ZTNA operates on a principle of continuous verification. When FortiClient EMS detects a change in an endpoint's security posture (for example, antivirus is disabled), it updates the ZTNA tags for that device and notifies the FortiGate. The FortiGate then immediately re-evaluates all active sessions from that endpoint against the configured ZTNA policies. If the endpoint no longer meets the policy requirements due to the tag change, its active sessions are terminated.

A. They will be re-evaluated to match the endpoint policy: "Endpoint policy" is ambiguous. The re-evaluation happens against the ZTNA policy on the FortiGate access proxy.

B. They will be re-evaluated to match the firewall policy: While a ZTNA policy is a type of firewall policy, "ZTNA policy" is the more specific and correct term for this feature.

D. They will be re-evaluated to match the security policy: "Security policy" is a generic term. The specific policy type governing ZTNA access is the ZTNA policy.

- FortiOS 7.2 Administration Guide, "ZTNA" chapter, section "ZTNA session re-evaluation". It states, "When a ZTNA tag for an endpoint changes, FortiClient EMS notifies the FortiGate. The FortiGate then re-evaluates the ZTNA policy for any active connections from that endpoint. If the endpoint is no longer compliant with the policy, the connection is dropped."

The user's traffic originates from 10.0.1.10 (port3) and is destined for 10.200.3.1 (port1). The FortiGate evaluates firewall policies to find a match. The "WebServer" policy is disabled and therefore ignored. The second policy (ID 2) matches the traffic flow: incoming interface port3, outgoing interface port1, source all, destination all, and service ALL. This policy has NAT enabled and configured to "Use Outgoing Interface Address". The outgoing interface for this traffic is port1, which has the IP address 10.200.1.1. Therefore, the user's source IP (10.0.1.10) will be translated to 10.200.1.1.

A. 10.200.1.10 is the external IP of a VIP object used in a disabled policy for incoming traffic and is irrelevant to this outgoing traffic flow.

B. 10.0.1.254 is the IP address of the incoming interface (port3). Source NAT uses the outgoing interface address, not the incoming one.

D. 10.200.3.1 is the destination IP address of the traffic. The question asks for the source NAT address, not the destination.

1. FortiOS 7.2 Administration Guide, "Firewall policies". Fortinet Document Library, docs.fortinet.com. Accessed October 2023. The "NAT" subsection explains that when "Use Outgoing Interface Address" is selected, FortiOS uses the IP address of the interface that the traffic is leaving from as the source NAT address.

2. FortiOS 7.2 Cookbook, "Top-down processing of firewall policies". Fortinet Document Library, docs.fortinet.com. Accessed October 2023. This document confirms that policies are matched in order from top to bottom and that a disabled policy is skipped during evaluation.

:

The firewall policy is configured to use the certificate-inspection SSL inspection profile. This mode only examines the server's certificate during the SSL/TLS handshake to verify its validity and identify the server name. It does not decrypt the encrypted traffic payload. Because the EICAR virus signature is contained within the encrypted HTTPS data stream, the antivirus engine cannot inspect the content. To detect the virus, the policy would need to be configured with a deep inspection profile, which decrypts the traffic, allows the antivirus engine to scan it, and then re-encrypts it before sending it to the client.

A. The exhibit clearly shows that the Web Filter profile named default is enabled on the firewall policy, so this statement is factually incorrect.

C. Flow-based inspection mode can perform antivirus scanning. The inability to scan is due to encryption, not the inspection mode itself. Deep inspection is required in either mode.

D. The action is correctly set to ACCEPT. Security profiles like antivirus are applied to accepted traffic; a DENY action would block all traffic, preventing any inspection.

FortiOS 7.2 Security Profiles Guide, Page 18, Section: "SSL/TLS Inspection". It states, "Without SSL inspection, security features that require content inspection, such as Antivirus, Web Filter, DLP, and Application Control, cannot inspect encrypted traffic."

FortiOS 7.2 Administration Guide, Page 488, Section: "SSL & TLS inspection". The guide clarifies, "Certificate inspection: Only inspects the certificate. The traffic is not decrypted." This confirms why the AV engine is blind to the traffic's content.

Session-based authentication uses HTTP cookies to track individual user sessions, allowing FortiGate to differentiate between multiple users even when they share the same source IP address (such as users behind NAT). This granular tracking requires more system resources compared to IP-based authentication because the firewall must maintain state information for each individual session rather than just tracking IP addresses.

B. IP sessions are NOT treated as a single user in session-based auth; each session is tracked individually.

E. Session-based auth is actually RECOMMENDED for multiple users behind NAT, not discouraged.

1. Fortinet FortiGate Administration Guide 7.0, Chapter on Authentication Methods, pp. 412-418

2. FortiOS 7.0 Handbook - Identity Based Policies, Section 3.2: Session vs IP-based Authentication

3. Fortinet Technical Documentation: "Authentication Methods in FortiOS 7.0" (Document ID: FD-50134)

4. FortiGate Security 7.0 Study Guide - NSE4, Module 8: User Authentication

5. Fortinet Knowledge Base Article: "Comparing Authentication Methods" (KB-FD-06789)

In a multi-VDOM environment, the Security Fabric topology views (both logical and physical) are generated from the root FortiGate. The physical topology view specifically illustrates the physical network layout, showing devices and the interfaces they are connected to. If a VDOM does not have any physical interfaces assigned to it, or if there are no devices connected and discovered on its assigned interfaces, it has no physical presence to display. Therefore, such VDOMs will not appear in the physical topology map.

B: Downstream devices must be configured to connect to the upstream FortiGate from a specific VDOM and interface, not from any of their VDOMs.

C: Security Rating reports are run for the entire Security Fabric from the root FortiGate. The report consolidates data from all participating VDOMs, it is not run individually for each VDOM.

D: All VDOMs on a single FortiGate device are part of the same Security Fabric. A VDOM cannot be configured to join a different Security Fabric from other VDOMs on the same hardware.

FortiOS 7.2.0 Security Fabric Administration Guide, Page 41, "Security Fabric in a VDOM environment". This section states, "The physical topology page displays the devices in the Security Fabric and the interfaces that they are connected to."

FortiOS 7.2.0 Security Fabric Administration Guide, Page 42, "Configuring the Security Fabric in a VDOM environment". This guide details the specific configuration required for VDOMs to participate in the fabric.

Exhibit A shows that Captive Portal is enabled on the lan interface, with the HR and Sales user groups selected. This configuration forces any user initiating traffic through this interface to be challenged for authentication. After a user authenticates, their identity is known. Exhibit B shows the firewall policies that apply to this traffic. Policy 1 explicitly allows traffic from the source user group HR. Policy 2 is an explicit deny for all other traffic. Therefore, all users will be prompted to authenticate, but only users who successfully authenticate as members of the HR group will have their traffic matched by Policy 1 and allowed to pass.

A. The captive portal is enabled on the interface, which forces an authentication prompt before policy evaluation. The presence of a deny policy (not a fall-through) is what blocks non-HR users.

B. Authentication is enforced at the interface level via captive portal, not the policy level. The policy uses the authenticated identity but does not trigger the authentication itself.

C. While users from the Sales group can authenticate successfully (as they are in the captive portal's group list), their traffic will be blocked by the explicit deny in Policy 2.

FortiOS 7.2 Administration Guide, Page 338, Section: "Firewall authentication". This section explains that when authentication is enabled on an interface, the FortiGate challenges the user for credentials.

FortiOS 7.2 Administration Guide, Page 340, Section: "Identity-based policies". It states, "After a user is authenticated, their traffic is handled by the identity-based security policy that applies to them." This confirms the two-step process of authentication followed by policy matching.

Each firewall policy is assigned a Universally Unique Identifier (UUID). This UUID is essential when a FortiGate is part of a larger Security Fabric, managed by FortiManager, or sending logs to FortiAnalyzer. Unlike the Policy ID, which is only unique locally on a single FortiGate, the UUID is a globally unique attribute. This ensures that logs and policy information from different FortiGates can be accurately correlated and managed centrally without conflicts, which is critical for consistent reporting and administration across the fabric.

A. Log ID is a generic term and not the specific attribute used for uniquely identifying policies across devices.

C. The Policy ID is only unique on the local FortiGate and can cause conflicts when multiple devices are managed centrally.

D. Sequence ID is not a standard attribute used for this purpose in FortiGate firewall policies.

1. FortiOS 7.0.0 Administration Guide, "Firewall & DoS Protection" chapter, "Firewall policies" section. It states, "Each firewall policy has a universally unique identifier (UUID). When FortiGate is managed by FortiManager, the UUID is used to uniquely identify the policy."

2. FortiManager 7.0.0 Administration Guide, "Policy & Objects" chapter, "About policies" section. The documentation explains that UUIDs are used to track policy changes and ensure uniqueness across the management domain.

The output from the diagnose firewall proute list command shows a policy route with the attribute sdwanserviceid=1. This specific attribute indicates that the route was not manually created as a standard policy route but was dynamically generated by an SD-WAN rule. SD-WAN rules are implemented in the FortiOS routing table as policy routes with high-numbered IDs (like 2048 in this case) and are explicitly linked to an SD-WAN service, making them distinct from regular or ISDB-based policy routes.

A. The output does not contain any reference to an Internet Service Database (ISDB) object, which would be explicitly mentioned if it were an ISDB route.

B. A regular policy route would typically specify a gateway IP address and would not include the sdwanserviceid attribute.

C. This option is incorrect because there is no indication of an ISDB object being used in the policy route shown in the output.

1. Fortinet. (2023). FortiOS Administration Guide 7.2.4. Page 588. "SD-WAN rules are implemented as policy routes."

2. Fortinet. (2023). FortiOS CLI Reference 7.2.4. Page 684. The output fields for diagnose firewall proute list include sdwanserviceid, which is described as the "SD-WAN service ID".

FortiGate's Next-Generation Firewall (NGFW) can operate in two modes: profile-based or policy-based. When configured in policy-based NGFW mode, application control and web filtering are integrated directly into the firewall policy itself, rather than being applied as separate security profiles. This mode is designed for simplified configuration and high performance, and it exclusively uses the flow-based inspection engine. Flow-based inspection analyzes traffic as it passes through the FortiGate without buffering, which offers lower latency suitable for high-speed environments.

A. "Full Content inspection" is a general term often used to describe proxy-based inspection, which is not used in policy-based NGFW mode.

B. Proxy-based inspection buffers entire files for analysis before forwarding them. This mode is available in profile-based NGFW, but not in policy-based NGFW.

C. Certificate inspection is a method used for inspecting SSL/TLS traffic and can be used within flow-based mode, but it is not the overall inspection mode itself.

- FortiGate Security 7.0 Study Guide, "NGFW Mode" chapter, page 10: "Policy-based NGFW mode uses flow-based inspection only."

- FortiOS 7.0.0 Administration Guide, "NGFW mode" section: "In policy-based mode, you can add applications and web filtering categories directly to a firewall policy... This mode uses flow-based inspection."