Explanation:

FortiToken push notifications require that the FortiAuthenticator has an internet routable IP address. This is because the FortiAuthenticator uses this IP address to send push notifications to the FortiGate.

The other options are not correct. Enabling the ftm access protocol on FG-1 port1 is not necessary for push notifications to work. The ftm-push server setting on FG-1 CLI should already point to the FortiAuthenticator's IP address. The FortiToken public IP setting on FAC-1 is not relevant to push notifications.

Here is a table that summarizes the different options:

Explanation:

ADVPN uses NHRP and IKEv2 to dynamically create spoke-to-spoke tunnels when traffic flows between spokes. In this case, FTP traffic from Spoke1 to Spoke2 triggers a shortcut tunnel. This eliminates hub hairpinning, reduces latency, and ensures efficient bandwidth usage while maintaining security policies across the VPN topology.

✅ Correct Option:
D. Spoke1 will establish an ADVPN shortcut to Spoke2. With ADVPN enabled, inter-spoke traffic dynamically triggers shortcut tunnels. When the host at Spoke1 downloads from Spoke2’s FTP server, the hub signals NHRP to establish a direct IPsec tunnel between spokes, bypassing the hub and optimizing performance.

❌ Why Other Options Are Incorrect

A. All the session traffic will pass through the Hub.
This describes traditional hub-and-spoke IPsec VPNs. ADVPN specifically avoids hub hairpinning by allowing dynamic spoke-to-spoke tunnels. Once traffic between spokes is detected, the hub provides routing information and NHRP signaling, enabling direct communication. Therefore, traffic does not remain hub-bound.

B. The TCP port 21 must be allowed on the NAT Device2.
FTP traffic (TCP 21) is encapsulated inside the IPsec tunnel. NAT devices only need to allow IKE (UDP 500), NAT-T (UDP 4500), and ESP traffic. Application-layer ports are irrelevant to NAT traversal in IPsec tunnels. Allowing TCP 21 on NAT devices does not fix shortcut formation.

C. ADVPN is not supported when spokes are behind NAT.
ADVPN supports NATed spokes using IKEv2 with NAT-T encapsulation. NAT traversal ensures dynamic shortcuts can still be established. Fortinet documentation confirms ADVPN works with NAT environments as long as proper UDP ports are open. Thus, NAT does not prevent ADVPN operation.

📚 Reference
Fortinet Documentation – FortiGate ADVPN Guide:
“ADVPN dynamically establishes shortcuts between spokes using NHRP and IKEv2. NAT traversal is supported with UDP 4500, allowing spokes behind NAT to form direct tunnels.” Source: Fortinet Docs – ADVPN Configuration

Explanation:

The ntlm-guest option is specifically designed to control whether unauthenticated users are allowed. Disabling it ensures all traffic matching the policy requires successful user authentication.

Why other options are incorrect:

A (auth-on-demand always)
enables captive portal but does not enforce mandatory authentication; users can click "Cancel" and pass through.

B (auth-secure-http enable and auth-http-basic disable)
selects HTTPS over HTTP for captive portal but does not enforce authentication for all traffic.

D (fsso enable)
enables Fortinet Single Sign-On, which is a method for passive authentication, but does not enforce active authentication for guest users like ntlm-guest disable does.

Reference:
FortiOS Handbook – Firewall Authentication: The set ntlm-guest disable command forces authentication for all users, blocking unauthenticated (guest) access through the policy.

Explanation:

The setting set fabric-object-unification local on FGT_2 configures it to synchronize its locally defined address and service objects upstream to the root FortiGate (FGT_1). Once these objects reach the root, they can be distributed fabric-wide if configured. This is the primary function of the local setting—enabling a downstream device to share its objects upward for potential use by other fabric members. The root and FGT_3 use the default setting (global or default), which means they receive objects from the root but do not push their own upstream.

Why other options are incorrect:

B is incorrect
because the root FortiGate synchronizes its objects to all downstream fabric members by default (both FGT_2 and FGT_3). FGT_2’s local setting does not restrict it from receiving root objects; it only changes FGT_2’s own synchronization direction.

C is false;
the default behavior of the Security Fabric is hierarchical object synchronization, where the root’s objects are synchronized to downstream devices. Nothing in the configuration shown disables this.

D is incorrect;
there is no exclusive synchronization channel. FGT_3 receives objects from the root just as FGT_2 does, because both are downstream members with default (global) unification settings.

Reference:
FortiOS 7.4 Security Fabric Guide – Fabric Object Unification: The local setting allows a downstream FortiGate to publish its local objects to the root FortiGate, while global (default) allows the device to receive objects from the root. The root can propagate obje

Explanation:

In Transparent (Layer 2) mode, the FortiGate forwards multicast frames between interfaces based on the multicast-forward setting. Disabling it (set multicast-forward disable) blocks multicast traffic, while enabling it allows it. This gives explicit administrative control over whether multicast packets pass through the device. The other setting (multicast-skip-policy) is irrelevant in transparent mode as it only applies to multicast routing in NAT mode.

Why other options are incorrect:

A and D (multicast-skip-policy) are invalid because this command only functions in NAT/Route mode. In transparent mode, there are no multicast routes or policies for multicast to skip; the setting has no effect.

B (multicast-forward enable) would permit multicast forwarding, which is the opposite of “controlling” traffic in a security context where blocking or restricting is typically desired. The question implies implementing a control measure, which in firewall terms usually means restricting traffic, making disable the correct choice for establishing control.

Reference:

FortiOS 7.4 Transparent Mode Administration Guide:
The multicast-forward system setting determines whether multicast Layer 2 frames are forwarded between interfaces in transparent mode. This is separate from multicast-skip-policy, which applies only to routed multicast traffic in NAT mode.

Explanation:

ZTNA architecture tunnels TCP-based applications like SSH between the FortiClient endpoint and the FortiGate access proxy over an HTTPS connection. This allows the FortiGate to inspect the traffic, apply security policies, and perform additional security checks. One such check is SSH host-key validation, where the FortiGate can verify the SSH server’s public key against a preconfigured fingerprint to prevent man-in-the-middle attacks. The ZTNA model ensures encrypted access without requiring a full SSL‑VPN tunnel.

Why other options are incorrect:

B is incorrect because ZTNA does not use SSL‑VPN tunnels; it establishes its own TLS/HTTPS-based tunnel directly between FortiClient and the FortiGate acting as the ZTNA access proxy. SSL‑VPN is a separate remote-access technology with different configuration and packet flow.

D is false; ZTNA explicitly supports SSH through TCP forwarding rules in the ZTNA access proxy configuration. SSH is a common use case documented in Fortinet’s ZTNA deployment guides, and the access proxy can broker and inspect the SSH session.

Reference:
FortiOS 7.4 ZTNA Guide – Access Proxy Configuration: ZTNA access proxy tunnels TCP applications over HTTPS and can validate SSH host keys to ensure server identity. SSH traffic is forwarded through the proxy after authentication and host-key verification, enabling inspection and policy enforcement.

Explanation:

The Let's Encrypt renewal fails because the ACME HTTP-01 challenge requires public access to port 80 on the same IP (129.11.1.100). In the original configuration, port1 hosts SSL‑VPN on port 443 and likely lacks an open HTTP (port 80) responder for ACME validation. Setting set interface "port2" in the ACME configuration redirects renewal traffic to the internal network, where an internal web service or the FortiGate’s built-in ACME responder can properly answer the HTTP challenge without conflicting with the production SSL‑VPN service on port1.

Why other options are incorrect:

A (set https-redirect disable) only stops redirecting HTTP to HTTPS for the SSL‑VPN portal. It does not free port 80 or solve the ACME validation path.

C (appending h-fortigate_public to the firewall policy) merely adds the FortiGate’s public address as a destination for the existing FortiMail policy, which is irrelevant to the ACME renewal process and port accessibility.

D (set admin-port 8080) changes the management GUI port, but ACME challenges target the configured interface’s public IP on standard ports (80/443), not the admin port.

Reference:
FortiOS 7.4 Certificate Management Guide – ACME Integration: For successful renewal, the interface specified in config system acme must have port 80 publicly reachable (for HTTP-01) or port 443 (for TLS-ALPN-01). If the external interface’s ports are occupied, the ACME client should be assigned to a different interface with proper routing/NAT to an internal responder.

Explanation:

On a FortiGate 6000F, ports 1–4 are 1/10/25G SFP28 interfaces, which support multiple speeds through software configuration. This allows the initial connection to be established at a lower speed (e.g., 10G). When the switch’s new high-speed module is installed, the same physical port can be reconfigured to a higher speed (e.g., 25G) by changing the interface’s speed setting in the FortiGate CLI/GUI—without physically moving the cable or affecting neighboring ports. This provides future-proof flexibility and minimizes disruption.

Why other options are incorrect:

A & D (ports 5–8 and 21–24):
While these are also 1/10/25G SFP28 ports and could technically be reconfigured, the question’s scenario calls for a connection that does not affect any other port when the speed is changed. Using ports 1–4 (the first bank) is the logical choice in a staged deployment, as these are often reserved for flexible uplink configurations.

B (ports 25–28):
These are 40/100G QSFP28 interfaces, which are fixed high-speed ports. They do not support lower-speed connections (e.g., 10G) without expensive breakout cables or different transceivers, and changing speeds later would likely require physical re-cabling, which could disrupt adjacent ports in a dense chassis.

Reference:

FortiGate 6000F Hardware Guide – Network Interfaces:
SFP28 ports (1–24) can be configured for 1G, 10G, or 25G speeds via CLI commands (set speed). This allows speed adjustments to match upgraded switch ports without hardware replacement. QSFP28 ports (25–28) are fixed 40/100G and lack the same multi-speed flexibility for gradual migration.

🔍 Explanation:

FortiManager CLI templates using Jinja require variables to be enclosed in {{ }}. These variables must be mapped to per-device values using meta fields under Device Manager. This allows dynamic rendering of interface names or other parameters during template execution, ensuring device-specific configurations are correctly applied.

✅ Correct Option:

C. The template will work if you change the variable format to {{ WAN }}.
Jinja syntax requires double curly braces for variable substitution. FortiManager CLI templates using Jinja must follow this format to correctly render device-specific values during deployment.

D. The administrator must first manually map the interface for each device with a meta field.
Jinja variables like {{ WAN }} must be mapped to actual interface names per device using FortiManager’s meta variables. Without this mapping, the template will fail to render correctly.

❌ Why Other Options Are Incorrect :

A. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
Jinja does not auto-discover or auto-map interface roles. It relies on explicit variable mapping via meta fields. FortiManager does not infer that {{ WAN }} means the interface with role “WAN.” The administrator must manually define what WAN means for each device.

**B. The template will work if you change the variable format to ( 𝑊 𝐴 𝑁 ) . ∗ ∗ ‘
(WAN)is not valid Jinja syntax. That format is used in TCL or shell scripting, not in FortiManager’s Jinja-based CLI templates. Using$(WAN)` will result in a syntax error or failed rendering during template execution.

E. The template will fail because this configuration can only be applied with a CLI or TCL script.
FortiManager fully supports Jinja-based CLI templates starting from version 7.0.1+. The configuration shown (IPsec VPN setup) is valid and supported through Jinja templates. This option is incorrect because Jinja is explicitly designed for CLI template automation in FortiManager.

📚 Reference:
Fortinet KB Article: New Meta Variables and Jinja Usage in FortiManager

Explanation:

Using VLAN mode for FortiExtender WAN-extension sends user/data traffic directly over a VLAN to FortiGate while keeping CAPWAP for management only. This reduces control-plane encapsulation overhead and optimizes throughput under high utilization compared to full CAPWAP tunneling of data traffic.

Why other options are incorrect

A: Adding a switch does not change encapsulation or control-plane overhead; it merely adds a Layer 2 hop without optimizing data path efficiency between FEX and FortiGate.

B: Enabling CAPWAP is required for management, but using CAPWAP for data introduces overhead; VLAN mode specifically minimizes data-plane overhead by passing WAN traffic via VLAN, not CAPWAP.

D: Adding a VLAN under FEX-WAN on FortiGate alone is insufficient. VLAN mode must be explicitly enabled for FortiExtender WAN-extension, and existing FEX-WAN interfaces are removed before enabling it to switch the data path from CAPWAP to VLAN bridging.

Reference:

Fortinet documentation describes FortiExtender WAN-extension VLAN mode, where management stays on CAPWAP but user traffic flows via VLAN to reduce overhead; VLAN mode requires explicit enablement and interface adjustments on FortiGate and FortiExtender

Explanation:

Graceful-restart allows BGP peers to retain and continue using stale routes during a neighbor’s control-plane restart, ensuring uninterrupted forwarding. This is essential for achieving high availability and minimizing traffic disruption during maintenance or failover events.

Why other options are incorrect:

B. Deterministic-med ensures consistent MED comparison across multiple ASes but does not address session stability or failover goals.

C. Synchronization is a legacy requirement for BGP to match IGP routes and is irrelevant in modern deployments where synchronization is disabled.

D. Soft-reconfiguration allows route refresh without session reset but does not maintain forwarding during a peer restart.

Reference:
FortiOS BGP Configuration Guide: Graceful-restart is a key feature for maintaining network stability during routing processor restarts, allowing the data plane to continue forwarding while control plane reconverges.

Explanation:

The FortiEDR event shows a File Write Access operation by gapf.exe located in a suspicious temporary user path (C:\Users\...\AppData\Local\Temp\...), which is indicative of data gathering and exfiltration behavior. The event is logged and received by the collector but lacks any “Blocked” or “Prevented” status, confirming it was detected but not stopped.

Why other options are incorrect:

A is false because the event log shows no evidence of blocking; exfiltration would show a prevention action if stopped.

C and D are incorrect; ransomware attacks typically involve file encryption, mass file renaming, or ransom note drops—not merely “File Write Access.” The event classification and details do not match ransomware patterns.

Reference:

FortiEDR 5.0 Event Analysis Guide:
File Write Access events from untrusted locations (e.g., Temp folders) with no mitigation action indicate detected exfiltration attempts that were allowed. Blocked events clearly display “Action: Blocked” in the event details.