Back to Fortinet NSE 7 Advanced Security NSE7 questions

Scenario-based practice

Troubleshooting Scenario Questions

Practise Fortinet NSE 7 Advanced Security NSE7 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
NSE7
exam code
Fortinet
vendor

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting Scenario Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related NSE7 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Read the full VPN explanation →

An administrator is troubleshooting a scenario where IPSec VPN tunnels between two FortiGates are flapping. The logs show Phase 1 is up but Phase 2 fails with 'no proposal chosen'. The remote FortiGate has multiple Phase 2 selectors configured. What is the most likely cause?

Question 2mediumdrag order
Read the full VPN explanation →

Drag and drop the steps to troubleshoot a FortiGate SSL VPN connection failure into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 3mediummultiple choice
Review the full subnetting walkthrough →

A customer reports intermittent connectivity issues between two internal subnets separated by a FortiGate firewall. The traffic is allowed by the policy, but users experience timeouts during peak hours. Which troubleshooting step should you take first?

Question 4mediummulti select
Read the full VPN explanation →

An administrator is troubleshooting a VPN tunnel that is not coming up. The remote peer is a third-party device. Which THREE actions should be taken to diagnose the issue?

Question 5hardmultiple choice
Read the full VPN explanation →

A company uses SSL VPN with FortiGate for remote access. Users report that after connecting, they can access internal web servers but cannot ping them. Which configuration is most likely missing?

Question 6mediummulti select
Full question →

Which TWO actions are appropriate when troubleshooting a slow network connection through a FortiGate?

Question 7easymultiple choice
Full question →

An administrator is reviewing the HA configuration shown in the exhibit. The primary unit has failed, and the secondary unit (with priority 100) has taken over. However, the administrator notices that the secondary unit has an IP address of 10.10.10.2 on port3, but cannot ping the management gateway 10.10.10.1. What is the most likely cause?

Exhibit

Refer to the exhibit.

config system ha
    set group-name "HA_Cluster"
    set mode a-p
    set hbdev "port1" 50 "port2" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    set ha-mgmt-interface "port3"
    set ha-mgmt-interface-gateway 10.10.10.1
    set override enable
    set priority 200
end
Question 8mediummulti select
Full question →

An administrator is troubleshooting an HA cluster issue. The cluster consists of two FortiGate units in active-passive mode. The passive unit is showing a 'heartbeat lost' error in the logs. Which TWO configuration checks should the administrator perform to resolve this issue?

Question 9hardmultiple choice
Full question →

An administrator is troubleshooting a ZTNA connection issue where a user can access the ZTNA gateway but the connection to the internal application fails after a few seconds. The FortiGate logs show 'ZTNA session timeout' but the timeout value is set to 30 minutes. What could be the reason?

Question 10mediummultiple choice
Full question →

An administrator is troubleshooting a scenario where FortiAnalyzer is not receiving logs from a FortiGate. The FortiGate shows 'log-fortianalyzer setting status: disconnected'. Which step should be taken first to resolve this?

Question 11mediummulti select
Full question →

A FortiGate administrator is troubleshooting slow network performance. The administrator runs the command 'diagnose sys session filter dst 10.0.0.1' and sees many sessions in a 'proto_state=0a' state. What does this state indicate? (Select TWO.)

Question 12hardmultiple choice
Review the full routing breakdown →

A FortiGate administrator is troubleshooting a scenario where users in VDOM-1 cannot reach a server in VDOM-2. Inter-VDOM routing is configured using a VDOM link. The administrator checks the session table and sees that packets are arriving on the VDOM link interface but are not being forwarded. What is the MOST likely cause?

Question 13mediummulti select
Read the full VPN explanation →

A FortiGate administrator is troubleshooting an issue where IPsec VPN traffic is not being forwarded correctly in a multi-VDOM environment. Which TWO factors should the administrator verify?

Question 14hardmultiple choice
Full question →

An administrator wants to create an automation stitch that automatically blocks an IP address when a high-severity IPS alert is triggered. The administrator creates a trigger for 'IPS event' and an action of 'Add to Blocked IPs'. However, the action fails to execute. Which of the following is the most likely cause?

Question 15mediummultiple choice
Read the full VPN explanation →

When troubleshooting an IPsec VPN phase 1 failure, you run 'diagnose vpn ike config' and see that the remote gateway IP address is incorrect. Which command is used to correct the peer IP configuration?

These NSE7 practice questions are part of Courseiva's free Fortinet certification practice question bank. Courseiva provides original exam-style NSE7 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.