Fortinet FCP Sample Questions & Practice Test

Try 12 Fortinet Certified Professional (FCP) in Secure Networking sample questions and practice-test preview prompts on FortiGate, firewall policy, SD-WAN, VPN, security profiles, logging, and operational troubleshooting.

Fortinet Certified Professional (FCP) in Secure Networking is a professional route for candidates working with secure network design, FortiGate operations, firewall policy, VPNs, SD-WAN, inspection, logging, and troubleshooting.

Use this page to preview the kind of secure-networking decisions an FCP practice route should test. The questions below are original IT Mastery sample questions, not official Fortinet exam questions.

What this route should test

  • selecting firewall policy, NAT, VPN, SD-WAN, and inspection choices from scenario evidence
  • troubleshooting traffic with logs, routing, policy match, address objects, and interface context
  • balancing secure access, performance, availability, and operational maintainability
  • applying platform-aware judgment without assuming every issue is solved by one rule change

Sample Exam Questions

Question 1

Topic: firewall policy

A business application needs access from one internal subnet to one partner IP address on a fixed service port. What policy is best?

  • A. Allow all internal traffic to the internet
  • B. Disable logging for the application
  • C. Permit any source because the destination is known
  • D. Create a scoped policy for the required source, destination, service, action, and logging

Best answer: D

Explanation: Secure firewall policy should be as specific as practical and observable. A broad allow rule increases exposure and makes later troubleshooting harder.


Question 2

Topic: security profiles

A rule permits outbound web traffic, but the organization still wants malware and malicious-site controls. What should be applied?

  • A. Only a longer rule name
  • B. Appropriate security profiles such as antivirus, web filtering, DNS security, or IPS where relevant
  • C. No inspection because allow means trusted
  • D. A public administrator account

Best answer: B

Explanation: Allowing traffic does not remove inspection needs. Security profiles add prevention and detection controls to permitted flows.


Question 3

Topic: SD-WAN

A branch has two WAN links. Voice traffic should use the lowest-latency healthy path, while file backups can use a cheaper path. What SD-WAN capability fits?

  • A. One static default route for all traffic
  • B. Disabling health checks
  • C. Application-aware or SLA-based path selection
  • D. Removing the backup link

Best answer: C

Explanation: SD-WAN can steer traffic by application, health, SLA, and business priority. Different traffic classes can use different paths.


Question 4

Topic: IPsec VPN

A site-to-site VPN is up, but only one subnet can reach the remote site. What should be checked first?

  • A. Phase 2 selectors, routes, policy, NAT exemption, and matching subnets
  • B. The color of the dashboard
  • C. Whether email signatures are enabled
  • D. The company logo file size

Best answer: A

Explanation: Partial VPN reachability commonly involves selectors, routing, policies, NAT behavior, or mismatched protected networks.


Question 5

Topic: logging

Users report an application stopped working after a firewall change. Which evidence is most useful first?

  • A. The office floor plan
  • B. A list of unrelated tickets
  • C. A screenshot of the vendor website
  • D. Traffic logs, rule match, NAT, routing, and recent configuration changes

Best answer: D

Explanation: Troubleshooting should start with evidence that shows how traffic is processed. Logs and recent changes can quickly narrow policy, routing, NAT, or inspection causes.


Question 6

Topic: NAT

Internal private hosts need outbound internet access through a public address. Which NAT type is commonly involved?

  • A. Destination NAT only
  • B. Source NAT
  • C. No NAT because private addresses route globally
  • D. A password reset

Best answer: B

Explanation: Source NAT translates private source addresses to an address suitable for external routing. It is separate from policy and threat inspection.


Question 7

Topic: high availability

Two firewall appliances are deployed for resilience. What must be tested before relying on the design?

  • A. Whether the device names are identical
  • B. Whether logs can be deleted
  • C. Failover behavior, session impact, link monitoring, configuration sync, and recovery steps
  • D. Whether all change records can be skipped

Best answer: C

Explanation: High availability is only useful when failover behavior is understood and tested. Teams need evidence about convergence, sessions, monitoring, and recovery.


Question 8

Topic: routing

Traffic is allowed by policy but never reaches the next hop. What should be checked?

  • A. Routing table, interface status, gateway reachability, and path selection
  • B. The user’s browser font
  • C. Payroll settings
  • D. The helpdesk hold music

Best answer: A

Explanation: Policy permits traffic, but routing determines where traffic goes. A correct firewall rule cannot compensate for a broken path.


Question 9

Topic: web filtering

A company wants to reduce access to known malicious and newly registered domains. Which feature area is most relevant?

  • A. Console cable type
  • B. Rule description punctuation
  • C. Local printer names
  • D. Web or DNS filtering with category and reputation intelligence

Best answer: D

Explanation: Web and DNS filtering can apply category and reputation-based decisions. It is a preventive control for risky destinations.


Question 10

Topic: rule cleanup

A temporary vendor access rule remains active after the project ended. What should be done?

  • A. Expand it to all vendors
  • B. Review hits, owner, business need, expiration, risk, and remove or recertify it
  • C. Hide it by renaming the rule
  • D. Disable audit logs

Best answer: B

Explanation: Rule hygiene prevents temporary exceptions from becoming permanent exposure. Ownership and recertification reduce accumulated risk.


Question 11

Topic: TLS inspection

Before enabling deep TLS inspection broadly, what must be reviewed?

  • A. Only the number of monitors in the room
  • B. Whether all traffic can be trusted without inspection
  • C. Privacy, legal, certificate trust, application compatibility, performance, and exception handling
  • D. Whether logs should be deleted

Best answer: C

Explanation: TLS inspection can improve visibility, but it has privacy, legal, trust, performance, and application-compatibility consequences. It must be governed and scoped carefully.


Question 12

Topic: administration

Which administrative control improves accountability for firewall changes?

  • A. Named administrator accounts with role-based permissions and change logging
  • B. One shared admin password
  • C. No backup configuration
  • D. Anonymous console access

Best answer: A

Explanation: Named accounts and role-based access connect changes to accountable users. Shared accounts weaken investigation and governance.

Quick FCP checklist

Area          What to check
Policy        Can you scope rules and explain why broad access is risky?
Path          Can you separate policy, routing, NAT, VPN, and SD-WAN causes?
Inspection    Can you decide where security profiles and TLS inspection belong?
Operations    Can you review HA, logging, admin access, and temporary-rule cleanup?

Revised on Monday, May 18, 2026