Practice Free NSE4_FGT_AD-7.6 Exam Online Questions
HOTSPOT
You have an Azure AD tenant named contoso.com that contains the devices shown in the following table.

The tenant contains the Azure AD groups shown in the following table.

You add an Autopilot deployment profile as shown in the following exhibit.


What are three key routing principles in SD-WAN? (Choose three answers)
- A . By default, SD-WAN rules are skipped if the included SD-WAN members do not have a valid route to the destination.
- B . SD-WAN rules have precedence over any other type of routes.
- C . Regular policy routes have precedence over SD-WAN rules.
- D . By default, SD-WAN rules are skipped if only one route to the destination is available.
- E . By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
A, C, E
Explanation:
“This slide shows the SD-WAN rule lookup process. SD-WAN rules are essentially policy routes.”
“FortiGate performs a forwarding information base (FIB) lookup for the packet destination IP (dstip). If the resolved interface for the fib-best-match isn’t an SD-WAN member, then FortiGate moves on to the next rule. This behavior follows the key routing principle: SD-WAN rules are skipped if the best route to the destination isn’t an SD-WAN member.”
“If the resolved interface is an SD-WAN member, then FortiGate looks for one or more acceptable members in the oif list… An acceptable member is an alive member that has a route to the destination. This behavior follows the key routing principle: SD-WAN rules are skipped if none of the configured members in the rule have a valid route to the destination.”
“Because regular policy routes have precedence over any other routes…”
“Also note that policy routes have precedence over SD-WAN rules, and over any routes in the FIB.”
Technical Deep Dive:
The correct answers are A, C, and E.
A is correct because an SD-WAN rule is not enough by itself. A selected member must also be alive and have a valid route to the destination. If none of the members referenced by the rule can actually reach the destination, the rule is skipped.
C is correct because a regular policy route is evaluated before SD-WAN rules. This is a classic exam trap. FortiGate treats SD-WAN steering like policy-route logic, but standard policy routes still win if they match and are valid.
E is correct because FortiGate first checks the FIB best match. If that best route resolves to an interface that is not an SD-WAN member, FortiGate skips the SD-WAN rule and continues.
Why the others are wrong:
B is false because SD-WAN rules do not have precedence over everything; regular policy routes do.
D is false because the number of available routes is not the deciding rule. Even with only one route, SD-WAN can still steer traffic if the routing and member conditions are met.
Operationally, think of SD-WAN routing in this order: policy route check → SD-WAN rule lookup → standard FIB fallback.
On FortiGate, the practical validation commands are:
get router info routing-table all
diagnose sys sdwan service
diagnose firewall proute list
That combination lets you confirm whether a packet is being captured by a policy route, whether an SD-WAN rule has acceptable members, and what the FIB currently resolves for the destination.
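The lookup order above can be modelled directly. The block below is an added example, not FortiOS code: the FIB, member table, policy routes and SD-WAN rules are simplified stand-ins, the helper names are hypothetical, and all interface names and prefixes are constructed sample data. It shows each of the three principles (A, C, E) deciding the egress interface for a new session.

```python
"""Model of the FortiGate SD-WAN rule lookup order discussed above.

Added example, not FortiOS code: the FIB, member, policy-route and rule
structures are simplified stand-ins, and all interface names and prefixes
are constructed sample data.
"""
import ipaddress


def _reaches(prefix, dst):
    return ipaddress.ip_address(dst) in ipaddress.ip_network(prefix)


def fib_best_match(fib, dst):
    """Longest-prefix match over fib = [(prefix, egress_interface), ...].
    On equal prefix length the first entry wins (stand-in for an ECMP tie-break)."""
    best_len, best_oif = -1, None
    for prefix, oif in fib:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best_len, best_oif = net.prefixlen, oif
    return best_oif


def has_route(fib, dst, oif):
    """True if some FIB entry to dst leaves via oif, even if it is not the best one."""
    return any(o == oif and _reaches(p, dst) for p, o in fib)


def route_lookup(dst, fib, members, policy_routes, sdwan_rules):
    """Return (what decided, egress interface) for a new session to dst.

    members: {interface: alive?} for the SD-WAN members.
    policy_routes / sdwan_rules: lists of dicts evaluated top-down.
    """
    # Principle C: a matching regular policy route wins over SD-WAN rules and the FIB.
    for pr in policy_routes:
        if _reaches(pr["dst"], dst):
            return ("policy-route", pr["oif"])

    best = fib_best_match(fib, dst)
    for rule in sdwan_rules:
        if not _reaches(rule["dst"], dst):
            continue
        # Principle E: FIB best match is not an SD-WAN member -> skip this rule.
        if best not in members:
            continue
        # Principle A: keep only alive members that actually have a route to dst;
        # with a manual strategy the first acceptable member in rule order is used.
        acceptable = [m for m in rule["members"] if members[m] and has_route(fib, dst, m)]
        if acceptable:
            return ("sdwan-rule", acceptable[0])
        # No acceptable member: this rule is skipped and the next one is tried.
    # Nothing matched: ordinary FIB forwarding.
    return ("fib", best)


# Constructed sample topology: two SD-WAN members with default routes, and a
# non-member interface carrying a more specific route to 10.0.0.0/8.
FIB = [("0.0.0.0/0", "port1"), ("0.0.0.0/0", "port2"), ("10.0.0.0/8", "port3")]
MEMBERS = {"port1": True, "port2": True}
RULES = [{"dst": "0.0.0.0/0", "members": ["port2", "port1"]}]
POLICY_ROUTES = [{"dst": "192.0.2.0/24", "oif": "port3"}]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.1.1.1", "192.0.2.10"):
        print(dst, route_lookup(dst, FIB, MEMBERS, POLICY_ROUTES, RULES))
```

With this data, 8.8.8.8 is steered by the rule to port2, 10.1.1.1 skips the rule because its best route leaves via the non-member port3, and 192.0.2.10 is taken by the policy route before any SD-WAN rule is consulted. Marking port2 dead with a rule that lists only port2 makes the rule fall through to plain FIB forwarding.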
An administrator has configured the following settings.
config system settings
set ses-denied-traffic enable
end
config system global
set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)
- A . The number of logs generated by denied traffic is reduced.
- B . A session for denied traffic is created.
- C . Denied users are blocked for 30 minutes.
- D . Session helpers are disabled for denied traffic.
A, B
Explanation:
“To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets for that session are also denied. This ensures that FortiGate does not have to perform a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.”
“The CLI command is ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-session-timer in the CLI. By default, it is set to 30 seconds.”
Technical Deep Dive:
The correct answers are A and B.
When set ses-denied-traffic enable is configured, FortiGate creates a session-table entry for denied traffic. That means once traffic is denied, subsequent packets that belong to the same denied flow do not need a full policy lookup again. FortiGate can drop them immediately based on the existing denied-session entry. That directly confirms B.
Because FortiGate no longer re-evaluates every repeated denied packet in the same way, the device generates fewer logs and uses less CPU for repeated denied traffic. That is exactly why A is also correct.
Why the other two are wrong:
C is incorrect because block-session-timer 30 means 30 seconds, not 30 minutes. The denied session entry is kept in the session table for that duration.
D is incorrect because these settings do not disable session helpers. They only control how denied traffic is tracked in the session table.
In operational terms, this feature is useful when a host repeatedly retries traffic that FortiGate is already denying. Instead of doing a fresh lookup for every retry, FortiGate caches the denied decision temporarily and drops the repeated packets faster.
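The effect on lookups and logs can be shown with a small replay. The block below is an added example, not FortiOS code: the session table, timer and counters are simplified stand-ins, the class and function names are hypothetical, and the flow being retried is constructed sample data. It compares the same sequence of retries with ses-denied-traffic enabled and disabled.

```python
"""Model of ses-denied-traffic with block-session-timer.

Added example, not FortiOS code: the denied-session entry, timer and
counters are simplified stand-ins, and the packets are constructed data.
"""


class DeniedSessionTable:
    def __init__(self, ses_denied_traffic=True, block_session_timer=30):
        self.enabled = ses_denied_traffic
        self.timer = block_session_timer          # seconds (default 30), not minutes
        self.denied = {}                          # 5-tuple -> expiry timestamp
        self.policy_lookups = 0
        self.deny_logs = 0

    def process(self, pkt, now, policy_allows):
        """Return the verdict for one packet; pkt is a 5-tuple, now is seconds."""
        expiry = self.denied.get(pkt)
        if expiry is not None:
            if now < expiry:
                # Hit on the cached denied session: no policy lookup, no new log.
                return "drop-cached"
            del self.denied[pkt]                  # timer expired, evaluate again
        self.policy_lookups += 1
        if policy_allows(pkt):
            return "accept"
        self.deny_logs += 1
        if self.enabled:
            self.denied[pkt] = now + self.timer   # remember the deny decision
        return "drop-logged"


def simulate(enabled, timestamps, block_session_timer=30):
    """Replay one denied flow retrying at the given times.

    Returns (policy lookups performed, deny logs written, per-packet verdicts).
    """
    table = DeniedSessionTable(enabled, block_session_timer)
    # Constructed flow: a host retrying a telnet connection that policy denies.
    flow = ("10.0.1.5", "203.0.113.7", "tcp", 51000, 23)
    deny_all = lambda pkt: False
    verdicts = [table.process(flow, t, deny_all) for t in timestamps]
    return table.policy_lookups, table.deny_logs, verdicts


if __name__ == "__main__":
    retries = [0, 1, 3, 7, 15, 40]
    print("enabled :", simulate(True, retries)[:2])
    print("disabled:", simulate(False, retries)[:2])
```

Five retries inside the 30-second window cost one lookup and one log with the feature enabled, and the retry at 40 seconds triggers a fresh lookup because the entry has expired. Note that the cache is keyed on the full 5-tuple, so a scanner that changes its source port for every attempt still causes a lookup and a log per new flow; the saving is for retransmissions of the same denied session.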
How does FortiExtender connect to FortiSASE in a site-based, remote internet access method?
- A . FortiExtender uses a Virtual Extensible LAN (VXLAN)-over-IPsec connection.
- B . FortiExtender establishes a secure SSL connection using FortiClient.
- C . FortiExtender first connects to a FortiGate LAN extension through a secure web gateway (SWG).
- D . FortiExtender uses the proxy auto-configuration (PAC) file and an explicit web proxy to connect.
A
Explanation:
In FortiSASE site-based (remote internet access) deployments, FortiExtender is used to onboard branch or remote sites without a local FortiGate.
According to FortiSASE and FortiExtender architecture documentation:
FortiExtender integrates with FortiSASE using a secure VXLAN-over-IPsec tunnel
This tunnel:
Extends the site network to FortiSASE
Transparently forwards traffic for inspection
Preserves network segmentation and routing context
This design is similar to cloud-based LAN extension and is not proxy-based.
Why the other options are incorrect
B: FortiClient is used for agent-based user access, not FortiExtender
C: Secure Web Gateway (SWG) is a service, not a transport mechanism
D: PAC files and explicit proxies are used in agentless / proxy-based access, not site-based FortiExtender deployments
Which three statements about SD-WAN performance SLAs are true? (Choose three.)
- A . They rely on session loss and jitter.
- B . They monitor the state of the FortiGate device.
- C . All the SLA targets can be configured.
- D . They are applied in a SD-WAN rule lowest cost strategy.
- E . They can be measured actively or passively.
C,D,E
Explanation:
In FortiOS 7.6, SD-WAN Performance SLAs are used to measure link quality and influence SD-WAN rule decisions. The following three statements are true.
C. All the SLA targets can be configured.
True
SD-WAN Performance SLAs allow administrators to configure:
Latency
Jitter
Packet loss
Mean Opinion Score (MOS) (for voice)
Threshold values for these metrics are fully configurable per SLA.
This is explicitly documented in the SD-WAN Performance SLA configuration section.
D. They are applied in an SD-WAN rule lowest cost strategy.
True
Performance SLAs are commonly used with the Lowest Cost (SLA-based) strategy.
In this strategy:
FortiGate selects the lowest-cost link that meets the SLA requirements.
If a link violates the SLA, it is excluded from selection.
E. They can be measured actively or passively.
True
FortiOS supports:
Active probing (synthetic probes such as ping/HTTP)
Passive measurement (based on real traffic statistics)
Administrators can choose how SLAs are measured depending on the deployment and requirements.
Why the other options are incorrect
A is incorrect because performance SLAs measure packet loss, latency, and jitter (and optionally MOS), not "session loss".
B is incorrect because an SLA health check probes the reachability and quality of each SD-WAN member link toward a configured server; it does not monitor the state of the FortiGate device itself.
Refer to the exhibit.

Which two ways can you view the log messages shown in the exhibit? (Choose two.)
- A . By right clicking the implicit deny policy
- B . Using the FortiGate CLI command diagnose log test
- C . By filtering by policy universally unique identifier (UUID) and application name in the log entry
- D . In the Forward Traffic section
C,D
Explanation:
The exhibit shows a FortiGate UTM application control log with fields such as:
type="utm"
subtype="app-ctrl"
action="block"
policyid=1
appid=30220
appcat="Video/Audio"
service="HTTP"
apprisk="elevated"
This is a forward traffic security log, generated by Application Control applied to a firewall policy.
Why the correct answers are C and D
C. By filtering by policy universally unique identifier (UUID) and application name in the log entry Correct.
FortiOS logs can be viewed and filtered in:
Log & Report → Forward Traffic
Administrators can filter logs using fields such as:
Policy ID / Policy UUID
Application name (app)
Application ID (appid)
The log entry clearly includes application-related fields, making filtering by policy and application a valid and documented way to view these logs.
D. In the Forward Traffic section
Correct.
The log is a UTM Application Control log for traffic passing through a firewall policy.
Such logs are displayed under:
Log & Report → Forward Traffic
This is the standard and correct location to view application control, web filter, IPS, and other security profile logs related to user traffic.
Why the other options are incorrect
A is incorrect because right-clicking the implicit deny policy only shows logs matched by that policy (policy ID 0); the exhibit shows a UTM log generated by policy ID 1.
B is incorrect because diagnose log test generates sample log messages to verify that logging works; it does not display existing log entries.
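The filtering described for answer C can be reproduced outside the GUI on exported log lines. The block below is an added example, not FortiOS code: the parser is a generic key=value reader for the syslog-style format, the function names are hypothetical, and the three sample lines are constructed to carry the field names from the exhibit (poluuid, srcip, app and logid values are made up).

```python
"""Filter FortiOS log lines by policy UUID / policy ID and application name.

Added example, not FortiOS code. The sample lines are constructed to carry
the same field names as the exhibit; their poluuid, srcip and app values
are made up.
"""
import re

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Return one log line as a dict, with surrounding quotes stripped from values."""
    rec = {}
    for key, val in _KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def filter_logs(lines, **criteria):
    """Keep records whose fields equal every criterion (values compared as strings)."""
    wanted = {k: str(v) for k, v in criteria.items()}
    return [rec for rec in map(parse_fortios_log, lines)
            if all(rec.get(k) == v for k, v in wanted.items())]


SAMPLE_LOGS = [  # constructed sample data, not real device output
    'date=2024-05-01 time=10:00:01 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="warning" vd="root" policyid=1 poluuid="6f2b1f3a-0000-4000-8000-000000000001" '
    'srcip=10.0.1.5 dstip=203.0.113.7 service="HTTP" appid=30220 app="SampleVideoApp" '
    'appcat="Video/Audio" apprisk="elevated" action="block" msg="Video/Audio: SampleVideoApp"',
    'date=2024-05-01 time=10:00:05 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" vd="root" policyid=1 poluuid="6f2b1f3a-0000-4000-8000-000000000001" '
    'srcip=10.0.1.9 dstip=203.0.113.7 service="HTTPS" appid=30220 app="SampleVideoApp" '
    'appcat="Video/Audio" apprisk="elevated" action="pass" msg="Video/Audio: SampleVideoApp"',
    'date=2024-05-01 time=10:00:09 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="warning" vd="root" policyid=2 poluuid="6f2b1f3a-0000-4000-8000-000000000002" '
    'srcip=10.0.2.4 dstip=198.51.100.20 service="HTTPS" appid=41001 app="SampleChatApp" '
    'appcat="Collaboration" apprisk="medium" action="block" msg="Collaboration: SampleChatApp"',
]


if __name__ == "__main__":
    for rec in filter_logs(SAMPLE_LOGS, policyid=1, app="SampleVideoApp"):
        print(rec["time"], rec["srcip"], rec["action"])
```

Filtering on poluuid rather than policyid is the more robust choice in scripts: policy IDs are reused when policies are deleted and recreated, while the UUID stays bound to one policy object.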
Refer to the exhibit.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?
- A . Select port1 and port2 subnets in a single firewall policy.
- B . Create an Aggregate interface that includes port1 and port2 to create a single firewall policy.
- C . Replace port1 and port2 with the any interface in a single firewall policy.
- D . Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.
D
Explanation:
“By default, you can select only a single interface as the incoming interface and a single interface as the outgoing interface. This is because the option to select multiple interfaces, or any interface in a firewall policy, is disabled on the GUI. However, you can enable the Multiple Interface Policies option on the Feature Visibility page to disable the single interface restriction.”
“You can also specify multiple interfaces, or use the any option, if you configure a firewall policy on the CLI, regardless of the default GUI setting.”
Technical Deep Dive:
The correct answer is D.
The policies are identical except for the incoming interface: one is for Sales and one is for Engineering. FortiGate GUI policy creation normally restricts you to one incoming interface per policy. To consolidate both into a single GUI policy, the administrator must enable Multiple Interface Policies so both port1 and port2 can be selected in the same rule.
Why the others are wrong:
A is not enough, because policy matching also includes the incoming interface, not just the source subnets.
B changes the network design and is unnecessary.
C would work too broadly by matching traffic from any interface, which is not the intended controlled consolidation.
A matching CLI-style concept would be:
config firewall policy
    edit <id>
        set srcintf "port1" "port2"
        set dstintf "<server-interface>"
        set srcaddr "Sales_Subnet" "Engineering_Subnet"
        set dstaddr "<web-server>"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set action accept
    next
end
That preserves a single policy while still being specific about which interfaces are allowed.
An administrator wants to address shadow IT visibility challenges and prevent users from sending sensitive files outside the organization without proper approval.
Which FortiSASE method should the administrator implement to achieve these goals? (Choose one answer)
- A . Secure SD-WAN access (SSD-WAN)
- B . Secure private access (SPA)
- C . Secure SaaS access (SSA)
- D . Secure internet access (SIA)
C
Explanation:
“FortiSASE provides secure access to remote users for the following use cases:
• SIA enables secure web browsing for remote users to protect from known and unknown threats
• SPA enables explicit application access under a zero-trust access or with SD-WAN integration to ensure secure application access
• SSA addresses shadow IT visibility challenges and safeguards data loss prevention”
“FortiCASB provides cloud-based and API-based features to enable deep inspection of SaaS applications to enable detailed monitoring, analysis, and reporting features… Data loss prevention (DLP) helps to identify, monitor, and protect organizational data at rest and in motion.”
Technical Deep Dive:
The correct answer is C. Secure SaaS access (SSA).
The question gives two very specific requirements:
Shadow IT visibility
Prevent sensitive files from leaving the organization without approval
The study guide maps both directly to SSA. In FortiSASE, SSA aligns with SaaS governance and CASB-style controls. That is the right architecture when you need visibility into sanctioned and unsanctioned SaaS usage, plus DLP controls for uploads, sharing, and file movement.
Why the other options are wrong:
SIA focuses on securing internet browsing and remote web traffic.
SPA is for explicit zero-trust access to private applications.
SSD-WAN is not the FortiSASE method for SaaS visibility/DLP control.
In practice, SSA is the choice because it combines SaaS visibility, activity monitoring, and DLP-style enforcement. That lets an administrator detect shadow SaaS usage and apply controls such as blocking uploads, monitoring sharing events, or restricting file transfers based on policy. This is a CASB-oriented use case, not just generic web security.
Refer to the exhibit.

The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit.
For which two reasons are these web categories exempted? (Choose two.)
- A . The resources utilization is optimized because these websites are in the trusted domain list on FortiGate.
- B . The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.
- C . These websites are in an allowlist of reputable domain names maintained by FortiGuard.
- D . The FortiGate temporary certificate denies the browser’s access to websites that use HTTP Strict Transport Security.
B, D
Explanation:
“You may need to exempt traffic from SSL inspection if it is causing problems with traffic, or for legal reasons.”
“Performing SSL inspection on a site that is enabled with HTTP Strict Transport Security (HSTS), for example, can cause problems with traffic. Remember, the only way for FortiGate to inspect encrypted traffic is to intercept the certificate coming from the server and generate a temporary one. After FortiGate presents the temporary SSL certificate, browsers that use HSTS refuse to proceed.”
“Laws protecting privacy might be another reason to bypass SSL inspection. For example, in some countries, it is illegal to inspect SSL bank-related traffic. Configuring an exemption for sites is simpler than setting up firewall policies for each individual bank. You can exempt sites based on their web category, such as Finance and Banking…”
“The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories―Finance and Banking, and Health and Wellness―and some FQDN addresses…”
Technical Deep Dive:
The correct answers are B and D.
B is correct because the study guide explicitly says SSL inspection may be bypassed for legal reasons, especially where privacy laws restrict inspection of sensitive categories such as Finance and Banking.
The same privacy rationale also explains why Health and Wellness is commonly exempted.
D is correct because some sites break under deep inspection due to HSTS. FortiGate must generate and present a temporary certificate during full SSL inspection, and browsers enforcing HSTS can reject that interception flow. That is why some sites are exempted from deep inspection.
Why the others are wrong:
A is not stated in the guide.
C refers to the separate Reputable websites option, which is a FortiGuard-maintained allowlist feature, not the reason the predefined categories shown in the exhibit are excluded.
From an operational standpoint, this is a classic balance between security visibility and application/legal compatibility. Deep inspection gives FortiGate payload visibility, but it can interfere with pinned-certificate/HSTS behavior and can violate privacy policy for regulated content.
When configuring a FortiGate in a multi-WAN setup, why would an administrator enable session preservation on an interface? (Choose one answer)
- A . To allow the FortiGate to dynamically change interfaces for all active sessions when a WAN link fails
- B . To make sure all sessions without source NAT enabled always use the primary WAN link
- C . To improve security by forcing users to authenticate again when the WAN link changes
- D . To ensure that existing SSL VPN connections remain on the same interface even if route changes occur
D
Explanation:
A closely related routing principle from the guide is:
“For each session, FortiGate performs two route lookups… After completing these two lookups, FortiGate writes the routing information to its session table. Subsequent packets are routed according to the session table, not the routing table.”
Also, the guide notes an HA limitation that helps explain the same design principle for FortiGate-terminated sessions:
“Enabling session pickup allows active sessions to be seamlessly picked up by the new primary in the event of an HA failover… Note that there are some limitations to this. For example, any sessions that terminate at the FortiGate itself (e.g. SSL VPN, proxy sessions) cannot be handed off to another FortiGate and must be restarted on the new primary.”
Technical Deep Dive:
The correct answer is D.
In multi-WAN environments, session preservation is used so that traffic for sessions that are tightly bound to the FortiGate interface they terminate on―most notably SSL VPN and other FortiGate-terminated flows―does not suddenly switch to another egress interface just because the routing table changes. Those sessions are sensitive to interface consistency. If replies start leaving through a different WAN after a route recalculation, the remote peer may see an address/interface mismatch and the session can break.
That means:
A is the opposite of session preservation. Preservation is meant to avoid moving active sessions around.
B is not the purpose of the feature.
C is unrelated.
D correctly describes why an administrator would enable it.
Operationally, this matters most for SSL VPN, management-plane flows, and other sessions that terminate on the FortiGate itself, not just ordinary transit traffic. Transit sessions are generally tracked in the session table and can often survive normal routing behavior more gracefully, but FortiGate-terminated sessions are much more sensitive to WAN/interface changes. On the CLI this is the per-interface preserve-session-route option under config system interface, which keeps existing sessions on their current route when the routing table changes instead of re-evaluating them.
