CCNA Nse7 Enterprise Vdom Questions

75 of 264 questions · Page 2/4 · Nse7 Enterprise Vdom topic

76 · MCQ · medium

A FortiGate administrator wants to use FortiAnalyzer to generate a report on top talkers in the network. Which FortiView feature should be used?

A. Log Analytics
B. FortiView
C. Playbooks
D. Incidents

Answer: B

FortiView provides traffic analytics including top talkers.

Why this answer

FortiView is the correct feature because it provides real-time and historical traffic visibility, including top talkers, directly from the FortiGate's session table and logs. FortiView's 'Top Talkers' widget aggregates traffic by source IP, destination IP, or application, allowing the administrator to generate reports on the highest bandwidth consumers without needing to run complex queries in Log Analytics.

Exam trap

The trap here is that candidates confuse FortiView with Log Analytics, assuming that any log-based reporting must go through Log Analytics, but FortiView provides the pre-built, aggregated top talkers view without requiring SQL-like queries.

How to eliminate wrong answers

Option A is wrong because Log Analytics is a FortiAnalyzer feature for running SQL-like queries against indexed logs, not a dedicated FortiView feature for visualizing top talkers; it requires manual query construction and lacks the pre-built, real-time top talker widgets. Option C is wrong because Playbooks are automation workflows in FortiSOAR or FortiAnalyzer for incident response, not a reporting or traffic visibility feature. Option D is wrong because Incidents are security event aggregations in FortiAnalyzer's Incident Management module, used for threat investigation and response, not for generating top talker reports.

77 · MCQ · medium

An administrator configures an automation stitch on FortiManager to trigger a script when a specific log message is received. After saving, the stitch does not execute. What is a likely cause?

A. The FortiGate is not in the same ADOM
B. The log message is not being sent to FortiManager
C. The script is not uploaded to the FortiGate
D. The automation stitch is not enabled

Answer: D

Automation stitches must be enabled to run.

Why this answer

Option D is correct because automation stitches on FortiManager are disabled by default after creation. The administrator must explicitly enable the stitch before it will trigger on incoming log events. Without enabling, the stitch remains inactive regardless of other configurations.

Exam trap

The trap here is that candidates assume saving a configuration automatically activates it, but FortiManager requires an explicit enable step for automation stitches, unlike some other FortiManager objects that are active by default.

How to eliminate wrong answers

Option A is wrong because the FortiGate does not need to be in the same ADOM for the automation stitch to execute; FortiManager can manage devices across ADOMs as long as the device is properly assigned. Option B is wrong because the question states the stitch does not execute after saving, implying the log message is expected to be received; if logs were not sent, the issue would be a missing log forwarding configuration, not a disabled stitch. Option C is wrong because the script is executed from FortiManager, not uploaded to the FortiGate; automation stitches on FortiManager run scripts stored locally on the FortiManager, not on the managed device.

78 · Matching · medium

Match each FortiGate routing concept to its description.

Descriptions

Manually configured route

Link-state dynamic routing protocol

Path-vector dynamic routing protocol

Routes traffic based on policy criteria

Load balancing across multiple paths

Why these pairings

These are routing features in FortiOS.

79 · Multi-Select · medium

A FortiGate administrator is troubleshooting slow network performance. The administrator runs the command 'diagnose sys session filter dst 10.0.0.1' and sees many sessions in a 'proto_state=0a' state. What does this state indicate? (Select TWO.)

A. The session has been reset
B. The session is in FIN_WAIT_2 state
C. The session is in TIME_WAIT state
D. The session is actively transferring data
E. The session is in SYN_RECEIVED state

Answers: B, C

FIN_WAIT_2 is a common state during TCP teardown.

Why this answer

In FortiOS, the 'proto_state=0a' value in session diagnostics indicates the session is in the TCP FIN_WAIT_2 state (hex 0x0a = decimal 10). This state occurs after the local side has sent a FIN and received an ACK, but is still waiting for the remote side to close its connection. It is a normal part of TCP connection teardown, but an excessive number of sessions in this state can indicate that the remote peer is not properly closing connections, potentially contributing to slow performance due to resource exhaustion.

Exam trap

The trap here is that candidates often confuse FIN_WAIT_2 (0x0a) with TIME_WAIT (0x0b) or assume any non-ESTABLISHED state indicates a problem, but the question specifically asks for the meaning of 'proto_state=0a', which is FIN_WAIT_2, not TIME_WAIT.

80 · MCQ · medium

A FortiGate administrator needs to configure a policy that allows traffic from VDOM A to VDOM B using inter-VDOM routing. Which configuration is required?

A. A single policy in VDOM A with destination VDOM B
B. A static route in VDOM A pointing to VDOM B
C. Policies in both VDOMs allowing traffic to and from the inter-VDOM link
D. Disable VDOM security features

Answer: C

Correct: policies in both VDOMs are required to allow bidirectional traffic.

Why this answer

Inter-VDOM routing requires explicit policy enforcement on both sides of the inter-VDOM link. A single policy in VDOM A cannot control return traffic from VDOM B, and FortiGate does not implicitly allow traffic between VDOMs. Therefore, policies must be configured in both VDOMs to permit traffic in both directions, ensuring stateful inspection and security controls are applied consistently.

Exam trap

The trap here is that candidates assume a single policy in the source VDOM is sufficient, forgetting that FortiGate treats each VDOM as a separate virtual firewall requiring its own policy for return traffic.

How to eliminate wrong answers

Option A is wrong because a single policy in VDOM A only controls outbound traffic from VDOM A; return traffic from VDOM B would be dropped without a corresponding policy in VDOM B. Option B is wrong because static routes direct traffic but do not provide firewall policy enforcement; inter-VDOM traffic still requires explicit allow policies in both VDOMs. Option D is wrong because disabling VDOM security features would bypass all security controls, which is not a valid or secure configuration for inter-VDOM routing.

81 · MCQ · easy

An administrator wants to limit the number of VDOMs that can be created on a FortiGate. What should the administrator configure?

A. Use the 'config vdom' command to delete unused VDOMs
B. Set the 'max-vdom' option under 'config system global'
C. Configure the VDOM license on FortiManager
D. Set the 'vdom-admin' option to 'enable'

Answer: B

The 'max-vdom' parameter in system global sets the maximum number of VDOMs.

Why this answer

The 'max-vdom' option under 'config system global' directly limits the number of VDOMs that can be created on a FortiGate. This setting enforces a hard cap on the total VDOM count, regardless of licensing or administrative roles. By default, the value is set to 10 on most models, but it can be increased up to the maximum supported by the platform or license.

Exam trap

The trap here is that candidates often confuse the FortiGate's local 'max-vdom' limit with FortiManager licensing or the 'vdom-admin' toggle, mistakenly thinking those options control the creation cap when they actually address management scope or administrative access.

How to eliminate wrong answers

Option A is wrong because deleting unused VDOMs reduces the current count but does not prevent future creation of additional VDOMs; it is a reactive action, not a proactive limit. Option C is wrong because the VDOM license on FortiManager controls the number of VDOMs that can be managed centrally, but it does not enforce a creation limit on the FortiGate itself; the FortiGate's local 'max-vdom' setting is independent of FortiManager licensing. Option D is wrong because the 'vdom-admin' option enables or disables VDOM administration mode (allowing VDOM configuration), but it does not impose any numerical limit on how many VDOMs can be created.

82 · Multi-Select · hard

A security analyst notices that an automation stitch in FortiManager did not trigger when a specific event occurred on a managed FortiGate. Which three possible reasons could explain why the stitch did not fire? (Choose three.)

A. The trigger event type does not match the actual event
B. The FortiGate has reached its license limit for automation stitches
C. The automation stitch was configured with a condition that was not met
D. The automation stitch is disabled
E. The FortiManager had a temporary network connectivity issue with the FortiGate

Answers: A, D, E

If the trigger is set for a different event type, it will not fire.

Why this answer

Option A is correct because an automation stitch in FortiManager triggers only when the event type defined in the stitch matches the actual event generated by the FortiGate. If the event type (e.g., 'event-log' vs. 'traffic-log') does not match, the stitch will not fire. This is a fundamental condition for stitch execution.

Exam trap

The trap here is confusing a condition (which is checked after the trigger fires) with the trigger itself, leading candidates to incorrectly select Option C as a reason the stitch did not fire at all.

83 · MCQ · medium

A FortiGate admin configures a policy package with header and footer policies in FortiManager. What is the purpose of header policies?

A. They are used for NAT policies only
B. They provide default logging for all traffic
C. They apply only to the root VDOM
D. They are evaluated before other policies in the same policy package

Answer: D

Header policies have higher priority and are evaluated first.

Why this answer

Header policies in FortiManager are evaluated before any other policies in the same policy package. This allows administrators to enforce mandatory rules—such as blocking specific traffic or applying global inspection—that must be processed first, ensuring they are not bypassed by more specific policies later in the sequence.

Exam trap

The trap here is that candidates often confuse header policies with global policies or default settings, assuming they apply only to NAT or root VDOMs, when in fact they are simply policies that are evaluated first within a specific policy package.

How to eliminate wrong answers

Option A is wrong because header policies are not limited to NAT policies; they can include any firewall policy type, including security, authentication, or traffic shaping. Option B is wrong because header policies do not automatically provide default logging; logging must be explicitly configured within each policy. Option C is wrong because header policies apply to the entire policy package, not just the root VDOM; they affect all VDOMs that use that package.

84 · MCQ · medium

An administrator configured a new policy package in FortiManager and assigned it to a FortiGate. After installing the policy package, the FortiGate shows the new policies, but traffic is not matching them. What could be the reason?

A. The policy package is installed to the root VDOM instead of the target VDOM
B. The policy package has not been committed
C. The FortiGate has not been added to the ADOM
D. The FortiGate is in transparent mode

Answer: A

Policy packages are installed per VDOM; if the wrong VDOM is selected, policies won't affect the correct traffic.

Why this answer

If the policy package uses a different ADOM or the device is not properly synchronized, the policies may not apply correctly. The most common issue is that the policy package is not installed to the correct VDOM on the FortiGate.

85 · MCQ · easy

What is the purpose of a management VDOM in a multi-VDOM FortiGate?

A. To apply security profiles for all VDOMs
B. To route all inter-VDOM traffic
C. To provide a dedicated VDOM for system administration and management traffic
D. To host customer-facing services

Answer: C

The management VDOM handles GUI/CLI access, SNMP, etc.

Why this answer

A management VDOM is a dedicated administrative VDOM that isolates system management traffic (e.g., SSH, HTTPS, SNMP, syslog) from data-plane VDOMs. This ensures that administrative access and logging remain available even if a data VDOM fails or is misconfigured, and it prevents management traffic from competing with production traffic for resources.

Exam trap

The trap here is that candidates often confuse the management VDOM with a 'super-VDOM' that controls all others, but in reality it only handles administrative traffic and has no data-plane forwarding role.

How to eliminate wrong answers

Option A is wrong because security profiles (e.g., antivirus, web filtering) are applied per VDOM or per policy, not centrally by a management VDOM; each VDOM has its own independent security policy engine. Option B is wrong because inter-VDOM traffic is routed by the VDOM link or inter-VDOM link feature, not by the management VDOM; the management VDOM does not participate in data-plane forwarding. Option D is wrong because customer-facing services (e.g., web servers, application hosting) are typically placed in a separate data VDOM, not the management VDOM, which is reserved strictly for administrative access and monitoring.

86 · Matching · medium

Match each Fortinet security feature to its primary function.

Descriptions

Detects and prevents network attacks

Identifies and controls application traffic

Blocks access to malicious or unwanted websites

Scans and removes malware from traffic

Prevents sensitive data from leaving the network

Why these pairings

These are core UTM features in FortiOS.

87 · Multi-Select · hard

A FortiGate HA cluster is configured in active-passive mode with VDOMs. The administrator wants to ensure that a specific VDOM (VDOM1) always runs on the primary unit unless that unit fails. Additionally, the administrator wants to minimize disruption during a failover. Which THREE configuration steps should be taken?

A. Set the HA priority of the primary unit to a higher value (e.g., 200) than the secondary unit
B. Disable session pickup to speed up failover
C. Configure VDOM load balance with 'prefer' setting for VDOM1 on the primary unit
D. Enable session pickup and ensure session synchronization is configured
E. Enable active-active HA mode

Answers: A, C, D

Higher priority makes the unit preferred to be primary.

Why this answer

Option A is correct because in an active-passive HA cluster, setting a higher HA priority (e.g., 200) on the primary unit ensures it is elected as the active unit. This guarantees that VDOM1, which is not load-balanced, will run on the primary unit under normal conditions, as the higher priority value makes the primary unit preferred during the election process.

Exam trap

The trap here is that candidates often confuse active-passive with active-active HA mode, incorrectly assuming that active-active is required for VDOM-specific control, when in fact the 'prefer' setting within active-passive mode achieves the desired behavior without allowing VDOMs to run on both units simultaneously.

88 · Multi-Select · medium

An administrator is using FortiAnalyzer to generate a compliance report. The report should include logs from multiple FortiGates in different ADOMs. Which three actions must the administrator take? (Choose three.)

A. Configure a meta field to tag the devices for report filtering
B. Ensure the FortiGates are logging to the same ADOM or multiple ADOMs
C. Create a new ADOM that spans all the FortiGates
D. Use the 'device groups' feature in FortiAnalyzer to aggregate logs
E. Select the appropriate ADOM scope when configuring the report

Answers: A, B, E

Meta fields allow grouping of devices across ADOMs for reporting.

Why this answer

Option A is correct because meta fields in FortiAnalyzer allow you to tag devices with custom attributes, which can then be used as filters when generating compliance reports. This enables the report to include logs from multiple FortiGates across different ADOMs by filtering based on the meta field value, rather than being restricted to a single ADOM's scope.

Exam trap

The trap here is that candidates often assume that logs from different ADOMs must be aggregated into a single ADOM or use device groups, but FortiAnalyzer's meta fields and ADOM scope selection provide a more flexible and secure method for cross-ADOM reporting without compromising ADOM boundaries.

89 · MCQ · hard

An administrator configures VDOMs on a FortiGate and assigns port1 to VDOM-A and port2 to VDOM-B. The administrator then creates a firewall policy in VDOM-A to allow traffic from port1 to the VDOM link. Traffic from VDOM-A to VDOM-B is still failing. What is the most likely missing configuration?

A. An inter-VDOM routing policy under system settings
B. A policy in VDOM-B allowing traffic from the VDOM link to port2
C. A static route in VDOM-A pointing to VDOM-B's subnet
D. A VDOM link connecting VDOM-A and VDOM-B

Answer: D

The VDOM link is required for inter-VDOM communication.

Why this answer

The most likely missing configuration is a VDOM link, which is the logical interconnecting interface required to route traffic between VDOMs. Without a VDOM link, VDOM-A and VDOM-B are isolated from each other, and no firewall policy or route can forward traffic between them. The administrator must create a VDOM link (e.g., using the 'config system vdom-link' command) to establish the Layer 3 adjacency needed for inter-VDOM communication.

Exam trap

The trap here is that candidates often assume a firewall policy alone is sufficient for inter-VDOM traffic, overlooking the mandatory requirement of a VDOM link to create the logical path between VDOMs before any policy or route can be applied.

How to eliminate wrong answers

Option A is wrong because an inter-VDOM routing policy is not a valid configuration object under system settings; inter-VDOM routing is achieved via VDOM links and policies, not a separate routing policy. Option B is wrong because while a policy in VDOM-B is eventually required to permit traffic from the VDOM link to port2, the immediate missing element is the VDOM link itself—without it, no traffic can reach VDOM-B to even be evaluated by a policy. Option C is wrong because a static route in VDOM-A pointing to VDOM-B's subnet is unnecessary until the VDOM link is created and the next-hop interface (the VDOM link) is defined; the route cannot function without the link.

90 · MCQ · medium

In FortiManager, an administrator wants to apply a set of firewall policies to multiple FortiGates in different ADOMs. The policies must be centrally managed. What is the best approach?

A. Use the Global ADOM to define global policies that apply to all ADOMs
B. Create a policy package in each ADOM and use the same policies
C. Configure the policies directly on each FortiGate
D. Use automation stitches to copy policies between ADOMs

Answer: A

Global ADOM policies are inherited by all ADOMs, providing central management.

Why this answer

The Global ADOM in FortiManager allows administrators to define firewall policies that are automatically inherited by all ADOMs, ensuring consistent, centrally managed policy enforcement across multiple FortiGates without manual duplication. This approach leverages FortiManager's hierarchical policy model, where global policies are pushed to each ADOM's policy packages and take precedence over local policies unless overridden.

Exam trap

The trap here is that candidates often confuse the Global ADOM with a simple 'global policy' feature, not realizing it is a dedicated administrative domain with its own policy database and inheritance rules, leading them to choose option B (manual duplication) or D (automation stitches) as workarounds.

How to eliminate wrong answers

Option B is wrong because creating a policy package in each ADOM with the same policies duplicates configuration effort and defeats centralized management, as each ADOM's policies must be individually maintained and pushed. Option C is wrong because configuring policies directly on each FortiGate bypasses FortiManager's centralized control, leading to configuration drift and no single source of truth. Option D is wrong because automation stitches are designed for event-triggered actions (e.g., dynamic responses), not for replicating static policy sets between ADOMs, and they lack the inheritance and revision control of Global ADOM policies.

91 · Multi-Select · medium

An administrator is planning a FortiManager deployment to manage multiple FortiGates with multiple VDOMs. The administrator wants to use ADOMs to separate configurations. Which TWO statements about ADOMs are correct? (Choose two.)

A. ADOMs support revision history for tracking configuration changes
B. Regular ADOMs can only contain devices with a single VDOM
C. A Global ADOM can manage all VDOMs on a managed FortiGate
D. Policy packages in an ADOM can be shared across different ADOMs
E. ADOMs cannot be renamed after creation

Answers: A, C

Each ADOM maintains its own revision history for managed devices/VDOMs.

Why this answer

Option A is correct because ADOMs in FortiManager maintain a revision history for each managed device or VDOM, allowing administrators to track configuration changes over time, compare revisions, and roll back to previous states if needed. This revision control is essential for auditing and troubleshooting in multi-VDOM environments.

Exam trap

The trap here is that candidates often assume regular ADOMs can only contain single-VDOM devices (Option B) because of the word 'regular,' but FortiManager allows multi-VDOM devices to be split across ADOMs or grouped together, and the Global ADOM is specifically designed for cross-VDOM management.

92 · Multi-Select · hard

An administrator wants to ensure that traffic between two VDOMs on the same FortiGate is properly inspected. Which THREE configurations must be in place?

A. Inspection profiles applied to the policies
B. Enable SSL inspection on the inter-VDOM link interface
C. A firewall policy in each VDOM permitting traffic across the link
D. An inter-VDOM link between the VDOMs
E. Static routes on both VDOMs pointing to the inter-VDOM link

Answers: A, C, D

Why this answer

Option A is correct because inspection profiles (such as antivirus, web filtering, and IPS) must be explicitly applied to the firewall policies that govern traffic traversing the inter-VDOM link. Without these profiles, the FortiGate will forward traffic between VDOMs based solely on the policy action (accept/deny) without performing any deep packet inspection, leaving the traffic unexamined for threats. This is a fundamental requirement for UTM inspection in a multi-VDOM architecture.

Exam trap

The trap here is that candidates often assume SSL inspection must be enabled on the inter-VDOM link interface itself, but FortiGate requires SSL inspection to be configured as part of the inspection profile applied to the firewall policy, not on the interface.

93 · MCQ · hard

An organization uses FortiManager to manage multiple FortiGate devices in a Security Fabric. The administrator wants to push a new firewall policy that includes an FQDN address object. Which statement is true regarding FQDN objects in FortiManager policies?

A. FQDN objects must be defined on each managed FortiGate individually
B. The FQDN resolution is done automatically every 60 seconds by FortiManager
C. FortiManager resolves the FQDN to IP addresses at installation time and updates the policy accordingly
D. FQDN objects cannot be used in policies pushed from FortiManager

Answer: C

This ensures the FortiGate has the resolved IPs.

Why this answer

When an administrator pushes a policy containing an FQDN address object from FortiManager, FortiManager resolves the FQDN to its current IP addresses at installation time. The resolved IPs are then written into the policy on the managed FortiGate, ensuring the policy is immediately effective without requiring the FortiGate to perform DNS resolution. This behavior is specific to FortiManager-managed policies and differs from locally configured FQDN objects on FortiGate.

Exam trap

The trap here is that candidates confuse FortiManager's installation-time resolution with FortiGate's built-in FQDN caching and periodic re-resolution (default 60 seconds), leading them to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because FQDN objects can be defined centrally in FortiManager and pushed to multiple FortiGates, eliminating the need for individual definition on each device. Option B is wrong because FortiManager does not perform automatic FQDN resolution every 60 seconds; resolution occurs only at installation time, and subsequent updates require a re-install or a scheduled policy push. Option D is wrong because FQDN objects are fully supported in policies pushed from FortiManager, with the resolution handled during installation as described.

94 · MCQ · easy

An administrator wants to ensure that all traffic from VDOM 'Guest' is logged to a FortiAnalyzer that is managed by FortiManager. What must be configured in FortiManager to achieve this?

A. Enable FortiView on the FortiGate
B. Configure a log forwarding policy in the Global ADOM
C. Create an automation stitch to forward logs
D. Configure the VDOM's log settings and assign the device to an ADOM with log forwarding enabled

Answer: D

Proper log settings on the VDOM and correct ADOM configuration ensure logs are sent to FortiAnalyzer.

Why this answer

Option D is correct because FortiManager manages log forwarding at the ADOM level. To forward logs from a specific VDOM (Guest) to FortiAnalyzer, the administrator must configure the VDOM's log settings to send logs to FortiAnalyzer and assign the FortiGate to an ADOM that has log forwarding enabled. This ensures that logs from the Guest VDOM are properly forwarded to the FortiAnalyzer managed by FortiManager.

Exam trap

The trap here is that candidates often confuse log forwarding with automation stitches or global policies, thinking that a global setting or event-triggered action can replace the need for per-VDOM log configuration within an ADOM.

How to eliminate wrong answers

Option A is wrong because enabling FortiView on the FortiGate only provides local traffic visualization and does not forward logs to FortiAnalyzer; FortiView is a monitoring tool, not a log forwarding mechanism. Option B is wrong because a log forwarding policy in the Global ADOM applies to all VDOMs globally, not specifically to the Guest VDOM, and it does not handle per-VDOM log forwarding granularity. Option C is wrong because an automation stitch is used for automated responses to events (e.g., triggering scripts or sending alerts), not for forwarding logs to FortiAnalyzer; log forwarding is configured via log settings and ADOM policies.

95 · MCQ · hard

A FortiGate has VDOMs enabled. An administrator runs 'get system status' and sees only one VDOM listed. However, the administrator configured two VDOMs earlier. What is the most likely cause?

A. The second VDOM was deleted by another administrator
B. VDOM mode is not enabled globally
C. The second VDOM has a different name and is hidden due to a bug
D. The command only shows the management VDOM; use 'config vdom' to see all

Answer: D

'get system status' displays only the current VDOM (usually management). To list all VDOMs, use 'show vdom' or 'config vdom'.

Why this answer

When VDOMs are enabled, the 'get system status' command displays only the management VDOM (the VDOM from which the administrator is currently logged in). To see all configured VDOMs, the administrator must use the 'config vdom' command followed by 'show' or 'get system status' within the global context. Option D correctly identifies this behavior, as the second VDOM is not deleted or hidden by a bug; it simply is not shown by that command.

Exam trap

The trap here is that candidates assume 'get system status' shows all configured VDOMs, when in fact it only displays the current management VDOM, leading them to incorrectly suspect deletion, misconfiguration, or a bug.

How to eliminate wrong answers

Option A is wrong because if the second VDOM had been deleted by another administrator, the 'config vdom' command would also show only one VDOM, but the question states the administrator configured two VDOMs earlier, and the issue is specifically with the output of 'get system status', not with the actual existence of the VDOM. Option B is wrong because if VDOM mode were not enabled globally, the 'get system status' command would not show any VDOM at all, and the administrator would not be able to configure VDOMs; the fact that one VDOM is listed indicates VDOM mode is enabled. Option C is wrong because there is no known bug in FortiOS that hides a VDOM due to its name; the 'get system status' command consistently shows only the current management VDOM, regardless of naming.

96 · MCQ · hard

An administrator configures FortiAnalyzer to receive logs from multiple FortiGates. They want to create a report that shows only incidents involving 'critical' severity and specific attack types. Which FortiAnalyzer feature allows the administrator to define such a custom report?

A. Incident management
B. Playbooks
C. FortiView dashboards
D. Report datasets and charts

Answer: D

Datasets define the data source and filters; charts visualize it.

Why this answer

Option D is correct: FortiAnalyzer reports use SQL-like queries and dataset definitions to filter and aggregate log data based on severity, attack type, etc.

97 · MCQ · medium

An administrator is troubleshooting a scenario where FortiAnalyzer is not receiving logs from a FortiGate. The FortiGate shows 'log-fortianalyzer setting status: disconnected'. Which step should be taken first to resolve this?

A. Check the FortiGate's DNS resolution for the FortiAnalyzer hostname
B. Verify that the FortiGate can reach the FortiAnalyzer IP address and that the FortiAnalyzer service is running
C. Restart the FortiGate's logging service
D. Disable and re-enable logging to FortiAnalyzer

Answer: B

Connectivity is the most basic check; ping and service status should be verified first.

Why this answer

The 'disconnected' status indicates that the FortiGate cannot establish a TCP connection to the FortiAnalyzer. The first step is to verify basic Layer 3 reachability (ping) and that the FortiAnalyzer service is listening on the default port (TCP 514 or 3000 for encrypted). Without confirming these, further troubleshooting is premature.

Exam trap

The trap here is that candidates often jump to reconfiguring logging or restarting services (options C or D) without first verifying the most fundamental Layer 3 connectivity and service availability, which is the logical starting point for any 'disconnected' status.

How to eliminate wrong answers

Option A is wrong because DNS resolution is only relevant if the FortiGate is configured to use a hostname instead of an IP address; the status 'disconnected' points to a connectivity or service issue, not name resolution. Option C is wrong because restarting the FortiGate's logging service does not address underlying network or server-side problems; it only restarts the local logging daemon. Option D is wrong because disabling and re-enabling logging to FortiAnalyzer merely toggles the configuration without fixing the root cause of the disconnection; it is a reactive step that should be taken only after connectivity and service status are confirmed.

98
MCQhard

An organization is deploying multiple FortiGate devices across different geographic locations. The central IT team manages all devices from a single FortiManager. The remote FortiGates connect to FortiManager over a WAN link. Which feature should be enabled on FortiManager to ensure that configuration changes are applied consistently and without interruption to the remote FortiGates?

A.Enable auto-link configuration on the FortiManager
B.Use the 'Install on Next Reboot' option in the install wizard
C.Use 'Install Wizard' with 'Immediate Install' option
D.Enable 'Configuration Override' on the managed FortiGates
AnswerB

This ensures changes are applied after reboot, avoiding disruption.

Why this answer

Option B is correct because the 'Install on Next Reboot' option ensures that configuration changes are staged on the remote FortiGate and applied atomically when the device reboots. This prevents partial or inconsistent application over an unreliable WAN link, as the FortiManager pushes the full configuration revision to the device, which then applies it during the boot process without requiring a persistent management session.

Exam trap

The trap here is that candidates often choose 'Immediate Install' (Option C) thinking it is the fastest method, but they overlook the risk of configuration corruption or incomplete application over an unreliable WAN link, which 'Install on Next Reboot' specifically avoids.

How to eliminate wrong answers

Option A is wrong because 'auto-link configuration' is not a standard FortiManager feature; the correct term is 'auto-link' for FortiGate interfaces, not for configuration deployment. Option C is wrong because 'Immediate Install' attempts to apply changes in real time over the WAN, which can cause interruptions or partial updates if the link is unstable or the device reboots mid-install. Option D is wrong because 'Configuration Override' allows a managed FortiGate to reject or overwrite FortiManager policies, which would defeat the purpose of consistent centralized management.

99
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A.The session is a UDP session for DNS
B.The session is in a half-open state (SYN_RCVD)
C.The session is blocked because duration exceeds the timeout
D.The session has been active for 1 hour and will expire in approximately 1 hour
AnswerD

Why this answer

Option D is correct because the output shows 'duration=3600' and 'expire=3599', meaning the session has been active for 3600 seconds (1 hour) and will expire in 3599 seconds (approximately 1 hour). The 'proto=6' indicates TCP, and 'proto_state=01' is the TCP state code for an established connection (ESTABLISHED), not a half-open state. This is a normal, healthy session.

Exam trap

The trap here is that candidates confuse 'proto_state=01' with a half-open state (like SYN_RCVD) or misinterpret the 'duration' and 'expire' fields as indicating a blocked or expired session, when in fact they show a normal established TCP session with remaining lifetime.

How to eliminate wrong answers

Option A is wrong because 'proto=6' indicates TCP (protocol number 6), not UDP (protocol 17), and DNS typically uses UDP port 53, not TCP port 443. Option B is wrong because 'proto_state=01' represents the TCP ESTABLISHED state (SYN_SENT/SYN_RCVD states are '02' or '03' in FortiOS), so the session is fully connected, not half-open. Option C is wrong because the session is not blocked; the 'expire' counter shows the remaining time before timeout, and the duration (3600 seconds) is well within typical TCP session timeouts (default 3600 seconds for FortiGate), so no blocking occurs.

100
Multi-Selecthard

A company has a FortiGate with multiple VDOMs. The security team wants to use FortiManager to manage policies centrally. Which three steps are necessary to set up VDOM management via FortiManager? (Choose three.)

Select 3 answers
A.Enable VDOMs on the FortiGate and configure them for FortiManager management
B.Configure a static route on FortiManager to reach the FortiGate's management IP
C.Disable VDOM configuration locking on FortiManager
D.Add the FortiGate to FortiManager and assign it an appropriate ADOM
E.Ensure the FortiGate can reach the FortiManager server (network connectivity)
AnswersA, D, E

VDOMs must be enabled and each VDOM's management must be set to FortiManager.

Why this answer

Option A is correct because VDOMs must be enabled on the FortiGate and each VDOM must be configured to allow FortiManager management. This is done by setting the 'set vdom mgmt' parameter within each VDOM or globally, which permits FortiManager to push policy and object changes to the specific VDOM context. Without this step, FortiManager cannot authenticate or communicate with the VDOMs, even if the device is added to the ADOM.

Exam trap

The trap here is that candidates often assume FortiManager needs a static route to the FortiGate, but in reality the FortiGate must initiate the FGFM tunnel, so network connectivity must be from the FortiGate to FortiManager, not the other way around.

101
MCQmedium

A network admin is deploying a FortiGate in transparent mode to inspect traffic between two Layer 2 switches. Which of the following statements about transparent mode is correct?

A.Transparent mode can only inspect traffic in one VLAN
B.Transparent mode requires an IP address on each interface for management purposes
C.Transparent mode supports NAT policies
D.Transparent mode requires VDOMs to be enabled
AnswerB

Management IPs are configured on the interfaces or a dedicated management VLAN. Traffic forwarding uses MAC addresses.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge and does not require IP addresses on its interfaces for forwarding traffic. However, to manage the device (e.g., via SSH, HTTPS, or SNMP), an IP address must be assigned to each interface or to a management VLAN. This allows administrative access while the firewall remains invisible to the Layer 2 network.

Option B correctly identifies this requirement.

Exam trap

The trap here is that candidates often assume transparent mode requires no IP addresses at all, forgetting that management access still needs an IP, or they confuse transparent mode with Layer 3 mode where NAT is commonly used.

How to eliminate wrong answers

Option A is wrong because transparent mode can inspect traffic across multiple VLANs using VLAN subinterfaces or by bridging multiple VLANs, as long as the FortiGate is configured with the appropriate VLAN tags. Option C is wrong because transparent mode does not support NAT policies; NAT is a Layer 3 function and transparent mode operates at Layer 2, so NAT is not available. Option D is wrong because VDOMs are not required for transparent mode; transparent mode can be enabled on a standalone FortiGate without VDOMs, though VDOMs can be used to segment management domains if desired.

102
MCQhard

A FortiGate administrator is troubleshooting a scenario where users in VDOM-1 cannot reach a server in VDOM-2. Inter-VDOM routing is configured using a VDOM link. The administrator checks the session table and sees that packets are arriving on the VDOM link interface but are not being forwarded. What is the MOST likely cause?

A.The VDOM link is in the wrong VDOM
B.A firewall policy is blocking the traffic from the VDOM link to the destination
C.The routing table in VDOM-1 does not have a default route
D.The VDOM link is not administratively up
AnswerB

Traffic entering a VDOM must match a policy. If no policy permits the traffic, it is dropped. The session table would show the packet arriving but no forward decision.

Why this answer

When packets arrive on the VDOM link interface but are not forwarded, the issue is typically a missing or misconfigured firewall policy in the destination VDOM (VDOM-2). Even though inter-VDOM routing is correctly set up via the VDOM link, FortiGate requires an explicit firewall policy in the destination VDOM to permit traffic from the VDOM link interface to the destination server. Without this policy, the FortiGate drops the packets after routing, which matches the symptom of packets arriving but not being forwarded.

Exam trap

The trap here is that candidates assume inter-VDOM routing bypasses firewall policies, but FortiGate still enforces policies in each VDOM, so a missing policy in the destination VDOM is the most likely cause when packets arrive but are not forwarded.

How to eliminate wrong answers

Option A is wrong because if the VDOM link were in the wrong VDOM, packets would not even arrive on the VDOM link interface in VDOM-2; the link would be misassociated, causing a different failure mode. Option C is wrong because the routing table in VDOM-1 does not need a default route; it only needs a route to the destination subnet in VDOM-2, which is typically provided by the VDOM link configuration or static routes, and the symptom of packets arriving on the VDOM link interface indicates routing is working. Option D is wrong because if the VDOM link were not administratively up, the interface would be down and packets would not arrive on it at all; the symptom explicitly states packets are arriving, ruling out this cause.

103
MCQeasy

A FortiGate administrator notices that after installing a new policy package from FortiManager, the firewall policies on the managed FortiGate do not match what was configured in FortiManager. What feature should the administrator use to review the exact changes before committing?

A.Revision history
B.Device manager log
C.Install preview
D.Policy consistency check
AnswerC

Install preview generates the CLI script that will be pushed to the device, allowing review.

Why this answer

Option C, Install preview, is correct because it allows the administrator to review the exact configuration changes that FortiManager will push to the managed FortiGate before the changes are committed. This feature compares the current running configuration on the FortiGate with the intended policy package in FortiManager and displays a detailed diff of additions, deletions, and modifications. It is specifically designed to prevent unexpected policy mismatches by providing a pre-commit review step.

Exam trap

The trap here is that candidates often confuse Revision history (which shows past snapshots) with the pre-commit review feature, but Revision history does not show the pending changes that will be applied in the next install operation.

How to eliminate wrong answers

Option A is wrong because Revision history shows past configuration snapshots on FortiManager, not the pending changes about to be installed. Option B is wrong because Device manager log records historical events and errors, not a pre-commit diff of policy changes. Option D is wrong because Policy consistency check compares policies between FortiGates or against a baseline, but does not show the exact changes that will be applied during an install operation.

104
Multi-Selectmedium

A FortiGate administrator wants to use FortiAnalyzer to generate reports on traffic patterns for each VDOM separately. Which TWO configuration steps are required? (Choose two.)

Select 2 answers
A.Configure each VDOM to send logs to a different FortiAnalyzer
B.Disable logging on the FortiGate system
C.Enable per-VDOM logging on the FortiGate
D.Create separate ADOMs for each VDOM on FortiAnalyzer
E.Configure log forwarding from each VDOM to FortiAnalyzer
AnswersC, E

This adds a VDOM identifier to logs.

Why this answer

Option C is correct because per-VDOM logging must be enabled on the FortiGate to allow each VDOM to generate its own independent log stream. Without this setting, all VDOMs share a single log stream, making it impossible to separate traffic patterns per VDOM on FortiAnalyzer. Option E is correct because log forwarding from each VDOM to FortiAnalyzer is required to send the per-VDOM logs to the FortiAnalyzer for reporting.

Exam trap

The trap here is that candidates often confuse per-VDOM logging (a FortiGate setting) with ADOMs (a FortiAnalyzer setting), and incorrectly select Option D as a required step on the FortiGate, when in fact ADOMs are configured solely on FortiAnalyzer.

105
Multi-Selecthard

A FortiGate administrator is troubleshooting an issue where certain traffic is not being logged despite having a firewall policy with logging enabled. The administrator checks the policy and confirms logging is set to 'All Sessions'. Which THREE reasons could explain why the traffic is not being logged?

Select 3 answers
A.The log disk is full
B.The traffic is denied by a local-in policy
C.The log device (FortiAnalyzer or syslog) is not reachable and the FortiGate is configured to drop logs when the remote server is unavailable
D.The traffic is hardware-accelerated and not sent to the CPU for logging
E.The FortiGate is experiencing high session rate and logging is rate-limited
AnswersC, D, E

If the log destination is unreachable, the FortiGate may discard logs if configured to do so.

Why this answer

Option C is correct because when a FortiGate is configured to drop logs when the remote logging server (FortiAnalyzer or syslog) is unreachable, the logs are discarded locally rather than queued or buffered. This behavior is controlled by the 'log-drop-packet' setting or the 'reliable' vs 'unreliable' logging mode, and if the remote server is down, the logs never leave the FortiGate, resulting in no logging despite the policy being set to log all sessions.

Exam trap

The trap here is that candidates often assume a full disk or unreachable log server will always cause log loss, but FortiGate's behavior depends on specific configuration settings like log rotation and reliable logging mode, which are explicitly tested in the NSE7 exam.

106
Matchingmedium

Match each FortiGate authentication method to its protocol.


Concepts

Lightweight Directory Access Protocol

Remote Authentication Dial-In User Service

Terminal Access Controller Access-Control System Plus

Fortinet Single Sign-On

Public Key Infrastructure

Why these pairings

These are authentication methods supported on FortiGate.

107
MCQmedium

A FortiGate is operating in transparent mode and is deployed in an enterprise network. The administrator needs to apply a security policy to control traffic between two VLANs. What is a key consideration when configuring policies in transparent mode?

A.Transparent mode does not support firewall policies
B.The policy is applied to the Layer 2 interface where the traffic enters
C.The policy must be applied to the management IP address
D.Policies must be configured using MAC addresses only
AnswerB

In transparent mode, traffic is bridged, and policies are applied on ingress interfaces.

Why this answer

In transparent mode, the FortiGate acts as a Layer 2 bridge, and security policies are applied to the ingress interface where traffic enters the device. This allows the firewall to filter traffic between VLANs based on Layer 3 and Layer 4 criteria without requiring IP addresses on the interfaces, as the device is transparent to the network.

Exam trap

The trap here is that candidates often assume transparent mode policies must be based on MAC addresses or that the management IP is used for policy matching, but FortiGate transparent mode policies work identically to route mode policies except for the absence of NAT and routing.

How to eliminate wrong answers

Option A is wrong because transparent mode fully supports firewall policies, including stateful inspection, just like NAT/route mode, but without routing. Option C is wrong because the management IP address is used only for administrative access (e.g., SSH, HTTPS) and is not involved in policy matching for transit traffic; policies are applied to data interfaces. Option D is wrong because transparent mode policies can use IP addresses, ports, and other Layer 3/4 criteria, not just MAC addresses; MAC addresses are only relevant for Layer 2 features like MAC-based policies or transparent proxy.

108
Multi-Selecteasy

A FortiGate administrator needs to use FortiManager to deploy a new security policy to all firewalls in a specific ADOM. Which two steps are part of the installation process? (Choose two.)

Select 2 answers
A.Configure revision history to track changes
B.Run the install preview to see the changes that will be applied
C.Select the target devices and click 'Install'
D.Create a new ADOM for the policy package
E.Enable automation stitches to push the policy
AnswersB, C

Install preview shows the differences between the current and new configuration.

Why this answer

Option B is correct because the install preview in FortiManager allows the administrator to review the exact configuration changes (adds, deletes, modifications) that will be pushed to the target devices before committing the installation. This step is critical to avoid unintended policy disruptions, as it shows a diff of the policy package against the current device configuration. Option C is correct because selecting target devices and clicking 'Install' is the final manual step that triggers the actual deployment of the policy package to the chosen firewalls within the ADOM.

Exam trap

The trap here is that candidates often confuse the 'install preview' (a read-only verification step) with the actual 'install' action, or they mistakenly think that revision history or automation stitches are mandatory prerequisites for deploying a policy package.

109
Multi-Selectmedium

A FortiGate administrator is planning a multi-VDOM deployment for a service provider. Which TWO statements are true about VDOM limitations and best practices?

Select 2 answers
A.There is no limit to the number of VDOMs supported
B.All VDOMs must share the same routing table
C.It is recommended to use a dedicated management VDOM
D.Each VDOM can have its own independent administrator accounts
E.VDOMs cannot operate in transparent mode
AnswersC, D

Best practice to separate management traffic.

Why this answer

Option C is correct because using a dedicated management VDOM is a best practice in multi-VDOM deployments. It isolates administrative traffic (e.g., HTTPS, SSH, SNMP) from data-plane VDOMs, ensuring that management access remains available even if a data VDOM fails or is misconfigured. This also simplifies auditing and RBAC by centralizing admin access without exposing production traffic.

Exam trap

The trap here is that candidates often assume VDOMs share a routing table or that transparent mode is unsupported, but FortiGate allows full routing isolation and both Layer 2 and Layer 3 operation per VDOM.

110
MCQmedium

An enterprise deploys a FortiGate in transparent mode to bridge two broadcast domains. The administrator needs to apply a web filter to HTTP traffic between these domains. Which configuration is required?

A.Apply the web filter profile directly to the bridge interface
B.Configure a security policy with source and destination interfaces as the bridge, action ACCEPT, and a web filter profile
C.Enable web filtering globally under Config -> Features
D.Create a policy with action SET_PERMIT and enable web filtering
AnswerB

Correct.

Why this answer

In transparent mode, FortiGate bridges traffic at Layer 2, so security policies must use the bridge interface as both source and destination. Option B correctly configures a security policy with source and destination interfaces set to the bridge, action ACCEPT, and a web filter profile applied. This allows the FortiGate to inspect HTTP traffic between the two broadcast domains and apply the web filter.

Exam trap

The trap here is that candidates often think web filter profiles can be applied directly to interfaces (like in NAT/route mode) or that global settings enable filtering, but in transparent mode, all Layer 7 inspection must be configured via security policies with the bridge interface as both source and destination.

How to eliminate wrong answers

Option A is wrong because web filter profiles cannot be applied directly to a bridge interface; they must be applied via a security policy. Option C is wrong because web filtering is not enabled globally under Config -> Features; it is enabled per policy or per profile, and the 'Features' menu is for toggling feature visibility, not for enabling web filtering. Option D is wrong because SET_PERMIT is not a valid action in FortiGate security policies; the correct action is ACCEPT, and the web filter profile is applied within the policy, not as a separate action.

111
MCQmedium

A FortiManager administrator wants to deploy a policy package that contains shared header and footer policies across multiple devices. How should these policies be configured in FortiManager?

A.Define the policies in the ADOM's default policy package
B.Configure the policies as header/footer policies within the policy package
C.Create a global policy package and assign it to all devices
D.Use the 'install preview' feature to merge policies
AnswerB

Header/footer policies are defined in the policy package and applied universally.

Why this answer

In FortiManager, header and footer policies are specifically designed to be shared across multiple devices within a policy package. By configuring them as header/footer policies, the administrator ensures that these common rules are applied consistently at the top and bottom of the device-specific policy tables, while the middle policies can vary per device. This is the correct method for deploying shared policies without duplicating them in each device's policy set.

Exam trap

The trap here is that candidates often confuse header/footer policies with global policy packages or assume that the default policy package can serve the same purpose, but FortiManager's architecture explicitly separates these concepts to enforce policy ordering and sharing.

How to eliminate wrong answers

Option A is wrong because the ADOM's default policy package is a starting template for new devices, not a mechanism for sharing header/footer policies across already deployed devices; it does not enforce shared policies at the top or bottom of the policy table. Option C is wrong because FortiManager does not support a 'global policy package' that spans ADOMs or devices; policy packages are ADOM-scoped and header/footer policies are the intended feature for sharing policies across multiple devices within the same ADOM. Option D is wrong because the 'install preview' feature is used to review and validate changes before installation, not to merge or share policies across devices.

112
MCQeasy

In FortiManager, what is the difference between a Global ADOM and a regular ADOM?

A.Global ADOM allows sharing of global objects across all ADOMs
B.Regular ADOM supports automation stitches while Global ADOM does not
C.Regular ADOM can only manage one FortiGate
D.Global ADOM is used for managing FortiGates in a single VDOM environment
AnswerA

Global ADOM provides a central repository for common objects.

Why this answer

In FortiManager, a Global ADOM is a special administrative domain that stores global objects (such as address objects, services, and policies) that can be shared and referenced by all regular ADOMs. This centralizes management of common resources, reducing duplication and ensuring consistency across multiple ADOMs. Regular ADOMs are isolated from each other by default, but they can import objects from the Global ADOM, which is the key distinction.

Exam trap

The trap here is that candidates often confuse the Global ADOM with a 'super ADOM' that manages devices, when in fact its sole purpose is to share objects, not to manage devices or VDOMs directly.

How to eliminate wrong answers

Option B is wrong because automation stitches are supported in both Global ADOM and regular ADOMs; there is no restriction that Global ADOM lacks this feature. Option C is wrong because a regular ADOM can manage multiple FortiGates, not just one; it is a logical grouping that can contain many devices. Option D is wrong because a Global ADOM is not used for managing FortiGates in a single VDOM environment; it is used for sharing objects across ADOMs, regardless of VDOM configuration.

113
MCQmedium

A FortiManager administrator wants to push policy package changes to a managed FortiGate, but wants to see what changes will be applied before committing. Which FortiManager feature should the administrator use?

A.Install preview
B.Meta fields
C.Automation stitch
D.Revision history
AnswerA

Why this answer

Install preview is the correct feature because it allows the administrator to simulate the installation of policy package changes on a managed FortiGate without actually applying them. This provides a detailed diff of what will be added, modified, or removed, enabling verification before committing the changes. It is specifically designed for pre-commit validation in FortiManager's centralized management workflow.

Exam trap

The trap here is that candidates confuse revision history (which shows past changes) with install preview (which shows future changes), leading them to select revision history as a way to see pending changes.

How to eliminate wrong answers

Option B is wrong because meta fields are used to store custom metadata (e.g., location, contact) for objects like policies or devices, not to preview pending changes. Option C is wrong because automation stitches trigger automated responses based on events (e.g., interface down), not for previewing policy package installations. Option D is wrong because revision history allows viewing and comparing past configuration backups, but it does not show what changes will be applied in the next commit; it is retrospective, not prospective.

114
MCQeasy

In FortiManager, what is an automation stitch?

A.A feature to stitch multiple ADOMs together
B.A set of scripts that run on a schedule
C.A method to combine multiple policy packages
D.A sequence of automated actions triggered by a specific event
AnswerD

Why this answer

Option D is correct because an automation stitch in FortiManager is a sequence of automated actions (such as running scripts, sending alerts, or executing CLI commands) that are triggered by a specific event (e.g., a log message, an SNMP trap, or a schedule). This allows administrators to automate incident response and policy changes without manual intervention, directly within the FortiManager fabric.

Exam trap

The trap here is that candidates confuse automation stitches with simple scheduled scripts (Option B), but the key distinction is that stitches are event-driven and can include multiple conditional actions, not just time-based execution.

How to eliminate wrong answers

Option A is wrong because ADOM stitching is not a feature; ADOMs (Administrative Domains) are separate management domains that cannot be stitched together—they are isolated by design. Option B is wrong because while automation stitches can include scheduled scripts, they are not merely a set of scripts that run on a schedule; they are event-driven sequences that can also be triggered by logs, SNMP traps, or other events. Option C is wrong because combining multiple policy packages is done via policy package import/export or policy objects, not through automation stitches, which focus on automated actions rather than policy merging.

115
MCQmedium

A multi-tenant FortiGate uses VDOMs. The administrator notices that logins via SSH to the management VDOM succeed, but attempts to SSH to a traffic VDOM's management IP fail. The traffic VDOM has an administrative user configured. What is the most likely cause?

A.The traffic VDOM does not have a license
B.The traffic VDOM is in transparent mode
C.The admin user is not in the correct trust group
D.SSH access is not enabled on the traffic VDOM's management interface
AnswerD

Administrative access protocols must be enabled per interface per VDOM.

Why this answer

Option D is correct because SSH access to a VDOM's management IP requires that the management interface explicitly permits SSH administrative access. In a multi-tenant FortiGate with VDOMs, each VDOM's management interface has its own independent administrative access settings. Even if the admin user exists and the VDOM is licensed, SSH will be rejected if the management interface does not have SSH access enabled under config system interface or via the GUI.

The fact that SSH to the management VDOM succeeds but fails to the traffic VDOM's management IP points directly to this per-interface access control.

Exam trap

The trap here is that candidates assume a configured admin user and a valid management IP are sufficient for SSH access, overlooking the per-interface administrative access control that must be explicitly enabled.

How to eliminate wrong answers

Option A is wrong because VDOM licensing is required for the VDOM to operate, but it does not affect SSH access to the management IP; an unlicensed VDOM would not forward traffic but would still allow administrative access. Option B is wrong because transparent mode VDOMs still support SSH management access to their management IP; the mode does not disable SSH. Option C is wrong because trust groups are used for RADIUS or LDAP authentication and are not relevant to local admin users; a local admin user configured in the VDOM does not require a trust group.

116
MCQmedium

An administrator is configuring a firewall policy on a FortiGate in transparent mode. The policy should allow HTTP traffic from internal users to the internet. Which source and destination addresses should be used in the policy?

A.Source: all, Destination: all
B.Source: the FortiGate's management IP, Destination: the web server's IP
C.Source: internal subnet, Destination: external subnet
D.Source: internal MAC addresses, Destination: external MAC addresses
AnswerA

In transparent mode, the policy can use 'all' for source/destination since the FortiGate does not have IP addresses in the path; it inspects all bridged traffic.

Why this answer

In transparent mode, the FortiGate operates as a Layer 2 bridge and does not route traffic based on IP addresses. Therefore, firewall policies must use 'all' for both source and destination addresses because the FortiGate does not see the original source or destination IPs—it only sees MAC addresses and forwards frames transparently. Using specific IP subnets would break the policy as the FortiGate cannot match Layer 3 addresses in this mode.

Exam trap

The trap here is that candidates mistakenly apply NAT/routed mode logic to transparent mode, assuming they must specify IP subnets, when in fact transparent mode requires 'all' because the FortiGate operates at Layer 2 and does not see IP addresses for policy matching.

How to eliminate wrong answers

Option B is wrong because the FortiGate's management IP is only used for administrative access, not for forwarding user traffic; using it as the source would block all HTTP traffic from internal users. Option C is wrong because transparent mode does not perform IP routing, so specifying internal and external subnets would cause the policy to never match—the FortiGate cannot see Layer 3 addresses in the forwarded traffic. Option D is wrong because while transparent mode uses MAC addresses for forwarding, firewall policies in FortiOS do not support MAC address-based source/destination matching; policies are based on interfaces and IP addresses (or 'all').

117
MCQhard

Refer to the exhibit. A FortiGate is connected to the Security Fabric and registered with FortiManager. However, the administrator notices that the FortiGate is not receiving policy updates from FortiManager. What is the most likely cause?

A. The Fabric Root serial number is incorrect
B. The FortiGate is not registered with FortiManager
C. The policy package on FortiManager is not assigned to the correct device group or policy target
D. The Security Fabric is not fully connected
Answer: C

The device is in a fabric group, but policy must be assigned to that group.

Why this answer

Option C is correct because FortiManager uses policy packages that must be explicitly assigned to a device group or specific FortiGate. Even if the FortiGate is registered and part of the Security Fabric, if the policy package is not assigned to the correct device group or policy target, the FortiGate will not receive policy updates. This is a common misconfiguration where the policy package exists but is not linked to the device.

Exam trap

The trap here is that candidates assume registration and Fabric connectivity guarantee policy updates, but FortiManager requires explicit policy package assignment to the device group or policy target, which is a separate configuration step.

How to eliminate wrong answers

Option A is wrong because the Fabric Root serial number is used for Security Fabric topology discovery and does not affect FortiManager policy push; a mismatch would break Fabric connectivity, not policy updates. Option B is wrong because the scenario explicitly states the FortiGate is registered with FortiManager, so this option contradicts the given information. Option D is wrong because the Security Fabric being not fully connected would impact Fabric services like topology sharing, but FortiManager policy updates use a direct management tunnel (port 541/TCP) independent of Fabric connectivity.

118
MCQ · medium

An administrator deploys a FortiGate in transparent mode within a Layer 2 network. They apply a firewall policy with an antivirus profile to inspect traffic between two VLANs. What is a key characteristic of transparent mode that affects policy application?

A. NAT is automatically applied to all traffic to preserve private IP addresses
B. Firewall policies are applied only to traffic entering the management interface
C. Each VDOM in transparent mode requires a unique IP address for management
D. Traffic is forwarded based on MAC addresses, and policies are applied transparently without changing the IP path
Answer: D

Transparent mode operates at Layer 2, so IP routing is not used.

Why this answer

In transparent mode, FortiGate operates as a Layer 2 bridge, forwarding traffic based on MAC addresses rather than IP addresses. This allows firewall policies, including antivirus inspection, to be applied to traffic between VLANs without modifying the IP path or requiring NAT, ensuring seamless integration into existing Layer 2 networks.

Exam trap

The trap here is that candidates often assume transparent mode requires NAT or IP-based routing changes, but the key is that it operates purely at Layer 2, forwarding based on MAC addresses and applying policies without altering the IP path.

How to eliminate wrong answers

Option A is wrong because NAT is not automatically applied in transparent mode; NAT is a Layer 3 function and transparent mode operates at Layer 2, preserving the original IP addresses. Option B is wrong because firewall policies in transparent mode are applied to traffic passing through the FortiGate interfaces, not just the management interface; the management interface is used for administrative access only. Option C is wrong because VDOMs in transparent mode do not require a unique IP address for management; each VDOM can share the management IP or use a dedicated IP, but it is not a mandatory characteristic that affects policy application.

119
Multi-Select · easy

An administrator wants to use FortiAnalyzer to generate reports for compliance. Which two data sources can be included in a FortiAnalyzer report? (Choose two.)

Select 2 answers
A. Log data from FortiGate
B. Traffic statistics from FortiView
C. Routing table information from routers
D. Configuration backups from FortiManager
E. User authentication logs from LDAP servers
Answers: A, B

Log data is the primary source for reports.

Why this answer

FortiAnalyzer reports are built from log data collected from FortiGate devices, which includes traffic logs, event logs, and security logs. This log data is the primary source for compliance reporting because it provides detailed records of network activity. FortiView traffic statistics are also a valid data source, as they aggregate real-time and historical traffic data from FortiGate logs, allowing reports to include graphical summaries and top-talker information.

Exam trap

The trap here is that candidates assume FortiAnalyzer can directly ingest data from any network source (like routers or LDAP servers), but it only processes logs forwarded from FortiGate devices or other Fortinet products that support log forwarding, not arbitrary external systems.

120
MCQ · medium

An administrator configures two FortiGate units in an active-passive HA cluster. During a failover test, the administrator notices that the secondary unit becomes primary but the session table is empty, causing all existing connections to drop. Which configuration change should be made to preserve session information during failover?

A. Enable FGCP configuration synchronization
B. Configure dead gateway detection on the FortiGate units
C. Enable link-failover on the monitored interfaces
D. Enable session pickup and configure HA session synchronization
Answer: D

Session pickup synchronizes session tables between cluster members.

Why this answer

Option D is correct because session pickup and HA session synchronization are specifically designed to replicate the session table from the primary FortiGate to the secondary unit in an active-passive cluster. Without this feature, the secondary unit becomes primary but has no knowledge of existing sessions, causing all active connections to drop. Enabling session synchronization ensures that session state information is continuously mirrored to the standby unit, allowing seamless failover without disrupting established flows.

Exam trap

The trap here is that candidates often confuse configuration synchronization (which is automatic and covers settings) with session synchronization (which must be explicitly enabled), leading them to incorrectly select option A thinking it preserves sessions.

How to eliminate wrong answers

Option A is wrong because FGCP configuration synchronization (enabled by default in HA clusters) only synchronizes configuration changes, not the dynamic session table; it does not preserve active sessions during failover. Option B is wrong because dead gateway detection is a network monitoring feature used to detect upstream gateway failures and trigger route changes, not a mechanism for replicating session state between HA units. Option C is wrong because link-failover on monitored interfaces triggers a failover when a monitored interface goes down, but it does not address the preservation of session information; the session table remains empty on the standby unit unless session synchronization is enabled.

121
MCQ · medium

A network admin runs `diagnose sys session filter dport 443` and sees the following output:

`proto=6 proto_state=01 duration=3600 expire=3599`

What does this indicate?

A. The session was established 1 hour ago and will expire in about 1 hour
B. The session is using UDP port 443
C. The session is for HTTP traffic and has 3599 seconds left
D. The session is for HTTPS traffic and is halfway through its expected lifetime
Answer: A

Duration=3600 seconds (1 hour), expire=3599 seconds (almost 1 hour remaining). Total session lifetime is about 2 hours.

Why this answer

The output shows `duration=3600`, meaning the session has been active for 3600 seconds (1 hour), and `expire=3599`, meaning the session will expire in 3599 seconds (approximately 1 hour). The `proto=6` indicates TCP (protocol 6), and `proto_state=01` corresponds to TCP state ESTABLISHED. Therefore, the session was established 1 hour ago and will expire in about 1 hour, making option A correct.

Exam trap

The trap here is that candidates often misinterpret `expire=3599` as the total session lifetime rather than the remaining time until expiry, leading them to incorrectly calculate the session's age or remaining duration.

How to eliminate wrong answers

Option B is wrong because `proto=6` indicates TCP, not UDP (which is protocol 17). Option C is wrong because `proto=6` and `dport 443` indicate HTTPS (TCP/443), not HTTP (which typically uses port 80), and the session has 3599 seconds left, not 3599 seconds total lifetime. Option D is wrong because while the session is for HTTPS traffic (TCP/443), the duration and expire values show it is at the beginning of its lifetime (3600 seconds elapsed, 3599 seconds remaining), not halfway through.

122
MCQ · hard

A FortiGate administrator receives an error when trying to create a new VDOM: 'Maximum number of VDOMs reached.' However, the FortiGate model supports more VDOMs. What could be the issue?

A. The VDOM license is not installed or is expired
B. The administrator is in the wrong VDOM context
C. The FortiGate is in transparent mode
D. The FortiGate needs a firmware upgrade
Answer: A

VDOM licenses are required to create additional VDOMs beyond the base limit.

Why this answer

The error 'Maximum number of VDOMs reached' occurs when the FortiGate attempts to exceed the licensed VDOM count, even if the hardware model supports more. FortiGate VDOM licensing is enforced via a separate license file; without a valid, non-expired license, the device restricts VDOM creation to the default (often 1 or 2) or previously licensed limit. This is a common issue when a license has expired or was never installed.

Exam trap

The trap here is that candidates assume the error is due to a hardware limitation or configuration mode, but Fortinet specifically tests the distinction between hardware capability and software licensing enforcement.

How to eliminate wrong answers

Option B is wrong because being in the wrong VDOM context would not generate a 'Maximum number of VDOMs reached' error; it would instead cause a permission or scope issue when trying to create a VDOM from a non-root or non-admin VDOM. Option C is wrong because transparent mode does not limit the maximum number of VDOMs; VDOMs can be created in both transparent and NAT modes, and the error is unrelated to the operational mode. Option D is wrong because a firmware upgrade does not increase the licensed VDOM limit; the limit is enforced by the license, not the firmware version. A firmware upgrade might be needed to support newer license formats, but the error message specifically points to a licensing issue.

123
MCQ · medium

An organization uses FortiManager to manage multiple FortiGates. A junior admin accidentally deleted a critical firewall policy on one device and the change was auto-installed. How can the senior admin revert the device to the previous configuration?

A. Delete the ADOM and recreate it
B. Go to Device Manager -> Revision History and restore the previous revision
C. Use the 'restore' command on FortiManager
D. Manually recreate the policy on the FortiGate
Answer: B

Revision history stores configuration snapshots that can be restored.

Why this answer

FortiManager maintains revision history for managed devices. The admin can restore a previous revision to revert the configuration.

124
MCQ · medium

An administrator configures inter-VDOM routing between VDOM-A and VDOM-B using a VDOM link. After configuration, traffic from VDOM-A cannot reach VDOM-B. Which configuration step is MOST likely missing?

A. Create a firewall policy on VDOM-A and VDOM-B allowing traffic over the VDOM link interface
B. Enable 'inter-vdom-routing' under system settings
C. Configure a static route on VDOM-A pointing to VDOM-B's subnet via the VDOM link
D. Assign both VDOM link interfaces to the same VDOM
Answer: A

Each VDOM must have a policy allowing traffic to/from the VDOM link interface, similar to any other interface.

Why this answer

VDOM links are special inter-VDOM interfaces that require firewall policies on both VDOMs to permit traffic. Without a policy on VDOM-A and VDOM-B that allows traffic over the VDOM link interface, packets will be dropped by the implicit deny rule. This is the most common missing step when inter-VDOM routing fails.

Exam trap

The trap here is that candidates often assume static routes or a global inter-VDOM routing toggle are required, overlooking that VDOM links function like physical interfaces and need firewall policies to permit traffic.

How to eliminate wrong answers

Option B is wrong because 'inter-vdom-routing' is not a configurable setting under system settings; inter-VDOM routing is inherently enabled when VDOMs are enabled and a VDOM link is created. Option C is wrong because static routes are not strictly required if the VDOM link is used as a transit link and the destination subnet is directly connected; the missing firewall policy is the primary issue. Option D is wrong because assigning both VDOM link interfaces to the same VDOM would defeat the purpose of inter-VDOM routing, as the link is designed to connect two different VDOMs.

125
MCQ · easy

What is the maximum number of VDOMs supported on a FortiGate 600F (assuming license)?

A. 10
B. 50
C. 500
D. 100
Answer: C

FortiGate 600F supports up to 500 VDOMs with license.

Why this answer

The FortiGate 600F, when properly licensed, supports up to 500 VDOMs. This is because the 600F is a mid-range enterprise appliance designed for large-scale multi-tenant environments, and its hardware resources (CPU, memory, and NP7 processors) are provisioned to handle the control-plane and data-plane overhead of up to 500 virtual domains. The license unlocks the VDOM feature, but the maximum count is a hardware-imposed limit, not a software cap.

Exam trap

The trap here is that candidates often confuse the default unlicensed limit (10 VDOMs) with the licensed maximum, or they assume the 600F shares the same VDOM limit as the 400F (100 VDOMs), failing to recognize that the 600F is a higher-spec model with a 500-VDOM ceiling.

How to eliminate wrong answers

Option A (10) is wrong because 10 VDOMs is the default unlicensed limit on many FortiGate models, but the 600F with a license supports far more. Option B (50) is wrong because 50 VDOMs is the maximum for lower-end models like the FortiGate 100F/200F, not the 600F. Option D (100) is wrong because 100 VDOMs is the limit for some mid-range models (e.g., FortiGate 400F), but the 600F is a higher-tier platform with a maximum of 500 VDOMs.

126
Multi-Select · easy

An administrator is troubleshooting a VPN tunnel that fails to establish. The administrator has verified that pre-shared keys match and phase 1 parameters are correct. Which TWO additional items should be checked?

Select 2 answers
A. NAT traversal configuration
B. Firewall policies allowing UDP 500 and 4500
C. The phase 2 proposal
D. The NTP server configuration
E. The FortiGate's hostname
Answers: A, B

Why this answer

NAT traversal (NAT-T) is required when a VPN tunnel passes through a device performing Network Address Translation (NAT). NAT-T encapsulates ESP packets inside UDP 4500 to avoid issues with NAT modifying IP headers. Even if phase 1 parameters match, without NAT-T enabled on both peers, the tunnel may fail to establish if a NAT device is detected between them.

Exam trap

The trap here is that candidates often assume phase 2 parameters must be checked first, but the question specifies the tunnel fails to establish, meaning phase 1 has not completed, so phase 2 is irrelevant at this stage.

127
MCQ · medium

An administrator notices that after making changes to a policy package in FortiManager, the 'Install Preview' shows that the changes will modify policies on a FortiGate. However, the admin wants to verify what the exact changes will be before installing. What should the admin do?

A. Check the 'Audit Log' for recent changes
B. Run 'diagnose dvm device list' on FortiManager
C. Use the 'Revision History' to compare the current configuration with the previous version
D. Use the 'Install Preview' and then click 'View Details' on each device
Answer: C

Revision history allows comparing configurations to see exact changes.

Why this answer

Option C is correct because the Revision History feature in FortiManager allows an administrator to compare the current configuration of a policy package with a previous version, showing a detailed diff of exactly which policies will be added, removed, or modified. This provides a precise verification of changes before installation, unlike the Install Preview which only indicates that changes exist without showing the specific modifications.

Exam trap

The trap here is that candidates confuse the Install Preview's summary of changes (which only indicates that modifications exist) with the detailed comparison provided by Revision History, leading them to select Option D without realizing it lacks the granular diff needed to verify exact policy changes.

How to eliminate wrong answers

Option A is wrong because the Audit Log records administrative actions (e.g., who made changes and when) but does not show a side-by-side comparison of policy configurations or the exact modifications to individual policies. Option B is wrong because 'diagnose dvm device list' is a diagnostic command used to display the list of managed devices and their synchronization status, not to compare policy changes. Option D is wrong because the Install Preview's 'View Details' option only shows a summary of which objects will be installed (e.g., policy count changes) but does not provide a granular diff of the actual policy lines or attributes that will be modified.

128
MCQ · medium

An administrator has configured a FortiGate HA cluster with two units. The cluster uses a virtual cluster for load balancing in active-active mode. The administrator notices that traffic from one VDOM is not being load-balanced and is only handled by one unit. What is the most likely cause?

A. Session pickup is disabled
B. The HA priority is set to 0 on the secondary unit
C. The VDOM is not assigned to any virtual cluster
D. The management interface is not configured on the VDOM
Answer: C

VDOMs must be assigned to a virtual cluster for load balancing.

Why this answer

In an active-active HA cluster with virtual clusters, each VDOM must be explicitly assigned to a virtual cluster to participate in load balancing. If a VDOM is not assigned to any virtual cluster, it defaults to being handled only by the primary unit, regardless of the cluster mode. This explains why traffic from that VDOM is not load-balanced.

Exam trap

The trap here is that candidates often assume active-active mode automatically load-balances all traffic across both units, overlooking the requirement that each VDOM must be explicitly assigned to a virtual cluster to enable load balancing for that VDOM.

How to eliminate wrong answers

Option A is wrong because session pickup is a feature for synchronizing existing sessions after failover, not a prerequisite for load balancing traffic across units in active-active mode. Option B is wrong because setting HA priority to 0 on the secondary unit would make it a standby unit, but the question states the cluster is in active-active mode, where both units should actively forward traffic; priority 0 would prevent load balancing entirely, not just for one VDOM. Option D is wrong because the management interface configuration is unrelated to VDOM traffic forwarding or load balancing; it only affects administrative access to the VDOM.

129
MCQ · easy

Which FortiManager feature allows an administrator to roll back a policy package to a previous version?

A. Install preview
B. Revision history
C. Device manager
D. Automation stitch
Answer: B

Revision history allows an administrator to view and restore previous versions of policy packages or device configurations.

Why this answer

Option B is correct. Revision history stores previous versions of policy packages, allowing rollback. Install preview shows pending changes but does not roll back.

130
Multi-Select · medium

A company uses FortiManager to manage multiple FortiGates. The admin wants to use a global ADOM to manage certain policies across all devices while allowing local customization. Which two statements about global ADOM are true? (Choose two.)

Select 2 answers
A. Header/footer policies can only be configured in the global ADOM
B. Global ADOM supports per-device policy objects
C. Regular ADOMs can import policy packages from the global ADOM
D. Global ADOM requires a separate FortiManager license
E. Global ADOM policies are installed on all managed FortiGates in all ADOMs
Answers: A, C

Header and footer policies are typically defined in the global ADOM to enforce consistent security baselines.

Why this answer

Option A is correct because header and footer policies are global constructs that can only be created and managed within the global ADOM. These policies are automatically applied to all policy packages across all regular ADOMs, ensuring consistent enforcement at the top and bottom of the policy list without local modification.

Exam trap

The trap here is that candidates often assume global ADOM policies are automatically installed on all devices, but in reality they only apply to policy packages that are explicitly imported from the global ADOM into a regular ADOM.

131
MCQ · medium

A network admin configures inter-VDOM routing between two VDOMs on a FortiGate. The admin creates a firewall policy in VDOM A allowing traffic to VDOM B, but traffic is still not passing. What additional step is required?

A. Configure a static route in VDOM B pointing back to VDOM A
B. Enable inter-VDOM routing under config system global
C. Assign the inter-VDOM link to both VDOMs
D. Create a firewall policy in VDOM B to permit the traffic from VDOM A
Answer: D

Inter-VDOM traffic requires policies on both VDOMs to allow the session. Without the return policy, the session is blocked.

Why this answer

Inter-VDOM routing on a FortiGate requires firewall policies in both VDOMs to permit traffic in both directions. Even if VDOM A has a policy allowing traffic to VDOM B, VDOM B must have a corresponding policy to allow the return traffic or the initial traffic from VDOM A to be processed. Without this, the FortiGate drops the packets due to asymmetric policy enforcement.

Exam trap

The trap here is that candidates assume a single firewall policy in the source VDOM is sufficient, but FortiGate requires policies in both VDOMs for inter-VDOM traffic to pass, mirroring the behavior of separate physical firewalls.

How to eliminate wrong answers

Option A is wrong because static routes are not inherently required for inter-VDOM routing; the inter-VDOM link is a direct connection, and routing is handled automatically if the link is configured correctly. Option B is wrong because inter-VDOM routing is enabled by default on FortiGate and does not require a global command; the relevant setting, 'set inter-vdom-routing enable' under config system global, is already enabled by default. Option C is wrong because the inter-VDOM link is automatically assigned to both VDOMs when created; no additional assignment step is needed.

132
Multi-Select · hard

An administrator uses FortiManager automation stitches to respond to an incident. The stitch includes a trigger, one or more actions, and conditions. Which THREE components are valid action types in an automation stitch?

Select 3 answers
A. CLI script execution
B. Remote script execution
C. FortiGate reboot
D. Email notification
E. FortiAnalyzer report generation
Answers: A, B, D

CLI scripts can be run on managed devices.

Why this answer

CLI script execution is a valid action type in FortiManager automation stitches because it allows the administrator to run a predefined CLI script on a managed FortiGate device directly from the stitch. This enables automated configuration changes or troubleshooting commands in response to a trigger, such as blocking an IP address after an intrusion detection event.

Exam trap

The trap here is that candidates may confuse 'remote script execution' with local device actions like reboot, or assume FortiAnalyzer integration is an action type, when in fact automation stitches only support CLI scripts, remote scripts, and email notifications as valid action types.

133
MCQ · easy

What is the purpose of a Global ADOM in FortiManager?

A. To store backup configurations only
B. To manage all FortiGates in a single VDOM
C. To share common objects and policies across multiple ADOMs
D. To replace the root ADOM for system settings
Answer: C

Global ADOM allows sharing of objects like address objects, services, and policies across ADOMs.

Why this answer

A Global ADOM in FortiManager is a special administrative domain that stores objects and policies shared across multiple regular ADOMs. This allows administrators to define common objects (e.g., address groups, services, schedules) once in the Global ADOM and then reference them in per-ADOM policies, ensuring consistency and reducing duplication. It does not replace the root ADOM, nor is it limited to backups or single-VDOM management.

Exam trap

The trap here is that candidates often confuse the Global ADOM with the root ADOM or think it is for backup purposes, when in fact it is specifically designed for sharing objects and policies across multiple ADOMs to enforce consistency in multi-tenant or multi-region deployments.

How to eliminate wrong answers

Option A is wrong because the Global ADOM is not for storing backup configurations; backups are handled separately via the system backup feature or the CLI. Option B is wrong because the Global ADOM does not manage all FortiGates in a single VDOM; it manages shared objects across multiple ADOMs, each of which can contain multiple VDOMs. Option D is wrong because the Global ADOM does not replace the root ADOM for system settings; the root ADOM remains the administrative domain for system-level configuration (e.g., system admin, HA, firmware), while the Global ADOM focuses on shared policy objects.

134
MCQ · easy

A network engineer is configuring a FortiGate HA cluster with two FortiGate 100F units in active-passive mode. The engineer wants to use VDOMs to separate guest and corporate traffic. After initial setup, the engineer configures two VDOMs: 'guest' and 'corp'. Both VDOMs have interfaces assigned. The HA status shows 'synchronized'. However, the engineer notices that traffic from the corporate network is not being forwarded correctly. Pings from the corporate LAN to the internet fail. The guest network works fine. The engineer checks the routing table on the active unit and sees that the default route is present in the 'corp' VDOM. What is the most likely cause of the issue?

A. The interface assigned to the corp VDOM is administratively down.
B. The default route in the corp VDOM has an incorrect gateway IP address.
C. The HA cluster must be in active-active mode for VDOMs to work.
D. The VDOM link between the root VDOM and corp VDOM is not configured.
Answer: B

If the gateway IP is wrong, traffic will not be forwarded, even though the route is present in the routing table.

Why this answer

The most likely cause is an incorrect gateway IP address in the default route for the 'corp' VDOM. Since the guest VDOM works correctly, the HA cluster and VDOM configuration are functional, and the issue is isolated to the corporate VDOM's routing. A misconfigured next-hop IP would prevent traffic from reaching the internet, even though the route itself is present in the routing table.

Exam trap

The trap here is that candidates may assume the issue is with HA synchronization or VDOM links, but the fact that one VDOM works and the other does not points directly to a per-VDOM configuration error, such as an incorrect default route gateway.

How to eliminate wrong answers

Option A is wrong because if the interface were administratively down, the 'corp' VDOM would not have a working link, but the engineer would typically see the interface status as 'down' in the GUI or CLI, and the default route would not be relevant; the issue is specifically with forwarding, not interface state. Option C is wrong because VDOMs work in both active-passive and active-active HA modes; there is no requirement for active-active mode to use VDOMs. Option D is wrong because VDOM links are only needed for inter-VDOM routing, not for forwarding traffic from a VDOM to the internet; the 'corp' VDOM has its own interfaces and default route, so a VDOM link is not required for this scenario.

135
MCQ · medium

An administrator is configuring a FortiGate in transparent mode for an enterprise network. The existing gateway firewall must remain in place. How should the administrator configure the FortiGate's interfaces to ensure minimal disruption?

A. Enable VDOMs and separate the interfaces into different VDOMs
B. Place both interfaces in the same VDOM and assign a shared management IP
C. Assign each interface a unique IP address on different subnets
D. Use 802.1Q trunking on a single physical interface
Answer: B

Transparent mode requires both interfaces to be in the same VDOM with a single management IP.

Why this answer

In transparent mode, FortiGate acts as a Layer 2 bridge, so both interfaces must belong to the same VDOM and share a single management IP to allow administrative access without breaking the Layer 2 path. This configuration ensures the existing gateway firewall remains in place and traffic flows uninterrupted, as the FortiGate does not perform routing between its interfaces.

Exam trap

The trap here is that candidates often assume transparent mode requires unique IPs on each interface (like in NAT/route mode), leading them to choose Option C, but in transparent mode all interfaces share a single management IP to maintain Layer 2 transparency.

How to eliminate wrong answers

Option A is wrong because enabling VDOMs and separating interfaces into different VDOMs would break the Layer 2 bridging required in transparent mode, causing traffic to be routed between VDOMs and disrupting the existing gateway firewall. Option C is wrong because assigning each interface a unique IP address on different subnets would force the FortiGate to route between them, which is incompatible with transparent mode's Layer 2 operation and would disrupt the existing network topology. Option D is wrong because 802.1Q trunking on a single physical interface is used for VLAN segmentation in NAT/route mode, not for transparent mode, and does not provide the required Layer 2 bridge between two separate interfaces.

136
MCQ · medium

A FortiGate administrator wants to use FortiManager to manage multiple FortiGates in different geographic regions. To isolate configuration changes, the administrator creates separate ADOMs for each region. Which type of ADOM should be used to allow some common objects (like address groups) to be shared across all regions?

A. Per-Device ADOM
B. Global ADOM
C. Regular ADOM
D. Meta ADOM
Answer: B

Global ADOM objects are available to all regular ADOMs.

Why this answer

The Global ADOM is designed to store and share common objects, such as address groups, policies, and schedules, across all ADOMs in a FortiManager deployment. When an administrator creates separate ADOMs for each region, the Global ADOM acts as a central repository for objects that need to be consistent everywhere, allowing per-region ADOMs to reference these shared objects without duplicating them. This ensures configuration isolation for region-specific settings while maintaining a single source of truth for global resources.

Exam trap

The trap here is that candidates often confuse 'Global ADOM' with 'Regular ADOM' or assume that a 'Per-Device ADOM' can be configured to share objects, when in fact only the Global ADOM provides a centralized, cross-ADOM object repository in FortiManager.

How to eliminate wrong answers

Option A is wrong because a Per-Device ADOM is used when each managed FortiGate requires its own independent ADOM with no sharing of objects, which defeats the purpose of sharing common objects across regions. Option C is wrong because a Regular ADOM (also called a per-ADOM ADOM) is the default type that isolates all objects within that ADOM and does not inherently support sharing objects with other ADOMs; it would require manual duplication or import/export to share objects. Option D is wrong because Meta ADOM is not a valid ADOM type in FortiManager; the correct term is 'Global ADOM' for cross-ADOM object sharing, and 'Meta ADOM' is a distractor that does not exist in the FortiManager architecture.

137
MCQ · medium

A FortiGate administrator needs to manage multiple FortiGate devices centrally. They want to deploy policy packages from FortiManager to specific VDOMs on each device. Which FortiManager object must be configured first?

A.Device Group
B.Install Preview
C.Policy Package
D.Administrative Domain (ADOM)
Answer: D

ADOMs provide the logical grouping for devices and VDOMs.

Why this answer

The Administrative Domain (ADOM) is the top-level container in FortiManager that defines the management boundary for a set of FortiGate devices and their VDOMs. Before you can create or assign policy packages to specific VDOMs on managed devices, you must first configure the ADOM to enable multi-tenancy and VDOM-level management. Without an ADOM, FortiManager cannot isolate or target individual VDOMs for policy deployment.

Exam trap

The trap here is that candidates often think a Policy Package (Option C) is the first object to configure, overlooking that FortiManager requires the ADOM to be set up first to establish the management scope and VDOM mapping before any policy package can be created or linked to a specific VDOM.

How to eliminate wrong answers

Option A is wrong because a Device Group is a logical grouping of FortiGate devices used for bulk operations or installation targets, but it does not provide the necessary VDOM-level isolation or management context required to deploy policy packages to specific VDOMs. Option B is wrong because Install Preview is a verification step that shows the changes to be installed after a policy package has been configured and assigned; it is not a prerequisite object. Option C is wrong because a Policy Package contains the firewall policies and objects, but it cannot be created or assigned to a specific VDOM until the ADOM is configured to define the management domain and enable VDOM-level policy targeting.

138
MCQ · hard

An administrator configures an automation stitch in FortiManager to execute a CLI script on a FortiGate when a specific event is triggered. The automation stitch is enabled but does not run when the event occurs. What is the most likely cause?

A.The event trigger is set to high severity only
B.The FortiGate does not support automation stitches
C.The automation stitch has not been installed to the FortiGate
D.The CLI script contains an invalid command
Answer: C

Automation stitches must be installed (pushed) to the FortiGate before they become active.

Why this answer

Option C is correct because in FortiManager, automation stitches are created and stored in the central management database but must be explicitly installed to the managed FortiGate via the 'Install Wizard' or a direct policy/object install. Until the stitch is installed, the FortiGate does not have the configuration locally, so even if the stitch is enabled in FortiManager and the event occurs, the FortiGate will not execute the CLI script. This is a common oversight where administrators assume enabling the stitch in FortiManager automatically pushes it to the device.

Exam trap

The trap here is that candidates assume enabling the automation stitch in FortiManager is sufficient for it to run on the FortiGate, overlooking the critical step of installing the configuration to the managed device, which is a common point of failure in centralized management workflows.

How to eliminate wrong answers

Option A is wrong because the event trigger in FortiManager can be configured for any severity level (low, medium, high, or any), and by default triggers are not restricted to high severity only; even if the trigger were set to high severity only, the stitch would still run whenever an event matched that severity, so this would not prevent the stitch from running entirely. Option B is wrong because FortiGate devices running FortiOS 6.0 or later fully support automation stitches, and the question states the stitch is configured in FortiManager, implying the FortiGate is a supported model. Option D is wrong because an invalid command in the CLI script would cause the script to fail during execution, not prevent the automation stitch from being triggered; the stitch would still run and attempt to execute the script, but the script would produce an error.

139
Multi-Select · medium

A FortiGate administrator is configuring a multi-VDOM deployment. The administrator wants to use a single physical interface for multiple VDOMs. Which TWO methods allow this?

Select 2 answers
A.Use the same physical interface in multiple VDOMs directly
B.Use NP6 virtual interfaces (e.g., virtual wire) on supported models
C.Configure VLAN subinterfaces and assign each to a different VDOM
D.Create a software switch interface and assign it to multiple VDOMs
E.Configure inter-VDOM routing to share the same IP subnet
Answers: B, C

Some FortiGate models with NP6 processors support virtual interfaces that can be assigned to different VDOMs.

Why this answer

Option B is correct because on supported FortiGate models with NP6 processors, you can create NP6 virtual interfaces (e.g., virtual wire pairs) that allow a single physical interface to be shared across multiple VDOMs without VLAN tagging. Option C is correct because VLAN subinterfaces can be created on a physical interface and each subinterface assigned to a different VDOM, enabling multi-VDOM use of the same physical port.

Exam trap

The trap here is that candidates often assume a physical interface can be directly shared among VDOMs (Option A), not realizing that FortiGate requires either VLAN subinterfaces or NP6 virtual interfaces to achieve this separation.

140
Multi-Select · easy

A FortiGate administrator is planning to use policy packages in FortiManager to manage firewall policies for multiple devices. Which TWO statements about policy packages are true?

Select 2 answers
A.Header and footer policies can be used to enforce common rules across all policies
B.Policy packages are automatically applied to the device upon creation
C.Policy packages cannot include NAT policies
D.A policy package can be shared among multiple FortiGate devices
E.A policy package can contain policies for different VDOMs
Answers: A, D

Header policies are processed first, footer policies last, allowing consistent enforcement.

Why this answer

Options A and D are correct. Policy packages can be shared across multiple devices of the same type (e.g., FortiGate) within the same ADOM. Header and footer policies allow common policy rules (like logging or NAT) to be applied consistently across all policies in the package.

141
MCQ · hard

An administrator runs 'diagnose debug application fnbam 3' and sees many entries with state 'sctp'. The FortiGate has flow-based inspection enabled. What is being indicated?

A.Traffic is being fast-forwarded without security profile inspection
B.The FortiGate is performing SCTP deep inspection
C.The FortiGate is using proxy-based inspection
D.There is an SCTP-based attack in progress
Answer: A

fnbam entries with 'sctp' indicate sessions that bypass full scanning.

Why this answer

The 'diagnose debug application fnbam 3' command shows the FortiGate's flow-based Network Processor (NPU) session offload status. When entries show state 'sctp', it indicates that the traffic is being handled by the SCTP (Session Control Traffic Path) fast-path, meaning the session is offloaded to the NPU for hardware acceleration and bypasses security profile inspection. This is normal for flow-based inspection when traffic matches fast-path criteria, not an indication of SCTP protocol inspection or attacks.

Exam trap

The trap here is that candidates see 'sctp' and immediately think of the Stream Control Transmission Protocol (SCTP) rather than recognizing it as a FortiGate-specific acronym for 'Session Control Traffic Path' in the NPU offload context.

How to eliminate wrong answers

Option B is wrong because SCTP deep inspection would require explicit SCTP inspection profiles and would show different debug states (e.g., 'deep_inspect'), not 'sctp' in fnbam output. Option C is wrong because proxy-based inspection would show states like 'proxy' or 'deep' in fnbam debug, not 'sctp', and the question explicitly states flow-based inspection is enabled. Option D is wrong because 'sctp' state in fnbam indicates normal fast-path offloading, not an attack; attack indicators would appear in IPS logs or as 'drop' states, not as 'sctp'.

142
MCQ · medium

An administrator runs 'diagnose sys session filter dport 443' and sees 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

A.The session is a UDP flow
B.The session is in TCP SYN_SENT state
C.The session will expire in 3599 milliseconds
D.The session has been idle for 3600 seconds
Answer: B

proto_state=01 is TCP SYN_SENT.

Why this answer

The output shows 'proto=6', which is TCP (protocol 6), and 'proto_state=01', which in FortiGate's session table indicates the TCP SYN_SENT state (the first step of the three-way handshake). The 'duration=3600' means the session has been alive for 3600 seconds, and 'expire=3599' means it will expire in 3599 seconds if no further packets are seen. Therefore, the session is in the TCP SYN_SENT state, making option B correct.

Exam trap

The trap here is that candidates confuse 'duration' with idle time or misinterpret 'expire' as milliseconds, when in fact FortiGate uses seconds for both and 'proto_state=01' is a direct indicator of the TCP SYN_SENT state.

How to eliminate wrong answers

Option A is wrong because 'proto=6' explicitly indicates TCP, not UDP (UDP is protocol 17). Option C is wrong because the 'expire' value is in seconds, not milliseconds; 3599 seconds remain before the session times out. Option D is wrong because 'duration=3600' represents the total time the session has existed since creation, not idle time; idle time is tracked separately via the 'idle' field in the session dump.

143
MCQ · medium

An administrator configures inter-VDOM routing between VDOMs A and B using a VDOM link. The administrator can ping from VDOM A to an interface in VDOM B, but traffic from VDOM B to VDOM A times out. What is the most likely cause?

A.VDOM B has no traffic VDOM capability
B.The route back to the source subnet is missing in VDOM A
C.The firewall policy in VDOM B is blocking traffic
D.The VDOM link's MTU is set too high
Answer: B

For traffic from B to A to succeed, VDOM A must have a route back to the source subnet. Without it, return traffic is dropped.

Why this answer

The correct answer is B because inter-VDOM routing requires a route in both directions. Since the administrator can ping from VDOM A to VDOM B, the forward path works, but the return traffic from VDOM B to VDOM A fails due to a missing route back to the source subnet in VDOM A. This is a classic asymmetric routing issue where the destination VDOM (A) does not know how to reach the source subnet of VDOM B.

Exam trap

The trap here is that candidates assume a successful ping in one direction implies full bidirectional connectivity, overlooking that each VDOM maintains an independent routing table and the return path must be explicitly configured.

How to eliminate wrong answers

Option A is wrong because VDOMs do not have a 'traffic VDOM capability' setting; all VDOMs can forward traffic by default, and the ability to ping in one direction proves VDOM B is capable of processing traffic. Option C is wrong because if a firewall policy in VDOM B were blocking traffic, the ping from VDOM A to VDOM B would also fail, as the policy would block the forward direction as well. Option D is wrong because an MTU mismatch would cause fragmentation issues or packet drops for large packets, but ICMP echo requests and replies are typically small and would not be affected by a high MTU setting; moreover, the symptom is a complete timeout, not partial or intermittent failure.

144
MCQ · easy

A network administrator is configuring VDOMs on a FortiGate and wants to separate management traffic from production data traffic. What is the best practice when using a management VDOM?

A.Disable management access on all VDOMs except the root VDOM
B.Use inter-VDOM routing to route management traffic to the root VDOM
C.Create a dedicated management VDOM and assign only management interfaces to it
D.Assign all interfaces to the management VDOM
Answer: C

This isolates management traffic.

Why this answer

Creating a dedicated management VDOM and assigning only management interfaces to it is the best practice because it isolates management traffic from production data traffic, reducing the attack surface and preventing management access from being exposed to untrusted networks. This aligns with Fortinet's security best practices for VDOM administration, ensuring that management functions are logically separated from data-plane operations.

Exam trap

The trap here is that candidates often confuse the root VDOM's default management role with a best-practice isolation strategy, assuming that disabling management on other VDOMs is sufficient, when in fact a dedicated management VDOM provides true separation and is the recommended approach in the NSE7 curriculum.

How to eliminate wrong answers

Option A is wrong because disabling management access on all VDOMs except the root VDOM does not inherently separate management traffic from production data; the root VDOM itself may still carry production traffic, and this approach does not create a dedicated management plane. Option B is wrong because using inter-VDOM routing to route management traffic to the root VDOM mixes management and production traffic at the routing layer, defeating the purpose of isolation and introducing potential security risks. Option D is wrong because assigning all interfaces to the management VDOM would collapse all traffic—including production data—into the management domain, eliminating any separation and exposing management functions to production threats.

145
MCQ · medium

A FortiGate administrator wants to use FortiManager automation stitches to automatically block an IP address when a specific threat is detected. Which components must be configured within the automation stitch?

A.A trigger and a connector to an external threat feed
B.An action only, since the trigger is predefined
C.A trigger, at least one action, and optionally conditions
D.A schedule and a script
Answer: C

Trigger defines when to run; action defines what to do; conditions filter.

Why this answer

An automation stitch in FortiManager requires a trigger (e.g., an event or log match) to start the workflow, at least one action (e.g., a CLI script to block an IP via firewall address creation), and optionally conditions to filter when the trigger fires. This three-part structure is mandatory because the trigger defines the event, the action executes the response, and conditions provide granular control without which the stitch would fire on every trigger occurrence.

Exam trap

The trap here is that candidates assume the trigger is implicit or predefined (like a schedule) and only an action is needed, but FortiManager requires explicit trigger configuration even for event-based automation, and conditions are optional but often necessary to avoid false positives.

How to eliminate wrong answers

Option A is wrong because a connector to an external threat feed is not a required component of an automation stitch; the stitch uses a trigger (like a log event) and actions, not an external feed connector. Option B is wrong because the trigger is not predefined; the administrator must configure a trigger (e.g., event handler or schedule) and at least one action, so an action alone is insufficient. Option D is wrong because a schedule is only one type of trigger (time-based) and a script is one type of action; the stitch requires a trigger and action, but not exclusively a schedule and script—other triggers (e.g., event-based) and actions (e.g., email, webhook) are valid.

146
MCQ · easy

What is the purpose of a header policy in a FortiManager policy package?

A.To apply policies to the management VDOM
B.To create policies that bypass security profiles
C.To define policies that are inserted at the beginning of the policy list
D.To specify the name of the policy package
Answer: C

Header policies are placed at the top of the policy list in the target device.

Why this answer

A header policy in a FortiManager policy package is used to define policies that are inserted at the beginning of the policy list, before any other policies. This ensures that certain traffic matching criteria (e.g., from specific sources or to specific destinations) is evaluated first, which is critical for enforcing high-priority rules like allowlisting or blocking specific traffic before more general policies are applied.

Exam trap

The trap here is that candidates often confuse header policies with policies that bypass security profiles or think they apply only to the management VDOM, when in fact they are simply a mechanism to control policy order within any VDOM's policy list.

How to eliminate wrong answers

Option A is wrong because header policies apply to the policy list within a VDOM, not specifically to the management VDOM; the management VDOM is a separate administrative domain used for managing the FortiGate, not for applying traffic policies. Option B is wrong because header policies do not bypass security profiles; they are simply positioned at the top of the policy list and still enforce all configured security profiles (e.g., antivirus, IPS) unless explicitly disabled in the policy. Option D is wrong because the name of the policy package is defined when creating the package, not by a header policy; header policies are entries within the package, not a naming mechanism.

147
Multi-Select · medium

An administrator is troubleshooting an HA cluster issue. The cluster consists of two FortiGate units in active-passive mode. The passive unit is showing a 'heartbeat lost' error in the logs. Which TWO configuration checks should the administrator perform to resolve this issue?

Select 2 answers
A.Check that the HA password is the same on both units
B.Ensure the heartbeat interface is physically connected and has a valid IP address in the same subnet
C.Verify that HA override is enabled on both units
D.Confirm that the management interface IP addresses are on the same subnet
E.Verify that the heartbeat interface is configured identically on both units
Answers: B, E

Physical connectivity and IP configuration are necessary for heartbeat.

Why this answer

Option B is correct because the heartbeat interface must be physically connected and have a valid IP address on the same subnet for the two FortiGates to exchange HA heartbeat packets (typically UDP port 703). If the interface is down or the IPs are not in the same subnet, the passive unit will log 'heartbeat lost' and fail to maintain cluster synchronization.

Exam trap

The trap here is that candidates confuse the heartbeat interface's IP subnet requirement with the management interface IP subnet, leading them to incorrectly select Option D, while the actual issue is the heartbeat link's physical or IP connectivity.

148
MCQ · easy

An administrator wants to isolate tenant traffic in a single FortiGate by creating separate virtual firewalls with independent routing tables, administrators, and policies. Which feature should the administrator use?

A.Virtual Domains (VDOMs)
B.Policy-based routing (PBR)
C.Virtual Router Redundancy Protocol (VRRP)
D.Virtual LANs (VLANs)
Answer: A

Correct.

Why this answer

VDOMs (Virtual Domains) are the correct feature because they partition a single FortiGate into multiple independent virtual firewalls, each with its own routing table, administrator access, and security policies. This allows complete tenant isolation within one physical appliance, meeting the administrator's requirement for separate virtual firewalls with independent routing, administration, and policy control.

Exam trap

The trap here is confusing VLANs (Layer 2 segmentation) with VDOMs (Layer 3+ virtual firewall isolation), leading candidates to pick VLANs because they think network segmentation alone achieves tenant isolation, but VLANs lack independent routing tables and administrative domains.

How to eliminate wrong answers

Option B (Policy-based routing) is wrong because it only controls traffic forwarding based on policies, not creating separate virtual firewalls with independent routing tables and administrators. Option C (VRRP) is wrong because it provides high availability and redundancy between FortiGates, not isolation of tenant traffic within a single device. Option D (VLANs) is wrong because VLANs segment Layer 2 broadcast domains and can be used with VDOMs, but alone they do not provide independent routing tables, administrators, or security policies for each tenant.

149
MCQ · medium

An administrator runs 'diagnose debug vd case <vdom_name>' and receives the error 'VDOM not found'. The VDOM exists and is configured. What is the most likely cause?

A.The VDOM is a traffic VDOM and requires a different command
B.The VDOM is administratively disabled
C.The administrator is in the wrong VDOM context
D.The VDOM name is misspelled or has incorrect case
Answer: D

The debug command is case-sensitive and requires exact spelling.

Why this answer

The 'diagnose debug vd case' command is case-sensitive and expects the exact VDOM name as configured. Even if the VDOM exists, a mismatch in letter case (e.g., typing 'VDOM1' instead of 'vdom1') will cause the 'VDOM not found' error because the command performs a literal string comparison without case normalization.

Exam trap

The trap here is that candidates assume the error means the VDOM does not exist or is misconfigured, overlooking FortiOS's strict case sensitivity for VDOM names in CLI commands.

How to eliminate wrong answers

Option A is wrong because the 'diagnose debug vd case' command works for both traffic and management VDOMs; there is no separate command for traffic VDOMs. Option B is wrong because an administratively disabled VDOM still exists in the configuration and can be referenced by name; the command would not return 'VDOM not found' but would instead show the VDOM as disabled. Option C is wrong because the VDOM context of the administrator does not affect the ability to reference another VDOM by name in this debug command; the error is about the VDOM name not being found, not about context permissions.

150
MCQ · easy

What is the difference between a global ADOM and a regular ADOM in FortiManager?

A.Global ADOM manages only FortiGates in transparent mode
B.Regular ADOM cannot use meta fields
C.Global ADOM allows sharing policy packages and objects across multiple ADOMs
D.Global ADOM has unlimited device capacity
Answer: C

Correct.

Why this answer

In FortiManager, a Global ADOM is a special administrative domain that allows you to centrally manage and share policy packages, objects, and templates across multiple regular ADOMs. This enables consistent security policies and objects (like addresses, services, and schedules) to be pushed to all managed FortiGates, regardless of which ADOM they belong to. Regular ADOMs are isolated and cannot share objects or policies with other ADOMs, making the Global ADOM essential for large-scale, multi-tenant deployments.

Exam trap

The trap here is that candidates often confuse the Global ADOM with a 'super ADOM' that has unlimited resources or special device modes, when in fact its key differentiator is the ability to share objects and policies across ADOMs, not any hardware or licensing advantage.

How to eliminate wrong answers

Option A is wrong because Global ADOMs manage FortiGates in any mode (transparent, NAT/route, or VDOM), not just transparent mode; the transparent mode limitation is a misconception. Option B is wrong because regular ADOMs do support meta fields; meta fields are a feature available in both regular and Global ADOMs for adding custom metadata to objects. Option D is wrong because Global ADOMs do not have unlimited device capacity; device limits are determined by the FortiManager model and license, not by the ADOM type.
