CCNA Nse7 Vpn Zerotrust Questions

75 of 207 questions · Page 2/3 · Nse7 Vpn Zerotrust topic · Answers revealed

76
Multi-Select · hard

Which THREE of the following are valid methods to deliver ZTNA tags to FortiClient? (Select three.)

Select 3 answers
A. FortiClient configuration profiles
C. DHCP options
D. FortiClient EMS
E. FortiGate ZTNA tag delivery
Answers: A, D, E

Profiles can include tag assignments.

Why this answer

FortiClient configuration profiles allow administrators to define and push ZTNA tags directly to FortiClient endpoints via the EMS-managed policy framework. This is a core method because tags are applied based on device posture and user identity, enabling granular access control without relying on network-layer attributes.

Exam trap

The trap here is that candidates often confuse network-layer provisioning methods (like DHCP options or SNMP) with application-layer tag delivery mechanisms, assuming that any protocol able to carry data can deliver ZTNA tags. Only EMS, FortiClient profiles, and FortiGate ZTNA tag delivery are designed for this purpose.

77
MCQ · easy

An organization wants to implement Zero Trust Network Access (ZTNA) for remote users accessing an internal application. The application is hosted on a server that cannot have any client software installed. Which ZTNA deployment method is MOST appropriate?

A. FortiNAC with agent on the server
B. IPsec VPN with full tunnel
C. ZTNA proxy (reverse proxy) with FortiClient for posture
D. SSL VPN with web mode
Answer: C

In proxy mode, the FortiGate terminates the client connection and proxies it to the application server. The server does not require any software; all posture enforcement is on the client side via FortiClient.

Why this answer

ZTNA can be deployed in proxy-based or agent-based modes. For applications that cannot have client software installed, the proxy-based method (where FortiGate acts as a reverse proxy) is ideal. The user's FortiClient can still provide posture data, but the application server does not need an agent.

78
MCQ · medium

An administrator needs to integrate FortiGate with FortiNAC for network access control. The goal is to dynamically quarantine endpoints that have out-of-date antivirus software. Which component is responsible for enforcing the quarantine on the network?

A. FortiNAC's Network Access Policy (NAP)
B. The RADIUS server used for 802.1X
C. FortiGate firewall policies with ZTNA tags
D. FortiClient EMS compliance rules

Why this answer

FortiNAC enforces network access by dynamically changing VLANs or applying ACLs based on compliance. FortiNAC's NAP defines the conditions and actions, such as moving a non-compliant endpoint to a quarantine VLAN.

79
Multi-Select · hard

An administrator is troubleshooting a ZTNA application access issue. Users can authenticate but cannot reach the internal application via the ZTNA proxy. The FortiGate's ZTNA rule uses a tag requiring 'OS Type = Windows' and 'Antivirus = running'. The device meets both conditions. Which THREE possible reasons could cause the access failure?

Select 3 answers
A. The ZTNA proxy's destination is pointing to the wrong internal IP or port.
B. The firewall policy for ZTNA traffic is not configured or is misordered.
C. The FortiGate's SSL certificate for the ZTNA proxy is not trusted by the client.
D. The user is not assigned the ZTNA tag in the FortiClient EMS portal.
E. The device does not have FortiClient installed.
Answers: A, B, C

Why this answer

If the tag is met, the device has passed posture. Access failure can then be due to a wrong proxy destination (A), a missing or misordered firewall policy (B), or an untrusted certificate (C). Tag assignment (D) is irrelevant if the tag is already satisfied. Option E is also excluded: although EMS is not strictly required for posture if other telemetry is used, a device without FortiClient could not have met the tag in the first place, which contradicts the premise.

80
MCQ · easy

A FortiGate administrator enables Dead Peer Detection (DPD) on an IPsec VPN tunnel. What is the primary purpose of DPD?

A. To dynamically adjust the tunnel MTU
B. To encrypt the IKE negotiation traffic
C. To automatically renegotiate the IKE SA before it expires
D. To detect when the remote peer is no longer reachable
Answer: D

DPD sends periodic messages to verify the peer is alive.

Why this answer

DPD is used to monitor the liveness of the remote peer. If the peer becomes unreachable, DPD detects it and can trigger a failover or tunnel teardown, ensuring traffic does not blackhole.

81
MCQ · hard

A FortiGate has multiple IPsec VPNs to different branch offices. The administrator notices that one VPN tunnel is flapping (going up and down repeatedly). From the CLI, 'diagnose vpn ike gateway list' shows the gateway state as 'up' but then quickly goes to 'down'. What is the MOST likely cause?

A. The remote gateway's certificate is expired
B. The phase2 proposal is mismatched
C. Dead Peer Detection (DPD) retry interval is too short
D. The pre-shared key is incorrect
Answer: C

Aggressive DPD can cause false timeouts and tunnel flapping.

Why this answer

Tunnel flapping with IKEv2 is often due to DPD mismatches or aggressive DPD retry intervals. If DPD is configured with very short intervals, the tunnel may drop due to transient delays.

82
MCQ · medium

A FortiGate is configured with OSPF over an IPsec VPN tunnel to exchange routes with a remote site. The OSPF neighbor states are stuck in 'INIT' and never progress to 'FULL'. What is the MOST likely cause?

A. The MTU on the VPN interface is too high
B. OSPF authentication is not configured on both sides
C. The IPsec phase 2 proposal does not include the OSPF multicast IP address (224.0.0.5)
D. The OSPF hello interval is too short
Answer: C

OSPF uses multicast address 224.0.0.5. The IPsec SA must be configured to allow this traffic; if the proxy ID does not include the multicast address, OSPF packets are dropped.

Why this answer

OSPF requires multicast support (224.0.0.5) to form adjacencies. Without multicast over the VPN tunnel, OSPF cannot exchange hello packets properly.

83
Multi-Select · medium

A company wants to provide external contractors with access to a specific internal web application without granting full network access. The solution must authenticate the user, verify device compliance, and log all access. Which three Fortinet features should be combined to meet these requirements? (Choose THREE)

Select 3 answers
A. FortiNAC
B. SSL deep inspection
C. ZTNA proxy
D. FortiClient EMS with compliance enforcement
E. IPsec VPN with XAuth
Answers: B, C, D

Deep inspection decrypts HTTPS traffic for logging and security scanning.

Why this answer

ZTNA provides application-specific access with authentication and logging. FortiClient EMS enforces device compliance (posture). SSL deep inspection is required for decryption to log content.

This combination meets all requirements.

84
MCQ · hard

A company uses SSL VPN with FortiGate for remote access. Users report that after connecting, they can access internal web servers but cannot ping them. Which configuration is most likely missing?

A. Split tunneling settings
B. SSL VPN web portal settings
C. Firewall policy allowing ICMP
D. DNS server configuration
Answer: C

The firewall policy for SSL VPN traffic must permit ICMP protocol in addition to TCP/80 and TCP/443.

Why this answer

The correct answer is C. SSL VPN tunnels typically allow TCP-based traffic like HTTP/HTTPS to internal web servers, but ICMP (ping) is a separate protocol that requires explicit permission in the firewall policy. Without a firewall policy rule permitting ICMP from the SSL VPN interface to the internal network, the FortiGate will drop the ping requests, even though the tunnel is established and other traffic flows.

Exam trap

The trap here is that candidates assume split tunneling or DNS is the cause, but the real issue is that ICMP is a separate protocol that must be explicitly permitted in the firewall policy, unlike TCP-based web traffic.

How to eliminate wrong answers

Option A is wrong because split tunneling controls whether traffic to the internet goes through the VPN tunnel or directly, not the ability to ping internal servers; it does not affect ICMP traffic to internal resources. Option B is wrong because the SSL VPN web portal settings define the web-based interface and bookmarks for users, not the underlying firewall rules that govern ICMP or other protocols. Option D is wrong because DNS server configuration resolves hostnames to IP addresses, but the issue is that ping fails even when using the IP address, indicating a lack of ICMP permission rather than name resolution.

85
MCQ · medium

Refer to the exhibit. Users report that they cannot log in to the SSL VPN portal. The stats show 15 login failures with reason 'auth_fail'. What is the most likely cause?

A. The user 'user1' does not exist
B. The login-attempt-limit is too low
C. The encryption algorithm is set to low
D. The SSL VPN settings do not reference the user group
Answer: D

The configuration is missing 'set user-group' under config vpn ssl settings; thus no group is authorized for login, causing authentication failure.

Why this answer

The 'auth_fail' reason indicates that the authentication request was processed but rejected, typically because the SSL VPN portal is not configured to reference the user group that 'user1' belongs to. Without a group filter or group mapping in the SSL VPN settings, the FortiGate cannot match the user to any allowed group, causing the authentication to fail even if the user credentials are valid.

Exam trap

The trap here is that candidates often assume 'auth_fail' always means a wrong password or missing user, but Fortinet specifically uses 'auth_fail' to indicate a group mismatch when the user exists and the password is correct, testing your understanding of SSL VPN portal-to-group binding.

How to eliminate wrong answers

Option A is wrong because if 'user1' did not exist, the FortiGate would log a 'user not found' error, not 'auth_fail'; 'auth_fail' specifically indicates the user exists but the authentication was denied. Option B is wrong because a low login-attempt-limit would cause 'login-locked' or 'blocked' messages after exceeding attempts, not 'auth_fail' on each failure. Option C is wrong because the encryption algorithm setting (e.g., low, medium, high) affects the SSL cipher strength negotiated during the handshake, not the authentication phase; a mismatch would cause a connection failure, not an 'auth_fail' log.

86
MCQ · easy

An administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration uses certificates for authentication. The admin sees the following log message: 'Certificate validation failed: unable to get local issuer certificate.' What is the most likely cause?

A. The peer's certificate has expired
B. The CA certificate that signed the peer's certificate is not imported on the FortiGate
C. The certificate revocation list (CRL) is not configured
D. The local certificate does not match the peer's expected CN
Answer: B

The error 'unable to get local issuer certificate' means the issuing CA is missing.

Why this answer

The error indicates that the FortiGate cannot find the CA certificate that issued the peer's certificate. The CA certificate must be imported and trusted on the FortiGate.

87
MCQ · easy

An administrator wants to enforce that only devices with antivirus software installed and running can access a sensitive application via ZTNA. Which ZTNA feature should be used to verify this requirement?

A. ZTNA inline CASB
B. NAC with FortiNAC
C. ZTNA tags with device posture checks
D. IPsec VPN with DPD
Answer: C

ZTNA tags can contain posture attributes like antivirus status. The FortiGate can check these tags in the access proxy rule to grant or deny access.

Why this answer

ZTNA uses tags to indicate device posture. The FortiGate or FortiClient EMS can check for antivirus status and include that information in the device's posture tag. The ZTNA access proxy rule can then require that tag for access.

88
MCQ · medium

A FortiGate administrator configures SAML SSO with FortiGate as the Identity Provider (IdP). Users are redirected to the FortiGate login page, but after successful authentication, they are not redirected back to the service provider. What is a likely cause?

A. SAML authentication timeout is too short
B. The assertion consumer service URL is misconfigured on the FortiGate
C. The ACS URL on the service provider does not match the FortiGate's SAML settings
D. The SP certificate is not imported on the FortiGate
Answer: B

Why this answer

When FortiGate is the IdP, it must have the correct Assertion Consumer Service (ACS) URL to which the SAML response is sent after authentication. A mismatch prevents the redirect back to the SP.

89
Multi-Select · hard

An administrator is configuring a hub-and-spoke ADVPN with IBGP as the overlay routing protocol. The hub is configured as a route reflector. Which two conditions must be met for a shortcut tunnel to be established between two spokes? (Choose TWO)

Select 2 answers
A. The hub must have a route to the spoke's subnet via the IPsec tunnel
B. The spokes must use overlapping IPsec proposal sets
C. The hub must have 'set auto-discovery-shortcut-mode both'
D. The spokes must be in the same VDOM
E. The spokes must have 'set auto-discovery-shortcut-mode client' enabled
Answers: A, E

The hub needs to have the route in its routing table to advertise to other spokes.

Why this answer

For shortcut tunnels to establish, the hub must send a shortcut offer to the spokes. This requires that the hub learns the route from one spoke via IBGP and reflects it to the other spoke. The spoke must also have auto-discovery-shortcut-mode enabled to accept the shortcut.

Additionally, the spokes must be able to communicate directly (no NAT between them).

90
Multi-Select · medium

A company has two FortiGate devices at different sites connected via an IPsec VPN tunnel using IKEv2. The tunnel is established but intermittent packet loss is observed. Which two configuration changes should be applied to improve stability? (Choose two.)

Select 2 answers
A. Reduce the DPD retry interval to 3 seconds.
B. Increase the phase1 lifetime to 86400 seconds.
C. Change the IKE version to IKEv1.
D. Increase the phase2 rekey time to 8 hours.
E. Enable Dead Peer Detection (DPD) on the tunnel interface.
Answers: D, E

Longer rekey intervals reduce the frequency of rekeying, which can disrupt traffic.

Why this answer

Increasing the phase2 rekey time to 8 hours (Option D) reduces the frequency of rekey events, which can cause brief packet loss during key regeneration. This is especially beneficial for stability when the tunnel experiences intermittent loss due to rekey timing. A longer rekey interval minimizes disruptions, making it a correct choice.

Exam trap

The trap here is that candidates often think reducing DPD intervals or increasing lifetimes always improves stability, but in reality, aggressive DPD can cause flapping on lossy links, and IKEv2 is inherently more stable than IKEv1 for VPN tunnels.

91
MCQ · easy

In FortiGate's ZTNA, what is the purpose of a 'ZTNA tag'?

A. To identify a device's compliance status and attributes for policy enforcement.
B. To mark packets for quality of service (QoS) prioritization.
C. To label network interfaces for traffic steering.
D. To assign a security level to application traffic.
Answer: A

Why this answer

ZTNA tags are dynamic attributes (e.g., OS type, antivirus status) assigned to devices based on posture checks. They are used in firewall policies to grant access based on device compliance, not for routing or QoS.

92
Multi-Select · medium

A network administrator is troubleshooting a scenario where remote users can connect via FortiClient VPN but cannot access internal resources. The FortiGate has a valid IPsec VPN configuration. Which THREE checks should the administrator perform to resolve the issue?

Select 3 answers
A. Check if there is a route on the internal network pointing back to the VPN subnet
B. Ensure that NAT is disabled on the VPN policy
C. Increase the MTU on the VPN interface
D. Disable DPD on the VPN phase 1
E. Verify that the firewall policy allows traffic from the VPN IP pool to the internal network
Answers: A, B, E

Without a return route, responses can't reach the VPN clients.

Why this answer

Common issues: firewall policies must allow traffic from VPN IP pool to internal network; routing must be correct; NAT should not be applied to VPN traffic (unless required). Checking these three areas typically resolves connectivity issues.

93
MCQ · medium

In a hub-and-spoke VPN, spokes cannot communicate with each other directly. The administrator wants to allow direct spoke-to-spoke traffic without routing through the hub. Which technology should be configured?

A. Static routes on spokes
B. IKEv1 with mode-config
C. GRE over IPsec
D. ADVPN with IKEv2
Answer: D

ADVPN uses IKEv2 to dynamically establish shortcut tunnels.

Why this answer

ADVPN (Auto Discovery VPN) enables shortcut tunnels between spokes after initial hub communication, allowing direct traffic.

94
MCQ · hard

During a ZTNA deployment, an administrator notices that traffic from a specific internal application is being routed through the ZTNA gateway but is not reaching the destination server. The FortiGate policy allows the traffic, and the client has a valid ZTNA connection. What is the most likely cause of the issue?

A. The ZTNA proxy rule on the FortiGate is misconfigured, pointing to the wrong destination IP or port.
B. The client's FortiClient agent is not connected to the EMS server.
C. The destination server does not have internet connectivity.
D. The FortiGate policy is set to deny traffic from the client's subnet.
Answer: A

A misconfigured proxy rule would cause traffic to be sent to the wrong destination.

Why this answer

Option A is correct because in a ZTNA deployment, the FortiGate acts as a reverse proxy for internal applications. If the ZTNA proxy rule is misconfigured with an incorrect destination IP or port, the FortiGate will forward the traffic to the wrong backend server or service, causing the connection to fail even though the client has a valid ZTNA connection and the firewall policy permits the traffic.

Exam trap

The trap here is that candidates often assume the issue is with the client's connectivity or the firewall policy, but the key is that a valid ZTNA connection and permissive policy do not guarantee correct proxy forwarding—the proxy rule itself must accurately point to the destination server.

How to eliminate wrong answers

Option B is wrong because the client already has a valid ZTNA connection, which requires the FortiClient agent to be connected to the EMS server for authentication and posture checks; if it were disconnected, the ZTNA connection would not be established. Option C is wrong because the destination server does not need internet connectivity; ZTNA traffic is proxied through the FortiGate, and the server only needs reachability from the FortiGate, not the public internet. Option D is wrong because the question explicitly states that the FortiGate policy allows the traffic, so a deny policy for the client's subnet would contradict that condition.

95
Multi-Select · medium

A FortiGate is configured as a ZTNA proxy. The administrator wants to ensure that only devices with a specific ZTNA tag assigned by FortiClient EMS are allowed to access the application. Which two configuration steps are required? (Choose two.)

Select 2 answers
A. Configure a firewall policy with the ZTNA proxy as destination and enable 'allow only ZTNA'
B. Create a firewall policy allowing all traffic to the ZTNA proxy
C. Enable 'set ztna-tag' on the FortiGate interface
D. Create a ZTNA access rule with a condition matching the tag
E. Import the ZTNA tag from EMS into FortiGate
Answers: D, E

Why this answer

To restrict access based on ZTNA tags, the tag must be imported from EMS (E) and then used in a ZTNA access rule condition (D).

96
MCQ · medium

A network administrator is troubleshooting an IPsec VPN tunnel that is not coming up. The configuration uses IKEv2 with pre-shared keys. The administrator runs 'diagnose vpn ike log-filter' and sees no logs. What is the most likely cause?

A. IKE debug is not enabled
B. The pre-shared key does not match
C. The tunnel name is misspelled in the filter
D. The remote gateway is unreachable
Answer: A

Why this answer

Without enabling IKE debug, the diagnose command will not show any output even if the tunnel is failing. The log-filter only filters the debug output; debug must be started first.

97
MCQ · medium

An administrator notices that after upgrading FortiOS, the ADVPN shortcut tunnels are no longer being established. The hub and spokes have the same ADVPN configuration as before. What is the most likely cause?

A. The spokes do not have routes to each other's networks via the hub
B. The IKE version changed to IKEv1
C. Dead Peer Detection (DPD) is disabled on the tunnel
D. The hub's ADVPN configuration was reset during upgrade
Answer: A

Shortcut tunnels are triggered when a spoke has traffic to another spoke's network but no direct route; if routing is not working (e.g., BGP not advertising), shortcuts won't be negotiated.

Why this answer

ADVPN shortcut tunnel initiation may require proper routing. If dynamic routing (e.g., BGP or OSPF) is not advertising the spoke networks to each other, spokes won't have routes to trigger shortcuts.

98
MCQ · hard

During a ZTNA implementation, the administrator configures a ZTNA rule for an internal application but users cannot connect. The FortiGate policy is correct and the application is reachable from the FortiGate. What is the most likely misconfiguration?

A. The firewall policy is set to deny traffic from the ZTNA gateway.
B. The client does not have a route to the internal application.
C. The client's FortiClient agent is not authenticated.
D. The ZTNA rule's proxy destination IP or port is wrong.
Answer: D

The proxy must correctly forward to the internal server.

Why this answer

Option D is correct because the ZTNA rule defines the mapping between the external proxy address and the internal application's actual IP and port. If the proxy destination IP or port is misconfigured, the FortiGate's ZTNA proxy cannot forward traffic to the correct internal server, even though the firewall policy and network connectivity are otherwise valid. This is a common misconfiguration when the internal application's IP or service port differs from what is specified in the ZTNA rule.

Exam trap

The trap here is that candidates often confuse ZTNA rule misconfiguration with firewall policy issues or client-side routing, but the exam specifically tests that the ZTNA rule's proxy destination must exactly match the internal application's IP and port for the proxy to forward traffic correctly.

How to eliminate wrong answers

Option A is wrong because the firewall policy for ZTNA must permit traffic from the ZTNA gateway (the proxy IP) to the internal application; a deny rule would explicitly block the proxy, but the question states the policy is correct. Option B is wrong because the client does not need a direct route to the internal application; in ZTNA, the client connects only to the FortiGate's external proxy IP, and the FortiGate handles routing to the internal application. Option C is wrong because while FortiClient authentication is required for ZTNA access, the question states users cannot connect despite a correct policy and reachable application, implying the authentication is likely successful; the issue is specifically with the ZTNA rule's proxy destination mapping.

99
MCQ · easy

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal web application. The current network uses FortiGate as the firewall. Which component is required to enforce ZTNA policies on the FortiGate?

A. FortiSandbox for content inspection
B. FortiAnalyzer for log analysis
C. FortiGate ZTNA proxy configuration
D. FortiAuthenticator for RADIUS authentication
Answer: C

The FortiGate acts as a ZTNA proxy/gateway that authenticates users and checks device posture before allowing access.

Why this answer

ZTNA on FortiGate requires the FortiGate to act as a ZTNA proxy (gateway) that intercepts traffic to internal applications. Option C is correct because the FortiGate must be configured as a ZTNA proxy to receive and forward traffic according to access rules.

100
MCQ · easy

An administrator wants to configure a multi-peer IPsec VPN where one FortiGate (hub) connects to multiple remote FortiGates (spokes) using a single phase 1 interface with dynamic IP addresses. Which configuration is required on the hub?

A. Set psksecret to a group password and enable XAuth
B. Set mode to aggressive and use pre-shared keys
C. Set type to static and configure each peer's IP in separate phase1
D. Set type to dynamic and set remote-gw 0.0.0.0
Answer: D

Dynamic type with remote-gw 0.0.0.0 allows any peer to initiate the tunnel.

Why this answer

To allow multiple peers to connect with dynamic IPs, the hub must use a phase 1 interface with mode-cfg enabled to assign IPs to clients and accept connections from any remote IP (set remote-gw 0.0.0.0). This is commonly called a dial-up VPN configuration.

101
MCQ · medium

An administrator is troubleshooting a ZTNA access issue. Remote users can connect to the FortiGate's ZTNA proxy, but when they try to access the internal application, they receive a 403 Forbidden error. The administrator has verified that the user is authenticated and the ZTNA rule is configured correctly. What is the most likely cause?

A. The FortiGate firewall policy allowing ZTNA traffic is missing
B. The user's device does not have the required ZTNA tags from EMS
C. The application server does not have a valid certificate
D. The ZTNA proxy is configured with the wrong port for the application
Answer: B

ZTNA rules evaluate device posture via tags. If the device lacks the required tag (e.g., antivirus enabled), the rule denies access with a 403.

Why this answer

A 403 Forbidden error in ZTNA typically indicates that the access control rule denied the request. This can happen if the device does not meet the required posture checks (ZTNA tags). Option B is correct because the ZTNA rule likely requires a specific tag that the device does not have, resulting in denial.

102
MCQ · hard

A FortiGate is configured with FortiClient EMS to enforce ZTNA posture checks. The administrator finds that some Windows 10 clients are not reporting their antivirus status correctly, causing them to be blocked. However, the clients have antivirus installed and running. What is the most likely cause?

A. The FortiClient EMS connector is disabled on the endpoints
B. The clients are not connected to the corporate network
C. The antivirus definitions are outdated
D. FortiGate is using the wrong EMS tag
Answer: A

If the EMS connector is disabled, FortiClient cannot communicate posture information to the FortiGate.

Why this answer

FortiClient requires the EMS connector to be enabled and the correct compliance profile must be applied. If the antivirus status is not reported, the connector might be disabled or the profile not assigned.

103
MCQ · easy

An organization wants to implement Zero Trust Network Access (ZTNA) to secure access to an internal application. The application is hosted on a server with IP 10.1.1.100. Which component acts as the intermediary between users and the application in FortiGate ZTNA?

A. FortiClient EMS
B. ZTNA agent on the application server
C. ZTNA proxy on FortiGate
D. ZTNA tags assigned to the application server
Answer: C

FortiGate acts as a ZTNA gateway, hosting the proxy that terminates user connections and forwards to internal apps.

Why this answer

FortiGate ZTNA uses a reverse proxy to forward user connections to internal applications. Users connect to the proxy, which verifies identity and posture before proxying traffic to the application server.

104
MCQ · medium

A network administrator configures an IPsec VPN between two FortiGates using IKEv2. The tunnel establishes, but after a period of inactivity, traffic stops passing and the logs show 'IPsec phase 1 down'. The administrator wants to ensure the tunnel is quickly re-established when traffic resumes. Which setting should be configured?

A. Set the phase1 proposal to use AES-256-GCM.
B. Configure the phase1 to use main mode instead of aggressive mode.
C. Enable Dead Peer Detection (DPD) with 'on-idle' mode.
D. Set the IKE idle timeout to 0 (disabled).

Why this answer

DPD with 'on-idle' sends periodic probes during idle periods to detect a dead peer, allowing quick re-negotiation if needed. Option D disables idle timeout but does not probe; the tunnel may still go down if the peer disappears.

105
MCQ · easy

What is the purpose of Dead Peer Detection (DPD) in an IPsec VPN?

A. Detect loss of connectivity to the remote VPN peer
B. Detect if the VPN tunnel is using the correct encryption algorithm
C. Detect duplicate IP addresses on the network
D. Detect packet loss over the VPN tunnel
Answer: A

DPD monitors the liveness of the remote VPN peer. If the peer becomes unreachable, DPD detects it and the tunnel can be torn down.

Why this answer

DPD is used to detect if the remote peer is still alive. It sends periodic messages and if no response is received, the tunnel is considered down. Option A is correct.

106
MCQ · hard

An administrator is troubleshooting a ZTNA connection issue where a user can access the ZTNA gateway but the connection to the internal application fails after a few seconds. The FortiGate logs show 'ZTNA session timeout' but the timeout value is set to 30 minutes. What could be the reason?

A. The internal application is not responding to the proxy request.
B. The ZTNA proxy idle timeout is set to a lower value than the global timeout.
C. The internal application has a 5-second timeout.
D. The client's FortiClient is not receiving the ZTNA tags.
Answer: B

The proxy idle timeout can be configured separately and may be shorter.

Why this answer

The ZTNA proxy has its own idle timeout setting that operates independently of the global timeout. Even though the global timeout is set to 30 minutes, if the per-proxy idle timeout is configured to a lower value (e.g., 30 seconds), the proxy will terminate the session after that idle period, logging 'ZTNA session timeout'. This explains why the connection fails after a few seconds despite the long global timeout.

Exam trap

The trap here is that candidates assume 'ZTNA session timeout' refers to the global timeout value, overlooking that the ZTNA proxy has its own independent idle timeout that defaults to a much shorter interval.

How to eliminate wrong answers

Option A is wrong because if the internal application were not responding, the FortiGate would log a different error such as 'connection refused' or 'upstream timeout', not a 'ZTNA session timeout'. Option C is wrong because a 5-second timeout on the internal application would cause an upstream timeout or 504 error, not a ZTNA session timeout, and the log message specifically points to the proxy's idle timeout. Option D is wrong because if FortiClient were not receiving ZTNA tags, the user would not be able to access the ZTNA gateway at all; the issue occurs after successful gateway access, ruling out tag delivery problems.

107
MCQ · hard

A FortiGate administrator runs the following commands on a FortiGate and sees the output:

diagnose sys session filter dport 443
diagnose sys session list

proto=6 proto_state=01 duration=3600 expire=3599

What does this output indicate about the session?

A. The session is in SYN_SENT state; the three-way handshake is incomplete
B. The session has been terminated due to inactivity
C. The session is a UDP session
D. The session is fully established and has been active for 3600 seconds
Answer: A

proto_state=01 corresponds to TCP SYN_SENT, meaning the session is waiting for SYN-ACK.

Why this answer

proto_state=01 indicates TCP SYN_SENT state, meaning the session has not completed three-way handshake.

108
MCQhard

You run 'diagnose vpn ike gateway list' on a FortiGate hub and see the following output for a spoke connection: IKE SA state: ESTABLISHED, IPsec SA state: UP, but the spoke cannot route traffic to other spokes. The ADVPN shortcut tunnel is not being established. What is the MOST likely cause?

A.DPD is not configured on the hub
B.The hub has a static route for the spoke subnet pointing to the tunnel interface
C.The spoke's phase2 proposal does not match the hub's proposal
D.The spoke is using a different IKE version than the hub
AnswerB

ADVPN assumes spoke prefixes are learned dynamically over the overlay; a static route on the hub pinning a spoke subnet to the hub tunnel keeps the hub as the fixed next hop, so nothing re-resolves onto a shortcut once one is offered.

Why this answer

The hub offers a shortcut when it forwards traffic that arrived on the ADVPN interface back out the same interface towards another spoke. For the spokes to actually use that shortcut, the route to each other's subnet must be learned over the overlay (BGP or OSPF) so it can be re-resolved over the shortcut tunnel; static routes pinned to the hub keep the path hub-centric. The other options would break the spoke's own tunnel, but the output shows the IKE SA ESTABLISHED and the IPsec SA UP, so the IKE version and the phase2 proposal already agree, and DPD only governs dead-peer detection. Option B is correct.

109
MCQhard

An administrator configures OSPF over an IPsec VPN overlay between two FortiGates. The OSPF neighbors show a state of 'EXSTART/EXCHANGE' but never reach 'FULL'. The IPsec tunnel is up and passes ICMP traffic. What is the MOST likely cause?

A.The MTU on the tunnel interface is too large
B.OSPF is not enabled on the tunnel interface
C.The IPsec tunnel is using ESP with authentication
D.The OSPF hello interval is mismatched
AnswerA

An MTU mismatch on the tunnel interfaces stalls the neighbor in EXSTART/EXCHANGE even though the small hello packets and pings get through.

Why this answer

OSPF carries the interface MTU in its Database Description (DBD) packets and will not proceed past EXSTART/EXCHANGE while the two ends disagree. An IPsec tunnel interface left at 1500 bytes advertises an MTU the encapsulated path cannot carry, and a peer whose tunnel interface uses a different MTU never completes database exchange. Set the same MTU on both tunnel interfaces, or enable mtu-ignore in the OSPF interface configuration on both sides. Option B is wrong because an interface without OSPF produces no neighbor at all, option C describes normal ESP operation, and a hello-interval mismatch (D) stops the neighbor from even reaching 2-WAY.

110
MCQhard

A FortiGate is configured with ZTNA inline CASB to control access to a SaaS application. The administrator wants to block uploads of files containing credit card numbers. Which ZTNA inline CASB feature should be used?

A.Web filter profile
B.Data leak prevention (DLP) profile
C.Antivirus profile
D.Application control profile
AnswerB

DLP can detect sensitive data like credit card numbers and block or log the action.

Why this answer

ZTNA inline CASB can apply DLP (Data Loss Prevention) profiles to inspect content. To block uploads with credit card numbers, a DLP profile with a credit card number sensor should be applied to the ZTNA proxy rule. Option B is correct.

111
MCQmedium

A network admin is configuring a hub-and-spoke ADVPN. The spoke FortiGates are behind NAT. After configuring IKE phase 1 with aggressive mode, the spokes can establish VPN tunnels to the hub, but shortcut tunnels between spokes are not forming. What is the MOST likely cause?

A.The hub FortiGate is not using IKEv2 for the phase 1 configuration
B.The spoke FortiGates are using main mode instead of aggressive mode for IKE phase 1
C.The spoke FortiGates have 'set net-device disable' on the phase 1 interface
D.The hub FortiGate is not configured with 'set add-route enable' on the phase 1 interface
AnswerB

The key rests on the IKEv1 behaviour that a dialup spoke must identify itself by IKE ID, which only aggressive mode sends in the first exchange; NAT traversal, not aggressive mode, is what carries IKE and ESP across the NAT.

Why this answer

With IKEv1 and pre-shared keys, spokes behind NAT are dialup peers whose source address the hub cannot use to identify them, so the hub relies on the IKE ID that aggressive mode sends in the first message to pick the matching peer configuration. Two points for practice: NAT traversal (UDP 4500 encapsulation, enabled by default on a FortiOS phase1) is what actually handles the NAT, and with IKEv2 there is no main/aggressive choice at all. If shortcuts still do not form, check that the hub phase1 has auto-discovery-sender enabled and each spoke phase1 has auto-discovery-receiver enabled.

112
MCQmedium

A FortiGate administrator configures a hub-and-spoke VPN with OSPF routing. The spoke FortiGates are learning routes from the hub, but inter-spoke traffic is being routed through the hub instead of using shortcut tunnels. What configuration is missing on the hub to allow ADVPN shortcut establishment?

A.Set the VPN interface type to 'tunnel' instead of 'vlan'
B.Disable route redistribution from OSPF into the VPN tunnel interface on the hub
C.Enable 'auto-discovery-sender' on the hub and 'auto-discovery-forwarder' on spokes
D.Configure a static route for inter-spoke traffic on the hub
AnswerB

If spoke-to-spoke reachability is only ever expressed as routes through the hub, traffic stays hub-centric. The shortcut itself is negotiated over IKE (the hub sends a shortcut offer), and routing must then be able to re-resolve the destination over the new shortcut interface.

Why this answer

For ADVPN the hub must be the auto-discovery-sender (spokes are auto-discovery-receivers), and the routing design must not pin spoke prefixes to the hub: with OSPF run over the overlay, the shortcut is a child of the same phase1 interface, so once the hub has offered it the spokes re-resolve the other spoke's prefix over the shortcut. Option C names the wrong roles (auto-discovery-forwarder is a hub-side option for relaying shortcut messages, not a spoke role), option D would make the hub-centric path permanent, and option A is not a real interface type choice, which is why B is keyed.

113
MCQeasy

Which feature in FortiOS enables a FortiGate to act as a proxy for client-initiated connections to internal applications without requiring a VPN client, by verifying device posture and user identity?

A.IPsec VPN with XAuth authentication
B.SSL VPN with web mode portal
C.FortiGate's explicit web proxy
D.ZTNA (Zero Trust Network Access) proxy
AnswerD

Why this answer

ZTNA proxy provides application-level access without full network connectivity, enforcing identity and posture checks. IPsec and SSL VPN give full network access. Explicit proxy is for web traffic only.

114
MCQmedium

A FortiGate administrator is configuring a site-to-site IPsec VPN with IKEv2. The remote peer supports multiple proposals. The administrator wants to ensure that the VPN tunnel uses AES256-GCM for encryption and SHA256 for integrity. Which configuration setting should be used to enforce this preference?

A.Set the 'proposal' list with AES256-GCM and SHA256 as the first entry
B.Enable 'set proposal-mode strict'
C.Use IKEv2 rekey to change the proposal after initial handshake
D.Configure a phase2 selectors with the exact traffic of interest
AnswerA

The order of proposals defines priority; the first matching proposal is selected. Placing AES256-GCM/SHA256 first ensures it is preferred.

Why this answer

In IKEv2, the proposal order determines the preference and the first proposal both sides support is used. To enforce AES256-GCM with SHA256, the administrator lists that combination first in both the phase1 and phase2 configuration. Note that AES-GCM is an AEAD cipher that provides its own integrity, so in the FortiOS phase1 proposal name (for example aes256gcm-prfsha256) the sha256 part names the IKE pseudo-random function rather than a separate integrity algorithm, and the matching phase2 proposal is simply aes256gcm.

115
MCQeasy

An administrator needs to configure a site-to-site IPsec VPN with a remote FortiGate that has a dynamic IP address. Which phase1 parameter must be set to support this?

A.Enable Perfect Forward Secrecy (PFS)
B.Enable NAT traversal
C.Use certificate-based authentication
D.Set mode to aggressive and use a pre-shared key
AnswerD

Aggressive mode lets the dynamic-IP peer send its IKE ID in the first message, so the static-IP side (configured as a dialup phase1 with set type dynamic) can identify it and authenticate it with the matching pre-shared key.

Why this answer

When the remote FortiGate has a dynamic IP address, the local FortiGate cannot initiate the VPN because it does not know the remote peer's IP. Setting the phase1 mode to aggressive and using a pre-shared key allows the remote peer to initiate the connection by sending its identity (ID) in the first exchange, enabling the local FortiGate to identify and authenticate the peer without requiring a static IP address for the remote side.

Exam trap

The trap here is that candidates often confuse NAT traversal (which handles NAT devices) with the need for a dynamic IP peer, or they assume certificate-based authentication alone solves the issue, but the key requirement is the ability to identify the peer without a known IP address, which aggressive mode enables.

How to eliminate wrong answers

Option A is wrong because Perfect Forward Secrecy (PFS) is a phase2 parameter that ensures that if a private key is compromised, past session keys are not exposed; it does not address dynamic IP peer identification. Option B is wrong because NAT traversal is used to handle IPsec packets traversing NAT devices by encapsulating them in UDP, not to support a peer with a dynamic IP address. Option C is wrong because certificate-based authentication can be used with either main or aggressive mode, but it does not solve the problem of a dynamic IP peer; aggressive mode with a pre-shared key is specifically required to allow the peer to initiate without a known IP.

116
MCQmedium

A FortiGate is configured with a ZTNA access proxy rule for a web application. The administrator wants to enforce that only devices with a specific FortiClient tag (e.g., 'Compliant') can access the application. Where is this tag-based access control configured?

A.In the FortiClient EMS policy
B.In the firewall policy that permits traffic from the ZTNA gateway to the application
C.In the SSL inspection profile
D.In the ZTNA access proxy rule under the ZTNA gateway configuration
AnswerD

The access proxy rule includes conditions such as device tags (e.g., Compliant) to determine if access is allowed.

Why this answer

In ZTNA, device posture tags from FortiClient are used in access proxy rules to grant or deny access. The tags are matched in the ZTNA proxy rule (access proxy rule) under the ZTNA gateway configuration; EMS only assigns the tags, and the firewall policy between gateway and application does not evaluate them. Option D is correct.

117
MCQeasy

An organization wants to implement Network Access Control (NAC) using FortiNAC. The goal is to automatically quarantine any device that does not have the latest antivirus definitions. Which FortiNAC component enforces this policy?

A.FortiNAC Collector
B.FortiNAC Profiler
C.FortiNAC Enforcement Engine
D.FortiNAC Portal
AnswerC

The Enforcement Engine applies the policy actions (e.g., quarantine) based on compliance state.

Why this answer

FortiNAC uses policies to define security requirements. The Enforcement Engine applies the policy by changing the VLAN or applying ACLs on network devices to quarantine non-compliant endpoints.

118
MCQmedium

A FortiGate administrator configures a ZTNA access proxy rule to allow access to an internal application only if the user's device has the tag 'Compliant'. The tag is assigned by FortiClient EMS. However, a user with a compliant device is still blocked. The admin sees in the ZTNA logs that the tag is not being received. What should the administrator check FIRST?

A.Verify that the FortiClient is connected to the internet
B.Confirm that the ZTNA rule is enabled and using the correct port
C.Check if the application server is reachable from the FortiGate
D.Ensure the EMS connector is configured under Security Fabric > External Connectors
AnswerD

The Endpoint Control connector to EMS must be configured and authorized. Without this, FortiGate cannot receive any tags from EMS.

Why this answer

For ZTNA tags to be sent to FortiGate, the FortiClient must be registered with EMS and the EMS must be configured as an endpoint control connector on FortiGate. If the connector is missing or misconfigured, FortiGate cannot retrieve tags.

119
MCQmedium

You run the following command on a FortiGate: 'diagnose vpn ike gateway list' and see that the DPD status for a VPN peer is 'dead'. What does this indicate?

A.The remote peer has been manually disconnected from the network
B.The VPN tunnel is still up but the peer is not responding to DPD messages
C.The IKE SA is still active but the IPsec SA has expired
D.The VPN peer has been detected as unreachable and the tunnel is considered down
AnswerD

DPD status 'dead' means the peer is not responding, so FortiGate marks the tunnel as down.

Why this answer

DPD (Dead Peer Detection) is used to check the liveness of a VPN peer. 'Dead' means the peer is not responding to DPD messages, indicating the tunnel is down.

120
MCQeasy

An administrator wants to enforce that only managed FortiClient endpoints with up-to-date antivirus and a specific OS version can access a sensitive internal network via IPsec VPN. Which feature should be used to achieve this?

A.ZTNA tags
B.FortiNAC
C.SAML SSO
D.FortiClient EMS compliance enforcement
AnswerD

FortiClient EMS allows the administrator to define compliance rules and enforce them during VPN connection.

Why this answer

FortiClient EMS can enforce compliance rules such as requiring up-to-date antivirus and specific OS version. When a FortiClient connects to the FortiGate VPN, the FortiGate can check the endpoint's posture via FortiClient EMS and apply a matching firewall policy.

121
MCQhard

A FortiGate administrator configures a ZTNA rule with inline CASB to control access to a SaaS application. Users can access the application but the CASB controls are not being applied. What is the most likely reason?

A.The firewall policy is configured for flow-based inspection
B.SSL inspection is not enabled
C.The CASB profile is not applied to the ZTNA rule
D.The SaaS application is not supported by FortiGate CASB
AnswerA

Inline CASB requires proxy-based inspection; flow-based mode bypasses CASB processing.

Why this answer

Inline CASB requires a proxy-based firewall policy that intercepts traffic to the SaaS application. If the policy is using flow-based inspection, CASB will not be invoked. Inline CASB works only with proxy-based inspection.

122
Multi-Selecteasy

An administrator wants to enforce that only devices with the latest antivirus signatures and a corporate disk encryption solution can access a sensitive application via ZTNA. Which two FortiClient EMS components must be configured? (Choose two.)

Select 2 answers
A.Device posture checks
B.VPN tunnels
C.SAML SSO
D.ZTNA tags
AnswersA, D

Device posture checks verify compliance criteria like AV signatures and encryption.

Why this answer

ZTNA tags define compliance requirements, and device posture checks evaluate endpoint security state. Together they enable conditional access based on endpoint compliance.

123
Drag & Dropmedium

Drag and drop the steps to configure a FortiGate as a DHCP server into the correct order.

Why this order

Select interface, enable DHCP, set scope, configure options, then apply.

124
MCQeasy

An administrator wants to ensure that FortiGate validates the identity of the remote VPN peer using a certificate during IKEv2 phase 1. Which authentication method should the administrator select in the IPsec phase 1 configuration?

A.Aggressive mode
B.Pre-shared key
C.EAP
D.Signature (RSA)
AnswerD

Signature authentication uses digital certificates to verify identity.

Why this answer

IKEv2 supports certificate-based authentication (RSA signature) for peer identity verification.

125
MCQmedium

A FortiGate is configured as a SAML identity provider (IdP) for a partner's SaaS application (SP). Users authenticate via FortiGate's local user database. The administrator successfully tests the SAML flow, but after some time, users are prompted to re-authenticate frequently. What is the most likely cause?

A.The FortiGate's SAML service provider certificate has expired
B.The SAML assertion lifetime is configured too short
C.The FortiGate's clock is not synchronized with NTP
D.The SP is using HTTP-POST binding instead of redirect
AnswerB

The assertion lifetime controls how long the SAML assertion is valid. If set too low, users need to re-authenticate when it expires.

Why this answer

SAML assertions have a validity period. If the IdP (FortiGate) sets a short assertion lifetime or the SP's session timeout is shorter, users will be prompted to re-authenticate. The most common cause is the assertion lifetime being too short.

126
MCQhard

An administrator is configuring ZTNA inline CASB for a SaaS application. The goal is to block upload of files containing credit card numbers. Which configuration components are required?

A.Use FortiClient to enforce DLP on endpoints
B.Configure an IPsec VPN between FortiGate and the SaaS provider
C.Configure a ZTNA application with a CASB profile and SSL inspection
D.Configure a web filter profile with DLP sensor
AnswerC

CASB requires the proxy to decrypt traffic and apply CASB policies.

Why this answer

ZTNA inline CASB uses a ZTNA proxy with SSL inspection and a CASB profile that includes a data leak prevention (DLP) rule to detect credit card numbers.

127
MCQmedium

In a hub-and-spoke VPN using OSPF over the overlay, the hub FortiGate learns routes from spoke1 and advertises them to spoke2. However, spoke2's routing table shows the route with a next-hop of the hub's tunnel IP, not spoke1's tunnel IP. What should the administrator configure to allow spoke2 to reach spoke1 directly (using ADVPN shortcut)?

A.Increase the OSPF metric on the hub's loopback interface
B.Configure the hub as an OSPF route reflector
C.Enable 'set auto-discovery-sender' on both spokes' phase 1
D.Disable OSPF on the hub and use static routes instead
AnswerC

Keyed as C, the only option that involves ADVPN auto-discovery at all. Note that in FortiOS the hub is the auto-discovery-sender and the spokes are auto-discovery-receivers.

Why this answer

The hub learns spoke1's routes and re-advertises them to spoke2 with itself as next hop; that is normal OSPF behaviour and exactly what a shortcut is meant to bypass. Direct spoke-to-spoke reachability requires ADVPN: auto-discovery-sender on the hub phase1, auto-discovery-receiver on each spoke phase1, and OSPF run as point-to-multipoint over the overlay, so that once the hub offers a shortcut spoke2 resolves spoke1's prefix over it. Options A and D do not create a direct path, and OSPF has no route reflector (B); that concept belongs to BGP.

128
Multi-Selecthard

A network engineer is troubleshooting an ADVPN scenario where shortcut tunnels between spokes are not forming. The hub has IKEv2 configured and the spokes are behind NAT. Which THREE conditions must be met for shortcut tunnels to establish?

Select 3 answers
A.NAT traversal is enabled on all gateways
B.Spokes are configured with 'set auto-discovery' enabled
C.IKEv1 is used for the spoke-to-hub tunnels
D.The hub's phase2 configuration has 'auto-negotiate' enabled
E.The hub's phase2 configuration includes 'add-route'
AnswersB, D, E

Spokes need auto-discovery enabled (auto-discovery-receiver on the spoke phase1) to accept shortcut offers from the hub.

Why this answer

Keyed answers: B, D, E. Spokes must accept shortcut offers (B), and the key treats auto-negotiate on the hub phase2 (D) and add-route (E) as the remaining requirements. Two corrections a practitioner should carry into production: ADVPN works with IKEv1 and IKEv2 alike, so C is a false restriction rather than a condition, and NAT traversal (A) is genuinely necessary when spokes sit behind NAT but is enabled by default on a FortiOS phase1 (set nattraversal enable), which is why the key does not count it as an extra step. add-route is primarily a phase1 setting and is usually disabled when BGP or OSPF carries the spoke prefixes.

129
MCQmedium

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is up but traffic is not passing. The administrator runs 'diagnose vpn ike gateway list' and sees that the IKE SA has been established. However, 'diagnose vpn tunnel list' shows no IPsec SA entries. What is the most likely cause?

A.The firewall policies are not configured to allow traffic through the tunnel
B.The phase 2 proposal (encryption, authentication, etc.) does not match between peers
C.The pre-shared key on both sides does not match
D.The interface MTU is set too low
AnswerB

Phase 2 negotiations fail if the proposal is mismatched, leading to no IPsec SA.

Why this answer

IKE SA established but no IPsec SA indicates that phase 2 parameters are misconfigured or the proposal is not matching.

130
MCQhard

An administrator configures a hub-and-spoke ADVPN with FortiGate at the hub and multiple remote sites. After setup, spokes establish shortcuts directly. However, traffic between two spokes consistently goes through the hub even though shortcuts should exist. Running 'diagnose npu np6 ipsec peercache' shows no shortcut entries. What is the MOST likely reason?

A.The spokes are not running BGP over the ADVPN tunnels.
B.The firewall policies on the spokes do not allow shortcut traffic.
C.Shortcut tunnels are disabled on the hub phase1 configuration.
D.The network processor (NP6) is not enabled for IPsec acceleration.
AnswerA

Why this answer

ADVPN shortcut tunnels require dynamic routing (e.g., BGP/OSPF) to exchange routes; otherwise, traffic continues via hub. The command output indicates no shortcut entries (peercache), typically because routes are not learned via routing protocol.

131
Multi-Selectmedium

A FortiGate administrator needs to configure a hub-and-spoke ADVPN with OSPF as the routing protocol over the VPN tunnels. Which TWO steps are required on the hub FortiGate to enable shortcut tunnels?

Select 2 answers
A.Set 'add-route' to 'disable' on the phase2 configuration.
B.Enable 'shortcut' option under the phase2 configuration.
C.Enable 'auto-discovery-sender' on the hub's phase1 configuration.
D.Enable 'auto-discovery-receiver' on the hub's phase1 configuration.
E.Configure OSPF network type as 'broadcast' on the hub's tunnel interface.
AnswersB, C

Why this answer

For ADVPN, the hub must be configured as auto-discovery-sender (it advertises shortcut offers); spokes are auto-discovery-receivers, so D is wrong. OSPF over the overlay is normally point-to-multipoint, so broadcast (E) is not required, and add-route (A) is unrelated to whether shortcuts form (with dynamic routing it is usually disabled anyway). B is keyed, but note that in FortiOS the ADVPN controls live in the phase1 configuration (auto-discovery-sender, auto-discovery-receiver and, for shortcut behaviour, auto-discovery-shortcuts), not in a phase2 'shortcut' option.

132
MCQhard

In a hub-and-spoke ADVPN deployment, the spoke FortiGates are configured with IKEv2 and the hub has ADVPN enabled. After initial setup, spokes communicate through the hub. The administrator wants to enable shortcut tunnels so that spokes can directly communicate. What additional configuration is required on the spokes?

A.Enable 'set auto-discovery-sender' on the spoke's phase 1 interface
B.Enable 'set add-route' on the hub's phase 1 configuration
C.Set 'set dpd retrycount' to a higher value on the spoke
D.Configure a static route on the spoke pointing to the hub
AnswerA

Keyed as A. In FortiOS the spoke-side setting that allows shortcut negotiation is auto-discovery-receiver on the spoke phase1; auto-discovery-sender belongs on the hub.

Why this answer

Shortcut negotiation is hub-driven: the hub (auto-discovery-sender) sends a shortcut offer to a spoke when it forwards traffic between two spokes, and the spoke must have auto-discovery enabled (receiver) to act on it. add-route on the hub (B) is not what triggers shortcuts and is usually disabled with dynamic routing, DPD retry counts (C) do not affect shortcuts, and a static route to the hub (D) would keep traffic hub-centric. A is the only option that enables auto-discovery on the spoke, which is why it is keyed despite naming the sender role.

133
MCQeasy

An organization uses FortiClient EMS to enforce compliance on endpoints. They want to ensure that only devices with updated antivirus definitions can access the corporate VPN. Which FortiClient configuration should be applied?

A.Create a compliance rule in FortiClient EMS to check antivirus definitions
B.Use a firewall policy to block traffic from non-compliant devices
C.Configure a ZTNA tag that requires updated antivirus
D.Enable CASB in the ZTNA proxy
AnswerA

EMS allows creating compliance rules that check endpoint posture parameters like antivirus version.

Why this answer

Compliance rules in FortiClient EMS check endpoint posture, such as antivirus status. The rule can be configured to require up-to-date antivirus definitions before allowing VPN access.

134
MCQhard

An administrator configures a multi-peer IPsec VPN on FortiGate for redundancy. The primary peer is 10.1.1.1 and secondary is 10.1.1.2. The administrator notices that when the primary peer goes down, the FortiGate does not fail over to the secondary peer until the IKE SA times out (about 60 seconds). Which setting can reduce this failover time?

A.Configure 'idle-timeout' to 30 seconds.
B.Set 'dpd-retryinterval' to 5 and 'dpd-retrycount' to 3.
C.Use aggressive mode for IKE negotiation.
D.Enable 'auto-negotiate' on the phase1 interface.
AnswerB

Why this answer

DPD retry interval and count control how quickly FortiGate detects a dead peer. With retryinterval=5 and retrycount=3, the peer is declared dead after 15 seconds of no response, triggering failover to the secondary.

135
MCQhard

An administrator runs the following commands on a FortiGate:

diagnose sys session filter dport 443
diagnose sys session list

and sees a session with the following fields:

proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate about the session?

A.The TCP handshake has not completed; the client sent SYN and is waiting for SYN-ACK
B.The session is fully established and has been idle for 1 hour
C.The session is in FIN_WAIT state and is closing
D.The session is using UDP protocol
AnswerB

proto_state=01 is an ESTABLISHED TCP session in FortiOS session output (the second digit is the TCP state: 1 ESTABLISHED, 2 SYN_SENT, 3 SYN and SYN/ACK seen, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN); a half-open session would show proto_state=02.

Why this answer

duration=3600 is the age of the session, and expire=3599 is what remains of the established-TCP timeout (3600 seconds by default) before the session is removed. Because the expire counter is reset by every packet, a value of 3599 means the session saw traffic one second ago, so 'idle for 1 hour' in option B overstates the idleness; B is nevertheless the only option that correctly describes an established session. A is wrong because SYN_SENT is proto_state=02 and a half-open session times out within seconds (tcp-halfopen-timer). C is wrong because FIN_WAIT would be proto_state=04. D is wrong because proto=6 is TCP; UDP is proto=17.

136
MCQmedium

A FortiGate is configured as a ZTNA proxy for an internal web application. The client's device posture check fails due to an outdated antivirus definition. The administrator wants to block access but still display a warning page. Which ZTNA access rule action should be used?

A.set action block
B.set action redirect
C.set action authenticate
D.set action allow
AnswerA

Block action denies access; combined with a warning portal configuration, the user sees a warning.

Why this answer

ZTNA access rules either allow or deny; there is no 'allow with warning' action. To show a warning while still refusing access, deny the request (in the FortiOS CLI the proxy-policy action is written set action deny; the exam options label it 'block') and pair the rule with the portal or replacement message that explains why the device was refused.

137
Multi-Selecthard

An administrator has a FortiGate hub with multiple spoke FortiGates in an ADVPN topology. The spokes are behind NAT and have dynamic public IPs. The hub is configured with a static IP. Which THREE steps are necessary for the spokes to establish a shortcut tunnel between each other?

A.Enable 'auto-discovery-receiver' on the hub's phase1.
B.Set the phase1 authentication method to 'signature' on all devices.
C.Configure the spokes with the hub's public IP as the remote gateway.
D.Enable 'auto-discovery-sender' on the spokes' phase1.
E.Enable NAT traversal on the hub's phase1 configuration.

AnswersC, D, E

Why this answer

The keyed trio is: point the spokes at the hub's static public IP as remote gateway (C), enable auto-discovery on the spokes (D), and keep NAT traversal enabled so IKE and ESP survive the NAT in front of the spokes (E). Two points to know beyond the key: in FortiOS the hub is the auto-discovery-sender and the spokes are auto-discovery-receivers, so the roles named in A and D are inverted relative to the CLI, and NAT traversal is enabled by default on a phase1. Certificate (signature) authentication, B, works with ADVPN but is not required; pre-shared keys are sufficient.
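
The ADVPN questions above (108, 111, 112, 114, 127, 128, 131, 132, 134 and 137) all touch the same hub-and-spoke IPsec configuration, so here it is in one place. This is an added example written for this page, not Fortinet's documentation and not material from the original question set; the interface names, the hub address 203.0.113.1, the overlay 10.255.0.0/24, the object names and the <hub-psk> placeholder are assumptions, and the proposal list is one reasonable choice rather than a requirement. It shows the role split (auto-discovery-sender on the hub, auto-discovery-receiver on the spokes), IKEv2 with the preferred proposal listed first, NAT traversal for spokes behind NAT, DPD tuned so a dead peer is declared after roughly 15 seconds, and add-route disabled so spoke prefixes come from dynamic routing over the overlay rather than from IKE.

```fortios
# ---------- HUB: static public IP 203.0.113.1 (assumed) ----------
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic                        # dialup: spokes have dynamic, NAT'd addresses
        set interface "wan1"
        set ike-version 2                       # IKEv2: no main/aggressive mode choice to get wrong
        set peertype any
        set net-device disable                  # one tunnel interface for all spokes; routing does the rest
        set proposal aes256gcm-prfsha256 aes256-sha256   # first entry wins when the peer offers both
        set add-route disable                   # spoke prefixes come from BGP/OSPF, not from IKE
        set auto-discovery-sender enable        # hub offers shortcuts (hub = sender)
        set nattraversal enable                 # on by default; required for spokes behind NAT
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3                    # 3 x 5 s: peer declared dead after ~15 s without a reply
        set psksecret <hub-psk>                 # placeholder; use a long random secret
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub-p2"
        set phase1name "advpn-hub"
        set proposal aes256gcm aes256-sha256    # phase2: AEAD first, same preference order
    next
end
config system interface
    edit "advpn-hub"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.254 255.255.255.0   # overlay /24 shared with every spoke
    next
end

# ---------- SPOKE (behind NAT); repeat per spoke with its own overlay IP ----------
config vpn ipsec phase1-interface
    edit "advpn-spoke"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.1               # hub's static public IP
        set peertype any
        set proposal aes256gcm-prfsha256 aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable      # spoke accepts shortcut offers (spoke = receiver)
        set nattraversal enable
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <hub-psk>
    next
end
config vpn ipsec phase2-interface
    edit "advpn-spoke-p2"
        set phase1name "advpn-spoke"
        set auto-negotiate enable               # spoke brings its tunnel up without waiting for traffic
        set proposal aes256gcm aes256-sha256
    next
end
config system interface
    edit "advpn-spoke"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.0
    next
end

# Verification: the spoke-hub tunnel first, then the shortcut child tunnels that appear
# once spoke-to-spoke traffic has crossed the hub
#   diagnose vpn ike gateway list
#   diagnose vpn tunnel list
```

With aes256gcm-prfsha256 listed first, a peer that supports it negotiates AES-256-GCM; the sha256 in the phase1 name is the IKE PRF, since GCM provides its own integrity. The DPD values are the tuning from question 134: three retries at five-second intervals mean a dead hub or spoke is noticed in about 15 seconds instead of waiting for the IKE SA lifetime.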

138
MCQeasy

A multinational company uses FortiGate devices as VPN gateways to connect its headquarters (HQ) and branch offices via IPsec VPN tunnels. The company is migrating its remote access solution from IPsec VPN to SSL VPN using FortiClient. Currently, 500 remote users connect via IPsec VPN with pre-shared keys and XAuth authentication. The migration must be seamless with minimal downtime, and users must continue to authenticate using their existing Active Directory credentials. The SSL VPN portal must provide access to internal web applications and some legacy TCP-based applications that do not support HTTP. The security team requires that all traffic between remote users and the internal network be encrypted and that the SSL VPN use a certificate from a public CA to avoid certificate warnings on client devices. The IT team wants to use FortiToken for two-factor authentication (2FA) for all VPN users. Which of the following is the most appropriate course of action to meet all requirements?

A.Configure SSL VPN with a self-signed certificate and use the local password database for authentication. Enable FortiToken and configure the portal to provide both web and TCP forwarding applications.
B.Deploy SSL VPN with a public CA certificate, configure LDAP authentication against Active Directory, enable FortiToken for 2FA, and create a split-tunneling policy that uses both SSL VPN web mode and tunnel mode via FortiClient.
C.Set up SSL VPN with a public CA certificate, use LDAP for authentication, but do not enable FortiToken because it would require a separate token per user.
D.Create a new IPsec VPN configuration using certificate-based authentication and FortiToken, and gradually move users to the new IPsec VPN.
AnswerB

This meets all requirements: appropriate authentication, public CA, 2FA, and access to both web and legacy TCP applications.

Why this answer

Option B is correct because it meets all requirements: a public CA certificate avoids client certificate warnings, LDAP authentication against Active Directory allows seamless credential reuse, FortiToken provides the required 2FA, and combining SSL VPN web mode (for web apps) with tunnel mode via FortiClient (for legacy TCP applications) ensures full coverage. This approach minimizes downtime by migrating users gradually without changing their authentication backend.

Exam trap

The trap here is that candidates may think SSL VPN cannot handle non-HTTP applications, but FortiClient's tunnel mode with split tunneling or full tunneling can encapsulate any TCP/UDP traffic, making it suitable for legacy applications.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate would cause certificate warnings on client devices, violating the requirement to avoid such warnings, and using the local password database does not integrate with existing Active Directory credentials. Option C is wrong because it explicitly disables FortiToken, failing the two-factor authentication requirement; the statement that FortiToken requires a separate token per user is incorrect—FortiToken can be assigned per user via the FortiGate or FortiAuthenticator. Option D is wrong because it proposes continuing with IPsec VPN instead of migrating to SSL VPN, and certificate-based authentication does not address the need for SSL VPN portal access to web and legacy TCP applications.

139
Multi-Selectmedium

An administrator needs to configure a FortiGate to act as a SAML identity provider (IdP) for a third-party cloud application (SP). Which TWO settings must be configured on the FortiGate to function as an IdP?

Select 2 answers
A.LDAP server configuration
B.SAML IdP user group
C.Service provider configuration with ACS URL and entity ID
D.SP metadata import
E.SSL VPN portal
AnswersB, C

Defines the users that can authenticate via SAML.

Why this answer

FortiGate as IdP requires a SAML IdP user group to authenticate users and a service provider configuration that includes the SP's ACS URL and entity ID.

140
MCQmedium

An administrator configures OSPF over an IPsec VPN tunnel between two FortiGates. The OSPF adjacency does not form. The tunnel is up and ping works between the loopback interfaces used for OSPF. What is the MOST likely issue?

A.OSPF is not enabled on the tunnel interface.
B.The OSPF network type on the tunnel interface is set to point-to-point but the remote side is broadcast.
C.The MTU on the tunnel interface is too large for OSPF packets.
D.The firewall policy allowing OSPF traffic (protocol 89) over the tunnel is missing.
AnswerD

Why this answer

Even if the tunnel is up, OSPF packets (protocol 89) must be explicitly permitted by a firewall policy on the tunnel. Without that policy, OSPF Hellos are dropped and adjacency fails. Network type mismatch can also cause issues, but the most common is missing policy.
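
The routing and policy side of the overlay discussed in questions 109, 112, 127 and 140, as an added example that is not part of the original page and not Fortinet's own documentation. The interface names advpn-hub, advpn-spoke and lan, the overlay 10.255.0.0/24 and the LAN prefixes are assumptions. It shows point-to-multipoint OSPF with mtu-ignore on the tunnel interfaces (the fix for neighbors stuck in EXSTART/EXCHANGE), the hub and spoke network statements, and a tunnel-to-tunnel firewall policy, which is what spoke-to-spoke traffic matches on the hub when it arrives on and leaves through the same ADVPN interface, and on a spoke when it uses a shortcut (a child of the same phase1 interface).

```fortios
# ---------- HUB: OSPF on the ADVPN overlay ----------
config router ospf
    set router-id 10.255.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "advpn-overlay"
            set interface "advpn-hub"
            set network-type point-to-multipoint   # one hub interface, many spoke neighbors
            set mtu-ignore enable                  # do not let an MTU mismatch in DBD packets stall EXSTART
        next
    end
    config network
        edit 1
            set prefix 10.255.0.0 255.255.255.0    # overlay subnet
        next
        edit 2
            set prefix 10.1.0.0 255.255.0.0        # hub LAN (assumed)
        next
    end
end

# ---------- SPOKE: same shape, its own router-id and LAN ----------
config router ospf
    set router-id 10.255.0.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "advpn-overlay"
            set interface "advpn-spoke"
            set network-type point-to-multipoint
            set mtu-ignore enable
        next
    end
    config network
        edit 1
            set prefix 10.255.0.0 255.255.255.0
        next
        edit 2
            set prefix 10.2.0.0 255.255.0.0        # this spoke's LAN (assumed)
        next
    end
end

# ---------- HUB policies: LAN<->overlay plus overlay->overlay for spoke-to-spoke transit ----------
# On a spoke, use "advpn-spoke" in place of "advpn-hub"; shortcut tunnels are children of that
# interface, so the same policies cover traffic that later flows over a shortcut.
config firewall policy
    edit 10
        set name "lan-to-overlay"
        set srcintf "lan"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "overlay-to-lan"
        set srcintf "advpn-hub"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 12
        set name "overlay-to-overlay"               # without this, spoke-to-spoke traffic dies at the hub
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The overlay-to-overlay policy is the one most often forgotten: the hub only emits a shortcut offer when it actually forwards a spoke's packet back out the ADVPN interface, so a missing tunnel-to-tunnel policy means neither transit traffic nor shortcuts. Tighten srcaddr/dstaddr to the real spoke prefixes in production; "all" is used here only to keep the example short.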

141
Multi-Selectmedium

An administrator is configuring FortiClient EMS to enforce compliance for ZTNA. Which TWO settings are required on FortiGate to use compliance-based ZTNA tags?

Select 2 answers
A.FortiClient EMS is added as a security fabric connector
B.The ZTNA proxy rule includes a condition for required ZTNA tags
C.SSL deep inspection is enabled on the firewall policy
D.A local user database is configured for authentication
E.FortiGate is configured as a SAML IdP
AnswersA, B

This allows FortiGate to retrieve tags from EMS.

Why this answer

To use compliance tags, FortiGate must have EMS configured as a fabric connector and the ZTNA proxy rule must reference the tags.
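
The two requirements from this question and the earlier ones on tag-based ZTNA rules (116, 118 and 122) in CLI form, as an added example that is not part of the original page and not Fortinet's own documentation. The EMS hostname, the public address 198.51.100.10, the certificate name, the internal server 10.10.10.20 and the object names are assumptions, and the synced tag address is shown in the EMS-name_ZTNA_tag format that FortiOS uses for EMS tags (here assumed as EMS1_ZTNA_Compliant). It shows the EMS connector that lets FortiGate retrieve tags, the access proxy that terminates TLS and proxies to a server that needs no agent, and the proxy policy whose ztna-ems-tag condition is where the Compliant requirement is actually enforced.

```fortios
# 1. EMS fabric connector: FortiGate pulls ZTNA tags from EMS over this connection
config endpoint-control fctems
    edit "EMS1"
        set server "ems.example.com"            # assumed EMS hostname
        set https-port 443
    next
end
# After saving, authorize the connector (this is where the EMS certificate is accepted):
#   execute fctems verify EMS1

# 2. ZTNA server (access proxy): FortiGate terminates the client TLS session and
#    proxies it to the real server, which runs no agent
config firewall vip
    edit "ztna-webapp-vip"
        set type access-proxy
        set extip 198.51.100.10                   # assumed address users connect to
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "ztna-gw-cert"        # assumed certificate name
    next
end
config firewall access-proxy
    edit "ztna-webapp"
        set vip "ztna-webapp-vip"
        set client-cert enable                    # require the FortiClient device certificate
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.10.10.20        # assumed internal application server
                        set port 443
                    next
                end
            next
        end
    next
end

# 3. ZTNA rule: only endpoints carrying the EMS "Compliant" tag are proxied through.
#    A device whose tag EMS has not delivered, or whose posture check failed, is denied here.
config firewall proxy-policy
    edit 1
        set name "ztna-webapp-compliant"
        set proxy access-proxy
        set access-proxy "ztna-webapp"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"    # tag address synced from EMS (name format assumed)
        set action accept
        set logtraffic all
    next
end
```

If the tag never reaches the FortiGate (the symptom in question 118), nothing in steps 2 and 3 can help: check the connector in step 1 first, then confirm the endpoint is registered to that same EMS and that the tag exists on EMS before revisiting the rule.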

142
MCQhard

A FortiGate is the SAML Service Provider (SP) for a ZTNA application. The IdP is Azure AD. After successful authentication, the user is redirected to the ZTNA proxy with a '403 Forbidden' error. The ZTNA rule has the correct groups allowed. What is the most likely missing configuration?

A.The IdP is not sending the user's group membership in the SAML assertion.
B.The ZTNA proxy certificate is not trusted by the browser.
C.The SAML user group is not mapped to a FortiGate local group.
D.The FortiGate's clock is not synchronized with the IdP.
AnswerA

Why this answer

If the IdP does not include group memberships in the SAML assertion, FortiGate cannot match the user to any allowed group in the ZTNA rule, hence the 403. The other options would cause different issues (authentication failure, certificate warning, or time sync error).

143
MCQmedium

An administrator configures a ZTNA gateway with inline CASB to monitor SaaS applications. Users report that access to Salesforce is blocked. The administrator reviews the ZTNA proxy rule and sees that inline CASB is enabled with a 'monitor-only' action. What is the MOST likely reason for the block?

A.The inline CASB profile is set to 'block' for Salesforce
B.The ZTNA proxy rule does not have SSL inspection enabled
C.FortiClient EMS is not assigning the required ZTNA tags
D.A separate application control profile is blocking Salesforce
AnswerD

Application control can block SaaS apps independently.

Why this answer

Inline CASB with 'monitor-only' should not block traffic. The block may be due to a separate application control or web filtering profile applied on the policy.

144
Matchingmedium

Match each SD-WAN component to its role.

Descriptions

Physical or virtual interface in SD-WAN zone

Group of interfaces with same role

Defines traffic steering policy

Service Level Agreement for link quality

Monitors link latency, jitter, and packet loss

Why these pairings

In FortiOS these map to the core SD-WAN objects: a member is the physical or virtual interface placed in a zone; a zone groups members that share a role; an SD-WAN rule defines the traffic steering policy; an SLA target sets the latency, jitter and packet-loss thresholds a link must meet; and a performance SLA (health check) measures those values on each member so rules can steer around degraded links.

145
MCQmedium

A company's FortiGate is configured with multiple IPsec VPN tunnels to branch offices. One tunnel keeps dropping and re-establishing every few minutes. The logs show 'IPsec SA negotiation failed' with error 'proposal mismatch'. What is the most likely cause?

A.Dead Peer Detection (DPD) configured too aggressively
B.Mismatched encryption or authentication algorithms between the two VPN peers
C.NAT-Traversal (NAT-T) not enabled
D.Pre-shared key mismatch
AnswerB

Proposal mismatch directly indicates algorithms or parameters don't match.

Why this answer

The error 'proposal mismatch' directly indicates that the two IPsec peers cannot agree on the security parameters for the IKE or IPsec SA. This occurs when the encryption algorithm (e.g., AES256 vs. AES128), authentication algorithm (e.g., SHA256 vs. SHA1), Diffie-Hellman group, or lifetime values do not match between the FortiGate and the remote peer. The tunnel drops and re-establishes because the negotiation fails, and the FortiGate retries with the same mismatched proposal, leading to repeated failures.

Exam trap

The trap here is that candidates often confuse 'proposal mismatch' with authentication failures (pre-shared key) or connectivity issues (NAT-T/DPD), but the specific log message 'proposal mismatch' is a direct indicator of cryptographic parameter disagreement, not a key or transport layer problem.

How to eliminate wrong answers

Option A is wrong because Dead Peer Detection (DPD) being too aggressive would cause the tunnel to be torn down due to missed keepalives, not a 'proposal mismatch' error; DPD failures generate 'DPD timeout' or 'peer not responding' logs. Option C is wrong because NAT-Traversal (NAT-T) not being enabled would cause issues with UDP encapsulation when a NAT device is present, but the error would be 'no response from peer' or 'NAT detection failed', not a proposal mismatch. Option D is wrong because a pre-shared key mismatch would cause an authentication failure during IKE Phase 1, resulting in 'authentication failed' or 'invalid pre-shared key' errors, not a proposal mismatch.

146
MCQeasy

An administrator is configuring SSL VPN on FortiGate and wants to allow users to access internal applications via a web portal without installing any client software. Which SSL VPN mode should be used?

A.DTLS
B.Tunnel mode
C.Web mode
D.Split tunneling
AnswerC

Web mode provides clientless access through a web portal.

Why this answer

Web mode (option C) is correct because it enables users to access internal web applications through a FortiGate SSL VPN web portal using only a standard browser, with no client software installation required. The portal acts as a reverse proxy, translating HTTPS requests from the client to the internal application servers, making it ideal for clientless remote access.

Exam trap

The trap here is confusing 'Web mode' with 'Tunnel mode' because both are SSL VPN features, but only Web mode provides clientless access via a browser portal, whereas Tunnel mode always requires the FortiClient software to be installed.

How to eliminate wrong answers

Option A is wrong because DTLS (Datagram Transport Layer Security) is a protocol used to provide low-latency encryption for UDP-based traffic in SSL VPN tunnel mode, not a standalone SSL VPN mode for clientless web portal access. Option B is wrong because Tunnel mode requires the installation of the FortiClient SSL VPN client software on the user's device to create a virtual network interface and route all or specific traffic through the tunnel, which contradicts the requirement of no client software. Option D is wrong because Split tunneling is a routing configuration that determines whether traffic destined for the internet goes through the VPN tunnel or directly to the internet; it is not an SSL VPN mode and does not define how users access applications.

147
Multi-Selecteasy

A FortiGate is acting as a SAML Service Provider (SP) for user authentication. Which TWO of the following are required for successful SAML SSO?

Select 2 answers
A.The FortiGate must have a static public IP address
B.The IdP's metadata must be imported to the FortiGate
C.The users must be in the same Active Directory domain as the FortiGate
D.A pre-shared key must be configured
E.The SP (FortiGate) must have a certificate for signing SAML requests
AnswersB, E

The metadata contains the IdP's entity ID, endpoints, and signing certificate, which FortiGate needs to trust and communicate.

Why this answer

For a SAML SP, the IdP's metadata (entity ID, SSO/SLO endpoints and signing certificate) must be imported so FortiGate can validate assertions, and the SP needs its own certificate for signing requests and, where used, decrypting assertions. Options B and E are correct. Option A is wrong because SAML works over browser HTTPS redirects and needs a resolvable name, not a static public IP; option C is wrong because the IdP, not FortiGate, owns the user directory; option D is wrong because pre-shared keys belong to IPsec, not SAML.
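
A FortiOS CLI sketch of the SP side, added here as an illustration and not part of the exam page. It also shows the group mapping that question 142 above depends on. The hostname fgt.example.com, the remote certificate name REMOTE_Cert_1 (the IdP signing certificate imported under System > Certificates > Remote), the SAML server name azure-saml, the user group name ztna-users, and the <tenant-id> and <azure-group-object-id> placeholders are all assumed; the entity ID and endpoint paths follow the SSL VPN SAML form.

```text
# SAML SP definition; idp-* values come from the IdP metadata, the rest
# are the URLs the IdP must be given for this FortiGate (hostname assumed)
config user saml
    edit "azure-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://fgt.example.com:443/remote/saml/metadata/"
        set single-sign-on-url "https://fgt.example.com:443/remote/saml/login"
        set single-logout-url "https://fgt.example.com:443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end

# Group match: the assertion must carry an attribute named "group" (per
# group-name above) whose value equals the group-name in the match entry.
# If the IdP omits the attribute, no group matches and a ZTNA rule that
# requires "ztna-users" returns 403 after a successful login.
config user group
    edit "ztna-users"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "<azure-group-object-id>"
            next
        end
    next
end
```

The `user-name` and `group-name` strings are attribute names, not values: they must match the claim names the IdP emits exactly, which is the first thing to compare when a user authenticates but lands outside every allowed group.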

148
Multi-Selectmedium

Which THREE conditions must be met for an IPsec VPN to successfully establish phase2?

Select 3 answers
A.Proxy IDs (local and remote subnets) match on both sides
B.Firewall policies allow traffic between the subnets
C.Perfect Forward Secrecy (PFS) settings match if enabled
D.Phase2 proposals match between peers
E.NAT traversal is enabled on both sides
AnswersA, C, D

Phase2 uses proxy IDs to define interesting traffic; they must match.

Why this answer

Option A is correct because IPsec Phase 2 uses proxy IDs (the local and remote subnets, i.e. the traffic selectors) to negotiate the security associations (SAs) that define which traffic is protected. If the proxy IDs do not match on both peers, the IKEv1 Quick Mode exchange (or the IKEv2 IKE_AUTH/CREATE_CHILD_SA exchange) fails and no Phase 2 SA is built. Options C and D are correct for the same reason: the Phase 2 proposal (encryption and integrity algorithms) and, when PFS is enabled, the Diffie-Hellman group are negotiated in that same exchange and must agree. Option B governs whether traffic is passed once the SA exists, not whether it negotiates, and option E is only required when a NAT device sits between the peers.

Exam trap

The trap here is that candidates often confuse firewall policy requirements with Phase 2 negotiation requirements, mistakenly thinking that firewall policies must allow traffic before Phase 2 can establish, when in fact Phase 2 only requires matching proxy IDs, proposals, and PFS settings.
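
A FortiOS CLI example covering both this question and question 145 above: one tunnel with the Phase 1 and Phase 2 parameters that must agree with the peer, followed by the debug sequence used to confirm a 'proposal mismatch'. This is added here as an illustration, not taken from the exam page. The tunnel name branch1, interface wan1, peer address 203.0.113.2 and the two subnets are assumed values; the `diagnose vpn ike log filter` syntax shown is the 7.x form and differs in older releases.

```text
# Phase 1: proposal, DH group and IKE version must match the peer's IKE policy
config vpn ipsec phase1-interface
    edit "branch1"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <pre-shared-key>
    next
end

# Phase 2: proposal, PFS group and proxy IDs must match.
# The peer's local subnet must equal dst-subnet here, and its remote subnet
# must equal src-subnet here; a mismatch here fails Phase 2 even though
# Phase 1 is up.
config vpn ipsec phase2-interface
    edit "branch1-p2"
        set phase1name "branch1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Confirming a proposal mismatch: trace IKE for this peer only, reproduce,
# then stop. Look for "no proposal chosen" / "proposal mismatch" and compare
# the listed transforms against the peer's configuration.
diagnose vpn ike log filter rem-addr4 203.0.113.2
diagnose debug application ike -1
diagnose debug enable
# ... bring the tunnel up or wait for the next rekey ...
diagnose debug disable
diagnose debug reset

# SA state: a tunnel with Phase 1 up but no Phase 2 SA shows the selectors
# negotiated so far and no installed SPIs for the failing phase2
diagnose vpn tunnel list name branch1
```

Reading the IKE debug for the failing phase tells you which of the three conditions is wrong: a selector mismatch shows in the proposed traffic selectors, while a proposal or PFS-group mismatch shows in the rejected transform list.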

149
MCQmedium

A company uses FortiGate ZTNA to provide remote access to an internal web application. The application requires client certificates for authentication. The administrator has configured the ZTNA rule to use certificate authentication. However, users report that they are prompted for credentials repeatedly. What is the most likely cause?

A.The user's password has expired.
B.The ZTNA rule is configured to use SAML authentication instead.
C.The client certificate is not trusted by the FortiGate.
D.The FortiClient EMS server is not reachable from the client.
AnswerC

An untrusted certificate causes authentication failures.

Why this answer

When a ZTNA rule is configured for certificate authentication, the FortiGate must trust the client certificate's issuing CA. If the CA certificate is not imported into the FortiGate's trusted CA list, the certificate chain validation fails, causing the authentication to be rejected and the client to be repeatedly prompted for credentials. This is the most common cause of repeated credential prompts in certificate-based ZTNA setups.

Exam trap

The trap here is that candidates often assume repeated credential prompts are caused by password issues or SAML misconfiguration, but in a certificate-based ZTNA rule, the root cause is almost always a trust issue with the client certificate's CA on the FortiGate.

How to eliminate wrong answers

Option A is wrong because a password expiration would not cause repeated credential prompts in a certificate-based authentication scenario; certificate authentication does not rely on user passwords. Option B is wrong because if the ZTNA rule were configured to use SAML, the user would be redirected to a SAML IdP for authentication, not repeatedly prompted for credentials in the same manner as a failing certificate handshake. Option D is wrong because the FortiClient EMS server being unreachable would affect endpoint compliance and posture checks, but not the certificate authentication process itself; the repeated credential prompt is a direct result of certificate validation failure, not EMS connectivity.

150
MCQmedium

An administrator configures FortiGate as a SAML identity provider (IdP) for a cloud application. The application (SP) initiates the login. Users are redirected to the FortiGate login page and authenticate successfully, but then receive an error from the SP. What is a common cause?

A.The SP's ACS (Assertion Consumer Service) URL is misconfigured on the FortiGate
B.The FortiGate's certificate is not trusted by the user's browser
C.The user's account is locked
D.The SAML attribute mapping is incorrect
AnswerA

If the ACS URL is wrong, the SP won't accept the assertion, causing an error after login.

Why this answer

When FortiGate is the IdP, it must be configured with the SP's ACS URL and entity ID. If these are incorrect, the SAML assertion is not accepted by the SP.
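
The IdP-side objects the answer refers to, as a FortiOS CLI fragment added here for illustration and not taken from the exam page. The IdP address fgt.example.com, the service-provider entry name cloud-app, the prefix and the SP URLs are assumed placeholders; in practice the entity ID and ACS URL are copied verbatim from the cloud application's SAML settings, because the SP rejects an assertion delivered to any other URL.

```text
config system saml
    set status enable
    set role identity-provider
    set cert "Fortinet_Factory"
    set server-address "fgt.example.com"
    config service-providers
        edit "cloud-app"
            set prefix "cloudapp"
            # Both values must match the SP's own SAML settings exactly
            set sp-entity-id "https://app.example.com/saml/metadata"
            # Assertion Consumer Service URL: where FortiGate posts the assertion
            set sp-single-sign-on-url "https://app.example.com/saml/acs"
            set sp-single-logout-url "https://app.example.com/saml/slo"
        next
    end
end
```

A login that succeeds on the FortiGate page and then errors at the SP is the signature of a post-authentication problem: the assertion was issued, so check the ACS URL and entity ID on this entry before looking at credentials or certificates.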
