CCNA Troubleshooting Questions

75 of 151 questions · Page 1/3 · Troubleshooting topic · Answers revealed

1
Multi-Select · medium

An administrator is troubleshooting an IPsec VPN tunnel that establishes phase 1 but fails phase 2. Which TWO commands are MOST useful to diagnose the phase 2 failure? (Choose two.)

Select 2 answers
A. diagnose sys session list
B. show vpn ipsec phase2-interface
C. get system performance status
D. diagnose vpn ike config
E. diagnose debug application ike 255
Answers: D, E

Shows phase 2 proposals and selectors.

Why this answer

Options D and E are correct. 'diagnose vpn ike config' shows the IKE configuration, including the phase 2 proposals and selectors. 'diagnose debug application ike 255' enables detailed IKE debugging, which shows the negotiation details, including the reason phase 2 fails.

2
MCQ · medium

A FortiGate is configured to send logs to FortiAnalyzer. The administrator notices that logs are not appearing on FortiAnalyzer. Running 'diagnose log device show' shows 'connected=no'. What is the most likely cause?

A. The log rate is too high and logs are being dropped
B. The FortiGate's log buffer is full
C. The FortiGate cannot reach the FortiAnalyzer due to a network issue
D. The FortiAnalyzer license has expired
Answer: C

Connectivity failure is the primary reason for 'connected=no'.

Why this answer

Option C is correct. 'connected=no' indicates that the FortiGate is not successfully establishing a connection to the FortiAnalyzer. This is commonly due to network connectivity issues between the two devices or an incorrect IP/port configuration.

3
Multi-Select · medium

A FortiGate is experiencing high latency on traffic passing through it. The administrator suspects that asymmetric routing is occurring. Which TWO symptoms are indicative of asymmetric routing?

Select 2 answers
A. The routing table shows multiple equal-cost paths to the same destination.
B. Traffic from the same source IP arrives on different interfaces for different sessions.
C. Traffic matching a policy is logged as allowed but the application does not work.
D. CPU usage is consistently above 90% during peak hours.
E. The firewall logs show TCP SYN packets but no corresponding SYN-ACK packets for the same session.
Answers: B, E

This indicates that the return traffic may be arriving on a different interface than expected.

Why this answer

Asymmetric routing occurs when traffic from the same source IP takes different paths through the network, causing packets to arrive on different FortiGate interfaces for different sessions. This breaks stateful inspection because the firewall expects all packets of a session to traverse the same interface; when they don't, it can lead to session timeouts or dropped packets, manifesting as high latency.

Exam trap

The trap here is that candidates often confuse asymmetric routing with general routing issues like ECMP (option A) or performance problems (option D), but the exam specifically tests the stateful firewall behavior where traffic arriving on different interfaces for the same session is the definitive symptom.

4
MCQ · hard

A FortiGate in an HA cluster shows the message 'split-brain detected' in the event log. The administrator checks the HA status and sees both units are in 'standalone' mode. What is the MOST likely cause of this split-brain scenario?

A. The heartbeat interface is down on both units, causing them to assume they are the primary
B. The HA priority is set to the same value on both units
C. The HA mode is set to 'active-active' instead of 'active-passive'
D. The HA cluster is using a unicast heartbeat and the configuration is incorrect
Answer: A

When heartbeat communication is lost, both units may assume primary role, leading to split-brain.

Why this answer

Option A is correct. Loss of heartbeat communication is the typical cause of split-brain.

5
Multi-Select · easy

A FortiGate is experiencing high CPU usage due to a large number of sessions. Which TWO actions can the admin take to mitigate the issue? (Choose two.)

Select 2 answers
A. Set a shorter session TTL for idle sessions to free up resources
B. Increase the session table size
C. Upgrade the firmware to the latest version
D. Implement session rate limiting using 'config system session-ttl'
E. Disable all security profiles
Answers: A, D

Shorter TTL removes idle sessions quicker, reducing table size and CPU overhead.

Why this answer

Rate limiting sessions and shortening the session TTL can reduce CPU load by controlling session creation and expiration. Options A and D are correct.

6
MCQ · hard

An administrator is troubleshooting an SD-WAN scenario where traffic from a branch office to a critical SaaS application is experiencing high latency. The SD-WAN rule uses the best quality SLA strategy. The administrator runs 'diagnose sys sdwan neighbor' and sees that both WAN links have SLA compliance above 90%. However, traffic still uses the slower link. The administrator then runs 'diagnose sys sdwan health-check list' and notices that the health-check server IP is different from the SaaS application's server IP. What is the MOST likely reason the traffic is not using the best-performing link?

A. The health-check server's IP does not match the application's destination IP, so SLA measurements are not representative
B. The SD-WAN rule is configured with 'set load-balance-mode' instead of 'best-quality'
C. The health-check server is not reachable from the faster link
D. The SD-WAN rule has a manual routing override configured
Answer: A

SLA probes measure performance to the configured server, which may not correlate with actual performance to a different destination. The administrator should configure a health-check server that represents the real application traffic.

Why this answer

SD-WAN SLA health checks measure performance to a specific server (e.g., a public DNS or internet IP). If the actual application traffic goes to a different server, the measured SLA may not reflect the real path performance to that destination. The route selection logic uses SLA results only for the configured health-check server.

7
MCQ · hard

An administrator is testing failover in an HA cluster. They unplug the primary FortiGate's port1 (the heartbeat interface) but the secondary does not take over. The heartbeat is configured on port1. What is the MOST likely cause?

A. The primary unit still has a heartbeat path through other interfaces
B. The HA uptime is less than the failover hold time
C. The secondary unit's priority is higher than the primary's
D. The secondary unit has a faulty power supply
Answer: A

If heartbeat is configured on multiple interfaces, the secondary may still receive heartbeat from the primary via another interface, preventing failover.

Why this answer

Option A is correct. In HA, failover is triggered by loss of heartbeat together with loss of monitored ports or a dead gateway. Unplugging port1 removes the heartbeat on that interface, but if heartbeat is also configured on another interface, the secondary still receives the primary's heartbeat over that path, so the failover threshold is not met and the primary, which is still operational, remains primary.

Simply unplugging one heartbeat interface while the primary is still up is therefore more likely to leave the cluster unchanged (or, if every heartbeat path is lost, to cause split-brain) than to trigger a failover. The most plausible explanation is that the primary still has another heartbeat path or the failover threshold is not met, which is option A.

8
MCQ · easy

A network administrator runs 'get system ha status' on a FortiGate HA cluster and sees that only one unit shows as primary. The secondary unit shows as 'standalone' with no HA peer detected. What is the MOST likely cause of this issue?

A. The cluster serial numbers do not match
B. The heartbeat interface is down or misconfigured
C. The HA group ID is different on each unit
D. The HA priority on the secondary unit is set to 0
Answer: B

If the heartbeat link fails, the secondary cannot communicate with the primary and will assume it is standalone, resulting in the observed status.

Why this answer

When the HA heartbeat link is down, the secondary unit cannot detect the primary and will operate as standalone. The serial number mismatch or priority settings would cause different behavior (e.g., split-brain or both primary).

9
MCQ · medium

A FortiGate admin runs 'diagnose debug application authd -1' but sees no output for LDAP authentication attempts. What is the MOST likely reason?

A. The LDAP server is unreachable
B. The FortiGate is in FIPS mode
C. The LDAP server timed out
D. Debug flow is not enabled
Answer: D

To see authd debug, you need to enable debug flow or set debug level.

Why this answer

Option D is correct because without enabling debug flow or setting the debug level, authd may not output debug messages. Option A is not specific to authd. Option C would cause connection errors rather than silence. Option B is unlikely.

10
MCQ · medium

An administrator configures BGP route advertisement but the routes are not being sent to the neighbor. The BGP session is established. What is the MOST likely cause?

A. The BGP administrative distance is set too high
B. The BGP neighbor has the wrong update-source interface
C. The route is filtered by a route-map
D. The 'network' statement is missing for the desired prefix
Answer: D

Without a network statement, FortiGate does not advertise the route even if it is in the routing table.

Why this answer

For routes to be advertised, they must be present in the BGP table, which requires either redistribution from another protocol or manual network statements. The most common causes are missing 'network' statements or redistribution configuration.

11
MCQ · hard

An administrator is troubleshooting BGP and runs 'get router info bgp neighbors 10.0.0.1' and sees 'BGP state = Active'. The neighbor IP is reachable via ping. What is the most likely cause?

A. The BGP update-source interface is missing
B. The BGP network statement is missing
C. The BGP router-id is not configured
D. The BGP neighbor's remote-as is misconfigured
Answer: D

A mismatch in remote AS will cause the neighbor to reject the connection, leading to Active state.

Why this answer

BGP state Active indicates the router is trying to initiate a TCP connection but has not received a response. Since ping works, the issue is likely a TCP port 179 issue, such as a firewall blocking the port or BGP misconfiguration (e.g., wrong remote AS).

12
MCQ · hard

A FortiGate is deployed as the edge firewall for a medium-sized enterprise. The network has three internal zones: Trust (10.10.0.0/16), DMZ (172.16.0.0/24), and Guest (192.168.0.0/24). The FortiGate has an IPSec VPN to a branch office (10.20.0.0/16). Users in the Trust zone report intermittent connectivity to a web server in the DMZ (172.16.0.10, TCP port 443). The FortiGate logs show occasional 'session denied' messages for traffic from Trust to DMZ with reason 'denied by forward policy check'. The security policy has an explicit allow rule for Trust to DMZ HTTPS. The administrator has verified routing is correct and there are no address overlaps. When the issue occurs, the administrator runs 'diag debug flow' and sees that the packet matches the correct policy but still gets denied. The debug output also shows 'forward policy check: denied'. What is the most likely cause and recommended action?

A. A traffic shaping policy or application control profile is blocking the traffic; review and adjust the traffic shaping policy or application control profile applied to the policy.
B. The route to the DMZ is intermittently flapping; add a static route with a higher distance.
C. The security profiles (AV, IPS) are blocking the traffic; temporarily disable all security profiles on the policy.
D. The session helper for HTTPS is interfering; disable the HTTPS session helper.
Answer: A

Forward policy check denials are caused by traffic shaping or application control.

Why this answer

The debug flow output shows the packet matches the correct security policy but is still denied by 'forward policy check'. This indicates that a secondary policy component, such as a traffic shaping policy or application control profile, is blocking the traffic. These features can override the security policy action if they are configured to deny or drop matching traffic, even when the security policy itself is set to allow.

Exam trap

The trap here is that candidates often assume a security policy 'allow' rule is sufficient, overlooking that FortiGate's forward policy check evaluates additional policy layers (like traffic shaping or application control) that can independently deny traffic even after a security policy match.

How to eliminate wrong answers

Option B is wrong because route flapping would cause 'no route to host' errors, not 'denied by forward policy check' in the debug flow; the administrator has already verified routing is correct. Option C is wrong because security profiles (AV, IPS) would show specific block messages in the logs (e.g., 'IPS: blocked') and the debug flow would indicate the profile action, not a generic 'forward policy check' denial. Option D is wrong because the HTTPS session helper is used for non-standard ports or explicit proxy scenarios and does not cause 'forward policy check' denials; disabling it would not resolve a policy-based block.

13
MCQ · easy

An administrator needs to monitor the FortiGate's CPU usage in real-time from the CLI. Which command should be used?

A. diagnose debug application httpsd
B. diagnose hardware sysinfo memory
C. get system performance status
D. diagnose sys top
Answer: D

This is the correct command for real-time CPU monitoring.

Why this answer

The command 'diagnose sys top' displays real-time CPU and memory usage for FortiGate processes, similar to 'top' on Linux. It's the standard CLI tool for performance monitoring.

14
MCQ · medium

A FortiGate administrator notices that traffic from a specific subnet is being dropped unexpectedly. The security policy allows the traffic, and there are no firewall policies blocking it. What is the most efficient first step to identify the cause of the drops?

A. Use the 'diag sniffer packet any "host 10.0.1.0/24" 4' command to capture packets and analyze where they are dropped.
B. Run 'diagnose debug flow' with the source IP and look for 'no matching policy' or 'dropped' messages.
C. Enable 'deny-log' on all policies and check logs for the subnet.
D. Enable global traffic logging and review logs after some traffic passes.
Answer: A

Packet sniffer with filter can capture the actual packets and show the drop reason in the output.

Why this answer

The 'diag sniffer packet any "host 10.0.1.0/24" 4' command captures packets at the kernel level before firewall processing, allowing you to see if traffic is reaching the FortiGate and where it is being dropped (e.g., due to reverse-path forwarding, session helper, or DoS policies). This is the most efficient first step because it provides immediate, low-level visibility into packet drops without requiring configuration changes or waiting for logs.

Exam trap

The trap here is that candidates often jump to 'diagnose debug flow' as the default troubleshooting tool, but it only works after a session is created, missing pre-session drops that the sniffer can immediately expose.

How to eliminate wrong answers

Option B is wrong because 'diagnose debug flow' is a session-level debug that requires traffic to first match a session; if traffic is dropped before session creation (e.g., by ASIC, DoS policy, or RPF check), the debug flow may show no output or misleading 'no matching policy' messages, wasting time. Option C is wrong because enabling 'deny-log' on all policies only logs drops caused by explicit firewall policies, but the question states no policies are blocking the traffic, so this would not capture the actual drop cause (e.g., session helper, DoS, or routing issues). Option D is wrong because enabling global traffic logging requires a configuration change and waiting for traffic to pass, which is inefficient; logs may also not show the specific drop reason (e.g., kernel-level drops are not always logged).

15
MCQ · medium

Two FortiGates in an HA cluster are experiencing a split-brain scenario where both units become primary. The administrator checks the HA configuration and sees that the heartbeat interfaces are configured correctly but the link status is 'down' on both units. What could cause this?

A. The heartbeat interface has been administratively disabled
B. The physical cable connecting the heartbeat interfaces is faulty
C. The HA group ID is different on each unit
D. The HA priority values are the same on both units
Answer: B

Correct. A faulty cable causes link down, leading to loss of heartbeat and split-brain.

Why this answer

A split-brain occurs when heartbeat communication is lost. If the heartbeat interfaces show link down, it indicates a physical or layer-1 issue, such as a faulty cable or switch port.

16
MCQ · easy

An administrator needs to verify if a FortiGate is receiving BGP routes from a peer. Which command should the admin run to see the BGP routing table?

A. get router info routing-table bgp
B. show ip bgp
C. diagnose ip router bgp table
D. get router info bgp table
Answer: D

This command shows the BGP routing table entries.

Why this answer

'get router info bgp table' displays the BGP routing table, showing learned and advertised routes.

17
MCQ · easy

An administrator needs to check the health of an SD-WAN link by viewing the last SLA probe results. Which command should be used?

A. diagnose sys sdwan sla-log
B. get system interface physical
C. diagnose debug application sdwan -1
D. diagnose sys virtual-wan-link health-check
Answer: D

This command shows the results of SD-WAN health checks including SLA status.

Why this answer

Option D is correct. 'diagnose sys virtual-wan-link health-check' displays the current health check status.

18
Multi-Select · hard

A FortiGate administrator is investigating a slow network performance issue. The administrator suspects that session table limits are being reached. Which TWO metrics should be monitored to confirm this? (Choose two.)

Select 2 answers
A. Interface bandwidth utilization
B. Session fail rate
C. Current session count
D. CPU usage
E. Memory usage
Answers: B, C

A high session fail rate may indicate that new session creation is being denied due to table limits.

Why this answer

Options B and C are correct. Current session count shows how many sessions exist, and session fail rate indicates whether new sessions are being dropped.

19
Multi-Select · medium

An administrator is troubleshooting an IPsec VPN tunnel that establishes phase 1 but fails to establish phase 2. The phase 2 configuration shows 'set proposal aes128-sha256' on both sides. Which TWO configuration items should the administrator verify?

Select 2 answers
A. PFS (Perfect Forward Secrecy) settings
B. The local authentication method (certificate vs pre-shared key)
C. The encryption algorithm for phase 2
D. The local and remote subnets defined in phase 2 (proxy IDs)
E. The pre-shared key
Answers: A, D

If one side has PFS enabled and the other does not, or they use different DH groups, phase 2 will fail.

Why this answer

Even if phase 1 succeeds, phase 2 can fail due to mismatched proxy IDs (local/remote subnets) or mismatched PFS settings. Authentication method and encryption algorithm are phase 1 parameters.

20
MCQ · hard

In an HA cluster, after a failover, some established sessions are not being synchronized to the new primary unit. Which setting must be enabled to ensure session synchronization?

A. set override enable
B. set sync-sessions enable
C. set priority <value>
D. set session-pickup enable
Answer: D

This enables session synchronization in HA.

Why this answer

Option D is correct because 'set session-pickup enable' under 'config system ha' enables session synchronization between HA members. Option A controls failover order. Option C sets the unit priority. Option B is not a valid setting.

21
Multi-Select · easy

A FortiGate administrator wants to monitor performance thresholds to be alerted when the firewall is under heavy load. Which THREE metrics can be monitored using the built-in performance monitoring features (e.g., 'diagnose sys top' or SNMP)?

Select 3 answers
A. CPU utilization percentage
B. Interface speed
C. Number of concurrent sessions
D. Disk space utilization
E. Memory utilization percentage
Answers: A, C, E

CPU usage is a critical performance indicator.

Why this answer

Common performance metrics include CPU usage, memory usage, and session count. Disk usage is not a direct performance metric for firewall throughput, and interface speed is a capacity metric rather than load.

22
Multi-Select · hard

An administrator is troubleshooting an IPsec VPN Phase 2 negotiation failure. The debug shows 'no matching phase 2 proposal' from the remote peer. Which TWO of the following are likely causes? (Choose two.)

Select 2 answers
A. The local and remote proxy IDs (subnets) are not matching
B. The pre-shared key is incorrect
C. The firewall policy does not allow UDP port 500
D. The encryption algorithm (e.g., AES256 vs AES128) does not match between peers
E. The IKE version (IKEv1 vs IKEv2) is different
Answers: A, D

Phase 2 requires matching proxy IDs to establish SAs.

Why this answer

Options A and D are correct. A phase 2 proposal mismatch is usually due to incompatible encryption/authentication algorithms (D) or mismatched proxy IDs, i.e. local/remote subnets (A). Options B and C would not cause a proposal mismatch.

23
Multi-Select · medium

A network administrator is troubleshooting a split-brain scenario in an HA cluster. Which TWO conditions can cause split-brain? (Choose two.)

Select 2 answers
A. Loss of heartbeat link between HA members
B. One unit has a higher priority
C. Firmware version mismatch
D. Mismatched HA configuration (e.g., different HA mode)
E. Session pickup is disabled
Answers: A, D

Without heartbeat, each unit assumes the other is down and becomes primary.

Why this answer

Options A and D are correct. Loss of HA heartbeat communication (A) causes both units to think they are primary. Mismatched HA configuration (D) can also cause split-brain.

Option B causes failover but not split-brain. Option C is irrelevant.

24
Multi-Select · medium

An admin is troubleshooting an IPsec VPN tunnel that is failing phase 2. The IKE debug shows 'no matching proposal'. Which TWO settings should the admin verify on both sides? (Choose two.)

Select 2 answers
A. Dead Peer Detection interval
B. Encryption algorithm (e.g., AES128, AES256)
C. Diffie-Hellman group for PFS
D. Pre-shared key
E. Local and remote gateway IP addresses
Answers: B, C

Part of phase 2 proposal.

Why this answer

Phase 2 uses different proposals than phase 1. The phase 2 proposal consists of the encryption algorithm (ESP), the authentication algorithm, and perfect forward secrecy (PFS). Options B and C are correct because they are part of the phase 2 proposal.

25
MCQ · medium

A FortiGate administrator is troubleshooting a VPN tunnel that connects to a remote site. The tunnel is up, but traffic is not passing. The administrator checks the Phase 2 settings and sees that the local and remote subnets are correctly defined. What is the next step to diagnose the issue?

A. Check the firewall policies that reference the VPN interface
B. Check the routing table for the remote subnet
C. Run 'diagnose vpn ike log' to check for Phase 1 errors
D. Restart the VPN tunnel
Answer: A

Even if the tunnel is up, traffic must be allowed by a firewall policy from the VPN interface to the destination zone.

Why this answer

Option A is correct. Missing or incorrect firewall policies are a common cause of traffic not passing through an established VPN.

26
MCQ · medium

A network administrator is troubleshooting an IPsec VPN tunnel that fails to establish. The remote gateway logs show a proposal mismatch. On FortiGate, the administrator runs 'diagnose vpn ike config' and sees 'proposal: aes128-sha1, aes256-sha256'. The remote side expects 'aes256-sha1'. What is the most likely cause?

A. The Phase 1 proposal list does not include the algorithm combination the remote gateway requires
B. The pre-shared key is incorrect
C. The Phase 2 selectors are misconfigured
D. The IKE version is set to 1 but remote uses 2
Answer: A

Correct. The local proposal list must contain at least one matching algorithm set that the remote gateway supports.

Why this answer

The proposal mismatch occurs because the FortiGate's IKE proposal includes aes256-sha256 but not aes256-sha1, and the remote gateway expects aes256-sha1. The correct action is to add aes256-sha1 to the proposal list.

27
MCQ · easy

An administrator wants to monitor the session count on a FortiGate in real time. Which CLI command provides this information?

A. diagnose sys top
B. get system performance status
C. diagnose sys session stat
D. diagnose debug enable
Answer: C

This command displays current session statistics including total session count.

Why this answer

Option C is correct. 'diagnose sys session stat' shows session statistics.

28
MCQ · easy

An administrator applies the above policy but users from 10.0.1.0/24 cannot access web servers at 10.0.2.0/24. However, they can ping the servers. What is the most likely cause?

A. The service 'HTTP' does not include port 443 or the web application is using HTTPS.
B. The destination address is incorrect.
C. The schedule 'always' is not correctly configured.
D. The source interface is incorrect.
Answer: A

The service 'HTTP' only covers port 80; if the web server uses HTTPS (port 443), the policy won't match.

Why this answer

The policy allows HTTP traffic (port 80), but the web servers are likely using HTTPS (port 443). Since the service object 'HTTP' in FortiGate typically only includes TCP/80, HTTPS traffic is denied by default. The administrator can ping the servers because ICMP is permitted by an implicit or explicit policy, confirming that routing and connectivity are functional.

Exam trap

The trap here is that candidates assume 'HTTP' covers all web traffic, but FortiGate strictly matches the defined ports in the service object, so HTTPS (port 443) is blocked unless explicitly permitted.

How to eliminate wrong answers

Option B is wrong because the destination address 10.0.2.0/24 is correct for the web servers, and ping success confirms reachability. Option C is wrong because the schedule 'always' is a default, always-active schedule that cannot be misconfigured; if it were invalid, no traffic would pass. Option D is wrong because the source interface is correctly set to the interface connected to 10.0.1.0/24, as evidenced by successful ping traffic from that subnet.

29
MCQ · hard

An administrator is investigating a security incident and needs to view raw logs from a FortiAnalyzer for a specific time range. The administrator wants to ensure the logs are not aggregated or summarized. Which type of log view should be used?

A. Event Management
B. FortiView
C. Reports
D. Log View
Answer: D

Log View displays raw, unaggregated logs from the FortiAnalyzer, ideal for detailed incident investigation.

Why this answer

Option D is correct. Log View provides access to raw logs without aggregation.

30
MCQ · hard

An administrator is troubleshooting an HA cluster (active-passive) where both units show 'primary' in 'get system ha status'. The cluster is not synchronizing configurations. What is the MOST likely cause?

A. The HA password is incorrect
B. The HA heartbeat interface is disconnected or misconfigured
C. The HA group ID is mismatched
D. The HA priority values are equal for both units
Answer: B

If heartbeat communication fails, each unit assumes the other is down and transitions to primary, causing a split-brain.

Why this answer

When both units claim to be primary, it indicates a split-brain scenario. This is typically caused by HA heartbeat failure, often due to a faulty or disconnected HA heartbeat interface.

31
Multi-Select · medium

A FortiGate administrator is troubleshooting a BGP session that fails to establish with a neighbor at 10.0.1.1. Running 'diagnose ip router bgp all' shows the neighbor state as 'Idle'. Which TWO commands should the administrator run NEXT to diagnose the issue?

Select 2 answers
A. show full-configuration router bgp
B. execute ping 10.0.1.1
C. diagnose ip router bgp all
D. diagnose sys session filter dport 179
E. get router info bgp summary
Answers: A, B

This displays the complete BGP configuration, including neighbor IP, remote AS, and update-source, helping identify misconfiguration.

Why this answer

To diagnose BGP neighbor establishment issues, the administrator should check both the BGP configuration (including neighbor settings) and the network connectivity (e.g., TCP port 179) between peers.

32
MCQ · medium

A FortiGate VPN tunnel shows 'phase1 negotiation failed' in the logs. The remote gateway is a third-party device. The debug command 'diagnose vpn ike config' shows mismatched proposals. Which setting is MOST likely incorrect on the FortiGate?

A. The pre-shared key
B. The local ID type
C. The encryption algorithm (e.g., AES256 vs 3DES)
D. The DPD configuration
Answer: C

Mismatched encryption algorithms cause phase1 failure.

Why this answer

Phase 1 negotiation fails when proposals do not match. Common causes include an encryption algorithm, hash, DH group, or lifetime mismatch. Option C is correct because the encryption algorithm is a key part of the proposal.

33
MCQ · easy

Which FortiGate command is used to view the current CPU usage of individual processes in real time?

A. diagnose sys session stat
B. get system performance status
C. diagnose sys top
D. diagnose hardware sysinfo memory
Answer: C

This shows real-time per-process CPU and memory usage.

Why this answer

Option C is correct. 'diagnose sys top' displays a top-like process list with CPU and memory usage.

34
MCQ · easy

A FortiGate administrator needs to identify which process is consuming the most memory. Which command should be used?

A. diagnose sys top
B. show system resource usage
C. diagnose hardware sysinfo memory
D. get system performance status
Answer: A

This command displays processes and memory usage; pressing 'm' sorts by memory.

Why this answer

The 'diagnose sys top' command shows processes sorted by CPU usage by default; pressing 'm' changes sort to memory usage.

35
Multi-Select · medium

An administrator is troubleshooting a BGP session that is not establishing between two FortiGates. The administrator has verified that the neighbor IP is reachable. Which TWO commands should be used to further diagnose the issue? (Choose two.)

Select 2 answers
A. get router info bgp neighbor <IP>
B. diagnose debug flow filter daddr <IP>
C. get router info routing-table bgp
D. diagnose sys session filter dport 179
E. diagnose ip router bgp all enable
Answers: A, E

This command shows BGP session state and counters, useful for troubleshooting.

Why this answer

Options A and E are correct. 'get router info bgp neighbor' shows the session state, and 'diagnose ip router bgp all enable' provides debug output for the negotiation.

36
MCQ · medium

An administrator is configuring SD-WAN with multiple members. When a rule matches, traffic is not being load-balanced as expected. Which command should the admin use to verify the SD-WAN rule selection for a specific flow?

A. diagnose sys session list
B. get system sdwan status
C. diagnose netlink interface list
D. diagnose sys sdwan info
Answer: D

This command displays SD-WAN rules, members, and their status, aiding in rule selection verification.

Why this answer

The command 'diagnose sys sdwan info' shows SD-WAN configuration and rule mapping, helping verify which rule is applied.

37
MCQ · hard

You are troubleshooting a BGP session between FortiGate and an ISP router. The FortiGate shows BGP state 'Active' and the debug output shows 'No route to peer'. The ISP router's loopback IP is 203.0.113.1, and the next-hop interface is port1 (10.0.0.1/30). The FortiGate has a static route to 203.0.113.1 via port1. What is the MOST likely cause?

A.The BGP neighbor IP is not reachable due to an ACL on the ISP router
B.The BGP update-source is set to a different interface
C.The static route's outgoing interface (port1) is administratively down
D.The BGP configuration has 'next-hop-self' disabled
AnswerC

If port1 is down, the static route is removed from the routing table, causing 'No route to peer'.

Why this answer

The 'No route to peer' message indicates FortiGate cannot find a route to the peer IP. Even though a static route exists, if the route's outgoing interface is down, it's not in the routing table. Option C is correct because a down interface invalidates the static route.

38
Multi-Selecthard

An administrator notices that after upgrading FortiOS, some traffic that was previously inspected by the antivirus profile is now bypassing scanning. The administrator suspects the session helper configuration may be interfering. Which TWO session helper protocols are known to potentially affect traffic inspection if improperly configured?

Select 2 answers
B.FTP
C.PPTP
E.SIP
AnswersB, E

FTP helper manages data channels; improper configuration can lead to inspection gaps.

Why this answer

Session helpers like SIP and FTP can alter sessions (e.g., opening dynamic ports) which can cause traffic to bypass security profiles if not handled correctly. TFTP and HTTP helpers are less likely to cause such issues; PPTP is less common.

39
MCQmedium

A BGP route from an ISP is not appearing in the FortiGate's routing table. The BGP session is established and 'show ip bgp' shows the route as valid but not best. Which command should the admin use to investigate why the route is not selected as best?

A.execute router bgp show
B.diagnose ip router bgp routes
C.get router info bgp summary
D.diagnose ip router bgp network
AnswerB

This command shows BGP route details and best path selection reasons.

Why this answer

The 'diagnose ip router bgp routes' command provides detailed BGP route information, including the reason why a route is not best (e.g., weight, local preference, AS path, MED). Option B is correct.

40
MCQhard

An administrator configures an ALG for SIP traffic but notices that some SIP calls are failing. The admin suspects the ALG is modifying SIP headers incorrectly. Which debug command can help verify the ALG's actions on SIP packets?

A.diagnose debug application sip -1
B.diagnose debug application alg -1
C.get system performance status
D.diagnose sys session filter proto 17
AnswerA

This enables detailed SIP ALG debug output.

Why this answer

'diagnose debug application sip -1' enables SIP ALG debugging, showing how the ALG processes SIP messages.

41
Multi-Selectmedium

An administrator is troubleshooting a scenario where VoIP traffic is not being properly handled by the FortiGate. The SIP ALG is enabled. Which THREE commands should the administrator run to diagnose the SIP traffic flow?

Select 2 answers
A.get router info routing-table all
B.diagnose sys session filter dport 5060
C.diagnose debug application sip -1
D.diagnose debug application sip -1
AnswersB, C

SIP typically uses UDP 5060; filtering sessions on this port helps see if SIP sessions are being created.

Why this answer

To diagnose SIP ALG issues, the administrator should check SIP-specific debug, session table for UDP 5060, and application control logs. Viewing general traffic logs is less specific, and checking the routing table is not directly relevant to ALG processing.

42
MCQeasy

Which of the following is a valid command to check the status of all BGP neighbors on a FortiGate?

A.diagnose router bgp summary
B.get router info bgp summary
C.show bgp neighbors
D.diagnose ip router bgp all
AnswerB

This is the correct command to display BGP neighbor status.

Why this answer

Option B is correct. 'get router info bgp summary' displays a summary of all BGP neighbors and their states.

43
MCQhard

An administrator configures a session helper for FTP but notices that active FTP data connections are not being allowed through the firewall. The FTP control session establishes fine. What is the MOST likely cause?

A.The FTP server is using passive mode
B.The FTP session helper is not enabled on the firewall policy
C.The ALG is configured to use proxy-based inspection instead of flow-based
D.The firewall policy has NAT enabled
AnswerB

Without the session helper enabled, FortiGate will not inspect FTP control traffic and will not open pinholes for data connections.

Why this answer

Active FTP requires the server to initiate a data connection back to the client. The session helper should dynamically create pinholes for these connections. If the session helper is not enabled for the policy, the data connection will be blocked.

44
MCQhard

You are troubleshooting a VPN phase 2 negotiation failure. The logs show 'no proposal chosen'. What is the MOST likely cause?

A.The remote gateway IP is incorrect
B.The pre-shared key mismatch
C.The IKE version mismatch
D.The phase 2 proposal settings differ between the peers
AnswerD

Mismatched algorithms cause 'no proposal chosen'.

Why this answer

Option D is correct because 'no proposal chosen' indicates that the encryption/authentication algorithms proposed by the initiator do not match the responder's configured settings. Option A would cause phase 1 failure. Option B would cause phase 1 failure. Option C is not a direct cause.

45
MCQmedium

During a failover test in an active-passive HA cluster, the administrator notices that the secondary unit does not take over the primary role after a link failure on the primary. The 'get system ha status' shows both units in 'standalone' mode. What is the MOST likely cause?

A.The session pickup feature is disabled
B.The HA heartbeat interface is down or misconfigured on one unit
C.The cluster is running in active-active mode
D.The HA override feature is disabled
AnswerB

Heartbeat failure causes units to operate independently as standalone.

Why this answer

Option B is correct. If both units show standalone, the HA heartbeat is not functioning. The most common cause is that the HA heartbeat interface is not configured correctly or is down on one unit.

46
Multi-Selectmedium

An administrator is troubleshooting an IPsec VPN where phase 1 is up but phase 2 fails. Which two debug commands would be MOST helpful in diagnosing the phase 2 issue? (Choose TWO.)

Select 2 answers
A.diagnose sys session list
B.diagnose debug application ipsec -1
C.diagnose vpn ipsec phase2-config
D.get vpn ipsec tunnel details
E.diagnose debug application ike -1
AnswersC, E

This shows the configured phase 2 parameters, helpful for mismatch detection.

Why this answer

Phase 2 uses IPsec SA negotiation, which is logged by IKE debug. Additionally, checking the phase 2 configuration can reveal mismatches. The correct commands are C and E.

47
MCQeasy

A FortiGate administrator wants to see the current number of active sessions. Which command provides this information?

A.show system session-info
B.diagnose sys session stat
C.diagnose sys session list
D.get system performance status
AnswerB

This command shows session count and other statistics.

Why this answer

The 'diagnose sys session stat' command displays session statistics, including the total number of sessions.

48
MCQmedium

A site-to-site IPsec VPN tunnel is failing. The administrator runs 'diagnose vpn ike config' and sees that phase 1 parameters are correct. However, phase 2 negotiation fails with 'no proposal chosen'. What is the MOST likely cause?

A.The pre-shared key is incorrect
B.The phase 2 encryption/authentication algorithms do not match between peers
C.The firewall policy allowing IKE traffic is missing
D.The remote gateway IP address is wrong
AnswerB

Phase 2 negotiation fails when proposals do not match.

Why this answer

Option B is correct. The 'no proposal chosen' error in phase 2 indicates a mismatch in the phase 2 parameters (encryption, authentication, PFS, etc.) between the two peers. The administrator should verify that the phase 2 selectors and proposals match on both ends.

49
MCQmedium

An administrator wants to troubleshoot why specific traffic is not matching a configured firewall policy. Which debug command should be used?

A.diagnose sys session list
B.get firewall policy <id>
C.diagnose netlink interface list
D.diagnose debug flow
AnswerD

This traces packet flow and shows policy matching.

Why this answer

Option D is correct because 'diagnose debug flow' shows packet flow and policy matching decisions. Option A shows current sessions. Option B shows firewall statistics. Option C shows interfaces.

50
MCQhard

An administrator runs 'diagnose debug application fnbam -1' and sees messages like 'LB_SELECT: selected server 10.0.0.2:80' but the client connection fails. The FortiGate is configured with server load balancing. What could be the issue?

A.The real server is not reachable or is down
B.The load balancing algorithm is set to least-connection
C.The persistence setting is misconfigured
D.The virtual server IP is overlapping with a physical interface
AnswerA

Correct. The debug shows selection, but the server may not be listening or reachable.

Why this answer

The debug shows the load balancer selected a server, but the connection fails. This indicates the server is not responding or the health check is failing. The administrator should check the server's health and ensure the real server is up.

51
MCQmedium

A FortiGate is configured with multiple BGP peers. One of the peers is not receiving the expected routes. The administrator runs 'get router info bgp neighbors <IP>' and sees that the 'State/PfxRcd' field is 'Active'. What does this indicate?

A.The BGP peer has reached the maximum prefix limit
B.The BGP peer has been administratively shut down
C.The BGP session is in the Active state, meaning the FortiGate is trying to establish a TCP connection to the peer
D.The BGP session has been established and routes are being exchanged
AnswerC

Active state indicates the router is actively trying to initiate a TCP connection to the peer, but the session is not yet up.

Why this answer

Option C is correct. The Active state in BGP means the router is attempting to establish a TCP connection; the session is not yet up.

52
MCQmedium

An administrator notices high CPU usage on a FortiGate. To identify which process is consuming the most CPU, which command should be used?

A.diagnose sys top
B.diagnose sys session stat
C.get system performance status
D.diagnose hardware sysinfo
AnswerA

This displays a list of processes sorted by CPU usage.

Why this answer

'diagnose sys top' provides a real-time view of process CPU usage, similar to Linux 'top', allowing identification of resource-intensive processes.

53
Multi-Selecthard

A FortiGate HA cluster is experiencing persistent split-brain even after both units are rebooted. Which THREE actions should the administrator take to resolve this issue? (Choose three.)

Select 3 answers
A.Verify that the heartbeat interfaces are properly connected and configured
B.Increase the HA failover threshold (hold time) to avoid flapping
C.Reduce the priority on the secondary unit
D.Configure HA to operate in active-passive mode
E.Disable HA on both units and re-enable
AnswersA, B, D

Ensures reliable heartbeat exchange.

Why this answer

Options A, B, and D are correct. Changing the HA mode to active-passive ensures no concurrent primaries. Increasing the failover threshold (hold time) can prevent flapping.

Verifying heartbeat interface connectivity ensures proper communication. Option E (disabling HA) is not a resolution; option C (reducing priority) does not fix the split-brain root cause.

54
MCQeasy

An administrator wants to see the current number of active sessions on a FortiGate. Which command should the admin use?

A.diagnose sys session list
B.diagnose sys session stat
C.get system performance status
D.get system ha status
AnswerB

This command shows session count and other metrics.

Why this answer

'diagnose sys session stat' displays session statistics including total active sessions.

55
Multi-Selectmedium

An administrator notices that an application-based SD-WAN rule is not steering traffic as expected. The SLA targets are configured correctly. Which TWO debug commands should the administrator use to diagnose the issue? (Choose two.)

Select 2 answers
A.diagnose debug application sslvpn -1
B.get system performance status
C.diagnose sys sdwan info
D.diagnose sys sdwan rule list
E.diagnose sys session filter dport 443 ; diagnose sys session list
AnswersC, E

Displays SD-WAN configuration, member status, and SLA compliance.

Why this answer

Options C and E are correct. 'diagnose sys sdwan info' shows SD-WAN configuration and SLA status. 'diagnose sys session list' with filters shows the session details including SD-WAN member selection. Option A is unrelated, B is invalid, and D shows overall status but not per-rule.

56
Drag & Dropmedium

Drag and drop the steps to perform a firmware upgrade on a FortiGate device into the correct order.


Why this order

Always back up config before upgrade, then upload, confirm, and verify.

57
MCQhard

An HA cluster of two FortiGates is experiencing split-brain. After investigation, you find that the heartbeat link is down on the primary unit. Which action will resolve the split-brain condition?

A.Disable HA on both units and re-enable
B.Restore the heartbeat link by checking cables, interfaces, and VLAN configuration
C.Increase the HA priority on the primary unit
D.Reboot the secondary unit
AnswerB

Split-brain is caused by heartbeat failure; restoring the link resolves it.

Why this answer

Split-brain occurs when heartbeat communication fails, and both units assume the primary role. Restoring the heartbeat link (Option B) allows them to re-establish communication and elect a single primary.

58
MCQhard

An administrator configures a session helper for FTP on FortiGate. After enabling the helper, FTP clients can establish control connections but data transfers fail. What is the most likely cause?

A.The firewall policy is configured to deny all FTP traffic
B.The FTP server's certificate is invalid
C.The FTP server is using active mode, which is not supported by the session helper
D.The session helper is not applied to the correct firewall policy or the traffic is not matching the helper
AnswerD

If the helper is not associated with the policy or the traffic doesn't match, the helper won't open data ports.

Why this answer

Option D is correct. FTP uses separate control and data connections, and the session helper dynamically opens pinholes for the data connections.

If the ALG/session helper is not correctly inspecting the control channel, it may not open the required data ports, causing transfers to fail. The question states that the helper is enabled but not working; this is sometimes due to asymmetric routing or the helper not seeing both directions of the control channel.

The most common cause, however, is that the FTP helper is not inspecting the traffic because the policy does not match the helper's expected traffic. Option D is the best fit.

59
MCQmedium

An SD-WAN rule is configured to steer traffic based on SLA metrics. The administrator notices that traffic is not using the expected member interface even though the SLA is meeting thresholds. What should the administrator check FIRST?

A.Check the firewall policy to ensure SD-WAN is enabled
B.Verify the BGP configuration to ensure routes are being advertised
C.Run 'diagnose sys sdwan info' to verify the rule and member status
D.Restart the FortiGate to clear any stale sessions
AnswerC

This command shows detailed SD-WAN information.

Why this answer

Option C is correct. The 'diagnose sys sdwan info' command provides real-time information about SD-WAN rules, member status, SLA performance, and route selection. It is the first step to troubleshoot why traffic is not following the expected path.

60
MCQhard

You execute 'diagnose sys session filter dport 443' and see output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does 'proto_state=01' indicate about this session?

A.The session is in the SYN_SENT state, waiting for SYN-ACK
B.The session is in the FIN_WAIT state
C.The session has completed the three-way handshake
D.The session has been terminated with a RST
AnswerA

State 01 = SYN_SENT; the initial SYN has been sent but no SYN-ACK received yet.

Why this answer

In FortiGate session output, proto_state=01 for TCP (proto=6) means the session is in the 'SYN_SENT' state, indicating the three-way handshake has not completed.

61
MCQeasy

An administrator is troubleshooting an HA cluster where both units show as primary after a link failure. What is the most likely cause of this split-brain scenario?

A.The HA heartbeat interface is down or misconfigured
B.The priority values are set identically
C.The HA uptime is mismatched between the two units
D.The session pickup feature is disabled
AnswerA

If the heartbeat link fails, each unit assumes the other is dead and transitions to primary.

Why this answer

Split-brain occurs when HA heartbeat communication fails, causing both units to believe they are the primary. A broken heartbeat link is the typical cause.

62
MCQhard

An administrator configures SD-WAN with multiple members. The SD-WAN rule uses the 'latency' strategy. The administrator notices that traffic is not switching to the best-performing member even when latency exceeds the threshold. What could be the issue?

A.The SLA target is not configured or not applied to the SD-WAN rule
B.The load balancing algorithm is set to 'source-ip-based'
C.The threshold is set too low
D.The SD-WAN members are in different VDOMs
AnswerA

Without SLA, performance monitoring is not active, so latency strategy has no data to act on.

Why this answer

Option A is correct. SD-WAN rules require performance SLA targets to be configured and linked to the SD-WAN rule. Without an SLA, the latency strategy has no performance benchmark to trigger failover.

63
Multi-Selecthard

An admin needs to verify that a new firewall policy is performing SSL inspection. Which THREE CLI commands or steps should the admin use to confirm? (Choose three.)

Select 3 answers
A.Use 'diagnose wad filter' to check if traffic is being processed by the web proxy for SSL inspection
B.Run 'diagnose debug flow' to check if traffic is hitting the policy
C.Filter sessions with 'diagnose sys session filter dport 443' and list sessions to see if they are decrypted
D.Run 'get system performance status' to see SSL inspection statistics
E.Check the policy configuration with 'show firewall policy <id>' and look for 'ssl-ssh-profile'
AnswersA, C, E

SSL inspection in proxy mode goes through the WAD daemon; checking WAD confirms inspection.

Why this answer

To verify SSL inspection, check the policy configuration for an 'ssl-ssh-profile', filter sessions on port 443 to see whether they are decrypted, and check whether the traffic is being processed by the WAD proxy. Options A, C, and E are correct.

64
Multi-Selectmedium

An administrator is troubleshooting a scenario where traffic from VLAN 100 to a server at 10.1.2.100 is being blocked. The FortiGate has an active security policy allowing the traffic and the routing table shows a correct route. Which TWO diagnostic commands should the administrator run to identify the cause of the blockage?

Select 2 answers
A.diagnose sniffer packet any 'host 10.1.2.100' 4
B.get system performance status
C.diagnose ip arp list
D.diagnose sys session list
E.diagnose debug flow
AnswersA, E

Captures packets to verify traffic reaches the FortiGate.

Why this answer

Option A is correct because "diagnose sniffer packet any 'host 10.1.2.100' 4" captures packets to/from the server at the interface level, allowing the administrator to see if traffic from VLAN 100 is actually arriving at the FortiGate and whether it is being dropped or forwarded. This command helps identify whether the issue is at Layer 2 (e.g., VLAN misconfiguration) or Layer 3 (e.g., routing or firewall drops).

Exam trap

The trap here is that candidates often choose 'diagnose sys session list' thinking it shows blocked traffic, but it only lists established sessions, not dropped packets or failed session creation attempts.

65
Multi-Selecteasy

An administrator needs to troubleshoot an HA synchronization issue. Which TWO commands provide information about the HA synchronization status?

Select 2 answers
A.diagnose hardware sysinfo
B.show system ha
C.diagnose ha dump
D.get system ha status
E.diagnose sys session stat
AnswersC, D

Dumps detailed HA synchronization data.

Why this answer

The command 'get system ha status' shows the cluster status and synchronization state. The command 'diagnose ha dump' provides detailed synchronization information.

66
MCQmedium

A FortiGate admin runs 'diagnose debug application sslvpn -1' and sees repeated messages: 'SSL VPN tunnel establishment failed: no response from client.' The remote user reports that the FortiClient VPN connects but no traffic passes. What is the MOST likely cause?

A.The SSL VPN realm is misconfigured
B.The SSL VPN certificate has expired
C.The remote user's FortiClient version is incompatible
D.A firewall on the remote user's network is blocking UDP port 4500 or TCP port 443
AnswerD

SSL VPN tunnel establishment requires UDP 4500 (for NAT traversal) or TCP 443 for initial handshake. If blocked, the client cannot respond, leading to the 'no response from client' message.

Why this answer

The debug indicates the SSL VPN tunnel establishment fails because the client does not respond. This commonly occurs when the client is behind a NAT device that drops keepalive packets or blocks UDP/TCP ports needed for the tunnel. Option D correctly identifies a firewall blocking necessary ports.

67
MCQmedium

A network administrator runs the command 'diagnose debug application ssl -1' and sees the following output: 'ssl_generate_proxy_cert: cannot find CA certificate for issuer CN=www.example.com'. What is the MOST likely cause?

A.The FortiGate does not have an internet connection to reach the CA certificate authority
B.The firewall policy does not have SSL inspection enabled
C.The web server's certificate has expired
D.The SSL/SSH inspection profile is configured with an incorrect CA certificate
AnswerD

If the CA certificate used to sign proxy certificates is missing or invalid, FortiGate cannot generate a new certificate for the inspected site.

Why this answer

The error indicates that FortiGate cannot find the CA certificate used to generate a proxy certificate for the site. This happens when deep inspection is enabled but the CA certificate used for re-signing is missing or misconfigured.

68
MCQeasy

A FortiGate administrator wants to check if the device is experiencing high CPU usage due to a specific process. Which command should they use to display real-time process CPU usage?

A.show system resource
B.diagnose sys top
C.get system performance status
D.diagnose debug application crashlog read
AnswerB

Shows real-time process list with CPU usage.

Why this answer

Option B is correct. 'diagnose sys top' shows real-time CPU and memory usage per process, similar to the Linux 'top' command. It helps identify which process is consuming CPU.

69
MCQmedium

When troubleshooting an IPsec VPN phase 1 negotiation failure, which debug command should the administrator run to see detailed IKE negotiation messages?

A.diagnose vpn ike log
B.diagnose debug application ike -1
C.get vpn ipsec tunnel details
D.diagnose debug application ipsec -1
AnswerB

This enables IKE debug with level -1 for verbose output.

Why this answer

The command 'diagnose debug application ike -1' enables detailed IKE debugging, showing phase 1 and phase 2 negotiation steps.

70
MCQhard

Based on the exhibit, what can be concluded about the session?

A.The session is a one-way session with only outbound traffic.
B.The session is not being logged.
C.The session is offloaded to the NPU for hardware acceleration.
D.The session is in the 'npu' state, meaning it is being processed by the CPU.
AnswerC

The 'npu' flag indicates hardware offloading to the network processor.

Why this answer

The session state 'npu' indicates that the session has been offloaded to the Network Processor Unit (NPU) for hardware acceleration. This is a normal and expected state for traffic that matches hardware-offloadable profiles, allowing the NPU to process packets at wire speed without CPU intervention.

Exam trap

The trap here is that candidates often confuse the 'npu' state with CPU processing, assuming it means 'NPU processing by CPU' rather than recognizing it as hardware offload, leading them to select Option D incorrectly.

How to eliminate wrong answers

Option A is wrong because the session state 'npu' does not imply one-way or only outbound traffic; it simply indicates hardware offload, and sessions can be bidirectional. Option B is wrong because the session state 'npu' does not indicate whether logging is enabled or disabled; logging is configured separately via firewall policies or session log settings. Option D is wrong because the 'npu' state means the session is offloaded to the NPU for hardware acceleration, not that it is being processed by the CPU; CPU processing would be indicated by states like 'tcp' or 'udp' without offload.

71
MCQmedium

An administrator is troubleshooting a split-brain situation in an HA cluster. They run 'get system ha status' and see that both FortiGates report themselves as primary. Which command should they run to force the secondary unit to take over as primary?

A.execute ha failover
B.reboot the primary unit
C.diagnose sys ha reset-uptime
D.diagnose sys ha stop
AnswerC

Resets the uptime, which can trigger a priority re-evaluation and failover.

Why this answer

Option C is correct. The 'diagnose sys ha reset-uptime' command resets the HA uptime on the unit, causing it to recalculate priority. If the other unit has a higher priority, this can force a failover.

Option A, 'execute ha failover', is not a valid command; FortiGate does not have a direct failover command. The standard method is to reboot the primary or to use 'diagnose sys ha reset-uptime'.

Option C is the most appropriate.

72
MCQeasy

A FortiGate is set up in a high availability (HA) cluster. The administrator notices that the primary unit is not synchronizing configuration changes to the secondary unit. The HA status shows 'synchronization failed'. What is the most likely cause?

A.The firmware versions are different on the two units.
B.The HA heartbeat interface is down.
C.NAT policies are misconfigured.
D.The configuration has not been saved on the primary unit.
AnswerD

HA sync only occurs after the configuration is saved; unsaved changes are not synchronized.

Why this answer

Option D is correct because FortiGate HA requires the configuration to be saved (via 'execute backup config' or 'write memory') on the primary unit before it can be synchronized to the secondary unit. If the configuration is not saved, the primary unit does not have a committed configuration to push, leading to a 'synchronization failed' status even though the HA cluster is otherwise healthy.

Exam trap

The trap here is that candidates often assume HA synchronization issues are always caused by network or heartbeat problems, overlooking the fundamental requirement that the configuration must be saved before it can be synchronized.

How to eliminate wrong answers

Option A is wrong because FortiGate HA requires both units to run the same firmware version; if they differ, the cluster will not form at all or will show 'version mismatch', not just a synchronization failure. Option B is wrong because if the HA heartbeat interface is down, the cluster would show 'heartbeat lost' or 'standalone' status, not 'synchronization failed'—the units would not be able to communicate at all. Option C is wrong because NAT policies are a data-plane configuration and do not affect HA configuration synchronization, which is a control-plane function.

73
Multi-Selecteasy

An administrator is investigating a security incident using FortiAnalyzer logs. The admin wants to identify all traffic that matched a specific firewall policy. Which TWO log fields should the admin use to filter the logs?

Select 2 answers
A.policyid
B.user
C.appid
D.dstip
E.srcintf
AnswersA, E

The policy ID directly identifies the firewall policy that processed the traffic.

Why this answer

In FortiAnalyzer logs, the policy ID (usually 'policyid' or 'policy_id') and source interface (e.g., 'srcintf') are key fields to identify which firewall policy matched the traffic. Other fields like destination IP or user name are not directly tied to the policy ID.

74
Multi-Selectmedium

A FortiGate in an HA cluster is experiencing intermittent session synchronization failures. The administrator runs 'diagnose sys ha dump sync-status' and sees that sessions are not being synchronized properly. Which TWO potential causes should the administrator investigate?

Select 2 answers
A.Mismatched HA group IDs
B.Excessive number of sessions exceeding the session sync limit
C.Incorrect BGP route advertisements
D.High packet loss or latency on the heartbeat interface
E.Mismatched HA passwords
AnswersB, D

If the session table is too large, session synchronization may fail due to resource constraints.

Why this answer

Session sync failures in HA can be caused by network issues on the heartbeat link or session table overload. Authentication or routing issues are less direct causes.

75
MCQmedium

You are troubleshooting an SD-WAN rule where traffic is not matching the expected SLA. The FortiGate shows 'SLA mismatch' in logs. What is the MOST likely cause?

A.The interface is down
B.The SLA probe server is unreachable
C.The measured SLA values exceed the configured thresholds
D.The SD-WAN rule is not enabled
AnswerC

SLA mismatch occurs when the probe results do not meet the thresholds.

Why this answer

Option C is correct because an SLA mismatch typically indicates the interface's measured SLA parameters (latency, jitter, packet loss) do not meet the thresholds defined in the SLA rule. Option A would prevent rule matching entirely. Option B would not directly cause SLA mismatch. Option D is not relevant.
