys session clear' after setting a filter with 'diagnose sys session filter' removes them immediately.

Exam trap

The trap here is mapping FortiOS's digits onto the RFC 793 state list in order, or reading 02 as 'two-way, established'. In FortiOS 01 is ESTABLISHED and 02 is SYN_SENT; misreading 02 as established sends you chasing session timeouts when the real problem is that the server never answered.

How to eliminate wrong answers

Option A is wrong because TIME_WAIT is proto_state=05, the state after a completed close while the FortiGate waits for stray packets. Option C is wrong because ESTABLISHED is proto_state=01; an established session shows bytes in both directions in the statistic line, whereas a 02 session has no reply traffic at all. Option D is wrong because FIN_WAIT is proto_state=04 (03 is the SYN/SYN-ACK stage), an active close, not a connection that never completed its handshake.
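A small decoder for session-list output, as an added example that is not from the original page or from Fortinet: it splits a 'diagnose sys session list' dump into sessions, translates proto and proto_state into names using the FortiOS state table given above, reports whether a session was flagged dirty after a policy change, and lists half-open (proto_state=02) sessions. The dump it runs on is constructed to mirror the real line format; addresses, policy IDs and the VDOM index are made up.

```python
"""Decode FortiOS 'diagnose sys session list' output into readable TCP states.

Added example, not code from the original page or from Fortinet. SAMPLE is a
constructed dump that mirrors the real line format; the state tables hold the
documented FortiOS proto_state values (for TCP: 01 = ESTABLISHED, 02 = SYN_SENT).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# proto=6 (TCP): the second digit of proto_state is the connection state.
TCP_STATES = {"0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_RECV",
              "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
              "8": "LAST_ACK", "9": "LISTEN"}
UDP_STATES = {"00": "ONE_WAY", "01": "REPLY_SEEN"}   # proto=17: has a reply been seen?
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}

KV_RE = re.compile(r"(\w+)=(\S*)")
ORG_RE = re.compile(r"hook=\S+ dir=org act=\S+ (\S+?):(\d+)->(\S+?):(\d+)")

# Constructed sample: one established session, one half-open SYN, one one-way UDP flow.
SAMPLE = """session info: proto=6 proto_state=01 duration=3512 expire=3590 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log dirty may_dirty npu
statistic(bytes/packets/allow_err): org=9340/28/1 reply=132000/101/1 tuples=2
hook=post dir=org act=snat 10.0.1.20:51432->198.51.100.7:443(203.0.113.5:51432)
hook=pre dir=reply act=dnat 198.51.100.7:443->203.0.113.5:51432(10.0.1.20:51432)
misc=0 policy_id=5 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=1
session info: proto=6 proto_state=02 duration=6 expire=4 timeout=10 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 10.0.1.21:40022->198.51.100.9:22(203.0.113.5:40022)
hook=pre dir=reply act=dnat 198.51.100.9:22->203.0.113.5:40022(10.0.1.21:40022)
misc=0 policy_id=5 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=1
session info: proto=17 proto_state=00 duration=30 expire=150 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty
statistic(bytes/packets/allow_err): org=64/1/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 10.0.1.22:53012->198.51.100.53:53(203.0.113.5:53012)
hook=pre dir=reply act=dnat 198.51.100.53:53->203.0.113.5:53012(10.0.1.22:53012)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=1
total session 3
"""


@dataclass
class Session:
    proto: str
    proto_state: str
    state_name: str
    duration: int
    expire: int
    policy_id: Optional[int]
    vd: Optional[int]
    src: str
    dst: str
    dirty: bool          # flagged for re-evaluation after a policy change (check-all)


def decode_state(proto: str, proto_state: str) -> str:
    """Map proto/proto_state to a readable state name."""
    if proto == "6":
        return TCP_STATES.get(proto_state[-1:], "UNKNOWN")
    if proto == "17":
        return UDP_STATES.get(proto_state, "UNKNOWN")
    return "N/A"


def parse_sessions(text: str) -> List[Session]:
    """Split the dump on 'session info:' and pull out the fields that matter for triage."""
    sessions: List[Session] = []
    for block in re.split(r"^session info: ", text, flags=re.M)[1:]:
        kv = dict(KV_RE.findall(block))
        m = ORG_RE.search(block)                     # original-direction 5-tuple
        flags = next((l[6:].split() for l in block.splitlines() if l.startswith("state=")), [])
        proto = kv.get("proto", "?")
        sessions.append(Session(
            proto=proto, proto_state=kv.get("proto_state", ""),
            state_name=decode_state(proto, kv.get("proto_state", "")),
            duration=int(kv.get("duration", 0)), expire=int(kv.get("expire", 0)),
            policy_id=int(kv["policy_id"]) if "policy_id" in kv else None,
            vd=int(kv["vd"]) if "vd" in kv else None,
            src=f"{m.group(1)}:{m.group(2)}" if m else "?",
            dst=f"{m.group(3)}:{m.group(4)}" if m else "?",
            dirty="dirty" in flags))
    return sessions


def half_open(sessions: List[Session]) -> List[Session]:
    """TCP sessions whose SYN got no SYN/ACK (proto_state=02): one-way traffic."""
    return [s for s in sessions if s.proto == "6" and s.state_name == "SYN_SENT"]


def by_policy(sessions: List[Session], policy_id: int) -> List[Session]:
    return [s for s in sessions if s.policy_id == policy_id]


def summarize(s: Session) -> str:
    line = (f"{PROTO_NAMES.get(s.proto, s.proto)} {s.src} -> {s.dst} proto_state={s.proto_state} "
            f"({s.state_name}) duration={s.duration}s expire={s.expire}s policy_id={s.policy_id} vd={s.vd}")
    return line + (" [dirty: re-checked against policy on next packet]" if s.dirty else "")


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(summarize(s))
```

Run directly, it prints one line per session: in the constructed dump the TCP session on policy 5 with proto_state=01 is established and already marked dirty, while the proto_state=02 session to port 22 is a SYN that never received a SYN/ACK. On a real unit, narrow the table first with 'diagnose sys session filter' and feed the text of 'diagnose sys session list' to parse_sessions.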

190
MCQeasy

What is the purpose of header and footer policies in a FortiManager policy package?

A.To separate IPv4 and IPv6 policies
B.To apply policies at the top and bottom of the policy list that are not affected by reordering within the package
C.To create backup policies
D.To define policies that are only used during installation
AnswerB

Header and footer policies come from the Global ADOM and always sit above and below the ADOM's own policies.

Why this answer

Header and footer policies are global policies: they are defined in a global policy package in the Global ADOM and assigned to the policy packages of selected ADOMs. On installation they are placed at the very top (header) and very bottom (footer) of the device's policy table, above and below the ADOM's own policies, and reordering inside the ADOM package never moves them. This is how an MSSP or central security team enforces organization-wide rules (for example, a mandatory block of known-bad destinations at the top, or a logged deny-all at the bottom) while ADOM administrators keep control of everything in between.

Exam trap

The trap here is that candidates often confuse header/footer policies with simple policy ordering or backup mechanisms, failing to recognize that their key purpose is to provide immutable positioning that survives reordering operations within the policy package.

How to eliminate wrong answers

Option A is wrong because header and footer policies are not used to separate IPv4 and IPv6 policies; IPv4 and IPv6 policies are managed separately within their own policy tables or via policy types, not through header/footer mechanisms. Option C is wrong because header and footer policies are not backup policies; they are active, enforced policies that maintain a fixed position, whereas backup policies would be inactive or stored separately. Option D is wrong because header and footer policies are not only used during installation; they are installed and enforced as part of the policy package and remain active on the FortiGate after installation, just like regular policies.

191
MCQmedium

A FortiGate is configured with multiple VDOMs. The administrator needs to allow traffic from a VDOM named 'CustomerA' to reach a server in VDOM 'SharedServices'. Both VDOMs are on the same FortiGate. Which configuration is necessary?

A.Place both VDOMs in the same ADOM in FortiManager
B.Enable inter-VDOM routing and create policies allowing traffic between the VDOMs
C.Create a VDOM link between the two VDOMs
D.Configure the FortiGate in transparent mode
AnswerC

VDOMs are isolated; traffic crosses between them only over a VDOM link, plus routes and policies in each VDOM.

Why this answer

Option C is correct. VDOMs on a FortiGate are fully separate routing and policy domains, and FortiOS has no global 'inter-VDOM routing' switch: the only ways for CustomerA to reach SharedServices are an inter-VDOM link or a physical cable between interfaces belonging to the two VDOMs. A VDOM link (config system vdom-link, or an NPU vlink on hardware-accelerated models) creates a pair of virtual interfaces, one assigned to each VDOM, connected back to back. Each end gets an IP address; CustomerA then needs a static route to the SharedServices server subnet via its end of the link and a firewall policy permitting the traffic towards that interface, and SharedServices needs a policy accepting the traffic arriving from its end of the link (and a route back to CustomerA's subnets if it initiates connections). Routes and policies are what make the link carry traffic, but the link itself is the configuration item that makes inter-VDOM communication possible at all.

Exam trap

The trap here is the belief that there is a single 'enable inter-VDOM routing' command (there is no such setting under config system global) or that a policy can reference another VDOM directly. Policies reference interfaces within their own VDOM; the VDOM link interface is what a policy points at.

How to eliminate wrong answers

Option A is wrong because ADOMs in FortiManager are management containers for grouping devices and policies; they have no effect on whether traffic can flow between VDOMs on a FortiGate. Option B is wrong because 'inter-vdom-routing' is not a FortiOS setting; inter-VDOM routing is achieved with VDOM links, and policies alone cannot bridge two VDOMs that share no interface. Option D is wrong because transparent mode is a per-VDOM operation mode (Layer 2 bridging) and does not connect VDOMs; a transparent VDOM can be attached to a NAT VDOM with a VDOM link, but the link is still required.

192
MCQhard

A FortiGate admin configures a firewall policy with an antivirus profile in flow-based inspection mode. The admin notices that some large files are being scanned but others are allowed without scanning. What is the most likely cause?

A.The antivirus signatures are outdated
B.The antivirus profile has an exemption for certain file types
C.The FortiGate's antivirus buffer size is exceeded, causing some files to bypass scanning
D.Flow-based inspection cannot scan files larger than 10 MB
AnswerC

Files above the per-protocol oversize limit are not buffered for scanning and, by default, are passed through.

Why this answer

Flow-based antivirus still has to buffer a file to scan it, and the size it is willing to buffer is bounded by the oversize-limit in the protocol options profile attached to the policy (config firewall profile-protocol-options, set per protocol, default 10 MB). A file larger than that limit is not scanned; whether it is then passed or blocked depends on whether 'oversize' is set in that protocol's options, and the default is to pass. That is exactly the observed symptom: files below the limit are scanned, files above it go through untouched. The practitioner's check is to log oversized files and decide deliberately whether the policy should block them (set options oversize) rather than relying on the default pass.

Exam trap

The trap here is that candidates assume the inspection mode decides what can be scanned; the real limit is the configurable oversize threshold and the fail-open default for files beyond it, which applies regardless of how current the signature database is.

How to eliminate wrong answers

Option A is wrong because outdated signatures cause missed detections in files that were scanned; they do not make scanning skip files by size. Option B is wrong because file-type exemptions skip those types at any size, not only large files. Option D is wrong because 10 MB is only the default oversize-limit, not a hard ceiling: the limit is configurable per protocol, and files above it are passed or blocked according to the oversize option rather than being impossible to scan.

193
MCQeasy

An administrator needs to view real-time traffic logs and top applications for a specific VDOM on FortiAnalyzer. Which tool should be used?

A.FortiView
B.Playbooks
C.Incident Management
D.Reports
AnswerA

FortiView provides real-time dashboards and analytics.

Why this answer

FortiView is the correct tool because it provides real-time traffic logs and top applications per VDOM on FortiAnalyzer. It uses live data streams from FortiGate logs to display current network activity, allowing administrators to filter by VDOM and view metrics like top applications, sources, and destinations without running a report or script.

Exam trap

The trap here is that candidates confuse FortiView's live and drill-down monitoring with the Reports module's scheduled, templated output; FortiView builds its views from incoming logs on demand, while a report has to be generated before it can be read.

How to eliminate wrong answers

Option B is wrong because Playbooks are used for automated threat response and remediation workflows, not for real-time log viewing or application monitoring. Option C is wrong because Incident Management focuses on investigating and managing security incidents from events like IPS or malware, not on displaying live traffic logs or top applications. Option D is wrong because Reports generate historical, scheduled summaries of log data, not real-time views; they require processing time and cannot show live traffic.

194
Multi-Selecthard

A FortiGate administrator wants to use FortiManager to push configuration changes to a managed FortiGate. To ensure changes are applied correctly, the administrator wants to review the exact CLI commands that will be sent. Which TWO tools can be used for this purpose?

Select 2 answers
A.Device manager dashboard
B.Policy consistency check
C.Install preview
D.Revision history
E.ADOM lock
AnswersC, D

Install Preview shows the exact CLI that will be pushed; Revision History lets you diff revisions to see what changed.

Why this answer

Option C is correct because Install Preview in FortiManager generates the list of CLI commands that will be sent to the managed FortiGate during the install, so the administrator can review them before anything is applied. Option D is correct because Revision History keeps each configuration revision of the device and can compare two revisions, showing the configuration lines that differ; after an install it is also how you confirm what actually reached the device. Used together they answer both questions a careful change process asks: what is about to change, and what did change.

Exam trap

The trap here is that candidates may confuse the Install Preview with the Policy Consistency Check, as both involve reviewing configurations, but only the Install Preview shows the exact CLI commands that will be executed during the push.

195
MCQmedium

An organization wants to use FortiManager to manage multiple FortiGate devices. The administrator needs to ensure that each device group has separate policy and object configurations. Which FortiManager feature should be configured?

A.Policy packages with header/footer policies
B.Administrative Domains (ADOMs)
C.Global ADOM
D.Meta fields
AnswerB

ADOMs provide the required separation of configurations for different device groups.

Why this answer

Option B is correct. Administrative Domains (ADOMs) allow logical separation of devices, policies, and objects. Each ADOM can have its own policy packages and object databases, ensuring isolation between groups.

196
MCQeasy

What is the purpose of a management VDOM on a FortiGate?

A.To log all administrative actions
B.To route traffic between different VDOMs
C.To increase the number of available firewall policies
D.To provide a dedicated environment for administrative access and management protocols
AnswerD

The management VDOM is where the FortiGate's own management traffic originates.

Why this answer

When VDOMs are enabled, one VDOM is designated the management VDOM (root by default, changeable with set management-vdom under config system global). It is the VDOM from which the FortiGate itself sends management and system traffic: FortiGuard updates and queries, logging to FortiAnalyzer or syslog, NTP, SNMP traps, DNS, and authentication requests to RADIUS/LDAP/TACACS+ servers for administrator logins. Keeping these functions in one dedicated VDOM lets you route and filter them independently of the customer or production VDOMs. One nuance a practitioner should know: administrative GUI/SSH access is enabled per interface (allowaccess) and works on interfaces in any VDOM, so the management VDOM is about the unit's outbound management traffic and a clean place to host admin interfaces, not an exclusive gate for admin logins.

Exam trap

The trap here is that candidates confuse the management VDOM with a logging function or with inter-VDOM routing. It performs neither; it is the VDOM whose routing table and interfaces carry the unit's own management traffic.

How to eliminate wrong answers

Option A is wrong because recording administrative actions is done by event logging (local disk, FortiAnalyzer or syslog), not by a VDOM; the management VDOM is merely the path those logs leave through. Option B is wrong because traffic between VDOMs is carried by VDOM links (inter-VDOM links or NPU vlinks), not by the management VDOM. Option C is wrong because the firewall policy limit is set by the model and license; designating a management VDOM changes nothing about policy capacity.

197
MCQmedium

An administrator sees the following error when trying to commit changes from FortiManager to a FortiGate: 'Policy check failed: Policy ID 5 uses a zone that does not exist on the device.' What is the most likely cause?

A.The policy package is locked by another administrator
B.The zone referenced in the policy is not yet created on the FortiGate
C.The FortiGate is not running the same firmware version as FortiManager
D.The administrator has insufficient permissions
AnswerB

Why this answer

The error names the missing object directly: policy ID 5 references a zone that does not exist on the target FortiGate. In FortiManager, policies are written against normalized interfaces that are mapped per device to a real interface or zone; if the zone has not been created on the device, or the mapping for that device is missing, the pre-install policy check fails rather than pushing a policy that would reference an undefined interface. Option B correctly identifies the cause; the fix is to create or map the zone for that device and re-run the install.

Exam trap

The trap here is that candidates may confuse a missing object error with a firmware version mismatch or permission issue, but the error message explicitly names the missing zone, making the root cause straightforward if read carefully.

How to eliminate wrong answers

Option A is wrong because a locked policy package would produce a different error, such as 'Policy package is locked by another administrator', not a zone existence error. Option C is wrong because firmware version mismatches typically cause compatibility warnings or installation failures, not a specific zone-not-found error. Option D is wrong because insufficient permissions would result in an authorization failure or 'Permission denied' error, not a policy check failure referencing a missing zone.

198
MCQhard

An administrator is configuring FortiAnalyzer to receive logs from FortiGates in a multi-VDOM environment. The admin wants to ensure that logs from each VDOM are separated into their own datasets. What must be configured?

A.Enable per-VDOM logging on the FortiGate and use ADOMs on FortiAnalyzer
B.Use the same log settings for all VDOMs
C.Configure a separate log disk partition for each VDOM
D.Configure each VDOM to send logs to a different FortiAnalyzer
AnswerA

Every FortiGate log record carries the VDOM name (vd field); FortiAnalyzer can place each VDOM in its own ADOM, which gives each VDOM a separate log database and quota.

Why this answer

Option A is correct. On the FortiGate, logging to FortiAnalyzer is configured globally (config log fortianalyzer setting), with an optional per-VDOM override (config log fortianalyzer override-setting) when a VDOM must log differently; either way each record includes the vd field identifying its VDOM. On the FortiAnalyzer side, a FortiGate's VDOMs can be assigned individually to different ADOMs, and each ADOM has its own log storage, quota, reports and administrators. That ADO assignment is what produces separate datasets; with all VDOMs in one ADOM the logs share a database and are only distinguishable by filtering on vd.

Exam trap

The trap here is that candidates reach for separate disks or separate FortiAnalyzer units, but ADOMs give per-VDOM separation (storage quota, retention, reports, access control) on a single appliance.

How to eliminate wrong answers

Option B is wrong because identical settings without ADOM separation land all VDOMs' logs in one ADOM database, distinguishable only by the vd field. Option C is wrong because FortiAnalyzer does not carve disk partitions per VDOM; storage is allocated as per-ADOM quotas. Option D is wrong because one FortiAnalyzer with ADOMs already provides the isolation; additional appliances add cost and operational overhead without adding separation.

199
MCQeasy

Which FortiManager feature allows administrators to view the exact configuration changes that would be applied to a managed FortiGate before committing them?

A.Revision history
B.Install preview
C.Device manager
D.Policy checker
AnswerB

Install preview displays the pending changes.

Why this answer

Install preview in FortiManager shows the CLI commands that will be executed on the device, allowing validation before installation.

200
MCQhard

A FortiGate with VDOMs enabled has a management VDOM (mgmt-vdom) and a traffic VDOM (traffic-vdom). The admin wants to manage the FortiGate via HTTPS from a network in traffic-vdom. What configuration is needed?

A.Configure a static route in the management VDOM to reach traffic-vdom subnets
B.Enable 'admin-sport' in the global system settings
C.Add the interface from traffic-vdom to the management VDOM using 'set vdom mgmt-vdom' in the interface configuration
D.Create a firewall policy in traffic-vdom allowing HTTPS to the FortiGate's IP
AnswerC

Of the listed options, only moving the interface into the management VDOM yields working access; admin access itself is enabled per interface.

Why this answer

Option C is the intended answer: an interface belongs to exactly one VDOM, and 'set vdom mgmt-vdom' under config system interface reassigns it to the management VDOM, after which enabling HTTPS on it (set allowaccess https) gives administrators access from that network. Two practitioner caveats belong here. First, reassigning the interface removes it from traffic-vdom, so any routes and policies in traffic-vdom that used it stop working; the interface does not keep passing traffic for its original VDOM. Second, FortiOS does not restrict administrative logins to the management VDOM: HTTPS and SSH access are enabled per interface with allowaccess and work on an interface in any VDOM (subject to trusted hosts and the administrator's VDOM scope), so in practice the simpler change is to enable allowaccess https on the existing traffic-vdom interface. The management VDOM governs the FortiGate's own outbound management traffic (FortiGuard, logging, authentication servers), not inbound admin sessions.

Exam trap

The trap here is treating a firewall policy as the control for access to the FortiGate itself. Traffic destined to the unit's own interface addresses is local-in traffic, governed by allowaccess, trusted hosts and local-in policies, not by the firewall policy table.

How to eliminate wrong answers

Option A is wrong because a static route in the management VDOM cannot reach traffic-vdom networks; the two VDOMs have separate routing tables and are connected only if a VDOM link exists, and a route by itself does not enable administrative access on an interface anyway. Option B is wrong because admin-sport (config system global set admin-sport, the HTTPS administrative port, default 443) only changes which TCP port the GUI listens on; it does not grant access from a network that cannot reach an interface with HTTPS allowed. Option D is wrong because connections to the FortiGate's own IP are local-in traffic and are not matched by firewall policies; the control is allowaccess on the interface, plus trusted hosts and local-in policies.

201
MCQmedium

An administrator needs to generate a report showing top applications by bandwidth usage across all VDOMs for the last 30 days. Which FortiAnalyzer feature should be used?

A.FortiView
B.Playbooks
C.Log browsing
D.Incident management
AnswerA

FortiView covers both live views and historical analytics over a selectable period, with per-VDOM or cross-VDOM scope.

Why this answer

FortiView is the correct feature because it provides pre-aggregated, real-time and historical traffic analytics, including top applications by bandwidth usage, across all VDOMs without requiring custom queries. It leverages the FortiAnalyzer’s built-in data summarization engine to display per-VDOM and cross-VDOM application usage over a specified time range, such as the last 30 days.

Exam trap

The trap here is that candidates may confuse FortiView with log browsing, thinking raw logs are needed for custom reports, but FortiView’s pre-aggregated analytics are specifically designed for this exact use case.

How to eliminate wrong answers

Option B (Playbooks) is wrong because Playbooks are used for automated threat response and remediation workflows, not for generating bandwidth usage reports. Option C (Log browsing) is wrong because while log browsing allows raw log inspection, it does not aggregate or summarize top applications by bandwidth across VDOMs; it requires manual parsing and lacks built-in ranking. Option D (Incident management) is wrong because incident management focuses on tracking and resolving security incidents, not on bandwidth or application usage reporting.
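For the two FortiAnalyzer questions above (separating logs per VDOM, and ranking applications by bandwidth over a time window), here is what the underlying log processing looks like, as an added example that is not FortiAnalyzer's code and not from the original page. It parses FortiGate key=value log lines, keeps those inside a 30-day window, groups them by the vd field, and sums sentbyte plus rcvdbyte per app. The log lines are constructed; VDOM names, addresses and policy IDs are invented, and SAMPLE_NOW is a fixed "now" so the window is reproducible.

```python
"""Separate FortiGate traffic logs by VDOM and rank applications by bandwidth.

Added example, not code from the original page, from Fortinet or from
FortiAnalyzer. The log lines are constructed in FortiGate's key=value syslog
format; the field names used (date, time, type, vd, app, sentbyte, rcvdbyte)
are the real ones, the values are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=token
SAMPLE_NOW = datetime(2024, 5, 31, 12, 0, 0)           # fixed reference time for the window

# Constructed sample: two customer VDOMs, one stale record, one event log with no byte counters.
SAMPLE_LOGS = [
    'date=2024-05-30 time=10:15:01 devname="FGT-01" type="traffic" subtype="forward" vd="CustomerA" srcip=10.1.1.10 dstip=198.51.100.7 dstport=443 proto=6 action="accept" policyid=5 service="HTTPS" app="SSL" sentbyte=1200 rcvdbyte=48000',
    'date=2024-05-29 time=09:02:44 devname="FGT-01" type="traffic" subtype="forward" vd="CustomerA" srcip=10.1.1.11 dstip=198.51.100.8 dstport=443 proto=6 action="accept" policyid=5 service="HTTPS" app="SSL" sentbyte=800 rcvdbyte=2000',
    'date=2024-05-29 time=09:02:45 devname="FGT-01" type="traffic" subtype="forward" vd="CustomerA" srcip=10.1.1.11 dstip=198.51.100.53 dstport=53 proto=17 action="accept" policyid=6 service="DNS" app="DNS" sentbyte=64 rcvdbyte=128',
    'date=2024-05-15 time=14:20:10 devname="FGT-01" type="traffic" subtype="forward" vd="SharedServices" srcip=10.20.0.5 dstip=10.20.0.9 dstport=445 proto=6 action="accept" policyid=12 service="SMB" app="SMB" sentbyte=500000 rcvdbyte=20000',
    'date=2024-05-20 time=16:40:00 devname="FGT-01" type="traffic" subtype="forward" vd="SharedServices" srcip=10.20.0.6 dstip=198.51.100.7 dstport=443 proto=6 action="accept" policyid=13 service="HTTPS" app="SSL" sentbyte=1000 rcvdbyte=3000',
    'date=2024-03-01 time=08:00:00 devname="FGT-01" type="traffic" subtype="forward" vd="CustomerA" srcip=10.1.1.12 dstip=198.51.100.7 dstport=443 proto=6 action="accept" policyid=5 service="HTTPS" app="SSL" sentbyte=9999 rcvdbyte=9999',
    'date=2024-05-31 time=08:30:00 devname="FGT-01" type="event" subtype="system" vd="root" level="information" logdesc="Admin login successful" user="admin" action="login" status="success"',
]


def parse_log(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def log_time(rec: Dict[str, str]) -> datetime:
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def within_window(records: List[Dict[str, str]], days: int, now: datetime) -> List[Dict[str, str]]:
    """Keep records whose timestamp falls inside the last `days` days before `now`."""
    start = now - timedelta(days=days)
    return [r for r in records if start <= log_time(r) <= now]


def split_by_vdom(records: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group records by the vd field, which names the VDOM that generated the log."""
    buckets: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for r in records:
        buckets[r.get("vd", "root")].append(r)
    return dict(buckets)


def top_apps(records: List[Dict[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Rank applications by total bytes (sent + received) over traffic logs only."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.get("type") != "traffic":       # event and UTM logs carry no byte counters
            continue
        totals[r.get("app", "unknown")] += int(r.get("sentbyte", 0)) + int(r.get("rcvdbyte", 0))
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report(lines: List[str], days: int = 30, now: Optional[datetime] = None) -> Dict[str, List[Tuple[str, int]]]:
    """Per-VDOM top applications by bandwidth for the trailing window."""
    now = now or datetime.now()
    recs = within_window([parse_log(l) for l in lines], days, now)
    return {vd: top_apps(rs) for vd, rs in split_by_vdom(recs).items()}


if __name__ == "__main__":
    for vd, apps in report(SAMPLE_LOGS, now=SAMPLE_NOW).items():
        print(vd, apps)
```

The vd field is what makes both questions work: it is present on every record, so the grouping needs no configuration beyond what the FortiGate already sends, and the same split is what FortiAnalyzer relies on when VDOMs are assigned to different ADOMs. The record dated 2024-03-01 is outside the 30-day window and is excluded; the event log in root contributes no bandwidth and produces an empty ranking.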

202
MCQmedium

A security administrator wants to generate a weekly report in FortiAnalyzer that shows the top threats detected by the FortiGate. Which feature should the administrator use to create this report?

A.Incidents
B.Reports
C.Playbooks
D.FortiView
AnswerB

Reports allow custom report generation with scheduling.

Why this answer

The Reports feature in FortiAnalyzer is specifically designed to generate scheduled, customizable reports that aggregate security event data from FortiGate devices. By creating a report template with threat-based charts and tables, the administrator can schedule a weekly output showing top threats, leveraging the ADOM and SQL-based report engine for granular data selection.

Exam trap

The trap here is that candidates confuse FortiView's real-time dashboards with the scheduled reporting capability, assuming that a dashboard can be exported weekly, but FortiView lacks the scheduling engine and template-based output that Reports provide.

How to eliminate wrong answers

Option A is wrong because Incidents in FortiAnalyzer are used for tracking and managing security incidents as they occur, not for generating scheduled summary reports. Option C is wrong because Playbooks are automation workflows for incident response actions, not for report generation. Option D is wrong because FortiView provides real-time dashboards and ad-hoc visualizations, but it lacks the scheduling and templating capabilities needed for a weekly report.

203
Multi-Selecteasy

A company is deploying FortiGate in transparent mode between an existing router and LAN switch. Which TWO statements about transparent mode are true?

Select 2 answers
A.The FortiGate forwards traffic based on MAC addresses
B.Each interface requires an IP address
C.The FortiGate can perform routing
D.Transparent mode supports multiple VDOMs
E.The FortiGate does not perform NAT by default
AnswersA, E

A transparent VDOM is a Layer 2 bridge: it forwards on MAC addresses and cannot translate addresses.

Why this answer

Option A is correct because in transparent mode a VDOM behaves as a Layer 2 bridge, learning MAC addresses per interface like a switch and forwarding frames by destination MAC, while still applying firewall policies and security profiles to the traffic passing through. Option E is correct because a transparent VDOM does not rewrite Layer 3 headers; NAT is not available in that mode, so hosts keep their real IP addresses and the existing router remains the default gateway. Only a management IP on the VDOM is required, for administrative access and system-originated traffic; the data interfaces themselves carry no IP addresses. A caveat on option D: the operation mode (NAT/route or transparent) is set per VDOM, so a multi-VDOM FortiGate can mix modes and transparent VDOMs do coexist with VDOMs. The key treats D as a distractor; keep the per-VDOM fact in mind for real deployments.

Exam trap

The trap here is that candidates carry route-mode habits into transparent mode, expecting an IP address on every interface or expecting the FortiGate to route. A transparent VDOM has a single management IP, bridges frames, and leaves routing to the existing Layer 3 devices.

204
MCQeasy

What is the purpose of a management VDOM in a multi-VDOM FortiGate deployment?

A.To route traffic between different VDOMs
B.To aggregate logs from all other VDOMs
C.To enforce inter-VDOM traffic policies centrally
D.To host the management interfaces and administrative services (GUI, SSH) while other VDOMs carry user traffic
AnswerD

The management VDOM carries the FortiGate's own management traffic and, by convention, hosts the admin interfaces.

Why this answer

The management VDOM is the VDOM through which the FortiGate sends its own management traffic (FortiGuard, log forwarding to FortiAnalyzer or syslog, NTP, SNMP, DNS, authentication servers) and where administrators conventionally place the dedicated management interfaces. Keeping these separate from the user-traffic VDOMs means a routing problem, outage or compromise inside a customer VDOM does not take down management connectivity, and the management network can be filtered independently. Administrative access itself is enabled per interface (allowaccess) and is possible on interfaces in other VDOMs; hosting it in the management VDOM is a design choice, not an enforced restriction.

Exam trap

The trap here is that candidates give the management VDOM a data-plane role, such as routing between VDOMs or enforcing inter-VDOM policy. It does neither; it isolates the unit's own management traffic and administrative access.

How to eliminate wrong answers

Option A is wrong because traffic between VDOMs is carried by VDOM links (inter-VDOM links or NPU vlinks) with routes and policies in each VDOM; the management VDOM does not forward user traffic. Option B is wrong because the management VDOM does not aggregate other VDOMs' logs; logs are generated in each VDOM, and the management VDOM is simply the default egress path to FortiAnalyzer or syslog (a VDOM can override this with its own log settings). Option C is wrong because inter-VDOM traffic is controlled by the firewall policies of the two VDOMs at each end of the VDOM link; there is no central enforcement point in the management VDOM.

205
Multi-Selectmedium

An administrator needs to configure a FortiGate to ensure that antivirus scanning is performed on SMTP traffic. Which two configuration items are required? (Choose two.)

Select 2 answers
A.Firewall policy applying the antivirus profile
B.SSL/SSH inspection profile
C.Application control profile
D.Email filter profile
E.Antivirus profile
AnswersA, E

The policy must reference the profile for it to be active.

Why this answer

Option A is correct because a firewall policy is what applies an antivirus profile to traffic: the policy must match the SMTP flow (typically TCP port 25) and reference the profile, or the traffic is never inspected. Option E is correct because the antivirus profile defines which protocols are scanned (SMTP must be enabled in it), the scanning options and the action taken on infected attachments. Option B is a caveat rather than a requirement: plaintext SMTP needs no SSL/SSH inspection profile, but if the mail flow is SMTPS or uses STARTTLS, deep (full) SSL inspection is required, otherwise the attachments pass the scanner encrypted and unseen.

Exam trap

The trap here is that candidates often think an email filter profile (Option D) is sufficient for antivirus scanning, but the email filter profile handles spam and content filtering, not malware signature detection, which requires a separate antivirus profile.

206
MCQmedium

In a multi-VDOM deployment, an administrator needs to route traffic between VDOM-A and VDOM-B. The administrator creates a VDOM link between the two VDOMs. What additional configuration is required on each VDOM to enable inter-VDOM traffic?

A.Only a firewall policy on VDOM-A allowing traffic to VDOM-B
B.Assign the VDOM link interfaces to the same VDOM
C.Enable 'inter-vdom-routing' under system settings only
D.Configure a static route on each VDOM pointing to the other VDOM's networks via the VDOM link, and create a firewall policy allowing traffic
AnswerD

Routes direct traffic to the VDOM link, and policies permit the traffic. Both are needed.

Why this answer

Option D is correct because inter-VDOM traffic via a VDOM link requires both a static route on each VDOM pointing to the remote VDOM's networks through the VDOM link interface, and a firewall policy on each VDOM that permits the desired traffic. Without the static route, the VDOM does not know how to reach the other VDOM's subnets; without the firewall policy, traffic is blocked by the implicit deny rule. The VDOM link itself provides the Layer 2 or Layer 3 connectivity between the VDOMs, but routing and policy enforcement are mandatory for traffic to flow.

Exam trap

The trap here is that candidates often assume a VDOM link alone provides full connectivity, forgetting that FortiOS requires explicit routing and firewall policies on both sides of the link to actually forward traffic between VDOMs.

How to eliminate wrong answers

Option A is wrong because a policy in VDOM-A only covers the traffic leaving VDOM-A across the link; VDOM-B must also have a policy accepting that traffic as it enters from its end of the link (return packets then follow the established session in each VDOM), and both VDOMs need static routes towards the other side's networks. Option B is wrong because the two ends of a VDOM link must belong to different VDOMs; placing both in one VDOM leaves nothing to interconnect. Option C is wrong because 'inter-vdom-routing' is not a FortiOS setting; inter-VDOM routing is built from VDOM links plus routes and policies, not enabled by a global toggle.

207
MCQeasy

What is the purpose of a global ADOM in FortiManager?

A.To create global firewall policies applicable to all devices
B.To provide a common object repository that can be referenced by other ADOMs
C.To manage all devices in a single ADOM regardless of location
D.To store global logs from all FortiGates
AnswerB

Why this answer

The Global ADOM is FortiManager's shared layer above the ADOMs. It holds global objects (addresses, services, schedules and other policy objects) that can be assigned to ADOMs and then referenced by those ADOMs' policies, so a common object is defined once and stays consistent everywhere. It also holds global policy packages containing header and footer policies, which can be assigned to selected ADOMs and are installed at the top and bottom of those ADOMs' own policies. Objects and header/footer policies are assigned to ADOMs; the Global ADOM does not manage devices, store logs, or push anything directly to a FortiGate.

Exam trap

The trap here is reading option A as 'the Global ADOM can define header and footer policies', which is true, and stopping there. Those global policies are assigned to chosen ADOMs and installed through each ADOM's packages; they are not one policy set applied to all devices. The defining purpose the question is after is the shared repository described in option B.

How to eliminate wrong answers

Option A is wrong as worded because global header and footer policies apply only to the ADOMs they are assigned to, not automatically to every device, and the regular policy work still happens inside each ADOM. Option C is wrong because devices are always assigned to regular ADOMs (per customer, region or function); the Global ADOM is not a device management scope. Option D is wrong because FortiManager's Global ADOM stores configuration objects, not logs; log storage belongs to FortiAnalyzer or the FortiGate's local storage.

208
MCQhard

In a multi-VDOM deployment, inter-VDOM routing is configured using VDOM links. After configuring the VDOM links and adding static routes, traffic between VDOMs is not working. The administrator verifies that the VDOM link interfaces are up and have correct IP addresses. What is the most likely missing configuration?

A.The inter-VDOM routing mode is set to 'nat' instead of 'route'
B.The VDOM links are not assigned to the correct VDOM
C.Firewall policies are missing or not allowing the traffic
D.The VDOMs are in different administrative domains
AnswerC

Each VDOM needs a policy to allow traffic from the VDOM link interface to the destination.

Why this answer

In a FortiGate multi-VDOM deployment, VDOM links create a direct Layer 3 connection between VDOMs, but traffic is still subject to firewall policies. Even with correct IP addresses and static routes, inter-VDOM traffic will be dropped unless explicit firewall policies are configured on both VDOMs to permit the traffic. This is because FortiGate enforces stateful inspection at every VDOM boundary, including VDOM links.

Exam trap

The trap here is that candidates assume VDOM links bypass firewall policies because they are internal virtual connections, but FortiGate treats all inter-VDOM traffic as requiring explicit policy approval, unlike a simple router-on-a-stick design.

How to eliminate wrong answers

Option A is wrong because there is no 'nat' versus 'route' mode on a VDOM link; a link is created under config system vdom-link with a type of ppp or ethernet, and the VDOMs themselves run in NAT mode (the routed mode) or transparent mode. None of these settings removes the need for a policy. Option B is wrong because the administrator has already confirmed that both link interfaces are up with the intended addresses; a link end assigned to the wrong VDOM would have shown up at that step as an interface missing from the VDOM that is supposed to own it. Option D is wrong because 'administrative domain' (ADOM) is a FortiManager and FortiAnalyzer concept for grouping managed devices, not a property of VDOMs on a FortiGate; routing between two VDOMs on one unit does not depend on it.

209
Multi-Selecteasy

A FortiGate administrator is planning to deploy VDOMs to separate customer traffic. The administrator wants to use FortiManager for centralized management. Which TWO prerequisites must be met before the VDOMs can be managed from FortiManager?

Select 2 answers
A.Inter-VDOM routing must be enabled
B.FortiAnalyzer must be registered with FortiManager
C.The FortiGate must be assigned to an ADOM
D.The FortiGate must be added to the FortiManager device list
E.All VDOMs must be in the same ADOM
AnswersC, D

ADOM assignment organizes and isolates management.

Why this answer

Option C is correct because FortiManager uses ADOMs (Administrative Domains) to logically group managed devices, and a FortiGate must be assigned to an ADOM before its VDOMs can be managed. Option D is correct because the FortiGate must be added to the FortiManager device list (via model or managed registration) to establish communication and allow policy/object provisioning to its VDOMs.

Exam trap

The trap here is confusing inter-VDOM routing (a Layer 3 forwarding feature) with the management-plane requirement of ADOM assignment, leading candidates to incorrectly select Option A as a prerequisite for centralized management.

210
MCQeasy

What is the function of FortiAnalyzer in a Fortinet Security Fabric?

A.To collect logs and generate reports and incidents
B.To manage VDOM configurations
C.To act as a VPN concentrator
D.To provide real-time firewall management
AnswerA

FortiAnalyzer is the logging and analytics platform.

Why this answer

FortiAnalyzer is the centralized logging and reporting appliance within the Fortinet Security Fabric. It collects logs from FortiGate and other Fabric components, correlates events, generates compliance reports, and creates incidents for security analysis. This aligns directly with option A, as its primary function is log aggregation and report generation, not real-time management or VPN termination.

Exam trap

The trap here is that candidates often confuse FortiAnalyzer with FortiManager, assuming both handle configuration management, but FortiAnalyzer is strictly for logging and reporting, while FortiManager handles centralized policy and VDOM management.

How to eliminate wrong answers

Option B is wrong because managing VDOM configurations is a function of FortiGate itself (via CLI or FortiManager), not FortiAnalyzer. Option C is wrong because acting as a VPN concentrator is a role of FortiGate or FortiClient, not FortiAnalyzer, which lacks IPsec/SSL VPN termination capabilities. Option D is wrong because providing real-time firewall management is the domain of FortiGate's local management interface or FortiManager, whereas FortiAnalyzer is focused on historical log analysis and reporting, not live policy changes.

211
MCQmedium

A company uses FortiManager to manage multiple FortiGate firewalls. After making changes to a policy package, the administrator runs an install preview and sees a warning: 'Policy ID 10 will be deleted on device XYZ'. What is the most likely reason for this warning?

A.Policy ID 10 was manually added on the device but is not present in the policy package
B.The policy package has been corrupted and needs to be re-imported
C.The device is in a different ADOM and cannot use the same policy ID
D.A revision history conflict exists that prevents the install
AnswerA

The install preview shows actions to align the device with the package.

Why this answer

The warning 'Policy ID 10 will be deleted on device XYZ' indicates that the policy package on FortiManager does not contain Policy ID 10, but the device currently has it. During an install, FortiManager synchronizes the device's policy set with the policy package, so any policy present on the device but absent from the package is flagged for deletion. This is a standard consistency check to prevent unintended policy loss.

Exam trap

The trap here is that candidates assume the warning indicates an error or conflict, when in fact it is a normal behavior of FortiManager's policy synchronization to remove policies that were manually added on the device outside of FortiManager management.

How to eliminate wrong answers

Option B is wrong because a corrupted policy package would typically cause install failures or error messages about parsing or integrity, not a specific warning about a single policy ID being deleted. Option C is wrong because ADOMs are administrative domains that separate management; a device in a different ADOM cannot be targeted by the same policy package at all, so the warning would not appear. Option D is wrong because a revision history conflict would prevent the install from proceeding or generate a conflict error, not a specific deletion warning for a single policy ID.

212
MCQmedium

A FortiGate administrator configures inter-VDOM routing. Traffic from VDOM-A to VDOM-B is blocked. The administrator checks the policy in VDOM-A allowing traffic to the VDOM link interface. What else must be verified?

A.That there is a corresponding policy in VDOM-B allowing traffic from the VDOM link to the destination
B.That the VDOM link uses a different interface type
C.That the VDOM link interface is in the same subnet
D.That inter-VDOM routing is enabled in system settings
AnswerA

A policy is needed in each VDOM the session crosses, not only in the source VDOM.

Why this answer

In inter-VDOM routing, traffic traverses a VDOM link, which consists of two interfaces, one in each VDOM. A policy in VDOM-A permits the session from its source interface to the link interface, but the same packet then enters VDOM-B through the other end of the link and must match a policy there from the link interface to the destination. Without that second policy VDOM-B drops the traffic, even though VDOM-A's policy is correct. Reply packets follow the session entries created in each VDOM and need no extra policy; only connections initiated from VDOM-B toward VDOM-A need their own pair of policies in the opposite direction.

Exam trap

The trap here is that candidates assume a single policy in the source VDOM is sufficient, overlooking that inter-VDOM routing requires explicit policy approval in both VDOMs due to the independent security domains.

How to eliminate wrong answers

Option B is wrong because the link type (ppp, the default, or ethernet) changes how the two ends are addressed, not whether policies apply; either type still requires a policy in each VDOM. Option C is wrong because addressing is not the blocker: an ethernet-type link is normally given a small shared subnet such as a /30, and a ppp-type link is point-to-point, but in both cases the interfaces are already up and reachable, and forwarding is still gated by policy. Option D is wrong because inter-VDOM routing has no separate enable switch; creating a VDOM link and the routes over it is the whole routing configuration, so the remaining gap is policy.
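Added example, not from the original page or from Fortinet documentation: the FortiOS CLI for the inter-VDOM path discussed in questions 208 and 212. The VDOM names, interface names and addresses (VDOM-A with port1 and 10.10.0.0/16, VDOM-B with port2 and 10.20.0.0/16, the link ends ivl0/ivl1 on 10.255.0.0/30) are assumptions for illustration. The point of the block is the pairing: each VDOM gets a route over its own end of the link and a policy covering the sessions it will see, including the policy in VDOM-B from the link toward the destination that question 212 is about.

```text
# Global context: create the link and give one end to each VDOM.
# Type ethernet makes the two ends a normal /30 segment (default ppp is point-to-point).
config global
    config system vdom-link
        edit "ivl"
            set type ethernet
        next
    end
    config system interface
        edit "ivl0"
            set vdom "VDOM-A"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "ivl1"
            set vdom "VDOM-B"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# VDOM-A: route to VDOM-B's networks, and a policy for sessions leaving over the link.
config vdom
    edit VDOM-A
        config router static
            edit 10
                set dst 10.20.0.0 255.255.0.0
                set gateway 10.255.0.2
                set device "ivl0"
            next
        end
        config firewall policy
            edit 10
                set name "A-to-B"
                set srcintf "port1"
                set dstintf "ivl0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
end

# VDOM-B: the route back, and the policy that is missing in question 212.
config vdom
    edit VDOM-B
        config router static
            edit 10
                set dst 10.10.0.0 255.255.0.0
                set gateway 10.255.0.1
                set device "ivl1"
            next
        end
        config firewall policy
            edit 10
                set name "from-A-via-link"
                set srcintf "ivl1"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
end
```

Replies to sessions opened from VDOM-A match the session entries in both VDOMs and need no policy of their own; if hosts in VDOM-B also open connections toward VDOM-A, add the mirror pair (port2 to ivl1 in VDOM-B, ivl0 to port1 in VDOM-A). To find out which VDOM is dropping a packet, run diagnose debug flow inside that VDOM; a packet refused for lack of a policy is reported as denied by the forward policy check.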

213
MCQeasy

A network administrator needs to create a separate firewall policy for the guest network while keeping management traffic in the main VDOM. Which VDOM type should be configured for the guest network?

A.Root VDOM
B.Administrative VDOM
C.Management VDOM
D.Traffic VDOM
AnswerD

Traffic VDOMs are used to create separate firewall policies for different network segments.

Why this answer

Option D is correct because a traffic VDOM is the standard VDOM type for user traffic: it has its own interfaces, routing table and firewall policies, so the guest network gets its own policy set. The root VDOM keeps the management VDOM role, carrying management-plane traffic (administrative HTTPS and SSH, SNMP, FortiGuard updates, logging to FortiAnalyzer), and guest users cannot reach it except over a VDOM link that you explicitly permit.

Exam trap

The trap here is the naming: 'management VDOM' is a role, not a VDOM type. By default the root VDOM holds that role (config system global, set management-vdom), and FortiOS 7.0 and later also offer an admin-type VDOM that carries management traffic only and cannot hold firewall policies. Neither is the right home for guest traffic, which needs a traffic VDOM.

How to eliminate wrong answers

Option A is wrong because the root VDOM is the default management VDOM; putting guest policies there mixes guest traffic with the management plane, which is exactly what the design is trying to avoid. Option B is wrong because an admin VDOM (vdom-type admin, FortiOS 7.0 and later) exists for management access only and does not accept firewall policies, so it cannot carry guest traffic. Option C is wrong because 'management VDOM' names the VDOM the FortiGate uses for its own management traffic (root by default); it is a role assigned to an existing VDOM, not a VDOM type you would create for a guest network.

214
Multi-Selecthard

A FortiGate with multiple VDOMs is experiencing high CPU usage. The administrator suspects that one VDOM is consuming excessive resources. Which THREE methods can be used to limit resource usage per VDOM?

Select 3 answers
A.Apply per-VDOM traffic shaping policies
B.Enable HA resource reservation
C.Configure VDOM resource limits (CPU/memory)
D.Enable VDOM logging
E.Set the VDOM CPU quota
AnswersA, C, E

Traffic shaping limits bandwidth per VDOM.

Why this answer

Option A is correct because traffic shaping policies inside a VDOM cap the bandwidth that VDOM's sessions may use and set their priority: a shaping policy in the VDOM matches traffic and applies a shared or per-IP traffic shaper, so one tenant's flood cannot saturate the unit. Option C is correct because FortiOS lets you cap each VDOM's consumption from the global context under config system vdom-property, within the ceilings set by config system resource-limits; these caps cover sessions, firewall policies, addresses, services, users, VPN tunnels and a log disk quota. vdom-property exposes no CPU percentage, so in practice a VDOM's share of CPU is bounded by limiting its session count and its bandwidth.

Exam trap

The trap here is that candidates often confuse 'resource reservation' (which guarantees resources for HA) with 'resource limits' (which cap usage per VDOM), leading them to select Option B, which is unrelated to per-VDOM CPU control.

215
MCQeasy

In a multi-VDOM deployment, what is the purpose of inter-VDOM routing?

A.To route traffic between the management VDOM and data VDOMs
B.To provide redundancy for VDOMs in an HA setup
C.To allow traffic to pass between different VDOMs via firewall policies
D.To connect VDOMs to external routers
AnswerC

Inter-VDOM routing uses VDOM links and policies.

Why this answer

Inter-VDOM routing allows traffic to be forwarded between different VDOMs on the same FortiGate unit. This is done by creating VDOM links (a pair of virtual interfaces, one in each VDOM; on NP-accelerated models, NPU VDOM links), adding routes across them, and then writing firewall policies in each VDOM to control and secure the traffic flow. Option C correctly identifies that firewall policies are the mechanism used to permit or deny inter-VDOM traffic.

Exam trap

The trap here is that candidates often assume inter-VDOM routing is automatic or purely a routing function, but Fortinet requires explicit firewall policies to permit traffic between VDOMs, making it a security-controlled feature rather than a simple routing path.

How to eliminate wrong answers

Option A is wrong because inter-VDOM routing is not limited to traffic between the management VDOM and data VDOMs; it applies to any pair of VDOMs. Option B is wrong because inter-VDOM routing does not provide redundancy for VDOMs in an HA setup; HA redundancy is handled by the HA configuration itself, not by inter-VDOM routing. Option D is wrong because inter-VDOM routing is an internal FortiGate function, not a method to connect VDOMs to external routers; external connectivity is achieved through physical interfaces or VLANs assigned to VDOMs.

216
MCQmedium

A FortiGate admin runs the following command: 'diagnose sys session filter dport 443' and sees output indicating sessions with state 'proto_state=01' and 'duration=3600, expire=3599'. What does this indicate about the session?

A.The session is established and has been active for 3600 seconds
B.The session has timed out and is being removed
C.The session is in a closing state
D.The session is in a half-open state
AnswerA

proto_state=01 is an established TCP session; duration is its age and expire is the time left on its idle timer.

Why this answer

The command 'diagnose sys session filter dport 443' only sets a filter on destination port 443 (HTTPS); the matching entries are printed by 'diagnose sys session list', and the filter stays in place until 'diagnose sys session filter clear'. In the entry, duration=3600 is how long the session has existed and expire=3599 is what remains of its idle timer, which is reset to the timeout value every time a packet matches, so a session that is 3600 seconds old with 3599 seconds left is one that carried traffic a second ago. proto_state=01 on a TCP session (proto=6) is read from the right-hand digit, where 1 is ESTABLISHED; the left-hand digit carries the client-side state of proxied sessions and is 0 for a flow-based session.

This confirms the session is fully established and actively tracked by the FortiGate session table.

Exam trap

The trap here is that candidates confuse 'duration' with 'timeout' or assume a high duration means the session is about to expire, when in fact 'expire' shows remaining time and 'proto_state=01' confirms an established session.

How to eliminate wrong answers

Option B is wrong because 'expire=3599' shows the idle timer is almost full; a session that has timed out is removed from the table (its expire value counts down to 0 first). Option C is wrong because the closing states decode to other values of the right-hand digit (4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK), not 1. Option D is wrong because a half-open TCP session shows state 2 (SYN_SENT) or 3 (SYN and SYN/ACK seen), and its timer runs on the short tcp-halfopen-timer (10 seconds by default) rather than the established-session timeout, so it could not show duration=3600.
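Added example, not from the page: the command sequence behind question 216, followed by a constructed (not captured) session entry to show where the fields sit. The addresses, the vd index and the policy ID are made up.

```text
# Filters persist for the CLI session, so start clean, then narrow to
# destination port 443 (add 'filter vd <index>' to scope to one VDOM).
diagnose sys session filter clear
diagnose sys session filter dport 443
diagnose sys session list

# Constructed output for one entry (trimmed). proto=6 is TCP. In
# proto_state=01 the right-hand digit is the TCP state (1 = ESTABLISHED,
# 2 = SYN_SENT, 3 = SYN and SYN/ACK, 4 = FIN_WAIT, 5 = TIME_WAIT,
# 6 = CLOSE, 7 = CLOSE_WAIT, 8 = LAST_ACK); the left-hand digit stays 0
# unless the session is handled by a proxy. duration is the session's age;
# expire is what is left of timeout and resets on every matching packet.
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=4120/31/1 reply=9864/28/1 tuples=2
hook=post dir=org act=snat 10.0.1.50:51234->198.51.100.20:443(203.0.113.2:51234)
hook=pre dir=reply act=dnat 198.51.100.20:443->203.0.113.2:51234(10.0.1.50:51234)
misc=0 policy_id=10 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=1
total session 1

# Drop the filter when done, or later listings stay narrowed.
diagnose sys session filter clear
```

The policy_id and vd fields are what tie an entry back to a VDOM and the policy that accepted it, which is what you want when a multi-VDOM unit shows unexpected sessions on a port.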

217
Multi-Selecthard

An administrator configures FortiManager automation stitches to respond to high CPU usage on a FortiGate. The stitch should trigger a script to run diagnostics. Which THREE components are required in an automation stitch?

Select 3 answers
A.Condition (e.g., severity threshold)
B.Trigger (e.g., event type)
C.Result (e.g., email notification)
D.Action (e.g., CLI script)
E.Target (e.g., device or device group)
AnswersB, D, E

Defines when the stitch activates.

Why this answer

Option B is correct because an automation stitch in FortiManager requires a trigger to define the event that initiates the stitch, such as a high CPU usage event. The trigger specifies the event type (e.g., 'CPU Usage High') that the FortiGate reports, which then activates the stitch. Without a trigger, the automation stitch has no starting point to respond to the condition.

Exam trap

The trap here is that candidates often confuse 'Condition' (like a severity threshold) as a separate component, but in FortiManager automation stitches, conditions are embedded within the trigger or action, not a standalone required element.

218
Multi-Selecteasy

Which TWO statements about VDOM limits on FortiGate are correct? (Choose TWO.)

Select 2 answers
A.VDOMs can be created only in NAT mode
B.All FortiGate models support at least 10 VDOMs
C.VDOM support requires a valid FortiGate license
D.The maximum number of VDOMs is fixed per model and cannot be exceeded
E.VDOMs can be added without additional memory
AnswersC, D

VDOM capacity beyond a model's base count is licensed, and the ceiling is fixed per model.

Why this answer

Option C is correct because VDOM capacity is licensed: every model includes a base number of VDOMs, and using more than that requires a VDOM license, so a unit cannot be configured past its entitlement. Option D is correct because the ceiling is fixed per model (the data sheet lists it) and no license raises it. The base count, and whether multi VDOM mode is offered at all, vary by model; where it is not, split-task VDOM mode still gives two VDOMs, root for management and FG-traffic for user traffic.

Exam trap

The trap here is that candidates often assume VDOMs are a free feature available on all models without licensing, or that VDOM count is unlimited, when in fact both a valid license and model-specific hard limits apply.

219
MCQmedium

A network engineer is configuring an HA pair of FortiGate firewalls. They want to ensure that session failover occurs for UDP-based voice traffic with minimal interruption. Which HA configuration setting is most important for achieving this goal?

A.Enable session-pickup
B.Enable session-pickup-delay
C.Set ha-pickup-delay to 0
D.Configure ha-mgmt-interfaces
AnswerA

session-pickup enables the backup unit to take over existing sessions.

Why this answer

session-pickup is the setting that turns session synchronisation on at all: with it enabled, the primary pushes its session table to the secondary over the heartbeat link, so after a failover the new primary keeps forwarding existing flows instead of dropping them as unknown. For UDP traffic such as voice there is a second switch to check, session-pickup-connectionless, which must also be enabled, because by default only TCP sessions are synchronised; UDP and ICMP sessions are included only when that option is on.

Exam trap

The trap here is that candidates confuse 'session-pickup-delay' or 'ha-pickup-delay' with the actual session synchronisation mechanism, assuming any delay-related setting is the key, when the fundamental enabler is session-pickup itself (with session-pickup-connectionless for UDP).

How to eliminate wrong answers

Option B is wrong because session-pickup-delay does not speed anything up: when enabled, only sessions that have already lasted more than 30 seconds are synchronised, a load-reduction option that would leave short-lived flows unprotected. Option C is wrong because ha-pickup-delay is not an option under config system ha; there is nothing to set to 0. Option D is wrong because ha-mgmt-interfaces only reserve an interface for out-of-band management of each cluster member and have no effect on session synchronisation.
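Added example, not from the page: a config system ha fragment with the session synchronisation options relevant to question 219. The group name, the heartbeat ports port5 and port6 and the password are placeholders.

```text
config system ha
    set group-name "branch-cluster"
    set mode a-p
    set password "replace-with-a-strong-secret"
    set hbdev "port5" 50 "port6" 50
    # Sync the session table to the secondary at all (TCP sessions).
    set session-pickup enable
    # Also sync UDP and ICMP sessions; without this, voice (UDP) flows are
    # not carried over on failover even though session-pickup is on.
    set session-pickup-connectionless enable
    # Keep disabled: when enabled, only sessions older than 30 seconds are
    # synced, which is a load-reduction trade-off, not a faster failover.
    set session-pickup-delay disable
    # Do not fail back automatically on priority changes; an extra failover
    # is another interruption for calls in progress.
    set override disable
end
```

After both members have joined, get system ha status shows the cluster state; the secondary's own diagnose sys session list should then carry the primary's UDP entries, which is the quick check that the connectionless option took effect.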

220
MCQeasy

A FortiGate is operating in transparent mode. Which of the following statements is true about this mode?

A.The FortiGate does not modify the MAC addresses of packets
B.The FortiGate can route between different VLANs
C.The FortiGate can perform NAT
D.The FortiGate operates as a Layer 2 device and does not require IP addresses on its interfaces
AnswerD

In transparent mode, interfaces are not assigned IP addresses; the FortiGate bridges traffic at Layer 2.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding frames on their MAC addresses without modifying them. Its interfaces carry no IP addresses; the only address in the VDOM is a management IP (manageip under config system settings), used to administer the unit rather than to forward traffic. This allows the FortiGate to be inserted into an existing network segment without reconfiguring IP subnets.

Exam trap

The trap here is that candidates often confuse transparent mode with NAT/Route mode, assuming that because the FortiGate can apply security policies, it must also perform routing or NAT, but in transparent mode it acts purely as a Layer 2 bridge.

How to eliminate wrong answers

Option A describes a real property of transparent mode (frames are bridged with their source and destination MAC addresses unchanged), so it is not false; it is simply the narrower statement, and the question asks for the one that best characterises the mode, which is D, since it also explains why the interfaces carry no IP addresses. Option B is wrong because transparent mode operates at Layer 2 and cannot route between VLANs; routing requires Layer 3 interfaces, which a transparent VDOM does not have. Option C is wrong because NAT is a Layer 3 function that requires IP routing, and a transparent VDOM neither routes nor performs NAT; it bridges traffic at Layer 2.

221
MCQeasy

A network engineer is deploying a FortiGate in transparent mode at a branch office. The goal is to insert the firewall without changing the existing IP subnet scheme. Which statement about transparent mode is TRUE?

A.The FortiGate must have a unique IP subnet for each interface
B.Transparent mode supports all routing protocols like OSPF and BGP
C.NAT is required for traffic to pass through the FortiGate
D.The FortiGate acts as a Layer 2 bridge and forwards traffic based on MAC addresses
AnswerD

This is the definition of transparent mode. It operates at Layer 2.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses without modifying the IP subnet scheme. This allows the firewall to be inserted into an existing network segment without requiring IP reconfiguration of connected devices.

Exam trap

The trap here is that candidates often confuse transparent mode with routed mode, assuming that IP addressing or routing protocols are required, when in fact transparent mode operates purely at Layer 2.

How to eliminate wrong answers

Option A is wrong because interfaces in a transparent VDOM carry no IP addresses at all; the one address is the VDOM's management IP, which sits in the existing subnet rather than requiring a subnet per interface. Option B is wrong because transparent mode does not run routing protocols like OSPF or BGP; it operates at Layer 2 and forwards on MAC addresses, not an IP routing table. Option C is wrong because NAT is neither required nor available in transparent mode; traffic passes through the bridge unchanged, and NAT belongs to NAT/route mode.

222
MCQmedium

An administrator is configuring a FortiGate in transparent mode for a data center segment. Which of the following is true about transparent mode operation in an enterprise environment?

A.The FortiGate requires an IP address on each interface to route between VLANs
B.Transparent mode operates at Layer 2, so no IP configuration is needed on the FortiGate interfaces
C.Transparent mode is only available on specific hardware models
D.Transparent mode supports NAT and VPN termination
AnswerB

The FortiGate acts as a transparent bridge; interfaces have no IP addresses.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses rather than IP addresses, so its interfaces carry no IP addresses. The one address in the VDOM is a management IP set with manageip under config system settings, used only to administer the unit. Option B correctly identifies that transparent mode functions at Layer 2, so no IP configuration is needed on the physical interfaces for data-plane operation.

Exam trap

The trap here is that candidates assume a firewall always needs IP addresses on its interfaces to function, but in transparent mode the FortiGate acts as a bump-in-the-wire at Layer 2, requiring only a management IP for administrative access, not for traffic forwarding.

How to eliminate wrong answers

Option A is wrong because in transparent mode the FortiGate does not route between VLANs; it bridges at Layer 2, and inter-VLAN routing needs a Layer 3 device upstream or a separate VDOM on the same unit running in NAT/route mode (operation mode is set per VDOM, so the two can coexist). Option C is wrong because transparent mode is a per-VDOM operation mode available across the FortiGate range, not a feature of particular hardware. Option D is wrong because a transparent VDOM performs no NAT (the NAT option is not offered on its policies), and route-based IPsec with tunnel interfaces likewise needs a NAT/route-mode VDOM.

223
Multi-Selecthard

A FortiGate has two VDOMs: VDOM-A and VDOM-B. The administrator wants VDOM-A to have administrative access to VDOM-B for troubleshooting. The administrator configures a management VDOM. Which THREE steps are required to allow administrative access from VDOM-A to VDOM-B? (Choose three.)

Select 3 answers
A.Designate VDOM-A as the management VDOM
B.Enable 'inter-vdom-routing' globally
C.Configure static routes on the management VDOM to reach VDOM-B's management network
D.Create a firewall policy on VDOM-B allowing administrative access from VDOM-A's management IP
E.Disable 'admin-sport' to allow HTTP access
AnswersA, C, D

The management VDOM is the VDOM the FortiGate uses for its own management-plane traffic; reaching another VDOM still needs a route and a policy at the far end.

Why this answer

Designating VDOM-A as the management VDOM (config system global, set management-vdom VDOM-A) makes VDOM-A's routing table the one the FortiGate uses for management-plane traffic it originates, such as DNS, NTP, FortiGuard and logging. It does not by itself give VDOM-A any reach into VDOM-B: that reach is built like any inter-VDOM path, with a VDOM link, a route in VDOM-A toward VDOM-B's management network (Option C) and a policy in VDOM-B that accepts the administrative traffic arriving over the link (Option D). Administrator accounts are scoped independently of all this: an account with global scope can administer every VDOM without any routing between them, while an account restricted to VDOM-A cannot see VDOM-B regardless of routing.

Exam trap

The trap here is that candidates confuse inter-VDOM routing, which is built per link (there is no global 'inter-vdom-routing' switch), with the management VDOM role, and pick Option B. Option E is a distractor of the same kind: admin-sport sets the HTTPS administrative port in config system global and is not something you disable.

224
Multi-Selecthard

A FortiGate administrator wants to generate customized reports in FortiAnalyzer for different departments. The administrator needs to ensure that each department can only see its own logs. Which TWO configurations are necessary?

Select 2 answers
A.Configure meta fields on FortiGate objects
B.Create separate ADOMs for each department
C.Use dataset filters in FortiView reports to restrict data per device group
D.Enable per-device logging on FortiGate
E.Assign each administrator the 'super_admin' profile
AnswersB, C

ADOMs isolate logs and reports per department.

Why this answer

Option B is correct because ADOMs (Administrative Domains) in FortiAnalyzer provide administrative isolation, allowing each department to have its own segregated management domain. This ensures that administrators assigned to a specific ADOM can only view and generate reports from logs belonging to that ADOM, enforcing strict data separation.

Exam trap

The trap here is that candidates often confuse data filtering (e.g., datasets or FortiView filters) with administrative access control, mistakenly believing that filters alone can prevent a user from seeing other departments' logs, whereas filters only hide data from view but do not enforce security boundaries.

225
MCQhard

You deploy a FortiGate in transparent mode for a retail branch. The upstream router's ARP table shows the FortiGate's management IP, but end users cannot reach the internet. The FortiGate's management IP is on the same subnet as the users. What should you verify first?

A.The upstream router is forwarding traffic to the FortiGate's management MAC
B.The firewall policy allows traffic from internal to external
C.The FortiGate's routing table has a default route
D.The FortiGate's management interface is in the same VDOM as user traffic
AnswerB

Transparent mode firewalling still requires policies. If no policy permits the traffic, it will be denied by default.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge and does not require a routing table for user traffic; forwarding decisions are based on firewall policies. Since the management IP is on the same subnet as users, the upstream router can ARP for it, but user traffic must be explicitly allowed by a firewall policy from the internal to external zone. Without such a policy, packets are dropped even if Layer 2 connectivity exists.

Exam trap

The trap here is that candidates assume transparent mode operates like a simple switch or bridge without policy enforcement, overlooking that FortiGate still requires explicit firewall policies to forward traffic even in Layer 2 mode.

How to eliminate wrong answers

Option A is wrong because the upstream router's ARP table already holds the FortiGate's management IP, so Layer 2 reachability to the bridge exists; the failure is in policy enforcement, not address resolution. Option C is wrong because a transparent VDOM does not consult a routing table for user traffic; frames are bridged and then checked against policy (the only route-like setting is the management IP's gateway, which serves the unit's own management traffic). Option D is wrong because in transparent mode the management IP belongs to the VDOM itself, so it is necessarily in the same VDOM as the bridged user interfaces; VDOM placement is not the cause.
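Added example, not from the page: a transparent-mode VDOM set up as questions 220 to 222 and 225 describe, with the management IP and the internal-to-external policy that question 225 says to check first. The names and addresses (VDOM TP-DC, port3 on the user side, port4 toward the router, management IP 192.0.2.10 with gateway 192.0.2.1) are assumptions.

```text
# Global context: create the VDOM and hand it two interfaces.
# No 'set ip' on either port: a transparent VDOM's interfaces carry no address.
config global
    config system vdom
        edit "TP-DC"
        next
    end
    config system interface
        edit "port3"
            set vdom "TP-DC"
            set allowaccess ping https ssh
        next
        edit "port4"
            set vdom "TP-DC"
            set allowaccess ping
        next
    end
end

config vdom
    edit TP-DC
        # Switch this VDOM to transparent mode. The only address is the VDOM's
        # management IP, placed in the existing user subnet, with its gateway.
        config system settings
            set opmode transparent
            set manageip 192.0.2.10 255.255.255.0
            set gateway 192.0.2.1
        end
        # Bridged traffic is still policy-controlled. Without this policy the
        # users behind port3 reach nothing, even though ARP and MAC learning work.
        # There is no 'set nat enable': NAT is not available in this mode.
        config firewall policy
            edit 1
                set name "users-to-internet"
                set srcintf "port3"
                set dstintf "port4"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
end
```

Operation mode is per VDOM, so the root VDOM on the same unit can stay in NAT mode while TP-DC bridges the data-centre segment; the management IP set here is what the upstream router's ARP table shows in question 225, and it says nothing about whether user traffic is permitted.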
