Fortinet

FCP - FortiGate Administrator (FCP-FGT-AD) practice questions

Applied FortiGate configuration, operation, and day-to-day administration knowledge for the Fortinet Certified Professional FortiGate Administrator exam, with a worked explanation on every practice question.

New to FCP-FGT-AD? Read the how to pass FCP - FortiGate Administrator study guide for a domain breakdown, a study plan, and exam-day tips.

Revising? The FCP-FGT-AD cheat sheet puts the domain weightings, key facts, and easy-to-confuse traps on one printable page.

  • Questions: 50
  • Time allowed: 90 min
  • Exam cost (USD): $200
  • Practice questions: 300

Exam domains and weighting

The FCP-FGT-AD blueprint is split across 5 domains. See the official exam guide for the authoritative breakdown.

FCP-FGT-AD domains by share of the exam

| Domain | Weight |
|---|---|
| Deployment and system configuration | 20% |
| Firewall policies and authentication | 20% |
| Content inspection | 20% |
| Routing | 20% |
| VPN | 20% |

Free sample questions

No account needed. Every question has a worked explanation, just like the full bank.

Free sample | Routing | easy

A FortiGate has two static default routes out of two different ISP links. Both routes have the same administrative distance and the same priority. What is the effect on traffic that uses the default route?

  • A. Both routes are installed in the forwarding table and traffic is load balanced across both links using equal-cost multi-path routing (Correct)
  • B. Only the route whose gateway has the lower IP address is installed, and all default traffic uses that single link
  • C. Neither route is installed because FortiGate rejects duplicate default routes and logs a configuration conflict
  • D. Both routes are installed but only the most recently configured one forwards traffic until it fails over to the other
Static routes with equal administrative distance and equal priority become equal-cost paths, so FortiGate installs both and load balances using ECMP. FortiGate first compares administrative distance to pick which routes enter the routing table, then compares priority among same-distance routes. When both values are equal, the routes are equal-cost and FortiGate uses ECMP to spread sessions across them.

Why A is correct: When two routes share the same distance and priority, FortiGate treats them as equal-cost and installs both, performing ECMP load balancing across the two links according to the configured load-balancing method.

Why B is wrong: FortiGate does not select between equal routes by comparing gateway IP addresses. This sounds like a deterministic tie-breaker but no such rule exists, so it is incorrect.

Why C is wrong: FortiGate accepts multiple default routes; it does not reject them as duplicates. The idea of a conflict rejection is plausible to a newcomer but does not reflect FortiOS behaviour.

Why D is wrong: Equal routes do not behave as an active and passive pair when distance and priority match. This describes failover, which requires differing priority or distance, so it is a tempting but wrong assumption.

Free sample | Routing | hard

An administrator configures a performance SLA that probes a public server through port1 and port2. The probe uses the HTTP protocol against a server reachable only via a static route bound to port1. The SLA shows port1 as alive but port2 is permanently dead, even though port2 has a working default route and can browse the internet normally. What is the most likely cause of the false dead status on port2?

  • A. HTTP probes are unsupported on secondary SD-WAN members, so only the first member in the zone can use the HTTP protocol and all others must use Ping.
  • B. The HTTP probe server is reachable only through the port1 static route, so probes sourced on port2 cannot reach it, making the health check fail for port2 regardless of that link's real internet connectivity. (Correct)
  • C. The detection interval on port2 is shorter than its configured timeout, which FortiOS treats as an invalid timer set and forces the member into a dead state.
  • D. Port2 needs the probe server added to its interface allowlist before the SLA can mark it alive, and an empty allowlist defaults every member to dead.
Diagnose false SD-WAN member dead status caused by a health-check server that is reachable through only one member's route. A performance SLA marks a member dead when its probes fail, and probes egress the member being tested, so if the probe server is reachable only via another member's route, the tested member fails its health check despite having genuine connectivity.

Why A is wrong: Tempting as a plausible feature limit, but wrong: the HTTP probe protocol is available to every member, so member ordering does not restrict the protocol.

Why B is correct: A health-check server reachable by only one path means probes egressing the other member fail, producing a false dead status that reflects probe routing rather than true link health.

Why C is wrong: Tempting by invoking timer relationships, but wrong: a short interval does not force a dead state; the member fails because its probes cannot reach the server.

Why D is wrong: Tempting because allowlists exist elsewhere, but wrong: performance SLA has no per-interface probe-server allowlist that defaults members to dead.

Free sample | VPN | hard

Two FortiGates negotiate IKEv2 phase 1, but the tunnel never establishes. Diagnostics show phase 1 proposals do not match: one peer offers AES256-SHA256 with DH group 14, the other offers AES256-SHA256 with DH group 20. Both peers share the same pre-shared key and the same phase 2 selectors. What is the correct conclusion about why phase 1 fails?

  • A. The pre-shared key mismatch is the real cause, because a differing DH group always indicates the authentication payload was computed with different secrets.
  • B. The phase 2 selectors are too broad, so the kernel rejects the phase 1 SA before the Diffie-Hellman exchange can complete.
  • C. The Diffie-Hellman group must match in at least one common phase 1 proposal, so groups 14 and 20 with no overlap cause the IKE SA negotiation to fail. (Correct)
  • D. IKEv2 ignores the Diffie-Hellman group during the initial exchange, so the failure must come from a mismatched encryption algorithm instead.
Identify that a non-overlapping Diffie-Hellman group between peers prevents the IKE phase 1 SA from establishing. The Diffie-Hellman group is a mandatory negotiated element of the phase 1 key exchange. Each peer proposes one or more groups, and the negotiation needs at least one common group to derive shared keying material. With one peer on group 14 and the other on group 20 and no overlap, the IKE SA cannot form regardless of matching encryption, hash, or pre-shared key.

Why A is wrong: It is tempting to blame authentication when phase 1 fails, but the scenario states the keys are identical and a DH group is an independent negotiated parameter, so the key is not the fault here.

Why B is wrong: Phase 2 selectors are negotiated only after phase 1 succeeds and cannot block the phase 1 SA, so selector breadth cannot explain a failure that occurs during the phase 1 key exchange.

Why C is correct: Phase 1 builds the IKE SA using a mutually agreed Diffie-Hellman group; if neither peer offers a group the other accepts, the key exchange cannot complete and phase 1 fails even when encryption, hash, and the pre-shared key all match.

Why D is wrong: IKEv2 absolutely requires an agreed Diffie-Hellman group in the initial exchange, and the scenario shows encryption and hash already match, so blaming the cipher is both factually wrong and inconsistent with the diagnostics.

Frequently asked questions

How many questions are on the FCP-FGT-AD exam?
The FCP - FortiGate Administrator (FCP-FGT-AD) exam has 50 questions and runs for 90 minutes. The format is multiple choice.

What score do I need to pass FCP-FGT-AD?
Fortinet does not publish a fixed pass mark for FCP-FGT-AD, so treat any "X%" figure you see elsewhere as unofficial. Examworthy gives you a per-domain readiness score so you can judge when you are ready across every domain.

How much does the FCP-FGT-AD exam cost?
The exam costs 200 USD to sit. Practising on Examworthy is free to start, with a worked explanation on every question.

How does Examworthy help me prepare for FCP-FGT-AD?
Every practice question carries a worked explanation and a per-distractor rationale, mapped to the official blueprint domains. You learn why each answer is right or wrong, not just the letter.

Is Examworthy affiliated with Fortinet?
No. Examworthy is not affiliated with or endorsed by Fortinet. Our questions are original, blueprint-aligned practice material; we never reproduce live exam items.

FCP-FGT-AD and related marks belong to their respective owners.