A financial services company is deploying a FortiGate 7000 series chassis in a new datacenter to handle high-frequency trading traffic. A primary requirement is to ensure that session failover between FortiGate Interface Modules (FIMs) is deterministic and that specific high-priority traffic is always processed by a designated FIM unless it fails. The current configuration uses the default session-aware load balancing. Which configuration change is required to meet this requirement?
Q2
A network security architect is designing an ADVPN solution with two hubs in different geographical regions for redundancy. The design requires spokes to dynamically build shortcuts to other spokes, regardless of which hub they are connected to. What is a critical design consideration to ensure seamless spoke-to-spoke communication across both hubs?
Q3
A global retailer is using Fortinet Secure SD-WAN and has configured a performance SLA to monitor latency on its primary MPLS and secondary internet underlay links. The SD-WAN rule is set to prefer MPLS. During a period of network congestion, the latency on the MPLS link exceeds the configured threshold. However, an administrator observes that existing long-lived sessions, such as a large file transfer, do not fail over to the internet link. New sessions correctly use the internet link. What is the most likely reason for this behavior?
Q4 (Multiple answers)
A security team is implementing Zero Trust Network Access (ZTNA) to provide secure access to an internal web application. They have configured a ZTNA server on the FortiGate, ZTNA connection rules on FortiClient EMS, and a ZTNA policy on the FortiGate. A user reports they can connect to the ZTNA access proxy but receive a 'Permission Denied' error when trying to access the application. The FortiGate logs show the traffic is hitting the ZTNA policy and being denied. What are the two most likely causes of this issue? (Select TWO).
Q5
True or False: When configuring a FortiGate automation stitch with a FortiAnalyzer event as the trigger, the FortiGate must be configured to send logs to the FortiAnalyzer in real-time mode for the stitch to execute immediately upon event detection.
Q6
A large enterprise has deployed FortiSwitch units in a multi-chassis link aggregation (MCLAG) configuration for switch-level redundancy. An administrator needs to perform a firmware upgrade on the MCLAG peer switches with minimal disruption to network traffic. What is the recommended procedure to achieve this?
Q7
**Case Study:** Global Logistics Inc. (GLI) is a multinational shipping company that is modernizing its security infrastructure. They have deployed a central FortiManager and FortiAnalyzer at their primary datacenter for managing hundreds of branch office FortiGates. To improve their security posture, GLI wants to implement a solution where if a threat is detected at any branch (e.g., a malware-infected host), the compromised host is automatically quarantined across the entire organization, preventing it from accessing any network resources at any branch or the datacenter. The current setup involves Security Fabric enabled between the branch FortiGates and the central management devices. Each branch uses FortiSwitch and FortiAP for local access, managed by the local FortiGate. The security team wants to leverage their existing Fortinet investment to achieve this automated, global quarantine without significant new hardware purchases. As the lead security architect, you are tasked with designing this solution. The solution must be scalable and react in near real-time. Which approach best meets GLI's requirements for automated, fabric-wide threat response?
Q8 (Multiple answers)
A FortiGate is configured in transparent mode between an internal network and a core router. An administrator notices that traffic passing through the FortiGate is not being accelerated by the NP7 processor as expected. Which TWO of the following configurations could cause the traffic to bypass NP7 acceleration? (Select TWO).
Q9
A systems administrator is configuring a FortiGate to act as a SAML Service Provider (SP) for SSL-VPN access, using a third-party Identity Provider (IdP). The IdP provides group membership information in a SAML attribute named `memberOf`. The administrator needs to map users to different SSL-VPN realms based on this attribute. Which FortiGate CLI setting is used to specify the SAML attribute that contains the user's group information?
Q10
A consultant is tasked with designing a resilient email security solution using two FortiMail appliances in a high availability (HA) active-passive cluster. A key requirement is that in the event of a primary unit failure, the secondary unit must take over with minimal email service interruption and no loss of the mail queue. Which FortiMail HA mode must be configured to meet this requirement?