CCNA NSE7 Troubleshooting Questions

75 of 151 questions · Page 2/3 · NSE7 Troubleshooting topic · Answers revealed

76 · MCQ · hard

Based on the debug flow output, what is the reason the packet is dropped?

A. The route to the destination is missing.
B. There is no firewall policy that matches the traffic.
C. The packet has an invalid source IP address.
D. The session table is full.
Answer: B

The message 'no matching policy' clearly states this.

Why this answer

The debug flow output indicates that the packet was dropped because no firewall policy matched the traffic. In FortiGate, even if a valid route exists, the packet must be evaluated against firewall policies; if no policy permits the traffic based on source, destination, service, and interface, the packet is silently dropped. The debug flow will show a message like 'no matching policy' or 'deny by policy' in such cases.

Exam trap

The trap here is that candidates often assume a packet drop is due to a missing route when the debug flow shows a policy drop, because they overlook that FortiGate processes routing before policies and the debug flow output explicitly indicates the stage where the drop occurred.

How to eliminate wrong answers

Option A is wrong because a missing route would cause a different debug flow message, such as 'no route to destination' or 'route lookup failed', and the packet would be dropped at the routing stage, not at the firewall policy stage. Option C is wrong because an invalid source IP address (e.g., RFC 1918 on a public interface) would typically be dropped by antispoofing checks or a specific firewall policy, not by a generic 'no matching policy' message; the debug flow would show 'invalid source' or 'reverse path check failed'. Option D is wrong because a full session table would cause a 'session table full' or 'no session available' message in the debug flow, and the drop would occur during session creation, not during policy lookup.

77 · MCQ · easy

An HA cluster of two FortiGates is experiencing split-brain. Which command should the administrator use to check the current HA status and identify which unit is the primary?

A. diagnose debug application had 0
B. diagnose sys ha dump
C. get system ha status
D. show system ha
Answer: C

Standard command to show HA status and role.

Why this answer

Option C is correct. The 'get system ha status' command displays detailed HA information including the cluster status, primary/secondary roles, and synchronization state. It helps identify split-brain when both units show themselves as primary.

78 · MCQ · medium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A. SSL/TLS deep inspection is not enabled on the firewall policy
B. The web server's certificate is self-signed and FortiGate is rejecting the connection
C. The FortiGuard antivirus subscription has expired
D. The antivirus profile is configured for flow-based inspection instead of proxy-based
Answer: A

HTTPS traffic is encrypted. FortiGate cannot inspect the payload unless SSL deep inspection decrypts the TLS session first, so the antivirus profile can only scan the traffic once deep inspection is enabled on the policy.

Why this answer

Option A is correct because HTTPS uses TLS encryption. Without SSL deep inspection enabled on the policy, FortiGate cannot decrypt and inspect the content of HTTPS traffic. The antivirus profile will only scan unencrypted traffic or traffic where deep inspection has decrypted it first.

79 · MCQ · hard

An administrator is troubleshooting a scenario where IPSec VPN tunnels between two FortiGates are flapping. The logs show Phase 1 is up but Phase 2 fails with 'no proposal chosen'. The remote FortiGate has multiple Phase 2 selectors configured. What is the most likely cause?

A. Mismatched Phase 2 proxy IDs (local/remote subnets).
B. Mismatched pre-shared keys.
C. Dead Peer Detection (DPD) settings are too aggressive.
D. Certificate validation failure.
Answer: A

The error 'no proposal chosen' is often due to mismatched proxy IDs in Phase 2.

Why this answer

The 'no proposal chosen' error during Phase 2, despite Phase 1 being up, indicates a mismatch in the IPsec security association (SA) parameters. Since the remote FortiGate has multiple Phase 2 selectors configured, the most likely cause is that the local and remote proxy IDs (local and remote subnets) do not match any of the configured selectors. Phase 2 negotiation uses these proxy IDs to define which traffic should be encrypted; if they don't align, the IKE SA cannot be established.

Exam trap

The trap here is that candidates often confuse Phase 1 and Phase 2 failures, assuming any 'no proposal chosen' error is due to Phase 1 misconfigurations like PSK or certificates, when in fact Phase 1 is already up, isolating the issue to Phase 2 proxy ID mismatches.

How to eliminate wrong answers

Option B is wrong because mismatched pre-shared keys would cause Phase 1 to fail, not Phase 2; Phase 1 is already up in this scenario. Option C is wrong because aggressive Dead Peer Detection (DPD) settings can cause tunnels to flap (go up and down), but they do not produce a 'no proposal chosen' error; that error is specific to Phase 2 proposal mismatches. Option D is wrong because certificate validation failure would also prevent Phase 1 from completing, as certificates are used during IKE authentication in Phase 1, not Phase 2.

80 · MCQ · medium

A FortiGate administrator notices that after upgrading the firmware, some BGP sessions to a service provider are flapping. The administrator runs 'diagnose ip router bgp all' and sees that the BGP neighbor state is Active. What is the MOST likely cause of this issue?

A. A configuration checksum mismatch between the two peers
B. The BGP hold timer has expired
C. The BGP neighbor is not reachable due to a routing issue
D. The BGP password is incorrect
Answer: A

Firmware upgrades can introduce new defaults that change the update message, causing checksum mismatch and flapping.

Why this answer

Option A is correct because a configuration checksum mismatch between peers is a common post-upgrade issue that causes BGP sessions to flap. A new default setting or changed behavior in the new firmware can alter the update message, leading to a checksum mismatch.

81 · MCQ · medium

A BGP session between FortiGate and a neighbor is in 'Active' state. The administrator has verified IP connectivity and that the neighbor IP is reachable. What is the MOST likely cause?

A. The firewall policy is blocking BGP port 179
B. The remote AS number is misconfigured on either side
C. The BGP hold timer is set too high
D. The BGP network statement is missing
Answer: B

A mismatch in the remote AS number prevents BGP from establishing the session, resulting in 'Active' state.

Why this answer

The 'Active' state means the router is trying to initiate a TCP connection but is not receiving a response. Common causes include BGP configuration mismatch, especially the remote AS number.

82 · MCQ · easy

A FortiGate is experiencing high CPU usage. The administrator runs 'diagnose sys top' and sees that the process 'ipsengine' is using the most CPU. What is the most likely cause?

A. The firewall is experiencing a memory leak.
B. A large volume of traffic is being inspected by IPS, possibly due to a DoS attack.
C. The antivirus engine is scanning large files.
D. There is a routing loop causing packet bouncing.
Answer: B

IPS engine uses CPU for deep packet inspection; high volume or many signatures increases load.

Why this answer

The ipsengine process handles Intrusion Prevention System (IPS) inspection. High CPU usage by ipsengine typically indicates that the FortiGate is processing a large volume of traffic through IPS signatures, which is computationally intensive. This is often triggered by a DoS attack or a sudden surge in traffic that requires deep packet inspection, overwhelming the CPU.

Exam trap

The trap here is that candidates may confuse ipsengine with avengine or assume high CPU is always due to a memory leak, but the specific process name directly points to IPS inspection overload.

How to eliminate wrong answers

Option A is wrong because a memory leak would manifest as steadily increasing memory consumption over time, not as high CPU usage by ipsengine; the 'diagnose sys top' output shows CPU usage, not memory. Option C is wrong because antivirus scanning is handled by the 'avengine' process, not 'ipsengine'; the question explicitly states ipsengine is the culprit. Option D is wrong because a routing loop causes packet bouncing and high CPU due to routing table lookups (handled by the kernel or 'fwd' process), not by the IPS engine, which inspects application-layer traffic.

83 · MCQ · easy

An administrator needs to monitor FortiGate session count and CPU usage over time using FortiAnalyzer. Which log type should be configured for this?

A. Security logs
B. Performance logs
C. Event logs
D. Traffic logs
Answer: B

Performance logs provide periodic CPU, memory, and session data.

Why this answer

Performance monitoring logs contain periodic samples of system resource usage, including session count and CPU. The administrator should enable performance logging on FortiGate and send it to FortiAnalyzer.

84 · MCQ · medium

An HA cluster (active-passive) is configured. The administrator wants to perform a failover test without causing service disruption. Which command should be used?

A. diagnose ha reset-uptime
B. execute shutdown on the primary
C. execute ha synchronize
D. execute ha failover
Answer: D

This command triggers a graceful failover, making the primary become secondary.

Why this answer

To gracefully test failover, the administrator can execute 'execute ha failover' on the primary unit. This forces the primary to become secondary, and the passive unit takes over.

85 · MCQ · medium

A FortiGate administrator runs 'diagnose debug application sslvpn -1' and sees repeated messages: 'SSL VPN tunnel error: no response from client'. What is the most likely cause?

A. The authentication server is unreachable
B. The tunnel mode is configured for web mode instead of tunnel mode
C. The client cannot reach the FortiGate's SSL VPN IP or port
D. The SSL VPN certificate has expired
Answer: C

No response from client suggests a connectivity problem between client and FortiGate.

Why this answer

This error typically indicates the SSL VPN client is not responding during tunnel setup, often due to network connectivity issues or a firewall blocking the required ports.

86 · Multi-Select · medium

Which TWO actions are appropriate when troubleshooting a slow network connection through a FortiGate?

Select 2 answers
A. Increase the session TTL to reduce session setup overhead.
B. Check the CPU and memory utilization on the FortiGate.
C. Verify the routing table for correct next-hop entries.
D. Disable flow control on the WAN interface.
E. Disable all security profiles to free resources.
Answers: B, C

High resource usage can cause slowdowns; checking this is a standard diagnostic step.

Why this answer

High CPU or memory utilization on a FortiGate can directly cause packet drops, queuing delays, and slow throughput, especially under load. Checking these resources is a fundamental first step in troubleshooting performance issues, as resource exhaustion often manifests as a slow network connection.

Exam trap

The trap here is that candidates may assume disabling security features (Option E) or adjusting session timers (Option A) are quick fixes, but the NSE7 exam expects systematic troubleshooting starting with resource utilization and routing verification.

87 · MCQ · medium

An administrator observes that traffic from a specific subnet is being dropped by the FortiGate. The session table shows the sessions with 'proto_state=01' and 'expire=0'. What does this indicate?

A. The sessions have expired and are being cleaned up
B. The antivirus scanning is causing a delay
C. The sessions are being offloaded to the NPU
D. The firewall policy is blocking the traffic
Answer: A

Expire=0 means the session has timed out.

Why this answer

Option A is correct. 'expire=0' and 'proto_state=01' indicate that the session has expired and is in a cleanup state. The traffic is being dropped because the session is no longer valid.

88 · MCQ · medium

A customer reports intermittent connectivity issues between two internal subnets separated by a FortiGate firewall. The traffic is allowed by the policy, but users experience timeouts during peak hours. Which troubleshooting step should you take first?

A. Run a packet sniffer on the FortiGate to capture traffic between the subnets.
B. Check the session table for session limits and session congestion.
C. Disable hardware acceleration on the FortiGate.
D. Configure SNAT on the policy to translate the source IP.
Answer: B

Peak hour timeouts often indicate session table exhaustion; checking this is the quickest diagnostic step.

Why this answer

Option B is correct because intermittent connectivity during peak hours strongly suggests session table exhaustion or session congestion. The FortiGate's session table has a finite capacity, and when it fills up, new sessions are dropped, causing timeouts. Checking the session table for limits and congestion is the fastest, least intrusive first step to confirm whether the firewall is running out of session resources before performing more complex diagnostics.

Exam trap

The trap here is that candidates often jump to packet capture or hardware acceleration as the first step, overlooking the session table as the most common cause of intermittent peak-hour connectivity issues.

How to eliminate wrong answers

Option A is wrong because running a packet sniffer is a reactive, resource-intensive step that should be taken only after ruling out session table issues; it does not directly reveal session limits or congestion. Option C is wrong because disabling hardware acceleration is a drastic step that can degrade performance and is only warranted if a specific hardware offload bug is suspected, not as a first troubleshooting step for peak-hour timeouts. Option D is wrong because configuring SNAT does not resolve session table exhaustion; it changes the source IP but does not increase the session table capacity or address congestion.

89 · Multi-Select · medium

An administrator notices that some traffic through the FortiGate is not being inspected by the application control profile. Which TWO reasons could explain this? (Choose two.)

Select 2 answers
A. The inspection mode is set to proxy-based
B. The application control signatures are outdated
C. The FortiGate has high memory usage
D. The application control profile is disabled
E. Traffic matches a different policy without the application control profile
Answers: A, E

Application control works only in flow-based mode.

Why this answer

Options A and E are correct. If the policy uses proxy-based inspection mode (A), application control may not work correctly. If the traffic matches a different policy that lacks the profile (E), it bypasses inspection.

Option B is irrelevant. Option C would affect all traffic, not some. Option D is not a reason.

90 · MCQ · hard

An administrator configures an HA cluster with two FortiGates using an FGCP active-passive configuration. After a failover, the new primary FortiGate shows all sessions are lost. The administrator has 'sync session' enabled in the HA configuration. What is the MOST likely reason sessions were not synchronized?

A. The HA heartbeat interface is overloaded, causing session synchronization packets to be dropped
B. The passive unit's 'session-pickup' setting is disabled
C. The 'failover-monitor' interface is down on the active unit, preventing session sync
D. The 'session-ttl' setting is set to zero on the active unit
Answer: A

Session synchronization uses the heartbeat link; if it is overloaded or has high latency, session sync packets can be lost, leading to session loss after failover.

Why this answer

Option A is correct because session synchronization relies on the heartbeat link; congestion can cause loss of session sync packets, leading to session loss during failover.

91 · Multi-Select · hard

An organization uses FortiGate with OSPF and BGP. Recently, routes from BGP are not being preferred over OSPF routes, causing suboptimal routing. The administrator wants to ensure BGP routes are preferred. Which two actions can achieve this? (Choose two.)

Select 2 answers
A. Decrease the administrative distance of BGP routes to 5.
B. Configure route-map to set metric to 1 on BGP routes.
C. Increase the administrative distance of OSPF routes to 120.
D. Set a higher weight on BGP routes for the prefixes.
Answers: A, C

Decreasing BGP AD to 5 makes it more preferred over OSPF AD 110.

Why this answer

Option A is correct because decreasing the administrative distance (AD) of BGP routes to 5 makes them more trustworthy than OSPF routes (default AD 110). Since a lower AD is preferred, BGP routes will be installed in the routing table over OSPF routes, ensuring BGP is preferred for forwarding decisions.

Exam trap

The trap here is that candidates confuse inter-protocol route selection (governed by administrative distance) with intra-protocol BGP path selection attributes (like weight, local preference, or metric), leading them to incorrectly choose options that modify BGP-specific attributes that have no effect on OSPF vs. BGP preference.

92 · MCQ · hard

An SD-WAN rule has two members: port1 (SLA target latency < 10ms) and port2 (SLA target latency < 20ms). The administrator runs 'diagnose sys sdwan sla-check' and sees that both members meet SLA. However, all traffic is going through port2. What is the MOST likely reason?

A. The SD-WAN strategy is set to 'load balancing' and the load balancing algorithm is 'spillover'
B. The SD-WAN strategy is set to 'manual'
C. The SD-WAN rule is configured with 'set service' that does not match the traffic
D. The 'update-static-route' is disabled on the SD-WAN
Answer: C

If the rule's service (application) does not match the traffic, the rule is not applied, and traffic uses the default route or another rule.

Why this answer

SD-WAN uses a strategy to select the best path. If the strategy is set to 'best quality' or 'lowest latency', it should prefer the lower latency path. But if the strategy is 'load balancing' or 'manual', it might not automatically prefer port1.

The most common cause is that the strategy does not consider SLA, or the load balancing mode distributes traffic regardless of SLA.

93 · Multi-Select · medium

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish Phase 1. The debug output shows 'no acceptable proposal'. Which TWO configuration parameters should be checked to resolve this issue?

Select 2 answers
A. Encryption algorithm
B. Diffie-Hellman group
C. IKE version
D. Pre-shared key
E. Local and remote subnets
Answers: A, B

Mismatched encryption algorithms cause proposal failure.

Why this answer

Phase 1 proposal mismatch is typically due to differences in encryption algorithms, authentication methods, Diffie-Hellman groups, or key lifetimes.

94 · MCQ · hard

A company runs a FortiGate 600E in NAT/Route mode. They have a site-to-site VPN to a partner using route-based VPN with BGP. Recently, they added a new subnet 192.168.50.0/24 behind the FortiGate. The BGP session is up, and the route is being advertised to the partner. However, traffic from the partner to the new subnet fails. The FortiGate's routing table shows the route to 192.168.50.0/24 is present via the VPN interface. Firewall policies allow the traffic. A packet capture on the FortiGate's internal interface shows the partner's traffic arriving but no SYN-ACK being sent back. The FortiGate's session table shows sessions in 'SYN_RECV' state for the new subnet. What is the most likely cause?

A. The reverse path forwarding (RPF) check is dropping the incoming SYN.
B. The firewall policy is not configured with the correct source interface.
C. The BGP route advertisement is being filtered by a route map on the partner side.
D. The Phase 2 selector for the VPN does not include the new subnet, so the FortiGate does not encrypt the reply traffic.
Answer: D

The SYN is received but the return traffic cannot be encrypted because the Phase 2 selector does not match the new subnet, causing asymmetric routing.

Why this answer

The correct answer is D. In a route-based VPN, the Phase 2 selectors define which traffic is allowed to be encrypted and decrypted. Even though BGP advertises the new subnet 192.168.50.0/24, if the Phase 2 selector on either side does not include this subnet, the FortiGate will not encrypt the reply traffic.

The packet capture shows the SYN arriving, but no SYN-ACK is sent because the FortiGate cannot find a matching Phase 2 proposal to encrypt the response, causing the session to remain in SYN_RECV state.

Exam trap

The trap here is that candidates assume BGP route advertisement alone ensures traffic flow, overlooking that IPsec Phase 2 selectors must explicitly match the new subnet for encryption to occur.

How to eliminate wrong answers

Option A is wrong because the RPF check would drop the incoming SYN packet itself, but the packet capture shows the SYN arriving successfully, and the session table shows SYN_RECV, indicating the SYN was accepted and a SYN-ACK should be generated. Option B is wrong because the firewall policy is already allowing the traffic (as stated), and the source interface is correctly set to the VPN interface; otherwise, the SYN would not have been processed and the session would not be in SYN_RECV. Option C is wrong because the BGP route is being advertised and the BGP session is up; if a route map were filtering the advertisement, the partner would not have the route to 192.168.50.0/24, but the FortiGate's routing table shows the route is present, and the partner's traffic is reaching the FortiGate.

95 · Multi-Select · medium

A FortiGate is experiencing high memory usage due to a large number of UDP sessions. The administrator wants to reduce memory consumption without dropping legitimate traffic. Which THREE actions could help? (Choose three.)

Select 3 answers
A. Increase the maximum session limit
B. Enable session-ttl to enforce idle timeout
C. Reduce the UDP session timeout
D. Disable unnecessary session helpers for UDP
E. Upgrade the FortiGate hardware
Answers: B, C, D

Session-ttl removes sessions that exceed idle time.

Why this answer

High session memory can be mitigated by reducing session timeouts, enabling session-ttl, or using session helper timeouts. Increasing memory is not practical, and filtering sessions may drop legitimate traffic.

96 · MCQ · medium

An administrator runs 'diagnose debug application ssl-helper -1' and sees that sessions to certain HTTPS sites are being terminated by the FortiGate. What is the MOST likely cause?

A. The FortiGate's certificate authority (CA) certificate has expired, causing SSL inspection to fail
B. The antivirus profile is blocking the HTTPS connections due to a virus signature match
C. The FortiGate is performing TCP RST injection due to a mismatch in the SSL/TLS handshake as part of deep inspection
D. The SSL deep inspection policy is set to 'certificate-inspection' which blocks sessions with mismatched certificates
Answer: C

The ssl-helper process performs deep inspection by injecting RST packets when the handshake is invalid or certificate errors occur, causing session termination.

Why this answer

Option C is correct because ssl-helper is involved in deep inspection and can terminate sessions by sending RST packets when handshake issues are detected.

97 · MCQ · easy

A FortiGate administrator sees the following kernel log: 'kernel: [pid 1234] received packet with unknown or unsupported protocol 0x0800 on interface port1, drop'. What does this log indicate?

A. The packet is an ARP request that failed.
B. The packet has an invalid MAC address.
C. The interface is not configured with an IP address or is in the wrong VDOM.
D. The packet has IP options set that are not supported.
Answer: C

The kernel drops packets when the interface is not configured to handle that protocol.

Why this answer

The kernel log indicates that the interface port1 received an Ethernet frame with EtherType 0x0800 (IPv4) but the FortiGate dropped it because the interface is either not configured with an IP address or is bound to the wrong VDOM. Without an IP address or proper VDOM assignment, the kernel cannot process the packet at Layer 3, so it logs the packet as having an 'unknown or unsupported protocol' even though 0x0800 is standard IPv4.

Exam trap

The trap here is that candidates see 'unknown or unsupported protocol 0x0800' and assume it refers to an exotic or malformed protocol, when in fact 0x0800 is standard IPv4 and the issue is a missing IP address or VDOM assignment on the interface.

How to eliminate wrong answers

Option A is wrong because ARP requests use EtherType 0x0806, not 0x0800, and the log specifically mentions protocol 0x0800 (IPv4). Option B is wrong because invalid MAC addresses would generate a different log entry related to MAC filtering or source address validation, not a protocol drop. Option D is wrong because IP options are handled at a higher layer within the IP stack, and the kernel drop occurs before any IP header parsing; the log indicates the interface itself does not recognize the protocol, not that options are unsupported.

98 · MCQ · hard

A BGP peering between two FortiGates is not establishing. The administrator runs 'get router info bgp neighbor' and sees that the neighbor state is 'Idle' and the BGP configuration appears correct. What should the administrator check next?

A. Run 'diagnose ip router bgp all enable' to enable debug
B. Check the BGP AS number configuration
C. Verify that the BGP neighbor IP is reachable via the routing table
D. Increase the BGP timers
Answer: C

If the neighbor is unreachable, BGP stays in Idle state.

Why this answer

Option C is correct. A neighbor state of 'Idle' often indicates that BGP is administratively disabled or there is a problem with the underlying connectivity. The most common cause is that the BGP neighbor is not reachable via a valid route or the interface is down.

Checking the routing table and connectivity is the next step.

99 · MCQ · medium

During a failover test in an HA cluster, the primary FortiGate fails over to the secondary. After failover, some existing TCP sessions are dropped. What is the MOST likely reason?

A. The failover caused a routing change
B. The session TTL expired during failover
C. The HA mode is active-passive
D. Session pickup is not enabled on the HA cluster
Answer: D

Without session pickup, TCP sessions are lost on failover.

Why this answer

By default, FortiGate HA does not synchronize session states unless session-pickup is enabled. Without it, existing sessions are lost during failover. Option D is correct.

100 · MCQ · medium

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The administrator runs 'diagnose vpn ike log' and sees the message 'no matching proposal found'. What is the MOST likely cause?

A. The remote gateway's IP address is unreachable
B. The Phase 1 parameters (encryption, authentication, DH group) do not match between peers
C. The firewall policy allowing the VPN traffic is missing or has the wrong interface
D. The pre-shared key is incorrect on one side
Answer: B

'No matching proposal found' indicates that during IKE negotiation, the two peers could not agree on a common set of Phase 1 parameters.

Why this answer

Option B is correct because the error 'no matching proposal found' is a standard IKE message indicating incompatible Phase 1 proposals.

101 · Multi-Select · hard

A FortiGate administrator is investigating a slow network issue. The 'diagnose sys session stat' shows a high number of sessions. Which THREE commands can help identify the source of the high session count?

Select 3 answers
A. diagnose sys session list | grep <policy_id>
B. diagnose sys session filter src <IP>
C. diagnose sys session top-talkers
D. diagnose sys session stat
E. diagnose netlink interface list
Answers: A, B, C

Counts sessions per policy to see which policy is most used.

Why this answer

To identify high session count sources, the administrator can list sessions filtered by source IP, list sessions per policy, or use top talkers.

102 · Multi-Select · medium

A network admin is investigating a high CPU usage issue on a FortiGate firewall. The admin runs 'diagnose sys top' and sees that the 'ipsengine' process is consuming 70% CPU. Which THREE actions should the admin take to reduce CPU load?

Select 2 answers
A. Review and optimize IPS signatures; disable unnecessary signatures
B. Increase the IPS engine process priority
C. Increase the IPS engine process priority
D. Disable IPS on all policies
E. Enable IPS hardware acceleration using NPU offloading
Answers: A, E

Reducing the number of active signatures directly reduces CPU overhead.

Why this answer

High CPU usage from ipsengine can be mitigated by tuning IPS profiles, offloading inspection to NPU, or raising thresholds to reduce load from less important traffic.

103 · MCQ · medium

When testing HA failover, you manually switch the primary unit to standby. The secondary unit becomes primary but does not take over the IP address of the virtual cluster. What is the MOST likely cause?

A. Session pickup is not enabled
B. The HA interface monitoring is disabled
C. The HA mode is set to 'load-balance' without a virtual cluster IP
D. The HA cluster is in split-brain
Answer: C

In load-balance mode, the virtual IP is not automatically taken over; it must be configured.

Why this answer

Option C is correct because if the HA mode is configured as 'standalone' (load balance without virtual IP) or if the virtual cluster configuration is missing, the IP might not be taken over. Option B is not a typical cause. Option A would affect sessions, not IP takeover.

Option D is not relevant.

104 · MCQ · hard

An SD-WAN rule uses a performance SLA to steer traffic to the best-quality link. Traffic is consistently using the backup link even though the primary link meets SLA thresholds. The admin runs 'diagnose sys sdwan sla-check' and sees the primary link SLA status is 'pass'. What is the MOST likely cause?

A. The primary link's interface is administratively down
B. The primary link's cost is set higher than the backup
C. The SD-WAN rule's strategy is not set to 'Best Quality' or 'SLA'
D. The backup link has a higher bandwidth
Answer: C

The rule must use SLA-based strategy; otherwise, it may ignore SLA results.

Why this answer

Even if SLA passes, the SD-WAN rule may prefer a different link based on strategy or load balancing. Option C is correct because the SD-WAN rule's strategy might be set to 'Maximize Bandwidth' or 'Best Quality' but with tie-breaking that favors the backup link.

105 · MCQ · medium

A FortiGate admin notices that sessions to a particular server are not being logged in FortiAnalyzer. The firewall policy has logging enabled. What is the MOST likely reason?

A. The FortiAnalyzer's device registration is incorrect
B. The log queue on FortiGate is full
C. The FortiGate is not configured to send logs to FortiAnalyzer
D. The FortiAnalyzer is out of disk space
Answer: C

If the log forwarding is not set up, logs are stored locally but not sent to FortiAnalyzer.

Why this answer

Logging to FortiAnalyzer requires proper configuration on both FortiGate and FortiAnalyzer. If the FortiGate is not sending logs to the correct IP or the connectivity is broken, logs won't appear. Option C is correct.

106 · MCQ · easy

An administrator wants to see the current sessions for a specific source IP address 192.168.1.10. Which CLI command should be used?

A. diagnose sys session filter src 192.168.1.10; diagnose sys session list
B. get system session list src 192.168.1.10
C. diagnose debug flow src-addr 192.168.1.10
D. execute session list source 192.168.1.10
Answer: A

This is the correct way to filter and list sessions for a source IP.

Why this answer

The 'diagnose sys session filter' command allows filtering sessions by various criteria. Setting the source filter and then using 'diag sys session list' displays matching sessions.

107
MCQmedium

A FortiGate administrator is troubleshooting a VPN tunnel that is up but no traffic passes through. The Phase 2 selectors match. The administrator runs 'diagnose vpn tunnel list' and sees that the tunnel has '0 bytes' in both directions. What is the MOST likely cause?

A.The firewall policy is not configured to allow traffic through the tunnel
B.The static route for the remote subnet does not point to the VPN tunnel interface
C.The IPsec SA rekey interval is too short
D.The NAT traversal is not enabled
AnswerB

Without proper routing, traffic is not sent to the tunnel.

Why this answer

Option B is correct. A correct Phase 2 SA with zero traffic indicates that routing is not directing traffic into the tunnel. The routes for the remote subnet must point to the tunnel interface.

108
MCQhard

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The Phase 1 status shows 'init' and the debug output indicates 'no suitable proposal found'. The remote peer is a third-party VPN device. Which of the following is the MOST likely cause?

A.The pre-shared key is incorrect on one side
B.The remote peer's IP address is not reachable
C.The IKE version or encryption algorithm does not match between the peers
D.The firewall policy allowing the VPN traffic is missing
AnswerC

Proposal mismatch is caused by incompatible IKE parameters like encryption, hash, or DH group.

Why this answer

Option C is correct. 'No suitable proposal found' means the local and remote devices do not share a common IKE proposal (encryption, authentication, DH group, etc.). This is a proposal mismatch in Phase 1.

109
MCQhard

An administrator is investigating a security incident and needs to determine which firewall policy allowed a specific malicious traffic flow. The traffic is no longer active. Which FortiAnalyzer log type should the admin query?

A.Event logs
B.Security logs
C.Traffic logs
D.Audit logs
AnswerC

Traffic logs contain policy ID and action for each session, perfect for this investigation.

Why this answer

Traffic logs record all allowed/denied sessions, including source/destination, policy ID, and action, making them ideal for identifying which policy allowed a flow.

110
MCQeasy

An administrator wants to view the current number of active sessions on a FortiGate. Which CLI command should be used?

A.exec system session count
B.show system session count
C.diagnose sys session list
D.get system performance status
AnswerD

Correct. This command displays session count, CPU, and memory usage.

Why this answer

The command 'get system performance status' provides a snapshot of system performance including session count. Alternatively, 'diagnose sys session stat' can be used.

111
Multi-Selectmedium

An administrator is configuring SD-WAN and wants to ensure that traffic matching a specific SLA rule uses the best-performing member. Which TWO commands can be used to verify the SLA performance and route selection? (Choose two.)

Select 2 answers
A.diagnose sys session list
B.diagnose sys sdwan health-check
C.get router info routing-table
D.diagnose sys sdwan info
E.show system sdwan
AnswersB, D

Shows health-check results per member.

Why this answer

Options B and D are correct. 'diagnose sys sdwan info' shows detailed SD-WAN information including SLA performance and routing decisions. 'diagnose sys sdwan health-check' shows the health-check results for each member, which is essential for SLA verification.

112
MCQeasy

An administrator wants to monitor CPU usage of specific processes on a FortiGate. Which command should be used?

A.get system performance status
B.diagnose sys top
C.get system performance
D.top
AnswerB

This shows process-level CPU and memory usage.

Why this answer

Option B is correct because 'diagnose sys top' shows real-time process CPU usage. Option A shows a system resource summary. Option C shows system performance statistics.

Option D is a Linux command not available on FortiOS.

113
MCQeasy

A BGP peering between two FortiGates is not establishing. The admin runs 'get router info bgp summary' and sees the neighbor state as 'Idle'. What is the most common cause of a BGP session stuck in Idle?

A.The BGP update timer is set too high
B.The remote AS number is misconfigured
C.The neighbor IP is not reachable or the TCP port 179 is blocked
D.The route advertisement is disabled
AnswerC

BGP uses TCP port 179; if the neighbor is unreachable or port is blocked, the session cannot start, staying in Idle.

Why this answer

Idle state usually means the BGP process has not started or is waiting for a start event. The most common cause is that the neighbor IP is unreachable or the TCP connection cannot be established.

114
MCQmedium

An administrator runs 'diagnose debug application ipsmonitor -1' and sees repeated messages: 'IPS engine restarting'. What is the MOST likely cause of this behavior?

A.The FortiGate is overloaded with too many concurrent sessions
B.The IPS engine is running out of memory
C.The firewall policy is configured for flow-based inspection
D.The IPS signatures are outdated and need updating
AnswerB

Memory exhaustion causes the IPS engine to restart to free resources.

Why this answer

Option B is correct. IPS engine restarts often indicate memory exhaustion or a crash. High memory usage can force the engine to restart to reclaim resources.

115
Multi-Selectmedium

A FortiGate administrator is investigating a security incident and needs to identify which user initiated a specific outbound connection to a malicious IP address. The company uses FSSO for authentication. Which THREE pieces of information from FortiAnalyzer logs would be MOST useful? (Choose three.)

Select 3 answers
A.Username from the FortiGate authentication log
B.Destination IP address
C.Event type (e.g., traffic, event, attack)
D.Source IP address of the session
E.Timestamp of the session
AnswersA, D, E

Links the session to the authenticated user.

Why this answer

Options A, D, and E are correct. Source IP identifies the device, username identifies the authenticated user, and timestamp correlates events. Destination IP (B) is already known, and event type (C) might not show the user association.

116
MCQeasy

An administrator runs 'diagnose sys top' and sees process 'httpsd' consuming 95% CPU. What is the best immediate action to alleviate the issue?

A.Change the administration HTTPS port and restrict access to trusted hosts
B.Kill the httpsd process
C.Disable HTTPS administration access
D.Reboot the FortiGate
AnswerA

Correct. Changing the port and restricting source IPs can mitigate the attack without losing access.

Why this answer

The httpsd process handles HTTPS administrative access. High CPU could be due to brute-force attacks or excessive GUI logins. The best action is to change the administrative access port or limit access via trusted hosts.

117
Multi-Selecthard

During a BGP troubleshooting session, an administrator sees that the BGP neighbor state is 'Active'. Which three conditions could cause this state? (Choose THREE.)

Select 3 answers
A.The remote AS number is misconfigured
B.The BGP update timer is too short
C.The neighbor IP address is incorrectly configured
D.The maximum-prefix limit has been exceeded
E.A firewall is blocking TCP port 179
AnswersA, C, E

ASN mismatch causes the remote end to reject the open message, leading to Active state.

Why this answer

Active state means BGP is trying to initiate a TCP connection but hasn't succeeded. Common causes include incorrect neighbor IP, ASN mismatch, or TCP port blocking.

118
MCQeasy

A FortiGate administrator wants to verify whether a specific session is being offloaded to the NP6 processor. Which CLI command should the administrator use?

A.diagnose sys session filter src 10.0.0.1 ; diagnose sys session list
B.get system performance status
C.diagnose hardware sysinfo memory
D.diagnose npu np6 session list
AnswerA

This shows session details and offload status.

Why this answer

Option A is correct. 'diagnose sys session filter' followed by 'diagnose sys session list' shows session details including offload status (NPU flag).

119
MCQmedium

A FortiGate is receiving BGP routes from a neighbor but not advertising them to other peers. The administrator runs 'get router info bgp network' and sees the routes are in the BGP table but not advertised. What is the most likely cause?

A.BGP synchronization is enabled and the routes are not in the IGP
B.An outbound route map is applied that filters these routes
C.The next hop is unreachable
D.The router-id is the same as the peer
AnswerB

Correct. A route map can selectively permit or deny routes from being advertised.

Why this answer

BGP routes are not advertised unless they pass outbound filtering (prefix lists, route maps) or are not the best path. Additionally, if synchronization is enabled, routes must be in the IGP routing table. The most common cause is a missing or restrictive outbound route map.

120
MCQmedium

After upgrading FortiGate firmware, an admin notices that several sessions using SIP are failing. The SIP ALG was enabled before the upgrade. What is the MOST likely cause?

A.The SIP session helper is now deprecated
B.The SIP service port changed
C.The SIP ALG configuration was reset to default, affecting session handling
D.The FortiGate's SIP inspection profile was removed
AnswerC

Upgrades can reset ALG settings, causing SIP sessions to fail.

Why this answer

Firmware upgrades can reset or change default settings. Option C is correct because the SIP ALG might have been disabled or its settings changed, breaking SIP session handling. Checking the ALG configuration is the first step.

121
MCQeasy

You receive an alert that FortiAnalyzer log disk usage is at 95%. Which action should you take to immediately free up space without losing important logs?

A.Delete all logs older than 30 days
B.Enable log compression
C.Configure log archiving to an external storage
D.Increase log disk quota
AnswerC

Archiving moves old logs off the device.

Why this answer

Option C is correct because archiving old logs to external storage is the best practice to free space while preserving logs. Option A would lose logs. Option B is not a standard feature.

Option D is temporary.

122
MCQeasy

An administrator wants to verify that a BGP route is being advertised to a neighbor. Which command displays the routes that FortiGate is advertising to a specific BGP neighbor?

A.get router info bgp network
B.get router info bgp neighbor <ip> advertised-routes
C.diagnose ip router bgp routes
D.show ip bgp summary
AnswerB

Correct command.

Why this answer

Option B is correct. 'get router info bgp neighbor <ip> advertised-routes' shows all routes that the FortiGate is advertising to that specific BGP neighbor. This is the standard command for verifying outbound route advertisement.

123
Multi-Selectmedium

An administrator is investigating a security incident using FortiAnalyzer logs. The admin needs to identify all connections from a specific internal IP (10.0.0.100) to external servers on TCP port 443 during the last hour. Which TWO log fields should be used to filter the logs? (Choose two.)

Select 2 answers
A.dstip
B.dstport
C.srcip
D.action
E.policyid
AnswersB, C

Correct. Destination port field filters by port number (443).

Why this answer

To filter traffic from a source IP and destination port, the administrator should use the source IP field and the destination port field. The service field may also show port but is less precise.

124
MCQhard

Two FortiGate units in an HA cluster are experiencing synchronization issues. The administrator runs 'diagnose sys ha checksum cluster' and sees different checksum values for the 'system' and 'router' objects. What is the FIRST step to resolve the mismatch?

A.Execute 'execute ha synchronize start' from the primary unit
B.Upgrade the firmware on both units to the same version
C.Reboot both units to force a full sync
D.Disable and re-enable HA on both units
AnswerA

This command forces configuration synchronization from primary to secondary.

Why this answer

Option A is correct. The checksum mismatch indicates configuration drift. The first step should be to synchronize the configuration from the primary unit to the secondary using 'execute ha synchronize start'.

125
MCQmedium

A FortiGate administrator uses FortiAnalyzer for log analysis and wants to identify all sessions that were blocked by a specific firewall policy ID 10. Which log filter should be applied?

A.Filter by 'action eq block' and then manually look for policy 10
B.Filter by 'policyid == 10'
C.Filter by 'policy_id = 10'
D.Filter by 'devid contains 10'
AnswerB

FortiAnalyzer uses 'eq' for equality, but many interfaces accept '==' as well; the standard is 'policyid eq 10'.

Why this answer

FortiAnalyzer logs contain a field for the policy ID that triggered the action. The correct filter is 'policyid eq 10'.

126
Multi-Selecthard

You are troubleshooting BGP route advertisement issues. Which THREE debug commands would be useful to identify why a route is not being advertised to a neighbor? (Choose three.)

Select 3 answers
A.diagnose debug router bgp <neighbor>
B.get router info bgp neighbors <neighbor> received-routes
C.get router info bgp summary
D.get router info bgp neighbors <neighbor> advertised-routes
E.get router info routing-table bgp
AnswersA, D, E

Shows BGP debug messages including updates.

Why this answer

Options A, D, and E are correct. 'diagnose debug router bgp' (A) shows BGP updates and errors. 'get router info routing-table bgp' (E) checks whether the route exists in the routing table. 'advertised-routes' (D) shows what is actually sent to the neighbor. Option C shows the summary only. Option B shows received routes, not advertisements.

127
MCQmedium

You run 'diagnose sys session filter dport 443' and see sessions with a duration of 7200 seconds and expire time of 3600 seconds. What does this indicate?

A.The session has been idle for 7200 seconds
B.The session helper is interfering with the session
C.The session has been alive for 7200 seconds and will expire in 3600 seconds
D.The session has already expired
AnswerC

Duration is time alive; expire is remaining lifetime.

Why this answer

Option C is correct because an expire time lower than the duration indicates the session has been alive longer than its remaining lifetime, which could mean the session is about to expire or there is a timing issue. Option A is incorrect because the expire value is less than the duration. Option B is incorrect because the session is still active. Option D is not supported by the data.

128
MCQmedium

A user reports that they cannot connect to a remote office via IPsec VPN. Phase 1 is up, but Phase 2 fails to establish. The administrator runs 'diagnose vpn ike log' and sees 'no matching phase2 proposal'. What should be checked?

A.The firewall policies allow IKE traffic
B.The local and remote subnet definitions are correct
C.The pre-shared key is correct
D.The Phase 2 proposal settings (encryption, authentication, PFS) match on both peers
AnswerD

Mismatched Phase 2 proposals prevent the tunnel from establishing.

Why this answer

The error 'no matching phase2 proposal' indicates that the Phase 2 parameters (encryption, authentication, etc.) do not match between the two endpoints. The administrator should verify the Phase 2 selectors on both sides.

129
Matchingmedium

Match each high availability (HA) mode to its characteristic.


Concepts
Matches

One unit handles traffic; standby takes over on failure

Both units handle traffic simultaneously

FortiGate Clustering Protocol

Synchronizes sessions between HA members

Link used for HA communication and synchronization

Why these pairings

These are fundamental HA concepts in FortiOS.

130
MCQmedium

A FortiGate is configured with SD-WAN and multiple members. The administrator notices that traffic to a critical application is consistently routed over a low-quality link, even though a better link is available. The SD-WAN rule uses the 'Best Quality' strategy with a performance SLA. What is the most likely reason?

A.The better link is failing its SLA probes
B.The better link is in 'standby' mode
C.The SD-WAN rule is using source-based routing
D.The application traffic is not matching the SD-WAN rule
AnswerA

Correct. If a link fails SLA, it is considered out of compliance and not selected by 'Best Quality'.

Why this answer

The 'Best Quality' strategy selects the best link based on measured performance. If the better link is not meeting the SLA, it will not be selected. The administrator should check the SLA thresholds and ensure the link is passing.

131
MCQhard

You are troubleshooting a BGP neighbor flapping. The neighbor state shows 'Active'. Which command will help you see the reason for the state change?

A.get router info bgp neighbors
B.get router info bgp neighbors <neighbor> rejected-routes
C.get router info bgp neighbors <neighbor> received-routes
D.get router info bgp summary
AnswerB

This shows routes that were rejected and why, helping identify flapping cause.

Why this answer

Option B is correct because 'get router info bgp neighbors <neighbor> rejected-routes' shows routes that were rejected and the reason. Option A shows established neighbors. Option D shows the summary.

Option C shows received routes but not rejection reasons.

132
MCQmedium

A network admin runs 'diagnose sys top' on a FortiGate and sees that the process 'httpsd' is consistently using 95% CPU. Which of the following actions is MOST appropriate to troubleshoot this issue?

A.Restart the FortiGate firewall engine with 'diagnose test application fgwbd 255'
B.Disable the antivirus profile on all policies to reduce processing load
C.Increase the log rate to capture more details about the httpsd process
D.Check the number of active admin sessions and consider stopping the web GUI service temporarily
AnswerD

httpsd handles web management; high CPU may be due to many admin sessions or a stuck process.

Why this answer

Option D is correct because httpsd is the web management daemon. High CPU usage from httpsd often indicates excessive web GUI access or a stuck session. The first step is to check active admin sessions and consider stopping the GUI service temporarily for diagnosis.

133
MCQeasy

An administrator wants to monitor real-time CPU usage per process on a FortiGate. Which command should be used?

A.diagnose hardware sysinfo cpu
B.get system performance status
C.diagnose sys top
D.show system performance monitor
AnswerC

This command displays a real-time list of processes and their resource usage.

Why this answer

The 'diagnose sys top' command shows running processes with CPU and memory usage, similar to Linux 'top'. Options A and D are not valid commands; option B shows overall CPU statistics but not per-process usage.

134
MCQmedium

When troubleshooting a FortiGate that is not synchronizing configuration to its HA peer, which command should be used to check the HA synchronization status?

A.diagnose sys ha sync-status
B.get system ha status
C.diagnose sys ha status
D.show system ha
AnswerB

This command displays HA cluster status, sync state, and last sync error.

Why this answer

'get system ha status' provides detailed information about HA cluster status, including synchronization state and any errors.

135
Multi-Selectmedium

An administrator is configuring SD-WAN and wants to ensure that voice traffic uses the lowest latency link. Which two configurations are required to achieve this? (Choose TWO.)

Select 2 answers
A.Configure a static route for the voice subnet
B.Configure a performance SLA with latency threshold
C.Set the SD-WAN rule to use 'manual' strategy
D.Create an SD-WAN rule that matches voice traffic and uses 'best quality' strategy
E.Enable NAT on the SD-WAN interface
AnswersB, D

The SLA measures latency and marks link quality.

Why this answer

To steer traffic based on latency, you need a performance SLA with latency measurement and an SD-WAN rule that matches the voice traffic and uses the lowest latency strategy.

136
Multi-Selecthard

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. Phase 1 seems to complete, but Phase 2 fails with 'no proposal chosen'. The administrator checks the Phase 2 configuration and sees the following settings: 'Local address: 10.0.0.0/24, Remote address: 192.168.0.0/24, Proposal: aes256-sha1, Enable Perfect Forward Secrecy (PFS): Disabled'. Which TWO changes would most likely resolve the issue? (Choose two.)

Select 2 answers
A.Enable PFS on FortiGate
B.Verify that the Phase 2 selectors match exactly on both sides
C.Change the local address to 10.0.0.0/8
D.Add aes256-sha256 to the Phase 2 proposal
E.Increase the Phase 2 lifetime
AnswersA, B

If the remote side requires PFS, FortiGate must enable it to match.

Why this answer

Phase 2 failure with 'no proposal chosen' indicates a mismatch in proposal or selectors. Common causes: PFS mismatch (if remote requires PFS) or selector mismatch (subnets).

137
MCQeasy

An administrator observes that after a failover in an HA cluster, some established sessions are dropped. The cluster is configured with session pickup enabled. What is the most likely reason for the dropped sessions?

A.The failover occurred during a configuration synchronization
B.The HA uptime is less than the session TTL
C.Session pickup only synchronizes TCP sessions, and the dropped sessions are UDP
D.The session helper for the protocol is not enabled
AnswerC

Session pickup by default only synchronizes TCP sessions. UDP and other protocols are not preserved during failover.

Why this answer

Session pickup synchronizes sessions between HA members, but if the session was established before the cluster was fully synchronized, or if the session table is full, sessions may be dropped. However, the most common reason is that session pickup only works for TCP sessions, not UDP or other protocols.

138
MCQmedium

A FortiGate administrator observes that traffic from an internal user to the internet is being blocked. The firewall policy allows the traffic, and the user can ping external hosts. The administrator runs 'diagnose debug flow' for the user's IP and sees 'session denied by forward policy check'. What is the MOST likely cause?

A.There is an implicit deny policy blocking the traffic
B.The antivirus profile has detected a threat and is blocking the session
C.The user's traffic is being rate-limited by a traffic shaper
D.The user's source IP is in a local-in policy that denies the traffic
AnswerA

The forward policy check indicates that no explicit policy matches the traffic, so it is denied by the implicit deny.

Why this answer

Option A is correct. 'session denied by forward policy check' indicates no matching policy, leading to the implicit deny.

139
MCQhard

A FortiGate cluster (A-P) has a session that is not synchronizing to the secondary unit. The administrator runs 'diagnose sys ha session-sync status' and sees that the session count is different between primary and secondary. Which is the most likely cause?

A.The session is using a custom application control profile that prevents synchronization.
B.The HA heartbeat interface is down.
C.The secondary unit has insufficient memory to accept new sessions.
D.The session was created by a local-in traffic (e.g., management traffic) which is not synchronized.
AnswerD

Local-in sessions are typically not synced across HA members.

Why this answer

FortiGate A-P clusters synchronize sessions via the HA heartbeat interface, but local-in traffic (e.g., management sessions like HTTPS, SSH, or SNMP) is never synchronized because it is destined to the cluster IP itself and is inherently unit-specific. The 'diagnose sys ha session-sync status' command shows a session count mismatch because the primary unit has local-in sessions that the secondary does not replicate, making D the correct answer.

Exam trap

The trap here is that candidates assume all sessions are synchronized by default, but FortiGate explicitly excludes local-in traffic (management sessions) from HA synchronization, so a session count difference is normal and expected for those sessions.

How to eliminate wrong answers

Option A is wrong because application control profiles do not affect session synchronization; they are inspection profiles applied to traffic policies, and session synchronization is controlled by HA settings and session type, not by security profiles. Option B is wrong because if the HA heartbeat interface were down, the cluster would not be able to maintain a synchronized state at all, and the secondary would likely be isolated or the cluster would split-brain; the question states the cluster is operational with a session count difference, not a total sync failure. Option C is wrong because insufficient memory on the secondary would cause it to reject new sessions or fail to synchronize, but the symptom would be a growing session count mismatch over time, not a persistent difference for a specific session; moreover, the secondary would still attempt synchronization and log memory pressure, not simply skip a session silently.

140
MCQeasy

A FortiGate administrator wants to quickly identify which process is consuming the most CPU on the device. Which CLI command should be used?

A.diagnose hardware sysinfo memory
B.diagnose sys top
C.diagnose debug application crashlog read
D.get system performance status
AnswerB

This command shows real-time process CPU and memory usage, allowing identification of high CPU consumers.

Why this answer

Option B is correct. 'diagnose sys top' provides a real-time view of process CPU and memory usage.

141
Multi-Selectmedium

An administrator is configuring a FortiGate to inspect SMTP traffic for spam and viruses. The traffic must be decrypted to inspect the content. Which THREE elements are required for this configuration? (Choose three.)

Select 3 answers
A.A spam filter profile applied to the firewall policy
B.A web filter profile applied to the firewall policy
C.An antivirus profile applied to the firewall policy
D.An application control profile applied to the firewall policy
E.A firewall policy that allows SMTP traffic and has SSL inspection enabled
AnswersA, C, E

Spam filtering is needed to identify and block spam.

Why this answer

Options A, C, and E are correct. SSL inspection decrypts the traffic, the antivirus profile scans for viruses, and the spam filter profile blocks spam.

142
MCQhard

A FortiGate is blocking HTTP traffic from 10.0.1.5 to 10.0.2.100, despite an explicit allow policy. The exhibit shows the configuration and debug flow output. What is the most likely cause?

A.The policy is applied to the wrong source interface.
B.The policy action is set to deny.
C.TCP SYN flood protection is dropping the incomplete session.
D.The source address object does not include 10.0.1.5.
AnswerC

The 'state proto not ready' indicates TCP handshake incomplete; often due to DoS protection thresholds.

Why this answer

The debug flow output shows the session is in a 'SYN_RECV' state and never transitions to 'ESTABLISHED', which is characteristic of TCP SYN flood protection. When the FortiGate's SYN flood protection threshold is exceeded, it drops incomplete sessions before they can be fully established, even if an explicit allow policy exists. This explains why HTTP traffic from 10.0.1.5 to 10.0.2.100 is blocked despite the policy being correctly configured.

Exam trap

The trap here is that candidates often assume a policy issue (wrong interface, wrong action, or wrong address object) when the debug flow shows a session being created but not completing, but the real cause is a DoS protection mechanism that drops the session after the initial SYN.

How to eliminate wrong answers

Option A is wrong because if the policy were applied to the wrong source interface, the debug flow would typically show a 'no matching policy' message or a policy lookup failure, not a session stuck in SYN_RECV. Option B is wrong because if the policy action were set to deny, the debug flow would show an explicit deny action or a 'deny' flag in the session table, not a session that is being tracked but never completes. Option D is wrong because if the source address object did not include 10.0.1.5, the policy lookup would fail to match, resulting in a 'no matching policy' or implicit deny, not a session that reaches SYN_RECV and then stalls.

143
Multi-Selecthard

An administrator is troubleshooting a VPN tunnel between two FortiGates. The phase 1 fails to come up. The administrator runs 'diagnose vpn ike log' and sees the error 'no proposal chosen'. Which THREE configuration mismatches could cause this error?

Select 3 answers
A.Different Diffie-Hellman groups (e.g., DH5 vs DH14)
B.Different encryption algorithms (e.g., AES128 vs 3DES)
C.Mismatched local and remote gateway IPs
D.Mismatched pre-shared keys
E.Different IKE mode (main vs aggressive)
AnswersA, B, E

DH group is a key component of the IKE proposal; mismatch results in 'no proposal chosen'.

Why this answer

The 'no proposal chosen' error in IKE phase 1 indicates that the two peers cannot agree on the IKE SA parameters. Common mismatches include encryption algorithm, authentication method, and Diffie-Hellman group.

144
MCQeasy

A network administrator runs 'diagnose sys top' and sees that the 'ipsengine' process is consistently using 99% CPU. What is the BEST immediate action to reduce CPU load?

A.Reboot the FortiGate
B.Increase the session limit
C.Disable IPS inspection on policies that don't require it
D.Change IPS engine to flow-based mode
AnswerC

Disabling IPS reduces CPU usage by the ipsengine process.

Why this answer

Option C is correct because disabling IPS inspection on policies that do not need it stops the IPS engine from processing that traffic, reducing CPU load. Option A would not help if the cause is sustained CPU load. Option D might help but is less direct. Option B is not relevant.

145
MCQhard

An administrator runs 'diagnose debug application sslvpn -1' and sees repeated 'SSL_ERROR_SSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate'. The SSL-VPN is configured to require client certificates. What is the cause?

A.The client is not sending a client certificate
B.The SSL-VPN server certificate is expired
C.The SSL-VPN tunnel mode is misconfigured
D.The CA certificate is not imported on FortiGate
AnswerA

Correct. The error 'peer did not return a certificate' means the client did not provide the required certificate.

Why this answer

The error indicates that the SSL-VPN server expects a client certificate (mutual authentication) but the client did not provide one. The administrator should check the client certificate configuration on the user's machine.

146
MCQmedium

An administrator runs 'diagnose sys session filter dport 443' and sees output indicating sessions with state 'proto=6 proto_state=01 duration=3600 expire=3598'. What does this output indicate about the session?

A.The session is an expired TCP session that is being removed
B.The session is a UDP session to port 443 that has been idle for 3600 seconds
C.The session is an established TCP session to port 443, lasting 3600 seconds with 3598 seconds remaining
D.The session is blocked by a firewall policy and has been logged
AnswerC

Correct interpretation of the diagnose output.

Why this answer

Option C is correct. The output shows a TCP session (proto=6) in state 01 (TCP established). Duration and expire values are in seconds.

This indicates an active TCP session that has been established for 3600 seconds (1 hour) and will expire in 3598 seconds.

147
MCQeasy

Which command displays the current session count on a FortiGate?

A.get system performance status
B.diagnose sys session stat
C.show system session
D.diagnose hardware sysinfo session
AnswerA

This command shows session count under 'Session number'.

Why this answer

The 'get system performance status' command shows the number of current sessions among other performance statistics.

148
Multi-Selectmedium

An administrator is troubleshooting a VPN tunnel that is not coming up. The remote peer is a third-party device. Which THREE actions should be taken to diagnose the issue?

Select 3 answers
A.Ensure that the pre-shared key matches on both sides.
B.Confirm that UDP ports 500 and 4500 are not blocked by any firewall.
C.Verify that the remote peer's IP address is reachable via ping.
D.Check the IPSec VPN logs with 'diag debug application ike -1'.
E.Review the routing table to ensure the remote subnet is reachable through the tunnel interface.
AnswersA, C, D

Mismatched PSK is a common cause of tunnel failure.

Why this answer

Option A is correct because IPsec IKE (Internet Key Exchange) uses the pre-shared key (PSK) during authentication phase 1 (Main Mode or Aggressive Mode). If the PSK does not match on both peers, the IKE SA will fail to establish, and the VPN tunnel will not come up. This is a fundamental prerequisite for any IPsec VPN, and mismatched PSKs are a common misconfiguration.

Exam trap

The trap here is that candidates often confuse post-tunnel routing checks (Option E) with pre-tunnel connectivity checks, or they treat firewall port blocking (Option B) as a primary diagnostic step rather than a prerequisite to verify once the other checks fail.

149
MCQmedium

An administrator configured a firewall policy to inspect SMTP traffic using an antivirus profile. However, email attachments are not being scanned. The FortiGate is operating in proxy-based inspection mode. What is the most likely cause?

A.The policy is set to 'accept' instead of 'deny'
B.The email is sent over TLS encryption
C.The antivirus profile is set to flow-based inspection
D.The SMTP session helper is not enabled
AnswerD

Correct. The SMTP helper ensures FortiGate understands the SMTP protocol and can inspect email attachments.

Why this answer

SMTP traffic requires a specific session helper to be enabled for FortiGate to properly parse and scan email traffic. If the SMTP session helper is disabled, the antivirus profile may not scan the attachments correctly.

150
MCQmedium

An administrator notices that SD-WAN rule-based traffic is not failing over as expected when the primary link goes down. The SLA targets are configured correctly, and the interface health check is showing 'dead' for the primary link. What is the MOST likely reason for the failover not occurring?

A.The SD-WAN rule's 'set strategy' is 'manual' and the preferred member is still set to the primary interface
B.The SD-WAN rule's 'set status' is set to 'disable'
C.The secondary interface has a higher cost than the primary interface
D.The 'set update-static-route' is not enabled on the SD-WAN
AnswerA

When strategy is 'manual', the rule will not failover automatically; traffic continues to be sent to the preferred member even if the SLA is dead.

Why this answer

Option A is correct. A manual strategy does not fail over automatically; the preferred member must be changed manually or via automation.
