NSE7 · topic practice

Troubleshooting and Diagnostics practice questions

Practise Fortinet NSE 7 Advanced Security NSE7 Troubleshooting and Diagnostics practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Troubleshooting and Diagnostics

What the exam tests

What to know about Troubleshooting and Diagnostics

Troubleshooting and Diagnostics questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Troubleshooting and Diagnostics exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Troubleshooting and Diagnostics questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A FortiGate administrator notices that traffic from a specific subnet is being dropped unexpectedly. The security policy allows the traffic, and there are no firewall policies blocking it. What is the most efficient first step to identify the cause of the drops?

Question 2 · hard · multi select

An organization uses FortiGate with OSPF and BGP. Recently, routes from BGP are not being preferred over OSPF routes, causing suboptimal routing. The administrator wants to ensure BGP routes are preferred. Which two actions can achieve this? (Choose two.)

Question 3

A FortiGate is experiencing high CPU usage. The administrator runs 'diagnose sys top' and sees that the process 'ipsengine' is using the most CPU. What is the most likely cause?

Question 4 · medium · multi select

An administrator is troubleshooting a VPN tunnel that is not coming up. The remote peer is a third-party device. Which THREE actions should be taken to diagnose the issue?

Question 5

A FortiGate administrator sees the following kernel log: 'kernel: [pid 1234] received packet with unknown or unsupported protocol 0x0800 on interface port1, drop'. What does this log indicate?

Question 6

Based on the debug flow output, what is the reason the packet is dropped?

Exhibit

Refer to the exhibit.

```
diagnose debug flow filter saddr 10.0.1.100
diagnose debug flow filter daddr 10.0.2.200
diagnose debug flow trace start 100
diagnose debug enable

# Output:
id=20085 trace_id=1 func=print_pkt_detail line=5757 msg="vd-root:0 received a packet from port1. src=10.0.1.100 dst=10.0.2.200 sport=12345 dport=80 proto=6"
id=20085 trace_id=1 func=resolve_ip_tuple line=3485 msg="tuple: 10.0.1.100->10.0.2.200, vd=0"
id=20085 trace_id=1 func=fw_pre_route_handler line=162 msg="no matching policy"
id=20085 trace_id=1 func=run_fw_handler line=59 msg="packet dropped"
```

Question 7

An administrator applies the policy shown in the exhibit, but users from 10.0.1.0/24 cannot access web servers at 10.0.2.0/24. However, they can ping the servers. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
config firewall policy
    edit 1
        set name "Allow Web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.0.1.0/24"
        set dstaddr "10.0.2.0/24"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end
```
Question 8 · medium · multi select

A FortiGate is experiencing high latency on traffic passing through it. The administrator suspects that asymmetric routing is occurring. Which TWO symptoms are indicative of asymmetric routing?

Question 9

A FortiGate cluster (A-P) has a session that is not synchronizing to the secondary unit. The administrator runs 'diagnose sys ha session-sync status' and sees that the session count is different between primary and secondary. Which is the most likely cause?

Question 10 · medium · multiple choice

A customer reports intermittent connectivity issues between two internal subnets separated by a FortiGate firewall. The traffic is allowed by the policy, but users experience timeouts during peak hours. Which troubleshooting step should you take first?

Question 11 · hard · multiple choice

An administrator is troubleshooting a scenario where IPSec VPN tunnels between two FortiGates are flapping. The logs show Phase 1 is up but Phase 2 fails with 'no proposal chosen'. The remote FortiGate has multiple Phase 2 selectors configured. What is the most likely cause?

Question 12

A FortiGate is set up in a high availability (HA) cluster. The administrator notices that the primary unit is not synchronizing configuration changes to the secondary unit. The HA status shows 'synchronization failed'. What is the most likely cause?

Question 13

Which TWO actions are appropriate when troubleshooting a slow network connection through a FortiGate?

Question 14

Based on the exhibit, what can be concluded about the session?

Exhibit

Refer to the exhibit.

```
FGT # diagnose sys session list

session info: proto=6 proto_state=01 duration=826 expire=3579 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper= 
reply-shaper= 
per_ip_shaper= 
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu bcm npu_flag=01
statistic(bytes/packets/err): org=1234/10/0 reply=5678/20/0
orgs:10.1.1.10/1234->20.2.2.20/80 vlan=10
reply:20.2.2.20/80->10.1.1.10/1234 vlan=10

FGT #
```
Question 15 · hard · multiple choice

A company runs a FortiGate 600E in NAT/Route mode. They have a site-to-site VPN to a partner using route-based VPN with BGP. Recently, they added a new subnet 192.168.50.0/24 behind the FortiGate. The BGP session is up, and the route is being advertised to the partner. However, traffic from the partner to the new subnet fails. The FortiGate's routing table shows the route to 192.168.50.0/24 is present via the VPN interface. Firewall policies allow the traffic. A packet capture on the FortiGate's internal interface shows the partner's traffic arriving but no SYN-ACK being sent back. The FortiGate's session table shows sessions in 'SYN_RECV' state for the new subnet. What is the most likely cause?

Question 16 · medium · multi select

An administrator is troubleshooting a scenario where traffic from VLAN 100 to a server at 10.1.2.100 is being blocked. The FortiGate has an active security policy allowing the traffic and the routing table shows a correct route. Which TWO diagnostic commands should the administrator run to identify the cause of the blockage?

Question 17

A FortiGate is blocking HTTP traffic from 10.0.1.5 to 10.0.2.100, despite an explicit allow policy. The exhibit shows the configuration and debug flow output. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
config firewall policy
    edit 1
        set name "Allow-Web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.0.1.0/24"
        set dstaddr "10.0.2.100"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end

diag debug flow show function-name show-verbose

--- flow debug output ---
proton_state=0, reason=session-denied
id=20085 trace_id=155 func=print_pkt_detail line=4945 msg="vd-root:0 received a packet from port1: 10.0.1.5:45231 -> 10.0.2.100:80, proto 6."
id=20085 trace_id=155 func=resolve_ip_tuple line=4125 msg="Find an existing session, id 00001234, original direction"
id=20085 trace_id=155 func=__ip_session_match_tuple line=2818 msg="Session state: not ready"
id=20085 trace_id=155 func=__ip_session_find_by_session_id line=2773 msg="session session_deny because state proto is not ready"
```
Question 18 · hard · multiple choice

A FortiGate is deployed as the edge firewall for a medium-sized enterprise. The network has three internal zones: Trust (10.10.0.0/16), DMZ (172.16.0.0/24), and Guest (192.168.0.0/24). The FortiGate has an IPSec VPN to a branch office (10.20.0.0/16). Users in the Trust zone report intermittent connectivity to a web server in the DMZ (172.16.0.10, TCP port 443). The FortiGate logs show occasional 'session denied' messages for traffic from Trust to DMZ with reason 'denied by forward policy check'. The security policy has an explicit allow rule for Trust to DMZ HTTPS. The administrator has verified routing is correct and there are no address overlaps. When the issue occurs, the administrator runs 'diag debug flow' and sees that the packet matches the correct policy but still gets denied. The debug output also shows 'forward policy check: denied'. What is the most likely cause and recommended action?

Question 19

Drag and drop the steps to perform a firmware upgrade on a FortiGate device into the correct order.


Question 20

Match each high availability (HA) mode to its characteristic.


One unit handles traffic; standby takes over on failure

Both units handle traffic simultaneously

FortiGate Clustering Protocol

Synchronizes sessions between HA members

Link used for HA communication and synchronization

Frequently asked questions

What does the NSE7 exam test about Troubleshooting and Diagnostics?
Troubleshooting and Diagnostics questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Troubleshooting and Diagnostics questions in a focused session?
Yes — the session launcher on this page draws every question from the Troubleshooting and Diagnostics domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other NSE7 topics?
Use the topic links above to move to related areas, or go back to the NSE7 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the NSE7 exam covers. They are not copied from any real exam or dump site.