CCNA NSE7 Enterprise VDOM Questions

75 of 264 questions · Page 1/4 · NSE7 Enterprise VDOM topic

1
Multi-Select · hard

A FortiManager administrator wants to use automation stitches to respond to a specific security event on managed FortiGates. Which THREE components are required to build an automation stitch? (Select THREE.)

Select 3 answers
A. Trigger
B. Route
C. Action
D. FortiView dashboard
E. ADOM
Answers: A, B, C

The trigger defines the event that starts the automation stitch.

Why this answer

An automation stitch in FortiManager requires three core components: a Trigger (the event that starts the stitch), a Route (a conditional path that determines which actions to execute based on the trigger's output), and an Action (the actual response, such as a CLI script or object change). Without these three, the stitch cannot function as a complete automation workflow.

Exam trap

The trap here is that candidates often confuse FortiView or ADOM as required components because they are frequently used in FortiManager workflows, but they are not part of the automation stitch's three mandatory building blocks.

2
MCQ · easy

An administrator needs to monitor traffic flows across multiple FortiGate devices in a Security Fabric. The administrator wants to see a unified view of all traffic, including inter-device traffic, from a single pane. Which Fortinet tool provides this capability?

A. FortiAP
B. FortiManager
C. FortiGate local logs
D. FortiAnalyzer
Answer: D

FortiAnalyzer aggregates logs and provides cross-device traffic visibility.

Why this answer

FortiAnalyzer is the correct tool because it aggregates logs and traffic data from multiple FortiGate devices within a Security Fabric, providing a unified view of all traffic, including inter-device flows. It uses the FortiTelemetry protocol to collect logs and supports the Security Fabric's topology mapping, allowing administrators to monitor cross-device traffic from a single pane of glass.

Exam trap

The trap here is that candidates often confuse FortiManager's centralized management capabilities with FortiAnalyzer's log aggregation and monitoring functions, leading them to select FortiManager for traffic visibility when it is actually designed for policy and configuration management, not real-time traffic analysis.

How to eliminate wrong answers

Option A is wrong because FortiAP is a wireless access point device that provides Wi-Fi connectivity, not a centralized log aggregation or traffic monitoring tool for multiple FortiGates. Option B is wrong because FortiManager is primarily a centralized management platform for configuration and policy deployment, not a log analysis or traffic monitoring tool; it does not provide the unified traffic view that FortiAnalyzer offers. Option C is wrong because FortiGate local logs are stored locally on each device and cannot provide a unified view across multiple FortiGates or show inter-device traffic flows.

3
MCQ · medium

A FortiGate in HA active-passive mode has two VDOMs. VDOM-1 is configured for management (management VDOM). The administrator connects to the management VDOM IP to manage the device. What is a characteristic of the management VDOM?

A. It provides administrative access and is separate from data VDOMs
B. It automatically synchronizes configuration to other VDOMs
C. It must be the root VDOM
D. It can only be accessed via the console port
Answer: A

Management VDOM is dedicated to management traffic, isolating administrative access from data traffic.

Why this answer

In an HA active-passive setup with multiple VDOMs, a management VDOM is dedicated to administrative access (e.g., SSH, HTTPS, SNMP) and is logically separated from data VDOMs that handle production traffic. This separation ensures that management traffic does not interfere with data plane operations and that administrative access remains available even if data VDOMs experience issues. The management VDOM can be any VDOM, not necessarily the root, and its configuration is not automatically synchronized to other VDOMs.

Exam trap

The trap here is that candidates often assume the management VDOM must be the root VDOM or that it automatically syncs configurations to other VDOMs, but Fortinet explicitly separates these concepts to allow flexible administrative isolation without affecting global settings or HA synchronization.

How to eliminate wrong answers

Option B is wrong because the management VDOM does not automatically synchronize its configuration to other VDOMs; configuration synchronization in HA is handled at the system level (e.g., via FGCP), not by the management VDOM itself. Option C is wrong because the management VDOM does not have to be the root VDOM; any VDOM can be designated as the management VDOM, and the root VDOM is a separate concept used for global settings. Option D is wrong because the management VDOM can be accessed via any allowed administrative interface (e.g., network interfaces with HTTPS/SSH enabled), not only the console port; console access is just one of many possible methods.

4
MCQ · hard

An admin creates a VDOM named 'CustomerA' with an inter-VDOM link to the management VDOM. The admin wants CustomerA administrators to manage only their own VDOM. Which configuration step is required?

A. Use the 'config system admin' command and set trusthost to the admin's IP
B. Place the management VDOM and CustomerA in different administrative domains (ADOMs) in FortiManager
C. Create a new administrator and set the 'VDOM' field to 'CustomerA' and assign a profile with appropriate permissions
D. Enable admin-role override in the VDOM settings
Answer: C

This restricts the admin to only CustomerA VDOM.

Why this answer

Option C is correct because to restrict a VDOM administrator to manage only their own VDOM, you must create a new administrator account and explicitly set the 'VDOM' field to that VDOM (e.g., 'CustomerA') and assign a profile with the necessary permissions. This ensures the admin's scope is limited to that VDOM, preventing access to the management VDOM or other VDOMs.

Exam trap

The trap here is confusing IP-based access control (trusthost) with VDOM-based administrative scoping, leading candidates to select Option A instead of understanding that VDOM assignment is the correct method to isolate admin privileges to a single VDOM.

How to eliminate wrong answers

Option A is wrong because the 'trusthost' setting restricts the source IP address from which an admin can log in, not the VDOM scope; it does not limit the admin to managing only CustomerA. Option B is wrong because administrative domains (ADOMs) are a FortiManager concept for multi-device management, not a FortiGate VDOM isolation feature; the question is about local VDOM administration on a single FortiGate. Option D is wrong because 'admin-role override' is not a standard FortiGate VDOM setting; the correct mechanism is to assign the admin to a specific VDOM via the 'config system admin' command with the 'vdom' parameter.

5
MCQ · easy

What is the primary function of FortiAnalyzer's FortiView feature?

A. Centralized device configuration management
B. Scheduling and generating compliance reports
C. Real-time traffic monitoring and visualization
D. Automated remediation of security incidents
Answer: C

FortiView is the real-time monitoring tool.

Why this answer

FortiView on FortiAnalyzer provides real-time traffic monitoring and visualization by aggregating logs from FortiGate devices and displaying them in graphical dashboards. It allows administrators to instantly view top talkers, applications, threats, and other network activity without needing to run manual queries, making it the primary function for live traffic analysis.

Exam trap

The trap here is that candidates confuse FortiView's real-time monitoring with FortiManager's centralized management or FortiAnalyzer's reporting capabilities, leading them to pick Option A or B instead of recognizing that FortiView is explicitly designed for live traffic visualization.

How to eliminate wrong answers

Option A is wrong because centralized device configuration management is handled by FortiManager, not FortiAnalyzer; FortiAnalyzer focuses on log management and reporting, not pushing configuration changes. Option B is wrong because while FortiAnalyzer can generate compliance reports, that is a secondary feature of the Reports module, not the primary function of FortiView, which is specifically for real-time monitoring and visualization. Option D is wrong because automated remediation of security incidents is a function of FortiSOAR or FortiGate's automation stitches, not FortiAnalyzer's FortiView, which is read-only and does not execute actions.

6
Multi-Select · hard

An organization uses FortiAnalyzer for centralized logging. The security team wants to use playbooks to automate responses to detected incidents. Which THREE components are essential for a playbook to function?

Select 3 answers
A. Trigger
B. A report schedule
C. Conditions
D. A dashboard visualization
E. Actions
Answers: A, C, E

Defines what event initiates the playbook.

Why this answer

A trigger is essential because it defines the event or condition that initiates the playbook execution. Without a trigger, the playbook has no starting point and cannot automate responses to detected incidents. In FortiAnalyzer, triggers can be based on log events, alerts, or scheduled intervals.

Exam trap

The trap here is that candidates often confuse 'report schedule' or 'dashboard visualization' as necessary components because they are common FortiAnalyzer features, but they are not part of the core playbook execution triad of trigger, conditions, and actions.

7
MCQ · medium

An administrator configures a new ADOM in FortiManager for a set of FortiGates. The administrator wants to assign meta fields to devices in this ADOM. Where should the meta fields be defined?

A. Policy & Objects -> Object configurations
B. Device Manager -> ADOM settings
C. System settings -> Admin
D. Global database objects
Answer: B

Meta fields are configured in ADOM settings under Device Manager.

Why this answer

Meta fields in FortiManager are defined at the ADOM level under Device Manager -> ADOM settings. This ensures that the custom fields are available for all devices within that specific ADOM, allowing consistent metadata assignment across managed FortiGates. Defining them elsewhere, such as in global database objects, would apply them globally rather than per-ADOM, which is not the administrator's intent.

Exam trap

The trap here is that candidates may confuse ADOM-specific settings with global database objects, assuming meta fields must be defined globally for consistency, but FortiManager requires them to be defined at the ADOM level to maintain isolation between administrative domains.

How to eliminate wrong answers

Option A is wrong because 'Policy & Objects -> Object configurations' is used for managing firewall policies and shared objects, not for defining device-level meta fields. Option C is wrong because 'System settings -> Admin' deals with administrative access and user permissions, not device metadata configuration. Option D is wrong because 'Global database objects' are shared across all ADOMs and would apply meta fields globally, whereas the requirement is to assign meta fields specifically to devices in a single ADOM.

8
Multi-Select · hard

A FortiGate admin configures inter-VDOM routing between VDOM-A and VDOM-B using a VDOM link. The admin wants traffic from VDOM-A to reach a server in VDOM-B. Which three configuration steps are required? (Choose three.)

Select 3 answers
A. Enable NAT on the VDOM link interface
B. Configure static routes pointing to the VDOM link interface on both VDOMs
C. Configure a firewall policy on VDOM-A allowing traffic to the VDOM link interface
D. Disable ARP on the VDOM link interfaces
E. Create a VDOM link and assign an interface to each VDOM
Answers: B, C, E

Routes are needed to direct traffic towards the other VDOM via the link.

Why this answer

Option B is correct because inter-VDOM routing via a VDOM link requires each VDOM to have a static route pointing to the VDOM link interface as the next hop. Without these routes, traffic from VDOM-A destined for a server in VDOM-B would have no path to the VDOM link, and the FortiGate would drop the packets. The static route ensures the firewall can forward traffic between the two VDOMs across the VDOM link.

Exam trap

The trap here is that candidates often assume VDOM links automatically route traffic between VDOMs, but they forget that each VDOM maintains its own independent routing table, so explicit static routes are mandatory for inter-VDOM communication.

9
MCQ · medium

An administrator creates a new VDOM and assigns interfaces. The VDOM is intended to operate in transparent mode. Which additional step is required?

A. Set the VDOM's mode to transparent under config system settings
B. Disable NAT on all policies
C. Configure a management IP for the VDOM
D. No additional steps; VDOMs default to transparent mode
Answer: A

The VDOM must be explicitly set to transparent mode.

Why this answer

A VDOM does not default to transparent mode; it must be explicitly configured. The command 'config system settings' with 'set vdom-type transparent' changes the VDOM's operational mode from the default NAT/route mode to transparent mode, which is required for the VDOM to function as a Layer 2 bridge.

Exam trap

The trap here is that candidates assume VDOMs default to transparent mode or that disabling NAT alone is sufficient, but FortiGate requires an explicit mode change via 'config system settings' to enable transparent operation.

How to eliminate wrong answers

Option B is wrong because disabling NAT on policies is a common practice in transparent mode but is not an additional step required to enable transparent mode; NAT is automatically unavailable in transparent mode. Option C is wrong because configuring a management IP is optional and only needed for administrative access, not to set the VDOM to transparent mode. Option D is wrong because VDOMs default to NAT/route mode, not transparent mode; an explicit configuration change is required.

10
MCQ · easy

A network administrator wants to delegate management of a specific VDOM to a junior administrator. The junior should be able to modify firewall policies and objects within that VDOM but not change system settings or other VDOMs. Which administrative access configuration meets this requirement?

A. Place the VDOM in transparent mode to allow full access
B. Create a RADIUS user that is assigned to the VDOM group
C. Use the management VDOM feature to assign the junior admin to the VDOM
D. Create a local user with an admin profile that has permissions for that VDOM only
Answer: D

Local users can be assigned profiles and restricted to specific VDOMs.

Why this answer

Option D is correct because FortiGate allows you to create a local user with an admin profile that has permissions scoped to a specific VDOM. By assigning the junior administrator to that VDOM-only profile, they can modify firewall policies and objects within that VDOM but cannot change system settings or access other VDOMs. This is the standard method for delegating VDOM-specific administrative access without granting global or multi-VDOM privileges.

Exam trap

The trap here is that candidates often confuse the management VDOM feature (which only handles management traffic routing) with VDOM-specific admin profiles, or assume that transparent mode or RADIUS group assignment inherently restricts permissions, when in fact only a properly scoped admin profile can enforce VDOM-level access control.

How to eliminate wrong answers

Option A is wrong because placing a VDOM in transparent mode changes its operational mode (layer 2 forwarding) and does not restrict administrative access; it still allows full access to the VDOM's configuration if the admin has appropriate permissions. Option B is wrong because a RADIUS user assigned to a VDOM group only controls authentication and group membership, not the specific permissions within a VDOM; the admin profile assigned to the user determines the actual access scope, and RADIUS alone does not restrict to a single VDOM. Option C is wrong because the management VDOM feature is used to centralize management traffic (e.g., SNMP, syslog) and does not delegate administrative permissions; it does not restrict a junior admin to a specific VDOM.

11
MCQ · medium

A company has two FortiGate firewalls in an HA active-passive cluster. They want to separate network traffic for different departments using VDOMs. After configuring VDOMs on both units, the HA status shows 'synchronized' but traffic for one VDOM is not passing through the active unit. What is the most likely cause?

A. The administrator account used to configure VDOMs lacks permission.
B. The HA mode must be active-active to use VDOMs.
C. A VDOM link is missing on the passive unit.
D. HA is not compatible with VDOMs.
Answer: C

VDOM links are not automatically synchronized; if the passive unit lacks a required VDOM link, traffic may not pass correctly.

Why this answer

In an HA active-passive cluster, VDOM configurations must be identical on both units for synchronization to be complete. A missing VDOM link on the passive unit means the inter-VDOM routing path is not fully replicated, so even though HA status shows 'synchronized' (which may only reflect global or non-VDOM-specific settings), traffic for that VDOM cannot be forwarded correctly by the active unit because the passive unit's configuration is incomplete, breaking the expected redundancy and traffic flow.

Exam trap

The trap here is that candidates assume 'synchronized' HA status guarantees full operational parity, but FortiGate's HA synchronization does not always replicate VDOM-specific link configurations, leading to a scenario where traffic fails despite a healthy HA state.

How to eliminate wrong answers

Option A is wrong because administrator permissions affect the ability to configure VDOMs, not the operational passing of traffic after configuration is complete; the HA status 'synchronized' indicates the configuration was applied successfully. Option B is wrong because VDOMs are fully supported in both active-active and active-passive HA modes; the mode does not determine VDOM functionality. Option D is wrong because HA is explicitly compatible with VDOMs; FortiGate supports VDOMs in HA clusters, and this is a documented feature.

12
MCQ · easy

What is the purpose of FortiAnalyzer in a Fortinet security fabric?

A. To provide sandboxing and advanced threat protection
B. To act as a network firewall and IPS
C. To collect and analyze logs, generate reports, and provide visibility into security events
D. To manage and deploy configurations to FortiGates
Answer: C

FortiAnalyzer aggregates logs from multiple devices.

Why this answer

FortiAnalyzer is the centralized logging and analytics platform within the Fortinet Security Fabric. It aggregates logs from FortiGate and other Fabric devices, correlates events, generates compliance reports, and provides a single-pane-of-glass view for security monitoring and forensic analysis. This directly supports visibility and reporting, not real-time threat prevention or configuration management.

Exam trap

The trap here is confusing FortiAnalyzer with FortiManager, as both are central management tools, but FortiAnalyzer focuses on log collection and reporting, while FortiManager handles configuration deployment and policy management.

How to eliminate wrong answers

Option A is wrong because sandboxing and advanced threat protection are functions of FortiSandbox, not FortiAnalyzer; FortiAnalyzer can integrate with FortiSandbox for log correlation but does not perform sandboxing itself. Option B is wrong because network firewall and IPS are core functions of FortiGate, not FortiAnalyzer; FortiAnalyzer is a log collector and analyzer, not an inline security device. Option D is wrong because managing and deploying configurations to FortiGates is the role of FortiManager, which uses the FortiGate API and policy packages; FortiAnalyzer has no configuration deployment capabilities.

13
MCQ · medium

An administrator configures a FortiGate with VDOMs and notices that the 'config vdom' command lists multiple VDOMs, but only one VDOM is shown in the 'show full-configuration' output. What is the most likely reason?

A. The administrator is in the context of a specific VDOM
B. The VDOMs are not properly synchronized
C. The VDOMs are not assigned any interfaces
D. The FortiGate is in transparent mode
Answer: A

In VDOM mode, 'show full-configuration' shows only the current VDOM's config. The admin must be in the root VDOM to see all VDOMs.

Why this answer

The 'config vdom' command lists all VDOMs configured on the FortiGate because it operates in the global context. However, 'show full-configuration' only displays the configuration of the current VDOM context. If the administrator is inside a specific VDOM (e.g., after executing 'config vdom' and 'edit <vdom-name>'), the output is scoped to that VDOM, not the global configuration.

This is a fundamental behavior of VDOM-based CLI navigation in FortiOS.

Exam trap

The trap here is that candidates assume 'config vdom' lists all VDOMs because they are all active, but they forget that 'show full-configuration' output is context-dependent and only reflects the current VDOM or global scope, not the entire device configuration.

How to eliminate wrong answers

Option B is wrong because VDOM synchronization is not relevant to CLI output scoping; synchronization affects configuration replication between HA members, not the visibility of VDOMs in 'show full-configuration'. Option C is wrong because unassigned interfaces do not prevent a VDOM from appearing in 'show full-configuration'; a VDOM without interfaces still has its own configuration block. Option D is wrong because transparent mode is a separate operational mode that does not affect VDOM listing or configuration display; a FortiGate in transparent mode can still have multiple VDOMs and the same CLI scoping rules apply.

14
MCQ · hard

An administrator runs `diagnose sys session filter dport 443` and sees: `proto=6 proto_state=01 duration=3600 expire=3599`. What does this indicate about the session?

A. The session is a UDP session
B. The session is in TIME_WAIT state
C. The session is in SYN_SENT state
D. The session is in ESTABLISHED state
Answer: D

TCP state 01 indicates ESTABLISHED.

Why this answer

The output shows `proto=6`, which indicates TCP (protocol 6). The `proto_state=01` corresponds to the TCP state for an established connection (ESTABLISHED). The `duration=3600` and `expire=3599` confirm the session has been active for 3600 seconds and will expire in 3599 seconds, which is typical for a long-lived established TCP session.

Therefore, option D is correct.

Exam trap

The trap here is that candidates may misinterpret `proto_state=01` as a connection setup state (like SYN_SENT) or confuse it with a UDP session, but the protocol number 6 and the specific state value 01 clearly indicate an established TCP session.

How to eliminate wrong answers

Option A is wrong because `proto=6` explicitly indicates TCP, not UDP (UDP uses protocol 17). Option B is wrong because `proto_state=01` represents the ESTABLISHED state, not TIME_WAIT (which would be a different state value, such as 11 in some implementations). Option C is wrong because `proto_state=01` is not SYN_SENT; SYN_SENT would typically be represented by a different state value (e.g., 02 in some Fortinet implementations) and would not have a duration of 3600 seconds, as SYN_SENT is a transient state.

15
MCQ · medium

An administrator wants to group firewall objects by department (e.g., Sales, Engineering) and easily filter them in FortiManager policy packages. Which feature should be used?

A. Tags in FortiGate
B. ADOM overrides
C. Meta fields
D. Policy package folders
Answer: C

Why this answer

Meta fields in FortiManager allow administrators to define custom attributes (e.g., Department) for firewall objects. These fields can then be used to group and filter objects within policy packages, enabling efficient management by department without requiring separate ADOMs or VDOMs.

Exam trap

The trap here is that candidates may confuse meta fields with FortiGate tags, but tags are device-local and not available for filtering in FortiManager policy packages, whereas meta fields are a FortiManager-specific feature designed for cross-device object grouping.

How to eliminate wrong answers

Option A is wrong because Tags in FortiGate are local to the FortiGate device and are not synchronized to FortiManager for filtering in policy packages; they are used for object categorization on the device itself. Option B is wrong because ADOM overrides are used to manage configuration differences across ADOMs, not to group or filter objects by custom attributes like department. Option D is wrong because Policy package folders organize policy packages themselves, not individual firewall objects within a package.

16
MCQ · easy

A FortiGate administrator needs to delegate firewall policy management to different teams for different departments. Each team should have full control over their policies but should not see or modify policies of other departments. Which feature allows this separation?

A. ADOMs in FortiAnalyzer
B. Policy packages in FortiManager
C. Security fabric tags
D. Administrative profiles (admin profiles) with restricted VDOM access
Answer: D

Admin profiles can be created that limit an administrator's access to specific VDOMs, providing the required separation.

Why this answer

Option D is correct because administrative profiles with restricted VDOM access allow a FortiGate administrator to assign specific VDOMs to different admin accounts. By creating separate VDOMs for each department and granting admin accounts access only to their respective VDOMs, each team can fully manage firewall policies within their VDOM without seeing or modifying policies in other VDOMs. This leverages FortiGate's VDOM-based multi-tenancy and role-based access control (RBAC) to enforce strict policy isolation.

Exam trap

The trap here is that candidates often confuse FortiManager's policy packages (Option B) as the solution for policy delegation, but FortiManager alone does not enforce visibility restrictions without ADOMs, and the question explicitly asks for a FortiGate feature, not a management platform feature.

How to eliminate wrong answers

Option A is wrong because ADOMs (Administrative Domains) are a FortiAnalyzer feature used to segregate log and report data, not to delegate firewall policy management on FortiGate. Option B is wrong because policy packages in FortiManager are used for centralized policy management and revision control, but they do not inherently prevent an administrator from seeing or modifying policies of other departments unless combined with ADOMs or admin profiles; the question specifically asks for a FortiGate feature, not FortiManager. Option C is wrong because security fabric tags are metadata labels used for grouping and automation within the Security Fabric, not for RBAC or policy isolation between administrative teams.

17
MCQ · easy

Which FortiManager feature allows an administrator to view the exact CLI commands that will be pushed to a managed FortiGate before installation?

A. Policy Check
B. Revision History
C. Device Manager Dashboard
D. Install Preview
Answer: D

Install Preview displays the CLI commands that will be pushed.

Why this answer

Install Preview is the correct answer because it allows an administrator to review the exact CLI commands that FortiManager will push to a managed FortiGate during the next installation. This feature provides a pre-installation view of the configuration changes, enabling verification before committing changes to the device.

Exam trap

The trap here is that candidates may confuse Install Preview with Revision History, thinking that viewing past configurations is the same as previewing pending changes, but Revision History only shows saved snapshots, not the upcoming installation script.

How to eliminate wrong answers

Option A is wrong because Policy Check is used to validate policy consistency and conflicts across FortiGates, not to preview CLI commands. Option B is wrong because Revision History stores previous configuration backups and allows rollback, but does not show the pending CLI commands for the next installation. Option C is wrong because the Device Manager Dashboard provides a summary view of device status and configuration, but does not display the exact CLI commands that will be pushed.

18
MCQ · hard

In a FortiManager deployment with global ADOM enabled, an administrator creates a firewall policy in the global ADOM. What is the effect of this policy on the per-ADOM devices?

A. The policy is used only if no per-ADOM policy exists with the same name
B. The policy is applied only to devices in the same ADOM as the global ADOM
C. The policy is ignored unless explicitly assigned to each ADOM
D. The policy is installed as a header policy on all managed FortiGates
Answer: D

Global policies are typically inserted as header policies in each device's policy list.

Why this answer

Global ADOM policies are pushed to all devices in all ADOMs unless a per-ADOM policy overrides them. The global policy is installed before per-ADOM policies.

19
Multi-Select · medium

An administrator is troubleshooting why a new firewall policy on a managed FortiGate is not taking effect. The policy was created in FortiManager and installed successfully. Which TWO steps should the administrator verify to identify the issue? (Select TWO.)

Select 2 answers
A. Reboot the FortiGate
B. Review the FortiGate's routing table
C. Check if the policy is disabled
D. Check the policy order in the policy list
E. Verify the FortiGate's HA status
Answers: C, D

A policy must be enabled to match traffic.

Why this answer

Option C is correct because a policy that is disabled in FortiManager will be installed to the managed FortiGate in a disabled state, meaning it will not process any traffic. The administrator must verify that the policy is enabled in FortiManager before or after installation, as a disabled policy is effectively inactive regardless of installation success.

Exam trap

The trap here is that candidates often assume a successful installation guarantees the policy is active, overlooking the disabled state or the impact of policy order on traffic matching.

20
Multi-Select · medium

A FortiGate administrator is setting up automation stitches in FortiManager to remediate threats. The stitch should run a CLI script on a managed FortiGate when a specific event is logged. Which THREE components must be configured in the automation stitch?

Select 3 answers
A. Trigger
B. Schedule
C. Conditions
D. Recovery action
E. Action (CLI script)
Answers: A, C, E

The trigger defines what event starts the automation. It is mandatory.

Why this answer

Option A is correct because an automation stitch in FortiManager requires a trigger to define the event that initiates the stitch. Without a trigger, the stitch has no starting condition and cannot execute. The trigger specifies the log event that, when matched, causes the stitch to run.

Exam trap

The trap here is that candidates often confuse the 'recovery action' (used for rollback in automation stitches) as a required component, but it is optional and only relevant when the stitch includes a recovery step; the three mandatory components are trigger, conditions, and action.

21
Multi-Select · medium

A FortiGate in HA mode has two VDOMs: VDOM1 and VDOM2. The administrator needs to ensure that if the active unit fails, the standby unit takes over with minimal disruption. Which TWO steps should be taken?

Select 2 answers
A. Enable session synchronization
B. Set the HA mode to active-active
C. Enable HA on each VDOM individually
D. Configure the same VDOMs on both units
E. Use VDOM link for inter-VDOM traffic
Answers: A, D

Session synchronization (set session-pickup enable under config system ha) replicates active sessions to the other member so they survive a failover.

Why this answer

Option A is correct because session synchronization ensures that stateful firewall sessions (e.g., TCP/UDP connections) are replicated from the active FortiGate to the standby unit. In HA active-passive mode, this allows the standby to seamlessly take over active sessions upon failover, minimizing disruption. Without session synchronization, all existing connections would be dropped and must be re-established.

Exam trap

The trap here is that candidates may think enabling HA on each VDOM individually is required (Option C), but FortiGate HA is a global feature that automatically synchronizes all VDOM configurations across cluster members, and per-VDOM HA configuration does not exist.

22
MCQeasy

In FortiAnalyzer, which tool provides real-time traffic monitoring and allows drilling down into details such as top talkers, applications, and threats?

A.Reports
B.Incidents
C.FortiView
D.Log Viewer
AnswerC

FortiView provides real-time dashboards and drill-down for traffic analysis.

Why this answer

FortiView in FortiAnalyzer provides real-time traffic monitoring with drill-down capabilities into top talkers, applications, and threats. It aggregates data from FortiGate logs and presents it in an interactive dashboard, allowing administrators to identify and investigate network anomalies instantly without generating reports.

Exam trap

The trap here is that candidates confuse the Log Viewer's ability to display logs in real time with FortiView's purpose-built aggregation and drill-down features, leading them to select Log Viewer instead of FortiView.

How to eliminate wrong answers

Option A is wrong because Reports in FortiAnalyzer are scheduled or on-demand summaries of historical data, not real-time monitoring tools. Option B is wrong because Incidents are correlated event groupings for security analysis, not a tool for live traffic inspection. Option D is wrong because Log Viewer displays raw log entries in a tabular format without real-time aggregation or drill-down into top talkers, applications, or threats.

23
MCQhard

During a security audit, it is found that traffic between two VDOMs is allowed even though no inter-VDOM routing policy is configured. The VDOMs are connected via a VDOM link. What could explain this behavior?

A.The FortiGate is in NAT mode
B.The VDOMs are in the same administrative domain
C.The VDOM link is using the same interface IP
D.The VDOM link is operating in transparent mode
AnswerD

In a transparent-mode VDOM the VDOM link carries frames at Layer 2, so no routes or Layer 3 inter-VDOM routing configuration are needed for traffic to cross it; the link is still subject to each VDOM's firewall policies.

Why this answer

A transparent-mode VDOM forwards by MAC address rather than by IP routing, so a VDOM link between two transparent VDOMs passes traffic without any static routes or routing policy in either VDOM. That is why the audit sees traffic flowing with no routing configuration: in transparent mode the absence of routing is expected, not a gap. What must still exist is a firewall policy in each VDOM that accepts traffic to and from the VDOM link interface, because the implicit deny applies in transparent mode exactly as it does in NAT mode; the audit should verify those policies next. Option A and Option B describe ordinary conditions that do not bypass anything, and Option C (the same IP on both ends of the link) would break communication rather than enable it.

24
MCQeasy

An administrator needs to isolate customer traffic in a FortiGate deployed at a service provider. Each customer should have independent administrators and security policies. Which feature should be used?

A.VLAN interfaces
B.Policy packages
C.Administrative domains (ADOMs)
D.Virtual domains (VDOMs)
AnswerD

VDOMs provide complete separation of management and traffic.

Why this answer

Virtual domains (VDOMs) allow a single FortiGate to be partitioned into multiple independent virtual firewalls, each with its own administrators, security policies, routing tables, and interfaces. This is the correct feature for isolating customer traffic at a service provider because it provides complete administrative and policy separation per customer, which VLAN interfaces alone cannot achieve.

Exam trap

The trap here is confusing VLAN interfaces (Layer 2 segmentation) with VDOMs (full virtual firewall instances), leading candidates to choose VLANs when the question explicitly requires independent administrators and security policies.

How to eliminate wrong answers

Option A is wrong because VLAN interfaces only provide Layer 2 segmentation of traffic on a physical port; they do not create independent administrative domains or separate security policy contexts. Option B is wrong because policy packages are a FortiManager construct for grouping the policies that are installed to a device or VDOM; they do not isolate administrators or provide independent routing and management on the FortiGate. Option C is wrong because administrative domains (ADOMs) are a FortiManager concept for managing multiple FortiGate devices centrally, not a feature on the FortiGate itself for local isolation.

25
MCQhard

A FortiGate in a multi-VDOM environment has a management VDOM (mgmt-vdom) and a traffic VDOM (corp-vdom). The admin wants to access the FortiGate GUI using IP 10.0.1.1 assigned to port1 in mgmt-vdom. However, the GUI is unreachable. The admin can SSH into mgmt-vdom. What is the most likely cause?

A.The admin must enable 'set allowaccess https' under the interface configuration
B.The management VDOM has an implicit deny policy blocking inbound HTTPS
C.The FortiGate is in transparent mode and requires a management IP
D.The traffic VDOM's routing table is incorrect
AnswerA

Administrative access to a FortiGate interface IP is controlled by that interface's allowaccess list (and, optionally, local-in policies), not by the VDOM's firewall policy table.

Why this answer

Management traffic addressed to a FortiGate interface IP is local-in traffic. It is accepted or rejected by the interface's administrative access list (set allowaccess ...) and by any local-in policies; the VDOM's firewall policies and their implicit deny apply only to traffic forwarded through the VDOM. SSH working while HTTPS fails on the same interface is the classic sign that port1's allowaccess includes ssh but not https. Note that set allowaccess replaces the whole list, so adding HTTPS means re-listing SSH and any other protocols that must stay enabled. Before looking elsewhere, also confirm the GUI port (admin-sport, default 443) and the admin account's trusted hosts, both of which can produce the same symptom.

Exam trap

The trap is assuming the implicit deny at the bottom of the policy list blocks everything, including connections to the FortiGate itself. Firewall policies govern transit traffic; traffic that terminates on the FortiGate is governed by allowaccess and local-in policies.

How to eliminate wrong answers

Option B is wrong because the implicit deny applies only to traffic passing through the VDOM, never to traffic destined for the FortiGate's own IP; no firewall policy is required for GUI or SSH access, and SSH working on the same interface confirms that policy is not what is blocking HTTPS. Option C is wrong because port1 carries an IP address in mgmt-vdom, so the VDOM is in NAT mode and the transparent-mode management IP does not apply. Option D is wrong because the connection terminates on port1 in mgmt-vdom; corp-vdom's routing table is never consulted for it.
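
The configuration that resolves the scenario above, written as an added example in FortiOS CLI (not taken from the page or from Fortinet documentation). It assumes multi-VDOM mode, the VDOM and interface names from the question, and a hypothetical management subnet 10.0.1.0/24; in multi-VDOM mode the interface block lives under config global, and the optional local-in policies live inside the VDOM:

```text
config global
    config system interface
        edit "port1"
            set vdom "mgmt-vdom"
            set ip 10.0.1.1 255.255.255.0
            # allowaccess replaces the list: re-list ssh or it is removed
            set allowaccess ping https ssh
        next
    end
    config system global
        # GUI listens here; browse to https://10.0.1.1:443
        set admin-sport 443
    end
end
# Optional hardening: restrict GUI/SSH on port1 to the management subnet.
# Local-in policies are evaluated before allowaccess-permitted services
# are accepted; with no matching policy the allowaccess list decides.
config vdom
    edit "mgmt-vdom"
        config firewall address
            edit "mgmt-hosts"
                set subnet 10.0.1.0 255.255.255.0
            next
        end
        config firewall local-in-policy
            edit 1
                set intf "port1"
                set srcaddr "mgmt-hosts"
                set dstaddr "all"
                set service "HTTPS" "SSH"
                set schedule "always"
                set action accept
            next
            edit 2
                set intf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set service "HTTPS" "SSH"
                set schedule "always"
                set action deny
            next
        end
    next
end
```

Verify with show system interface port1 (the allowaccess line must list https) and, if the GUI is still unreachable, diagnose sniffer packet port1 'tcp port 443' 4 to confirm the SYNs are arriving at all; a SYN that arrives with no reply points at allowaccess, the local-in policies or the admin's trusted hosts, never at the forward policy table.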

26
MCQeasy

A FortiGate administrator is designing a VDOM configuration for a multi-tenant environment. Each tenant requires its own routing table and firewall policies. Which VDOM type should be used for each tenant?

A.TP mode VDOM
B.Router mode VDOM
C.Transparent mode VDOM
D.NAT mode VDOM
AnswerD

NAT mode VDOM provides independent routing and policies.

Why this answer

In a multi-tenant VDOM environment where each tenant requires its own routing table and firewall policies, NAT mode VDOM (option D) is the correct choice because it operates as a Layer 3 routing entity with its own independent routing table, interfaces, and firewall policies. This mode allows each tenant VDOM to perform NAT, route between subnets, and enforce security policies autonomously, which is essential for tenant isolation and policy control.

Exam trap

The trap here is that candidates often confuse 'Router mode' (a non-existent term) with NAT mode, or assume Transparent mode can provide Layer 3 routing isolation, but only NAT mode VDOMs support independent routing tables and firewall policies for multi-tenant environments.

How to eliminate wrong answers

Option A is wrong because TP mode VDOM is just the abbreviation for Transparent mode (the same thing as Option C): a transparent VDOM does not maintain its own routing table; it forwards traffic at Layer 2 and relies on an external router for routing, making it unsuitable for tenants that need independent routing. Option B is wrong because 'Router mode VDOM' is not a FortiGate VDOM type; a VDOM operates in either NAT mode or Transparent mode, and Router mode is a misnomer that does not exist in FortiOS. Option C is wrong because a Transparent mode VDOM operates at Layer 2 without its own routing table, so it cannot give each tenant an independent routing table, which is a core requirement for multi-tenant routing isolation.

27
Drag & Dropmedium

Drag and drop the steps to configure a FortiGate to send logs to a FortiAnalyzer into the correct order.


Why this order

Add the FortiAnalyzer as the log device (enable logging and set its IP), authenticate the FortiGate with it (authorize the device on the FortiAnalyzer side), choose which log types to send, apply the log filters, then test connectivity and confirm that logs arrive.

28
Multi-Selectmedium

An administrator is configuring a new VDOM on a FortiGate and needs to ensure that certain system resources are isolated for that VDOM. Which TWO settings must be configured to achieve resource isolation?

Select 2 answers
A.Set disk quota
B.Set memory quota
C.Set CPU quota
D.Set bandwidth limit
E.Set session limit
AnswersA, E

Per-VDOM resource limits in FortiOS are set with config system vdom-property; the session count and the log disk quota are among the resources it caps.

Why this answer

FortiOS enforces VDOM resource isolation through global resource limits (config system resource-limits) and per-VDOM limits (config system vdom-property). The resources that can be limited per VDOM are counts and quotas: sessions (maximum and guaranteed), firewall policies, addresses and address groups, custom services and service groups, schedules, users and user groups, IPsec tunnels, SSL VPN connections, proxy sessions, and the log disk quota. Option E (session limit) and Option A (disk quota) are the two settings in the list that exist. There is no per-VDOM CPU or memory quota in FortiOS: all VDOMs share the same kernel, CPU and RAM, and the only protection against one VDOM starving the others is to cap what it may consume in sessions, objects and disk. Bandwidth limiting (Option D) is traffic shaping applied in policies or on interfaces, not a VDOM resource setting.

Exam trap

The trap is expecting hypervisor-style CPU and memory quotas per VDOM. A VDOM is not a virtual machine; it shares the system's CPU and memory, and isolation is enforced by session and object quotas, not by CPU or memory reservations.

29
Matchingmedium

Match each Fortinet component to its description.


Next-generation firewall

Centralized management platform

Logging and reporting server

Advanced threat detection and analysis

Web application firewall

Why these pairings

These are key products in the Fortinet Security Fabric.

30
MCQhard

A company has deployed two FortiGate-600Es in an active-passive HA cluster. The cluster is configured with three VDOMs: VDOM-A (corporate LAN), VDOM-B (guest Wi-Fi), and VDOM-C (DMZ). Each VDOM has its own set of interfaces and policies. The cluster is also configured to use FGCP with session pickup enabled. Recently, the network team noticed that after a failover event, some user sessions in VDOM-B are not being picked up, causing disruption for guest users. The session pickup feature is enabled globally. The administrator checks the configuration and finds the following settings on the primary FortiGate:

    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
    end
    config vdom
        edit VDOM-A
            config system ha
                set session-pickup enable
            end
        next
        edit VDOM-B
            config system ha
                set session-pickup disable
            end
        next
        edit VDOM-C
            config system ha
                set session-pickup enable
            end
        next

Based on this configuration, what is the most likely reason that sessions in VDOM-B are not being picked up?

A.The HA priority of the cluster is set too low, causing session pickup to fail for VDOM-B.
B.Session pickup for connectionless protocols is not enabled, so UDP sessions in VDOM-B are not picked up.
C.Session pickup is disabled specifically for VDOM-B in the per-VDOM HA configuration.
D.The interfaces assigned to VDOM-B do not have session pickup enabled.
AnswerC

The per-VDOM setting overrides the global setting, so session pickup is disabled for VDOM-B.

Why this answer

Option C is correct because the per-VDOM HA configuration for VDOM-B explicitly disables session pickup with 'set session-pickup disable'. Even though the global HA settings enable session pickup, the per-VDOM setting overrides the global setting for that VDOM. As a result, after a failover, sessions in VDOM-B are not synchronized to the standby FortiGate and are not picked up, causing disruption for guest users. Practitioner note: in shipping FortiOS, session-pickup is a global option under config system ha, and VDOMs are grouped into virtual clusters (config vcluster) rather than carrying their own HA block; the per-VDOM override in this exhibit is specific to the exam scenario, so on a real cluster check get system ha status and the global session-pickup setting instead.

Exam trap

The trap here is that candidates assume global session pickup settings apply uniformly to all VDOMs, overlooking that per-VDOM HA settings override the global configuration, which is a common misconfiguration in multi-VDOM HA deployments.

How to eliminate wrong answers

Option A is wrong because HA priority affects which unit becomes primary, not whether session pickup functions per VDOM; session pickup is controlled by explicit enable/disable settings, not priority. Option B is wrong because 'session-pickup-connectionless' is enabled globally, which would allow UDP and other connectionless sessions to be picked up, but this global setting is overridden by the per-VDOM disable for VDOM-B. Option D is wrong because session pickup is configured at the VDOM level, not per interface; interfaces inherit the VDOM's session pickup setting, so disabling it on the VDOM prevents pickup regardless of interface configuration.

31
MCQeasy

An administrator is reviewing the HA configuration shown in the exhibit. The primary unit has failed, and the secondary unit (with priority 100) has taken over. However, the administrator notices that the secondary unit has an IP address of 10.10.10.2 on port3, but cannot ping the management gateway 10.10.10.1. What is the most likely cause?

A.The HA management interface IP is not active on the secondary
B.The hbdev configuration is incorrect
C.The override setting is preventing the secondary from taking over management
D.session-pickup is not enabled
AnswerA

The HA reserved management interface is configured per member: its IP address and gateway are not synchronized, so the secondary's port3 setup must be completed and verified on the secondary itself.

Why this answer

When ha-mgmt-status is enabled, the reserved management interface (here port3) is excluded from normal HA behaviour: it keeps its own MAC address, and its IP address and the gateway set under config ha-mgmt-interfaces are not synchronized between members, so each unit must be configured individually. The secondary shows 10.10.10.2 on port3, but its reserved-interface configuration is incomplete or missing, so the unit has no usable management path to 10.10.10.1 even though it is now primary for traffic. Check on the secondary (for example through execute ha manage from the primary) that ha-mgmt-status is enabled, that port3 is listed under ha-mgmt-interfaces with the gateway 10.10.10.1, and that its own IP is set under config system interface.

Exam trap

The trap here is assuming the secondary inherits all of the primary's addressing after failover. The reserved management interface is deliberately left out of configuration synchronization so that each member stays reachable on its own address; that means each member must be configured, and verified, individually.

How to eliminate wrong answers

Option B is wrong because hbdev (heartbeat device) configuration affects HA heartbeat communication between units, not the activation of the management IP on the secondary after failover. Option C is wrong because the override setting controls whether a higher-priority unit can preempt the current primary after it recovers; it does not prevent the secondary from taking over management functions after the primary fails. Option D is wrong because session-pickup is a feature for synchronizing firewall sessions between HA members; it has no impact on whether the management interface IP is active on the secondary unit.
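
A reserved HA management interface configured the way the explanation above describes, as an added example (not from the page or from Fortinet documentation). It assumes the addressing from the question, a hypothetical heartbeat interface port4, and that the primary uses 10.10.10.3 on its own port3; in multi-VDOM mode these blocks are entered under config global:

```text
# Entered on EACH cluster member: the reserved interface's IP address and
# gateway are not synchronized by FGCP, only ha-mgmt-status and the list are.
config system ha
    set group-name "FGT-CLUSTER"
    set mode a-p
    set hbdev "port4" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 10.10.10.1
        next
    end
end
# Per-member address: 10.10.10.3 on the primary, 10.10.10.2 on the secondary
config system interface
    edit "port3"
        set ip 10.10.10.2 255.255.255.0
        set allowaccess ping https ssh
    next
end

# From the primary: list the members, then open a console session to the
# secondary (the index comes from the get output) and verify there.
get system ha status
execute ha manage 0 admin
show system ha
show system interface port3
execute ping 10.10.10.1
```

If execute ping from the secondary fails, compare its show system ha output with the primary's: a missing ha-mgmt-interfaces entry or gateway on the secondary is the usual finding, because it was configured on the primary once and never on the other member.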

32
Multi-Selecthard

A FortiGate is deployed in multi-VDOM mode. The administrator wants to use FortiAnalyzer to centralize logging from all VDOMs. Which THREE steps must be performed? (Choose three.)

Select 3 answers
A.Enable log forwarding on the management VDOM only
B.Ensure that the FortiAnalyzer can reach the FortiGate's management IP
C.Add the FortiGate as a device in FortiAnalyzer
D.Configure FortiAnalyzer settings in each VDOM to point to the FortiAnalyzer IP
E.Enable 'log-all-vdoms' feature on the FortiGate
AnswersB, C, D

In multi-VDOM mode the FortiAnalyzer connection is initiated by the FortiGate from the management VDOM; the device must be authorized on the FortiAnalyzer, and each VDOM's logging must be enabled, either through the global setting or through the VDOM's own override.

Why this answer

Option B is correct in the sense that the two must be able to reach each other: the FortiGate initiates the logging connection (OFTP, TCP port 514) from the management VDOM, so the FortiAnalyzer must be routable from that VDOM and the return traffic must reach the FortiGate's management IP. Option C is correct because the FortiAnalyzer only accepts logs from a device that has been authorized in its Device Manager. Option D is correct because, although config log fortianalyzer setting under config global applies to every VDOM by default, each VDOM must actually have logging enabled and can point elsewhere with config log fortianalyzer override-setting; a VDOM whose override targets a different server, or whose logging is disabled, sends nothing.

Exam trap

The trap here is that candidates assume a single switch such as 'log-all-vdoms' exists. It does not: logging is governed by the global FortiAnalyzer setting, which all VDOMs inherit unless a VDOM enables override-setting, together with the log filters that decide which log types are sent.
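
The full sequence from question 27 applied to the multi-VDOM case in question 32, as an added example in FortiOS CLI (not from the page or from Fortinet documentation). It assumes a hypothetical FortiAnalyzer at 192.0.2.50, a second collector at 192.0.2.51 for one tenant, and the VDOM name corp-vdom; the device still has to be authorized on the FortiAnalyzer under Device Manager before logs are accepted:

```text
config global
    # 1. Add the log device: this global setting is inherited by every VDOM
    config log fortianalyzer setting
        set status enable
        set server "192.0.2.50"
        set upload-option realtime
        set reliable enable
        set certificate-verification enable
    end
    # 2. Choose log types and severity to send
    config log fortianalyzer filter
        set severity information
        set forward-traffic enable
        set local-traffic enable
        set multicast-traffic disable
    end
end
# 3. A VDOM that must log elsewhere overrides the inherited server;
#    a VDOM with no override uses the global 192.0.2.50 automatically
config vdom
    edit "corp-vdom"
        config log fortianalyzer override-setting
            set override enable
            set status enable
            set server "192.0.2.51"
        end
        # 4. Test from inside the VDOM whose logging you are checking
        execute log fortianalyzer test-connectivity
        diagnose log test
    next
end
```

The test-connectivity output reports the registration state and the log-upload status; "not registered" means the authorization step on the FortiAnalyzer is still missing, while a refused connection means the reachability in option B is the problem. diagnose log test writes a set of sample log entries that should then appear in the FortiAnalyzer Log View for that device and VDOM.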

33
MCQhard

A FortiGate running FortiOS 7.2 has multiple VDOMs. The administrator notices that inter-VDOM routing between two VDOMs is not working. Configuration shows a firewall policy allowing the traffic, and the route table shows routes to the destination VDOM. What additional configuration is required?

A.Configure a static route with a gateway IP in the destination VDOM
B.Create a VDOM link interface pair and assign them to the respective VDOMs
C.Assign an IP address to the VLAN interface on the source VDOM
D.Enable 'inter-vdom' under config system global
AnswerB

Inter-VDOM routing requires a VDOM link (logical interface pair) connecting the VDOMs.

Why this answer

Inter-VDOM routing requires a VDOM link, which is a pair of logical interfaces (one in each VDOM) that are directly connected. Without this link, the VDOMs cannot exchange traffic even if firewall policies and routes exist, because they operate as separate virtual firewalls with isolated forwarding tables.

Exam trap

The trap here is that candidates assume a firewall policy and routes are sufficient for inter-VDOM traffic, overlooking the mandatory VDOM link interface pair that provides the actual Layer 3 adjacency between the VDOMs.

How to eliminate wrong answers

Option A is wrong because a static route with a gateway IP in the destination VDOM is not possible; the gateway must be reachable via an interface that belongs to the source VDOM, and inter-VDOM routing requires a direct link (VDOM link) rather than a next-hop in another VDOM. Option C is wrong because assigning an IP to a VLAN interface on the source VDOM does not create a path to the destination VDOM; VLAN interfaces are used for Layer 2 segmentation within a single VDOM, not for inter-VDOM connectivity. Option D is wrong because there is no 'inter-vdom' toggle under config system global; inter-VDOM routing is enabled by default when VDOMs are enabled, and the missing piece is the VDOM link interface pair, not a global setting.

34
MCQhard

A FortiGate administrator configures a VDOM with a limit on the number of firewall policies. The VDOM has 200 policies, and the limit is set to 250. The administrator attempts to add a new policy but receives an error indicating the limit has been reached. What is the MOST likely reason?

A.The administrator must reboot the FortiGate for the limit to take effect
B.The limit includes IPv4, IPv6, and other policy types
C.The VDOM has reached the maximum number of objects, not policies
D.The limit is per VDOM and cannot be changed
AnswerB

VDOM policy limits apply to the total number of policies across all types (IPv4, IPv6, etc.). If 200 IPv4 policies exist, plus IPv6 policies, the total may exceed 250.

Why this answer

The VDOM's firewall-policy quota (set firewall-policy under config system vdom-property) counts every firewall policy in the VDOM regardless of address family, so IPv4 and IPv6 policies are added together against the same limit. Even if the administrator has only 200 IPv4 policies, the IPv6 policies may already bring the total to 250, which is why the error appears while the IPv4 count alone looks like it still has room.

Exam trap

The trap here is that candidates assume the limit counts IPv4 firewall policies only; FortiGate counts IPv4 and IPv6 policies against the same quota, which leads them to choose an incorrect answer such as C or D.

How to eliminate wrong answers

Option A is wrong because policy limits take effect immediately without a reboot; FortiGate enforces the quota at the moment a policy is created. Option C is wrong because the error specifically references the policy limit, not an object limit; FortiGate keeps separate quotas for objects (addresses, services, schedules) and for policies, and an exhausted object quota produces a different message. Option D is wrong because the limit is per VDOM and adjustable: under config global, config system vdom-property, edit the VDOM and set firewall-policy <maximum> <guaranteed>; it is bounded only by the global value in config system resource-limits.
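
The per-VDOM quotas discussed in questions 28 and 34, as an added example in FortiOS CLI (not from the page or from Fortinet documentation). It assumes a hypothetical tenant VDOM named tenant-a and illustrative numbers; each counted resource takes a maximum followed by a guaranteed value, and 0 for the guarantee means no reservation:

```text
config global
    # Pool that all VDOMs share; a VDOM maximum cannot exceed these
    config system resource-limits
        set session 500000
        set firewall-policy 10000
    end
    # Per-VDOM caps: "<maximum> <guaranteed>" for the counted resources.
    # There is no cpu or memory entry here: those are shared by all VDOMs.
    config system vdom-property
        edit "tenant-a"
            set session 20000 5000
            set firewall-policy 250 0
            set firewall-address 2000 0
            set user 200 0
            set log-disk-quota 1024
        next
    end
end
# Review what is configured
show system vdom-property
# Inside the VDOM: current session usage against the cap above
config vdom
    edit "tenant-a"
        diagnose sys session stat
        show firewall policy
    next
end
```

When the policy quota error from question 34 appears, the count that matters is the number of edit entries in show firewall policy for that VDOM, IPv4 and IPv6 together, compared with the firewall-policy maximum in show system vdom-property; raise the maximum or retire unused policies, and keep the sum of all VDOM maximums within the resource-limits pool.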

35
MCQhard

A FortiGate HA cluster is configured with two units in active-passive mode. The administrator needs to perform a firmware upgrade on the cluster with minimal downtime. The current firmware version is 7.2.5 and the target is 7.2.7. The cluster uses FGCP with session synchronization enabled. Which procedure should the administrator follow?

A.Upgrade only the primary unit and let the secondary synchronize automatically
B.Disable HA, upgrade both units, then re-enable HA
C.Upgrade both units at the same time by connecting to each via console
D.Upgrade the passive unit first, perform a graceful failover, then upgrade the new passive unit
AnswerD

This procedure ensures minimal downtime and maintains session synchronization.

Why this answer

Option D is correct because it follows the recommended upgrade procedure for an active-passive FGCP cluster with session synchronization. By upgrading the passive unit first, then performing a graceful failover (which preserves existing sessions via FGCP session sync), and finally upgrading the new passive unit, the administrator ensures that the cluster remains operational throughout the process with minimal traffic disruption. This method avoids a full cluster outage and maintains session continuity.

Exam trap

The trap here is treating firmware like configuration. FGCP synchronizes configuration and session state, not firmware images; a cluster is upgraded member by member, and the cluster's uninterruptible upgrade (set uninterruptable-upgrade enable under config system ha, the default) automates exactly the order in Option D.

How to eliminate wrong answers

Option A is wrong because the secondary does not 'synchronize' firmware from the primary the way it synchronizes configuration; a cluster upgrade is a sequence (secondary first, failover, then the former primary), which is the procedure in Option D, and a primary upgraded in isolation would leave the members on different versions and out of sync. Option B is wrong because disabling HA removes redundancy and causes a full traffic outage during the upgrade, which contradicts the goal of minimal downtime. Option C is wrong because upgrading both units at the same time reboots both at once, dropping every session and leaving no member to carry traffic during the reboot.
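
The procedure in Option D as it is actually carried out on an FGCP cluster, as an added example in FortiOS CLI (not from the page or from Fortinet documentation). It assumes a hypothetical TFTP server at 192.0.2.10 and uses a placeholder for the image file name; with uninterruptible upgrade enabled, loading the image once on the primary makes the cluster upgrade the secondary, fail over to it, and then upgrade the former primary:

```text
# 1. Confirm both members are healthy and in sync before starting
get system ha status
diagnose sys ha checksum cluster
# 2. Make sure the in-service upgrade sequence is on (enabled by default)
config system ha
    set uninterruptable-upgrade enable
end
# 3. Load the 7.2.7 image on the primary; the cluster performs
#    secondary upgrade -> failover -> former-primary upgrade
execute restore image tftp <FortiOS-7.2.7-image.out> 192.0.2.10
# 4. After both members have rebooted, verify version and sync state
get system status
get system ha status
diagnose sys ha checksum cluster
```

If override is disabled and priorities are equal, the member with the longest uptime wins the election after the upgrade; diagnose sys ha reset-uptime on the current primary forces a graceful failover back to the preferred unit once both members are on 7.2.7 and the checksums match.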

36
MCQeasy

A network administrator wants to logically separate two departments on a single FortiGate. Each department must have its own firewall policies, routing table, and administrators. Which feature should be used?

A.Virtual Domains (VDOMs)
B.Policy Packages
C.Administrative Domains (ADOMs)
D.VLANs
AnswerA

VDOMs create separate virtual firewalls within a single chassis.

Why this answer

Virtual Domains (VDOMs) allow a single FortiGate to be partitioned into multiple independent virtual firewalls, each with its own firewall policies, routing table, and administrative access. This meets the requirement for logical separation of departments with isolated policy and routing domains.

Exam trap

The trap here is confusing VLANs with VDOMs: VLANs segment Layer 2 traffic but do not provide independent routing tables or administrative domains, so candidates often pick VLANs when the question explicitly requires separate routing and administrators.

How to eliminate wrong answers

Option B is wrong because Policy Packages are a FortiManager construct for grouping the policies that are installed to a device or VDOM; they do not provide separate routing tables or independent administrators on the FortiGate. Option C is wrong because Administrative Domains (ADOMs) are a FortiManager concept for managing multiple FortiGates or VDOMs, not a feature on a single FortiGate for local separation. Option D is wrong because VLANs operate at Layer 2 to segment broadcast domains and require a Layer 3 interface or VDOM to enforce separate routing tables and firewall policies; they do not inherently provide independent routing or administrative isolation.

37
MCQhard

A FortiGate VDOM is configured with a WAN interface (port1) and LAN interface (internal). The admin creates a policy allowing HTTP from internal to WAN with an antivirus profile applied. Users report that HTTP throughput is very slow. The admin checks the session table and sees many sessions with state 11 (TCP_CLOSE_WAIT). What is causing the performance issue?

A.The antivirus profile is performing file scanning, causing delays
B.The policy is missing a timeout setting for TCP half-close
C.The HTTP server is not properly closing connections, and the FortiGate is waiting for FIN from client
D.The FortiGate is using proxy-based inspection, which delays session closure
AnswerC

CLOSE_WAIT means the server has closed the connection (FIN received) but the client hasn't. The FortiGate waits for the client's FIN and holds the session.

Why this answer

State 11 (TCP_CLOSE_WAIT) indicates that the FortiGate has received a FIN from the server (WAN side) and is waiting for a FIN from the client (internal side) to complete the TCP connection closure. When the HTTP server does not properly close connections, the FortiGate holds these sessions open, consuming session table resources and causing performance degradation. The antivirus profile is not the direct cause; the issue is the accumulation of sessions stuck in CLOSE_WAIT due to incomplete TCP teardown.

Exam trap

The trap here is that candidates often attribute slow throughput to antivirus scanning (Option A) or proxy inspection (Option D), but the session state TCP_CLOSE_WAIT directly points to a TCP closure problem, not a content inspection issue.

How to eliminate wrong answers

Option A is wrong because antivirus scanning can add latency but does not leave sessions in TCP_CLOSE_WAIT; that state belongs to TCP teardown, not to content inspection. Option B is wrong because the half-close timer is not a policy setting: it is the global tcp-halfclose-timer under config system global (default 120 seconds), and a session leaves CLOSE_WAIT when that timer expires or when the client finally sends its FIN. Shortening the timer limits how long stuck sessions occupy the table, but the root cause is the server's teardown behaviour. Option D is wrong because proxy-based inspection changes how the FortiGate handles the session but does not cause sessions to stay in CLOSE_WAIT; CLOSE_WAIT is a standard TCP state meaning the device is waiting for the client to close, regardless of inspection mode.
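
The checks a practitioner would run to confirm the diagnosis above, as an added example in FortiOS CLI (not from the page or from Fortinet documentation). It assumes the VDOM is named corp-vdom and that HTTP on port 80 is the affected traffic; in multi-VDOM mode the session commands run inside the VDOM and the timer is set under config global:

```text
config vdom
    edit "corp-vdom"
        # Narrow the session list to TCP/80 so the stuck sessions stand out
        diagnose sys session filter clear
        diagnose sys session filter proto 6
        diagnose sys session filter dport 80
        diagnose sys session list
        # Table-wide counts: a high total relative to the VDOM's session
        # quota confirms the accumulation, independent of any AV profile
        diagnose sys session stat
    next
end
config global
    config system global
        # Age out half-closed sessions after 60 s instead of the default 120 s
        set tcp-halfclose-timer 60
    end
end
```

In the session list, each entry's proto_state field shows the TCP state the FortiGate tracks for it and the expire field shows how many seconds remain before it is cleared; a large population of entries that share the same server address and never reach expiry 0 until the half-close timer runs out is the signature of a server that is not completing its side of the teardown, and the fix belongs on that server, with the timer change as a mitigation only.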

38
MCQhard

An administrator configures a multi-VDOM FortiGate in transparent mode. The admin notices that the management IP is reachable from both interfaces, but traffic passing through the device is not being inspected. What is the likely issue?

A.Inter-VDOM routing is misconfigured
B.The VDOM is in transparent mode, but no firewall policy is applied to the traffic
C.The FortiGate needs a default route
D.The management IP is assigned to the wrong VDOM
AnswerB

In transparent mode, traffic is bridged by default; policies must be created to inspect traffic.

Why this answer

In transparent mode, a FortiGate acts as a Layer 2 bridge, and traffic passing through the device is controlled by firewall policies, not by routing. Even though the management IP is reachable (because it is a separate IP on the bridge interface), no traffic inspection occurs unless an explicit firewall policy is configured to allow and inspect the traffic between the bridge interfaces. Option B correctly identifies that the missing firewall policy is the root cause.

Exam trap

The trap here is that candidates assume transparent mode automatically inspects all traffic or that management IP reachability implies full functionality, but in reality, a firewall policy is mandatory for traffic inspection even in Layer 2 mode.

How to eliminate wrong answers

Option A is wrong because the traffic in question stays inside one transparent VDOM: it is transit traffic across that VDOM's bridge, not traffic between VDOMs, so inter-VDOM routing is not involved. Option C is wrong because a default route serves traffic originating from the FortiGate itself (management and logging), not transit traffic passing through a transparent VDOM; transit traffic is bridged and does not consult the routing table. Option D is wrong because the management IP being reachable from both interfaces shows it is correctly assigned to the VDOM; the problem is the lack of a firewall policy to inspect transit traffic, not a misassignment of the management IP.
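
A transparent-mode VDOM with the policy that questions 23 and 38 say is still required, as an added example in FortiOS CLI (not from the page or from Fortinet documentation). It assumes a hypothetical VDOM tp-vdom bridging port5 (inside) and port6 (outside), a management IP 10.0.1.20/24 with gateway 10.0.1.1, and the built-in default antivirus and certificate-inspection profiles:

```text
config global
    config system interface
        edit "port5"
            set vdom "tp-vdom"
        next
        edit "port6"
            set vdom "tp-vdom"
        next
    end
end
config vdom
    edit "tp-vdom"
        # Layer 2 forwarding: no routes are needed for transit traffic
        config system settings
            set opmode transparent
            set manageip 10.0.1.20/24
            set gateway 10.0.1.1
        end
        # The implicit deny still applies: without this policy frames from
        # port5 to port6 are dropped, and with it they are inspected
        config firewall policy
            edit 1
                set name "inside-to-outside"
                set srcintf "port5"
                set dstintf "port6"
                set srcaddr "all"
                set dstaddr "all"
                set schedule "always"
                set service "ALL"
                set action accept
                set utm-status enable
                set av-profile "default"
                set ssl-ssh-profile "certificate-inspection"
                set logtraffic all
            next
        end
    next
end
```

Sessions initiated from the outside need their own port6-to-port5 policy; reply traffic for inside-initiated sessions is matched statefully and does not. The management IP answers on both bridge ports because it belongs to the bridge, which is why its reachability says nothing about whether transit traffic is being inspected.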

39
MCQhard

An administrator configures inter-VDOM routing between VDOM-A and VDOM-B using a VDOM link. The default route in VDOM-A points to a next-hop router, and VDOM-B has a static route to a subnet behind VDOM-A. Users in VDOM-B cannot reach that subnet. The administrator runs 'diagnose ip route list' in both VDOMs and sees the routes are present. What is the most likely cause?

A.The VDOM link MTU is too small for the traffic
B.The VDOM link interfaces are administratively down
C.Firewall policies are missing on the VDOMs to permit traffic between the VDOM link and the destination interfaces
D.The VDOMs are in different administrative domains (ADOMs) on FortiManager
AnswerC

Routing decides where a packet goes; a firewall policy in each VDOM decides whether it is allowed to go there. A VDOM link is an interface pair, and both VDOMs need policies that reference their own end of it.

Why this answer

Even though the routes are present in both VDOMs, inter-VDOM routing via a VDOM link requires explicit firewall policies on each VDOM to permit traffic between the VDOM link interface and the destination interface. Without these policies, the FortiGate drops the traffic at the firewall layer, even though the routing table is correct. This is a common misconfiguration because VDOM links behave like physical interfaces and are subject to firewall policy enforcement.

Exam trap

The trap here is that candidates assume that because routes are present and the VDOM link is up, traffic should flow automatically, forgetting that FortiGate enforces firewall policies even for inter-VDOM traffic.

How to eliminate wrong answers

Option A is wrong because an MTU mismatch would cause fragmentation issues or packet drops, but the routes would still be present and the administrator would typically see ICMP fragmentation-needed messages or packet loss, not a complete inability to reach the subnet. Option B is wrong because if the VDOM link interfaces were administratively down, the routes would not appear in the routing table (the interface would be down, making the next-hop unreachable), and the administrator would see the interfaces in a 'down' state. Option D is wrong because ADOMs on FortiManager are a management-plane concept that controls visibility and administrative access, not data-plane forwarding; inter-VDOM routing is handled locally on the FortiGate and is unaffected by FortiManager ADOM configuration.

40
Multi-Selecteasy

An administrator is troubleshooting why a FortiAnalyzer report is not showing expected data. Which TWO potential causes should the administrator investigate?

Select 2 answers
A.The log data is in a different datastore than the one configured for the report
B.The report schedule is not set
C.The FortiAnalyzer is in a different ADOM
D.The FortiGate is not configured to send logs to FortiAnalyzer
E.The FortiAnalyzer license has expired
AnswersA, D

A report only shows what lies inside its data scope (ADOM, selected devices, time period), and only if the FortiGate is actually sending logs.

Why this answer

Option A is correct because a FortiAnalyzer report runs against a defined data scope: the ADOM the report belongs to, the devices or device group selected in the report settings, and the report's time period. If the logs arrived under a different ADOM, or from a device the report is not scoped to, the report is empty even though the data is on the box. Option D is correct because the most basic failure is that nothing was ever sent: a FortiGate whose FortiAnalyzer logging is disabled, misconfigured or not authorized on the FortiAnalyzer produces no data to report on. Check Log View for the device first; if the raw logs are not there, the problem is upstream of the report.

Exam trap

The trap here is that candidates often confuse ADOMs with datastores, assuming an ADOM mismatch would block data, when in fact ADOMs only affect administrative visibility, not the underlying log storage or report query scope.

41
MCQ · hard

An administrator configures automation stitches on FortiManager to trigger a script when a specific event log is received. The script should block the source IP on the firewall. However, the script does not run when the event occurs. What is a likely cause?

A. The event handler filter does not match the log
B. The FortiGate is in transparent mode
C. The script is not compiled
D. The script is set to run on all managed devices
Answer: A

Correct.

Why this answer

Option A is correct because automation stitches on FortiManager rely on event handler filters to match specific log IDs or patterns. If the filter does not match the incoming event log (e.g., wrong log ID, incorrect field value, or mismatched severity), the trigger condition is never met, and the script will not execute. This is the most common misconfiguration when setting up event-driven automation.

Exam trap

The trap here is that candidates may assume the script itself has a syntax error or that transparent mode disables automation, but the real issue is almost always a filter mismatch in the event handler configuration.

How to eliminate wrong answers

Option B is wrong because FortiGate transparent mode does not prevent automation stitches from running; the script execution is independent of the firewall's operational mode. Option C is wrong because FortiManager scripts are interpreted, not compiled, so there is no compilation step required. Option D is wrong because setting the script to run on all managed devices would not prevent it from running; it would simply apply the script to every device, which could cause unintended behavior but does not block execution.

42
MCQ · easy

What is the purpose of header and footer policies in a FortiManager policy package?

A. They are used for VDOM-specific policies that cannot be modified
B. They provide a way to group policies for reporting purposes
C. They define policies that are placed at the top (header) and bottom (footer) of the policy list when applied to a FortiGate
D. They allow policy packages to be installed in a specific sequence
Answer: C

Header policies are evaluated first, footer policies last, regardless of other policies.

Why this answer

Header and footer policies in FortiManager policy packages allow administrators to define policies that are automatically placed at the very top (header) and very bottom (footer) of the policy list when the package is installed on a FortiGate. This ensures that critical policies, such as default deny rules or inter-VDOM links, remain in a fixed position regardless of other policy changes. This mechanism is essential for maintaining a consistent security posture across managed FortiGates.

Exam trap

The trap here is that candidates often confuse header/footer policies with VDOM-specific policies or policy grouping, when in fact they are specifically designed to enforce a fixed policy order at the top and bottom of the policy list.

How to eliminate wrong answers

Option A is wrong because header and footer policies are not VDOM-specific; they are part of the policy package and can be modified like any other policy. Option B is wrong because header and footer policies are not used for grouping policies for reporting; reporting groups are handled via policy tags or separate grouping features. Option D is wrong because header and footer policies do not control the installation sequence of policy packages; installation sequence is managed by the 'Installation Order' setting in FortiManager, not by header/footer policies.

43
MCQ · easy

What is the primary purpose of an administrative VDOM on a FortiGate?

A. To enable transparent mode operation
B. To increase the maximum number of firewall policies
C. To provide independent management and administrative access for different tenants or departments
D. To route traffic between different VDOMs
Answer: C

Why this answer

An administrative VDOM on a FortiGate provides independent management and administrative access for different tenants or departments. Each administrative VDOM has its own administrator accounts, authentication settings, and management interfaces (HTTPS, SSH, SNMP), allowing multi-tenant isolation without requiring separate physical firewalls. This is distinct from traffic-forwarding VDOMs, which handle data plane operations.

Exam trap

The trap here is confusing the management-plane isolation of an administrative VDOM with data-plane functions like inter-VDOM routing or transparent mode, leading candidates to select options that describe traffic forwarding or operational modes instead of administrative separation.

How to eliminate wrong answers

Option A is wrong because transparent mode operation is a per-VDOM setting (config system vdom edit <vdom> set mode transparent), not a purpose of an administrative VDOM; administrative VDOMs can operate in either transparent or NAT mode. Option B is wrong because the maximum number of firewall policies is limited by the FortiGate model and total VDOM resources, not by the presence of an administrative VDOM; an administrative VDOM does not increase policy limits. Option D is wrong because routing traffic between different VDOMs is accomplished via inter-VDOM links (config system vdom-link) or VDOM peering, not by an administrative VDOM, which is solely for management plane separation.

44
MCQ · easy

Which FortiAnalyzer feature allows administrators to create automated response actions triggered by specific log events, such as blocking an IP address when an intrusion is detected?

A. FortiView
B. Reports
C. Incidents
D. Playbooks
Answer: D

Playbooks automate response actions based on triggers.

Why this answer

Playbooks in FortiAnalyzer define automated workflows triggered by events, enabling actions like blocking IPs via FortiGate API calls.

45
MCQ · medium

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

A. The session has expired and is being removed
B. A UDP session on port 443 is being blocked
C. The firewall policy is incorrectly configured
D. A TCP session on port 443 has been active for 1 hour and will expire in 3599 seconds
Answer: D

The session is established: proto_state 01 is the TCP established state.

Why this answer

Option D is correct because the output shows a TCP session (proto=6) on port 443 with a duration of 3600 seconds (1 hour) and an expire value of 3599 seconds, meaning the session has been active for 1 hour and will expire in 3599 seconds. The 'proto=6' indicates TCP, and 'proto_state=01' is the TCP established state, confirming an active TCP session.

Exam trap

The trap here is that candidates may misinterpret 'expire=3599' as the session expiring soon or already expired, when in fact it indicates the remaining time before timeout, and the session is still active with a duration of 3600 seconds.

How to eliminate wrong answers

Option A is wrong because the expire value of 3599 seconds indicates the session is still active and will expire in the future, not that it has expired and is being removed. Option B is wrong because proto=6 indicates TCP, not UDP, and the session is not being blocked; it is active. Option C is wrong because the output does not provide any information about firewall policy configuration; it only shows session state and timing details.

46
MCQ · medium

An administrator wants to use FortiManager to deploy a common set of firewall rules to all VDOMs on a single FortiGate. The rules will be the same except for the source and destination addresses, which differ per VDOM. What FortiManager feature allows the administrator to reuse a policy package and customize per-VDOM objects?

A. Policy package header/footer
B. Automation stitches
C. Global ADOM
D. Meta fields
Answer: D

Meta fields act as variables that can be populated per-device, allowing a common policy package to be installed with different object values.

Why this answer

Meta fields in FortiManager allow you to define custom variables that can be assigned to managed devices or VDOMs. When a policy package is installed, these meta fields are substituted with the per-VDOM values, enabling the reuse of a single policy package with different source and destination addresses for each VDOM. This avoids the need to create separate policy packages for each VDOM.

Exam trap

The trap here is that candidates confuse Global ADOM with meta fields, thinking that global objects can be used to achieve per-VDOM customization, but Global ADOM only provides shared objects without variable substitution, whereas meta fields enable true per-VDOM customization within a single policy package.

How to eliminate wrong answers

Option A is wrong because policy package header/footer is used to add common configuration lines at the beginning or end of the policy package, not to customize per-VDOM objects like addresses. Option B is wrong because automation stitches are used to automate responses to events (e.g., logging, script execution), not for policy package reuse or object customization. Option C is wrong because a Global ADOM is used to manage global objects shared across multiple ADOMs, but it does not provide per-VDOM variable substitution within a single policy package.

47
MCQ · medium

An enterprise FortiGate has multiple VDOMs. The administrator wants to allow traffic from VDOM A to reach servers in VDOM B without traversing an external router. Which configuration is required?

A. Place both VDOMs in the same VDOM group
B. Configure a static route in each VDOM pointing to the other VDOM's management IP
C. Create an inter-VDOM link using the 'config system interface' command with type 'vdom-link'
D. Enable VDOM forwarding in global settings
Answer: C

This creates a direct link between VDOMs, allowing routed traffic with firewall policies.

Why this answer

Option C is correct because inter-VDOM links are the native FortiGate mechanism for routing traffic between VDOMs without external hardware. Created via 'config system interface' with type 'vdom-link', they act as a direct Layer 3 connection between VDOMs, allowing traffic to flow internally through the FortiGate's backplane. This avoids the need for an external router or physical cabling.

Exam trap

The trap here is that candidates often confuse enabling VDOM forwarding (a global toggle) with creating the actual inter-VDOM link, assuming the toggle alone allows traffic to flow between VDOMs without an explicit interface configuration.

How to eliminate wrong answers

Option A is wrong because VDOM groups are used for administrative grouping or shared resources (like VDOMs in a security fabric), not for enabling Layer 3 traffic forwarding between VDOMs. Option B is wrong because static routes pointing to a VDOM's management IP would only reach the management interface, not forward data traffic to the other VDOM's networks; management IPs are not used for data-plane forwarding. Option D is wrong because VDOM forwarding (enabled via 'config system global' with 'vdom-forward') controls whether the FortiGate can forward traffic between VDOMs at all, but it does not create the actual link or interface needed for inter-VDOM communication; an inter-VDOM link is still required.

48
Multi-Select · hard

An administrator is configuring FortiManager to manage a multi-VDOM FortiGate. The administrator wants to ensure that policy changes are not accidentally applied without review. Which THREE measures should be taken? (Choose three.)

Select 3 answers
A. Use the same password for all devices
B. Configure meta fields to track device location
C. Use install preview to review changes before deploying
D. Disable automatic policy installation
E. Enable ADOM locking to prevent concurrent modifications
Answers: C, D, E

Install preview shows the exact configuration changes that will be applied, allowing review.

Why this answer

To prevent accidental deployment, the administrator should use revision history to track changes, enable install preview to review changes before applying, and use ADOM locking to prevent multiple administrators from making concurrent changes. These features provide control and visibility.

49
Multi-Select · hard

A FortiGate administrator uses FortiManager automation stitches to respond to a security incident. Which THREE components must be defined in an automation stitch? (Choose THREE.)

Select 3 answers
A. Trigger condition (e.g., an event or log)
B. A report template
C. A schedule for the stitch to run
D. Target devices (e.g., specific FortiGates)
E. Action (e.g., execute a CLI command, send email)
Answers: A, D, E

The trigger defines when the stitch runs.

Why this answer

Option A is correct because an automation stitch in FortiManager requires a trigger condition to define when the stitch should be activated. The trigger can be based on specific events, such as a log matching a predefined pattern or a FortiGate incident, which initiates the automated response workflow.

Exam trap

The trap here is that candidates often confuse automation stitches with scheduled tasks or report generation, mistakenly assuming that a schedule or report template is required, when in fact stitches are purely event-driven and require only a trigger, action, and target devices.

50
MCQ · easy

In a multi-VDOM deployment, an administrator needs to centralize logging for all VDOMs. Which FortiGate feature should be used to send logs to a central FortiAnalyzer?

A. FortiGate Cloud
B. Global log settings
C. Syslog server
D. Log configuration under each VDOM's settings
Answer: D

Each VDOM can independently send logs to FortiAnalyzer using the 'config log fortianalyzer setting' commands within the VDOM.

Why this answer

Option D is correct because in a multi-VDOM FortiGate deployment, each VDOM operates as an independent virtual firewall with its own log settings. To centralize logging to a FortiAnalyzer, you must configure the log settings individually under each VDOM, specifying the FortiAnalyzer as the log destination. This ensures that logs from all VDOMs are forwarded to the central FortiAnalyzer, as global log settings do not apply across VDOMs.

Exam trap

The trap here is that candidates assume global log settings apply to all VDOMs, but FortiGate treats each VDOM as an independent firewall with its own log configuration, so logging to FortiAnalyzer must be set per VDOM.

How to eliminate wrong answers

Option A is wrong because FortiGate Cloud is a cloud-based log management service, not a feature for sending logs to a central FortiAnalyzer in a multi-VDOM deployment. Option B is wrong because global log settings apply only to the management VDOM and do not propagate to other VDOMs; each VDOM requires its own log configuration. Option C is wrong because a syslog server is a generic log receiver, not a FortiAnalyzer, and using syslog would lose FortiAnalyzer-specific features like log correlation and reporting.

51
MCQ · medium

A FortiGate running FortiOS 7.4.1 has two VDOMs: CustomerA and CustomerB. The administrator wants CustomerA to access an HTTP server in CustomerB. Both VDOMs have appropriate policies. What additional configuration is required?

A. Configure a VDOM link between CustomerA and CustomerB
B. Create a policy allowing traffic from CustomerA to CustomerB
C. Enable inter-VDOM routing under system settings
D. Assign both VDOMs to the same administrative domain in FortiManager
Answer: A

A VDOM link is a virtual interface pair that connects VDOMs.

Why this answer

A VDOM link is required to enable Layer-2 or Layer-3 connectivity between two VDOMs on the same FortiGate. Without a VDOM link, the VDOMs are isolated from each other, even if policies exist. The VDOM link acts as a virtual interface pair that forwards traffic between CustomerA and CustomerB, allowing the HTTP server access.

Exam trap

The trap here is that candidates assume inter-VDOM policies alone suffice, forgetting that VDOMs are fully isolated routing domains requiring a dedicated link (VDOM link) to exchange traffic.

How to eliminate wrong answers

Option B is wrong because policies alone cannot forward traffic between VDOMs; inter-VDOM traffic requires a VDOM link to provide the physical or logical path. Option C is wrong because inter-VDOM routing is not a global setting that can be enabled; it is inherently provided by configuring VDOM links or inter-VDOM links under each VDOM. Option D is wrong because FortiManager administrative domains are management constructs for centralized device management, not for enabling data-plane traffic between VDOMs on a single FortiGate.

52
MCQ · hard

An organization has multiple ADOMs in FortiManager. The admin wants to share a set of firewall objects across all ADOMs. What is the best approach?

A. Create a meta field and assign objects
B. Use the Global ADOM to create global objects
C. Manually recreate the objects in each ADOM
D. Enable object sharing in the system settings
Answer: B

Global ADOM objects are accessible from regular ADOMs.

Why this answer

The Global ADOM in FortiManager is specifically designed to create and manage global objects (such as address objects, services, and schedules) that can be shared across all regular ADOMs. When an object is created in the Global ADOM, it is automatically available in all ADOMs that are linked to it, eliminating the need for duplication. This is the only native, supported method for sharing objects across multiple ADOMs in FortiManager.

Exam trap

The trap here is that candidates may confuse the Global ADOM with a regular ADOM or think that a simple system setting can enable object sharing, when in fact the Global ADOM is a distinct, purpose-built feature for cross-ADOM object sharing.

How to eliminate wrong answers

Option A is wrong because meta fields are used for custom metadata tagging and filtering of objects within an ADOM, not for sharing objects across ADOMs. Option C is wrong because manually recreating objects in each ADOM is inefficient, error-prone, and defeats the purpose of centralized management with FortiManager. Option D is wrong because FortiManager does not have a system-level 'object sharing' toggle; object sharing is achieved exclusively through the Global ADOM mechanism.

53
Multi-Select · easy

A FortiGate administrator wants to use FortiAnalyzer to view traffic logs from multiple VDOMs. Which TWO steps must the administrator perform on FortiAnalyzer?

Select 2 answers
A. Install a security profile on FortiAnalyzer
B. Add the FortiGate as a device in FortiAnalyzer
C. Create a separate ADOM for each VDOM
D. Configure the FortiGate to send logs to FortiAnalyzer
E. Enable FortiAnalyzer's built-in firewall
Answers: B, D

Device registration is required.

Why this answer

Option B is correct because FortiAnalyzer must have the FortiGate added as a managed device in order to receive and process logs from it. This registration establishes the trust relationship and log-receiving configuration between the two systems.

Exam trap

The trap here is that candidates often think a separate ADOM is mandatory for each VDOM, but FortiAnalyzer can consolidate logs from multiple VDOMs into a single ADOM, and the key requirement is simply adding the FortiGate as a device and configuring log forwarding.

54
Multi-Select · medium

An enterprise FortiGate has multiple VDOMs. The security policy requires that all traffic between VDOMs must be inspected by a next-generation firewall profile. Which three steps are necessary to achieve this? (Choose three.)

Select 3 answers
A. Ensure routing is properly configured to forward traffic through the inter-VDOM link
B. Place both VDOMs in the same ADOM in FortiManager
C. Enable VDOM inspection mode in global settings
D. Configure a firewall policy on the inter-VDOM link with the required security profile
E. Create an inter-VDOM link between the VDOMs
Answers: A, D, E

Routes direct traffic to the link interface.

Why this answer

Option A is correct because for traffic to traverse between VDOMs via an inter-VDOM link, proper routing must be configured in each VDOM to forward traffic through the inter-VDOM link interface. Without correct routing entries (static or dynamic), packets will not be directed to the inter-VDOM link, and the next-generation firewall profile cannot be applied.

Exam trap

The trap here is that candidates often assume VDOM inspection mode must be enabled globally to apply security profiles on inter-VDOM links, but in reality, the inspection mode only affects how VDOMs handle traffic at the kernel level and does not control policy-based inspection on inter-VDOM links.

55
MCQ · medium

An administrator uses FortiManager to deploy a new security policy to a remote FortiGate. The administrator selects 'Install Preview' and sees that the policy will be created. After confirming, the installation fails with 'Device not reachable'. What is the most likely reason?

A. The FortiGate has insufficient memory
B. The policy package is locked by another administrator
C. The FortiGate's configuration revision has changed since the last sync
D. The FortiGate is behind a NAT device that blocks FGFM traffic
Answer: D

FGFM uses TCP 541, which must be allowed and reachable.

Why this answer

The 'Device not reachable' error during the installation that follows the Install Preview indicates that FortiManager cannot establish or maintain the FGFM (FortiGate-to-FortiManager) tunnel with the remote FortiGate. When the FortiGate is behind a NAT device, the NAT may alter the source IP or port of FGFM traffic, causing the tunnel to break or preventing FortiManager from reaching the FortiGate's management IP. This is the most common cause of such reachability failures in remote deployments.

Exam trap

The trap here is that candidates often confuse a 'Device not reachable' error with configuration or policy issues, such as memory or lock conflicts, when the root cause is almost always a network connectivity problem, specifically related to NAT or firewall rules blocking FGFM traffic.

How to eliminate wrong answers

Option A is wrong because insufficient memory on the FortiGate would typically cause a different error, such as 'out of memory' or a failure during policy installation, not a 'Device not reachable' error which is a connectivity issue. Option B is wrong because a locked policy package prevents changes or installation, but the error would be 'Policy package locked' or similar, not a device reachability failure. Option C is wrong because a configuration revision change since the last sync would cause a 'revision conflict' or 'out of sync' error during installation, not a 'Device not reachable' error, which is purely about network connectivity.

56
MCQ · hard

An administrator has configured two VDOMs on a FortiGate. One VDOM is in NAT mode and the other in transparent mode. The administrator wants traffic from the transparent mode VDOM to be routed through the NAT mode VDOM. What must be configured to allow inter-VDOM routing?

A. Use a physical interface to connect the VDOMs
B. Create an inter-VDOM link
C. Enable NPU offloading
D. Configure firewall policies between the VDOMs
Answer: B

Inter-VDOM links enable routing between VDOMs.

Why this answer

Inter-VDOM routing between VDOMs in different modes (NAT and transparent) requires a dedicated inter-VDOM link (IVL), which is a virtual internal connection that allows traffic to pass between VDOMs without consuming physical ports. The IVL creates a pair of virtual interfaces, one in each VDOM, and firewall policies must be configured to permit traffic across them. This is the only method that supports routing between VDOMs of different modes on the same FortiGate.

Exam trap

The trap here is that candidates assume firewall policies alone can route traffic between VDOMs, but without an inter-VDOM link, the VDOMs are completely isolated and cannot exchange any traffic regardless of policy configuration.

How to eliminate wrong answers

Option A is wrong because using a physical interface to connect VDOMs is unnecessary and inefficient; inter-VDOM links are virtual and avoid wasting physical ports. Option C is wrong because NPU offloading is a hardware acceleration feature for packet processing, not a mechanism for enabling inter-VDOM routing. Option D is wrong because firewall policies alone cannot enable inter-VDOM routing; they are required after the inter-VDOM link is created to allow traffic, but the link itself is the fundamental connectivity component.

57
MCQ · hard

A FortiGate in transparent mode is deployed between a router and a switch. The administrator needs to apply a deep inspection profile to HTTP traffic. What is the correct configuration for the interfaces?

A. Configure a management IP on the VDOM and apply the inspection profile to the policy
B. Place both interfaces in the same VDOM and enable DHCP
C. Switch to NAT mode to enable deep inspection
D. Assign IPs to both interfaces and create a policy from LAN to WAN
Answer: A

The VDOM management IP provides connectivity; policies inspect traffic on the bridge.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge, so interfaces do not require IP addresses. Deep inspection of HTTP traffic is applied via a firewall policy that references a deep inspection profile, and a management IP must be configured on the VDOM to allow the FortiGate to participate in management traffic (e.g., DNS, NTP, or proxy operations). Option A correctly identifies that the management IP is set on the VDOM and the inspection profile is applied to the policy.

Exam trap

The trap here is that candidates assume transparent mode cannot perform deep inspection because it lacks routed interfaces, but FortiGate supports full UTM inspection in transparent mode via the management IP and policy-based profiles.

How to eliminate wrong answers

Option B is wrong because placing both interfaces in the same VDOM is correct for transparent mode, but enabling DHCP is unnecessary and irrelevant—transparent mode interfaces do not require IP addresses or DHCP services. Option C is wrong because deep inspection is fully supported in transparent mode; switching to NAT mode is not required and would change the FortiGate's Layer 2 behavior. Option D is wrong because assigning IPs to both interfaces is not valid in transparent mode—interfaces remain without IPs, and policies are created using the management IP, not LAN-to-WAN direction.

58
MCQ · medium

A FortiGate has multiple VDOMs. The administrator notices that traffic from VDOM-1 to VDOM-2 is allowed by inter-VDOM policies but is not being inspected by the security profiles. What is the most likely cause?

A. The security profiles are applied only on the egress VDOM
B. The traffic is using a bypass path due to asymmetric routing
C. The VDOMs are in different virtual routers
D. The VDOM link is configured as a signal interface
Answer: A

Correct.

Why this answer

When inter-VDOM traffic flows through a VDOM link, security profiles are applied only on the egress VDOM by default. This is because the VDOM link acts as a logical wire, and inspection occurs at the point where traffic exits the link. If the administrator has applied security profiles only on the ingress VDOM (VDOM-1), they will not be enforced on traffic leaving VDOM-1 toward VDOM-2, resulting in no inspection.

Exam trap

The trap here is that candidates assume security profiles are applied symmetrically on both sides of an inter-VDOM link, but FortiGate only inspects traffic on the egress VDOM, so profiles must be configured on the destination VDOM's policy.

How to eliminate wrong answers

Option B is wrong because asymmetric routing would cause session setup failures or packet drops, not a bypass of security profiles; inter-VDOM policies still enforce inspection regardless of routing symmetry. Option C is wrong because different virtual routers do not prevent inter-VDOM traffic from being inspected; they only affect routing decisions, not security profile application. Option D is wrong because a signal interface is used for heartbeat or management traffic between VDOMs, not for data traffic, and would not cause security profiles to be skipped.

59
MCQ · easy

An administrator wants to use FortiAnalyzer to generate weekly compliance reports for all managed FortiGates. Which FortiAnalyzer feature should be used?

A. Incidents
B. Reports
C. FortiView
D. Log Analytics
Answer: B

Reports enable scheduled and on-demand report generation.

Why this answer

FortiAnalyzer's Reports feature is specifically designed to generate scheduled, customizable compliance reports that aggregate data from multiple managed FortiGates. This allows administrators to produce weekly reports aligned with regulatory standards (e.g., PCI DSS, HIPAA) without manual effort, leveraging pre-defined or custom report templates.

Exam trap

The trap here is that candidates often confuse FortiView's real-time dashboards with the scheduled, template-driven reporting capability of the Reports module, assuming that visualization tools can substitute for formal compliance report generation.

How to eliminate wrong answers

Option A is wrong because Incidents in FortiAnalyzer are used for tracking and managing security events and alerts, not for generating scheduled compliance reports. Option C is wrong because FortiView provides real-time and historical data visualization for monitoring and troubleshooting, but it lacks the scheduling and template-based reporting required for weekly compliance reports. Option D is wrong because Log Analytics focuses on searching, correlating, and analyzing log data, not on producing formatted, scheduled compliance reports.

60
MCQ · medium

A network administrator is troubleshooting a FortiGate that is not appearing in the Security Fabric topology on FortiManager. The FortiGate is reachable from FortiManager via ping. What is the most likely cause?

A. The FortiGate is not authorized in FortiManager
B. FortiAnalyzer is not configured on the FortiGate
C. SNMP community string is mismatched
D. The FortiGate firewall policy is blocking traffic to FortiManager
Answer: A

Authorization is required for the device to appear in the fabric.

Why this answer

For a FortiGate to appear in the Security Fabric topology on FortiManager, it must first be authorized in FortiManager. Even if the FortiGate is reachable via ping, without authorization, FortiManager will not accept its registration or include it in the topology view. This is a prerequisite step that must occur before any fabric communication can be established.

Exam trap

The trap here is that candidates assume Layer 3 reachability (ping) implies full application-layer communication, but FortiManager requires explicit authorization before it will accept a FortiGate into the Security Fabric, even when network connectivity is perfect.

How to eliminate wrong answers

Option B is wrong because FortiAnalyzer is not required for a FortiGate to appear in the Security Fabric topology on FortiManager; FortiAnalyzer is used for logging and reporting, not for topology discovery. Option C is wrong because SNMP community strings are irrelevant to FortiManager-FortiGate Security Fabric communication, which uses FortiGate's proprietary JSON-based API over HTTPS, not SNMP. Option D is wrong because if a firewall policy were blocking traffic to FortiManager, the FortiGate would not be reachable via ping, but the question states it is reachable, indicating Layer 3 connectivity is fine and the issue is at the application/authorization layer.

61
Multi-Select · medium

An administrator is troubleshooting a FortiGate in transparent mode where clients cannot reach the internet. The FortiGate has two interfaces in the same VLAN. Which two items must be checked? (Choose two.)

Select 2 answers
A. SSL inspection is enabled on the policy
B. The default gateway is configured on the FortiGate's management IP
C. The two interfaces are members of the same software switch or VDOM
D. The management IP is on a different subnet from the bridged network
E. Firewall policies are present that allow traffic from internal to external zones
Answers: C, E

For transparent mode to work, interfaces must be in the same layer 2 broadcast domain, typically via a software switch or VDOM configuration.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge, so traffic must flow through a single broadcast domain. If the two interfaces are not in the same software switch or VDOM, they are isolated, breaking the Layer 2 path between clients and the upstream router. Option C is correct because both interfaces must be logically bridged to forward traffic within the same VLAN.

Exam trap

The trap here is that candidates assume transparent mode still requires a default gateway on the FortiGate (like in NAT mode), but in transparent mode, clients use their own default gateway, and the FortiGate simply bridges traffic at Layer 2.

62
MCQ · medium

An admin needs to configure a FortiGate to send logs to FortiAnalyzer for a specific VDOM only. How can this be achieved?

A.Set the FortiAnalyzer IP in the specific VDOM's log settings
B.Create a separate ADOM in FortiAnalyzer for that VDOM
C.Configure log forwarding globally; it applies to all VDOMs
D.Use a firewall policy to filter logs to FortiAnalyzer
AnswerA

Per-VDOM log setting overrides global for that VDOM.

Why this answer

Option A is correct because FortiGate allows per-VDOM log configuration, including the FortiAnalyzer IP address, under the VDOM's log settings. This ensures that only logs from that specific VDOM are sent to the designated FortiAnalyzer, while other VDOMs remain unaffected.

Exam trap

The trap here is that candidates often confuse global log forwarding with per-VDOM log settings, assuming that a global configuration can be selectively applied to a single VDOM, which is not supported in FortiGate's VDOM architecture.

How to eliminate wrong answers

Option B is wrong because creating a separate ADOM in FortiAnalyzer is a management and administrative grouping on the FortiAnalyzer side, not a configuration on the FortiGate to control which VDOM's logs are sent. Option C is wrong because configuring log forwarding globally applies to all VDOMs, which does not meet the requirement of sending logs for a specific VDOM only. Option D is wrong because firewall policies are used for traffic filtering and not for selecting which logs are forwarded to FortiAnalyzer; log forwarding is controlled by log settings, not firewall policies.

63
MCQ · easy

A company is implementing a Security Fabric with multiple FortiGate devices. They want to use FortiAnalyzer for centralized logging and FortiManager for centralized management. Which of the following is a prerequisite for adding a FortiGate to the Security Fabric?

A.The FortiGate must have FortiAnalyzer configured as a log device
B.The FortiGate's management IP must be configured via DHCP
C.The FortiGate must have network connectivity to the FortiManager
D.The FortiGate must be operating in transparent mode
AnswerC

Connectivity is required for management.

Why this answer

For a FortiGate to join a Security Fabric, it must have network connectivity to the FortiManager that manages the fabric. FortiManager acts as the fabric root or controller, and the FortiGate registers with it using the FortiManager IP or FQDN. Without this connectivity, the FortiGate cannot be added to the Security Fabric topology.

Exam trap

The trap here is that candidates often confuse the prerequisite for logging (FortiAnalyzer) with the prerequisite for fabric management (FortiManager), assuming both must be configured before adding a FortiGate, but only FortiManager connectivity is required for fabric membership.

How to eliminate wrong answers

Option A is wrong because configuring FortiAnalyzer as a log device is not a prerequisite for adding a FortiGate to the Security Fabric; logging can be configured after the FortiGate joins the fabric. Option B is wrong because the FortiGate's management IP can be static or DHCP, but DHCP is not a requirement; the prerequisite is simply that the FortiGate has a reachable management IP. Option D is wrong because the FortiGate can operate in NAT/route mode or transparent mode when joining the Security Fabric; transparent mode is not a requirement.

64
Multi-Select · medium

An administrator is configuring a FortiGate in transparent mode for a retail store. The store has a flat network with a single subnet. Which TWO of the following statements about transparent mode are correct? (Select TWO.)

Select 2 answers
A.Virtual IPs (VIPs) can be used for destination NAT
B.The FortiGate uses a management IP address for administrative access
C.The FortiGate will perform routing between VLANs
D.The FortiGate requires a default route to forward user traffic
E.Firewall policies can be applied to control traffic between bridge interfaces
AnswersB, E

A management IP is needed for GUI/CLI access and can be on the same subnet as the bridged traffic.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge and does not participate in routing. A management IP address is required for administrative access (e.g., SSH, HTTPS) because the device does not have an IP on the bridged interfaces by default. This management IP is assigned to a dedicated management interface or a VLAN interface and allows the administrator to reach the FortiGate from the same subnet.

Exam trap

The trap here is that candidates often assume transparent mode still requires a default route for management traffic or that VIPs can be used for inbound access, but in reality, transparent mode operates purely at Layer 2 and does not support NAT or routing functions.

65
MCQ · medium

Refer to the exhibit. A FortiGate is configured with the above settings. The FortiManager at 192.168.1.100 cannot establish a management connection to the FortiGate. What is the most likely cause?

A.HTTPS access is not enabled on port1
B.The admin user 'admin' is not configured correctly
C.The FortiGate's port1 IP is not in the same subnet as the FortiManager
D.The trusthost configuration does not include the FortiManager IP
AnswerC

The management IP is 10.0.1.1, but FortiManager is on 192.168.1.0/24, so they are on different subnets.

Why this answer

The FortiGate's port1 IP (192.168.2.1/24) is on a different subnet (192.168.2.0/24) than the FortiManager's IP (192.168.1.100), which is on the 192.168.1.0/24 subnet. For a management connection to be established, the FortiGate and FortiManager must be able to route to each other, typically requiring them to be on the same subnet unless a gateway or static route is configured. Since no routing is mentioned, the subnet mismatch is the most likely cause of the failure.

Exam trap

The trap here is that candidates may focus on the HTTPS access or trusthost settings, but the exhibit clearly shows the subnet mismatch, which is the fundamental Layer 3 connectivity issue that prevents the management session from being established.

How to eliminate wrong answers

Option A is wrong because HTTPS access is enabled on port1 (as shown by 'set allowaccess https' in the configuration), so this is not the issue. Option B is wrong because the admin user 'admin' is configured with the correct password and permissions (super_admin profile), and there is no indication of a misconfiguration. Option D is wrong because the trusthost configuration is not present in the exhibit; if trusthost were configured, it would appear under the admin user settings, and its absence means it is not blocking the FortiManager.

66
MCQ · medium

A FortiGate administrator runs the following commands and sees the output:

diagnose sys session filter dport 443
diagnose sys session list

The output shows sessions with proto=6 and a decreasing expire time. What does this indicate?

A.The sessions are using UDP protocol
B.The FortiGate is performing deep packet inspection on these sessions
C.The sessions are being blocked by a firewall policy
D.The sessions are TCP sessions and are active
AnswerD

proto=6 indicates TCP. The sessions are listed, meaning they are active and being tracked.

Why this answer

The command 'diagnose sys session filter dport 443' filters sessions with destination port 443, and 'diagnose sys session list' displays them. The output shows 'proto=6', which is the protocol number for TCP (per IANA protocol numbers). The 'expire time decreasing' indicates that the session timer is counting down, which is normal behavior for an active TCP session that is being refreshed by ongoing traffic.

Therefore, the sessions are TCP and active.

Exam trap

The trap here is that candidates may confuse 'expire time decreasing' with a session being blocked or expiring, when in fact it is a normal indicator of an active TCP session that is being refreshed by traffic.

How to eliminate wrong answers

Option A is wrong because proto=6 specifically indicates TCP, not UDP (UDP is protocol 17). Option B is wrong because the command output does not show any deep packet inspection (DPI) status; DPI would require additional configuration and is not indicated by session list output. Option C is wrong because blocked sessions would not appear in the session list with a decreasing expire time; blocked traffic is denied by the firewall policy and does not create a session entry.

67
Multi-Select · medium

An administrator needs to restrict inter-VDOM traffic between two VDOMs on a FortiGate. Which TWO configurations are required?

Select 2 answers
A.Create firewall policies in each VDOM to allow/deny traffic
B.Enable inter-VDOM routing globally
C.Assign an IP address to the VDOM link in each VDOM
D.Configure a VDOM link between the two VDOMs
E.Configure static routes on each VDOM
AnswersA, D

Policies are necessary to control traffic flow.

Why this answer

Option A is correct because inter-VDOM traffic on a FortiGate is controlled by firewall policies within each VDOM. By creating policies in each VDOM that specify the VDOM link as the interface, the administrator can explicitly allow or deny traffic between the VDOMs, enforcing security boundaries. Without these policies, traffic would be implicitly denied by the default firewall behavior.

Exam trap

The trap here is that candidates often assume inter-VDOM routing requires a global enablement or IP addressing on the VDOM link, but FortiGate handles this automatically, and the key requirement is the firewall policies to enforce restrictions.

68
Multi-Select · medium

A FortiGate administrator wants to use FortiManager automation stitches to automatically block IP addresses that trigger multiple intrusion prevention events. Which two components are required to configure an automation stitch? (Choose two.)

Select 2 answers
A.Trigger
B.Playbook
C.Destination
D.Schedule
E.Action
AnswersA, E

Defines the event that starts the stitch.

Why this answer

An automation stitch consists of a trigger (event condition) and one or more actions. The trigger defines when the stitch runs; the action defines what happens (e.g., CLI script, email).

69
Multi-Select · medium

Which TWO statements about the Security Fabric and FortiManager are correct? (Choose two.)

Select 2 answers
A.FortiManager can manage multiple Security Fabrics.
B.FortiGate devices must be in transparent mode to join the fabric.
C.FortiAnalyzer must be deployed to use the Security Fabric.
D.The first FortiGate added to the Security Fabric becomes the root FortiGate.
E.A FortiGate can be part of multiple Security Fabrics simultaneously.
AnswersA, D

FortiManager can manage multiple fabrics.

Why this answer

FortiManager can manage multiple Security Fabrics because it is designed as a centralized management platform that can oversee multiple independent FortiGate clusters or fabric topologies. Each Security Fabric is a logical grouping of FortiGate devices that share a common root FortiGate, and FortiManager can be configured to manage several such fabrics simultaneously, each with its own root and member devices, without requiring separate management servers.

Exam trap

The trap here is that candidates often assume FortiAnalyzer is mandatory for the Security Fabric, but the fabric only requires FortiGate devices; FortiAnalyzer is an optional add-on for enhanced logging and analytics.

70
MCQ · medium

A FortiGate has two VDOMs: 'root' and 'customer'. The admin wants to route traffic from 'customer' to the internet via 'root', which has a BGP connection to an ISP. What is the required configuration?

A.Enable VDOM forwarding on the WAN interface in 'root'
B.Configure a static route in 'customer' pointing to the 'root' VDOM's management IP
C.Place both VDOMs in the same VDOM group and enable route leak
D.Create an inter-VDOM link between 'customer' and 'root', and configure policies to allow traffic
AnswerD

Correct. The link provides connectivity; policies control traffic.

Why this answer

Option D is correct because inter-VDOM links are the only supported method for routing traffic between VDOMs on the same FortiGate. An inter-VDOM link creates a virtual point-to-point connection between two VDOMs, allowing traffic to flow through firewall policies. Without this link, VDOMs are isolated and cannot exchange traffic, even if static routes or BGP are configured.

Exam trap

The trap here is that candidates often assume VDOMs can route traffic to each other simply by configuring static routes or using a shared interface, but FortiGate requires a dedicated inter-VDOM link with firewall policies to enable inter-VDOM traffic.

How to eliminate wrong answers

Option A is wrong because VDOM forwarding on a WAN interface is not a feature; interfaces belong to a single VDOM and cannot forward traffic to another VDOM without an inter-VDOM link. Option B is wrong because a static route in 'customer' pointing to the 'root' VDOM's management IP would only route control traffic to the management interface, not data-plane traffic between VDOMs. Option C is wrong because VDOM groups are used for administrative grouping and configuration sharing, not for routing traffic between VDOMs; route leaking is not a supported feature between VDOMs on the same FortiGate.

71
Multi-Select · medium

Which TWO statements about Security Fabric deployment are correct? (Choose two.)

Select 2 answers
A.A Security Fabric can contain a maximum of 50 FortiGate devices.
B.The root FortiGate must have a management IP address that is reachable from all downstream devices.
C.Each FortiGate device in the Fabric must have a unique FortiGate serial number.
D.All FortiGate devices in the Fabric must be managed by the same FortiManager.
E.A FortiGate can only belong to one Security Fabric at a time.
AnswersB, C

Downstream devices need to reach the root for fabric synchronization.

Why this answer

Option B is correct because the root FortiGate acts as the central coordination point for the Security Fabric. All downstream FortiGate devices must be able to reach the root FortiGate's management IP address to establish and maintain the Fabric communication, which uses TCP port 8013 (HTTPS) for the initial handshake and subsequent keepalive messages. Without this reachability, downstream devices cannot join or synchronize with the Fabric.

Exam trap

The trap here is that candidates often assume a FortiGate can only belong to one Security Fabric, but FortiGate supports multi-fabric membership through the use of different fabric groups or VDOMs, allowing a single device to participate in multiple logical fabrics.

72
Multi-Select · hard

Which THREE actions can an administrator perform using FortiManager in a Security Fabric environment? (Choose three.)

Select 3 answers
A.Upgrade the firmware of multiple FortiGates at once
B.View logs from all managed FortiGates in a single dashboard
C.Terminate IPsec VPN tunnels on the FortiManager
D.Configure FortiGate to manage the FortiManager
E.Push firewall policies to multiple FortiGates simultaneously
AnswersA, B, E

Firmware upgrade can be done centrally.

Why this answer

Option A is correct because FortiManager supports centralized firmware management, allowing administrators to upgrade the firmware of multiple FortiGates simultaneously via the 'Firmware Upgrade' wizard in the Device Manager. This leverages the FortiManager's role as a central management point, which can stage and push firmware images to managed devices in a Security Fabric, reducing downtime and ensuring consistency across the fabric.

Exam trap

The trap here is that candidates confuse FortiManager's ability to configure VPN settings with the ability to terminate active tunnels, or they mistakenly think the FortiGate can manage the FortiManager (reversing the management relationship), which is a common misconception in centralized management architectures.

73
Multi-Select · medium

A network engineer needs to collect logs from multiple FortiGates and generate compliance reports. Which TWO FortiAnalyzer features should be used?

Select 2 answers
A.ADOM configuration
B.Log analytics
C.Reports
D.Automation stitches
E.Policy packages
AnswersB, C

Why this answer

Log analytics (option B) is correct because it provides the ability to search, filter, and visualize logs from multiple FortiGates, enabling the identification of trends and anomalies necessary for compliance reporting. Reports (option C) is correct because FortiAnalyzer includes a dedicated reporting engine that can generate scheduled or on-demand compliance reports based on collected logs, with pre-defined templates for standards like PCI DSS, HIPAA, and SOX.

Exam trap

The trap here is that candidates confuse FortiAnalyzer's ADOM feature (which is for administrative separation) with log collection or reporting, or they mistakenly associate automation stitches or policy packages with compliance reporting, which are actually features of FortiGate or FortiManager, not FortiAnalyzer.

74
MCQ · medium

A FortiManager administrator creates an ADOM for the root VDOM and regular VDOMs. The administrator wants to manage only the regular VDOMs from FortiManager. Which ADOM type should be used?

A.Regular ADOM (non-root)
B.Management VDOM ADOM
C.Root ADOM
D.Global ADOM
AnswerA

Regular ADOM can be assigned to specific VDOMs, excluding the root if not needed.

Why this answer

A Regular ADOM (non-root) is the correct choice because it allows the administrator to manage only the regular VDOMs (non-root VDOMs) on a FortiGate, excluding the root VDOM. This ADOM type is designed for managing individual VDOMs as separate entities, providing granular control without affecting the root VDOM's global settings or other VDOMs.

Exam trap

The trap here is that candidates often confuse the 'Root ADOM' with managing only the root VDOM, but it actually manages all VDOMs (root and regular) together, which is not suitable when only regular VDOMs need to be managed.

How to eliminate wrong answers

Option B (Management VDOM ADOM) is wrong because it is not a standard ADOM type in FortiManager; the correct term is 'Management VDOM' for a VDOM that handles management traffic, but it does not define an ADOM type for managing regular VDOMs. Option C (Root ADOM) is wrong because it manages the root VDOM and all regular VDOMs together, which contradicts the requirement to manage only regular VDOMs. Option D (Global ADOM) is wrong because it is used for global policy objects and settings that apply across all ADOMs, not for managing individual VDOMs.

75
Drag & Drop · medium

Drag and drop the steps to configure a site-to-site IPsec VPN on a FortiGate firewall into the correct order.


Why this order

Phase 1 establishes the IKE SA, Phase 2 creates the IPsec SA, then routing and policies are applied to allow traffic through the tunnel.
