
Scenario-based practice

Hard Difficulty Questions

Practise Fortinet NSE 7 Advanced Security (NSE7) scenario questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: NSE7 | Vendor: Fortinet

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. For each scenario, work out:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related NSE7 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A FortiGate cluster (A-P) has a session that is not synchronizing to the secondary unit. The administrator runs 'diagnose sys ha session-sync status' and sees that the session count is different between primary and secondary. Which is the most likely cause?

Question 2 (hard, multiple choice)

An administrator is troubleshooting a scenario where IPSec VPN tunnels between two FortiGates are flapping. The logs show Phase 1 is up but Phase 2 fails with 'no proposal chosen'. The remote FortiGate has multiple Phase 2 selectors configured. What is the most likely cause?

Question 3 (hard, multiple choice)

A FortiGate is blocking HTTP traffic from 10.0.1.5 to 10.0.2.100, despite an explicit allow policy. The exhibit shows the configuration and debug flow output. What is the most likely cause?

Exhibit

Refer to the exhibit.

config firewall policy
    edit 1
        set name "Allow-Web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.0.1.0/24"
        set dstaddr "10.0.2.100"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end

diag debug flow show function-name show-verbose

--- flow debug output ---
proton_state=0, reason=session-denied
id=20085 trace_id=155 func=print_pkt_detail line=4945 msg="vd-root:0 received a packet from port1: 10.0.1.5:45231 -> 10.0.2.100:80, proto 6."
id=20085 trace_id=155 func=resolve_ip_tuple line=4125 msg="Find an existing session, id 00001234, original direction"
id=20085 trace_id=155 func=__ip_session_match_tuple line=2818 msg="Session state: not ready"
id=20085 trace_id=155 func=__ip_session_find_by_session_id line=2773 msg="session session_deny because state proto is not ready"

Question 4 (hard, multi select)

Which TWO configurations are required to enable SSL VPN authentication using a RADIUS server on a FortiGate?

Question 5 (hard, multiple choice)

Refer to the exhibit. A FortiGate is connected to the Security Fabric and registered with FortiManager. However, the administrator notices that the FortiGate is not receiving policy updates from FortiManager. What is the most likely cause?

Exhibit

FGT # get system fabric-status
Fabric Role: Member
Fabric Status: Connected
Fabric Group: MyGroup
Fabric Root: FGT-Root (serial: FG100D3TF16800001)
Last contact: 2024-01-15 10:30:00
FGT # diagnose test application fgfms 3
FGFMs status:
  Registered with FortiManager: Yes
  FortiManager IP: 192.168.1.100
  FortiManager status: Connected
  Last heartbeat: 2024-01-15 10:29:55

Question 6 (hard, multi select)

Which TWO statements are true regarding BGP path selection in a FortiGate SD-WAN environment?

Question 7 (hard, multiple choice)

A company uses SSL VPN with FortiGate for remote access. Users report that after connecting, they can access internal web servers but cannot ping them. Which configuration is most likely missing?

Question 8 (hard, multiple choice)

A network engineer is designing a FortiGate HA cluster with two units operating in active-active mode. The cluster will be placed in a VDOM-enabled environment. The engineer wants to ensure that traffic from a specific VDOM is load-balanced across both units based on source IP address. Which setting must be configured on the cluster to achieve this?

Question 9 (hard, multi select)

A FortiGate with multiple VDOMs is experiencing high CPU usage. The administrator suspects that one VDOM is consuming excessive resources. Which THREE methods can be used to limit resource usage per VDOM?

Question 10 (hard, multiple choice)

An administrator is troubleshooting a ZTNA connection issue where a user can access the ZTNA gateway but the connection to the internal application fails after a few seconds. The FortiGate logs show 'ZTNA session timeout' but the timeout value is set to 30 minutes. What could be the reason?

Question 11 (hard, multiple choice)

During a ZTNA implementation, the administrator configures a ZTNA rule for an internal application but users cannot connect. The FortiGate policy is correct and the application is reachable from the FortiGate. What is the most likely misconfiguration?

Question 12 (hard, multi select)

Which THREE of the following are valid methods to deliver ZTNA tags to FortiClient? (Select three.)

Question 13 (hard, multiple choice)

A FortiGate in transparent mode is deployed in a data center. The admin notices that ARP requests from a downstream switch for the default gateway are not being answered. The FortiGate's management IP is configured on the same subnet as the switch. What is the most likely cause?

Question 14 (hard, multiple choice)

During a security audit, it is found that traffic between two VDOMs is allowed even though no inter-VDOM routing policy is configured. The VDOMs are connected via a VDOM link. What could explain this behavior?

Question 15 (hard, multiple choice)

An organization has multiple ADOMs in FortiManager. The admin wants to share a set of firewall objects across all ADOMs. What is the best approach?

Question 16 (hard, multi select)

A company has a FortiGate with multiple VDOMs. The security team wants to use FortiManager to manage policies centrally. Which three steps are necessary to set up VDOM management via FortiManager? (Choose three.)

Question 17 (hard, multi select)

A FortiManager administrator wants to use automation stitches to respond to a specific security event on managed FortiGates. Which THREE components are required to build an automation stitch? (Select THREE.)

Question 18 (hard, multiple choice)

An administrator configures a firewall policy with an application control profile to block social media. The administrator observes that some social media traffic is still passing through. The traffic is HTTPS. What additional configuration is REQUIRED for application control to effectively block HTTPS-based social media?

Question 19 (hard, multiple choice)

A FortiGate in transparent mode is deployed between a router and a switch. The administrator needs to apply a deep inspection profile to HTTP traffic. What is the correct configuration for the interfaces?

Question 20 (hard, multi select)

A FortiGate administrator wants to generate customized reports in FortiAnalyzer for different departments. The administrator needs to ensure that each department can only see its own logs. Which TWO configurations are necessary?

These NSE7 practice questions are part of Courseiva's free Fortinet certification practice question bank. Courseiva provides original exam-style NSE7 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.