Fortinet FCF Sample Questions & Practice Test

Try 12 Fortinet Certified Fundamentals (FCF) in Cybersecurity sample questions and practice-test preview prompts on threat concepts, security controls, network basics, cloud security, identity, and responsible escalation.

Fortinet Certified Fundamentals (FCF) in Cybersecurity is a foundations route for candidates building security vocabulary, risk awareness, and first-pass operational judgment before moving into more specialized Fortinet certification paths.

Use this page to preview the kind of cybersecurity reasoning an FCF practice route should test. The questions below are original IT Mastery sample questions, not official Fortinet exam questions.

What this route should test

  • recognizing common attack types, controls, and defensive layers
  • applying basic identity, access, network, endpoint, and cloud-security concepts
  • choosing responsible escalation and evidence collection steps
  • avoiding memorized acronym-only answers when the scenario asks for risk judgment

Sample Exam Questions

Question 1

Topic: phishing

A user receives an email that appears to be from IT support and asks them to enter their password on an unfamiliar site. What is the best first action?

  • A. Reply with the password only if the email looks urgent
  • B. Report the message through the approved phishing or security-reporting process
  • C. Forward the message to every employee
  • D. Disable antivirus because the message is probably safe

Best answer: B

Explanation: A suspected credential-harvesting message should be reported through the approved channel so security staff can preserve evidence, block similar messages, and warn affected users.


Question 2

Topic: availability

Which situation most directly affects the availability part of the CIA triad?

  • A. A password is guessed by an attacker
  • B. A private file is posted publicly
  • C. A log entry is modified without authorization
  • D. A service outage prevents users from reaching a required application

Best answer: D

Explanation: Availability means systems and data are accessible when needed. Outages, denial-of-service events, and failed dependencies are availability concerns.


Question 3

Topic: least privilege

An intern needs read-only access to one documentation folder for two weeks. Which access choice best follows least privilege?

  • A. Grant read-only access to the needed folder and set a review or expiration date
  • B. Grant permanent administrator access
  • C. Share the manager’s password
  • D. Disable access logging for the intern

Best answer: A

Explanation: Least privilege gives only the access needed, for only as long as needed, with enough review evidence to remove or adjust the access later.


Question 4

Topic: multi-factor authentication

Why does multi-factor authentication reduce account-takeover risk?

  • A. It removes the need for passwords forever
  • B. It encrypts every network packet
  • C. It requires more than one proof of identity before access is granted
  • D. It prevents every phishing attempt from being delivered

Best answer: C

Explanation: Multi-factor authentication adds a second proof, such as a device, app prompt, hardware key, or biometric factor. It does not eliminate every attack, but it reduces the impact of a stolen password.


Question 5

Topic: segmentation

A guest Wi-Fi network should not reach internal finance systems. Which control idea is most relevant?

  • A. Use the same flat network for every device
  • B. Segment guest traffic from internal systems and apply restrictive policy
  • C. Remove all wireless encryption
  • D. Store finance files on guest laptops

Best answer: B

Explanation: Network segmentation separates traffic zones and reduces blast radius. Guest access should be isolated from sensitive business systems.


Question 6

Topic: cloud responsibility

In a cloud service, the provider secures part of the platform, but the customer still controls user access and some configuration. What model does this describe?

  • A. Public-key encryption
  • B. Denial of service
  • C. Single sign-on only
  • D. Shared responsibility

Best answer: D

Explanation: Cloud security commonly follows a shared-responsibility model. The exact split depends on the service type, but customers usually retain responsibility for identity, data, and configuration choices.


Question 7

Topic: incident response

A workstation displays ransomware notes and suspicious file extensions. What should the user do first?

  • A. Disconnect from the network if instructed by policy and report the incident immediately
  • B. Pay the ransom directly
  • C. Delete all logs
  • D. Reboot repeatedly until the message disappears

Best answer: A

Explanation: Ransomware response should preserve evidence, limit spread, and alert the right responders. Payment, log deletion, or random restarts can make recovery harder.


Question 8

Topic: logging

Why are security logs useful?

  • A. They replace all preventive controls
  • B. They make every user an administrator
  • C. They provide evidence for monitoring, investigation, troubleshooting, and audit
  • D. They guarantee that no attacker can enter the network

Best answer: C

Explanation: Logs support visibility. They help teams understand what happened, when it happened, and which systems or users were involved.


Question 9

Topic: malware prevention

Which approach is strongest for reducing malware risk?

  • A. Rely on one control and ignore updates
  • B. Combine user awareness, endpoint protection, patching, filtering, backups, and monitoring
  • C. Allow every attachment type
  • D. Disable backups to save storage

Best answer: B

Explanation: Malware defense is layered. No single tool is enough; prevention, detection, recovery, and user behavior all matter.


Question 10

Topic: VPNs

What is the main security purpose of a VPN for remote access?

  • A. To make every website trustworthy
  • B. To replace endpoint protection
  • C. To remove the need for authentication
  • D. To create an encrypted path for remote users to reach approved resources

Best answer: D

Explanation: A VPN can protect remote traffic and connect users to authorized resources. It still needs authentication, endpoint controls, and access policy.


Question 11

Topic: data classification

Why should an organization classify data?

  • A. To match handling, storage, sharing, and protection rules to data sensitivity
  • B. To make all data public
  • C. To remove backups
  • D. To bypass access reviews

Best answer: A

Explanation: Classification helps teams decide which controls fit the sensitivity and business impact of data. Public marketing content and confidential client data should not be handled the same way.


Question 12

Topic: vulnerability and exploit

Which statement best distinguishes a vulnerability from an exploit?

  • A. A vulnerability is always harmless
  • B. An exploit is a policy document
  • C. A vulnerability is a weakness; an exploit is a method or code that takes advantage of it
  • D. A vulnerability only exists after data is stolen

Best answer: C

Explanation: A vulnerability is the weakness. An exploit is how an attacker or test tool uses that weakness to produce impact.

Quick FCF checklist

Area | What to check
Threats | Can you identify phishing, malware, credential theft, and denial-of-service patterns?
Controls | Can you map basic controls to identity, endpoint, network, cloud, and data risks?
Response | Can you choose escalation steps that preserve evidence and reduce spread?
Judgment | Can you explain why a control fits the scenario rather than only naming an acronym?

Revised on Monday, May 18, 2026