[Fortinet] Fortinet - NSE4-FGT-AD-7.6 Exam Dumps & Study Guide

Free [Fortinet] Fortinet - NSE4-FGT-AD-7.6 Practice Questions Preview

• Question 1

  The FortiGate device HQ-NGFW-1 with the IP address 10.0.13.254 sends logs to the FortiAnalyzer device with the IP address 10.0.13.125. The administrator wants to verify that reliable logging is enabled on HQ-NGFW-1.
  Which exhibit helps with the verification?

  • A.
  • B.
  • C.
  • D.

  Correct Answer: B

  Explanation:

  I disagree with the suggested answer B and instead agree with the community members pointing toward D. While Exhibit B shows the configuration context, it explicitly lacks the set reliable enable command required for verification. Exhibit D provides a visual confirmation of the status via the FortiAnalyzer GUI.

  Reason

  Exhibit D is the correct choice for verification because it shows the Logging Mode column in the FortiAnalyzer Device Manager. The presence of a padlock icon next to Real Time indicates that the connection is using Reliable Logging (TCP/SSL), which satisfies the administrator's requirement to verify the feature is active.

  Why the other options are not as suitable

  Exhibit A shows a packet sniffer where the first line clearly identifies udp 514. Reliable logging requires TCP; therefore, this exhibit proves it is not enabled. Exhibit B shows the configuration block for FortiAnalyzer, but the specific command set reliable enable is missing from the output, meaning it is currently disabled. Exhibit C is a standard dashboard view that shows the device is up and logging, but it does not specify the protocol or reliability mode used for transport.

  Citations

  • https://docs.fortinet.com/document/fortianalyzer/7.6.0/administration-guide/721997/device-manager

• Question 2

  Refer to the exhibit.
  
  Based on the routing table shown in the exhibit, which two statements are true? (Choose two.)

  • A. A packet with the source IP address 10.0.13.10 arriving on port2 is allowed if strict RPF is disabled.
  • B. A packet with the source IP address 10.100.110.10 arriving on port3 is allowed if strict RPF is disabled.
  • C. A packet with the source IP address 10.10.10.10 arriving on port2 is allowed if strict RPF is enabled.
  • D. A packet with the source IP address 10.100.110.10 arriving on port2 is allowed if strict RPF is enabled.

  Correct Answer: AD

  Explanation:

  I agree with the suggested answer AD. In FortiGate, Reverse Path Forwarding (RPF) checks are used to prevent IP spoofing by verifying if the source IP of an incoming packet is reachable via the interface it arrived on. Strict RPF requires the best matching route to point to the incoming interface. When Strict RPF is disabled (defaulting to Feasible Path mode), the packet is allowed if there is any valid route (including a default route) to that source IP via the incoming interface.

  Reason

  Statement A is correct because with source IP 10.0.13.10, the best route in the table is 10.0.13.0/24 via port6. When arriving on port2, it would fail strict RPF, but because strict RPF is disabled, FortiGate checks for a feasible path. Since a default route (0.0.0.0/0) exists on port2, the packet is permitted. Statement D is correct because source IP 10.100.110.10 does not match any specific internal routes, so it matches the default route (0.0.0.0/0). Since the default route is via port2, and the packet arrived on port2, it satisfies the Strict RPF requirement (the best/only route matches the incoming interface).

  Why the other options are not as suitable

  Statement B is incorrect because while strict RPF is disabled, the source IP 10.100.110.10 only matches the default route on port2. There is no route (specific or default) for this IP associated with port3, so even in feasible path mode, it is dropped. Statement C is incorrect because the best route for source IP 10.10.10.10 is the specific route 10.10.10.0/24 which points to port3. If the packet arrives on port2, it fails the Strict RPF check because the incoming interface does not match the best route interface.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/434310/reverse-path-forwarding-check

• Question 3

  Which three statements about SD-WAN performance SLAs are true? (Choose three.)

  • A. They can be measured actively or passively.
  • B. They are applied in a SD-WAN rule lowest cost strategy.
  • C. They monitor the state of the FortiGate device.
  • D. All the SLA targets can be configured.
  • E. They rely on session loss and jitter.

  Correct Answer: ABD

  Explanation:

  I agree with the suggested answer ABD. These options correctly identify the measurement methods, application logic, and configuration flexibility of FortiGate SD-WAN Performance SLAs.

  Reason

  A is correct because FortiGate supports active probing (sending specific packets like ICMP or HTTP) and passive WAN health monitoring (observing actual traffic). B is correct because in a Lowest Cost strategy, the FortiGate first checks which interfaces meet the SLA; only those that pass the SLA are then compared based on their cost. D is correct because administrators can manually define custom thresholds for Latency, Jitter, and Packet Loss to suit specific application requirements.

  Why the other options are not as suitable

  C is incorrect because Performance SLAs monitor the quality of the network path to a specific target, not the internal hardware state or health of the FortiGate device itself. E is incorrect because while it mentions jitter and loss, it uses the phrase session loss, which is not a standard SD-WAN metric; the correct metric is Packet Loss.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/526435/performance-sla-health-check

• Question 4

  FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.
  Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)

  • A. Both interfaces must have directly connected routes on the routing table.
  • B. Both interfaces must have IP addresses assigned.
  • C. Both interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.
  • D. Both interfaces must have the interface role assigned.

  Correct Answer: AB

  Explanation:

  I agree with the community and suggested answer AB. In NAT mode, FortiGate operates as a Layer 3 device, which fundamentally requires each participating physical interface to have a unique IP address and a corresponding entry in the routing table to forward traffic.

  Reason

  Option B is correct because NAT mode requires interfaces to have an IP address assigned to act as a gateway for the connected networks. Option A is correct because once an IP address and subnet mask are configured on an interface, FortiGate automatically creates a directly connected route in the routing table, which is necessary for the device to know where to send packets for those local subnets.

  Why the other options are not as suitable

  • Option C is incorrect because DHCP is an optional service for convenience, not a requirement for the interface to function.
  • Option D is incorrect because the Interface Role (LAN, WAN, DMZ, or Undefined) is a GUI-enhancing setting used to simplify the display of relevant features; it does not affect the actual passing of traffic or Layer 3 functionality.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/469272/nat-mode-and-transparent-mode

• Question 5

  Refer to the exhibit, which shows a firewall policy to enable active authentication.
  
  When attempting to access an external website using an active authentication method, the user is not presented with a login prompt.
  What is the most likely reason for this situation?

  • A. The Service DNS is required in the firewall policy.
  • B. The Remote-users group is not added to the Destination.
  • C. The Remote-users group must be set up correctly in the FSSO configuration.
  • D. No matching user account exists for this user.

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. In a firewall policy requiring active authentication, the client must first resolve the destination domain name via DNS before an HTTP/HTTPS session can be initiated. Since the policy in the exhibit only allows ALL_ICMP, HTTPS, and HTTP, the DNS traffic is blocked, preventing the browser from reaching the stage where FortiGate can intercept the traffic and present the login prompt.

  Reason

  Option A is correct because DNS is a prerequisite for web browsing. When a user enters a URL, the client device sends a DNS query. If the firewall policy does not permit the DNS service, the name resolution fails. Consequently, no TCP three-way handshake for HTTP/HTTPS occurs, and the FortiGate never receives the traffic necessary to trigger the active authentication captive portal.

  Why the other options are not as suitable

  • Option B is incorrect because the Remote-users group is already correctly placed in the Source field, which is where user-based authentication constraints belong in a FortiGate policy; it should not be in the Destination.
  • Option C is incorrect because FSSO (Fortinet Single Sign-On) is a form of passive authentication, whereas the question specifically addresses active authentication (which involves a direct challenge/login prompt).
  • Option D is incorrect because even if no user account existed, the FortiGate would still present the login prompt to ask for credentials; the failure to see the prompt at all indicates the traffic is being dropped before the authentication layer is reached.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/339480/firewall-policy-parameters

• Question 6

  You have created a web filter profile named restrict_media-profile with a daily category usage quota.
  When you are adding the profile to the firewall policy, the restrict_media-profile is not listed in the available web profile drop down.
  What could be the reason?

  • A. The inspection mode in the firewall policy is not matching with web filter profile feature set.
  • B. The web filter profile is already referenced in another firewall policy.
  • C. The naming convention used in the web filter profile is restricting it in the firewall policy.
  • D. The firewall policy is in no-inspection mode instead of deep-inspection.

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. In FortiOS, certain Web Filter features, specifically Category Usage Quotas, are only supported in Proxy-based inspection mode. If the Firewall Policy is configured for Flow-based inspection, any profile utilizing proxy-only features will be hidden from the selection menu.

  Reason

  Option A is correct because Web Filter Quotas require the FortiGate to act as a transparent proxy to track and enforce time or volume limits accurately. If the Firewall Policy inspection mode (Flow vs. Proxy) does not match the requirements of the features enabled within the Security Profile, that profile will not appear in the dropdown list to prevent invalid configurations.

  Why the other options are not as suitable

  • Option B is incorrect because Security Profiles in FortiGate are reusable objects and can be referenced by an unlimited number of Firewall Policies simultaneously.
  • Option C is incorrect because FortiOS does not restrict the visibility of profiles based on their naming convention; as long as the name is valid during creation, it will be available if technical requirements are met.
  • Option D is incorrect because while no-inspection mode would indeed prevent the application of a web filter, the specific presence of a Category Usage Quota specifically filters for Proxy-based vs Flow-based compatibility, and 'no-inspection' is a subset of flow-based logic that wouldn't even show the security profile toggle.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/261057/web-filter-quotas

• Question 7

  An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic.
  Which DPD mode on FortiGate meets this requirement?

  • A. On Demand
  • B. Enabled
  • C. On Idle
  • D. Disabled

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. According to the Fortinet NSE 4 - FortiGate Security study guide and documentation, On Demand is the specific DPD mode designed to trigger probes only when there is no inbound traffic observed to verify the peer's availability.

  Reason

  On Demand is the default DPD mode. In this mode, the FortiGate monitors for inbound traffic. If there is outbound traffic being sent but no corresponding inbound traffic is received within the configured DPD interval, the FortiGate sends a DPD probe to confirm the tunnel is still functional.

  Why the other options are not as suitable

  Enabled (often referred to as 'On Idle' in some older contexts or simply 'Always') sends DPD probes periodically regardless of whether traffic is flowing or not, which is more resource-intensive. On Idle (the actual mode name) triggers probes specifically when there is absolutely no traffic (neither inbound nor outbound) passing through the tunnel. Disabled prevents the FortiGate from ever initiating a DPD probe, though it will still respond to probes initiated by the remote peer.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/523932/dead-peer-detection

• Question 8

  Refer to the exhibits.
  
  
  You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.
  Which two factors can you observe from these configurations? (Choose two.)

  • A. YouTube search is allowed based on the Google Application and Filter override settings.
  • B. Facebook access is blocked based on the category filter settings.
  • C. Facebook access is allowed but you cannot play Facebook videos based on Video/Audio category filter settings.
  • D. YouTube access is blocked based on Excessive-Bandwidth Application and Filter override settings.

  Correct Answer: AB

  Explanation:

  I agree with the suggested answer AB. The configuration shows the Social Media category is explicitly blocked, and the Application Overrides are processed before category filters, allowing specific monitoring of Google-related traffic.

  Reason

  A is correct because Application and Filter Overrides take precedence over category filters. There is a filter for Google set to Monitor; since YouTube is a Google property, basic search functions are monitored (allowed) by this override rather than being blocked by general category rules. B is correct because the Social Media category in the Application Sensor is set to Block (the red stop icon), and Facebook is a member of that category with no specific override to allow it.

  Why the other options are not as suitable

  C is incorrect because once the Social Media category is blocked, all access to Facebook is denied; the Video/Audio category filter is never reached for this traffic. D is incorrect because while Excessive-Bandwidth is set to Block, it is a filter that triggers based on specific application behavior tags, not a blanket block on YouTube itself, and the Google monitor override would typically allow the initial connection.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/523877/application-control

• Question 9

  Refer to the exhibit.
  
  The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit.
  For which two reasons are these web categories exempted? (Choose two.)

  • A. The FortiGate temporary certificate denies the browser’s access to websites that use HTTP Strict Transport Security.
  • B. The resources utilization is optimized because these websites are in the trusted domain list on FortiGate.
  • C. These websites are in an allowlist of reputable domain names maintained by FortiGuard.
  • D. The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.

  Correct Answer: AD

  Explanation:

  I agree with the suggested answers A and D. These options correctly reflect the technical limitations and legal considerations inherent in SSL Deep Inspection configurations on FortiGate.

  Reason

  Option A is correct because Deep Inspection acts as a 'man-in-the-middle'. Websites using HSTS (HTTP Strict Transport Security) or certificate pinning will detect the FortiGate's CA certificate as an untrusted or unexpected issuer, causing the browser to block the connection entirely; exempting them prevents this service disruption. Option D is correct because Finance and Banking and Health and Wellness categories contain highly sensitive PII (Personally Identifiable Information). Many jurisdictions have strict privacy laws that discourage or prohibit employers from decrypting and viewing private financial or medical data.

  Why the other options are not as suitable

  • Option B is incorrect because the primary goal of these exemptions is compatibility and privacy, not CPU optimization; while bypassing inspection saves resources, 'trusted domain list' is not the standard terminology for this functional bypass.
  • Option C is incorrect because while FortiGuard maintains reputation databases, the specific categories shown (Finance/Health) are exempted by default due to their sensitive nature regardless of the individual site's 'reputation' score.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/523932/preventing-certificate-warnings-with-hsts
  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/118320/ssl-ssh-inspection

• Question 10

  What are two features of FortiGate FSSO agentless polling mode? (Choose two.)

  • A. FortiGate does not support workstation check.
  • B. FortiGate directs the collector agent to use a remote LDAP server.
  • C. FortiGate uses the AD server as the collector agent.
  • D. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

  Correct Answer: AD

  Explanation:

  I agree with the suggested answer AD. In FortiGate FSSO agentless polling mode, the FortiGate unit itself performs the polling of the Domain Controller's Windows Security Event Logs using the SMB protocol, but it lacks advanced features like workstation verification that are normally handled by a dedicated Collector Agent.

  Reason

  A is correct because workstation check (verifying if a user is still logged into a specific station) is a function of the external FSSO Collector Agent; since agentless mode removes this agent, the feature is unavailable. D is correct because agentless polling specifically utilizes the Server Message Block (SMB) protocol to remotely read the event viewer logs (Event IDs 4768 and 4769) directly from the Domain Controllers.

  Why the other options are not as suitable

  B is incorrect because in agentless mode, FortiGate acts as the collector itself and does not direct an external collector agent to use a remote LDAP server. C is incorrect because the AD server is merely being polled for its logs; it does not take on the role of a collector agent, which would require the installation of FSSO software on the Domain Controller.

  Citations

  • https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/526435/agentless-polling-mode