NSE 8 – Network Security Expert (811) — Question 3
You cannot ping the FortiGate default gateway 10.10.10.1 from the FortiGate CLI. The FortiGate interface facing the default gateway is wan1 and its IP address is 10.10.10.254/24. During the initial troubleshooting tests, you confirm that you can ping other IP addresses in the 10.10.10.0/24 subnet from the FortiGate CLI without packet loss.
Which two CLI commands will help you to troubleshoot this problem? (Choose two.)
Answer options
- A. diagnose debug flow filter saddr 10.10.10.1
  diagnose debug flow trace start 10
- B. diagnose hardware deviceinfo nic wan1
- C. diagnose ip arp list
- D. diag sniffer packet wan1 'arp and host 10.10.10.1'
Correct answer: A, C
Explanation
The commands in option A allow for monitoring the traffic flow to see if packets are reaching the FortiGate from the default gateway, which is crucial for troubleshooting connectivity issues. Option C provides insight into the ARP table, which can help determine if the FortiGate has the correct MAC address for the gateway. Options B and D do not directly address the issue of pinging the gateway.