
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Fortinet NSE 7 Advanced Security NSE7 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

Scenario questions: 5
Exam code: NSE7
Vendor: Fortinet

Scenario guide

How to approach refer-to-the-exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A FortiGate is blocking HTTP traffic from 10.0.1.5 to 10.0.2.100, despite an explicit allow policy. The exhibit shows the configuration and debug flow output. What is the most likely cause?

Exhibit

Refer to the exhibit.

config firewall policy
    edit 1
        set name "Allow-Web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.0.1.0/24"
        set dstaddr "10.0.2.100"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end

diag debug flow show function-name show-verbose

--- flow debug output ---
proton_state=0, reason=session-denied
id=20085 trace_id=155 func=print_pkt_detail line=4945 msg="vd-root:0 received a packet from port1: 10.0.1.5:45231 -> 10.0.2.100:80, proto 6."
id=20085 trace_id=155 func=resolve_ip_tuple line=4125 msg="Find an existing session, id 00001234, original direction"
id=20085 trace_id=155 func=__ip_session_match_tuple line=2818 msg="Session state: not ready"
id=20085 trace_id=155 func=__ip_session_find_by_session_id line=2773 msg="session session_deny because state proto is not ready"

Question 2 (hard, multiple choice)

Refer to the exhibit. A FortiGate is connected to the Security Fabric and registered with FortiManager. However, the administrator notices that the FortiGate is not receiving policy updates from FortiManager. What is the most likely cause?

Exhibit

FGT # get system fabric-status
Fabric Role: Member
Fabric Status: Connected
Fabric Group: MyGroup
Fabric Root: FGT-Root (serial: FG100D3TF16800001)
Last contact: 2024-01-15 10:30:00
FGT # diagnose test application fgfms 3
FGFMs status:
  Registered with FortiManager: Yes
  FortiManager IP: 192.168.1.100
  FortiManager status: Connected
  Last heartbeat: 2024-01-15 10:29:55

Question 3 (easy, multiple choice)

Refer to the exhibit. An administrator has configured an active-passive HA cluster. After reviewing the configuration and status, the administrator wants to ensure that the management interface (port2) is accessible on both units using the same IP address. What additional configuration is required?

Exhibit

config system ha
    set mode a-p
    set group-name "HA_Cluster"
    set password ENC abcd1234
    set hbdev "port1" 100
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway 10.0.0.1
        next
    end
end

HA cluster status:

HA Health Status: OK
Model: FortiGate-100F
Mode: Active-Passive
Group: HA_Cluster
Debug: 0
npu-1: primary
npu-2: standby

Question 4 (easy, multiple choice)

An administrator is reviewing the HA configuration shown in the exhibit. The primary unit has failed, and the secondary unit (with priority 100) has taken over. However, the administrator notices that the secondary unit has an IP address of 10.10.10.2 on port3, but cannot ping the management gateway 10.10.10.1. What is the most likely cause?

Exhibit

Refer to the exhibit.

config system ha
    set group-name "HA_Cluster"
    set mode a-p
    set hbdev "port1" 50 "port2" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    set ha-mgmt-interface "port3"
    set ha-mgmt-interface-gateway 10.10.10.1
    set override enable
    set priority 200
end

Question 5 (hard, multiple choice)

A FortiGate is running OSPF in a multi-area topology. The administrator needs to redistribute connected routes from area 0 into area 1 but does not want to leak any other routes. Which configuration is correct?
