CCNA Advanced VPN and Zero Trust Questions

57 of 207 questions · Page 3/3 · Advanced VPN and Zero Trust

151
Multi-Select · hard

A FortiGate is configured with two VPN tunnels to different remote sites. The administrator notices that traffic is not load-balanced across the tunnels; all traffic uses the first tunnel. The administrator wants to use ECMP (Equal Cost Multi-Path) routing. Which two actions are required? (Choose two.)

Select 2 answers
A. Set the same distance and priority for both static routes
B. Configure both tunnels to use the same IKE version
C. Set the same phase2 lifetime for both tunnels
D. Enable ECMP in the FortiGate's routing settings
Answers: A, D

For ECMP to work, routes must have equal administrative distance and priority.

Why this answer

ECMP requires that routes have the same distance and priority, and the administrator must enable ECMP in the routing settings. Options A and D are correct: set the same distance and priority on both static routes, and enable ECMP.

Note: for static routes, ECMP is used automatically once multiple routes to the same destination have the same distance and priority, so whether Option D must be performed explicitly is debatable. It is still correct to enable ECMP in the routing settings (if not already enabled), and since the question asks for two actions, the answer is A and D.

152
MCQ · hard

An administrator runs 'diagnose vpn ike gateway list' and sees that the IKE SA state is 'UP' but the IPsec SA state is 'DOWN'. The remote peer is a FortiGate. What is the most likely cause of this issue?

A. The pre-shared key is incorrect
B. The tunnel interface is down
C. The Phase2 parameters (encryption, authentication, proxy IDs) do not match between the peers
D. The firewall policy on the remote FortiGate is blocking UDP 500
Answer: C

Phase2 negotiations use separate parameters; if they mismatch, IPsec SA fails while IKE SA remains up.

Why this answer

If IKE is up but IPsec is down, the Phase2 parameters are not matching between peers. Common causes include mismatched encryption algorithms, proxy IDs, or lifetimes.

153
Multi-Select · hard

A FortiGate is experiencing high CPU usage due to IPsec VPN traffic. The admin wants to offload cryptographic operations to the hardware. Which THREE conditions must be met for hardware acceleration to work? (Choose three.)

Select 3 answers
A. The FortiGate must have a compatible NP7 or CP9 processor
B. The IPsec phase 2 proposal must use encryption algorithms supported by the hardware accelerator (e.g., AES-GCM)
C. The VPN interface must be configured with 'set acceleration-mode ipsec'
D. The VPN tunnel must not be configured with features that disable offload, such as IPsec interface mode with kernel-version-dependent features
E. The firewall policy using the VPN interface must not have NAT enabled
Answers: A, B, D

Hardware acceleration requires specific processor models.

Why this answer

Hardware acceleration (CP8/CP9) requires specific conditions: supported encryption algorithms, no advanced features that disable offload, and the traffic must match a VPN policy that uses the hardware acceleration capable interface.

154
MCQ · medium

A company wants to deploy ZTNA to secure access to internal applications for remote employees. They have a FortiGate with a public IP and internal servers. Which deployment mode should they choose to minimize changes to existing firewall rules?

A. SSL VPN with ZTNA
B. IPsec VPN with ZTNA
C. Both proxy-based and IPsec VPN
D. Proxy-based ZTNA
Answer: D

Proxy-based ZTNA uses a single policy and does not require modifying existing rules.

Why this answer

Proxy-based ZTNA (Option D) is correct because it uses a forward proxy architecture that intercepts traffic at Layer 7, allowing the FortiGate to enforce ZTNA access policies without modifying existing firewall rules. The proxy terminates the client connection and initiates a new connection to the internal server, so no inbound port forwarding or firewall rule changes are needed for the internal servers.

Exam trap

The trap here is that candidates often assume any ZTNA deployment requires VPN tunnels (SSL or IPsec) and overlook the proxy-based mode, which is specifically designed to avoid firewall rule changes by operating at Layer 7 without tunnel overhead.

How to eliminate wrong answers

Option A is wrong because SSL VPN with ZTNA still requires traditional VPN tunnel termination and typically needs firewall rules to allow the VPN traffic and forward it to internal servers, which contradicts the goal of minimizing changes to existing firewall rules. Option B is wrong because IPsec VPN with ZTNA also requires tunnel configuration and firewall rules to permit IPsec traffic and route it to internal servers, adding complexity rather than minimizing rule changes. Option C is wrong because combining both proxy-based and IPsec VPN introduces unnecessary complexity and still requires firewall rule modifications for the IPsec VPN component, failing to achieve the minimal-change objective.

155
MCQ · medium

An administrator is deploying ZTNA for a legacy application that uses a fixed IP address and port. Which ZTNA component is responsible for securely proxying traffic from the user to the application without exposing the application's actual network location?

A. ZTNA access proxy
B. ZTNA inline CASB
C. IPsec VPN gateway
D. FortiClient EMS
Answer: A

The ZTNA access proxy sits between the user and the application, terminating the user's connection and establishing a secure connection to the application server.

Why this answer

The ZTNA proxy component acts as an intermediary, hiding the application server's IP address and providing secure access based on identity and posture.

156
MCQ · medium

A FortiGate administrator is configuring a multi-peer IPsec VPN where two remote sites connect to a central hub. The administrator wants to ensure that if one remote site loses connectivity, the other site can still reach the hub. Which configuration is essential?

A. Use the same preshared key for both remote sites
B. Configure separate phase1 interfaces for each remote site
C. Enable auto-negotiation on all phase1 interfaces
D. Configure a single phase1 interface with multiple remote IPs
Answer: B

Each remote site requires its own phase1 configuration so that they operate independently. If one fails, the other remains up.

Why this answer

Multi-peer VPN requires each remote site to have its own phase1 and phase2 configuration. The hub must have separate phase1 interfaces or separate phase1 configs for each peer. Option B is correct: configure a separate phase1 for each remote site.

157
MCQ · hard

An administrator runs the following CLI command on a FortiGate and sees the output below:

diagnose vpn ike gateway list

vd: root/0
name: REMOTE_GW
vrf: 0
version: 2
state: UP
IKE SA: created 1s ago 1.2.3.4:500->5.6.7.8:500

What is the most likely explanation for the IKE SA being created only 1 second ago?

A. The remote peer changed its IP address
B. DPD detected a dead peer and renegotiated
C. The phase 2 SA expired and triggered phase 1 rekey
D. The VPN tunnel was just configured or a configuration change was applied
Answer: D

Recent creation time indicates the SA was just negotiated, typical after applying config changes or restarting IKE.

Why this answer

The IKE SA was recently created, suggesting a previous SA was deleted and a new one established. This often happens after configuration changes or a restart of IKE negotiation.

158
MCQ · hard

An administrator is configuring FortiClient EMS to enforce compliance for remote users. The requirement is that all remote devices must have disk encryption enabled. The administrator has created a compliance rule in EMS that checks for 'Full Disk Encryption' and set the action to 'Block'. However, users with unencrypted drives are still able to connect to the VPN. What is the most likely missing configuration?

A. The FortiClient telemetry is not sending compliance status
B. The compliance rule is not enabled on the FortiGate via ZTNA tag
C. The VPN policy on the FortiGate does not require compliance check
D. The compliance rule is not assigned to a FortiClient configuration profile
Answer: D

In EMS, compliance rules must be part of a configuration profile that is assigned to endpoints. Without assignment, the rule is not enforced.

Why this answer

For compliance enforcement, the compliance rule must be applied to a configuration profile that is assigned to the users. Option D is correct because without assigning the compliance rule via a profile, the rule is not enforced on endpoints.

159
MCQ · medium

A network administrator has configured an IPsec VPN between two FortiGates using IKEv2 with pre-shared keys. The tunnel establishes successfully, but after a few minutes, traffic stops passing through. The administrator runs 'diagnose vpn ike log' and sees 'DPD timeout' messages. What is the most likely cause of this issue?

A. The remote FortiGate is behind a NAT device without proper NAT-T configuration
B. The IPsec phase2 proposal is mismatched, causing rekey failures
C. The IKE SA lifetime is set too long, causing the tunnel to expire
D. The local FortiGate's DPD interval is set too low, causing false positives
Answer: A

NAT-T is required when one peer is behind NAT. Without it, DPD packets may be dropped, causing the tunnel to be considered dead.

Why this answer

DPD timeout indicates that the remote peer is not responding to Dead Peer Detection probes. The most common cause is a misconfigured firewall on the path dropping UDP 500 or 4500 packets, or NAT keepalive issues if NAT is involved. Option A is correct because DPD relies on bidirectional IKE traffic; if the remote FortiGate is behind a NAT device without proper NAT-T configuration, the DPD packets may be dropped.

160
MCQ · hard

An administrator configures Multi-Peer VPN (MPVPN) on a FortiGate aggregator. The aggregator has two phase1 configurations for the same remote subnet but different peers. The aggregator's routing table shows both peers as next hops. The administrator notices that traffic between the aggregator and the remote subnet is load-balanced across both peers. What is the cause?

A. The MPVPN feature automatically load-balances traffic across all active peers.
B. The phase1 configurations have the same proposal settings, causing implicit load balancing.
C. The aggregator has two static routes with equal cost to the remote subnet.
D. The remote peers are both advertising the same subnet via BGP with equal metrics.
Answer: C

Why this answer

MPVPN itself does not load balance; it provides redundancy. Load balancing occurs if multiple routes to the same destination exist with equal administrative distance and cost. Static routes with equal distance cause ECMP behavior.

BGP with equal metrics can also cause it, but the question states static routes are in the routing table.

161
MCQ · medium

A FortiGate administrator wants to integrate FortiClient EMS to enforce compliance before granting VPN access. The FortiGate is the SSL VPN gateway. Which configuration is required on the FortiGate to use FortiClient's posture check?

A. Add the FortiClient EMS server as a telemetry source and create a ZTNA tag based on posture data.
B. Configure the FortiGate as a SAML IdP for FortiClient EMS.
C. Configure FortiClient EMS as a user group server and assign it to the SSL VPN portal.
D. Enable 'compliance check' under SSL VPN settings and specify the EMS IP address.
Answer: A

Why this answer

FortiClient EMS sends posture data to FortiGate via telemetry. The admin must define ZTNA tags for conditions (e.g., antivirus running) and use those tags in firewall policies or SSL VPN permissions. There is no direct 'compliance check' setting in SSL VPN; it's done via ZTNA.

162
MCQ · medium

An administrator is configuring a FortiGate as a SAML Identity Provider (IdP) for a third-party service provider. Which of the following is REQUIRED for the FortiGate IdP configuration?

A. The SP's metadata must be imported as a firewall address
B. User accounts must be synchronized with an LDAP server
C. A certificate for signing SAML assertions
D. A pre-shared key between FortiGate and the SP
Answer: C

The IdP must have a certificate to sign SAML responses. This certificate is trusted by the SP.

Why this answer

As a SAML IdP, FortiGate requires a digital certificate to sign SAML assertions. The service provider's public certificate is needed to encrypt assertions if required, but the IdP's own certificate is mandatory. Option C is correct.

163
MCQ · medium

A FortiGate administrator is configuring OSPF over an IPsec VPN between a hub and a spoke. The OSPF adjacency forms correctly, but routes from the spoke are not being advertised to the hub. The administrator checks the OSPF database on the hub and sees no Type-1 LSAs from the spoke. What is the most likely issue?

A. The OSPF hello interval is set too high
B. The OSPF network type is set to broadcast on both ends
C. The OSPF interface is configured as passive
D. The MTU mismatch between the two VPN interfaces
Answer: C

A passive interface prevents OSPF from sending hellos and LSAs, so no routes are advertised. Strictly, a passive interface on either side would also prevent the adjacency from forming, so if the adjacency really formed, passive may not be the cause, and route filtering is another possibility. Among the listed options, however, passive is the most plausible.

Why this answer

For OSPF to advertise routes, the interfaces must be in the correct area and not passive. Option C is correct because if the interface is set as passive, OSPF will not send or receive updates on that interface, preventing route advertisement.

164
Multi-Select · hard

An administrator configures ZTNA with FortiClient EMS. The goal is to restrict access to an internal application based on device posture. The administrator configures a ZTNA tag for 'Compliant' that checks antivirus and OS patch status. Which TWO additional steps are required on the FortiGate to enforce access based on this tag?

Select 2 answers
A. Enable SSL deep inspection on the firewall policy
B. Create a ZTNA policy that includes the 'Compliant' tag as a required condition
C. Create a ZTNA access proxy for the internal application
D. Import the FortiClient EMS certificate to FortiGate
E. Configure a firewall policy with source set to the EMS connector
Answers: B, C

The ZTNA policy defines which tags are required for access.

Why this answer

To use ZTNA tags, the administrator must configure a ZTNA access proxy to publish the application and a ZTNA policy that references the tag to grant access.

165
MCQ · medium

A FortiGate VPN administrator is configuring IKEv2 with certificate-based authentication using a PKI. The administrator has imported the CA certificate and the local certificate onto the FortiGate. When initiating the VPN, the tunnel fails to establish. The CLI log shows 'IKEv2 authentication failed' and 'certificate validation failure'. What is the most likely missing configuration?

A. The IKEv2 proposal includes an incompatible encryption algorithm
B. The local certificate is not associated with the phase1 interface
C. The remote peer's certificate is not signed by the imported CA
D. The CA certificate is not configured for peer certificate validation
Answer: D

The phase1 must include a reference to the CA certificate (via 'set ca-cert' or 'set certificate-peer') to validate the peer's certificate. Without this, the FortiGate does not know which CA to trust.

Why this answer

For certificate-based authentication, the FortiGate must be configured to verify the peer's certificate against the trusted CA. Option D is correct because the peer's certificate must be validated, and if the CA certificate is not properly referenced in the phase1 configuration (e.g., 'set certificate-peers' or 'set enforcesecrets'), validation fails.

166
MCQ · easy

An administrator wants to use SAML SSO with FortiGate as the Service Provider (SP) to allow users to authenticate via an external IdP. What must be configured first on the FortiGate to establish the SAML trust?

A. A firewall policy to allow SAML traffic
B. A RADIUS server for user authentication
C. An LDAP server for group membership lookup
D. A certificate for SAML signing and encryption
Answer: D

The FortiGate must have a certificate to sign SAML messages; this certificate's public key is shared with the IdP to verify signatures.

Why this answer

SAML SSO requires the FortiGate to have a certificate that the IdP trusts for signing assertions. Option D is correct because the FortiGate needs to import a CA-signed certificate (or use a self-signed) to sign SAML requests and also to establish the trust relationship with the IdP.

167
MCQ · medium

A FortiGate administrator configures a ZTNA rule to allow access to an internal application. The rule uses a ZTNA tag to identify the application server. However, users cannot connect to the application. What is the most likely cause if the ZTNA proxy and firewall policies are correctly configured?

A. The ZTNA tag is not assigned to the application server in FortiClient EMS
B. The ZTNA proxy is configured with the wrong port
C. The user's device posture check fails
D. The application server does not have FortiClient installed
Answer: A

Tags are assigned to endpoints via EMS; without proper assignment, FortiGate cannot identify the server as a ZTNA resource.

Why this answer

ZTNA tags must be registered with FortiGate via FortiClient EMS. If the tags are not assigned to the server, the FortiGate cannot match the server to the ZTNA rule, and access will be denied.

168
Multi-Select · hard

A FortiGate administrator is configuring OSPF over an IPsec VPN overlay in a hub-and-spoke topology. The spokes have dynamic IPs and use ADVPN. Which THREE conditions are necessary for OSPF to work correctly over the VPN tunnels?

Select 3 answers
A. The OSPF router ID must be unique across all spokes
B. The OSPF hello interval must be less than the DPD retry interval
C. The hub must have all spoke routes in its routing table before OSPF starts
D. The tunnel interfaces must have an IP address configured
E. The OSPF network type on the tunnel interfaces must be set to point-to-point
Answers: A, D, E

OSPF router IDs must be unique to prevent routing issues.

Why this answer

OSPF requires stable network types and correct interface configuration. For ADVPN, OSPF should use point-to-point network type to avoid DR elections and ensure proper neighbor relationships.

169
MCQ · medium

A FortiGate administrator sees the following syslog message repeatedly: 'IPsec phase 2 failed to establish SA with peer due to proposal mismatch.' The administrator has already verified that the phase 2 parameters (encryption, authentication, PFS, and lifetime) match on both sides. What else should the administrator check?

A. The local and remote subnets defined in the phase 2 selector
B. The phase 1 proposal settings
C. The DPD configuration
D. The pre-shared key
Answer: A

Mismatched traffic selectors will cause phase 2 negotiation to fail.

Why this answer

Phase 2 negotiation can also fail due to mismatched traffic selectors (local and remote subnets).

170
MCQ · hard

A FortiGate is configured as a SAML SP for user authentication. When a user attempts to access a protected resource, the FortiGate redirects the user to the IdP login page, but after successful authentication, the user is not redirected back to the original resource. What is the MOST likely cause?

A. The user's browser has cookies disabled
B. The IdP certificate is not trusted by the FortiGate
C. The SAML assertion consumer service URL on the IdP does not include a trailing slash
D. The FortiGate is configured as a SAML IdP instead of SP
Answer: C

FortiGate expects the ACS URL to match exactly; a missing trailing slash can cause the IdP to send the response to an unexpected endpoint.

Why this answer

The SAML assertion consumer service URL must match exactly, including the trailing slash, for the IdP to send the response correctly. A mismatch prevents proper redirect.

171
MCQ · easy

In a Zero Trust Network Access architecture, which component acts as the policy enforcement point for access decisions?

A. FortiClient agent
B. FortiAnalyzer
C. FortiGate ZTNA gateway
D. FortiClient EMS
Answer: C

The FortiGate enforces access based on tags and policies.

Why this answer

In a Zero Trust Network Access (ZTNA) architecture, the FortiGate ZTNA gateway acts as the policy enforcement point (PEP). It terminates encrypted ZTNA tunnels from FortiClient agents, inspects traffic against configured access policies, and enforces decisions based on identity, device posture, and context. This is distinct from the control plane (FortiClient EMS) or logging (FortiAnalyzer).

Exam trap

The trap here is that candidates confuse the ZTNA gateway (PEP) with the EMS (controller) or FortiClient (client), but only the gateway sits inline and enforces access decisions based on the ZTNA access proxy protocol.

How to eliminate wrong answers

Option A is wrong because FortiClient is the ZTNA client that initiates connections and reports device posture, not the enforcement point. Option B is wrong because FortiAnalyzer is a logging and analytics platform that collects logs and generates reports, not a real-time policy enforcement component. Option D is wrong because FortiClient EMS is the management server that distributes ZTNA configurations and verifies device compliance, but it does not enforce access decisions inline.

172
MCQ · easy

A company wants to ensure that only company-managed laptops with up-to-date antivirus can access the internal file server remotely. Which Fortinet solution integrates with FortiGate to enforce device compliance before granting ZTNA access?

A. FortiClient EMS
B. FortiAnalyzer
C. FortiSandbox
D. FortiWeb
Answer: A

FortiClient EMS manages endpoint security and compliance, and provides posture data to FortiGate for ZTNA access control.

Why this answer

FortiClient EMS (Endpoint Management Server) manages FortiClient endpoints and can enforce compliance policies. It integrates with FortiGate to provide device posture information via ZTNA tags, enabling access control based on compliance.

173
Multi-Select · hard

An administrator is deploying a hub-and-spoke ADVPN with three spoke sites. The spokes have dynamic IP addresses. The hub has a static IP. The administrator wants the spokes to establish direct shortcut tunnels when they communicate with each other. Which THREE conditions must be met for shortcut tunnels to be established? (Choose three.)

Select 3 answers
A. The spoke tunnel interfaces must be in the same IP subnet
B. The spokes must have static public IP addresses
C. The hub must be configured with 'set shortcuthub enable' to act as a shortcut hub
D. Auto-discovery must be enabled in the phase1 settings on all spokes
E. The hub must have routes to all spoke local subnets
Answers: A, D, E

Shortcut tunnels require the spoke tunnel interfaces to be in the same subnet (e.g., 10.0.0.0/24) to allow direct communication.

Why this answer

For ADVPN shortcuts, auto-discovery must be enabled on phase1 (D), the hub must have routes to the spoke subnets (E), and each spoke must have a tunnel interface with an IP in the same subnet as the other spokes (A). The shortcuthub setting is not required if the hub is the central point.

174
Multi-Select · medium

An administrator wants to implement ZTNA with FortiClient EMS to control access to an internal web application. Which TWO components are essential for the ZTNA proxy to function correctly?

Select 2 answers
A. A static route on FortiGate pointing to the application server's network
B. SSL certificate installed on the application server
C. A public DNS record for the ZTNA gateway's FQDN
D. A firewall policy allowing traffic from the ZTNA gateway to the application server
E. An application mapping object that specifies the internal server IP and port
Answers: D, E

The gateway forwards traffic to the server; policy must permit it.

Why this answer

A ZTNA proxy requires a configured application mapping (defining the internal server) and a firewall policy that permits traffic from the ZTNA gateway to the internal server.

175
MCQ · medium

A FortiGate administrator runs the following diagnostic command: 'diagnose vpn ike gateway list'. The output shows a gateway with state 'down'. The administrator verifies that the peer is reachable and the pre-shared key is correct. What is a possible reason for the gateway state being 'down'?

A. The remote gateway IP address has changed.
B. DPD is disabled on both ends.
C. IKE idle timeout has expired.
D. The phase2 proposal is mismatched.

Why this answer

A phase2 mismatch can cause the IKE gateway to go down if the SA negotiation fails. The gateway state reflects phase1, but a failed phase2 can cause the entire IKE SA to be deleted. Option B would show 'up' but idle; option C would cause unreachability, but the question states peer is reachable.

176
MCQ · hard

Refer to the exhibit. An administrator runs the 'diagnose vpn ike stats' command on a FortiGate. What does the output indicate?

A. The tunnel is vulnerable to a man-in-the-middle attack because the IPsec SAs are using the same encryption algorithm.
B. The tunnel configuration is incorrect because there are two IPsec SAs under one IKE SA.
C. The tunnel is using two IKE SAs for redundancy.
D. The tunnel has one IKE SA and two IPsec SAs, which is normal for a single VPN tunnel.
Answer: D

A single tunnel uses two IPsec SAs (one for each direction) under one IKE SA.

Why this answer

The 'diagnose vpn ike stats' output shows one IKE SA (phase 1) and two IPsec SAs (phase 2). This is normal for a single VPN tunnel when using IPsec with both inbound and outbound SAs, or when the tunnel is configured with separate SAs for different traffic selectors. The presence of two IPsec SAs under one IKE SA does not indicate an error or vulnerability; it is the expected behavior for a standard IPsec VPN tunnel.

Exam trap

The trap here is that candidates may misinterpret the presence of two IPsec SAs as a redundancy or error, when in fact it is the normal and expected result of IPsec's directional SA model.

How to eliminate wrong answers

Option A is wrong because using the same encryption algorithm for both IPsec SAs does not inherently make the tunnel vulnerable to a man-in-the-middle attack; the vulnerability would depend on the algorithm's strength and key management, not the mere duplication. Option B is wrong because having two IPsec SAs under one IKE SA is not a configuration error; it is standard for IPsec to create separate SAs for each direction (inbound and outbound) or for different traffic selectors. Option C is wrong because the output shows only one IKE SA, not two; redundancy would require multiple IKE SAs, which is not indicated here.

177
Multi-Select · medium

An administrator is troubleshooting an IPsec VPN tunnel that uses PKI certificates for authentication. The tunnel fails to establish. The administrator checks the certificates and finds that the local certificate is valid and the CA certificate is trusted. Which two additional checks should the administrator perform? (Choose TWO)

Select 2 answers
A. Verify that the certificate is installed in the local certificate store on the FortiGate
B. Ensure that the certificate is using RSA 2048-bit keys
C. Confirm that the certificate's private key is exportable
D. Verify that the certificate's CN matches the peer's IP address
E. Check the certificate revocation list (CRL) to ensure the certificate is not revoked
Answers: D, E

The CN (or SAN) must match the peer identifier used in IKE.

Why this answer

Common certificate issues include the certificate's Common Name (CN) not matching the peer's IP address, or the certificate having expired. The certificate must also carry the 'IPsec tunnel' extended key usage (EKU), and the subject alternative name (SAN) must include the peer's IP.

178
MCQ · medium

A network administrator is configuring an ADVPN hub-and-spoke topology. The hub is FortiGate-A and the spokes are FortiGate-B and FortiGate-C. The administrator wants spoke-to-spoke traffic to dynamically establish direct tunnels when needed. Which two settings must be enabled on the hub's phase 1 interface to support this?

A. set mode aggressive
B. set auto-discovery-shortcut-mode both
C. set auto-discovery-sender enable
D. set add-route enable
Answers: C, D

The hub must be an auto-discovery sender to advertise routes to spokes.

Why this answer

Option C (set auto-discovery-sender enable) is required on the hub, with set auto-discovery-receiver enable on each spoke. Since the question asks for the hub's settings, the hub must be configured as the auto-discovery sender (Option C) and must also have add-route enabled (Option D) so that shortcut tunnels can be established.

179
MCQ · hard

A FortiGate is configured with multiple IPsec VPNs to remote branches. One of the branch VPN tunnels goes down frequently. The administrator runs 'diagnose vpn ike log' and sees repeated INITIAL_CONTACT notifications from the remote peer. What does this indicate?

A. The remote peer is rekeying the VPN tunnel
B. The local FortiGate has a mismatched pre-shared key
C. A dead peer detection timeout occurred
D. The remote peer has rebooted or restarted its VPN service
Answer: D

INITIAL_CONTACT is sent after a peer loses its state, typically due to reboot or IKE process restart. The local peer should delete old SAs and accept new ones.

Why this answer

INITIAL_CONTACT is a notify message sent by an IKE peer to indicate that it has rebooted or lost its state. When the remote peer sends this, it means the peer has restarted, causing the tunnel to re-establish. This is normal behavior after a reboot but if frequent, indicates instability at the remote end.

180
MCQ · easy

What is the primary purpose of Dead Peer Detection (DPD) in an IPsec VPN configuration?

A. To establish a backup tunnel in case the primary tunnel fails.
B. To detect if a VPN peer is alive by sending periodic probes and bringing down the tunnel if no response is received.
C. To automatically renegotiate IKE phase1 keys before they expire.
D. To verify the integrity of encrypted packets using HMAC authentication.
Answer: B

Why this answer

DPD sends keepalive messages to detect peer reachability. If the peer does not respond, the tunnel is marked down, allowing failover. Key renegotiation is handled by IKE lifetime settings, not DPD.

181
MCQ · medium

An administrator configures a ZTNA rule with an inline CASB profile to protect access to a SaaS application. The rule uses a ZTNA tag that requires 'OS Type = Windows' and 'Antivirus = running'. A user with a Windows 10 device and Symantec antivirus running is denied access. What is the MOST likely cause?

A. The user's device is not connected to the corporate network.
B. The inline CASB profile is blocking all traffic from the ZTNA rule.
C. The ZTNA tag requires the FortiClient EMS to be installed on the device.
D. The Symantec antivirus is not listed in the FortiGate's supported antivirus list.
Answer: D

Why this answer

FortiGate checks device posture against known antivirus vendors. If Symantec is not in the supported list, the tag condition fails. FortiClient EMS is not required for ZTNA tags if using other telemetry, but the AV check requires a recognized AV.

182
Multi-Select · medium

A network administrator is configuring a hub-and-spoke ADVPN with BGP over the VPN tunnels. Which TWO conditions are necessary for the spokes to establish direct shortcut tunnels between each other?

Select 2 answers
A. The spokes must have identical phase2 proposals
B. BGP must be configured on all FortiGates (hub and spokes) to exchange routing information
C. The spokes must use the same IKE version
D. The hub must be configured with 'set next-hop-self disable' for the spoke BGP neighbors
E. The hub must have static routes for each spoke's LAN subnet
Answers: B, D

BGP is used to propagate routes. Each spoke learns the other spoke's subnets via BGP from the hub.

Why this answer

Shortcut tunnels require that the hub propagates routes without setting itself as the next hop (next-hop-self disabled), and that the spokes share routing information so that each knows the other spoke's subnet via BGP. Options B and D are correct: BGP must be configured on the hub and all spokes to exchange routes, and the hub must not set next-hop-self, so that the next hop remains the remote spoke's tunnel IP.

183
Multi-Select · medium

A FortiGate administrator is troubleshooting an IKEv2 VPN tunnel that fails to establish. The remote peer logs show a 'no acceptable proposal' error. Which TWO possible causes should the administrator check?

Select 2 answers
A. The remote peer's IP address is unreachable
B. The phase1 encryption algorithm or integrity algorithm is mismatched
C. The local FortiGate has the wrong IKE version configured
D. The remote peer's pre-shared key is incorrect
E. The Diffie-Hellman group configured is not supported by both peers
Answers: B, E

If the local and remote proposals do not have a common algorithm, negotiation fails with 'no acceptable proposal'.

Why this answer

The 'no acceptable proposal' error occurs when the two peers cannot agree on a set of parameters. Common causes are mismatched encryption/integrity algorithms (phase1 proposal) or mismatched Diffie-Hellman groups.

184
Multi-Select · medium

A FortiGate administrator needs to block an application (e.g., Facebook) while allowing HTTPS traffic for ZTNA users. Which TWO configurations are required to achieve this?

A. Web filter profile with Facebook categorized as blocked.
B. Enable 'inline CASB' on the ZTNA rule.
C. SSL deep inspection profile to decrypt HTTPS traffic.
D. Application control profile with Facebook blocked applied to the firewall policy.
E. Add a ZTNA tag for Facebook blocking.

Why this answer

Application control can identify and block Facebook regardless of port. SSL deep inspection is required to see inside HTTPS traffic, where Facebook may be running. Web filter (A) blocks based on URL, but Facebook uses many domains.

Inline CASB is for SaaS applications, not the same. Tags are not used for application blocking.

185
MCQ · hard

A FortiGate administrator configures a hub-and-spoke ADVPN network. Spokes are behind NAT. After deployment, spokes can communicate with each other only through the hub. What must be configured to allow spokes to establish direct shortcut tunnels?

A. Enable auto-negotiate on the IPsec phase1 interface
B. Configure NAT traversal on the hub's phase1
C. Set 'add-route' to 'enable' on the hub's ADVPN configuration
D. Add a firewall policy allowing IKE from spoke to spoke
Answer: C

Why this answer

For shortcut tunnels to be established, the hub must have 'add-route' enabled so that it advertises routes to other spokes. Without this, spokes will not know how to reach each other directly and will continue to route through the hub.

186
Multi-Select · medium

An administrator is deploying ADVPN with a hub-and-spoke topology. The hub FortiGate is configured with 'set auto-discovery enable' and 'set add-route enable'. Spokes have 'set auto-discovery-sender enable'. However, shortcut tunnels are not being established. Which two additional conditions must be met for shortcut tunnels to form? (Choose two.)

Select 2 answers
A. The spokes must have a static route to each other's networks
B. The spokes must have 'set dpd enable' on the phase 1
C. The phase 2 configuration on the hub must have 'set auto-discovery enable'
D. Traffic must be flowing between spokes through the hub
E. The hub must be configured as a route reflector for BGP
Answers: C, D

The hub's phase 2 must allow auto-discovery to negotiate shortcuts.

Why this answer

Shortcut tunnels require traffic flowing between the spokes through the hub (D), and the hub's phase 2 must have auto-discovery enabled (C).

187
MCQ · easy

An administrator wants to use FortiGate as a SAML identity provider (IdP) for a third-party service. Which configuration is required on FortiGate?

A. Enable SAML authentication in the firewall policy
B. Configure FortiAuthenticator as an external IdP
C. Configure a SAML identity provider user and export FortiGate's metadata
D. Configure a SAML service provider user and import the SP metadata
Answer: C

FortiGate as IdP requires creating an IdP user and sharing its metadata with the SP.

Why this answer

FortiGate can act as an IdP by creating a SAML IdP user and configuring the service provider metadata.

188
Multi-Select · hard

Which TWO configurations are required to enable SSL VPN authentication using a RADIUS server on a FortiGate?

Select 2 answers
A. Create a user group that includes the RADIUS server as an authentication method
B. Configure an LDAP server to synchronize user accounts
C. Configure an SSL VPN portal with 'Require Authentication' enabled
D. Define the RADIUS server under User & Authentication > RADIUS Servers
E. Set a local password policy for SSL VPN users
Answers: A, D

A user group ties the RADIUS server to SSL VPN authentication.

Why this answer

Option A is correct because a user group must be created to reference the RADIUS server as an authentication method. This group is then applied to the SSL VPN portal or firewall policy, allowing FortiGate to forward authentication requests to the RADIUS server. Without the user group, the RADIUS server cannot be associated with SSL VPN authentication.

Exam trap

The trap here is that candidates often think configuring the RADIUS server alone is sufficient, but FortiGate requires the user group to link the RADIUS server to the SSL VPN authentication process.

189
MCQ · easy

A FortiGate is configured as a ZTNA proxy for a web application. Users report that after authenticating, they receive a '502 Bad Gateway' error. What is the most likely cause?

A. The backend server is unreachable from the FortiGate.
B. The ZTNA proxy is not configured with a valid SSL certificate.
C. The user's device posture is not compliant.
D. The ZTNA rule is not using the correct source interface.

Why this answer

A 502 Bad Gateway error indicates the proxy cannot reach the backend server. The ZTNA proxy itself is working (hence the error page is served), but the connection to the real server fails.

190
MCQ · medium

An administrator configures a hub-and-spoke ADVPN with IBGP over the VPN overlays. The spokes receive the default route from the hub, but they cannot reach each other directly. The administrator wants spoke-to-spoke traffic to use shortcut tunnels. Which additional configuration is required on the hub?

A. Enable 'auto-discovery-sender' and 'auto-discovery-receiver' on the phase1 interfaces.
B. Configure 'set neighbor <spoke-ip> next-hop-self' under BGP.
C. Create a firewall policy that permits traffic between spokes.
D. Add 'set advpn-multicast enable' to the phase1 configuration.

Why this answer

ADVPN requires the hub to have 'auto-discovery-sender' and 'auto-discovery-receiver' enabled on the phase1 to exchange route information and trigger shortcut tunnel establishment between spokes.

191
MCQ · medium

A network administrator configures a hub-and-spoke ADVPN with FortiGates. Phase 1 and phase 2 settings are correct, and spoke gateways can communicate with the hub. However, shortcut tunnels between spokes are not being established. What is the most likely cause?

A. DPD is disabled on the phase 1 interface
B. The hub FortiGate has 'set auto-discovery-sender enable' configured
C. Dynamic routing (BGP/OSPF) is not configured over the VPN overlay
D. The spoke FortiGates do not have IKEv2 enabled
Answer: C

ADVPN shortcut establishment relies on dynamic routing to exchange spoke routes via the hub. Without it, spokes don't know about each other.

Why this answer

ADVPN requires policy-based routing or a routing protocol to propagate routes and trigger shortcut setup. Without a routing protocol such as BGP or OSPF, spokes will not learn routes to other spokes, and shortcut negotiation fails.

192
MCQ · medium

An administrator receives an error when trying to create a ZTNA proxy rule: 'The ZTNA proxy rule requires a valid application mapping.' What does this indicate?

A. The FortiClient EMS is not reachable
B. The application mapping object is not defined
C. The SSL certificate is missing
D. The firewall policy is not in place
Answer: B

Each proxy rule must reference an application mapping.

Why this answer

A ZTNA proxy rule maps an external FQDN/port to an internal application. The error means the application mapping (which defines the internal server) is missing or misconfigured.

193
MCQ · medium

A company is implementing Zero Trust Network Access using Fortinet's ZTNA solution. They have deployed a FortiGate as the ZTNA gateway and are using FortiClient as the ZTNA agent. Users report that they can initiate ZTNA connections, but the connections drop after a few minutes. The FortiGate logs show that the ZTNA session is being terminated due to an endpoint compliance check failure. Which action should the administrator take to resolve this issue?

A. Review and adjust the endpoint compliance rules in FortiClient EMS.
B. Disable endpoint compliance checks on the FortiGate.
C. Increase the session timeout on the FortiGate ZTNA gateway.
D. Change the authentication method from certificate to LDAP.
Answer: A

Adjusting compliance rules to match the actual endpoint state will allow the connection to persist.

Why this answer

The correct answer is A because the FortiGate logs explicitly indicate that the ZTNA session is being terminated due to an endpoint compliance check failure. This means the FortiGate is enforcing compliance rules defined in FortiClient EMS, and when the endpoint fails those checks (e.g., missing antivirus updates, firewall disabled), the session is dropped. Reviewing and adjusting the compliance rules in EMS allows the administrator to align the requirements with the actual endpoint posture or correct the misconfiguration causing the failure.

Exam trap

The trap here is that candidates may confuse session timeout (a timer-based disconnect) with compliance enforcement (a policy-based disconnect), leading them to incorrectly choose option C instead of recognizing that the log message directly points to a compliance rule issue in EMS.

How to eliminate wrong answers

Option B is wrong because disabling endpoint compliance checks on the FortiGate would bypass the Zero Trust principle entirely, leaving the network vulnerable to non-compliant endpoints, and does not address the root cause of why compliance checks are failing. Option C is wrong because increasing the session timeout would not prevent the session from being terminated due to a compliance check failure; the timeout controls idle session duration, not compliance enforcement. Option D is wrong because changing the authentication method from certificate to LDAP does not affect endpoint compliance checks; ZTNA session termination due to compliance failure is independent of the authentication method used.

194
MCQ · medium

An administrator configures BGP over an IPsec VPN between two FortiGates. The BGP session is established, but routes from the remote site are not being installed in the local routing table. The admin verifies that the BGP neighbor configuration is correct and the remote site is advertising routes. What is the MOST likely cause?

A. The BGP timers are too aggressive causing route flapping
B. The BGP network statement is missing on the local FortiGate
C. A firewall policy is blocking BGP traffic on the VPN interface
D. The next-hop IP address is not reachable
Answer: C

The VPN interface or loopback used for BGP peering must have a firewall policy allowing inbound BGP traffic (TCP 179). Without it, BGP packets are dropped even though the VPN tunnel is up.

Why this answer

BGP routes must be allowed by a firewall policy on the loopback or interface used for BGP. Even if the VPN tunnel is up, BGP traffic (TCP port 179) may be blocked by the local-in policy or by the VPN interface's firewall policy if not explicitly allowed.

195
MCQ · hard

A network administrator is troubleshooting an IPsec VPN between two FortiGates. The phase1 is up, but phase2 keeps failing to establish. The administrator runs 'diagnose vpn ike log' and sees: 'no proposal chosen'. Both sides have the same phase2 configuration: AES256-SHA256, DH group 14, 3600 seconds lifetime. What is the MOST likely cause?

A. The NAT traversal setting is inconsistent
B. The IKE version is different on each side
C. The phase2 local and remote subnets do not match on both sides
D. The pre-shared key is incorrect
Answer: C

The 'no proposal chosen' error in phase2 usually indicates a mismatch in the traffic selectors (subnets). Both sides must have mirroring subnet definitions.

Why this answer

Even if the encryption/authentication proposals match, a common issue is a mismatch in the local and remote subnets (selectors). The phase2 negotiation requires matching traffic selectors. If one side has 192.168.1.0/24 and the other has 10.0.0.0/8, the proposals will be rejected.

Option C is correct.

196
MCQ · easy

Which of the following is a requirement for FortiGate to act as a SAML Identity Provider (IdP) for ZTNA?

A. A public IP address on the WAN interface
B. A configured user database and SAML IdP settings
C. Integration with FortiClient EMS
D. An SSL certificate from a public CA
Answer: B

FortiGate needs users to authenticate and SAML configuration.

Why this answer

FortiGate can be a SAML IdP, providing authentication to service providers. It requires a configured user database (e.g., local users, LDAP) and a SAML IdP profile.

197
Multi-Select · medium

A FortiGate administrator is troubleshooting a VPN tunnel that uses IKEv2 with certificate authentication. The tunnel fails to establish, and the IKE debug shows 'no acceptable proposal' for the initial exchange. Which TWO configuration mismatches could cause this error? (Choose two.)

Select 2 answers
A. Mismatched encryption algorithms between the two peers
B. Mismatched phase2 encryption algorithms
C. Mismatched IKE version (IKEv1 vs IKEv2)
D. Incorrect local certificate configuration on one peer
E. Mismatched authentication methods (pre-shared key vs certificate)
Answers: A, E

IKEv2 phase1 encryption must match; e.g., AES256 vs AES128.

Why this answer

'No acceptable proposal' typically indicates a mismatch in phase1 parameters such as encryption, hash, DH group, or authentication method. Options A and E are correct because the IKEv2 proposal includes the encryption algorithms and the authentication method.

198
MCQ · medium

A FortiGate administrator wants to use SAML SSO to authenticate VPN users. The FortiGate will act as the service provider (SP) and an external identity provider (IdP) will be used. Which of the following must be configured on the FortiGate to enable SAML authentication for SSL VPN?

A. A RADIUS server pointing to the IdP and an authentication rule.
B. An LDAP server with the IdP's certificate and a matching policy.
C. A user group with SAML authentication method and an SSL VPN portal referencing that group.
D. A local user with SAML attributes and a firewall policy referencing that user.
Answer: C

Why this answer

For SAML SSO on SSL VPN, you must configure a user group with SAML authentication, then assign an SSL VPN portal that uses that group. The FortiGate acts as SP. RADIUS/LDAP are not required.

199
MCQ · hard

A FortiGate is configured as a SAML IdP for a partner's cloud application. After configuring the application as a service provider, users report that they are prompted for credentials every time they access the application, even though they already authenticated to FortiGate. What is the MOST likely cause?

A. The SAML single logout URL is misconfigured
B. The SAML assertion is not signed
C. The IdP session timeout is set to a lower value than the SP session timeout
D. The FortiGate is not configured to generate a Name ID
Answer: C

If the IdP session expires, FortiGate will require re-authentication even if the SP session is still active.

Why this answer

SAML SSO requires consistent session timeout settings. If the IdP session timeout is shorter than the SP session, users may need to re-authenticate frequently.

200
MCQ · medium

An administrator runs the CLI command 'diagnose vpn ike gateway list' and sees that a phase1 gateway is in 'UP' state, but the 'DPD' field shows 'disabled'. The tunnel is working. What is the implication?

A. DPD is only used for phase2, so phase1 is unaffected.
B. DPD is disabled but the tunnel will still detect peer failure via IKE keepalives.
C. The FortiGate is using NAT-T, which disables DPD automatically.
D. The tunnel will never detect if the remote peer goes down.
Answer: D

Why this answer

DPD is the mechanism to detect peer liveness. If disabled, the FortiGate will not proactively check if the peer is reachable, so a dead peer will not be detected until traffic fails. IKE keepalives are not a separate mechanism; DPD is the standard method.

NAT-T does not inherently disable DPD.

201
MCQ · medium

An administrator has configured FortiGate as a SAML service provider (SP) for VPN authentication. Users are prompted for credentials but authentication fails even though they can authenticate directly at the IdP portal. What is the most likely misconfiguration?

A. The IdP is using HTTP-POST binding while FortiGate expects HTTP-Redirect
B. The IdP certificate is not imported on FortiGate
C. The FortiGate's entity ID or ACS URL registered at the IdP is incorrect
D. SAML authentication is not enabled in the VPN portal
Answer: C

Mismatched endpoints prevent the IdP from sending the SAML assertion to the correct location.

Why this answer

If users can authenticate at the IdP but not via FortiGate SP, the problem is likely that the FortiGate entity ID or ACS URL does not match what is registered at the IdP.

202
MCQ · medium

A FortiGate administrator is configuring ZTNA to provide secure access to an internal application. The application is hosted on a server with IP 10.0.1.100 and port 8080. The administrator creates a ZTNA rule on the FortiGate as an access proxy. What is the correct configuration for the ZTNA rule's 'Application Access' entry?

A. External port: 0, Mapped port: 8080, Destination: 10.0.1.100
B. External port: 8080, Mapped port: 443, Destination: 10.0.1.100
C. External port: 443, Mapped port: 443, Destination: 10.0.1.100
D. External port: 443, Mapped port: 8080, Destination: 10.0.1.100
Answer: D

The client connects to the FortiGate on port 443, and the FortiGate forwards to the internal server on port 8080.

Why this answer

For a ZTNA access proxy, the destination virtual IP maps the external address and port to the internal server. Option D is correct: the external port is the port the client connects to (443) and the mapped port is the internal server port (8080).

203
MCQ · hard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the traffic?

A. The session is being blocked by the firewall
B. The session is in a half-open state, waiting for SYN-ACK
C. The session is an established TCP connection
D. The session is a UDP connection with a long timeout
Answer: C

proto=6 indicates TCP, and state 01 means established. The session is active and expected to continue.

Why this answer

The output shows a TCP session (proto=6). In FortiGate session diagnostics, proto_state=01 means the TCP session is in the ESTABLISHED state. The session has been up for 3600 seconds and will expire in 3599 seconds. Option C is correct because it is an established TCP connection.

204
MCQ · medium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is established but traffic is not passing. The administrator runs 'diagnose vpn ike log' and sees 'no matching policy for this IPsec SA'. What is the most likely cause?

A. The phase2 selectors do not match between peers
B. There is no firewall policy allowing traffic from the local network to the remote network via the VPN tunnel interface
C. The pre-shared key is mismatched
D. The tunnel interface is administratively down
Answer: B

Even if the tunnel is up, a firewall policy must explicitly permit traffic to use the tunnel. Without it, traffic is dropped.

Why this answer

The error indicates that the IKE SA exists but no firewall policy matches the traffic to use the tunnel. The tunnel interface is likely configured but the policy to allow traffic through the tunnel is missing or incorrect.

205
MCQ · easy

A FortiGate administrator wants to ensure that only devices with an up-to-date antivirus and OS patch level can access a sensitive application published via ZTNA. Which ZTNA component should the administrator configure to enforce this requirement?

A. ZTNA proxy configuration
B. ZTNA tags with posture checks
C. SSL VPN portal settings
D. Firewall policy with application control
Answer: B

ZTNA tags can include posture attributes. Policies reference these tags to control access based on device compliance.

Why this answer

ZTNA tags are used to define conditions based on device posture (e.g., antivirus status, OS patch level). Tags are assigned via FortiClient EMS and referenced in ZTNA policies to grant or deny access.

206
MCQ · medium

A FortiGate admin is configuring a multi-peer IPsec VPN where the remote site has two ISPs for redundancy. The admin wants to ensure that if the primary ISP fails, the VPN automatically fails over to the secondary ISP without manual intervention. Which feature should be enabled?

A. IPsec interface mode with DHCP
B. IKEv2 with mobility extension
C. Auto-negotiate phase 1 settings
D. Dead Peer Detection (DPD) with retry and failover
Answer: D

DPD detects when the peer is unreachable and can trigger failover to a secondary path or peer.

Why this answer

DPD (Dead Peer Detection) with auto-negotiation allows the FortiGate to detect peer unreachability and automatically re-establish the tunnel using an alternate path if configured.

207
MCQ · easy

A FortiGate administrator wants to use PKI certificates for IKEv2 authentication instead of pre-shared keys. Which phase1 configuration parameter must be changed to support certificate-based authentication?

A. Set the authentication method to 'signature'.
B. Set the proposal to include DH groups 14 or higher.
C. Configure 'local-gw' with the certificate's CN.
D. Enable 'peer-id-option' and set it to 'any'.

Why this answer

For PKI authentication, the phase1 authentication method must be set to 'signature' (RSA signature). This tells FortiGate to use the certificate's private key for IKE authentication.
