Practice Free NSE4_FGT_AD-7.6 Exam Online Questions
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?
- A . It uses UDP 53.
- B . It uses DNS over HTTPS.
- C . It uses DNS over TLS.
- D . It uses UDP 8888.
C
Explanation:
“When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic. New FortiGuard DNS servers have been added as primary and secondary servers.”
Technical Deep Dive:
The correct answer is C. It uses DNS over TLS.
This is a direct default-behavior question. If you configure FortiGuard servers as DNS servers and do not change anything else, FortiGate uses DoT rather than plain DNS. That means the DNS session is encrypted, which protects DNS queries from simple interception or tampering on the path.
Why the other options are wrong:
A is standard clear-text DNS behavior, not the FortiGuard DNS default stated in the guide.
B is incorrect because the guide specifically says DNS over TLS, not DNS over HTTPS.
D is incorrect; the guide does not describe UDP 8888 as the default transport for this DNS use case.
Operationally, this matters because FortiGate relies on DNS not only for client-facing services, but also for resolving objects and securely reaching cloud-based services. Using DoT improves confidentiality for those DNS lookups.
You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked.
What FortiGate settings should you check to resolve this issue?
- A . Replacement Messages for UDP-based Applications
- B . Network Protocol Enforcement
- C . Application and Filter Overrides
- D . FortiGuard category ratings
C
Explanation:
“After the IPS engine examines the traffic stream for a signature match, FortiGate scans packets for matches, in this order, for the application control profile:
Refer to the exhibit.

An intrusion prevention system (IPS) profile signature setting is shown.
What can you conclude about the signature when adding the FTP.Login.Failed signature to the IPS Sensor profile?
- A . The signature setting uses a custom rating threshold.
- B . FortiGate allows this low severity signature packet and creates a log.
- C . FortiGate stores a local copy of the packet that matches the signature.
- D . The signature setting includes a group of other signatures.
C
Explanation:
“When you create a new entry to add signatures or filters, you can select the action by clicking Action.”
“When you enable Packet logging, FortiGate stores a local copy of the packet that matches the signature. This enhances the view of erroneous or suspicious packets.”
“You can configure IP exemptions on individual signatures only.”
Technical Deep Dive:
The correct answer is C.
The exhibit shows an IPS entry being added with:
Type = Signature
Action = Block
Packet logging = Enable
Rate-based settings = Default
The most certain conclusion from that configuration is that packet logging is enabled, and the study guide explicitly states that this causes FortiGate to store a local copy of the matching packet.
Why the others are wrong:
A is wrong because the exhibit shows Rate-based settings = Default, not a custom threshold.
B is wrong because the configured action is Block, not allow/monitor.
D is wrong because the entry type is Signature, meaning an individual signature is being added, not a signature group.
A useful operational note: packet logging is powerful for IPS investigation and false-positive analysis, but it consumes more storage and processing resources. It should be enabled selectively on signatures where deeper forensic visibility is needed.
Refer to the exhibits.

An administrator wants to add HQ-ISFW-2 in the Security Fabric. HQ-ISFW-2 is in the same subnet as HQ-ISFW. After configuring the Security Fabric settings on HQ-ISFW-2, the status stays Pending.
What can be the two possible reasons? (Choose two answers)
- A . Upstream FortiGate IP must be set to 10.0.11.254.
- B . SAML Single Sign-On must be set to Manual.
- C . HQ-ISFW-2 must be authorized on HQ-ISFW.
- D . Management IP must be set to 10.0.13.254.
A, C
Explanation:
According to the FortiOS 7.6 Security Fabric documentation and Study Guide, several conditions must be met for a downstream FortiGate to successfully join a Security Fabric.
First, the Upstream FortiGate IP/FQDN configured on the downstream device must point to the IP address of the interface on the upstream device that is listening for fabric connections. In the provided logical topology, the Fabric Root (HQ-NGFW-1) uses port4 with the IP 10.0.11.254 to connect to the internal segmentation firewalls (ISFWs). Since HQ-ISFW-2 is in the same subnet as HQ-ISFW, it is physically and logically connected to the network segment serviced by port4. Therefore, the current configuration of 10.0.13.254 (which is port6, likely the WAN side) is incorrect, and it must be set to 10.0.11.254 (Statement A).
Second, once the downstream device successfully reaches the upstream device, it enters a Pending state. For security purposes, FortiOS does not allow devices to join the fabric automatically; the administrator of the upstream device (in this case, HQ-ISFW or the root) must manually authorize the new device (Statement C) in the Fabric Management console. Until this authorization is granted, the status will remain "Pending" and no fabric data will be synchronized.
Statements B and D are incorrect as SAML settings do not block the initial fabric join, and the management IP should be the local device’s IP, not the upstream’s IP.
0.11.254/24.
If the host 100.65.1.111 sends a TCP SYN packet on port 443 to 100.65.0.200.
What will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?
- A . 10.0.11.254, 100.65.0.200, and 443, respectively
- B . 10.0.11.254, 10.0.15.50, and 4443, respectively
- C . 100.65.1.111, 10.0.11.50, and 4443, respectively
- D . 100.65.1.111, 10.0.11.50, and 443, respectively
C
Explanation:
From the exhibits:
A VIP named VIP-WEB-SERVER is configured on WAN (port2) with:
External IP: 100.65.0.200
Mapped (internal) IP: 10.0.11.50
Port forwarding: enabled (TCP)
External service port: 443
Map to IPv4 port: 4443
The inbound firewall policy Web_Server_Access is: From WAN (port2) to LAN (port4)
Destination: VIP-WEB-SERVER
Service: HTTPS
NAT: Disabled (meaning no source NAT is applied)
What happens to the packet
A host 100.65.1.111 sends TCP SYN dst-port 443 to 100.65.0.200.
When FortiGate matches the VIP and forwards traffic to the internal server, FortiGate performs destination NAT (DNAT) based on the VIP:
Source IP is unchanged because policy NAT is disabled:
Source remains 100.65.1.111
Destination IP is translated by the VIP:
Destination becomes 10.0.11.50
Destination port is translated by the VIP port-forward:
Destination port becomes 4443
Therefore, at the time FortiGate forwards the packet to the destination (internal server), it will be:
Source address: 100.65.1.111
Destination address: 10.0.11.50
Destination port: 4443
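The translation walked through above, as an added example that is not part of the exam page or Fortinet's code: a small model of a port-forwarding VIP plus the policy NAT toggle, using the VIP-WEB-SERVER values from the exhibit. It also covers the case the question does not ask about: with NAT enabled on the policy, the source would additionally be rewritten to the egress interface address (10.0.11.254 on port4, taken from the answer options and assumed to be the outgoing interface IP).

```python
"""Model of FortiGate VIP destination NAT with port forwarding (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class VIP:
    name: str
    ext_ip: str
    mapped_ip: str
    portforward: bool = False
    proto: str = "tcp"
    ext_port: int = 0      # only meaningful when portforward is True
    mapped_port: int = 0   # "Map to IPv4 port"

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.ext_ip:
            return False
        if not self.portforward:
            return True  # static 1:1 VIP: any protocol, any port
        return pkt.proto == self.proto and pkt.dst_port == self.ext_port

    def dnat(self, pkt: Packet) -> Packet:
        new_port = self.mapped_port if self.portforward else pkt.dst_port
        return replace(pkt, dst_ip=self.mapped_ip, dst_port=new_port)


@dataclass(frozen=True)
class Policy:
    vip: VIP
    nat: bool        # the policy's NAT toggle (source NAT to egress interface)
    egress_ip: str   # address of the outgoing interface (assumed: port4)


def forward(pkt: Packet, policy: Policy):
    """Return the packet as FortiGate sends it to the server, or None if the VIP does not match."""
    if not policy.vip.matches(pkt):
        return None
    out = policy.vip.dnat(pkt)           # VIP always rewrites the destination
    if policy.nat:                       # source is rewritten only when policy NAT is on
        out = replace(out, src_ip=policy.egress_ip)
    return out


# Values from the exhibit described above (constructed objects, not a device export)
VIP_WEB_SERVER = VIP("VIP-WEB-SERVER", "100.65.0.200", "10.0.11.50",
                     portforward=True, proto="tcp", ext_port=443, mapped_port=4443)
WEB_SERVER_ACCESS = Policy(VIP_WEB_SERVER, nat=False, egress_ip="10.0.11.254")
SYN = Packet("100.65.1.111", "100.65.0.200", 443)
```

Calling forward(SYN, WEB_SERVER_ACCESS) yields source 100.65.1.111, destination 10.0.11.50, port 4443, which is option C; a SYN to port 80 on the same external IP does not match the port-forwarding VIP and is not translated.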
Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
- A . The collector agent uses a Windows API to query DCs for user logins.
- B . The NetSessionEnum function is used to track user logouts.
- C . NetAPI polling can increase bandwidth usage in large networks.
- D . The collector agent must search Windows application event logs.
B
Explanation:
NetAPI: Polls temporary sessions created on the DC when a user logs on or logs off and calls the NetSessionEnum function on Windows. It is faster than the WinSec and WMI methods; however, it can miss some logon events if a DC is under heavy system load. This is because sessions can be quickly created and purged from RAM before the agent has a chance to poll and notify the FortiGate.
When configuring firewall policies, which of the following is true regarding the policy ID? (Choose two.)
- A . A firewall policy ID identifies the order of policy execution in firewall policies.
- B . A policy ID cannot be modified once a policy is created.
- C . You can create a policy in CLI with policy ID 0
- D . It is mandatory to provide a policy ID while creating a firewall policy regardless of GUI or CLI.
B, C
Explanation:
According to the FortiOS 7.6 Administration Guide, the firewall policy ID is a unique numerical identifier assigned to each policy for internal database tracking and management purposes. It is important to distinguish the policy ID from the policy sequence. While the FortiGate processes traffic based on a top-down approach (the sequence), the policy ID itself does not determine the order of execution (Statement A is incorrect).
In FortiOS, once a policy is committed to the configuration, the policy ID cannot be modified (Statement B). If an administrator needs to change a policy ID, they must either delete and recreate the policy or use the clone command in the CLI to copy the settings to a new ID.
Furthermore, the CLI provides a specific shortcut for policy creation: you can create a policy with ID 0 (Statement C). When the command edit 0 is used within the config firewall policy context, the FortiOS kernel automatically assigns the next available integer as the policy ID. This is a standard practice for efficient configuration via the command line. Statement D is incorrect because, while every policy must have an ID, the GUI automatically generates this value without requiring the user to manually provide or even see it during the initial creation process.
An administrator manages a FortiGate model that supports NTurbo. How does NTurbo acceleration enhance antivirus performance?
- A . For flow-based inspection, NTurbo establishes a dedicated data path to redirect traffic between the IPS engine and FortiGate ingress and egress interfaces.
- B . For flow-based inspection, NTurbo creates two inspection sessions on the FortiGate device.
- C . For proxy-based inspection, NTurbo offloads traffic to the content processor.
- D . For proxy-based inspection, NTurbo buffers the whole file and then sends it to the antivirus engine.
A
Explanation:
According to the FortiOS 7.6 Administration Guide and Fortinet hardware acceleration (NTurbo) documentation, the correct answer is A.
What NTurbo Is (FortiOS 7.6, Verified)
NTurbo is a hardware-based acceleration feature available on specific FortiGate models. It is designed to improve antivirus and IPS performance when operating in flow-based inspection mode.
NTurbo works by creating a fast, optimized data path between:
FortiGate ingress interface
IPS/AV engine
FortiGate egress interface
This minimizes CPU involvement and reduces packet traversal overhead.
Why Option A Is Correct
