Question 610 of 1,000
Enterprise Firewall and VDOMs · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is a missing firewall policy in the destination VDOM to allow the return traffic. When inter-VDOM routing is configured between VDOMs A and B on the same FortiGate, traffic initiated from VDOM A to VDOM B creates a session only in VDOM A’s session table. The FortiGate’s stateful inspection engine requires a corresponding session in VDOM B for the return packets; without a firewall policy in VDOM B permitting that return traffic, the engine drops the packets as invalid, causing the failure. This scenario is a classic trap on the Fortinet NSE 7 Advanced Security NSE7 exam, testing your understanding that inter-VDOM routing is stateful and requires bidirectional policies—one in each VDOM—even though the traffic originates from only one side. A common memory tip is “two VDOMs, two policies: source allows out, destination allows back.”

NSE7 Enterprise Firewall and VDOMs Practice Question

This NSE7 practice question tests your understanding of Enterprise Firewall and VDOMs. The scenario asks you to isolate a root cause; eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and to understand why each distractor is designed to mislead on exam day.

An administrator configures inter-VDOM routing between VDOMs A and B. Both VDOMs are on the same FortiGate. The admin creates a policy allowing traffic from VDOM A to VDOM B. Traffic from VDOM A to VDOM B fails. What is the most likely cause?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.


Correct answer & explanation

There is no firewall policy in VDOM B to allow the return traffic

In a FortiGate inter-VDOM routing setup, traffic initiated from VDOM A to VDOM B requires a firewall policy in VDOM B to permit the return traffic. Without this policy, the FortiGate's stateful inspection engine drops the return packets because no session exists in VDOM B's session table. This is a common misconfiguration where administrators only create a policy in the source VDOM.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • VDOM A and VDOM B must be in the same administrative VDOM

    Why it's wrong here

    Administrative VDOMs are separate; inter-VDOM routing works between regular VDOMs.

  • The VDOMs are in transparent mode

    Why it's wrong here

    Transparent mode does not affect inter-VDOM routing; the cause is still a missing policy.

  • There is no firewall policy in VDOM B to allow the return traffic

    Why this is correct

    Inter-VDOM traffic requires policies in both VDOMs. The policy in VDOM A allows traffic to VDOM B, but a policy in VDOM B must permit the return traffic.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The inter-VDOM link is not configured

    Why it's wrong here

    Inter-VDOM routing uses a logical link (a VDOM link), but the failure is more likely a missing policy in the destination VDOM.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates assume a single policy in the source VDOM is sufficient, overlooking that FortiGate's stateful inspection requires explicit policies in both VDOMs for bidirectional traffic flow.

Detailed technical explanation

How to think about this question

Inter-VDOM routing uses a virtual inter-VDOM link (or VDOM link) that acts as a logical interface pair between VDOMs. The FortiGate performs stateful inspection across VDOM boundaries, meaning each VDOM maintains its own session table. When a packet traverses from VDOM A to VDOM B, the session is created in VDOM A, but the return packet must match a session in VDOM B; without a policy in VDOM B allowing the traffic, the return packet is dropped. This behavior is analogous to routing between separate firewalls where return traffic policies are required.
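As an added example (not from the page), this is the FortiOS CLI shape of a working setup: the VDOM link is created globally, one end of it lands in each VDOM, and each VDOM carries its own firewall policy over its end of the link. It assumes VDOMs named A and B, a link named vlinkAB, inside ports port1 and port2, the link addresses from Variation 4 below, and that the static routes over the link are already in place as the question states; the policy in VDOM B is the piece the scenario is missing.

```text
# Added example, not from the page: link and per-VDOM policies for A <-> B.
# Names (vlinkAB, port1, port2) and addresses are assumed; routes are omitted.
config global
    config system vdom-link
        edit "vlinkAB"
            set type ethernet
        next
    end
    config system interface
        edit "vlinkAB0"
            set vdom "A"
            set ip 10.10.10.1 255.255.255.0
        next
        edit "vlinkAB1"
            set vdom "B"
            set ip 10.10.10.2 255.255.255.0
        next
    end
end
config vdom
    edit "A"
        # The policy the administrator did create: out of A over the link.
        config firewall policy
            edit 1
                set srcintf "port1"
                set dstintf "vlinkAB0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
    edit "B"
        # The policy missing in the scenario: traffic arriving from A over the link.
        config firewall policy
            edit 1
                set srcintf "vlinkAB1"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Without the second policy, packets crossing into VDOM B over vlinkAB1 hit B's implicit deny, which is the failure the question describes.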

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this NSE7 question test?

This question tests Enterprise Firewall and VDOMs. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: There is no firewall policy in VDOM B to allow the return traffic — In a FortiGate inter-VDOM routing setup, traffic initiated from VDOM A to VDOM B requires a firewall policy in VDOM B to permit the return traffic. Without this policy, the FortiGate's stateful inspection engine drops the return packets because no session exists in VDOM B's session table. This is a common misconfiguration where administrators only create a policy in the source VDOM.

What should I do if I get this NSE7 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

8 more ways this is tested on NSE7

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. An administrator configures inter-VDOM routing between VDOMs A and B using a VDOM link. The administrator can ping from VDOM A to an interface in VDOM B, but traffic from VDOM B to VDOM A times out. What is the most likely cause?

Difficulty: medium
  • A. VDOM B has no traffic VDOM capability
  • B. The route back to the source subnet is missing in VDOM A
  • C. The firewall policy in VDOM B is blocking traffic
  • D. The VDOM link's MTU is set too high

Why B: The correct answer is B because inter-VDOM routing requires a route in both directions. Since the administrator can ping from VDOM A to VDOM B, the forward path works, but the return traffic from VDOM B to VDOM A fails due to a missing route back to the source subnet in VDOM A. This is a classic asymmetric routing issue where the destination VDOM (A) does not know how to reach the source subnet of VDOM B.

Variation 2. An administrator configures inter-VDOM routing between VDOM-A and VDOM-B using a VDOM link. After configuration, traffic from VDOM-A cannot reach VDOM-B. Which configuration step is MOST likely missing?

Difficulty: medium
  • A. Create a firewall policy on VDOM-A and VDOM-B allowing traffic over the VDOM link interface
  • B. Enable 'inter-vdom-routing' under system settings
  • C. Configure a static route on VDOM-A pointing to VDOM-B's subnet via the VDOM link
  • D. Assign both VDOM link interfaces to the same VDOM

Why A: VDOM links are special inter-VDOM interfaces that require firewall policies on both VDOMs to permit traffic. Without a policy on VDOM-A and VDOM-B that allows traffic over the VDOM link interface, packets will be dropped by the implicit deny rule. This is the most common missing step when inter-VDOM routing fails.

Variation 3. An administrator configures inter-VDOM routing between VDOM-A and VDOM-B using a VDOM link. The default route in VDOM-A points to a next-hop router, and VDOM-B has a static route to a subnet behind VDOM-A. Users in VDOM-B cannot reach that subnet. The administrator runs 'diagnose ip route list' in both VDOMs and sees the routes are present. What is the most likely cause?

Difficulty: hard
  • A. The VDOM link MTU is too small for the traffic
  • B. The VDOM link interfaces are administratively down
  • C. Firewall policies are missing on the VDOMs to permit traffic between the VDOM link and the destination interfaces
  • D. The VDOMs are in different administrative domains (ADOMs) on FortiManager

Why C: Even though the routes are present in both VDOMs, inter-VDOM routing via a VDOM link requires explicit firewall policies on each VDOM to permit traffic between the VDOM link interface and the destination interface. Without these policies, the FortiGate drops the traffic at the firewall layer, even though the routing table is correct. This is a common misconfiguration because VDOM links behave like physical interfaces and are subject to firewall policy enforcement.

Variation 4. An administrator configures a VDOM link between VDOMs A and B. In VDOM A, the VDOM link interface is assigned IP 10.10.10.1/24, and in VDOM B, it is assigned 10.10.10.2/24. A firewall policy on VDOM A allows traffic from a subnet in VDOM A to a subnet in VDOM B. However, traffic fails. The admin checks the routing table in VDOM A and sees a route to the destination subnet via 10.10.10.2. What is the most likely cause?

Difficulty: medium
  • A. No firewall policy in VDOM B to allow traffic from the VDOM link
  • B. The VDOM link is not administratively up in VDOM B
  • C. Inter-VDOM routing is disabled globally
  • D. The subnet in VDOM B is not defined as an address object in VDOM A's policy

Why A: Option A is correct. In VDOM B, there must be a firewall policy allowing inbound traffic from the VDOM link. Without it, the traffic will be dropped upon entering VDOM B.

Variation 5. A FortiGate administrator is configuring inter-VDOM routing between two VDOMs: VDOM-A and VDOM-B. The administrator wants to allow traffic from VDOM-A to reach a server in VDOM-B while keeping the VDOMs logically separated. Which configuration step is REQUIRED?

Difficulty: medium
  • A. Configure a static route in VDOM-A pointing to the server's subnet via the VDOM-B gateway
  • B. Create a VDOM link between VDOM-A and VDOM-B and configure firewall policies on both sides
  • C. Enable inter-VDOM routing under system settings globally
  • D. Assign the same physical interface to both VDOMs and configure routing

Why B: Inter-VDOM routing on FortiGate requires a VDOM link, which is a logical interface pair that connects two VDOMs. Firewall policies must be configured on both sides of the VDOM link to explicitly allow traffic between the VDOMs, ensuring logical separation while enabling controlled communication. Without these policies, traffic will be dropped even if routes exist.

Variation 6. A network administrator is configuring inter-VDOM routing between two VDOMs: VDOM-A and VDOM-B. The administrator creates an inter-VDOM link and adds routes pointing to the link. However, traffic from VDOM-A to VDOM-B fails. What is the most likely missing configuration?

Difficulty: medium
  • A. Both VDOMs must be in transparent mode
  • B. A firewall policy must be created in each VDOM to permit traffic across the inter-VDOM link
  • C. The inter-VDOM link must be in the same VDOM
  • D. The management VDOM must be enabled

Why B: In FortiGate, inter-VDOM routing requires firewall policies in each VDOM to explicitly permit traffic across the inter-VDOM link. Without these policies, the FortiGate drops the traffic even if routes are correctly configured, because the inter-VDOM link behaves like a virtual interface that requires policy-based access control.

Variation 7. In a multi-VDOM deployment, an administrator needs to route traffic between VDOM-A and VDOM-B. The administrator creates a VDOM link between the two VDOMs. What additional configuration is required on each VDOM to enable inter-VDOM traffic?

Difficulty: medium
  • A. Only a firewall policy on VDOM-A allowing traffic to VDOM-B
  • B. Assign the VDOM link interfaces to the same VDOM
  • C. Enable 'inter-vdom-routing' under system settings only
  • D. Configure a static route on each VDOM pointing to the other VDOM's networks via the VDOM link, and create a firewall policy allowing traffic

Why D: Option D is correct because inter-VDOM traffic via a VDOM link requires both a static route on each VDOM pointing to the remote VDOM's networks through the VDOM link interface, and a firewall policy on each VDOM that permits the desired traffic. Without the static route, the VDOM does not know how to reach the other VDOM's subnets; without the firewall policy, traffic is blocked by the implicit deny rule. The VDOM link itself provides the Layer 2 or Layer 3 connectivity between the VDOMs, but routing and policy enforcement are mandatory for traffic to flow.

Variation 8. An administrator needs to ensure that traffic between two VDOMs (VDOM_A and VDOM_B) is inspected by an IPS profile. Which TWO configuration elements are required? (Choose TWO.)

Difficulty: medium
  • A. An inter-VDOM link with IP addresses in the same subnet
  • B. NAT enabled on the inter-VDOM link
  • C. A firewall policy on VDOM_B with the source as the inter-VDOM link
  • D. An IPsec VPN between the VDOMs
  • E. A firewall policy on VDOM_A with the inter-VDOM link as the destination interface and an IPS profile applied

Why A: An inter-VDOM link is required to route traffic between VDOMs, and placing IP addresses in the same subnet on both ends ensures direct Layer 2 connectivity without routing overhead. This allows the firewall policies in each VDOM to control traffic flow, and applying an IPS profile on the policy in VDOM_A (with the inter-VDOM link as the destination interface) ensures that all traffic leaving VDOM_A toward VDOM_B is inspected by IPS.

Last reviewed: Jun 24, 2026


This NSE7 practice question is part of Courseiva's free Fortinet certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the NSE7 exam.