CCNA Nse7 Vpn Zerotrust Questions

75 of 207 questions · Page 1/3 · Nse7 Vpn Zerotrust topic

1
Multi-Select · medium

A FortiGate administrator is configuring a multi-peer IPsec VPN where two remote sites (Site A and Site B) connect to a central hub. The administrator wants to ensure that if the primary peer for a site goes down, traffic automatically fails over to the backup peer. Which TWO settings must be configured on the hub's phase1?

Select 2 answers
A. Set 'auto-negotiate' to 'enable'
B. Set 'dpd' to 'on-demand'
C. Set 'aggregate-ipsec' to 'round-robin'
D. Set 'peer-options' to include both peers with 'priority'
E. Set 'failover' to 'enable'
Answers: D, E

Why this answer

Multi-peer VPN requires configuring 'peer-options' with multiple peer IPs and priorities, and enabling 'failover' on the phase1 interface to allow automatic switching to the backup peer if the primary goes down.

2
MCQ · medium

A FortiGate administrator notices that a VPN tunnel goes down and re-establishes every 30 minutes. The administrator checks the tunnel's phase1 and phase2 lifetimes. The phase1 lifetime is set to 86400 seconds and phase2 to 3600 seconds. What is the most likely cause of the tunnel dropping?

A. The phase2 lifetime is set to 3600 seconds, causing rekey failures
B. The phase1 lifetime is too short, causing frequent renegotiation
C. The VPN tunnel is not configured to use NAT traversal
D. The DPD (Dead Peer Detection) timeout is triggered every 30 minutes
Answer: D

If DPD retry timeout is set to a value that results in the peer being declared dead after 30 minutes, the tunnel will be torn down and re-established.

Why this answer

The phase2 lifetime of 3600 seconds (1 hour) would cause a rekey every hour, but the tunnel drops every 30 minutes, so the lifetimes do not explain the interval. Option D is correct because DPD settings can cause the tunnel to be declared dead if the peer does not respond; if the DPD timeout is set to 1800 seconds (30 minutes), the tunnel would be torn down. A rekey should normally succeed, whereas a DPD timeout indicates the peer is not reachable, possibly due to a transient issue. Among the options, DPD is the most plausible cause.

3
Multi-Select · medium

Which TWO of the following are required components for a Fortinet ZTNA solution? (Select two.)

Select 2 answers
A. FortiAuthenticator
B. FortiWeb
C. FortiAnalyzer
D. FortiGate
E. FortiClient EMS
Answers: D, E

FortiGate is the ZTNA gateway.

Why this answer

FortiGate is the enforcement point in a ZTNA solution, acting as the ZTNA gateway that verifies device posture and user identity before granting access to protected applications. It terminates ZTNA tunnels from FortiClient and applies identity-based policies, making it a required component for traffic inspection and access control.

Exam trap

The trap here is that candidates often assume FortiAuthenticator is required because ZTNA involves identity, but FortiGate can handle authentication locally or via any SAML IdP, making FortiAuthenticator optional, not mandatory.

4
MCQ · medium

A FortiGate administrator needs to integrate with FortiNAC to enforce network access control for wired and wireless devices. The administrator wants FortiNAC to dynamically assign VLANs based on the device's security posture. Which FortiNAC feature enables this?

A. DHCP fingerprinting
B. NAC policies
C. RADIUS accounting
D. SNMP traps
Answer: B

NAC policies use device posture information to assign VLANs dynamically.

Why this answer

NAC policies define rules for device classification and VLAN assignment based on posture assessment results.

5
MCQ · easy

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal application. The application is accessed via HTTPS. Which component must be configured on the FortiGate to act as a reverse proxy for the application?

A. FortiClient EMS
B. SSL-VPN portal
C. ZTNA proxy
D. ZTNA inline CASB
Answer: C

Why this answer

ZTNA proxy is the FortiGate feature that acts as a reverse proxy, terminating the client connection and initiating a new connection to the internal application. It enforces access policies based on identity and device posture.

6
MCQ · hard

A FortiGate administrator configures a multi-peer IPsec VPN with two remote gateways for redundancy. The phase 1 configuration has 'set proposal aes256-sha256' and 'set dpd on-idle'. The tunnel is established but traffic fails over to the backup peer only after a long delay. What change would improve failover time?

A. Increase the phase 2 lifetime
B. Enable NAT traversal
C. Use IKEv1 instead of IKEv2
D. Change DPD mode to 'on-demand' and reduce retry count
Answer: D

On-demand sends DPD probes regularly regardless of traffic, enabling faster detection.

Why this answer

DPD on-idle sends probes only when there is no traffic. With DPD on-idle, failure detection can be slow. Changing to DPD on-demand (active probing) or reducing retry intervals speeds up failure detection.

7
MCQ · easy

An administrator wants to enforce that only devices with antivirus software installed and up-to-date can access the corporate network. Which FortiGate feature should be used?

A. Application control profile
B. ZTNA tags and posture checks
C. IPsec VPN with pre-shared key
D. Web filtering profile
Answer: B

ZTNA tags can reflect compliance status from EMS.

Why this answer

FortiGate uses ZTNA device posture checks via FortiClient EMS to enforce endpoint compliance, such as antivirus status.

8
MCQ · medium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGate devices. The tunnel is established, but traffic is not passing. Which configuration should the administrator check first?

A. Firewall policies
B. NAT traversal configuration
C. Static routes
D. Phase1 parameters
Answer: A

Firewall policies must explicitly permit the traffic between the IPsec interface and the destination zone.

Why this answer

When an IPsec VPN tunnel is established but traffic does not pass, the most common cause is missing or misconfigured firewall policies. Even with correct Phase 1 and Phase 2 settings, the FortiGate will not forward traffic between the tunnel interface and the destination network unless an explicit firewall policy permits it. This is because FortiGate uses a stateful inspection model where all traffic must be allowed by a policy, regardless of the VPN being up.

Exam trap

The trap here is that candidates assume a working Phase 1 and Phase 2 automatically allows traffic, but FortiGate requires explicit firewall policies to permit traffic through the tunnel, unlike some other vendors where the VPN configuration itself implies a permit.

How to eliminate wrong answers

Option B (NAT traversal configuration) is wrong because NAT traversal is only relevant when there is a NAT device between the VPN peers; if the tunnel is already established, NAT-T is likely working or not needed, and it does not block traffic flow. Option C (Static routes) is wrong because while routes are necessary for traffic to reach the tunnel interface, the tunnel being established indicates that routing is likely correct; the issue is that even with correct routes, traffic is dropped at the policy layer. Option D (Phase1 parameters) is wrong because if Phase 1 parameters were mismatched, the tunnel would not establish at all; the fact that the tunnel is up means Phase 1 negotiation succeeded.

9
MCQ · hard

An administrator is troubleshooting a ZTNA issue where users are able to authenticate but the application access is still blocked. The ZTNA status on FortiClient shows 'Connected' but the application does not load. What is the MOST likely cause?

A. The user's FortiClient does not have the required ZTNA tags assigned
B. The ZTNA application is not configured with HTTPS
C. The FortiClient EMS server is not reachable from the FortiGate
D. The FortiGate is not configured with the correct ZTNA application gateway
Answer: A

ZTNA tags define access permissions. If the user's client lacks the required tags, the FortiGate blocks access even though the client is connected.

Why this answer

ZTNA uses tags to determine which users or devices can access which applications. If the necessary tags are missing, access is denied even if the client is connected.

10
MCQ · hard

During a routine audit, a FortiGate administrator discovers that all traffic from a specific user group is being denied by a firewall policy. The policy uses a ZTNA rule that requires the device tag 'Compliant'. The administrator checks the user's device in EMS and sees it is tagged as 'Compliant'. However, the traffic is still denied. What could be the problem?

A. The FortiGate's EMS connector is not syncing tag information in real-time
B. The user's IP address has changed and the tag is mapped to a different IP
C. The ZTNA rule is configured with the wrong application port
D. The device posture compliance check requires additional criteria not met
Answer: A

ZTNA tags are pulled from EMS periodically. If the connector hasn't synced recently, the FortiGate might still have old tag information for that device.

Why this answer

Even if the tag exists in EMS, the FortiGate may not have received the updated tag information, or the session may have been established before the tag was applied. Option A is correct because the FortiGate must re-evaluate tags for new connections; if the EMS connector is not syncing, or the session is cached with old tags, the traffic may still be denied.

11
MCQ · medium

A company wants to use FortiGate as a SAML service provider (SP) for authenticating administrators to the FortiGate GUI. The identity provider (IdP) is Azure AD. After configuration, administrators are redirected to Azure AD login but receive an error that the SAML request is invalid. What is the most likely misconfiguration?

A. The IdP's entity ID or SSO URL is incorrectly entered on FortiGate
B. The FortiGate's SP entity ID does not match the Azure AD application's identifier
C. The administrator's account is not synchronized with Azure AD
D. The certificate used for signing is not trusted by the IdP
Answer: A

If the IdP entity ID or SSO URL is wrong, the SAML request will be considered invalid by the IdP.

Why this answer

As an SP, FortiGate must be configured with the correct IdP entity ID and SSO URL. If the IdP entity ID is incorrect, the IdP rejects the SAML request.

12
Multi-Select · medium

An administrator is deploying ZTNA with FortiClient EMS to secure access to a corporate web application. Which THREE components are required for a successful ZTNA deployment? (Choose three.)

Select 3 answers
A. FortiSandbox for threat analysis
B. FortiClient EMS server
C. FortiClient installed on endpoint devices
D. FortiGate configured as ZTNA access proxy
E. FortiAnalyzer for logging
Answers: B, C, D

EMS manages compliance rules, ZTNA tags, and pushes policies to FortiClient.

Why this answer

ZTNA requires FortiClient for endpoint posture, EMS for policy/tag management, and FortiGate with ZTNA proxy to enforce access control.

13
MCQ · hard

A FortiGate has an IPsec VPN with a remote peer that uses IKEv2. The administrator wants to ensure that child SA rekeying uses PFS (Perfect Forward Secrecy) with Diffie-Hellman group 14. Which CLI command should the administrator configure on the FortiGate's phase 2 proposal?

A. set auto-negotiate enable; set dh-group 14
B. set pfs enable; set dhgrp 14
C. set proposal aes256-sha256 dh-group 14
D. set pfs enable; set dh-group 14
Answer: B

This correctly enables PFS and sets the Diffie-Hellman group to 14.

Why this answer

To enable PFS with DH group 14 on the phase 2 proposal, the correct CLI command is 'set pfs enable' and 'set dhgrp 14'. The command 'set proposal aes256-sha256' defines encryption/integrity, not PFS. The other options do not set PFS correctly.

14
MCQ · hard

A FortiGate is configured with an IPsec VPN that uses certificate-based authentication. The VPN fails to establish. The administrator checks the phase1 debug and sees the message: 'no suitable certificate found'. What is the most likely cause?

A. The peer's certificate is not trusted
B. The certificate revocation list (CRL) is outdated
C. The CA certificate is missing
D. The local certificate is not imported or does not match the certificate name
Answer: D

The FortiGate needs a local certificate with a subject that matches the local ID; otherwise it cannot present a certificate.

Why this answer

The 'no suitable certificate found' error in IPsec phase1 debug indicates that the FortiGate cannot locate a local certificate that matches the peer's expected certificate name (often the peer's ID or the configured local certificate name). This typically occurs when the local certificate is not imported or the certificate's Common Name (CN) or Subject Alternative Name (SAN) does not match the configured local ID or peer's expected identifier. Without a matching local certificate, the IKE exchange cannot proceed to authenticate the FortiGate to the remote peer.

Exam trap

The trap here is that candidates often confuse 'no suitable certificate found' with trust or revocation issues, but the error specifically points to a missing or mismatched local certificate, not problems with the peer's certificate or CA chain.

How to eliminate wrong answers

Option A is wrong because 'no suitable certificate found' refers to the local certificate not being found or matching, not the peer's certificate trust; a lack of trust in the peer's certificate would produce a different error like 'certificate validation failed' or 'untrusted certificate'. Option B is wrong because an outdated CRL would cause a certificate validation failure (e.g., 'certificate revoked' or 'CRL not checked'), not a failure to find a suitable local certificate. Option C is wrong because a missing CA certificate would prevent validation of the peer's certificate, resulting in a trust-related error, not the 'no suitable certificate found' message which is about the local certificate selection.

15
MCQ · medium

A FortiGate is configured as a SAML Identity Provider (IdP) for a remote user accessing a web application via ZTNA. The user authenticates successfully, but the ZTNA proxy logs show 'access denied' for the user. Which configuration element is most likely missing or misconfigured?

A. The ZTNA access proxy application is not enabled for HTTPS.
B. The SAML user group is not added to the ZTNA rule's allowed groups.
C. A firewall policy with ZTNA tags as source is missing.
D. ZTNA tags are not assigned to the user in FortiClient EMS.

Why this answer

ZTNA rules restrict access based on user groups. Even if the user authenticates via SAML, they must be a member of a group that is explicitly allowed in the ZTNA rule. Tags are for client posture, not authentication groups.

16
Multi-Select · medium

A FortiGate administrator is configuring NAC (Network Access Control) integration with FortiNAC. The goal is to control access for wired clients based on device compliance. Which TWO configurations are required on the FortiGate to support this integration?

Select 2 answers
A. Configure a RADIUS server pointing to FortiNAC.
B. Create a security group tag (SGT) mapping.
C. Enable '802.1x' authentication on the interface.
D. Enable 'nac-policy' on the switch-facing interface.
E. Set the 'nac-mode' to 'global-vlan' under the interface.
Answers: A, D

Why this answer

FortiGate integrates with FortiNAC via RADIUS (A) to query device compliance, and NAC policies (D) on the switch-facing interface enforce access. 802.1x is typically handled by the switch, not the FortiGate directly. SGT mappings and nac-mode are not standard for this integration.

17
Multi-Select · hard

A FortiGate administrator is troubleshooting a ZTNA problem where users are unable to connect to an internal application via FortiClient. FortiClient reports 'Connection refused'. The FortiGate ZTNA gateway is configured correctly. Which THREE steps should the administrator take to diagnose the issue?

Select 3 answers
A. Check the FortiGate's antivirus update status
B. Verify that FortiClient can reach the ZTNA gateway's IP and port
C. Examine the ZTNA access proxy rule to ensure the application mapping is correct
D. Reboot the FortiClient computer
E. Verify that the application server is reachable from the FortiGate (e.g., ping or telnet)
Answers: B, C, E

Network connectivity between FortiClient and the ZTNA gateway is fundamental.

Why this answer

To diagnose ZTNA connection issues, the administrator should verify network connectivity from FortiClient to the ZTNA gateway, check the ZTNA access proxy rule configuration, and verify that the application server is reachable from the FortiGate. Options B, C, and E are correct.

18
MCQ · medium

A FortiGate is configured as a SAML service provider (SP) for user authentication. Users report they are redirected to the identity provider (IdP) for authentication, but after successful login, they are not allowed access to the requested resource. What is the MOST likely cause?

A. The FortiGate is configured as an IdP instead of SP
B. SAML single logout is enabled and causing session termination
C. The IdP certificate is not trusted by the FortiGate
D. The SAML user group is not configured with the correct IdP attribute mapping
Answer: D

Without proper group mapping, the FortiGate cannot assign the user to a group, and the firewall policy requiring that group will deny access.

Why this answer

After SAML authentication, the FortiGate must have a matching user group and firewall policy that allows traffic from authenticated users. If the IdP sends the correct attributes but the FortiGate does not have a group mapping or policy, access will be denied.

19
Multi-Select · medium

A FortiGate administrator is configuring a hub-and-spoke ADVPN with BGP. The hub has multiple spokes. Which TWO configuration steps are REQUIRED on the hub FortiGate for shortcut tunnels to be established between spokes?

Select 2 answers
A. Configure BGP to redistribute connected or static routes to the spokes
B. Enable 'set auto-discovery-receiver' on the hub's phase1 interface
C. Enable 'set auto-discovery-sender' on the hub's phase1 interface
D. Disable DPD on the hub's phase1 interface
E. Set the IKE version to IKEv1 on the hub
Answers: A, C

Without route redistribution, spokes will not learn about other spoke subnets, so shortcut tunnels would have no traffic to trigger.

Why this answer

For ADVPN shortcut tunnels, the hub must enable auto-discovery sender and must also advertise the spoke routes to other spokes. Without route advertisement, spokes cannot know about each other's networks.

20
MCQ · easy

Refer to the exhibit. A FortiGate administrator has configured an IPsec VPN tunnel to a branch office. The tunnel fails to establish. What is the most likely cause?

A. Phase 2 proposal (aes256-sha1) is not compatible with Phase 1 proposal (aes256-sha256)
B. The pre-shared key is encrypted in the configuration
C. The 'net-device disable' setting prevents tunnel creation
D. The phase2 interface name does not match the phase1 name
Answer: A

Phase 2 encryption must be a subset of Phase 1; SHA1 vs SHA256 mismatch causes failure.

Why this answer

The tunnel fails because the Phase 2 proposal (aes256-sha1) is not compatible with the Phase 1 proposal (aes256-sha256). In IPsec VPN, Phase 1 establishes the ISAKMP SA using a set of encryption and authentication algorithms, while Phase 2 negotiates the IPsec SA for data traffic. The authentication algorithm must match between Phase 1 and Phase 2; here, Phase 1 uses SHA-256 but Phase 2 uses SHA-1, causing a mismatch that prevents the tunnel from establishing.

Exam trap

The trap here is that candidates often assume Phase 1 and Phase 2 proposals are independent, but FortiGate requires the authentication algorithm to match between phases, and the exam tests this subtle interoperability constraint.

How to eliminate wrong answers

Option B is wrong because the pre-shared key being encrypted in the configuration is normal behavior in FortiGate (it is always displayed as asterisks or encrypted text) and does not prevent tunnel establishment. Option C is wrong because the 'net-device disable' setting only prevents the tunnel interface from being treated as a network device for routing purposes; it does not block IPsec tunnel creation or negotiation. Option D is wrong because the Phase 2 interface name does not need to match the Phase 1 name; Phase 2 references the Phase 1 configuration via the 'set phase1name' parameter, not by interface name.

21
Multi-Select · hard

A FortiGate administrator is troubleshooting an IPsec VPN that uses IKEv2 with certificate authentication. The VPN fails to establish. The administrator runs 'diagnose vpn ike gateway list' and sees the gateway state is 'IKE_INIT'. Which three possible causes should the administrator investigate? (Choose three.)

Select 3 answers
A. The certificate of the remote peer is not trusted by the local FortiGate
B. The pre-shared key is incorrect
C. The phase 1 proposal (encryption, hash, DH group) does not match
D. The phase 2 proxy ID is incorrect
E. The remote peer's certificate has expired
Answers: A, C, E

Certificate validation failure would cause IKE to stay in INIT.

Why this answer

The IKE_INIT state indicates that phase 1 has not completed. Certificate trust issues (A), a phase 1 proposal mismatch (C), and an expired peer certificate (E) can all cause phase 1 to fail.

22
MCQ · easy

A FortiGate is configured as a SAML service provider (SP) for SSO. Users authenticate via an external IdP. After successful authentication, the FortiGate should enforce a firewall policy based on the user's group membership. Which FortiGate setting must be enabled to receive group information from the IdP?

A. Enable 'Require IdP Certificate Validation'
B. Create a separate firewall policy for each user
C. Enable 'Auto-Provision Users' on FortiGate
D. Configure the 'user-group' attribute in the SAML SP settings
Answer: D

FortiGate allows mapping of group membership from a SAML attribute. The administrator must specify which attribute (e.g., group) carries the group information.

Why this answer

FortiGate as a SAML SP can receive user attributes from the IdP, including group membership, in the SAML assertion. The IdP must send the group attribute, and FortiGate must be configured to read it: in the SAML SP settings, the administrator specifies the user-group attribute that carries the group information so it can be mapped to a FortiGate user group and used in firewall policies. Option D is correct for this reason.

23
MCQ · hard

An administrator is troubleshooting an ADVPN scenario where spoke FortiGates are behind NAT. The shortcut tunnels are not forming between spokes. The hub has the appropriate ADVPN stage settings. What is the most likely cause of the shortcut failure?

A. The spokes are using dynamic IP addresses.
B. The spokes have the same IKE ID.
C. NAT traversal is not enabled on the hub's phase1 interfaces.
D. The shortcut tunnel uses a different encryption algorithm than the hub-spoke tunnel.

Why this answer

NAT traversal must be enabled on the hub's phase1 to allow spoke-to-spoke shortcut negotiations through NAT devices. Without it, the shortcut tunnel cannot be established because the public IP and port mappings are not properly exchanged.

24
MCQ · medium

An administrator configures a ZTNA proxy rule to allow access to an internal application. Users can connect to the FortiGate ZTNA gateway but receive a '403 Forbidden' error. Which step should the administrator take to resolve the issue?

A. Disable the 'require ZTNA tag' option on the proxy rule
B. Check that the ZTNA proxy rule's action is set to 'accept' and the correct tags are specified
C. Ensure the application is reachable from the FortiGate with a ping
D. Verify that the application's firewall policy has an SSL inspection profile applied
Answer: B

The proxy rule controls access based on tags. Missing tags cause forbidden errors.

Why this answer

A 403 error on ZTNA typically indicates that the user's device does not have the required ZTNA tags. The administrator must ensure the FortiClient has the correct tags assigned based on compliance.

25
MCQ · easy

Which FortiGate feature allows an administrator to define a granular policy based on the security posture of the endpoint device, such as OS version, antivirus status, and disk encryption, before granting access to a protected application?

A. Web filtering profile
B. SSL VPN portal
C. IPsec phase 1 configuration
D. ZTNA access proxy
Answer: D

ZTNA access proxy enforces access based on device posture and user identity.

Why this answer

ZTNA (Zero Trust Network Access) uses device posture checks to evaluate endpoint security before granting access to applications.

26
MCQ · medium

A FortiGate administrator configures a hub-and-spoke ADVPN with OSPF over the VPN overlay. Spoke routers receive the OSPF default route from the hub, but cannot reach subnets behind other spokes. What configuration is missing?

A. IKEv2 is configured instead of IKEv1
B. The spokes have 'set auto-discovery-receiver enable' configured
C. OSPF is not configured to redistribute connected or static routes on the spokes
D. The hub has 'set auto-discovery-sender enable' configured
Answer: C

Each spoke must redistribute its local subnets into OSPF so the hub and other spokes learn them. Without redistribution, the hub only knows its own directly connected networks.

Why this answer

For ADVPN shortcut tunnels to be used for spoke-to-spoke traffic, the hub must have 'set auto-discovery-sender enable' and the spokes must have 'set auto-discovery-receiver enable'. Without these, traffic between spokes still goes through the hub, but if OSPF is not redistributing spoke routes properly, they may not be reachable.

27
MCQ · medium

A company uses FortiClient EMS for endpoint compliance and ZTNA tag assignment. An administrator wants to enforce that only endpoints with a ZTNA tag 'Compliant' can access a specific internal application through ZTNA. Which configuration is required on the FortiGate?

A. Create a ZTNA access proxy and a ZTNA policy that references the 'Compliant' tag
B. Add a firewall policy with source set to the tag object
C. Configure an SSL VPN portal and assign the tag as a group
D. Configure a security policy with FortiClient endpoint control
Answer: A

ZTNA access proxy and policy are used to publish applications; the policy can require specific tags.

Why this answer

ZTNA access proxy policies combine a firewall policy with ZTNA rules. The tag condition is defined in the ZTNA policy, which specifies the required ZTNA tags to allow access.

28
Multi-Select · hard

An administrator wants to implement ZTNA inline CASB to control access to a SaaS application (e.g., Office 365). Which three components are required for this setup? (Choose THREE)

Select 3 answers
A. FortiClient EMS for device posture and tag assignment
B. FortiGate with ZTNA proxy enabled
C. FortiNAC for network access control
D. A VPN tunnel between FortiGate and the SaaS provider
E. A ZTNA rule configured as an access proxy for the SaaS application
Answers: A, B, E

EMS provides device compliance and tags.

Why this answer

ZTNA inline CASB requires FortiGate as an inline proxy, FortiClient EMS for device posture and identity, and a ZTNA rule that proxies traffic to the SaaS application. Additionally, SSL deep inspection is required to decrypt and inspect traffic.

29
MCQ · hard

A FortiGate administrator receives an error during IPsec VPN configuration: 'Certificate validation failed: certificate uses weak key.' The admin is using a PKI certificate with RSA 2048-bit key. The FortiGate firmware is up-to-date. What is the MOST likely reason for this error?

A. The certificate has expired or is not yet valid.
B. The certificate's private key is not imported on the FortiGate.
C. The FortiGate has a security policy that rejects certificates with keys less than 3072 bits.
D. The certificate authority is not trusted by the FortiGate.
Answer: C

Why this answer

In recent FortiOS versions, a security hardening setting may require minimum RSA key size of 3072 bits. RSA 2048 is considered weak by some compliance standards and may be blocked by the 'weak key' validation check. The admin can adjust the setting or use a stronger key.

30
Drag & Drop · medium

Drag and drop the steps to configure a FortiGate VDOM in multi-VDOM mode into the correct order.


Why this order

First enable VDOM mode globally, then create and assign interfaces, then configure each VDOM, then resource allocation.

31
MCQ · hard

A FortiGate administrator observes the following CLI output from 'diagnose vpn ike gateway list':

    vd: root/0
    name: VPN_TO_HUB
    version: IKEv2
    status: up
    mode: main
    DPD: on
    ...
    Number of IPsec tunnels: 1
    name: phase2_tunnel
    status: up
    inbound: 0 bytes
    outbound: 0 bytes

The tunnel shows up but no traffic is passing. What is the MOST likely cause?

A. Firewall policies are not configured to permit traffic through the VPN tunnel
B. Dead Peer Detection is disabled
C. The phase1 proposal is mismatched
D. The tunnel is in 'down' status
Answer: A

Without policies, traffic is dropped, resulting in zero bytes.

Why this answer

The output shows the IKE gateway is up but the IPsec tunnel has zero traffic. This often indicates a policy or routing misconfiguration. The most common cause is missing firewall policies to allow traffic through the tunnel.

32
Multi-Select · medium

A FortiGate is configured as the SAML Identity Provider (IdP) for a cloud application. The administrator wants to enforce device compliance as part of authentication. Which THREE steps must be taken?

Select 3 answers
A. Enable 'require-device-compliance' in the SAML IdP settings
B. Configure a ZTNA tag for compliance
C. Create a firewall policy allowing SAML traffic
D. Set up a VPN tunnel to the cloud application
E. Integrate FortiClient EMS with the FortiGate
Answers: A, B, E

Why this answer

To enforce device compliance during SAML authentication, the FortiGate IdP must have device compliance enabled, integrate with FortiClient EMS to receive posture data, and use ZTNA tags to define compliance requirements.

33
Multi-Select · medium

A FortiGate administrator wants to integrate FortiClient EMS with FortiGate for ZTNA. Which TWO components must be configured on FortiGate to enable ZTNA access?

Select 2 answers
A. A ZTNA proxy policy
B. A firewall policy to allow traffic from ZTNA proxy to internal servers
C. A ZTNA proxy (gateway) configuration
D. A ZTNA tag on the application server
E. FortiClient EMS registration on FortiGate
Answers: A, C

The proxy policy defines which users and devices can access which applications based on tags.

Why this answer

ZTNA requires a proxy policy to define access rules and a ZTNA proxy/gateway to terminate user connections. Tags and EMS are configured separately.

34
MCQ · hard

An administrator configures ZTNA inline CASB to control access to a SaaS application. The goal is to block uploads of files with credit card numbers. The administrator configures a CASB profile with a DLP rule for credit card numbers. However, uploads are not being blocked. What is the most likely reason?

A. The CASB profile is not applied to the ZTNA policy
B. SSL inspection is not enabled for the traffic
C. The DLP rule is configured to monitor instead of block
D. The SaaS application is not supported by CASB
Answer: B

Without SSL deep inspection, the DLP engine sees only encrypted content and cannot detect credit card numbers.

Why this answer

Inline CASB requires the traffic to be decrypted via SSL inspection; otherwise, the DLP engine cannot inspect the content of encrypted HTTPS traffic.

35
MCQ · hard

A multinational corporation is implementing ZTNA for remote access to a critical internal application hosted on a server with IP 10.0.1.200:8443. The FortiGate is deployed at the edge with WAN IP 203.0.113.50. The administrator configures a ZTNA rule with proxy destination 10.0.1.200:8443, a firewall policy allowing traffic from the ZTNA gateway to the internal server, and a VIP for port forwarding for testing. However, remote users report that they can establish a ZTNA connection to the gateway but the application page fails to load, showing a blank page after a long delay. The FortiGate logs show no errors, and the debug output indicates that the proxy successfully forwarded the request to 10.0.1.200:8443 and received a response. The internal server team confirms the application is working correctly for on-site users. What is the most likely cause?

A.The ZTNA proxy is not configured to support HTTPS.
B.The internal server is not reachable from the FortiGate.
C.The client's ZTNA tags are expired.
D.The application uses hardcoded IP addresses or internal hostnames that are not resolvable externally.
AnswerD

This causes partial page loading or blank pages.

Why this answer

Option D is correct because the application uses hardcoded IP addresses or internal hostnames that are not resolvable externally. When the ZTNA proxy forwards the request to the internal server, the server responds with HTML content that references internal resources (e.g., images, scripts, or links) using private IP addresses (like 10.0.1.200) or internal DNS names. The remote client cannot resolve or reach these internal addresses, causing the page to load partially or display a blank page after a delay, even though the initial proxy connection and response are successful.

Exam trap

The trap here is that candidates see the proxy successfully forwarding and receiving a response and assume the issue is network connectivity or proxy configuration, overlooking the fact that the application's embedded content (hardcoded IPs/hostnames) can break the client-side rendering even when the initial proxy transaction succeeds.

How to eliminate wrong answers

Option A is wrong because the ZTNA proxy is configured with a proxy destination of 10.0.1.200:8443, which implies HTTPS (port 8443 is commonly used for HTTPS), and the debug output confirms the proxy successfully forwarded the request and received a response, indicating HTTPS support is present. Option B is wrong because the debug output explicitly states the proxy forwarded the request to 10.0.1.200:8443 and received a response, proving the internal server is reachable from the FortiGate. Option C is wrong because if the client's ZTNA tags were expired, the client would not be able to establish a ZTNA connection to the gateway at all; the question states remote users can establish the connection, so tags are valid.

36
MCQeasy

A FortiGate administrator wants to use PKI certificates for IPsec VPN authentication instead of pre-shared keys. Which phase1 parameter must be set to 'signature' to enable certificate-based authentication?

A.set authmethod signature
B.set cert-validation enable
C.set ike-version 2
D.set peer-id certificate
AnswerA

This configures the IKE phase1 to use certificate authentication.

Why this answer

The IKE peer authentication method is controlled by the 'authmethod' parameter. Setting it to 'signature' enables RSA signature-based authentication using certificates.

37
MCQeasy

A FortiGate administrator wants to integrate ZTNA with FortiClient EMS to control access to an internal application based on device posture. The admin has configured a ZTNA tag in EMS for 'AntiVirus enabled' and created a ZTNA rule in FortiGate. What additional configuration is required on the FortiGate to enforce access based on the ZTNA tag?

A.Configure SSL VPN to authenticate users and assign tags
B.Install a client certificate on each FortiClient from the FortiGate
C.Enable ZTNA inline CASB in the antivirus profile
D.Configure the FortiGate as an EMS connector and import the tag
AnswerD

The FortiGate must connect to EMS to receive tag definitions and assign them to users/devices. Then ZTNA rules can reference the tag.

Why this answer

ZTNA uses tags from EMS to make access decisions. The FortiGate must be configured to receive these tags via the EMS connector and then use them in firewall policies (via ZTNA rules). Option D is correct because the FortiGate needs to connect to EMS to pull tag information and then apply it in security policies.

38
MCQeasy

An organization is designing a Zero Trust Network Access solution with Fortinet. They want to ensure that only devices with up-to-date antivirus software can access sensitive applications. Which component is responsible for enforcing this requirement?

A.FortiAnalyzer
B.FortiClient EMS
C.FortiAuthenticator
D.FortiGate ZTNA gateway
AnswerB

FortiClient EMS applies compliance rules and tags devices accordingly.

Why this answer

FortiClient EMS is the correct component because it manages endpoint compliance policies, including antivirus status. It enforces the requirement by checking that devices have up-to-date antivirus software before issuing a ZTNA access token, which the FortiGate ZTNA gateway then validates to grant access.

Exam trap

The trap here is that candidates often confuse the FortiGate ZTNA gateway as the sole enforcement point, overlooking that FortiClient EMS is the component responsible for performing the actual endpoint posture check and issuing the compliance token.

How to eliminate wrong answers

Option A is wrong because FortiAnalyzer is a logging and analytics platform, not an enforcement point for endpoint compliance; it cannot check or enforce antivirus status on devices. Option C is wrong because FortiAuthenticator handles identity and authentication (e.g., RADIUS, LDAP), not endpoint posture checks like antivirus version. Option D is wrong because the FortiGate ZTNA gateway enforces access decisions based on tokens and policies, but it relies on FortiClient EMS to provide the endpoint compliance verification; the gateway itself does not directly check antivirus status.

39
Multi-Selecteasy

Which TWO of the following can be used to authenticate users in a ZTNA connection? (Select two.)

Select 2 answers
A.LDAP authentication
B.FortiToken
C.IPsec authentication
D.SAML authentication
E.Certificate authentication
AnswersD, E

SAML is supported for SSO.

Why this answer

In a ZTNA connection, authentication can be performed using SAML (Security Assertion Markup Language) because it enables federated identity management and single sign-on (SSO), allowing the FortiGate to verify user identity via an external identity provider (IdP) without direct password handling. Certificate authentication is also valid because ZTNA leverages client certificates (X.509) to establish mutual TLS (mTLS) between the user device and the FortiGate, ensuring device identity and trust before granting access.

Exam trap

The trap here is that candidates often confuse authentication methods used in traditional VPNs (like LDAP or FortiToken) with the identity-centric methods required for ZTNA, forgetting that ZTNA mandates integration with an IdP or certificate-based trust rather than direct password or token verification.

40
MCQmedium

A healthcare provider is deploying ZTNA to secure access to an internal electronic health records (EHR) system. The EHR system is composed of multiple web services running on different ports behind a load balancer with IP 10.0.10.100. The load balancer listens on ports 443, 8443, and 9090. The administrator configures a single ZTNA rule with proxy destination 10.0.10.100:443, expecting that the other ports will be accessed via the same rule. However, users report that they can only access the service on port 443; connections to ports 8443 and 9090 fail. The FortiGate logs show that requests to other ports are being dropped. What should the administrator do to resolve this?

A.Configure the load balancer to redirect all traffic to port 443.
B.Configure the ZTNA gateway to allow all ports to the load balancer.
C.Create separate ZTNA rules for each port (8443 and 9090).
D.Ask users to change the port in their browser to 443.
AnswerC

ZTNA rules are port-specific.

Why this answer

Option C is correct because each ZTNA rule maps to a single proxy destination port. The rule configured with proxy destination 10.0.10.100:443 only forwards traffic for that specific port. To access services on ports 8443 and 9090, separate ZTNA rules must be created for each port, each with its own proxy destination and access proxy configuration.

Exam trap

The trap here is that candidates assume a single ZTNA rule with a destination IP will automatically forward traffic to all ports on that IP, overlooking that ZTNA rules are port-specific and require separate rules for each service port.

How to eliminate wrong answers

Option A is wrong because redirecting all traffic to port 443 would break the intended functionality of the separate web services running on ports 8443 and 9090, and the load balancer is not designed to redirect traffic arbitrarily. Option B is wrong because the ZTNA gateway does not support a wildcard 'allow all ports' configuration; ZTNA rules require explicit proxy destination IP and port pairs. Option D is wrong because asking users to change the port in their browser does not address the underlying ZTNA rule limitation; the gateway would still drop connections to ports not defined in the rule.

41
MCQeasy

In a Fortinet ZTNA deployment, which component is responsible for forwarding decrypted traffic to the internal application server after the FortiGate proxy has performed SSL inspection?

A.FortiClient EMS
B.ZTNA proxy on FortiGate
C.IPsec VPN tunnel
D.FortiNAC
AnswerB

The ZTNA proxy terminates the client connection and creates a new connection to the server.

Why this answer

ZTNA proxy receives client requests, performs SSL inspection, and forwards the decrypted traffic to the internal server.

42
MCQmedium

A network administrator is troubleshooting an ADVPN deployment. Spoke FortiGates can communicate with the hub, but shortcut tunnels between spokes are not being established. The administrator verifies that IKE and IPsec settings are correct on all devices. What is the MOST likely cause?

A.Dead Peer Detection (DPD) is disabled on the hub
B.The hub's phase2 configuration has 'auto-negotiate' disabled
C.The hub's phase1 configuration has 'auto-negotiate' disabled
D.The spokes have different IKE versions configured
AnswerB

Without auto-negotiate, the hub will not propose shortcut tunnels to spokes.

Why this answer

In ADVPN, shortcut tunnels require IKEv2 with the 'add-route' option and auto-negotiate. If the hub's phase2 configuration does not have 'auto-negotiate' enabled, it will not initiate shortcut tunnels.

43
MCQhard

A FortiGate administrator is configuring Auto Discovery VPN (ADVPN) in a hub-and-spoke topology. Spokes are FortiGates with dynamic public IPs. Which setting is required on the spoke for it to automatically initiate shortcut tunnels to other spokes when needed?

A.set net-device disable
B.set mode aggressive
C.set add-route enable
D.set shortcut-station enable
AnswerC

This command on the phase1-interface allows dynamic route injection for shortcut tunnels.

Why this answer

ADVPN shortcut tunnels require the spoke to accept shortcut offers from the hub. Setting 'set add-route enable' on the phase1 interface allows the spoke to install routes for shortcuts. Without this, the spoke will not create shortcut tunnels even if it receives the offer.

44
Multi-Selecthard

A company is deploying ZTNA to protect an internal application. They want to ensure that only users with devices that have disk encryption enabled and the latest OS patches can access the application. Which THREE components must be configured to achieve this?

Select 3 answers
A.FortiNAC for network admission control
B.IPsec VPN to encrypt traffic between client and FortiGate
C.FortiClient on the endpoint device
D.FortiGate ZTNA access proxy with tag-based rules
E.FortiClient EMS to define compliance policies and assign tags
AnswersC, D, E

FortiClient collects device posture information such as disk encryption status and OS patch level.

Why this answer

To enforce device posture requirements like disk encryption and OS patch level, you need FortiClient on the device to report posture, FortiClient EMS to define compliance policies and generate tags, and FortiGate ZTNA proxy to check those tags before granting access.

45
Multi-Selectmedium

A FortiGate administrator is troubleshooting a scenario where remote users can connect to the VPN but cannot access internal resources. The VPN policy is configured correctly. Which TWO steps should the administrator take to diagnose the issue?

Select 2 answers
A.Verify that the routing table on the FortiGate includes the remote networks
B.Check the firewall policy to ensure it allows traffic from the VPN to internal networks
C.Restart the IKE daemon on the FortiGate
D.Disable NAT on the VPN policy
E.Increase the DPD retry count
AnswersA, B

Without routes to the remote networks, traffic will not be forwarded through the tunnel.

Why this answer

Check routing and firewall policies. If the tunnel is up but traffic is not forwarded, routing may be missing or firewall policies may be blocking or not matching.

46
MCQhard

Refer to the exhibit. A tunnel interface is configured with IP 10.0.1.1/30 and remote-ip 10.0.1.2/30. The phase2 defines src-subnet as 10.0.1.0/30 and dst-subnet as 10.0.2.0/30. What is the most likely problem with this configuration?

A.The phase2 src-subnet includes the tunnel interface IP
B.The remote gateway is set to a static IP but the peer might be dynamic
C.The tunnel interface is missing the 'ip' command
D.The phase2 dst-subnet overlaps with the remote gateway
AnswerA

The tunnel interface IP (10.0.1.1) is inside the src-subnet (10.0.1.0/30), which is incorrect. The src-subnet should be the local LAN subnet, not the tunnel subnet.

Why this answer

The phase2 src-subnet is set to 10.0.1.0/30, which includes the tunnel interface IP 10.0.1.1/30. In IPsec VPN configurations, the phase2 selector must not include the tunnel interface IP itself because the tunnel interface is used for routing encapsulated traffic; including it can cause routing loops or prevent the tunnel from establishing correctly. The correct src-subnet should be the protected internal network behind the FortiGate, not the tunnel subnet.

Exam trap

The trap here is that candidates often confuse the tunnel interface subnet with the protected local subnet, assuming the phase2 selectors should match the tunnel IPs, when in fact they must specify the actual internal networks behind the VPN gateways.

How to eliminate wrong answers

Option B is wrong because the question does not provide any information about the peer being dynamic; the remote-ip is statically configured, and a static peer is valid. Option C is wrong because the tunnel interface is configured with an IP address (10.0.1.1/30), which implies the 'ip' command is present; the issue is not a missing command. Option D is wrong because the phase2 dst-subnet (10.0.2.0/30) does not overlap with the remote gateway (10.0.1.2/30); they are on different subnets, so no overlap exists.

47
Multi-Selectmedium

A FortiGate is configured as a ZTNA proxy for an internal application. Users authenticate via SAML with FortiGate as the IdP. The administrator wants to enforce that only devices with a valid ZTNA tag can access the application. Which TWO configurations are required?

A.Install a client certificate on each device for authentication.
B.Configure FortiClient EMS to push compliance tags to FortiGate.
C.Set the ZTNA proxy to require FortiClient on the client device.
D.Create a ZTNA rule with tag conditions.
E.Enable ZTNA tags on the firewall policy that permits access to the application.

Why this answer

FortiClient EMS must send tags to FortiGate (B). ZTNA rules must include tag conditions to filter access based on those tags (D). Option E is not correct because tags are used in ZTNA rules, not directly on firewall policies.

Option C is not specifically required if tags are used. Option A is not needed if SAML is used.

48
Multi-Selecteasy

A company is deploying ZTNA to replace their legacy VPN. They want to ensure that only users with a valid certificate and compliant antivirus can access the internal application. Which TWO components are required on the FortiGate for this deployment?

Select 2 answers
A.ZTNA proxy rule with access proxy
B.Dynamic routing protocol (BGP)
C.Firewall policy with ZTNA tags matching
D.SSL-VPN portal
E.IPsec phase1 with certificate authentication
AnswersA, C

Why this answer

ZTNA uses a proxy rule (access proxy) to publish the application, and a firewall policy that references ZTNA tags and the access proxy to enforce access based on identity and posture.

49
MCQmedium

A network administrator is configuring a hub-and-spoke ADVPN with FortiGates. The spokes are behind NAT and use dynamic IPs. The hub has a static IP. Which IKEv2 configuration is REQUIRED to allow the spokes to initiate the VPN and receive shortcut tunnels?

A.Set the phase1 remote-gateway to 0.0.0.0 and enable 'accept-any-remote-gateway' on the hub
B.Set IKE version 2 to aggressive mode to allow rapid negotiation
C.Configure the hub with a static IP in the phase1 local-gateway interface
D.Use a preshared key and set the local ID to the spoke's public IP
AnswerA

The hub must accept connections from any source IP since spokes have dynamic IPs. This is achieved by setting remote-gateway 0.0.0.0 and optionally enabling accept-any-remote-gateway.

Why this answer

Aggressive mode is not supported in IKEv2 (only main mode). Setting the local ID is not sufficient for NAT traversal. Allowing IKE and ESP from any source is required because spokes may have dynamic IPs, and the hub must accept incoming connections from unknown source IPs.

However, the key requirement for ADVPN is that the hub must accept connections from any source, which is achieved by setting the interface to 'any' or allowing 0.0.0.0/0. Option A is the common practice: the hub uses a wildcard selector and accepts connections from any peer ID. But the question asks for 'REQUIRED' – the most accurate is that the hub must be configured to accept connections from any source IP, which is done by setting the remote gateway to 0.0.0.0 or using a peer ID with accept-any.

Option A is the best answer.

50
MCQeasy

A FortiGate administrator wants to use FortiNAC for network access control. Which of the following is the PRIMARY function of FortiNAC in a network?

A.Perform deep packet inspection on all traffic
B.Act as a VPN concentrator for remote access
C.Provide network access control by enforcing policies based on device identity and posture
D.Provide a cloud-based sandbox for malware analysis
AnswerC

FortiNAC's core function is NAC: controlling network access based on device identity, compliance, and user role.

Why this answer

FortiNAC is the Network Access Control solution from Fortinet. It provides visibility, control, and automated response for endpoints on the network, including device profiling, guest management, and policy enforcement. Option C is correct.

51
MCQmedium

A FortiGate administrator is using FortiNAC to enforce network access control for wired endpoints. The administrator wants to quarantine any endpoint that fails antivirus compliance. Which action should be configured in the FortiNAC policy to achieve this?

A.Disable the switch port
B.Send a SNMP trap to the admin
C.Assign the endpoint to a quarantine VLAN
D.Block the MAC address at the switch port
AnswerC

This is the standard method to isolate non-compliant endpoints while allowing limited remediation access.

Why this answer

FortiNAC policies can enforce compliance by moving endpoints to a quarantine VLAN or applying a quarantine ACL. The typical action is to place the endpoint in a quarantine VLAN where access is restricted.

52
MCQmedium

A FortiGate administrator configures SAML SSO with FortiGate as the Service Provider (SP) and an external IdP. Users report that they are prompted for credentials repeatedly without successful authentication. What is the most likely cause?

A.The SAML attribute mapping is incorrect
B.The FortiGate's clock is synchronized via NTP
C.The firewall policy does not allow SAML traffic
D.The IdP certificate is not imported or trusted on the FortiGate
AnswerD

FortiGate must trust the IdP's signing certificate to validate SAML responses; otherwise, authentication fails.

Why this answer

SAML SSO requires certificate trust. If the IdP certificate is not trusted by the FortiGate, the SAML assertion will not be validated, causing authentication failures. The clock skew is another common issue.

53
MCQmedium

An administrator configures OSPF over an IPsec VPN overlay between two FortiGates. The OSPF neighbors form, but routes learned from the remote site are not appearing in the routing table. What is the most likely cause?

A.The firewall policy allows OSPF traffic (protocol 89) but not IPsec ESP.
B.The IPsec interface MTU is too low for OSPF packets.
C.The OSPF network type is not set to point-to-point.
D.The 'allowaccess' setting on the IPsec interface does not include OSPF.

Why this answer

FortiGate's IPsec virtual interfaces require the 'allowaccess' command to specify which dynamic routing protocols are allowed. Without 'allowaccess ospf', OSPF packets are dropped even if the tunnel is up.

54
MCQmedium

An administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is up, but traffic is not passing. The administrator runs 'diagnose vpn tunnel list' and sees that both phase 1 and phase 2 are up. The policy allows traffic from both sides. What should the administrator check next?

A.Check the routing table for routes to the remote subnet
B.Increase the phase 2 keylife
C.Check the FortiGate's NTP status
D.Disable DPD
AnswerA

Routes are needed to send traffic into the tunnel.

Why this answer

Since both phases are up and policies are correct, the issue is likely routing. The administrator should verify that the correct routes are pointing to the VPN interface (tunnel interface) on both sides. Without proper routes, traffic will not be forwarded into the tunnel.

55
MCQhard

An administrator has configured an OSPF overlay over an IPsec VPN between two FortiGates. The OSPF neighbors are established, but routes from one side are not being installed in the routing table on the other side. 'get router info ospf neighbor' shows FULL state. What is the most likely cause?

A.The IPsec tunnel is using transport mode instead of tunnel mode
B.The route's OSPF cost is higher than an existing route with a lower administrative distance
C.OSPF authentication is mismatched
D.The OSPF network type is not set to point-to-point
AnswerB

OSPF routes have an AD of 110. If a static route (AD 10) or other protocol has a lower AD, the OSPF route may not be installed.

Why this answer

Even though OSPF neighbors are FULL, routes may not be installed if they are not selected as best paths. One common reason is that the OSPF cost is higher than a static route or another routing protocol's metric. The other options would prevent the neighbors from reaching the FULL state.

56
MCQeasy

An administrator wants to enforce that only devices with up-to-date antivirus software can access corporate resources via ZTNA. Which FortiClient feature should be used to enforce this requirement?

A.VPN tunnel
B.Web filter
C.Application firewall
D.ZTNA tags
AnswerD

Why this answer

ZTNA tags are used to define device posture requirements, such as antivirus status. FortiClient reports compliance, and the FortiGate uses these tags to allow or deny access.

57
MCQeasy

An administrator wants to integrate FortiClient EMS with FortiGate for ZTNA. Which protocol must be allowed between FortiGate and FortiClient EMS?

A.HTTPS (TCP/443)
B.LDAP (TCP/389)
C.SNMP (UDP/161)
D.Syslog (UDP/514)
AnswerA

EMS API uses HTTPS for communication.

Why this answer

FortiGate communicates with FortiClient EMS using HTTPS (TCP/443) to retrieve tags and endpoint posture information.

58
MCQeasy

An administrator wants to enforce that only devices with corporate-owned certificates can establish an IPsec VPN tunnel. Which IPsec authentication method should be configured?

A.Pre-shared keys
B.Extended Authentication (XAuth)
C.Aggressive mode
D.X.509 certificates
AnswerD

X.509 certificates enable certificate-based authentication, ensuring only devices with the corporate certificate can connect.

Why this answer

PKI certificates allow the FortiGate to verify the identity of remote peers using digital certificates issued by a trusted Certificate Authority.

59
Multi-Selectmedium

An administrator is configuring a new branch office VPN using IKEv2 with PKI certificates. Which TWO steps are essential to ensure the VPN tunnel establishes successfully?

Select 2 answers
A.Set the phase 1 proposal to use AES-256-GCM only
B.Import the remote peer's certificate into the FortiGate's trusted CA list
C.Assign the local certificate to the phase 1 interface
D.Enable DPD on the phase 1 interface
E.Configure the phase 2 selector to include all traffic (0.0.0.0/0)
AnswersB, C

The FortiGate must trust the CA that signed the remote peer's certificate for validation.

Why this answer

Certificate-based authentication requires both sides to have valid certificates and the CA must be trusted. Without these, IKE negotiation fails.

60
MCQeasy

An administrator wants to ensure that only devices with up-to-date antivirus software can access a sensitive application via ZTNA. Which FortiGate feature should be used to enforce this requirement?

A.ZTNA tags from FortiClient EMS
B.SSL deep inspection profile
C.Application control profile
D.AntiVirus profile on the firewall policy

Why this answer

ZTNA tags reflect device posture, including antivirus status. FortiClient EMS reports compliance, and FortiGate can use those tags in ZTNA rules to permit or deny access based on antivirus status.

61
Matchingmedium

Match each Fortinet command to its function.

Displays CPU and memory usage

Packet flow debugging

Tests network connectivity

Displays entire configuration

Packet capture for troubleshooting

Why these pairings

These are common CLI commands used in FortiOS.

62
MCQhard

You run 'diagnose vpn ike gateway list' and see the following:

gateway name: HUB_GW
version: IKEv2
state: UP
mode: main
local: 10.0.0.1:500
remote: 203.0.113.5:500
auth: psk
dpd: on
rekey: 86400
num_peers: 2
total_tunnels: 2
auto-discovery: enabled

What does 'auto-discovery: enabled' indicate about this VPN gateway?

A.The gateway will automatically create new phase2 selectors for any remote subnet
B.The gateway is acting as an ADVPN hub and will advertise routes to spokes for shortcut tunnel creation
C.The gateway will automatically renegotiate IKEv2 keys before expiration
D.The gateway will discover other VPN gateways on the same network and form peer relationships
AnswerB

When auto-discovery is enabled on a gateway, it can act as an ADVPN hub, sending route information to spokes to allow direct spoke-to-spoke tunnels.

Why this answer

In an ADVPN setup, enabling auto-discovery on the hub allows it to send shortcut route advertisements to spokes, which then can establish direct tunnels. The output confirms the gateway is configured to participate in ADVPN as a hub or as a spoke that can initiate shortcuts.

63
Multi-Selectmedium

A FortiGate administrator needs to ensure that only devices with an updated antivirus can access a sensitive internal application via ZTNA. The administrator has created a ZTNA tag 'AV_Updated' in EMS and configured a ZTNA rule on FortiGate that requires this tag. Which TWO additional steps are necessary to enforce this access control? (Choose two.)

Select 2 answers
A.Configure the application server to use HTTPS
B.Enable SSL VPN on the FortiGate for ZTNA traffic
C.Create a firewall policy that references the ZTNA rule
D.Configure the FortiGate as an EMS connector and import the ZTNA tag
E.Install a client certificate on each device for authentication
AnswersC, D

The ZTNA rule must be included in a firewall policy to permit or deny traffic based on the tag.

Why this answer

To enforce ZTNA tag-based access, the FortiGate must import the tag from EMS (D) and the ZTNA rule must be referenced in a firewall policy (C). Without the firewall policy, the rule is not applied to traffic.

64
MCQmedium

A network administrator is troubleshooting an IPsec VPN tunnel between Site A (FortiGate) and Site B (third-party VPN peer). The tunnel fails to establish. On FortiGate, phase1 status shows 'up' but phase2 status remains 'down'. What is the MOST likely cause?

A.The phase2 proposal (encryption, authentication, etc.) does not match.
B.The firewall policies at Site B are blocking UDP port 500.
C.The pre-shared key does not match on both sides.
D.The DPD settings are incompatible between the peers.
AnswerA

Why this answer

Phase1 being up indicates IKE SA is established. Phase2 down indicates IPsec SA negotiation failed, typically due to mismatched proposals (encryption, integrity, PFS) or traffic selector mismatch.

65
MCQmedium

A ZTNA rule is configured to allow access to an internal application only if the client device has the ZTNA tag 'Compliant' and the user is authenticated via SAML. The FortiGate is acting as ZTNA proxy. A user successfully authenticates but the device is not tagged. What happens when the user tries to access the application?

A.The user is denied access
B.The FortiGate dynamically assigns the 'Compliant' tag to the device
C.The user is redirected to a device registration portal
D.The user is granted access because authentication succeeded
AnswerA

The ZTNA rule requires the tag; without it, access is blocked.

Why this answer

ZTNA rules can require both authentication and device posture (ZTNA tags). If the device tag is missing or does not match, the access will be denied. The user may see an access denied page or a generic error.

66
MCQhard

An administrator is configuring a hub-and-spoke ADVPN with FortiGates. The spoke sites use dynamic public IP addresses. The administrator has enabled auto-discovery on the spoke and hub. However, shortcut tunnels are not being established between spokes that communicate frequently. What is the most likely missing configuration?

A.Auto-discovery is not enabled on the spoke's phase1 configuration
B.The spoke's phase2 proposal includes a different encryption algorithm than the hub
C.The hub does not have a route to the spoke's local subnets
D.The spoke's VPN interface is not in the same VDOM as the hub
AnswerA

Auto-discovery must be enabled in the phase1 settings on both hub and spoke to allow shortcut negotiation. Without it, the spoke will not send or respond to shortcut requests.

Why this answer

For shortcut tunnels to be established in ADVPN, each spoke must have a tunnel interface with an IP address in the same subnet as other spokes, and the 'auto-discovery' setting must be enabled on the spoke's phase1 configuration. Additionally, a firewall policy must allow the shortcut traffic. Option A is correct because without enabling auto-discovery on the spoke's phase1, the spoke will not initiate shortcut negotiation.

67
Multi-Selecthard

Which TWO features are required to implement an always-on SSL VPN tunnel with FortiGate that automatically reconnects when the user's network changes?

Select 2 answers
A.Tunnel mode enabled
B.DTLS enabled
C.Auto-connect setting in FortiClient
D.Web mode portal
E.Split tunneling configured
AnswersA, C

Tunnel mode provides a virtual interface for always-on connectivity.

Why this answer

Option A is correct because tunnel mode is required for an always-on SSL VPN tunnel, as it encapsulates all traffic at the network layer (TUN) and maintains a persistent virtual interface on the client. This allows the VPN to stay active and automatically reconnect when the user's network changes, such as switching from Wi-Fi to cellular, without manual intervention.

Exam trap

The trap here is that candidates often confuse DTLS (which improves performance but is optional) with a requirement for always-on connectivity, or they mistakenly think split tunneling is needed for automatic reconnection, when in fact the core requirements are tunnel mode and the auto-connect client setting.

68
Multi-Select · hard

An organization uses FortiNAC for network access control. They want to enforce that only corporate-managed devices with up-to-date patches can access the production VLAN. Which THREE components must be integrated or configured?

Select 3 answers
A. ZTNA proxy on FortiGate
B. FortiClient EMS with compliance rules
C. SNMP read/write community on network devices
D. IPsec VPN between FortiNAC and FortiGate
E. RADIUS authentication on switches
Answers: B, C, E

Why this answer

For NAC enforcement, FortiNAC typically uses SNMP to query switch port status and RADIUS to authenticate devices. FortiClient EMS provides endpoint compliance data that FortiNAC can use to determine access rights.

69
MCQ · hard

A FortiGate administrator is troubleshooting a ZTNA access proxy issue. The ZTNA rule is configured to require the tag 'AV_Installed' and 'OS_Updated'. Users with compliant devices are still denied access. The admin checks the ZTNA connection monitor and sees 'Tag mismatch'. What is the MOST likely cause?

A. The FortiGate does not have a valid PKI certificate for the ZTNA proxy
B. The user is not authenticated via SAML
C. The FortiClient EMS is not configured as an endpoint control source on the FortiGate
D. The ZTNA rule is using the wrong port number
Answer: C

The FortiGate must have EMS configured under Security Fabric > External Connectors > Endpoint Control. Without this, it cannot retrieve and verify tags from EMS.

Why this answer

ZTNA tags are assigned by FortiClient EMS based on device posture. If the FortiGate does not trust the EMS server or the tag names are mismatched, the tag check fails. The EMS must be configured as an endpoint control source and the tags must exactly match those defined in EMS.

70
MCQ · medium

A FortiGate is configured as a SAML service provider (SP) for ZTNA. Users authenticate via an external IdP. After authentication, users are not able to access applications even though the ZTNA proxy rule lists them. What should the administrator check FIRST?

A. The FortiClient EMS license is invalid
B. The application server is unreachable from FortiGate
C. The ZTNA proxy rule's allowed group does not include the user's group
D. The SAML IdP certificate is expired
Answer: C

After authentication, the user must be in an allowed group to access resources.

Why this answer

When using SAML, the FortiGate needs to map the SAML attributes (e.g., username) to a user group. If the user is not in the correct group, access will be denied.

71
MCQ · easy

An administrator is troubleshooting an IPsec VPN tunnel that connects a branch office to the main office. The tunnel is down. The administrator runs 'diagnose vpn ike gateway list' and sees the following output:

IKE gateway: branch
state: down
DPD: enabled
DPD retrycount: 3
DPD retryinterval: 10

What does the DPD configuration indicate?

A. The tunnel will be brought down immediately after the first DPD timeout
B. The tunnel will stay up indefinitely because DPD is disabled
C. The tunnel will be brought down after 3 unanswered DPD probes, each 10 seconds apart
D. DPD will send probes every 30 seconds
Answer: C

This is the correct interpretation of the DPD retrycount and retryinterval.

Why this answer

DPD (Dead Peer Detection) is configured with a retry count of 3 and a retry interval of 10 seconds. This means the FortiGate will send DPD probes every 10 seconds and after 3 consecutive failures (30 seconds total without response), it will consider the peer dead. The tunnel is currently down, likely because DPD detected the peer as unreachable.

72
MCQ · medium

A network administrator configured a hub-and-spoke ADVPN with IKEv2. Spoke sites can establish tunnels to the hub, but shortcut tunnels are not being created between spokes. What is the MOST likely cause?

A. Dead Peer Detection is disabled on the hub
B. Auto-discovery is disabled on the hub FortiGate
C. The spokes are using different IKE versions
D. The IKEv2 authentication method is not set to pre-shared key
Answer: B

Without auto-discovery enabled on the hub, it will not send route advertisements that trigger shortcut tunnel setup between spokes.

Why this answer

For ADVPN shortcut tunnels to form, the hub must have 'set auto-discovery-sender enable' and spokes must have 'set auto-discovery-receiver enable'. If the hub does not advertise its ability to relay shortcut routes, spokes will not attempt to create direct tunnels.

73
MCQ · medium

A FortiGate administrator is configuring a multi-peer IPsec VPN (dial-up) for remote users. The administrator wants to assign different IP pools to different groups of users based on their authentication group. Which configuration is required?

A. Use the 'set ipv4-start-ip' parameter in the phase1 interface
B. Configure a separate phase1 interface for each user group with a different IP pool
C. Configure a single phase1 interface with multiple IP pools and use group matching in the firewall policy
D. Use RADIUS to assign IP addresses per user
Answer: B

Each dial-up phase1 can have its own IP pool; by assigning different groups to different phase1 configurations, different pools are used.

Why this answer

FortiGate can assign IP pools based on user groups when using IKE with XAuth or IKEv2. The 'set ipv4-dns-server' and 'set ipv4-exclude-range' settings are not group-based. The 'set user-group' setting in phase1 associates a group with the tunnel, but assigning an IP pool per group requires separate phase1 configurations, or using 'set ipv4-start-ip' together with group mapping.

74
Multi-Select · hard

An administrator is troubleshooting an OSPF over IPsec VPN overlay. The OSPF neighbor state is stuck in EXSTART. The VPN tunnel is up. Which TWO issues could cause this?

Select 2 answers
A. IP fragmentation issue due to GRE/IPsec overhead
B. OSPF hello/dead interval mismatch
C. OSPF area ID mismatch
D. IPsec phase2 proposal mismatch
E. MTU mismatch on the tunnel interface
Answers: A, E

Why this answer

A neighbor stuck in the EXSTART state often points to a maximum transmission unit (MTU) or fragmentation problem that prevents the database description packets from being exchanged properly. An MTU mismatch on the tunnel interface, or fragmentation caused by the encapsulation overhead, can both cause this.

75
MCQ · medium

A FortiGate administrator wants to implement ZTNA to control access to an internal application server. Users will access the application via FortiClient. Which configuration step is REQUIRED to allow FortiClient to forward traffic to the ZTNA gateway?

A. Install a CA-signed certificate on FortiClient
B. Create a firewall policy from the WAN interface to the application server
C. Configure a ZTNA gateway on the FortiGate with an access proxy rule for the application
D. Configure the application server to accept connections from FortiClient's IP range
Answer: C

The ZTNA gateway receives traffic from FortiClient and forwards it to the internal application. The access proxy rule defines the mapping and access control.

Why this answer

FortiClient forwards traffic through a ZTNA access proxy. The administrator must configure a ZTNA server on the FortiGate and an access proxy rule that maps the external hostname and port to the internal application. FortiClient then connects to the ZTNA gateway's proxy IP and port.

Option C is correct: the FortiGate must be configured as a ZTNA gateway and must have a ZTNA access proxy rule for the application.

Page 1 of 3 · 207 questions total
